connectivity: Add encryption tests #1241
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Going to be used by the DP conformance suite to test WireGuard/IPsec. Signed-off-by: Martynas Pumputis <m@lambda.lt>
This is going to be used for exec'ing from a concurrent goroutine, and
then reading std{out,err} from another one.
Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb
force-pushed
the
pr/brb/ci-dp-encrypt
branch
from
f41f715
to
f6edf73
Compare
brb
force-pushed
the
pr/brb/ci-dp-encrypt
branch
from
f6edf73
to
967e017
Compare
pchaigno
approved these changes
Nov 30, 2022
brb
force-pushed
the
pr/brb/ci-dp-encrypt
branch
from
967e017
to
80b0cff
Compare
Yep, it's planned with cilium/cilium#19401. |
tommyp1ckles
approved these changes
Dec 5, 2022
Going to be used by the upcoming encryption tests. Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Martynas Pumputis <m@lambda.lt>
The pod-to-pod encryption test checks connectivity between pods, and whether no unencrypted traffic is leaked. All subtle details are in the code comments. Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb
force-pushed
the
pr/brb/ci-dp-encrypt
branch
from
80b0cff
to
be0cf10
Compare
|
EKS jobs are failing due to the provisioning issues. Previously, all tests passed. Applied only minor changes. Marking as ready to merge. |
brb
added
ready-to-merge
|
@tklauser from @cilium/cli will do a review before merging. |
tklauser
reviewed
Dec 7, 2022
joamaki
approved these changes
Dec 8, 2022
| @@ -623,3 +623,8 @@ func (ct *ConnectivityTest) K8sClient() *k8s.Client { | |||
| func (ct *ConnectivityTest) NodesWithoutCilium() []string { | |||
| return ct.nodesWithoutCilium | |||
| } | |||
|
|
|||
| func (ct *ConnectivityTest) Feature(f Feature) (FeatureStatus, bool) { | |||
| s, ok := ct.features[f] | |||
There was a problem hiding this comment.
return ct.feature[f] works too.
There was a problem hiding this comment.
Unfortunately, this won't work:
# github.com/cilium/cilium-cli/connectivity/check
connectivity/check/context.go:628:9: not enough return values
have (FeatureStatus)
want (FeatureStatus, bool)
Also see golang/go#6230.
| iface = "cilium_" + tunnelFeat.Mode // E.g. cilium_vxlan | ||
| } else { | ||
| cmd := []string{"/bin/sh", "-c", | ||
| fmt.Sprintf("ip -o r g %s from %s | grep -oP '(?<=dev )[^ ]+'", |
There was a problem hiding this comment.
going via ip -json may sometimes by nicer way to do this, but I'm fine with this as long as it doesn't get any more complex.
There was a problem hiding this comment.
Yep, but unfortunately this brings the runtime dependency for jq.
| // might terminate the tcpdump process before it gets a chance to dump | ||
| // its captures. | ||
| cmd := []string{ | ||
| "tcpdump", "-i", iface, "--immediate-mode", "-w", "/tmp/foo.pcap", |
There was a problem hiding this comment.
Would be better to generate a unique(ish) filename for this and mention that this is part of the cilium-cli encryption test. "cilium-test-encryption-XXX.pcap" where XXX is unix time?
| // Redirect stderr to /dev/null, as tcpdump logs to stderr, and ExecInPod | ||
| // will return an error if any char is written to stderr. Anyway, the count | ||
| // is written to stdout. | ||
| cmd := []string{"/bin/sh", "-c", "tcpdump -r /tmp/foo.pcap --count 2>/dev/null"} |
There was a problem hiding this comment.
add && rm -f /tmp/foo.pcap to not leave the file around.
There was a problem hiding this comment.
Hm, don't we want to keep it around so that the workflows can collect it as part of the artifacts? It might be useful to debug failures.
brb
added
the
ready-to-merge
tklauser
approved these changes
Dec 12, 2022
brb
added a commit
to cilium/cilium
that referenced
this pull request
Dec 12, 2022
The encryption test details - cilium/cilium-cli#1241. Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb
added a commit
to cilium/cilium
that referenced
this pull request
Dec 14, 2022
The encryption test details - cilium/cilium-cli#1241. Signed-off-by: Martynas Pumputis <m@lambda.lt>
pchaigno
pushed a commit
to cilium/cilium
that referenced
this pull request
Dec 14, 2022
The encryption test details - cilium/cilium-cli#1241. Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb
added a commit
to cilium/cilium
that referenced
this pull request
Dec 20, 2022
The encryption test details - cilium/cilium-cli#1241. Signed-off-by: Martynas Pumputis <m@lambda.lt>
joestringer
pushed a commit
to joestringer/cilium
that referenced
this pull request
Dec 21, 2022
[ upstream commit 843c072 ] The encryption test details - cilium/cilium-cli#1241. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io>
joestringer
pushed a commit
to cilium/cilium
that referenced
this pull request
Dec 22, 2022
[ upstream commit 843c072 ] The encryption test details - cilium/cilium-cli#1241. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io>
2 tasks
giorio94
added a commit
to giorio94/cilium-cli
that referenced
this pull request
Oct 13, 2023
When running in ENI mode, the outgoing interface of pod originating traffic is different from the one that would be used by host originating traffic towards the same destination. This breaks the current pod-to-pod encryption validation, as the source interface for the tcpdump filter is determined based on the routes towards the given destination only. Let's update the source interface determination to additionally consider the source address. This approach had been initially suggested by Paul Chaignon in cilium#1241, but then reverted in [1] because `ip route get` returns and error in case the `from` address is not assigned to any local interface. We can work around this by specifying an input interface: let's use lo as it should be always present. [1]: 2fc0835 ("connectivity: Fix iface derivation in encrypt tests") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94
added a commit
to giorio94/cilium-cli
that referenced
this pull request
Oct 16, 2023
When running in ENI mode, the outgoing interface of pod originating traffic is different from the one that would be used by host originating traffic towards the same destination. This breaks the current pod-to-pod encryption validation, as the source interface for the tcpdump filter is determined based on the routes towards the given destination only. Let's update the source interface determination to additionally consider the source address. This approach had been initially suggested by Paul Chaignon in cilium#1241, but then reverted in [1] because `ip route get` returns and error in case the `from` address is not assigned to any local interface. We can work around this by specifying an input interface: let's use lo as it should be always present. [1]: 2fc0835 ("connectivity: Fix iface derivation in encrypt tests") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94
added a commit
to giorio94/cilium-cli
that referenced
this pull request
Oct 17, 2023
When running in ENI mode, the outgoing interface of pod originating traffic is different from the one that would be used by host originating traffic towards the same destination. This breaks the current pod-to-pod encryption validation, as the source interface for the tcpdump filter is determined based on the routes towards the given destination only. Let's update the source interface determination to additionally consider the source address. This approach had been initially suggested by Paul Chaignon in cilium#1241, but then reverted in [1] because `ip route get` returns and error in case the `from` address is not assigned to any local interface. We can work around this by specifying an input interface: let's use lo as it should be always present. [1]: 2fc0835 ("connectivity: Fix iface derivation in encrypt tests") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94
added a commit
to giorio94/cilium-cli
that referenced
this pull request
Oct 18, 2023
When running in ENI mode, the outgoing interface of pod originating traffic is different from the one that would be used by host originating traffic towards the same destination. This breaks the current pod-to-pod encryption validation, as the source interface for the tcpdump filter is determined based on the routes towards the given destination only. Let's update the source interface determination to additionally consider the source address. This approach had been initially suggested by Paul Chaignon in cilium#1241, but then reverted in [1] because `ip route get` returns and error in case the `from` address is not assigned to any local interface. We can work around this by specifying an input interface: let's use lo as it should be always present. [1]: 2fc0835 ("connectivity: Fix iface derivation in encrypt tests") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
brb
pushed a commit
that referenced
this pull request
Oct 19, 2023
When running in ENI mode, the outgoing interface of pod originating traffic is different from the one that would be used by host originating traffic towards the same destination. This breaks the current pod-to-pod encryption validation, as the source interface for the tcpdump filter is determined based on the routes towards the given destination only. Let's update the source interface determination to additionally consider the source address. This approach had been initially suggested by Paul Chaignon in #1241, but then reverted in [1] because `ip route get` returns and error in case the `from` address is not assigned to any local interface. We can work around this by specifying an input interface: let's use lo as it should be always present. [1]: 2fc0835 ("connectivity: Fix iface derivation in encrypt tests") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please see commit msgs.
Example run - https://github.com/cilium/cilium/actions/runs/3573711857/jobs/6008107171.