Merge pull request #3661 from manics/gateway

Add support for K8S Gateway API (`httpRoute` config)

Author: consideRatio

.github/workflows/test-chart.yaml

@@ -394,3 +394,92 @@ jobs:
         if: failure() && matrix.setup-postgresql-args
         run: |
           kubectl logs statefulset/postgresql
+
+  test-gateway-ingress:
+    # The main test configures autohttps, but this conflicts with testing
+    # ingress/gateway which assume they can directly connect to proxy-public
+    # This is a minimal test that checks connections via a gateway is possible
+    timeout-minutes: 20
+
+    strategy:
+      # Keep running even if one variation of the job fail
+      fail-fast: false
+      matrix:
+        ingress-type:
+          - gateway
+          - ingress
+
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # chartpress requires git history to set chart version and image tags
+          # correctly
+          fetch-depth: 0
+
+      # Enable Gateway API in K3s
+      # https://github.com/k3s-io/k3s/issues/12183#issuecomment-2818989109
+      # This will create gateway.networking.k8s.io/v1 kube-system/traefik-gateway
+      - name: pre-configure k3s installation
+        if: matrix.ingress-type == 'gateway'
+        run: |
+          sudo mkdir -p /var/lib/rancher/k3s/server/manifests
+          sudo cp ci/traefik-config.yaml /var/lib/rancher/k3s/server/manifests/
+
+      # Starts a k8s cluster with NetworkPolicy enforcement and installs both
+      # kubectl and helm
+      #
+      # ref: https://github.com/jupyterhub/action-k3s-helm/
+      - uses: jupyterhub/action-k3s-helm@v4
+        with:
+          k3s-channel: stable
+          metrics-enabled: false
+          traefik-enabled: true
+          docker-enabled: true
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      # Build our images if needed and update values.yaml with the tags
+      - name: Install and run chartpress
+        run: |
+          pip3 install -r dev-requirements.txt
+          chartpress
+        env:
+          DOCKER_BUILDKIT: "1"
+
+      - name: Install local chart (gateway)
+        if: matrix.ingress-type == 'gateway'
+        run: >-
+          helm upgrade --install jupyterhub ./jupyterhub
+          --set proxy.service.type=ClusterIP
+          --set httpRoute.enabled=true
+          --set httpRoute.gateway.name=traefik-gateway
+          --set httpRoute.gateway.namespace=kube-system
+
+      # K3S traefik listens on host:80/443
+      - name: Install local chart (ingress)
+        if: matrix.ingress-type == 'ingress'
+        run: >-
+          helm upgrade --install jupyterhub ./jupyterhub
+          --set proxy.service.type=ClusterIP
+          --set ingress.enabled=true
+          --set ingress.hosts[0]=localhost
+
+      - name: "Await local chart"
+        uses: jupyterhub/action-k8s-await-workloads@v3
+        with:
+          timeout: 150
+          max-restarts: 1
+
+      - name: Test ingress
+        run: |
+          curl -vL http://localhost/
+          curl -vL http://localhost/ | grep '<title>JupyterHub</title>'
+
+      - name: Get traefik logs
+        if: always()
+        run: |
+          kubectl -nkube-system logs deploy/traefik

ci/traefik-config.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  valuesContent: |-
+    providers:
+      kubernetesGateway:
+        enabled: true
+    gateway:
+      listeners:
+        web:
+          # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces
+          namespacePolicy: All
+    logs:
+      access:
+        enabled: true

jupyterhub/templates/NOTES.txt

@@ -62,8 +62,13 @@
     Try secure HTTPS access: https://{{ $host }}{{ $.Values.hub.baseUrl | trimSuffix "/" }}/
     {{- end }}
     {{- end }}
+  {{- else if .Values.httpRoute.enabled }}
+    {{- range $host := (.Values.httpRoute.hostnames | default (list "localhost")) }}
+    Try insecure HTTP access: http://{{ $host }}{{ $.Values.hub.baseUrl | trimSuffix "/" }}/
+    or secure HTTP access: https://{{ $host }}{{ $.Values.hub.baseUrl | trimSuffix "/" }}/ if supported by your Gateway
+    {{- end }}
   {{- else }}
-    You have not configured a k8s Ingress resource so you need to access the k8s
+    You have not configured a k8s Ingress or Gateway resource so you need to access the k8s
     Service {{ $proxy_service }} directly.
     {{- println }}
 

jupyterhub/templates/_helpers-names.tpl

@@ -230,6 +230,14 @@
     {{- end }}
 {{- end }}
 
+{{- /* HTTPRoute */}}
+{{- define "jupyterhub.httpRoute.fullname" -}}
+    {{- if (include "jupyterhub.fullname" .) }}
+        {{- include "jupyterhub.fullname" . }}
+    {{- else -}}
+        jupyterhub
+    {{- end }}
+{{- end }}
 
 
 {{- /*

jupyterhub/templates/httproute.yaml

@@ -0,0 +1,27 @@
+{{- if .Values.httpRoute.enabled -}}
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1
+metadata:
+  name: {{ include "jupyterhub.httpRoute.fullname" . }}
+  labels:
+    {{- include "jupyterhub.labels" . | nindent 4 }}
+  {{- with .Values.httpRoute.annotations }}
+  annotations:
+    {{- . | toYaml | nindent 4 }}
+  {{- end }}
+spec:
+  parentRefs:
+    - kind: Gateway
+      name: {{ .Values.httpRoute.gateway.name }}
+      {{- with .Values.httpRoute.gateway.namespace }}
+      namespace: "{{ . }}"
+      {{- end }}
+  {{- with .Values.httpRoute.hostnames }}
+  hostnames:
+    {{- . | toYaml | nindent 4 }}
+  {{- end }}
+  rules:
+    - backendRefs:
+        - name: proxy-public
+          port: 80
+{{- end }}

jupyterhub/values.schema.yaml

@@ -2790,6 +2790,47 @@ properties:
           See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types)
           for more details about paths.
 
+  httpRoute:
+    type: object
+    additionalProperties: false
+    required: [enabled]
+    properties:
+      enabled:
+        type: boolean
+        description: |
+          Enable the creation of a Kubernetes HTTPRoute to the proxy-public service.
+
+          Requires support for the [Gateway API](https://gateway-api.sigs.k8s.io/).
+
+          A Gateway must already exist.
+      annotations:
+        type: object
+        additionalProperties: false
+        patternProperties: *labels-and-annotations-patternProperties
+        description: |
+          Annotations to apply to the HTTPRoute resource.
+
+          See [the Kubernetes
+          documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
+          for more details about annotations.
+      hostnames:
+        type: array
+        description: |
+          List of hosts to route requests to the proxy, if empty route all requests regardless of host.
+      gateway:
+        type: object
+        additionalProperties: false
+        required: [name]
+        properties:
+          name:
+            type: string
+            description: |
+              The name of your Gateway for this route.
+          namespace:
+            type: string
+            description: |
+              The namespace the Gateway is running in.
+
   prePuller:
     type: object
     additionalProperties: false

jupyterhub/values.yaml

@@ -714,6 +714,14 @@ ingress:
   tls: []
   extraPaths: []
 
+httpRoute:
+  enabled: false
+  annotations: {}
+  hostnames: []
+  gateway:
+    name: your-gateway
+    namespace: "" # required for a gateway resource in another namespace
+
 # cull relates to the jupyterhub-idle-culler service, responsible for evicting
 # inactive singleuser pods.
 #

tools/templates/lint-and-validate-values.yaml

@@ -580,7 +580,7 @@ ingress:
   enabled: true
   annotations: *annotations
   ingressClassName: mock-ingress-class-name
-  hosts:
+  hosts: &ingress-hosts
     - mocked1.domain.name
     - mocked2.domain.name
   pathSuffix: dummy-pathSuffix
@@ -606,6 +606,16 @@ ingress:
         - mocked1.domain.name
         - mocked2.domain.name
 
+httpRoute:
+  # enabled set to false while awaiting HTTPRoute becoming available by default
+  # in our testing infra
+  enabled: false
+  annotations: *annotations
+  hostnames: *ingress-hosts
+  gateway:
+    name: gateway-name
+    namespace: gateway-namespace
+
 cull:
   enabled: true
   users: true