Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

Add settings to mark cryptographic algorithms in vpn customer gateways as excluded or obsolete #12193

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
abh1sar wants to merge 14 commits into apache:main
base: main
Choose a base branch
Loading
from shapeblue:vpn-cust-gw

Conversation

@abh1sar
Copy link
Collaborator

@abh1sar abh1sar commented Dec 4, 2025
edited
Loading

Description

This PR introduces several configuration settings using which an operator can mark certain cryptographic algorithms and parameters as excluded or obsolete for VPN Customer Gateway creation for Site-to-Site VPN.

Cloud providers following modern security frameworks (e.g., ISO 27001/27017) are required to enforce and communicate approved cryptographic standards. CloudStack currently accepts several weak or deprecated algorithms without guidance to users. This PR closes that gap by giving operators explicit control over what is disallowed vs discouraged, improving security posture without breaking existing deployments.

These settings are:

1. vpn.customer.gateway.excluded.encryption.algorithms
2. vpn.customer.gateway.excluded.hashing.algorithms
3. vpn.customer.gateway.excluded.ike.versions
4. vpn.customer.gateway.excluded.dh.group
5. vpn.customer.gateway.obsolete.encryption.algorithms
6. vpn.customer.gateway.obsolete.hashing.algorithms
7. vpn.customer.gateway.obsolete.ike.versions
8. vpn.customer.gateway.obsolete.dh.group

Details :

  1. Excluded parameters are not shown to the Users in the Create and Update VPN Customer Gateway forms.
  2. Obsolete parameters are shown with a warning
  3. If a VPN gateway is already using an excluded or obsolete parameter:
    a. A warning icon is displayed near to it's name with a message to change the obsolete parameter.
    b. The Update VPN gateway form shows the setting with a warning to change it.
  4. listVpnCustomerGateways api returns two new fields obsoleteparameters and excludedparameters containing the list of obsolete and excluded parameters that the gateway is using respectively.
  5. A new field in the listCapabilities API response contains the list excluded and obsolete vpn customer gateway parameters, only if set.

Update:

Added a periodic task (Interval controlled by a configuration setting - disabled by default) to generate Alerts (Global) and events (per VPN Gateway) for existing VPN gateways that are using obsolete or excluded settings.

Documentation PR : apache/cloudstack-documentation#605

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

Screenshot 2025年12月01日 at 1 55 23 PM Screenshot 2025年12月01日 at 1 55 08 PM Screenshot 2025年12月01日 at 1 54 25 PM

Alerts:
Screenshot 2025年12月10日 at 10 50 42 PM

Events:
Screenshot 2025年12月10日 at 10 51 11 PM

How Has This Been Tested?

How did you try to break this feature and the system with this change?

Copy link

codecov bot commented Dec 4, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 42.26804% with 112 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.56%. Comparing base (2600965) to head (d1466b4).
⚠️ Report is 55 commits behind head on main.

Files with missing lines Patch % Lines
...com/cloud/network/vpn/Site2SiteVpnManagerImpl.java 58.82% 52 Missing and 4 partials ⚠️
...in/java/com/cloud/server/ManagementServerImpl.java 0.00% 35 Missing ⚠️
...k/api/command/user/config/ListCapabilitiesCmd.java 0.00% 6 Missing ⚠️
...api/response/Site2SiteCustomerGatewayResponse.java 0.00% 6 Missing ⚠️
...src/main/java/com/cloud/api/ApiResponseHelper.java 0.00% 6 Missing ⚠️
.../cloudstack/api/response/CapabilitiesResponse.java 0.00% 3 Missing ⚠️
Additional details and impacted files 
@@ Coverage Diff @@
## main #12193 +/- ##
============================================
- Coverage 17.57% 17.56% -0.01% 
- Complexity 15550 15655 +105 
============================================
 Files 5913 5916 +3 
 Lines 529427 530159 +732 
 Branches 64677 64786 +109 
============================================
+ Hits 93024 93126 +102 
- Misses 425940 426546 +606 
- Partials 10463 10487 +24
Flag Coverage Δ
uitests 3.57% <ø> (-0.02%) ⬇️
unittests 18.63% <42.26%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copy link
Collaborator Author

abh1sar commented Dec 4, 2025

@blueorangutan package

Copy link

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

Copy link

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15920

@abh1sar abh1sar added this to the 4.20.3 milestone Dec 4, 2025
Copy link
Contributor

nvazquez commented Dec 8, 2025

@abh1sar can you please target this branch against main branch?
abh1sar reacted with thumbs up emoji

@DaanHoogland DaanHoogland changed the base branch from 4.20 to main December 8, 2025 13:04
@DaanHoogland DaanHoogland changed the base branch from main to 4.22 December 8, 2025 13:05
@DaanHoogland DaanHoogland changed the base branch from 4.22 to 4.20 December 8, 2025 13:05
@abh1sar abh1sar changed the base branch from 4.20 to main December 8, 2025 18:04
@nvazquez nvazquez modified the milestones: 4.20.3, 4.23 Dec 8, 2025
Copy link
Collaborator Author

abh1sar commented Dec 9, 2025

@blueorangutan package

Copy link

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

Copy link

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 15958

Copy link
Collaborator Author

abh1sar commented Dec 10, 2025

@blueorangutan package

Copy link
Collaborator Author

abh1sar commented Dec 17, 2025

@blueorangutan package

Copy link

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

Copy link

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16073

Copy link
Collaborator

RosiKyu commented Dec 19, 2025

@blueorangutan test

Copy link

@RosiKyu a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

Copy link
Collaborator

RosiKyu commented Dec 19, 2025
edited
Loading

@abh1sar - looks like there's an issue with the smoketets. Could you please have a look?

Copy link

[SF] Trillian test result (tid-15030)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 55216 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12193-t15030-kvm-ol8.zip
Smoke tests completed. 149 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_03_deploy_and_scale_kubernetes_cluster Failure 24.57 test_kubernetes_clusters.py

Copy link
Collaborator

RosiKyu commented Dec 21, 2025

@blueorangutan test

Copy link

@RosiKyu a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

Copy link

[SF] Trillian test result (tid-15038)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 49549 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12193-t15038-kvm-ol8.zip
Smoke tests completed. 147 look OK, 3 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
ContextSuite context=TestClusterDRS>:setup Error 0.00 test_cluster_drs.py
test_03_deploy_and_scale_kubernetes_cluster Failure 28.63 test_kubernetes_clusters.py
test_list_system_vms_metrics_history Failure 0.18 test_metrics_api.py

Copy link
Collaborator

RosiKyu commented Dec 22, 2025

@blueorangutan test

Copy link

@RosiKyu a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

Copy link

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

Copy link
Collaborator Author

abh1sar commented Dec 22, 2025

@blueorangutan package

Copy link

@abh1sar a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

Copy link
Collaborator

RosiKyu commented Dec 22, 2025

@blueorangutan test

Copy link

@RosiKyu a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

Copy link

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16125

Copy link

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16127

Copy link

[SF] Trillian test result (tid-15040)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 53955 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12193-t15040-kvm-ol8.zip
Smoke tests completed. 147 look OK, 3 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
ContextSuite context=TestClusterDRS>:setup Error 0.00 test_cluster_drs.py
test_03_deploy_and_scale_kubernetes_cluster Failure 27.82 test_kubernetes_clusters.py
test_02_list_cpvm_vm Failure 0.04 test_ssvm.py
test_04_cpvm_internals Failure 0.05 test_ssvm.py

Copy link
Contributor

shwstppr commented Jan 7, 2026

@blueorangutan package

Copy link

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

Copy link

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16295

@abh1sar abh1sar marked this pull request as ready for review January 13, 2026 07:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nvazquez nvazquez Awaiting requested review from nvazquez

Assignees

No one assigned

Projects

None yet

Milestone

4.23.0

Development

Successfully merging this pull request may close these issues.

AltStyle によって変換されたページ (->オリジナル) /