Kubernetes Gateway API

NVIDIA Run:ai supports the Kubernetes Gateway API as an alternative to Ingress for routing external traffic. Gateway API provides a flexible and extensible model for defining how traffic is exposed and routed within the cluster.

This page builds on the concepts described in Routing Traffic to and from NVIDIA Run:ai Services, including FQDN configuration, TLS certificates, and routing behavior.

Note

Gateway API support in NVIDIA Run:ai is optional. If you are currently using HAProxy Ingress or other ingress controllers, no action is required. Customers who wish to adopt Gateway API may do so using the instructions on this page.

Scope and Prerequisites

Before proceeding, ensure that the following prerequisites are already configured:

Fully Qualified Domain Names (FQDN) for:
- Control plane access
- Development workspaces and training workloads
- Inference workloads
TLS certificates associated with the configured FQDNs

These configurations are described in the Routing Traffic to and from NVIDIA Run:ai Services section.

Routing Modes in NVIDIA Run:ai

NVIDIA Run:ai supports two routing approaches for exposing services: host-based routing and path-based routing.

Different NVIDIA Run:ai services use these routing approaches as follows:

Service

Routing Mode

Example

Control plane

Host-based (single domain)

https://runai.mycorp.local

Inference workloads

Host-based (wildcard subdomains)

https://<service>.runai-inference.mycorp.local

Workspaces & training workloads

Host-based or path-based

See section below

Installing a Gateway Controller

NVIDIA Run:ai supports any conformant Gateway API implementation. The example below uses KGateway. If you are using a different conformant controller, follow its installation documentation and then proceed to the migration steps.

Install the Gateway API CRDs:

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml

Install the KGateway CRDs:

helm upgrade -i --create-namespace \
  --namespace kgateway-system \
  --version v2.2.1 \
  kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds

Install the KGateway controller:

helm upgrade -i -n kgateway-system kgateway \
  oci://cr.kgateway.dev/kgateway-dev/charts/kgateway \
  --version v2.2.1

Ensure that the Gateway controller is running before proceeding.

Routing Traffic for Workspaces and Training Workloads

The following sections describe how development workspaces and training workloads are exposed using Gateway API.

Depending on the selected routing mode, these workloads are accessed differently:

In host-based routing, each development workspace and training workload is exposed using its own subdomain:
```
https://<project>-<workload>.<CLUSTER_URL>
```
In path-based routing, development workspaces and training workloads are exposed under a shared domain using URL paths:
```
https://runai.mycorp.local/<project>/<workload>
```

This distinction determines the required FQDN structure, TLS certificates, and Gateway configuration described in the sections below.

Gateway API with Host-Based Routing

In this configuration:

Development workspaces and training workloads are exposed using subdomains
A wildcard FQDN is required (e.g., *.runai.mycorp.local)
A wildcard TLS certificate is required for those workloads
The Gateway includes listeners for:
- The cluster domain (control plane access)
- Wildcard subdomains (workspace and training workloads)

Gateway Configuration

Note

Routing is based on hostnames (subdomains). HTTPRoute resources for the control plane and workloads are created automatically by NVIDIA Run:ai and bind to the configured Gateway.

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: runai-gateway
  namespace: runai
spec:
  gatewayClassName: kgateway
  listeners:
  - name: https-cluster-domain
    protocol: HTTPS
    port: 443
    hostname: "<CLUSTER_DOMAIN>"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: runai-cluster-domain-tls-secret

  - name: https-workloads
    protocol: HTTPS
    port: 443
    hostname: "*.<CLUSTER_DOMAIN>"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: runai-cluster-domain-star-tls-secret

Gateway API with Path-Based Routing

In this configuration:

Development workspaces and training workloads are exposed under a single domain using URL paths
A wildcard FQDN is not required for workspace and training workloads
A wildcard TLS certificate is not required for workspace and training workloads
The Gateway uses a single domain listener for these services

Ensure that host-based routing is disabled using the following. For more details, see Advanced cluster configurations.

clusterConfig.global.subdomainSupport: false

Gateway Configuration

Note

Routing is based on URL paths under a shared domain. HTTPRoute resources for the control plane and workloads are created automatically by NVIDIA Run:ai and bind to the configured Gateway.

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: runai-gateway
  namespace: runai
spec:
  gatewayClassName: kgateway
  listeners:
  - name: https-cluster-domain
    protocol: HTTPS
    port: 443
    hostname: "<CLUSTER_DOMAIN>"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: runai-cluster-domain-tls-secret

Inference Routing with Gateway API

Inference workloads are always exposed using host-based routing, regardless of the selected routing mode for development workspaces and training workloads.

Inference endpoints are accessed via dedicated subdomains, for example:

https://<service>.runai-inference.mycorp.local

To enable inference routing with Gateway API:

A wildcard FQDN must be configured for inference (e.g., *.runai-inference.mycorp.local)
A wildcard TLS certificate must be configured for that domain
The Gateway must include a listener for the inference subdomain
Knative Serving must be configured to route inference traffic from the Gateway to inference workloads

TLS Certificate

Ensure that a wildcard TLS certificate for inference is created:

Secret name: runai-cluster-inference-tls-secret
Namespace: runai

Replace /path/to/inference-fullchain.pem and /path/to/inference-private.pem with the actual paths to your certificate and private key:

kubectl create secret tls runai-cluster-inference-tls-secret -n runai \
    --cert /path/to/inference-fullchain.pem \
    --key /path/to/inference-private.pem

Gateway Configuration

Note

Routing to inference workloads is based on hostnames (subdomains).

Add an inference listener to the existing Gateway resource:

- name: https-inference
  protocol: HTTPS
  port: 443
  hostname: "*.runai-inference.<CLUSTER_DOMAIN>"
  tls:
    mode: Terminate
    certificateRefs:
    - kind: Secret
      name: runai-cluster-inference-tls-secret

Configure Knative Serving

NVIDIA Run:ai supports Knative-based inference workloads. Inference traffic arrives at the Gateway and is forwarded to Knative Serving through Kourier, which routes it to the individual inference endpoints. The following steps install Knative Serving and configure the HTTPRoute to connect the Gateway to Kourier. Knative versions 1.19 to 1.21 are supported.

Install Knative Serving. Follow the Installing Knative instructions or run:

helm repo add knative-operator https://knative.github.io/operator
helm install knative-operator --create-namespace --namespace knativeoperator --version 1.18.2 knative-operator/knative-operator

Create the knative-serving namespace:
```
kubectl create ns knative-serving
```

Create a YAML file named knative-serving.yaml and replace the placeholder FQDN with your wildcard inference FQDN (for example, runai-inference.mycorp.local):

apiVersion: operator.knative.dev/v1beta1
kind: KnativeServing
metadata:
  name: knative-serving
  namespace: knative-serving
spec:
  config:
    config-autoscaler:
      enable-scale-to-zero: "true"
    config-features:
      kubernetes.podspec-affinity: enabled
      kubernetes.podspec-init-containers: enabled
      kubernetes.podspec-persistent-volume-claim: enabled
      kubernetes.podspec-persistent-volume-write: enabled
      kubernetes.podspec-schedulername: enabled
      kubernetes.podspec-securitycontext: enabled
      kubernetes.podspec-tolerations: enabled
      kubernetes.podspec-volumes-emptydir: enabled
      kubernetes.podspec-fieldref: enabled
      kubernetes.containerspec-addcapabilities: enabled
      kubernetes.podspec-nodeselector: enabled
      multi-container: enabled
      kubernetes.podspec-hostipc: enabled
      kubernetes.podspec-hostnetwork: enabled
    domain:
      runai-inference.mycorp.local: "" # replace with the wildcard FQDN for Inference
    network:
      domainTemplate: '{{.Name}}-{{.Namespace}}.{{.Domain}}'
      ingress-class: kourier.ingress.networking.knative.dev
      default-external-scheme: https
  high-availability:
    replicas: 2
  ingress:
    kourier:
      enabled: true

Apply the changes:
```
kubectl apply -f knative-serving.yaml
```

Create a YAML file named knative-httproute.yaml to route inference traffic from the Gateway to the Kourier service. Replace the FQDN placeholder with your wildcard inference FQDN:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: knative-serving-httproute
  namespace: knative-serving
spec:
  parentRefs:
    - name: runai-gateway
      namespace: runai
  hostnames:
    - "*.runai-inference.mycorp.local" # replace with the wildcard FQDN for Inference
  rules:
    - matches:
      - path:
          type: PathPrefix
          value: /
      backendRefs:
        - name: kourier
          port: 80

Apply the changes:
```
kubectl apply -f knative-httproute.yaml
```

Install the OpenShift Serverless Operator. Follow the Installing the OpenShift Serverless Operator instructions. Once installed, follow the steps below.
Create the knative-serving project:
```
oc new-project knative-serving
```

Create a YAML file named knative-serving.yaml:

apiVersion: operator.knative.dev/v1beta1
kind: KnativeServing
metadata:
  finalizers:
    - knative-serving-openshift
    - knativeservings.operator.knative.dev
  name: knative-serving
  namespace: knative-serving
spec:
  config:
    config-features:
      kubernetes.podspec-tolerations: enabled
      kubernetes.podspec-volumes-emptydir: enabled
      kubernetes.podspec-persistent-volume-claim: enabled
      multi-container: enabled
      kubernetes.podspec-persistent-volume-write: enabled
      kubernetes.podspec-fieldref: enabled
      kubernetes.podspec-schedulername: enabled
      kubernetes.podspec-nodeselector: enabled
      kubernetes.podspec-init-containers: enabled
      kubernetes.podspec-securitycontext: enabled
      kubernetes.podspec-affinity: enabled
      kubernetes.containerspec-addcapabilities: enabled
  controller-custom-certs:
    name: ''
    type: ''
  registry: {}

Apply the changes:
```
oc apply -f knative-serving.yaml
```

Create a YAML file named knative-httproute.yaml to route inference traffic from the Gateway to the Kourier service. Replace the FQDN placeholder with your wildcard inference FQDN:

Note

OpenShift's Ingress Operator automatically creates DNS records for Gateway listeners, so no manual DNS configuration is required for the inference subdomain.

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: knative-serving-httproute
  namespace: knative-serving
spec:
  parentRefs:
    - name: openshift-default
      namespace: openshift-ingress
  hostnames:
    - "*.runai-inference.mycorp.local" # replace with the wildcard FQDN for Inference
  rules:
    - matches:
      - path:
          type: PathPrefix
          value: /
      backendRefs:
        - name: kourier
          port: 80

Apply the changes:
```
oc apply -f knative-httproute.yaml
```

Introduce the Gateway API to NVIDIA Run:ai Services

To enable NVIDIA Run:ai to route traffic through the configured Gateway, both the control plane and the cluster must be updated to reference the Gateway.

At this stage, traffic is still served through the existing Ingress. The Gateway is introduced alongside the current setup and will become active only after DNS is updated in a later step.

Configure the NVIDIA Run:ai Cluster

helm upgrade runai-cluster -n runai runai/runai-cluster \
  --reuse-values \
  --set-string clusterConfig.global.gatewayAPI.enabled=true \
  --set-string clusterConfig.global.gatewayAPI.name=<gateway-name> \
  --set-string clusterConfig.global.gatewayAPI.namespace=<gateway-namespace>

Verify Gateway Configuration

kubectl get gateway -n runai

kubectl get httproute -A

Test connectivity:

curl -H "Host: <CLUSTER_DOMAIN>" https://<gateway-ip>/

Switch Traffic to Gateway

Before switching traffic, ensure that the NVIDIA Run:ai control plane and cluster are already configured to use the Gateway API.

Update DNS:

<CLUSTER_DOMAIN> -> Gateway IP
*.<CLUSTER_DOMAIN> -> Gateway IP

Traffic is routed based on DNS configuration. Until DNS records are updated to point to the Gateway IP, all traffic continues to be served through the existing Ingress.

nslookup <CLUSTER_DOMAIN>

curl https://<CLUSTER_DOMAIN>/

Disable Ingress on the cluster:

helm upgrade runai-cluster -n runai runai/runai-cluster \
  --reuse-values \
  --set-string clusterConfig.global.ingress.enabled=false

Rollback to Ingress

To roll back to Ingress, re-enable Ingress and disable Gateway API on both the cluster and the control plane. Then update DNS records to point back to the Ingress IP.

helm upgrade runai-cluster -n runai runai/runai-cluster \
  --reuse-values \
  --set-string clusterConfig.global.ingress.enabled=true \
  --set-string clusterConfig.global.gatewayAPI.enabled=false

Update DNS records for <CLUSTER_DOMAIN> and *.<CLUSTER_DOMAIN> to point back to the Ingress IP.

PreviousVertical Pod Autoscaling (VPA)NextContainer Access

Last updated 15 days ago