libnetwork/d/overlay: drop initEncryption function

corhere · corhere · commit df6b4057967e · 2025-05-29T14:13:13.000-04:00
The (*driver).Join function does many things to set up overlay
networking. One of the first things it does is call
(*network).joinSandbox, which in turn calls (*driver).initSandboxPeerDB.
The initSandboxPeerDB function iterates through the peer db to add
entries to the VXLAN FDB, neighbor table and IPsec security association
database in the kernel for all known peers on the overlay network.

One of the last things the (*driver).Join function does is call
(*driver).initEncryption. The initEncryption function iterates through
the peer db to add entries to the IPsec security association database in
the kernel for all known peers on the overlay network. But the preceding
initSandboxPeerDB call already did that! The initEncryption function is
redundant and can safely be removed.

Signed-off-by: Cory Snider &lt;csnider@mirantis.com&gt;
diff --git a/libnetwork/drivers/overlay/encryption.go b/libnetwork/drivers/overlay/encryption.go
@@ -113,41 +113,6 @@ func (e *encrMap) String() string {
 	return b.String()
 }
 
-// initEncryption sets up IPsec encryption parameters for all known peers on a network.
-func (d *driver) initEncryption(nid string) error {
-	log.G(context.TODO()).Debugf("initEncryption(%.7s)", nid)
-
-	n := d.network(nid)
-	if n == nil || !n.secure {
-		return nil
-	}
-
-	if len(d.keys) == 0 {
-		return types.ForbiddenErrorf("encryption key is not present")
-	}
-
-	nodes := map[netip.Addr]struct{}{}
-
-	if err := d.peerDbNetworkWalk(nid, func(_ netip.Addr, _ net.HardwareAddr, pEntry *peerEntry) bool {
-		if !pEntry.isLocal() {
-			nodes[pEntry.vtep] = struct{}{}
-		}
-		return false
-	}); err != nil {
-		log.G(context.TODO()).Warnf("Failed to retrieve list of participating nodes in overlay network %.5s: %v", nid, err)
-	}
-
-	log.G(context.TODO()).Debugf("List of nodes: %s", nodes)
-
-	for rIP := range nodes {
-		if err := d.setupEncryption(rIP); err != nil {
-			log.G(context.TODO()).Warnf("Failed to program network encryption to remote peer %s: %v", rIP, err)
-		}
-	}
-
-	return nil
-}
-
 // setupEncryption programs the encryption parameters for secure communication
 // between the local node and a remote node.
 func (d *driver) setupEncryption(remoteIP netip.Addr) error {
diff --git a/libnetwork/drivers/overlay/joinleave.go b/libnetwork/drivers/overlay/joinleave.go
@@ -121,10 +121,6 @@ func (d *driver) Join(ctx context.Context, nid, eid string, sboxKey string, jinf
 
 	d.peerAdd(nid, eid, ep.addr, ep.mac, netip.Addr{})
 
-	if err = d.initEncryption(nid); err != nil {
-		log.G(ctx).Warn(err)
-	}
-
 	buf, err := proto.Marshal(&PeerRecord{
 		EndpointIP:       ep.addr.String(),
 		EndpointMAC:      ep.mac.String(),
