...
- Main DCM Microservice (contains the service mesh Module(formally Logical Cloud Controller), User Module and Namespace Module, Quota Module(Limits resources available to each logical cloud))
- CA Key Distribution Controller ( Generate intermediate CA key for each edge which is signed by an root or intermediate key)
...
Drawio |
---|
border | true |
---|
viewerToolbar | true |
---|
| |
---|
fitWindow | false |
---|
diagramDisplayName | |
---|
lbox | true |
---|
revision | 17 |
---|
diagramName | DCM |
---|
simpleViewer | false |
---|
width | 1000 |
---|
links | auto |
---|
tbstyle | top |
---|
diagramWidth | 721 |
---|
|
Fig 1: DCM Components
DCM Sequence
- Client creates logical cloud using logical cloud creation API and the following documents are created in the DCM collection
- The core module parses the Json and creates a new document for the logical cloud in the mongodb DCM collection.
- The core module also creates a cluster document in the DCM collection
- The user module parses the Json and creates a new document for user
The namespace module parses the Json and creates a new document for namespace
- Associates logical cloud with clusters (this API is called multiple times)
- Updates the cluster document with the cluster name, loadbalancer ip every time its called
- Add quota for logical cloud client talks to the core module and at each step the core module calls the specific modules which then take the information and store it in the required section in the database. For examle, the namespace module will store the namespace for the logical cloud in the DB.
- quota module creates a quota document containing the quota details
- Apply API is called
- Service mesh module gets CA bundle from CA controller via gRPC
- Service mesh module gets names of logical cloud and creates a new namespace name using name of logical cloud name
- Service mesh module creates helm template/istioctl manifest
and stores it in the database with the namespace to use- (WIP)
- Service mesh module creates
k8s coredns file for coredns of control plane for each cluster i.e, there is a coredns deployment file, configmap, service account etc for each cluster per control plane (logical cloud)- service mesh document in the DCM collection and stores the above (CA bundle contents, istio namespace, istioctl manifest) in the document
- DCM informs the resource synchronizer to start the logical cloud creation via gRPC and the resource synchronizer starts reading from the DB
- The DCM gets status from the resource synchronizer via gRPC
- When the logical cloud creation is complete, the resource synchronizer will store the modified kubeconfig file for each cluster in the cluster document of the logical cloud
The details of the DCM Data Model can be found in DCM MongoDB Data Model
DCM Source Code Directory Structure
...
Code Block |
---|
language | js |
---|
title | PUT Logical Cloud |
---|
|
URL: /v2/projects/<project-name>/logical-clouds/<name><logical-cloud-name>
PUT BODY:
{
"metadata" : {
"name": "lc-1",
"description": "logical cloud for walmart finance department", //description for the logical cloud
"userData1":"<user data>",
"userData2":"<user data>"
},
"spec" : {
"namespace" : "ns-1", // one namespace per logical cloud
"user" : {
"user-name" : "user-1", //name of user for this cloud (username and logical cloud name would be used as subject for the user key)
"type" : "certificate", //type of authentication credentials used by user (certificate, Token, UNPW)
"user-permissions" : [
{ "permission-name" : "permission-1",
"apiGroups" : ["stable.example.com"],
"resources" : ["secrets", "pods"],
"verbs" : ["get", "watch", "list", "create"]
},
{ "permission-name" : "permission-2",
"apiGroups" : [""],
"resources" : ["configmaps"],
"verbs" : ["*"]
}
]
}
}
}
Return Status: 200 (OK)
Return Body:
{
"name" : "logical-cloud-1",
"logical-cloud-name" : "logical-cloud-1",
"namespace" : "ns-1",
"user" : "user-1"
}
|
...
Code Block |
---|
language | js |
---|
title | GET Logical Cloud |
---|
|
GET
URL: /v2/projects/<project-name>/logical-clouds/<name><logical-cloud-name>
RESPONSE BODY:
{
"metadata" : {
"name": "lc-1", //unique name for the record
"description": "logical cloud for walmart finance department", //description for the logical cloud
"userData1":"<user data>",
"userData2":"<user data>"
},
"spec" : {
"namespace" : "ns-1", // one namespace per logical cloud
"user" : {
"user-name" : "user-1", //name of user for this cloud (username and logical cloud name would be used as subject for the user key)
"type" : "certificate", //type of authentication credentials used by user (certificate, Token, UNPW)
"user-permissions" : [
{ "permission-name" : "permission-1",
"apiGroups" : ["stable.example.com"],
"resources" : ["secrets", "pods"],
"verbs" : ["get", "watch", "list", "create"]
},
{ "permission-name" : "permission-2",
"apiGroups" : [""],
"resources" : ["configmaps"],
"verbs" : ["*"]
}
],
"clusters" : ["cluster-1", "cluster-2", "cluster-3]
}
}
}
|
...
Code Block |
---|
language | js |
---|
title | DELETE Logical Cloud |
---|
|
DELETE
URL: /v2/projects/<project-name>/logical-clouds/<name><logical-cloud-name>
|
Logical Cloud Cluster API
...
Code Block |
---|
language | js |
---|
title | Associate logical cloud with cluster |
---|
|
URL: /v2/projects/<project-name>/logical | cloud with clusterURL: /v2/projects/<project-name>/logical-clouds/<logical-cloud-name>/cluster-references/
POST BODY:
{
-clouds/<logical-cloud-name>/cluster-references/
POST BODY:
{
"metadata" : {
"name": "lc-cl-1",
"description": "desc",
"userData1":"<user data>",
"userData2":"<user data>"
},
"spec" : {
"cluster-provider": "cp-1",
"cluster-name": "c1", //name of the cluster,
"loadbalancer-ip" : "0.0.0.0" //IP address of the istio loadbalancer for the logical cloud control plane in the cluster
}
}
}
Return Status: 200 (OK)
Return Body:
{
"cluster-name" : "cluster-1"
"loadbalancer-ip" : "0.0.0.0"
}
|
...
Code Block |
---|
language | js |
---|
title | Delete Cluster from logical cloud |
---|
|
DELETE
URL: /v2/projects/<project-name>/logical-clouds/<logical-cloud-name>/cluster-references/cluster<cluster-namename>
RESPONSE STATUS: 204
}
|
Logical Cloud User Permissions API
...
Code Block |
---|
language | js |
---|
title | Update KV pair |
---|
|
URL: /v2/projects/<project-name>/logical-clouds/<logical-cloud-name>/kv-pairs/<name><kv-pair-name>
PUT BODY
{
"metadata":{
"description":"<description>",
"userData1":"<user data>",
"userData2":"<user data>"
},
"spec":{
"kv":[
{
"key1":"val3"
},
{
"key2":"val4"
}
]
}
}
RETURN STATUS: 201
RETURN BODY:
{
"metadata":{
"description":"<description>",
"userData1":"<user data>",
"userData2":"<user data>"
},
"spec":{
"kv":[
{
"key1":"val3"
},
{
"key2":"val4"
}
]
}
} |
...
Code Block |
---|
language | js |
---|
title | Get KV pair |
---|
|
URL: /v2/projects/<project-name>/logical-clouds/<logical-cloud-name>/kv-pairs/<name><kv-pair-name>
RETURN STATUS: 200
RETURN BODY:
{
"metadata":{
"name":"<name>",
"description":"<description>",
"userData1":"<user data>",
"userData2":"<user data>"
},
"spec":{
"kv":[
{
"key1":"val1"
},
{
"key2":"val2"
}
]
}
} |
...
Code Block |
---|
language | js |
---|
title | Delete KV pair |
---|
|
URL: /v2/projects/<project-name>/logical-clouds/<logical-cloud-name>/kv-pairs/<name><kv-pair-name>
RETURN STATUS: 204
|
...
Kubeconfig API (WORK IN PROGRESS)
Important points to Note
- cluster CA and cluster CRT will be gotten when a cluster is registered and this will be used to create the user crt after the user csr and user key are created
...
Code Block |
---|
language | js |
---|
title | Get Logical cloud kubeconfig |
---|
|
URL: /v2/projects/<project-name>/logical-clouds/<logical-cloud-name>/kubeconfig?cluster-reference=cluster-1
GET
Return Status: 201
Return Body :
{
"apiVersion": "v1",
"clusters": [
{
"cluster": {
"certificate-authority-data": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01ERXhOakl5TlRReU1sb1hEVE13TURFeE16SXlOVFF5TWxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTXZ5ClpSMmtHZ201OHJtRUYxZ0VVNDlwR281TjR5WlZzbUtsemJxeitHcmp3MWY4ZHBaa01JN1RYbm1xaXdjbmpiZksKdlZDYmFKblBwRm9Wc0gyMTFMRVYxa1pqQ2RZakgrQnA4VUNadFpOZnJha1o1TU91RW40MXlpbDRxVTFxRnBYcgpvMnAvTTJNSTc0bzdYSis5V2VUNmZ1MFJ0RjRjK1p6K3IzbWY3YWFnem9weEo1TzcyN010WkN5bzJHaWNJdzgyCk1uSmUrbHBnNDdEdTNwK0JzOVZ4cENNVjhUTFBDWWFxVUZHZWZ1U25zTHpCOWFHUGJaMi9kWlMrQll6VGJ1dWIKZ0pzbmxKd1o2Z1orVkJKWGtxcFN4ZmJTWFE3V2VLR1BkMkptYk04THFtd2UxcEtIMnNnVEs0cnBuM3dKdzk1Uwp5c01LZWp5aS9TcmZWci9ZdmRNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFIRkJ3VUJrRE56MDV3cGlVVkhaeld3Z0JWWTgKTFRIV2RZYUliaTZzeCthTUhIOFF3cERhSUIvME9KUlZmc01XNXd2eldTWE05d28zR2ltMlYxNnBsN0E3ZXRkLwo3OWZiT0FaTTh0bUFHMVlraFlJbjc0NzRvaE5GZjhLdjFqY3ZIUStIREZZRTRHdTBXUXhBQU9sRmh2SUNKc1VDCmRrN25mREpMRTIwa1E0M1ZIMnc3Ukg3clFVcUVNVnhVU2VTTWdid0xEQms5bWFQNm83RjdsT0ZqQnJibmhaVlgKNDA3U3Z2aTFRM0x6eCtubklhY3RidkZaUGFDRlpPMlkvS0dpcFpYM3o0R3hiR0sxM3VweExuSllHZEI4eFBrRApmK3FISFYvMHVVV2Yzb2JpSUNTT09qUjF5VnB3eXdIVFcrTHhyM1BZcXQ5b0NTRXErYitPUDE2SVV5az0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
"server": "https://1.2.3.4:6443"
},
"name": "kubernetes"
}
],
"contexts": [
{
"context": {
"cluster": "cluster-1",
"user": "user-1"
},
"name": "user-1-context"
}
],
"current-context": "user-1-context",
"kind": "Config",
"users": [
{
"name": "user-1",
"user": {
"client-certificate-data" : "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJZVovY05tQVE5NGd3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TURBeE1UWXlNalUwTWpKYUZ3MHlNVEF4TVRVeU1qVTBNamhhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW0zblA0eTdURjNrZldaZFoKaFdaV2RTSWZlNlpkbTdWK1BpcER6UWFHMTVuU0ZNSVRSeFVyYkhHdWlzakZQRlAzbUIyT09yN3BSQjJab3VDegppOFlYS21iYjJ6K2tjeWZxT1drcHhmTzlHQlV6SlYxL1BoUGU2dGRaSEp3c3FtNlhYZ2xkcTEvNjBSTWNwUVUxCi9LOXNZNHhWQ1djSkN4SEkvTnp4VDY0TU5zQlF3VldONXZWTTJOUDJtZDFOa2x2S3J2bnFRUERXTGxVWEx2THIKK2NESk50VytxcFc4dzVreXF5YWp1ZHQ4ZGw0dzZSY3FnL3VnbXRVMHRnVEdxcFdSYm5yZlFMSzBsaGJKejVMTgpmK1pNTjRCYllxWGRBZ2hFMTNEeHhYd2tHUHdnL3h0aFhManBaQzhjeTNlV0hCenV2cWY1aWJ2S0hRQ20zRmFjCjhBTlVpUUlEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDV3BuY1RhTWowOWZDL25CQTF1NWhkbFQrQmdhc3NZSFVEeQplM2tQUXJlUXdseUhYTGtWdDdiSkIxT0l6Y1V3K2M5MVF6Mm9lRFBaNzZGNGlQMTd5RUgrUFZrMVVUSzBLRU9jCjM2cVpXTUdMK0ptZy9wTnFBNXRsNG1EUTVneFhHTENpa2JiYzRTM0oxL0FicmFVakRtM1FEOTd6UEhSUkZnN2oKN2VXMnB2V3ZEakRTWDZGejY0dEorRHB2NUpGZGRHNU5lQVErZ0hNOWFPVUdCVG1oZlYzZnl1NzkzV0cyUGlxMgpMMlZQU0YycU5DRG96Y3Z3am84VHkxbUpXSzIvTkVjN2ZMd24wbml3UTd3aXpMWHU0N1hvL3Frb2pBMUN6MW9YCkhid1JQMjZXdVNDTGpnNnpHVUh3VnBZWmV4Z3pkY05CRERQTnlPem94RTFwUVlXRXkrZz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
"client-key-data" : "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBbTNuUDR5N1RGM2tmV1pkWmhXWldkU0lmZTZaZG03VitQaXBEelFhRzE1blNGTUlUClJ4VXJiSEd1aXNqRlBGUDNtQjJPT3I3cFJCMlpvdUN6aThZWEttYmIyeitrY3lmcU9Xa3B4Zk85R0JVekpWMS8KUGhQZTZ0ZFpISndzcW02WFhnbGRxMS82MFJNY3BRVTEvSzlzWTR4VkNXY0pDeEhJL056eFQ2NE1Oc0JRd1ZXTgo1dlZNMk5QMm1kMU5rbHZLcnZucVFQRFdMbFVYTHZMcitjREpOdFcrcXBXOHc1a3lxeWFqdWR0OGRsNHc2UmNxCmcvdWdtdFUwdGdUR3FwV1JibnJmUUxLMGxoYkp6NUxOZitaTU40QmJZcVhkQWdoRTEzRHh4WHdrR1B3Zy94dGgKWExqcFpDOGN5M2VXSEJ6dXZxZjVpYnZLSFFDbTNGYWM4QU5VaVFJREFRQUJBb0lCQURSeCs3RTd5MU1ndFhXSQpPMWRuZFFTZ0ZSU2x3dS9TWWhwZ01XeklwZFcyZW9vc0NVcXlGbXJIVWtSWWcwZmRYeWk5MTR0emVNWlVZYzN5CmxENHkvUDk5b080dFlyREJweDNrbm9XNnVXK1ZQeUo4am42SFAydmlacG5qQ0tJWkdoQkxnb0JicVFTN3VLN2wKdWhkWnFXdFBIQ1JHMEdNZWhiamVZcndwRHMrc3V5Y0tUNlh2OGR0am9PRGlSenpodTBBWjErSDBMbC9MaUp5NgpubUF1M3IzUDN2dGt1ZndoOXB2SjA2TjhHVWhRZFlvVENBMHQ4c0lEN0Q0ZUZGcXdjM2FVTmlyVGdtcllmcVFkCnJQMnRUMkYxbEE5bEJ1bUJmNDBCUFMrejR0MS92Tk5XSEtseFFzaDRkTnNJczlFbHB1YkVTMlovbmJkUHpEOXUKUHlmWmNCMENnWUVBemZEZ21TVVZ2REpJMEZWWnNENWszNWxRWFpmQ3ZLZWpaaU5ScTZzaDlROUhBcTdaN3dESwo3RmNHSGZFQVhNZ1YyQ2VibUtkbFZ4aFJMQUVQb0todzNCbG94RlhiNC9ESytYdmV0ek4vUnQzQ0VGN29jZTFECko0eXVTS0pYR25RVW82NXV6RVBJMmVVdi81Njh5dEdDdXlNRmdIZDNTRHBxeUZqSjhlVXp3RGNDZ1lFQXdVU2kKVVpkMTEzVnFWeEpUQytSeTlsRzNIeGZFekhBbUdkMXNQNFdmYm9nZ3hjbmZrZk9ndU1ua0dzVVNnNGZjN3BKNworVDd2dFg2QVRXQkUzeUV1SHdMcytJd2VQT2RFeDNBZytSYnBKU25pTEc2WmUxdER0K2NtdTdObGZGRWRuR0l2CkUvTkt1c3FLdmduN3FzK216OHR5UmwxZ0pYMGdjT3J1TFVnbnNUOENnWUVBaGlUdUY3TnBXZ0lqSGRsS3A1dXMKMTEwbFZTR2lqb0pmMUFzVGlzL1pPYWh1NTlkL1M4aG5aZFUxdmRFYkhGU1VyZ3oydEZQdGxmTFlCT0xZREIxTQpEb0phbFBFY1gzaWNyaSs2bmZqa1lnUFhBaFRnTWoyTExicmNWNkd2UFNMNXdyaS9vVHhTRzJUSGhDa2c3cmZVCkFSUEo1S2xzd0ZhVThkV3NEVzN2N0xjQ2dZQlhlZGc2TStLcmpjSisvSlZJR2JPTEY3dFp3R2xiMnhyenRBdk4KeUk0NytqTlRNcWNWcVg3Q2hPYlEwd2dwTG5KcUxUVWR3RVhCRVN2RFdlSnlWOU5IU0F5NEJydWM5MVJqTExaUAo1L1hJMDJkQ2t5QzIrN3p2M1JqajlqUG1DOVRxTm1wMmpqVHh6TUQxZVJGRzQ4dnQyM2l5cm9yWkRRU0U5MkNzCmNDOC9Bd0tCZ1FDamRrVTNOcWFPZHUzMlpkWm5IK0cxY0NwbGtRK1VFZXNmTlcrWjdiWWtocng2Z2l6eCtjY0UKS3FhNTRxTmJkQVdLQXRzSU5lZ3pQU0toV0g0eXFnaWYrNmQ1aVVZUlFoUUhNVG0yTHpEQ2xGQ001N2FPdmQ3YQpNUEZxR3BNV2tqVmlnZjlwdHV3YW1qWkYwbm5MUVE5dWIzMlB3Zjk0Yzl4NFBEdkpmdTQrUHc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo="
}
}
]
} |
...
Apply API
When the API is called, the resource synchronizer is called and the resource creation in the cluster begins
...
Code Block |
---|
language | js |
---|
title | Apply configuration |
---|
|
URL: /v2/projects/<project-name>/logical-clouds/<logical-cloud-name>/apply
Return Status: 200 (OK)
Return Body:
{
"logical-cloud-name" : "logical-cloud-1",
"namespace" : "ns-1", // one namespace per logical cloud
"description": "logical cloud for walmart finance department", //description for the logical cloud
"user" : "user-1",
"clusters" : ["cluster1", "cluster2", "cluster3"]
"quota-name" : "quota-1"
}
|
...
Status API
GET (Check status of operation)
...