@pchaigno pchaigno commented May 13, 2025

Viktor noticed that the nb-nodes parameter for the IPsec key rotation tests wasn't consistent with the actual number of nodes in the test clusters. This pull request fixes it. It turns out the tests were passing for the wrong reasons. See commits for details.

@pchaigno pchaigno added release-note/ci This PR makes changes to the CI. feature/ipsec Relates to Cilium's IPsec feature labels May 13, 2025
@pchaigno pchaigno force-pushed the pr/pchaigno/fix-node-count-in-key-rotations branch 3 times, most recently from 70210e1 to 1f8cba8 Compare May 14, 2025 10:45
pchaigno added 2 commits May 14, 2025 14:11
The GitHub action to perform IPsec key rotations expects a parameter
nb-nodes, described as "Number of nodes in the cluster or clustermesh".
The value actually expected is however the number of *remote nodes*, so
the number of nodes minus one.

Let's fix this to match the description. We'll decrement the value in
the GitHub action.

Reported-by: Viktor Kurchenko <viktor.kurchenko@isovalent.com>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

During the key rotation test, we count the number of IPsec keys to
determine where we are in the key rotation. That number however depends
on the IPAM mode. Indeed, for ENI and Azure IPAM modes, we install two
XFRM states on ingress instead of one, each with their own IPsec key.

This commit therefore adds support for these modes, called subnet
encryption in the context of IPsec.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno pchaigno force-pushed the pr/pchaigno/fix-node-count-in-key-rotations branch from 1f8cba8 to 6bb7ac5 Compare May 14, 2025 12:11
@pchaigno pchaigno marked this pull request as ready for review May 14, 2025 12:12
@pchaigno pchaigno requested review from a team as code owners May 14, 2025 12:12
@pchaigno pchaigno requested review from liyihuang, rgo3 and Artyop May 14, 2025 12:12
@pchaigno pchaigno enabled auto-merge May 14, 2025 12:13
@pchaigno pchaigno changed the title Test IPsec rotation ipsec: Fix key count in key rotation test May 14, 2025
@pchaigno

/test

@pchaigno pchaigno added this pull request to the merge queue May 14, 2025
Merged via the queue into main with commit 824b980 May 14, 2025
408 of 449 checks passed
@pchaigno pchaigno deleted the pr/pchaigno/fix-node-count-in-key-rotations branch May 14, 2025 15:13