IPsec key rotation with algorithm change support. #2291
Conversation
Thanks!
Signed-off-by: viktor-kurchenko <[email protected]>
Referenced by GitHub Pull Request #623: chore(deps): update dependency cilium/cilium-cli to v0.15.23 (v1.15)

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [cilium/cilium-cli](https://togithub.com/cilium/cilium-cli) | | patch | `v0.15.22` -> `v0.15.23` |
| [cilium/cilium-cli](https://togithub.com/cilium/cilium-cli) | action | patch | `v0.15.22` -> `v0.15.23` |

---

### Release Notes

<details>
<summary>cilium/cilium-cli (cilium/cilium-cli)</summary>

### [`v0.15.23`](https://togithub.com/cilium/cilium-cli/releases/tag/v0.15.23)

[Compare Source](https://togithub.com/cilium/cilium-cli/compare/v0.15.22...v0.15.23)

#### What's Changed

- gateway: Upgrade API version by [@sayboras](https://togithub.com/sayboras) in [https://github.com/cilium/cilium-cli/pull/2285](https://togithub.com/cilium/cilium-cli/pull/2285)
- chore(deps): update dependency kubernetes-sigs/kind to v0.21.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2284](https://togithub.com/cilium/cilium-cli/pull/2284)
- IPsec key rotation command. by [@viktor-kurchenko](https://togithub.com/viktor-kurchenko) in [https://github.com/cilium/cilium-cli/pull/2266](https://togithub.com/cilium/cilium-cli/pull/2266)
- IPsec key status command implementation. by [@viktor-kurchenko](https://togithub.com/viktor-kurchenko) in [https://github.com/cilium/cilium-cli/pull/2287](https://togithub.com/cilium/cilium-cli/pull/2287)
- AWS OIDC instead of access key. by [@viktor-kurchenko](https://togithub.com/viktor-kurchenko) in [https://github.com/cilium/cilium-cli/pull/2297](https://togithub.com/cilium/cilium-cli/pull/2297)
- Remove no longer necessary step from the external workloads installation script generation process by [@giorio94](https://togithub.com/giorio94) in [https://github.com/cilium/cilium-cli/pull/2275](https://togithub.com/cilium/cilium-cli/pull/2275)
- Enable no-errors-in-logs check by default, and extend it to all Cilium components by [@giorio94](https://togithub.com/giorio94) in [https://github.com/cilium/cilium-cli/pull/2184](https://togithub.com/cilium/cilium-cli/pull/2184)
- chore(deps): update golangci/golangci-lint-action action to v4 by [@renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2295](https://togithub.com/cilium/cilium-cli/pull/2295)
- chore(deps): update helm/kind-action action to v1.9.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2296](https://togithub.com/cilium/cilium-cli/pull/2296)
- chore(deps): update golang docker tag to v1.22.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2289](https://togithub.com/cilium/cilium-cli/pull/2289)
- fix(deps): update module golang.org/x/mod to v0.15.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2294](https://togithub.com/cilium/cilium-cli/pull/2294)
- chore(deps): update go to v1.22.0 (minor) by [@renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2293](https://togithub.com/cilium/cilium-cli/pull/2293)
- chore(deps): update all github action dependencies (patch) by [@renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2286](https://togithub.com/cilium/cilium-cli/pull/2286)
- chore(deps): update golangci/golangci-lint docker tag to v1.56.1 by [@renovate](https://togithub.com/renovate) in [https://github.com/cilium/cilium-cli/pull/2290](https://togithub.com/cilium/cilium-cli/pull/2290)
- IPsec key rotation with algorithm change support. by [@viktor-kurchenko](https://togithub.com/viktor-kurchenko) in [https://github.com/cilium/cilium-cli/pull/2291](https://togithub.com/cilium/cilium-cli/pull/2291)
- chore: Amend connectivity tests for OpenShift by [@fgiloux](https://togithub.com/fgiloux) in [https://github.com/cilium/cilium-cli/pull/2303](https://togithub.com/cilium/cilium-cli/pull/2303)
- Increase timeouts in AKS and GKE GHA workflows by [@giorio94](https://togithub.com/giorio94) in [https://github.com/cilium/cilium-cli/pull/2307](https://togithub.com/cilium/cilium-cli/pull/2307)
- gha: increase GKE disk size in external workloads workflow to 15GB by [@giorio94](https://togithub.com/giorio94) in [https://github.com/cilium/cilium-cli/pull/2301](https://togithub.com/cilium/cilium-cli/pull/2301)
- Prepare for v0.15.23 release by [@michi-covalent](https://togithub.com/michi-covalent) in [https://github.com/cilium/cilium-cli/pull/2302](https://togithub.com/cilium/cilium-cli/pull/2302)

#### New Contributors

- [@fgiloux](https://togithub.com/fgiloux) made their first contribution in [https://github.com/cilium/cilium-cli/pull/2303](https://togithub.com/cilium/cilium-cli/pull/2303)

**Full Changelog**: cilium/cilium-cli@v0.15.22...v0.15.23

</details>

---

### Configuration

- 📅 **Schedule**: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).
- 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
- ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/aanm/cilium).

Patch-set: 1
Change-id: I515325620aa4905df61d31323487f6936237e3a5
Subject: chore(deps): update dependency cilium/cilium-cli to v0.15.23
Branch: refs/heads/v1.15
Status: new
Topic:
Commit: 7c37f7d
Tag: autogenerated:gerrit:newPatchSet
Groups: 7c37f7d
Private: false
Work-in-progress: false
```go
"":          func(key ipsecKey) (ipsecKey, error) { return key.rotate() },
"gcm-aes":   newGcmAesKey,
"hmac-md5":  newHmacMD5Key,
"hmac-sha1": newHmacSHA1Key,
```
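Review bot: the `""` entry on the first line makes an empty `auth-algo` mean "rotate but keep the current algorithm", yet nothing in these lines documents that default; add a comment above the map (or state it in the flag help) so a user who omits `auth-algo` knows no algorithm change happens. The `hmac-md5` and `hmac-sha1` entries make those two constructions first-class choices in a security-facing command; if they stay, the flag help should at least say that the reviewer's concern below applies to them, and if they are dropped, the `default` path should return a clear "unsupported auth-algo" error rather than a nil function.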
Are these two options really something we want to encourage using?
We just support them and it's up to the user which one should be used.
Do you think it's better to drop them?
What do you mean by "we support them"? Technically, we support all algorithms that Linux supports.
I'm mostly unsure we want to encourage MD5 and SHA1 when they are known broken in the general case (although maybe not in this specific authentication case).
Well, I put in the map all the algorithms that we used (during testing) for one of our Customers.
I'm happy to raise a PR and remove `hmac-md5` and `hmac-sha1`.
The following optional input params were added to the `encryption rotate-key` command:
- `auth-algo`: allows selecting the authentication key algorithm
- `key-per-node`: allows modifying the key-per-node approach
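To make the rotate-key semantics concrete, here is an added Go example (not cilium-cli's own code) that parses one line of the Cilium IPsec key secret, advances the SPI, regenerates the key material, and optionally switches the authentication algorithm or the per-node setting, as the `auth-algo` and `key-per-node` flags described above do. The secret line format, the 1..16 SPI range, the key byte lengths, and the `allowedAlgos` table are assumptions made for this example and were not taken from cilium-cli; the table deliberately leaves out `hmac-md5` and `hmac-sha1`, the two entries questioned in the review thread, so a request for either fails loudly instead of producing a key.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// maxSPI bounds the SPI counter; rotation wraps around. Assumption: 1..16.
const maxSPI = 16

// ipsecKey models one line of the IPsec key secret. The format is an assumption
// for this example:
//   "<spi>[+] rfc4106(gcm(aes)) <hex-key> 128"
//   "<spi>[+] hmac(<hash>) <hex-auth-key> cbc(aes) <hex-enc-key>"
// A '+' after the SPI selects the key-per-node scheme.
type ipsecKey struct {
	spi        int
	perNode    bool
	authAlgo   string // "rfc4106(gcm(aes))" or "hmac(<hash>)"
	authKey    string // hex
	cipherAlgo string // "cbc(aes)" for hmac modes, empty for gcm
	cipherKey  string // hex, empty for gcm
	icvBits    int    // trailing ICV length on rfc4106 lines (128)
}

// algoSpec is one auth-algo choice. Byte lengths are assumptions chosen to be
// valid for the named kernel transforms (AES-128 key + 4-byte salt for rfc4106).
type algoSpec struct {
	authAlgo, cipherAlgo   string
	authBytes, cipherBytes int
}

// allowedAlgos intentionally omits hmac-md5 and hmac-sha1.
var allowedAlgos = map[string]algoSpec{
	"gcm-aes":     {authAlgo: "rfc4106(gcm(aes))", authBytes: 20},
	"hmac-sha256": {authAlgo: "hmac(sha256)", authBytes: 32, cipherAlgo: "cbc(aes)", cipherBytes: 32},
	"hmac-sha512": {authAlgo: "hmac(sha512)", authBytes: 64, cipherAlgo: "cbc(aes)", cipherBytes: 32},
}

func algoNames() []string {
	names := make([]string, 0, len(allowedAlgos))
	for n := range allowedAlgos {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// parseIPsecKey validates the SPI range, the field layout for the algorithm
// family, and that all key material is hex.
func parseIPsecKey(line string) (ipsecKey, error) {
	var k ipsecKey
	f := strings.Fields(line)
	if len(f) < 4 {
		return k, fmt.Errorf("ipsec key: expected at least 4 fields, got %d", len(f))
	}
	spiField := f[0]
	if strings.HasSuffix(spiField, "+") {
		k.perNode = true
		spiField = strings.TrimSuffix(spiField, "+")
	}
	spi, err := strconv.Atoi(spiField)
	if err != nil || spi < 1 || spi > maxSPI {
		return k, fmt.Errorf("ipsec key: invalid SPI %q (want 1..%d)", f[0], maxSPI)
	}
	k.spi, k.authAlgo, k.authKey = spi, f[1], f[2]
	switch {
	case strings.HasPrefix(k.authAlgo, "rfc4106("):
		if len(f) != 4 {
			return k, errors.New("ipsec key: rfc4106 line must be '<spi> <algo> <key> <icv-bits>'")
		}
		if k.icvBits, err = strconv.Atoi(f[3]); err != nil {
			return k, fmt.Errorf("ipsec key: bad ICV size %q", f[3])
		}
	case strings.HasPrefix(k.authAlgo, "hmac("):
		if len(f) != 5 {
			return k, errors.New("ipsec key: hmac line must be '<spi> <auth-algo> <auth-key> <cipher> <cipher-key>'")
		}
		k.cipherAlgo, k.cipherKey = f[3], f[4]
	default:
		return k, fmt.Errorf("ipsec key: unsupported algorithm %q", k.authAlgo)
	}
	for _, h := range []string{k.authKey, k.cipherKey} {
		if _, err := hex.DecodeString(h); h != "" && err != nil {
			return k, fmt.Errorf("ipsec key: key material is not hex: %v", err)
		}
	}
	return k, nil
}

// String renders the key back into the secret line format.
func (k ipsecKey) String() string {
	spi := strconv.Itoa(k.spi)
	if k.perNode {
		spi += "+"
	}
	if k.cipherAlgo == "" {
		return fmt.Sprintf("%s %s %s %d", spi, k.authAlgo, k.authKey, k.icvBits)
	}
	return fmt.Sprintf("%s %s %s %s %s", spi, k.authAlgo, k.authKey, k.cipherAlgo, k.cipherKey)
}

func nextSPI(spi int) int {
	if spi >= maxSPI {
		return 1
	}
	return spi + 1
}

func randomHex(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// rotateKey returns the successor key: next SPI and fresh key material.
// authAlgo == "" keeps the current algorithm (and key lengths); perNode == nil
// keeps the current per-node setting. Algorithms outside allowedAlgos are refused.
func rotateKey(cur ipsecKey, authAlgo string, perNode *bool) (ipsecKey, error) {
	next := ipsecKey{spi: nextSPI(cur.spi), perNode: cur.perNode, icvBits: cur.icvBits}
	if perNode != nil {
		next.perNode = *perNode
	}
	spec := algoSpec{authAlgo: cur.authAlgo, authBytes: len(cur.authKey) / 2,
		cipherAlgo: cur.cipherAlgo, cipherBytes: len(cur.cipherKey) / 2}
	if authAlgo != "" {
		s, ok := allowedAlgos[authAlgo]
		if !ok {
			return next, fmt.Errorf("auth-algo %q is not allowed (choose one of: %s)",
				authAlgo, strings.Join(algoNames(), ", "))
		}
		spec, next.icvBits = s, 0
		if s.cipherAlgo == "" {
			next.icvBits = 128 // rfc4106 lines carry the ICV length
		}
	}
	next.authAlgo, next.cipherAlgo = spec.authAlgo, spec.cipherAlgo
	var err error
	if next.authKey, err = randomHex(spec.authBytes); err != nil {
		return next, err
	}
	if spec.cipherBytes > 0 {
		if next.cipherKey, err = randomHex(spec.cipherBytes); err != nil {
			return next, err
		}
	}
	return next, nil
}

func main() {
	// Constructed sample: a per-node GCM key as it would sit in the secret.
	cur, err := parseIPsecKey("3+ rfc4106(gcm(aes)) 0123456789abcdef0123456789abcdef01234567 128")
	if err != nil {
		panic(err)
	}
	perNode := false
	next, err := rotateKey(cur, "hmac-sha256", &perNode) // change algorithm and drop per-node
	if err != nil {
		panic(err)
	}
	fmt.Println("current:", cur)
	fmt.Println("rotated:", next)
	if _, err := rotateKey(cur, "hmac-md5", nil); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The keep-current-algorithm path reuses the existing key lengths rather than consulting `allowedAlgos`, so a legacy secret can still be rotated in place, while any explicit algorithm change has to go through the allowlist.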