[1.13] ci: Add IPsec leak detection for ci-ipsec-e2e #33080
Commits on Jun 12, 2024
-
ci: Add conn-disrupt-test-{setup,check} actions
[ upstream commit: 0f957a7 ] They are to replace conn-disrupt-test action for better flexibility. Please note the new conn-disrupt-test-check doesn't run full tests by default. Signed-off-by: gray <gray.liang@isovalent.com>
Commit 32bbc31
-
ci: Decouple ipsec-key-rotate action from conn-disrupt-test action
[ upstream commit: c430572 ] [ backporter's note: 1.13 doesn't have ipsec-key-rotate action, we just get rid of conn-disrupt-test from ci-ipsec-e2e. ] So in future we can add encryption leak detection right after key rotation to avoid certain issues. ci-ipsec-e2e and ci-eks have also been adjusted to use conn-disrupt-test-* actions before and after the ipsec-key-rotate action. Signed-off-by: gray <gray.liang@isovalent.com>
Commit 4df44d4
-
ci: Use conn-disrupt-test-{setup,check} for ci-ipsec-upgrade
[ upstream commit: 364ff9e ] Signed-off-by: gray <gray.liang@isovalent.com>
Commit ba6a053
-
ci: Delete deprecated conn-disrupt-test action
[ upstream commit: ec1b796 ] Signed-off-by: gray <gray.liang@isovalent.com>
Commit a875def
-
conformance-ipsec-e2e: add leaked unencrypted packets check
[ upstream commit: e3fe4bc ] Extend the conformance-ipsec-e2e GHA workflow to additionally check that we don't leak any unencrypted packets during the connectivity test. This aims to complement the validation already performed as part of the connectivity tests by the Cilium CLI. Specifically, we leverage bpftrace to analyze the packets forwarded by the bridge device (used by kind), and report those that are not encrypted. We flag packets with both the source and the destination belonging to the IPv4/6 PodCIDR, and we consider the inner headers if packets are encapsulated. In this case, we additionally skip packets originating or targeting CiliumInternalIP addresses (as these are used for node-to-pod traffic when running in tunnel mode, which is not encrypted by design). Extra checks are finally added to always include packets originating from the L7 and DNS proxies, as their source IP is not that of a pod.
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: gray <gray.liang@isovalent.com>
Commit 4a57b23
-
ci: check-ipsec-leaks.bt can tolerate proxy traffic not found
[ upstream commit: 230c200 ] Add an argument to tell check-ipsec-leaks.bt whether to report errors if proxy traffic is not found. Signed-off-by: gray <gray.liang@isovalent.com>
Commit 0a53348
-
conformance-ipsec-e2e: run leak check before/after key rotation
[ upstream commit: 4e2a66d ] [ backporter's note: In 1.13 ci-ipsec-e2e disables IPv6, we need to suppress "no IPv6 connections" errors in check-ipsec-leaks.bt ] This is because we saw a racing issue if leak detection covers the whole rotation + conn-disrupt-check: cilium connectivity will remove conn-disrupt pods at the end of the connectivity test, leaving some lingering packets recognized as leaked traffic. This commit avoids the issue by running leak checks separately for key rotation and the after-rotation test.
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: gray <gray.liang@isovalent.com>
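The classification rules described in the e3fe4bc commit message (both endpoints in the PodCIDR, inner headers for encapsulated packets, CiliumInternalIP traffic skipped, proxy-originated traffic included) and the "suppress a coverage error" switch from the backporter's note above, applied to constructed packet records. This is an added Python example, not Cilium's check-ipsec-leaks.bt script or any code from this PR: the capture point is modelled as a list of packet records, proxy traffic is identified by a node source address plus a constructed set of proxy source ports, and all addresses and CIDRs are made-up sample values. The tolerance flag shown covers only the IPv6 case; the separate "proxy traffic not found" argument is not modelled.

```python
# Added example: IPsec leak classification over constructed packet records.
# Not Cilium's bpftrace script; the rules follow the commit message, the
# proxy-port heuristic and the sample addresses are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

ESP = 50  # IP protocol number of ESP, i.e. an encrypted packet


@dataclass(frozen=True)
class Packet:
    """One packet as observed at the capture point (the bridge device in kind)."""
    src: str
    dst: str
    proto: int                        # outer IP protocol number
    sport: int = 0                    # L4 source port of the pod/proxy packet (0 = n/a)
    inner_src: Optional[str] = None   # inner IP header when tunnelled (VXLAN/Geneve)
    inner_dst: Optional[str] = None


@dataclass
class Config:
    pod_cidrs: list                   # IPv4 and IPv6 PodCIDRs
    cilium_internal_ips: set          # CiliumInternalIP of every node
    node_ips: set                     # node addresses (proxies send from these)
    proxy_ports: Set[int]             # assumed: source ports used by L7/DNS proxies
    require_ipv6: bool = True         # False suppresses the "no IPv6 traffic" error


def _in_pod_cidr(addr, cfg: Config) -> bool:
    # `in` is False for a mismatched address family, so v4/v6 mixes are safe.
    return any(addr in cidr for cidr in cfg.pod_cidrs)


def classify(pkt: Packet, cfg: Config) -> str:
    """Return 'encrypted', 'leak' or 'ignored' for one packet."""
    if pkt.proto == ESP:
        return "encrypted"
    encapsulated = pkt.inner_src is not None
    # Use the inner headers when the packet is tunnelled, the outer ones otherwise.
    src = ip_address(pkt.inner_src if encapsulated else pkt.src)
    dst = ip_address(pkt.inner_dst if encapsulated else pkt.dst)
    if encapsulated and (src in cfg.cilium_internal_ips or dst in cfg.cilium_internal_ips):
        return "ignored"  # node-to-pod traffic in tunnel mode is unencrypted by design
    # Proxy traffic has a node source IP, so it is included via the port heuristic.
    src_is_proxy = src in cfg.node_ips and pkt.sport in cfg.proxy_ports
    if (_in_pod_cidr(src, cfg) or src_is_proxy) and _in_pod_cidr(dst, cfg):
        return "leak"
    return "ignored"


@dataclass
class Report:
    leaks: List[Packet] = field(default_factory=list)
    encrypted_v4: int = 0
    encrypted_v6: int = 0
    errors: List[str] = field(default_factory=list)


def check(packets, cfg: Config) -> Report:
    """Classify every packet and derive the errors the CI step would fail on."""
    rep = Report()
    for pkt in packets:
        verdict = classify(pkt, cfg)
        if verdict == "leak":
            rep.leaks.append(pkt)
        elif verdict == "encrypted":
            if ip_address(pkt.src).version == 6:
                rep.encrypted_v6 += 1
            else:
                rep.encrypted_v4 += 1
    if rep.leaks:
        rep.errors.append(f"{len(rep.leaks)} unencrypted pod packet(s) observed")
    if rep.encrypted_v4 == 0:
        rep.errors.append("no encrypted IPv4 traffic observed")
    if cfg.require_ipv6 and rep.encrypted_v6 == 0:
        rep.errors.append("no encrypted IPv6 traffic observed")
    return rep


def sample_config(require_ipv6: bool = False) -> Config:
    # Constructed values; the default mirrors a cluster with IPv6 disabled.
    return Config(
        pod_cidrs=[ip_network("10.244.0.0/16"), ip_network("fd00:10:244::/48")],
        cilium_internal_ips={ip_address("10.244.0.1"), ip_address("10.244.1.1")},
        node_ips={ip_address("172.18.0.2"), ip_address("172.18.0.3")},
        proxy_ports={10000, 10001},
        require_ipv6=require_ipv6,
    )


# Constructed capture: one ESP packet, one tunnelled CiliumInternalIP->pod packet,
# one tunnelled pod->pod packet in the clear, one plaintext proxy->pod packet,
# and one unrelated node->node packet.
SAMPLE = [
    Packet("172.18.0.2", "172.18.0.3", ESP),
    Packet("172.18.0.2", "172.18.0.3", 17, inner_src="10.244.0.1", inner_dst="10.244.1.20"),
    Packet("172.18.0.2", "172.18.0.3", 17, inner_src="10.244.0.15", inner_dst="10.244.1.20"),
    Packet("172.18.0.2", "10.244.1.20", 6, sport=10000),
    Packet("172.18.0.2", "172.18.0.3", 6, sport=443),
]


def run_sample(require_ipv6: bool = False) -> Report:
    return check(SAMPLE, sample_config(require_ipv6))


if __name__ == "__main__":
    report = run_sample()
    for leak in report.leaks:
        print("LEAK:", leak)
    for err in report.errors:
        print("ERROR:", err)
```

Running the block reports the two leaked packets (the clear-text pod-to-pod tunnel packet and the proxy-originated one) and a single error; switching `require_ipv6` on adds the "no encrypted IPv6 traffic observed" error, which is the case the backport suppresses for the IPv6-disabled 1.13 workflow.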
Commit 1d8e7de