Proxy traffic through infra Server
Is your feature request related to a problem? Please describe.
I'm looking into using infrahq to replace Rancher for Cluster SSO; however, one thing I quite like about how Rancher works is that their agent is deployed in each cluster, and then Kubernetes API traffic gets sent to the Rancher server, which internally proxies it to the agent.
This has the distinct advantage of only requiring the Rancher server to be accessible, and not each of the clusters. This would also remove the requirement for each cluster connector to be a LoadBalancer service.
I've read https://infrahq.com/docs/reference/architecture and the architecture looks like it purposefully doesn't include that; however, is this something worth considering?
Describe the solution you'd like
The Kubernetes connector establishes a long-lived WebSocket/gRPC/etc. connection with the infra server, through which API requests sent to the infra server are proxied.
Describe alternatives you've considered
Use the current setup, which requires an extra LoadBalancer in each cluster.
Environment Details
$ infra version
Client: 0.14.0
Server: disconnected
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.3", GitCommit:"aef86a93758dc3cb2c658dd9657ab4ad4afc21cb", GitTreeState:"clean", BuildDate:"2022-07-13T14:30:46Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.3", GitCommit:"aef86a93758dc3cb2c658dd9657ab4ad4afc21cb", GitTreeState:"clean", BuildDate:"2022-07-13T14:23:26Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kubeadm
Additional context
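The connector-dials-out tunnel requested above, as an added sketch that is not part of the original issue and not infra's or Rancher's code. The names `connListener`, `runAgent`, `fetchViaTunnel` and `cluster-a` are hypothetical, and the sketch assumes plain HTTP on loopback with one request per tunnel, leaving out the TLS, authentication and stream multiplexing a real connector would need.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
)

// connListener hands one already-dialed connection to http.Serve.
type connListener chan net.Conn
func (l connListener) Accept() (net.Conn, error) { return <-l, nil }
func (l connListener) Close() error              { return nil }
func (l connListener) Addr() net.Addr            { return &net.TCPAddr{} }

// runAgent (cluster side) dials OUT, then serves API requests on that same socket.
func runAgent(serverAddr, cluster string) error {
	conn, err := net.Dial("tcp", serverAddr)
	if err != nil {
		return err
	}
	l := make(connListener, 1)
	l <- conn
	return http.Serve(l, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s: %s %s", cluster, r.Method, r.URL.Path) // stand-in for kube-apiserver
	}))
}

// fetchViaTunnel (server side) is the only listener; the cluster accepts nothing inbound.
func fetchViaTunnel(path string) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go runAgent(ln.Addr().String(), "cluster-a")
	// "Dialing" the cluster means accepting the connection its agent opened to us.
	tr := &http.Transport{DialContext: func(context.Context, string, string) (net.Conn, error) {
		return ln.Accept()
	}}
	resp, err := (&http.Client{Transport: tr}).Get("http://cluster-a" + path)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() { fmt.Println(fetchViaTunnel("/api/v1/namespaces")) }
```

With this shape the server's listener is the single exposed endpoint, so it is also the one place where connector identity has to be verified before any request is forwarded.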
If this feature is considered, then it would be great if it could be an optional switch. For our use case it is really great that we don't have a single heavily loaded server with all connections to various clusters like in Rancher.
Definitely would be good to have both options; in the meantime, I found out that Portainer can do this proxying via their Edge Agent and still offer SSO for the K8s API, so that's my current solution for this.
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.