cilium: Add encryption mode to cilium status
#15833
85f0b55 to 0df2176
test-me-please
nit: I think that the value for encryption would be a bit more clear this way:

```
Encryption: Disabled
Encryption: Enabled via IPsec
Encryption: Enabled via Wireguard [cilium_wg0 (Pubkey: GsIGt1Juo6p8gR93driyMD5FwFu2uOBBYGVsZtfQxho=, Port: 51871, Peers: 1)]
```
Thanks, I think I'll leave as is though. Other multi-mode features we have in |
retest-1.20-4.19
Previous failure seems like an unrelated flake (NodePort failure with exit code 42): https://jenkins.cilium.io/job/Cilium-PR-K8s-1.20-kernel-4.19/276/

retest-1.21-4.9
Previous failure is a flake #15775 https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-4.9/295/
Just a small correction, otherwise looks good 🚀
This adds a new `Encryption` field to both the `CiliumStatus` and `DebugInfo` models. While both models share the same underlying `WireguardStatus` type, the array of peers will only be populated when `DebugInfo` is requested.
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

This commit adds a `Status()` method to the Wireguard agent which dumps the current status of the Wireguard tunnel device. The resulting information is similar to what a user can obtain via `wg show cilium_wg0`. The list of peers is optional, as it contains the IP address of each node and endpoint in the cluster and therefore does not need to be populated for a simple `cilium status` request.
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

This commit populates the API responses for the `CiliumStatus` and `DebugInfo` requests. The `DebugInfo` request contains more details about each Wireguard peer.
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

This adds a new section for transparent encryption to the `cilium status` command. It currently can take one of the three following forms:

```
Encryption: Disabled
Encryption: IPsec
Encryption: Wireguard [cilium_wg0 (Pubkey: GsIGt1Juo6p8gR93driyMD5FwFu2uOBBYGVsZtfQxho=, Port: 51871, Peers: 1)]
```

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

This adds a new section to the `cilium debuginfo` output which provides additional debugging information for Wireguard. Its output is basically equivalent to `wg show`:

#### Cilium encryption

##### Wireguard

```
interface: cilium_wg0
  public key: GsIGt1Juo6p8gR93driyMD5FwFu2uOBBYGVsZtfQxho=
  listening port: 51871

peer: 6gdyrnQ9ahwDNv0Q7gj2UI2h9MUITh+O7xb2wdacKQA=
  endpoint: 192.168.33.12:51871
  allowed ips: fd00::1:30b9/128, fd00::1:647e/128, 10.17.227.163/32, fd00::1:d6f/128, 10.17.202.94/32, 10.17.242.225/32
  latest handshake: 2021-04-22T17:48:01Z
  transfer: 123 B received, 456 B sent
```

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
0df2176 to d64d9f8
test-me-please
🚀
CI seems to have issues, all of the three pipelines failed with
Looks like: #15455 https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-net-next/355/
GKE failed to provision cluster: https://jenkins.cilium.io/job/Cilium-PR-K8s-GKE/5238/
test-1.16-netnext
test-1.20-4.19
test-1.21-4.9
test-gke
test-gke
test-me-please
test-1.21-4.9 hit #15455 again (https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-4.9/312/)
GKE hit a K8s API error

retest-1.21-4.9
retest-gke
retest-gke

CI is finally green (except for GKE, which is currently known to be always broken, see #15861), marking as ready to merge.

This adds a new section for transparent encryption to the `cilium status` and `cilium debug` command. `cilium status` can currently take one of the three following forms:

Details about IPsec may be added in a subsequent PR, as I'm not too familiar with what information should be provided.

This PR here focuses on Wireguard, as for troubleshooting purposes it will be crucial to dump the state of the `cilium_wg0` device via `cilium debuginfo`:

The new section in `cilium debuginfo` is basically equivalent to executing `wg show` (with a minor difference being that the `latest handshake` timestamp is absolute, not relative):
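
An added example, not part of this PR or of Cilium's code: a troubleshooting check that reads the Wireguard section of `cilium debuginfo` in the layout shown in the commit message above and uses the absolute `latest handshake` timestamp to list peers without a recent handshake. The helper name `StalePeers`, the three-minute threshold, the fixed "now" and the second and third sample peers are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample in the layout shown in the commit message above; the
// second and third peers and their timestamps are made up for this example.
const sample = `interface: cilium_wg0
peer: 6gdyrnQ9ahwDNv0Q7gj2UI2h9MUITh+O7xb2wdacKQA=
  latest handshake: 2021-04-22T17:48:01Z
peer: CONSTRUCTED-PEER-KEY-B=
  latest handshake: 2021-04-22T17:30:00Z
peer: CONSTRUCTED-PEER-KEY-C=
`

// StalePeers (hypothetical helper) returns, in input order, the peers whose
// "latest handshake" is older than maxAge at time now or is missing/unparsable.
func StalePeers(dump string, now time.Time, maxAge time.Duration) []string {
	var peers, stale []string
	fresh := map[string]bool{}
	for _, line := range strings.Split(dump, "\n") {
		kv := strings.SplitN(strings.TrimSpace(line), ": ", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "peer":
			peers = append(peers, kv[1])
		case "latest handshake":
			// The timestamp is absolute (RFC 3339), so it can be compared directly.
			ts, err := time.Parse(time.RFC3339, kv[1])
			if err == nil && len(peers) > 0 {
				fresh[peers[len(peers)-1]] = now.Sub(ts) <= maxAge
			}
		}
	}
	for _, p := range peers {
		if !fresh[p] {
			stale = append(stale, p)
		}
	}
	return stale
}

func main() { // assumed "now" and threshold; an idle peer can legitimately be older
	fmt.Println(StalePeers(sample, time.Date(2021, 4, 22, 17, 49, 0, 0, time.UTC), 3*time.Minute))
}
```
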