daemon: Remove encrypt key from syncHostIPs()
There's no need for the encrypt key to be set on host IPs. Additionally,
this code was also setting the encrypt key for the `0.0.0.0/0` `world`
entry as well, which isn't necessary.

Encryption is done for node-to-node traffic; therefore, it's not necessary
for the encrypt key to be set on local host IPs.

Fixes: b698972 (cilium: ipsec, support rolling updates)

Signed-off-by: Chris Tarazi <chris@isovalent.com>
christarazi authored and michi-covalent committed May 4, 2023
1 parent 445ae6c commit 7973477
Showing 1 changed file with 1 addition and 2 deletions.
3 changes: 1 addition & 2 deletions daemon/cmd/datapath.go
Expand Up @@ -251,7 +251,6 @@ func (d *Daemon) syncHostIPs() error {
}

for _, ipIDPair := range specialIdentities {
hostKey := node.GetIPsecKeyIdentity()
isHost := ipIDPair.ID == identity.ReservedIdentityHost
if isHost {
added, err := lxcmap.SyncHostEntry(ipIDPair.IP)
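Review bot: With `hostKey := node.GetIPsecKeyIdentity()` dropped from the top of the loop, confirm that the `node` package is still referenced elsewhere in daemon/cmd/datapath.go. The change is listed as 1 addition and 2 deletions in this one file, so no import line is removed; if this call was the last use of `node`, the file no longer compiles and the import has to be removed in the same commit.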
Expand All @@ -271,7 +270,7 @@ func (d *Daemon) syncHostIPs() error {
// This upsert will fail with ErrOverwrite continuously as long as the
// EP / CN watcher have found an apiserver IP and upserted it into the
// ipcache. Until then, it is expected to succeed.
d.ipcache.Upsert(ipIDPair.PrefixString(), nil, hostKey, nil, ipcache.Identity{
d.ipcache.Upsert(ipIDPair.PrefixString(), nil, 0, nil, ipcache.Identity{
ID: ipIDPair.ID,
Source: d.sourceByIP(ipIDPair.IP, source.Local),
})
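Review bot: The bare `0` passed as the third argument to `d.ipcache.Upsert(...)` does not tell the reader that it means "no encrypt key". The comment above the call only explains the ErrOverwrite case, so add a sentence there saying that host IPs and the `0.0.0.0/0` world entry are deliberately upserted without an encrypt key because encryption applies to node-to-node traffic, or pass a named constant instead of the literal. That also makes it harder for a later change to reintroduce the key here by accident.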