Skip to content

Conversation

viktor-kurchenko
Copy link
Contributor

@viktor-kurchenko viktor-kurchenko commented Feb 18, 2025

Please see per commit description.

@viktor-kurchenko viktor-kurchenko requested review from a team as code owners February 18, 2025 18:40
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 18, 2025
@github-actions github-actions bot added cilium-cli This PR contains changes related with cilium-cli cilium-cli-exclusive This PR only impacts cilium-cli binary labels Feb 18, 2025
Copy link
Contributor

@smagnani96 smagnani96 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I remember discussing (and tried to implement) this with @pchaigno during my on-boarding. IIRC, the outcome of the discussion was "It's a nice to have, but the burden of maintaining additional code might be heavier than the advantages brought".

Though, happy to re-consider this 😃
The code LGTM. We're not going to support all possible cases (ex looking here I also see a key 3 digest_null "" cipher_null ""), right?

@viktor-kurchenko
Copy link
Contributor Author

We're not going to support all possible cases (ex looking here I also see a key 3 digest_null "" cipher_null ""), right?

Oh, good question!
Do we know all possible supported formats?

@smagnani96
Copy link
Contributor

Oh, good question! Do we know all possible supported formats?

These are used in our tests, but there could be more combination with different formats.

@pchaigno
Copy link
Member

I remember discussing (and tried to implement) this with @pchaigno during my on-boarding. IIRC, the outcome of the discussion was "It's a nice to have, but the burden of maintaining additional code might be heavier than the advantages brought".

I think my opinion didn't change, though I'm happy to discuss it and reconsider. My main question would be what problem do we aim to solve with this additional code? Any code we add will need maintenance, any abstraction will limit what users can do. Even if these inconveniences are small (as is likely the case here), we need to weight them against benefit(s). If the benefits are negligible (ex. the command looks nicer), then it's probably not worth it.

@viktor-kurchenko
Copy link
Contributor Author

My main question would be what problem do we aim to solve with this additional code? Any code we add will need maintenance, any abstraction will limit what users can do. Even if these inconveniences are small (as is likely the case here), we need to weight them against benefit(s). If the benefits are negligible (ex. the command looks nicer), then it's probably not worth it.

I see your points, fair enough!

My arguments are:

  1. For the users (who are not familiar with XFRM) Cilium CLI can be more friendly than bash commands.
  2. Bash tools might have different behavior on different OSs.
  3. Bash tools might not be installed on user boxes.
  4. We already have key rotation support in Cilium CLI which does the same thingy and requires the same maintenance from our side. So, I think it should also be removed if we decide not to introduce this one.
  5. Advanced users are still not limited to using bash tools.

CC: @smagnani96

@smagnani96
Copy link
Contributor

smagnani96 commented Feb 19, 2025

  1. For the users (who are not familiar with XFRM) Cilium CLI can be more friendly than bash commands.

I'd like to provide users the easiest way to interact with Cilium.
Our configurations might be hacky or tricky sometimes.
We could provide such CLI command with "bare minimum" support (ex. just aead algo), leaving advanced config to expert users who need specific settings.
After all, that's similar to how users can install Cilium (either via cli install or directly via helm).

  1. Bash tools might have different behavior on different OSs.

In theory that's right, in practice I don't think we're using sorceries (echo, dd, xxd), so I wouldn't worry too much for this.

  1. Bash tools might not be installed on user boxes.

I remember once I received an error xxd: unknown command upon issuing the following, but I don't recall the env:

kubectl create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128"

  1. We already have key rotation support in Cilium CLI which does the same thingy and requires the same maintenance from our side. So, I think it should also be removed if we decide not to introduce this one.

Partially agree. Unfortunately, the commands to patch the k8s secret are less immediate than a simple create, as shown https://github.com/cilium/cilium/blob/main/.github/actions/ipsec-key-rotate/action.yaml#L26-L39.

So the rotate command is definitively convenient to keep it (even though it does not support all algo formats).

  1. Advanced users are still not limited to using bash tools.

The manual create secret command would still be available to users.

@viktor-kurchenko
Copy link
Contributor Author

@pchaigno WDYT?

@jschwinger233
Copy link
Member

I still remember copying and pasting commands too quickly, failing to notice error messages (such as xxd: command not found) "hidden" in the output multiple times. If a cilium-cli create-key command existed, I must admit I’d prefer to use it.

However, cilium-cli create-key --auth-algo gcm-aes --wait-duration 1 doesn’t cover all current use cases. For example, cilium-cli --context should be considered for clustermesh scenarios, which is precisely Paul’s concern: any abstraction will limit what users can do.

My personal take is that we should incorporate the new CLI into all ipsec gh workflows as part of the pr, demonstrating that it is robust enough to handle our current use cases. Even if this can only help developers make less mistakes, I think it's of value.

@asauber
Copy link
Member

asauber commented Mar 21, 2025

Is this a WIP?

@viktor-kurchenko viktor-kurchenko marked this pull request as draft March 21, 2025 16:02
@viktor-kurchenko
Copy link
Contributor Author

Is this a WIP?

Yes, I've converted to the draft.
Sorry for the delay.

Copy link

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Apr 21, 2025
@viktor-kurchenko viktor-kurchenko force-pushed the vk/pr/encrypt/key/create branch 2 times, most recently from 188b46c to ec0c0c4 Compare April 21, 2025 20:27
@viktor-kurchenko
Copy link
Contributor Author

/ci-ipsec-e2e

@viktor-kurchenko
Copy link
Contributor Author

/ci-eks

@viktor-kurchenko viktor-kurchenko added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. release-note/ci This PR makes changes to the CI. labels Apr 21, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 21, 2025
@github-actions github-actions bot removed the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Apr 22, 2025
@viktor-kurchenko viktor-kurchenko force-pushed the vk/pr/encrypt/key/create branch from ec0c0c4 to 7df7ab8 Compare April 22, 2025 06:18
@viktor-kurchenko
Copy link
Contributor Author

@tamilmani1989 kind ping)

@viktor-kurchenko
Copy link
Contributor Author

Hey @cilium/azure, could you please review the PR.

@qmonnet
Copy link
Member

qmonnet commented Jun 3, 2025

@cilium/azure (@tamilmani1989, @ungureanuvladvictor, @hemanthmalla, @tommyp1ckles), gentle ping. It would be great to move forward with this PR.

@viktor-kurchenko viktor-kurchenko removed the request for review from tamilmani1989 June 3, 2025 14:33
Copy link
Contributor

@tommyp1ckles tommyp1ckles left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks, had a few points but they're minor. Approving to not hold this up anymore.

@maintainer-s-little-helper maintainer-s-little-helper bot added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Jun 4, 2025
@viktor-kurchenko viktor-kurchenko force-pushed the vk/pr/encrypt/key/create branch from 5d89eb0 to 8fa28bd Compare June 4, 2025 07:44
@viktor-kurchenko
Copy link
Contributor Author

/test

The commit adds IPsec key create sub-command in Cilium CLI.
The intention is to use this command for encryption secret provisioning
before the Cilium installation.

Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
The commit replaces bash scripts in CI with the Cilium CLI encrypt
sub-commands.

Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
The commit fixes IPsec expected key calculation algorithm.

Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
The commit improves IPsec algorithm names.

Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com>
@viktor-kurchenko viktor-kurchenko force-pushed the vk/pr/encrypt/key/create branch from 8fa28bd to fb67420 Compare June 5, 2025 06:40
@viktor-kurchenko
Copy link
Contributor Author

/test

@joestringer joestringer added this pull request to the merge queue Jun 5, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jun 5, 2025
@joestringer joestringer added this pull request to the merge queue Jun 5, 2025
Merged via the queue into main with commit 7ff6054 Jun 5, 2025
313 of 315 checks passed
@joestringer joestringer deleted the vk/pr/encrypt/key/create branch June 5, 2025 16:06
@maintainer-s-little-helper maintainer-s-little-helper bot removed ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Jun 5, 2025
@joestringer joestringer removed the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Jul 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cilium-cli This PR contains changes related with cilium-cli cilium-cli-exclusive This PR only impacts cilium-cli binary release-note/ci This PR makes changes to the CI.
Projects
None yet
Development

Successfully merging this pull request may close these issues.