helm: configure cilium-operator managing identities

Add new helm value identityManagementMode that is an enum of: * "agent": cilium-agent manages identities (current default). * "operator": cilium-operator manages identities. * "both": migration mode where both agent and operator manage identities. When operator manages identities, its cluster role adds "create" permission for CiliumIdentity. Signed-off-by: Will Daly <[email protected]>
DataDog · Jan 27, 2025 · 7a967b3 · 7a967b3
1 parent bc4b71e
commit 7a967b3
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 0 deletions.
diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
@@ -1205,6 +1205,8 @@ data:
   {{- end }}
 {{- end }}
 
+  identity-management-mode: {{ .Values.identityManagementMode | quote }}
+
 {{- if hasKey .Values "enableK8sTerminatingEndpoint" }}
   enable-k8s-terminating-endpoint: {{ .Values.enableK8sTerminatingEndpoint | quote }}
 {{- end }}

diff --git a/install/kubernetes/cilium/templates/cilium-operator/clusterrole.yaml b/install/kubernetes/cilium/templates/cilium-operator/clusterrole.yaml
@@ -164,6 +164,9 @@ rules:
   verbs:
   # To synchronize garbage collection of such resources
   - update
+  {{- if (or (eq .Values.identityManagementMode "operator") (eq .Values.identityManagementMode "both")) }}
+  - create
+  {{- end }}
 - apiGroups:
   - cilium.io
   resources:

diff --git a/install/kubernetes/cilium/values.schema.json b/install/kubernetes/cilium/values.schema.json
@@ -3600,6 +3600,13 @@
     "identityChangeGracePeriod": {
       "type": "string"
     },
+    "identityManagementMode": {
+      "enum": [
+        "agent",
+        "operator",
+        "both"
+      ]
+    },
     "image": {
       "properties": {
         "digest": {

diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
@@ -829,6 +829,14 @@ ciliumEndpointSlice:
   # fcfs groups together CiliumEndpoints in a first-come-first-serve basis, filling in the largest non-full slice first.
   sliceMode: identity
 
+# @schema
+# enum: ["agent", "operator", "both"]
+# @schema
+# -- Control whether CiliumIdentities are created by the agent ("agent"), the operator ("operator") or both ("both").
+# "Both" should be used only to migrate between "agent" and "operator".
+# Operator-managed identities is a beta feature.
+identityManagementMode: "agent"
+
 envoyConfig:
   # -- Enable CiliumEnvoyConfig CRD
   # CiliumEnvoyConfig CRD can also be implicitly enabled by other options.