
Comments (2)

Joseph-Irving avatar Joseph-Irving commented on July 30, 2024

I don't think supporting both would be needed for a first pass; neither of us needs that option, so I would be keen not to over-engineer the solution, yet leave it open enough to do that later if need be.

How do you propose managing the secrets? You could go and fetch the secret on every sync, but that could be quite inefficient at scale; you could end up making a lot of API calls. Alternatively a store could be used, but by default that would have all secrets in your cluster being stored in Yggdrasil, which doesn't seem ideal as you're only interested in the TLS-related ones.

Also worth noting that by adding this it does make Yggdrasil more of a target for intruders, as it will have access to all the secrets in all your clusters.

from yggdrasil.

Aluxima avatar Aluxima commented on July 30, 2024

Hello, sorry for the late reply to this issue.
We have been testing an implementation for this (see master...Aluxima:secrets-sync) and were able to selectively fetch the TLS secrets using a store and dynamically use them as downstream certificates.

The synchronization flow was copied from the ingresses sync and definitely needs cleaning and improvement.
I saw this comment about adding event handlers; maybe what we could do is switch to using a shared informer that will be used to watch both ingresses and secrets using proper events, a bit like the HAProxy ingress controller does (see https://github.com/haproxytech/kubernetes-ingress/blob/master/pkg/k8s/main.go#L148 and https://github.com/haproxytech/kubernetes-ingress/blob/master/pkg/controller/monitor.go#L27).

Also I noticed some complexity issues in the way the snapshots are done. Right now yggdrasil does a snapshot (here) at each and every resource addition/change/deletion, so the startup phase with thousands of ingresses and secrets never ends :D
But I think this deserves its own issue.

About the security concerns of yggdrasil holding access to k8s secrets: it is an accepted risk on our side, and the rights will not be needed for those who will not use this option.

Do you think it is a good way to go for this new feature?

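Editor's note (added example, not code from yggdrasil or from the Aluxima:secrets-sync branch): the two design points in this thread, keeping only TLS secrets in the store rather than every secret in the cluster, and not cutting an Envoy snapshot on every single informer event, can be sketched without client-go. The block below is stand-alone Go: `Secret`, `Store`, `OnAddOrUpdate`, `OnDelete`, `SnapshotIfDirty` and `Demo` are names chosen for this example, the certificates are generated in-process as a constructed fixture, and the only Kubernetes-specific fact it relies on is that Secrets support the `type=` field selector on list/watch (so the informer can be given `type=kubernetes.io/tls` and the API server drops Opaque secrets before they ever reach the controller). A secret is cached only if `tls.crt`/`tls.key` actually form a valid pair, so a broken or mismatched pair is never handed to Envoy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const tlsSecretType = "kubernetes.io/tls"

// FieldSelector is the list/watch filter for the secrets informer (client-go: informers.WithTweakListOptions), so the API server streams only TLS secrets to the controller.
const FieldSelector = "type=" + tlsSecretType

// Secret mirrors only the fields of a Kubernetes Secret this example needs (hypothetical type, not the k8s API struct).
type Secret struct {
	Namespace, Name, Type string
	Data                  map[string][]byte
}

func (s Secret) key() string { return s.Namespace + "/" + s.Name }

// Store caches only validated key pairs, keyed by "namespace/name", plus a dirty flag for snapshots.
type Store struct {
	certs map[string]tls.Certificate
	dirty bool
}

func NewStore() *Store { return &Store{certs: map[string]tls.Certificate{}} }

// OnAddOrUpdate is the informer add/update handler: non-TLS secrets are refused; a TLS secret whose tls.crt/tls.key are not a valid pair is refused and any stale cached copy evicted.
func (st *Store) OnAddOrUpdate(s Secret) error {
	if s.Type != tlsSecretType {
		return fmt.Errorf("%s: ignoring secret of type %q", s.key(), s.Type)
	}
	cert, err := tls.X509KeyPair(s.Data["tls.crt"], s.Data["tls.key"])
	if err != nil {
		st.OnDelete(s)
		return fmt.Errorf("%s: invalid key pair: %w", s.key(), err)
	}
	st.certs[s.key()], st.dirty = cert, true
	return nil
}

// OnDelete is the informer delete handler; it only dirties the store if the secret was cached.
func (st *Store) OnDelete(s Secret) {
	if _, ok := st.certs[s.key()]; ok {
		delete(st.certs, s.key())
		st.dirty = true
	}
}

// SnapshotIfDirty is polled by a ticker rather than run on every event, so a startup burst of thousands of adds costs one snapshot instead of thousands.
func (st *Store) SnapshotIfDirty() (wasDirty bool) { wasDirty, st.dirty = st.dirty, false; return wasDirty }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustPEM builds a throwaway self-signed cert/key pair (a constructed fixture) so the example runs offline.
func mustPEM(host string) (certPEM, keyPEM []byte) {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	keyDER := must(x509.MarshalECPrivateKey(priv))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// Demo replays a constructed event stream, one ticker tick per phase, and returns (cached pairs, snapshots).
func Demo() (cached, snapshots int) {
	crtA, keyA := mustPEM("app.example.com")
	crtB, keyB := mustPEM("other.example.com")
	phases := [][]Secret{
		{ // startup burst: a good TLS secret, an Opaque secret that must never be cached, and a TLS secret whose key does not match its certificate
			{Namespace: "default", Name: "app-tls", Type: tlsSecretType, Data: map[string][]byte{"tls.crt": crtA, "tls.key": keyA}},
			{Namespace: "default", Name: "db-creds", Type: "Opaque", Data: map[string][]byte{"password": []byte("hunter2")}},
			{Namespace: "team-a", Name: "other-tls", Type: tlsSecretType, Data: map[string][]byte{"tls.crt": crtB, "tls.key": keyA}},
		},
		{{Namespace: "team-a", Name: "other-tls", Type: tlsSecretType, Data: map[string][]byte{"tls.crt": crtB, "tls.key": keyB}}}, // owner fixes the pair
	}
	st := NewStore()
	for _, events := range phases {
		for _, s := range events {
			if err := st.OnAddOrUpdate(s); err != nil {
				fmt.Println("rejected:", err)
			}
		}
		if st.SnapshotIfDirty() { // one snapshot per tick, however many events arrived
			snapshots++
		}
	}
	return len(st.certs), snapshots
}

func main() {
	n, snaps := Demo()
	fmt.Printf("cached TLS pairs=%d, snapshots=%d, informer selector %q\n", n, snaps, FieldSelector)
}
```

Running it caches two pairs and pushes two snapshots: the three-event startup burst collapses into one, the later fix of `other-tls` is a real change and earns the second, and the Opaque secret and the mismatched pair are rejected before anything is stored. One caveat for the RBAC side of the discussion: the field selector narrows what the informer receives, not what the service account is allowed to read. `list`/`watch` on `secrets` granted through a ClusterRole still lets that identity read every secret in the cluster, so the "more of a target" point above stands unless the permission is scoped with namespaced Roles or the secrets are kept in a dedicated namespace.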
