auth: Switch to observing identity changes #26375
Conversation
dependent PR #26373 (making the identity allocator observable) has been merged -> will remove
/test
Observe the identity changes via the CachingIdentityAllocator instead of using CiliumIdentity CRD directly. This both fixes the issue of having two informers (and thus double the bandwidth), but it also allows auth to work with the kvstore identity allocation backend. Co-authored-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com>
This commit renames the helm value `authentication.expiredGCInterval` to `authentication.gcInterval` as it will be used for multiple types of auth related GCs. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Latest changes reflect deleted identities and nodes only in the internal state of the garbage collector without deleting the related entries immediately. Therefore, this commit changes the auth map gc interval from `15m` to `5m` which reflects the changes faster in the map itself. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Currently, auth map entries related to a deleted cilium identity are immediately deleted when the event has been received. The actual deletion might result in errors, which no longer can be reported back to the IdentityAllocator which emits the events. To prevent events from resulting in errors, the events should no longer delete auth map entries. Therefore, this commit refactors the code so that the deletion information is stored within the garbage collector, and the actual garbage collection run uses this information to clean up the map. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit reorders the functions within the garbage collector Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Currently, auth map entries related to a deleted node are immediately deleted when the event has been received. To prevent events from resulting in errors, the events should no longer delete auth map entries. Therefore, this commit refactors the code so that the deletion information is stored within the garbage collector, and the actual garbage collection run uses this information to clean up the map. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit combines the different timer based auth map gc jobs into a single job. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit separates the existing auth map gc tests into multiple tests per "type":
* identities
* nodes
* policies
* expiration
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit cleans up the auth module:
* improve comments
* renamed newAuthManager -> registerAuthManager
* grouped params in authManagerParams
* rename gc job names
* split registration into instantiation & job/lifecycle registration sections
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
/test
/ci-multicluster
Looks great!
LGTM!
LGTM ✔️
This PR was marked as release-blocker for 1.14, so nominate it for backport. Feel free to let us know if you think otherwise. Thanks.
Observe the identity changes via the CachingIdentityAllocator instead of using CiliumIdentity CRD directly. This both fixes the issue of having two informers (and thus double the bandwidth), but it also allows auth to work with the kvstore identity allocation backend.
In addition, the auth map garbage collection has been refactored to use the events (deleted nodes, deleted identities) only to update the internal state, whereas the actual GC is combined into a timer-based job. This way we prevent events resulting in errors that wouldn't be retried in case of the observable identity allocator (therefore this refactoring has become mandatory).
It's recommended to review the individual commits for more clarity & more context.
Depends on: #26373
Fixes: #25898
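The GC pattern the PR description and the "deleted identity" / "deleted node" commits describe (event handlers only record the deletion; a timer-based job does the actual map cleanup, so a failed delete is retried on the next run rather than surfacing as an error on the event path) as an added, self-contained Go example. This is not Cilium's code: `authMap`, `authKey`, `authMapGC` and all method names are hypothetical stand-ins, the BPF auth map is replaced by a Go map with a `failDeletes` switch that simulates a map operation error, and the timer that would drive `Run` is left out.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Hypothetical stand-ins for the real identity and auth map key types.
type identity uint32

type authKey struct {
	localIdentity  identity
	remoteIdentity identity
	remoteNodeID   uint16
}

// authMap stands in for the BPF auth map. failDeletes simulates a map
// operation error so the retry path of the garbage collector can be exercised.
type authMap struct {
	entries     map[authKey]struct{}
	failDeletes bool
}

func newAuthMap() *authMap { return &authMap{entries: map[authKey]struct{}{}} }

func (m *authMap) Add(k authKey) { m.entries[k] = struct{}{} }

func (m *authMap) Delete(k authKey) error {
	if m.failDeletes {
		return errors.New("simulated bpf map delete failure")
	}
	delete(m.entries, k)
	return nil
}

func (m *authMap) Len() int { return len(m.entries) }

// authMapGC receives deletion events but only records them in internal state;
// the actual cleanup happens in Run, which a timer-based job would call.
type authMapGC struct {
	mu                  sync.Mutex
	discardedIdentities map[identity]struct{}
	discardedNodeIDs    map[uint16]struct{}
	m                   *authMap
}

func newAuthMapGC(m *authMap) *authMapGC {
	return &authMapGC{
		discardedIdentities: map[identity]struct{}{},
		discardedNodeIDs:    map[uint16]struct{}{},
		m:                   m,
	}
}

// The event handlers never touch the map, so they cannot fail and need no
// error path back to the emitter (the identity allocator or node manager).
func (gc *authMapGC) OnIdentityDeleted(id identity) {
	gc.mu.Lock()
	defer gc.mu.Unlock()
	gc.discardedIdentities[id] = struct{}{}
}

func (gc *authMapGC) OnNodeDeleted(nodeID uint16) {
	gc.mu.Lock()
	defer gc.mu.Unlock()
	gc.discardedNodeIDs[nodeID] = struct{}{}
}

// Pending reports how many identity and node deletions are still waiting
// to be applied to the map.
func (gc *authMapGC) Pending() (identities, nodes int) {
	gc.mu.Lock()
	defer gc.mu.Unlock()
	return len(gc.discardedIdentities), len(gc.discardedNodeIDs)
}

// Run applies the recorded deletions. A recorded identity or node is only
// forgotten once every matching entry was deleted successfully; anything
// whose delete failed stays recorded and is retried on the next run.
func (gc *authMapGC) Run() error {
	gc.mu.Lock()
	defer gc.mu.Unlock()

	failedIdentities := map[identity]struct{}{}
	failedNodes := map[uint16]struct{}{}
	var firstErr error
	failures := 0

	for k := range gc.m.entries {
		_, localGone := gc.discardedIdentities[k.localIdentity]
		_, remoteGone := gc.discardedIdentities[k.remoteIdentity]
		_, nodeGone := gc.discardedNodeIDs[k.remoteNodeID]
		if !localGone && !remoteGone && !nodeGone {
			continue
		}
		if err := gc.m.Delete(k); err != nil {
			failures++
			if firstErr == nil {
				firstErr = err
			}
			if localGone {
				failedIdentities[k.localIdentity] = struct{}{}
			}
			if remoteGone {
				failedIdentities[k.remoteIdentity] = struct{}{}
			}
			if nodeGone {
				failedNodes[k.remoteNodeID] = struct{}{}
			}
		}
	}
	gc.discardedIdentities = failedIdentities
	gc.discardedNodeIDs = failedNodes
	if failures > 0 {
		return fmt.Errorf("auth map gc: %d deletions failed and will be retried: %w", failures, firstErr)
	}
	return nil
}

func main() {
	m := newAuthMap()
	m.Add(authKey{1, 2, 10})
	m.Add(authKey{1, 3, 10})
	m.Add(authKey{4, 5, 20})
	gc := newAuthMapGC(m)
	gc.OnIdentityDeleted(2) // events only update GC state
	gc.OnNodeDeleted(20)
	m.failDeletes = true
	fmt.Println("first run:", gc.Run()) // fails, deletions stay pending
	m.failDeletes = false
	fmt.Println("second run:", gc.Run(), "entries left:", m.Len())
}
```

The point to take from the block is the state hand-off: the event handlers are infallible, and the only place an error can occur is inside `Run`, which owns its own retry by simply keeping the failed keys recorded. Shrinking the GC interval (the PR moves it from `15m` to `5m`) is what bounds how long a stale entry for a deleted identity or node can survive under this scheme.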