Backport v1.13: CI: Add IPsec key rotation test #28120
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
backport/1.13
|
/ci-ipsec-e2e |
|
/ci-ipsec-upgrade |
jschwinger233
force-pushed
the
pr/gray/v1.13-ipsec-e2e
branch
from
33cea37
to
4f90090
Compare
|
/ci-ipsec-upgrade |
|
/ci-ipsec-e2e |
jschwinger233
force-pushed
the
pr/gray/v1.13-ipsec-e2e
branch
from
4f90090
to
e804d84
Compare
|
/ci-ipsec-e2e |
jschwinger233
force-pushed
the
pr/gray/v1.13-ipsec-e2e
branch
from
e804d84
to
504266e
Compare
|
/ci-ipsec-e2e |
|
/test-backport-1.13 |
jschwinger233
force-pushed
the
pr/gray/v1.13-ipsec-e2e
branch
from
504266e
to
123f971
Compare
|
/test-backport-1.13 |
jschwinger233
force-pushed
the
pr/gray/v1.13-ipsec-e2e
branch
from
123f971
to
dd0d5f4
Compare
|
/test-backport-1.13 |
jschwinger233
force-pushed
the
pr/gray/v1.13-ipsec-e2e
branch
from
dd0d5f4
to
ecf6d38
Compare
|
/test-backport-1.13 |
jschwinger233
force-pushed
the
pr/gray/v1.13-ipsec-e2e
branch
from
ecf6d38
to
eab3bdf
Compare
|
/test-backport-1.13 |
|
/ci-ipsec-upgrade |
|
This PR only affects ci-ipsec-e2e and ci-ipsec-upgrade, both checks turned green: https://github.com/cilium/cilium/actions/runs/6182957826 and https://github.com/cilium/cilium/actions/runs/6183987556 |
nebril
approved these changes
Sep 15, 2023
aanm
requested changes
Sep 15, 2023
aanm
requested changes
Sep 21, 2023
jschwinger233
force-pushed
the
pr/gray/v1.13-ipsec-e2e
branch
from
eab3bdf
to
8681c89
Compare
|
/ci-ipsec-upgrade |
|
/test-backport-1.13 Job 'Cilium-PR-K8s-1.23-kernel-4.19' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.23-kernel-4.19/308/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
aanm
approved these changes
Sep 25, 2023
lmb
approved these changes
Sep 26, 2023
|
/test-1.18-4.19 |
|
/test-1.23-4.19 |
|
/ci-ingress |
[ upstream commit 4c85662 ] IPsec cases are moved from conformance-e2e.yaml to conformance-ipsec-e2e.yaml, we can trigger the latter one using /ci-ipsec-e2e. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
[ upstream commit 48023b9 ] This commit makes conn-disrupt-test a github action, so upgrade test and IPsec key rotation test don't have to copy and paste everywhere. The idea is to allow caller workflow to specify the commands to execute, then this action will follow the steps: 1. Run "cilium-cli connectivity test --conn-disrupt-test-setup"; 2. Run whatever caller workflow passes: could be upgrade operation or IPsec key rotation; 3. Run "cilium-cli connectivity test --include-conn-disrupt-test"; Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
[ upstream commit de192de ] [ backporter's notes: 1. v1.13 doesn't allow kubeProxyReplacement=false, so it's changed to kubeProxyReplacement=disabled; 2. v1.13 doesn't have cilium-spire, so delete related code; ] This commit adds a step in conformance-ipsec-e2e to perform IPsec key rotation and conn-disrupt-test. The commands to perform IPsec key rotation are copied from https://docs.cilium.io/en/latest/security/network/encryption-ipsec/#key-rotation with a few improvements: * To pass commands with "$" character to conn-disrupt-test action, "$" must be escaped as "\$". * To have a new IPsec key in a bare VM, a string of hex is hard coded without using xxd. Fixes: #26350 Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
[ upstream commit a4d543d ] Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
[ upstream commit 751c17c ] Now that we cover the key rotations in the IPsec e2e tests, we are running the connectivity test suite twice. That means we can run in the usual bug where an existing CT entry is reused and leads to us sending traffic to the proxy when we shouldn't. Thus, we need to flush the CT entries at the end of the first test run, with --flush-ct. Fixes: de192de ("ci-ipsec-e2e: Add IPsec key rotation test") Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
jschwinger233
force-pushed
the
pr/gray/v1.13-ipsec-e2e
branch
from
8681c89
to
cc4a178
Compare
|
/test-backport-1.13 |
|
/test-1.18-4.19 |
|
/ci-clustermesh |
|
/test-1.18-4.19 |
maintainer-s-little-helper
bot
added
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Manual backport of
--flush-ctfor key rotation #27883Signed-off-by: Zhichuan Liang gray.liang@isovalent.com