Cluster Manager
The Cluster Manager commissions new clusters, and allows central services to encrypt secret information for transfer to the edge clusters.
ACS Cluster Manager Component
Overview
The Cluster Manager mainly operates autonomously, acting on requests in the form of Config Store entries. To create a new cluster, first a UUID must be allocated under the Edge cluster class. Then an Edge cluster configuration Config Store entry must be created for this object, specifying the details for the new cluster.
The Cluster Manager will pick up the new Config Store entry automatically and will commission the new cluster; this consists of creating and populating a Git repo within the local Git server to drive the new cluster. The status of this process is recorded in the corresponding Edge cluster setup status entry; once that entry has the property ready: true, the cluster is created and ready to be deployed. At this point the URL of a bootstrap script for the new cluster can be fetched from the Cluster Manager via its HTTP API.
This bootstrap script will attach the new cluster to the Factory+ installation as an edge cluster, create credentials for the cluster, and install the edge cluster infrastructure. Once it has been run, the Edge Sync operator will be running on the edge cluster, and this will keep the Edge cluster status Config Store entry up to date. One of the items in this entry is a public key which can be used to encrypt secrets such that only the edge cluster can decrypt them.
The Cluster Manager has an API endpoint to make use of this facility. This endpoint will accept secret information, encrypt it, and construct a Kubernetes SealedSecret resource containing the encrypted data. This will then be committed to the Git repo that drives the cluster, from where Flux running on the edge cluster will retrieve it. The Sealed Secrets operator running on the edge will decrypt the secret information and make it available on the edge cluster as a Kubernetes Secret.
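The encryption step described above, as an added illustration rather than the Cluster Manager's own code: it assumes the Cluster Manager seals each value in the hybrid RSA-OAEP/AES-256-GCM format that the Sealed Secrets controller on the edge unseals, scoped to the namespace and name of the Secret it will become, using the public key the edge cluster publishes in its status entry. The function names, namespace, Secret name and secret value are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// scopeLabel is the OAEP label the Sealed Secrets controller binds a value to: the
// namespace/name of the Secret it will create, so the ciphertext is useless elsewhere.
func scopeLabel(namespace, name string) []byte { return []byte(namespace + "/" + name) }

// sealForCluster encrypts one value with the edge cluster's public key in the layout the
// controller unseals: [2-byte len][RSA-OAEP(session key)][AES-256-GCM(plaintext)], base64.
func sealForCluster(pub *rsa.PublicKey, namespace, name string, plaintext []byte) (string, error) {
	sessionKey := make([]byte, 32) // fresh per value, never reused
	if _, err := rand.Read(sessionKey); err != nil {
		return "", err
	}
	rsaCT, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, scopeLabel(namespace, name))
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// Single-use session key, so the fixed all-zero nonce the controller expects is safe.
	out := make([]byte, 2, 2+len(rsaCT))
	binary.BigEndian.PutUint16(out, uint16(len(rsaCT)))
	out = append(out, rsaCT...)
	out = gcm.Seal(out, make([]byte, gcm.NonceSize()), plaintext, nil)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Stand-alone demo with a throwaway key (real use takes the edge cluster's published key); constructed sample values.
func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	sealed, _ := sealForCluster(&priv.PublicKey, "factory-plus", "edge-creds", []byte("hunter2"))
	fmt.Println(sealed)
}
```

The returned string is what goes under spec.encryptedData in the SealedSecret resource committed to the cluster's Git repo; because the OAEP label is part of the ciphertext, the same value copied into a Secret with a different namespace or name will not unseal.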
HTTP interface
Well-Known UUIDs
These well-known UUIDs are part of the core framework and all MUST be registered with the Configuration Store component under the appropriate classes.