ref(injector): load bootstrap SDS configuration from filesystem #4635
Codecov Report
@@ Coverage Diff @@
## main #4635 +/- ##
==========================================
- Coverage 68.91% 68.61% -0.31%
==========================================
Files 219 219
Lines 15077 15155 +78
==========================================
+ Hits 10390 10398 +8
- Misses 4632 4702 +70
Partials 55 55
InlineBytes: config.PrivateKey,
Name: envoyTLSCertificateSecretName,
SdsConfig: &xds_core.ConfigSource{
ConfigSourceSpecifier: &xds_core.ConfigSource_Path{
I noticed the latest (v1.22) envoy docs say this is deprecated in favor of path_config_source, but that doesn't exist in v1.19 which we're using by default (or the latest go-control-plane). It looks like that has a callout for using this for Kubernetes resources the way we are, so leaving this just as breadcrumbs for later: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/config_source.proto#config-core-v3-pathconfigsource
(Not sure how to permalink, but the version of the latest docs is currently 1.22.0-dev-33d25b)
configMapName := fmt.Sprintf("envoy-bootstrap-config-%s", podUUID)
secretName := fmt.Sprintf("envoy-xds-secret-%s", podUUID)
It seems like this same logic is repeated enough that adding a simple helper to generate these names from a UUID might be worth it.
The same logic is repeated in tests/e2e, pkg/injector, and pkg/k8s. I wasn't sure where it made the most sense for this helper function to live.
Since nothing imports tests/e2e and pkg/injector imports pkg/k8s, does pkg/k8s work?
Args: []string{
"--log-level", cfg.GetEnvoyLogLevel(),
"--config-path", strings.Join([]string{envoyProxyConfigPath, envoyBootstrapConfigFile}, "/"),
"--config-path", strings.Join([]string{bootstrap.EnvoyProxyConfigPath, bootstrap.EnvoyBootstrapConfigFile}, "/"),
Not really related, but filepath.Join probably makes more sense here.
Good point, thanks!
Great work @jaellio
Signed-off-by: jaellio <[email protected]>
certificate. Signed-off-by: jaellio <[email protected]>
Description:
Loads the SDS configuration for the envoy bootstrap config from the file system. Previously, the certificates were provided inline to the Envoy bootstrap configuration, which was stored in a k8s Secret volume mounted to the Pod. This change will allow OSM to update the certificates used when establishing a connection with xDS without having to recreate the Pod. This allows the envoy xDS certificates to be rotated without potential data plane downtime. Support for this capability is documented here.
This change updates the existing envoy bootstrap k8s secret to include the TLS and validation context SDS configs, xDS certificate, key, and ca cert.
This change is a part of the automated root certificate rotation work (#4502)
Resolves #4897
Notable changes:
Testing done:
Affected area:
Please answer the following questions with yes/no.
Does this change contain code from or inspired by another project? No
Is this a breaking change? No
Has documentation corresponding to this change been updated in the osm-docs repo (if applicable)? No, will make a follow-up PR.
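The file-backed SDS indirection this PR relies on (bootstrap points at an SDS file by path; the SDS file carries the certificate), as an added example in Go using only the standard library. This is not OSM's or go-control-plane's code: the mount directory, file name and secret name are assumptions, and Envoy's protobuf types are written out as plain JSON maps.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Assumed mount directory, file name and secret name; OSM's own values differ.
const (
	sdsDir      = "/etc/envoy/sds" // where the bootstrap k8s Secret is mounted in the Pod
	tlsSDSFile  = "tls_certificate_sds_secret.json"
	tlsSDSName  = "tls_sds_cert"
	secretProto = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
)

// TLSCertificateSDS builds the SDS file for the xDS client certificate in the
// DiscoveryResponse shape Envoy reads when sds_config names a file. The PEM
// lives here, not in the bootstrap, so rewriting this file rotates the cert.
func TLSCertificateSDS(certPEM, keyPEM []byte) map[string]any {
	return map[string]any{"resources": []any{map[string]any{
		"@type": secretProto,
		"name":  tlsSDSName,
		"tls_certificate": map[string]any{
			"certificate_chain": map[string]any{"inline_bytes": certPEM},
			"private_key":       map[string]any{"inline_bytes": keyPEM},
		},
	}}}
}

// BootstrapTLSContext returns the xDS cluster's UpstreamTlsContext. It carries
// only a secret name and a file path (the config_source "path" form), so the
// bootstrap itself never changes when the certificate rotates.
func BootstrapTLSContext() map[string]any {
	return map[string]any{"common_tls_context": map[string]any{
		"tls_certificate_sds_secret_configs": []any{map[string]any{
			"name":       tlsSDSName,
			"sds_config": map[string]any{"path": filepath.Join(sdsDir, tlsSDSFile)},
		}},
	}}
}

// ContainsInlineBytes reports whether a config embeds key material; a bootstrap
// that does cannot pick up a rotated certificate without recreating the Pod.
func ContainsInlineBytes(cfg map[string]any) bool {
	b, _ := json.Marshal(cfg) // []byte values become base64, keys stay verbatim
	return strings.Contains(string(b), `"inline_bytes":`)
}

func main() {
	out, _ := json.MarshalIndent(BootstrapTLSContext(), "", "  ")
	fmt.Println(string(out)) // names and paths only, no certificate bytes
}
```

Because Kubernetes updates a mounted Secret by swapping the file in place, the SDS file changes while the bootstrap that references it stays byte-for-byte identical.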