github.com/oam-dev/cluster-gateway@v1.9.0/docs/local-run.md

# Running Non-Etcd Apiserver Locally

### Setting Up Environment

1. Build the container:

```shell
docker build \
  -t "cluster-gateway:v0.0.0-non-etcd" \
  -f cmd/apiserver/Dockerfile .
```

2. Spawn a local KinD cluster:

```shell
kind create cluster --name hub
kind export kubeconfig --kubeconfig /tmp/hub.kubeconfig --name hub
kind load docker-image "cluster-gateway:v0.0.0-non-etcd" --name hub
```

3. Apply the manifests below:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gateway-deployment
  labels:
    app: gateway
spec:
  replicas: 3
  selector:
    matchLabels:
      app: gateway
  template:
    metadata:
      labels:
        app: gateway
    spec:
      containers:
        - name: gateway
          image: "cluster-gateway:v0.0.0-non-etcd"
          command:
            - ./apiserver
            - --secure-port=9443
            - --secret-namespace=default
            - --feature-gates=APIPriorityAndFairness=false
          ports:
            - containerPort: 9443
---
apiVersion: v1
kind: Service
metadata:
  name: gateway-service
spec:
  selector:
    app: gateway
  ports:
    - protocol: TCP
      port: 9443
      targetPort: 9443
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.cluster.core.oam.dev
  labels:
    api: cluster-extension-apiserver
    apiserver: "true"
spec:
  version: v1alpha1
  group: cluster.core.oam.dev
  groupPriorityMinimum: 2000
  service:
    name: gateway-service
    namespace: default
    port: 9443
  versionPriority: 10
  insecureSkipTLSVerify: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system::extension-apiserver-authentication-reader:cluster-gateway
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: cluster-gateway-secret-reader
rules:
  - apiGroups:
      - ""
    resources:
      - "secrets"
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cluster-gateway-secret-reader
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cluster-gateway-secret-reader
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
---
```

4. Check that apiserver aggregation is working properly:

```shell
$ KUBECONFIG=/tmp/hub.kubeconfig kubectl api-resources | grep clustergateway
$ KUBECONFIG=/tmp/hub.kubeconfig kubectl get clustergateway # A 404 error is expected
```

### Proxying Multi-Cluster

1. Prepare a second cluster `managed1` that is accessible from `hub`'s network.

2.1. Create a secret containing an X509 certificate/key in the hub cluster:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: managed1
  labels:
    cluster.core.oam.dev/cluster-credential-type: X509
type: Opaque # <--- Has to be opaque
data:
  endpoint: "..." # Should NOT be 127.0.0.1
  ca.crt: "..."   # ca cert for cluster "managed1"
  tls.crt: "..."  # x509 cert for cluster "managed1"
  tls.key: "..."  # private key for cluster "managed1"
```

2.2. (Alternatively) Create a secret containing a service-account token in the hub cluster:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: managed1
  labels:
    cluster.core.oam.dev/cluster-credential-type: ServiceAccountToken
type: Opaque # <--- Has to be opaque
data:
  endpoint: "..." # ditto
  ca.crt: "..."   # ditto
  token: "..."    # working jwt token
```

2.3. (Alternatively) Create a secret containing an exec config that dynamically fetches the cluster credential from an external command:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: managed1
  labels:
    cluster.core.oam.dev/cluster-credential-type: Dynamic
type: Opaque # <--- Has to be opaque
data:
  endpoint: "..." # ditto
  exec: "..."     # an exec config in JSON format; see ExecConfig (https://github.com/kubernetes/kubernetes/blob/2016fab3085562b4132e6d3774b6ded5ba9939fd/staging/src/k8s.io/client-go/tools/clientcmd/api/types.go#L206, https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration)
```

3. Proxy to cluster `managed1`'s `/healthz` endpoint:

```shell
$ KUBECONFIG=/tmp/hub.kubeconfig kubectl get \
    --raw="/apis/cluster.core.oam.dev/v1alpha1/clustergateways/managed1/proxy/healthz"
```

4. Craft a dedicated kubeconfig for proxying `managed1` from the `hub` cluster:

```shell
$ cat /tmp/hub.kubeconfig \
    | sed 's/\(server: .*\)/\1\/apis\/cluster.core.oam.dev\/v1alpha1\/clustergateways\/managed1\/proxy\//' \
    > /tmp/hub-managed1.kubeconfig
```

Try the tweaked kubeconfig:

```shell
# list namespaces under cluster managed1
KUBECONFIG=/tmp/hub-managed1.kubeconfig kubectl get ns
```

### Clean up

1. Delete the sandbox cluster:

```shell
# the cluster was created above as "hub"
$ kind delete cluster --name hub
```
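The two hand-written artifacts in "Proxying Multi-Cluster" (the credential Secret from step 2.1 and the proxied kubeconfig from step 4) can be generated instead of typed. The helper below is an added example, not code from the cluster-gateway project; it enforces the two caveats the steps call out (`type: Opaque`, endpoint not loopback) and rewrites the hub kubeconfig's server URL structurally rather than with the sed one-liner. The sample hub kubeconfig is constructed inline, with its CA data elided.

```python
"""Added helper (not cluster-gateway code): build a cluster-credential Secret
and a gateway-proxied kubeconfig for the "Proxying Multi-Cluster" steps."""
import base64
import json
from urllib.parse import urlparse

PROXY_PATH = "/apis/cluster.core.oam.dev/v1alpha1/clustergateways/{name}/proxy/"
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def is_loopback(endpoint: str) -> bool:
    """True if the endpoint would resolve to the gateway pod itself, not the managed cluster."""
    return (urlparse(endpoint).hostname or "") in LOOPBACK


def x509_secret(name: str, endpoint: str, ca_crt: bytes, tls_crt: bytes, tls_key: bytes) -> dict:
    """Secret the gateway reads from --secret-namespace for cluster `name` (X509 credential type)."""
    if is_loopback(endpoint):
        raise ValueError(f"endpoint {endpoint!r} must not be a loopback address")

    def enc(raw: bytes) -> str:  # Secret.data values are base64-encoded
        return base64.b64encode(raw).decode("ascii")

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name,
                     "labels": {"cluster.core.oam.dev/cluster-credential-type": "X509"}},
        "type": "Opaque",  # the gateway only picks up Opaque secrets
        "data": {"endpoint": enc(endpoint.encode()), "ca.crt": enc(ca_crt),
                 "tls.crt": enc(tls_crt), "tls.key": enc(tls_key)},
    }


def proxied_kubeconfig(hub_cfg: dict, cluster_name: str) -> dict:
    """Copy of hub_cfg whose server URLs are suffixed with the gateway proxy path."""
    cfg = json.loads(json.dumps(hub_cfg))  # deep copy; the hub kubeconfig stays untouched
    for entry in cfg["clusters"]:
        server = entry["cluster"]["server"].rstrip("/")
        entry["cluster"]["server"] = server + PROXY_PATH.format(name=cluster_name)
    return cfg


# Constructed sample of what `kind export kubeconfig` writes for the hub (CA data elided).
SAMPLE_HUB_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config", "current-context": "kind-hub",
    "clusters": [{"name": "kind-hub", "cluster": {"server": "https://127.0.0.1:6443"}}],
    "contexts": [{"name": "kind-hub", "context": {"cluster": "kind-hub", "user": "kind-hub"}}],
    "users": [{"name": "kind-hub", "user": {}}],
}

if __name__ == "__main__":  # JSON is valid YAML, so both outputs work with kubectl as-is
    print(json.dumps(x509_secret("managed1", "https://10.0.0.5:6443", b"CA", b"CERT", b"KEY"), indent=2))
    print(json.dumps(proxied_kubeconfig(SAMPLE_HUB_KUBECONFIG, "managed1"), indent=2))
```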