Cephalon.Edge.Traefik
Maturity: M3 · Ownership: provider-managed · Family: edge · See audit, matrix.
Cephalon.Edge.Traefik is the second provider-specific control-plane materializer pack for Cephalon cell traffic automation. It proves that the shared provider-materializer seam is not overfit to Kubernetes Gateway API: the pack projects truthful Traefik IngressRoute intent and, when enabled, overlays live Traefik CRD observation, ownership-aware IngressRoute apply-and-reconcile posture, typed provider materialization conditions, and additive cleanup sweeps for both primary routes and safe owned dependents back onto the same shared runtime surfaces, without moving Traefik-specific assumptions into Cephalon.Engine.
What it owns
- TraefikTrafficMaterializerOptions, TraefikTrafficObservationModes, TraefikTrafficObservationOptions, TraefikIngressRouteOptions, and TraefikMiddlewareReferenceOptions for declarative Traefik IngressRoute projection plus opt-in live observation, apply-and-reconcile execution, or cleanup sweeps
- the AddTraefikTrafficMaterializer(...) registration entry point for attaching the pack to an EngineBuilder
- a provider-specific ICellTrafficAutomationProviderMaterializer implementation for providerId = "traefik"
- deterministic projection of selected cell routes into Traefik IngressRoute intent, including entry points, match rules, middleware references, backend Service references, and TLS options
- opt-in observe-only polling over Traefik IngressRoute, Middleware, TLSOption, Secret, and backend Service resources so live ownership, dependency, drift, freshness, and cleanup posture can flow back into the shared runtime catalog
- opt-in apply-and-reconcile ownership over Traefik IngressRoute resources only, while treating referenced Middleware, TLSOption, Secret, and backend Service resources as pre-provisioned dependencies for steady-state writes
- namespace-scoped cleanup sweeps in apply-and-reconcile mode that can delete transferred IngressRoute resources, prune orphaned Cephalon-owned routes, and remove safe owned Middleware or TLSOption dependents that no longer map to active projections without inventing a second lifecycle registry
- the traefik-ingressroute-traffic-materializations technology surface under cell-based-architecture
- truthful operator metadata such as providerRouteId, ingressRouteNamespace, ingressRouteName, entryPoints, matchRule, middlewareRefs, serviceRefs, tlsSecretName, tlsOptionsRef, statusSource, observationMode, ingressRouteWriteAction, freshness metadata, typed provider MaterializationConditions, additive cleanup-sweep summaries such as cleanupState, cleanupObservedAtUtc, cleanup.cleanupStrategy, cleanup.primaryCandidateCount, cleanup.dependencyCandidateCount, the shared ownership/dependency/drift/lifecycle-action vocabulary, and additive condition summaries such as providerMaterialization.conditionCount plus providerMaterialization.highestConditionSeverity
Main surfaces
- Configuration/TraefikTrafficMaterializerOptions.cs
- Configuration/TraefikTrafficObservationModes.cs
- Configuration/TraefikTrafficObservationOptions.cs
- Configuration/TraefikIngressRouteOptions.cs
- Configuration/TraefikMiddlewareReferenceOptions.cs
- Modules/TraefikTrafficMaterializerModule.cs
- Registration/TraefikEngineBuilderExtensions.cs
- Services/TraefikTrafficAutomationMaterializer.cs
- Services/TraefikTrafficObservationHostedService.cs
- Services/TraefikTrafficObservationSource.cs
- Services/TraefikTrafficProjectionBuilder.cs
- Services/TraefikTrafficMaterializationRuntimeContributor.cs
How it fits
This pack sits on top of the shared Phase 13 cell-traffic contract instead of replacing it.
Cephalon.Abstractions still owns ICellTrafficAutomationProviderMaterializer,
CellTrafficAutomationRuntimeDescriptor, and the shared provider-materialization result and state
contracts. Cephalon.Engine still owns route ownership, health-isolation validation, deterministic
materializer selection, startup reconciliation, and the canonical /engine/cell-traffic-automations*
plus snapshot.CellTrafficAutomations truth. Cephalon.Edge.Traefik only answers one
provider-specific question: how should a provider-managed automation targeting
providerId = "traefik" project into Traefik IngressRoute intent and, when observation is
enabled, how should the pack read live CRD posture or owned IngressRoute write posture back into
that same shared truth?
This pack currently ships three truthful modes:
- default configured-intent, which reports providerAction = projected-intent, observationMode = configured-intent, statusSource = configured-intent, ownershipState = requested, dependencyState = unknown, driftState = unknown, and lifecycleAction = project, with resourceState = projection-only while publishing deterministic Traefik IngressRoute intent without claiming live cluster state or successful control-plane writes; the shared provider materialization state stays pending
- opt-in observe-only, which reports providerAction = observe-only, observationMode = observe-only, statusSource = traefik-ingressroute-observation, and lifecycleAction = observe while polling live Traefik CRDs and dependent Kubernetes resources so the shared provider materialization state can move to applied, pending, or failed based on observed route existence, dependency readiness, ownership, drift, and freshness instead of staying projection-only
- opt-in apply-and-reconcile, which reports providerAction = apply-and-reconcile, observationMode = apply-and-reconcile, and statusSource = control-plane-apply during owned write attempts before merging the resulting ingressRouteWriteAction together with live statusSource = traefik-ingressroute-observation posture; the pack only creates or replaces IngressRoute resources that Cephalon already owns, is creating from scratch, or can adopt from stale or incomplete Cephalon ownership metadata; existing unmanaged routes and active foreign owners stay blocked as ownership conflicts, while the merged provider answer keeps the last write lifecycle action (create, replace, or transfer) instead of collapsing every successful reconciliation back to observe
- optional cleanup sweeps inside apply-and-reconcile, which publish additive cleanup* metadata after namespace-scoped delete or prune passes while leaving the primary provider lifecycle answer grounded in the selected route’s actual materialization state and truthfully publishing cleanupStrategy = primary-and-owned-dependencies plus primary/dependency cleanup breakdowns
What this proves is that a second provider family can publish selected materializer ownership, provider-facing route identity, middleware and TLS intent, a typed condition taxonomy, and the same requested or observed lifecycle truth back onto the shared automation catalog without inventing a provider-local traffic registry.
When the pack owns an automation answer, operators can inspect the same route through:
- /engine/cell-traffic-automations
- /engine/cell-traffic-automations/providers/traefik
- /engine/technology-surfaces/cell-based-architecture
- /engine/snapshot
The technology surface entry lives under surfaceId = "traefik-ingressroute-traffic-materializations"
and carries one provider-facing projection per selected route, including the projected or observed
providerRouteId, entry points, route match, middleware references, backend service reference, TLS
intent, resource existence, dependency posture, ingressRouteWriteAction, freshness metadata, and
additive cleanup-sweep metadata such as cleanupState, cleanup.cleanupStrategy,
cleanup.primaryCandidateCount, cleanup.dependencyCandidateCount, and cleanup.lifecycleActions. The shared
automation answer for the same route now also carries typed provider conditions through
CellTrafficAutomationRuntimeDescriptor.MaterializationConditions plus additive summaries such as
materialization.conditionCount, materialization.highestConditionSeverity,
providerMaterialization.conditionCategories, and providerMaterialization.conditionBreakdown.
Registration
```csharp
engine.AddTraefikTrafficMaterializer(options =>
{
    options.RouteNamespace = "edge-traefik";
    options.EntryPoints.Add("websecure");
    options.Observation.Mode = TraefikTrafficObservationModes.ObserveOnly;
    options.Observation.KubeConfigPath = "/etc/cephalon/traefik-kubeconfig";
    options.Observation.PollingIntervalSeconds = 30;

    options.Routes.Add(new TraefikIngressRouteOptions
    {
        RouteId = "orders-to-public-ingress",
        IngressRouteName = "orders-public-ingress",
        MatchRule = "Host(`orders.example.com`) && PathPrefix(`/orders`)",
        BackendNamespace = "orders-runtime",
        BackendServiceName = "orders-api",
        BackendPort = 8443,
        BackendWeight = 100,
        BackendScheme = "https",
        PassHostHeader = true,
        TlsSecretName = "orders-public-tls",
        TlsOptionsName = "strict-mtls",
        TlsOptionsNamespace = "edge-security"
    });

    options.Routes[0].Middlewares.Add(new TraefikMiddlewareReferenceOptions { Name = "secure-headers" });
    options.Routes[0].Middlewares.Add(new TraefikMiddlewareReferenceOptions { Name = "orders-rate-limit", Namespace = "edge-security" });
});
```

Use this pack alongside the shared cell baseline:

```csharp
engine.UseConfiguration(configuration);
engine.AddTraefikTrafficMaterializer(...);
```

```json
{
  "Engine": {
    "Cells": {
      "TrafficAutomation": {
        "Routes": [
          {
            "RouteId": "orders-to-public-ingress",
            "AutomationMode": "automatic",
            "TriggerMode": "source-or-target-health",
            "ActionMode": "shed-load",
            "MaterializationMode": "provider-managed",
            "ProviderId": "traefik"
          }
        ]
      }
    }
  }
}
```

The route must still exist on the shared ICellRouteCatalog, and the engine still decides whether
this pack is the selected provider materializer for that route.
Enable cleanup sweeps when the same apply-and-reconcile loop should also delete transferred routes or prune orphaned Cephalon-owned routes that no longer map to an active automation:
```csharp
engine.AddTraefikTrafficMaterializer(options =>
{
    options.Observation.Mode = TraefikTrafficObservationModes.ApplyAndReconcile;
    options.Observation.KubeConfigPath = "/etc/cephalon/traefik-kubeconfig";
    options.Observation.EnableCleanupSweep = true;
    options.Observation.PollingIntervalSeconds = 30;
    options.Observation.StaleAfterSeconds = 90;
});
```

Ownership and cleanup model
- the pack writes only IngressRoute resources
- Middleware, TLSOption, backend Service, and TLS Secret resources remain pre-provisioned dependencies for steady-state apply-and-reconcile; this pack never creates or replaces them
- the pack only replaces an existing IngressRoute when ownership matches the current automation or when stale or incomplete Cephalon ownership metadata marks the route as an orphaned transfer candidate
- existing unmanaged resources and active foreign Cephalon owners fail with an explicit ownership-conflict posture instead of being hijacked silently
- owned routes carry stable Cephalon ownership labels and annotations so later observation can verify ownership truthfully
- merged live observation keeps the last write lifecycle action (create, replace, or transfer) visible on the same shared runtime surfaces instead of collapsing every successful reconciliation back to observe
- optional cleanup sweeps run only when EnableCleanupSweep is true in apply-and-reconcile mode, scan the configured route namespaces, delete stale transferred IngressRoute resources with lifecycleAction = delete, and prune orphaned Cephalon-owned routes with lifecycleAction = prune
- when ownership metadata proves safe delete and no active projection still references them, the same cleanup sweeps can also remove Cephalon-managed Middleware and TLSOption resources that became orphaned or transfer candidates; backend Service and TLS Secret dependencies remain observe-only
- cleanup sweep summaries stay additive through providerMaterialization.cleanup* and traefik-ingressroute-traffic-materializations entries so operators can inspect delete/prune posture without losing the selected route’s primary materialization answer; those summaries now publish cleanupStrategy = primary-and-owned-dependencies plus primary/dependency resource breakdowns
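The write gate that the ownership rules above describe, sketched as an added example; this is not code from Cephalon.Edge.Traefik. The OwnershipGate type, the two annotation keys, and the use of a renewal timestamp with a staleness window to decide when a foreign owner is stale are all assumptions, because the page does not name the real ownership metadata.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

// Hypothetical types: none of these names come from Cephalon.Edge.Traefik.
public enum WriteDecision { Create, Replace, Transfer, OwnershipConflict }

public static class OwnershipGate
{
    // Assumed annotation keys; the page does not name the real ones.
    public const string OwnerKey = "example.invalid/owner-automation";
    public const string RenewedKey = "example.invalid/owner-renewed-utc";

    // existing == null means no IngressRoute with that name was observed.
    public static WriteDecision Decide(IReadOnlyDictionary<string, string>? existing,
        string automationId, DateTimeOffset now, TimeSpan staleAfter)
    {
        if (existing is null) return WriteDecision.Create;
        bool hasOwner = existing.TryGetValue(OwnerKey, out var owner)
            && !string.IsNullOrWhiteSpace(owner);
        bool hasStamp = existing.TryGetValue(RenewedKey, out var raw);
        // No ownership metadata at all: an unmanaged resource, never overwritten.
        if (!hasOwner && !hasStamp) return WriteDecision.OwnershipConflict;

        DateTimeOffset renewed = default;
        bool complete = hasOwner && hasStamp && DateTimeOffset.TryParse(raw,
            CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out renewed);

        if (complete && owner == automationId) return WriteDecision.Replace;
        if (!complete) return WriteDecision.Transfer;       // incomplete metadata
        return now - renewed > staleAfter
            ? WriteDecision.Transfer                        // stale owner: orphaned route
            : WriteDecision.OwnershipConflict;              // active foreign owner
    }
}

public static class Demo
{
    public static void Main()
    {
        var now = DateTimeOffset.Parse("2024-01-01T00:10:00Z", CultureInfo.InvariantCulture);
        var window = TimeSpan.FromSeconds(90);
        // Constructed sample: a route another automation renewed 30 seconds ago.
        var foreign = new Dictionary<string, string> {
            [OwnershipGate.OwnerKey] = "payments-to-public-ingress",
            [OwnershipGate.RenewedKey] = "2024-01-01T00:09:30Z" };
        Console.WriteLine(OwnershipGate.Decide(foreign, "orders-to-public-ingress", now, window));
        Console.WriteLine(OwnershipGate.Decide(null, "orders-to-public-ingress", now, window));
    }
}
```

The default branch is the conflict: a route is only written when it is absent, provably owned by the same automation, or provably abandoned, which is what keeps an unmanaged or actively owned IngressRoute from being overwritten.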
Current limits
This pack intentionally does not yet claim:
- controller-driven success or policy semantics beyond the shipped typed readiness, ownership, dependency, lifecycle, and observation condition taxonomy plus the current CRD-existence and dependency checks
- TraefikService, parent IngressRoute, or richer multi-layer routing follow-through beyond the single route-rule and Service backend baseline
- broader dependency-aware teardown beyond the shipped IngressRoute plus safe owned Middleware and TLSOption cleanup-sweep baseline; backend Service, TLS Secret, and richer dependent-resource families remain later work
Those remain later follow-through so the current provider claim stays honest.