bgpv1: Use kube-system namespace by default for MD5 secret #29478
Conversation
In terms of Helm structure, the change looks good to me. I'll defer the discussion of what namespace to use to others; it seems we're not consistent across different components (BGP vs Hubble/ClusterMesh vs Ingress/GatewayAPI).
/test
Force-pushed 2d65875 to 19b2a1f
Rebased on top of main to pull in a2694fc
LGTM
Hmm, Quay looks under the weather... Let me retry.
Currently, BGP Control Plane uses the cilium-bgp-secrets namespace by default to fetch the MD5 password for authentication. Also, if not specified, it creates a new namespace by default.

However, the rest of the Cilium-related secrets, such as cilium-ca, Hubble certificates, or ClusterMesh certificates, are in the kube-system namespace. So, having a new namespace is inconsistent with the rest of the system, and also inconvenient since users need to manage one more namespace.

This commit addresses the issue by changing the default value of `bgpControlPlane.secretNamespace.name` to `kube-system` and `bgpControlPlane.secretNamespace.create` to `false`. Users can always change the namespace if they wish to have isolation.

Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
Force-pushed 19b2a1f to 6b69064
Forgot to update cmdref 🤦 Force pushed.
/test
LGTM, nice work.
For everyone's info: the cilium-secrets namespace is a bit of a different use case, in that it's a place where Secrets relevant to Ingress or Gateway API get synced to, which means that the Agent doesn't need whole-cluster Secret read access (which is way bigger than what it needs).
So, that namespace, although named generically, really needs to only be used for automatically-synced Secrets (which is only used in Ingress and Gateway API at the moment).
ci-clustermesh: #28622
Currently, BGP Control Plane uses the cilium-bgp-secrets namespace by default to fetch the MD5 password for authentication. Also, if not specified, it creates a new namespace by default.

However, the rest of the Cilium-related secrets, such as cilium-ca, Hubble certificates, or ClusterMesh certificates, are in the kube-system namespace. So, having a new namespace is inconsistent with the rest of the system, and also inconvenient since users need to manage one more namespace.

This commit addresses the issue by changing the default value of `bgpControlPlane.secretNamespace.name` to `kube-system` and `bgpControlPlane.secretNamespace.create` to `false`. Users can always change the namespace if they wish to have isolation.

I put `release-note/minor` because this BGP MD5 feature is only released in `v1.15-pre` releases.