mutual-auth: Avoid confusion on mTLS wording #25761
f3a8b36 to 7c6a486
One nit but LGTM
thanks for the renames @sayboras!
only one small concern regarding naming inline.
LGTM with that one change about using `mesh-auth-mutual` for command line flags instead of `mesh-mutual-auth` (just so the flags are all grouped together).
7c6a486 to 474bd06
/test
0fe3851 to f572c62
/test
f572c62 to de7e5b2
de7e5b2 to 3e23a32
LGTM - thanks for the additional changes 🥇
only one small non-blocking nit regarding the comment of alwaysPassAuthHandler
GH is somehow not letting me comment on the file, but `tools/maptool/maptool` is a binary, I'm guessing it was accidentally committed?
ah thanks for pointing it out, it's the leftover file in old releases :( (probably due to my backport duty)
This commit is to make sure that the name and language for authentication are explicit. Relates: cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to rename `auth` attribute in both Ingress and Egress rules to `authentication` for more clarity. Also, `type` attribute is renamed to `mode` with applicable values as disabled, required and test-always-fail. Relates: cilium#24867 Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to change all command-line flags and config file options for cilium to use mutual, mutual-auth, or MutualAuth instead of mtls, mtls-auth, or MTLS respectively. Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
3e23a32 to acdfea3
/test
contributing review requirement is gone now, so I can :disappear:
Looks all good from my side, thanks!
The majority of the codeowners reviewed the PR. Merging since it's blocking a lot of other PRs and this PR is simply a name refactoring.
Description
Please refer to individual commits for more details.
Tasks
Copied from #24867
- `authentication` (from `auth`)
- `spiffe` from `mtls-spiffe`. Just removing the `tls` part removes any possibility of confusion here, and we'll address that `spiffe` uses TLS in other parts of the docs. Something like this is basically a must-do.
- `auth` stanza in Helm to `authentication` instead.
- `mTLS` stanza in Helm to `mutual` instead. This means that the complete path will be `authentication.mutual`. To me, this leaves the `authentication` level with the possibility to add other types of authentication for Cilium to configure. I don't know if this is viable, or if we should collapse what's currently `mTLS` into `authentication` instead.
- `cilium` to use `mutual`, `mutual-auth`, or `MutualAuth` instead of `mtls`, `mtls-auth`, or `MTLS` respectively.
Testing
Testing was done locally with cilium cli build from cilium/cilium-cli#1673