helm: simplify TLS configuration of clustermesh peers #24222
Merged
Conversation
giorio94 added the kind/enhancement (This would improve or streamline existing functionality.), release-note/minor (This PR changes functionality that users may find relevant to operating Cilium.), area/clustermesh (Relates to multi-cluster routing functionality in Cilium.) and area/helm (Impacts helm charts and user deployment experience) labels on Mar 7, 2023.
giorio94 changed the title from "helm: simplify configuration of clustermesh peers" to "helm: simplify TLS configuration of clustermesh peers" on Mar 7, 2023.
kaworu approved these changes on Mar 7, 2023.
Thanks @giorio94, a couple of question/nitpicking comments, but overall the patch LGTM.
install/kubernetes/cilium/templates/clustermesh-config/clustermesh-secret.yaml
giorio94 force-pushed the mio/clustermesh-auth branch from 1fad155 to 4debeff on March 7, 2023 15:58.
chancez reviewed on Mar 7, 2023.
In the clustermesh context, when the CA is shared across clusters, there is no need to explicitly set the TLS private key and certificate for each peer, since the one with CN=remote available locally is enough for authn/authz purposes. This commit extends the helm chart to automatically mount the secret containing the above key and certificate alongside the existing clustermesh configuration files, and for each peer configures etcd to use those if no TLS entry is provided. Overall, this simplifies the declarative configuration of clustermesh peers, as well as makes it transparent to the certificate renewal process. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
This commit extends the helm chart to enable overriding the CA certificate of a specific clustermesh peer. This is required in case different CAs are used across the mesh, since it otherwise defaults to the local one. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
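To make the two commit descriptions concrete, the following Helm values fragment is an added example, not part of the pull request or the Cilium chart itself. It assumes the chart's `clustermesh.config.clusters[]` entries accept `name`, `port`, `ips` and an optional `tls` block with a `caCert` key, as the commit messages describe; the cluster names, addresses and the certificate value are constructed placeholders.

```yaml
# Added example (not from the PR). Assumed keys: clustermesh.config.clusters[].{name,port,ips,tls.caCert}.
clustermesh:
  config:
    enabled: true
    domain: mesh.cilium.io
    clusters:
      # Peer that shares the local CA: after this PR no per-peer tls block is
      # needed, because the locally available CN=remote key and certificate
      # are mounted and used for etcd authentication automatically.
      - name: cluster2            # constructed placeholder name
        port: 2379
        ips: ["192.0.2.10"]       # constructed placeholder address

      # Peer whose etcd is signed by a different CA: only the CA certificate
      # has to be overridden; the client key/certificate still come from the
      # shared CN=remote secret.
      - name: cluster3            # constructed placeholder name
        port: 2379
        ips: ["198.51.100.20"]    # constructed placeholder address
        tls:
          caCert: "<base64-encoded CA certificate of cluster3; placeholder>"
```

The defensive point of the simplification is that the per-peer key and certificate no longer have to be copied into `values.yaml`, so certificate renewal of the shared CN=remote material takes effect without touching the peer configuration; only a genuinely different trust anchor (`caCert`) remains a per-peer setting.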
giorio94 force-pushed the mio/clustermesh-auth branch from 4debeff to 97dadf3 on March 7, 2023 17:19.
chancez approved these changes on Mar 7, 2023.
LGTM
ConformanceGatewayAPI test hit known flake: #24217
/test
christarazi approved these changes on Mar 8, 2023.
maintainer-s-little-helper (bot) added the ready-to-merge label (This PR has passed all tests and received consensus from code owners to merge.) on Mar 8, 2023.
This PR introduces two main changes.
Please refer to the individual commits for more details.