connectivity: Add encryption tests #1241
Going to be used by the DP conformance suite to test WireGuard/IPsec. Signed-off-by: Martynas Pumputis <[email protected]>
This is going to be used for exec'ing from a concurrent goroutine, and then reading std{out,err} from another one. Signed-off-by: Martynas Pumputis <[email protected]>
Nice commit history and comments! ❤️
LGTM, only nits below.
Out of scope, but would be nice to check the same with a service translation on the path.
Yep, it's planned with cilium/cilium#19401.
Going to be used by the upcoming encryption tests. Signed-off-by: Martynas Pumputis <[email protected]>
Signed-off-by: Martynas Pumputis <[email protected]>
The pod-to-pod encryption test checks connectivity between pods, and whether no unencrypted traffic is leaked. All subtle details are in the code comments. Signed-off-by: Martynas Pumputis <[email protected]>
EKS jobs are failing due to the provisioning issues. Previously, all tests passed. Applied only minor changes. Marking as ready to merge.
@tklauser from @cilium/cli will do a review before merging.
Thanks for the clean commit history and for adding explanatory comments in the test ❤️
@@ -623,3 +623,8 @@ func (ct *ConnectivityTest) K8sClient() *k8s.Client { | |||
func (ct *ConnectivityTest) NodesWithoutCilium() []string { | |||
return ct.nodesWithoutCilium | |||
} | |||
|
|||
func (ct *ConnectivityTest) Feature(f Feature) (FeatureStatus, bool) { | |||
s, ok := ct.features[f] |
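Review bot: the new exported method Feature has no doc comment, and the two-value map lookup `s, ok := ct.features[f]` on the last line is what makes the (FeatureStatus, bool) signature work; a one-line comment stating that the bool reports whether ct.features has an entry for f at all, as distinct from the status value s, would save the next reader from guessing.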
`return ct.feature[f]` works too.
Unfortunately, this won't work:
# github.com/cilium/cilium-cli/connectivity/check
connectivity/check/context.go:628:9: not enough return values
have (FeatureStatus)
want (FeatureStatus, bool)
Also see golang/go#6230.
iface = "cilium_" + tunnelFeat.Mode // E.g. cilium_vxlan | ||
} else { | ||
cmd := []string{"/bin/sh", "-c", | ||
fmt.Sprintf("ip -o r g %s from %s | grep -oP '(?<=dev )[^ ]+'", |
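Review bot: the last line interpolates two addresses into a `/bin/sh -c` string with fmt.Sprintf; unless both values are validated as IP addresses before they reach this point, any shell metacharacter in them is executed inside the pod. Running `ip` directly with an argv slice and matching `dev <name>` in Go would remove the shell from the path entirely, and would also drop the dependency on `grep -P`, which BusyBox grep does not implement.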
going via `ip -json` may sometimes be a nicer way to do this, but I'm fine with this as long as it doesn't get any more complex.
Yep, but unfortunately this brings the runtime dependency for jq.
// might terminate the tcpdump process before it gets a chance to dump | ||
// its captures. | ||
cmd := []string{ | ||
"tcpdump", "-i", iface, "--immediate-mode", "-w", "/tmp/foo.pcap", |
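Review bot: the capture goes to the fixed path /tmp/foo.pcap on the last line, so two overlapping runs of this test in the same pod would overwrite each other's file; a per-run name that identifies the cilium-cli encryption test would avoid that. The comment above explains that the process may be killed before it dumps its captures, but not that `--immediate-mode` is the flag that makes tcpdump hand packets over as they arrive instead of buffering them; worth one extra line.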
Would be better to generate a unique(ish) filename for this and mention that this is part of the cilium-cli encryption test. "cilium-test-encryption-XXX.pcap" where XXX is unix time?
// Redirect stderr to /dev/null, as tcpdump logs to stderr, and ExecInPod | ||
// will return an error if any char is written to stderr. Anyway, the count | ||
// is written to stdout. | ||
cmd := []string{"/bin/sh", "-c", "tcpdump -r /tmp/foo.pcap --count 2>/dev/null"} |
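Review bot: `2>/dev/null` on the last line also throws away tcpdump's own error output, so a missing or truncated /tmp/foo.pcap yields an empty stdout and a non-zero exit status with no message to explain it; redirecting stderr to a file instead, or checking the exit status explicitly and failing the test on non-zero, keeps the diagnostics without tripping the ExecInPod stderr check described in the comment.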
add `&& rm -f /tmp/foo.pcap` to not leave the file around.
Hm, don't we want to keep it around so that the workflows can collect it as part of the artifacts? It might be useful to debug failures.
The encryption test details - cilium/cilium-cli#1241. Signed-off-by: Martynas Pumputis <[email protected]>
[ upstream commit 843c072 ] The encryption test details - cilium/cilium-cli#1241. Signed-off-by: Martynas Pumputis <[email protected]> Signed-off-by: Joe Stringer <[email protected]>
When running in ENI mode, the outgoing interface of pod originating traffic is different from the one that would be used by host originating traffic towards the same destination. This breaks the current pod-to-pod encryption validation, as the source interface for the tcpdump filter is determined based on the routes towards the given destination only. Let's update the source interface determination to additionally consider the source address. This approach had been initially suggested by Paul Chaignon in cilium#1241, but then reverted in [1] because `ip route get` returns an error in case the `from` address is not assigned to any local interface. We can work around this by specifying an input interface: let's use lo as it should be always present. [1]: 2fc0835 ("connectivity: Fix iface derivation in encrypt tests") Signed-off-by: Marco Iorio <[email protected]>
Please see commit msgs.
Example run - https://github.com/cilium/cilium/actions/runs/3573711857/jobs/6008107171.
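As an added example (not code from this PR or from cilium-cli), the Go snippet below implements the source-interface derivation that the ENI-mode commit message describes: it runs `ip -o route get <dst> from <src> iif lo` as a plain argv rather than through `/bin/sh -c`, validates both addresses first, and extracts the `dev` field in Go instead of piping through `grep -oP`. The function names and the sample output line are assumptions of mine.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// devRe picks the "dev <iface>" field out of `ip -o route get` output. It
// replaces the shell pipeline `grep -oP '(?<=dev )[^ ]+'` used in the PR, so
// neither /bin/sh nor GNU grep is needed in the pod.
var devRe = regexp.MustCompile(`\bdev (\S+)`)

// routeGetArgs builds the argv for `ip -o route get <dst> from <src> iif lo`.
// Both addresses are checked with net.ParseIP and argv is meant to go straight
// to exec, so no shell ever interprets them. "iif lo" is the ENI-mode workaround
// from the commit message for a `from` address that is not assigned locally.
func routeGetArgs(dst, src string) ([]string, error) {
	if net.ParseIP(dst) == nil {
		return nil, fmt.Errorf("destination %q is not an IP address", dst)
	}
	args := []string{"ip", "-o", "route", "get", dst}
	if src != "" {
		if net.ParseIP(src) == nil {
			return nil, fmt.Errorf("source %q is not an IP address", src)
		}
		args = append(args, "from", src, "iif", "lo")
	}
	return args, nil
}

// ifaceFromRouteGet returns the outgoing interface named in the output, or an
// error that carries the raw output (e.g. an RTNETLINK message) for diagnosis.
func ifaceFromRouteGet(out string) (string, error) {
	m := devRe.FindStringSubmatch(out)
	if m == nil {
		return "", errors.New("no dev field in ip route get output: " + strings.TrimSpace(out))
	}
	return m[1], nil
}

func main() {
	// Constructed sample line, not output captured from a real node.
	sample := "10.0.1.5 from 10.0.0.7 via 10.0.0.1 dev eth1 table main src 10.0.0.7 uid 0 \\    cache iif lo\n"
	args, _ := routeGetArgs("10.0.1.5", "10.0.0.7")
	iface, err := ifaceFromRouteGet(sample)
	fmt.Println(strings.Join(args, " "), "->", iface, err)
}
```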