[WIP] Merge cluster-proxy into core

[qiujian16]

No description provided.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qiujian16

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [qiujian16]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[xuezhaojun]

I wonder whether we should use term "proxy", I got some cases that users get confused about cluster-proxy with other "proxy" settings like addonproxyconfig.proxyconfig.

Could we use another term like "tunnel"?

[qiujian16]

tunnel may not be clearly state the functions. Tunnel would mean that agent and hub is establishing the tunnel, but proxy is more accurate which mean user is proxying the request.

[qiujian16]

some naming suggestion from chatgpt.

grpxy (grpc proxy, short, sysadmin vibe)

tunnx (tunnel nginx-style)

relayx (captures the agent relay role)

[xuezhaojun]

I believe the complete description of this functionality can be "proxy requests between hub and agent," but it can also be "establish a tunnel between hub and agent that can be used to proxy requests."

For users of this functionality, they indeed only need to know about an endpoint that can proxy requests - they don't need to know about the existence of a "tunnel." However, for developers and maintainers, the term "tunnel" helps distinguish this functionality from other proxy-related features.

If "tunnel" doesn't work, could we adopt other terms such as: gateway, bridge, relay, etc.?

[qiujian16]

relay seems ok to me, but since cluster-proxy has been known to many, I am not quite sure how strong the desire to rename.

@jnpacker thought?

[xuezhaojun]

In hub side, except for grpc server, we will also need endpoint and certificates for the http server.

[qiujian16]

yes, it is specified in the following.

[xuezhaojun]

Don‘t we also need cert and endpoint configuration of this http server also set in cluster-manager?

[qiujian16]

cluster manager will generate the cert. and we only need to configure endpoint I think?

[xuezhaojun]

What if user want to use their customzied cert as the proxy endpoint maybe exposed in their domain?

[xuezhaojun]

grpc connection is internal used by proxy, but http proxy is facing to user or maybe user's user.

[qiujian16]

I got your point, yes we need at least endpoint of http server. I am not sure we need ca bundle. Do we support setting this in cluster-proxy today?

[qiujian16]

updated

[xuezhaojun]

Currently, this version of http-server using CA generated by openshift:

• https://github.com/stolostron/backplane-operator/blob/main/pkg/templates/charts/toggle/cluster-proxy-addon/templates/user-deployment.yaml#L139-L148
• https://github.com/stolostron/backplane-operator/blob/b5438698d74b66ada00c92cc63c13611757b77c8/pkg/templates/charts/toggle/cluster-proxy-addon/templates/user-service.yaml#L9

[xuezhaojun]

The fix looks good to me

[skeeey]

how about introduce a config for grpcserver instead of proxyConifg

type GRPCServerConfiguration struct {
    ImagePullSpec string `json:"imagePullSpec,omitempty"`
    FeatureGates []FeatureGate `json:"featureGates,omitempty"`
    EndpointExposure *GRPCEndpointExposure `json:"endpointExposure,omitempty"` 
}

use featureGates to control proxy or transport hub resources with grpc

[qiujian16]

when we use grpc registration driver, does it mean we need to set both in registrationConfig and gRPCconfig?

[skeeey]

yes, for registrationConfig, we need to set authType with grpc to enable the grpc registration

[qiujian16]

updated

[skeeey]

Suggested change

	Example of grpc registration with proxy disabled:
	Example of grpc registration with proxy enabled:

[skeeey]

Suggested change

	Example of grpc registraion with proxy enabled:
	Example of grpc registraion with proxy disabled:

[qiujian16]

@skeeey @xuezhaojun are your fine with the API change on the clusterManager, if so we will need to update clustermanager API sooner.

[skeeey]

@skeeey @xuezhaojun are your fine with the API change on the clusterManager, if so we will need to update clustermanager API sooner.

I'm fine with it

[xuezhaojun]

/lgtm

[xuezhaojun]

@skeeey @xuezhaojun are your fine with the API change on the clusterManager, if so we will need to update clustermanager API sooner.

Yes, the PR looks good to me.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[qiujian16]

we finally decide we will still follow with addon pattern for cluster-proxy.

/close

[openshift-ci]

@qiujian16: Closed this PR.

In response to this:

we finally decide we will still follow with addon pattern for cluster-proxy.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.