Remote cluster configuration
A remote cluster configuration resource (RemoteClusterConfiguration) represents a cluster in a federation of clusters. Each remote cluster needs a configuration to be specified to allow the local cluster to access resources on the remote cluster. The connection is one-way: the information flows only from the remote to the local cluster. To share information from the local cluster to the remote one a remote cluster configuration resource must be created on the remote cluster.
A remote cluster configuration causes Typha and calicoq
to retrieve the following resources from a remote cluster:
- Workload endpoints
- Host endpoints
- Profiles (rules are not retrieved from remote profiles, only the
LabelsToApply
field is used)
When using the Kubernetes API datastore with RBAC enabled on the remote cluster, the RBAC rules must be configured to allow access to these resources.
For more details on the federation feature refer to the Overview.
For the meaning of the fields matches the configuration used for configuring calicoctl
, see Kubernetes datastore instructions for more details.
This resource is not supported in kubectl
.
Sample YAML
For a remote Kubernetes datastore cluster:
apiVersion: projectcalico.org/v3
kind: RemoteClusterConfiguration
metadata:
name: cluster1
spec:
datastoreType: kubernetes
kubeconfig: /etc/tigera-federation-remotecluster/kubeconfig-rem-cluster-1
For a remote etcdv3 cluster:
apiVersion: projectcalico.org/v3
kind: RemoteClusterConfiguration
metadata:
name: cluster1
spec:
datastoreType: etcdv3
etcdEndpoints: 'https://10.0.0.1:2379,https://10.0.0.2:2379'
RemoteClusterConfiguration Definition
Metadata
Field | Description | Accepted Values | Schema |
---|---|---|---|
name | The name of this remote cluster configuration. | Lower-case alphanumeric with optional - | string |
Spec
Field | Secret key | Description | Accepted Values | Schema | Default |
---|---|---|---|---|---|
clusterAccessSecret | Reference to a Secret that contains connection information | Kubernetes ObjectReference | none | ||
datastoreType | datastoreType | The datastore type of the remote cluster. | etcdv3 kubernetes | string | none |
etcdEndpoints | etcdEndpoints | A comma separated list of etcd endpoints. | string | none | |
etcdUsername | etcdUsername | Username for RBAC. | string | none | |
etcdPassword | etcdPassword | Password for the given username. | string | none | |
etcdKeyFile | etcdKey | Path to the etcd key file. | string | none | |
etcdCertFile | etcdCert | Path to the etcd certificate file. | string | none | |
etcdCACertFile | etcdCACert | Path to the etcd CA certificate file. | string | none | |
kubeconfig | kubeconfig | Location of the kubeconfig file. | string | none | |
k8sAPIEndpoint | Location of the kubernetes API server. | string | none | ||
k8sKeyFile | Location of a client key for accessing the Kubernetes API. | string | none | ||
k8sCertFile | Location of a client certificate for accessing the Kubernetes API. | string | none | ||
k8sCAFile | Location of a CA certificate. | string | none | ||
k8sAPIToken | Token to be used for accessing the Kubernetes API. | string | none |
When using the clusterAccessSecret
field, all other fields in the RemoteClusterconfiguration resource must be empty.
When the clusterAccessSecret
reference is used, all datastore configuration will be read from the referenced Secret
using the "Secret key" fields named in the above table as the data key in the Secret. The fields read from a Secret
that were file path or locations in a RemoteClusterConfiguration will be expected to be the file contents when read
from a Secret.
All of the fields that start with etcd
are only valid when the DatastoreType is etcdv3 and the fields that start with k8s
or kube
are only valid when the datastore type is kubernetes.
The kubeconfig
field and the fields that end with File
must be accessible to Typha and calicoq
, this does not apply when the data is coming from a Secret referenced by clusterAccessSecret
.
When the DatastoreType is kubernetes
, the kubeconfig
file is optional but since it can contain all of the authentication information needed to access the Kubernetes API server it is generally easier to use than setting all the individual k8s
fields. The other kubernetes fields can be used by themselves though or to override specific kubeconfig values.
Supported operations
Datastore type | Create/Delete | Update | Get/List | Notes |
---|---|---|---|---|
etcdv3 | Yes | Yes | Yes | |
Kubernetes API server | Yes | Yes | Yes |