conformance-ipsec-e2e: run leak check before/after key rotation

[ upstream commit: 4e2a66d ] [ backporter's note: In 1.13 ci-ipsec-e2e disables IPv6, we need to suppress "no IPv6 connections" errors in check-ipsec-leaks.bt ] This is because we saw a racing issue if leak detection covers the whole rotation + conn-disrupt-check: cilium connectivity will remove conn-disrupt pods in the end of connectivity test, leaving some linger packets recognized as leaked traffic. This commit avoids the issue by running leak checks separately for key rotation and after-rotation test. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: gray <gray.liang@isovalent.com>
cilium · Jun 12, 2024 · 1d8e7de · 1d8e7de
1 parent 0a53348
commit 1d8e7de
Showing 1 changed file with 31 additions and 3 deletions.
diff --git a/.github/workflows/conformance-ipsec-e2e.yaml b/.github/workflows/conformance-ipsec-e2e.yaml
@@ -307,7 +307,7 @@ jobs:
         uses: ./.github/actions/bpftrace/start
         with:
           script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt
-          args: ${{ steps.bpftrace-params.outputs.params }} "true"
+          args: ${{ steps.bpftrace-params.outputs.params }} "false"
 
       - name: Run tests (${{ join(matrix.*, ', ') }})
         shell: bash
@@ -322,6 +322,15 @@ jobs:
             --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \
             --flush-ct
 
+      - name: Assert that no unencrypted packets are leaked
+        uses: ./.github/actions/bpftrace/check
+
+      - name: Start unencrypted packets check for key rotation
+        uses: ./.github/actions/bpftrace/start
+        with:
+          script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt
+          args: ${{ steps.bpftrace-params.outputs.params }} "false"
+
       - name: Setup conn-disrupt-test before rotating (${{ join(matrix.*, ', ') }})
         uses: ./.github/actions/conn-disrupt-test-setup
 
@@ -385,12 +394,31 @@ jobs:
             sleep 30s
           done
 
+      - name: Assert that no unencrypted packets are leaked during key rotation
+        uses: ./.github/actions/bpftrace/check
+
       - name: Check conn-disrupt-test after rotating (${{ join(matrix.*, ', ') }})
         uses: ./.github/actions/conn-disrupt-test-check
+
+      - name: Start unencrypted packets check for tests
+        uses: ./.github/actions/bpftrace/start
         with:
-          full-test: 'true'
+          script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt
+          args: ${{ steps.bpftrace-params.outputs.params }} "false"
 
-      - name: Assert that no unencrypted packets are leaked
+      - name: Run tests (${{ join(matrix.*, ', ') }})
+        shell: bash
+        run: |
+          mkdir -p cilium-junits
+
+          ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \
+            --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \
+            --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-<ts>" \
+            --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \
+            --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \
+            --flush-ct
+
+      - name: Assert that no unencrypted packets are leaked during tests
         uses: ./.github/actions/bpftrace/check
 
       - name: Fetch artifacts