Support multi-cluster deployments (Central + SecuredCluster on separate clusters)

Author: AlexVulaj

README.md

@@ -84,6 +84,23 @@ Similarly, the deployment(s) can be torn down using:
 ./bin/roxie teardown [ <component> ]
 ```
 
+### Multi-cluster deployments
+
+roxie supports hub + spoke architectures where Central and SecuredCluster run on separate clusters.
+
+1. Deploy Central on the hub cluster:
+```bash
+MAIN_IMAGE_TAG=4.9.2 ./roxie deploy central
+```
+
+2. Switch kubectl context to the spoke cluster and deploy SecuredCluster:
+```bash
+./roxie deploy secured-cluster \
+  --central-endpoint=<central-loadbalancer-ip>:443 \
+  --central-password=<admin-password> \
+  --ca-cert-file=/tmp/roxie-ca-cert.pem
+```
+
 ## Development
 
 Enter the dev shell:

cmd/deploy.go

@@ -240,6 +240,11 @@ Examples:
 		return pflag.NormalizedName(name)
 	})
 
+	cmd.Flags().StringVar(&centralEndpointFlag, "central-endpoint", "", "Central endpoint for multi-cluster SecuredCluster deployments (e.g., central.example.com:443)")
+	cmd.Flags().StringVar(&centralPasswordFlag, "central-password", "", "Central admin password (takes precedence over ROX_ADMIN_PASSWORD)")
+	cmd.Flags().StringVar(&caCertFileFlag, "ca-cert-file", "", "Path to Central CA certificate file (takes precedence over ROX_CA_CERT_FILE)")
+
+
 	return cmd
 }
 
@@ -299,6 +304,20 @@ func runDeploy(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	hasMultiClusterFlags := centralEndpointFlag != "" || centralPasswordFlag != "" || caCertFileFlag != ""
+	if hasMultiClusterFlags && components != component.SecuredCluster {
+		return errors.New("--central-endpoint, --central-password, and --ca-cert-file flags can only be used with 'secured-cluster' component")
+	}
+
+	if centralEndpointFlag != "" {
+		if centralPasswordFlag == "" && os.Getenv("ROX_ADMIN_PASSWORD") == "" {
+			return errors.New("--central-endpoint requires a Central admin password (set --central-password or ROX_ADMIN_PASSWORD)")
+		}
+		if caCertFileFlag == "" && os.Getenv("ROX_CA_CERT_FILE") == "" {
+			return errors.New("--central-endpoint requires a Central CA certificate (set --ca-cert-file or ROX_CA_CERT_FILE)")
+		}
+	}
+
 	d, err := deployer.New(log)
 	if err != nil {
 		return fmt.Errorf("failed to create deployer: %w", err)
@@ -319,6 +338,18 @@ func runDeploy(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Minute)
 	defer cancel()
 
+	if centralEndpointFlag != "" {
+		d.SetCentralEndpoint(centralEndpointFlag)
+	}
+	if centralPasswordFlag != "" {
+		d.SetCentralPassword(centralPasswordFlag)
+	}
+	if caCertFileFlag != "" {
+		if err := d.SetCACertFile(caCertFileFlag); err != nil {
+			return err
+		}
+	}
+
 	if components.IncludesCentral() {
 		d.PrintCentralDeploymentSummary()
 	}

cmd/main.go

@@ -15,6 +15,11 @@ var (
 	envrc   string
 	dryRun  bool
 
+	// Multi-cluster flags
+	centralEndpointFlag string
+	centralPasswordFlag string
+	caCertFileFlag      string
+
 	// We need this set up before command line flags are parsed.
 	deploySettings = deployer.NewConfig()
 )

internal/deployer/central_endpoint_test.go

@@ -0,0 +1,107 @@
+package deployer
+
+import (
+	"testing"
+)
+
+func TestSetCentralEndpoint(t *testing.T) {
+	tests := []struct {
+		name                         string
+		input                        string
+		expectedCentralEndpoint      string
+		expectedUserProvidedEndpoint string
+	}{
+		{
+			name:                         "plain host:port",
+			input:                        "10.0.0.1:443",
+			expectedCentralEndpoint:      "10.0.0.1:443",
+			expectedUserProvidedEndpoint: "10.0.0.1:443",
+		},
+		{
+			name:                         "strips https prefix",
+			input:                        "https://10.0.0.1:443",
+			expectedCentralEndpoint:      "10.0.0.1:443",
+			expectedUserProvidedEndpoint: "10.0.0.1:443",
+		},
+		{
+			name:                         "hostname with port",
+			input:                        "central.example.com:443",
+			expectedCentralEndpoint:      "central.example.com:443",
+			expectedUserProvidedEndpoint: "central.example.com:443",
+		},
+		{
+			name:                         "strips https from hostname",
+			input:                        "https://central.example.com:443",
+			expectedCentralEndpoint:      "central.example.com:443",
+			expectedUserProvidedEndpoint: "central.example.com:443",
+		},
+		{
+			name:                         "strips http prefix",
+			input:                        "http://10.0.0.1:443",
+			expectedCentralEndpoint:      "10.0.0.1:443",
+			expectedUserProvidedEndpoint: "10.0.0.1:443",
+		},
+		{
+			name:                         "strips http from hostname",
+			input:                        "http://central.example.com:443",
+			expectedCentralEndpoint:      "central.example.com:443",
+			expectedUserProvidedEndpoint: "central.example.com:443",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			d := &Deployer{}
+			d.SetCentralEndpoint(tt.input)
+
+			if d.centralEndpoint != tt.expectedCentralEndpoint {
+				t.Errorf("centralEndpoint: got %q, want %q", d.centralEndpoint, tt.expectedCentralEndpoint)
+			}
+			if d.userProvidedCentralEndpoint != tt.expectedUserProvidedEndpoint {
+				t.Errorf("userProvidedCentralEndpoint: got %q, want %q", d.userProvidedCentralEndpoint, tt.expectedUserProvidedEndpoint)
+			}
+		})
+	}
+}
+
+func TestGetCentralEndpointForSensor(t *testing.T) {
+	tests := []struct {
+		name             string
+		userProvided     string
+		centralNamespace string
+		expected         string
+	}{
+		{
+			name:             "falls back to internal endpoint",
+			userProvided:     "",
+			centralNamespace: "acs-central",
+			expected:         "central.acs-central.svc:443",
+		},
+		{
+			name:             "falls back to internal endpoint with custom namespace",
+			userProvided:     "",
+			centralNamespace: "stackrox",
+			expected:         "central.stackrox.svc:443",
+		},
+		{
+			name:             "uses user-provided endpoint",
+			userProvided:     "10.0.0.1:443",
+			centralNamespace: "acs-central",
+			expected:         "10.0.0.1:443",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			d := &Deployer{
+				centralNamespace:            tt.centralNamespace,
+				userProvidedCentralEndpoint: tt.userProvided,
+			}
+
+			result := d.getCentralEndpointForSensor()
+			if result != tt.expected {
+				t.Errorf("got %q, want %q", result, tt.expected)
+			}
+		})
+	}
+}

internal/deployer/deployer.go

@@ -51,7 +51,8 @@ type Deployer struct {
 	config Config
 
 	// State
-	centralEndpoint        string
+	centralEndpoint             string
+	userProvidedCentralEndpoint string
 	centralPassword        string
 	roxCACertFile          string
 	tempDir                string
@@ -653,6 +654,32 @@ func (d *Deployer) removePauseReconcileAnnotation(ctx context.Context, resourceT
 	return nil
 }
 
+func (d *Deployer) SetCentralEndpoint(endpoint string) {
+	endpoint = strings.TrimPrefix(endpoint, "https://")
+	endpoint = strings.TrimPrefix(endpoint, "http://")
+	d.centralEndpoint = endpoint
+	d.userProvidedCentralEndpoint = endpoint
+}
+
+func (d *Deployer) SetCentralPassword(password string) {
+	d.centralPassword = password
+}
+
+func (d *Deployer) SetCACertFile(path string) error {
+	if _, err := os.Stat(path); err != nil {
+		return fmt.Errorf("CA cert file not found: %w", err)
+	}
+	d.roxCACertFile = path
+	return nil
+}
+
+func (d *Deployer) getCentralEndpointForSensor() string {
+	if d.userProvidedCentralEndpoint != "" {
+		return d.userProvidedCentralEndpoint
+	}
+	return internalCentralEndpoint(d.config.Central.Namespace)
+}
+
 // WaitForCentral waits for Central to be ready and responding on its endpoint
 // Returns true if Central is ready, false if timeout occurs
 func (d *Deployer) WaitForCentral(timeout time.Duration) bool {
@@ -995,6 +1022,10 @@ func (d *Deployer) PrintSecuredClusterDeploymentSummary() {
 		log.Info(cyan.Sprint("│") + createRow("OLM", "Yes"))
 	}
 
+	if d.userProvidedCentralEndpoint != "" {
+		log.Info(cyan.Sprint("│") + createRow("Central Endpoint", d.userProvidedCentralEndpoint))
+	}
+
 	log.Info(cyan.Sprint("└" + strings.Repeat("─", boxWidth) + "┘"))
 	log.Info("")
 }