dciangot
Member

Summary

This PR introduces native Container Runtime Interface (CRI) support and Kubernetes-based mTLS certificate management, representing a major evolution in interLink's architecture and deployment capabilities.

🚀 Key Features

CRI Implementation

  • Standalone CRI Binary: New cmd/interlink-cri/ with full CRI service implementation
  • Direct Kubelet Integration: Native container runtime interface for seamless Kubernetes integration
  • Image Management: Complete CRI image service with pull, list, and status operations
  • Container Lifecycle: Full pod and container lifecycle management through CRI protocol

Kubernetes mTLS Integration

  • CSR-based Certificate Management: Automated TLS certificate provisioning via Kubernetes Certificate Signing Requests
  • Enhanced Security: Native Kubernetes certificate lifecycle management
  • Virtual Kubelet mTLS: Client certificate support for secure plugin communication

Comprehensive Documentation

  • CRI Integration Guide: Complete documentation in docs/docs/other-integrations/cri/
    • Quickstart guide for immediate deployment
    • Detailed usage guide with configuration examples
    • Technical reference with implementation details
  • mTLS Deployment Guide: Step-by-step Kubernetes certificate setup
  • Systemd Integration: Production deployment with systemd services

🔧 Technical Improvements

CI/CD Enhancements

  • Updated Dagger CI pipeline with CRI testing support
  • Enhanced build processes for new binaries
  • Comprehensive integration testing

Configuration Updates

  • Extended InterLink configuration for CRI support
  • New certificate management options
  • Enhanced plugin communication settings

🔄 Migration Path

For Existing Users:

  • Backward compatible with existing Virtual Kubelet deployments
  • Optional CRI integration for enhanced Kubernetes native support
  • Existing plugin configurations remain supported

For New Deployments:

  • CRI integration provides native kubelet experience
  • Simplified certificate management through Kubernetes APIs
  • Enhanced security posture with automated certificate rotation

🧪 TODO: Pre-Release Testing Coverage

  • Full CRI functionality testing in CI pipeline
  • mTLS certificate rotation validation
  • Multi-platform compatibility verification
  • Integration testing with real Kubernetes workloads

📋 Breaking Changes

  • Some configuration schema updates for enhanced features
  • Documentation structure reorganization
  • Enhanced security defaults may require configuration updates

dciangot added 5 commits June 19, 2025 10:12
Signed-off-by: Diego Ciangottini <diego.ciangottini@pg.infn.it>
Signed-off-by: Diego Ciangottini <diego.ciangottini@pg.infn.it>
Signed-off-by: Diego Ciangottini <diego.ciangottini@pg.infn.it>
Signed-off-by: Diego Ciangottini <diego.ciangottini@pg.infn.it>
Signed-off-by: Diego Ciangottini <diego.ciangottini@pg.infn.it>
Member Author

@dciangot dciangot left a comment

This PR introduces substantial enhancements including native CRI support, Kubernetes mTLS integration using CSR, and improvements to CI/CD pipelines.

Pros:

  • Comprehensive support for container lifecycle through CRI and integration with kubelet.
  • Enhanced security with automated mTLS certificate management.
  • Detailed documentation aiding deployment and migration.
  • Maintains backward compatibility with existing deployments.

Suggestions:

  • Consider adding automated tests specifically targeting new CRI functionalities to ensure ongoing stability.
  • Verify CI/CD pipeline adjustments do not affect existing workflows adversely.

Overall, this is a significant and well-documented improvement that advances the project. Good job!

Member Author

@dciangot dciangot left a comment

Major feature PR introducing Container Runtime Interface (CRI) support and Kubernetes mTLS integration with CSR. Includes documentation and CI/CD improvements. Assigned to reviewer Bianco95. Please prioritize review for merging discussions.
