Epic
Resolution: Unresolved
Initial North/South gateway implementation for Pulp
Product / Portfolio Work
To Do
CRCPLAN-411 - Multicluster Gateway Architecture
Goal
Validate Gateway API for the North/South gateway implementation, establish a repeatable pattern for deploying pre-configured Gateways for HCC tenants, and help alleviate pressure on the CRC cluster by moving part of the Pulp traffic to the Pulp cluster.
The implementation will follow ADR-80 and the Multicluster HCC/Fabric Gateway Architecture RACI. This initial integration will not integrate with CAPS (i.e. it will neither issue the x-rh-identity header nor perform any policy checks). The gateway implementation will allow the Pulp team to expose their pulp-content service to serve (unauthenticated) requests for public repositories (Fedora COPR, RHEL AI - Python Content, …).
Acceptance criteria
- a repeatable pattern (e.g. a dressup template) for deploying a North/South Gateway on HCC tenant clusters is established and supported by AppSRE
- Akamai configuration is updated to route traffic to Pulp public repositories via the new gateway/cluster
- the gateway is configured in HA mode
- the gateway is configured to serve traffic over TLS
- the gateway is configured to reject traffic not originating from Akamai proxies
- the gateway is configured to produce Prometheus metrics and CloudWatch logs
- traffic routing to the pulp-content service (HTTPRoute) is configured
Open questions
- how to restrict traffic origin to Akamai? PSK/mTLS/defer?