Add support of storing the caBundle in a secret #25728
Conversation
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
github-actions
bot
added
the
kind/community-contribution
farcaller
force-pushed
the
helm-ca-secret
branch
3 times, most recently
from
294f5d3
to
c62e407
Compare
|
There are a couple of CI failures, if you are taking a look at logs, there will be steps to rectify. |
|
👋 friendly ping if you have a chance to perform the above. Also, would you mind to rebase with main branch for latest CI configuration. |
|
@sayboras thanks for a ping! I got a bit distracted by my cilium setup breaking down in new and exciting ways but I'm back to this and I have a working solution that I just need to rewrite this nix into helm yamls: 😄 {
patchCM = object:
let
volumes = object.spec.template.spec.volumes;
projected = builtins.filter (v: builtins.hasAttr "projected" v) volumes;
nonProjected = builtins.filter (v: builtins.hasAttr "projected" v == false) volumes;
reprojected = builtins.map
(p: lib.recursiveUpdate p (
let
caSources = builtins.filter (s: (s.configMap or { name = ""; }).name == "cilium-ca") p.projected.sources;
nonCaSources = builtins.filter (s: (s.configMap or { name = ""; }).name != "cilium-ca") p.projected.sources;
patchedSources = builtins.map
(s: {
secret = {
items = [{ key = "certificate"; path = (builtins.head s.configMap.items).path; }];
name = "cilium-ca";
};
})
caSources;
in
{
projected.sources = nonCaSources ++ patchedSources;
}
))
projected;
in
(lib.recursiveUpdate object {
spec.template.spec.volumes = nonProjected ++ reprojected;
});
patchOn = cond: object:
if (cond object) then patchCM object
else object;
patchCiliumDS = patchOn (object: (object.kind == "DaemonSet" && object.metadata.name == "cilium"));
patchApiServerDeployment = patchOn (object: (object.kind == "Deployment" && object.metadata.name == "clustermesh-apiserver"));
patchHubbleRelayDeployment = patchOn (object: (object.kind == "Deployment" && object.metadata.name == "hubble-relay"));
patchHubbleUIDeployment = patchOn (object: (object.kind == "Deployment" && object.metadata.name == "hubble-ui"));
} |
|
Heading on vacation so unassigned myself and picked @tommyp1ckles from sig-k8s by lottery ( |
ti-mo
added
the
release-note/minor
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
ti-mo
added
kind/enhancement
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
|
cc @cilium/sig-hubble I think some of you folks have spent more time with Cilium's secret management previously and could potentially help advise on the solution here. |
|
Also cc @giorio94 who added the CA bundle feature in #24862 To me, the overall motivation "this allows to e.g. pull it from vault via external-secrets (as ES cannot write to a ConfigMap)." sounds very reasonable. Since we have not shipped the CA bundle feature in a release yet, I'd even say let's always make it a secret if that makes the CA bundle easier to manage (and I'm not a big fan of having a resource either be a configmap or a secret based on a Helm value). It was also the case that before we added the CA bundle, the CA was already part of a secret, so that should also not be a problem. But I think it would be interesting to know from @giorio94 if there is a particular reason why the CA bundle is a ConfigMap, or if the intent just was that "it's a public key, so it doesn't need to be a secret". I'm marking this as a release blocker for now, since I think this is something that we can quite easily resolve now, where it will become harder to resolve once we ship the CA bundle feature in a stable release. |
gandro
added
the
release-blocker/1.14
No specific reason beside the fact that it is not a "secret" value as you mentioned, and to mimic the kubernetes behavior (specifically the |
install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
Outdated
Show resolved
Hide resolved
|
Thanks @giorio94 for the quick response! I did a quick look at trust-manager, and it seems to only support ConfigMaps unfortunately https://cert-manager.io/docs/projects/trust-manager/api-reference/#bundlespectarget So maybe we do need to use flag that switches between ConfigMap and Secrets 😞 In that case I'll remove the release-blocker label again, since the change with |
gandro
removed
the
release-blocker/1.14
Oh right, I actually forgot to double-check it. Thanks! |
|
/test |
There was a problem hiding this comment.
Thanks for the patch @farcaller!
Couple of cosmetic comments, but other than that LGTM.
install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
Outdated
Show resolved
Hide resolved
farcaller
force-pushed
the
helm-ca-secret
branch
from
0a61061
to
b559760
Compare
install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
Outdated
Show resolved
Hide resolved
farcaller
force-pushed
the
helm-ca-secret
branch
2 times, most recently
from
202f059
to
b49610e
Compare
farcaller
force-pushed
the
helm-ca-secret
branch
from
b49610e
to
4d5fb4f
Compare
|
One more: https://github.com/cilium/cilium/actions/runs/5354804806/jobs/9712313069?pr=25728 |
farcaller
force-pushed
the
helm-ca-secret
branch
from
4d5fb4f
to
a75663c
Compare
Done (thought that one was supposed to be re-generated from |
farcaller
force-pushed
the
helm-ca-secret
branch
from
a75663c
to
5fd07ee
Compare
This allows to e.g. pull it from vault via external-secrets Signed-off-by: Vladimir Pouzanov <farcaller@gmail.com>
farcaller
force-pushed
the
helm-ca-secret
branch
from
5fd07ee
to
baa0af7
Compare
|
/test |
maintainer-s-little-helper
bot
added
the
ready-to-merge
michi-covalent
requested review from
a team and
learnitall
and removed request for
a team
maintainer-s-little-helper
bot
removed
the
ready-to-merge
description and a
Fixes: #XXXline if the commit addresses a particularGitHub issue.
Fixes: <commit-id>tag, thenplease add the commit author[s] as reviewer[s] to this issue.
This allows to e.g. pull it from vault via external-secrets (as ES cannot write to a ConfigMap).