[v1.14] gh/workflows: IPsec key rotation improvements #31429

Merged
merged 5 commits into from Apr 9, 2024

Conversation

julianwiedmann
Member

Manual backport of

Once this PR is merged, a GitHub action will update the labels of these PRs:

 29592 29704

@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Mar 16, 2024
@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann marked this pull request as ready for review March 16, 2024 18:04
@julianwiedmann julianwiedmann requested review from a team as code owners March 16, 2024 18:04
Member

@brb brb left a comment


Thanks!

@julianwiedmann
Member Author

I believe there's some conflicting work in the pipeline, so let's see how we get this in the easiest. Preview-only for now, but good for review.

@julianwiedmann julianwiedmann added the dont-merge/preview-only Only for preview or testing, don't merge it. label Mar 17, 2024
@viktor-kurchenko viktor-kurchenko removed the request for review from brlbil March 18, 2024 11:49
@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann removed the dont-merge/preview-only Only for preview or testing, don't merge it. label Mar 27, 2024
@julianwiedmann julianwiedmann added area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipsec Relates to Cilium's IPsec feature area/CI Continuous Integration testing issue or flake area/CI-improvement Topic or proposal to improve the Continuous Integration workflow labels Mar 27, 2024
@pchaigno
Member

pchaigno commented Apr 3, 2024

@julianwiedmann Is there something in particular I should review? This is just a backport for two PRs I already reviewed, no?

@julianwiedmann
Member Author

> @julianwiedmann Is there something in particular I should review? This is just a backport for two PRs I already reviewed, no?

Right, sorry - I should have noted that. The interesting part is the adjustments for the new key system in 5e1e120. This should be very much in line with the changes in #31428.

@maintainer-s-little-helper maintainer-s-little-helper bot added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Apr 8, 2024
@julianwiedmann julianwiedmann added the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Apr 8, 2024
brb added 5 commits April 8, 2024 15:31
[ upstream commit 3afd9c3 ]

[ backporter's notes: resolve conflict because 1.14 doesn't have
  4498ec9 (".github: re-use common helm values from a single action") ]

To remove the boilerplate.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 5c988ee ]

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 687a4f5 ]

[ backporter's notes: also apply diff from e448644
  and e8ddc88 to support new key system ]

The action is for testing whether IPsec key rotations do not cause
any packet drops.

NB for backporters: this commit just moves the code for the workflow
into the new action, and the timeout increase.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 5c06c8e ]

First, this commit includes the IPsec key rotation tests action.

Second, it changes the CLI exec name and path to "./cilium-cli", so that
it can be used by the key rotation action and friends.

Third, it runs the IPsec tests only if the matrix.ipsec is set to
"true". A subsequent commit will extend the matrix configuration
accordingly.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit f99ddb9 ]

The file name is non-ideal, but changing it would require changing many
files :-(

For each PR we will run 1.25 w/o IPsec and 1.28 w/ IPsec.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
Member Author

Innocent rebase to pick up #31627.

@julianwiedmann
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann removed the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Apr 8, 2024
@lmb lmb merged commit 6f97fa9 into v1.14 Apr 9, 2024
222 checks passed
@lmb lmb deleted the pr/jwi/v1.14/ipsec-rotation branch April 9, 2024 09:09
Labels
area/CI Continuous Integration testing issue or flake area/CI-improvement Topic or proposal to improve the Continuous Integration workflow area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. feature/ipsec Relates to Cilium's IPsec feature kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
6 participants