Skip to content

Use ingress hostname in Tenant Control Plane #600

New issue
New issue
Closed
#608
Closed
Use ingress hostname in Tenant Control Plane#600
#608
Assignees
prometherion
@bsctl

Description

@bsctl
bsctl
opened on Oct 17, 2024

Issue

When using tcp.spec.controlPlane.ingress.hostname, in Tenant control Plane manifest, the hostname is used in the internal communication inside Kamaji cluster instead of the tcp.status.controlPlaneEndpoint.

apiVersion: kamaji.clastix.io/v1alpha1
kind: TenantControlPlane
metadata:
  annotations:
    kamaji.clastix.io/ingress.domain: clastix.cloud
  name: tenant-00-eu-south-1
  namespace: default
spec:
  controlPlane:
    deployment:
      replicas: 2
    ingress:
     ## note the port of the ingress is different from port in the  network profile
      hostname: default-tenant-00-eu-south-1.k8s.clastix.cloud:443 
    service:
      serviceType: ClusterIP
  networkProfile:
    port: 6443

the Kamaji controller logs:

2024-10-18T14:25:08Z    ERROR   soot_default_tenant-00-eu-south-1       Reconciler error        {"controller": "clusterrolebinding", "controllerGroup": "rbac.authorization.k8s.io", "controllerKind": "ClusterRoleBinding", "ClusterRoleBinding": {"name":"kubeadm:kubelet-bootstrap"}, "namespace": "", "name": "kubeadm:kubelet-bootstrap", "reconcileID": "9fc6ce0b-dbaa-496c-afd5-aebae80c53bb", "error": "unable to create ClusterRoleBinding: Post \"https://default-tenant-00-eu-south-1.k8s.clastix.cloud:6443/apis/rbac.authorization.k8s.io/v1/clusterrolebindings?timeout=10s\": context deadline exceeded",
...

Expected

The tcp.spec.controlPlane.ingress.hostname is intended for accessing the Tenant control Plane only from outside the Kamaji cluster, for example by user's kubectl, node kube-proxy and kubelet, and node kubeadm join. The internal communincation inside the Kamaji cluster should use tcp.status.controlPlaneEndpoint and tcp.spec.networkProfile.port.

When using tcp.spec.controlPlane.ingress.hostname, in Tenant control Plane manifest, it is necessary to have ingress and ingress properly set in:

  • on the Kamaji cluster, <tenant_name>-admin-kubeconfig secret
  • on the tenant cluster,
    • kube-system/kube-proxy config map
    • kube-public/cluster-info config map

If tcp.spec.controlPlane.ingress is set but hostname is not defined, then ingress's host will be: <tenant>.<namespace>.<domain>, where domain is specified under NetworkProfile.

Make sure the config maps and secrets are reconcilied upon changes in the TCP manifest.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions