mtls: SPIRE server and agent installation #24765
Conversation
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
sayboras
added
the
release-note/minor
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
sayboras
added
area/helm
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
sayboras
force-pushed
the
tam/spire-installation
branch
7 times, most recently
from
a315cd7
to
5a1d388
Compare
|
/test |
|
/test-1.16-4.19 |
|
/test-1.24-5.4 |
|
/test-1.25-4.19 |
|
/test-1.26-net-next |
|
/test |
|
/test-1.26-net-next |
maintainer-s-little-helper
bot
added
the
ready-to-merge
|
Adding a note that i got this error on my system with this PR on the spire agent, it could be me but better verify a later change did not break it. |
| # -- SPIRE agent init containers | ||
| initContainers: | ||
| - name: init | ||
| image: cgr.dev/chainguard/wait-for-it@sha256:ecb58e3a2ffbdb732bb9049987e06eaf826d945410e167f31d6ffe28fab259f4 |
There was a problem hiding this comment.
why does this need to be configurable?
There was a problem hiding this comment.
FY I plan to revert this change in #24897
There was a problem hiding this comment.
what @meyskens says 👍, we probably either change the default here, or just remove it from being configurable.
| # -- SPIRE agent configuration | ||
| agent: | ||
| # -- SPIRE agent image | ||
| image: ghcr.io/spiffe/spire-agent:1.5.1@sha256:40228af4d9a094f0fef2d7a303a3b6a689c4b4eba2fa9f7da5125b81d2d68ec8 |
There was a problem hiding this comment.
Are we going to mirror these containers to a repository in the cilium organization?
There was a problem hiding this comment.
most of users are kind of doing that i.e. copy public images to private registry (e.g. ecr, google, etc), so I think we don't need to do it ourselves.
|
How does this affect cluster bootstrap? Is a running SPIRE agent + server required for cilium agent start / restart / upgrade? If a cluster is using an in-cluster-hosted CSI driver, the statefulset volume will not be available until after the network starts up, for example. Is that going to be a problem here? |
This is highlighted as part of CFP. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This is to avoid any confusion on valid DNS name, which could cause any assumption on external traffic/lookup as part of Auth process. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This is to simplify the identity registration as part of bootstrap. Signed-off-by: Tam Mach <tam.mach@cilium.io>
The current implementation makes sure that cilium will not crash or wait for SPIRE component to bootstrap. Cilium will perform connection retry with back-off to SPIRE.
Same as above, Cilium will automatically retry with backoff, so once SPIRE components are up, things will be converged. |
sayboras
force-pushed
the
tam/spire-installation
branch
from
ddebd44
to
fbc1e1e
Compare
|
Commit fbc1e1e75f0131da33c167ce451da94633a4b4d0 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
maintainer-s-little-helper
bot
added
the
dont-merge/needs-sign-off
sayboras
force-pushed
the
tam/spire-installation
branch
from
fbc1e1e
to
c6bbee1
Compare
|
Commit fbc1e1e75f0131da33c167ce451da94633a4b4d0 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
sayboras
removed
the
dont-merge/needs-sign-off
|
@sayboras should this be marked ready to merge? Some tests seem to be still running, and we are failing a smoke testing. |
Thanks, I didn't know that we need to remove ready-to-merge manually. I pushed one small change to incorporate review comments. |
sayboras
removed
the
ready-to-merge
This commit is just to put the layout for current structure of spire configuration. All generated docs and files are included. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to add all required manifests for both spire agent and server components. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to register all cilium related identities in spire, so that other components (e.g. spire-agent, cilium agent, cilium operator) are having required permissions. Currently, a small bash script is used for simplicity, once things are getting more complicated, we can move these steps to a small golang utility, like what we have with cilium-mount or cilium-sysctlfix. Kind note that shareProcessNamespace is enabled, so that init container can cooperate with main spire-server and perform required identity registration. https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras
force-pushed
the
tam/spire-installation
branch
from
c6bbee1
to
71e000a
Compare
|
/test |
maintainer-s-little-helper
bot
added
the
ready-to-merge
Description
This is to install SPIRE server and agent for cilium mTLS.
TODO
Temp script
Fixes: #23806
Testing
Testing was done with fresh cilium installation with mTLS enabled.