New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Encryption docs update #14940
Encryption docs update #14940
Conversation
--set ipam.mode=eni \\ | ||
--set tunnel=disabled \\ | ||
--set encryption.enabled=true \\ | ||
--set encryption.nodeEncryption=false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll defer to @jrfastab here but from what I understand, the user must also specify --ipv4-pod-subnets
to cover all subnets that AWS may allocate IPs from within the cluster. Note this is not currently exposed in the helm charts, so users would need to either use extraArgs
or we'd need to introduce dedicated helm options for this setting.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Few suggestions on minor nitpicks, looks good to me besides Joe's concerns.
448b02e
to
1dda614
Compare
I'll resurrect this PR to submit this to 1.10. Marking it as a release-blocker, see the note - https://github.com/isovalent/roadmap/issues/64#issuecomment-831341265. |
6688875
to
10f25df
Compare
@jrfastab @joestringer I rebased and cleaned up the guide based on the recent encryption fixes/regressions. PTAL. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks fine to me, just a couple of nits.
I'd still like for there to be a proper way to enforce encryption and validate that it's working correctly without executing into the cilium pods and installing software since that's generally not a recommended production workflow, but in the absence of such features and for a getting started guide I think this is probably OK.
- Adds more troubleshooting steps. - Add steps for IPAM EMI mode. - Match installation and validation steps. (Fixes: b6ec84c) Signed-off-by: Aditi Ghag <aditi@cilium.io>
10f25df
to
05b0208
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
This is a follow-up to #14924.
Fixes: b6ec84c