maleck13
commented
9 months ago Closed maleck13 closed 7 months ago
maleck13
commented
9 months ago 
mikenairn
commented
8 months ago
What
Currently we have a 2 policy controllers. One for DNS and TLS policy and second for RateLimit and Auth Policy. In addition to this we have the "enforcement" of DNS available with a DNSRecord and ManagedZone controller. We want to get to a place where we have only one policy controller for Kuadrant that can operate in a multi-cluster or single cluster environment.
Why The requirements and responsibilities of these policy controllers are very similar. They watch policy and associated network resources and convert the policy into specific configuration to be applied by an "enfocement" component such as Limitador or cert-manager. Having two separate controllers that share a lot of the same responsibilities and requirements is not ideal as we end up duplicating code, and creating awkward deployments. We already see this happening with the policy controller and CRDs being bundled into the CSV of the kuadrant operator and scripts from the kuadrant-operator depending on scripts from the multicluster gateway controller.
Goal
End up with a single policy controller that is installed into any environment that wants to use the policy APIs. Remove the need for the separate policy controller that has DNS and TLS in it.
How
We will move the
DNSPolicyandTLSPolicycontrollers into the kuadrant-operator. We will also have a way to indicate to policy controllers whether they should reconcile a given type of policy or instead just add context to the status of the policy object.Examples:
Phase1
Note: At the end of phase 1 all kuadrant policies and controllers will be present and running on both hub and spoke. This should not be an issue though since we do not sync or create polices from one to the other in MGC currently.
Followed up by https://github.com/Kuadrant/architecture/issues/69