Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Extend servicePublishingStrategies in HostedCluster configuration #5369

Open
mihivagyok opened this issue Jan 10, 2025 · 0 comments
Open

Extend servicePublishingStrategies in HostedCluster configuration #5369

mihivagyok opened this issue Jan 10, 2025 · 0 comments

Comments

@mihivagyok
Copy link
Contributor

mihivagyok commented Jan 10, 2025

Today, Hypershift offers the following kind of servicePublishingStrategies in the HostedCluster configuration.

  • NodePort
  • LoadBalancer
  • Route
  • S3
  • None

And the following services can be exposed:

  • APIServer
  • Konnectivity
  • OAuthServer
  • Ignition

Our goal is to expose these services using Hostname and Port (default: 443).
As we are serving hundreds of clusters on a single cluster, we don’t want to create the hundreds of load balancers for each hostedCluster - as the “LoadBalancer/Route” strategy would create kube services with load balancer type.

For our use-case, the HostedControlPlaneOperator would create a clusterIP service on the control plane and a custom solution would be implemented to integrate this behavior.

Example configuration:

apiVersion: hypershift.openshift.io/v1alpha1
kind: HostedCluster
metadata:
  name: clusterid
spec:
  services:
    - service: APIServer
      servicePublishingStrategy:
        type: ClusterIP
        clusterIP:
          hostname: clusterid.api.example.com
          port: 443
    - service: Konnectivity
      servicePublishingStrategy:
        type: ClusterIP
        clusterIP:
          hostname: clusterid.tunnel.example.com
          port: 443

The traffic flow would look like this:

Agents/clients (DP) -----> Load Balancer listens on 443 (CP) ----> Ingress gateway (SNI based routing, TLS passthru) ----> ClusterIP service ----> Application (TLS termination)

As user services (e.g agents and clients) are running in the data plane (e.g. ha-proxy (for kube-api), konnectivity-agent (konnectivity), etc), the HostedClusterConfigOperator would configure these components with the Hostname and Port set in the servicePublishingStrategy configuration.

That's why our suggestion is to add new servicePublishingStrategy called "ClusterIP".

  • it would create a ClusterIP service for the application
  • on data plane, it would configure the applications with Hostname and Port parameter (e.g. konnectivity-agent)
  • hostname and port would be validated. It would align with existing DNS best practices or standards (e.g., RFC 1123)
  • default port would be 443
  • empty hostname would be mean invalid configuration

Testing:

  • the change would be backward compatible
  • it would be directly additive new servicePublishingStrategy
  • Unit tests
  • Manual integration tests
  • Would decide on further automated testing as it requires additional networking solution to test it

Alternative option: usage of special annotations on NodePort Type services

apiVersion: v1
kind: Service
metadata:
  annotations:
    ibm-cloud-override-service-nodeport: "443"
  name: konnectivity-server
spec:
  ports:
  - port: 8091
    protocol: TCP
    targetPort: 8091
  selector:
    app: konnectivity-server
  type: NodePort

Plese share your thoughts. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant