fix formatting issues in deploy.md

docs/guides/deploy.md

@@ -1,26 +1,27 @@
 # Deploy the AWS Gateway API Controller on Amazon EKS
 
-This Deployment Guide provides an end-to-end procedure to install the AWS Gateway API Controller with [Amazon Elastic Kubernetes Service](https://aws.amazon.com/eks/). 
+This Deployment Guide provides an end-to-end procedure to install the AWS Gateway API Controller with [Amazon Elastic Kubernetes Service](https://aws.amazon.com/eks/).
 
-Amazon EKS is a simple, recommended way of preparing a cluster for running services with AWS Gateway API Controller, however the AWS Gateway API Controller can be used on any Kubernetes cluster on AWS. Check out the [Advanced Configurations](advanced-configurations.md) section below for instructions on how to install and run the controller on self-hosted Kubernetes clusters on AWS.
+Amazon EKS is a simple, recommended way of preparing a cluster for running services with the AWS Gateway API Controller. However, the AWS Gateway API Controller can be used on any Kubernetes cluster on AWS. Check out the [Advanced Configurations](advanced-configurations.md) section below for instructions on how to install and run the controller on self-hosted Kubernetes clusters on AWS.
 
 ### Prerequisites
 
 Install these tools before proceeding:
 
 1. [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html),
-2. `kubectl` - [the Kubernetes CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/),
-3. `helm` - [the package manager for Kubernetes](https://helm.sh/docs/intro/install/),
-4. `eksctl`- [the CLI for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/setting-up.html),
-5. `jq` - [CLI to manipulate json files](https://jqlang.github.io/jq/).
+2. `kubectl` – [the Kubernetes CLI](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/),
+3. `helm` – [the package manager for Kubernetes](https://helm.sh/docs/intro/install/),
+4. `eksctl` – [the CLI for Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/setting-up.html),
+5. `jq` – [CLI to manipulate JSON files](https://jqlang.github.io/jq/).
 
 ### Setup
 
 Set your AWS Region and Cluster Name as environment variables. See the [Amazon VPC Lattice FAQs](https://aws.amazon.com/vpc/lattice/faqs/) for a list of supported regions.
- ```bash linenums="1"
- export AWS_REGION=<cluster_region>
- export CLUSTER_NAME=<cluster_name>
- ```
+
+```bash
+export AWS_REGION=<eks_cluster_region>
+export EKS_CLUSTER_NAME=<EKS_CLUSTER_NAME>
+```
 
 **Install Gateway API CRDs**
 
@@ -29,178 +30,181 @@ The latest Gateway API CRDs are available [here](https://gateway-api.sigs.k8s.io
 **Create a cluster (optional)**
 
 You can easily create a cluster with `eksctl`, the CLI for Amazon EKS:
- ```bash 
- eksctl create cluster --name $CLUSTER_NAME --region $AWS_REGION
- ```
+
+```bash
+eksctl create cluster --name ${EKS_CLUSTER_NAME} --region $AWS_REGION
+```
 
 **Allow traffic from Amazon VPC Lattice**
 
-You must set up security groups so that they allow all Pods communicating with VPC Lattice to allow traffic from the VPC Lattice managed prefix lists. See [Control traffic to resources using security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) for details. Lattice has both an IPv4 and IPv6 prefix lists available.
+You must set up security groups so that they allow all Pods communicating with VPC Lattice to allow traffic from the VPC Lattice managed prefix lists. See [Control traffic to resources using security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) for details. Lattice has both IPv4 and IPv6 prefix lists available.
+
+1. Configure the EKS nodes' security group to receive traffic from the VPC Lattice network.
 
-1. Configure the EKS nodes' security group to receive traffic from the VPC Lattice network. 
+```bash
+CLUSTER_SG=<your_node_security_group>
+```
 
- ```bash 
- CLUSTER_SG=<your_node_security_group>
- ```
- !!!Note
- If you have created the cluster with `eksctl create cluster --name $CLUSTER_NAME --region $AWS_REGION` command, you can use this command to export the Security Group ID:
+!!!Note
+ If you have created the cluster with the `eksctl create cluster --name ${EKS_CLUSTER_NAME} --region $AWS_REGION` command, you can use the following command to export the Security Group ID:
 
- ```bash 
- CLUSTER_SG=$(aws eks describe-cluster --name $CLUSTER_NAME --output json| jq -r '.cluster.resourcesVpcConfig.clusterSecurityGroupId')
- ```
+```bash
+CLUSTER_SG=$(aws eks describe-cluster --name ${EKS_CLUSTER_NAME} --output json | jq -r '.cluster.resourcesVpcConfig.clusterSecurityGroupId')
+```
 
- ```bash linenums="1"
- PREFIX_LIST_ID=$(aws ec2 describe-managed-prefix-lists --query "PrefixLists[?PrefixListName=="\'com.amazonaws.$AWS_REGION.vpc-lattice\'"].PrefixListId" | jq -r '.[]')
- aws ec2 authorize-security-group-ingress --group-id $CLUSTER_SG --ip-permissions "PrefixListIds=[{PrefixListId=${PREFIX_LIST_ID}}],IpProtocol=-1"
- PREFIX_LIST_ID_IPV6=$(aws ec2 describe-managed-prefix-lists --query "PrefixLists[?PrefixListName=="\'com.amazonaws.$AWS_REGION.ipv6.vpc-lattice\'"].PrefixListId" | jq -r '.[]')
- aws ec2 authorize-security-group-ingress --group-id $CLUSTER_SG --ip-permissions "PrefixListIds=[{PrefixListId=${PREFIX_LIST_ID_IPV6}}],IpProtocol=-1"
- ```
+```bash
+PREFIX_LIST_ID=$(aws ec2 describe-managed-prefix-lists --query "PrefixLists[?PrefixListName=='com.amazonaws.$AWS_REGION.vpc-lattice'].PrefixListId" | jq -r '.[]')
+aws ec2 authorize-security-group-ingress --group-id $CLUSTER_SG --ip-permissions "PrefixListIds=[{PrefixListId=${PREFIX_LIST_ID}}],IpProtocol=-1"
+PREFIX_LIST_ID_IPV6=$(aws ec2 describe-managed-prefix-lists --query "PrefixLists[?PrefixListName=='com.amazonaws.$AWS_REGION.ipv6.vpc-lattice'].PrefixListId" | jq -r '.[]')
+aws ec2 authorize-security-group-ingress --group-id $CLUSTER_SG --ip-permissions "PrefixListIds=[{PrefixListId=${PREFIX_LIST_ID_IPV6}}],IpProtocol=-1"
+```
 
 **Set up IAM permissions**
 
-The AWS Gateway API Controller needs to have necessary permissions to operate.
+The AWS Gateway API Controller needs to have the necessary permissions to operate.
+
+1. Create a policy (`recommended-inline-policy.json`) in IAM with the following content that can invoke the Gateway API and copy the policy ARN for later use:
 
-1. Create a policy (`recommended-inline-policy.json`) in IAM with the following content that can invoke the Gateway API and copy the policy arn for later use:
+```bash
+curl https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/recommended-inline-policy.json -o recommended-inline-policy.json
 
- ```bash linenums="1"
- curl https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/recommended-inline-policy.json -o recommended-inline-policy.json
-
- aws iam create-policy \
- --policy-name VPCLatticeControllerIAMPolicy \
- --policy-document file://recommended-inline-policy.json
+aws iam create-policy \
+ --policy-name VPCLatticeControllerIAMPolicy \
+ --policy-document file://recommended-inline-policy.json
 
- export VPCLatticeControllerIAMPolicyArn=$(aws iam list-policies --query 'Policies[?PolicyName==`VPCLatticeControllerIAMPolicy`].Arn' --output text)
- ```
+export VPCLatticeControllerIAMPolicyArn=$(aws iam list-policies --query 'Policies[?PolicyName==`VPCLatticeControllerIAMPolicy`].Arn' --output text)
+```
+
+2. Create the `aws-application-networking-system` namespace:
 
-1. Create the `aws-application-networking-system` namespace:
-```bash 
+```bash
+curl -o aws-application-networking-system.yaml https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/deploy-namesystem.yaml
 kubectl apply -f https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/deploy-namesystem.yaml
 ```
 
 You can choose from [Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) (recommended) and [IAM Roles For Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to set up controller permissions.
 
 === "Pod Identities (recommended)"
 
- **Set up the Pod Identities Agent**
+**Set up the Pod Identities Agent**
 
- To use Pod Identities, we need to [set up the Agent](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html) and to configure the controller's Kubernetes Service Account to assume necessary permissions with EKS Pod Identity.
+To use Pod Identities, set up the [Pod Identity Agent](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html) and configure the controller's Kubernetes Service Account to assume necessary permissions with EKS Pod Identity.
 
- !!!Note "Read if you are using a custom node role"
-  The node role needs to have permissions for the Pod Identity Agent to do the `AssumeRoleForPodIdentity` action in the EKS Auth API. Follow [the documentation](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html) if you are not using the AWS managed policy [AmazonEKSWorkerNodePolicy](https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEKSWorkerNodePolicy).
+!!!Note "Read if you are using a custom node role"
+ The node role needs to have permissions for the Pod Identity Agent to perform the `AssumeRoleForPodIdentity` action in the EKS Auth API. Follow [the documentation](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html) if you are not using the AWS managed policy [AmazonEKSWorkerNodePolicy](https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEKSWorkerNodePolicy).
 
+1. Run the following AWS CLI command to create the Pod Identity addon:
 
- 1. Run the following AWS CLI command to create the Pod Identity addon.
- ```bash
- aws eks create-addon --cluster-name $CLUSTER_NAME --addon-name eks-pod-identity-agent --addon-version v1.0.0-eksbuild.1
- ```
- ```bash
- kubectl get pods -n kube-system | grep 'eks-pod-identity-agent'
- ```
+```bash
+aws eks create-addon --cluster-name ${EKS_CLUSTER_NAME} --addon-name eks-pod-identity-agent --addon-version v1.0.0-eksbuild.1
+```
 
- **Assign role to Service Account**
+```bash
+kubectl get pods -n kube-system | grep 'eks-pod-identity-agent'
+```
 
- Create an IAM role and associate it with a Kubernetes service account.
+**Assign role to Service Account**
 
- 1. Create a Service Account.
+1. Create a Service Account:
 
- ```bash
- cat >gateway-api-controller-service-account.yaml <<EOF
- apiVersion: v1
- kind: ServiceAccount
- metadata:
-  name: gateway-api-controller
-  namespace: aws-application-networking-system
- EOF
- kubectl apply -f gateway-api-controller-service-account.yaml
- ```
+```bash
+cat >gateway-api-controller-service-account.yaml <<EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gateway-api-controller
+ namespace: aws-application-networking-system
+EOF
+kubectl apply -f gateway-api-controller-service-account.yaml
+```
 
- 1. Create a trust policy file for the IAM role.
+2. Create a trust policy file for the IAM role:
 
- ```bash
- cat >trust-relationship.json <<EOF
+```bash
+cat > eks-pod-identity-trust-relationship.json <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
  {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
- "Effect": "Allow",
- "Principal": {
- "Service": "pods.eks.amazonaws.com"
- },
- "Action": [
- "sts:AssumeRole",
- "sts:TagSession"
- ]
- }
+ "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "pods.eks.amazonaws.com"
+ },
+ "Action": [
+ "sts:AssumeRole",
+ "sts:TagSession"
  ]
  }
- EOF
- ```
+ ]
+}
+EOF
+```
 
- 1. Create the role.
+3. Create the role:
 
- ```bash
- aws iam create-role --role-name VPCLatticeControllerIAMRole --assume-role-policy-document file://trust-relationship.json --description "IAM Role for AWS Gateway API Controller for VPC Lattice"
- aws iam attach-role-policy --role-name VPCLatticeControllerIAMRole --policy-arn=$VPCLatticeControllerIAMPolicyArn
- export VPCLatticeControllerIAMRoleArn=$(aws iam list-roles --query 'Roles[?RoleName==`VPCLatticeControllerIAMRole`].Arn' --output text)
- ```
- 
- 1. Create the association
+```bash
+aws iam create-role --role-name VPCLatticeControllerIAMRole --assume-role-policy-document file://teks-pod-identity-trust-relationship.json --description "IAM Role for AWS Gateway API Controller for VPC Lattice"
+aws iam attach-role-policy --role-name VPCLatticeControllerIAMRole --policy-arn=$VPCLatticeControllerIAMPolicyArn
+export VPCLatticeControllerIAMRoleArn=$(aws iam list-roles --query 'Roles[?RoleName==`VPCLatticeControllerIAMRole`].Arn' --output text)
+```
+
+4. Create the association:
 
- ```bash
- aws eks create-pod-identity-association --cluster-name $CLUSTER_NAME --role-arn $VPCLatticeControllerIAMRoleArn --namespace aws-application-networking-system --service-account gateway-api-controller
- ```
+```bash
+aws eks create-pod-identity-association --cluster-name ${EKS_CLUSTER_NAME} --role-arn ${VPCLatticeControllerIAMRoleArn} --namespace aws-application-networking-system --service-account gateway-api-controller
+```
 
 === "IRSA"
 
- You can use AWS IAM Roles for Service Accounts (IRSA) to assign the Controller necessary permissions via a ServiceAccount.
+You can use AWS IAM Roles for Service Accounts (IRSA) to assign the controller necessary permissions via a ServiceAccount.
 
- 1. Create an IAM OIDC provider: See [Creating an IAM OIDC provider for your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) for details.
- ```bash 
- eksctl utils associate-iam-oidc-provider --cluster $CLUSTER_NAME --approve --region $AWS_REGION
- ```
+1. Create an IAM OIDC provider. See [Creating an IAM OIDC provider for your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) for details.
 
- 1. Create an iamserviceaccount for pod level permission:
+```bash
+eksctl utils associate-iam-oidc-provider --cluster ${EKS_CLUSTER_NAME} --approve --region $AWS_REGION
+```
 
- ```bash linenums="1"
- eksctl create iamserviceaccount \
- --cluster=$CLUSTER_NAME \
- --namespace=aws-application-networking-system \
- --name=gateway-api-controller \
- --attach-policy-arn=$VPCLatticeControllerIAMPolicyArn \
- --override-existing-serviceaccounts \
- --region $AWS_REGION \
- --approve
- ```
+2. Create an IAM service account for pod-level permission:
+
+```bash
+eksctl create iamserviceaccount \
+ --cluster=${EKS_CLUSTER_NAME} \
+ --namespace=aws-application-networking-system \
+ --name=gateway-api-controller \
+ --attach-policy-arn=$VPCLatticeControllerIAMPolicyArn \
+ --override-existing-serviceaccounts \
+ --region $AWS_REGION \
+ --approve
+```
 
 ### Install the Controller
 
-1. Run **either** `kubectl` or `helm` to deploy the controller. Check [Environment Variables](../guides/environment.md) for detailed explanation of each configuration option.
+Run **either** `kubectl` or `helm` to deploy the controller. Check [Environment Variables](../guides/environment.md) for a detailed explanation of each configuration option.
 
- === "Helm"
+=== "Helm"
 
- ```bash linenums="1"
- # login to ECR
- aws ecr-public get-login-password --region us-east-1 | helm registry login --username AWS --password-stdin public.ecr.aws
- # Run helm with either install or upgrade
- helm install gateway-api-controller \
- oci://public.ecr.aws/aws-application-networking-k8s/aws-gateway-controller-chart \
- --version=v1.1.0 \
- --set=serviceAccount.create=false \
- --namespace aws-application-networking-system \
- --set=log.level=info # use "debug" for debug level logs
- ```
+```bash
+# login to ECR
+aws ecr-public get-login-password --region us-east-1 | helm registry login --username AWS --password-stdin public.ecr.aws
 
- === "Kubectl"
+# Run helm with either install or upgrade
+helm install gateway-api-controller \
+ oci://public.ecr.aws/aws-application-networking-k8s/aws-gateway-controller-chart \
+ --version=v1.1.0 \
+ --set=serviceAccount.create=false \
+ --namespace aws-application-networking-system \
+ --set=log.level=info # use "debug" for debug level logs
+```
 
- ```bash 
- kubectl apply -f https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/deploy-v1.1.0.yaml
- ```
+=== "Kubectl"
 
+```bash
+kubectl apply -f https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/deploy-v1.1.0.yaml
+```
 
 1. Create the `amazon-vpc-lattice` GatewayClass:
- ```bash 
- kubectl apply -f https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/gatewayclass.yaml
- ```
-
 
+```bash
+kubectl apply -f https://raw.githubusercontent.com/aws/aws-application-networking-k8s/main/files/controller-installation/gatewayclass.yaml
+```