Discover RHCL Gateway objects

⏱ ~10 min

NeuroFace traffic enters through the Gateway API on the hub — not traditional OpenShift Routes. Understanding these CRs explains how hub ingress reaches spoke workloads over Red Hat Service Interconnect (Skupper).

Gateway Routing

Inspect the Gateway CR

hub-login guest (register first)
oc get gateway -n neuroface-gateway-system
oc get gateway neuroface-gateway -n neuroface-gateway-system -o yaml | head -25

# charts/all/neuroface-gateway/templates/gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: neuroface-gateway
  namespace: neuroface-gateway-system
spec:
  gatewayClassName: istio
  listeners:
    - name: http
      port: 8080
      protocol: HTTP

Inspect HTTPRoute with 50/50 weights (NeuroFace app)

The main NeuroFace UI route (neuroface-app-lb) uses equal east/west weights by default. Other routes (for example neuroface-cv-lb) may use different weights — check values-hub.yaml or the live HTTPRoute spec.

# charts/all/neuroface-gateway/templates/httproute-app.yaml (excerpt)
spec:
  rules:
    - backendRefs:
        - name: neuroface-app-east
          port: 8080
          weight: 50
        - name: neuroface-app-west
          port: 8080
          weight: 50

oc get httproute -n neuroface-gateway-system
oc get httproute neuroface-app-lb -n neuroface-gateway-system -o yaml | grep -A20 'backendRefs'

ExternalName Services (Skupper endpoints)

# charts/all/neuroface-gateway/templates/external-services.yaml (excerpt)
spec:
  type: ExternalName
  externalName: neuroface-app-east.service-interconnect.svc.cluster.local

Observe load balancing

for i in $(seq 1 10); do
  curl -sk -o /dev/null -w "Request $i: HTTP %{http_code}\n" \
    https://neuroface.apps.cluster.example.com/
done
Expected output
Request 1: HTTP 200
Request 2: HTTP 200
...
Request 10: HTTP 200

If you get HTTP 503, the spoke NeuroFace pods may not be running yet. Verify with oc get pods -n neuroface on the spoke. The cluster badge in the NeuroFace UI shows which spoke is serving: EAST (green), WEST (yellow), or HUB (blue fallback).

Inspect response headers

curl -sk -D- https://neuroface.apps.cluster.example.com/ 2>/dev/null | head -15
Expected output
HTTP/2 200
server: istio-envoy
x-envoy-upstream-service-time: ...
...

Kuadrant AuthPolicy (future extension)

# charts/all/neuroface-gateway/templates/authpolicy.yaml (future extension)
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: neuroface-auth
  namespace: neuroface-gateway-system
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: neuroface-app-lb
  rules:
    authentication:
      apikey:
        selector:
          matchLabels:
            kuadrant.io/apikeys-by: neuroface-api
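
An added example, not part of the workshop's charts: because the AuthPolicy above attaches to a single HTTPRoute, this check lists the routes that no AuthPolicy targets. The function names, the `--live` switch and the sample data are assumptions for illustration; only `kind: HTTPRoute` targets in the route's own namespace are credited, so a policy attached to the Gateway itself is not counted.

```shell
#!/bin/sh
# Added example (not from the workshop repo): report HTTPRoutes that have
# no AuthPolicy attached. Assumption: only targetRef.kind == HTTPRoute is
# credited, and a policy only covers routes in its own namespace.

# unprotected_routes ROUTES TARGETS
#   ROUTES   newline-separated "namespace/name", one per HTTPRoute
#   TARGETS  newline-separated "namespace/kind/name", one per AuthPolicy
# Prints every route for which no matching AuthPolicy target exists.
unprotected_routes() (
  routes="$1"; targets="$2"
  printf '%s\n' "$routes" | while IFS= read -r route; do
    [ -n "$route" ] || continue
    ns="${route%%/*}"; name="${route#*/}"
    # Exact, fixed-string, whole-line match on namespace/kind/name.
    printf '%s\n' "$targets" | grep -qxF -- "$ns/HTTPRoute/$name" \
      || printf '%s\n' "$route"
  done
)

# Collect both lists from the hub (needs an oc login). If the AuthPolicy
# CRD is absent, the target list is empty and every route is reported.
live_audit() {
  r=$(oc get httproute -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{"\n"}{end}')
  t=$(oc get authpolicy -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.spec.targetRef.kind}{"/"}{.spec.targetRef.name}{"\n"}{end}' 2>/dev/null)
  unprotected_routes "$r" "$t"
}

# Constructed sample data: the two route names appear in this lab, but the
# namespace of neuroface-cv-lb is assumed.
SAMPLE_ROUTES='neuroface-gateway-system/neuroface-app-lb
neuroface-gateway-system/neuroface-cv-lb'
SAMPLE_TARGETS='neuroface-gateway-system/HTTPRoute/neuroface-app-lb'

if [ "${1:-}" = "--live" ]; then
  live_audit
else
  echo "Routes without an AuthPolicy (constructed sample):"
  unprotected_routes "$SAMPLE_ROUTES" "$SAMPLE_TARGETS"
fi
```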

View all Gateway API objects

hub-login guest (register first)
echo "=== Gateways ==="
oc get gateway -A
echo "=== HTTPRoutes ==="
oc get httproute -A
echo "=== Services (ExternalName) ==="
oc get svc -n neuroface-gateway-system -o custom-columns=NAME:.metadata.name,TYPE:.spec.type,EXTERNAL:.spec.externalName
Expected output
=== Gateways ===
NAMESPACE                   NAME                CLASS   ADDRESS   PROGRAMMED
neuroface-gateway-system    neuroface-gateway   istio   ...       True

=== HTTPRoutes ===
NAMESPACE                   NAME               HOSTNAMES
neuroface-gateway-system    neuroface-app-lb   [neuroface.apps....]

=== Services (ExternalName) ===
NAME                  TYPE           EXTERNAL
neuroface-app-east    ExternalName   neuroface-app-east.service-interconnect.svc.cluster.local
neuroface-app-west    ExternalName   neuroface-app-west.service-interconnect.svc.cluster.local

The Gateway shows PROGRAMMED: True only when the Istio control plane is running in istio-system. If it shows Unknown, check that the servicemesh-config ArgoCD app is Healthy.

What you learned

  • Gateway API CRs replace OCP Routes for NeuroFace ingress

  • HTTPRoute weights distribute traffic across east and west spokes

  • ExternalName Services bridge hub gateway to Skupper endpoints