Support multi-cluster deployments (Central + SecuredCluster on separate clusters) (#105)

AlexVulaj · Moritz Clasmeier · commit 24ce436847a1 · 2026-06-04T18:17:07.000+02:00
diff --git a/README.md b/README.md
@@ -87,6 +87,34 @@ Similarly, the deployment(s) can be torn down using:
 ./bin/roxie teardown [ <component> ]
 ```
 
+### Multi-cluster deployments
+
+roxie supports hub + spoke architectures where Central and SecuredCluster run on separate clusters.
+
+1. Deploy Central on the hub cluster:
+```bash
+./roxie deploy central -t 4.9.2
+```
+
+2. Create a config file for the spoke cluster, pointing at the Central endpoint (printed during step 1):
+```yaml
+# spoke-config.yaml
+securedCluster:
+  spec:
+    centralEndpoint: "<central-loadbalancer-ip>:443"
+```
+
+3. Switch kubectl context to the spoke cluster and deploy SecuredCluster:
+```bash
+ROX_ADMIN_PASSWORD=<admin-password> \
+ROX_CA_CERT_FILE=<path-to-ca-cert> \
+./roxie deploy secured-cluster -t 4.9.2 -c spoke-config.yaml
+```
+
+> **Tip:** If deploying from the roxie subshell, `ROX_ADMIN_PASSWORD` and `ROX_CA_CERT_FILE` are
+> already set. For automation, consider using `--envrc <file>` on the Central deploy to write the
+> environment to a file instead of spawning a subshell.
+
 ## Development
 
 Enter the dev shell:
diff --git a/internal/deployer/central_endpoint_test.go b/internal/deployer/central_endpoint_test.go
@@ -0,0 +1,61 @@
+package deployer
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+func TestConfigureSpec_CentralEndpoint(t *testing.T) {
+	tests := []struct {
+		name             string
+		spec             map[string]interface{}
+		centralNamespace string
+		expected         string
+	}{
+		{
+			name:             "sets internal endpoint when not provided",
+			spec:             map[string]interface{}{},
+			centralNamespace: "acs-central",
+			expected:         "central.acs-central.svc:443",
+		},
+		{
+			name:             "sets internal endpoint with custom namespace",
+			spec:             map[string]interface{}{},
+			centralNamespace: "stackrox",
+			expected:         "central.stackrox.svc:443",
+		},
+		{
+			name:             "preserves user-provided endpoint",
+			spec:             map[string]interface{}{"centralEndpoint": "central.example.com:443"},
+			centralNamespace: "acs-central",
+			expected:         "central.example.com:443",
+		},
+		{
+			name:             "user-provided endpoint takes precedence over internal default",
+			spec:             map[string]interface{}{"centralEndpoint": "10.0.0.1:443"},
+			centralNamespace: "stackrox",
+			expected:         "10.0.0.1:443",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			sc := &SecuredClusterConfig{
+				Spec: tt.spec,
+			}
+			roxie := NewRoxieConfig()
+			central := &CentralConfig{Namespace: tt.centralNamespace}
+
+			err := sc.ConfigureSpec(&roxie, central)
+			require.NoError(t, err, "ConfigureSpec failed")
+
+			got, found, err := unstructured.NestedString(sc.Spec, "centralEndpoint")
+			require.NoError(t, err, "failed to get centralEndpoint from spec")
+			require.True(t, found, "centralEndpoint not found in spec")
+			assert.Equal(t, tt.expected, got)
+		})
+	}
+}
diff --git a/internal/deployer/config.go b/internal/deployer/config.go
@@ -237,10 +237,8 @@ func (s *SecuredClusterConfig) ConfigureSpec(roxieConfig *RoxieConfig, centralCo
 		return err
 	}
 
-	if err := helpers.DeepMerge(s.Spec, map[string]interface{}{
-		"centralEndpoint": internalCentralEndpoint(centralConfig.Namespace),
-	}); err != nil {
-		return err
+	if _, exists := s.Spec["centralEndpoint"]; !exists {
+		s.Spec["centralEndpoint"] = internalCentralEndpoint(centralConfig.Namespace)
 	}
 
 	return nil
diff --git a/internal/deployer/deployer.go b/internal/deployer/deployer.go
@@ -965,6 +965,10 @@ func (d *Deployer) PrintSecuredClusterDeploymentSummary() {
 		log.Info(cyan.Sprint("│") + createRow("OLM", "Yes"))
 	}
 
+	if ep, ok := d.config.SecuredCluster.Spec["centralEndpoint"].(string); ok && ep != internalCentralEndpoint(d.config.Central.Namespace) {
+		log.Info(cyan.Sprint("│") + createRow("Central Endpoint", ep))
+	}
+
 	log.Info(cyan.Sprint("└" + strings.Repeat("─", boxWidth) + "┘"))
 	log.Info("")
 }

Original file line number	Diff line number	Diff line change
`@@ -237,10 +237,8 @@ func (s SecuredClusterConfig) ConfigureSpec(roxieConfig RoxieConfig, centralCo`
`237`	`237`	`return err`
`238`	`238`	`}`
`239`	`239`
`240`		`- if err := helpers.DeepMerge(s.Spec, map[string]interface{}{`
`241`		`- "centralEndpoint": internalCentralEndpoint(centralConfig.Namespace),`
`242`		`- }); err != nil {`
`243`		`- return err`
	`240`	`+ if _, exists := s.Spec["centralEndpoint"]; !exists {`
	`241`	`+ s.Spec["centralEndpoint"] = internalCentralEndpoint(centralConfig.Namespace)`
`244`	`242`	`}`
`245`	`243`
`246`	`244`	`return nil`
Original file line number	Diff line number	Diff line change
`@@ -965,6 +965,10 @@ func (d *Deployer) PrintSecuredClusterDeploymentSummary() {`
`965`	`965`	`log.Info(cyan.Sprint("│") + createRow("OLM", "Yes"))`
`966`	`966`	`}`
`967`	`967`
	`968`	`+ if ep, ok := d.config.SecuredCluster.Spec["centralEndpoint"].(string); ok && ep != internalCentralEndpoint(d.config.Central.Namespace) {`
	`969`	`+ log.Info(cyan.Sprint("│") + createRow("Central Endpoint", ep))`
	`970`	`+ }`
	`971`	`+`
`968`	`972`	`log.Info(cyan.Sprint("└" + strings.Repeat("─", boxWidth) + "┘"))`
`969`	`973`	`log.Info("")`
`970`	`974`	`}`