ENG-10378 | Cross vCluster APIs (#3389)

* Add vcluster.yaml resource proxy configuration

* Start proxy

* Move proxy config to experimental

* Rename start func

* Vendor in dev platform changes

* Bump admin-apis

Author: janekbaraniewski

chart/values.schema.json

@@ -1024,6 +1024,38 @@
       "additionalProperties": false,
       "type": "object"
     },
+    "CustomResourceProxy": {
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "description": "Enabled defines if this resource proxy should be enabled"
+        },
+        "target": {
+          "$ref": "#/$defs/CustomResourceProxyTarget",
+          "description": "CustomResourceProxyTarget is the target configuration for the custom resource proxy"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object"
+    },
+    "CustomResourceProxyTarget": {
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "Name is the name of the virtual cluster"
+        },
+        "project": {
+          "type": "string",
+          "description": "Project is the project of the virtual cluster"
+        },
+        "serviceAccountRef": {
+          "$ref": "#/$defs/NamespacedNameArgs",
+          "description": "ServiceAccountRef is the service account to use for the proxy in target cluster"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object"
+    },
     "Database": {
       "properties": {
         "embedded": {
@@ -1764,6 +1796,10 @@
           "type": "array",
           "description": "DenyProxyRequests denies certain requests in the vCluster proxy.",
           "pro": true
+        },
+        "proxy": {
+          "$ref": "#/$defs/Proxy",
+          "description": "Proxy enables vCluster-to-vCluster proxying of resources via Tailscale"
         }
       },
       "additionalProperties": false,
@@ -2929,6 +2965,20 @@
       "additionalProperties": false,
       "type": "object"
     },
+    "NamespacedNameArgs": {
+      "properties": {
+        "namespace": {
+          "type": "string",
+          "description": "Namespace is the namespace of the resource"
+        },
+        "name": {
+          "type": "string",
+          "description": "Name is the name of the resource"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object"
+    },
     "NetworkPolicy": {
       "properties": {
         "enabled": {
@@ -3530,6 +3580,19 @@
       "additionalProperties": false,
       "type": "object"
     },
+    "Proxy": {
+      "properties": {
+        "customResources": {
+          "additionalProperties": {
+            "$ref": "#/$defs/CustomResourceProxy"
+          },
+          "type": "object",
+          "description": "Resources is a map of resource keys (format: \"kind.apiGroup/version\") to proxy configuration"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object"
+    },
     "RBAC": {
       "properties": {
         "role": {

chart/values.yaml

@@ -1218,6 +1218,11 @@ plugins: {}
 
 # Experimental features for vCluster. Configuration here might change, so be careful with this.
 experimental:
+  # Proxy enables vCluster-to-vCluster proxying of resources via Tailscale
+  proxy:
+    # Resources is a map of resource keys (format: "kind.apiGroup/version") to proxy configuration
+    customResources: {}
+  
   # SyncSettings are advanced settings for the syncer controller.
   syncSettings:
     # SetOwner specifies if vCluster should set an owner reference on the synced objects to the vCluster service. This allows for easy garbage collection.

cmd/vcluster/cmd/start.go

@@ -187,6 +187,13 @@ func StartInCluster(ctx context.Context, options *StartOptions) error {
 		}
 	}
 
+	// Check if any proxy resources are enabled
+	if len(vConfig.Experimental.Proxy.CustomResources) > 0 {
+		if err := pro.StartCustomResourceProxy(controllerCtx, vConfig); err != nil {
+			return fmt.Errorf("start resource proxy: %w", err)
+		}
+	}
+
 	// start leader election + controllers
 	err = StartLeaderElection(controllerCtx, func() error {
 		return setup.StartControllers(controllerCtx, syncers)

config/config.go

@@ -2399,6 +2399,38 @@ type ControlPlaneHeadlessService struct {
 	Labels map[string]string `json:"labels,omitempty"`
 }
 
+type Proxy struct {
+	// Resources is a map of resource keys (format: "kind.apiGroup/version") to proxy configuration
+	CustomResources map[string]CustomResourceProxy `json:"customResources,omitempty"`
+}
+
+type CustomResourceProxy struct {
+	// Enabled defines if this resource proxy should be enabled
+	Enabled bool `json:"enabled,omitempty"`
+
+	// CustomResourceProxyTarget is the target configuration for the custom resource proxy
+	Target CustomResourceProxyTarget `json:"target,omitempty"`
+}
+
+type NamespacedNameArgs struct {
+	// Namespace is the namespace of the resource
+	Namespace string `json:"namespace,omitempty"`
+
+	// Name is the name of the resource
+	Name string `json:"name,omitempty"`
+}
+
+type CustomResourceProxyTarget struct {
+	// Name is the name of the virtual cluster
+	Name string `json:"name,omitempty"`
+
+	// Project is the project of the virtual cluster
+	Project string `json:"project,omitempty"`
+
+	// ServiceAccountRef is the service account to use for the proxy in target cluster
+	ServiceAccountRef NamespacedNameArgs `json:"serviceAccountRef,omitempty"`
+}
+
 type ExternalEtcdPersistence struct {
 	// VolumeClaim can be used to configure the persistent volume claim.
 	VolumeClaim ExternalEtcdPersistenceVolumeClaim `json:"volumeClaim,omitempty"`
@@ -2992,6 +3024,9 @@ type Experimental struct {
 
 	// DenyProxyRequests denies certain requests in the vCluster proxy.
 	DenyProxyRequests []DenyRule `json:"denyProxyRequests,omitempty" product:"pro"`
+
+	// Proxy enables vCluster-to-vCluster proxying of resources via Tailscale
+	Proxy Proxy `json:"proxy,omitempty"`
 }
 
 func (e Experimental) JSONSchemaExtend(base *jsonschema.Schema) {

config/values.yaml

@@ -657,6 +657,9 @@ external: {}
 plugins: {}
 
 experimental:
+  proxy:
+    customResources: {}
+
   syncSettings:
     setOwner: true
 

go.mod

@@ -24,7 +24,7 @@ require (
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/invopop/jsonschema v0.12.0
 	github.com/kubernetes-csi/external-snapshotter/client/v8 v8.2.0
-	github.com/loft-sh/admin-apis v0.0.0-20250923191853-0998210fade9
+	github.com/loft-sh/admin-apis v0.0.0-20251209063713-e076e2ddb87c
 	github.com/loft-sh/agentapi/v4 v4.5.0-alpha.10
 	github.com/loft-sh/analytics-client v0.0.0-20240219162240-2f4c64b2494e
 	github.com/loft-sh/api/v4 v4.5.0-alpha.10
@@ -49,7 +49,7 @@ require (
 	github.com/wk8/go-ordered-map/v2 v2.1.8
 	go.etcd.io/etcd/server/v3 v3.6.4
 	go.uber.org/atomic v1.11.0
-	golang.org/x/mod v0.26.0
+	golang.org/x/mod v0.27.0
 	google.golang.org/grpc v1.72.1
 	google.golang.org/protobuf v1.36.8
 	gopkg.in/yaml.v3 v3.0.1
@@ -267,7 +267,7 @@ require (
 	golang.org/x/term v0.34.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.35.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
@@ -279,3 +279,5 @@ require (
 	sigs.k8s.io/kustomize/api v0.20.1 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
 )
+
+replace github.com/loft-sh/api/v4 => ../loft-enterprise/staging/src/github.com/loft-sh/api/v4

go.sum

@@ -295,14 +295,12 @@ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhn
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/lithammer/dedent v1.1.0 h1:VNzHMVCBNG1j0fh3OrsFRkVUwStdDArbgBWoPAffktY=
 github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc=
-github.com/loft-sh/admin-apis v0.0.0-20250923191853-0998210fade9 h1:ifHh06CRNzg0Ff2rDekGDuYYAY39wMRpBU9Ym5TxXSI=
-github.com/loft-sh/admin-apis v0.0.0-20250923191853-0998210fade9/go.mod h1:WHCqWfljfD1hkwk41hLeqBhW2yeLvWipB1sH6vfnR7U=
+github.com/loft-sh/admin-apis v0.0.0-20251209063713-e076e2ddb87c h1:HAAqcQPai7ziBFN9Yhq/3Jdhrl9OWnL61Gnm6FukOIY=
+github.com/loft-sh/admin-apis v0.0.0-20251209063713-e076e2ddb87c/go.mod h1:WHCqWfljfD1hkwk41hLeqBhW2yeLvWipB1sH6vfnR7U=
 github.com/loft-sh/agentapi/v4 v4.5.0-alpha.10 h1:QK+lMUuZ7c8qWDWISyumaTxc7dTDjmttNCE3RiRE/T8=
 github.com/loft-sh/agentapi/v4 v4.5.0-alpha.10/go.mod h1:eK66Ey/Zcx9LHjnCHSho1C0HTlf4jjyEUaCwP/9QNn8=
 github.com/loft-sh/analytics-client v0.0.0-20240219162240-2f4c64b2494e h1:JcPnMaoczikvpasi8OJ47dCkWZjfgFubWa4V2SZo7h0=
 github.com/loft-sh/analytics-client v0.0.0-20240219162240-2f4c64b2494e/go.mod h1:FFWcGASyM2QlWTDTCG/WBVM/XYr8btqYt335TFNRCFg=
-github.com/loft-sh/api/v4 v4.5.0-alpha.10 h1:pcPkIAqPSJWZ+DB+9j7rBXb8iClHAMeh0QZC6Tiw6vA=
-github.com/loft-sh/api/v4 v4.5.0-alpha.10/go.mod h1:GzkHPh5gRBOjrYYQt1evksEdlBpB/FUvDYN7nL/sfJU=
 github.com/loft-sh/apiserver v0.0.0-20250910060242-4b9f3ffe0646 h1:ZWOAMcsIZN4GKESwZBWU1+uepe+L8owmrkJDe5j4KlE=
 github.com/loft-sh/apiserver v0.0.0-20250910060242-4b9f3ffe0646/go.mod h1:hLlplUgCm+KDLoTVfSNTGQSBx/fhsTxu5m8d1LBUXKA=
 github.com/loft-sh/image v0.0.0-20250625154753-87447a6ad364 h1:vSuqHqh4w2zrG+WvnyH64JAUhX+Bou19n0gvCrPirOs=
@@ -558,8 +556,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -664,8 +662,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
-golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

pkg/pro/proxy.go

@@ -0,0 +1,10 @@
+package pro
+
+import (
+	"github.com/loft-sh/vcluster/pkg/config"
+	"github.com/loft-sh/vcluster/pkg/syncer/synccontext"
+)
+
+var StartCustomResourceProxy = func(_ *synccontext.ControllerContext, _ *config.VirtualClusterConfig) error {
+	return NewFeatureError("resource proxy")
+}