Doc fixes 1.16 (#9196)

* Backport Kube service note

* Update settings.proto

* backport of routing to Kube services

* changelog

* Update settings.pb.go

* Backport 35e1fa5 retry policy in passthrough auth

* Update _index.md

* disableKubernetesDestinations:true in prod recs

* Remove WasmHub and wasme from Edge docs (#9169)

* changelog

---------

Co-authored-by: Nadine Spies <[email protected]>
Co-authored-by: Art <[email protected]>
Co-authored-by: Art Berger <[email protected]>

Author: Nadine2016

changelog/v1.16.5/doc-kube-services-note.yaml

@@ -0,0 +1,13 @@
+changelog:
+- type: NON_USER_FACING  
+  description: >- 
+    Backport for adding more info about not using Kube services as a routing destination.
+    skipCI-kube-tests:true
+  resolvesIssue: false
+- type: NON_USER_FACING  
+  description: >- 
+    Removes references to WebAssembly Hub and `wasme` CLI.
+    Updates the old WAH image to one stored in GCR.
+    skipCI-kube-tests:true
+  issueLink: https://github.com/solo-io/doctopus/issues/79
+  resolvesIssue: false

docs/content/guides/security/auth/extauth/passthrough_auth/grpc/_index.md

@@ -210,6 +210,40 @@ curl -H "Host: foo" -H "authorization: authorize me" $(glooctl proxy url)/posts/
 
 The request should now be authorized!
 
+## Configuring retries for unresponsive passthrough services
+
+You can configure the Gloo ExtAuth server to retry the connection to the passthrough service in the case that the passthrough service becomes unavailable. Consider the following two scenarios to learn more about how retries to the passthrough service are executed: 
+
+
+* **Passthrough service becomes unavailable after initial connection**: In this scenario, the Gloo ExtAuth server successfully established an initial connection to the passthrough service. However later on, the passthrough service becomes unavailable. You can add a retry policy to your AuthConfig to retry the connection to the passthrough service if the service becomes unavailable. In the following AuthConfig, the Gloo ExtAuth server is configured to retry the connection to the passthrough service 10 times. To not overload the passthrough service, an optional exponential backoff strategy is defined. The backoff strategy configures the ExtAuth server to start retries after 1 second (`baseInterval`). Retries are then executed exponentially, such as after 2 seconds, 4 seconds, 8 seconds, etc up to the `maxInterval` that defaults to 10 times the `baseInterval`. In this example, the `maxInterval` configures a maximum delay of 2 seconds between retries. Note that the global settings `global.extensions.extAuth.requestTimeout` must be greater than the `retryPolicy.numRetries` * `retryPolicy.retryBackOff.baseInterval` to ensure that the failed gRPC call has sufficient time to retry.
+
+  For more information, see the [API docs]({{< versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk/#retrypolicy" >}}).
+
+  {{< highlight yaml "hl_lines=13-18" >}}
+apiVersion: enterprise.gloo.solo.io/v1
+kind: AuthConfig
+metadata:
+  name: passthrough-auth
+  namespace: gloo-system
+spec:
+  configs:
+  - passThroughAuth:
+      grpc:
+        # Address of the grpc auth server to query
+        address: example-grpc-auth-service.default.svc.cluster.local:9001
+        # Set a connection timeout to external service, default is 5 seconds
+        connectionTimeout: 3s
+        retryPolicy: 
+          numRetries: 10
+          retryBackOff:
+            baseInterval: 1s
+            maxInterval: 2s
+  {{< /highlight >}}
+
+
+* **Passthrough service is unavailable during the initial connection**: When you configure your AuthConfig with a retry policy, auth requests are retried only after the initial connection between the Gloo auth server and passthrough service is established successfully. If establishing the initial connection fails, the ExtAuth server retries the connection up to the defined `connectionTimeout` in the AuthConfig. The settings in the retry policy are ignored and any auth requests that are sent to the ExtAuth server during that time fail immediately. Auth requests continue to fail when the `connectionTimeout` is reached, even if the passthrough service becomes available afterwards. To mitigate this issue, you can try increasing the `connectionTimeout` setting if you think that your passthrough service can recover and become available within the specified connection timeout.
+
+
 ## Sharing state with other auth steps
 
 {{% notice note %}}
@@ -260,4 +294,4 @@ This config is accessible via the [CheckRequest FilterMetadata](https://github.c
 
 ## Summary
 
-In this guide, we installed Gloo Edge Enterprise and created an unauthenticated Virtual Service that routes requests to a static upstream. We spun up an example gRPC authentication service that uses a simple header for authentication. We then created an `AuthConfig` and configured it to use Passthrough Auth, pointing it to the IP of our example gRPC service. In doing so, we instructed gloo to pass through requests from the external authentication server to the grpc authentication service provided by the user.
+In this guide, we installed Gloo Edge Enterprise and created an unauthenticated Virtual Service that routes requests to a static upstream. We spun up an example gRPC authentication service that uses a simple header for authentication. We then created an `AuthConfig` and configured it to use Passthrough Auth, pointing it to the IP of our example gRPC service. In doing so, we instructed gloo to pass through requests from the external authentication server to the grpc authentication service provided by the user.

docs/content/guides/traffic_management/destination_types/kubernetes_services/_index.md

@@ -4,17 +4,28 @@ weight: 80
 description: Routing to services registered as Kubernetes Services through the API
 ---
 
-If you are running Gloo Edge in a Kubernetes cluster, it is possible to directly specify 
-[Kubernetes Services](https://kubernetes.io/docs/concepts/services-networking/service/) as routing destinations. 
-The `kube` destination type has two required fields:
+To allow for optimal performance in Gloo Edge, it is recommended to use Gloo [static]({{% versioned_link_path fromRoot="/guides/traffic_management/destination_types/static_upstream/" %}}) and [discovered]({{% versioned_link_path fromRoot="/guides/traffic_management/destination_types/discovered_upstream/" %}}) Upstreams as your routing destination. However, if you run Gloo Edge in a Kubernetes cluster, you can choose between the following options to route to a Kubernetes service: 
 
-* `ref` is a {{< protobuf name="core.solo.io.ResourceRef">}} to the service that should receive traffic
-* `port` is an `int` which represents the port on which the service is listening. This must be one of the ports defined in the Kubernetes service spec
+## Option 1: Route to a Kubernetes service directly
 
-The following configuration will forward all requests to `/petstore` to port `8080` on the Kubernetes service named 
-`petstore` in the `default` namespace.
+You can configure your VirtualService to route to a Kubernetes service instead of a Gloo Upstream. 
 
-{{< highlight yaml "hl_lines=6-10" >}}
+{{% notice note %}}
+Consider the following information before choosing a Kubernetes service as your routing destination: 
+- For Gloo Edge to route traffic to a Kubernetes service directly, Gloo Edge requires scanning of all services in the cluster to create in-memory Upstream resources to represent them. Gloo uses these resources to validate that the upstream destination is valid and returns an error if the specified Kubernetes service cannot be found. Note that the in-memory Upstream resources are included in the API snapshot. If you have a large number of services in your cluster, the API snapshot increases which can have a negative impact on the Gloo Edge translation time.
+- When using Kubernetes services as a routing destination, Gloo Edge relies on `kube-proxy` to perform load balancing which can have further performance impacts. Routing to Gloo Upstreams bypasses `kube-proxy` as the request is routed to the pod directly. 
+- Some Gloo Edge functionality, such as policies, might not be available when using Kubernetes services as a routing destination. 
+{{% /notice %}}
+
+To use Kubernetes services as a routing destination: 
+
+1. Get the default Gloo Edge settings and verify that `spec.gloo.disableKubernetesDestinations` is set to `false`. This setting is required to allow Gloo Edge to scan all Kubernetes services in the cluster and to create in-memory Upstream resources to represent them. If it is set to `true`, follow the [upgrade guide]({{% versioned_link_path fromRoot="/operations/upgrading/" %}}) and set `settings.disableKubernetesDestinations: false` in your Helm chart. 
+   ```sh
+   kubectl get settings default -n gloo-system -o yaml
+   ```
+2. Configure the Kubernetes service as a routing destination in your VirtualService. The following example configuration forwards all requests to `/petstore` to port `8080` on the `petstore` Kubernetes service in the `default` namespace.
+
+   {{< highlight yaml "hl_lines=6-10" >}}
 routes:
 - matchers:
    - prefix: /petstore
@@ -25,4 +36,43 @@ routes:
           name: petstore
           namespace: default
         port: 8080
-{{< /highlight >}}
+   {{< /highlight >}}
+  
+   The `kube` destination type has two required fields:
+
+   * `ref` is a {{< protobuf name="core.solo.io.ResourceRef">}} to the service that receives the traffic. 
+   * `port` is an integer (`int`) and represents the port the service listens on. Note that this port must be defined in the Kubernetes service.
+   
+
+## Option 2: Use Kubernetes Upstream resources
+
+Instead of routing to a Kubernetes service directly, you can create [Gloo Kubernetes Upstream]({{% versioned_link_path fromRoot="/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/kubernetes/kubernetes.proto.sk/" %}}) resources that represent your Kubernetes workload. With Kubernetes Upstream resources, you can route requests to a specific pod in the cluster. This process bypasses `kube-proxy` which improves load balancing times for your workloads. 
+
+To use Kubernetes Upstream resources: 
+
+1. Create a Kubernetes Upstream resource for your workload. The following configuration creates an upstream resource for the Petstore app that listens on port 8080 in the default namespace. 
+   ```yaml
+   apiVersion: gloo.solo.io/v1
+   kind: Upstream
+   metadata:
+     name: petstore
+     namespace: gloo-system
+   spec:
+     kube:
+       serviceName: petstore
+       serviceNamespace: default
+       servicePort: 8080
+   ```
+   
+2. Configure the Kubernetes Upstream as a routing destination in your VirtualService. The following example configuration forwards all requests to `/petstore` to the Petstore upstream in the `gloo-system` namespace.
+
+   {{< highlight yaml "hl_lines=6-8" >}}
+routes:
+- matchers:
+   - prefix: /petstore
+  routeAction:
+    single:
+      upstream:
+        name: petstore
+        namespace: gloo-system
+   {{< /highlight >}}

docs/content/installation/advanced_configuration/wasm.md

@@ -20,36 +20,24 @@ The [upstream Envoy Wasm filter](https://www.envoyproxy.io/docs/envoy/latest/con
 
 WebAssembly provides a safe, secure, and dynamic way of extending infrastructure with the programming language of your choice.
 
-1. Get a Wasm image. Review the following resources to help.
-   * [WebAssembly Hub](https://webassemblyhub.io/repositories/) to use an existing Wasm image repository.
-   * [WebAssembly Developer's Guide](https://webassembly.org/getting-started/developers-guide/) for more information on building your own Wasm image.
-   * [Solo's `wasme` CLI tool](https://docs.solo.io/web-assembly-hub/latest/tutorial_code/getting_started/) with starter kits that makes it easy to build and push Wasm modules to WebAssembly Hub.
-
-   Example steps with `wasme` CLI: For more information, see the [Build tutorial](https://docs.solo.io/web-assembly-hub/latest/tutorial_code/build_tutorials/building_cpp_filters/).
-   1. Start a C++ filter for Gloo.
-      ```sh
-      wasme init --language cpp --platform gloo --platform-version 1.13.x ./my-filter
-      ```
-   2. Build the filter into a Wasm image.
-      ```sh
-      cd my-filter
-      wasme build cpp --store ./wasmstore . -t my-wasm-filter:v1.0
-      ```
+1. Get a Wasm image. For more information on building your own Wasm image, see the [WebAssembly Developer's Guide](https://webassembly.org/getting-started/developers-guide/). 
 
 2. Prepare your Wasm image for use with Gloo Edge Enterprise. Review the following options.
-   * **Store in an image repository like WebAssembly Hub**: Solo provides [WebAssembly Hub](https://webassemblyhub.io/) as the simplest way to share and consume Wasm Envoy repositories. When you use the `wasme` CLI tool, you can push the image directly to your WebAssembly Hub repository. The resulting image repository is in a format similar to the following: `webassemblyhub.io/<username>/<filter-name>:<tag>`.
-   * **Load the Wasm file directly into the filter**: If your filter is not hosted in an image repository such as WebAssembly Hub, you can refer to the filepath directly, such as `<directory>/<filter-name>.wasm`.
-   * **Use an init container**: In some circumstances, you might not be able to use an image repository due to enterprise networking restrictions. Instead, you can use an `initContainer` on the Gloo Edge `gatewayProxy` deployment to load a `.wasm` file into a shared `volume`.
+
+   * Store in an OCI-compliant image repository. This guide uses an example Wasm image from Solo's public Google Container Registry.
+   * Load the Wasm file directly into the filter. If your filter is not hosted in an image repository, you can refer to the filepath directly, such as `<directory>/<filter-name>.wasm`.
+   * Use an init container. In some circumstances, you might not be able to use an image repository due to enterprise networking restrictions. Instead, you can use an `initContainer` on the Gloo Edge `gatewayProxy` deployment to load a `.wasm` file into a shared `volume`.
 
 ## Configure Gloo Edge to use a Wasm filter {#configuration}
 
 Now that Gloo Edge Enterprise is installed and you have your Wasm image, you are ready to configure Gloo Edge to use the Wasm filter. You add the filter to your gateway proxy configuration. For more information, check out the {{% protobuf name="wasm.options.gloo.solo.io.PluginSource" display="API docs"%}}.
 
 {{< tabs >}} 
-{{% tab name="From WebAssembly Hub" %}}
+{{% tab name="From an image registry" %}}
 1. Get the configuration for your `gateway-proxy` gateway.
    ```shell
    kubectl get -n gloo-system gateways.gateway.solo.io gateway-proxy -o yaml > gateway-proxy.yaml
+   open gateway-proxy.yaml
    ```
 2. Add the reference to your Wasm filter in the `httpGateway` section as follows.
    ```yaml
@@ -60,7 +48,7 @@ Now that Gloo Edge Enterprise is installed and you have your Wasm image, you are
            - config:
                '@type': type.googleapis.com/google.protobuf.StringValue
                value: "world"
-             image: webassemblyhub.io/yuval/add-header:v0.1
+             image: gcr.io/solo-public/docs/assemblyscript-test:istio-1.8
              name: add-header
              rootId: add_header
    ```
@@ -241,9 +229,3 @@ Now that your `gateway-proxy` gateway is updated, the hard work has been done. A
    < 
    [{"id":1,"name":"Dog","status":"available"},{"id":2,"name":"Cat","status":"pending"}]
    {{< /highlight >}}
-
-## References
-
-* [WebAssembly Hub](https://webassemblyhub.io/) for sharing and reusing Wasm filters.
-* [Solo's `wasme` CLI tool](https://docs.solo.io/web-assembly-hub/latest/installation/) for building and deploying Wasm filters for Gloo Edge Enterprise, Istio, and Envoy.
-* [Solo's `wasm` GitHub repo](https://github.com/solo-io/wasm) for the `wasme` tool.