workflows: Cover IPsec encrypted overlay mode in end-to-end tests #31637
Merged
+42 −1
Conversation
pchaigno added the labels area/CI (Continuous Integration testing issue or flake), area/encryption (Impacts encryption support such as IPSec, WireGuard, or kTLS), release-note/ci (This PR makes changes to the CI) and feature/ipsec (Relates to Cilium's IPsec feature) on Mar 27, 2024
pchaigno force-pushed the pr/pchaigno/cover-encrypted-overlay-e2e branch from 4fb54dd to 1c3c8a0 on March 27, 2024 13:29
julianwiedmann approved these changes Mar 27, 2024
brlbil approved these changes Mar 27, 2024
s/encryption-overlay/encrypted-overlay/ no?

Encrypted overlay was introduced in d669341 ("bpf: encrypt overlay traffic"). As the name indicates, with that feature, Cilium will also encrypt the overlay itself (i.e., the VXLAN headers). The present commit covers this configuration in the two IPsec workflows.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
pchaigno force-pushed the pr/pchaigno/cover-encrypted-overlay-e2e branch from 1c3c8a0 to 1d3f8a1 on March 27, 2024 15:22
pchaigno commented Mar 27, 2024
/test
sayboras added a commit that referenced this pull request Mar 28, 2024

There is a merge race between the below two PRs, which leads to failure in CI job for ipsec upgrade config 5.15.
https://github.com/cilium/cilium/actions/runs/8461160283/job/23180526103

```
Error: Unable to upgrade Cilium: execution error at (cilium/templates/cilium-configmap.yaml:70:5): kubeProxyReplacement must be explicitly set to a valid value (true or false) to continue.
```

Relates: #31637, ##31637
Signed-off-by: Tam Mach <tam.mach@cilium.io>
github-merge-queue bot pushed a commit that referenced this pull request Mar 28, 2024
rzdebskiy added a commit to rzdebskiy/cilium that referenced this pull request Apr 3, 2024
Suggested-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> commit 23dd8de89218c8e0366928bb5c8445211c344b5b Author: Michi Mutsuzaki <michi@isovalent.com> Date: Tue Mar 26 01:21:35 2024 +0000 Document the process for disabling workflows Co-authored-by: Quentin Monnet <qmo@qmon.net> Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> commit d00547a16267a3ec36b7a6748822b5d3657e8835 Author: Louis DeLosSantos <louis.delos@isovalent.com> Date: Thu Feb 29 16:20:33 2024 -0500 bpf,test: add tests for vxlan helper functions Add unit tests for new vxlan helper functions in tunnel.h Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> commit e1951e9784b1e32b4683ed49a10694334052ac3e Author: ldelossa <louis.delos@gmail.com> Date: Tue Feb 27 15:18:46 2024 -0500 bpf: add trace notification for overlay encryption Add a trace notification when we are redirecting a packet back into the stack for XFRM encryption. Trace example: -> stack flow 0xc218244b , identity unknown->unknown state encrypt-overlay ifindex 0 orig-ip 0.0.0.0: 172.18.0.3:58167 -> 172.18.0.2:8472 udp Signed-off-by: ldelossa <louis.delos@isovalent.com> commit d6693413e8afb101a74bc5a0dcb4ba84210e576b Author: ldelossa <louis.delos@gmail.com> Date: Mon Feb 26 17:16:27 2024 -0500 bpf: encrypt overlay traffic This commit introduces the ability to encrypt overlay traffic before it leaves the host. The 'cil_to_netdev' function is updated to sniff into overlay packets (only VXLAN supported for now) and determine if the ENCRYPTED_OVERLAY_ID security identifier is present in the overlay's header. If it is, a new function in encrypt.h will set the appropriate packet mark on the skb and redirect the packet to the ingress of the interface it was egressing on. When the packet is seen on the ingress side of the device it will be submitted to the XFRM hooks in the output routing path and the XFRM subsystem will encrypt the packet. 
Subsequent changes to the IPSec control plane to create the appropriate states and policies to support this are required. Signed-off-by: ldelossa <louis.delos@isovalent.com> commit 8f172e2fe982c51619d7c3254d4c27967ca0163e Author: Louis DeLosSantos <louis.delos@isovalent.com> Date: Mon Mar 18 20:27:53 2024 -0400 ipsec: add encrypted overlay flags This commits and both the agent and datapath flag required to enable the "Encrypted Overlay" feature. The datapath will use ENABLE_ENCRYPTED_OVERLAY feature flag. The agent will use "encryption.ipsec.encryptOverlay" Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> commit 8503f967ff77e6457c8457bf820eafc96e21d6cd Author: Louis DeLosSantos <louis.delos@isovalent.com> Date: Mon Mar 4 17:36:59 2024 -0500 datapath: add EncryptedOverlayID reserved ID 11 This commit adds a new reserved security identity for signaling overlay traffic which must be IPSec encrypted. When the eBPF datapath encounters an egress packet with this security identity in an overlay header (currently only VXLan supported) it will subject the packet to IPSec encryption and rewrite the overlay header with the correct security identity before the packet leaves the host. Therefore, this identity should NEVER be seen on traffic ingress or egress the node from the network. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> commit 43bd8c17f020eea053aab71216c37e2814fc4570 Author: Sebastian Wicki <sebastian@isovalent.com> Date: Tue Mar 26 16:56:20 2024 +0100 cilium-health: Fix broken retry loop in `cilium-health-ep` controller This commit fixes a bug in the `cilium-health-ep` controller restart logic where it did not give the cilium-health endpoint enough time to startup before it was re-created. For context, the `cilium-health-ep` performs two tasks: 1. Launch the cilium-health endpoint when the controller is started for the first time. 2. Ping the cilium-health endpoint, and if it does not reply, destroy and re-create it. 
The controller has a `RunInterval` of 60 seconds and a default `ErrorRetryBaseDuration` of 1 second. This means that after launching the initial cilium-health endpoint, we wait for 60 seconds before we attempt to ping it. If that ping succeeds, we then keep pinging the health endpoint every 60 seconds. However, if a ping fails, the controller deletes the existing endpoint and creates a new one. Because the controller then also returns an error, it is immediately re-run after one second, because in the failure case a controller retries with an interval of `consecutiveErrors * ErrorRetryBaseDuration`. This meant that after a failed ping, we deleted the unreachable endpoint, recreated a new one, and after 1s would immediately try to ping it. Because the newly launched endpoint will is unlikely to be reachable after just one second (it requires a full endpoint regeneration with BPF compilation), the `cilium-health-ep` logic would declare the still starting endpoint as dead and re-create it. This loop would continue endlessly, causing lots of unnecessary CPU churn, until enough consecutive errors have happened for the wait time between launch and the first ping to be long enough for a cilium-health endpoint to be fully regenerated. This commit attempts to fix the logic by not immediately killing a unreachable health endpoint and instead waiting for three minutes to pass before we attempt to try again. Three minutes should hopefully be enough time for the initial endpoint regeneration to succeed. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> commit e2e97f3e07843f568813f90500ba75b21c462b8b Author: Paul Chaignon <paul.chaignon@gmail.com> Date: Tue Mar 26 23:49:48 2024 +0100 docs: Document No node ID drops in case of remote node deletion While testing cluster scale downs, we noticed that under constant traffic load, we sometimes had drops of type "No node ID found". 
We confirmed that these are expected when the remote node was just deleted, the delete event received by the local agent, but a local pod is still sending traffic to pods on that node. In that case, the node is removed from the node ID map, but information on pods hosted by that node may still be present. This commit documents it with the other expected reasons for "No node ID found" drops. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> commit ebf272d77b2d9af6c991136f96e1a8f11feca320 Author: Tomoya Fujita <Tomoya.Fujita@sony.com> Date: Wed Mar 20 14:53:20 2024 -0700 contrib: Add devcontainer setup script and doc update. Signed-off-by: Tomoya Fujita <Tomoya.Fujita@sony.com> commit 9b1a7c392ab3dbc1b201647a9018f994f53fe701 Author: Fabio Falzoi <fabio.falzoi@isovalent.com> Date: Tue Feb 13 17:12:25 2024 +0100 iptables: Extract runnable interface from iptablesInterface The current iptablesInteface is mainly used to mock the iptables and ip6tables command in unit testing. Hence it includes the runProgOutput and runProg methods. However, it also includes other methods that are not strictly necessary for testing, so it may be built as an extension of a slim runnable interface that includes just what we need to mock the iptables command execution. As a side benefit, this eliminates the need for mocking the getVersion method. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> commit 4577df2d9fb8fb6e56ba17523d4bae39fbcfedda Author: Fabio Falzoi <fabio.falzoi@isovalent.com> Date: Thu Jan 18 10:38:19 2024 +0100 iptables: Migrate tests to std Go testing pkg Migrate tests from checkmate (the temporary wrapper for gopkg.in/check.v1) to the standard Go testing framework. 
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> commit 51852524f8315d98fa82b292ac7254f0564bea3a Author: Nate Sweet <nathanjsweet@pm.me> Date: Tue Mar 19 12:22:36 2024 -0500 testing: Update Restore Sort Method Signatrues The Sort methods are updated to take an unused testing.T structure to indicate to all callers that they are only for testing purposes. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> commit abd7c6e7fdca4352f2d83c0701d95d53cf3e10af Author: Nate Sweet <nathanjsweet@pm.me> Date: Wed Mar 13 15:24:50 2024 -0500 fqdn: Fallback to Version 1 Port Lookups In cases where a port-protocol is not present in an restored port protocol, look up up the Version 1 version of the PortoProto in case a Version 1 PortProto was restored. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> commit 6baab364c2fe71e54b50f3d746175ef1db75f6e2 Author: Nate Sweet <nathanjsweet@pm.me> Date: Fri Mar 22 12:05:16 2024 -0500 endpoint: Create a New Restore Field for DNS DNSRulesV2 accounts for protocol and DNSRules does not. DNSProxy needs to account for both, and endpoint needs to be able to restore from a downgrade. DNSRulesV2 is used by default now, but DNSRules is maintained in case of a downgrade. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> commit bc7fbf384bd2179c943130fc6842e27045c372de Author: Nate Sweet <nathanjsweet@pm.me> Date: Mon Mar 11 10:36:10 2024 -0500 fqdn: Add Protocol to DNS Proxy Cache DNS Proxy indexes domain selectors by port only. In cases where protocols collide on port the DNS proxy may have a more restrictive selector than it should because it does not merge port protocols for L7 policies (only ports). All callers of the DNS Proxy are updated to add protocol to any DNS Proxy entries, and all tests are updated to test for port-protocol merge errors. 
Signed-off-by: Nate Sweet <nathanjsweet@pm.me> commit 1941679572fd10932f20beb30a0dc6fd4c70c05f Author: Nate Sweet <nathanjsweet@pm.me> Date: Wed Mar 13 11:03:14 2024 -0500 fqdn: Update DNS Restore to Index to PortProto DNS Proxy needs to account for protocol when indexing L7 DNS rules that it needs to adhere to, otherwise L7 rules with differing port-protocols can override each other (nondeterministically) and create overly restrictive, and incorrect DNS rules. The problem with accounting for protocol is that Endpoint restoration logic uses DNS rules that index to port-only as JSON saved to disk. Adding an additional protocol index to a map structure changes the JSON structure and breaks restoration logic between Cilium versions. This change makes the map index backwards compatible, since it changes the index from a uint16 to a uint32, both of which marshal the same into a JSON structure. The endpoint restoration logic will succeed between versions, because the older version will be automatically differentiated with a lack of a 1-bit at bit position 24. Version 2 will save a 1 bit at the 24th bit going forward to differentiate when protocol is indexed or not present. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> commit 54b2ce4c5023c64a30d47e2be3b9cb1b2c7cec14 Author: Quentin Monnet <qmo@qmon.net> Date: Mon Mar 25 15:41:36 2024 +0000 ci-e2e: Add e2e test with WireGuard + Host Firewall To get more coverage about the host firewall, let's add a new job in the e2e test suites to run it alongside WireGuard encryption. 
Signed-off-by: Quentin Monnet <qmo@qmon.net> commit 147a9c48a0d444206640e149075743500250666b Author: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Date: Tue Mar 19 16:09:05 2024 +0900 docs,bgpv1: A few minor wording improvements Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> commit 5d682ad9f428057b829f60dd6791afb93d60d73b Author: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Date: Tue Mar 19 16:12:27 2024 +0900 docs,bgpv1: Node failure scenario Add a node failure scenario doc Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Co-authored-by: Harsimran Pabla <128612031+harsimran-pabla@users.noreply.github.com> Co-authored-by: Ryan Drew <learnitall0@gmail.com> commit 5e5ed75426f02c02a93b33ea8caab2c4589b74ec Author: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Date: Tue Mar 26 12:32:30 2024 +0900 docs,bgpv1: Add Node Shutdown operation guide Add an operation guide to shut down the node while avoiding packet loss as much as possible. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> commit f5a34f7469f4238f610b68f2e23a4f2cc70f7103 Author: Paul Chaignon <paul.chaignon@gmail.com> Date: Wed Mar 20 22:08:44 2024 +0100 node: Log local boot ID We have very little logging of the boot IDs. Really fixing that will require a bit of work to not be too verbose, but in the meantime, we should at least log the local boot ID. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> commit 98dd97bea8076189225c42f22fdf8a07b53f86f4 Author: Robin Gögge <r.goegge@gmail.com> Date: Wed Mar 20 17:18:34 2024 +0100 ipsec: fix per-node-pair-key computation This commit ensures that - each time we compute a per-node-pair-key we create an empty slice with the correct length first, and then append all the input data instead of appending to one of the input slices (`globalKey`) directly. - the IPs that are used as arguments in `computeNodeIPsecKey` are canonical, meaning IPv4 IPs consist of 4 bytes and IPv6 IPs consist of 16 bytes. 
This is necessary to always have the same inputs on all nodes when computing the per-node-pair-key. Without this IPs might not match on the byte level, e.g on one node the input is a v6 mapped v4 address (IPv4 address in 16 bytes) and on the other it isn't when used as input to the hash function. This will generate non-matching keys. Co-authored-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Robin Gögge <r.goegge@gmail.com> commit 2e321eba37f5f66fce50a83bdbac692556429064 Author: Paul Chaignon <paul.chaignon@gmail.com> Date: Sat Mar 16 22:51:54 2024 +0100 k8s: bump CRD schema version When adding the BootID field to the CiliumNode CRD, we forgot to bump the version, which is an issue when after an cilium upgrade the operator tries to update the CiliumNode objects to include the BootID field. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> commit 07711d86fca5a2f384328f69478ad1dd538b073c Author: Robin Gögge <r.goegge@gmail.com> Date: Tue Feb 20 17:27:44 2024 +0100 ipsec: disallow empty bootid for key generation A node update that doesn't contain a BootID will cause the creation of non-matching XFRM IN and OUT states across the cluster as the BootID is used to generate per-node key pairs. Non-matching XFRM states will result in XfrmInStateProtoError, causing packet drops. An empty BootID should thus be treated as an error, and Cilium should not attempt to derive per-node keys from it. Signed-off-by: Robin Gögge <r.goegge@gmail.com> commit e8ddc88aa3bcd6333c21b775e2b18aea9514654f Author: Paul Chaignon <paul.chaignon@gmail.com> Date: Tue Feb 13 16:32:46 2024 +0100 workflows: Extend IPsec key rotation coverage Since commit 4cf468b91b ("ipsec: Control use of per-node-pair keys from secret bit"), IPsec key rotations can be used to switch from the single-key system to the per-tunnel key system (also referred to as per-node-pair key system). Our key rotation test in CI was updated to cover such a switch. 
This commit extends it to also cover traditional key rotations, with both the new and old key systems. The switch back into a single-key system is also covered. These special key rotations are controlled with a single + sign. Adding it after the SPI in the IPsec Kubernetes secret is enough to switch to a per-tunnel key system. We thus simply need to cover all 4 cases of having or not having the + sign in the old and new secrets. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> commit e448644f497eb83bc7184a77e0e3045646e7e216 Author: Paul Chaignon <paul.chaignon@gmail.com> Date: Sat Mar 16 22:48:30 2024 +0100 workflows: Rename argument of key-rotation action to key-algo The subsequent commit will introduce other arguments that are also named "type" so let's make the existing one more precise. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> commit 8e1c3139691463e72afbae8b7330b8a96b77f0b1 Author: Paul Chaignon <paul.chaignon@gmail.com> Date: Thu Dec 21 15:17:33 2023 +0100 conn-disrupt: Allowlist XfrmInNoStates packet drops The IPsec fixes will introduce a few XfrmInNoStates packet drops on up/downgrades due to non-atomic Linux APIs (can't replace XFRM states atomically). Those are limited to a very short time (time between two netlink syscalls). We however need to allowlist them in the CI. Since we're using the conn-disrupt GitHub action from main, we need to allowlist in main for the pull request's CI to pass. Note that despite the expected-xfrm-errors flag, the tests will still fail if we get 10 or more such drops. We don't expect so many XfrmInNoStates drops so we still want to fail in that case. 
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> commit b511bd132645660d214593c3b3b10a1651456e40 Author: Paul Chaignon <paul.chaignon@gmail.com> Date: Wed Nov 22 21:18:25 2023 +0100 ipsec: Control use of per-node-pair keys from secret bit The ESN bit in the IPsec secret will be used to indicate whether per-node-pair keys should be used or if the global key should remain in use. Specifically, it consist in a '+' sign after the SPI number in the secret. This ESN bit will be used to transition from a global key system to a per-node-pair system at runtime. We would typically rely on an agent flag for such a configuration. However, in this case, we need to perform a key rotation at the same time as we change the key system. Encoding the key system in the IPsec secret achieves that. By transition from the global to the per-node-pair keys via a key rotation, we ensure that the two can coexist during the transition. The old, global key will have XFRM rules with SPI n, whereas the new, per-node-pair keys will have XFRM rules with SPI n+1. Using a bit in the IPsec secret is also easier to test because we already have all the logic to test key rotation (whereas we would need new logic to test a flag change). The users therefore need to perform a key rotation from e.g.: 3 rfc4106(gcm(aes)) [...] 128 to: 4+ rfc4106(gcm(aes)) [...] 128 The key rotation test in CI is updated to cover a rotation from 3 to 4+ (meaning a rotation into the new per-node-pair key system). Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> commit 7a2a18d873094be30d80e7ff3381fc986bf6cf3e Author: Nikolay Aleksandrov <nikolay@isovalent.com> Date: Mon Nov 28 11:36:42 2022 +0200 ipsec: Enable ESN anti-replay protection Now we can enable ESN anti-replay with window size of 1024. If a node reboots then everyone updates the related keys with the new one due to the different bootid, the node itself is already generating the keys with the new bootid. 
The window is used to allow for out-of-order packets, anti-replay still doesn't allow to replay any packet but keeps a bitmap and can accept out-of-order packets within window size range. For more information check section ""A2. Anti-Replay Window" of RFC 4303. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Co-authored-by: Paul Chaignon <paul.chaignon@gmail.com> commit 913995fcf248517bf7d931d04bc175a9b34c3454 Author: Nikolay Aleksandrov <nikolay@isovalent.com> Date: Wed Mar 8 13:13:32 2023 +0200 docs: Document Xfrm{In,Out}NoStates on node reboots When a node reboots the key used to communicate with it is expected to change due to the new boot id generated. While the new key is being installed we may need to do it non-atomically (delete + insert), so packets to/from that node might be dropped which would cause increases in the XfrmNoStatesIn/Out. Add a note about it in the docs so users are not surprised. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Co-authored-by: Paul Chaignon <paul.chaignon@gmail.com> commit 840c88e787db96b21ef7607b3fc570aa2c79a995 Author: Nikolay Aleksandrov <nikolay@isovalent.com> Date: Tue Dec 20 17:20:47 2022 +0200 ipsec: Update existing states when a node's bootid changes When we detect that a node's bootid has changed, we need to update the IPsec states. Unfortunately this is not as straightforward as it should be, because we may receive the new boot ID before a CiliumInternalIP is assign to the node. In such a case, we can't install the XFRM states yet because we don't have the CiliumInternalIP, but we need to remember that the boot ID changed and states should be replaced. We therefore record that information in a map, ipsecUpdateNeeded, which is later read to see if the boot ID changed. 
Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Co-authored-by: Paul Chaignon <paul.chaignon@gmail.com> commit b409312b04a56dce6a1e7e378cf9bd3f6bd25d9b Author: Nikolay Aleksandrov <nikolay@isovalent.com> Date: Mon Dec 19 10:42:41 2022 +0200 ipsec: Use boot IDs when deriving per-node keys We need to ensure we never have two packets encrypted with the same key and sequence number. To that end, in previous commits, we introduced per-node-pair keys. That is however not sufficient. Since the sequence numbers can start from zero on node boot, if a node reboot, it will start sending traffic encrypted again with the same key and sequence number as it did before. To fix that, we need to ensure the per-node-pair keys change on node reboots. We achieve that by using the boot ID in the per-node-pair key calculation. For a pair of nodes A and B with IP addresses a and b and boot IDs x and y, we will therefore install two different keys: Node A <> Node B XFRM IN: key(b+a+y+x) XFRM IN: key(a+b+x+y) XFRM OUT: key(a+b+x+y) XFRM OUT: key(b+a+y+x) This is done such that, for each pair of nodes A, B, the key used for decryption on A (XFRM IN) is the same key used for encryption on B (XFRM OUT), and vice versa. Since we are now retrieving the local node's boot ID as part of the IPsec code, we need to initialize the mocked local node store in the unit tests. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Co-authored-by: Paul Chaignon <paul.chaignon@gmail.com> commit c72e9f4600e0efec1c8d53a8b235f75b8df83ae8 Author: Nikolay Aleksandrov <nikolay@isovalent.com> Date: Mon Dec 12 16:44:25 2022 +0200 k8s, node: Add bootid to CiliumNode resource Read and export the local bootid via CiliumNode. We'll need it in a subsequent commit to generate new IPsec keys when a node reboots. This commit also collects the boot_id file as part of the bugtool report. 
Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Co-authored-by: Paul Chaignon <paul.chaignon@gmail.com> commit f1c4a6e5934a5a95a6f4804fa156f9ce239b85d5 Author: Paul Chaignon <paul.chaignon@gmail.com> Date: Fri Jun 2 22:43:09 2023 +0200 ipsec: Allow old and new XFRM IN states to coexist for upgrade This commit extends the logic from commit c0d9b8c9e ("ipsec: Allow old and new XFRM OUT states to coexist for upgrade") to have both the old and the new XFRM IN states in place. This is necessary to avoid packet drops during the upgrade. As with the XFRM OUT states, we can't add the new IN state while the old one is in place. We therefore need to first remove the old state, to then add the new one. See c0d9b8c9e ("ipsec: Allow old and new XFRM OUT states to coexist for upgrade") for details. Note this commit also removes the comparison of output-marks. Output-marks aren't actually used by the kernel to decide if two states conflict. And in the case of XFRM IN states, the output-marks changed a bit as well. Despite being different, the states still conflict. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> commit c017f65210ed1797d7181efa2882e7c243448324 Author: Paul Chaignon <paul@cilium.io> Date: Wed Sep 21 15:19:41 2022 +0200 ipsec: Per-node XFRM IN states We want to have one IPsec key per node1->node2 (not including node2->node1 which will get a different key). We therefore need per-node XFRM states on the receive/decrypt side to carry each node's key. This commit implements that change. Thus, instead of creating a unique XFRM IN state when we receive the local node, we will create an XFRM IN state everytime we receive a remote node. 
Signed-off-by: Paul Chaignon <paul@cilium.io> commit 7f35fc57f523da0706a192c91795a65011999d28 Author: Paul Chaignon <paul.chaignon@gmail.com> Date: Wed Sep 21 15:03:44 2022 +0200 ipsec, bpf: Match XFRM IN states using mark instead of source IP It turns out that two XFRM IN states can't have the same mark and destination IP, even if they have different source IPs. That's an issue in our case because each node1->node2 pair will have its own IPsec key. Therefore, we need one XFRM state per origin node on input. Since we can't differentiate those XFRM states by their source IPs, we will have to differentiate using the marks. To do so, we need to convert the source IP into a packet mark before matching against XFRM states. We can write these packet marks in bpf_network, before going up the stack for decryption. And conveniently, we've just introduce a way to convert each cluster node into an ID, the node ID, which fits in the packet mark. This commit therefore performs an node ID map lookup to retrieve the node ID using the outer source IP address when packets are first processed in bpf_network. We clear the node ID from the packet mark after decryption using XFRM (output-mark). If no node ID is found for the outer source IP, we drop the packet. It seems preferable to drop it from BPF with all the contextual information rather than let it proceed to the XFRM layer where it will be dropped with only an error code incrementing. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> commit 41d74a035e2a400957b9030b27b6e909f02c6e89 Author: Paul Chaignon <paul@cilium.io> Date: Wed May 3 11:09:02 2023 +0200 ipsec: Replace states with the old IPsec key In the previous commit, we changed the way we compute the IPsec keys. We therefore need to replace the XFRM states to use the new keys. Our current update logic however doesn't take this case into account. It compares states based on IPs, marks, and SPIs, but it doesn't compare the keys. 
It would therefore assume that the correct states are already installed. This commit extends that logic to detect a difference in encryption keys and, if such a difference exist, remove the old states. Signed-off-by: Paul Chaignon <paul@cilium.io> commit c28e046d4c6216dea4fddae7b4be4823e8736764 Author: Paul Chaignon <paul.chaignon@gmail.com> Date: Sun May 15 23:17:51 2022 +0200 ipsec: Compute per-node-pair IPsec keys We need to ensure the (key used, sequence number) tuple for each encrypted packet is always unique on the network. Today that's not the case because the key is the same for all nodes and the sequence number starts at 0 on node reboot. To enable this, we will derive one key per node pair from a global key shared across all nodes. We need it per node pair and not per node because the first message emitted from A to B shouldn't be using the same key as the first message emitted from B to A, to satisfy the above requirement. To that end, for each node pair (A, B), we compute a key as follows: key = sha256(global_key + ip_of_a + ip_of_b) The sha256 sum is then truncated to the expected length. Once computed, we install the derived keys such that the key used for encryption on node A is the same as the key used for decryption on node B: Node A <> Node B XFRM IN: key(b+a) XFRM IN: key(a+b) XFRM OUT: key(a+b) XFRM OUT: key(b+a) Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> commit c0d5d9054c02fe0333ea9b199d9ac…
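The per-node-pair key derivation that the ipsec commits above describe (`key = sha256(global_key + ip_of_a + ip_of_b)`, truncated, later extended with boot IDs as `key(a+b+x+y)`, and the "fix per-node-pair-key computation" commit requiring canonical 4-byte/16-byte IP inputs and a fresh buffer instead of appending to `globalKey`) can be illustrated with the following Go example. It is an added illustration, not Cilium's code: `canonicalIP`, `derivePairKey`, `keysForPeer` and `appendAliasesBackingArray` are hypothetical names, the boot IDs are treated as plain strings, the sample key and addresses are constructed, and truncating the digest to the global key's length is an assumption made for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/netip"
)

// canonicalIP returns the address in its canonical wire form: 4 bytes for
// IPv4 (an IPv4-mapped IPv6 address such as ::ffff:10.0.0.2 is unmapped
// first) and 16 bytes for IPv6. Without this step two nodes can feed
// different byte strings for the same address into the hash and derive
// keys that do not match, which the fix commit above describes.
func canonicalIP(ip netip.Addr) []byte {
	ip = ip.Unmap()
	if ip.Is4() {
		b := ip.As4()
		return b[:]
	}
	b := ip.As16()
	return b[:]
}

// derivePairKey is a hypothetical stand-in for the derivation in the commit
// messages: sha256(global_key + src_ip + dst_ip + src_boot_id + dst_boot_id),
// truncated. The hash input is assembled in a freshly allocated buffer so
// globalKey's backing array is never written to. Truncating to
// len(globalKey) is an assumption made for this example.
func derivePairKey(globalKey []byte, srcIP, dstIP netip.Addr, srcBootID, dstBootID string) []byte {
	input := make([]byte, 0, len(globalKey)+32+len(srcBootID)+len(dstBootID))
	input = append(input, globalKey...)
	input = append(input, canonicalIP(srcIP)...)
	input = append(input, canonicalIP(dstIP)...)
	input = append(input, srcBootID...)
	input = append(input, dstBootID...)
	sum := sha256.Sum256(input)
	keyLen := len(globalKey)
	if keyLen > sha256.Size {
		keyLen = sha256.Size
	}
	return sum[:keyLen]
}

// PairKeys holds the two keys one node installs for one peer: Out encrypts
// traffic towards the peer (XFRM OUT), In decrypts traffic from it (XFRM IN).
type PairKeys struct {
	In, Out []byte
}

// keysForPeer follows the layout from the commit message: on node A with
// peer B, XFRM OUT uses key(a+b+x+y) and XFRM IN uses key(b+a+y+x), so A's
// OUT key equals B's IN key and vice versa.
func keysForPeer(globalKey []byte, localIP, peerIP netip.Addr, localBootID, peerBootID string) PairKeys {
	return PairKeys{
		Out: derivePairKey(globalKey, localIP, peerIP, localBootID, peerBootID),
		In:  derivePairKey(globalKey, peerIP, localIP, peerBootID, localBootID),
	}
}

// appendAliasesBackingArray reproduces the hazard the fix commit removed:
// when globalKey has spare capacity, append(globalKey, ...) writes into
// globalKey's backing array, so the input assembled for the second peer
// overwrites the bytes the first input still refers to. It reports whether
// the first input's tail now holds the second peer's bytes (callers pass
// distinct first/second values).
func appendAliasesBackingArray(globalKey, first, second []byte) bool {
	in1 := append(globalKey, first...)
	in2 := append(globalKey, second...)
	_ = in2
	return bytes.Equal(in1[len(globalKey):], second)
}

func main() {
	// Constructed sample values: a 16-byte global key, two nodes, two boot IDs.
	globalKey := []byte("0123456789abcdef")
	nodeA := netip.MustParseAddr("10.0.0.1")
	nodeB := netip.MustParseAddr("10.0.0.2")
	onA := keysForPeer(globalKey, nodeA, nodeB, "boot-id-a", "boot-id-b")
	onB := keysForPeer(globalKey, nodeB, nodeA, "boot-id-b", "boot-id-a")
	fmt.Printf("A OUT %s\nB IN  %s\nmatch: %v\n",
		hex.EncodeToString(onA.Out), hex.EncodeToString(onB.In), bytes.Equal(onA.Out, onB.In))
	fmt.Printf("append into globalKey with spare capacity aliases: %v\n",
		appendAliasesBackingArray(make([]byte, 16, 64), []byte{1, 2, 3, 4}, []byte{5, 6, 7, 8}))
}
```

Running it shows the two properties the commits rely on: each direction of a node pair gets its own key, the decrypt key on one side is the encrypt key on the other, and a changed boot ID or a differently encoded copy of the same address only produces the same key when inputs are canonicalised.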
rzdebskiy pushed a commit to rzdebskiy/cilium that referenced this pull request Apr 3, 2024

There is a merge race between the below two PRs, which leads to failure in CI job for ipsec upgrade config 5.15.

https://github.com/cilium/cilium/actions/runs/8461160283/job/23180526103

```
Error: Unable to upgrade Cilium: execution error at (cilium/templates/cilium-configmap.yaml:70:5): kubeProxyReplacement must be explicitly set to a valid value (true or false) to continue.
```

Relates: cilium#31637, #cilium#31637

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Encrypted overlay was introduced in #31073. As the name indicates, with that feature, Cilium will also encrypt the overlay itself (i.e., the VXLAN headers). This pull request covers this configuration in the two IPsec workflows.