Enhance ClusterProxy API.

Signed-off-by: xuezhaojun <[email protected]>

Author: xuezhaojun

feature/feature.go

@@ -93,6 +93,26 @@ const (
 	// When enabled, the work controller will automatically clean up completed manifest works based on the configured
 	// time-to-live duration to prevent accumulation of old completed resources.
 	CleanUpCompletedManifestWork featuregate.Feature = "CleanUpCompletedManifestWork"
+
+	// ClusterProxy integrates cluster-proxy functionality directly into the klusterlet-agent, enabling
+	// HTTP-based proxying to managed cluster API servers through gRPC tunnels.
+	//
+	// When enabled on the hub (via ClusterManager), it starts a gRPC server that provides an externally accessible
+	// HTTP endpoint to proxy requests to managed cluster API servers. The API path format is:
+	// https://<server-address>:<port>/<cluster-name>
+	//
+	// When enabled on the spoke (via Klusterlet), the agent establishes a gRPC connection to the hub and proxies
+	// requests to its local API server. The agent sends a CSR with signer name "open-cluster-management.io/klusterlet-proxy"
+	// to obtain the gRPC configuration, which is stored in the hub-kubeconfig-secret as "proxy-grpc.yaml".
+	//
+	// This feature requires gRPC configuration in ClusterManager.spec.grpcConfiguration with the ClusterProxy
+	// feature gate enabled. Users can authenticate using either userToken or impersonation methods.
+	//
+	// Use cases include: fetching pod logs, accessing VM consoles (kubevirt), multicluster job submission (MultiKueue),
+	// and multicluster apiserver access (Kubernetes MCP).
+	//
+	// When disabled, the legacy cluster-proxy addon should be used instead for proxy functionality.
+	ClusterProxy featuregate.Feature = "ClusterProxy"
 )
 
 // DefaultSpokeRegistrationFeatureGates consists of all known ocm-registration
@@ -137,3 +157,7 @@ var DefaultSpokeWorkFeatureGates = map[featuregate.Feature]featuregate.FeatureSp
 	ExecutorValidatingCaches: {Default: false, PreRelease: featuregate.Alpha},
 	RawFeedbackJsonString:    {Default: false, PreRelease: featuregate.Alpha},
 }
+
+var DefaultServerConfigFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
+	ClusterProxy: {Default: false, PreRelease: featuregate.Alpha},
+}

operator/v1/types_klusterlet.go

@@ -100,6 +100,20 @@ type KlusterletSpec struct {
 	// is not available on the managed cluster.
 	// +optional
 	PriorityClassName string `json:"priorityClassName,omitempty"`
+
+	// ProxyConfig holds the configuration for enabling klusterlet-proxy functionality,
+	// which allows the hub cluster to access the managed cluster's API server through
+	// a gRPC-based proxy tunnel established by the klusterlet agent.
+	//
+	// When configured, the klusterlet agent establishes a gRPC connection to the hub's
+	// proxy server and proxies incoming HTTP requests to the local managed cluster API server.
+	// This enables hub-to-spoke API access even when the managed cluster is not directly
+	// accessible from the hub (e.g., behind a firewall or NAT).
+	//
+	// This feature requires the ClusterProxy feature gate to be enabled and corresponding
+	// GRPCConfiguration to be set in the ClusterManager on the hub side.
+	// +optional
+	ProxyConfig *ProxyConfig `json:"proxyConfig,omitempty"`
 }
 
 // ServerURL represents the apiserver url and ca bundle that is accessible externally
@@ -331,6 +345,22 @@ const (
 	ClusterAnnotationsKeyPrefix = "agent.open-cluster-management.io"
 )
 
+// ProxyConfig holds the configuration of klusterlet-proxy.
+type ProxyConfig struct {
+	GRPC *EndpointExposure `json:"grpcEndpoint"`
+
+	// Authentications defines how the agent authenticates with the cluster.
+	// By default it is `userToken`, but it could also be `impersonation` or both.
+	Authentications []ProxyAuthenticationType `json:"authentications,omitempty"`
+}
+
+type ProxyAuthenticationType string
+
+const (
+	ProxyAuthenticationUserToken     ProxyAuthenticationType = "userToken"
+	ProxyAuthenticationImpersonation ProxyAuthenticationType = "impersonation"
+)
+
 // KlusterletDeployOption describes the deployment options for klusterlet
 type KlusterletDeployOption struct {
 	// Mode can be Default, Hosted, Singleton or SingletonHosted. It is Default mode if not specified