bgpv1: Add BGP peer password #23759
First of all, thank you very much for this contribution.
While this is a sorely needed feature, I think this implementation is not secure enough. Having the password in plain text in the policy seems irresponsible. I would suggest updating this PR so the peering policy holds the name+key of a secret. Then retrieve this secret from the API server when adding the neighbor.
We already have facilities for getting secrets from the API server which are used in other locations in the code base:
func (m *Manager) GetSecrets(ctx context.Context, secret *api.Secret, ns string) (string, map[string][]byte, error) {
@dgl this one's been sitting for a while, are you still interested in working on it?
Yes, I'm looking at adding secret fetch support, should have something soon.
Commit 57971eba4a762260f5ea34678146f30e44c4c4c9 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
I've pushed an update with the ability to read secrets. There's currently no integration test for BGP, so I'm not sure how best to test this in an automated way, any feedback welcome. It also needs some docs.
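As an added illustration of the approach proposed in this comment (the policy carries a reference to a Secret, and the password is looked up when the neighbor is added), here is a small Go sketch. It is not code from this PR or from Cilium: the SecretRef/AuthSecretRef field names, the SecretGetter interface, the error values and the in-memory secret store are all assumptions made for the example; only the map[string][]byte shape of the lookup result follows the GetSecrets signature quoted above.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// SecretRef points at a Kubernetes Secret and the key inside it that holds
// the BGP password. The field names are assumptions for this example,
// loosely modelled on an 'authSecretRef'-style field in a peering policy.
type SecretRef struct {
	Namespace string
	Name      string
	Key       string
}

// Neighbor is a peer entry as it would sit in the policy object. It carries
// only the reference, never the password itself, so the policy can be
// listed, logged and stored without exposing the credential.
type Neighbor struct {
	PeerAddress   string
	AuthSecretRef *SecretRef // nil means "no password configured for this peer"
}

// SecretGetter is the minimal lookup the resolver needs. The map[string][]byte
// result mirrors the shape returned by the GetSecrets helper quoted above;
// the real API-server client is out of scope for this example.
type SecretGetter interface {
	GetSecret(ctx context.Context, namespace, name string) (map[string][]byte, error)
}

var (
	ErrSecretNotFound = errors.New("bgp auth secret not found")
	ErrKeyNotFound    = errors.New("bgp auth key not present in secret")
	ErrEmptyPassword  = errors.New("bgp auth key is empty")
)

// ResolvePassword turns a neighbor's secret reference into the password to
// hand to the BGP speaker. A missing secret, a missing key and an empty value
// are distinct errors so an operator can tell misconfiguration apart from a
// deliberately unauthenticated peer (nil AuthSecretRef: empty password, nil error).
func ResolvePassword(ctx context.Context, g SecretGetter, n Neighbor) (string, error) {
	if n.AuthSecretRef == nil {
		return "", nil
	}
	ref := n.AuthSecretRef
	data, err := g.GetSecret(ctx, ref.Namespace, ref.Name)
	if err != nil {
		return "", fmt.Errorf("peer %s: secret %s/%s: %w", n.PeerAddress, ref.Namespace, ref.Name, err)
	}
	v, ok := data[ref.Key]
	if !ok {
		return "", fmt.Errorf("peer %s: secret %s/%s key %q: %w", n.PeerAddress, ref.Namespace, ref.Name, ref.Key, ErrKeyNotFound)
	}
	if len(v) == 0 {
		return "", fmt.Errorf("peer %s: secret %s/%s key %q: %w", n.PeerAddress, ref.Namespace, ref.Name, ref.Key, ErrEmptyPassword)
	}
	return string(v), nil
}

// memorySecrets is a constructed stand-in for the API server so the example
// runs offline; entries are keyed by "namespace/name".
type memorySecrets map[string]map[string][]byte

func (m memorySecrets) GetSecret(_ context.Context, namespace, name string) (map[string][]byte, error) {
	data, ok := m[namespace+"/"+name]
	if !ok {
		return nil, ErrSecretNotFound
	}
	return data, nil
}

// SampleSecrets returns the constructed secret store used below.
func SampleSecrets() memorySecrets {
	return memorySecrets{
		"kube-system/bgp-peer-auth": {"password": []byte("example-password")},
		"kube-system/bgp-empty":     {"password": []byte("")},
	}
}

func main() {
	ctx := context.Background()
	store := SampleSecrets()
	peers := []Neighbor{
		{PeerAddress: "192.0.2.1", AuthSecretRef: &SecretRef{Namespace: "kube-system", Name: "bgp-peer-auth", Key: "password"}},
		{PeerAddress: "192.0.2.2"},
		{PeerAddress: "192.0.2.3", AuthSecretRef: &SecretRef{Namespace: "kube-system", Name: "missing", Key: "password"}},
	}
	for _, p := range peers {
		pw, err := ResolvePassword(ctx, store, p)
		// Report whether a password was resolved, never the password itself.
		fmt.Printf("peer=%s auth=%t err=%v\n", p.PeerAddress, pw != "", err)
	}
}
```

The design point is that the resolved password lives only in the speaker's neighbor configuration at add time; everything persisted or printed (the policy object, log lines) holds just the namespace, name and key of the Secret, which is what RBAC on Secrets is meant to protect.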
K8s changes make sense to me, but I'm a bit unfamiliar with the BGP feature. @dylandreimerink any thoughts on the CRD schema changes?
@dgl thank you for working on this feature. When you have a moment, PTAL at my review comments.
Now LGTM 👍 Thanks for your contribution!
3aeb41c to 797ac15
/test
/test
/test
LGTM 👍 Thanks!
This needs another rebase to deal with CI failure: #28462 😞
Add 'authSecretRef' to the BGP peering policies CRD which specifies a secret which contains a password. This also adds support for creating the namespace for BGP secrets to the Helm chart. Signed-off-by: David Leadbeater <dgl@dgl.cx>
/test
The IPSec upgrading test is failing consistently at the main branch, and the fix is going on with #28088. https://github.com/cilium/cilium/actions/workflows/tests-ipsec-upgrade.yaml I don't see the scenario that this PR affects IPSec, and at least for some cases, it is succeeding, so it's safe to ignore the failure for the 5.10 case. Reviews are in and the rest of the CIs are passing. Making this ready to merge.
Add 'authSecret' to the BGP peering policies CRD.
This makes it possible to provide passwords for BGP peers through a Secret and CiliumBGPPeeringPolicy.