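// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

package ipsec

import (
	"fmt"
	"log/slog"

	"github.com/cilium/hive/cell"
	"github.com/cilium/hive/job"

	"github.com/cilium/cilium/pkg/datapath/types"
	"github.com/cilium/cilium/pkg/node"
	"github.com/cilium/cilium/pkg/option"
	"github.com/cilium/cilium/pkg/time"
)

// Cell is the IPsec key custodian. It handles key-related initialisation
// tasks for the ipsec subsystem and is an incremental step towards a more
// encompassing modularisation of the subsystem.
var Cell = cell.Module(
	"ipsec-key-custodian",
	"Handles initial key setup and knows the key size",

	cell.Provide(newKeyCustodian),
)

// custodianParameters are the dependencies hive injects into newKeyCustodian.
type custodianParameters struct {
	cell.In

	Log *slog.Logger
	// Health is injected but not read by newKeyCustodian.
	Health         cell.Health
	JobGroup       job.Group
	LocalNodeStore *node.LocalNodeStore
}

// newKeyCustodian constructs the key custodian and appends it to the
// lifecycle so that its Start and Stop hooks run with the agent.
func newKeyCustodian(lc cell.Lifecycle, p custodianParameters) types.IPsecKeyCustodian {
	kc := &keyCustodian{
		log:       p.Log,
		localNode: p.LocalNodeStore,
		jobs:      p.JobGroup,
	}

	lc.Append(kc)
	return kc
}

// Start is the lifecycle start hook. When node encryption is disabled it
// calls DeleteIPsecEncryptRoute; when IPsec is disabled it returns without
// touching any key state. Otherwise it loads the key file named by
// option.Config.IPSecKeyFile, records the auth key size and SPI, installs the
// SPI via SetIPSecSPI, and stores the SPI as the local node's EncryptionKey.
//
// Every failure is returned, wrapped with context, so the hook fails rather
// than letting the agent continue without a usable IPsec key.
func (kc *keyCustodian) Start(cell.HookContext) error {
	if !option.Config.EncryptNode {
		DeleteIPsecEncryptRoute(kc.log)
	}
	if !option.Config.EnableIPSec {
		return nil
	}

	keyFile := option.Config.IPSecKeyFile
	var err error
	kc.authKeySize, kc.spi, err = LoadIPSecKeysFile(kc.log, keyFile)
	if err != nil {
		// The file path is configuration, not key material, so it is safe
		// to include in the error for diagnosis.
		return fmt.Errorf("loading IPsec keys from %q: %w", keyFile, err)
	}
	if err := SetIPSecSPI(kc.log, kc.spi); err != nil {
		return fmt.Errorf("setting IPsec SPI %d: %w", kc.spi, err)
	}

	// Record the SPI on the local node; presumably other components read
	// EncryptionKey from there — confirm against consumers.
	kc.localNode.Update(func(n *node.LocalNode) {
		n.EncryptionKey = kc.spi
	})

	return nil
}

// StartBackgroundJobs starts the keyfile watcher and stale key reclaimer jobs.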
func (kc *keyCustodian) StartBackgroundJobs(handler types.NodeHandler) error {
	if !option.Config.EnableIPSec {
		return nil
	}

	err := StartKeyfileWatcher(kc.log, kc.jobs, option.Config.IPSecKeyFile, handler)
	if err != nil {
		return fmt.Errorf("failed to start IPsec keyfile watcher: %w", err)
	}

	// Run the stale key reclaimer's onTimer once a minute.
	reclaimer := staleKeyReclaimer{kc.log}
	kc.jobs.Add(job.Timer("stale-key-reclaimer", reclaimer.onTimer, time.Minute))

	return nil
}

// Stop is the lifecycle stop hook. Nothing is torn down here; the jobs added
// to kc.jobs are presumably stopped by the job group itself — confirm.
func (kc *keyCustodian) Stop(cell.HookContext) error {
	return nil
}

// AuthKeySize reports the authentication key size recorded by Start.
func (kc *keyCustodian) AuthKeySize() int { return kc.authKeySize }

// SPI reports the Security Parameter Index recorded by Start.
func (kc *keyCustodian) SPI() uint8 { return kc.spi }

// keyCustodian implements types.IPsecKeyCustodian.
type keyCustodian struct {
	log       *slog.Logger
	localNode *node.LocalNodeStore
	jobs      job.Group

	// Set by Start from the key file; zero until Start has run.
	authKeySize int
	spi         uint8
}