
[v1.15 - Author backport] envoy: enable k8s secret watch even if only CEC is enabled #31451

Merged

Conversation

mhofstetter
Member

@mhofstetter mhofstetter commented Mar 18, 2024

Manual backport of #31447

Currently, the K8s Secret watch (used by Envoy SecretSync (K8s TLS Secret -> Envoy SDS)) is only active if either Ingress Controller or Gateway API is enabled.

Hence Secrets aren't available via SDS in cases where only CiliumEnvoyConfig is enabled (--enable-envoy-config).

This commit fixes this by enabling the K8s Secret watch also in cases where only CiliumEnvoyConfig is enabled (without Ingress Controller and/or Gateway API being enabled).

Before:

```
root@kind-control-plane:/home/cilium# cilium status --verbose
...
Kubernetes APIs:        ["EndpointSliceOrEndpoint", "cilium/v2::CiliumClusterwideEnvoyConfig", "cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumEndpoint", "cilium/v2::CiliumEnvoyConfig", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "cilium/v2alpha1::CiliumCIDRGroup", "core/v1::Namespace", "core/v1::Pods", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"]
...
```

(without "core/v1::Secrets")

After:

```
root@kind-worker:/home/cilium# cilium status --verbose
...
Kubernetes APIs:        ["EndpointSliceOrEndpoint", "cilium/v2::CiliumClusterwideEnvoyConfig", "cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumEndpoint", "cilium/v2::CiliumEnvoyConfig", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "cilium/v2alpha1::CiliumCIDRGroup", "core/v1::Namespace", "core/v1::Pods", "core/v1::Secrets", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"]
...
```

(with "core/v1::Secrets")

Fixes: #26005

Currently, the K8s Secret watch (used by Envoy SecretSync (K8s TLS Secret -> Envoy SDS))
is only active if either Ingress Controller or Gateway API is enabled.

Hence Secrets aren't available via SDS in cases where only CiliumEnvoyConfig is
enabled (`--enable-envoy-config`).

This commit fixes this by enabling the K8s Secret watch also in cases where only
CiliumEnvoyConfig is enabled (without Ingress Controller and/or Gateway API
being enabled).

Fixes: cilium#26005

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
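An added example, not code from the Cilium repository or from this PR, that models the gating described in the description (the Secret watch depends on which of Ingress Controller, Gateway API and CiliumEnvoyConfig are enabled) and turns the `cilium status --verbose` check into a small parser that verifies `core/v1::Secrets` appears in the watched API list. The function names and the parsing are assumptions; the two sample status excerpts are constructed from the before/after outputs quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed excerpts of `cilium status --verbose`, shaped after the two
// outputs quoted in the PR description (before and after the fix).
const statusBefore = `KVStore:                Disabled
Kubernetes APIs:        ["EndpointSliceOrEndpoint", "cilium/v2::CiliumEnvoyConfig", "core/v1::Namespace", "core/v1::Pods", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"]
Host firewall:          Disabled`

const statusAfter = `KVStore:                Disabled
Kubernetes APIs:        ["EndpointSliceOrEndpoint", "cilium/v2::CiliumEnvoyConfig", "core/v1::Namespace", "core/v1::Pods", "core/v1::Secrets", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"]
Host firewall:          Disabled`

// secretsAPI is the entry that appears once the K8s Secret watch is active.
const secretsAPI = "core/v1::Secrets"

// secretWatchEnabledBefore models the gating as the PR describes it before
// the fix: only Ingress Controller or Gateway API turned the watch on.
func secretWatchEnabledBefore(ingress, gatewayAPI, envoyConfig bool) bool {
	return ingress || gatewayAPI
}

// secretWatchEnabledAfter models the gating after the fix: a standalone
// CiliumEnvoyConfig deployment (--enable-envoy-config) also needs Secrets
// via SDS, so it enables the watch too.
func secretWatchEnabledAfter(ingress, gatewayAPI, envoyConfig bool) bool {
	return ingress || gatewayAPI || envoyConfig
}

// parseKubernetesAPIs extracts the watched resource list from the
// "Kubernetes APIs:" line of the status output. Returns nil if absent.
func parseKubernetesAPIs(status string) []string {
	for _, line := range strings.Split(status, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "Kubernetes APIs:") {
			continue
		}
		rest := strings.TrimSpace(strings.TrimPrefix(line, "Kubernetes APIs:"))
		rest = strings.Trim(rest, "[]")
		var apis []string
		for _, item := range strings.Split(rest, ",") {
			if item = strings.Trim(strings.TrimSpace(item), `"`); item != "" {
				apis = append(apis, item)
			}
		}
		return apis
	}
	return nil
}

// secretsWatched reports whether the Secret watch shows up in the list.
func secretsWatched(apis []string) bool {
	for _, a := range apis {
		if a == secretsAPI {
			return true
		}
	}
	return false
}

// checkSecretSync compares the configured feature flags against the live
// status: if the (fixed) gating says the watch should be on but the agent
// is not watching Secrets, SDS cannot serve TLS secrets and we report it.
func checkSecretSync(status string, ingress, gatewayAPI, envoyConfig bool) error {
	expected := secretWatchEnabledAfter(ingress, gatewayAPI, envoyConfig)
	actual := secretsWatched(parseKubernetesAPIs(status))
	if expected && !actual {
		return fmt.Errorf("%s missing from watched APIs: Envoy SDS will not receive TLS secrets", secretsAPI)
	}
	if !expected && actual {
		return fmt.Errorf("%s watched although no Envoy feature needs it", secretsAPI)
	}
	return nil
}

func main() {
	// Only CiliumEnvoyConfig enabled, as in the reported issue.
	for name, st := range map[string]string{"before": statusBefore, "after": statusAfter} {
		if err := checkSecretSync(st, false, false, true); err != nil {
			fmt.Printf("%s: FAIL: %v\n", name, err)
		} else {
			fmt.Printf("%s: OK, %s is watched\n", name, secretsAPI)
		}
	}
}
```

Running it prints a failure for the "before" excerpt and OK for the "after" one with only `--enable-envoy-config` set; the same check with all three flags false passes on the "before" excerpt, since no Envoy feature needs Secrets there.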
@mhofstetter mhofstetter added kind/bug This is a bug in the Cilium logic. area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. release-note/bug This PR fixes an issue in a previous release of Cilium. backport/1.15 This PR represents a backport for Cilium 1.15.x of a PR that was merged to main. labels Mar 18, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added the kind/backports This PR provides functionality previously merged into master. label Mar 18, 2024
@mhofstetter mhofstetter marked this pull request as ready for review March 18, 2024 12:46
@mhofstetter mhofstetter requested a review from a team as a code owner March 18, 2024 12:46
@mhofstetter
Member Author

/test-backport-1.15

@mhofstetter mhofstetter changed the title [v1.15] envoy: enable k8s secret watch even if only CEC is enabled [v1.15 - Author backport] envoy: enable k8s secret watch even if only CEC is enabled Mar 18, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 18, 2024
@jrajahalme jrajahalme merged commit 6fbadc0 into cilium:v1.15 Mar 18, 2024
60 checks passed
@mhofstetter mhofstetter deleted the pr/mhofstetter/cec-secret-sync-v1.15 branch March 18, 2024 19:05