New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
draft: support passing Secret source over MCP #40509
Conversation
😊 Welcome @doujiang24! This is either your first contribution to the Istio istio repo, or it's been You can learn more about the Istio working groups, code of conduct, and contributing guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
Hi @doujiang24. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Hi team, gentle ping. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will it influence configcontroller with mcp
@@ -1416,6 +1433,22 @@ func (ps *PushContext) initServiceRegistry(env *Environment) error { | |||
return nil | |||
} | |||
|
|||
// pre computes secrets per namespace | |||
func (ps *PushContext) initSecrets(env *Environment) error { | |||
secretConfigs, err := env.List(gvk.Secret, NamespaceAll) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Won't this get all secrets from all components? Including k8s?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think, no. It get configs from model.ConfigStore
. but, seems the secrets from k8s, is on another path, credentials.Controller
, which is not a kind of model.ConfigStore
.
…the kubeclient is not nil.
@hzxuzhonghu Thanks.
In the current implementation, we don't use secrets from k8s and MCP together, only use one. |
If we intend to use secret over MCP to provide gateway certs, it is a little bit complex. Even worse in multi cluster, we have to respect both secret namespace and cluster attribute. From the original issue, I guess you want to use it to provide gateway cert. So it is just a first step for transport, not for usage |
Thanks. All addressed. I have two questions, looking forward to your help, thanks.
background: we are migrating a large & old north-south ingress, from Nginx to Istio + Envoy. And the old control plane is not in the k8s system. So, we hope the new Istio way does not rely on k8s, at least for the first step.
As said in this TODO comment, so that we may register customer secret authorize method in the feature. We just passing a |
Yeah, we want to pass secrets through MCP, so that the data plane could get the gateway cert from istio, and the related name of the gateway cert is defined in For the usage: |
@doujiang24: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I am concerned with this - we need a VERY strong security review/discussion first, messing with secrets is dangerous. Also: Istiod already has a mechanism to distribute secrets using SDS ( which is a first class XDS object ), with a relatively reasonable security model we discussed at length. I don't know if k8s Secret and envoy Secret are a good match - I don't |
On a related note - we currently use the special generator for MCP, originally it was intended to keep things clean and it was an experiment, but I think it is very reasonable to allow 'MCP' generators to be used with the default (envoy) and envoy resources to be returned on the MCP generator. Only 'special' generator is proxyless - mainly because it requires a different format for LDS/RDS, but it also reuses EDS/CDS. |
Thanks for your reply. Sorry, I think I made a mistake in the title, "passing" should be "accepting". For istiod, we still deliver secret resources over SDS, just like it does now. One thing that changed is istiod also accepts k8s secret from MCP server, Backgroud: we want to get rid of k8s server, in our north-south gateway. Yeah, I totally agree with you about security. Need your help, thanks. |
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2022-10-01. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager. |
It's a draft for #40325 , and using k8s
core.v1.Secret
according to @howardjohn 's suggestion.TODO:
@howardjohn @hzxuzhonghu Could you please take a look? Just want to make sure it's in the right direction.
Any feedbacks are welcome, thanks!