Set up East-West Gateway
Epic | Resolution: Unresolved | Normal | To Do
Product / Portfolio Work
Review the CRCPLAN parent feature for additional context, including the feature overview, goals, user stories and use cases, acceptance criteria, designs, dependencies, risks, assumptions, pending questions and documentation callouts.
Summary and goal
The goal is to set up a cross-cluster gateway using the Gateway API provided by the OpenShift Service Mesh 3 operator. The gateway will serve first-party clients only, such as internal platform services and Red Hat-controlled workloads, to facilitate secure inter-cluster communication. It will provide the essential functionality for authentication, authorization and observability needed for a robust and controlled communication environment. The gateway will allow both HTTP and gRPC endpoints to be exposed, and it will be easy to extend with additional token issuers.
Acceptance Criteria
- The gateway is set up on hccs01 and hccp01 clusters.
- The gateway is set up using the OpenShift Service Mesh 3 operator.
- The gateway supports authentication with JWT tokens issued by sso.redhat.com.
- The gateway can be easily configured to trust additional token issuers, such as OpenShift cluster service account tokens.
- The gateway implements edge-level authorization.
- As a service owner, I can define an authorization policy for my service's route.
- The gateway is configured to deny all traffic by default, unless the client is explicitly allowed by an authorization policy.
- The gateway is configured to produce logs that can be sent to CloudWatch.
- The gateway is configured to produce metrics in a Prometheus-compatible format.
- The gateway is capable of exposing both HTTP and gRPC endpoints.
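The following manifests are an added illustration, not part of this epic or of any Red Hat project, of how the authentication and deny-by-default authorization criteria above could be expressed with Istio's security APIs (the data plane OpenShift Service Mesh 3 is built on). The choice between Kuadrant's AuthPolicy and Istio's AuthorizationPolicy is still listed as an open question below, so this shows only the Istio option. The namespace, gateway name, pod label, issuer URL, JWKS URL, hostnames and paths are placeholders that a real deployment would replace.

```yaml
# Added example (not from the epic). All names and URLs are placeholders.
---
# 1. Trust JWTs from sso.redhat.com at the gateway. Adding a second issuer
#    later (for example a cluster's service-account token issuer) is one
#    more entry under jwtRules; nothing else changes.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: east-west-jwt
  namespace: east-west-gateway            # placeholder namespace
spec:
  selector:
    matchLabels:
      istio.io/gateway-name: east-west    # assumed label on the Gateway's pods
  jwtRules:
    - issuer: "https://sso.redhat.com/auth/realms/PLACEHOLDER"   # placeholder iss claim
      jwksUri: "https://sso.redhat.com/PLACEHOLDER/certs"        # placeholder JWKS URL
      forwardOriginalToken: true   # let backend services see the caller's token
---
# 2. Deny by default. RequestAuthentication alone only rejects *invalid*
#    tokens; a request with no token still passes. An AuthorizationPolicy
#    with no rules matches nothing, so once it is attached to the gateway
#    every request is rejected unless another ALLOW policy matches it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: east-west-deny-all
  namespace: east-west-gateway
spec:
  selector:
    matchLabels:
      istio.io/gateway-name: east-west
  action: ALLOW
  rules: []
---
# 3. A service owner's policy for one route. requestPrincipals is
#    "<issuer>/<subject>" of a validated JWT, so only tokens that passed step 1
#    can match; "*" would mean "any valid token". The first rule covers the
#    HTTP endpoint, the second the gRPC service (gRPC is always POST and its
#    path is /<package>.<Service>/<Method>).
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-inventory-api             # placeholder service name
  namespace: east-west-gateway
spec:
  selector:
    matchLabels:
      istio.io/gateway-name: east-west
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals:
              - "https://sso.redhat.com/auth/realms/PLACEHOLDER/PLACEHOLDER-client-id"
      to:
        - operation:
            hosts: ["inventory.east-west.example.internal"]   # placeholder hostname
            methods: ["GET", "POST"]
            paths: ["/api/inventory/*"]
    - from:
        - source:
            requestPrincipals:
              - "https://sso.redhat.com/auth/realms/PLACEHOLDER/PLACEHOLDER-client-id"
      to:
        - operation:
            hosts: ["inventory.east-west.example.internal"]
            methods: ["POST"]
            paths: ["/inventory.v1.Inventory/*"]              # placeholder gRPC service
```

Two checks worth keeping in mind when reviewing such policies: confirm that a request with no Authorization header is rejected by the gateway (that is what the empty-rules policy provides, not RequestAuthentication), and confirm that a token from an issuer not listed in jwtRules is rejected rather than passed through as anonymous.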
Checklist
Checklist Item | Required | Notes or Comments
---|---|---
Workstream or external team dependencies? | Y / N |
ADR Required? | Y / N |
Testing plans | Y / N |
Known dependencies? | Y / N |
Open Questions
- Path/hostname strategy for routing
- Authorization implementation: Kuadrant's AuthPolicy vs. Istio's AuthorizationPolicy?
- SLOs for the gateway
- What are the specific requirements for log format and metric labels?
- Expose the gateway via a VPC Endpoint Service?
Non-goals
- Support for x-rh-identity
- Entitlement injection
- Export compliance checks
- RBAC/TAM access
Issue links
- is depended on by: RHCLOUD-42367 CAPS | Expose Over East-West Gateway (Refinement)
- is related to: RHCLOUD-42362 Kessel | Dual Deployment in HCC clusters (New)