fix(chart): pin the IPsec key directory to a Talos-writable path#5
fix(chart): pin the IPsec key directory to a Talos-writable path#5Aleksei Sviridkin (lexfrei) wants to merge 1 commit into
Conversation
OVN_IPSEC_KEY_DIR is a hostPath mounted into kube-ovn-cni on every node whenever func.ENABLE_OVN_IPSEC is on. The kube-ovn default places it at /etc/origin/ovs_ipsec_keys, which a Talos node cannot create: its root filesystem is read-only, so the container fails at create time with "mkdir /etc/origin: read-only file system" and the node comes up with no ESP security associations, degrading the overlay the feature is meant to protect. The sibling OPENVSWITCH_DIR and OVN_DIR are already pinned under the writable /var/lib for exactly this reason. The key directory was left at its default because nothing enabled IPsec until now, so the value was never exercised. Move it in beside them and document why all three are relocated. Assisted-By: Claude <noreply@anthropic.com> Signed-off-by: Aleksei Sviridkin <f@lex.la>
|
Warning Review limit reached
Next review available in: 23 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the chart/values.yaml configuration to relocate directory paths for OVN components to /var/lib, ensuring compatibility with Talos nodes that have read-only root filesystems. I have no feedback to provide as there are no review comments.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
IvanHunters
left a comment
There was a problem hiding this comment.
Reviewed hermetically. LGTM with non-blocking notes.
Verified:
- The fix moves the IPsec key directory from
/etc/origin/ovs_ipsec_keysto/var/lib/ovs_ipsec_keys, confirmed by render (both pass kubeconform). This avoidsmkdir /etc/origin: read-only file systemon Talos, whose root is read-only. - No consumer sets
ENABLE_OVN_IPSEC: truetoday, so running clusters are unaffected; the change ships only via a new git tag.
Non-blocking / please double-check:
- The PR body states that cozystack/cozystack#2984 carries a temporary copy of this
OVN_IPSEC_KEY_DIRoverride, but #2984's diff only setsfunc.ENABLE_OVN_IPSEC: true; the override is not present there nor in the vendored values on main. Merge-order risk: if #2984 lands before a new tag here is vendored, a Talos cluster enabling encryption would hit the same read-onlymkdirfailure. Worth reconciling the two.
OVN_IPSEC_KEY_DIRis a hostPath mounted intokube-ovn-cnion every node wheneverfunc.ENABLE_OVN_IPSECis on. The kube-ovn default places it at/etc/origin/ovs_ipsec_keys, which a Talos node cannot create — its root filesystem is read-only, so the container fails at create time withmkdir /etc/origin: read-only file systemand the node comes up with no ESP security associations, degrading the overlay the feature is meant to protect.The sibling
OPENVSWITCH_DIRandOVN_DIRare already pinned under the writable/var/libfor exactly this reason. The key directory was left at its default because nothing enabled IPsec until now, so the value was never exercised. This moves it in beside them and documents why all three are relocated.The consumer that surfaced it is cozystack/cozystack#2984, which adds an opt-in east-west encryption toggle — the first thing to ever set
func.ENABLE_OVN_IPSECon this chart. That PR carries a temporary copy of this override so it can ship without waiting on a chart bump; the copy is dropped once a tag here carries the default.Verified by rendering the chart with
func.ENABLE_OVN_IPSEC=true: theovs-ipsec-keysvolume resolves to/var/lib/ovs_ipsec_keys, and no/etc/originpath remains anywhere in the output. Not yet verified on a live Talos node with IPsec enabled.Consumers of this chart pick the value up on their next chart bump.