Update TLS Interception Helm values#37076
Merged
youngnick merged 2 commits intocilium:mainfrom Jan 23, 2025
Merged
Conversation
6d88a2d to
0e66f25
Compare
Contributor
Author
|
/test |
0e66f25 to
ed99b19
Compare
ed99b19 to
96c9f3f
Compare
b3da573 to
a150dda
Compare
Contributor
Author
|
Found some issues, looking at them, will have this ready for review tomorrow EU time. |
a150dda to
f351ca0
Compare
f351ca0 to
e0bcaa6
Compare
Contributor
Author
|
Okay, issue found, and fixed. |
e0bcaa6 to
1a0b150
Compare
This commit updates TLS Interception Helm values to both be more understandable and allow greater flexibility in rollout. * `tls.secretsBackend: k8s|local` is DEPRECATED and will be removed in a future version. * `tls.readSecretsOnlyFromSecretsNamespace` is the replacement for the _actual_ effect of `tls.secretsBackend`, named to make the tradeoffs clearer. * `tls.secretSync.secretsNamespace` is moved up one level, as it now applies in more cases than the secret-sync and SDS one There are some code changes in the Policy secret handling to ensure that we support three scenarios for where TLS Policy Secrets are located: * Secrets placed in the `cilium-secrets` namespace, and read from there by the Cilium Agent, then sent to Envoy inline in Network Policy Discovery Service. This case came from user reports about how TLS Interception was being used in the real world - it used to be possible by turning on other config that created the `cilium-secrets` namespace, but now works by default. * Secrets located anywhere in the cluster, and read directly by the Cilium agent - this requires the `tls.readSecretsOnlyFromSecretsNamespace` setting to be `false`, or `tls.secretsBackend: k8s` to be set. * Secrets located anywhere in the cluster, synchronized by the Cilium Operator into the `cilium-secrets` namespace, then read from there by the Cilium Agent and sent to Envoy via SDS. This is a new feature added since Cilium 1.16. Signed-off-by: Nick Young <nick@isovalent.com>
This commit updates the TLS Interception docs to match the new install process, including more explanation of how the Helm configuration works. Signed-off-by: Nick Young <nick@isovalent.com>
1a0b150 to
66f1f0f
Compare
Contributor
Author
|
/test |
Member
|
It looks like the Hubble team is called out for review because of changes on |
squeed
approved these changes
Jan 23, 2025
ghost
approved these changes
Jan 23, 2025
ghost
left a comment
There was a problem hiding this comment.
Docs good.
The Helm changes should be documented in the upgrade notes, but main has 1.18 upgrade notes already, so this would fall in the backport.
rolinh
approved these changes
Jan 23, 2025
Member
rolinh
left a comment
There was a problem hiding this comment.
As the Hubble team doesn't need to review changes in this PR (see #37204) and the Envoy team is already a reviewer, I'm blindly approving the PR to unblock it (I can't remove the review request for sig-hubble until the aforementioned PR is merged and this one rebased).
sayboras
approved these changes
Jan 23, 2025
Member
sayboras
left a comment
There was a problem hiding this comment.
Detailed context and explanation 👍
3 tasks
marseel
added a commit
that referenced
this pull request
Mar 4, 2025
Since #37076 was merged we have a new mode of synchronizing TLS secrets to Envoy. Previously we used NPDS, while new way uses SDS. However, by setting secretsBackend=k8s we were forcing old behaviour. Let's start testing SDS as it's a new default. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Mar 6, 2025
Since #37076 was merged we have a new mode of synchronizing TLS secrets to Envoy. Previously we used NPDS, while new way uses SDS. However, by setting secretsBackend=k8s we were forcing old behaviour. Let's start testing SDS as it's a new default. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
mereta
pushed a commit
to mereta/cilium
that referenced
this pull request
Mar 6, 2025
Since cilium#37076 was merged we have a new mode of synchronizing TLS secrets to Envoy. Previously we used NPDS, while new way uses SDS. However, by setting secretsBackend=k8s we were forcing old behaviour. Let's start testing SDS as it's a new default. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
romanspb80
pushed a commit
to romanspb80/cilium
that referenced
this pull request
Mar 7, 2025
Since cilium#37076 was merged we have a new mode of synchronizing TLS secrets to Envoy. Previously we used NPDS, while new way uses SDS. However, by setting secretsBackend=k8s we were forcing old behaviour. Let's start testing SDS as it's a new default. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This commit updates TLS Interception Helm values to both be more understandable and allow greater
flexibility in rollout.
tls.secretsBackend: k8s|localis DEPRECATED and will be removed in a future version.tls.readSecretsOnlyFromSecretsNamespaceis the replacement for the actual effect oftls.secretsBackend, named to make the tradeoffs clearer. This setting controls whether the agent will read only from the configured Secrets namespace, or from any namespace in the cluster.tls.secretSync.secretsNamespaceis moved up one level, as it now applies in more cases than the secret-sync and SDS oneThere are some code changes in the Policy secret handling to ensure that we support three scenarios for where TLS Policy Secrets are located:
cilium-secretsnamespace, and read from there by the Cilium Agent, then sent to Envoy inline in Network Policy Discovery Service. This case came from user reports about how TLS Interception was being used in the real world - it used to be possible by turning on other config that created thecilium-secretsnamespace, but now works by default.tls.readSecretsOnlyFromSecretsNamespacesetting to befalse, ortls.secretsBackend: k8sto be set.cilium-secretsnamespace, then read from there by the Cilium Agent and sent to Envoy via SDS. This is a new feature added since Cilium 1.16.It also adds code to handle only enabling secret sync on new clusters. Testing done manually with
helm template: