connectivity: Add IPsec key derivation validation integration test #40808
771f6b8 to 9efa5ab
pchaigno left a comment
This is fantastic! Thanks a lot for working on this!
I've left comments below. I think right now the two blockers are:
- I'd much prefer if we can avoid parsing text output and instead rely on the `netlink` library as usual.
- I think this would be particularly useful as a debugging tool, which means we may need to run it on large clusters. So we need to rethink iterations and logging a bit (see below).
9efa5ab to e92ff55
c54487e to 9b0c9ce
derailed left a comment
@pillai-ashwin Nice work! A bit out of context here so feel free to discard...
9b0c9ce to 453e46d
pchaigno left a comment
Thanks for the new version!
Lots of comments below, but I think we're getting closer and we'll have a very good test in the end.
c00824f to c77c878
Thanks for the new version! It looks a lot nicer.
I think there's an issue on the commit history right now, so a bit hard to review. I'll do a new review once that's fixed, but hopefully we should be close to merge :)
c77c878 to 9caf3a3
pchaigno left a comment
A few small mistakes around the use of pkg/common/ipsec.
b82bfb1 to 727a968
/test
727a968 to e04b97d
/test
pchaigno left a comment
A few suggestions for improvements below.
CI is also failing with what appears to be related (https://github.com/cilium/cilium/actions/runs/17728520295). It also looks like the test was skipped for configuration ipsec-7; I'm wondering why?
e04b97d to c8e724c
/test
c8e724c to 54f6186
/test
The E2E Upgrade Tests are failing for IPsec because the new connectivity test needs to be skipped on Cilium versions that don't support the new cilium-dbg command.
54f6186 to 7a3b55b
Reason for failure: What I did -
Expected Behavior Now:
The error message "XFRM command from cilium-nf2xx returned non-JSON output" will no longer occur because we now detect and handle this case gracefully by skipping the test instead of failing it.
Extract XfrmStateInfo struct to pkg/types to resolve cross-compilation issues. This allows cilium-cli (which builds for Darwin/Windows) to import the struct without pulling in Linux-specific netlink dependencies from cilium-dbg.

Signed-off-by: Ashwin Pillai <pillaiashwin96@gmail.com>

Add dump-xfrm subcommand to extract XFRM state information in JSON format. This command is used by integration tests to validate IPsec key derivation consistency across nodes.

Key features:
- Linux-specific build constraints to prevent cross-compilation issues
- Filters for Cilium-managed states (ReqID == 1)
- Extracts authentication, encryption, and AEAD key information
- JSON output for programmatic consumption by tests

Signed-off-by: Ashwin Pillai <pillaiashwin96@gmail.com>

Add integration test to validate IPsec key derivation consistency across nodes. The test ensures that Cilium's IPsec key derivation algorithm produces identical cryptographic keys for the same tunnels on different nodes.

Key features:
- Extracts XFRM states from all Cilium nodes using cilium encrypt dump-xfrm
- Validates key consistency (AEAD, authentication, encryption) across nodes
- Checks bidirectional tunnel establishment for all tunnel directions
- Runs as part of concurrent connectivity tests when IPsec is enabled
- Uses SPI-based tunnel correlation for accurate state matching
- Requires Cilium 1.19.0-pre.0+ for the dump-xfrm command

The test helps detect key derivation inconsistencies that could cause IPsec tunnel failures or security issues in multi-node deployments.

Fixes: cilium#35843

Signed-off-by: Ashwin Pillai <pillaiashwin96@gmail.com>
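
The cross-node check these commit messages describe, as an added Go example (not the PR's code): per-node dumps are filtered to ReqID == 1, states are correlated by source, destination and SPI, AEAD keys are compared, and each direction is checked for its reverse. The JSON field names, `validate`, `sampleDumps` and the sample nodes, addresses and keys are assumptions constructed for illustration; the real dump-xfrm schema is not shown on this page.

```go
package main

import (
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// xfrmState is an assumed JSON shape for one dumped state, not the PR's XfrmStateInfo.
type xfrmState struct {
	Src     string `json:"src"`
	Dst     string `json:"dst"`
	SPI     uint32 `json:"spi"`
	ReqID   int    `json:"reqid"`
	AEADKey string `json:"aead_key"` // hex-encoded
}

// validate takes node name -> JSON dump and returns sorted findings.
// Findings name tunnels and nodes only; key bytes never reach the output.
func validate(dumps map[string]string) ([]string, error) {
	nodes := make([]string, 0, len(dumps))
	for n := range dumps {
		nodes = append(nodes, n)
	}
	sort.Strings(nodes) // deterministic reporting order
	firstKey := map[string][]byte{}  // tunnel id -> key from the first node that has it
	firstNode := map[string]string{} // tunnel id -> that node's name
	dirs := map[[2]string]bool{}     // (src, dst) pairs that have at least one state
	findings := []string{}
	for _, node := range nodes {
		var states []xfrmState
		if err := json.Unmarshal([]byte(dumps[node]), &states); err != nil {
			return nil, fmt.Errorf("node %s returned non-JSON output: %w", node, err)
		}
		for _, s := range states {
			if s.ReqID != 1 { // keep only Cilium-managed states
				continue
			}
			id := fmt.Sprintf("%s->%s spi=0x%x", s.Src, s.Dst, s.SPI)
			key, err := hex.DecodeString(s.AEADKey)
			if err != nil || len(key) == 0 {
				findings = append(findings, "unusable key on "+node+" for "+id)
				continue
			}
			dirs[[2]string{s.Src, s.Dst}] = true
			if prev, ok := firstKey[id]; !ok {
				firstKey[id], firstNode[id] = key, node
			} else if subtle.ConstantTimeCompare(prev, key) != 1 {
				findings = append(findings, "key mismatch for "+id+" between "+firstNode[id]+" and "+node)
			}
		}
	}
	for d := range dirs {
		if !dirs[[2]string{d[1], d[0]}] {
			findings = append(findings, "missing reverse tunnel for "+d[0]+"->"+d[1])
		}
	}
	sort.Strings(findings)
	return findings, nil
}

// sampleDumps returns constructed per-node dumps with made-up addresses and keys.
func sampleDumps() map[string]string {
	st := func(src, dst string, reqid int, keyByte string) string {
		return fmt.Sprintf(`{"src":%q,"dst":%q,"spi":3,"reqid":%d,"aead_key":%q}`,
			src, dst, reqid, strings.Repeat(keyByte, 20))
	}
	a, b, c := "10.0.0.1", "10.0.0.2", "10.0.0.3"
	return map[string]string{
		"node-a": "[" + st(a, b, 1, "11") + "," + st(b, a, 1, "22") + "," + st(a, c, 1, "33") + "]",
		"node-b": "[" + st(a, b, 1, "11") + "," + st(b, a, 1, "22") + "]",
		"node-c": "[" + st(a, c, 1, "44") + "," + st("10.0.0.9", c, 2, "55") + "]",
	}
}

func main() {
	findings, err := validate(sampleDumps())
	fmt.Println(findings, err)
}
```

A parse error is returned separately from findings so the caller can decide whether non-JSON output means skip or fail.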
7a3b55b to 3380bcc
/test
Referenced in the cilium-cli [`v0.18.8`](https://redirect.github.com/cilium/cilium-cli/releases/tag/v0.18.8) release notes under CI Changes: Add integration test to validate IPsec key derivation consistency across nodes, ensuring tunnel keys are properly derived and identical between Cilium pods. ([cilium/cilium#40808](https://redirect.github.com/cilium/cilium/issues/40808), [@pillai-ashwin](https://redirect.github.com/pillai-ashwin))
This PR adds integration test coverage for IPsec key derivation validation across multiple nodes. The new test ensures that Cilium's IPsec key derivation algorithm produces consistent cryptographic keys for the same tunnels on different nodes.
What this PR does:
- `IPsecKeyDerivationValidation` connectivity test that extracts XFRM states from multiple Cilium nodes
Testing:
Fixes: #35843