cilium: Add encryption mode to cilium status
#15833
Conversation
gandro
added
release-note/minor
gandro
force-pushed
the
pr/gandro/wireguard-cilium-status
branch
3 times, most recently
from
85f0b55
to
0df2176
Compare
|
test-me-please |
Thanks, I think I'll leave as is though. Other multi-mode features we have in |
|
retest-1.20-4.19 Previous failure seems like a unrelated flake (NodePort failure with exit code 42): https://jenkins.cilium.io/job/Cilium-PR-K8s-1.20-kernel-4.19/276/ |
|
retest-1.21-4.9 Previous failure is a flake #15775 https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-4.9/295/ |
This adds a new `Encryption` field to both the `CiliumStatus` and `DebugInfo` models. While both models share the same underlying `WireguardStatus` type, the array of peers will only be populated when `DebugInfo` is requested. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This commit adds a `Status()` method to the Wireguard agent which dumps the current status of the Wiregaurd tunnel device. The resulting information is similar to what a user can obtain via `wg show cilium_wg0`. The list of peers is optional, as it contains the IP address of each node and endpoint in the cluster and therefore does not need to be populated for a simple `cilium status` request. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This commit populates the API responses for the `CiliumStatus` and `DebugInfo` requests. The `DebugInfo` request contains more details about each Wireguard peer. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This adds a new section for transparent encryption to the `cilium status` command. It currently can take on of the three following forms: ``` Encryption: Disabled Encryption: IPsec Encryption: Wireguard [cilium_wg0 (Pubkey: GsIGt1Juo6p8gR93driyMD5FwFu2uOBBYGVsZtfQxho=, Port: 51871, Peers: 1)] ``` Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This adds a new section to the `cilium debuginfo` output which provides
additional debugging information for Wireguard. It's output is basically
equivalent to `wg show`:
#### Cilium encryption
##### Wireguard
```
interface: cilium_wg0
public key: GsIGt1Juo6p8gR93driyMD5FwFu2uOBBYGVsZtfQxho=
listening port: 51871
peer: 6gdyrnQ9ahwDNv0Q7gj2UI2h9MUITh+O7xb2wdacKQA=
endpoint: 192.168.33.12:51871
allowed ips: fd00::1:30b9/128, fd00::1:647e/128, 10.17.227.163/32, fd00::1:d6f/128, 10.17.202.94/32, 10.17.242.225/32
latest handshake: 2021-04-22T17:48:01Z
transfer: 123 B received, 456 B sent
```
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
force-pushed
the
pr/gandro/wireguard-cilium-status
branch
from
0df2176
to
d64d9f8
Compare
|
test-me-please |
|
CI seems to have issues, all of the three pipelines failed with Looks like: #15455 https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-net-next/355/ GKE failed to provision cluster: https://jenkins.cilium.io/job/Cilium-PR-K8s-GKE/5238/ |
|
test-1.16-netnext |
|
test-1.20-4.19 |
|
test-1.21-4.9 |
|
test-gke |
1 similar comment
|
test-gke |
|
test-me-please |
|
test-1.21-4.9 hit #15455 again (https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-4.9/312/) GKE hit an K8s API error |
|
retest-1.21-4.9 |
|
retest-gke |
1 similar comment
|
retest-gke |
|
CI is finally green (except for GKE, which is currently known to be always broken, see #15861), marking as ready to merge. |
gandro
added
the
ready-to-merge
This adds a new section for transparent encryption to the
cilium statusandcilium debugcommand.cilium statuscan currently can take on of the three following forms:Details about IPsec may be added in a subsequent PR, as I'm not too familiar with what information should be provided.
This PR here focuses on Wireguard, as for troubleshooting purposes it will be crucial to dump the state of the
cilium_wg0device viacilium debuginfo:The new section in
cilium debuginfois basically equivalent to executingwg show(with a minor difference being that thelatest handshaketimestamp is absolute, not relative):