Version: v1.4

OCM Cluster-Gateway Manager

TL;DR: The "OCM Cluster-Gateway Manager" addon installs an operator component into the hub cluster that helps the administrator manage the configuration of cluster-gateway instances via the "ClusterGatewayConfiguration" custom resource. WARNING: this addon will restart the cluster-gateway instances upon first-time installation.

What does "Cluster-Gateway Manager" do?

It helps operate the cluster-gateway instances sustainably in the following ways:

  • Automatic rotation of cluster-gateway's server TLS certificate.
  • Automatic cluster discovery.
  • Structured component configuration for cluster-gateway.
  • Management of the "egress identity" that cluster-gateway uses to access each cluster.

Note that requests proxied by cluster-gateway use the identity open-cluster-management-managed-serviceaccount/cluster-gateway to access the managed clusters, and by default that identity has cluster-admin permission, so please be mindful of that.
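To see what that egress identity is granted on a managed cluster, the following added example (not part of the KubeVela or OCM documentation) scans a `kubectl get clusterrolebindings -o json` listing for bindings that reach the ServiceAccount, either directly or through the built-in ServiceAccount groups. The sample binding list and the helper names `matches_egress` and `audit` are constructed for illustration.

```python
import json
import sys

# Egress identity named on this page (namespace / ServiceAccount name).
EGRESS_NS = "open-cluster-management-managed-serviceaccount"
EGRESS_SA = "cluster-gateway"

def _crb(name, role, subject):
    """Build a minimal ClusterRoleBinding dict for the constructed sample."""
    return {"metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [subject]}

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`;
# not captured from a real cluster. Only the first binding name is from the page.
SAMPLE = {"items": [
    _crb("open-cluster-management:cluster-gateway:default", "cluster-admin",
         {"kind": "ServiceAccount", "namespace": EGRESS_NS, "name": EGRESS_SA}),
    _crb("view-all-serviceaccounts", "view",
         {"kind": "Group", "name": "system:serviceaccounts"}),
    _crb("ci-builder-edit", "edit",
         {"kind": "ServiceAccount", "namespace": "default", "name": "builder"}),
]}

def matches_egress(subject):
    """True if an RBAC subject resolves to the cluster-gateway ServiceAccount."""
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "ServiceAccount":
        return name == EGRESS_SA and subject.get("namespace") == EGRESS_NS
    if kind == "User":
        return name == f"system:serviceaccount:{EGRESS_NS}:{EGRESS_SA}"
    if kind == "Group":  # groups every ServiceAccount token belongs to
        return name in ("system:authenticated", "system:serviceaccounts",
                        f"system:serviceaccounts:{EGRESS_NS}")
    return False

def audit(binding_list):
    """Return (binding name, role name, is_cluster_admin) for each matching binding."""
    findings = []
    for b in binding_list.get("items", []):
        if any(matches_egress(s) for s in b.get("subjects") or []):
            role = b["roleRef"]["name"]
            findings.append((b["metadata"]["name"], role, role == "cluster-admin"))
    return findings

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, role, admin in audit(data):
        print(f"{'HIGH' if admin else 'info'}  {name} -> {role}")
```

To audit a real managed cluster, save `kubectl get clusterrolebindings -o json` to a file and pass its path as the first argument; namespaced RoleBindings are not covered by this check.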

How to confirm if the addon installation is working?

Run the following commands to check the health of the addons:

$ kubectl -n <cluster> get managedclusteraddon
$ kubectl get managedclusteraddon -A
NAMESPACE   NAME                     AVAILABLE   DEGRADED   PROGRESSING
<cluster>   cluster-gateway          True
<cluster>   cluster-proxy            True
<cluster>   managed-serviceaccount   True

If you have too many clusters to browse at a time, install the clusteradm command-line binary via:

curl -L https://raw.githubusercontent.com/open-cluster-management-io/clusteradm/main/install.sh | bash

Then run the following commands to see the details of the addon:

$ clusteradm get addon
<ManagedCluster>
└── managed1
    └── cluster-gateway
    │   ├── <Status>
    │   │   ├── Available -> true
    │   │   ├── ...
    │   ├── <ManifestWork>
    │       └── clusterrolebindings.rbac.authorization.k8s.io
    │       │   ├── open-cluster-management:cluster-gateway:default (applied)
    │       └── ...
    └── cluster-proxy
    │   ├── <Status>
    │   │   ├── Available -> true
    │   │   ├── ...
    │   ├── <ManifestWork>
    │       └── ...
    └── managed-serviceaccount
        └── <Status>
        │   ├── Available -> true
        │   ├── ...
        └── <ManifestWork>
            └── ...

Sample of ClusterGatewayConfiguration API

You can read or edit the overall configuration of cluster-gateway deployments via the following command:

$ kubectl get clustergatewayconfiguration -o yaml
apiVersion: v1
kind: List
items:
- apiVersion: proxy.open-cluster-management.io/v1alpha1
  kind: ClusterGatewayConfiguration
  metadata: ...
  spec:
    egress:
      clusterProxy:
        credentials:
          namespace: open-cluster-management-addon
          proxyClientCASecretName: proxy-server-ca
          proxyClientSecretName: proxy-client
        proxyServerHost: proxy-entrypoint.open-cluster-management-addon
        proxyServerPort: 8090
      type: ClusterProxy
    image: oamdev/cluster-gateway:v1.1.11
    installNamespace: vela-system
    secretManagement:
      managedServiceAccount:
        name: cluster-gateway
      type: ManagedServiceAccount
    secretNamespace: open-cluster-management-credentials
Last updated on by wyike