Skip to content

ipsec: Remove deprecated upgrade code #34709

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 12, 2024
Merged

ipsec: Remove deprecated upgrade code #34709

merged 3 commits into from
Nov 12, 2024

Conversation

pchaigno
Copy link
Member

@pchaigno pchaigno commented Sep 5, 2024
edited
Loading

The first commit removes support for the global-key system in IPsec, which had been deprecated in v1.16. The second commit removes IPsec upgrade logic that isn't needed anymore. The third commit fixes the unit tests to support the per-tunnel-keys system.

Remove support for the insecure, deprecated global IPsec key. Per-tunnel IPsec keys will now be used regardless of the IPsec secret format.

@pchaigno pchaigno added kind/cleanup This includes no functional changes. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. feature/ipsec Relates to Cilium's IPsec feature labels Sep 5, 2024
@pchaigno pchaigno force-pushed the pr/pchaigno/remove-deprecated-ipsec-upgrade-code branch 4 times, most recently from 00d8893 to 55a0cfd Compare September 5, 2024 18:11
@pchaigno pchaigno added the upgrade-impact This PR has potential upgrade or downgrade impact. label Sep 5, 2024
@pchaigno pchaigno force-pushed the pr/pchaigno/remove-deprecated-ipsec-upgrade-code branch 3 times, most recently from 3453b69 to a8d2b6c Compare September 6, 2024 08:01
@pchaigno pchaigno marked this pull request as ready for review September 6, 2024 10:05
@pchaigno pchaigno requested review from a team as code owners September 6, 2024 10:05
aanm
aanm previously requested changes Sep 6, 2024
View reviewed changes
@julianwiedmann
Copy link
Member

Nice, I believe this also addresses #32040.

julianwiedmann
julianwiedmann reviewed Sep 6, 2024
View reviewed changes
Copy link
Member

@julianwiedmann julianwiedmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one question, the change looks good!

qmonnet
qmonnet approved these changes Sep 6, 2024
View reviewed changes
Copy link
Member

@qmonnet qmonnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good from my side. Nice clean-up!

thorn3r
thorn3r approved these changes Sep 9, 2024
View reviewed changes
Copy link
Contributor

@thorn3r thorn3r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM for Clustermesh changes

@pchaigno pchaigno marked this pull request as draft October 3, 2024 08:33
@julianwiedmann julianwiedmann mentioned this pull request Oct 8, 2024
Merged
julianwiedmann
julianwiedmann reviewed Oct 10, 2024
View reviewed changes
@pchaigno pchaigno force-pushed the pr/pchaigno/remove-deprecated-ipsec-upgrade-code branch from a8d2b6c to ed12852 Compare November 11, 2024 19:13
@pchaigno pchaigno dismissed aanm’s stale review November 11, 2024 19:19

There are no more cilium/github-sec (and in general CI) changes.

@pchaigno pchaigno requested a review from rgo3 November 11, 2024 19:21
@pchaigno pchaigno marked this pull request as ready for review November 11, 2024 19:21
@pchaigno pchaigno enabled auto-merge November 11, 2024 20:01
@pchaigno pchaigno force-pushed the pr/pchaigno/remove-deprecated-ipsec-upgrade-code branch 2 times, most recently from d663b1b to 8bb660c Compare November 12, 2024 10:10
@pchaigno
ipsec: Remove support for deprecated global key
0017849 
Support for a global IPsec key (i.e., without + sign in the secret or
ESN set to false) was deprecated in v1.16. We can now remove it and
assume we're always using per-tunnel keys with ESN set to true.

As a reminder, global key support was disabled because it's insecure.
Removing it will ensure no Cilium user shoot themselves in the foot.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno
ipsec: Remove stale upgrade logic
5567b40 
We made a lot of changes to IPsec a few releases back. With that came a
lot of code to handle upgrades and remove or replace old XFRM rules.
With v1.17, we can now assume all users went through that upgrade in
v1.16 at the latest and the upgrade-specific code is not needed anymore.
Old XFRM rules will have been removed or replaced already.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno
ipsec: Fix unit tests for per-tunnel keys
66746e3 
The IPsec unit tests were previously running with global keys. Since
support for such keys was removed, they will now run with per-tunnel
keys. They however currently fail with per-tunnel keys:

    --- FAIL: TestUpsertIPSecEndpoint (0.00s)
    panic: runtime error: slice bounds out of range [:36] with capacity 14 [recovered]
        panic: runtime error: slice bounds out of range [:36] with capacity 14

This is because the fake boot ID being used is shorter than 36
characters. We need to pass a fake boot ID that is as long as a real
boot ID to fix this.

In addition the expected XFRM's mark must now include the node ID to
match what is installed on the system.

Finally, the expected XFRM state keys have changed and are derived from
the global key instead of simply being the global key.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno pchaigno force-pushed the pr/pchaigno/remove-deprecated-ipsec-upgrade-code branch from 8bb660c to 66746e3 Compare November 12, 2024 11:04
@pchaigno
Copy link
Member Author

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 12, 2024
@pchaigno pchaigno added this pull request to the merge queue Nov 12, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 12, 2024
Merged via the queue into main with commit ce69ff7 Nov 12, 2024
275 checks passed
@pchaigno pchaigno deleted the pr/pchaigno/remove-deprecated-ipsec-upgrade-code branch November 12, 2024 16:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tklauser tklauser tklauser approved these changes

@borkmann borkmann borkmann approved these changes

@rgo3 rgo3 rgo3 approved these changes

@qmonnet qmonnet qmonnet approved these changes

@thorn3r thorn3r thorn3r approved these changes

@aanm aanm aanm left review comments

@julianwiedmann julianwiedmann Awaiting requested review from julianwiedmann

Assignees
No one assigned
Labels
feature/ipsec Relates to Cilium's IPsec feature kind/cleanup This includes no functional changes. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. upgrade-impact This PR has potential upgrade or downgrade impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@pchaigno @julianwiedmann @tklauser @borkmann @aanm @rgo3 @qmonnet @thorn3r