Conversation
|
Commit 21605a5 does not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
maintainer-s-little-helper
bot
added
dont-merge/needs-sign-off
github-actions
bot
added
the
cilium-cli
ldelossa
added
release-note/major
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
ldelossa
force-pushed
the
ldelossa/ipsec-vxlan-in-esp
branch
from
6e08fac to
97e66cf
Compare
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-sign-off
ldelossa
force-pushed
the
ldelossa/ipsec-vxlan-in-esp
branch
from
97e66cf to
cf4f1d3
Compare
julianwiedmann
left a comment
julianwiedmann
left a comment
There was a problem hiding this comment.
Some comments in-line :)
ldelossa
force-pushed
the
ldelossa/ipsec-vxlan-in-esp
branch
3 times, most recently
from
4f36d57 to
b075675
Compare
ldelossa
force-pushed
the
ldelossa/ipsec-vxlan-in-esp
branch
6 times, most recently
from
4cad2ea to
7c1c9c8
Compare
ldelossa
force-pushed
the
ldelossa/ipsec-vxlan-in-esp
branch
4 times, most recently
from
8493c56 to
9b19920
Compare
|
I still want to draw attention to the facts that ipsec encryption logic has changes:
Above changes have been discussed multiple times and agreed upon by the team. The main goal is to consolidate the encryption datapath flow between IPsec and Wireguard for better consistency and maintainability. Let's keep in mind these important changes in case we unfortunately hit any issues. |
|
@jschwinger233 thanks for the feedback Gray! ✅ to your comments. |
This commit was originally applied in ca9c056 removed in 152867f and is now being reapplied to support moving IPsec hooks to the egress device. To support upgrades properly we ensure that `bpf_host` is installed first when IPsec is enabled. This ensures the transition to `bpf_lxc` programs which no longer perform IPsec encryption do not result in leaked traffic. The IPsec enabled `bpf_host` programs will be in place prior to the IPsec disabled `bpf_lxc` transition. Signed-off-by: Paul Chaignon <[email protected]>
To fully support Encrypted Overlay and moving IPsec encrypt hooks to the egress device we must ensure the `to-netdev` program exists on native devices. Update the `DaemonConfig.AreDevicesRequired` function to return `true` when IPsec is enabled. This is a more general option which encompasses the `EnableIPSecEncryptedOverlay` flag. Moving forward Encrypted Overlay will be the default and this flag will be removed. Signed-off-by: Louis DeLosSantos <[email protected]>
Detect if traffic has been encrypted before traversing the overlay driver via a mark. This is useful for VinE, where encryption occurs at the ultimate egress device. If a packet was previously encrypted by the pre-VinE bpf_lxc programs, we can detect this and avoid performing double encryption. Likewise, if a packet arrives at the egress device and is unencrypted tunnel traffic, we can encrypt it to ensure the traffic does not leak. Implementation of the previous statement will be done in a subsequent commit. Signed-off-by: Louis DeLosSantos <[email protected]>
Move IPsec encryption hooks to the native egress device. Prior to this commit IPsec hooks would occur at pod egress (or at proxy egress if l7 policy is enforced). This move accomplish two goals: 1. Consolidate the encryption datapath flow between IPsec and Wireguard 2. Encrypt security IDs when tunnel mode is enabled (VinE/Encrypted Overlay) Thus, when this commit lands IPsec hooks will begin to be applied at bpf_host and only after the vlxan driver has encapsulated a packet, if tunnel mode is enabled. To cleanly migrate to the new IPsec datapath the Cilium cluster MUST be patched to the latest v1.17 patch release and then upgraded to v1.18. Signed-off-by: Louis DeLosSantos <[email protected]>
Remove the tests which are no longer valid for IPsec. This includes the group of tests which focused on bpf_lxc and encrypted overlay. IPsec encryption hooks no longer run at bpf_lxc and encrypted overlay is deprecated. Add two new tests: 1. Integration test with bpf_host which ensures the IPsec hooks are called for traffic about to leave the host 2. Unit tests for the IPsec encryption hook and its hairpin functionality. The latter ensures the `ctx` is prepared correctly for the hairpin and a call to ctx_redirect is made to recirculate the packet into the stack for XFRM processing Signed-off-by: Louis DeLosSantos <[email protected]>
Enable the v2 pod-to-pod encryption tests for IPsec and not just wireguard, now that VinE is implemented. Additionally, we can now disable the v1 pod-to-pod encryption tests for all encryption modes, since IPsec no longer requires it to run. Signed-off-by: Louis DeLosSantos <[email protected]>
This commit is added to work around an issue with the cluster mesh testing. This issue is being tracked and worked on saparately to this PR in issue: 38113 See issue for full details. Signed-off-by: gray <[email protected]>
Add documentation outlining the move to VinE in v1.18 forward. Signed-off-by: Louis DeLosSantos <[email protected]>
|
/test |
|
IPsec flake is now cleared with merge of #38843 🎉 |
|
@ldelossa I feel this broke In particular https://github.com/cilium/cilium/actions/runs/14585424143 was a scheduled run with this PR as the top-commit, and all the failed configs have |
|
@julianwiedmann Thanks for the heads up. Created: #39337 Will be debugging this now. |
| * The tunnel_endpoint is used in the IPsec hook under test below to | ||
| * find the associated NodeID for an egress packet | ||
| */ | ||
| ipcache_v4_add_entry(DST_IP, 0, 0xAC, DST_IP, TARGET_SPI); |
There was a problem hiding this comment.
Hm, shouldn't all of this be in a SETUP instead of CHECK?
There was a problem hiding this comment.
Oh, I see the comment above 😬 Yeah... we should debug.
There was a problem hiding this comment.
I often run into strange anomalies when writing BPF unit tests. I tend to follow the path of least resistance once I find something that works.
Can't hurt to debug further tho.
There was a problem hiding this comment.
I think part of the issue is that we keep calling them BPF unit tests when they're actually integration tests. The SETUP, CHECK, PKTGEN things are for integration tests, but you tried to use them to test just one function (so unit test). It took me a bit to understand that's why you had issues with SETUP.
There was a problem hiding this comment.
Oh, I see. Cuz the first example in the BPF testing docs is a unit test which tests one function :-D
There was a problem hiding this comment.
Hm, I see. And the docs don't say when to use which.
8 participants
Implement IPsec VinE
See commits for details.