auth: feature flag for authentication #26208

Merged
merged 1 commit into from Jun 15, 2023

@mhofstetter mhofstetter commented Jun 14, 2023

Up to this point, only the SPIRE installation & integration were put behind a feature flag. Authentication, re-authentication & garbage collection were always active.

This PR introduces an additional feature flag to be able to disable the auth module if necessary. It is enabled by default.

Cilium config: auth-mesh-enabled
Helm value: authentication.enabled

Note that if disabled, policy enforcement will still block requests that require authentication. But the resulting authentication requests for these requests will not be processed, therefore the requests will not be allowed.
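
A check for the failure mode described above, added here as an example and not part of this PR or of Cilium's code: it flags policy rules that require authentication while `auth-mesh-enabled` is off. The sample objects are constructed, and the rule field `authentication.mode: required` and the `spec`/`specs` layout are assumptions not shown on this page.

```python
import json

# Constructed sample input (not from the PR): the cilium-config ConfigMap data
# and two CiliumNetworkPolicy objects as `kubectl get -o json` would return them.
SAMPLE_CONFIG = {"auth-mesh-enabled": "false"}
SAMPLE_POLICIES = json.loads("""
[
  {"metadata": {"namespace": "shop", "name": "db-mutual-auth"},
   "spec": {"endpointSelector": {},
            "ingress": [{"fromEndpoints": [{}],
                         "authentication": {"mode": "required"}}]}},
  {"metadata": {"namespace": "shop", "name": "allow-frontend"},
   "specs": [{"endpointSelector": {}, "egress": [{"toEndpoints": [{}]}]}]}
]
""")


def auth_enabled(config):
    """The PR states the flag is enabled by default, so a missing key means on."""
    return str(config.get("auth-mesh-enabled", "true")).strip().lower() == "true"


def rules_requiring_auth(policy):
    """Yield (direction, index) for each rule that demands authentication.

    Assumption: rules carry `authentication.mode: required`, and a policy
    holds its rules under `spec` or a list under `specs`.
    """
    specs = [policy["spec"]] if policy.get("spec") else []
    specs += policy.get("specs") or []
    for spec in specs:
        for direction in ("ingress", "egress"):
            for i, rule in enumerate(spec.get(direction) or []):
                if (rule.get("authentication") or {}).get("mode") == "required":
                    yield direction, i


def blocked_policies(config, policies):
    """Return findings for policies whose traffic can never be authenticated."""
    if auth_enabled(config):
        return []
    findings = []
    for p in policies:
        meta = p.get("metadata", {})
        for direction, i in rules_requiring_auth(p):
            findings.append(f"{meta.get('namespace')}/{meta.get('name')} {direction}[{i}]")
    return findings
```

Each returned entry names a rule whose matching traffic stays blocked for as long as the flag is off.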

@mhofstetter mhofstetter added kind/enhancement This would improve or streamline existing functionality. release-note/misc This PR makes changes that have no direct user impact. area/servicemesh GH issues or PRs regarding servicemesh feature/authentication labels Jun 14, 2023
@mhofstetter mhofstetter requested review from a team as code owners June 14, 2023 07:51

@sayboras sayboras left a comment

🚢

install/kubernetes/cilium/templates/validate.yaml (outdated, resolved)
@mhofstetter

/test

@youngnick youngnick left a comment

Mostly LGTM with one small change.

@@ -2964,6 +2964,9 @@ sctp:

# Configuration for types of authentication for Cilium
authentication:
# -- Enable authentication processing and garbage collection.
# Note that this doesn't affect auth policy enforcement.
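
Review bot: the `# --` comment for `authentication.enabled` ends with "this doesn't affect auth policy enforcement", which leaves open what happens to traffic when the flag is off. Spell out the consequence in the values comment: policy enforcement keeps blocking requests that require authentication, and with authentication processing disabled those requests are never allowed. Stating the default next to it would also help, since the hunk as shown does not include the value line.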

I think this could use a little more explanation - maybe something about what happens when it's disabled? That is, what stops running, and what won't work?

As written, it sounds like disabling authentication won't affect that auth policy enforcement works properly, which doesn't seem right?

@youngnick good point. I tried to come up with a better comment. PTAL

@mhofstetter mhofstetter added the release-blocker/1.14 This issue will prevent the release of the next version of Cilium. label Jun 14, 2023
Up to this point, only the SPIRE installation & integration were put
behind a feature flag. Authentication, re-authentication &
garbage collection were always active.

This commit introduces an additional feature flag to disable the auth
module that is enabled by default.

Cilium config: `auth-mesh-enabled`
Helm value: `authentication.enabled`

Be aware that this doesn't affect the auth policy enforcement.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
@mhofstetter mhofstetter force-pushed the pr/mhofstetter/auth-feature-flag branch from cd95a7e to 7075a7d Compare June 15, 2023 06:54
@mhofstetter

/test

@youngnick youngnick left a comment

Thanks for the extra comment, that's excellent.

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 15, 2023
@tklauser tklauser merged commit aa2e1b1 into cilium:main Jun 15, 2023
61 checks passed
@mhofstetter mhofstetter deleted the pr/mhofstetter/auth-feature-flag branch June 15, 2023 09:04