github.com/oam-dev/cluster-gateway@v1.9.0/README.md (about) 1 # Cluster Gateway 2 3 ## Overall 4 5 "Cluster Gateway" is a gateway apiserver for routing kubernetes api traffic 6 to multiple kubernetes clusters. Additionally, the gateway is completely 7 pluggable for a running kubernetes cluster natively because it is developed 8 based on the native api extensibility named [apiserver-aggregation](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/). 9 A new extended resource "cluster.core.oam.dev/ClusterGateway" will be 10 registered into the hosting cluster after properly applying corresponding 11 `APIService` objects, and a new subresource named "proxy" will be available 12 for every existing "Cluster Gateway" resource which is inspired by the 13 original kubernetes "service/proxy", "pod/proxy" subresource. 14 15 Overall our "Cluster Gateway" also has the following merits as a multi-cluster 16 api-gateway solution: 17 18 - __Etcd Free__: Normally an aggregated apiserver must be deployed along 19 with a dedicated etcd cluster which is bringing extra costs for the admins. 20 While our "Cluster Gateway" can be running completely without etcd instances, 21 because the extended "ClusterGateway" resource are virtual read-only 22 kubernetes resource which is converted from secret resources from a namespace 23 in the hosting cluster. 24 25 - __Scalability__: Our "Cluster Gateway" can scale out to arbitrary instances 26 to deal with the increasing loads 27 28  29 30 31 ## Image 32 33 ```shell 34 $ docker pull oamdev/cluster-gateway:v1.1.12 # Or other newer tags 35 ``` 36 37 ## Documentation 38 39 - __Run locally__: https://github.com/oam-dev/cluster-gateway/blob/master/docs/local-run.md 40 - __Sample cluster-gateway converting secret__: 41 - __ServiceAccountToken type secret__: https://github.com/oam-dev/cluster-gateway/blob/master/hack/samples/cluster-gateway-secret-serviceaccount-token.yaml 42 - __X.509 certificate type secret__: https://github.com/oam-dev/cluster-gateway/blob/master/hack/samples/cluster-gateway-secret-x509.yaml 43 44 ### Performance 45 46 Compile the e2e benchmark suite by: 47 48 ```shell 49 $ make e2e-benchmark-binary 50 ``` 51 52 The benchmark suite will be creating-updating-deleting configmaps in a flow 53 repeatly for 100 times. Here's a comparison of the performance we observed 54 in a local experiment: 55 56 57 | Bandwidth | Direct | ClusterGateway | ClusterGateway(over Konnectivity) | 58 |-------------|------------------|------------------|-----------------------------------| 59 | Fastest | 0.059s | 0.190s | 0.428s | 60 | Slowest | 0.910s | 0.856s | 1.356s | 61 | Average | 0.583s ± 0.104s | 0.581s ± 0.087s | 0.608s ± 0.135s | 62 63 ### Open-Cluster-Management Integration 64 65 Cluster-gateway has native integration with [Open-Cluster-Management(OCM)](https://open-cluster-management.io/) 66 to provide the KubeVela admin a more coherent user experience in distributing 67 applications across multiple clusters: 68 69 #### Enabling OCM seamlessly in your KubeVela environment 70 71 The official vela addon named [ocm-cluster-manager](https://github.com/oam-dev/catalog/tree/master/addons/ocm-cluster-manager) 72 will help you easily bootstrap the OCM control plane (in the hosting cluster 73 where your KubeVela control plane lives). Note that the OCM environment 74 installed from the addon above will not take any effect until we opt-in to 75 enable the functional integration between KubeVela and OCM as is elaborated 76 below. It's just a minimal trial setup to try out OCM instantly, while in order 77 to enable the further integration with OCM, we will need to adjust the 78 configuration of cluster-gateway to make it detect and aware of the local OCM 79 environment. 80 81 #### Aligning ClusterGateway to OCM's cluster registry 82 83 By opt-in to the flag `--ocm-integration=true`, the cluster-gateway will be 84 detecting and loading the OCM environment in the hosting cluster and connecting 85 each `ClusterGateway` custom resource from cluster-gateway to OCM's original 86 cluster model in OCM named `ManagedCluster`. The `ClusterGateway` is a 87 gateway "ingress" abstraction for the Kubernetes clusters managed by KubeVela, 88 so after integrating with OCM it's intuitive to regard the gateway resource 89 as a "satellite" child resource around `ManagedCluster`. Setting the flag will 90 make the cluster-gateway filter out those dangling `ClusterGateway` that doesn't 91 have a valid `ManagedCluster` bound with. In addition to that, we won't need to 92 explicitly set the master URL in the cluster secret because the cluster-gateway 93 will be merging the URL list from the corresponding `ManagedCluster`. 94 95 Furthermore, by enabling the integration, we will also reflect/aggregate the 96 healthiness of the corresponding clusters by partially merging the original 97 healthiness status from OCM's `ManagedCluster`. So we can save the troubles 98 before attempting to talk to an unavailable cluster. 99 100 #### Delegating the upgrading/rotation of cluster-gateway to OCM 101 102 Installing the cluster-gateway via the [standalone chart](https://github.com/oam-dev/cluster-gateway/tree/master/charts/cluster-gateway) 103 or [KubeVela's chart](https://github.com/oam-dev/kubevela/tree/master/charts/vela-core) 104 provides us a one-time light-weighting setup of cluster-gateway, but sadly 105 there are still some missing puzzles we should notice before we bring the 106 cluster-gateway into sustainable production environment: 107 108 - The rotation of cluster-gateway's server TLS certificate. 109 - Automatic addition/removal of the `ClusterGateway` resource upon cluster 110 discovery. 111 112 In order to fill the blanks in cluster-gateway above, optionally we can delegate 113 the management of cluster-gateway to OCM by introducing a new component named [cluster-gateway-addon-manager](https://github.com/oam-dev/cluster-gateway/tree/master/cmd/addon-manager) 114 to the hosting cluster which is basically responsible for: 115 116 1. Sustainable installation as a typical "operator" dedicated for 117 cluster-gateway. 118 2. Modelling cluster-gateway as an [OCM addon](https://open-cluster-management.io/concepts/addon/). 119 120 The addon-manager can be installed via simple helm commands, please refer to 121 the installation guide [here](https://open-cluster-management.io/scenarios/pushing-kube-api-requests/#installation). 122 123 ### Identity Passing 124 125 When feature flag `ClientIdentityPenetration` is enabled, cluster-gateway will 126 recognize the identity in the incoming requests and use the [impersonation mechanism](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) 127 to send requests to managed clusters with identity impersonated. By default, 128 the impersonated identity is consistent with the identity in the incoming requests. 129 130 In the cases that the identity in different clusters are not aligned, the [ClientIdentityExchanger](https://github.com/oam-dev/cluster-gateway/issues/120) 131 feature would be helpful to make projections. You can use either the global configuration 132 or the cluster configuration for declaring the identity exchange rules, like the given 133 [example](https://github.com/oam-dev/cluster-gateway/tree/master/examples/client-identity-exchanger/config.yaml). 134 For global configuration, you need to set up the `--cluster-gateway-proxy-config=<the configuration file path>` 135 to enable it. For cluster configuration, you can set the annotation `cluster.core.oam.dev/cluster-gateway-proxy-configuration` 136 value to enable the configuration for the requests to the attached cluster.