New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support of storing the caBundle in a secret #25728
Conversation
294f5d3
to
c62e407
Compare
There are a couple of CI failures, if you are taking a look at logs, there will be steps to rectify. |
👋 friendly ping if you have a chance to perform the above. Also, would you mind to rebase with main branch for latest CI configuration. |
@sayboras thanks for a ping! I got a bit distracted by my cilium setup breaking down in new and exciting ways but I'm back to this and I have a working solution that I just need to rewrite this nix into helm yamls: 😄 {
patchCM = object:
let
volumes = object.spec.template.spec.volumes;
projected = builtins.filter (v: builtins.hasAttr "projected" v) volumes;
nonProjected = builtins.filter (v: builtins.hasAttr "projected" v == false) volumes;
reprojected = builtins.map
(p: lib.recursiveUpdate p (
let
caSources = builtins.filter (s: (s.configMap or { name = ""; }).name == "cilium-ca") p.projected.sources;
nonCaSources = builtins.filter (s: (s.configMap or { name = ""; }).name != "cilium-ca") p.projected.sources;
patchedSources = builtins.map
(s: {
secret = {
items = [{ key = "certificate"; path = (builtins.head s.configMap.items).path; }];
name = "cilium-ca";
};
})
caSources;
in
{
projected.sources = nonCaSources ++ patchedSources;
}
))
projected;
in
(lib.recursiveUpdate object {
spec.template.spec.volumes = nonProjected ++ reprojected;
});
patchOn = cond: object:
if (cond object) then patchCM object
else object;
patchCiliumDS = patchOn (object: (object.kind == "DaemonSet" && object.metadata.name == "cilium"));
patchApiServerDeployment = patchOn (object: (object.kind == "Deployment" && object.metadata.name == "clustermesh-apiserver"));
patchHubbleRelayDeployment = patchOn (object: (object.kind == "Deployment" && object.metadata.name == "hubble-relay"));
patchHubbleUIDeployment = patchOn (object: (object.kind == "Deployment" && object.metadata.name == "hubble-ui"));
} |
Heading on vacation so unassigned myself and picked @tommyp1ckles from sig-k8s by lottery ( |
cc @cilium/sig-hubble I think some of you folks have spent more time with Cilium's secret management previously and could potentially help advise on the solution here. |
Also cc @giorio94 who added the CA bundle feature in #24862 To me, the overall motivation "this allows to e.g. pull it from vault via external-secrets (as ES cannot write to a ConfigMap)." sounds very reasonable. Since we have not shipped the CA bundle feature in a release yet, I'd even say let's always make it a secret if that makes the CA bundle easier to manage (and I'm not a big fan of having a resource either be a configmap or a secret based on a Helm value). It was also the case that before we added the CA bundle, the CA was already part of a secret, so that should also not be a problem. But I think it would be interesting to know from @giorio94 if there is a particular reason why the CA bundle is a ConfigMap, or if the intent just was that "it's a public key, so it doesn't need to be a secret". I'm marking this as a release blocker for now, since I think this is something that we can quite easily resolve now, where it will become harder to resolve once we ship the CA bundle feature in a stable release. |
No specific reason beside the fact that it is not a "secret" value as you mentioned, and to mimic the kubernetes behavior (specifically the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please run make -C install/kubernetes
, it generates the install/kubernetes/cilium/README.md
which needs to be updated if you add or change Helm values.
install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
Outdated
Show resolved
Hide resolved
Thanks @giorio94 for the quick response! I did a quick look at trust-manager, and it seems to only support ConfigMaps unfortunately https://cert-manager.io/docs/projects/trust-manager/api-reference/#bundlespectarget So maybe we do need to use flag that switches between ConfigMap and Secrets 😞 In that case I'll remove the release-blocker label again, since the change with |
Oh right, I actually forgot to double-check it. Thanks! |
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The changes lgtm ✅
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the patch @farcaller!
Couple of cosmetic comments, but other than that LGTM.
install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
Outdated
Show resolved
Hide resolved
0a61061
to
b559760
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please squash all the PR's commits into one on the way!
install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
Outdated
Show resolved
Hide resolved
202f059
to
b49610e
Compare
b49610e
to
4d5fb4f
Compare
One more: https://github.com/cilium/cilium/actions/runs/5354804806/jobs/9712313069?pr=25728
|
4d5fb4f
to
a75663c
Compare
Done (thought that one was supposed to be re-generated from |
a75663c
to
5fd07ee
Compare
This allows to e.g. pull it from vault via external-secrets Signed-off-by: Vladimir Pouzanov <farcaller@gmail.com>
5fd07ee
to
baa0af7
Compare
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
“docs” change looks good. Thanks!
description and a
Fixes: #XXX
line if the commit addresses a particularGitHub issue.
Fixes: <commit-id>
tag, thenplease add the commit author[s] as reviewer[s] to this issue.
This allows to e.g. pull it from vault via external-secrets (as ES cannot write to a ConfigMap).