OCM Cluster-Gateway Manager

TL;DR: The “OCM Cluster-Gateway Manager” addon installs an operator component into the hub cluster that helps the administrator operate the configuration of cluster-gateway instances via the “ClusterGatewayConfiguration” custom resource. WARNING: this addon will restart the cluster-gateway instances upon first-time installation.

What does “Cluster-Gateway Manager” do?

Basically, it helps us operate the cluster-gateway instances sustainably in the following aspects:

  • Automatic rotation of cluster-gateway’s server TLS certificate.
  • Automatic cluster discovery.
  • Structured component configuration for cluster-gateway.
  • Management of the “egress identity” that cluster-gateway uses to access each cluster.

Note that requests proxied by cluster-gateway use the identity open-cluster-management-managed-serviceaccount/cluster-gateway to access the managed clusters, and by default that identity has cluster-admin permission, so please be mindful of that.
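Because the egress identity is cluster-admin by default, it is worth checking on each managed cluster which ClusterRoleBindings actually grant it rights. The following is an added audit helper, not part of the addon or its documentation: it parses the JSON shape of `kubectl get clusterrolebinding -o json` (standard Kubernetes RBAC objects) and reports every binding whose subjects include the `cluster-gateway` ServiceAccount; the embedded sample list is constructed for illustration, not captured from a real cluster.

```python
import json
import subprocess

# Constructed stand-in for `kubectl get clusterrolebinding -o json` on a
# managed cluster; the binding name mirrors the ManifestWork shown by
# `clusteradm get addon`, the rest is illustrative only.
SAMPLE_CRB_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "open-cluster-management:cluster-gateway:default"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "cluster-gateway",
                          "namespace": "open-cluster-management-managed-serviceaccount"}],
        },
        {
            "metadata": {"name": "system:basic-user"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "system:basic-user"},
            "subjects": [{"kind": "Group", "name": "system:authenticated",
                          "apiGroup": "rbac.authorization.k8s.io"}],
        },
    ],
})

EGRESS_SA_NAMESPACE = "open-cluster-management-managed-serviceaccount"
EGRESS_SA_NAME = "cluster-gateway"


def bindings_for_service_account(crb_list_json, namespace, name):
    """Return (binding name, bound ClusterRole name) for each ClusterRoleBinding
    whose subjects list the given ServiceAccount."""
    found = []
    for item in json.loads(crb_list_json).get("items", []):
        for subj in item.get("subjects") or []:   # subjects may be null
            if (subj.get("kind") == "ServiceAccount"
                    and subj.get("name") == name
                    and subj.get("namespace") == namespace):
                found.append((item["metadata"]["name"], item["roleRef"]["name"]))
    return found


def cluster_admin_bindings(crb_list_json):
    """Names of bindings that hand cluster-admin to the cluster-gateway egress identity."""
    return [b for b, role in bindings_for_service_account(
        crb_list_json, EGRESS_SA_NAMESPACE, EGRESS_SA_NAME) if role == "cluster-admin"]


if __name__ == "__main__":
    # Replace SAMPLE_CRB_LIST with live output when running against a managed cluster.
    live = subprocess.run(["kubectl", "get", "clusterrolebinding", "-o", "json"],
                          capture_output=True, text=True)
    data = live.stdout if live.returncode == 0 else SAMPLE_CRB_LIST
    print("cluster-admin bindings for egress identity:", cluster_admin_bindings(data))
```

Any binding reported here is the scope a proxied request can reach; narrow the bound ClusterRole if full cluster-admin is not required.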

How to confirm if the addon installation is working?

Run the following commands to check the health of the addons:

    $ kubectl -n <cluster> get managedclusteraddon
    # or, across all clusters:
    $ kubectl get managedclusteraddon -A
    NAMESPACE   NAME                     AVAILABLE   DEGRADED   PROGRESSING
    <cluster>   cluster-gateway          True
    <cluster>   cluster-proxy            True
    <cluster>   managed-serviceaccount   True

In case you have too many clusters to browse at a time, install the command-line binary via:

    curl -L https://raw.githubusercontent.com/open-cluster-management-io/clusteradm/main/install.sh | bash

Then run the following commands to see the details of the addon:

    $ clusteradm get addon
    <ManagedCluster>
    └── managed1
        ├── cluster-gateway
        │   ├── <Status>
        │   │   ├── Available -> true
        │   │   └── ...
        │   └── <ManifestWork>
        │       └── clusterrolebindings.rbac.authorization.k8s.io
        │           ├── open-cluster-management:cluster-gateway:default (applied)
        │           └── ...
        ├── cluster-proxy
        │   ├── <Status>
        │   │   ├── Available -> true
        │   │   └── ...
        │   └── <ManifestWork>
        │       └── ...
        └── managed-serviceaccount
            ├── <Status>
            │   ├── Available -> true
            │   └── ...
            └── <ManifestWork>
                └── ...

Sample of ClusterGatewayConfiguration API

You can read or edit the overall configuration of cluster-gateway deployments via the following command:

    $ kubectl get clustergatewayconfiguration -o yaml
    apiVersion: v1
    kind: List
    items:
    - apiVersion: proxy.open-cluster-management.io/v1alpha1
      kind: ClusterGatewayConfiguration
      metadata: ...
      spec:
        egress:
          clusterProxy:
            credentials:
              namespace: open-cluster-management-addon
              proxyClientCASecretName: proxy-server-ca
              proxyClientSecretName: proxy-client
            proxyServerHost: proxy-entrypoint.open-cluster-management-addon
            proxyServerPort: 8090
          type: ClusterProxy
        image: oamdev/cluster-gateway:v1.1.11
        installNamespace: vela-system
        secretManagement:
          managedServiceAccount:
            name: cluster-gateway
          type: ManagedServiceAccount
        secretNamespace: open-cluster-management-credentials