fix(apiserver): wire queryserver to Linseed via tigera-linseed service in MCM#4786
Open
tianfeng92 wants to merge 5 commits into tigera:master from
Conversation
…e in MCM

On a managed cluster the queryserver sidecar fetches policy_activity from the management cluster's Linseed via the voltron tunnel. Three gaps were producing 500s on the manager UI policy list page:

1. apiserver-ca-bundle only contained the local cluster's tigera-operator-signer; guardian's TLS cert is signed by the management cluster's signer with the same Subject DN, so Go's x509 verifier matched the local CA and failed with "crypto/rsa: verification error".
2. LINSEED_URL pointed at guardian.calico-system.svc directly. The linseed Go client overrides SNI to "tigera-linseed", but matching fluentd's pattern of routing through a "tigera-linseed" ExternalName service is the documented model.
3. The queryserver authenticated to Linseed with its own managed cluster SA token, which Linseed cannot validate; and CLUSTER_ID defaulted to the literal "cluster", which voltron's inner_handler rejected.

This change, on managed clusters:

- Adds VoltronLinseedPublicCert to the apiserver trusted bundle so guardian's tigera-linseed serving cert verifies.
- Renders a "tigera-linseed" ExternalName Service in calico-system that CNAMEs to guardian, plus a "tigera-linseed" RoleBinding granting guardian SA the tigera-linseed-secrets ClusterRole so the Linseed token controller can write the per-SA token Secret into calico-system.
- Sets LINSEED_URL=https://tigera-linseed.calico-system.svc.<domain> on the queryserver, mounts the calico-apiserver-tigera-linseed-token Secret, and points LINSEED_TOKEN at it.
- Sets CLUSTER_ID="" so voltron rewrites x-cluster-id to the managed cluster name on the tunnel inbound path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Verify that with ManagementClusterConnection set, the apiserver component renders:

- a tigera-linseed ExternalName Service in calico-system
- a tigera-linseed RoleBinding granting guardian SA tigera-linseed-secrets
- LINSEED_URL=https://tigera-linseed.calico-system.svc.cluster.local
- CLUSTER_ID="" and LINSEED_TOKEN=/var/run/secrets/tigera.io/linseed/token on the queryserver
- the linseed-token volume sourced from calico-apiserver-tigera-linseed-token

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…rvice

Address review feedback on tigera#4780.

The queryserver's LINSEED_URL is now built from relasticsearch.LinseedEndpoint(...) so all components share one source of truth for managed/standalone/Windows URL forms (matches fluentd at pkg/render/fluentd.go:691). The helper returns https://guardian.calico-system.svc for non-fluentd managed-cluster clients; the linseed Go client overrides TLS SNI to tigera-linseed at linseed/pkg/client/rest/client.go:98, so verification against the voltron-linseed cert still succeeds.

The tigera-linseed ExternalName Service is therefore no longer needed and is dropped (it was only required for fluentd-style non-Linseed-client consumers that can't override SNI). The tigera-linseed RoleBinding stays — the linseed token controller still needs guardian-SA RBAC to write the per-SA token Secret into calico-system.

Update apiserver_test.go accordingly: drop the Service assertion, expect LINSEED_URL=https://guardian.calico-system.svc.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
What
Master sync of #4780 (release-v1.42 → master). On managed clusters, render the queryserver to talk to Linseed through the same signed-token / Linseed CA path as fluentd:
- Add `VoltronLinseedPublicCert` to `apiserver-ca-bundle` and watch it.
- `RoleBinding/tigera-linseed` (guardian SA → `tigera-linseed-secrets`) in `calico-system` so the Linseed token controller can write the per-SA Secret in this namespace.
- `LINSEED_URL` via `relasticsearch.LinseedEndpoint(...)`, set `CLUSTER_ID=""`, mount `calico-apiserver-tigera-linseed-token`, set `LINSEED_TOKEN`.

Pairs with https://github.com/tigera/calico-private/pull/11857
Why
Manager UI policy list returns 500 on managed clusters — queryserver's `enrichPoliciesWithActivity` fails. Three gaps on the path queryserver → guardian → voltron tunnel → Linseed:

- `tigera-operator-signer`; both signers share Subject DN, so x509 matched the wrong CA (`crypto/rsa: verification error`).
- `LINSEED_TOKEN` was set, so the queryserver sent its managed-cluster SA token which Linseed cannot validate → 401. And `CLUSTER_ID` defaulted to the literal `"cluster"`, which voltron's `inner_handler` rejected.
- `calico-system` for guardian SA, so the Linseed token controller couldn't write the per-SA Secret in this namespace.

Behavior changes

Managed clusters only — every change gated on `ManagementClusterConnection != nil`. New `RoleBinding` in `calico-system`, new env vars + token volume on the queryserver, and `apiserver-ca-bundle` extended with the management cluster's CA. No-op on management/standalone.

Release Note
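An added, self-contained illustration of the first gap (constructed example, not code from this PR or the operator repo): two self-signed CAs that share the Subject DN `CN=tigera-operator-signer`, a serving cert for `tigera-linseed` signed by the second one, and Go's x509 verifier run against a bundle holding only the first CA and then both. The CN and hostname values mirror the names in the PR; keys, serials and validity are constructed, and the verifier's hostname check is also exercised to show why the client's SNI must match the cert's SAN.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// certTemplate builds a minimal one-day certificate template for cn; isCA turns
// it into a signing CA. Both CAs in the test share CN "tigera-operator-signer".
func certTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}}
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil,
// and returns the parsed certificate together with its freshly generated key.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyWithBundle checks a serving cert for dnsName against a trust bundle,
// which is what a Go TLS client does with apiserver-ca-bundle as its RootCAs.
func verifyWithBundle(leaf *x509.Certificate, dnsName string, bundle ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range bundle {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}
```

With only the local signer in the bundle the failure is reported as "certificate signed by unknown authority" with the hint `crypto/rsa: verification error`, because the pool's subject lookup finds the local CA and its signature check fails; adding the management cluster's CA lets the verifier try the second candidate and succeed.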