Uploaded image for project: 'Hybrid Cloud Console'
  1. Hybrid Cloud Console
  2. RHCLOUD-42363

Set up East-West Gateway on HCC clusters

XMLWordPrintable

    • Set up East-West Gateway on HCC clusters
    • Product / Portfolio Work
    • False
    • Hide

      None

      Show
      None
    • False
    • Unset
    • To Do
    • CRCPLAN-411 - Multicluster Gateway Architecture
    • 83% To Do, 8% In Progress, 8% Done

      Review the CRCPLAN parent feature for additional context, including the feature overview, goals, user stories and use cases, acceptance criteria, designs, dependencies, risks, assumptions, pending questions and documentation callouts.

      Summary and goal

      The goal is to set up a cross-cluster gateway using the OpenShift Service Mesh 3 operator's Gateway API. This gateway will support first-party clients only, such as internal platform services and Red Hat-controlled workloads, to facilitate secure inter-cluster communication. The gateway will provide essential functionality for authentication, authorization, and observability to ensure a robust and controlled communication environment. The gateway will allow for both HTTP and GRPC endpoints to be exposed. The gateway will be easily extended to support additional token issuers.

      Acceptance Criteria 

      • The gateway is set up on hccs01 and hccp01 clusters.
      • The gateway is set up using Gateway API.
      • The gateway supports authentication with JWT tokens issued sso.redhat.com scheme.
      • The gateway can be easily configured to trust additional token issuers, such as OpenShift cluster service account tokens.
      • The gateway implements edge-level authorization (i.e. only selected allow-listed subjects are allowed).
      • As a service owner, I can define an authorization policy for my services’s route.
      • The gateway is configured to deny all traffic by default, unless the subject is explicitly allowed by an authorization policy.
      • The gateway is configured to produce logs to stdout
      • Forwarding of gateway logs is configured for CloudWatch (by default) and Splunk/SumoLogic
      • The gateway is configured to produce Prometheus metrics and the metrics are collected by in-cluster Prometheus
      • The gateway is configured to support HTTP and GRPC (both over TLS) endpoints.

      Checklist

      Checklist Item Required Notes or Comments
      Workstream or external team dependencies? Y / N  
      ADR Required? 
      • Long-form (approval)
      • Short-form (informational)
      		 Y / N  
      Testing plans
      • New automation or update existing?
      		 Y / N  
      Known dependencies? 
      • Link to the dependent Jiras
      • Add details
      		 Y / N  

      Open Questions

      • Path/hostname strategy for routing
      • What are the specific requirements for log format and metric labels?

      Non-goals

      • Support for x-rh-identity
      • Entitlement injection
      • Export compliance checks
      • RBAC/TAM access

              rh-ee-dagbay Daniel Agbay
              rhn-engineering-jharting Jozef Hartinger
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: