ci-ipsec-e2e: Add more key types

Signed-off-by: Martynas Pumputis <m@lambda.lt>
cilium · Dec 5, 2023 · 7cd019c · 7cd019c
1 parent 3b4d1d8
commit 7cd019c
Showing 1 changed file with 26 additions and 2 deletions.
diff --git a/.github/workflows/conformance-ipsec-e2e.yaml b/.github/workflows/conformance-ipsec-e2e.yaml
@@ -84,6 +84,8 @@ jobs:
             tunnel: 'vxlan'
             encryption: 'ipsec'
             encryption-node: 'false'
+            key-one: 'gcm(aes)'
+            key-two: 'cbc(aes)'
 
           - name: '2'
             # renovate: datasource=docker depName=quay.io/lvh-images/kind
@@ -93,6 +95,8 @@ jobs:
             tunnel: 'disabled'
             encryption: 'ipsec'
             encryption-node: 'false'
+            key-one: 'cbc(aes)'
+            key-two: 'cbc(aes)'
 
           - name: '3'
             # renovate: datasource=docker depName=quay.io/lvh-images/kind
@@ -103,6 +107,8 @@ jobs:
             encryption: 'ipsec'
             encryption-node: 'false'
             endpoint-routes: 'true'
+            key-one: 'gcm(aes)'
+            key-two: 'gcm(aes)'
 
           - name: '4'
             # renovate: datasource=docker depName=quay.io/lvh-images/kind
@@ -113,6 +119,8 @@ jobs:
             encryption: 'ipsec'
             encryption-node: 'false'
             endpoint-routes: 'true'
+            key-one: 'gcm(aes)'
+            key-two: 'gcm(aes)'
 
     timeout-minutes: 60
     steps:
@@ -201,8 +209,16 @@ jobs:
         shell: bash
         run: |
           kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]'
+
+          if [[ "${{ matrix.key-one }}" == "gcm(aes)" ]]; then
+            key="rfc4106(gcm(aes)) $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64) 128"
+          elif [[ "${{ matrix.key-one }}" == "cbc(aes)" ]]; then
+            key="hmac(sha256) $(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64) cbc(aes) $(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64)"
+          else
+            echo "Invalid key type"; exit 1
+          fi
           kubectl create -n kube-system secret generic cilium-ipsec-keys \
-            --from-literal=keys="3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128"
+            --from-literal=keys="3 ${key}"
 
           export CILIUM_CLI_MODE=helm
           ./cilium-cli install ${{ steps.cilium-config.outputs.config }}
@@ -229,7 +245,15 @@ jobs:
           operation-cmd: |
             KEYID=$(kubectl get secret -n kube-system cilium-ipsec-keys -o go-template --template={{.data.keys}} | base64 -d | cut -c 1)
             if [[ $KEYID -ge 15 ]]; then KEYID=0; fi
-            data=$(echo "{\"stringData\":{\"keys\":\"$((($KEYID+1))) "rfc4106\(gcm\(aes\)\)" 59f4d92cccede1b1abc920104ca61cd552782e12 128\"}}")
+
+            if [[ "${{ matrix.key-two }}" == "gcm(aes)" ]]; then
+              key="rfc4106(gcm(aes)) $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64) 128"
+            elif [[ "${{ matrix.key-two }}" == "cbc(aes)" ]]; then
+              key="hmac(sha256) $(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64) cbc(aes) $(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64)"
+            else
+              echo "Invalid key type"; exit 1
+            fi
+            data="{\"stringData\":{\"keys\":\"$((($KEYID+1))) ${key}\"}}"
             kubectl patch secret -n kube-system cilium-ipsec-keys -p="$data" -v=1
 
             # Wait until key rotation starts