@@ -12,8 +12,8 @@ All that is necessary to run the Sync Agent is a running Kubernetes cluster (for
1212## APIExport Setup
1313
1414Before installing the Sync Agent it is necessary to create an ` APIExport ` on kcp. The ` APIExport ` should
15- be empty, because it is updated later by the Sync Agent, but it defines the new API group we're
16- introducing . An example file could look like this:
15+ be empty, because it is updated later by the Sync Agent. The export's name is only important for
16+ binding to it, the resources in it can use other API groups . An example file could look like this:
1717
1818``` yaml
1919apiVersion : apis.kcp.io/v1alpha1
@@ -23,9 +23,10 @@ metadata:
2323spec : {}
2424` ` `
2525
26- Create a file with a similar content (you most likely want to change the name, as that is the API
27- group under which your published resources will be made available) and create it in a kcp workspace
28- of your choice:
26+ The ` APIExport` above might look like it is defining all resources for the `test.example.com` API
27+ group, but in reality it might contain resource schemas like `v1.crontabs.initech.com`.
28+
29+ Create a file with a similar content and create it in a kcp workspace of your choice :
2930
3031` ` ` sh
3132# use the kcp kubeconfig
@@ -65,17 +66,40 @@ $ kubectl create --filename apibinding.yaml
6566apibinding/test.example.com created
6667` ` `
6768
69+ # ## Creating an Endpoint Slice
70+
71+ Beginning with kcp 0.28, `APIExports` do not contain the list of URLs the Sync Agent would need to
72+ connect to. Instead, kcp will create an `APIExportEndpointSlice` of the same name in the same
73+ workspace as the `APIExport` it belongs to. Just as before, without any existing `APIBindings`, this
74+ endpoint slice will not contain any URLs, so the step in the section above still applies in kcp 0.28+.
75+
76+ In older kcp versions, no endpoint slice is automatically created by kcp, but admins are free to
77+ create their own.
78+
79+ The Sync Agent can work with either `APIExports` or `APIExportEndpointSlices`. Depending on your
80+ situation and needs, start it with `--apiexport-ref` or `--apiexportendpointslice-ref`. When a
81+ reference to an endpoint slice is configured, the agent will automatically determine the `APIExport`
82+ the slice belongs to (and it will of course continue to manage the `APIResourceSchemas` in that
83+ ` APIExport` ).
84+
85+ !!! note
86+ The endpoint slices can live in workspaces other than the one where the `APIExport` exists. Make
87+ sure that the kcp-kubeconfig provided to the Sync Agent always points to the workspace that has
88+ the configured element (i.e. if using `--apiexportendpointslice-ref`, the kubeconfig must point
89+ to the workspace where the endpoint slice exists, even if the APIExport is somewhere else).
90+
6891# # Sync Agent Installation
6992
7093The Sync Agent can be installed into any namespace, but in our example we are going with `kcp-system`.
7194It doesn't necessarily have to live in the same Kubernetes cluster where it is synchronizing data
7295to, but that is the common setup. Ultimately the Sync Agent synchronizes data between two kube
7396endpoints.
7497
75- Now that the `APIExport` is created, switch to the Kubernetes cluster from which you wish to
76- [publish resources](./publish-resources/index.md). You will need to ensure that a kubeconfig with access to
77- the kcp workspace that the `APIExport` has been created in is stored as a `Secret` on this cluster.
78- Make sure that the kubeconfig points to the right workspace (not necessarily the `root` workspace).
98+ Now that the `APIExport` (and optionally the `APIExportEndpointSlice`) are created, switch to the
99+ Kubernetes cluster from which you wish to [publish resources](./publish-resources/index.md). You will
100+ need to ensure that a kubeconfig with access to the kcp workspace that the referenced object (export
101+ or endpoint slice) has been created in is stored as a `Secret` on this cluster. Make sure that the
102+ kubeconfig points to the right workspace (not necessarily the `root` workspace).
79103
80104This can be done via a command like this :
81105
@@ -88,13 +112,21 @@ $ kubectl create secret generic kcp-kubeconfig \
88112# ## Helm Chart Setup
89113
90114The Sync Agent is shipped as a Helm chart and to install it, the next step is preparing a `values.yaml`
91- file for the Sync Agent Helm chart. We need to pass the target `APIExport`, a name for the Sync Agent
92- itself and a reference to the kubeconfig secret we just created.
115+ file for the Sync Agent Helm chart. We need to pass the target `APIExport` or the target
116+ ` APIExportEndpointSlice` , a name for the Sync Agent itself and a reference to the kubeconfig secret
117+ we just created.
93118
94119` ` ` yaml
95- # Required: the name of the APIExport in kcp that this Sync Agent is supposed to serve.
120+ # Either of the following two are required, and both fields are mutually exclusive:
121+
122+ # the name of the APIExport in kcp that this Sync Agent is supposed to serve.
96123apiExportName: test.example.com
97124
125+ # -- or --
126+
127+ # the name of the APIExportEndpointSlice in kcp that this Sync Agent is supposed to serve.
128+ # apiExportEndpointSliceName: test.example.com
129+
98130# Required: This Agent's public name, used to signal ownership over locally synced objects.
99131# This value must be a valid Kubernetes label value, see
100132# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
@@ -119,9 +151,11 @@ helm install kcp-api-syncagent kcp/api-syncagent \
119151 --namespace kcp-system
120152` ` `
121153
122- Two `kcp-api-syncagent` Pods should start in the `kcp-system` namespace. If they crash you will need to
123- identify the reason from container logs. A possible issue is that the provided kubeconfig does not
124- have permissions against the target kcp workspace.
154+ Two `kcp-api-syncagent` Pods should start in the `kcp-system` namespace. If they crash you will need
155+ to identify the reason from container logs. A possible issue is that the provided kubeconfig does not
156+ have permissions against the target kcp workspace (note that if you have an `APIExportEndpointSlice`
157+ in a different workspace than the `APIExport`, you will need to grant the Sync Agent permissions in
158+ both workspaces).
125159
126160# ## Service Cluster RBAC
127161
@@ -177,9 +211,11 @@ the RBAC rules that grant the Agent access.
177211
178212The Sync Agent needs to
179213
180- * access the workspace of its `APIExport`,
181- * get the `LogicalCluster`,
214+ * access the workspace of its `APIExport` or `APIExportEndpointSlice`,
215+ * get the `LogicalCluster` (if export and endpoint slice are in different workspaces, then the agent
216+ will need permission to fetch the logicalcluster in both of them),
182217* manage its `APIExport`,
218+ * watch the `APIExportEndpointSlice` if configured,
183219* manage `APIResourceSchemas`,
184220* create `events` for `APIExports` and
185221* access the virtual workspace for its `APIExport`.
@@ -201,6 +237,17 @@ rules:
201237 - cluster
202238 verbs:
203239 - get
240+ # watch the APIExportEndpointSlice (optional, could also be in a different workspace)
241+ - apiGroups:
242+ - apis.kcp.io
243+ resources:
244+ - apiexportendpointslices
245+ resourceNames:
246+ - test.example.com
247+ verbs:
248+ - get
249+ - list
250+ - watch
204251 # manage its APIExport
205252 - apiGroups:
206253 - apis.kcp.io
@@ -271,6 +318,64 @@ subjects:
271318 name: api-syncagent-mango
272319` ` `
273320
321+ If you indeed have different workspaces for the export and endpoint slice, apply the RBAC above as
322+ mentioned in the workspace with the `APIExport`, and additionally apply the RBAC below in the
323+ workspace where the `APIExportEndpointSlice` exists :
324+
325+ ` ` ` yaml
326+ apiVersion: rbac.authorization.k8s.io/v1
327+ kind: ClusterRole
328+ metadata:
329+ name: api-syncagent-mango
330+ rules:
331+ # get the LogicalCluster
332+ - apiGroups:
333+ - core.kcp.io
334+ resources:
335+ - logicalclusters
336+ resourceNames:
337+ - cluster
338+ verbs:
339+ - get
340+ # watch the APIExportEndpointSlice
341+ - apiGroups:
342+ - apis.kcp.io
343+ resources:
344+ - apiexportendpointslices
345+ resourceNames:
346+ - test.example.com
347+ verbs:
348+ - get
349+ - list
350+ - watch
351+
352+ ---
353+ apiVersion: rbac.authorization.k8s.io/v1
354+ kind: ClusterRoleBinding
355+ metadata:
356+ name: api-syncagent-mango:system
357+ roleRef:
358+ apiGroup: rbac.authorization.k8s.io
359+ kind: ClusterRole
360+ name: api-syncagent-mango
361+ subjects:
362+ - kind: User
363+ name: api-syncagent-mango
364+
365+ ---
366+ apiVersion: rbac.authorization.k8s.io/v1
367+ kind: ClusterRoleBinding
368+ metadata:
369+ name: api-syncagent-mango:access
370+ roleRef:
371+ apiGroup: rbac.authorization.k8s.io
372+ kind: ClusterRole
373+ name: system:kcp:workspace:access
374+ subjects:
375+ - kind: User
376+ name: api-syncagent-mango
377+ ` ` `
378+
274379# # Publish Resources
275380
276381Once the Sync Agent Pods are up and running, you should be able to follow the
@@ -279,8 +384,8 @@ Once the Sync Agent Pods are up and running, you should be able to follow the
279384# # Consume Service
280385
281386Once resources have been published through the Sync Agent, they can be consumed on the kcp side (i.e.
282- objects on kcp will be synced back and forth with the service cluster). Follow the
283- guide to [consuming services](consuming-services.md).
387+ objects on kcp will be synced back and forth with the service cluster). Follow the guide to
388+ [consuming services](consuming-services.md).
284389
285390[kind] : https://github.com/kubernetes-sigs/kind
286391[kcp] : https://kcp.io
0 commit comments