
ipsec: Flag to disable key watcher and Helm values #25893

Merged
merged 3 commits into from
Jun 6, 2023

Conversation

pchaigno
Member

@pchaigno pchaigno commented Jun 5, 2023

See commits for details.

Add agent flag `enable-ipsec-key-watcher` to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect.

The IPsec key watcher is used to automatically detect and apply changes
in the key (typically during key rotations). Having this watcher avoids
having to restart the agents to apply the key change.

It can however be desired to only apply the key change when the agent is
restarted. It gives control to the user on when exactly the change
happens. It may also be used as a way to switch from one IPsec
implementation to another (XFRM configs specifically): the user rotates
the key just before the upgrade; on upgrade, the SPI is implicitly used
to distinguish between the old and new implementations as well as the
old and new keys.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
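The watcher-versus-restart behaviour described in the PR text above, as an added Go example that is not Cilium's own code: it models an agent holding one active IPsec key, a secret update that is either applied immediately (watcher enabled) or only at the next restart (watcher disabled), and the SPI as the way to tell the old key from the new one. The secret line layout (`<spi> <algorithm> <hexkey> <keysize>`), the 1..15 SPI range, and the `Agent` and `parseKeyLine` names are assumptions made for illustration, not Cilium's actual implementation.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// IPsecKey models one line of an IPsec key secret.
// Assumed line layout (illustrative): "<spi> <algorithm> <hexkey> <keysize>".
type IPsecKey struct {
	SPI  uint8
	Algo string
	Key  string
	Size int
}

// parseKeyLine parses one secret line. The 1..15 SPI range is an assumption
// of this model; key length is not validated here.
func parseKeyLine(line string) (IPsecKey, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return IPsecKey{}, fmt.Errorf("expected 4 fields, got %d", len(fields))
	}
	spi, err := strconv.ParseUint(fields[0], 10, 8)
	if err != nil || spi == 0 || spi > 15 {
		return IPsecKey{}, errors.New("SPI must be an integer in 1..15")
	}
	size, err := strconv.Atoi(fields[3])
	if err != nil {
		return IPsecKey{}, fmt.Errorf("bad key size: %w", err)
	}
	return IPsecKey{SPI: uint8(spi), Algo: fields[1], Key: fields[2], Size: size}, nil
}

// Agent is a hypothetical stand-in for the datapath agent: the key currently
// programmed, the most recent secret content seen, and the watcher switch
// (corresponding to the enable-ipsec-key-watcher flag).
type Agent struct {
	WatcherEnabled bool
	active         IPsecKey
	latestSecret   string
}

// Start reads the secret once, as the agent does on (re)start.
func (a *Agent) Start(secret string) error {
	k, err := parseKeyLine(secret)
	if err != nil {
		return err
	}
	a.active = k
	a.latestSecret = secret
	return nil
}

// OnSecretUpdate is invoked when the secret changes. With the watcher enabled
// the new key is applied immediately; otherwise it is only remembered and
// takes effect at the next Restart. Returns true if the key was applied now.
func (a *Agent) OnSecretUpdate(secret string) (bool, error) {
	k, err := parseKeyLine(secret)
	if err != nil {
		return false, err
	}
	a.latestSecret = secret
	if k.SPI == a.active.SPI && k.Key == a.active.Key {
		return false, nil // no change
	}
	if k.SPI == a.active.SPI {
		// Same SPI but different key: old and new could not be told apart,
		// so this model refuses it rather than silently re-keying.
		return false, errors.New("key changed without changing the SPI")
	}
	if !a.WatcherEnabled {
		return false, nil // deferred until restart
	}
	a.active = k
	return true, nil
}

// Restart simulates an agent restart: whatever the secret holds now is loaded.
func (a *Agent) Restart() error { return a.Start(a.latestSecret) }

// ActiveSPI reports the SPI of the key currently in effect.
func (a *Agent) ActiveSPI() uint8 { return a.active.SPI }

func main() {
	// Constructed sample secret lines; the hex keys are placeholders.
	oldKey := "3 rfc4106(gcm(aes)) 0x0123456789abcdef0123456789abcdef01234567 128"
	newKey := "4 rfc4106(gcm(aes)) 0xfedcba9876543210fedcba9876543210fedcba98 128"

	a := &Agent{WatcherEnabled: false}
	_ = a.Start(oldKey)
	applied, _ := a.OnSecretUpdate(newKey)
	fmt.Printf("watcher off: applied=%v active SPI=%d\n", applied, a.ActiveSPI())
	_ = a.Restart()
	fmt.Printf("after restart: active SPI=%d\n", a.ActiveSPI())
}
```

With the watcher disabled the rotated key stays pending until `Restart`, which is exactly the control over timing the PR describes; with it enabled, `OnSecretUpdate` applies the new key as soon as it is seen.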
@pchaigno pchaigno added area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. area/helm Impacts helm charts and user deployment experience release-blocker/1.11 This issue will prevent the release of the next version of Cilium. needs-backport/1.11 release-blocker/1.12 This issue will prevent the release of the next version of Cilium. needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Jun 5, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jun 5, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.4 Jun 5, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.11.18 Jun 5, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.12.11 Jun 5, 2023
@pchaigno pchaigno added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Jun 5, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 5, 2023
@pchaigno pchaigno marked this pull request as ready for review June 5, 2023 10:20
@pchaigno pchaigno requested review from a team as code owners June 5, 2023 10:20
@pchaigno pchaigno requested review from thorn3r, tklauser, jibi, youngnick and kaworu and removed request for kaworu and youngnick June 5, 2023 10:20
This commit adds a Helm value for the enable-ipsec-key-watcher agent
flag introduced in the previous commit.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno
Member Author

pchaigno commented Jun 6, 2023

Marking ready to merge given the two lines of actual functional change are not covered by end-to-end tests today anyway.

@dylandreimerink dylandreimerink merged commit 31f6ab1 into cilium:main Jun 6, 2023
59 of 61 checks passed
@pchaigno pchaigno deleted the flag-disable-key-watcher branch June 6, 2023 12:23
@YutaroHayakawa YutaroHayakawa mentioned this pull request Jun 7, 2023
@YutaroHayakawa YutaroHayakawa added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Jun 7, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.13 in 1.13.4 Jun 7, 2023
@YutaroHayakawa YutaroHayakawa mentioned this pull request Jun 8, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.12 in 1.12.11 Jun 8, 2023
@YutaroHayakawa YutaroHayakawa mentioned this pull request Jun 8, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.11 in 1.11.18 Jun 8, 2023
@YutaroHayakawa YutaroHayakawa added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Jun 8, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.4 Jun 8, 2023
@YutaroHayakawa YutaroHayakawa added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Jun 12, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.11 to Backport done to v1.11 in 1.11.18 Jun 12, 2023
@YutaroHayakawa YutaroHayakawa added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Jun 12, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.12 to Backport done to v1.12 in 1.12.11 Jun 12, 2023