

WIP: connectivity: Support validation of encryption
Requires Cilium >=1.9.5 || >=1.8.8

Fixes: #50

Signed-off-by: Thomas Graf <[email protected]>
tgraf committed Mar 18, 2021
1 parent f05d883 commit e79a55d
Showing 3 changed files with 33 additions and 2 deletions.
9 changes: 7 additions & 2 deletions .github/workflows/kind.yaml
Expand Up @@ -60,7 +60,7 @@ jobs:
- name: Connectivity Test
run: |
cilium connectivity test
cilium connectivity test --print-flows
- name: Uninstall cilium
run: |
Expand All @@ -74,9 +74,14 @@ jobs:
run: |
cilium status --wait
- name: Relay Port Forward
run: |
kubectl port-forward -n kube-system deployment/hubble-relay 4245:4245&
sleep 5s
- name: Connectivity test
run: |
cilium connectivity test
cilium connectivity test --expect-encryption --print-flows
- name: Cleanup
if: ${{ always() }}
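Review bot: The `sleep 5s` after the backgrounded `kubectl port-forward` in the new "Relay Port Forward" step is a timing guess: if hubble-relay is not yet serving or the forward is slow to establish, the following `cilium connectivity test --expect-encryption --print-flows` runs with no flows available, and an encryption check that sees zero flows has nothing to fail on. Waiting on the relay first, `kubectl wait -n kube-system --for=condition=available deployment/hubble-relay --timeout=120s`, and then polling the local port until it accepts connections would make the gate deterministic. The background port-forward is also never terminated; since the Cleanup step runs with `if: always()`, stopping it there (the job's backgrounded PID or a targeted `pkill` on the port-forward command) keeps the runner tidy. The first "Connectivity Test" step only gains `--print-flows`, presumably because that job installs without encryption; the install steps are outside this hunk, so that is worth confirming.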
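--- a/connectivity/check/check.go
+++ b/connectivity/check/check.go
@@ -259,6 +259,10 @@ type TestContext interface {
 
 	// Report is called to report the outcome of a test
 	Report(r TestResult)
+
+	// ExpectEncryption returns true if all traffic across nodes is
+	// expected to be encrypted
+	ExpectEncryption() bool
 }
 
 // TestRun is the state of an individual test run
@@ -415,6 +419,22 @@ func (t *TestRun) ValidateFlows(ctx context.Context, pod, podIP string, filterPa
 			goodLog = append(goodLog, "✅ "+msg)
 		}
 	}
+
+	if t.context.ExpectEncryption() {
+		encryptedFlows := 0
+		for _, f := range flows.flows {
+			flow := f.GetFlow()
+			if flow.GetIP().Encrypted {
+				encryptedFlows++
+			} else {
+				t.Failure("Unencrypted flow found for pod %s", pod)
+			}
+		}
+
+		if encryptedFlows > 0 {
+			t.context.Log("✅ %d encrypted flows found for pod %s", encryptedFlows, pod)
+		}
+	}
 }
 
 // End is called at the end of a test run to signal completion. It must be
@@ -680,6 +700,7 @@ type Parameters struct {
 	PostTestSleepDuration   time.Duration
 	FlowSettleSleepDuration time.Duration
 	FlowValidation          string
+	ExpectEncryption        bool
 	Writer                  io.Writer
 }
 
@@ -1145,6 +1166,10 @@ func (k *K8sConnectivityCheck) PostTestSleepDuration() time.Duration {
 	return k.params.PostTestSleepDuration
 }
 
+func (k *K8sConnectivityCheck) ExpectEncryption() bool {
+	return k.params.ExpectEncryption
+}
+
 func (k *K8sConnectivityCheck) Report(r TestResult) {
 	if k.results == nil {
 		k.results = TestResults{}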
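Review bot: `flow.GetIP().Encrypted` in the new loop in ValidateFlows dereferences the IP layer without a nil check; a flow without an IP layer (the protobuf getter returns nil for an unset message field) would panic the whole test run, while the generated nil-safe getter reads as `if flow.GetIP().GetEncrypted() {`. The check also passes vacuously when `flows.flows` is empty — nothing is counted and nothing fails — so with encryption expected, zero observed flows should be reported rather than silently accepted, e.g. `} else if encryptedFlows == 0 { t.Failure("no flows observed for pod %s, cannot validate encryption", pod) }`. The interface comment scopes the expectation to "traffic across nodes", but the loop fails on every unencrypted flow, which would include same-node pod traffic if the suite exercises it; if that is intended here, the comment should say so, and the `t.Failure` message should carry the flow's source and destination so a failure is debuggable. The new exported method `ExpectEncryption` on K8sConnectivityCheck also lacks a doc comment, e.g. `// ExpectEncryption reports whether the run was configured to require encrypted flows.`. ValidateFlows starts outside this hunk.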
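--- a/internal/cli/cmd/connectivity.go
+++ b/internal/cli/cmd/connectivity.go
@@ -72,6 +72,7 @@ func newCmdConnectivityCheck() *cobra.Command {
 	cmd.Flags().StringVar(&contextName, "context", "", "Kubernetes configuration context")
 	cmd.Flags().StringSliceVar(&params.Tests, "test", []string{}, "Run a particular set of tests")
 	cmd.Flags().StringVar(&params.FlowValidation, "flow-validation", check.FlowValidationModeWarning, "Enable Hubble flow validation { disabled | warning | strict }")
+	cmd.Flags().BoolVar(&params.ExpectEncryption, "expect-encryption", false, "Expect all traffic to be encrypted and fail if clear text is encountered")
 
 	return cmd
 }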
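Review bot: The help text for the new `--expect-encryption` flag promises that "all traffic" is encrypted, while the `TestContext.ExpectEncryption` comment in check.go scopes the expectation to traffic across nodes; the two should agree, e.g. `"Expect all cross-node traffic to be encrypted and fail if clear text is encountered"`. The commit message states this requires Cilium >=1.9.5 or >=1.8.8 (presumably for the flow's `Encrypted` field to be populated), but nothing in the code checks the installed version, so on an older release every flow would be reported as unencrypted and the test would fail for the wrong reason; either state the requirement in the flag help or gate the check on the detected version. newCmdConnectivityCheck starts outside this hunk.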
