Skip to content

ipsec: keep SPI in sync between keyCustodian and BPF map #41456

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 3, 2025
Merged

ipsec: keep SPI in sync between keyCustodian and BPF map #41456

merged 2 commits into from
Sep 3, 2025

Conversation

smagnani96
Copy link
Contributor

The keyCustodian.SPI() method is used only in newDaemon to annotate the node.
The thing is that subsequent changes to the SPI from the ipsec job would cause misalignment from the SPI in the BPF map (will contain the updated one) and the one stored in the ipsec agent (will contain the old one inferred during startup). No errors as of today though.
This is just so that we don't panic if we'll start using .SPI() in other places in the future and notice a different value.

@smagnani96
ipsec: keyfileWatcher and setIPSecSPI as private keyCustodian methods
f8878a1 
This commit is a small refactor to prepare for the subsequent one.
There are no functional changes. It simply sets the keyfileWatcher and
setIPSecSPI methods as private to the keyCustodian.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96
fix:ipsec: keep keyCustodian SPI updated with BPF map
e4cfef2 
Prior to this commit, the SPI could've changed at runtime due to a new key
being written in the watched file. However, that update would have affected
only the underlying BPF map, and not the keyCustodian.
It is true that the SPI() method of the keyCustodian seems to be called
only during the daemon startup, but if in future we'd need to call it
again and the key changed in the meantime the method would've returned
an outdated SPI value. Let's fix this behavior.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96 smagnani96 requested a review from pchaigno September 1, 2025 10:47
@smagnani96 smagnani96 self-assigned this Sep 1, 2025
@smagnani96 smagnani96 added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipsec Relates to Cilium's IPsec feature labels Sep 1, 2025
@smagnani96 smagnani96 mentioned this pull request Sep 1, 2025
Merged
@smagnani96
Copy link
Contributor Author

/ci-runtime

@smagnani96
Copy link
Contributor Author

/test

@smagnani96 smagnani96 marked this pull request as ready for review September 1, 2025 14:37
@smagnani96 smagnani96 requested a review from a team as a code owner September 1, 2025 14:37
@smagnani96
Copy link
Contributor Author

Merging this would unblock #41252 🙏🏼 @cilium/ipsec

pchaigno
pchaigno approved these changes Sep 3, 2025
View reviewed changes
Copy link
Member

@pchaigno pchaigno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure how I missed the notification when you opened for review 🤔

Thanks!

@pchaigno pchaigno added release-note/misc This PR makes changes that have no direct user impact. and removed release-note/bug This PR fixes an issue in a previous release of Cilium. labels Sep 3, 2025
@pchaigno
Copy link
Member

pchaigno commented Sep 3, 2025

It's only a release-note/bug if it fixes a bug with user-visible impact.

@pchaigno pchaigno added this pull request to the merge queue Sep 3, 2025
Merged via the queue into main with commit 39c3fc8 Sep 3, 2025
472 of 477 checks passed
@pchaigno pchaigno deleted the pr/smagnani96/fix-ipsec-spi branch September 3, 2025 08:16
@maintainer-s-little-helper maintainer-s-little-helper bot added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Sep 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pchaigno pchaigno pchaigno approved these changes

Assignees

@smagnani96 smagnani96

Labels
area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipsec Relates to Cilium's IPsec feature kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@smagnani96 @pchaigno