cmd, datapath: Support --devices for encryption interfaces

The agent supported attaching the IPsec decryption logic to interfaces given via --devices. In that case, this logic was contained in bpf_host instead of bpf_network. This support is partially covered in ginkgo end-to-end tests. That support is however broken, as there doesn't seem to be anything preventing bpf_network from being reloaded in place of bpf_host on the same interfaces. This commit fixes it by implementing proper support for --devices in IPsec. If no devices flag is given then we fallback to using the encrypt-interface flag. That should allow us to deprecate encrypt-interface at a latter time. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
cilium · Mar 25, 2024 · 3c6f957 · 3c6f957
1 parent 4687325
commit 3c6f957
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
@@ -1354,6 +1354,7 @@ func initEnv(vp *viper.Viper) {
 	if option.Config.EnableIPSec &&
 		!option.Config.TunnelingEnabled() &&
 		len(option.Config.EncryptInterface) == 0 &&
+		len(option.Config.GetDevices()) == 0 &&
 		option.Config.IPAM != ipamOption.IPAMENI {
 		link, err := linuxdatapath.NodeDeviceNameWithDefaultRoute()
 		if err != nil {

diff --git a/pkg/datapath/linux/ipsec.go b/pkg/datapath/linux/ipsec.go
@@ -31,11 +31,14 @@ func (n *linuxNodeHandler) getDefaultEncryptionInterface() string {
 	if option.Config.TunnelingEnabled() {
 		return n.datapathConfig.TunnelDevice
 	}
-	iface := ""
+	devices := option.Config.GetDevices()
+	if len(devices) > 0 {
+		return devices[0]
+	}
 	if len(option.Config.EncryptInterface) > 0 {
-		iface = option.Config.EncryptInterface[0]
+		return option.Config.EncryptInterface[0]
 	}
-	return iface
+	return ""
 }
 
 func (n *linuxNodeHandler) getLinkLocalIP(family int) (net.IP, error) {

diff --git a/pkg/datapath/loader/base.go b/pkg/datapath/loader/base.go
@@ -170,7 +170,9 @@ func cleanIngressQdisc() error {
 
 // reinitializeIPSec is used to recompile and load encryption network programs.
 func (l *loader) reinitializeIPSec(ctx context.Context) error {
-	if !option.Config.EnableIPSec {
+	// If devices are specified, then we are relying on autodetection and don't
+	// need the code below, specific to EncryptInterface.
+	if !option.Config.EnableIPSec || len(option.Config.GetDevices()) > 0 {
 		return nil
 	}