doc: Fix clustermesh documentation to set the correct identityMode

[soumynathan]

This PR fixes the documentation issues and as well adds in the option
through helm when 'etcd' is enabled.

Fixes: #12125
Signed-off-by: Swaminathan Vasudevan svasudevan@suse.com

[maintainer-s-little-helper]

Please set the appropriate release note label.

[coveralls]

Coverage increased (+0.001%) to 37.146% when pulling b1f48738e438c7378ba68ff1e5d8e122b0ef6468 on soumynathan:fix-clustermesh-guide into 93d32dd on cilium:master.

[joestringer]

Thanks for picking this up. I have a couple of minor comments below.

[christarazi]

Just one minor comment, otherwise everything looks good. I'll let others review the Helm change.

[joestringer]

Unless we shift around how this is configured, I'm not sure there's a better way. Currently it's by default set to crd via the global config map, so we can't detect that it's not configured then apply only in that case.

I'm fine with forcing kvstore mode in this way even though it overrides the user-specified configuration, because I don't see a reason why users would want to use the kvstore but manage identities via CRDs. 👍

[aanm]

because I don't see a reason why users would want to use the kvstore but manage identities via CRDs.

@joestringer cilium-etcd-operator won't have a security identity because of the chicken-egg problem.

[soumynathan]

because I don't see a reason why users would want to use the kvstore but manage identities via CRDs.

@joestringer cilium-etcd-operator won't have a security identity because of the chicken-egg problem.
So @joestringer what do you think, can we leave it this way or do we want to change this.

[joestringer]

@aanm isn't that what fixed identities are for?

[aanm]

@joestringer it's not 100% reliable, I mean it would be less reliable than CRD based identity.

[aanm]

because I don't see a reason why users would want to use the kvstore but manage identities via CRDs.

@joestringer cilium-etcd-operator won't have a security identity because of the chicken-egg problem.

[soumynathan]

@joestringer and @aanm Is there anything else left in this PR that need to be addressed.

[joestringer]

@joestringer and @aanm Is there anything else left in this PR that need to be addressed.

During my testing, I found that if identities are not managed by the kvstore, clustermesh would not be able to enforce security policies correctly. The docs changes reflect the changes necessary there so that side is good.

The ConfigMap changes side I'm less sure about. @aanm sounds like you think that we should defer this to the user and not override their setting here if they configure --set global.etcd.enabled. Ie outside of clustermesh scenarios, it would be fine to just default to managing the identities via CRD instead. Is that right? In that case, we should drop the helm changes.

[joestringer]

I spoke with @aanm last week before he went on PTO and he said that as long as this behaviour is expected (clustermesh security policies require --identity-allocation-mode=kvstore), he's fine with the PR. @tgraf confirmed this on Slack (at least until we document how to use http://github.com/cilium/clustermesh-apiserver which changes the story).