From 458ac037915268da7840c867ba129f3ec677d020 Mon Sep 17 00:00:00 2001 From: gray Date: Thu, 15 Aug 2024 17:34:46 +0800 Subject: [PATCH] connectivity: Run echo-ingress-l7-via-hostport-with-encryption for IPsec Since https://github.com/cilium/cilium/issues/32897 has been fixed, it's time to cover it. Signed-off-by: gray --- connectivity/builder/echo_ingress_l7.go | 32 +++++++++++++++++-------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/connectivity/builder/echo_ingress_l7.go b/connectivity/builder/echo_ingress_l7.go index 0018670039..0654ea0f4c 100644 --- a/connectivity/builder/echo_ingress_l7.go +++ b/connectivity/builder/echo_ingress_l7.go @@ -48,16 +48,28 @@ func (t echoIngressL7) build(ct *check.ConnectivityTest, _ map[string]string) { WithCondition(func() bool { return versioncheck.MustCompile(">=1.16.0")(ct.CiliumVersion) }). - WithFeatureRequirements( - features.RequireEnabled(features.L7Proxy), - // Once https://github.com/cilium/cilium/issues/33168 is fixed, we - // can enable for IPsec too. - features.RequireMode(features.EncryptionPod, "wireguard"), - // Otherwise pod->hostport traffic will be policy - // denied on the ingress of dest node when - // routing=vxlan + kpr=1 + bpf_masq=1 - features.RequireEnabled(features.EncryptionNode), - ). + WithCondition(func() bool { + if ok, _ := ct.Features.MatchRequirements(features.RequireEnabled(features.L7Proxy)); !ok { + return false + } + // wireguard requires node encryption, otherwise + // pod->hostport traffic will be policy denied on the + // ingress of dest node when routing=tunnel + kpr=1 + + // bpf_masq=1 + if ok, _ := ct.Features.MatchRequirements(features.RequireMode(features.EncryptionPod, "wireguard")); ok { + ok, _ = ct.Features.MatchRequirements(features.RequireEnabled(features.EncryptionNode)) + return ok + } + // ipsec can't do node encryption, so just skip the test when routing=tunnel + kpr=1 + if ok, _ := ct.Features.MatchRequirements(features.RequireMode(features.EncryptionPod, "ipsec")); ok { + ok, _ = ct.Features.MatchRequirements( + features.RequireEnabled(features.Tunnel), + features.RequireEnabled(features.KPRMode), + ) + return !ok + } + return false + }). WithCiliumPolicy(echoIngressL7HTTPPolicyYAML). // L7 allow policy with HTTP introspection WithScenarios(tests.PodToHostPort()). WithExpectations(expectation)