Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: Add IPsec leak detection for ci-ipsec-e2e #32930

Merged
merged 7 commits into from
Jun 10, 2024
Merged

ci: Add IPsec leak detection for ci-ipsec-e2e #32930

merged 7 commits into from
Jun 10, 2024

Conversation

jschwinger233
Copy link
Member

@jschwinger233 jschwinger233 commented Jun 6, 2024
edited
Loading

Add IPsec leak detection for ci-ipsec-e2e.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 6, 2024
@jschwinger233 jschwinger233 force-pushed the pr/gray/main/ipsec-leak-detection branch 2 times, most recently from 5346da7 to 55d1d77 Compare June 6, 2024 07:03
@jschwinger233
Copy link
Member Author

jschwinger233 commented Jun 6, 2024
edited
Loading

All green 🟢 https://github.com/cilium/cilium/actions/runs/9396554042/job/25877952674

Second run failed on an echo-ingress-mutual-auth-spiffe/pod-to-pod flake: https://github.com/cilium/cilium/actions/runs/9396554042/job/25881297773

3rd run is also 🍏 https://github.com/cilium/cilium/actions/runs/9396554042/job/25883690215
4th 📗 https://github.com/cilium/cilium/actions/runs/9396554042/job/25887219490

@jschwinger233 jschwinger233 changed the title Pr/gray/main/ipsec leak detection ci: Add IPsec leak detection for ci-ipsec-e2e Jun 6, 2024
@jschwinger233 jschwinger233 added area/CI Continuous Integration testing issue or flake sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/ci This PR makes changes to the CI. feature/ipsec Relates to Cilium's IPsec feature labels Jun 6, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 6, 2024
@jschwinger233
Copy link
Member Author

/test

@jschwinger233 jschwinger233 marked this pull request as ready for review June 6, 2024 11:51
@jschwinger233 jschwinger233 requested review from a team as code owners June 6, 2024 11:51
giorio94
giorio94 reviewed Jun 6, 2024
View reviewed changes
Copy link
Member

@giorio94 giorio94 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good to me, thanks! I've left a couple of minor comments inline.

.github/actions/conn-disrupt-test-check/action.yaml Outdated Show resolved Hide resolved
.github/workflows/conformance-ipsec-e2e.yaml Show resolved Hide resolved
.github/actions/bpftrace/start/action.yaml Show resolved Hide resolved
.github/workflows/conformance-ipsec-e2e.yaml Outdated Show resolved Hide resolved
@jschwinger233 jschwinger233 force-pushed the pr/gray/main/ipsec-leak-detection branch 2 times, most recently from 6aabf75 to 586db4e Compare June 7, 2024 04:46
@jschwinger233 jschwinger233 mentioned this pull request Jun 7, 2024
Merged
1 task
@jschwinger233
Copy link
Member Author

/test

@jschwinger233 jschwinger233 mentioned this pull request Jun 7, 2024
Merged
1 task
giorio94
giorio94 approved these changes Jun 7, 2024
View reviewed changes
Copy link
Member

@giorio94 giorio94 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

.github/actions/conn-disrupt-test-setup/action.yaml Outdated Show resolved Hide resolved
@jschwinger233
ci: Add conn-disrupt-test-{setup,check} actions
64cd412 
They are to replace conn-disrupt-test action for better flexibility.

Please note the new conn-disrupt-test-check doesn't run full tests by
default.

Signed-off-by: gray <gray.liang@isovalent.com>
@jschwinger233
ci: Decouple ipsec-key-rotate action from conn-disrupt-test action
253e96e 
So in future we can add encryption leak detection right after key
rotation to avoid certain issues.

ci-ipsec-e2e and ci-eks also has been adjusted to use
conn-disrupt-test-* actions before and after ipsec-key-rotate action.

Signed-off-by: gray <gray.liang@isovalent.com>
@jschwinger233
ci: Use conn-disrupt-test-{setup,check} for ci-ipsec-upgrade
2517b6c 
Signed-off-by: gray <gray.liang@isovalent.com>
@jschwinger233 jschwinger233 mentioned this pull request Jun 12, 2024
Closed
@julianwiedmann julianwiedmann mentioned this pull request Jun 13, 2024
Merged
8 tasks
jshr-w added a commit to jshr-w/cilium that referenced this pull request Jun 13, 2024
@jshr-w
ci: fix ces migration test trigger and conn-disrupt behavior
a20401c 
PR cilium#32930 introduced a change to the conn-disrupt test that caused this
migration test to fail. This PR updates the test to work with the
updated test format. The inconsistency was not caught because of the
path filters used in the test, so the path filters have been updated to
exclude only Documentation/ and test/.

Fixes: cilium#32268

Signed-off-by: jshr-w <shjayaraman@microsoft.com>
jshr-w added a commit to jshr-w/cilium that referenced this pull request Jun 13, 2024
@jshr-w
ci: fix ces migration test trigger and conn-disrupt usage
b34ff8e 
PR cilium#32930 introduced a change to the conn-disrupt test that caused this
migration test to fail. This PR updates the test to work with the
updated test format. The inconsistency was not caught because of the
path filters used in the test, so the path filters have been updated to
exclude only Documentation/ and test/.

Fixes: cilium#32268

Signed-off-by: jshr-w <shjayaraman@microsoft.com>
@jshr-w jshr-w mentioned this pull request Jun 13, 2024
Merged
8 tasks
@github-actions github-actions bot added the backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. label Jun 14, 2024
jshr-w added a commit to jshr-w/cilium that referenced this pull request Jun 14, 2024
@jshr-w
ci: fix ces migration test trigger and conn-disrupt usage
306a446 
PR cilium#32930 introduced a change to the conn-disrupt test that caused this
migration test to fail. This PR updates the test to work with the
updated test format. The inconsistency was not caught because of the
path filters used in the test, so the path filters have been updated to
exclude only Documentation/ and test/.

Fixes: cilium#32268

Signed-off-by: jshr-w <shjayaraman@microsoft.com>
github-merge-queue bot pushed a commit that referenced this pull request Jun 15, 2024
@jshr-w @aanm
ci: fix ces migration test trigger and conn-disrupt usage
ffb8443 
PR #32930 introduced a change to the conn-disrupt test that caused this
migration test to fail. This PR updates the test to work with the
updated test format. The inconsistency was not caught because of the
path filters used in the test, so the path filters have been updated to
exclude only Documentation/ and test/.

Fixes: #32268

Signed-off-by: jshr-w <shjayaraman@microsoft.com>
@julianwiedmann julianwiedmann added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Jun 17, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.15 in 1.15.6 Jun 17, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.13 in 1.13.17 Jun 17, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport done to v1.14 in 1.14.12 Jun 17, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport done to v1.14 in 1.14.12 Jun 17, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport done to v1.14 in 1.14.12 Jun 17, 2024
youngnick pushed a commit to youngnick/cilium that referenced this pull request Jun 20, 2024
@jshr-w @youngnick
ci: fix ces migration test trigger and conn-disrupt usage
49013ad 
PR cilium#32930 introduced a change to the conn-disrupt test that caused this
migration test to fail. This PR updates the test to work with the
updated test format. The inconsistency was not caught because of the
path filters used in the test, so the path filters have been updated to
exclude only Documentation/ and test/.

Fixes: cilium#32268

Signed-off-by: jshr-w <shjayaraman@microsoft.com>
@jschwinger233 jschwinger233 mentioned this pull request Jul 1, 2024
Closed
8 tasks
@github-actions github-actions bot added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Jul 3, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.17 Jul 3, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed this from Backport pending to v1.13 in 1.13.17 Jul 3, 2024
@julianwiedmann julianwiedmann added backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. and removed backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. labels Jul 3, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Backport done to v1.13 in 1.13.17 Jul 3, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.15 to Backport done to v1.15 in 1.15.6 Jul 3, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.15 to Backport done to v1.15 in 1.15.6 Jul 3, 2024
@julianwiedmann julianwiedmann mentioned this pull request Jul 4, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pchaigno pchaigno pchaigno approved these changes

@julianwiedmann julianwiedmann julianwiedmann approved these changes

@giorio94 giorio94 giorio94 approved these changes

Assignees
No one assigned
Labels
area/CI Continuous Integration testing issue or flake area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. backport/author The backport will be carried out by the author of the PR. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. feature/ipsec Relates to Cilium's IPsec feature ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/ci This PR makes changes to the CI. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Projects
1.13.17
Backport done to v1.13
1.14.12
Backport done to v1.14
1.15.6
Backport done to v1.15
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@jschwinger233 @pchaigno @julianwiedmann @giorio94