Support multi-cluster deployments (Central + SecuredCluster on separate clusters)

[AlexVulaj]

Summary

Roxie currently assumes Central and SecuredCluster are deployed on the same Kubernetes cluster. Many ACS customers and internal teams run a hub + spoke architecture where Central lives on one cluster and one or more SecuredClusters are deployed to separate clusters. This PR adds multi-cluster support so that roxie can deploy a SecuredCluster that points to a Central running on a different cluster.

A new centralEndpoint config property is added to SecuredClusterConfig, settable via config file or --set:

roxie deploy secured-cluster --set securedCluster.centralEndpoint=<central-ip>:443

or via config file:

securedCluster:
  centralEndpoint: "central.example.com:443"

When centralEndpoint is set, roxie uses it as the SecuredCluster CR's centralEndpoint instead of the internal cluster DNS name. Authentication to Central for CRS generation uses the existing ROX_ADMIN_PASSWORD and ROX_CA_CERT_FILE environment variables. When centralEndpoint is not set, behavior is completely unchanged — the internal central.<namespace>.svc:443 endpoint is used, preserving full backward compatibility.

Testing

• Single-cluster deploy on GKE (regression test): verified default behavior is unchanged
• Multi-cluster deploy on GKE (new feature): Central on cluster A, SecuredCluster on cluster B with securedCluster.centralEndpoint pointing to cluster A — both deployed and connected successfully, sensor logs confirmed connection to remote Central

Closes #99

[davdhacs]

This will be very helpful for Infra and e2e testing. In Infra/Automation, we've had a long-term todo of adding multi-cluster capability to the demo (ansible scripts) and repeated asks/investigations on various teams have looked at multi-cluster deploys for automated testing.
+1

[AlexVulaj]

Holding this PR until we can have further discussions around the UX of the feature.

[AlexVulaj]

Ready for re-review @porridge @mclasmeier

[mclasmeier]

I'm not sure about this kind of validation.

I have always thought that roxie just takes what it needs from the provided config. Even if it has a full configuration for component A and only deployment of component B is requested, the config should be usable unmodified.

This validation step would prevent the user from using a single, merged configuration, no?

[mclasmeier]

Thought about this since yesterday and I keep coming back to the question: why not simply use spec["centralEndpoint"]? This is already a field in the CR and if we want to keep roxie a relative light-weight layer on top of our operator-based installation, we could naturally just use the existing spec field.

[mclasmeier]

For the (new) docs, I think we should prever roxie deploy -t <version> over MAIN_IMAGE_TAG, which was primarily added for backwards compat reasons with deployment scripts.

[mclasmeier]

The external endpoint is also contained in some environment variable written by roxie, right?

[mclasmeier]

Ah, there it comes.

Maybe move this a bit up, because the above instructions as written direct the user to this mode?

Maybe also mention that for some use cases (automation), --envrc might be the better fit?

[porridge]

FTR I don't have anything to add over what @mclasmeier wrote.