Switch to libreswan-minimal in the gateway #3499

Open
skitt wants to merge 2 commits into submariner-io:devel from skitt:libreswan-minimal

@skitt (Member) commented Jul 7, 2025

This reduces the image size (211MiB instead of 234MiB) and drops all the systemd dependencies.

Summary by CodeRabbit

  • Chores
    • Updated base container images from Fedora 42 to Fedora 43 for gateway, globalnet, and route-agent services.
    • Reduced gateway runtime footprint by switching to a minimal VPN package and adjusting base runtime dependencies.

@submariner-bot (Contributor)

🤖 Created branch: z_pr3499/skitt/libreswan-minimal
🚀 Full E2E won't run until the "ready-to-test" label is applied. I will add it automatically once the PR has 2 approvals, or you can add it manually.

@skitt skitt force-pushed the libreswan-minimal branch 4 times, most recently from acf020f to b5d0ac6 Compare July 10, 2025 08:44
@github-actions (Contributor)

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Aug 13, 2025
@tpantelis tpantelis removed the stale label Aug 13, 2025
@github-actions github-actions bot added the stale label Aug 28, 2025
@skitt skitt removed the stale label Aug 28, 2025
@skitt skitt force-pushed the libreswan-minimal branch 2 times, most recently from fb5ce16 to 7eef201 Compare September 11, 2025 13:54
@github-actions github-actions bot added the stale label Sep 26, 2025
@skitt skitt removed the stale label Sep 29, 2025
@skitt skitt force-pushed the libreswan-minimal branch 2 times, most recently from d0c2b08 to dd259eb Compare October 10, 2025 12:49
@skitt skitt force-pushed the libreswan-minimal branch from dd259eb to 231fb2d Compare November 3, 2025 09:25
@skitt skitt marked this pull request as ready for review November 3, 2025 09:25
@submariner-bot submariner-bot added the ready-to-test label Nov 20, 2025
@tpantelis tpantelis enabled auto-merge (rebase) November 20, 2025 17:04
@github-actions github-actions bot added the stale label Dec 5, 2025
@tpantelis tpantelis removed the stale label Dec 9, 2025
@skitt skitt force-pushed the libreswan-minimal branch from a7ce5d5 to f4543f6 Compare December 15, 2025 10:46
@coderabbitai bot commented Dec 15, 2025

Walkthrough

Updated three Submariner Dockerfiles to use Fedora 43 (was 42). In the gateway Dockerfile, swapped libreswan for libreswan-minimal and added procps-ng to the installed packages; other build steps unchanged.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Fedora version bumps: package/Dockerfile.submariner-gateway, package/Dockerfile.submariner-globalnet, package/Dockerfile.submariner-route-agent | Updated ARG FEDORA_VERSION from 42 to 43 in each Dockerfile. |
| Gateway package dependencies: package/Dockerfile.submariner-gateway | Replaced libreswan with libreswan-minimal; added procps-ng; adjusted installed package list (e.g., openssl, nss-tools). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

release-note-needed

Suggested reviewers

  • yboaron
  • Oats87
  • vthapar
  • sridhargaddam

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Actionable Comments Resolved | ❌ Error | PR contains unresolved actionable comment regarding NFTables incompatibility between Fedora 43 and kind with no test skips, workarounds, or documented resolution plan. | Include code/config to skip NFTables tests for Fedora 43, create documented follow-up issue tracking incompatibility with resolution plan, or add comments documenting the known incompatibility. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title focuses on switching to libreswan-minimal in the gateway, which is directly related to one of the key changes in the Dockerfile.submariner-gateway file. However, the PR also includes Fedora version updates (42 to 43) across all three Dockerfiles, which represents a significant portion of the changes. The title captures the libreswan change well but doesn't fully reflect the broader scope of version updates. |

@coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cd3ef10 and f4543f6.

📒 Files selected for processing (3)
  • package/Dockerfile.submariner-gateway (2 hunks)
  • package/Dockerfile.submariner-globalnet (1 hunks)
  • package/Dockerfile.submariner-route-agent (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: Go Unit Tests
  • GitHub Check: Variant Analysis
  • GitHub Check: Go
  • GitHub Check: Dependency Licenses
  • GitHub Check: Images
  • GitHub Check: Latest Release to Latest Version
  • GitHub Check: Check the multi-arch builds
🔇 Additional comments (4)
package/Dockerfile.submariner-route-agent (1)

2-2: LGTM! Base image version bump aligns with the other Dockerfiles in this PR.

package/Dockerfile.submariner-globalnet (1)

2-2: LGTM! Base image version bump is consistent with the other Dockerfiles in this PR.

package/Dockerfile.submariner-gateway (2)

27-28: Verify procps-ng necessity and libreswan-minimal functionality.

The change from libreswan to libreswan-minimal achieves the PR's goal (size reduction, systemd removal). However, procps-ng has been added without explanation in the PR description. Additionally, the gateway comment on line 23 states "libreswan provides IKE"—ensure that libreswan-minimal provides all necessary IKE/IPSec functionality required for gateway operations.

Please confirm:

  1. Why procps-ng was added to the package list. Is it a dependency of libreswan-minimal, or needed for gateway runtime operations?
  2. Does libreswan-minimal provide all required IKE and IPSec functionality for gateway operations, or are there any known limitations compared to the full libreswan package?

2-28: Fedora 43 migration and libreswan-minimal swap look good.

The base image version bump from 42 to 43 and the swap from libreswan to libreswan-minimal align with the PR objectives of reducing image size from 234 MiB to 211 MiB and removing systemd dependencies. Once the incomplete comment is resolved and the procps-ng addition is clarified, this change is ready.

libcurl-minimal iproute libreswan-minimal kmod \
openssl procps-ng nss-tools

# util-linux-core

⚠️ Potential issue | 🟡 Minor

Remove the incomplete comment on line 30.

The comment # util-linux-core appears orphaned or unfinished (separated by a blank line from the RUN command). Either complete the comment if it documents a decision, or remove it.

Apply this diff to remove the incomplete comment:

     openssl procps-ng nss-tools
-
-# util-linux-core
 
 FROM scratch
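Review bot: deleting `# util-linux-core` resolves the orphaned line but not the question it implies, namely whether the gateway image needs that package given that the install list above it ends at `openssl procps-ng nss-tools`. Before applying this, confirm that nothing the gateway runs depends on util-linux-core; if something does, add the package to the list instead, and if nothing does, say so in the commit message so the removal is a recorded decision.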
🤖 Prompt for AI Agents
In package/Dockerfile.submariner-gateway around line 30, there is an
orphaned/incomplete comment "# util-linux-core" that should be removed; edit the
Dockerfile to delete that lone comment line (or replace it with a complete
explanatory comment if you intend to document why util-linux-core is
referenced), ensuring no extra blank line remains between related instructions.

@github-actions github-actions bot added the stale label Dec 30, 2025
@github-actions github-actions bot closed this Jan 6, 2026
auto-merge was automatically disabled January 6, 2026 00:20

Pull request was closed

@submariner-bot (Contributor)

🤖 Closed branches: [z_pr3499/skitt/libreswan-minimal]

@skitt skitt reopened this Jan 6, 2026
@submariner-bot (Contributor)

🤖 Created branch: z_pr3499/skitt/libreswan-minimal
🚀 Full E2E won't run until the "ready-to-test" label is applied. I will add it automatically once the PR has 2 approvals, or you can add it manually.

@skitt skitt removed the stale label Jan 6, 2026
@skitt skitt force-pushed the libreswan-minimal branch from f4543f6 to e6fc79f Compare January 7, 2026 09:55
@github-actions github-actions bot added the stale label Jan 22, 2026
@tpantelis tpantelis removed the stale label Jan 22, 2026
@skitt skitt force-pushed the libreswan-minimal branch from e6fc79f to ceb93c1 Compare January 26, 2026 13:52
@dfarrell07 (Member)

Seeing all the NFTables jobs failing, might be related to the incompatibility work @yboaron was digging into.

@dfarrell07 dfarrell07 removed the stale label Feb 10, 2026
@skitt (Member, Author) commented Feb 10, 2026

> Seeing all the NFTables jobs failing, might be related to the incompatibility work @yboaron was digging into.

Yes, this is the same incompatibility between F43 nftables and kind’s.

The image sizes don't vary significantly.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
This reduces the image size (185MiB instead of 203MiB) and drops all
the systemd dependencies.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
@skitt skitt force-pushed the libreswan-minimal branch from 5c1cd42 to 88fba45 Compare February 10, 2026 16:03
Labels

  • backport: This change requires a backport to eligible release branches
  • ready-to-test: When a PR is ready for full E2E testing
