Restructure TLS documentation to separate AWS and Gateway API guides

- Split AWS EKS Ingress setup into dedicated guide (tls-aws-ingress.md)
- Add comprehensive Gateway API section to main TLS guide using Envoy Gateway
- Reduce duplication in AWS Gateway API guide by referencing common setup steps
- Update navigation to include new AWS-specific guides

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

Author: welteki

docs/reference/tls-aws-gateway-api.md

@@ -306,206 +306,17 @@ The NLB approach requires the `TCPRoute` CRD which is part of the experimental G
 kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml
 ```
 
-### Install Envoy Gateway
+### Set up Envoy Gateway, cert-manager, and HTTPRoutes
 
-Install Envoy Gateway using Helm.
+Follow the [Gateway API with Envoy Gateway](/reference/tls-openfaas.md#gateway-api-with-envoy-gateway) section in the TLS for OpenFaaS guide to:
 
-```sh
-helm install eg oci://docker.io/envoyproxy/gateway-helm \
-  --version v1.7.0 \
-  -n envoy-gateway-system \
-  --create-namespace
-```
-
-Wait for Envoy Gateway to become available:
-
-```sh
-kubectl wait --timeout=5m -n envoy-gateway-system \
-  deployment/envoy-gateway --for=condition=Available
-```
-
-See also: [Envoy Gateway installation](https://gateway.envoyproxy.io/docs/install/install-helm/)
-
-### Create the Envoy GatewayClass
-
-Create a GatewayClass for Envoy Gateway:
-
-```bash
-cat > gatewayclass-eg.yaml <<EOF
-apiVersion: gateway.networking.k8s.io/v1
-kind: GatewayClass
-metadata:
-  name: eg
-spec:
-  controllerName: gateway.envoyproxy.io/gatewayclass-controller
-EOF
-```
-
-```bash
-kubectl apply -f gatewayclass-eg.yaml
-```
-
-### Install cert-manager
-
-cert-manager is used to obtain TLS certificates from Let's Encrypt for the Envoy Gateway.
-
-```sh
-helm install \
-  cert-manager oci://quay.io/jetstack/charts/cert-manager \
-  --namespace cert-manager \
-  --create-namespace \
-  --set crds.enabled=true \
-  --set config.apiVersion="controller.config.cert-manager.io/v1alpha1" \
-  --set config.kind="ControllerConfiguration" \
-  --set config.enableGatewayAPI=true
-```
-
-The `enableGatewayAPI` flag tells cert-manager to watch for Gateway API resources when solving ACME challenges.
-
-### Create a cert-manager Issuer
-
-Create an Issuer in the `openfaas` namespace that uses Let's Encrypt with an HTTP-01 challenge. The solver uses `gatewayHTTPRoute` instead of the `ingress` class used in a traditional Ingress-based setup:
-
-```bash
-cat > issuer.yaml <<EOF
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: letsencrypt-prod
-  namespace: openfaas
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    privateKeySecretRef:
-      name: letsencrypt-prod-account-key
-    solvers:
-      - http01:
-          gatewayHTTPRoute:
-            parentRefs:
-              - name: openfaas-gateway
-                namespace: openfaas
-                kind: Gateway
-EOF
-```
-
-```bash
-kubectl apply -f issuer.yaml
-```
-
-The `parentRefs` field points to the Envoy Gateway we'll create in the next step. The referenced Gateway must have a listener on port 80 so that Let's Encrypt can reach the HTTP-01 challenge URL.
-
-### Create the Envoy Gateway
-
-Create the Envoy Gateway with listeners for both HTTP (for ACME challenges) and HTTPS (for application traffic):
-
-```bash
-cat > envoy-gateway.yaml <<EOF
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: openfaas-gateway
-  namespace: openfaas
-  annotations:
-    cert-manager.io/issuer: letsencrypt-prod
-spec:
-  gatewayClassName: eg
-  listeners:
-    - name: http
-      port: 80
-      protocol: HTTP
-      allowedRoutes:
-        namespaces:
-          from: Same
-    - name: gateway
-      hostname: "gw.example.com"
-      port: 443
-      protocol: HTTPS
-      allowedRoutes:
-        namespaces:
-          from: Same
-      tls:
-        mode: Terminate
-        certificateRefs:
-          - name: openfaas-gateway-cert
-    - name: dashboard
-      hostname: "dashboard.example.com"
-      port: 443
-      protocol: HTTPS
-      allowedRoutes:
-        namespaces:
-          from: Same
-      tls:
-        mode: Terminate
-        certificateRefs:
-          - name: openfaas-dashboard-cert
-EOF
-```
-
-```bash
-kubectl apply -f envoy-gateway.yaml
-```
-
-The `cert-manager.io/issuer` annotation tells cert-manager to automatically create Certificate resources for each HTTPS listener. The certificates will be stored in the Secrets referenced by `certificateRefs`.
-
-### Create HTTPRoutes
-
-Create an HTTPRoute for the OpenFaaS gateway:
-
-```bash
-cat > httproute.yaml <<EOF
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: openfaas-gateway
-  namespace: openfaas
-spec:
-  parentRefs:
-    - name: openfaas-gateway
-  hostnames:
-    - "gw.example.com"
-  rules:
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /
-      backendRefs:
-        - name: gateway
-          port: 8080
-EOF
-```
-
-```bash
-kubectl apply -f httproute.yaml
-```
-
-If you are using the [OpenFaaS Dashboard](/openfaas-pro/dashboard.md), create an additional HTTPRoute:
-
-```bash
-cat > httproute-dashboard.yaml <<EOF
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: openfaas-dashboard
-  namespace: openfaas
-spec:
-  parentRefs:
-    - name: openfaas-gateway
-  hostnames:
-    - "dashboard.example.com"
-  rules:
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /
-      backendRefs:
-        - name: dashboard
-          port: 8080
-EOF
-```
+1. Install Envoy Gateway and create its GatewayClass
+2. Install cert-manager with Gateway API support
+3. Create a cert-manager Issuer
+4. Create the Envoy Gateway with HTTP and HTTPS listeners
+5. Create HTTPRoutes for the OpenFaaS gateway (and optionally the dashboard)
 
-```bash
-kubectl apply -f httproute-dashboard.yaml
-```
+Once the Envoy Gateway, HTTPRoutes, and certificates are configured, continue with the steps below to place an NLB in front of Envoy Gateway.
 
 ### Create the NLB GatewayClass and Gateway
 

docs/reference/tls-aws-ingress.md

@@ -0,0 +1,72 @@
+# TLS on AWS EKS with Ingress
+
+If you're running on AWS EKS, the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/) can be used to provision a Network Load Balancer (NLB) for Traefik's LoadBalancer Service. Traefik still acts as the Ingress Controller and handles TLS termination with cert-manager, but the NLB provides the public endpoint.
+
+For Gateway API approaches on AWS, see [TLS on AWS with Gateway API](/reference/tls-aws-gateway-api.md).
+
+## Pre-requisites
+
+* AWS EKS cluster with OpenFaaS installed via Helm
+* A domain name under your control, and access to create A or CNAME records
+
+Where you see `example.com` given in an example, replace that with your own domain name.
+
+## Install the AWS Load Balancer Controller
+
+Follow the [AWS documentation to install the AWS Load Balancer Controller using Helm](https://docs.aws.amazon.com/eks/latest/userguide/lbc-helm.html). The installation guide covers IAM configuration and the controller deployment.
+
+See also: [AWS Load Balancer Controller documentation](https://kubernetes-sigs.github.io/aws-load-balancer-controller/)
+
+Once installed, verify the controller is running:
+
+```sh
+$ kubectl get deployment -n kube-system aws-load-balancer-controller
+
+NAME                           READY   UP-TO-DATE   AVAILABLE   AGE
+aws-load-balancer-controller   2/2     2            2           84s
+```
+
+## Install Traefik with the NLB annotation
+
+On EKS with the AWS Load Balancer Controller, Traefik's LoadBalancer Service needs the correct annotation so that the controller provisions an internet-facing NLB.
+
+Install Traefik using Helm with the required annotation:
+
+```sh
+helm repo add traefik https://traefik.github.io/charts
+helm repo update
+
+helm install --namespace=traefik traefik traefik/traefik \
+  --create-namespace \
+  --set "service.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-scheme=internet-facing"
+```
+
+The `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` annotation ensures the NLB is publicly accessible. Without it, the AWS Load Balancer Controller defaults to an `internal` scheme, which would prevent Let's Encrypt HTTP01 challenges from reaching your cluster.
+
+Verify that Traefik is running and has an external address:
+
+```sh
+$ kubectl get svc -n traefik
+
+NAME      TYPE           CLUSTER-IP      EXTERNAL-IP                  PORT(S)                      AGE
+traefik   LoadBalancer   10.100.45.123   xxx.elb.amazonaws.com        80:31876/TCP,443:31706/TCP   60s
+```
+
+The `EXTERNAL-IP` field will show an NLB hostname (e.g. `xxx.elb.amazonaws.com`).
+
+## Configure cert-manager, Issuers, and OpenFaaS TLS
+
+The remaining steps are the same as in the [general Ingress setup](/reference/tls-openfaas.md#ingress-with-traefik):
+
+1. [Install cert-manager](/reference/tls-openfaas.md#install-cert-manager)
+2. [Configure cert-manager](/reference/tls-openfaas.md#configure-cert-manager)
+3. [Configure TLS for the OpenFaaS gateway](/reference/tls-openfaas.md#configure-tls-for-the-openfaas-gateway)
+4. Optionally, [Configure TLS for the OpenFaaS dashboard](/reference/tls-openfaas.md#configure-tls-for-the-openfaas-dashboard)
+
+## Create DNS records
+
+On EKS the `EXTERNAL-IP` field shows a hostname rather than an IP address. Create a **CNAME record** pointing your domain to the NLB hostname instead of an A record.
+
+## Verifying the installation
+
+See the [verification steps](/reference/tls-openfaas.md#verifying-the-installation) in the main TLS guide.