Support multi-cluster deployments (Central + SecuredCluster on separate clusters)

Author: AlexVulaj

README.md

@@ -89,6 +89,23 @@ Similarly, the deployment(s) can be torn down using:
 ./bin/roxie teardown [ <component> ]
 ```
 
+### Multi-cluster deployments
+
+roxie supports hub + spoke architectures where Central and SecuredCluster run on separate clusters.
+
+1. Deploy Central on the hub cluster:
+```bash
+MAIN_IMAGE_TAG=4.9.2 ./roxie deploy central
+```
+
+2. Switch kubectl context to the spoke cluster and deploy SecuredCluster:
+```bash
+./roxie deploy secured-cluster \
+  --central-endpoint=<central-loadbalancer-ip>:443 \
+  --central-password=<admin-password> \
+  --ca-cert-file=/tmp/roxie-ca-cert.pem
+```
+
 ## Development
 
 Enter the dev shell:

cmd/deploy.go

@@ -47,6 +47,9 @@ Examples:
 	cmd.Flags().BoolVar(&singleNamespace, "single-namespace", false, "Deploy all components in a single namespace ('stackrox' by default)")
 	cmd.Flags().StringVarP(&tag, "tag", "t", "", "Main image tag to use for deployment (takes precedence over MAIN_IMAGE_TAG environment variable)")
 	cmd.Flags().StringSliceVar(&featureFlags, "features", []string{}, "Feature flag settings (e.g., +ROX_FOO,-ROX_BAR,ROX_BAZ=true)")
+	cmd.Flags().StringVar(&centralEndpointFlag, "central-endpoint", "", "Central endpoint for multi-cluster SecuredCluster deployments (e.g., central.example.com:443)")
+	cmd.Flags().StringVar(&centralPasswordFlag, "central-password", "", "Central admin password (takes precedence over ROX_ADMIN_PASSWORD)")
+	cmd.Flags().StringVar(&caCertFileFlag, "ca-cert-file", "", "Path to Central CA certificate file (takes precedence over ROX_CA_CERT_FILE)")
 
 	return cmd
 }
@@ -136,6 +139,20 @@ func runDeploy(cmd *cobra.Command, args []string) error {
 		return errors.New("cannot use --deploy-operator=false with --olm (OLM requires operator deployment)")
 	}
 
+	hasMultiClusterFlags := centralEndpointFlag != "" || centralPasswordFlag != "" || caCertFileFlag != ""
+	if hasMultiClusterFlags && components != component.SecuredCluster {
+		return errors.New("--central-endpoint, --central-password, and --ca-cert-file flags can only be used with 'secured-cluster' component")
+	}
+
+	if centralEndpointFlag != "" {
+		if centralPasswordFlag == "" && os.Getenv("ROX_ADMIN_PASSWORD") == "" {
+			return errors.New("--central-endpoint requires a Central admin password (set --central-password or ROX_ADMIN_PASSWORD)")
+		}
+		if caCertFileFlag == "" && os.Getenv("ROX_CA_CERT_FILE") == "" {
+			return errors.New("--central-endpoint requires a Central CA certificate (set --ca-cert-file or ROX_CA_CERT_FILE)")
+		}
+	}
+
 	d, err := deployer.New(log)
 	if err != nil {
 		return fmt.Errorf("failed to create deployer: %w", err)
@@ -169,6 +186,18 @@ func runDeploy(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	if centralEndpointFlag != "" {
+		d.SetCentralEndpoint(centralEndpointFlag)
+	}
+	if centralPasswordFlag != "" {
+		d.SetCentralPassword(centralPasswordFlag)
+	}
+	if caCertFileFlag != "" {
+		if err := d.SetCACertFile(caCertFileFlag); err != nil {
+			return err
+		}
+	}
+
 	if components.IncludesCentral() {
 		d.PrintCentralDeploymentSummary()
 	}

cmd/main.go

@@ -26,6 +26,9 @@ var (
 	singleNamespace        bool
 	tag                    string
 	featureFlags           []string
+	centralEndpointFlag    string
+	centralPasswordFlag    string
+	caCertFileFlag         string
 )
 
 func main() {

internal/deployer/central_endpoint_test.go

@@ -0,0 +1,107 @@
+package deployer
+
+import (
+	"testing"
+)
+
+func TestSetCentralEndpoint(t *testing.T) {
+	tests := []struct {
+		name                         string
+		input                        string
+		expectedCentralEndpoint      string
+		expectedUserProvidedEndpoint string
+	}{
+		{
+			name:                         "plain host:port",
+			input:                        "10.0.0.1:443",
+			expectedCentralEndpoint:      "10.0.0.1:443",
+			expectedUserProvidedEndpoint: "10.0.0.1:443",
+		},
+		{
+			name:                         "strips https prefix",
+			input:                        "https://10.0.0.1:443",
+			expectedCentralEndpoint:      "10.0.0.1:443",
+			expectedUserProvidedEndpoint: "10.0.0.1:443",
+		},
+		{
+			name:                         "hostname with port",
+			input:                        "central.example.com:443",
+			expectedCentralEndpoint:      "central.example.com:443",
+			expectedUserProvidedEndpoint: "central.example.com:443",
+		},
+		{
+			name:                         "strips https from hostname",
+			input:                        "https://central.example.com:443",
+			expectedCentralEndpoint:      "central.example.com:443",
+			expectedUserProvidedEndpoint: "central.example.com:443",
+		},
+		{
+			name:                         "strips http prefix",
+			input:                        "http://10.0.0.1:443",
+			expectedCentralEndpoint:      "10.0.0.1:443",
+			expectedUserProvidedEndpoint: "10.0.0.1:443",
+		},
+		{
+			name:                         "strips http from hostname",
+			input:                        "http://central.example.com:443",
+			expectedCentralEndpoint:      "central.example.com:443",
+			expectedUserProvidedEndpoint: "central.example.com:443",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			d := &Deployer{}
+			d.SetCentralEndpoint(tt.input)
+
+			if d.centralEndpoint != tt.expectedCentralEndpoint {
+				t.Errorf("centralEndpoint: got %q, want %q", d.centralEndpoint, tt.expectedCentralEndpoint)
+			}
+			if d.userProvidedCentralEndpoint != tt.expectedUserProvidedEndpoint {
+				t.Errorf("userProvidedCentralEndpoint: got %q, want %q", d.userProvidedCentralEndpoint, tt.expectedUserProvidedEndpoint)
+			}
+		})
+	}
+}
+
+func TestGetCentralEndpointForSensor(t *testing.T) {
+	tests := []struct {
+		name             string
+		userProvided     string
+		centralNamespace string
+		expected         string
+	}{
+		{
+			name:             "falls back to internal endpoint",
+			userProvided:     "",
+			centralNamespace: "acs-central",
+			expected:         "central.acs-central.svc:443",
+		},
+		{
+			name:             "falls back to internal endpoint with custom namespace",
+			userProvided:     "",
+			centralNamespace: "stackrox",
+			expected:         "central.stackrox.svc:443",
+		},
+		{
+			name:             "uses user-provided endpoint",
+			userProvided:     "10.0.0.1:443",
+			centralNamespace: "acs-central",
+			expected:         "10.0.0.1:443",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			d := &Deployer{
+				centralNamespace:            tt.centralNamespace,
+				userProvidedCentralEndpoint: tt.userProvided,
+			}
+
+			result := d.getCentralEndpointForSensor()
+			if result != tt.expected {
+				t.Errorf("got %q, want %q", result, tt.expected)
+			}
+		})
+	}
+}

internal/deployer/deploy_via_helm.go

@@ -268,7 +268,7 @@ func (d *Deployer) createCentralValues(resourcesName, exposure string) (map[stri
 func (d *Deployer) createSecuredClusterValues(clusterName, resources string) (map[string]interface{}, error) {
 	base := map[string]interface{}{
 		"clusterName":               clusterName,
-		"centralEndpoint":           "https://central." + centralNamespace + ".svc:443",
+		"centralEndpoint":           "https://" + d.getCentralEndpointForSensor(),
 		"allowNonstandardNamespace": true,
 	}
 

internal/deployer/deploy_via_operator.go

@@ -669,7 +669,7 @@ func (d *Deployer) createSecuredClusterCR(clusterName, resources string) (map[st
 		},
 		"spec": map[string]interface{}{
 			"clusterName":     clusterName,
-			"centralEndpoint": internalCentralEndpoint(d.centralNamespace),
+			"centralEndpoint": d.getCentralEndpointForSensor(),
 			"imagePullSecrets": []map[string]string{
 				{"name": "stackrox"},
 			},

internal/deployer/deployer.go

@@ -98,37 +98,38 @@ var (
 
 // Deployer is the base deployer for ACS
 type Deployer struct {
-	logger                  *logger.Logger
-	startTime               time.Time
-	dockerAuth              *dockerauth.DockerAuth
-	imageCache              *imagecache.ImageCache
-	portForward             *portforward.Manager
-	clusterDefaults         *clusterdefaults.Manager
-	kubectl                 string
-	roxctlVersion           string
-	centralNamespace        string
-	sensorNamespace         string
-	mainImageTag            string
-	operatorTag             string
-	centralEndpoint         string
-	centralPassword         string
-	roxCACertFile           string
-	kubeContext             string
-	portForwardEnabled      bool
-	pauseReconciliation     bool
-	exposure                string
-	centralOverrides        map[string]interface{}
-	securedClusterOverrides map[string]interface{}
-	featureFlagOverrides    map[string]interface{}
-	envrcFile               string
-	useHelm                 bool
-	useOLM                  bool
-	useKonflux              bool
-	shouldDeployOperator    bool
-	verbose                 bool
-	earlyReadiness          bool
-	dockerCreds             *dockerauth.Credentials
-	clusterResourceKinds    map[string]struct{}
+	logger                      *logger.Logger
+	startTime                   time.Time
+	dockerAuth                  *dockerauth.DockerAuth
+	imageCache                  *imagecache.ImageCache
+	portForward                 *portforward.Manager
+	clusterDefaults             *clusterdefaults.Manager
+	kubectl                     string
+	roxctlVersion               string
+	centralNamespace            string
+	sensorNamespace             string
+	mainImageTag                string
+	operatorTag                 string
+	centralEndpoint             string
+	userProvidedCentralEndpoint string
+	centralPassword             string
+	roxCACertFile               string
+	kubeContext                 string
+	portForwardEnabled          bool
+	pauseReconciliation         bool
+	exposure                    string
+	centralOverrides            map[string]interface{}
+	securedClusterOverrides     map[string]interface{}
+	featureFlagOverrides        map[string]interface{}
+	envrcFile                   string
+	useHelm                     bool
+	useOLM                      bool
+	useKonflux                  bool
+	shouldDeployOperator        bool
+	verbose                     bool
+	earlyReadiness              bool
+	dockerCreds                 *dockerauth.Credentials
+	clusterResourceKinds        map[string]struct{}
 }
 
 type ResourceKindWithName struct {
@@ -986,6 +987,32 @@ func (d *Deployer) SetDeployOperator(deployOperator bool) {
 	d.shouldDeployOperator = deployOperator
 }
 
+func (d *Deployer) SetCentralEndpoint(endpoint string) {
+	endpoint = strings.TrimPrefix(endpoint, "https://")
+	endpoint = strings.TrimPrefix(endpoint, "http://")
+	d.centralEndpoint = endpoint
+	d.userProvidedCentralEndpoint = endpoint
+}
+
+func (d *Deployer) SetCentralPassword(password string) {
+	d.centralPassword = password
+}
+
+func (d *Deployer) SetCACertFile(path string) error {
+	if _, err := os.Stat(path); err != nil {
+		return fmt.Errorf("CA cert file not found: %w", err)
+	}
+	d.roxCACertFile = path
+	return nil
+}
+
+func (d *Deployer) getCentralEndpointForSensor() string {
+	if d.userProvidedCentralEndpoint != "" {
+		return d.userProvidedCentralEndpoint
+	}
+	return internalCentralEndpoint(d.centralNamespace)
+}
+
 func (d *Deployer) GetDeploymentInfo() (endpoint, password, caCertFile, kubeContext, exposure string) {
 	return d.centralEndpoint, d.centralPassword, d.roxCACertFile, d.kubeContext, d.exposure
 }
@@ -1323,6 +1350,10 @@ func (d *Deployer) PrintSecuredClusterDeploymentSummary() {
 		log.Info(cyan.Sprint("│") + createRow("OLM", "Yes"))
 	}
 
+	if d.userProvidedCentralEndpoint != "" {
+		log.Info(cyan.Sprint("│") + createRow("Central Endpoint", d.userProvidedCentralEndpoint))
+	}
+
 	log.Info(cyan.Sprint("└" + strings.Repeat("─", boxWidth) + "┘"))
 	log.Info("")
 }