New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds new Cilium subcommand: cilium encrypt status
and cilium encrypt flush
#16770
Conversation
This comment has been minimized.
This comment has been minimized.
cilium encypt status
and cilium encrypt flush
cilium encrypt status
and cilium encrypt flush
b67277d
to
fe5c304
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. I only have minor comments.
We will also need unit tests for the helper functions in encrypt_status.go
: getXfrmStats
, countUniqueIPsecKeys
, maxSequenceNumber
. You can check examples for other commands in the same directory as that file.
0aacb73
to
189f667
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code looks good, looks like you need to run make -C Documentation update-cmdref
to update the docs following the changes to the CLI option descriptions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM (but with some nits below)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple remaining nits below. The output in case of failure could also be improved a bit. For example, this is what I get just after having run cilium encrypt flush
:
Encryption: IPsec
Keys in use: 0
Max Seq. Number: /0xffffffff
Errors: 9
XfrmInNoStates: 9
For Max Seq. Number
we could either default to a 0 value or even explicitly state N/A
when they are no oseq matches. XfrmInNoStates
should also be indented for clarity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Found a couple errors while testing. We could also cover a couple more cases in the unit tests.
General remarks:
- Commit
fix(cilium encrypt): fix helper functions and minor nits
should be squashed in the relevant previous commits. For example, if there is a fix to helper function A, then that fix should be in the commit that introduced function A. - We don't usually have the format
feat()
,test()
, etc. in Cilium. I like it, but I think it would be best to drop it for consistency with the rest of the commit history. - You will need to rebase with latest master. In general, I would advise to always rebase with latest master when you update the branch. That's the best way to keep the branch up-to-date.
44c2a68
to
707999e
Compare
Add subcommand `cilium encrypt status` and `cilium encrypt flush` to interact with IPsec mode of the node. Signed-off-by: Gaurav Genani <h3llix.pvt@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only one nit below. LGTM otherwise!
Signed-off-by: Gaurav Genani <h3llix.pvt@gmail.com>
Signed-off-by: Gaurav Genani <h3llix.pvt@gmail.com>
The end-to-end tests don't cover those new CLIs and other tests are all passing. All team review requests are covered, sometimes with multiple reviews. Marking ready to merge. |
Fixes: #14638
cilium encrypt status
displays information on the current status of the IPSec configuration whilecilium encrypt flush
flushes the current XFRM States.Here is the cli output: