Envoy resource namespacing #26037
/test
f18a6dd to 8393312
Dropped the secret original namespace commit from this PR as it was problematic. Will reintroduce it after this has merged.
/test Job 'Cilium-PR-K8s-1.26-kernel-net-next' hit: #25958 (88.26% similarity)
Can you update the commit message for the wip one?
The changes look good to me ✔️
/test-1.26-net-next
/ci-ginkgo
Parsed Envoy Listeners have qualified names, so explicit listener references must also be qualified for name comparison to work. Usually listener reference is implicit (== first listener in the CiliumEnvoyConfig) so this bug was not hit in practice. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Make ResourceQualifiedName gracefully return the given resource name, if it is already qualified, or if it is empty. Optionally also qualify resource names with a different namespace as a prefix to force namespacing where applicable. Passing through empty resource names without qualifying them is important so that a potentially invalid envoy config, where a required name is missing, remains invalid also after qualifying resource names. Currently, a CiliumEnvoyConfig may use backendServices in a different namespace, so resource namespacing cannot be enforced on the referred backend services. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Qualify cluster names that are not already qualified. This helps avoid accidental resource name collision when multiple CiliumEnvoyConfigs are defined. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Validate also Listener resources after parsing them from CiliumEnvoyConfig. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Qualify Envoy Secret resource names and references with the namespace and CEC name when not already namespaced. This helps prevent accidental Secret resource name collisions between different CEC/CCEC resources when they use the same (unqualified) name locally. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
'SetNodeOnFirstMessageOnly: true' was missing from the XDS reference used for secrets, which causes larger than necessary XDS messages. Let Cilium agent fill in the XDS reference instead. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
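The qualification rules described in the ResourceQualifiedName commit message above, as an added sketch that is not code from this PR or from Cilium. The helper name `qualifyName`, the `<namespace>/<configName>/<resource>` form of a qualified name, and the sample namespaces are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// qualifyName is a hypothetical helper, not Cilium's ResourceQualifiedName.
// Assumed qualified form: "<namespace>/<configName>/<resource>".
// The bool reports whether the name was rewritten.
func qualifyName(namespace, configName, name string, forceNamespace bool) (string, bool) {
	// Empty names pass through, so a config that omits a required name
	// is still rejected by validation after qualification.
	if name == "" {
		return name, false
	}
	if idx := strings.IndexByte(name, '/'); idx >= 0 {
		// Already qualified. Without forcing, any namespace is accepted
		// (for example a backend service in another namespace).
		// With forcing, only names under our own namespace are accepted.
		if !forceNamespace || name[:idx] == namespace {
			return name, false
		}
	}
	return namespace + "/" + configName + "/" + name, true
}

func main() {
	// Constructed sample: two configs reuse the local name "tls-cert".
	cases := []struct {
		ns, cfg, name string
		force         bool
	}{
		{"team-a", "ingress", "tls-cert", false},
		{"team-b", "ingress", "tls-cert", false},
		{"team-a", "ingress", "", false},
		{"team-a", "ingress", "team-a/ingress/tls-cert", true},
		{"team-a", "ingress", "team-b/shared/backend", false},
		{"team-a", "ingress", "team-b/shared/backend", true},
	}
	for _, c := range cases {
		q, changed := qualifyName(c.ns, c.cfg, c.name, c.force)
		fmt.Printf("%-8s force=%-5v %q -> %q (changed=%v)\n", c.ns, c.force, c.name, q, changed)
	}
}
```

With forcing enabled, a name that points into another namespace is rewritten under the caller's own namespace, so it can no longer resolve to the other tenant's resource.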
8393312 to 7476b65
/test