mTLS enablement, SPIRE server and agent installation #23806
Comments
Current thoughts on this: The semi-official SPIRE Helm charts will need a lot of modification for our use case - I think it's better to maintain our own chart based on their principles, because of how we are using the DelegatedIdentity API, our install will necessarily be different to the standard ones. We also need to ensure that we're not stopping ourselves from being able to work with bring-your-own-SPIRE in the future (although that is not in scope for the initial release.) I think we should do a two-pronged approach:
Things that we can be pretty sure we need to have be configurable:
Things that we expect but probably don't need to have configurable:
For the Helm chart, I think we should move from the existing config:

```yaml
auth:
  mTLS:
    # -- Enable mtls-spiffe authentication method in CiliumNetworkPolicy
    enabled: false
    # -- SPIRE socket path where the SPIRE delegated api agent is listening
    spireAdminSocketPath: /run/spire/sockets/admin.sock
    # -- SPIFFE trust domain to use for fetching certificates
    spiffeTrustDomain: spiffe.cilium.io
    # -- port on the agent which is used for mTLS handshakes
    port: 4250
```

To this one:

```yaml
auth:
  mTLS:
    # -- Enable mtls authentication method in CiliumNetworkPolicy
    enabled: true
    # -- port on the agent which is used for mTLS handshakes
    port: 4250
    # Settings for SPIRE
    spire:
      # Settings to control the SPIRE installation subchart
      install:
        # Note that this will only take effect if auth.mTLS.enabled is true _and_ authType is spire
        enabled: false
        namespace: cilium-spire
      # -- SPIFFE trust domain to use for fetching certificates
      spiffeTrustDomain: spiffe.cilium.io
      # -- SPIRE socket path where the SPIRE delegated api agent is listening
      adminSocketPath: /run/spire/sockets/admin.sock
      # -- SPIRE socket path where the SPIRE workload agent is listening
      # Applies to both the Cilium Agent and Operator
      agentSocketPath: /run/spire/sockets/agent/agent.sock
      # Identity paths for the SPIFFE URLs, without prepended /
      # SPIFFE URLs will look like:
      # spiffe://trustdomain/identity
      identities:
        cilium-agent: "cilium-agent"
        cilium-operator: "cilium-operator"
```

Notable things here:

We need to speak to other folks to decide if a subchart or just a directory of templates is the better option for the Cilium SPIRE install; the upstream chart is not usable without a lot of editing, so we would effectively be maintaining our own chart anyway. My preference is probably for a subchart that is just stored within the Cilium chart folder, which allows some segmentation of this (pretty substantial) install away from the bits that are Cilium proper. However, Cilium has previously had subcharts and moved away from them, so we should check why that was and if the reasons for that change apply here and now (Helm 3 has changed a bunch of things).
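As an added illustration of the rules encoded in the proposed values above (this is example code, not part of Cilium or the SPIRE charts), the script below takes a constructed transcription of that values structure as a plain dict and checks it the way a chart-level validation hook or a cilium-cli pre-flight might: it derives whether the SPIRE subchart would actually be installed (only when `auth.mTLS.enabled` is true, `authType` is `spire` and `install.enabled` is set), builds the `spiffe://trustdomain/identity` IDs from `spiffeTrustDomain` and `identities`, and flags trust domains and identity paths that violate the SPIFFE-ID character rules. The `authType` key is an assumption: the comment refers to it, but the YAML shown does not include it, so its name and location here are hypothetical.

```python
import copy
import re

# Constructed transcription of the proposed values.yaml from the comment above.
# "authType" is a hypothetical key: the comment mentions it but the YAML does not show it.
PROPOSED_VALUES = {
    "auth": {
        "mTLS": {
            "enabled": True,
            "port": 4250,
            "authType": "spire",  # hypothetical key, see lead-in
            "spire": {
                "install": {"enabled": False, "namespace": "cilium-spire"},
                "spiffeTrustDomain": "spiffe.cilium.io",
                "adminSocketPath": "/run/spire/sockets/admin.sock",
                "agentSocketPath": "/run/spire/sockets/agent/agent.sock",
                "identities": {
                    "cilium-agent": "cilium-agent",
                    "cilium-operator": "cilium-operator",
                },
            },
        }
    }
}

# Character classes from the SPIFFE-ID standard: trust domains are lowercase,
# path segments may be mixed case, and "." / ".." segments are forbidden.
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
_PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def _mtls(values):
    return values.get("auth", {}).get("mTLS", {})


def spire_install_effective(values):
    """Rule from the values comment: the SPIRE subchart is only installed when
    mTLS is enabled AND authType is spire AND spire.install.enabled is set."""
    mtls = _mtls(values)
    return bool(
        mtls.get("enabled")
        and mtls.get("authType") == "spire"
        and mtls.get("spire", {}).get("install", {}).get("enabled")
    )


def trust_domain_errors(td):
    errs = []
    if not td or len(td) > 255:
        errs.append("trust domain must be 1..255 characters")
    if "://" in td:
        errs.append("trust domain must not include a scheme")
    elif td and not _TRUST_DOMAIN_RE.match(td):
        errs.append(f"trust domain {td!r} must be lowercase [a-z0-9._-]")
    return errs


def identity_path_errors(name, path):
    errs = []
    if path.startswith("/"):
        errs.append(f"identity {name!r}: path must not start with '/'")
    for seg in path.strip("/").split("/"):
        if seg in ("", ".", ".."):
            errs.append(f"identity {name!r}: invalid path segment {seg!r}")
        elif not _PATH_SEGMENT_RE.match(seg):
            errs.append(f"identity {name!r}: bad characters in {seg!r}")
    return errs


def spiffe_ids(values):
    """Build spiffe://trustdomain/identity for each configured identity."""
    spire = _mtls(values).get("spire", {})
    td = spire.get("spiffeTrustDomain", "")
    return {name: f"spiffe://{td}/{path.lstrip('/')}"
            for name, path in spire.get("identities", {}).items()}


def lint(values):
    """Return a list of problems; an empty list means the values are consistent."""
    mtls = _mtls(values)
    spire = mtls.get("spire", {})
    errs = trust_domain_errors(spire.get("spiffeTrustDomain", ""))
    for name, path in spire.get("identities", {}).items():
        errs += identity_path_errors(name, path)
    if spire.get("install", {}).get("enabled") and not spire_install_effective(values):
        errs.append("spire.install.enabled is set but will be ignored: "
                    "requires auth.mTLS.enabled=true and authType=spire")
    if mtls.get("enabled") and not isinstance(mtls.get("port"), int):
        errs.append("auth.mTLS.port must be an integer")
    return errs


def with_override(values, dotted_key, value):
    """Deep-copy values with one dotted key (e.g. 'auth.mTLS.enabled') changed."""
    out = copy.deepcopy(values)
    node = out
    *parents, last = dotted_key.split(".")
    for p in parents:
        node = node.setdefault(p, {})
    node[last] = value
    return out


if __name__ == "__main__":
    print(spire_install_effective(PROPOSED_VALUES))
    print(spiffe_ids(PROPOSED_VALUES))
    print(lint(PROPOSED_VALUES))
```

The "ignored setting" check is the one worth keeping in a real chart: a user who sets `spire.install.enabled: true` without the gating keys gets no SPIRE server and no clear error, which is exactly the kind of silent misconfiguration the issue body asks us to prevent.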
This issue covers figuring out how to handle enabling mTLS, and then installing the SPIRE server and per-node agents.
We'll need to ensure that we support both Helm and cilium-cli, and also that we ensure that you can't turn this on in cases where it will conflict with other features.