Gateway API
The Kubernetes Gateway API is an alternative to Ingress for exposing TDP components externally. TDP charts support both models; the choice depends on what is installed in the cluster.
See Prerequisites — Ingress and Gateway API to understand when to use each approach and how to verify cluster readiness.
How it works in TDP charts
Each TDP chart exposes two mutually exclusive control parameters:
TDPConfiguration:
gateway:
ingress:
enabled: false # Standard Kubernetes Ingress
gatewayApi:
enabled: true # Kubernetes Gateway API (HTTPRoute)
When gatewayApi.enabled: true, the chart creates an HTTPRoute resource that attaches to a Gateway already installed in the cluster.
parentRefs configuration
The gatewayApi.parentRefs block specifies which Gateway will receive the routes. This configuration is the same for all components:
gatewayApi:
parentRefs:
- name: my-gateway # name of the Gateway resource in the cluster
namespace: gateway-system # namespace where the Gateway is installed
sectionName: https # optional: specific Gateway listener
sectionName is useful when the Gateway has multiple listeners (for example, one for HTTP and one for HTTPS).
Supported components
All components below support Gateway API. The hostnames and port values are chart defaults — replace them with the addresses for your environment.
| Component | Block key | Default hostname | Port | TLS |
|---|---|---|---|---|
| Argo CD | gatewayApi.server | argo.tdp.local | 80 | optional |
| CloudBeaver | gatewayApi.cloudbeaver | cloudbeaver.local | 8978 | optional |
| NiFi | gatewayApi.nifi | — | — | optional |
| OpenMetadata | gatewayApi.openmetadata | — | — | optional |
| Superset | gatewayApi.superset | superset.tdp.local | 8088 | optional |
| Trino | gatewayApi.trino | trino.tdp.local | 8080 | optional |
| Ozone — OM UI | gatewayApi.om | ozone-om.local | 9874 | optional |
| Ozone — SCM UI | gatewayApi.scm | ozone-scm.local | 9876 | optional |
| Ozone — S3 REST | gatewayApi.s3g.rest | ozone-s3.local | 9878 | optional |
| Ozone — S3 Web UI | gatewayApi.s3g.web | ozone-s3-ui.local | 19878 | optional |
Full example — Superset in the tdp-project namespace
TDPConfiguration:
gateway:
ingress:
enabled: false
gatewayApi:
enabled: true
gatewayApi:
parentRefs:
- name: my-gateway
namespace: gateway-system
superset:
enabled: true
hostnames:
- superset.company.com
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- port: 8088
tls:
certificateRefs:
- name: superset-tls
namespace: tdp-project
TLS via Gateway
TLS can be managed by the Gateway itself (termination at the Gateway) instead of being configured per component. In this case, certificateRefs references a Secret containing the certificate:
Example:
gatewayApi:
superset:
tls:
certificateRefs:
- name: superset-tls
namespace: tdp-project
If the Gateway is already configured for TLS termination, certificateRefs can be omitted.
Troubleshooting
| Problem | What to check |
|---|---|
HTTPRoute created but no traffic | Verify parentRefs.name and namespace point to the correct Gateway |
| Gateway rejects the route | Confirm the Gateway listener allows the component's namespace (allowedRoutes) |
| Hostname not resolving | DNS must point to the Gateway IP/endpoint, not the component's Service |
| TLS failure | Check that the Secret referenced in certificateRefs exists in the specified namespace |
gatewayclass not found | Run kubectl get gatewayclass to confirm the controller is installed |