Backport v1.13: CI: Add IPsec key rotation test #28120

Merged 5 commits on Sep 29, 2023

Commits on Sep 28, 2023

  1. ci: split ci-e2e into non-ipsec and ipsec pipelines

    [ upstream commit 4c85662 ]
    
    IPsec cases are moved from conformance-e2e.yaml to
    conformance-ipsec-e2e.yaml; we can trigger the latter one using
    /ci-ipsec-e2e.
    
    Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
    jschwinger233 committed Sep 28, 2023
    Commit fa3fbcd
  2. Add conn-disrupt-test action for reuse

    [ upstream commit 48023b9 ]
    
    This commit makes conn-disrupt-test a GitHub action, so the upgrade test
    and the IPsec key rotation test don't have to copy and paste it everywhere.
    
    The idea is to allow the caller workflow to specify the commands to execute,
    then this action will follow these steps:
    1. Run "cilium-cli connectivity test --conn-disrupt-test-setup";
    2. Run whatever the caller workflow passes: could be an upgrade operation or
       IPsec key rotation;
    3. Run "cilium-cli connectivity test --include-conn-disrupt-test";
    
    Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
    jschwinger233 committed Sep 28, 2023
    Commit b1389a3
  3. ci-ipsec-e2e: Add IPsec key rotation test

    [ upstream commit de192de ]
    
    [ backporter's notes:
        1. v1.13 doesn't allow kubeProxyReplacement=false, so it's changed
           to kubeProxyReplacement=disabled;
        2. v1.13 doesn't have cilium-spire, so delete related code;
    ]
    
    This commit adds a step in conformance-ipsec-e2e to perform IPsec key
    rotation and conn-disrupt-test.
    
    The commands to perform IPsec key rotation are copied from
    https://docs.cilium.io/en/latest/security/network/encryption-ipsec/#key-rotation with a few improvements:
    * To pass commands with "$" character to conn-disrupt-test action, "$"
      must be escaped as "\$".
    * To have a new IPsec key in a bare VM, a string of hex is hard-coded
      without using xxd.
    
    Fixes: #26350
    
    Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
    jschwinger233 committed Sep 28, 2023
    Commit 2da6ff6
  4. ci-ipsec-upgrade: Use conn-disrupt-test action for tests-ipsec-upgrade

    [ upstream commit a4d543d ]
    
    Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
    jschwinger233 committed Sep 28, 2023
    Commit afb5c98
  5. workflows/ipsec: Add missing --flush-ct for key rotation

    [ upstream commit 751c17c ]
    
    Now that we cover the key rotations in the IPsec e2e tests, we are
    running the connectivity test suite twice. That means we can run into the
    usual bug where an existing CT entry is reused and leads to us sending
    traffic to the proxy when we shouldn't.
    
    Thus, we need to flush the CT entries at the end of the first test run,
    with --flush-ct.
    
    Fixes: de192de ("ci-ipsec-e2e: Add IPsec key rotation test")
    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
    pchaigno authored and jschwinger233 committed Sep 28, 2023
    Commit cc4a178