Backport v1.13: CI: Add IPsec key rotation test #28120
/ci-ipsec-e2e
/ci-ipsec-upgrade
33cea37 to 4f90090
/ci-ipsec-upgrade
/ci-ipsec-e2e
4f90090 to e804d84
/ci-ipsec-e2e
e804d84 to 504266e
/ci-ipsec-e2e
/test-backport-1.13
504266e to 123f971
/test-backport-1.13
123f971 to dd0d5f4
/test-backport-1.13
dd0d5f4 to ecf6d38
/test-backport-1.13
ecf6d38 to eab3bdf
/test-backport-1.13
/ci-ipsec-upgrade
This PR only affects ci-ipsec-e2e and ci-ipsec-upgrade, both checks turned green: https://github.com/cilium/cilium/actions/runs/6182957826 and https://github.com/cilium/cilium/actions/runs/6183987556
eab3bdf to 8681c89
/ci-ipsec-upgrade
/test-backport-1.13
Job 'Cilium-PR-K8s-1.23-kernel-4.19' failed:
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.23-kernel-4.19/308/
If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue.
/test-1.18-4.19
/test-1.23-4.19
/ci-ingress
[ upstream commit 4c85662 ]

IPsec cases are moved from conformance-e2e.yaml to conformance-ipsec-e2e.yaml, we can trigger the latter one using /ci-ipsec-e2e.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

[ upstream commit 48023b9 ]

This commit makes conn-disrupt-test a github action, so upgrade test and IPsec key rotation test don't have to copy and paste everywhere.

The idea is to allow caller workflow to specify the commands to execute, then this action will follow the steps:
1. Run "cilium-cli connectivity test --conn-disrupt-test-setup";
2. Run whatever caller workflow passes: could be upgrade operation or IPsec key rotation;
3. Run "cilium-cli connectivity test --include-conn-disrupt-test";

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

[ upstream commit de192de ]

[ backporter's notes:
1. v1.13 doesn't allow kubeProxyReplacement=false, so it's changed to kubeProxyReplacement=disabled;
2. v1.13 doesn't have cilium-spire, so delete related code;
]

This commit adds a step in conformance-ipsec-e2e to perform IPsec key rotation and conn-disrupt-test.

The commands to perform IPsec key rotation are copied from https://docs.cilium.io/en/latest/security/network/encryption-ipsec/#key-rotation with a few improvements:
* To pass commands with "$" character to conn-disrupt-test action, "$" must be escaped as "\$".
* To have a new IPsec key in a bare VM, a string of hex is hard coded without using xxd.

Fixes: #26350
Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

[ upstream commit a4d543d ]

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

[ upstream commit 751c17c ]

Now that we cover the key rotations in the IPsec e2e tests, we are running the connectivity test suite twice. That means we can run into the usual bug where an existing CT entry is reused and leads to us sending traffic to the proxy when we shouldn't. Thus, we need to flush the CT entries at the end of the first test run, with --flush-ct.

Fixes: de192de ("ci-ipsec-e2e: Add IPsec key rotation test")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

8681c89 to cc4a178
/test-backport-1.13
/test-1.18-4.19
/ci-clustermesh
/test-1.18-4.19
Manual backport of --flush-ct for key rotation #27883

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
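
The key rotation step described in commit de192de, as an added example that is not part of this PR or of the Cilium workflows: it computes the next key ID and builds the secret patch body from a hard-coded hex string, so no xxd is needed. The key line layout, the 1..15 key ID cycle, the secret name in the comment and all sample values are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the PR: build the rotated "keys" value for the
# cilium-ipsec-keys secret without xxd.
# Assumptions: the key line is "<id> <algo> <hex key> <icv bits>" and key IDs
# cycle through 1..15, as in the Cilium key rotation docs.

# Constructed sample values, not real key material.
CURRENT_KEYS='15 rfc4106(gcm(aes)) 0123456789abcdef0123456789abcdef01234567 128'
NEW_HEX='89abcdef0123456789abcdef0123456789abcdef'

# Print the ID the rotated key must carry; wraps back to 1 after 15.
next_key_id() {
  nk_id=${1%% *}
  case $nk_id in
    ''|*[!0-9]*) echo "invalid key id: '$nk_id'" >&2; return 1 ;;
  esac
  if [ "$nk_id" -ge 15 ]; then nk_id=0; fi
  echo $(($nk_id + 1))
}

# Print the new key line: next ID, same algorithm and ICV size, new hex key.
rotated_key_line() {
  rk_id=$(next_key_id "$1") || return 1
  case $2 in
    ''|*[!0-9a-fA-F]*) echo "new key is not a hex string" >&2; return 1 ;;
  esac
  if [ $(( ${#2} % 2 )) -ne 0 ]; then
    echo "new key has an odd number of hex digits" >&2; return 1
  fi
  # Split the current line into its four fields; only algo and bits are reused.
  read -r rk_old_id rk_algo rk_old_hex rk_bits <<EOF
$1
EOF
  printf '%s %s %s %s\n' "$rk_id" "$rk_algo" "$2" "$rk_bits"
}

# Print the JSON body for:
#   kubectl patch secret -n kube-system cilium-ipsec-keys -p=<body>
patch_payload() {
  printf '{"stringData":{"keys":"%s"}}\n' "$1"
}

# In CI the body would be handed to kubectl; here it is only printed.
patch_payload "$(rotated_key_line "$CURRENT_KEYS" "$NEW_HEX")"
```

Because the functions take the current key line and the new hex string as arguments, a workflow can pass them as literals and avoid the "$" escaping the commit message mentions for inline shell expansions.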