From 27837dc26905ea76c243edbeb21705b9cf72f9f5 Mon Sep 17 00:00:00 2001
From: Alexey Makhov <amakhov@mirantis.com>
Date: Tue, 26 Sep 2023 14:45:54 +0300
Subject: [PATCH] Client connection tunneling docs

Signed-off-by: Alexey Makhov <amakhov@mirantis.com>
---
 docs/capi-controlplane-bootstrap.md |  27 +++++
 docs/resource-reference.md          | 146 ++++++++++++++++++++++++++++
 2 files changed, 173 insertions(+)

diff --git a/docs/capi-controlplane-bootstrap.md b/docs/capi-controlplane-bootstrap.md
index e01a55702..f00380ebf 100644
--- a/docs/capi-controlplane-bootstrap.md
+++ b/docs/capi-controlplane-bootstrap.md
@@ -113,3 +113,30 @@ spec:
 ```
 
 **Note:** Controller nodes running with `--enable-worker` are assigned `node-role.kubernetes.io/master:NoExecute` taint automatically. You can disable default taints using `--no-taints`  parameter.
+
+## Client connection tunneling
+
+k0smotron supports client connection tunneling to the child cluster's control plane nodes. This is useful when you want to access the control plane nodes from a remote location.
+To enable tunneling, you need to set `spec.k0sConfigSpec.tunneling.enabled` to `true` in the `K0sControlPlane` object.
+
+```yaml
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+kind: K0sControlPlane
+metadata:
+  name: docker-test
+spec:
+  replicas: 1
+  k0sConfigSpec:
+    tunneling:
+      enabled: true
+      mode: tunnel # Tunneling mode: tunnel or proxy (default: tunnel)
+```
+
+K0smotron supports two tunneling modes: `tunnel` and `proxy`. You can set the tunneling mode using `spec.k0sConfigSpec.tunneling.mode` field. The default mode is `tunnel`.
+
+K0smotron will create a kubeconfig file for the tunneling client in the `K0sControlPlane` object's namespace. You can find the kubeconfig file in the `<cluster-name>-<mode>-kubeconfig` secret.
+You can use this kubeconfig file to access the control plane nodes from a remote location.
+
+**Note:** Parent cluster's worker nodes must be accessible from the child cluster's nodes. You can use `spec.k0sConfigSpec.tunneling.serverAddress` to set the address of the parent cluster's node or load balancer. If you don't set this field, k0smotron will use the random worker node's address as the default address.
+
+Currently, k0smotron supports only NodePort service type for tunneling. You can set the tunneling service port using `spec.k0sConfigSpec.tunneling.tunnelingNodePort` field. The default port is `31443`.
diff --git a/docs/resource-reference.md b/docs/resource-reference.md
index 2dbf765cd..066066b95 100644
--- a/docs/resource-reference.md
+++ b/docs/resource-reference.md
@@ -138,6 +138,13 @@ Resource Types:
           PreStartCommands specifies commands to be run before starting k0s worker.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b><a href="#k0scontrollerconfigspectunneling">tunneling</a></b></td>
+        <td>object</td>
+        <td>
+          Tunneling defines the tunneling configuration for the cluster.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>version</b></td>
         <td>string</td>
@@ -190,6 +197,72 @@ Resource Types:
 </table>
 
 
+### K0sControllerConfig.spec.tunneling
+<sup><sup>[↩ Parent](#k0scontrollerconfigspec)</sup></sup>
+
+
+
+Tunneling defines the tunneling configuration for the cluster.
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>enabled</b></td>
+        <td>boolean</td>
+        <td>
+          Enabled specifies whether tunneling is enabled.<br/>
+          <br/>
+            <i>Default</i>: false<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>mode</b></td>
+        <td>enum</td>
+        <td>
+          Mode describes tunneling mode. If empty, k0smotron will use the default one.<br/>
+          <br/>
+            <i>Enum</i>: tunnel, proxy<br/>
+            <i>Default</i>: tunnel<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>serverAddress</b></td>
+        <td>string</td>
+        <td>
+          Server address of the tunneling server. If empty, k0smotron will try to detect worker node address for.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>serverNodePort</b></td>
+        <td>integer</td>
+        <td>
+          NodePort to publish for server port of the tunneling server. If empty, k0smotron will use the default one.<br/>
+          <br/>
+            <i>Format</i>: int32<br/>
+            <i>Default</i>: 31700<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>tunnelingNodePort</b></td>
+        <td>integer</td>
+        <td>
+          NodePort to publish for tunneling port. If empty, k0smotron will use the default one.<br/>
+          <br/>
+            <i>Format</i>: int32<br/>
+            <i>Default</i>: 31443<br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
 ### K0sControllerConfig.status
 <sup><sup>[↩ Parent](#k0scontrollerconfig)</sup></sup>
 
@@ -1099,6 +1172,13 @@ Resource Types:
           PreStartCommands specifies commands to be run before starting k0s worker.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b><a href="#k0scontrolplanespeck0sconfigspectunneling">tunneling</a></b></td>
+        <td>object</td>
+        <td>
+          Tunneling defines the tunneling configuration for the cluster.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>version</b></td>
         <td>string</td>
@@ -1151,6 +1231,72 @@ Resource Types:
 </table>
 
 
+### K0sControlPlane.spec.k0sConfigSpec.tunneling
+<sup><sup>[↩ Parent](#k0scontrolplanespeck0sconfigspec)</sup></sup>
+
+
+
+Tunneling defines the tunneling configuration for the cluster.
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>enabled</b></td>
+        <td>boolean</td>
+        <td>
+          Enabled specifies whether tunneling is enabled.<br/>
+          <br/>
+            <i>Default</i>: false<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>mode</b></td>
+        <td>enum</td>
+        <td>
+          Mode describes tunneling mode. If empty, k0smotron will use the default one.<br/>
+          <br/>
+            <i>Enum</i>: tunnel, proxy<br/>
+            <i>Default</i>: tunnel<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>serverAddress</b></td>
+        <td>string</td>
+        <td>
+          Server address of the tunneling server. If empty, k0smotron will try to detect worker node address for.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>serverNodePort</b></td>
+        <td>integer</td>
+        <td>
+          NodePort to publish for server port of the tunneling server. If empty, k0smotron will use the default one.<br/>
+          <br/>
+            <i>Format</i>: int32<br/>
+            <i>Default</i>: 31700<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>tunnelingNodePort</b></td>
+        <td>integer</td>
+        <td>
+          NodePort to publish for tunneling port. If empty, k0smotron will use the default one.<br/>
+          <br/>
+            <i>Format</i>: int32<br/>
+            <i>Default</i>: 31443<br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
 ### K0sControlPlane.spec.machineTemplate
 <sup><sup>[↩ Parent](#k0scontrolplanespec)</sup></sup>