
ipsec: Reinitialize IPsec for new devices in ENI mode #25744

Merged

Commits on May 31, 2023

  1. loader: Allow reinitializeIPSec to run multiple times

    reinitializeIPSec only runs the interface detection if EncryptInterface
    is empty. Since it sets it after detecting interfaces, it will only run
    the detection once.
    
    Let's change that to run the detection even if the EncryptInterface list
    isn't empty. That will allow us to rerun the detection when new ENI
    devices are added on EKS.
    
    One consequence of this change is that we will now attach to all
    interfaces even if the user configured --encrypt-interface. That is fine
    because --encrypt-interface shouldn't actually be used in ENI mode. In
    ENI mode, we want to attach to all interfaces as we don't have a
    guarantee on which interface the IPsec traffic will come in.
    
    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
    Signed-off-by: Jussi Maki <jussi@isovalent.com>
    pchaigno authored and joamaki committed May 31, 2023
    5d37421
  2. loader: Reinitialize IPsec on device changes on ENI

    If IPsec is enabled along with the ENI IPAM mode we
    need to load the bpf_network program onto new ENI devices
    when they're added at runtime.
    
    To fix this, we subscribe to netlink link updates to detect when
    new (non-veth) devices are added and reinitialize IPsec to load the BPF
    program onto the devices. The compilation of the bpf_network program
    has been moved to Reinitialize() to avoid spurious recompilation on
    reinitialize.
    
    Signed-off-by: Jussi Maki <jussi@isovalent.com>
    joamaki committed May 31, 2023
    66f4383
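The two commits above describe three behaviours: detection runs on every call of the reinitialization routine rather than only while EncryptInterface is empty (commit 1), only additions of non-veth links trigger a reinitialization (commit 2), and the bpf_network program is compiled once rather than on every reinitialization (commit 2). The following Go program is an added example written for this page, not Cilium's loader code; it models a netlink link update as a plain struct (the `LinkUpdate` type, the `Loader` type and the constructed event sequence are assumptions for the example) and shows how those three rules interact over a sequence of link events such as an ENI being attached while pod veths come and go.

```go
package main

import (
	"fmt"
	"sort"
)

// LinkUpdate is a constructed stand-in for a netlink link update event.
// The field names are an assumption for this example, not a netlink library type.
type LinkUpdate struct {
	Name  string // interface name, e.g. "eth1"
	Type  string // link kind, e.g. "veth" or "device"
	Added bool   // true for a new-link event, false for a delete
}

// Loader is a hypothetical model of the loader state the two commits touch.
type Loader struct {
	EncryptInterface []string          // interfaces IPsec is currently attached to
	compiled         bool              // has bpf_network been compiled yet?
	CompileCount     int               // how many times the program was compiled
	AttachCount      int               // how many distinct devices received the program
	devices          map[string]string // known links: name -> type
	attached         map[string]bool   // devices that already carry the program
}

func NewLoader() *Loader {
	return &Loader{devices: map[string]string{}, attached: map[string]bool{}}
}

// detectInterfaces returns every known non-veth link, sorted for stable output.
func (l *Loader) detectInterfaces() []string {
	var out []string
	for name, kind := range l.devices {
		if kind != "veth" {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// Reinitialize compiles bpf_network at most once and then runs detection.
// Detection runs even when EncryptInterface is already populated, so a later
// call picks up devices added since the previous one (commit 1's change).
func (l *Loader) Reinitialize() {
	if !l.compiled {
		l.compiled = true
		l.CompileCount++ // compiled once; later reinitializations skip this
	}
	l.EncryptInterface = l.detectInterfaces()
	for _, name := range l.EncryptInterface {
		if !l.attached[name] {
			l.attached[name] = true
			l.AttachCount++
		}
	}
}

// HandleLinkUpdate applies one link event and reinitializes IPsec only when a
// non-veth device was added (commit 2's filter). It reports whether it ran.
func (l *Loader) HandleLinkUpdate(u LinkUpdate) bool {
	if !u.Added {
		delete(l.devices, u.Name)
		delete(l.attached, u.Name)
		return false
	}
	l.devices[u.Name] = u.Type
	if u.Type == "veth" {
		// Pod veths appear and disappear constantly; reinitializing on each
		// would be wasted work and they never carry the encrypted ENI traffic.
		return false
	}
	l.Reinitialize()
	return true
}

func main() {
	l := NewLoader()
	events := []LinkUpdate{ // constructed sample sequence
		{"eth0", "device", true},
		{"lxc1234", "veth", true},
		{"eth1", "device", true}, // a new ENI attached at runtime
		{"lxc1234", "veth", false},
		{"eth1", "device", true}, // duplicate event: no second attach
	}
	for _, e := range events {
		ran := l.HandleLinkUpdate(e)
		fmt.Printf("%-8s added=%-5v reinit=%-5v encrypt=%v\n", e.Name, e.Added, ran, l.EncryptInterface)
	}
	fmt.Println("compiled:", l.CompileCount, "attached:", l.AttachCount)
}
```

Running it shows the reinitialization firing for eth0 and eth1 but not for the veth events, EncryptInterface growing from one entry to two after the second ENI appears, and the compile counter staying at one across all reinitializations.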