Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

helm: use local etcd client certificate when kvstoremesh is enabled #27177

Merged
merged 1 commit into from Aug 2, 2023
Merged

helm: use local etcd client certificate when kvstoremesh is enabled #27177

merged 1 commit into from Aug 2, 2023

Conversation

giorio94
Copy link
Member

@giorio94 giorio94 commented Aug 1, 2023

When kvstoremesh is enabled, local agents connect to the local clustermesh-apiserver instance, rather than the remote one. Yet, when the TLS key/certificate pair of a remote cluster is manually specified, the helm chart currently configures it both to connect to the remote clustermesh-apiserver instance (which is correct) and to the local one (which prevents the connection from being established correctly as it is signed with a different CA).

Let's fix this making sure that we always use the local TLS key/certificate pair when connecting to the local
clustermesh-apiserver instance.

Fix generation of the clustermesh config through Helm when kvstoremesh is enabled, and the TLS key/cert pair is manually specified for a given remote cluster

@giorio94
helm: use local etcd client certificate when kvstoremesh is enabled
f744a03 
When kvstoremesh is enabled, local agents connect to the local
clustermesh-apiserver instance, rather than the remote one. Yet,
when the TLS key/certificate pair of a remote cluster is manually
specified, the helm chart currently configures it both to connect
to the remote clustermesh-apiserver instance (which is correct)
and to the local one (which prevents the connection from being
established correctly as it is signed with a different CA).

Let's fix this making sure that we always use the local TLS
key/certificate pair when connecting to the local
clustermesh-apiserver instance.

Fixes: bd53860 ("kvstoremesh: add helm configuration")
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 giorio94 added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. area/clustermesh Relates to multi-cluster routing functionality in Cilium. area/helm Impacts helm charts and user deployment experience needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Aug 1, 2023
@giorio94 giorio94 requested review from a team as code owners August 1, 2023 08:41
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.14.1 Aug 1, 2023
@giorio94 giorio94 requested review from a team and YutaroHayakawa and removed request for a team August 1, 2023 08:41
@giorio94
Copy link
Member Author

giorio94 commented Aug 1, 2023

/test

This was referenced Aug 1, 2023
Closed
Closed
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Aug 2, 2023
@dylandreimerink dylandreimerink merged commit 4eb694a into cilium:main Aug 2, 2023
60 checks passed
@sayboras sayboras mentioned this pull request Aug 3, 2023
Merged
11 tasks
@sayboras sayboras added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Aug 3, 2023
@nebril nebril moved this from Needs backport from main to Backport done to v1.14 in 1.14.1 Aug 10, 2023
@nebril nebril mentioned this pull request Aug 10, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brlbil brlbil brlbil approved these changes

@YutaroHayakawa YutaroHayakawa YutaroHayakawa approved these changes

@youngnick youngnick youngnick approved these changes

Assignees
No one assigned
Labels
area/clustermesh Relates to multi-cluster routing functionality in Cilium. area/helm Impacts helm charts and user deployment experience backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
No open projects
1.14.1
Backport done to v1.14
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@giorio94 @brlbil @YutaroHayakawa @youngnick @dylandreimerink @sayboras