Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mutual-auth: Avoid confusion on mTLS wording #25761

Merged
merged 4 commits into from Jun 5, 2023
Merged

mutual-auth: Avoid confusion on mTLS wording #25761

merged 4 commits into from Jun 5, 2023

Conversation

sayboras
Copy link
Member

@sayboras sayboras commented May 30, 2023
edited

Description

Please refer to individual commits for more details.

Tasks

Copied from #24867

  • rename the field in NetworkPolicy to authentication (from auth)
  • rename the value in NetworkPolicy to spiffe from mtls-spiffe. Just removing the tls part removes any possibility of confusion here, and we'll address that spiffe uses TLS in other parts of the docs. Something like this is basically a must-do.
  • rename the existing auth stanza in Helm to authentication instead.
  • rename the current mTLS stanza in Helm to mutual instead. This means that the complete path will be authentication.mutual. To me, this leaves the authentication level with the possibility to add other types of authentication for Cilium to configure. I don't know if this is viable, or if we should collapse what's currently mTLS into authentication instead.
  • Change all command-line flags and config file options for cilium to use mutual, mutual-auth, or MutualAuth instead of mtls, mtls-auth, or MTLS respectively.
  • Refactor code to remove mTLS references (lowest priority).

Testing

Testing was done locally with cilium cli build from cilium/cilium-cli#1673

$ cilium connectivity test --test auth
...
[=] Test [echo-ingress-auth-always-fail]
........
[=] Test [echo-ingress-mutual-auth-spiffe]
........

[=] Skipping Test [pod-to-ingress-service]
...
[=] Skipping Test [to-fqdns]

✅ All 2 tests (16 actions) successful, 53 tests skipped, 0 scenarios skipped.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 30, 2023
@sayboras sayboras added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label May 30, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 30, 2023
@sayboras sayboras added the area/servicemesh GH issues or PRs regarding servicemesh label May 30, 2023
@sayboras sayboras force-pushed the tam/auth-terminology branch 4 times, most recently from f3a8b36 to 7c6a486 Compare May 30, 2023 12:35
@sayboras sayboras marked this pull request as ready for review May 30, 2023 12:35
@sayboras sayboras requested review from a team as code owners May 30, 2023 12:35
meyskens
meyskens reviewed May 30, 2023
View reviewed changes
operator/auth/cell.go Outdated Show resolved Hide resolved
meyskens
meyskens approved these changes May 30, 2023
View reviewed changes
Copy link
Member

@meyskens meyskens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One nit but LGTM

mhofstetter
mhofstetter reviewed May 30, 2023
View reviewed changes
Copy link
Member

@mhofstetter mhofstetter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the renames @sayboras!

only one small concern regarding naming inline.

Documentation/cmdref/cilium-agent.md Outdated Show resolved Hide resolved
Documentation/cmdref/cilium-operator.md Outdated Show resolved Hide resolved
youngnick
youngnick reviewed May 30, 2023
View reviewed changes
operator/auth/cell.go Outdated Show resolved Hide resolved
youngnick
youngnick approved these changes May 30, 2023
View reviewed changes
Copy link
Contributor

@youngnick youngnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with that one change about using mesh-auth-mutual for command line flags instead of mesh-mutual-auth (just so the flags are all grouped together).

@sayboras
Copy link
Member Author

/test

@sayboras
Copy link
Member Author

sayboras commented Jun 2, 2023

/test

@sayboras sayboras marked this pull request as ready for review June 2, 2023 10:07
mhofstetter
mhofstetter requested changes Jun 2, 2023
View reviewed changes
pkg/policy/l4.go Outdated Show resolved Hide resolved
pkg/policy/l4.go Outdated Show resolved Hide resolved
pkg/policy/l4.go Outdated Show resolved Hide resolved
pkg/auth/cell.go Show resolved Hide resolved
pkg/auth/disabled_authhandler.go Outdated Show resolved Hide resolved
pkg/auth/disabled_authhandler.go Outdated Show resolved Hide resolved
pkg/auth/mutual_authhandler.go Outdated Show resolved Hide resolved
@sayboras sayboras requested a review from a team as a code owner June 2, 2023 11:04
mhofstetter
mhofstetter approved these changes Jun 2, 2023
View reviewed changes
Copy link
Member

@mhofstetter mhofstetter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - thanks for the additional changes 🥇

only one small non-blocking nit regarding the comment of alwaysPassAuthHandler

pkg/auth/always_pass_authhandler.go Outdated Show resolved Hide resolved
bimmlerd
bimmlerd requested changes Jun 2, 2023
View reviewed changes
Copy link
Member

@bimmlerd bimmlerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GH is somehow not letting me comment on the file, but tools/maptool/maptool is a binary, I'm guessing it was accidentially commited?

@sayboras
Copy link
Member Author

sayboras commented Jun 2, 2023

GH is somehow not letting me comment on the file, but tools/maptool/maptool is a binary, I'm guessing it was accidentially commited?

ah thanks for pointing it out, it the left over file in old releases :( (probably due to my backport duty)

@sayboras
helm: Update the terminology for authentication
97e8c16 
This commit is to make sure that the name and language for authentication
are explicit.

Relates: cilium#24867
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras
crd: Rename auth field to authentication
fb51ca0 
This commit is to rename `auth` attribute in both Ingress and Egress
rules to `authentication` for more clarity. Also, `type` attribute is
renamed to `mode` with applicable values as disabled, required and
test-always-fail.

Relates: cilium#24867
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras
operator/agent: Rename mtls command line flags options
dabb34e 
This commit is to change all command-line flags and config file options
for cilium to use mutual, mutual-auth, or MutualAuth instead of mtls,
mtls-auth, or MTLS respectively.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras
operator/agent: Refactor to remove mTLS references
acdfea3 
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras sayboras requested a review from bimmlerd June 2, 2023 12:23
@sayboras
Copy link
Member Author

sayboras commented Jun 2, 2023

/test

bimmlerd
bimmlerd approved these changes Jun 2, 2023
View reviewed changes
Copy link
Member

@bimmlerd bimmlerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

contributing review requirement is gone now, so I can :disappear:

qmonnet
qmonnet approved these changes Jun 5, 2023
View reviewed changes
Copy link
Member

@qmonnet qmonnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks all good from my side, thanks!

Documentation/operations/upgrade.rst Show resolved Hide resolved
@aanm
Copy link
Member

aanm commented Jun 5, 2023

The majority of the codeowneres reviewed the PR. Merging since it's blocking a lot of other PRs and this PR is simply a name refactoring.

@aanm aanm merged commit afb6b2b into cilium:main Jun 5, 2023
61 checks passed
@sayboras sayboras deleted the tam/auth-terminology branch June 5, 2023 09:46
@sayboras sayboras mentioned this pull request Jun 5, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@qmonnet qmonnet qmonnet approved these changes

@kaworu kaworu kaworu approved these changes

@lmb lmb lmb approved these changes

@joamaki joamaki joamaki approved these changes

@rolinh rolinh rolinh approved these changes

@aanm aanm aanm approved these changes

@mhofstetter mhofstetter mhofstetter approved these changes

@bimmlerd bimmlerd bimmlerd approved these changes

@michi-covalent michi-covalent michi-covalent approved these changes

@nathanjsweet nathanjsweet Awaiting requested review from nathanjsweet nathanjsweet is a code owner automatically assigned from cilium/api

@zacharysarah zacharysarah Awaiting requested review from zacharysarah zacharysarah is a code owner automatically assigned from cilium/docs-structure

@meyskens meyskens Awaiting requested review from meyskens

@youngnick youngnick Awaiting requested review from youngnick

Assignees
No one assigned
Labels
area/servicemesh GH issues or PRs regarding servicemesh release-blocker/1.14 This issue will prevent the release of the next version of Cilium. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet