Skip to content

Cilium CLI IPsec fixes #37018

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 18, 2025
Merged

Cilium CLI IPsec fixes #37018

merged 2 commits into from
Feb 18, 2025

Conversation

viktor-kurchenko
Copy link
Contributor

Cilium CLI IPsec fixes:

  1. expectedIPsecKeyCount function fixed according to the rules from CI.
  2. Make key-per-node param visible to users

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 16, 2025
@github-actions github-actions bot added cilium-cli This PR contains changes related with cilium-cli cilium-cli-exclusive This PR only impacts cilium-cli binary labels Jan 16, 2025
@viktor-kurchenko viktor-kurchenko added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. and removed cilium-cli This PR contains changes related with cilium-cli cilium-cli-exclusive This PR only impacts cilium-cli binary labels Jan 16, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 16, 2025
@viktor-kurchenko viktor-kurchenko marked this pull request as ready for review January 16, 2025 13:55
@viktor-kurchenko viktor-kurchenko requested review from a team as code owners January 16, 2025 13:55
@viktor-kurchenko
Copy link
Contributor Author

/test

@viktor-kurchenko viktor-kurchenko added cilium-cli This PR contains changes related with cilium-cli cilium-cli-exclusive This PR only impacts cilium-cli binary labels Jan 16, 2025
jschwinger233
jschwinger233 reviewed Jan 17, 2025
View reviewed changes
Copy link
Member

@jschwinger233 jschwinger233 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the "+4 for tunnel routing" is only expected for 1.17+. Maybe we should do some versioning control?

if ciliumVersion > 1.17 {
   // new expected keys 
} else {
  // old algorithm
}

@viktor-kurchenko
Copy link
Contributor Author

I think the "+4 for tunnel routing" is only expected for 1.17+. Maybe we should do some versioning control?

Good catch!
I've checked v1.16 and v1.15 and the logic is also different:

So, does it mean that we should have something like this:

if ciliumVersion > 1.17 {
   // new expected keys 
} else if ciliumVersion == 1.16 {
  // old algorithm-1
} else {
  // old algorithm-2
}

?

@jschwinger233
Copy link
Member

does it mean that we should have something like this

Yes, thank you

@viktor-kurchenko viktor-kurchenko marked this pull request as draft January 17, 2025 19:53
@viktor-kurchenko viktor-kurchenko force-pushed the vk/pr/cli/ipsec/fixes branch 3 times, most recently from ed4c75e to 671cca6 Compare January 20, 2025 20:19
@viktor-kurchenko
Copy link
Contributor Author

Yes, thank you

Hey @jschwinger233, I've added version check but looks like the algorithm is incorrect.

I have local 4 node kind cluster with enabled IPsec and VXLAN.
cilium-dbg encrypt status returns Keys in use: 18.
But CLI cilium encrypt status:

IPsec keys in use: 18 on 4/4
IPsec expected key count: 20

@jschwinger233
Copy link
Member

jschwinger233 commented Jan 21, 2025
edited
Loading

Viktor: I believe you are right, I didn't think over this thoroughly.

The correct algorithm for 1.17 should be:

  • ipv4, from/to remote: (node_number - 1) * 2
  • ipv6, from/to remote: (node_number - 1) *2
  • ipv4, VinE: (node_number - 1) * 2

in total, it's (node_number - 1) * 6.

Would you like to fix the workflow in a separate PR?

@viktor-kurchenko
Copy link
Contributor Author

@jschwinger233 one clarification:
What is VinE? Is it VXLAN encapsulation?
Thank you!

@jschwinger233
Copy link
Member

VinE is Vxlan in ESP: #36345

@viktor-kurchenko viktor-kurchenko force-pushed the vk/pr/cli/ipsec/fixes branch 2 times, most recently from 64c4fe0 to 910682b Compare February 17, 2025 14:10
@viktor-kurchenko viktor-kurchenko force-pushed the vk/pr/cli/ipsec/fixes branch 3 times, most recently from 0850840 to ec320f1 Compare February 17, 2025 15:17
@viktor-kurchenko viktor-kurchenko marked this pull request as ready for review February 17, 2025 19:46
@viktor-kurchenko
Copy link
Contributor Author

viktor-kurchenko commented Feb 17, 2025
edited
Loading

@jschwinger233 Paul and I agreed to support IPsec key status and rotation starting from Cilium v1.18.
Could you please review one more time?

@viktor-kurchenko
Copy link
Contributor Author

/test

pchaigno
pchaigno reviewed Feb 17, 2025
View reviewed changes
Copy link
Member

@pchaigno pchaigno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple questions, but it looks good otherwise 🚀

@maintainer-s-little-helper maintainer-s-little-helper bot added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Feb 17, 2025
@pchaigno pchaigno added dont-merge/bad-bot To prevent MLH from marking ready-to-merge. and removed ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Feb 17, 2025
@viktor-kurchenko
cli,ipsec: remove key-per-node param
015070b 
The commit removes `key-per-node` parameter as newer Cilium versions
support only IPsec key per node.

Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
@viktor-kurchenko
cli,ipsec: expected key count fixed
cc8b463 
The commit fixes ipsecExpectedKeyCount function and restricts the
functionality to the Cilium version 1.18 and higher.

Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
pchaigno
pchaigno approved these changes Feb 18, 2025
View reviewed changes
Copy link
Member

@pchaigno pchaigno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Thanks Viktor! 🙏

@pchaigno
Copy link
Member

/test

@pchaigno pchaigno removed the dont-merge/bad-bot To prevent MLH from marking ready-to-merge. label Feb 18, 2025
@pchaigno pchaigno enabled auto-merge February 18, 2025 15:01
@pchaigno pchaigno added this pull request to the merge queue Feb 18, 2025
Merged via the queue into main with commit 9ae5282 Feb 18, 2025
208 of 211 checks passed
@pchaigno pchaigno deleted the vk/pr/cli/ipsec/fixes branch February 18, 2025 17:27
@joestringer joestringer mentioned this pull request Feb 20, 2025
Closed
@github-actions github-actions bot mentioned this pull request Feb 24, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pchaigno pchaigno pchaigno approved these changes

@asauber asauber Awaiting requested review from asauber

@jschwinger233 jschwinger233 Awaiting requested review from jschwinger233

Assignees
No one assigned
Labels
cilium-cli This PR contains changes related with cilium-cli cilium-cli-exclusive This PR only impacts cilium-cli binary release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@viktor-kurchenko @jschwinger233 @pchaigno @asauber