mutual-auth: Support spire k8s service dns resolution #26031
Conversation
0b213dc to 5acdb5a
/test
7e85201 to 363050c
/test
If the operator needs to run on the same node as the SPIRE agent, then that should be expressed with PodAffinity. Or, we should include the spire container in the operator pod.
One point of confusion -- the PR seems to suggest that we need
363050c to b796d4c
This was one of the approaches that we considered, however, cilium operator is running in HA mode with the leader election, so it's hard to control the node for both cilium operator and spire server.
Sorry for the confusion, ideally, we would love to set ClusterFirstWithHostNet by default, however, such a configuration was not working in EKS due to #24774. Hence, the goal of this PR is to avoid setting dnsPolicy as ClusterFirstWithHostNet by default if mutual auth is enabled. Users can still have the option to set dnsPolicy in their deployment. Let me update the commit message to make it clearer.
b796d4c to 4bc0d72
03b2159 to 84e0c4a
LGTM for docs
Force push to address the log comment
diff --git a/operator/auth/spire/client.go b/operator/auth/spire/client.go
index 6af073b4c6..6d59e299e3 100644
--- a/operator/auth/spire/client.go
+++ b/operator/auth/spire/client.go
@@ -173,18 +173,18 @@ func (c *Client) connect(ctx context.Context) (*grpc.ClientConn, error) {
tlsConfig := tlsconfig.MTLSClientConfig(source, source, tlsconfig.AuthorizeMemberOf(trustedDomain))
- c.log.WithFields(map[string]interface{}{
- logfields.URL: c.cfg.SpireServerAddress,
- logfields.IPAddr: resolvedTarget,
+ c.log.WithFields(logrus.Fields{
+ logfields.Address: c.cfg.SpireServerAddress,
+ logfields.IPAddr: resolvedTarget,
}).Info("Trying to connect to SPIRE server")
conn, err := grpc.Dial(*resolvedTarget, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
if err != nil {
return nil, fmt.Errorf("failed to create connection to SPIRE server: %w", err)
}
- c.log.WithFields(map[string]interface{}{
- logfields.URL: c.cfg.SpireServerAddress,
- logfields.IPAddr: resolvedTarget,
+ c.log.WithFields(logrus.Fields{
+ logfields.Address: c.cfg.SpireServerAddress,
+ logfields.IPAddr: resolvedTarget,
}).Info("Connected to SPIRE server")
return conn, nil
}
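Review bot: both `logfields.IPAddr: resolvedTarget` lines log a pointer, since the `grpc.Dial(*resolvedTarget, ...)` call below dereferences it; logrus will render a memory address rather than the resolved target, which defeats the purpose of the "Trying to connect" / "Connected" lines when debugging DNS resolution. Log `*resolvedTarget` instead (guarding against nil if it can be nil at this point). Switching `logfields.URL` to `logfields.Address` is the right call here because the configured value may be an FQDN rather than a URL.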
diff --git a/pkg/logging/logfields/logfields.go b/pkg/logging/logfields/logfields.go
index c4796bf951..3dcd56051d 100644
--- a/pkg/logging/logfields/logfields.go
+++ b/pkg/logging/logfields/logfields.go
@@ -121,6 +121,9 @@ const (
// NextHop is an IPV4 or IPv6 address for the next hop
NextHop = "nextHop"
+ // Address is an IPV4, IPv6 or FQDN address
+ Address = "address"
+
// IPAddr is an IPV4 or IPv6 address
IPAddr = "ipAddr"
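Review bot: the doc comment on the new `Address` constant should state whether the value may carry a port, since it is introduced to log the configured SPIRE server address (a host:port style value) rather than a bare host, and readers of the log field will otherwise assume a plain IP or FQDN. While touching this block, the "IPV4" spelling copied from the neighbouring comments could be normalised to "IPv4".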
84e0c4a to ffc73b5
/test
ffc73b5 to d08ff3a
/test
The description must be connection timeout instead of endpoint.
Signed-off-by: Tam Mach <tam.mach@cilium.io>
DNS Policy as ClusterFirstWithHostNet is not strictly required if spire components are installed with Cilium helm chart. For external spire installation, user can choose to set server address accordingly:
- If a routable IP address is used, no further setting is required.
- If a k8s Service FQDN is used, user can set dnsPolicy via existing helm attribute (e.g. operator.dnsPolicy)
Fixes: #25860
Signed-off-by: Tam Mach <tam.mach@cilium.io>
This is to make sure that we have the coverage for different data path modes (e.g. kernel version, ipsec, wireguard, node encryption, etc).
Signed-off-by: Tam Mach <tam.mach@cilium.io>
Force pushed to rebase with main, and drop the last commit as cilium-cli version got upgraded in main branch now.
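The commit message above distinguishes a routable IP (no DNS needed) from a Kubernetes Service FQDN (needs cluster DNS, which a hostNetwork pod only gets with `dnsPolicy: ClusterFirstWithHostNet`). The following Go snippet is an added illustration of that decision, not code from Cilium or from this PR: it classifies a configured `host:port` server address and reports which dnsPolicy must be set explicitly. The cluster domain, the sample namespace `cilium-spire` and the function names are assumptions for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// AddressKind classifies the host part of a configured SPIRE server address.
type AddressKind int

const (
	KindIP             AddressKind = iota // routable IP literal: no DNS lookup at all
	KindClusterService                    // Kubernetes Service FQDN: needs cluster DNS
	KindExternalName                      // any other hostname: node/upstream DNS suffices
)

func (k AddressKind) String() string {
	return [...]string{"ip", "cluster-service", "external-name"}[k]
}

// ClassifySpireAddress splits addr (host:port, IPv6 in brackets) and decides
// whether the host is an IP literal, a Service name under clusterDomain
// (e.g. "cluster.local"), or some other hostname.
func ClassifySpireAddress(addr, clusterDomain string) (AddressKind, string, string, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return 0, "", "", fmt.Errorf("address %q must be host:port: %w", addr, err)
	}
	if net.ParseIP(host) != nil {
		return KindIP, host, port, nil
	}
	h := strings.TrimSuffix(strings.ToLower(host), ".")
	// "<svc>.<ns>.svc" and "<svc>.<ns>.svc.<clusterDomain>" both need cluster DNS.
	if strings.HasSuffix(h, ".svc") || strings.HasSuffix(h, ".svc."+strings.ToLower(clusterDomain)) {
		return KindClusterService, host, port, nil
	}
	return KindExternalName, host, port, nil
}

// RequiredDNSPolicy returns the pod dnsPolicy that must be set explicitly for
// the address kind, or "" when the default suffices. With hostNetwork: true the
// default ClusterFirst behaves like "Default" (node resolv.conf), so a Service
// FQDN only resolves with ClusterFirstWithHostNet.
func RequiredDNSPolicy(kind AddressKind, hostNetwork bool) string {
	if kind == KindClusterService && hostNetwork {
		return "ClusterFirstWithHostNet"
	}
	return ""
}

func main() {
	// Constructed sample addresses; the namespace is an assumption.
	for _, addr := range []string{
		"10.0.0.5:8081",
		"[fd00::1]:8081",
		"spire-server.cilium-spire.svc:8081",
		"spire.example.com:8081",
		"spire-server",
	} {
		kind, host, port, err := ClassifySpireAddress(addr, "cluster.local")
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		policy := RequiredDNSPolicy(kind, true)
		if policy == "" {
			policy = "(default)"
		}
		fmt.Printf("%-38s kind=%-16s host=%s port=%s hostNetwork dnsPolicy=%s\n",
			addr, kind, host, port, policy)
	}
}
```

Running it shows the IP literals and the external hostname needing no override, while the `.svc` name on a hostNetwork pod requires `ClusterFirstWithHostNet`, which is exactly the case `operator.dnsPolicy` exists for. The bare `spire-server` entry is rejected because no port was given.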
d08ff3a to 32301d5
/test
Reviews from all required teams are in, all tests passed, merging.
Description
Please refer to individual commits for more details.
Testing
Testing with the temp commit, the conformance-e2e is running successfully.
https://github.com/cilium/cilium/actions/runs/5220420030/jobs/9423492566?pr=26031