RHCLOUD-42363 (Hybrid Cloud Console): Set up East-West Gateway

Type: Product / Portfolio Work
Status: To Do

      Review the CRCPLAN parent feature for additional context, including the feature overview, goals, user stories and use cases, acceptance criteria, designs, dependencies, risks, assumptions, pending questions and documentation callouts.

      Summary and goal

      The goal is to set up a cross-cluster gateway using the OpenShift Service Mesh 3 operator's Gateway API. This gateway will support first-party clients only, such as internal platform services and Red Hat-controlled workloads, to facilitate secure inter-cluster communication. The gateway will provide essential functionality for authentication, authorization, and observability to ensure a robust and controlled communication environment. The gateway will allow both HTTP and gRPC endpoints to be exposed, and it can be easily extended to support additional token issuers.

      Acceptance Criteria

      • The gateway is set up on hccs01 and hccp01 clusters.
      • The gateway is set up using the OpenShift Service Mesh 3 operator.
      • The gateway supports authentication with JWT tokens issued by sso.redhat.com.
      • The gateway can be easily configured to trust additional token issuers, such as OpenShift cluster service account tokens.
      • The gateway implements edge-level authorization.
      • As a service owner, I can define an authorization policy for my service's route.
      • The gateway is configured to deny all traffic by default, unless the client is explicitly allowed by an authorization policy.
      • The gateway is configured to produce logs that can be sent to CloudWatch.
      • The gateway is configured to produce metrics in a Prometheus-compatible format.
      • The gateway is capable of exposing both HTTP and gRPC endpoints.
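      As an added example (not from this ticket or from the OpenShift Service Mesh project), one way the JWT-authentication, deny-by-default and per-route authorization criteria above could be expressed with Istio's RequestAuthentication and AuthorizationPolicy, the Istio option named under Open Questions; the Gateway name, namespace, route hostname, service name and the sso.redhat.com realm are placeholders.

```yaml
# Placeholder names, namespace, hostnames and issuer realm; none are from the ticket.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: east-west-jwt
  namespace: east-west-gateway        # placeholder namespace holding the Gateway
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: east-west                   # placeholder Gateway API Gateway name
  jwtRules:
  - issuer: https://sso.redhat.com/auth/realms/REALM_PLACEHOLDER
    jwksUri: https://sso.redhat.com/auth/realms/REALM_PLACEHOLDER/protocol/openid-connect/certs
  # Further issuers (e.g. a cluster's service-account token issuer) are added as more jwtRules.
---
# Deny-by-default: an ALLOW policy with no rules matches nothing, so once it is bound to
# the Gateway every request is denied unless another ALLOW policy explicitly matches it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: east-west-gateway
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: east-west
---
# Per-service allow rule a service owner can define: only requests carrying a valid
# sso.redhat.com JWT and addressed to this route's host pass (applies to HTTP and gRPC).
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-inventory-api           # placeholder service name
  namespace: east-west-gateway
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: east-west
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals:            # <iss>/<sub>; a request with no token has no principal
        - "https://sso.redhat.com/auth/realms/REALM_PLACEHOLDER/*"
    to:
    - operation:
        hosts: ["inventory.east-west.example.internal"]   # placeholder route hostname
```

      RequestAuthentication alone only rejects requests that present an invalid token; the requestPrincipals rule is what makes a token mandatory, and the deny-all policy is what makes any route without an allow rule fail closed.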

      Checklist

      Checklist Item                                Required   Notes or Comments
      Workstream or external team dependencies?     Y / N
      ADR Required?                                 Y / N
        • Long-form (approval)
        • Short-form (informational)
      Testing plans                                 Y / N
        • New automation or update existing?
      Known dependencies?                           Y / N
        • Link to the dependent Jiras
        • Add details

      Open Questions

      • Path/hostname strategy for routing
      • Authorization implementation: Kuadrant's AuthPolicy vs. Istio's AuthorizationPolicy?
      • SLOs for the gateway
      • What are the specific requirements for log format and metric labels?
      • Expose the gateway via a VPC Endpoint Service?

      Non-goals

      • Support for x-rh-identity
      • Entitlement injection
      • Export compliance checks
      • RBAC/TAM access

      Assignee: Unassigned
      Reporter: Jozef Hartinger (rhn-engineering-jharting)