
workflows: Cover IPsec encrypted overlay mode in end-to-end tests #31637

Merged
merged 1 commit into from Mar 27, 2024

Conversation

pchaigno
Member

Encrypted overlay was introduced in #31073. As the name indicates, with that feature, Cilium will also encrypt the overlay itself (i.e., the VXLAN headers). This pull request covers this configuration in the two IPsec workflows.

@pchaigno pchaigno added area/CI Continuous Integration testing issue or flake area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/ci This PR makes changes to the CI. feature/ipsec Relates to Cilium's IPsec feature labels Mar 27, 2024
@pchaigno pchaigno force-pushed the pr/pchaigno/cover-encrypted-overlay-e2e branch from 4fb54dd to 1c3c8a0 Compare March 27, 2024 13:29
@pchaigno pchaigno requested a review from ldelossa March 27, 2024 13:29
@pchaigno pchaigno marked this pull request as ready for review March 27, 2024 13:29
@pchaigno pchaigno requested review from a team as code owners March 27, 2024 13:29
@pchaigno pchaigno requested a review from brlbil March 27, 2024 13:29
@ldelossa
Contributor

s/encryption-overlay/encrypted-overlay/ no?

Encrypted overlay was introduced in d669341 ("bpf: encrypt
overlay traffic"). As the name indicates, with that feature, Cilium will
also encrypt the overlay itself (i.e., the VXLAN headers). The present
commit covers this configuration in the two IPsec workflows.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno pchaigno force-pushed the pr/pchaigno/cover-encrypted-overlay-e2e branch from 1c3c8a0 to 1d3f8a1 Compare March 27, 2024 15:22
@pchaigno
Member Author

/test

@pchaigno pchaigno enabled auto-merge March 27, 2024 15:47
@pchaigno pchaigno added this pull request to the merge queue Mar 27, 2024
Merged via the queue into main with commit 5864db7 Mar 27, 2024
229 checks passed
@pchaigno pchaigno deleted the pr/pchaigno/cover-encrypted-overlay-e2e branch March 27, 2024 17:26
sayboras added a commit that referenced this pull request Mar 28, 2024
There is a merge race between the below two PRs, which leads to failure
in CI job for ipsec upgrade config 5.15.

https://github.com/cilium/cilium/actions/runs/8461160283/job/23180526103
```
Error: Unable to upgrade Cilium: execution error at (cilium/templates/cilium-configmap.yaml:70:5): kubeProxyReplacement must be explicitly set to a valid value (true or false) to continue.
```

Relates: #31637, ##31637
Signed-off-by: Tam Mach <tam.mach@cilium.io>
github-merge-queue bot pushed a commit that referenced this pull request Mar 28, 2024
There is a merge race between the below two PRs, which leads to failure
in CI job for ipsec upgrade config 5.15.

https://github.com/cilium/cilium/actions/runs/8461160283/job/23180526103
```
Error: Unable to upgrade Cilium: execution error at (cilium/templates/cilium-configmap.yaml:70:5): kubeProxyReplacement must be explicitly set to a valid value (true or false) to continue.
```

Relates: #31637, ##31637
Signed-off-by: Tam Mach <tam.mach@cilium.io>
rzdebskiy added a commit to rzdebskiy/cilium that referenced this pull request Apr 3, 2024
commit 611ffe08287a862a98a0d1a916a28c71e6d623fc
Author: Romuald Zdebskiy <zdebskiy@hotmail.com>
Date:   Wed Apr 3 17:22:24 2024 +0500

    Revert "Merge branch 'cilium:main' into patch-1"

    This reverts commit 888a6b1bd57d7d65763558dec41624f1b1d13715, reversing
    changes made to a11fe7de7516ab00443aa56a0b3c508c2af436dc.

commit 888a6b1bd57d7d65763558dec41624f1b1d13715
Merge: a11fe7de75 b6ca995ade
Author: Romuald Zdebskiy <zdebskiy@hotmail.com>
Date:   Wed Apr 3 17:04:12 2024 +0500

    Merge branch 'cilium:main' into patch-1

commit b6ca995adec708c646abb7426725309ff1172555
Author: Gray Liang <gray.liang@isovalent.com>
Date:   Wed Apr 3 16:54:30 2024 +0800

    bpf/test: Adjust mock function to reflect changes in tail_ipvX_policy

    https://github.com/cilium/cilium/commit/0cd9780648d834c772f656f99c2c0a2911b5d804 (bpf: lxc: fine-tune from_tunnel path in ingress tail-call)
    removed `define(TUNNEL_MODE)` in tail_ipvX_policy(), this commit makes
    sure the bpf mock function for that has the same behavior.

    Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

commit 24dd20dcf53cb3230b1c2ea572ddf3107535c85c
Author: Casey Callendrello <cdc@isovalent.com>
Date:   Wed Feb 21 17:09:46 2024 +0100

    labels: don't expand CIDR labels

    Previously, we would expand a CIDR into the full set of possible CIDRs
    that could select it. For example "1.1.1.1/32" would be expanded into
    [0.0.0.0/0, 0.0.0.0/1, ... 1.1.1.0/31, 1.1.1.0/32]. This causes
    significant memory and CPU usage, especially for circumstances such as ToFQDN
    policies where many /32 and /128 identities are created.

    Now that CIDR selectors are prefix-aware, rather than just string
    matches, we can stop generating the complete list of CIDRs. This is safe
    because CIDRs labels now select CIDRs that are contained within.

    Benchmark results:

                         │ ../bench_main.out │         ../bench_cidr.out
                         │      sec/op       │   sec/op    vs base
    UpdateGenerateDNS-12          4.972 ± 2%   2.882 ± 3%  -42.02% (p=0.000 n=10)

                         │ ../bench_main.out │          ../bench_cidr.out
                         │       B/op        │     B/op      vs base
    UpdateGenerateDNS-12        77.26Mi ± 0%   24.52Mi ± 0%  -68.26% (p=0.000 n=10)

                         │ ../bench_main.out │          ../bench_cidr.out
                         │     allocs/op     │  allocs/op   vs base
    UpdateGenerateDNS-12         508.0k ± 0%   291.7k ± 0%  -42.59% (p=0.000 n

    Signed-off-by: Casey Callendrello <cdc@isovalent.com>

commit 4484ad7e808d05f22378db91e5ebfab98d266d60
Author: Casey Callendrello <cdc@isovalent.com>
Date:   Mon Feb 26 16:21:48 2024 +0100

    labels: CIDR-aware label selection

    This changes the Labels API to be CIDR-aware. It then logically
    "expands" CIDR labels when computing matches, so that selectors can
    match CIDRs even when not present. It does this by parsing CIDRs on
    label creation, then checking CIDR overlap in the `MatchesKey()`
    function.

    The API contract we expose to the policy engine is unchanged:
    ```
    GetCIDRLabels("10.0.0.0/24").LabelArray().Has("cidr.10.0.0.0/8") == true
    ```

    The goal is to stop manually expanding CIDR labels, which is very
    inefficient. This will follow in a subsequent commit.

    Signed-off-by: Casey Callendrello <cdc@isovalent.com>

commit 64076d65e9c556ab4ce69238f02f565b2dc5722e
Author: Casey Callendrello <cdc@isovalent.com>
Date:   Mon Feb 26 16:13:03 2024 +0100

    labels: clean up label matching API

    The label matching API is complicated and inconsistent. This change
    tries to bring some sanity to the API going forward, without changing
    existing behavior.

    Label matching is directional / non-commutative. Specifically,
    `"any:foo=bar".Equals("k8s:foo=bar")` is true, whereas
    `"k8s:foo=bar".Equals("any:foo=bar")` is false.

    So, with the eventual goal of removing `Label.Equals()`, this commit
    adds a new `Label.Has()` and `Label.HasKey()` api, with clear
    documentation around directionality.

    The fixed point here is `LabelArray.Has()`, which needs a specific
    directionality as required by the k8s label selector library. Everything
    else is based off of that.

    This also changes `Labels.Has()` to match directionality w.r.t
    `any`-source selectors. In theory this is a breaking change, in
    actuality `Labels.Has()` is never passed `any` selectors, so this is
    moot.

    Signed-off-by: Casey Callendrello <cdc@isovalent.com>

commit 1418f3c931056ff47219f638cdbb175c06b7ab40
Author: Casey Callendrello <cdc@isovalent.com>
Date:   Mon Feb 26 16:09:40 2024 +0100

    pkg/labels: add simple CIDR test

    This tests adds a very specific invariant that is needed by the policy
    engine. Specifically, the expanded set of CIDR labels must always
    `.Has()` a CIDR label that contains it.

    This will be relevant when we stop expanding CIDR labels and, instead,
    logically compute CIDR matching.

    Signed-off-by: Casey Callendrello <cdc@isovalent.com>
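The three commit messages above (CIDR-aware label selection, the directional `Has()` API, and the containment invariant the test commit describes) can be illustrated with one small, self-contained Go program. This is an added example and not Cilium's `pkg/labels` code: the `Label`, `LabelArray`, `ParseLabel`, `GetCIDRLabels` and `ExpandCIDRLabels` names are simplified stand-ins, and the "label satisfies selector" direction of `Has()` is a documented choice of this example. It shows why a single parsed `cidr:` label plus a containment check in `Has()` replaces the old expansion into every covering prefix (33 labels for an IPv4 /32), while still satisfying the invariant that a CIDR label must `.Has()` every CIDR label that contains it.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

const (
	sourceAny  = "any"
	sourceCIDR = "cidr"
)

// Label is a simplified stand-in for a source:key=value label (hypothetical
// type, not Cilium's). A cidr-source label also carries its parsed prefix so
// matching can be prefix-aware instead of a plain string comparison.
type Label struct {
	Source string
	Key    string
	Value  string
	prefix netip.Prefix
	isCIDR bool
}

// ParseLabel parses "source:key=value" or "source:key". A missing source
// defaults to "any". A cidr/any-source key that parses as a prefix is
// normalised (host bits cleared) and marked as a CIDR label.
func ParseLabel(s string) Label {
	src, rest, ok := strings.Cut(s, ":")
	if !ok {
		src, rest = sourceAny, s
	}
	key, val, _ := strings.Cut(rest, "=")
	l := Label{Source: src, Key: key, Value: val}
	if src == sourceCIDR || src == sourceAny {
		if p, err := netip.ParsePrefix(key); err == nil {
			l.prefix, l.isCIDR = p.Masked(), true
			l.Key = l.prefix.String()
		}
	}
	return l
}

// Has reports whether label l satisfies selector sel. The relation is
// directional: a selector with source "any" accepts a label of any source,
// but a label whose source is "any" does not satisfy a selector that names a
// concrete source. For two CIDR labels, sel matches when its prefix contains
// l's prefix, so "cidr:10.0.0.0/24" satisfies the selector "cidr:10.0.0.0/8".
func (l Label) Has(sel Label) bool {
	if sel.Source != sourceAny && sel.Source != l.Source {
		return false
	}
	if sel.isCIDR && l.isCIDR {
		// Contains() is false across IP families, so ::/0 never matches an IPv4 label.
		return sel.prefix.Bits() <= l.prefix.Bits() && sel.prefix.Contains(l.prefix.Addr())
	}
	return l.Key == sel.Key && l.Value == sel.Value
}

// LabelArray is a set of labels; Has reports whether any label satisfies sel.
type LabelArray []Label

func (la LabelArray) Has(sel Label) bool {
	for _, l := range la {
		if l.Has(sel) {
			return true
		}
	}
	return false
}

// GetCIDRLabels returns the single cidr label for a prefix. With a
// prefix-aware Has(), no expansion into every covering prefix is needed.
func GetCIDRLabels(cidr string) LabelArray {
	return LabelArray{ParseLabel(sourceCIDR + ":" + cidr)}
}

// ExpandCIDRLabels mimics the old approach: one label per covering prefix,
// from /0 down to the prefix's own length (33 labels for an IPv4 /32).
func ExpandCIDRLabels(cidr string) LabelArray {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil
	}
	var out LabelArray
	for bits := 0; bits <= p.Bits(); bits++ {
		q, _ := p.Addr().Prefix(bits)
		out = append(out, ParseLabel(sourceCIDR+":"+q.String()))
	}
	return out
}

// ContainmentInvariantHolds checks the invariant from the test commit: the
// labels for cidr must Has() every cidr label that contains it, for both the
// expanded and the single-label representation.
func ContainmentInvariantHolds(cidr string) bool {
	expanded, single := ExpandCIDRLabels(cidr), GetCIDRLabels(cidr)
	for _, covering := range expanded {
		if !expanded.Has(covering) || !single.Has(covering) {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println(GetCIDRLabels("10.0.0.0/24").Has(ParseLabel("cidr:10.0.0.0/8")))  // true
	fmt.Println(GetCIDRLabels("10.0.0.0/24").Has(ParseLabel("cidr:10.0.0.0/25"))) // false: /25 does not contain the /24
	fmt.Println(ParseLabel("k8s:foo=bar").Has(ParseLabel("any:foo=bar")))           // true
	fmt.Println(ParseLabel("any:foo=bar").Has(ParseLabel("k8s:foo=bar")))           // false
	fmt.Println(len(ExpandCIDRLabels("1.1.1.1/32")), len(GetCIDRLabels("1.1.1.1/32"))) // 33 1
	fmt.Println(ContainmentInvariantHolds("1.1.1.1/32"))                              // true
}
```

The important property for a policy engine is that the logical containment check never matches a more specific prefix (a /25 selector must not select a /24 label) and never matches across IP families, which is why the example asserts both negative cases alongside the positive invariant.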

commit b200d6f1c16e1404db722a8b74ff31ff7195ff6b
Author: Casey Callendrello <cdc@isovalent.com>
Date:   Mon Feb 26 13:49:46 2024 +0100

    policy: small cidr selector test cases

    Adding some invariants that should not be broken during coming
    refactors.

    Signed-off-by: Casey Callendrello <cdc@isovalent.com>

commit 2272e4a38f5cc6f7ab4305e0413a5353695bd63c
Author: Casey Callendrello <cdc@isovalent.com>
Date:   Mon Feb 26 13:40:31 2024 +0100

    labels / policy: have tests mirror actual usage of LabelSourceAny

    We actually rely quite heavily on the LabelSourceAny mechanism.
    EndpointSelectors in CiliumNetworkPolicies always have LabelSourceAny
    added.

    For example, the block
    ```yaml
    toEndpoints:
      - matchLabels:
          io.kubernetes.pod.namespace: kube-system
          k8s-app: kube-dns
    ```

    converts to the label selector

    `{any.io.kubernetes.pod.namespace: kube-system,any.k8s-app: kube-dns,}`

    So, explicitly mention this in comments and update the SelectorCache
    tests to capture this behavior.

    Signed-off-by: Casey Callendrello <cdc@isovalent.com>

commit 3e32efc962afca58548144ab6b126640e0ec0794
Author: Julian Wiedmann <jwi@isovalent.com>
Date:   Wed Apr 3 11:32:39 2024 +0300

    bpf: tests: don't define HAVE_ENCAP in IPsec tests

    This is an internal macro that's selected by common.h (based on
    TUNNEL_MODE and a few other config options). There should be no need to
    explicitly set it.

    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

commit 6888c64f941a63c92be241f28de938a014abdb85
Author: Casey Callendrello <cdc@isovalent.com>
Date:   Mon Mar 18 15:24:56 2024 +0100

    endpoint: skip Envoy incremental updates if no Envoy redirects

    This should significantly reduce the amount of time it takes to roll out
    incremental policy updates.

    Signed-off-by: Casey Callendrello <cdc@isovalent.com>

commit 399ab5e328dccb5acae5a9b1f1c83b8d90678e74
Author: Julian Wiedmann <jwi@isovalent.com>
Date:   Mon Mar 25 14:41:22 2024 +0200

    bpf: nodeport: extract SVC logic from nodeport_lb*()

    nodeport_lb*() has grown into a massive function, and its current code
    flow is rather confusing:

    	if (is-svc-request) {
    		/* do svc stuff */
    	} else {
    		/* do other stuff and return */
    	}

    	/* do more svc stuff */

    Clean this up by pulling all the SVC logic into a separate function.
    Long-term this will make it easier to configure BPF masquerading
    independently from ENABLE_NODEPORT.

    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

commit d0b270d010fcf13f57094b2aa10c35bb3f68bd39
Author: Julian Wiedmann <jwi@isovalent.com>
Date:   Mon Mar 25 14:10:09 2024 +0200

    bpf: nodeport: clean up identity-forwarding logic

    Use positive logic in the "use identity forward?" condition. Also limit
    the additional sanity-checks for the forwarded identity to this code path.

    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

commit 8d555e52c0546b80de682b33cac1516e6b4bd9ee
Author: Joe Stringer <joe@cilium.io>
Date:   Tue Apr 2 18:50:38 2024 -0700

    Revert "Prepare for release v1.16.0-pre.1"

    This reverts commit a5d8886d2033a4761db19f8c2c9222baf3c51449.

    Signed-off-by: Joe Stringer <joe@cilium.io>

commit e37b3e494c15a56e5c9351fea56c4c3a86709188
Author: Joe Stringer <joe@cilium.io>
Date:   Tue Apr 2 18:50:19 2024 -0700

    Prepare for release v1.16.0-pre.1

    Signed-off-by: Joe Stringer <joe@cilium.io>

commit beb05cd0149963e8fa6880532a0ccb6e8c33da70
Author: Joe Stringer <joe@cilium.io>
Date:   Tue Apr 2 18:49:21 2024 -0700

    Update AUTHORS and CRD schema table

    Signed-off-by: Joe Stringer <joe@cilium.io>

commit 04badd97d80c8dd2387e09292324c511afb5d81d
Author: Tam Mach <tam.mach@cilium.io>
Date:   Wed Apr 3 00:03:24 2024 +1100

    gha: Clean-up renovate config for integration test

    Relates: https://github.com/cilium/cilium/issues/22834
    Relates: https://github.com/cilium/cilium/issues/22834#issuecomment-1699097697
    Signed-off-by: Tam Mach <tam.mach@cilium.io>

commit ecf6ff19e7a8011c73ad62d337dabddb34ad72cf
Author: xyz-li <hui0787411@163.com>
Date:   Mon Dec 18 18:00:37 2023 +0800

    daemon: add BackendSlot to Service6Key.String and Service4Key.String

    This commit adds BackendSlot value to the Service6Key.String
    and Service4Key.String methods. This is to prevent the
    service key from being deleted when the backend endpoint is deleted.

    Fixes: #29580

    Signed-off-by: xyz-li <hui0787411@163.com>

commit 0a79dbd66f7f29b0fdfa622f7554803c6443d42e
Author: Tam Mach <tam.mach@cilium.io>
Date:   Sat Mar 30 14:38:20 2024 +1100

    cni: Allow text-ts log format value

    The new log format (e.g. text-ts) is added recently in the below commit,
    so we need to allow it in regex. Additionally, text-ts is used as the
    default value if not specified or invalid.

    Fixes: a099bf1571f1a090ccfd6ccbba545828a6b3b63c
    Signed-off-by: Tam Mach <tam.mach@cilium.io>

commit 4d05e9f9bedf3fe5022adec256c8d4dcbe224d48
Author: Tam Mach <tam.mach@cilium.io>
Date:   Tue Apr 2 13:07:08 2024 +1100

    metric: Avoid memory leak/increase

    This commit is to make sure that the processed item in the pod deletion
    queue is removed by explicitly calling the Done() function as per the
    suggestion in godoc[^1].

    The impact of not having this change will be increasing of memory in
    cilium agent when the hubble metrics are enabled. This might take days
    (if not weeks) to observe in a normal Cilium deployment due to low number
    of Pod deletion events (i.e. in high churn environment, the memory will
    be increasing in a faster pace).

    Testing is done before and after the changes as per below.

    Sample workload to simulate high number of pod deletion events

    ```yaml
    apiVersion: batch/v1
    kind: Job
    metadata:
      name: pod-churn-job
    spec:
      completions: 50000000
      parallelism: 100
      template:
        metadata:
          labels:
            app: pod-churn-job
        spec:
          containers:
          - name: churn-app
            image: sandeshkv92/highpodchurn:linux_amd64
          restartPolicy: Never
    ```

    Before this change, the cilium agent memory keeps increasing from 150MB
    to ~500MB in less than 3 hours, while with the same workload configured
    and this change, the memory is quite stable for a longer period (e.g. 5
    hours).

    [^1]: https://pkg.go.dev/k8s.io/client-go@v0.29.3/util/workqueue#Type.Get

    Fixes: 782f934641df5bafd4a9ee737e00872f65f56b64
    Signed-off-by: Tam Mach <tam.mach@cilium.io>

commit f77e831b4ee9f87a81baf738fbc4dd972d8f0d5b
Author: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Date:   Mon Apr 1 03:57:43 2024 +0000

    chore(deps): update golangci/golangci-lint docker tag to v1.57.2

    Signed-off-by: renovate[bot] <bot@renovateapp.com>

commit e22c108f92716c453c8b99a5f30654f80203163c
Author: Birol Bilgin <birol@cilium.io>
Date:   Thu Mar 7 12:52:31 2024 +0100

    update azure k8s versions

    This commit updates tested azure k8s versions according to supported versions

    Signed-off-by: Birol Bilgin <birol@cilium.io>

commit 3c3843ca0ae221768d93b0dbef69a38cfc21b5d4
Author: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Date:   Mon Apr 1 03:57:54 2024 +0000

    chore(deps): update all github action dependencies

    Signed-off-by: renovate[bot] <bot@renovateapp.com>

commit f05574da3ca6b32300fdd8e01f4801328dc40f39
Author: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Date:   Mon Apr 1 00:50:43 2024 +0000

    chore(deps): update cilium/little-vm-helper action to v0.0.17

    Signed-off-by: renovate[bot] <bot@renovateapp.com>

commit 11e7dbe929c3253b5190a398f3d219ca381dd565
Author: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
Date:   Fri Mar 15 01:18:40 2024 +0100

    nodeipam: add `match-node-labels` annotation to filter nodes

    Now that nodeipam considers all nodes as potential candidates in
    the eTP=Cluster case, a way for users to filter nodes becomes much more
    critical, and thus this commit implements it.

    Co-authored-by: Brendan Dalpe <bdalpe@gmail.com>
    Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>

commit 86c2e12a81d1690db38cd79b285a0b9615758ced
Author: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
Date:   Fri Mar 15 00:20:56 2024 +0100

    nodeipam: align eTP=Cluster to kubernetes cloud-providers service lb

    nodeipam was always looking at the related EndpointSlices of the Service
    LoadBalancer to decide which nodes should be "advertised". This is a
    problem when Service LoadBalancers are created with dummy endpoints which
    is the case for Cilium Ingress/GatewayAPI for instance.

    This commit attempts to replicate a bit more the behavior that a CCM
    would do to select nodes when eTP=Cluster. In that case we consider all
    nodes as potential candidates instead of checking where the pods are
    scheduled via their EndpointSlices.

    In the case of eTP=Local, we fallback to the previous behavior of
    checking the EndpointSlice to know which Nodes are backing your
    corresponding Service. This is not the behavior done in classic CCM
    as eTP local seems to be typically implemented by Cloud providers via a
    health check mechanism that we currently don't have in nodeipam. And at
    this very moment is not planned to be implemented because of the extra
    complexity. If this gets implemented at some point nodeipam could also
    align with CCM on the eTP=Local case though.

    Also in both eTP=Cluster/Local we will respect KEP-3458 that is becoming
    stable in Kubernetes 1.30 and dictate how CCM does their first node
    filtering. The Predicates were extracted as is from
    kubernetes/cloud-provider repo where this is normally implemented for
    CCM.

    Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>

commit 9876d51ff31ab2a5f3642d1ed87406a4c493c43b
Author: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Date:   Fri Mar 29 11:14:53 2024 +0000

    chore(deps): update dependency cilium/cilium-cli to v0.16.4

    Signed-off-by: renovate[bot] <bot@renovateapp.com>

commit 3ebc78e0e18ec473bbe6396d6b120bfaff26ca73
Author: Tobias Klauser <tobias@cilium.io>
Date:   Tue Apr 2 13:55:56 2024 +0200

    CODEOWNERS: assign pkg/signal to @cilium/sig-datapath

    Signed-off-by: Tobias Klauser <tobias@cilium.io>

commit d43607361c436c3e523517801ca2bdc25ee2751f
Author: Tobias Klauser <tobias@cilium.io>
Date:   Tue Apr 2 13:51:44 2024 +0200

    signal: remove spare debug logs

    These debug logs were likely used during development of commit
    25c00b0970cc ("signal: Generalize for multiple targets") but don't add
    much value now and only clutter the logs. Remove them.

    Signed-off-by: Tobias Klauser <tobias@cilium.io>

commit bee8ae24a280161fe85db51488415b483d701051
Author: Haiyue Wang <haiyue.wang@intel.com>
Date:   Mon Apr 1 14:45:42 2024 +0800

    docs,test: Update the latest program type link

    Use the eBPF github release tag (referred to in go.mod) to format the link,
    to easily keep the information updated.

    Signed-off-by: Haiyue Wang <haiyue.wang@intel.com>

commit 2fc692213e72d3fcc3df76e8b9b836ab8bf60c4c
Author: Tim Horner <timothy.horner@isovalent.com>
Date:   Thu Mar 28 14:11:37 2024 -0400

    README: Update releases

    Signed-off-by: Tim Horner <timothy.horner@isovalent.com>

commit 76867e23700ea899bdfdfe247998723cbe9512b2
Author: Vipul Singh <vipul21sept@gmail.com>
Date:   Wed Mar 6 13:07:32 2024 -0800

    feat: Add the http return code to metric api_processed_total

    Signed-off-by: Vipul Singh <vipul21sept@gmail.com>

commit d32b438d8c5c5e5109b6108479e2d4b304fd4cab
Author: simonfelding <45149055+simonfelding@users.noreply.github.com>
Date:   Mon Mar 25 17:23:06 2024 +0100

    Apply suggestions from code review

    Co-authored-by: Ryan Drew <learnitall0@gmail.com>
    Signed-off-by: simonfelding <45149055+simonfelding@users.noreply.github.com>

commit 430d0237b9625600e2e008dda4bc3a35ac2f4ff7
Author: simonfelding <45149055+simonfelding@users.noreply.github.com>
Date:   Tue Mar 19 14:44:49 2024 +0100

    docs: Suggest operator logs for troubleshooting

    Signed-off-by: simonfelding <45149055+simonfelding@users.noreply.github.com>

    undo final newline

commit a63a88b0a4e12c4cc768901233bd5b83abe435e9
Author: Benjamin Leggett <benjamin.leggett@solo.io>
Date:   Wed Mar 6 16:37:00 2024 -0500

    No longer true as of Istio 1.21

    Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

commit f0597c00f4910b33fa42c7d25b4c4d8f08a4eddc
Author: Tomoki Sugiura <tomoki-sugiura@cybozu.co.jp>
Date:   Fri Mar 8 16:17:37 2024 +0900

    bpf: use `bpf_htons` instead of using shift

    The current implementation using shift does not take into account endianness.
    `bpf_htons()` detects which endianness is used and converts the value appropriately.
    Also, this commit defines `bpf_u8_to_be16()` that wraps `bpf_htons()` because converting 8-bit ICMP types to 16-bit does not depend on the host byte order.

    Signed-off-by: Tomoki Sugiura <tomoki-sugiura@cybozu.co.jp>

commit 8e1c73de5357ad58013d28e045b0a6433e62409c
Author: Tam Mach <tam.mach@cilium.io>
Date:   Thu Mar 28 09:53:49 2024 +1100

    api: Upgrade go-swagger version to v0.30.5

    Also to add the renovate configuration for auto update version later.
    Just a note we might still need to run `make generate-api` manually till
    the work with self-hosted renovate with post-hook is done.

    Signed-off-by: Tam Mach <tam.mach@cilium.io>

commit 7f505d78bad1829ccef7554982d7a84f6d340b61
Author: Daneyon Hansen <daneyon.hansen@solo.io>
Date:   Wed Feb 21 22:38:25 2024 +0000

    IPAM: Refactors Node Type to Support IP Families

    Previously, the IPAM Node type represented IP information such as pools, allocations, etc.
    that are specific to IPv4. This PR introduces the following changes:

    - Adds the IPAllocAttrs type to represent IP-specific allocation attributes.
    - Updates the Node type to expose separate attributes for IPv4 and IPv6.
    - Updates Node instantiation, methods, etc. for the Node type changes introduced in this PR.
    - Updates the internal resyncStats API to expose separate attributes for IPv4
      and IPv6 node statistics.
    - Updates the AllocationAction API to expose separate IP allocation attributes for IPv4
      and IPv6. Note that the `EmptyInterfaceSlots` is not IP family specific and therefore will
      continue to be a `Statistics` field.
    - Updates cloud provider IPAM pkgs for API changes.

    __Note:__ This PR does not implement IPv6 Node attributes.

    Supports: #19251

    Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io>

commit 65807c28bb85e1c0db63215d3f5681bd63fe9433
Author: Daneyon Hansen <daneyon.hansen@solo.io>
Date:   Thu Feb 22 22:13:25 2024 +0000

    pkg/ip: Updates PrefixToIps() to Limit the Number of Returned IPs

    Previously, PrefixToIps() generates and returns all the IP addresses
    in the provided CIDR. This creates performance and scalability issues
    when working with large IPv6 CIDRs. This PR adds the `maxIPs` parameter
    to limit the number of generated and returned prefixes.

    Supports #19251

    Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io>

commit ffe4ce856eca0320092c82d875e3ed758f1fb404
Author: Fabio Falzoi <fabio.falzoi@isovalent.com>
Date:   Mon Mar 11 15:57:33 2024 +0100

    policy: Mention EgressDeny in CIDRGroupRef docs

    Update CIDRGroupRef docstring to take into account the support for
    referenced CIDRGroup in EgressDeny rules.

    Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>

commit 3b62c79c7b34ab413a97a8b9a74d2abce3b119f7
Author: Fabio Falzoi <fabio.falzoi@isovalent.com>
Date:   Mon Mar 11 14:48:56 2024 +0100

    policy/k8s: Add support for CIDRGroupRef in EgressDeny

    Current version of CNP translation lacks support for translating
    referenced CiliumCIDRGroup objects in EgressDeny rules.

    The commit adds the missing logic and extends the unit tests suite to
    take into account the EgressDeny rules.

    Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>

commit 136dde6d152187e655c382a857a09415e52e5bb9
Author: Fabio Falzoi <fabio.falzoi@isovalent.com>
Date:   Fri Feb 23 12:24:58 2024 +0100

    policy/k8s: Add support for CIDRGroupRef in IngressDeny

    Current version of CNP translation lacks support for translating
    referenced CiliumCIDRGroup objects in IngressDeny rules, despite
    mentioning it in the CIDRGroupRef field docstring.

    The commit adds the missing logic and extends the unit tests suite to
    take into account the IngressDeny rules.

    Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>

commit b8203b0ede441b20e9623221f1bf84a2066ce21f
Author: Tam Mach <tam.mach@cilium.io>
Date:   Thu Mar 28 11:18:30 2024 +1100

    helm: Bump minimum k8s version to v1.21+

    This commit is to bump minimum k8s version to v1.21. Ideally, we should
    bump to v1.26 as per our support matrix, but some CI jobs are still older
    versions as per below linked PR, hence I think v1.21 is a good balance.

    Relates: https://github.com/cilium/cilium/pull/29888
    Relates: https://github.com/cilium/cilium/issues/30106
    Signed-off-by: Tam Mach <tam.mach@cilium.io>

commit 76a659c64b58ec3cff7b91c8eb16de2a3fa5ef42
Author: Timo Beckers <timo@isovalent.com>
Date:   Thu Mar 28 13:24:41 2024 +0100

    loader: only detach Cilium-owned XDP programs when XDP is disabled

    Currently, even when Cilium's XDP features are disabled, the Cilium agent will
    still attempt to detach a program attached to the legacy netlink XDP hook on
    managed interfaces.

    This is so the agent does the right thing when a user first enables and then
    disables an XDP feature, where the user would expect Cilium's XDP programs to
    be removed. However, this is at odds with users wanting to run their own XDP
    programs on Cilium-managed interfaces. Even with XDP disabled, the agent will
    unconditionally remove any XDP programs.

    This patch narrows down this behaviour by checking the name of the program
    attached to the legacy XDP hook before detaching it. If the kernel-provided
    name is not a prefix of the name expected by the agent, the program is left
    on the interface. Note that with XDP enabled, legacy XDP programs will always
    be replaced with Cilium programs.

    Signed-off-by: Timo Beckers <timo@isovalent.com>
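The "is the kernel-provided name a prefix of the expected name" check from this commit message, as an added illustration that is not Cilium's loader code. The kernel stores BPF program names in a 16-byte field (`BPF_OBJ_NAME_LEN`, including the terminating NUL), so a function name longer than 15 characters is reported truncated; that is why a prefix comparison rather than string equality is needed. `cil_xdp_entry` is used below as an assumed expected program name, and `KernelProgName` only simulates the kernel's truncation for the sake of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// bpfObjNameLen mirrors the kernel's BPF_OBJ_NAME_LEN (16 bytes including the
// NUL), so bpf_prog_info.name carries at most 15 characters.
const bpfObjNameLen = 16

// KernelProgName simulates how the kernel reports a program name: anything
// longer than 15 characters comes back truncated. (Simulation for this example.)
func KernelProgName(full string) string {
	if len(full) > bpfObjNameLen-1 {
		return full[:bpfObjNameLen-1]
	}
	return full
}

// ShouldDetachXDP decides whether a program found on the legacy netlink XDP
// hook belongs to the agent. Because the kernel name may be truncated, the
// test is "kernel name is a prefix of the expected name", not equality. An
// empty kernel name (no name reported) is treated as not ours; that is a
// choice of this example, so a foreign program is left in place.
func ShouldDetachXDP(kernelName, expectedName string) bool {
	return kernelName != "" && strings.HasPrefix(expectedName, kernelName)
}

func main() {
	const expected = "cil_xdp_entry" // assumed expected program name
	fmt.Println(ShouldDetachXDP(KernelProgName(expected), expected))            // true
	fmt.Println(ShouldDetachXDP(KernelProgName("xdp_firewall_user"), expected)) // false: user program stays
	fmt.Println(ShouldDetachXDP("", expected))                                  // false: no name reported
	// A long expected name is only ever seen truncated by the kernel.
	const long = "cil_xdp_entry_with_long_suffix"
	fmt.Println(KernelProgName(long), ShouldDetachXDP(KernelProgName(long), long)) // cil_xdp_entry_w true
}
```

Note the caveat a prefix check carries: any program whose reported name happens to be a prefix of the expected one (for instance a user program simply called `cil`) would still be detached, so the expected name should be distinctive enough that accidental prefixes are unlikely.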

commit 129f2e235e62445b73a1b5630f1f7a3a36bf5014
Author: Quentin Monnet <qmo@qmon.net>
Date:   Thu Mar 28 10:00:45 2024 +0000

    ci/ipsec: Print more info to debug credentials removal check failures

    In commit 6fee46f9e753 ("ci/ipsec: Fix downgrade version retrieval") we
    added a check to make sure that GitHub credentials are removed before
    pulling the untrusted branch from the Pull Request's author. It appears
    that this check occasionally fails and causes the whole job to abort.
    But Cilium's repository _is_ public, and it's unclear why ".private ==
    false" does not evaluate to "false" as we expected in that case. Did the
    curl request fail? Did the reply miss the expected .private field? We'll
    probably loosen the check as a workaround, but before that it would be
    interesting to understand better what's going on. Here we remove the -s
    flag from curl and print the reply from the GitHub API request, so we
    can better understand what's going on next time we observe a failure.

    Signed-off-by: Quentin Monnet <qmo@qmon.net>

commit 464bbe4e4994f23c17abcfa8e63a9941fdbf3fbd
Author: Julian Wiedmann <jwi@isovalent.com>
Date:   Thu Mar 28 15:56:03 2024 +0200

    fix 'mismatch' typos in error messages

    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

commit 7baeac20765d98edc9dffd6a63d25bf7345a1f2f
Author: harsimran pabla <hpabla@isovalent.com>
Date:   Fri Mar 15 17:06:01 2024 +0000

    multicast: change list methods to use BatchLookup

    Modifying group list and subscriber list methods to use BatchLookup
    instead of iterating individual key, val pair.

    Signed-off-by: harsimran pabla <hpabla@isovalent.com>

commit dc221b03f2258812c2b0f0a5e8b25580a382bc7a
Author: harsimran pabla <hpabla@isovalent.com>
Date:   Fri Mar 15 15:41:13 2024 +0000

    multicast: fix multicast map name in ELF ignore prefixes

    Fix multicast outer map name from cilium_mcast_group_v4_outer to
    cilium_mcast_group_outer_v4_map.

    Signed-off-by: harsimran pabla <hpabla@isovalent.com>

commit 806c5c2aecd581cb078615b042bc5a1cad4fbeee
Author: Dylan Reimerink <dylan.reimerink@isovalent.com>
Date:   Mon Mar 25 13:26:47 2024 +0100

    pkg/nodediscovery,daemon: modularize node discovery

    This commit modularizes the node discovery package. Before node
    discovery was created by the daemon, but since all parameters needed
    are already in hive we can create the node discovery in the hive too.

    We also split off the creation of local node config into its own cell
    since there are a few components such as the loader that are interested
    in the local node config without needing the full node discovery.

    Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>

commit 362c094a8e1bdd34234bf60adf5923ce0a55fec2
Author: Cilium Imagebot <noreply@cilium.io>
Date:   Wed Mar 27 16:34:16 2024 +0000

    images: update cilium-{runtime,builder}

    Signed-off-by: Cilium Imagebot <noreply@cilium.io>

commit cd5bc4e03b5ebe3af56e639f252ff2a4a239f2a2
Author: Timo Beckers <timo@isovalent.com>
Date:   Wed Mar 27 16:01:30 2024 +0100

    testdata: minimize build output by reducing header includes

    This patch should make testdata play a bit nicer with backports, since
    including headers like node_config.h, ep_config.h and maps.h cause potential
    churn in the resulting BTF info.

    Include a minimal subset of headers and reduce testdata code to what's
    strictly necessary for the Go tests to run.

    Signed-off-by: Timo Beckers <timo@isovalent.com>

commit 5c35dc31c1acb0cba013f20a026c57e291573e55
Author: Timo Beckers <timo@isovalent.com>
Date:   Wed Mar 27 15:55:56 2024 +0100

    Makefile: declare CILIUM_BUILDER_IMAGE in Makefile.defs

    Centralize the declaration so we can assume it's present in other Makefiles
    importing Makefile.defs.

    Signed-off-by: Timo Beckers <timo@isovalent.com>

commit 2d0c9706192922041c59de578cb05d0a06bb7448
Author: Dylan Reimerink <dylan.reimerink@isovalent.com>
Date:   Fri Mar 1 16:18:08 2024 +0100

    Remove `HAVE_CHANGE_TAIL`

    The value of `HAVE_CHANGE_TAIL` was dependent on the result of a
    feature probe that tests for the presence of the `bpf_skb_change_tail`
    helper function, which was added in kernel v4.9. Now that the minimum
    supported kernel version is v5.4, we can remove the probe and assume
    we always have this feature available.

    Given the existence of global asserts for features significantly newer,
    I think it's safe to not add an explicit assert for this feature.

    Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>

commit 50547dde360b5900147286cd357cf5173b8de06c
Author: Dylan Reimerink <dylan.reimerink@isovalent.com>
Date:   Fri Mar 1 16:14:48 2024 +0100

    Remove `HAVE_SOCKET_LOOKUP` define

    The `HAVE_SOCKET_LOOKUP` define was used to check if the current kernel
    had the `bpf_sk_lookup_tcp`. This is the case of kernels after 4.20.
    So now that the minimum kernel version is 5.4, we can remove this and
    assume that the kernel has this feature.

    Given the presence of global assertions for features that are newer than
    this helper, I believe it safe to not add explicit assertions for this
    feature.

    Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>

commit 458b5cc6c361d130ad87602e97b57bc87b1358be
Author: Tam Mach <tam.mach@cilium.io>
Date:   Thu Mar 28 13:12:20 2024 +1100

    test: Update KPR value in ipsec upgrade jobs

    There is a merge race between the below two PRs, which leads to failure
    in CI job for ipsec upgrade config 5.15.

    https://github.com/cilium/cilium/actions/runs/8461160283/job/23180526103
    ```
    Error: Unable to upgrade Cilium: execution error at (cilium/templates/cilium-configmap.yaml:70:5): kubeProxyReplacement must be explicitly set to a valid value (true or false) to continue.
    ```

    Relates: #31637, https://github.com/cilium/cilium/pull/31637
    Signed-off-by: Tam Mach <tam.mach@cilium.io>

commit ac804b6980aac59950e23484809cbc2cafa318c2
Author: Tobias Klauser <tobias@cilium.io>
Date:   Wed Mar 27 15:01:44 2024 +0100

    install/kubernetes: use renovate to update quay.io/cilium/startup-script

    Make sure the latest version of the image is used in the helm charts by
    letting renovatebot update it automatically.

    Signed-off-by: Tobias Klauser <tobias@cilium.io>

commit 2d32dab5451d6ecc1dd1de3bc39f1070ff02b6b5
Author: Tobias Klauser <tobias@cilium.io>
Date:   Wed Mar 27 14:38:55 2024 +0100

    install/kubernetes: use digest for nodeinit image

    Like other images used in the Cilium helm chart, use a digest in
    addition to the tag for the nodeinit image.

    Signed-off-by: Tobias Klauser <tobias@cilium.io>

commit dbf327d11392ec6613741d1ed91a77a253d598d7
Author: deterclosed <fliter@outlook.com>
Date:   Sat Mar 23 14:12:12 2024 +0800

    all: remove repetitive words

    Signed-off-by: deterclosed <fliter@outlook.com>

commit 5daf681a49bbef9d66956c1ace821847cd849415
Author: Tam Mach <tam.mach@cilium.io>
Date:   Thu Mar 21 00:03:39 2024 +1100

    lint: Remove temp variable in the 'for' loop

    Since golang 1.22+, the temp variable in the for loop can be removed.
    There is a new linter, copyloopvar, in the latest golangci-lint; however,
    there are a lot of false positives now, so probably after a few versions
    we can enable it in .golangci.yaml.

    Signed-off-by: Tam Mach <tam.mach@cilium.io>

commit 6a83269beec154c1cad91d5cd6ed2c644d79a6b2
Author: Tam Mach <tam.mach@cilium.io>
Date:   Mon Mar 11 15:46:00 2024 +1100

    cleanup: Remove deprecated values for KPR

    This commit is to remove all deprecated values (strict, disabled, probe
    and partial) for kubeProxyReplacement.

    Relates: #26036, #26496

    Signed-off-by: Tam Mach <tam.mach@cilium.io>

commit 5864db744bb2a85e6ef9d026262c77dae8bf9f50
Author: Paul Chaignon <paul.chaignon@gmail.com>
Date:   Wed Mar 27 11:26:41 2024 +0100

    workflows: Cover IPsec encrypted overlay mode in end-to-end tests

    Encrypted overlay was introduced in d6693413e8afb ("bpf: encrypt
    overlay traffic"). As the name indicates, with that feature, Cilium will
    also encrypt the overlay itself (i.e., the VXLAN headers). The present
    commit covers this configuration in the two IPsec workflows.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

commit 034aee74f57905898741b89549430c409bef99e3
Author: Tamilmani <tamanoha@microsoft.com>
Date:   Fri Mar 1 12:44:09 2024 -0800

    fix: Delegated ipam not configure ipv6 in ipv6 disabled case

    Delegated ipam returns an ipv6 address to cilium cni even if ipv6 is
    disabled in the cilium agent config. In this scenario, ipv6 node
    addressing is not set and it's causing cilium cni to crash if delegated
    ipam returns ipv6 but it is disabled in the cilium agent.

    Signed-off-by: Tamilmani <tamanoha@microsoft.com>

commit f2d804babb4ac4098733cf0a15bd15bd834d1380
Author: Robin Gögge <r.goegge@isovalent.com>
Date:   Tue Mar 5 17:45:47 2024 +0100

    loader: clean up tcx bpf_links created by newer Cilium versions

    A follow-up commit will introduce attaching TC programs using tcx. Those
    attachments cannot be overridden using netlink. If an older version of
    Cilium wants to replace a TC program on a managed interface, it'll need to
    remove the tcx attachment first.

    This commit teaches the agent to remove leftover tcx link objects from previous
    installs, before reattaching it using netlink. Note that this transition is
    never seamless, since some time passes between deleting the link and attaching
    the new program using netlink. However, as explained in 7a8e3c810c
    ("loader: clean up XDP bpf_links created by newer Cilium versions"), this
    downgrade path should rarely happen.

    Signed-off-by: Robin Gögge <r.goegge@isovalent.com>
    Co-authored-by: Timo Beckers <timo@isovalent.com>

commit e2d90dad6ea18242a3ba67230eb09a7340bfbc5c
Author: Robin Gögge <r.goegge@isovalent.com>
Date:   Wed Dec 6 13:17:55 2023 +0100

    loader: aggregate replaceDatapath arguments

    The arguments to the replaceDatapath functions are already quite numerous
    and make the function signature hard to read. In preparation for future
    commits, this patch aggregates almost all arguments to the function into
    one option parameter.

    Signed-off-by: Robin Gögge <r.goegge@isovalent.com>

commit 377df9bbc2742a6c233f33385b610dfda1ad1581
Author: Maxim Mikityanskiy <maxim@isovalent.com>
Date:   Tue Mar 26 16:09:24 2024 +0200

    test/verifier: Sort BPF program names for stable output

    Repeated runs of `go test ./test/verifier` print program complexity in
    random order. Sorting by external wrappers is not feasible, because
    there are groups (each object file compiled with a certain set of
    defines) that need to be sorted individually. Make the output stable.

    Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>

commit 820aa07acdcdcb160b62574cdf2a766cf47f5da0
Author: Paul Chaignon <paul.chaignon@gmail.com>
Date:   Tue Mar 26 19:01:57 2024 +0100

    workflows: Debug info for key rotations

    During the key rotations, we compare the number of keys to the expected
    number to know where we are in the process (started the rotation or
    finished it). The expected number of keys depends on the configuration
    so let's print it in the logs to help debug.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

commit 60e721243b25e163720e53170d77d10ced88ede7
Author: Maxim Mikityanskiy <maxim@isovalent.com>
Date:   Tue Mar 26 22:12:08 2024 +0200

    test/verifier: Keep existing environment when running make

    Don't purge the environment when running `make -C bpf` in the verifier
    tests, because unsetting $PATH and $HOME has numerous undesired side
    effects:

    1. Go is not found in complexity-test little-vm-helper images.
    2. Git can't find its config in complexity-test LVH images.
    3. The user can't override the path to clang.

    Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>

commit 283cb040ba65681e9e8776190af545769179f9ac
Author: Julian Wiedmann <jwi@isovalent.com>
Date:   Wed Mar 27 12:01:50 2024 +0200

    workflows: ipsec-e2e: add missing key types for some configs

    These configs were recent additions, and missed the introduction of
    the key-type-* parameters. Add them now.

    Suggested-by: Paul Chaignon <paul.chaignon@gmail.com>
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

commit 23dd8de89218c8e0366928bb5c8445211c344b5b
Author: Michi Mutsuzaki <michi@isovalent.com>
Date:   Tue Mar 26 01:21:35 2024 +0000

    Document the process for disabling workflows

    Co-authored-by: Quentin Monnet <qmo@qmon.net>
    Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>

commit d00547a16267a3ec36b7a6748822b5d3657e8835
Author: Louis DeLosSantos <louis.delos@isovalent.com>
Date:   Thu Feb 29 16:20:33 2024 -0500

    bpf,test: add tests for vxlan helper functions

    Add unit tests for new vxlan helper functions in tunnel.h

    Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

commit e1951e9784b1e32b4683ed49a10694334052ac3e
Author: ldelossa <louis.delos@gmail.com>
Date:   Tue Feb 27 15:18:46 2024 -0500

    bpf: add trace notification for overlay encryption

    Add a trace notification when we are redirecting a packet back into the
    stack for XFRM encryption.

    Trace example:
    -> stack flow 0xc218244b , identity unknown->unknown state encrypt-overlay ifindex 0 orig-ip 0.0.0.0: 172.18.0.3:58167 -> 172.18.0.2:8472 udp

    Signed-off-by: ldelossa <louis.delos@isovalent.com>

commit d6693413e8afb101a74bc5a0dcb4ba84210e576b
Author: ldelossa <louis.delos@gmail.com>
Date:   Mon Feb 26 17:16:27 2024 -0500

    bpf: encrypt overlay traffic

    This commit introduces the ability to encrypt overlay traffic before it
    leaves the host.

    The 'cil_to_netdev' function is updated to sniff into overlay packets
    (only VXLAN supported for now) and determine if the ENCRYPTED_OVERLAY_ID
    security identifier is present in the overlay's header.

    If it is, a new function in encrypt.h will set the appropriate packet
    mark on the skb and redirect the packet to the ingress of the interface
    it was egressing on.

    When the packet is seen on the ingress side of the device it will be
    submitted to the XFRM hooks in the output routing path and the XFRM
    subsystem will encrypt the packet.

    Subsequent changes to the IPSec control plane to create the appropriate
    states and policies to support this are required.

    Signed-off-by: ldelossa <louis.delos@isovalent.com>

commit 8f172e2fe982c51619d7c3254d4c27967ca0163e
Author: Louis DeLosSantos <louis.delos@isovalent.com>
Date:   Mon Mar 18 20:27:53 2024 -0400

    ipsec: add encrypted overlay flags

    This commit adds both the agent and datapath flag required to enable the
    "Encrypted Overlay" feature.

    The datapath will use ENABLE_ENCRYPTED_OVERLAY feature flag.
    The agent will use "encryption.ipsec.encryptOverlay"

    Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

commit 8503f967ff77e6457c8457bf820eafc96e21d6cd
Author: Louis DeLosSantos <louis.delos@isovalent.com>
Date:   Mon Mar 4 17:36:59 2024 -0500

    datapath: add EncryptedOverlayID reserved ID 11

    This commit adds a new reserved security identity for signaling overlay
    traffic which must be IPSec encrypted.

    When the eBPF datapath encounters an egress packet with this security
    identity in an overlay header (currently only VXLan supported) it will
    subject the packet to IPSec encryption and rewrite the overlay header
    with the correct security identity before the packet leaves the host.

    Therefore, this identity should NEVER be seen on traffic ingress or
    egress the node from the network.

    Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
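The two commits above ("bpf: encrypt overlay traffic" and "datapath: add EncryptedOverlayID reserved ID 11") say the reserved identity 11 is only an in-host signal and should never be seen in a VXLAN header on the wire. The following Go program is an added example, not Cilium's code: it parses the 8-byte VXLAN header (RFC 7348 layout) and flags a captured UDP payload whose VNI carries the reserved identity, the check a capture-based sanity test would run on node ingress/egress. That Cilium carries the security identity in the VNI field is an assumption of this example; `parseVXLAN`, `buildVXLAN` and `leaksEncryptedOverlayID` are names chosen here, and the headers it builds are constructed sample data.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// encryptedOverlayID is the reserved security identity from the commit
// message. The datapath uses it only as an in-host signal, so it must not
// appear in a VXLAN header that reaches the wire.
const encryptedOverlayID uint32 = 11

const (
	vxlanHeaderLen    = 8
	vxlanFlagVNIValid = 0x08 // "I" flag: the VNI field is valid (RFC 7348)
)

// vxlanHeader holds the fields of the 8-byte VXLAN header.
type vxlanHeader struct {
	Flags uint8
	VNI   uint32 // 24-bit network identifier
}

// parseVXLAN decodes the VXLAN header at the start of b (the UDP payload).
func parseVXLAN(b []byte) (vxlanHeader, error) {
	if len(b) < vxlanHeaderLen {
		return vxlanHeader{}, errors.New("short VXLAN header")
	}
	h := vxlanHeader{Flags: b[0]}
	if h.Flags&vxlanFlagVNIValid == 0 {
		return h, errors.New("VXLAN I flag not set; VNI field is not valid")
	}
	// Bytes 4..6 hold the 24-bit VNI; byte 7 is reserved.
	h.VNI = binary.BigEndian.Uint32(b[4:8]) >> 8
	return h, nil
}

// buildVXLAN constructs a VXLAN header carrying vni (constructed sample data).
func buildVXLAN(vni uint32) []byte {
	b := make([]byte, vxlanHeaderLen)
	b[0] = vxlanFlagVNIValid
	binary.BigEndian.PutUint32(b[4:8], vni<<8)
	return b
}

// leaksEncryptedOverlayID reports whether a VXLAN header observed on the
// wire carries the reserved identity. The identity living in the VNI field
// is an assumption of this example.
func leaksEncryptedOverlayID(udpPayload []byte) (bool, error) {
	h, err := parseVXLAN(udpPayload)
	if err != nil {
		return false, err
	}
	return h.VNI == encryptedOverlayID, nil
}

func main() {
	leak, _ := leaksEncryptedOverlayID(buildVXLAN(encryptedOverlayID))
	fmt.Println("reserved identity seen on the wire:", leak)
}
```

A positive result from `leaksEncryptedOverlayID` on a packet captured outside the host means the datapath rewrote nothing before the packet left, which the commit message says must never happen.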

commit 43bd8c17f020eea053aab71216c37e2814fc4570
Author: Sebastian Wicki <sebastian@isovalent.com>
Date:   Tue Mar 26 16:56:20 2024 +0100

    cilium-health: Fix broken retry loop in `cilium-health-ep` controller

    This commit fixes a bug in the `cilium-health-ep` controller restart
    logic where it did not give the cilium-health endpoint enough time to
    startup before it was re-created.

    For context, the `cilium-health-ep` performs two tasks:

      1. Launch the cilium-health endpoint when the controller is started
         for the first time.
      2. Ping the cilium-health endpoint, and if it does not reply, destroy
         and re-create it.

    The controller has a `RunInterval` of 60 seconds and a default
    `ErrorRetryBaseDuration` of 1 second. This means that after launching
    the initial cilium-health endpoint, we wait for 60 seconds before we
    attempt to ping it. If that ping succeeds, we then keep pinging the
    health endpoint every 60 seconds.

    However, if a ping fails, the controller deletes the existing endpoint
    and creates a new one. Because the controller then also returns an
    error, it is immediately re-run after one second, because in the failure
    case a controller retries with an interval of `consecutiveErrors *
    ErrorRetryBaseDuration`.

    This meant that after a failed ping, we deleted the unreachable
    endpoint, recreated a new one, and after 1s would immediately try to
    ping it. Because the newly launched endpoint is unlikely to be
    reachable after just one second (it requires a full endpoint
    regeneration with BPF compilation), the `cilium-health-ep` logic would
    declare the still starting endpoint as dead and re-create it. This loop
    would continue endlessly, causing lots of unnecessary CPU churn, until
    enough consecutive errors have happened for the wait time between launch
    and the first ping to be long enough for a cilium-health endpoint to be
    fully regenerated.

    This commit attempts to fix the logic by not immediately killing an
    unreachable health endpoint and instead waiting for three minutes to
    pass before we attempt to try again. Three minutes should hopefully be
    enough time for the initial endpoint regeneration to succeed.

    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
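The commit message above describes the retry arithmetic in prose. The Go program below is an added example, not the `cilium-health-ep` controller's code: it models the scheduling it describes (a 60 s `RunInterval`, a 1 s `ErrorRetryBaseDuration`, and `consecutiveErrors * ErrorRetryBaseDuration` after a failure) with a simulated clock, and compares a grace period of zero (the pre-fix behaviour) with the three-minute grace period the fix introduces. The `healthController` type, `simulateHealthController` and the 90-second regeneration time are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// healthController models the scheduling described in the commit message:
// RunInterval between successful runs, consecutiveErrors*ErrorRetryBase
// after a failed run, and (with the fix) a grace period after launching an
// endpoint during which an unreachable endpoint is not re-created.
type healthController struct {
	runInterval       time.Duration
	errorRetryBase    time.Duration
	graceAfterLaunch  time.Duration // 0 reproduces the pre-fix behaviour
	consecutiveErrors int
	launchedAt        time.Duration // simulated clock value at the last launch
	generation        int           // how many endpoints have been launched
}

// check runs one controller iteration at simulated time now. It returns
// whether the endpoint was re-created and the error the controller reports
// (which drives the retry interval).
func (c *healthController) check(now time.Duration, reachable bool) (bool, error) {
	if reachable {
		return false, nil
	}
	if now-c.launchedAt < c.graceAfterLaunch {
		return false, errors.New("health endpoint unreachable, still within startup grace period")
	}
	c.launchedAt = now
	c.generation++
	return true, errors.New("health endpoint unreachable, re-created")
}

// nextDelay applies the controller's retry policy to the last result.
func (c *healthController) nextDelay(err error) time.Duration {
	if err == nil {
		c.consecutiveErrors = 0
		return c.runInterval
	}
	c.consecutiveErrors++
	return time.Duration(c.consecutiveErrors) * c.errorRetryBase
}

// simulateHealthController counts how many endpoints get re-created within
// horizon. The first endpoint (generation 0) never becomes reachable, which
// is the failure that triggers the loop; every later endpoint becomes
// reachable readyAfter after its launch, standing in for endpoint
// regeneration and BPF compilation time (constructed values).
func simulateHealthController(grace, readyAfter, horizon time.Duration) int {
	c := &healthController{
		runInterval:      60 * time.Second,
		errorRetryBase:   time.Second,
		graceAfterLaunch: grace,
	}
	recreations := 0
	for now := c.runInterval; now <= horizon; {
		reachable := c.generation > 0 && now-c.launchedAt >= readyAfter
		recreated, err := c.check(now, reachable)
		if recreated {
			recreations++
		}
		now += c.nextDelay(err)
	}
	return recreations
}

func main() {
	fmt.Println("re-creations before fix:", simulateHealthController(0, 90*time.Second, 10*time.Minute))
	fmt.Println("re-creations after fix: ", simulateHealthController(3*time.Minute, 90*time.Second, 10*time.Minute))
}
```

With a zero grace period every retry lands well inside the 90-second regeneration window, so each check kills a still-starting endpoint; with the three-minute grace period the broken initial endpoint is replaced once and the replacement is given time to come up.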

commit e2e97f3e07843f568813f90500ba75b21c462b8b
Author: Paul Chaignon <paul.chaignon@gmail.com>
Date:   Tue Mar 26 23:49:48 2024 +0100

    docs: Document No node ID drops in case of remote node deletion

    While testing cluster scale downs, we noticed that under constant
    traffic load, we sometimes had drops of type "No node ID found". We
    confirmed that these are expected when the remote node was just deleted,
    the delete event received by the local agent, but a local pod is still
    sending traffic to pods on that node. In that case, the node is removed
    from the node ID map, but information on pods hosted by that node may
    still be present.

    This commit documents it with the other expected reasons for "No node
    ID found" drops.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

commit ebf272d77b2d9af6c991136f96e1a8f11feca320
Author: Tomoya Fujita <Tomoya.Fujita@sony.com>
Date:   Wed Mar 20 14:53:20 2024 -0700

    contrib: Add devcontainer setup script and doc update.

    Signed-off-by: Tomoya Fujita <Tomoya.Fujita@sony.com>

commit 9b1a7c392ab3dbc1b201647a9018f994f53fe701
Author: Fabio Falzoi <fabio.falzoi@isovalent.com>
Date:   Tue Feb 13 17:12:25 2024 +0100

    iptables: Extract runnable interface from iptablesInterface

    The current iptablesInterface is mainly used to mock the iptables and
    ip6tables command in unit testing. Hence it includes the runProgOutput
    and runProg methods.  However, it also includes other methods that are
    not strictly necessary for testing, so it may be built as an extension
    of a slim runnable interface that includes just what we need to mock the
    iptables command execution.

    As a side benefit, this eliminates the need for mocking the getVersion
    method.

    Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>

commit 4577df2d9fb8fb6e56ba17523d4bae39fbcfedda
Author: Fabio Falzoi <fabio.falzoi@isovalent.com>
Date:   Thu Jan 18 10:38:19 2024 +0100

    iptables: Migrate tests to std Go testing pkg

    Migrate tests from checkmate (the temporary wrapper for
    gopkg.in/check.v1) to the standard Go testing framework.

    Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>

commit 51852524f8315d98fa82b292ac7254f0564bea3a
Author: Nate Sweet <nathanjsweet@pm.me>
Date:   Tue Mar 19 12:22:36 2024 -0500

    testing: Update Restore Sort Method Signatures

    The Sort methods are updated to take an unused
    testing.T structure to indicate to all callers
    that they are only for testing purposes.

    Signed-off-by: Nate Sweet <nathanjsweet@pm.me>

commit abd7c6e7fdca4352f2d83c0701d95d53cf3e10af
Author: Nate Sweet <nathanjsweet@pm.me>
Date:   Wed Mar 13 15:24:50 2024 -0500

    fqdn: Fallback to Version 1 Port Lookups

    In cases where a port-protocol is not present
    in a restored port protocol, look up
    the Version 1 version of the PortProto
    in case a Version 1 PortProto was restored.

    Signed-off-by: Nate Sweet <nathanjsweet@pm.me>

commit 6baab364c2fe71e54b50f3d746175ef1db75f6e2
Author: Nate Sweet <nathanjsweet@pm.me>
Date:   Fri Mar 22 12:05:16 2024 -0500

    endpoint: Create a New Restore Field for DNS

    DNSRulesV2 accounts for protocol and DNSRules does not.
    DNSProxy needs to account for both, and endpoint needs
    to be able to restore from a downgrade. DNSRulesV2 is used
    by default now, but DNSRules is maintained in case of a
    downgrade.

    Signed-off-by: Nate Sweet <nathanjsweet@pm.me>

commit bc7fbf384bd2179c943130fc6842e27045c372de
Author: Nate Sweet <nathanjsweet@pm.me>
Date:   Mon Mar 11 10:36:10 2024 -0500

    fqdn: Add Protocol to DNS Proxy Cache

    DNS Proxy indexes domain selectors by port
    only. In cases where protocols collide on port
    the DNS proxy may have a more restrictive selector
    than it should because it does not merge port
    protocols for L7 policies (only ports).

    All callers of the DNS Proxy are updated
    to add protocol to any DNS Proxy entries, and all
    tests are updated to test for port-protocol
    merge errors.

    Signed-off-by: Nate Sweet <nathanjsweet@pm.me>

commit 1941679572fd10932f20beb30a0dc6fd4c70c05f
Author: Nate Sweet <nathanjsweet@pm.me>
Date:   Wed Mar 13 11:03:14 2024 -0500

    fqdn: Update DNS Restore to Index to PortProto

    DNS Proxy needs to account for protocol when indexing
    L7 DNS rules that it needs to adhere to, otherwise
    L7 rules with differing port-protocols can override
    each other (nondeterministically) and create overly
    restrictive, and incorrect DNS rules. The problem with
    accounting for protocol is that Endpoint restoration
    logic uses DNS rules that index to port-only as JSON
    saved to disk. Adding an additional protocol index to
    a map structure changes the JSON structure and breaks
    restoration logic between Cilium versions.

    This change makes the map index backwards compatible,
    since it changes the index from a uint16 to a uint32,
    both of which marshal the same into a JSON structure.
    The endpoint restoration logic will succeed between
    versions, because the older version will be
    automatically differentiated with a lack of a 1-bit
    at bit position 24. Version 2 will save a 1 bit at the
    24th bit going forward to differentiate when protocol
    is indexed or not present.

    Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
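The commit above explains why widening the map index from uint16 to uint32 keeps the JSON on disk compatible, and the earlier "fqdn: Fallback to Version 1 Port Lookups" commit describes the lookup fallback. The following Go program is an added example, not Cilium's `fqdn` package: it encodes a port-only version 1 key and a port+protocol version 2 key in one uint32 with bit 24 as the version marker, round-trips both through `encoding/json` (integer map keys marshal as decimal strings, so the file structure does not change), and implements the fallback lookup. The exact bit positions for the protocol, the `PortProto` type and `restoreFromJSON` are assumptions made for this example, and the JSON inputs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed layout (an assumption for illustration, not Cilium's exact
// encoding): bits 0-15 carry the port, bits 16-23 the IP protocol number,
// and bit 24 marks a version 2 key that carries a protocol. A version 1 key
// is a bare uint16 port widened to uint32, so bit 24 is always clear.
const (
	portProtoV2Flag uint32 = 1 << 24
	protoShift             = 16
	protoMask       uint32 = 0xff << protoShift
)

type PortProto uint32

func NewPortProtoV1(port uint16) PortProto { return PortProto(port) }

func NewPortProtoV2(port uint16, proto uint8) PortProto {
	return PortProto(uint32(port) | uint32(proto)<<protoShift | portProtoV2Flag)
}

func (pp PortProto) IsV2() bool   { return uint32(pp)&portProtoV2Flag != 0 }
func (pp PortProto) Port() uint16 { return uint16(uint32(pp) & 0xffff) }

// Proto returns the protocol number; 0 for a version 1 key, meaning "any".
func (pp PortProto) Proto() uint8 { return uint8((uint32(pp) & protoMask) >> protoShift) }

// ToV1 drops the protocol and version bit, yielding the key an older
// release would have written.
func (pp PortProto) ToV1() PortProto { return PortProto(pp.Port()) }

// restoredRules is the on-disk shape: a map keyed by PortProto. Go's
// encoding/json marshals integer map keys as decimal strings, so a version 1
// file ({"53":[...]}) and a version 2 file share one JSON structure and both
// decode into this type.
type restoredRules map[PortProto][]string

func restoreFromJSON(data []byte) (restoredRules, error) {
	var r restoredRules
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, err
	}
	return r, nil
}

// Lookup applies the fallback: when a version 2 key is absent, try the
// version 1 key so rules restored by an older release are still honoured.
func (r restoredRules) Lookup(pp PortProto) ([]string, bool) {
	if rules, ok := r[pp]; ok {
		return rules, true
	}
	if pp.IsV2() {
		if rules, ok := r[pp.ToV1()]; ok {
			return rules, true
		}
	}
	return nil, false
}

func main() {
	rules := restoredRules{NewPortProtoV2(53, 17): {"*.example.com"}} // constructed
	data, _ := json.Marshal(rules)
	fmt.Println(string(data))
}
```

Because a version 1 key never has bit 24 set, a restored file can be told apart from a version 2 one key by key, without any separate version field in the JSON.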

commit 54b2ce4c5023c64a30d47e2be3b9cb1b2c7cec14
Author: Quentin Monnet <qmo@qmon.net>
Date:   Mon Mar 25 15:41:36 2024 +0000

    ci-e2e: Add e2e test with WireGuard + Host Firewall

    To get more coverage about the host firewall, let's add a new job in the
    e2e test suites to run it alongside WireGuard encryption.

    Signed-off-by: Quentin Monnet <qmo@qmon.net>

commit 147a9c48a0d444206640e149075743500250666b
Author: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
Date:   Tue Mar 19 16:09:05 2024 +0900

    docs,bgpv1: A few minor wording improvements

    Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>

commit 5d682ad9f428057b829f60dd6791afb93d60d73b
Author: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
Date:   Tue Mar 19 16:12:27 2024 +0900

    docs,bgpv1: Node failure scenario

    Add a node failure scenario doc

    Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
    Co-authored-by: Harsimran Pabla <128612031+harsimran-pabla@users.noreply.github.com>
    Co-authored-by: Ryan Drew <learnitall0@gmail.com>

commit 5e5ed75426f02c02a93b33ea8caab2c4589b74ec
Author: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
Date:   Tue Mar 26 12:32:30 2024 +0900

    docs,bgpv1: Add Node Shutdown operation guide

    Add an operation guide to shut down the node while avoiding packet loss
    as much as possible.

    Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>

commit f5a34f7469f4238f610b68f2e23a4f2cc70f7103
Author: Paul Chaignon <paul.chaignon@gmail.com>
Date:   Wed Mar 20 22:08:44 2024 +0100

    node: Log local boot ID

    We have very little logging of the boot IDs. Really fixing that will
    require a bit of work to not be too verbose, but in the meantime, we
    should at least log the local boot ID.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

commit 98dd97bea8076189225c42f22fdf8a07b53f86f4
Author: Robin Gögge <r.goegge@gmail.com>
Date:   Wed Mar 20 17:18:34 2024 +0100

    ipsec: fix per-node-pair-key computation

    This commit ensures that

    - each time we compute a per-node-pair-key we create an empty slice with
      the correct length first, and then append all the input data instead
      of appending to one of the input slices (`globalKey`) directly.
    - the IPs that are used as arguments in `computeNodeIPsecKey` are
      canonical, meaning IPv4 IPs consist of 4 bytes and IPv6 IPs consist of
      16 bytes.

    This is necessary to always have the same inputs on all nodes when
    computing the per-node-pair-key. Without this IPs might not match on the
    byte level, e.g. on one node the input is a v6 mapped v4 address (IPv4
    address in 16 bytes) and on the other it isn't when used as input to the
    hash function. This will generate non-matching keys.

    Co-authored-by: Zhichuan Liang <gray.liang@isovalent.com>
    Signed-off-by: Robin Gögge <r.goegge@gmail.com>

commit 2e321eba37f5f66fce50a83bdbac692556429064
Author: Paul Chaignon <paul.chaignon@gmail.com>
Date:   Sat Mar 16 22:51:54 2024 +0100

    k8s: bump CRD schema version

    When adding the BootID field to the CiliumNode CRD, we forgot to bump
    the version, which is an issue when, after a cilium upgrade, the
    operator tries to update the CiliumNode objects to include the BootID
    field.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

commit 07711d86fca5a2f384328f69478ad1dd538b073c
Author: Robin Gögge <r.goegge@gmail.com>
Date:   Tue Feb 20 17:27:44 2024 +0100

    ipsec: disallow empty bootid for key generation

    A node update that doesn't contain a BootID will cause the creation
    of non-matching XFRM IN and OUT states across the cluster as the
    BootID is used to generate per-node key pairs. Non-matching XFRM
    states will result in XfrmInStateProtoError, causing packet drops.
    An empty BootID should thus be treated as an error, and Cilium
    should not attempt to derive per-node keys from it.

    Signed-off-by: Robin Gögge <r.goegge@gmail.com>

commit e8ddc88aa3bcd6333c21b775e2b18aea9514654f
Author: Paul Chaignon <paul.chaignon@gmail.com>
Date:   Tue Feb 13 16:32:46 2024 +0100

    workflows: Extend IPsec key rotation coverage

    Since commit 4cf468b91b ("ipsec: Control use of per-node-pair keys from
    secret bit"), IPsec key rotations can be used to switch from the
    single-key system to the per-tunnel key system (also referred to as
    per-node-pair key system). Our key rotation test in CI was updated to
    cover such a switch.

    This commit extends it to also cover traditional key rotations, with
    both the new and old key systems. The switch back into a single-key
    system is also covered.

    These special key rotations are controlled with a single + sign. Adding
    it after the SPI in the IPsec Kubernetes secret is enough to switch to a
    per-tunnel key system. We thus simply need to cover all 4 cases of
    having or not having the + sign in the old and new secrets.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

commit e448644f497eb83bc7184a77e0e3045646e7e216
Author: Paul Chaignon <paul.chaignon@gmail.com>
Date:   Sat Mar 16 22:48:30 2024 +0100

    workflows: Rename argument of key-rotation action to key-algo

    The subsequent commit will introduce other arguments that are also named
    "type" so let's make the existing one more precise.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

commit 8e1c3139691463e72afbae8b7330b8a96b77f0b1
Author: Paul Chaignon <paul.chaignon@gmail.com>
Date:   Thu Dec 21 15:17:33 2023 +0100

    conn-disrupt: Allowlist XfrmInNoStates packet drops

    The IPsec fixes will introduce a few XfrmInNoStates packet drops on
    up/downgrades due to non-atomic Linux APIs (can't replace XFRM states
    atomically). Those are limited to a very short time (time between two
    netlink syscalls).

    We however need to allowlist them in the CI. Since we're using the
    conn-disrupt GitHub action from main, we need to allowlist in main for
    the pull request's CI to pass.

    Note that despite the expected-xfrm-errors flag, the tests will still
    fail if we get 10 or more such drops. We don't expect so many
    XfrmInNoStates drops so we still want to fail in that case.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

commit b511bd132645660d214593c3b3b10a1651456e40
Author: Paul Chaignon <paul.chaignon@gmail.com>
Date:   Wed Nov 22 21:18:25 2023 +0100

    ipsec: Control use of per-node-pair keys from secret bit

    The ESN bit in the IPsec secret will be used to indicate whether
    per-node-pair keys should be used or if the global key should remain in
    use. Specifically, it consists of a '+' sign after the SPI number in the
    secret.

    This ESN bit will be used to transition from a global key system to a
    per-node-pair system at runtime. We would typically rely on an agent
    flag for such a configuration. However, in this case, we need to perform
    a key rotation at the same time as we change the key system. Encoding
    the key system in the IPsec secret achieves that.

    By transitioning from the global to the per-node-pair keys via a key
    rotation, we ensure that the two can coexist during the transition. The
    old, global key will have XFRM rules with SPI n, whereas the new,
    per-node-pair keys will have XFRM rules with SPI n+1.

    Using a bit in the IPsec secret is also easier to test because we
    already have all the logic to test key rotation (whereas we would need
    new logic to test a flag change).

    The users therefore need to perform a key rotation from e.g.:

        3 rfc4106(gcm(aes)) [...] 128

    to:

        4+ rfc4106(gcm(aes)) [...] 128

    The key rotation test in CI is updated to cover a rotation from 3 to 4+
    (meaning a rotation into the new per-node-pair key system).

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

commit 7a2a18d873094be30d80e7ff3381fc986bf6cf3e
Author: Nikolay Aleksandrov <nikolay@isovalent.com>
Date:   Mon Nov 28 11:36:42 2022 +0200

    ipsec: Enable ESN anti-replay protection

    Now we can enable ESN anti-replay with window size of 1024. If a node
    reboots then everyone updates the related keys with the new one due to
    the different bootid, the node itself is already generating the keys
    with the new bootid. The window is used to allow for out-of-order
    packets, anti-replay still doesn't allow to replay any packet but keeps
    a bitmap and can accept out-of-order packets within window size range.
    For more information check section "A2. Anti-Replay Window" of RFC 4303.

    Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com>
    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
    Co-authored-by: Paul Chaignon <paul.chaignon@gmail.com>

commit 913995fcf248517bf7d931d04bc175a9b34c3454
Author: Nikolay Aleksandrov <nikolay@isovalent.com>
Date:   Wed Mar 8 13:13:32 2023 +0200

    docs: Document Xfrm{In,Out}NoStates on node reboots

    When a node reboots the key used to communicate with it is expected to
    change due to the new boot id generated. While the new key is being
    installed we may need to do it non-atomically (delete + insert), so
    packets to/from that node might be dropped which would cause increases
    in the XfrmNoStatesIn/Out. Add a note about it in the docs so users are
    not surprised.

    Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com>
    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
    Co-authored-by: Paul Chaignon <paul.chaignon@gmail.com>

commit 840c88e787db96b21ef7607b3fc570aa2c79a995
Author: Nikolay Aleksandrov <nikolay@isovalent.com>
Date:   Tue Dec 20 17:20:47 2022 +0200

    ipsec: Update existing states when a node's bootid changes

    When we detect that a node's bootid has changed, we need to update the
    IPsec states.

    Unfortunately this is not as straightforward as it should be, because we
    may receive the new boot ID before a CiliumInternalIP is assigned to the
    node. In such a case, we can't install the XFRM states yet because we
    don't have the CiliumInternalIP, but we need to remember that the boot
    ID changed and states should be replaced.

    We therefore record that information in a map, ipsecUpdateNeeded, which
    is later read to see if the boot ID changed.

    Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com>
    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
    Co-authored-by: Paul Chaignon <paul.chaignon@gmail.com>

commit b409312b04a56dce6a1e7e378cf9bd3f6bd25d9b
Author: Nikolay Aleksandrov <nikolay@isovalent.com>
Date:   Mon Dec 19 10:42:41 2022 +0200

    ipsec: Use boot IDs when deriving per-node keys

    We need to ensure we never have two packets encrypted with the same key
    and sequence number. To that end, in previous commits, we introduced
    per-node-pair keys. That is however not sufficient. Since the sequence
    numbers can start from zero on node boot, if a node reboots, it will
    start sending traffic encrypted again with the same key and sequence
    number as it did before.

    To fix that, we need to ensure the per-node-pair keys change on node
    reboots. We achieve that by using the boot ID in the per-node-pair key
    calculation.

    For a pair of nodes A and B with IP addresses a and b and boot IDs x
    and y, we will therefore install two different keys:

        Node A               <> Node B
        XFRM IN:  key(b+a+y+x)  XFRM IN:  key(a+b+x+y)
        XFRM OUT: key(a+b+x+y)  XFRM OUT: key(b+a+y+x)

    This is done such that, for each pair of nodes A, B, the key used for
    decryption on A (XFRM IN) is the same key used for encryption on B (XFRM
    OUT), and vice versa.

    Since we are now retrieving the local node's boot ID as part of the
    IPsec code, we need to initialize the mocked local node store in the
    unit tests.

    Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com>
    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
    Co-authored-by: Paul Chaignon <paul.chaignon@gmail.com>

commit c72e9f4600e0efec1c8d53a8b235f75b8df83ae8
Author: Nikolay Aleksandrov <nikolay@isovalent.com>
Date:   Mon Dec 12 16:44:25 2022 +0200

    k8s, node: Add bootid to CiliumNode resource

    Read and export the local bootid via CiliumNode. We'll need it in a
    subsequent commit to generate new IPsec keys when a node reboots.
    This commit also collects the boot_id file as part of the bugtool
    report.

    Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com>
    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
    Co-authored-by: Paul Chaignon <paul.chaignon@gmail.com>

commit f1c4a6e5934a5a95a6f4804fa156f9ce239b85d5
Author: Paul Chaignon <paul.chaignon@gmail.com>
Date:   Fri Jun 2 22:43:09 2023 +0200

    ipsec: Allow old and new XFRM IN states to coexist for upgrade

    This commit extends the logic from commit c0d9b8c9e ("ipsec: Allow old
    and new XFRM OUT states to coexist for upgrade") to have both the old
    and the new XFRM IN states in place. This is necessary to avoid packet
    drops during the upgrade.

    As with the XFRM OUT states, we can't add the new IN state while the old
    one is in place. We therefore need to first remove the old state, to
    then add the new one. See c0d9b8c9e ("ipsec: Allow old and new XFRM OUT
    states to coexist for upgrade") for details.

    Note this commit also removes the comparison of output-marks.
    Output-marks aren't actually used by the kernel to decide if two states
    conflict. And in the case of XFRM IN states, the output-marks changed a
    bit as well. Despite being different, the states still conflict.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

commit c017f65210ed1797d7181efa2882e7c243448324
Author: Paul Chaignon <paul@cilium.io>
Date:   Wed Sep 21 15:19:41 2022 +0200

    ipsec: Per-node XFRM IN states

    We want to have one IPsec key per node1->node2 (not including
    node2->node1 which will get a different key). We therefore need per-node
    XFRM states on the receive/decrypt side to carry each node's key.

    This commit implements that change. Thus, instead of creating a unique
    XFRM IN state when we receive the local node, we will create an XFRM IN
    state every time we receive a remote node.

    Signed-off-by: Paul Chaignon <paul@cilium.io>

commit 7f35fc57f523da0706a192c91795a65011999d28
Author: Paul Chaignon <paul.chaignon@gmail.com>
Date:   Wed Sep 21 15:03:44 2022 +0200

    ipsec, bpf: Match XFRM IN states using mark instead of source IP

    It turns out that two XFRM IN states can't have the same mark and
    destination IP, even if they have different source IPs. That's an issue
    in our case because each node1->node2 pair will have its own IPsec key.
    Therefore, we need one XFRM state per origin node on input.

    Since we can't differentiate those XFRM states by their source
    IPs, we will have to differentiate using the marks. To do so, we need to
    convert the source IP into a packet mark before matching against XFRM
    states. We can write these packet marks in bpf_network, before going up
    the stack for decryption. And conveniently, we've just introduced a way
    to convert each cluster node into an ID, the node ID, which fits in the
    packet mark.

    This commit therefore performs a node ID map lookup to retrieve the
    node ID using the outer source IP address when packets are first
    processed in bpf_network.

    We clear the node ID from the packet mark after decryption using XFRM
    (output-mark).

    If no node ID is found for the outer source IP, we drop the packet.
    It seems preferable to drop it from BPF with all the contextual
    information rather than let it proceed to the XFRM layer where it will
    be dropped with only an error code incrementing.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

commit 41d74a035e2a400957b9030b27b6e909f02c6e89
Author: Paul Chaignon <paul@cilium.io>
Date:   Wed May 3 11:09:02 2023 +0200

    ipsec: Replace states with the old IPsec key

    In the previous commit, we changed the way we compute the IPsec keys. We
    therefore need to replace the XFRM states to use the new keys.

    Our current update logic however doesn't take this case into account. It
    compares states based on IPs, marks, and SPIs, but it doesn't compare
    the keys. It would therefore assume that the correct states are already
    installed.

    This commit extends that logic to detect a difference in encryption keys
    and, if such a difference exists, remove the old states.

    Signed-off-by: Paul Chaignon <paul@cilium.io>

commit c28e046d4c6216dea4fddae7b4be4823e8736764
Author: Paul Chaignon <paul.chaignon@gmail.com>
Date:   Sun May 15 23:17:51 2022 +0200

    ipsec: Compute per-node-pair IPsec keys

    We need to ensure the (key used, sequence number) tuple for each
    encrypted packet is always unique on the network. Today that's not the
    case because the key is the same for all nodes and the sequence number
    starts at 0 on node reboot.

    To enable this, we will derive one key per node pair from a global key
    shared across all nodes. We need it per node pair and not per node
    because the first message emitted from A to B shouldn't be using the
    same key as the first message emitted from B to A, to satisfy the above
    requirement.

    To that end, for each node pair (A, B), we compute a key as follows:

        key = sha256(global_key + ip_of_a + ip_of_b)

    The sha256 sum is then truncated to the expected length.

    Once computed, we install the derived keys such that the key used for
    encryption on node A is the same as the key used for decryption on node
    B:

        Node A               <> Node B
        XFRM IN:  key(b+a)      XFRM IN:  key(a+b)
        XFRM OUT: key(a+b)      XFRM OUT: key(b+a)

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
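The derivation sketched in this commit message, and the boot-ID extension described in the "Compute per-node-pair IPsec keys" follow-up higher in this list (key(a+b+x+y)), as an added Go example that is not Cilium's own code: it derives the per-direction keys, installs them as IN/OUT pairs, and checks the invariant that A's OUT key equals B's IN key and vice versa. The exact byte encoding of the inputs (IPs in wire form, boot IDs as raw strings, no separators), the 16-byte truncation, and the `Node`/`XfrmKeys` types are assumptions of this example; the global key and addresses are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
)

// Node holds what the derivation needs from a CiliumNode: its IP and its
// boot ID (the boot ID is exported via CiliumNode in the commits above).
type Node struct {
	Name   string
	IP     net.IP
	BootID string
}

// XfrmKeys is the pair of keys a node installs for one peer: IN decrypts
// traffic from the peer, OUT encrypts traffic to it.
type XfrmKeys struct {
	In  []byte
	Out []byte
}

// ipBytes normalises an IP to its wire form (4 bytes for IPv4, 16 for IPv6)
// so the hash input does not depend on how the address was parsed.
func ipBytes(ip net.IP) []byte {
	if v4 := ip.To4(); v4 != nil {
		return v4
	}
	return ip.To16()
}

// deriveKey computes sha256(global_key + src_ip + dst_ip + src_boot + dst_boot)
// truncated to keyLen bytes, i.e. key(a+b+x+y) in the commit's notation.
// Concatenation order and encoding are assumptions of this example.
func deriveKey(globalKey []byte, src, dst Node, keyLen int) []byte {
	h := sha256.New()
	h.Write(globalKey)
	h.Write(ipBytes(src.IP))
	h.Write(ipBytes(dst.IP))
	h.Write([]byte(src.BootID))
	h.Write([]byte(dst.BootID))
	return h.Sum(nil)[:keyLen]
}

// nodeKeys returns what local installs for remote: OUT is derived from
// (local, remote), IN from (remote, local), matching the XFRM table above.
func nodeKeys(globalKey []byte, local, remote Node, keyLen int) XfrmKeys {
	return XfrmKeys{
		Out: deriveKey(globalKey, local, remote, keyLen),
		In:  deriveKey(globalKey, remote, local, keyLen),
	}
}

// pairConsistent checks the invariant the commit message states: the key A
// encrypts with is the key B decrypts with, and vice versa. A pair failing
// this check would drop every packet between the two nodes.
func pairConsistent(a, b XfrmKeys) bool {
	return bytes.Equal(a.Out, b.In) && bytes.Equal(a.In, b.Out)
}

func main() {
	global := []byte("constructed-global-key-do-not-use") // constructed sample value
	a := Node{Name: "A", IP: net.ParseIP("10.0.0.1"), BootID: "boot-x"}
	b := Node{Name: "B", IP: net.ParseIP("10.0.0.2"), BootID: "boot-y"}
	ka := nodeKeys(global, a, b, 16)
	kb := nodeKeys(global, b, a, 16)
	fmt.Printf("A OUT %s\nB IN  %s\nconsistent=%v\n",
		hex.EncodeToString(ka.Out), hex.EncodeToString(kb.In), pairConsistent(ka, kb))

	// B reboots: its boot ID changes, so the A->B key changes too and the
	// (key, sequence number) tuples B sends after reboot cannot repeat.
	b2 := Node{Name: "B", IP: b.IP, BootID: "boot-z"}
	fmt.Println("A->B key changed after B reboot:",
		!bytes.Equal(nodeKeys(global, a, b2, 16).Out, ka.Out))
}
```

The reboot case in `main` also shows why the "Replace states with the old IPsec key" commit is needed: after B's boot ID changes, A's previously installed states still hold the old keys, so a comparison that ignores key bytes would leave stale, now-inconsistent states in place.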

commit c0d5d9054c02fe0333ea9b199d9ac…
rzdebskiy pushed a commit to rzdebskiy/cilium that referenced this pull request Apr 3, 2024
There is a merge race between the below two PRs, which leads to failure
in CI job for ipsec upgrade config 5.15.

https://github.com/cilium/cilium/actions/runs/8461160283/job/23180526103
```
Error: Unable to upgrade Cilium: execution error at (cilium/templates/cilium-configmap.yaml:70:5): kubeProxyReplacement must be explicitly set to a valid value (true or false) to continue.
```

Relates: cilium#31637, #cilium#31637
Signed-off-by: Tam Mach <tam.mach@cilium.io>
Labels
area/CI Continuous Integration testing issue or flake area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipsec Relates to Cilium's IPsec feature release-note/ci This PR makes changes to the CI.

4 participants