
ipsec: use well known paths of charon daemon

The charon IKE daemon path is hardcoded according to its install location
in the Alpine distribution, on which the flannel image used in standard
Kubernetes deployments is based.

This commit hardcodes the other well-known paths of the charon daemon in
different distributions to improve support for manual execution
scenarios or customized flannel images.
Jaime Caamaño Ruiz 4 年之前
父節點
當前提交
e5a30dae2b
共有 2 個文件被更改,包括 33 次插入10 次删除
  1. 30 7
      backend/ipsec/handle_charon.go
  2. 3 3
      backend/ipsec/ipsec.go

+ 30 - 7
backend/ipsec/handle_charon.go

@@ -47,8 +47,13 @@ func NewCharonIKEDaemon(ctx context.Context, wg *sync.WaitGroup, espProposal str
 	addr := strings.Split("unix:///var/run/charon.vici", "://")
 	charon.viciUri = Uri{addr[0], addr[1]}
 
-	cmd, err := charon.runBundled("/usr/lib/strongswan/charon")
+	execPath, err := findExecPath()
+	if err != nil {
+		log.Errorf("Charon daemon not found: %v", err)
+		return nil, err
+	}
 
+	cmd, err := charon.run(execPath)
 	if err != nil {
 		log.Errorf("Error starting charon daemon: %v", err)
 		return nil, err
@@ -92,13 +97,9 @@ func (charon *CharonIKEDaemon) getClient(wait bool) (client *goStrongswanVici.Cl
 	}
 }
 
-func (charon *CharonIKEDaemon) runBundled(execPath string) (cmd *exec.Cmd, err error) {
-	path, err := exec.LookPath(execPath)
-	if err != nil {
-		return nil, err
-	}
+func (charon *CharonIKEDaemon) run(execPath string) (cmd *exec.Cmd, err error) {
 	cmd = &exec.Cmd{
-		Path: path,
+		Path: execPath,
 		SysProcAttr: &syscall.SysProcAttr{
 			Pdeathsig: syscall.SIGTERM,
 		},
@@ -233,3 +234,25 @@ func formatConnectionName(localLease, remoteLease *subnet.Lease) string {
 func formatChildSAConfName(localLease, remoteLease *subnet.Lease) string {
 	return fmt.Sprintf("%s-%s", localLease.Subnet, remoteLease.Subnet)
 }
+
+func findExecPath() (string, error) {
+	// try well known charon paths
+	paths := []string{
+		"charon",                         // PATH
+		"/usr/lib/strongswan/charon",     // alpine, arch, flannel container
+		"/usr/lib/ipsec/charon",          // debian/ubuntu
+		"/usr/libexec/strongswan/charon", // centos/rhel
+		"/usr/libexec/ipsec/charon",      // opensuse/sles
+	}
+	for _, path := range paths {
+		path, err := exec.LookPath(path)
+		if err != nil {
+			log.Warningf("No valid charon executable found at path %s: %v", path, err)
+			continue
+		}
+		return path, nil
+	}
+
+	err := fmt.Errorf("No valid charon executable found at paths %v", paths)
+	return "", err
+}
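Review bot: In findExecPath the bare `"charon"` candidate is tried first, so a PATH lookup takes precedence over every absolute well-known location; on a host whose PATH contains a writable or relative entry, a planted `charon` would be chosen over the distribution's binary and run with whatever privileges flannel has (before Go 1.19, exec.LookPath also happily returns a relative result for `.`-style PATH entries). Prefer the absolute paths first and fall back to PATH last, and reject a non-absolute result. Separately, `path, err := exec.LookPath(path)` shadows the loop variable, and LookPath returns `""` on failure, so the Warningf on the next line prints an empty path; renaming the resolved value fixes that. Those misses are also expected on every start, so they belong at debug level rather than warning. The reordering plus the absolute-path check needs `path/filepath` imported, which is outside this hunk.
```go
func findExecPath() (string, error) {
	// Absolute well-known locations first; a bare PATH lookup last so that a
	// writable or relative PATH entry cannot shadow the distribution's binary.
	paths := []string{
		"/usr/lib/strongswan/charon",     // alpine, arch, flannel container
		"/usr/lib/ipsec/charon",          // debian/ubuntu
		"/usr/libexec/strongswan/charon", // centos/rhel
		"/usr/libexec/ipsec/charon",      // opensuse/sles
		"charon",                         // PATH
	}
	for _, candidate := range paths {
		resolved, err := exec.LookPath(candidate)
		if err != nil {
			log.Debugf("No valid charon executable found at path %s: %v", candidate, err)
			continue
		}
		if !filepath.IsAbs(resolved) {
			log.Warningf("Ignoring relative charon executable path %s", resolved)
			continue
		}
		return resolved, nil
	}
	// … unchanged: final "not found" error …
}
```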

+ 3 - 3
backend/ipsec/ipsec.go

@@ -32,9 +32,9 @@ import (
 	Flannel's approach to IPSec uses Strongswan to handle the key exchange (using IKEv2) and the kernel to handle the
 	actual encryption.
 
-	Strongswan's "charon" is bundled in the flannel container. Flannel runs it as a child process when the ipsec backend
-	is selected and communicates with it using the "VICI" interface. Strongswan ships a utility "swanctl" which also
-	uses the VICI interface. This utility is bundled in the flannel container and can help with debugging.
+	Flannel runs Strongswan's "charon" as a child process when the ipsec backend is selected and communicates with it
+	using the "VICI" interface. Strongswan ships a utility "swanctl" which also uses the VICI interface. This utility
+	is bundled in the flannel container and can help with debugging.
 
 	The file "handle_charon.go" contains the logic for working with the charon. It supports creating a "CharonIKEDaemon"
 	which supports loading the PSK into the charon and adding and removing connections.