Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-09-20 04:54:46 -04:00
Code Issues Projects Releases Packages Wiki Activity

deps: update cilium

Browse source 
Bumping Cilium to also enable node-to-node encryption and
node-to-node strict mode. Since the second is not upstream
we use our fork.
This commit is contained in:
Leonard Cohnen 2023-10-16 19:14:53 +02:00 committed by 3u13r
parent 648eebab24
commit e9694d40b9
157 changed files with 23415 additions and 1075 deletions
Download patch file Download diff file Expand all files Collapse all files

48
cli/internal/helm/charts/cilium/files/spire/init.bash Normal file
View file

@ -0,0 +1,48 @@
# shellcheck disable=SC2086
# shellcheck disable=SC2139
set -e
echo "Waiting for spire process to start"
while ! pgrep spire-server > /dev/null; do sleep 5; done
SPIRE_SERVER_ROOT_PATH="/proc/$(pgrep spire-server)/root"
alias spire_server="${SPIRE_SERVER_ROOT_PATH}/opt/spire/bin/spire-server"
SOCKET_PATH="${SPIRE_SERVER_ROOT_PATH}/tmp/spire-server/private/api.sock"
SOCKET_FLAG="-socketPath ${SOCKET_PATH}"
echo "Checking spire-server status"
while ! spire_server entry show ${SOCKET_FLAG} &> /dev/null; do
echo "Waiting for spire-server to start..."
sleep 5
done
echo "Spire Server is up, initializing cilium spire entries..."
AGENT_SPIFFE_ID="spiffe://{{ .Values.authentication.mutual.spire.trustDomain }}/ns/{{ .Values.authentication.mutual.spire.install.namespace }}/sa/spire-agent"
AGENT_SELECTORS="-selector k8s_psat:agent_ns:{{ .Values.authentication.mutual.spire.install.namespace }} -selector k8s_psat:agent_sa:spire-agent"
CILIUM_AGENT_SPIFFE_ID="spiffe://{{ .Values.authentication.mutual.spire.trustDomain }}/cilium-agent"
CILIUM_AGENT_SELECTORS="-selector k8s:ns:{{ .Release.Namespace }} -selector k8s:sa:{{ .Values.serviceAccounts.cilium.name }}"
CILIUM_OPERATOR_SPIFFE_ID="spiffe://{{ .Values.authentication.mutual.spire.trustDomain }}/cilium-operator"
CILIUM_OPERATOR_SELECTORS="-selector k8s:ns:{{ .Release.Namespace }} -selector k8s:sa:{{ .Values.serviceAccounts.operator.name }}"
while pgrep spire-server > /dev/null;
do
echo "Ensuring agent entry"
if spire_server entry show ${SOCKET_FLAG} -spiffeID $AGENT_SPIFFE_ID $AGENT_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then
spire_server entry create ${SOCKET_FLAG} -spiffeID $AGENT_SPIFFE_ID $AGENT_SELECTORS -node
fi
echo "Ensuring cilium-agent entry (required for the delegated identity to work)"
if spire_server entry show ${SOCKET_FLAG} -spiffeID $CILIUM_AGENT_SPIFFE_ID $CILIUM_AGENT_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then
spire_server entry create ${SOCKET_FLAG} -spiffeID $CILIUM_AGENT_SPIFFE_ID -parentID $AGENT_SPIFFE_ID $CILIUM_AGENT_SELECTORS
fi
echo "Ensuring cilium-operator entry (required for creating SPIFFE identities)"
if spire_server entry show ${SOCKET_FLAG} -spiffeID $CILIUM_OPERATOR_SPIFFE_ID $CILIUM_OPERATOR_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then
spire_server entry create ${SOCKET_FLAG} -spiffeID $CILIUM_OPERATOR_SPIFFE_ID -parentID $AGENT_SPIFFE_ID $CILIUM_OPERATOR_SELECTORS
fi
echo "Cilium Spire entries are initialized successfully or already in-sync"
sleep 30;
done