Discover RHCL Gateway objects
⏱ ~10 min
NeuroFace traffic enters through the Gateway API on the hub — not traditional OpenShift Routes. Understanding these CRs explains how hub ingress reaches spoke workloads over Red Hat Service Interconnect (Skupper).
Inspect the Gateway CR
hub-login guest (register first)
oc get gateway -n neuroface-gateway-system
oc get gateway neuroface-gateway -n neuroface-gateway-system -o yaml | head -25
# charts/all/neuroface-gateway/templates/gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: neuroface-gateway
namespace: neuroface-gateway-system
spec:
gatewayClassName: istio
listeners:
- name: http
port: 8080
protocol: HTTP
Inspect HTTPRoute with 50/50 weights (NeuroFace app)
The main NeuroFace UI route (neuroface-app-lb) uses equal east/west weights by default. Other routes (for example neuroface-cv-lb) may use different weights — check values-hub.yaml or the live HTTPRoute spec.
# charts/all/neuroface-gateway/templates/httproute-app.yaml (excerpt)
spec:
rules:
- backendRefs:
- name: neuroface-app-east
port: 8080
weight: 50
- name: neuroface-app-west
port: 8080
weight: 50
oc get httproute -n neuroface-gateway-system
oc get httproute neuroface-app-lb -n neuroface-gateway-system -o yaml | grep -A20 'backendRefs'
ExternalName Services (Skupper endpoints)
# charts/all/neuroface-gateway/templates/external-services.yaml (excerpt)
spec:
type: ExternalName
externalName: neuroface-app-east.service-interconnect.svc.cluster.local
Observe load balancing
for i in $(seq 1 10); do
curl -sk -o /dev/null -w "Request $i: HTTP %{http_code}\n" \
https://neuroface.apps.cluster.example.com/
done
neuroface-cv-traffic
Expected output
Request 1: HTTP 200
Request 2: HTTP 200
...
Request 10: HTTP 200
If you get HTTP 503, the spoke NeuroFace pods may not be running yet. Verify with oc get pods -n neuroface on the spoke. The cluster badge in the NeuroFace UI shows which spoke is serving: EAST (green), WEST (yellow), or HUB (blue fallback).
|
Kuadrant AuthPolicy (future extension)
# charts/all/neuroface-gateway/templates/authpolicy.yaml (future extension)
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
name: neuroface-auth
namespace: neuroface-gateway-system
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: neuroface-app-lb
rules:
authentication:
apikey:
selector:
matchLabels:
kuadrant.io/apikeys-by: neuroface-api
View all Gateway API objects
hub-login guest (register first)
echo "=== Gateways ==="
oc get gateway -A
echo "=== HTTPRoutes ==="
oc get httproute -A
echo "=== Services (ExternalName) ==="
oc get svc -n neuroface-gateway-system -o custom-columns=NAME:.metadata.name,TYPE:.spec.type,EXTERNAL:.spec.externalName
Expected output
=== Gateways ===
NAMESPACE NAME CLASS ADDRESS PROGRAMMED
neuroface-gateway-system neuroface-gateway istio ... True
=== HTTPRoutes ===
NAMESPACE NAME HOSTNAMES
neuroface-gateway-system neuroface-app-lb [neuroface.apps....]
=== Services (ExternalName) ===
NAME TYPE EXTERNAL
neuroface-app-east ExternalName neuroface-app-east.service-interconnect.svc.cluster.local
neuroface-app-west ExternalName neuroface-app-west.service-interconnect.svc.cluster.local
The Gateway shows PROGRAMMED: True only when the Istio control plane is running in istio-system. If it shows Unknown, check that servicemesh-config ArgoCD app is Healthy.
|
What you learned
-
Gateway API CRs replace OCP Routes for NeuroFace ingress
-
HTTPRoute weights distribute traffic across east and west spokes
-
ExternalName Services bridge hub gateway to Skupper endpoints
Next
Continue with Module 04b — OIDC lab with Keycloak and curl.