Replace grand-central Ingress with HTTPRoute and Traefik Middlewares #837

Open: tomach wants to merge 9 commits into master from ta/gc-ingress-traefik

Conversation

@tomach (Contributor) commented May 13, 2026

Summary of changes

Extends the existing exposure field support to grand-central. When spec.cluster.exposure: traefik, grand-central is now exposed through the Gateway API (HTTPRoute) and three Traefik Middlewares instead of an nginx Ingress. The default loadbalancer path is unchanged.

  • grand-central.py adds builders for HTTPRoute, compress-js, buffering, and ip-allowlist Middlewares; adds create_grand_central_exposure (routing resources only, no deployment/service) and delete helpers for both paths
  • exposure.py - ChangeExposureSubHandler now also switches grand-central resources when the exposure field changes
  • operations.py - suspend_or_start_grand_central deletes routing resources on suspend and recreates them on resume, respecting the active exposure mode
  • handle_update_allowed_cidrs.py patches the ip-allowlist Middleware instead of the Ingress annotation when exposure=traefik
  • RBAC - adds permissions for gateway.networking.k8s.io/httproutes and traefik.io/middlewares
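As an added illustration of the exposure=traefik resources the summary lists (example code, not the operator's own), the block below builds the ip-allowlist Middleware, the merge patch that an allowed-CIDR update would apply to it, and an HTTPRoute that attaches the three Middlewares via ExtensionRef filters. The resource names, the backend service name and port, and the gateway reference "traefik"/"traefik" are assumptions.

```python
"""Added example: routing objects for exposure=traefik. Names and the gateway
reference are assumptions, not values taken from the operator."""
import ipaddress

GATEWAY_REF = {"group": "gateway.networking.k8s.io", "kind": "Gateway",
               "name": "traefik", "namespace": "traefik"}  # assumed location of the Gateway


def normalize_cidrs(cidrs):
    """Validate and canonicalise CIDRs; a bare IP becomes a /32 or /128.
    Raises on junk and on an empty result: Traefik does not create an
    ipAllowList with an empty sourceRange, so the route would fail rather
    than silently become open, and we want that failure to surface here."""
    seen = []
    for cidr in cidrs:
        canonical = str(ipaddress.ip_network(cidr.strip(), strict=False))  # ValueError on junk
        if canonical not in seen:
            seen.append(canonical)
    if not seen:
        raise ValueError("allowed CIDRs must contain at least one network")
    return seen


def ip_allowlist_middleware(name, namespace, cidrs):
    """Full Traefik Middleware body (traefik.io/v1alpha1, spec.ipAllowList)."""
    return {"apiVersion": "traefik.io/v1alpha1", "kind": "Middleware",
            "metadata": {"name": f"{name}-ip-allowlist", "namespace": namespace},
            "spec": {"ipAllowList": {"sourceRange": normalize_cidrs(cidrs)}}}


def ip_allowlist_patch(cidrs):
    """Merge-patch body for CustomObjectsApi.patch_namespaced_custom_object:
    only the sourceRange changes when the allowed CIDRs are updated."""
    return {"spec": {"ipAllowList": {"sourceRange": normalize_cidrs(cidrs)}}}


def grand_central_httproute(name, namespace, hostname, service_name, port=8080):
    """HTTPRoute that attaches to the Gateway and chains the three Middlewares
    named in the PR (ip-allowlist first, then buffering, then compress-js)."""
    middlewares = [f"{name}-ip-allowlist", f"{name}-buffering", f"{name}-compress-js"]
    filters = [{"type": "ExtensionRef",
                "extensionRef": {"group": "traefik.io", "kind": "Middleware", "name": mw}}
               for mw in middlewares]
    return {"apiVersion": "gateway.networking.k8s.io/v1", "kind": "HTTPRoute",
            "metadata": {"name": f"{name}-grand-central", "namespace": namespace},
            "spec": {"parentRefs": [GATEWAY_REF], "hostnames": [hostname],
                     "rules": [{"matches": [{"path": {"type": "PathPrefix", "value": "/"}}],
                                "filters": filters,
                                "backendRefs": [{"name": service_name, "port": port}]}]}}
```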

Checklist

  • Link to issue this PR refers to: https://github.com/crate/cloud/issues/2905
  • Relevant changes are reflected in CHANGES.rst
  • Added or changed code is covered by tests
  • Documentation has been updated if necessary
  • Changed code does not contain any breaking changes (or this is a major version change)

tomach force-pushed the ta/gc-ingress-traefik branch from 3ab31e1 to bf3789f on May 19, 2026 13:00
tomach marked this pull request as ready for review May 19, 2026 15:34
tomach requested review from juanpardo and plaharanne May 19, 2026 15:34
tomach force-pushed the ta/gc-ingress-traefik branch from bf3789f to 6946339 on May 20, 2026 06:50
@goat-ssh (Contributor) commented:
Caught some errors on dev on /auth and /health endpoints:

The 'Access-Control-Allow-Origin' header contains multiple values 
'https://console.cratedb-dev.cloud,http://localhost:8000', but only one is allowed.

According to the W3C and MDN web specs, the Access-Control-Allow-Origin header can only contain a single origin, the wildcard *, or null. It cannot accept a comma-separated list of multiple origins. When you pass a list, browsers reject it as an invalid value, causing the CORS block.
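To show what the fix for the header above looks like, here is an added example (not grand-central's code) that echoes exactly one allowlisted origin per response instead of the configured list; the allowlist string and the request origins are constructed for the demo.

```python
"""Added example: one Access-Control-Allow-Origin value per response.
The allowlist setting and request origins are constructed for the demo."""
from urllib.parse import urlsplit

# Constructed setting in the shape that produced the rejected header.
ALLOWED_ORIGINS_SETTING = "https://console.cratedb-dev.cloud,http://localhost:8000"


def parse_allowed_origins(setting):
    return [o.strip() for o in setting.split(",") if o.strip()]


def naive_cors_headers(setting):
    """The failure mode seen on /auth and /health: the whole configured list is
    emitted, and browsers reject a comma-separated Access-Control-Allow-Origin."""
    return {"Access-Control-Allow-Origin": ",".join(parse_allowed_origins(setting))}


def _canonical(origin):
    """Canonical form for comparison: scheme and host are case-insensitive, the
    port must match exactly, and anything with a path (or 'null') is rejected."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def cors_headers(request_origin, setting, allow_credentials=True):
    """CORS response headers for one request, or {} when the Origin is not
    allowlisted (the browser then blocks the response on its own). 'Vary: Origin'
    stops a shared cache from replaying one origin's header to another."""
    allowed = {c for c in map(_canonical, parse_allowed_origins(setting)) if c}
    origin = _canonical(request_origin) if request_origin else None
    if origin is None or origin not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if allow_credentials:
        # A wildcard is never valid together with credentials, so echoing the
        # single matched origin is the only shape the spec accepts here.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```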

@juanpardo (Contributor) left a comment

Added a few comments. It looks good.

Comment thread crate/operator/exposure.py
_HTTPROUTE_PLURAL = "httproutes"

_GC_GATEWAY_NAME: str = "traefik"
_GC_GATEWAY_NAMESPACE: str = "traefik"
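Review bot: `_GC_GATEWAY_NAME` and `_GC_GATEWAY_NAMESPACE` are hard-coded literals ("traefik"), so every grand-central HTTPRoute the operator emits will reference that one Gateway. Consider reading them from operator configuration (keeping these values as defaults) and documenting that a parentRef into another namespace only binds when the Gateway listener's `allowedRoutes.namespaces` permits routes from the namespaces the HTTPRoutes are created in; otherwise the route is silently not accepted and grand-central is unreachable.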
I think @WalBeh was challenging using this namespace in the meeting. I also think it would be nice if we could use the project namespace (but not sure if it's possible). CC @goat-ssh

Comment thread crate/operator/grand_central.py
Comment thread crate/operator/grand_central.py Outdated

if use_traefik:
custom = CustomObjectsApi(api_client)
for mw_body in (

I think this code is repeated in create_grand_central_exposure at line 756

Scale the grand-central Deployment to 0 (suspend) or 1 (start) and
manage its routing resources accordingly.

On suspend, the Deployment is scaled to 0 and the active routing resource

This would still not delete the DNS entry, right? I hope not because that way we can avoid the DNS propagation time when resuming. CC @goat-ssh


Record                                   Type   Resource                            How DNS is created
*.aks1.eastus.azure.cratedb-dev.net      CNAME  IngressRouteTCP (CrateDB cluster)   CNAME to the regional Traefik LB hostname
*.gc.aks1.eastus.azure.cratedb-dev.net   A      HTTPRoute (grand-central)           external-dns creates an A record directly from the Gateway's resolved IP

Note: Both records resolve to the same Traefik load balancer IP: 51.8.42.241

So, yes, the tenant grand-central DNS is deleted on suspend.

tomach force-pushed the ta/gc-ingress-traefik branch from 2285ad0 to 2c867a7 on May 22, 2026 11:58
tomach force-pushed the ta/gc-ingress-traefik branch from 2c867a7 to b4041f1 on May 22, 2026 14:01