USHIFT-6801: C2CC: IPSec test

[pmtk]

Summary by CodeRabbit

• New Features

  • Added IPsec-enabled container images with Libreswan, tcpdump, and preconfigured firewall rules.

• Tests

  • New end-to-end C2CC IPsec test suite and supporting Robot Framework resources with IPsec helpers, traffic/XFRM checks, and tcpdump verification.
  • New VM-based scenario scripts to provision multi-cluster full‑mesh IPsec test environments.

• Documentation

  • New how‑to guide for configuring C2CC IPsec.

• Refactor

  • Connectivity and DNS helpers moved into shared test resources for reuse.

[openshift-ci-robot]

@pmtk: This pull request references USHIFT-6801 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7da9b38f-f627-4a53-942d-64985c6b0fd7

📥 Commits

Reviewing files that changed from the base of the PR and between 02271a3 and 62981ef.

📒 Files selected for processing (1)

• docs/user/howto_c2cc_ipsec.md

✅ Files skipped from review due to trivial changes (1)

• docs/user/howto_c2cc_ipsec.md

---

Walkthrough

Adds RHEL9/10 Libreswan-enabled boot images, extracts connectivity/DNS keywords to a shared c2cc resource, adds an ipsec Robot resource with tunnel/XFRM/tcpdump/enforcement helpers, introduces a c2cc-ipsec Robot test suite, and adds EL9/EL10 scenario scripts to provision a three-host Libreswan full-mesh and run the tests.

Changes

C2CC IPsec E2E

Layer / File(s)	Summary
Container image bases with IPsec support test/image-blueprints-bootc/el{9,10}/layer2-presubmit/group2/rhel*-bootc-source-ipsec.containerfile	Add RHEL 9 and 10 bootc Containerfiles based on source images; install Libreswan and tcpdump; configure offline firewall to allow IPsec (IKE/ESP).
Documentation: howto for C2CC IPsec docs/user/howto_c2cc_ipsec.md	New user guide describing PSK generation, Libreswan per-host secrets and tunnel configs, verification (ipsec trafficstatus, ip xfrm state, tcpdump), and operational notes.
IPsec Robot resource test/resources/ipsec.resource	New Robot resource providing SA timing variables, tunnel verification/start/stop/restart helpers, XFRM byte-counter collection and assertions, tcpdump capture/verification, SA flush/check, nftables enforcement install/remove, and curl-failure assertions.
Shared C2CC resource test/resources/c2cc.resource	Add suite-level &{NAMESPACES} and &{DOMAIN_MAP} plus helper keywords to fetch pod/service/curl-pod IPs, perform curls, check source-IP preservation, and resolve/curl DNS with retries.
IPsec Robot test suite test/suites/c2cc-ipsec/ipsec.robot	New Robot suite with tests for SA counts, ESP encapsulation (tcpdump + XFRM counters), cross-cluster connectivity and source-IP preservation, plaintext rejection via nftables enforcement, near-MTU payloads, DNS-over-IPsec reachability, and tunnel recovery flows; includes setup/teardown helpers.
Scenario provisioning for three-host C2CC+IPsec mesh (EL10) test/scenarios-bootc/el10/presubmits/el102-src@c2cc-ipsec.sh	EL10 scenario to provision three VMs, configure MicroShift C2CC and firewall trusts, generate PSK and per-peer Libreswan tunnel configs (leftsubnets/rightsubnets), validate tunnels, manage VM lifecycle, and run the ipsec suite with kubeconfigs and CIDR/domain parameters.
Scenario provisioning for three-host C2CC+IPsec mesh (EL9) test/scenarios-bootc/el9/presubmits/el98-src@c2cc-ipsec.sh	EL9 scenario with equivalent wiring: write /etc/microshift/config.d/50-c2cc.yaml, open trusted sources, generate PSK and /etc/ipsec.d/* configs, run ipsec checknss, validate ESP counts, prepare kickstarts, and run the ipsec suite.
Connectivity/DNS suites cleanup test/suites/c2cc/connectivity.robot, test/suites/c2cc/dns.robot	Remove suite-local &{NAMESPACES}/&{DOMAIN_MAP} and duplicate connectivity/DNS keywords so suites use the shared test/resources/c2cc.resource.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested labels

ready-for-human-review

Suggested reviewers

• pacevedom
• vanhalenar

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 11.11% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly references the primary change: adding IPsec test infrastructure for C2CC (cluster-to-cluster) scenarios. It directly maps to the substantial additions of test resources, scenarios, and suite files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains Robot Framework and Bash scenario tests, not Ginkgo tests. Check is inapplicable to this PR since it specifically targets Go/Ginkgo test names.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo tests. All test code uses Robot Framework (.robot/.resource files) and Bash scripts (.sh), not Ginkgo (Go). Check is not applicable.
Microshift Test Compatibility	✅ Passed	PR adds Robot Framework tests and Bash scripts, not Ginkgo e2e tests. Custom check only applies to Ginkgo tests with It()/Describe() patterns; none found in PR.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR is for MicroShift, which uses Robot Framework and Bash scripts for testing, not Ginkgo e2e tests. The check applies only to Ginkgo tests in OpenShift, making it not applicable here.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds test files, test scenarios, and documentation only—no deployment manifests, operator code, or controllers that could introduce scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR contains only Robot Framework tests, bash scripts, Containerfiles, and documentation—no Go OTE binaries or Ginkgo test code. OTE stdout contract check not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds Robot Framework tests, not Ginkgo e2e tests. The check specifically applies to Ginkgo tests (It(), Describe(), Context(), etc.), not Robot Framework tests.
No-Weak-Crypto	✅ Passed	No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) detected. PR uses strong algorithms: AES-256, SHA-256, and securely generated PSKs via openssl rand.
Container-Privileges	✅ Passed	PR contains test/CI files with no Kubernetes manifests or privileged container configs; 2 Containerfiles contain only basic RUN instructions without privilege escalations.
No-Sensitive-Data-In-Logs	✅ Passed	PSK output redirected to /dev/null, no debug flags, no secret logging. All logged output is safe: HTTP responses and system commands.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pmtk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [pmtk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

test/scenarios-bootc/el10/presubmits/el102-src@c2cc-ipsec.sh (1)

157-159: ⚡ Quick win

PSK exposure risk is via caller tracing, not run_command_on_vm
test/bin/scenario.sh’s run_command_on_vm just forwards the provided command to ssh ... "${command}" and does not echo/log the command itself. The PSK embedded in secrets_content could still end up in CI logs if the caller runs with set -x/bash tracing around the run_command_on_vm "${host}" "... ${secrets_content} ..." call.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/scenarios-bootc/el10/presubmits/el102-src`@c2cc-ipsec.sh around lines
157 - 159, The current call embeds the PSK in the SSH command string
(secrets_content) which can leak via caller shell tracing; instead send the
secret via SSH stdin or a secure transfer so it never appears in the command
line. Update the call that uses run_command_on_vm and secrets_content to stream
the secret to the remote file (e.g., use ssh remote 'cat >
/etc/ipsec.d/c2cc.secrets' and pipe secrets_content into stdin or use an
scp/sftp/temporary file upload), then run run_command_on_vm to set secure perms
with sudo chmod 600 /etc/ipsec.d/c2cc.secrets; ensure run_command_on_vm remains
unchanged or extend it to accept stdin payloads so the secret is never
interpolated into the command string.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/resources/ipsec.resource`:
- Around line 125-132: Update the test documentation for "Curl From Host Should
Fail" to accurately describe the setup as IPsec tunnel mode (not Geneve); change
the explanatory lines that currently state "bypasses the Geneve tunnel" and "not
protected by transport-mode IPsec on port 6081" to explain that the scenario
uses type=tunnel (no Geneve between hosts) and that host-originated traffic is
not matched by selectors scoped to local pod/service CIDRs, so host-sourced
traffic to ${pod_ip}:${port} should still fail; keep the test invocation using
Disruptive Command On Cluster and the assertion Should Not Contain ${stdout}
Hello from unchanged.
- Around line 51-56: The keyword "Get XFRM Byte Counters" currently sums the
second awk field (packets) because lines like "84(bytes), 2(packets)" make $2
the packet count; update the Command On Cluster invocation that runs `ip -s xfrm
state | awk ...` to extract and sum the numeric value that precedes "(bytes)"
instead of using $2 — e.g. change the awk program to use a regex match like
/([0-9]+)\(bytes\)/ and add m[1] to sum (or otherwise strip non-digits from the
bytes token) so the returned value is the actual byte total rather than packets.
- Around line 67-76: The keyword Start Tcpdump For ESP On Cluster currently
hardcodes ${iface}=enp1s0 causing captures to miss ESP when the VM's uplink
differs; update the keyword to accept ${iface} from the suite/vars (no hard
default) or implement auto-detection (e.g., determine the primary uplink
interface inside the keyword) and use that value for tcpdump -i; update
references to ${iface}, ${alias}, and ${pcap_file} in the keyword (and callers)
so the test suite can pass a configured interface or rely on the detected uplink
interface.

In `@test/suites/c2cc-ipsec/ipsec.robot`:
- Around line 3-4: The suite docstring incorrectly describes a "Libreswan
transport-mode IPsec mesh (Geneve UDP/6081)" while the implementation
(configure_ipsec_host using type=tunnel and subnet selectors, and its comment
noting no Geneve tunnel) configures tunnel-mode; update the suite
description/docstring to state that this validates a Libreswan tunnel-mode IPsec
mesh (no Geneve) so the docs match the implementation and references to
Geneve/transport-mode are removed or corrected; ensure mentions of
transport-mode or Geneve UDP/6081 are replaced with "tunnel-mode IPsec (subnet
selectors, no Geneve)" and/or other accurate wording near the top-level suite
description.

---

Nitpick comments:
In `@test/scenarios-bootc/el10/presubmits/el102-src`@c2cc-ipsec.sh:
- Around line 157-159: The current call embeds the PSK in the SSH command string
(secrets_content) which can leak via caller shell tracing; instead send the
secret via SSH stdin or a secure transfer so it never appears in the command
line. Update the call that uses run_command_on_vm and secrets_content to stream
the secret to the remote file (e.g., use ssh remote 'cat >
/etc/ipsec.d/c2cc.secrets' and pipe secrets_content into stdin or use an
scp/sftp/temporary file upload), then run run_command_on_vm to set secure perms
with sudo chmod 600 /etc/ipsec.d/c2cc.secrets; ensure run_command_on_vm remains
unchanged or extend it to accept stdin payloads so the secret is never
interpolated into the command string.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 23b820f6-db19-498c-831f-2b7fd9a65af6

📥 Commits

Reviewing files that changed from the base of the PR and between 5280d21 and f61dd5e.

📒 Files selected for processing (9)

• test/image-blueprints-bootc/el10/layer2-presubmit/group2/rhel102-bootc-source-ipsec.containerfile
• test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-ipsec.containerfile
• test/resources/c2cc.resource
• test/resources/ipsec.resource
• test/scenarios-bootc/el10/presubmits/el102-src@c2cc-ipsec.sh
• test/scenarios-bootc/el9/presubmits/el98-src@c2cc-ipsec.sh
• test/suites/c2cc-ipsec/ipsec.robot
• test/suites/c2cc/connectivity.robot
• test/suites/c2cc/dns.robot

💤 Files with no reviewable changes (2)

• test/suites/c2cc/dns.robot
• test/suites/c2cc/connectivity.robot

[pmtk]

Re: CodeRabbit nitpick — PSK exposure via shell tracing in configure_ipsec_host

Won't fix — PSK is ephemeral (openssl rand -hex 32 per test run), VMs are disposable CI infrastructure, and run_command_on_vm does not echo commands. Only explicit set -x around the call would leak it.

[pmtk]

/test ?

[pmtk]

/test e2e-aws-tests-bootc-arm-el9 e2e-aws-tests-bootc-el10

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/scenarios-bootc/el9/presubmits/el98-src`@c2cc-ipsec.sh:
- Around line 85-87: The command substitutions for host1_ip, host2_ip, and
host3_ip using get_vm_property can hide failures when used directly in local
assignments; change each to first declare the readonly variable (e.g., local -r
host1_ip; or local host1_ip and then mark readonly) and then assign with a
separate command and immediate status check such as host1_ip=$(get_vm_property
host1 ip) || { echo "failed to get host1 ip" >&2; return 1; }, repeating for
host2_ip and host3_ip (use the same pattern for get_vm_property host2 ip and
get_vm_property host3 ip) so any failure causes the script to fail fast.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a5848435-5b6e-4fa1-9eaa-865629a703e7

📥 Commits

Reviewing files that changed from the base of the PR and between f61dd5e and aa63ee2.

📒 Files selected for processing (9)

• test/image-blueprints-bootc/el10/layer2-presubmit/group2/rhel102-bootc-source-ipsec.containerfile
• test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-ipsec.containerfile
• test/resources/c2cc.resource
• test/resources/ipsec.resource
• test/scenarios-bootc/el10/presubmits/el102-src@c2cc-ipsec.sh
• test/scenarios-bootc/el9/presubmits/el98-src@c2cc-ipsec.sh
• test/suites/c2cc-ipsec/ipsec.robot
• test/suites/c2cc/connectivity.robot
• test/suites/c2cc/dns.robot

💤 Files with no reviewable changes (2)

• test/suites/c2cc/connectivity.robot
• test/suites/c2cc/dns.robot

🚧 Files skipped from review as they are similar to previous changes (6)

• test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-ipsec.containerfile
• test/image-blueprints-bootc/el10/layer2-presubmit/group2/rhel102-bootc-source-ipsec.containerfile
• test/resources/ipsec.resource
• test/resources/c2cc.resource
• test/scenarios-bootc/el10/presubmits/el102-src@c2cc-ipsec.sh
• test/suites/c2cc-ipsec/ipsec.robot

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/user/howto_c2cc_ipsec.md`:
- Around line 55-57: Add a fenced code language tag (e.g., conf) to each
unlabeled code block to satisfy MD040: update the block containing "192.168.1.10
192.168.1.20 : PSK \"<your-hex-key>\"" to start with ```conf, and likewise label
the blocks beginning with "conn c2cc-to-host-b" and "conn c2cc-to-host-a" by
changing their opening ``` to ```conf so all three blocks are language-tagged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6ac57367-453f-4e74-aafc-e5db41019318

📥 Commits

Reviewing files that changed from the base of the PR and between 9e1caad and 02271a3.

📒 Files selected for processing (1)

• docs/user/howto_c2cc_ipsec.md

[pmtk]

/test e2e-aws-tests-bootc-arm-el10

[openshift-ci]

@pmtk: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.