
Proxy traffic through infra Server

Open BeryJu opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe.

I'm looking into using infrahq to replace Rancher for Cluster SSO, however one thing I quite like about how Rancher works is that their agent is deployed in each cluster, and then Kubernetes API traffic gets sent to the Rancher server, which internally proxies it to the agent.

This has the distinct advantage of only requiring the Rancher server to be accessible, and not each of the clusters. This would also remove the requirement for each cluster connector to be a LoadBalancer service.

I've read https://infrahq.com/docs/reference/architecture and the architecture looks like it purposefully doesn't include that, however is this something worth considering?

Describe the solution you'd like

The Kubernetes connector establishes a WebSocket/gRPC/etc long-lived connection with the infra server, through which API requests sent to the infra server are proxied.

Describe alternatives you've considered

Use the current setup which requires an extra LoadBalancer in each cluster

Environment Details

$ infra version

 Client: 0.14.0
 Server: disconnected

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.3", GitCommit:"aef86a93758dc3cb2c658dd9657ab4ad4afc21cb", GitTreeState:"clean", BuildDate:"2022-07-13T14:30:46Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.3", GitCommit:"aef86a93758dc3cb2c658dd9657ab4ad4afc21cb", GitTreeState:"clean", BuildDate:"2022-07-13T14:23:26Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}

Kubeadm

Additional context

BeryJu avatar Jul 28 '22 09:07 BeryJu
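
The connector-initiated tunnel requested above, as an added Go example that is not part of the issue thread or infra's code: the connector dials out, and the server then sends HTTP requests back over that same connection. The names `oneConn`, `runConnector` and `demo`, the loopback listener, the host `cluster.invalid` and the stand-in API handler are assumptions; the tunnel here carries no TLS or peer authentication, which a real server needs before trusting a connector.

```go
package main
import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
)

type oneConn chan net.Conn // hypothetical helper: lets http.Serve use a dialed conn
func (l oneConn) Accept() (net.Conn, error) { return <-l, nil } // blocks after the first conn
func (l oneConn) Close() error              { return nil }
func (l oneConn) Addr() net.Addr            { return &net.TCPAddr{} }

// runConnector dials OUT to the server, then answers HTTP over that connection.
func runConnector(serverAddr string, api http.Handler) error {
	conn, err := net.Dial("tcp", serverAddr)
	if err != nil {
		return err
	}
	l := make(oneConn, 1)
	l <- conn
	go http.Serve(l, api)
	return nil
}

// demo plays the server on loopback (constructed setup, no TLS or peer auth): it "dials" by accepting.
func demo() (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // the server's tunnel port
	if err != nil {
		return "", err
	}
	defer ln.Close()
	api := func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "cluster saw %s", r.URL.Path) }
	if err := runConnector(ln.Addr().String(), http.HandlerFunc(api)); err != nil {
		return "", err
	}
	dial := func(context.Context, string, string) (net.Conn, error) { return ln.Accept() }
	client := &http.Client{Transport: &http.Transport{DialContext: dial, DisableKeepAlives: true}}
	resp, err := client.Get("http://cluster.invalid/api/v1/namespaces")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() { fmt.Println(demo()) }
```

Each tunnel connection carries one request here; a long-lived design would multiplex many requests over one authenticated connection.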

If this feature is considered then it'll be great if it could be an optional switch. For our use-case it is really great that we don't have a single heavily loaded server with all connections to various clusters like in Rancher.

igorcoding avatar Sep 08 '22 09:09 igorcoding

Definitely would be good to have both options; in the meantime I found out that Portainer can do this proxying via their Edge Agent and still offer SSO for the K8s API so that's my current solution for this

BeryJu avatar Sep 08 '22 09:09 BeryJu

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] avatar Nov 07 '22 11:11 stale[bot]