Skip to content

Dual cluster FRIDGE deployment #137

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 42 commits into
base: main
Choose a base branch
from
Draft

Dual cluster FRIDGE deployment #137

wants to merge 42 commits into from

Conversation

@craddm
Copy link
Contributor

@craddm craddm commented Oct 21, 2025
edited
Loading

This PR splits FRIDGE deployment up across two clusters.

The access cluster contains an SSH server and the Harbor container registry.

The isolated cluster contains the rest of the FRIDGE deployment.

This complements PR #131, which does the initial deployment of two AKS clusters.

The intended deployment pattern here is for the TRE Operator to first deploy the access cluster components, then set up the SSH proxy to allow them to deploy the isolated cluster components.

That will then be followed by a final infrastructure configuration step to limit network traffic more completely.

craddm and others added 29 commits October 8, 2025 12:43
@craddm
initial directory and tweaks for dual-cluster fridge
38ff313
@craddm
Move individual cluster scripts to own folders
81103b8
@craddm
Add components for access cluster
488128e
@craddm
Move enums to individual folders
b775ad0
@craddm
Add components for isolated cluster
0e4047b
@craddm
add cilium folder for access cluster
7aa28d9
@craddm
remove original network policies
b933c27
@craddm
Add enums for isolated cluster
8125d25
@craddm
Add network policies for isolated cluster
fb60f87
@craddm
Remove original k8s folder as transferring to individual folders
980958c
@craddm
add gitignore and requirements for access cluster
3430efc
@craddm
Add argo values and hubble yaml
fea9962
@craddm
Add cert-manager dependency
2dbb7dd
@craddm
Pass API proxy object to ingress
0d9e43e
@craddm
Add api-proxy network policy to access cluster
7e4933f
@craddm
Add api-proxy network policies
f1ee3eb
@craddm
Remove unneeded components from dual cluster isolated cluster
521d348
@craddm
Remove unneeded network policies
4592303
@craddm
Remove SSO and ingresses from Argo/Minio
316f17e
@craddm
Remove unneeded policies
489c370
@craddm
REmove ingress from Argo Workflows
86548e7
@craddm
Rename to main py
bc79d22
@craddm
Add requirements and gitignore
5e428c8
@craddm
pass api proxy details to ingress
10983ac
@craddm
Deploy a load balancer with a specific internal IP address in an Azur…
1fb1da8 
…e Kubernetes Service (AKS) cluster using Pulumi and Python.
@craddm
Remove ingress nginx policies as not used in isolated cluster
dee5148
@craddm
Remove ingress-nginx from isolated cluster policies
09259df
@craddm
Allow all private node subnet IPs
b10b05e
@craddm
Merge branch 'alan-turing-institute:main' into dual-cluster-fridge
be4d392
@craddm craddm mentioned this pull request Oct 21, 2025
Merged
JimMadge
JimMadge reviewed Oct 21, 2025
View reviewed changes
Copy link
Member

@JimMadge JimMadge left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How much of this is copied from the existing Pulumi project?

Wouldn't it make more sense to replace that?

@craddm
Copy link
Contributor Author

craddm commented Oct 21, 2025

It will do, once I'm happy with it :)

@craddm
Copy link
Contributor Author

craddm commented Oct 21, 2025

Although I do wonder if it's helpful to keep a single-cluster spec around for some of the local dev work - a lot easier to run a single cluster on a VM locally than to run two...

@JimMadge
Copy link
Member

Although I do wonder if it's helpful to keep a single-cluster spec around for some of the local dev work - a lot easier to run a single cluster on a VM locally than to run two...

I think that is running just the isolated cluster part in a K3s instance. For local dev you don't need the access cluster or lock down.

That way, at least that part is the same thing locally and when deployed.

@JimMadge
Copy link
Member

It will do, once I'm happy with it :)

Someone needs to tell you about this version control thing. You don't need to make a copy of all your code when you want to make changes any more 😜

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JimMadge JimMadge JimMadge left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@craddm @JimMadge