Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

helm: simplify TLS configuration of clustermesh peers #24222

Merged
merged 2 commits into from Mar 10, 2023
Merged

helm: simplify TLS configuration of clustermesh peers #24222

merged 2 commits into from Mar 10, 2023

Conversation

giorio94
Copy link
Member

@giorio94 giorio94 commented Mar 7, 2023
edited

This PR introduces two main changes

  1. Avoid the need to specify the TLS config for clustermesh peers in case of shared CA
  2. Allow to override the CA on a per-peer basis, required in case of non-shared CA

Please, refer to the individual commits for more details.

helm: simplify TLS configuration of clustermesh peers

@giorio94 giorio94 added kind/enhancement This would improve or streamline existing functionality. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/clustermesh Relates to multi-cluster routing functionality in Cilium. area/helm Impacts helm charts and user deployment experience labels Mar 7, 2023
@giorio94 giorio94 requested review from a team as code owners March 7, 2023 14:49
@giorio94 giorio94 changed the title helm: simplify configuration of clustermesh peers helm: simplify TLS configuration of clustermesh peers Mar 7, 2023
@giorio94 giorio94 requested a review from chancez March 7, 2023 14:50
kaworu
kaworu approved these changes Mar 7, 2023
View reviewed changes
Copy link
Member

@kaworu kaworu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @giorio94, couple of question/nitpicking comments, but overall the patch LGTM.

install/kubernetes/cilium/templates/clustermesh-config/clustermesh-secret.yaml Show resolved Hide resolved
install/kubernetes/cilium/templates/clustermesh-config/_helpers.tpl Show resolved Hide resolved
install/kubernetes/cilium/values.yaml.tmpl Outdated Show resolved Hide resolved
@giorio94
helm: simplify TLS config for clustermesh etcd if CA is shared
473d1b9 
In the clustermesh context, when the CA is shared across clusters,
there is no need to explicitly set the TLS private key and certificate
for each peer, since the one with CN=remote available locally is
enough for authn/authz purposes.

This commit extends the helm chart to automatically mount the secret
containing the above key and certificate alongside the existing
clustermesh configuration files, and for each peer configures etcd to
use those if no TLS entry is provided. Overall, this simplifies the
declarative configuration of clustermesh peers, as well as makes it
transparent to the certificate renewal process.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
helm: allow to override the CA cert on a clustermesh peer basis
97dadf3 
This commit extends the helm chart to enable overriding the CA certificate
of a specific clustermesh peer. This is required in case different CAs are
used across the mesh, since it otherwise defaults to the local one.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
chancez
chancez approved these changes Mar 7, 2023
View reviewed changes
Copy link
Contributor

@chancez chancez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@giorio94
Copy link
Member Author

giorio94 commented Mar 8, 2023

ConformanceGatewayAPI test hit known flake: #24217

@giorio94
Copy link
Member Author

giorio94 commented Mar 8, 2023

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 8, 2023
@pchaigno pchaigno merged commit 46ecd9a into cilium:master Mar 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kaworu kaworu kaworu approved these changes

@chancez chancez chancez approved these changes

@christarazi christarazi christarazi approved these changes

Assignees
No one assigned
Labels
area/clustermesh Relates to multi-cluster routing functionality in Cilium. area/helm Impacts helm charts and user deployment experience kind/enhancement This would improve or streamline existing functionality. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@giorio94 @kaworu @chancez @christarazi @pchaigno