Skip to content

fix(chart): pin the IPsec key directory to a Talos-writable path#5

Open
Aleksei Sviridkin (lexfrei) wants to merge 1 commit into
mainfrom
fix/talos-writable-ipsec-key-dir
Open

fix(chart): pin the IPsec key directory to a Talos-writable path#5
Aleksei Sviridkin (lexfrei) wants to merge 1 commit into
mainfrom
fix/talos-writable-ipsec-key-dir

Conversation

@lexfrei

Copy link
Copy Markdown

OVN_IPSEC_KEY_DIR is a hostPath mounted into kube-ovn-cni on every node whenever func.ENABLE_OVN_IPSEC is on. The kube-ovn default places it at /etc/origin/ovs_ipsec_keys, which a Talos node cannot create — its root filesystem is read-only, so the container fails at create time with mkdir /etc/origin: read-only file system and the node comes up with no ESP security associations, degrading the overlay the feature is meant to protect.

The sibling OPENVSWITCH_DIR and OVN_DIR are already pinned under the writable /var/lib for exactly this reason. The key directory was left at its default because nothing enabled IPsec until now, so the value was never exercised. This moves it in beside them and documents why all three are relocated.

The consumer that surfaced it is cozystack/cozystack#2984, which adds an opt-in east-west encryption toggle — the first thing to ever set func.ENABLE_OVN_IPSEC on this chart. That PR carries a temporary copy of this override so it can ship without waiting on a chart bump; the copy is dropped once a tag here carries the default.

Verified by rendering the chart with func.ENABLE_OVN_IPSEC=true: the ovs-ipsec-keys volume resolves to /var/lib/ovs_ipsec_keys, and no /etc/origin path remains anywhere in the output. Not yet verified on a live Talos node with IPsec enabled.

Consumers of this chart pick the value up on their next chart bump.

OVN_IPSEC_KEY_DIR is a hostPath mounted into kube-ovn-cni on every node
whenever func.ENABLE_OVN_IPSEC is on. The kube-ovn default places it at
/etc/origin/ovs_ipsec_keys, which a Talos node cannot create: its root
filesystem is read-only, so the container fails at create time with
"mkdir /etc/origin: read-only file system" and the node comes up with no
ESP security associations, degrading the overlay the feature is meant to
protect.

The sibling OPENVSWITCH_DIR and OVN_DIR are already pinned under the
writable /var/lib for exactly this reason. The key directory was left at
its default because nothing enabled IPsec until now, so the value was
never exercised. Move it in beside them and document why all three are
relocated.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@lexfrei, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 23 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ffa0f8e5-aa28-4b20-bf84-6e344545bead

📥 Commits

Reviewing files that changed from the base of the PR and between 51df575 and ca95dbe.

📒 Files selected for processing (1)
  • chart/values.yaml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/talos-writable-ipsec-key-dir

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the chart/values.yaml configuration to relocate directory paths for OVN components to /var/lib, ensuring compatibility with Talos nodes that have read-only root filesystems. I have no feedback to provide as there are no review comments.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@lexfrei
Aleksei Sviridkin (lexfrei) marked this pull request as ready for review July 16, 2026 18:48

@IvanHunters IvanHunters left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed hermetically. LGTM with non-blocking notes.

Verified:

  • The fix moves the IPsec key directory from /etc/origin/ovs_ipsec_keys to /var/lib/ovs_ipsec_keys, confirmed by render (both pass kubeconform). This avoids mkdir /etc/origin: read-only file system on Talos, whose root is read-only.
  • No consumer sets ENABLE_OVN_IPSEC: true today, so running clusters are unaffected; the change ships only via a new git tag.

Non-blocking / please double-check:

  • The PR body states that cozystack/cozystack#2984 carries a temporary copy of this OVN_IPSEC_KEY_DIR override, but #2984's diff only sets func.ENABLE_OVN_IPSEC: true; the override is not present there nor in the vendored values on main. Merge-order risk: if #2984 lands before a new tag here is vendored, a Talos cluster enabling encryption would hit the same read-only mkdir failure. Worth reconciling the two.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants