Hosted mode relay support #288

Closed
kahirokunn wants to merge 2 commits into open-cluster-management-io:main from kahirokunn:hosted-mode-relay-support

kahirokunn commented May 19, 2026

Summary by CodeRabbit

  • New Features

    • Added hosted mode support enabling cluster-proxy addon deployment across separate clusters.
    • Added managed kubeconfig provisioning with automatic token refresh and health monitoring.
    • Added managed API server proxy component for secure Kubernetes API access.
    • Added service relay for service proxying in hosted environments with BestEffort and Relay modes.
    • Enhanced Prometheus metrics collection for improved observability.
  • Documentation

    • Added hosted mode configuration and deployment documentation.
    • Updated contributor guidelines with build/test requirements.
  • Tests

    • Added end-to-end test suite for hosted mode deployments.

Signed-off-by: kahirokunn <okinakahiro@gmail.com>
openshift-ci Bot requested review from xuezhaojun and yue9944882 May 19, 2026 07:27

openshift-ci Bot commented May 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kahirokunn
Once this PR has been reviewed and has the lgtm label, please assign xuezhaojun for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

kahirokunn closed this May 19, 2026

coderabbitai Bot commented May 19, 2026

Caution

Review failed

The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 753b3da and e84b7d3.

📒 Files selected for processing (37)
  • CONTRIBUTING.md
  • Makefile
  • README.md
  • cmd/addon-agent/main.go
  • cmd/cluster-proxy/main.go
  • pkg/constant/constant.go
  • pkg/metrics/metrics.go
  • pkg/proxyagent/agent/agent.go
  • pkg/proxyagent/agent/agent_test.go
  • pkg/proxyagent/agent/managedapiserver/proxy.go
  • pkg/proxyagent/agent/managedapiserver/proxy_test.go
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-role.yaml
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-rolebinding.yaml
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/agent-client-secret.yaml
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/ca-secret.yaml
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/cluster-service.yaml
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/managed-kubeconfig-provisioner.yaml
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/namespace.yaml
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/service-account.yaml
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/service-proxy-server-certificates.yaml
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/service-relay.yaml
  • pkg/proxyagent/agent/manifests/charts/addon-agent/values.yaml
  • pkg/proxyagent/agent/provisioner/command.go
  • pkg/proxyagent/agent/provisioner/managed_kubeconfig.go
  • pkg/proxyagent/agent/provisioner/managed_kubeconfig_test.go
  • pkg/serviceproxy/service_proxy.go
  • pkg/serviceproxy/token_authenticator.go
  • pkg/serviceproxy/token_authenticator_test.go
  • pkg/servicerelay/service_relay.go
  • pkg/servicerelay/service_relay_test.go
  • pkg/utils/utils.go
  • test/e2e/connect_test.go
  • test/e2e/e2e_test.go
  • test/e2e/env/init-hosted.sh
  • test/e2e/env/run-hosted.sh
  • test/e2e/hosted_test.go

Walkthrough

This PR adds comprehensive hosted mode support to Cluster Proxy, enabling addon-framework deployed proxies to serve both hub and managed clusters. It introduces managed kubeconfig provisioning, three service proxy modes (Disabled/BestEffort/Relay), managed API server and service relays, and complete E2E testing infrastructure.

Changes

Hosted Mode Feature Implementation

| Layer | File(s) | Summary |
| --- | --- | --- |
| Metrics and observability foundation | pkg/metrics/metrics.go, pkg/utils/utils.go | Prometheus metrics for managed kubeconfig token expiration, relay connections, and proxy/relay request counters; /metrics endpoint registered on health probes server. |
| Managed kubeconfig provisioner | pkg/proxyagent/agent/provisioner/command.go, managed_kubeconfig.go, managed_kubeconfig_test.go | Continuously syncs managed kubeconfig Secret from source Secret, refreshes tokens before expiration, patches add-on conditions, and provides pre-delete cleanup Job. |
| Service proxy hosted modes and routing | pkg/serviceproxy/service_proxy.go, token_authenticator.go, token_authenticator_test.go | Three hosted modes (Disabled/BestEffort/Relay) with managed kubeconfig impersonation, relay URL construction, and updated token review error handling. |
| Managed API server proxy (TCP relay) | pkg/proxyagent/agent/managedapiserver/proxy.go, proxy_test.go | TCP relay parsing kubeconfig, deriving apiserver address, handling bidirectional streaming with per-connection metrics and dial error tracking. |
| Service relay HTTP proxy | pkg/servicerelay/service_relay.go, service_relay_test.go | HTTP relay resolving target service URLs from headers, restoring authorization, filtering internal headers, recording request metrics. |
| Addon agent and CLI integration | cmd/addon-agent/main.go, cmd/cluster-proxy/main.go, pkg/proxyagent/agent/agent.go, agent_test.go | Optional spoke kubeconfig flag, management-lease mode, metrics serving, expanded RBAC permissions, and CLI subcommand wiring for provisioner/proxy/relay. |
| Constants and shared utilities | pkg/constant/constant.go, pkg/utils/utils.go | Service relay port (7444) and name constants; cluster-proxy authorization header constant. |
| Helm templates for hosted deployment | pkg/proxyagent/agent/manifests/charts/addon-agent/templates/*.yaml | Conditional rendering of hosted-mode resources: managed kubeconfig provisioner, service relay, kube-apiserver proxy container, managed kubeconfig volumes/mounts, hosted-manifest location annotations. |
| Helm values and configuration | pkg/proxyagent/agent/manifests/charts/addon-agent/values.yaml | Install mode, external managed kubeconfig source namespace/name, managed secret naming/timing, hosted service proxy mode, service relay name/port. |
| Addon agent and integration tests | pkg/proxyagent/agent/agent_test.go | Tests validating hosted-mode manifest rendering with expected container sets, volume mounts, RBAC rules, and expectations for hosted vs default mode artifacts. |
| E2E infrastructure and initialization | test/e2e/env/init-hosted.sh, run-hosted.sh | Bash scripts creating kind clusters, initializing OCM hub, joining clusters in hosted mode, deploying add-ons, provisioning test services, and exporting environment variables. |
| E2E test suites for hosted mode | test/e2e/hosted_test.go, e2e_test.go | Ginkgo tests validating resource distribution, managed kubeconfig generation/refresh, API server proxying with auth, service proxying via relay, metrics, mode switching, and cleanup. |
| Existing E2E test adaptations | test/e2e/connect_test.go | Namespace/cluster client selection, pod/container targeting, service address environment variable overrides, HTTPS test branching for hosted mode. |
| Documentation and build infrastructure | README.md, CONTRIBUTING.md, Makefile | Hosted mode documentation section, pre-check make targets, and hosted E2E Makefile targets for environment setup/cleanup/execution. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • open-cluster-management-io/cluster-proxy#282: Both PRs modify TokenReview/token-authentication flow in pkg/serviceproxy (main PR adds hosted-mode auth handling and changes unauthenticated error behavior; related PR adds TokenReview result caching).
  • open-cluster-management-io/cluster-proxy#285: Both PRs modify shared health probe handling in pkg/utils/utils.go (main PR adds /metrics endpoint; related PR changes ServeHealthProbes to accept TLS ConfigMap).

Suggested labels

approved, lgtm

Suggested reviewers

  • qiujian16
  • xuezhaojun

@mikeshng (Member)

@kahirokunn This will be a great addition if you can get this to work! CC @augustrh

@kahirokunn (Author)

Sorry, it is still under development, and I am currently in the PoC phase.
I plan to open a PR once everything is complete, as I still need to conduct integration tests in the production environment after this. Thank you 🙏
