From 7a967b3256fa57163f03395235177d304d231835 Mon Sep 17 00:00:00 2001 From: Will Daly Date: Thu, 5 Dec 2024 22:44:37 +0000 Subject: [PATCH] helm: configure cilium-operator managing identities Add new helm value identityManagementMode that is an enum of: * "agent": cilium-agent manages identities (current default). * "operator": cilium-operator manages identities. * "both": migration mode where both agent and operator manage identities. When operator manages identities, its cluster role adds "create" permission for CiliumIdentity. Signed-off-by: Will Daly --- Documentation/helm-values.rst | 4 ++++ install/kubernetes/cilium/README.md | 1 + install/kubernetes/cilium/templates/cilium-configmap.yaml | 2 ++ .../cilium/templates/cilium-operator/clusterrole.yaml | 3 +++ install/kubernetes/cilium/values.schema.json | 7 +++++++ install/kubernetes/cilium/values.yaml | 7 +++++++ install/kubernetes/cilium/values.yaml.tmpl | 8 ++++++++ 7 files changed, 32 insertions(+) diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst index 98e0a07c2c3dd..6a1f317e4187f 100644 --- a/Documentation/helm-values.rst +++ b/Documentation/helm-values.rst @@ -2292,6 +2292,10 @@ - Time to wait before using new identity on endpoint identity change. - string - ``"5s"`` + * - :spelling:ignore:`identityManagementMode` + - Control whether CiliumIdentities are created by the agent ("agent"), the operator ("operator") or both ("both"). "Both" should be used only to migrate between "agent" and "operator". Operator-managed identities is a beta feature. + - string + - ``"agent"`` * - :spelling:ignore:`image` - Agent container image. - object diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md index bf00697ed39fa..8cd4fd699710c 100644 --- a/install/kubernetes/cilium/README.md +++ b/install/kubernetes/cilium/README.md 
@@ -623,6 +623,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd`, `kvstore` or `doublewrite-readkvstore` / `doublewrite-readcrd` for migrating between identity backends). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
+| identityManagementMode | string | `"agent"` | Control whether CiliumIdentities are created by the agent ("agent"), the operator ("operator") or both ("both"). "Both" should be used only to migrate between "agent" and "operator". Operator-managed identities is a beta feature. |
 | image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}` | Agent container image. |
 | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
index f4592c0a5054a..dd4a160f2a8a4 100644
--- a/install/kubernetes/cilium/templates/cilium-configmap.yaml
+++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml
@@ -1205,6 +1205,8 @@ data:
 {{- end }}
 {{- end }}
+ identity-management-mode: {{ .Values.identityManagementMode | quote }}
+
 {{- if hasKey .Values "enableK8sTerminatingEndpoint" }}
 enable-k8s-terminating-endpoint: {{ .Values.enableK8sTerminatingEndpoint | quote }}
 {{- end }}
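Review bot: The added `identity-management-mode` key is rendered straight from `.Values.identityManagementMode` with no template-side check, so the only guard against a wrong value is the JSON-schema enum added elsewhere in this patch, and that is skipped by `helm template --skip-schema-validation` and by consumers that pre-render the chart. Unless the agent rejects unknown values at startup (not visible here), a misspelt mode is rendered and deployed silently, and because the operator ClusterRole template in this patch keys its `create` grant on the same string, the agent-side behaviour and the operator's RBAC can then disagree. A one-line guard before this key closes the gap: `{{- if not (has .Values.identityManagementMode (list "agent" "operator" "both")) }}{{ fail "identityManagementMode must be one of: agent, operator, both" }}{{- end }}`.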
diff --git a/install/kubernetes/cilium/templates/cilium-operator/clusterrole.yaml b/install/kubernetes/cilium/templates/cilium-operator/clusterrole.yaml
index dba1ca8bbd74b..97394ada7d79b 100644
--- a/install/kubernetes/cilium/templates/cilium-operator/clusterrole.yaml
+++ b/install/kubernetes/cilium/templates/cilium-operator/clusterrole.yaml
@@ -164,6 +164,9 @@ rules:
 verbs:
 # To synchronize garbage collection of such resources
 - update
+ {{- if (or (eq .Values.identityManagementMode "operator") (eq .Values.identityManagementMode "both")) }}
+ - create
+ {{- end }}
 - apiGroups:
 - cilium.io
 resources:
diff --git a/install/kubernetes/cilium/values.schema.json b/install/kubernetes/cilium/values.schema.json
index c2b0870c2f728..3de7bb2eca561 100644
--- a/install/kubernetes/cilium/values.schema.json
+++ b/install/kubernetes/cilium/values.schema.json
@@ -3600,6 +3600,13 @@
 "identityChangeGracePeriod": {
 "type": "string"
 },
+ "identityManagementMode": {
+ "enum": [
+ "agent",
+ "operator",
+ "both"
+ ]
+ },
 "image": {
 "properties": {
 "digest": {
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
index 468de0294085d..3bfbd9ef06767 100644
--- a/install/kubernetes/cilium/values.yaml
+++ b/install/kubernetes/cilium/values.yaml
@@ -823,6 +823,13 @@ ciliumEndpointSlice:
 # identity groups together CiliumEndpoints that share the same identity.
 # fcfs groups together CiliumEndpoints in a first-come-first-serve basis, filling in the largest non-full slice first.
 sliceMode: identity
+# @schema
+# enum: ["agent", "operator", "both"]
+# @schema
+# -- Control whether CiliumIdentities are created by the agent ("agent"), the operator ("operator") or both ("both").
+# "Both" should be used only to migrate between "agent" and "operator".
+# Operator-managed identities is a beta feature.
+identityManagementMode: "agent"
 envoyConfig:
 # -- Enable CiliumEnvoyConfig CRD
 # CiliumEnvoyConfig CRD can also be implicitly enabled by other options.
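Review bot: The new conditional `create` verb is appended to a rule whose `resources:` list lies above the hunk, so the grant is only as narrow as that list; the commit message scopes it to CiliumIdentity, but if the rule also names other `cilium.io` resources (the neighbouring `# To synchronize garbage collection of such resources` comment is worded in the plural), the operator gains `create` on all of them. Worth confirming the list is exactly `ciliumidentities`, or moving the grant into its own rule inside the same `{{- if }}`: `- apiGroups: [cilium.io]` / `resources: [ciliumidentities]` / `verbs: [create]`. Separately, nothing in this patch narrows the cilium-agent ClusterRole when the mode is `operator`; if the agent keeps `create` on CiliumIdentities in that mode (its role is not in this diff), the migration ends with two principals able to mint identities rather than one, which forfeits the least-privilege gain operator-managed identities could deliver. The enclosing rule's `resources:` stanza starts outside the hunk.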
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
index 970f28ecae1c0..5b9782f445419 100644
--- a/install/kubernetes/cilium/values.yaml.tmpl
+++ b/install/kubernetes/cilium/values.yaml.tmpl
@@ -829,6 +829,14 @@ ciliumEndpointSlice:
 # fcfs groups together CiliumEndpoints in a first-come-first-serve basis, filling in the largest non-full slice first.
 sliceMode: identity
+# @schema
+# enum: ["agent", "operator", "both"]
+# @schema
+# -- Control whether CiliumIdentities are created by the agent ("agent"), the operator ("operator") or both ("both").
+# "Both" should be used only to migrate between "agent" and "operator".
+# Operator-managed identities is a beta feature.
+identityManagementMode: "agent"
+
 envoyConfig:
 # -- Enable CiliumEnvoyConfig CRD
 # CiliumEnvoyConfig CRD can also be implicitly enabled by other options.
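Review bot: The comment block on `identityManagementMode` documents what each mode does but not its RBAC side effect: selecting `operator` or `both` also adds the `create` verb on CiliumIdentities to the cilium-operator ClusterRole (clusterrole.yaml in this patch), which is the privilege change an administrator should see before flipping the value. Propose adding one line to the comment: `# Setting "operator" or "both" also grants cilium-operator "create" on CiliumIdentities.` The same comment appears in values.yaml in this patch, which looks to be generated from this template, so the line would need to land there as well.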