Merged
qmonnet approved these changes (Oct 29, 2025)
marseel reviewed (Oct 29, 2025)
gandro approved these changes (Nov 4, 2025)

gandro (Member) left a comment:

LGTM for the code owned by my codeowners. I didn't re-review the ztunnel code
marseel approved these changes (Nov 6, 2025)
Introduce basic controlplane structure for ztunnel integration using a new
Cell in the Hive framework. This provides the foundation for implementing
ztunnel control logic. It also adds new codeowners for the ztunnel package.

Signed-off-by: Robin Gögge <[email protected]>
Add the necessary scaffolding and xDS certificate authority server for
usage with ztunnel.
Following the pattern of IPSec's key injection, we update the Cilium
daemonset to wait on a secret-backed volume mount named
"cilium-ztunnel-secrets".
The secret includes 4 items, all of which are PEM encoded.
1. Bootstrap Certificate (bootstrap-root.crt)
2. Bootstrap Private Key (bootstrap-private.key)
3. CA Certificate (ca-root.crt)
4. CA Private Key (ca-private.key)
The bootstrap items are used to bootstrap a TLS connection between
ztunnel and the CA server introduced into Cilium.
The CA items are used to create and sign certificates given
a certificate signing request from ztunnel.
The CA server implements the necessary gRPC server and methods expected
by ztunnel. See the `github.com/cilium/cilium/ztunnel/pb` package for more
details.
Signed-off-by: Louis DeLosSantos <[email protected]>
Signed-off-by: Robin Gögge <[email protected]>
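The signing step the commit message describes, as an added Go example that is not code from this PR or from Cilium: a CA holding the PEM-encoded "ca-root.crt" and "ca-private.key" material signs a certificate for a PEM-encoded CSR. The function names (`newCA`, `newCSR`, `issueFromCSR`), the choice of ECDSA P-256, the SPIFFE URI SAN used as the workload identity, the trust-domain check and the short lifetime are all assumptions of this example; the CA material is generated in memory as constructed test data rather than read from the Kubernetes secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// must panics on error; used only by the constructed test-material helpers below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed CA, PEM-encoded like the "ca-root.crt" / "ca-private.key" secret items (constructed test material).
func newCA() (certPEM, keyPEM []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ztunnel-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	keyDER := must(x509.MarshalECPrivateKey(key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// newCSR is what a requesting proxy would send: a CSR whose only SAN is a SPIFFE URI (assumed identity format).
func newCSR(spiffeID string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // stays with the requester
	u := must(url.Parse(spiffeID))
	der := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{URIs: []*url.URL{u}}, key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

// issueFromCSR is the signing step: validate the CSR, then mint a short-lived leaf whose identity comes only from the CSR's single SPIFFE URI SAN.
func issueFromCSR(caCertPEM, caKeyPEM, csrPEM []byte, trustDomain string, ttl time.Duration) ([]byte, error) {
	cb, _ := pem.Decode(caCertPEM)
	kb, _ := pem.Decode(caKeyPEM)
	rb, _ := pem.Decode(csrPEM)
	if cb == nil || kb == nil || rb == nil {
		return nil, errors.New("invalid PEM input")
	}
	caCert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return nil, err
	}
	caKey, err := x509.ParseECPrivateKey(kb.Bytes)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(rb.Bytes)
	if err != nil {
		return nil, err
	}
	// Proof of possession: the CSR must verify under the public key it carries.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	// Exactly one SPIFFE URI in our trust domain and no other SAN; subject, DNS, IP and email fields are never copied.
	if len(csr.URIs) != 1 || csr.URIs[0].Scheme != "spiffe" || csr.URIs[0].Host != trustDomain ||
		len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.EmailAddresses) != 0 {
		return nil, errors.New("csr must carry exactly one SPIFFE URI in the trust domain and no other SAN")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber:          serial,
		URIs:                  []*url.URL{csr.URIs[0]},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false: a leaf must never be able to sign further certificates
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

The two checks that matter for a CA exposed to workloads are the CSR signature check (the requester proves it holds the key) and the refusal to copy anything but the one expected URI SAN into the leaf; a CA that honours DNS or IP SANs, or the CSR's subject, lets a workload request an identity it does not own. The leaf is explicitly not a CA and is limited to client/server authentication.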
This commit introduces a minimal xDS (Extensible Discovery Service)
control plane implementation enabling Cilium to act as a control plane
for the standalone ztunnel proxy. This implementation bridges Cilium's
endpoint management with ztunnel's workload discovery requirements.
Background:
ztunnel is Istio's zero-trust tunnel proxy that handles L4 secure
communication between workloads using HBONE (HTTP-Based Overlay Network
Environment). To function, ztunnel requires a control plane that
implements the Istio Workload API to discover workloads and services
in the cluster. This commit enables Cilium to serve as that control
plane.
Implementation Details:
The xDS control-plane implements the Delta Aggregated Discovery Service
protocol, which is a bidirectional gRPC stream between Cilium and ztunnel.
It provides transformation logic between Cilium's endpoint model and
Istio's Workload API, and subscribes to Cilium's existing K8s watchers
(K8sCiliumEndpointsWatcher) to receive real-time updates about
clusterwide endpoint lifecycle events.
Protocol Flow:
1. ztunnel connects and sends DeltaDiscoveryRequest for Address resources
2. Cilium responds with initial seed of all workloads on the node
3. StreamProcessor subscribes to endpoint events via resource.Store
4. As endpoints change, updates are batched and streamed to ztunnel
5. ztunnel ACKs/NACKs each response via nonce matching
Dependencies:
This commit explicitly vendors the Istio Workload API protobuf file:
- istio.io/istio/pkg/workloadapi: Protobuf definitions for Workload,
Service, and Address types
Co-authored-by: Hemanth Malla <[email protected]>
Signed-off-by: Robin Gögge <[email protected]>
Signed-off-by: Louis DeLosSantos <[email protected]>
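Steps 3 to 5 of the protocol flow above (subscribing to endpoint events, batching them into responses, and matching ACKs/NACKs by nonce), as an added Go example that is not code from this PR: the message structs and `StreamState` type are simplified stand-ins for the vendored protobuf types and the PR's StreamProcessor, the resource payloads are constructed strings rather than Address protos, and the single-goroutine-per-stream ownership that lets it omit locking is an assumption. The initial seed (step 2) is modelled as enqueuing every known workload before the first flush.

```go
package main

import (
	"fmt"
	"strconv"
)

// Stand-ins for the Delta ADS messages: only the fields the ACK/NACK logic needs.
type DeltaDiscoveryRequest struct {
	ResponseNonce string // nonce being ACKed/NACKed; empty on the initial request
	ErrorDetail   string // non-empty means NACK
}

type DeltaDiscoveryResponse struct {
	Nonce            string
	Resources        map[string]string // resource name -> constructed Address payload
	RemovedResources []string
}

type EndpointEvent struct {
	Name    string
	Payload string
	Deleted bool
}

// StreamState batches events for one stream and tracks which responses ztunnel has
// acknowledged, so a NACKed batch is neither applied nor lost. One goroutine per
// stream owns it (assumption), so no locking is shown here.
type StreamState struct {
	nextNonce uint64
	known     map[string]string                 // state ztunnel has ACKed
	pending   map[string]EndpointEvent          // batched, not yet sent
	inflight  map[string]DeltaDiscoveryResponse // nonce -> response awaiting ACK
}

func NewStreamState() *StreamState {
	return &StreamState{known: map[string]string{}, pending: map[string]EndpointEvent{}, inflight: map[string]DeltaDiscoveryResponse{}}
}

// Enqueue records an event; a later event for the same name supersedes an earlier one.
// The initial seed is simply every known workload enqueued before the first Flush.
func (s *StreamState) Enqueue(ev EndpointEvent) {
	s.pending[ev.Name] = ev
}

// Flush turns the pending batch into one response carrying a fresh per-stream nonce.
func (s *StreamState) Flush() *DeltaDiscoveryResponse {
	if len(s.pending) == 0 {
		return nil
	}
	s.nextNonce++
	resp := DeltaDiscoveryResponse{Nonce: strconv.FormatUint(s.nextNonce, 10), Resources: map[string]string{}}
	for name, ev := range s.pending {
		if ev.Deleted {
			resp.RemovedResources = append(resp.RemovedResources, name)
		} else {
			resp.Resources[name] = ev.Payload
		}
	}
	s.pending = map[string]EndpointEvent{}
	s.inflight[resp.Nonce] = resp
	return &resp
}

// HandleRequest matches ResponseNonce against in-flight responses: an ACK commits
// that batch, a NACK leaves the last ACKed state untouched and re-queues the batch.
func (s *StreamState) HandleRequest(req DeltaDiscoveryRequest) error {
	resp, ok := s.inflight[req.ResponseNonce]
	if !ok {
		return nil // initial request or a stale nonce: nothing to commit
	}
	delete(s.inflight, req.ResponseNonce)
	if req.ErrorDetail != "" {
		for name, payload := range resp.Resources {
			if _, newer := s.pending[name]; !newer { // never clobber a newer pending event
				s.pending[name] = EndpointEvent{Name: name, Payload: payload}
			}
		}
		for _, name := range resp.RemovedResources {
			if _, newer := s.pending[name]; !newer {
				s.pending[name] = EndpointEvent{Name: name, Deleted: true}
			}
		}
		return fmt.Errorf("ztunnel NACKed nonce %s: %s", req.ResponseNonce, req.ErrorDetail)
	}
	for name, payload := range resp.Resources {
		s.known[name] = payload
	}
	for _, name := range resp.RemovedResources {
		delete(s.known, name)
	}
	return nil
}

// Known reports the payload ztunnel has acknowledged for a resource, if any.
func (s *StreamState) Known(name string) (string, bool) {
	v, ok := s.known[name]
	return v, ok
}
```

The point of keeping `known` separate from `inflight` is that the control plane's picture of what ztunnel enforces only advances on an ACK; a NACK or a stale nonce (a reply to an older response) must never be treated as acceptance, otherwise the control plane believes a workload is reachable or removed when the proxy never applied it.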
Signed-off-by: Hemanth Malla <[email protected]>
Co-authored-by: Robin Gögge <[email protected]>
This was linked to issues (Nov 14, 2025)
nezdolik pushed a commit to nezdolik/cilium that referenced this pull request (Jan 14, 2026):
- `go mod tidy && go mod vendor && go mod verify`
- `cd enterprise/hubble-timescape && go mod tidy && cd ../..`
- fixed minor conflicts in `bpf/bpf_lxc.c`, `bpf/bpf_overlay.c` and `bpf/lib/nodeport.h` so that both new OSS code and previous Enterprise includes are present
- fixed conflicts in `pkg/datapath/config/host_config.go`, `pkg/datapath/config/lxc_config.go` and `pkg/datapath/config/overlay_config.go`
- adapted `enterprise/pkg/maps/extepspolicy/table.go`, `enterprise/pkg/fqdnha/relay/namemanager.go` and `enterprise/pkg/maps/extepspolicy/writer_test.go` due to function signature changes in OSS
- `git cherry-pick -n 3d4abeb61b72d910c58ddb199b189c86c4eaf326 71023768865b9085e6aa8991c553997e1cc6f9b8` to pick up patches from @rastislavs (+ manually added fix in `enterprise/pkg/bgpv1/manager/reconcilerv2/neighbor_test.go` based on patch changes)
- `make -C images update-builder-image update-runtime-image`
- `make -C Documentation update-cmdref`
- `./contrib/scripts/enterprise-testowners.sh`
- remove duplicate `Cleanup Disk space in runner` step in `.github/workflows/cilium-cli.yaml`
- fix mindfulness issues by manually fixing stuff coming from the following PRs:
  - cilium#42169
  - cilium#42011
  - cilium#42012
- `make generate-enterprise-apis`
- adjusted `enterprise/pkg/ingresspolicy` after commit 2faed3a ("policy: fix selector policy leak and detachment issues") removed the implicit addition of the identity on lookup. Now the identity needs to be added and removed in the identity manager.
- Set `clustermesh.config.enabled=true` in enterprise-clustermesh-overlapping-podcidr workflow following commit 562ba2c ("clustermesh: set authMode to migration by default").

Signed-off-by: Nicolas Busseneau <[email protected]>
nezdolik pushed a commit to nezdolik/cilium that referenced this pull request (Jan 14, 2026):
- `go mod tidy && go mod vendor && go mod verify`
- `cd enterprise/hubble-timescape && go mod tidy && cd ../..`
- fixed minor conflicts in `bpf/bpf_lxc.c`, `bpf/bpf_overlay.c` and `bpf/lib/nodeport.h` so that both new OSS code and previous Enterprise includes are present
- fixed conflicts in `pkg/datapath/config/host_config.go`, `pkg/datapath/config/lxc_config.go` and `pkg/datapath/config/overlay_config.go`
- adapted `enterprise/pkg/maps/extepspolicy/table.go`, `enterprise/pkg/fqdnha/relay/namemanager.go` and `enterprise/pkg/maps/extepspolicy/writer_test.go` due to function signature changes in OSS
- `git cherry-pick -n 3d4abeb61b72d910c58ddb199b189c86c4eaf326 71023768865b9085e6aa8991c553997e1cc6f9b8` to pick up patches from @rastislavs (+ manually added fix in `enterprise/pkg/bgpv1/manager/reconcilerv2/neighbor_test.go` based on patch changes)
- `make -C images update-builder-image update-runtime-image`
- `make -C Documentation update-cmdref`
- `./contrib/scripts/enterprise-testowners.sh`
- remove duplicate `Cleanup Disk space in runner` step in `.github/workflows/cilium-cli.yaml`
- fix mindfulness issues by manually fixing stuff coming from the following PRs:
  - cilium#42169
  - cilium#42011
  - cilium#42012
- `make generate-enterprise-apis`
- ~adjusted `enterprise/pkg/ingresspolicy` after commit 2faed3a ("policy: fix selector policy leak and detachment issues") removed the implicit addition of the identity on lookup. Now the identity needs to be added and removed in the identity manager.~ Split into separate PR isovalent/cilium#9506 to ease review and backporting.
- Set `clustermesh.config.enabled=true` in enterprise-clustermesh-overlapping-podcidr workflow following commit 562ba2c ("clustermesh: set authMode to migration by default").
- Had to revert the following commits because they break the ILB CI workflow. Thanks to @mhofstetter for bisecting! See discussion for more details. Upstream fix and re-applying the changes is tracked in isovalent/cilium#9511.
  - cilium#42986
    - 6781758
    - 3cfe7a1
    - a8fd4ed
    - 64e171e
  - cilium#42973
    - c171f22 (with minor conflict resolution)
    - 9530af5
    - not necessary to revert the last 2 commits of that PR
This PR acts as a first part in a series of PRs to introduce native ztunnel integration into Cilium, enabling Cilium to act as a control plane for the standalone ztunnel proxy. This PR provides both a certificate authority (CA) server for mTLS certificate management and an xDS control plane for workload discovery, as well as some initial configuration options to enable this functionality.
It should be noted that the provided CA server is mainly suitable for testing and smaller deployments.
Please see the individual commits and their respective messages for more detailed descriptions of the changes.