feat: support per-route timeout overrides for ingress path rules (#2250)

djeebus · djeebot · github-actions[bot] · web-flow · commit e83bf5f150c6 · 2026-04-06T16:03:38.000-07:00
Co-authored-by: djeebot &lt;djeebot@users.noreply.github.com&gt;
Co-authored-by: github-actions[bot] &lt;github-actions[bot]@users.noreply.github.com&gt;
diff --git a/.editorconfig b/.editorconfig
@@ -7,3 +7,7 @@ ij_yaml_spaces_within_brackets = false
 [*.hcl]
 indent_size = 2
 indent_style = space
+
+[*.toml]
+indent_size = 2
+indent_style = space
diff --git a/iac/modules/job-ingress/jobs/ingress.hcl b/iac/modules/job-ingress/jobs/ingress.hcl
@@ -81,41 +81,31 @@ job "ingress" {
         image        = "traefik:v3.5"
         ports        = ["control", "ingress"]
         args = [
-          # Entry-points that are set internally by Traefik
-          "--entrypoints.web.address=:${ingress_port}",
-          "--entrypoints.traefik.address=:${control_port}",
-
-          # Traefik internals (logging, metrics, ...)
-          "--api.dashboard=true",
-          "--api.insecure=false",
-
-          "--accesslog=true",
-          "--ping=true",
-          "--ping.entryPoint=web",
-          "--metrics=true",
-          "--metrics.otlp=true",
-          "--metrics.otlp.grpc=true",
-          "--metrics.otlp.grpc.endpoint=${otel_collector_grpc_endpoint}",
-          "--metrics.otlp.grpc.insecure=true",
-
-          %{ for arg in additional_args }
-          "${ arg }",
-          %{ endfor }
-
-          # Traefik Nomad provider
-          "--providers.nomad=true",
-          "--providers.nomad.exposedByDefault=false",
-          "--providers.nomad.endpoint.address=${nomad_endpoint}",
-          "--providers.nomad.endpoint.token=${nomad_token}",
-
-          # Traefik Consul provider
-          "--providers.consulcatalog=true",
-          "--providers.consulcatalog.exposedByDefault=false",
-          "--providers.consulcatalog.endpoint.address=${consul_endpoint}",
-          "--providers.consulcatalog.endpoint.token=${consul_token}",
+          "--configFile=/local/traefik.toml",
         ]
       }
 
+      template {
+        data        = <<EOF
+${traefik_config}
+EOF
+        destination = "local/traefik.toml"
+      }
+
+      template {
+        data = "# content ignored, ensures the directory exists"
+        destination = "local/config/.keep"
+      }
+
+%{ for filename, content in config_files }
+      template {
+        data        = <<EOF
+${content}
+EOF
+        destination = "local/config/${filename}"
+      }
+%{ endfor }
+
       resources {
         memory_max = ${memory_mb * 1.5}
         memory     = ${memory_mb}
diff --git a/iac/modules/job-ingress/jobs/traefik.toml b/iac/modules/job-ingress/jobs/traefik.toml
@@ -0,0 +1,35 @@
+[accessLog]
+
+[api]
+  dashboard = true
+  insecure = false
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":${ingress_port}"
+  [entryPoints.traefik]
+    address = ":${control_port}"
+
+[metrics]
+  [metrics.otlp]
+    [metrics.otlp.grpc]
+      endpoint = "${otel_collector_grpc_endpoint}"
+      insecure = true
+
+[ping]
+  entryPoint = "web"
+
+[providers]
+  [providers.consulCatalog]
+    exposedByDefault = false
+    [providers.consulCatalog.endpoint]
+      address = "${consul_endpoint}"
+      token = "${consul_token}"
+  [providers.file]
+    directory = "/local/config"
+    watch = false
+  [providers.nomad]
+    exposedByDefault = false
+    [providers.nomad.endpoint]
+      address = "${nomad_endpoint}"
+      token = "${nomad_token}"
diff --git a/iac/modules/job-ingress/main.tf b/iac/modules/job-ingress/main.tf
@@ -1,3 +1,18 @@
+locals {
+  traefik_config = templatefile("${path.module}/jobs/traefik.toml", {
+    ingress_port = var.ingress_proxy_port
+    control_port = var.ingress_control_port
+
+    nomad_endpoint = var.nomad_endpoint
+    nomad_token    = var.nomad_token
+
+    consul_endpoint = var.consul_endpoint
+    consul_token    = var.consul_token
+
+    otel_collector_grpc_endpoint = var.otel_collector_grpc_endpoint
+  })
+}
+
 resource "nomad_job" "ingress" {
   jobspec = templatefile("${path.module}/jobs/ingress.hcl", {
     count         = var.ingress_count
@@ -6,16 +21,10 @@ resource "nomad_job" "ingress" {
     cpu_count     = var.ingress_cpu_count
     memory_mb     = var.ingress_memory_mb
 
-    ingress_port    = var.ingress_proxy_port
-    control_port    = var.ingress_control_port
-    additional_args = var.additional_traefik_arguments
-
-    nomad_endpoint = var.nomad_endpoint
-    nomad_token    = var.nomad_token
+    ingress_port = var.ingress_proxy_port
+    control_port = var.ingress_control_port
 
-    consul_token    = var.consul_token
-    consul_endpoint = var.consul_endpoint
-
-    otel_collector_grpc_endpoint = var.otel_collector_grpc_endpoint
+    traefik_config = local.traefik_config
+    config_files   = var.traefik_config_files
   })
 }
diff --git a/iac/modules/job-ingress/variables.tf b/iac/modules/job-ingress/variables.tf
@@ -54,6 +54,7 @@ variable "otel_collector_grpc_endpoint" {
   description = "OpenTelemetry collector gRPC endpoint (e.g., localhost:4317)"
 }
 
-variable "additional_traefik_arguments" {
-  type = list(string)
+variable "traefik_config_files" {
+  type        = map(string)
+  description = "Map of filename => content for additional Traefik dynamic configuration files"
 }
diff --git a/iac/provider-aws/main.tf b/iac/provider-aws/main.tf
@@ -193,9 +193,9 @@ module "nomad" {
   admin_token                    = module.init.admin_token
   sandbox_access_token_hash_seed = module.init.sandbox_access_token_hash_seed
 
-  ingress_port                 = local.ingress_port
-  ingress_count                = var.ingress_count
-  additional_traefik_arguments = var.additional_traefik_arguments
+  ingress_port         = local.ingress_port
+  ingress_count        = var.ingress_count
+  traefik_config_files = var.traefik_config_files
 
   client_proxy_count           = var.client_proxy_count
   client_proxy_repository_name = module.init.client_proxy_repository_name
diff --git a/iac/provider-aws/nomad/main.tf b/iac/provider-aws/nomad/main.tf
@@ -73,9 +73,9 @@ module "redis" {
 module "ingress" {
   source = "../../modules/job-ingress"
 
-  ingress_count                = var.ingress_count
-  ingress_proxy_port           = var.ingress_port
-  additional_traefik_arguments = var.additional_traefik_arguments
+  ingress_count        = var.ingress_count
+  ingress_proxy_port   = var.ingress_port
+  traefik_config_files = var.traefik_config_files
 
   node_pool     = var.api_node_pool
   update_stanza = var.api_cluster_size > 1
diff --git a/iac/provider-aws/nomad/variables.tf b/iac/provider-aws/nomad/variables.tf
@@ -309,9 +309,8 @@ variable "launch_darkly_api_key" {
   sensitive = true
 }
 
-variable "additional_traefik_arguments" {
-  type    = list(string)
-  default = []
+variable "traefik_config_files" {
+  type = map(string)
 }
 
 variable "db_max_open_connections" {
diff --git a/iac/provider-aws/variables.tf b/iac/provider-aws/variables.tf
@@ -156,9 +156,10 @@ variable "control_server_cluster_size" {
   default = 3
 }
 
-variable "additional_traefik_arguments" {
-  type    = list(string)
-  default = []
+variable "traefik_config_files" {
+  type        = map(string)
+  description = "Map of filename => content for additional Traefik dynamic configuration files"
+  default     = {}
 }
 
 variable "db_max_open_connections" {
diff --git a/iac/provider-gcp/main.tf b/iac/provider-gcp/main.tf
@@ -52,6 +52,15 @@ data "google_secret_manager_secret_version" "routing_domains" {
 locals {
   additional_domains = nonsensitive(jsondecode(data.google_secret_manager_secret_version.routing_domains.secret_data))
 
+  # Normalize additional_api_paths_handled_by_ingress to support both legacy (list of strings)
+  # and new (list of objects) formats. Strings are converted to objects with paths = [string].
+  normalized_api_paths_handled_by_ingress = [
+    for item in var.additional_api_paths_handled_by_ingress : {
+      paths       = try(item.paths, [item])
+      timeout_sec = try(item.timeout_sec, null)
+    }
+  ]
+
   // Check if all clusters has size greater than 1
   template_manages_clusters_size_gt_1 = alltrue([for c in var.build_clusters_config : (c.cluster_size > 1)])
 
@@ -150,9 +159,10 @@ module "cluster" {
   nomad_port                   = var.nomad_port
   google_service_account_email = module.init.service_account_email
   domain_name                  = var.domain_name
+  ingress_timeout_seconds      = var.ingress_timeout_seconds
 
   additional_domains                      = local.additional_domains
-  additional_api_paths_handled_by_ingress = var.additional_api_paths_handled_by_ingress
+  additional_api_paths_handled_by_ingress = local.normalized_api_paths_handled_by_ingress
 
   docker_contexts_bucket_name = module.init.envs_docker_context_bucket_name
   cluster_setup_bucket_name   = module.init.cluster_setup_bucket_name
@@ -208,9 +218,9 @@ module "nomad" {
   clickhouse_node_pool             = var.clickhouse_node_pool
 
   # Ingress
-  ingress_port                 = var.ingress_port
-  ingress_count                = var.ingress_count
-  additional_traefik_arguments = var.additional_traefik_arguments
+  ingress_port         = var.ingress_port
+  ingress_count        = var.ingress_count
+  traefik_config_files = var.traefik_config_files
 
   # API
   api_server_count                                       = var.api_server_count
diff --git a/iac/provider-gcp/nomad-cluster/main.tf b/iac/provider-gcp/nomad-cluster/main.tf
@@ -117,6 +117,7 @@ module "network" {
   domain_name                             = var.domain_name
   additional_domains                      = var.additional_domains
   additional_api_paths_handled_by_ingress = var.additional_api_paths_handled_by_ingress
+  ingress_timeout_seconds                 = var.ingress_timeout_seconds
 
   client_proxy_port        = var.client_proxy_port
   client_proxy_health_port = var.client_proxy_health_port
diff --git a/iac/provider-gcp/nomad-cluster/network/ingress.tf b/iac/provider-gcp/nomad-cluster/network/ingress.tf
@@ -43,7 +43,7 @@ resource "google_compute_backend_service" "ingress" {
   session_affinity = null
   health_checks    = [google_compute_health_check.ingress.id]
 
-  timeout_sec = 80
+  timeout_sec = var.ingress_timeout_seconds
 
   load_balancing_scheme = "EXTERNAL_MANAGED"
   locality_lb_policy    = "ROUND_ROBIN"
diff --git a/iac/provider-gcp/nomad-cluster/network/main.tf b/iac/provider-gcp/nomad-cluster/network/main.tf
@@ -270,11 +270,21 @@ resource "google_compute_url_map" "orch_map" {
     default_service = google_compute_backend_service.default["api"].self_link
 
     dynamic "path_rule" {
-      for_each = length(var.additional_api_paths_handled_by_ingress) > 0 ? [{}] : []
+      for_each = var.additional_api_paths_handled_by_ingress
 
       content {
-        paths   = var.additional_api_paths_handled_by_ingress
+        paths   = path_rule.value.paths
         service = google_compute_backend_service.ingress.self_link
+
+        dynamic "route_action" {
+          for_each = path_rule.value.timeout_sec != null ? [path_rule.value.timeout_sec] : []
+
+          content {
+            timeout {
+              seconds = route_action.value
+            }
+          }
+        }
       }
     }
   }
diff --git a/iac/provider-gcp/nomad-cluster/network/variables.tf b/iac/provider-gcp/nomad-cluster/network/variables.tf
@@ -104,5 +104,12 @@ variable "labels" {
 }
 
 variable "additional_api_paths_handled_by_ingress" {
-  type = list(string)
+  type = list(object({
+    paths       = list(string)
+    timeout_sec = optional(number)
+  }))
+}
+
+variable "ingress_timeout_seconds" {
+  type = number
 }
diff --git a/iac/provider-gcp/nomad-cluster/variables.tf b/iac/provider-gcp/nomad-cluster/variables.tf
@@ -368,5 +368,12 @@ variable "persistent_volume_types" {
 }
 
 variable "additional_api_paths_handled_by_ingress" {
-  type = list(string)
+  type = list(object({
+    paths       = list(string)
+    timeout_sec = optional(number)
+  }))
+}
+
+variable "ingress_timeout_seconds" {
+  type = number
 }
diff --git a/iac/provider-gcp/nomad/main.tf b/iac/provider-gcp/nomad/main.tf
@@ -52,9 +52,9 @@ data "google_secret_manager_secret_version" "redis_tls_ca_base64" {
 module "ingress" {
   source = "../../modules/job-ingress"
 
-  ingress_count                = var.ingress_count
-  ingress_proxy_port           = var.ingress_port.port
-  additional_traefik_arguments = var.additional_traefik_arguments
+  ingress_count        = var.ingress_count
+  ingress_proxy_port   = var.ingress_port.port
+  traefik_config_files = var.traefik_config_files
 
   node_pool     = var.api_node_pool
   update_stanza = var.api_machine_count > 1
diff --git a/iac/provider-gcp/nomad/variables.tf b/iac/provider-gcp/nomad/variables.tf
@@ -73,8 +73,9 @@ variable "ingress_port" {
   })
 }
 
-variable "additional_traefik_arguments" {
-  type = list(string)
+variable "traefik_config_files" {
+  type        = map(string)
+  description = "Map of filename => content for additional Traefik dynamic configuration files"
 }
 
 variable "ingress_count" {
diff --git a/iac/provider-gcp/variables.tf b/iac/provider-gcp/variables.tf
@@ -132,16 +132,18 @@ variable "ingress_count" {
 }
 
 variable "additional_api_paths_handled_by_ingress" {
-  type        = list(string)
-  description = "Additional paths to forward to nomad's ingress"
+  type        = any
+  description = <<-EOT
+    Additional path rules to forward to nomad's ingress. Each entry creates a separate path_rule.
+    Accepts two formats for backward compatibility:
+    - Legacy: list(string) - e.g. ["/path1/*", "/path2/*"]
+    - New: list(object({paths = list(string), timeout_sec = optional(number)}))
+      e.g. [{paths = ["/path1/*", "/path2/*"], timeout_sec = 120}]
+    Per-route timeout_sec overrides the ingress backend default (see ingress_timeout_seconds).
+  EOT
   default     = []
 }
 
-variable "additional_traefik_arguments" {
-  type    = list(string)
-  default = []
-}
-
 variable "client_proxy_resources_memory_mb" {
   type    = number
   default = 1024
@@ -710,3 +712,14 @@ variable "orchestrator_env_vars" {
   type    = map(string)
   default = {}
 }
+
+variable "traefik_config_files" {
+  type        = map(string)
+  description = "Map of filename => content for additional Traefik dynamic configuration files"
+  default     = {}
+}
+
+variable "ingress_timeout_seconds" {
+  type    = number
+  default = 80
+}

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ variable "otel_collector_grpc_endpoint" {`
`54`	`54`	`description = "OpenTelemetry collector gRPC endpoint (e.g., localhost:4317)"`
`55`	`55`	`}`
`56`	`56`
`57`		`-variable "additional_traefik_arguments" {`
`58`		`- type = list(string)`
	`57`	`+variable "traefik_config_files" {`
	`58`	`+ type = map(string)`
	`59`	`+ description = "Map of filename => content for additional Traefik dynamic configuration files"`
`59`	`60`	`}`
Original file line number	Diff line number	Diff line change
`@@ -309,9 +309,8 @@ variable "launch_darkly_api_key" {`
`309`	`309`	`sensitive = true`
`310`	`310`	`}`
`311`	`311`
`312`		`-variable "additional_traefik_arguments" {`
`313`		`- type = list(string)`
`314`		`- default = []`
	`312`	`+variable "traefik_config_files" {`
	`313`	`+ type = map(string)`
`315`	`314`	`}`
`316`	`315`
`317`	`316`	`variable "db_max_open_connections" {`
Original file line number	Diff line number	Diff line change
`@@ -156,9 +156,10 @@ variable "control_server_cluster_size" {`
`156`	`156`	`default = 3`
`157`	`157`	`}`
`158`	`158`
`159`		`-variable "additional_traefik_arguments" {`
`160`		`- type = list(string)`
`161`		`- default = []`
	`159`	`+variable "traefik_config_files" {`
	`160`	`+ type = map(string)`
	`161`	`+ description = "Map of filename => content for additional Traefik dynamic configuration files"`
	`162`	`+ default = {}`
`162`	`163`	`}`
`163`	`164`
`164`	`165`	`variable "db_max_open_connections" {`