Skip to content

Update Network Policy Secret management to use SDS #35513

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Nov 7, 2024
Merged

Update Network Policy Secret management to use SDS #35513

merged 8 commits into from
Nov 7, 2024

Conversation

youngnick
Copy link
Contributor

@youngnick youngnick commented Oct 23, 2024
edited
Loading

This PR migrates Network Policy Secret handling to use SDS instead of inlining the secrets inside NPDS.

This has a few advantages:

  • Changes to policy Secrets will no longer require a policy recalculation to take effect
  • We can use the existing secret syncing functionality to reduce the scope of access that the Agent requires to Secrets (so that it no longer requires access to all Secrets in the cluster for secret use in NetworkPolicy to work)
  • Reducing the size of NPDS updates (by not inlining) should hopefully speed up sending this config, and help with memory use at large scale.

Some background on using secrets in NetworkPolicy:

There are two ways you can use a Secret in NetworkPolicy, for TLS interception (both termination and origination), and for storing the value of a header that you want to match or add.

TLS Interception seems to be more common, but both are currently implemented.

One additional piece of functionality that this PR preserves is the ability to read "Secrets" specified in CiliumNetworkPolicy via files on the filesystem of the Agent. This functionality was built when Cilium was more focused on non-Kubernetes use cases, and should probably be deprecated and then removed at a later date. Removing this will substantially simplify the code.

This PR also includes all the requisite Helm changes to track secret syncing (similarly to Ingress, Gateway API, and BGP config), and updates the connectivity tests in cilium-cli to use all the new values and functionality correctly.

It also updates the existing TLS Interception docs for the changes, and makes them so that they work (the example app artii.herokuapp.com is down, this replaces that with httpbin.org.)

Fixes: #24020

Cilium now sends TLS Interception and Header manipulation secrets referenced in CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy by reference using SDS, using the same secret synchronization method used for Ingress, Gateway API, and BGP control plane secrets.

For reviewers, reviewing by commits will definitely be easier for this one.

Sorry about the size, this turned out to be a much bigger change than anticipated.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 23, 2024
@github-actions github-actions bot added sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. cilium-cli This PR contains changes related with cilium-cli labels Oct 23, 2024
@youngnick youngnick changed the title Update Network Policy Secret managemnt to use SDS Update Network Policy Secret management to use SDS Oct 24, 2024
@youngnick youngnick force-pushed the networkpolicy-secretsync branch 2 times, most recently from a1856db to 2b62f3e Compare October 28, 2024 05:56
@youngnick youngnick added release-note/major This PR introduces major new functionality to Cilium. and removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Oct 28, 2024
@youngnick youngnick force-pushed the networkpolicy-secretsync branch 3 times, most recently from 094e4bb to 4851458 Compare October 28, 2024 06:45
@youngnick
Copy link
Contributor Author

/test

1 similar comment
@youngnick
Copy link
Contributor Author

/test

@youngnick youngnick force-pushed the networkpolicy-secretsync branch 3 times, most recently from 149c1ed to 1b28fcf Compare October 29, 2024 07:26
@youngnick youngnick marked this pull request as ready for review October 29, 2024 07:28
@youngnick youngnick requested review from a team as code owners October 29, 2024 07:28
learnitall
learnitall approved these changes Nov 6, 2024
View reviewed changes
Copy link
Contributor

@learnitall learnitall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 thanks!

@youngnick youngnick requested review from a team and derailed and removed request for squeed and a team November 6, 2024 23:19
derailed
derailed approved these changes Nov 7, 2024
View reviewed changes
Copy link
Contributor

@derailed derailed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@youngnick Nice work!

@youngnick youngnick added this pull request to the merge queue Nov 7, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 7, 2024
Merged via the queue into cilium:main with commit 327df8e Nov 7, 2024
74 checks passed
@youngnick youngnick deleted the networkpolicy-secretsync branch November 7, 2024 14:48
sayboras added a commit that referenced this pull request Nov 19, 2024
@sayboras
gha: Add coverage for policy secret sync
b63a66d 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras sayboras mentioned this pull request Nov 19, 2024
Merged
sayboras added a commit that referenced this pull request Nov 19, 2024
@sayboras
gha: Add coverage for policy secret sync
95ae53e 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 19, 2024
@sayboras
gha: Add coverage for policy secret sync
2b12438 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 19, 2024
@sayboras
gha: Add coverage for policy secret sync
654f59b 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 19, 2024
@sayboras
gha: Add coverage for policy secret sync
4946ef2 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 25, 2024
@sayboras
gha: Add coverage for policy secret sync
85b64e1 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 25, 2024
@sayboras
gha: Add coverage for policy secret sync
6946282 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 25, 2024
@sayboras
gha: Add coverage for policy secret sync
80b49ba 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 25, 2024
@sayboras
gha: Add coverage for policy secret sync
97599ed 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 25, 2024
@sayboras
gha: Add coverage for policy secret sync
48ade65 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 25, 2024
@sayboras
gha: Add coverage for policy secret sync
a376ae2 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 25, 2024
@sayboras
gha: Add coverage for policy secret sync
27f56f7 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Nov 25, 2024
@sayboras
gha: Add coverage for policy secret sync
98e34c1 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
github-merge-queue bot pushed a commit that referenced this pull request Nov 25, 2024
@sayboras @aanm
gha: Add coverage for policy secret sync
f6c93df 
This commit is to make sure that we have the coverage for policy secret
sync enabled and disabled.

Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit that referenced this pull request Jan 16, 2025
@sayboras
connectivity: Add retry all error for L7 header related test
e93f018 
This is to cater for the case that SDS secret is ingested later when the
curl request is sent, applicable when secret-backend-k8s is enabled.

Relates: #36998
Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras sayboras mentioned this pull request Jan 16, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Jan 16, 2025
@sayboras
connectivity: Add retry all error for L7 header related test
3d75eba 
This is to cater for the case that SDS secret is ingested later when the
curl request is sent, applicable when secret-backend-k8s is enabled.

Relates: #36998
Relates: #35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
jongj pushed a commit to jongj/cilium that referenced this pull request Feb 11, 2025
@sayboras @jongj
connectivity: Add retry all error for L7 header related test
0cdb122 
This is to cater for the case that SDS secret is ingested later when the
curl request is sent, applicable when secret-backend-k8s is enabled.

Relates: cilium#36998
Relates: cilium#35513
Signed-off-by: Tam Mach <tam.mach@cilium.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@squeed squeed squeed left review comments

@mhofstetter mhofstetter mhofstetter left review comments

@derailed derailed derailed approved these changes

@chancez chancez chancez approved these changes

@nebril nebril nebril approved these changes

@jrajahalme jrajahalme jrajahalme approved these changes

@sayboras sayboras sayboras approved these changes

+1 more reviewer

@learnitall learnitall learnitall approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
cilium-cli This PR contains changes related with cilium-cli ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/major This PR introduces major new functionality to Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Sync TLS interception secrets to Envoy via SDS
10 participants
@youngnick @marseel @derailed @squeed @chancez @nebril @jrajahalme @mhofstetter @sayboras @learnitall