mtls: SPIRE server and agent installation #24765
Conversation
/test
/test-1.16-4.19
/test-1.24-5.4
/test-1.25-4.19
/test-1.26-net-next
/test
/test-1.26-net-next
Adding a note that I got this error on my system with this PR on the spire agent; it could be me, but better verify that a later change did not break it.
    # -- SPIRE agent init containers
    initContainers:
      - name: init
        image: cgr.dev/chainguard/wait-for-it@sha256:ecb58e3a2ffbdb732bb9049987e06eaf826d945410e167f31d6ffe28fab259f4
why does this need to be configurable?
FYI I plan to revert this change in #24897
what @meyskens says 👍, we probably either change the default here, or just remove it from being configurable.
    # -- SPIRE agent configuration
    agent:
      # -- SPIRE agent image
      image: ghcr.io/spiffe/spire-agent:1.5.1@sha256:40228af4d9a094f0fef2d7a303a3b6a689c4b4eba2fa9f7da5125b81d2d68ec8
Are we going to mirror these containers to a repository in the cilium organization?
Most users are kind of doing that already, i.e. copying public images to a private registry (e.g. ECR, Google, etc.), so I think we don't need to do it ourselves.
How does this affect cluster bootstrap? Is a running SPIRE agent + server required for cilium agent start / restart / upgrade? If a cluster is using an in-cluster-hosted CSI driver, the statefulset volume will not be available until after the network starts up, for example. Is that going to be a problem here?
This is highlighted as part of CFP. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This is to avoid any confusion on valid DNS name, which could cause any assumption on external traffic/lookup as part of Auth process. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This is to simplify the identity registration as part of bootstrap. Signed-off-by: Tam Mach <tam.mach@cilium.io>
The current implementation makes sure that cilium will not crash or wait for the SPIRE components to bootstrap. Cilium will perform connection retries with back-off to SPIRE.
Same as above, Cilium will automatically retry with backoff, so once the SPIRE components are up, things will converge.
Commit fbc1e1e75f0131da33c167ce451da94633a4b4d0 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
@sayboras should this be marked ready to merge? Some tests seem to be still running, and we are failing a smoke test.
Thanks, I didn't know that we need to remove ready-to-merge manually. I pushed one small change to incorporate review comments.
This commit is just to put the layout for current structure of spire configuration. All generated docs and files are included. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to add all required manifests for both spire agent and server components. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to register all cilium related identities in spire, so that other components (e.g. spire-agent, cilium agent, cilium operator) have the required permissions. Currently, a small bash script is used for simplicity; once things get more complicated, we can move these steps to a small Golang utility, like what we have with cilium-mount or cilium-sysctlfix. Kind note that shareProcessNamespace is enabled, so that the init container can cooperate with the main spire-server and perform the required identity registration. https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ Signed-off-by: Tam Mach <tam.mach@cilium.io>
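As an added illustration of the registration step the commit above describes (example code, not the PR's own script): an idempotent init-container script that waits for spire-server to report healthy, registers a k8s_psat node alias for the agents plus one workload entry, and skips entries that already exist so a pod restart does not pile up duplicates. The socket path, cluster name, namespaces, service accounts and SPIFFE IDs are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's script: idempotent SPIRE entry registration for an
# init container sharing the spire-server pod's process namespace. Socket path,
# cluster name, namespaces and SPIFFE IDs are assumptions.
set -eu
SPIRE_CLI="${SPIRE_CLI:-spire-server}"            # overridable for testing
SPIRE_SOCKET="${SPIRE_SOCKET:-/tmp/spire-server/private/api.sock}"
CLUSTER_NAME="${CLUSTER_NAME:-default}"           # assumed k8s_psat cluster name
POLL_SECONDS="${POLL_SECONDS:-2}"

# Bounded wait for the main container: the init container may start first.
wait_for_server() {
  attempts="${1:-30}"
  while [ "$attempts" -gt 0 ]; do
    "$SPIRE_CLI" healthcheck -socketPath "$SPIRE_SOCKET" >/dev/null 2>&1 && return 0
    attempts=$((attempts - 1))
    sleep "$POLL_SECONDS"
  done
  echo "spire-server not healthy in time" >&2
  return 1
}

# 0 if an entry with this SPIFFE ID exists; a failing CLI counts as "absent"
# so the later create fails loudly instead of being skipped silently.
entry_exists() {
  out="$("$SPIRE_CLI" entry show -socketPath "$SPIRE_SOCKET" -spiffeID "$1")" || return 1
  case "$out" in *"Found 0 entries"*) return 1 ;; esac
  return 0
}

# Create only when absent, so re-running on spire-server restart adds no duplicates.
ensure_entry() {
  spiffe_id="$1"; shift
  if entry_exists "$spiffe_id"; then echo "exists: $spiffe_id"; return 0; fi
  "$SPIRE_CLI" entry create -socketPath "$SPIRE_SOCKET" -spiffeID "$spiffe_id" "$@" >/dev/null
  echo "created: $spiffe_id"
}

main() {
  td="spiffe://$TRUST_DOMAIN"
  agent_id="$td/ns/spire/sa/spire-agent"
  wait_for_server 30
  # Node alias for agents attested by k8s_psat, then workloads parented to it.
  ensure_entry "$agent_id" -node -selector "k8s_psat:cluster:$CLUSTER_NAME" \
    -selector "k8s_psat:agent_ns:spire" -selector "k8s_psat:agent_sa:spire-agent"
  ensure_entry "$td/cilium-agent" -parentID "$agent_id" \
    -selector "k8s:ns:kube-system" -selector "k8s:sa:cilium"
}
# Run only when a trust domain is given (e.g. pod env); else just define functions.
if [ -n "${TRUST_DOMAIN:-}" ]; then main; fi
```

Run it with TRUST_DOMAIN set (and SPIRE_SOCKET pointing at the server's API socket as seen from the init container) to register the entries.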
/test
Description
This is to install SPIRE server and agent for cilium mTLS.
TODO
Temp script
Fixes: #23806
Testing
Testing was done with a fresh cilium installation with mTLS enabled.