[1.13] ci: Add IPsec leak detection for ci-ipsec-e2e #33080

Merged, 7 commits, Jul 3, 2024

Commits on Jun 12, 2024

  1. ci: Add conn-disrupt-test-{setup,check} actions

    [ upstream commit: 0f957a7 ]
    
    They are to replace the conn-disrupt-test action for better flexibility.
    
    Please note the new conn-disrupt-test-check doesn't run full tests by
    default.
    
    Signed-off-by: gray <gray.liang@isovalent.com>
    jschwinger233 committed Jun 12, 2024
    32bbc31
  2. ci: Decouple ipsec-key-rotate action from conn-disrupt-test action

    [ upstream commit: c430572 ]
    
    [ backporter's note: 1.13 doesn't have ipsec-key-rotate action, we just
    get rid of conn-disrupt-test from ci-ipsec-e2e. ]
    
    So in future we can add encryption leak detection right after key
    rotation to avoid certain issues.
    
    ci-ipsec-e2e and ci-eks have also been adjusted to use
    conn-disrupt-test-* actions before and after ipsec-key-rotate action.
    
    Signed-off-by: gray <gray.liang@isovalent.com>
    jschwinger233 committed Jun 12, 2024
    4df44d4
  3. ci: Use conn-disrupt-test-{setup,check} for ci-ipsec-upgrade

    [ upstream commit: 364ff9e ]
    
    Signed-off-by: gray <gray.liang@isovalent.com>
    jschwinger233 committed Jun 12, 2024
    ba6a053
  4. ci: Delete deprecated conn-disrupt-test action

    [ upstream commit: ec1b796 ]
    
    Signed-off-by: gray <gray.liang@isovalent.com>
    jschwinger233 committed Jun 12, 2024
    a875def
  5. conformance-ipsec-e2e: add leaked unencrypted packets check

    [ upstream commit: e3fe4bc ]
    
    Extend the conformance-ipsec-e2e GHA workflow to additionally check that
    we don't leak any unencrypted packets during the connectivity test.
    This aims to complement the validation already performed as part of
    the connectivity tests by the Cilium CLI.
    
    Specifically, we leverage bpftrace to analyze the packets forwarded by
    the bridge device (used by kind), and report those that are not encrypted.
    We flag packets with both the source and the destination belonging to
    the IPv4/6 PodCIDR, and we consider the inner headers if packets are
    encapsulated. In this case, we additionally skip packets originating
    or targeting CiliumInternalIP addresses (as these are used for node-to-pod
    traffic when running in tunnel mode, which is not encrypted by design).
    
    Extra checks are finally added to always include packets originating
    from the L7 and DNS proxies, as their source IP is not that of a pod.
    
    Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
    Signed-off-by: gray <gray.liang@isovalent.com>
    giorio94 authored and jschwinger233 committed Jun 12, 2024
    4a57b23
  6. ci: check-ipsec-leaks.bt can tolerate proxy traffic not found

    [ upstream commit: 230c200 ]
    
    Add an argument to tell check-ipsec-leaks.bt whether to report errors
    if proxy traffic is not found.
    
    Signed-off-by: gray <gray.liang@isovalent.com>
    jschwinger233 committed Jun 12, 2024
    0a53348
  7. conformance-ipsec-e2e: run leak check before/after key rotation

    [ upstream commit: 4e2a66d ]
    
    [ backporter's note: In 1.13 ci-ipsec-e2e disables IPv6, we need to
    suppress "no IPv6 connections" errors in check-ipsec-leaks.bt ]
    
    This is because we saw a racing issue if leak detection covers the whole
    rotation + conn-disrupt-check: cilium connectivity will remove
    conn-disrupt pods at the end of the connectivity test, leaving some lingering
    packets recognized as leaked traffic.
    
    This commit avoids the issue by running leak checks separately for key
    rotation and the after-rotation test.
    
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    Signed-off-by: gray <gray.liang@isovalent.com>
    julianwiedmann authored and jschwinger233 committed Jun 12, 2024
    1d8e7de
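To make the detection rule described in commits 5 to 7 concrete, here is an added illustration written for this page; it is not the project's check-ipsec-leaks.bt nor any other Cilium code. It classifies constructed packet records the way the commit messages describe (ESP is exempt, encapsulated packets are judged by their inner headers, CiliumInternalIP endpoints are skipped, proxy sources are always included) and models the tolerate arguments for missing proxy and IPv6 traffic. The PodCIDRs, CiliumInternalIP addresses and proxy source set are assumptions.

```python
import ipaddress
from dataclasses import dataclass
# Constructed values for illustration only; not the CI's real CIDRs or addresses.
POD_CIDRS = [ipaddress.ip_network("10.244.0.0/16"), ipaddress.ip_network("fd00:10:244::/48")]
CILIUM_INTERNAL_IPS = {ipaddress.ip_address("10.244.0.1"), ipaddress.ip_address("10.244.1.1")}
PROXY_SRC_IPS = {ipaddress.ip_address("10.244.0.250")}  # hypothetical L7/DNS proxy source
ESP, TCP, UDP = 50, 6, 17

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    inner: "Packet | None" = None  # inner headers when tunnel-encapsulated
def in_pod_cidr(addr):
    return any(addr in net for net in POD_CIDRS)

def endpoints(pkt):
    # Addresses to judge: the inner headers when encapsulated, else the outer ones.
    hdr = pkt.inner if pkt.inner is not None else pkt
    return ipaddress.ip_address(hdr.src), ipaddress.ip_address(hdr.dst)

def is_leak(pkt):
    """True for an unencrypted pod-to-pod (or proxy-to-pod) packet seen on the bridge."""
    if pkt.proto == ESP:
        return False  # encrypted: exactly what we want to see
    src, dst = endpoints(pkt)
    if pkt.inner is not None and (src in CILIUM_INTERNAL_IPS or dst in CILIUM_INTERNAL_IPS):
        return False  # tunnelled node-to-pod traffic is unencrypted by design
    if src in PROXY_SRC_IPS:
        return in_pod_cidr(dst)  # proxy source is not a pod IP, so judge by destination only
    return in_pod_cidr(src) and in_pod_cidr(dst)

def check(packets, tolerate_no_proxy=False, tolerate_no_ipv6=False):
    # Errors the check would report; the tolerate flags mirror the arguments the commits add.
    errors = [f"leak: {endpoints(p)[0]} -> {endpoints(p)[1]}" for p in packets if is_leak(p)]
    seen = [endpoints(p)[0] for p in packets]
    if not any(s in PROXY_SRC_IPS for s in seen) and not tolerate_no_proxy:
        errors.append("no proxy traffic observed")  # guards against a vacuous pass
    if not any(s.version == 6 for s in seen) and not tolerate_no_ipv6:
        errors.append("no IPv6 connections observed")  # suppressed on 1.13, where IPv6 is off
    return errors
# Constructed sample capture: ESP, tunnelled node-to-pod, clear-text proxy, clear-text pod-to-pod.
SAMPLE = [
    Packet("172.18.0.2", "172.18.0.3", ESP),
    Packet("172.18.0.2", "172.18.0.3", UDP, inner=Packet("10.244.0.1", "10.244.1.10", TCP)),
    Packet("10.244.0.250", "10.244.1.10", TCP),
    Packet("172.18.0.2", "172.18.0.3", UDP, inner=Packet("10.244.0.10", "10.244.1.10", TCP)),
]
```

Calling `check(SAMPLE)` reports the two clear-text packets as leaks plus the IPv6 sanity error, which is exactly the error the 1.13 backport suppresses.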