[v1.14] gh/workflows: IPsec key rotation improvements by julianwiedmann · Pull Request #31429 · cilium/cilium · GitHub

[v1.14] gh/workflows: IPsec key rotation improvements #31429

Merged
merged 5 commits into from
Apr 9, 2024

julianwiedmann
Member

Manual backport of

Once this PR is merged, a GitHub action will update the labels of these PRs:

 29592 29704

@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Mar 16, 2024
@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann force-pushed the pr/jwi/v1.14/ipsec-rotation branch from de3a0f6 to 94b6f78 Compare March 16, 2024 14:24
@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann requested a review from brb March 16, 2024 14:25
@julianwiedmann julianwiedmann force-pushed the pr/jwi/v1.14/ipsec-rotation branch from 94b6f78 to fbf3a34 Compare March 16, 2024 16:59
@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann force-pushed the pr/jwi/v1.14/ipsec-rotation branch from fbf3a34 to 1665948 Compare March 16, 2024 17:23
@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann force-pushed the pr/jwi/v1.14/ipsec-rotation branch from 1665948 to 2c7221a Compare March 16, 2024 17:43
@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann marked this pull request as ready for review March 16, 2024 18:04
@julianwiedmann julianwiedmann requested review from a team as code owners March 16, 2024 18:04
@julianwiedmann julianwiedmann requested a review from brlbil March 16, 2024 18:04
Member
@brb brb left a comment

Thanks!

@julianwiedmann
Member Author

I believe there's some conflicting work in the pipeline, so let's see how we get this in the easiest. preview-only for now, but good for review.

@julianwiedmann julianwiedmann added the dont-merge/preview-only Only for preview or testing, don't merge it. label Mar 17, 2024
@viktor-kurchenko viktor-kurchenko removed the request for review from brlbil March 18, 2024 11:49
@julianwiedmann julianwiedmann force-pushed the pr/jwi/v1.14/ipsec-rotation branch from 2c7221a to 614db9d Compare March 27, 2024 12:58
@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann force-pushed the pr/jwi/v1.14/ipsec-rotation branch from 614db9d to 39eb11d Compare March 27, 2024 14:09
@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann force-pushed the pr/jwi/v1.14/ipsec-rotation branch from 39eb11d to 7530971 Compare March 27, 2024 14:58
@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann removed the dont-merge/preview-only Only for preview or testing, don't merge it. label Mar 27, 2024
@julianwiedmann julianwiedmann added the dont-merge/waiting-for-review Requires further review before merging. label Mar 27, 2024
@julianwiedmann julianwiedmann requested a review from pchaigno March 27, 2024 16:32
@julianwiedmann julianwiedmann added area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipsec Relates to Cilium's IPsec feature area/CI Continuous Integration testing issue or flake area/CI-improvement Topic or proposal to improve the Continuous Integration workflow labels Mar 27, 2024
@pchaigno
Member
pchaigno commented Apr 3, 2024

@julianwiedmann Is there something in particular I should review? This is just a backport for two PRs I already reviewed, no?

@julianwiedmann
Member Author

@julianwiedmann Is there something in particular I should review? This is just a backport for two PRs I already reviewed, no?

Right, sorry - I should have noted that. The interesting part is the adjustments for the new key system in 5e1e120. This should be very much in line with the changes in #31428.

@julianwiedmann julianwiedmann removed the dont-merge/waiting-for-review Requires further review before merging. label Apr 8, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Apr 8, 2024
@julianwiedmann julianwiedmann added the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Apr 8, 2024
brb added 5 commits April 8, 2024 15:31
[ upstream commit 3afd9c3 ]

[ backporter's notes: resolve conflict because 1.14 doesn't have
  4498ec9 (".github: re-use common helm values from a single action") ]

To remove the boilerplate.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

[ upstream commit 5c988ee ]

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

[ upstream commit 687a4f5 ]

[ backporter's notes: also apply diff from e448644
  and e8ddc88 to support new key system ]

The action is for testing whether IPsec key rotations do not cause
any packet drops.

NB for backporters: this commit just moves the code for the workflow
into the new action, and the timeout increase.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

[ upstream commit 5c06c8e ]

First, this commit includes the IPsec key rotation tests action.

Second, it changes the CLI exec name and path to "./cilium-cli", so that
it can be used by the key rotation action and friends.

Third, it runs the IPsec tests only if the matrix.ipsec is set to
"true". A subsequent commit will extend the matrix configuration
accordingly.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

[ upstream commit f99ddb9 ]

The file name is non-ideal, but changing it would require changing many
files :-(

For each PR we will run 1.25 w/o IPsec and 1.28 w/ IPsec.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann force-pushed the pr/jwi/v1.14/ipsec-rotation branch from 7530971 to f4b64a5 Compare April 8, 2024 12:36
@julianwiedmann
Member Author

Innocent rebase to pick up #31627.

@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann removed the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Apr 8, 2024
@lmb lmb merged commit 6f97fa9 into v1.14 Apr 9, 2024
@lmb lmb deleted the pr/jwi/v1.14/ipsec-rotation branch April 9, 2024 09:09
Labels
area/CI Continuous Integration testing issue or flake area/CI-improvement Topic or proposal to improve the Continuous Integration workflow area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. feature/ipsec Relates to Cilium's IPsec feature kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Status: Released