Add support for Calico, use RBAC and secrets encryption. #283
Conversation
manifests/calico/tigera-operator.yml
Outdated
There was a problem hiding this comment.
Can't review this amount of YAML 😓
Can we just curl this YAML from the upstream?
https://github.com/projectcalico/calico/blob/v3.26.1/manifests/tigera-operator.yaml
There was a problem hiding this comment.
Absolutly, it actually comes from this repo
There was a problem hiding this comment.
This should be gitignored and curled on make.
manifests/secrets-encryption.yml
Outdated
| providers: | ||
| - secretbox: | ||
| keys: | ||
| - name: key1 |
There was a problem hiding this comment.
According to the documentation the key should be used by kube-apiserver to encrypt the secrets.
There was a problem hiding this comment.
Can we have more descriptive name?
There was a problem hiding this comment.
I have confirmed we can use something better, currently I set it to secrets_key.
Do you have something in mind that would be better ?
| @@ -51,7 +51,7 @@ function usage() { | |||
| echo | |||
| echo " --start=UNIT Enable and start the specified target after the installation, e.g. \"u7s.target\". Set to an empty to disable autostart. (Default: \"$start\")" | |||
| echo " --cri=RUNTIME Specify CRI runtime, \"containerd\" or \"crio\". (Default: \"$cri\")" | |||
| echo ' --cni=RUNTIME Specify CNI, an empty string (none) or "flannel". (Default: none)' | |||
| echo ' --cni=RUNTIME Specify CNI, an empty string (none), \"calico\" or "flannel". (Default: none)' | |||
There was a problem hiding this comment.
Can we test calico in CI ?
usernetes/.github/workflows/main.yaml
Line 24 in 58df6ea
There was a problem hiding this comment.
We should be able to, I have never used Github CI but I can look into it.
| @@ -19,6 +19,8 @@ exec $(dirname $0)/nsenter.sh kube-apiserver \ | |||
| --service-account-signing-key-file=$XDG_CONFIG_HOME/usernetes/master/service-account-key.pem \ | |||
| --advertise-address=$(cat $XDG_RUNTIME_DIR/usernetes/parent_ip) \ | |||
| --allow-privileged \ | |||
| --encryption-provider-config=$XDG_CONFIG_HOME/usernetes/master/secrets-encryption.yml \ | |||
| --authorization-mode=Node,RBAC \ | |||
There was a problem hiding this comment.
Could you split and squash the commits so that one commit has one topic?
Probably, this PR should have the following three commits:
- RBAC
- Secrets encryption
- Calico
There was a problem hiding this comment.
How should I handle install.sh as it has edits for RBAC, Calico and secrets encryption ?
There was a problem hiding this comment.
Just make commit 3 depend on commit 1 and 2?
manifests/secrets-encryption.yml
Outdated
There was a problem hiding this comment.
The suffix should be something like .yaml.template, as this is not a complete manifest
manifests/secrets-encryption.yml
Outdated
| - secretbox: | ||
| keys: | ||
| - name: key1 | ||
| secret: |
There was a problem hiding this comment.
Can we use envsubst or something for filling up the secret value?
README.md
Outdated
| @@ -129,7 +129,7 @@ iptable_filter | |||
| ip6table_filter | |||
| nf_tables | |||
| x_tables | |||
| xt_MASQUERADE | |||
| xt_MASQUERADE # on older kernels: ipt_MASQUERADE and ip6t_MASQUERADE | |||
There was a problem hiding this comment.
A comment should be a separate line for ease of parsing
| @@ -51,7 +51,7 @@ function usage() { | |||
| echo | |||
| echo " --start=UNIT Enable and start the specified target after the installation, e.g. \"u7s.target\". Set to an empty to disable autostart. (Default: \"$start\")" | |||
| echo " --cri=RUNTIME Specify CRI runtime, \"containerd\" or \"crio\". (Default: \"$cri\")" | |||
| echo ' --cni=RUNTIME Specify CNI, an empty string (none) or "flannel". (Default: none)' | |||
| echo ' --cni=RUNTIME Specify CNI, an empty string (none), \"calico\" or "flannel". (Default: none)' | |||
There was a problem hiding this comment.
Could you update README.md too?
Signed-off-by: Pierre Boudvillain <[email protected]>
Signed-off-by: Pierre Boudvillain <[email protected]>
Signed-off-by: Pierre Boudvillain <[email protected]>
Signed-off-by: Pierre Boudvillain <[email protected]>
|
Do you plan to add a test? |
I have tried to work on that by making a similar test to the flannel one (replacing flannel by calico in the docker-compose file and publishing ports according to the calico requirements), however I wasn't able to make it work.
I'm not sure where the issue might come from. |
kube-apiserverwith RBAC (launch kube-apiserver with --authorization-mode=Node,RBAC #166)Tested with a single node cluster on Centos 9.