IPsec key rotation with algorithm change support. #2291

Merged: 1 commit into main from pr/vk/ipsec/key/rotators, Feb 15, 2024

Conversation

@viktor-kurchenko viktor-kurchenko (Contributor) commented Feb 7, 2024

The following optional input params were added to the encryption rotate-key command:

  • auth-algo: allows selecting the authentication key algorithm
  • key-per-node: allows modifying the key-per-node approach

@viktor-kurchenko viktor-kurchenko marked this pull request as ready for review February 7, 2024 19:21
@viktor-kurchenko viktor-kurchenko requested a review from a team as a code owner February 7, 2024 19:21
@jschwinger233 jschwinger233 (Member) left a comment

Thanks!

Review thread on internal/cli/cmd/encrypt.go (outdated; resolved)
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 15, 2024
@michi-covalent michi-covalent merged commit 1007419 into main Feb 15, 2024
13 checks passed
@michi-covalent michi-covalent deleted the pr/vk/ipsec/key/rotators branch February 15, 2024 17:33
aanm referenced this pull request in aanm/cilium Mar 7, 2024
GitHub Pull Request: #623

chore(deps): update dependency cilium/cilium-cli to v0.15.23 (v1.15)

```go
// internal/cli/cmd/encrypt.go: the algorithm-to-constructor map entries discussed in the thread below
"": func(key ipsecKey) (ipsecKey, error) { return key.rotate() },
"gcm-aes": newGcmAesKey,
"hmac-md5": newHmacMD5Key,
"hmac-sha1": newHmacSHA1Key,
```
Member
Are these two options really something we want to encourage using?

Contributor Author

We just support them and it's up to the user which one should be used.
Do you think it's better to drop them?

Member

What do you mean by "we support them"? Technically, we support all algorithms that Linux supports.

I'm mostly unsure we want to encourage MD5 and SHA1 when they are known broken in the general case (although maybe not in this specific authentication case).

Contributor Author

Well, I put in the map all the algorithms that we used (during testing) for one of our Customers.
I'm happy to raise a PR and remove hmac-md5 and hmac-sha1.
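The two options from the PR description (auth-algo, key-per-node) and the algorithm map quoted in the review thread above, modelled end to end as an added example. This is not cilium-cli's code, the PR's diff or the author's; it assumes the cilium-ipsec-keys secret line format `<spi>[+] <algo> <key hex> ...` with SPIs limited to 1..16, drops hmac-md5 and hmac-sha1 from the selectable set as the reviewer suggests, and adds an assumed hmac-sha256 option. IpsecKey, ParseKey and Rotate are this example's names, not the project's.

```go
// Added example, not cilium-cli code: "encrypt rotate-key" with auth-algo and key-per-node.
package main

import (
	"encoding/hex"
	"fmt"
	"io"
	"strconv"
	"strings"
)

const maxSPI = 16 // Cilium carries the IPsec SPI in 4 bits: SPIs run 1..16 and rotation wraps
// IpsecKey is one cilium-ipsec-keys entry; Tail holds algorithm and key material verbatim,
// e.g. ["rfc4106(gcm(aes))", "<40 hex>", "128"] or ["hmac(sha256)", "<64 hex>", "cbc(aes)", "<32 hex>"].
type IpsecKey struct {
	SPI        int
	KeyPerNode bool // a "+" after the SPI selects per-node keys
	Tail       []string
}

// Algorithms offered for new keys. hmac-md5 and hmac-sha1 are left out on purpose;
// hmac-sha256 is this example's assumption, not an option taken from the PR.
var keyGens = map[string]func(io.Reader) ([]string, error){
	"gcm-aes":     newGcmAesTail,
	"hmac-sha256": newHmacSHA256Tail,
}

// kernelNames maps an entry's first token back to a keyGens name (rotation without auth-algo).
var kernelNames = map[string]string{
	"rfc4106(gcm(aes))": "gcm-aes",
	"hmac(sha256)":      "hmac-sha256",
}

func randomHex(rnd io.Reader, n int) (string, error) {
	b := make([]byte, n)
	if _, err := io.ReadFull(rnd, b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// rfc4106(gcm(aes)): 16-byte AES key plus 4-byte salt, 128-bit ICV.
func newGcmAesTail(rnd io.Reader) ([]string, error) {
	k, err := randomHex(rnd, 20)
	if err != nil {
		return nil, err
	}
	return []string{"rfc4106(gcm(aes))", k, "128"}, nil
}

// hmac(sha256) with cbc(aes): 32-byte auth key followed by a 16-byte cipher key.
func newHmacSHA256Tail(rnd io.Reader) ([]string, error) {
	h, err := randomHex(rnd, 48)
	if err != nil {
		return nil, err
	}
	return []string{"hmac(sha256)", h[:64], "cbc(aes)", h[64:]}, nil
}

// ParseKey reads "<spi>[+] <tail...>" and validates the SPI range.
func ParseKey(line string) (IpsecKey, error) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return IpsecKey{}, fmt.Errorf("malformed key line %q", line)
	}
	perNode := strings.HasSuffix(f[0], "+")
	spi, err := strconv.Atoi(strings.TrimSuffix(f[0], "+"))
	if err != nil || spi < 1 || spi > maxSPI {
		return IpsecKey{}, fmt.Errorf("invalid SPI %q: want 1..%d", f[0], maxSPI)
	}
	return IpsecKey{SPI: spi, KeyPerNode: perNode, Tail: f[1:]}, nil
}

func (k IpsecKey) String() string {
	spi := strconv.Itoa(k.SPI)
	if k.KeyPerNode {
		spi += "+"
	}
	return spi + " " + strings.Join(k.Tail, " ")
}

// Rotate advances the SPI (16 wraps to 1), draws fresh key material from rnd (pass crypto/rand.Reader),
// switches algorithm when authAlgo is set and per-node mode when keyPerNode is non-nil; refused algorithms fail first.
func Rotate(cur IpsecKey, authAlgo string, keyPerNode *bool, rnd io.Reader) (IpsecKey, error) {
	if authAlgo == "" {
		authAlgo = kernelNames[cur.Tail[0]]
	}
	gen, ok := keyGens[authAlgo]
	if !ok {
		return IpsecKey{}, fmt.Errorf("auth-algo %q (current %s) is not offered for new keys", authAlgo, cur.Tail[0])
	}
	tail, err := gen(rnd)
	if err != nil {
		return IpsecKey{}, err
	}
	next := IpsecKey{SPI: cur.SPI%maxSPI + 1, KeyPerNode: cur.KeyPerNode, Tail: tail}
	if keyPerNode != nil {
		next.KeyPerNode = *keyPerNode
	}
	return next, nil
}
```

`Rotate(cur, "", nil, rand.Reader)` regenerates the key under the current algorithm, which is what the `""` entry in the PR's map does; `Rotate(cur, "gcm-aes", &perNode, rand.Reader)` changes the algorithm and the per-node mode in the same step, and `String()` yields the replacement secret line. The map doubles as the allowlist: any name not in it, including the MD5 and SHA1 entries debated above, is rejected before any key material is drawn, so a typo or a deprecated choice never reaches the secret.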

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants