Skip to content

Update Network Policy Secret management to use SDS#35513

Merged
youngnick merged 8 commits intocilium:mainfrom
youngnick:networkpolicy-secretsync
Nov 7, 2024
Merged

Update Network Policy Secret management to use SDS#35513
youngnick merged 8 commits intocilium:mainfrom
youngnick:networkpolicy-secretsync

Conversation

@youngnick
Copy link
Copy Markdown
Contributor

@youngnick youngnick commented Oct 23, 2024
edited
Loading

This PR migrates Network Policy Secret handling to use SDS instead of inlining the secrets inside NPDS.

This has a few advantages:

  • Changes to policy Secrets will no longer require a policy recalculation to take effect
  • We can use the existing secret syncing functionality to reduce the scope of access that the Agent requires to Secrets (so that it no longer requires access to all Secrets in the cluster for secret use in NetworkPolicy to work)
  • Reducing the size of NPDS updates (by not inlining) should hopefully speed up sending this config, and help with memory use at large scale.

Some background on using secrets in NetworkPolicy:

There are two ways you can use a Secret in NetworkPolicy, for TLS interception (both termination and origination), and for storing the value of a header that you want to match or add.

TLS Interception seems to be more common, but both are currently implemented.

One additional piece of functionality that this PR preserves is the ability to read "Secrets" specified in CiliumNetworkPolicy via files on the filesystem of the Agent. This functionality was built when Cilium was more focused on non-Kubernetes use cases, and should probably be deprecated and then removed at a later date. Removing this will substantially simplify the code.

This PR also includes all the requisite Helm changes to track secret syncing (similarly to Ingress, Gateway API, and BGP config), and updates the connectivity tests in cilium-cli to use all the new values and functionality correctly.

It also updates the existing TLS Interception docs for the changes, and makes them so that they work (the example app artii.herokuapp.com is down, this replaces that with httpbin.org.)

Fixes: #24020

Cilium now sends TLS Interception and Header manipulation secrets referenced in CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy by reference using SDS, using the same secret synchronization method used for Ingress, Gateway API, and BGP control plane secrets.

For reviewers, reviewing by commits will definitely be easier for this one.

Sorry about the size, this turned out to be a much bigger change than anticipated.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 23, 2024
@github-actions github-actions bot added sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. cilium-cli This PR contains changes related with cilium-cli labels Oct 23, 2024
@youngnick youngnick changed the title Update Network Policy Secret managemnt to use SDS Update Network Policy Secret management to use SDS Oct 24, 2024
@youngnick youngnick force-pushed the networkpolicy-secretsync branch 2 times, most recently from a1856db to 2b62f3e Compare October 28, 2024 05:56
@youngnick youngnick added release-note/major This PR introduces major new functionality to Cilium. and removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Oct 28, 2024
@youngnick youngnick force-pushed the networkpolicy-secretsync branch 3 times, most recently from 094e4bb to 4851458 Compare October 28, 2024 06:45
@youngnick
Copy link
Copy Markdown
Contributor Author

youngnick commented Oct 28, 2024

/test

1 similar comment
@youngnick
Copy link
Copy Markdown
Contributor Author

youngnick commented Oct 28, 2024

/test

@youngnick youngnick force-pushed the networkpolicy-secretsync branch 3 times, most recently from 149c1ed to 1b28fcf Compare October 29, 2024 07:26
@youngnick youngnick marked this pull request as ready for review October 29, 2024 07:28
@youngnick youngnick requested review from a team as code owners October 29, 2024 07:28
@youngnick
Copy link
Copy Markdown
Contributor Author

youngnick commented Nov 5, 2024

/test

jrajahalme
jrajahalme approved these changes Nov 5, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@jrajahalme jrajahalme left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great improvement, thanks!

sayboras
sayboras approved these changes Nov 6, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@sayboras sayboras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Niceeee

@sayboras sayboras removed the request for review from mhofstetter November 6, 2024 01:37
@youngnick youngnick enabled auto-merge November 6, 2024 01:47
learnitall
learnitall approved these changes Nov 6, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@learnitall learnitall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 thanks!

@youngnick youngnick requested review from a team and derailed and removed request for a team and squeed November 6, 2024 23:19
derailed
derailed approved these changes Nov 7, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@derailed derailed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@youngnick Nice work!

@youngnick youngnick added this pull request to the merge queue Nov 7, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 7, 2024
Merged via the queue into cilium:main with commit 327df8e Nov 7, 2024
@youngnick youngnick deleted the networkpolicy-secretsync branch November 7, 2024 14:48
sayboras added a commit that referenced this pull request Nov 19, 2024
@sayboras
gha: Add coverage for policy secret sync
b63a66d 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras sayboras mentioned this pull request Nov 19, 2024
Merged
sayboras added a commit that referenced this pull request Nov 19, 2024
@sayboras
gha: Add coverage for policy secret sync
95ae53e 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 19, 2024
@sayboras
gha: Add coverage for policy secret sync
2b12438 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 19, 2024
@sayboras
gha: Add coverage for policy secret sync
654f59b 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 19, 2024
@sayboras
gha: Add coverage for policy secret sync
4946ef2 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 25, 2024
@sayboras
gha: Add coverage for policy secret sync
85b64e1 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 25, 2024
@sayboras
gha: Add coverage for policy secret sync
6946282 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras sayboras mentioned this pull request Jan 16, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@squeed squeed squeed left review comments

@mhofstetter mhofstetter mhofstetter left review comments

@derailed derailed derailed approved these changes

@chancez chancez chancez approved these changes

@nebril nebril nebril approved these changes

@jrajahalme jrajahalme jrajahalme approved these changes

@sayboras sayboras sayboras approved these changes

+1 more reviewer

@learnitall learnitall learnitall approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cilium-cli This PR contains changes related with cilium-cli ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/major This PR introduces major new functionality to Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Sync TLS interception secrets to Envoy via SDS

10 participants

@youngnick @marseel @derailed @squeed @chancez @nebril @jrajahalme @mhofstetter @sayboras @learnitall