Version: v1.4

OCM Cluster-Gateway Manager

TL;DR: "OCM Cluster-Gateway Manager" addon installs an operator component into the hub cluster that help the administrator to easily operate the configuration of cluster-gateway instances via "ClusterGatewayConfiguration" custom resource. WARNING this addon will restart the cluster-gateway instances upon the first-time installation.

What does "Cluster-Gateway Manager" do?#

Basically it helps us to sustainably operate the cluster-gateway instances from the following aspects:

Automatic cluster-gateway's server TLS certificate rotation.
Automatic cluster discovery.
Structurize the component configuration for cluster-gateway.
Manages the "egress identity" for cluster-gateway to access each clusters.

Note that the requests proxied by cluster-gateway will use the identity of open-cluster-management-managed-serviceaccount/cluster-gateway to access the managed clusters, and by default w/ cluster-admin permission, so please be mindful of that.

How to confirm if the addon installation is working?#

Run the following commands to check the healthiness of the addons:

$ kubectl -n <cluster> get managedclusteraddon
kubectl get managedclusteraddon -A
NAMESPACE   NAME                     AVAILABLE   DEGRADED   PROGRESSING
<cluster>   cluster-gateway          True                   
<cluster>   cluster-proxy            True                   
<cluster>   managed-serviceaccount   True 

In case you have too many clusters to browse at a time, install the command-line binary via:

curl -L https://raw.githubusercontent.com/open-cluster-management-io/clusteradm/main/install.sh | bash

Then run the following commands to see the details of the addon:

$ clusteradm get addon
<ManagedCluster>
└── managed1
    └── cluster-gateway
    │   ├── <Status>
    │   │   ├── Available -> true
    │   │   ├── ...
    │   ├── <ManifestWork>
    │       └── clusterrolebindings.rbac.authorization.k8s.io
    │       │   ├── open-cluster-management:cluster-gateway:default (applied)
    │       └── ...
    └── cluster-proxy
    │   ├── <Status>
    │   │   ├── Available -> true
    │   │   ├── ...
    │   ├── <ManifestWork>
    │       └── ...
    └── managed-serviceaccount
        └── <Status>
        │   ├── Available -> true
        │   ├── ...
        └── <ManifestWork>
            └── ...

Sample of ClusterGatewayConfiguration API#

You can read or edit the overall configuration of cluster-gateway deployments via the following command:

$ kubectl get clustergatewayconfiguration -o yaml
apiVersion: v1
kind: List
items:
- apiVersion: proxy.open-cluster-management.io/v1alpha1
  kind: ClusterGatewayConfiguration
  metadata: ...
  spec:
    egress:
      clusterProxy:
        credentials:
          namespace: open-cluster-management-addon
          proxyClientCASecretName: proxy-server-ca
          proxyClientSecretName: proxy-client
        proxyServerHost: proxy-entrypoint.open-cluster-management-addon
        proxyServerPort: 8090
      type: ClusterProxy
    image: oamdev/cluster-gateway:v1.1.11
    installNamespace: vela-system
    secretManagement:
      managedServiceAccount:
        name: cluster-gateway
      type: ManagedServiceAccount
    secretNamespace: open-cluster-management-credentials