Hybrid Cloud Console / RHCLOUD-43911

Dual Deployment of Export Service to HCC Cluster


    • Epic
    • Resolution: Unresolved
    • Normal
    • Export
    • Product / Portfolio Work
    • To Do
    • CRCPLAN-372 - Migrate core HCC/Fabric workloads to a dedicated cluster

      Goal

      To align with the initiative of moving core HCC/Fabric workloads to a dedicated HCC cluster, the Export service is to be deployed to the new HCC cluster while maintaining its presence on the CRC cluster. This dual deployment model ensures service availability during the migration of internal traffic.

      Both deployments will utilize the same shared cloud resources (PostgreSQL, S3 buckets, cache) enabled by the multi-cluster network topology. The Internal API (port 10010), used for application data uploads, will be exposed via the East-West gateway on the HCC cluster. As part of this step, the legacy Pre-Shared Key (PSK) authentication scheme will be replaced by OIDC enforced at the gateway level. The PSK scheme will remain disabled on the HCC deployment.

      The specific clients targeted for migration in this Epic are RHSM, HBI, and Notifications. They will adopt the same identity used for Kessel services for OIDC authentication. Following the migration of these clients to the East-West gateway, the NetworkPolicy on the CRC cluster will be updated to restrict direct in-cluster traffic, ensuring all internal communication flows through the managed gateway. Exposing the Public API via the North-South gateway is explicitly out of scope for this Epic.

      Acceptance criteria

      • The Export service is deployed on the HCC cluster with successful connectivity to the existing shared cloud resources
      • The internal API is exposed via the East-West gateway on the HCC cluster
      • The HCC deployment of the Export service has the PSK authentication scheme completely disabled
      • The gateway is configured to enforce OIDC authentication on connections to the Export service, specifically using the same identity configuration currently used for Kessel services
      • All internal clients of the Export service (RHSM, HBI, Notifications) have been migrated to use the deployment on the HCC cluster
      • After the clients have been migrated, the NetworkPolicy on the CRC cluster deployment is updated to deny all traffic except traffic from the gateway namespace
      • SOPs are created/updated to ensure this migration process is repeatable and can be done again solely by following the SOPs
      • Observability is enabled for all newly deployed components, with logs collected in CloudWatch and the same metrics as currently collected in the old CRC cluster collected by Prometheus
      • Grafana dashboards and alerts are adjusted to include data from the new cluster
      • The original deployment will continue to operate as it does today
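
An added example, not part of the original ticket or the project's code: one way to audit the CRC-side NetworkPolicy against the "deny all traffic except traffic from the gateway namespace" criterion. The gateway namespace name, policy name and pod label are hypothetical placeholders; port 10010 is the Internal API port named in the Goal.

```python
# Added example; GATEWAY_NS, the policy name and the pod label are placeholders.
GATEWAY_NS = "example-gateway"            # hypothetical gateway namespace
NS_LABEL = "kubernetes.io/metadata.name"  # label Kubernetes sets on each namespace

def peer_is_gateway_only(peer, gateway_ns=GATEWAY_NS):
    """True if this ingress peer can only match pods in the gateway namespace."""
    if "ipBlock" in peer:
        return False  # a CIDR peer is not tied to any namespace
    selector = peer.get("namespaceSelector")
    if selector is None:
        return False  # podSelector alone matches the policy's own namespace
    # An empty selector ({}) matches every namespace, so require the exact label.
    return (selector.get("matchLabels") or {}).get(NS_LABEL) == gateway_ns

def audit(policy, gateway_ns=GATEWAY_NS):
    """Return findings; an empty list means ingress is limited to the gateway."""
    spec = policy.get("spec", {})
    findings = []
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        findings.append("policy does not govern ingress")
    for i, rule in enumerate(spec.get("ingress") or []):
        peers = rule.get("from") or []
        if not peers:
            findings.append(f"ingress[{i}]: missing 'from' allows every source")
        for j, peer in enumerate(peers):
            if not peer_is_gateway_only(peer, gateway_ns):
                findings.append(f"ingress[{i}].from[{j}]: not limited to {gateway_ns}")
    return findings

def make_policy(ingress):
    """Build a constructed NetworkPolicy manifest around the given ingress rules."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "export-internal-api"},
            "spec": {"podSelector": {"matchLabels": {"app": "export-service"}},
                     "policyTypes": ["Ingress"], "ingress": ingress}}

# Constructed samples: GOOD admits only the gateway namespace on port 10010;
# BAD admits same-namespace pods (rule 0) and any source at all (rule 1).
GOOD = make_policy([{"from": [{"namespaceSelector": {"matchLabels": {NS_LABEL: GATEWAY_NS}}}],
                     "ports": [{"protocol": "TCP", "port": 10010}]}])
BAD = make_policy([{"from": [{"podSelector": {}}]},
                   {"ports": [{"protocol": "TCP", "port": 10010}]}])

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(policy) or "gateway-only")
```

The two failure modes flagged in `BAD` are the ones that would leave direct in-cluster traffic open after the cutover: a peer with only a `podSelector`, and a rule that lists ports but no `from`.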

       

              Unassigned
              rhn-engineering-jharting Jozef Hartinger