auth: Switch to observing identity changes #26375

Merged

Commits on Jun 27, 2023

  1. auth: Switch to observing identity changes

    Observe the identity changes via the CachingIdentityAllocator
    instead of using CiliumIdentity CRD directly. This both fixes
    the issue of having two informers (and thus double the bandwidth)
    and allows auth to work with the kvstore identity allocation
    backend.
    
    Co-authored-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    
    Signed-off-by: Jussi Maki <jussi@isovalent.com>
    joamaki authored and sayboras committed Jun 27, 2023
    e30b654
  2. helm: rename authentication.expiredGCInterval to gcInterval

    This commit renames the helm value `authentication.expiredGCInterval` to
    `authentication.gcInterval` as it will be used for multiple types of
    auth-related GCs.
    
    Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    mhofstetter authored and sayboras committed Jun 27, 2023
    8e10ea8
  3. auth: auth map gc interval 5m

    Latest changes reflect deleted identities and nodes only in the internal state of the
    garbage collector without deleting the related entries immediately.
    
    Therefore, this commit changes the auth map gc interval from `15m` to
    `5m` which reflects the changes faster in the map itself.
    
    Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    mhofstetter authored and sayboras committed Jun 27, 2023
    6378638
  4. auth: delete identity related auth map entries in gc job

    Currently, auth map entries related to a deleted cilium identity are
    immediately deleted when the event has been received. The actual
    deletion might result in errors, which no longer can be reported back to
    the IdentityAllocator which emits the events.
    
    To prevent events from resulting in errors, the events should no
    longer delete auth map entries.
    
    Therefore, this commit refactors the code so that the deletion information is stored
    within the garbage collector, and the actual garbage collection run uses
    this information to clean up the map.
    
    Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    mhofstetter authored and sayboras committed Jun 27, 2023
    d7f2381
  5. auth: reordered garbage collector

    This commit reorders the functions within the garbage collector
    
    Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    mhofstetter authored and sayboras committed Jun 27, 2023
    9351927
  6. auth: delete nodes related auth map entries in gc job

    Currently, auth map entries related to a deleted node are
    immediately deleted when the event has been received.
    
    To prevent events from resulting in errors, the events should no
    longer delete auth map entries.
    
    Therefore, this commit refactors the code so that the deletion information is stored
    within the garbage collector, and the actual garbage collection run uses
    this information to clean up the map.
    
    Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    mhofstetter authored and sayboras committed Jun 27, 2023
    7917814
  7. auth: combine auth map gcs

    This commit combines the different timer-based auth map gc jobs into a
    single job.
    
    Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    mhofstetter authored and sayboras committed Jun 27, 2023
    22bb8c9
  8. auth: fix cleanup expired auth entries log message

    Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    mhofstetter authored and sayboras committed Jun 27, 2023
    3bc6788
  9. auth: dedicated auth map gc test case per type

    This commit separates the existing auth map gc tests into multiple tests
    per "type"
    
    * identities
    * nodes
    * policies
    * expiration
    
    Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    mhofstetter authored and sayboras committed Jun 27, 2023
    483d37a
  10. auth: cleanup auth module

    This commit cleans up the auth module.
    
    * improve comments
    * renamed newAuthManager -> registerAuthManager
    * grouped params in authManagerParams
    * rename gc job names
    * split registration into instantiation & job/lifecycle registration
      sections
    
    Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    mhofstetter authored and sayboras committed Jun 27, 2023
    734794b
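
The deferred-deletion pattern described in commits 4 and 6, as an added sketch that is not Cilium's code: the event handler only records the deleted identity, and the timed GC run performs the map deletes and keeps the identity pending if one fails. The names `gc`, `authKey`, `pending`, `entries` and `del` are hypothetical, and the identity numbers are constructed.

```go
package main

import (
	"fmt"
	"sync"
)

// authKey is a simplified, hypothetical auth map key.
type authKey struct{ local, remote uint32 }

// gc records deletions from events and applies them only in its timed run.
type gc struct {
	mu      sync.Mutex
	pending map[uint32]bool       // deleted identities not yet cleaned up
	entries map[authKey]bool      // hypothetical stand-in for the auth map
	del     func(k authKey) error // map delete call; may fail
}

// onIdentityDeleted only updates state, so it has no failure to report.
func (g *gc) onIdentityDeleted(id uint32) {
	g.mu.Lock()
	defer g.mu.Unlock()
	g.pending[id] = true
}

// run is the timed pass; an identity stays pending until its entries are gone.
func (g *gc) run() error {
	g.mu.Lock()
	defer g.mu.Unlock()
	for id := range g.pending {
		for k := range g.entries {
			if k.local == id || k.remote == id {
				if err := g.del(k); err != nil {
					return fmt.Errorf("identity %d: %w", id, err) // retried next run
				}
			}
		}
		delete(g.pending, id)
	}
	return nil
}

func main() {
	g := &gc{pending: map[uint32]bool{}, entries: map[authKey]bool{{100, 200}: true}}
	g.del = func(k authKey) error { delete(g.entries, k); return nil }
	g.onIdentityDeleted(200) // constructed identity numbers
	fmt.Println(g.run(), len(g.entries))
}
```

With this design an entry for a deleted identity remains in the map until the next successful run, which is why the GC interval bounds how long it stays there.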