Add mTLS auth to the Helm chart

This adds the ability to enable mtls-spiffe support in the Helm chart, It will set the required config flags to the defaults as wel as mount the spire socket to the agent pods. Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
cilium · Mar 16, 2023 · d699086 · d699086
1 parent b21dac4
commit d699086
Show file tree

Hide file tree

Showing 7 changed files with 64 additions and 1 deletion.
diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
diff --git a/Documentation/spelling_wordlist.txt b/Documentation/spelling_wordlist.txt
@@ -188,9 +188,9 @@ asm
 assignees
 au
 auth
+authenticator
 authMapMax
 authMapMin
-authenticator
 autoDirectNodeRoutes
 autoMount
 autoProtectPortRange
@@ -710,6 +710,7 @@ monitorInterval
 mountCgroup
 mountPath
 mov
+mtls
 mul
 multi
 multicore
@@ -947,6 +948,9 @@ sockops
 sortBufferDrainTimeout
 sortBufferLenMax
 sourceContext
+spiffe
+spiffeTrustDomain
+spireAdminSocketPath
 src
 srv
 ssl

diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
@@ -281,6 +281,11 @@ spec:
           {{- end }}
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
+        {{- if .Values.auth.mTLS.enabled }}
+        - name: spire-agent-socket
+          mountPath: {{ dir .Values.auth.mTLS.spireAdminSocketPath }}
+          readOnly: false
+        {{- end }}
         {{- if not .Values.securityContext.privileged }}
         # Unprivileged containers need to mount /proc/sys/net from the host
         # to have write access
@@ -776,6 +781,12 @@ spec:
         hostPath:
           path: /run/xtables.lock
           type: FileOrCreate
+      {{- if .Values.auth.mTLS.enabled }}
+      - name: spire-agent-socket
+        hostPath:
+          path: {{ dir .Values.auth.mTLS.spireAdminSocketPath }}
+          type: DirectoryOrCreate
+      {{- end }}
       {{- if .Values.kubeConfigPath }}
       - name: kube-config
         hostPath:

diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
@@ -999,6 +999,12 @@ data:
 
 {{- end }}
 
+{{- if .Values.auth.mTLS.enabled }}
+  mesh-auth-mtls-listener-port: {{ .Values.auth.mTLS.port | quote }}
+  mesh-auth-spire-admin-socket: {{ .Values.auth.mTLS.spireAdminSocketPath }}
+  mesh-auth-spiffe-trust-domain: {{ .Values.auth.mTLS.spiffeTrustDomain }}
+{{- end }}
+
 ---
 {{- if and .Values.ipMasqAgent.enabled .Values.ipMasqAgent.config }}
 apiVersion: v1

diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
@@ -2604,3 +2604,14 @@ dnsProxy:
 sctp:
   # -- Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming.
   enabled: false
+
+auth:
+  mTLS:
+    # -- Enable mtls-spiffe authentication method in CiliumNetworkPolicy
+    enabled: false
+    # -- SPIRE socket path where the SPIRE delegated api agent is listening
+    spireAdminSocketPath: /run/spire/sockets/admin.sock
+    # -- SPIFFE trust domain to use for fetching certificates
+    spiffeTrustDomain: spiffe.cilium.io
+    # -- port on the agent which is used to mTLS handshakes on
+    port: 4250