Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

connectivity: Add encryption tests #1241

Merged
merged 5 commits into from
Dec 12, 2022
Merged

connectivity: Add encryption tests #1241

merged 5 commits into from
Dec 12, 2022

Conversation

brb
Copy link
Member

@brb brb commented Nov 29, 2022

Going to be used by the DP conformance suite to test WireGuard/IPsec.

Signed-off-by: Martynas Pumputis <[email protected]>
@brb brb temporarily deployed to ci November 29, 2022 11:31 Inactive
This is going to be used for exec'ing from a concurrent goroutine, and
then reading std{out,err} from another one.

Signed-off-by: Martynas Pumputis <[email protected]>
@brb brb force-pushed the pr/brb/ci-dp-encrypt branch from f41f715 to f6edf73 Compare November 29, 2022 13:37
@brb brb temporarily deployed to ci November 29, 2022 13:37 Inactive
@brb brb added the area/CI Continuous Integration testing issue or flake label Nov 29, 2022
@brb brb requested a review from pchaigno November 29, 2022 13:38
@brb brb marked this pull request as ready for review November 29, 2022 13:39
@brb brb requested review from a team as code owners November 29, 2022 13:39
@brb brb requested review from tommyp1ckles and joamaki November 29, 2022 13:39
@brb brb force-pushed the pr/brb/ci-dp-encrypt branch from f6edf73 to 967e017 Compare November 29, 2022 13:44
@brb brb temporarily deployed to ci November 29, 2022 13:44 Inactive
Copy link
Member

@pchaigno pchaigno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice commit history and comments! ❤️

LGTM, only nits below.

Out of scope, but would be nice to check the same with a service translation on the path.

connectivity/tests/encryption.go Show resolved Hide resolved
connectivity/tests/encryption.go Outdated Show resolved Hide resolved
connectivity/tests/encryption.go Outdated Show resolved Hide resolved
connectivity/tests/encryption.go Outdated Show resolved Hide resolved
connectivity/tests/encryption.go Show resolved Hide resolved
connectivity/tests/encryption.go Show resolved Hide resolved
@brb brb force-pushed the pr/brb/ci-dp-encrypt branch from 967e017 to 80b0cff Compare December 5, 2022 15:26
@brb brb temporarily deployed to ci December 5, 2022 15:26 Inactive
@brb
Copy link
Member Author

brb commented Dec 5, 2022

Out of scope, but would be nice to check the same with a service translation on the path.

Yep, it's planned with cilium/cilium#19401.

connectivity/check/features.go Outdated Show resolved Hide resolved
connectivity/tests/encryption.go Outdated Show resolved Hide resolved
brb added 3 commits December 6, 2022 14:51
Going to be used by the upcoming encryption tests.

Signed-off-by: Martynas Pumputis <[email protected]>
Signed-off-by: Martynas Pumputis <[email protected]>
The pod-to-pod encryption test checks connectivity between pods, and
whether no unencrypted traffic is leaked.

All subtle details are in the code comments.

Signed-off-by: Martynas Pumputis <[email protected]>
@brb brb force-pushed the pr/brb/ci-dp-encrypt branch from 80b0cff to be0cf10 Compare December 6, 2022 13:54
@brb brb temporarily deployed to ci December 6, 2022 13:54 Inactive
@brb
Copy link
Member Author

brb commented Dec 6, 2022

EKS jobs are failing due to the provisioning issues. Previously, all tests passed. Applied only minor changes. Marking as ready to merge.

@brb brb added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. ci/hyperjump and removed ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Dec 6, 2022
@brb
Copy link
Member Author

brb commented Dec 7, 2022

@tklauser from @cilium/cli will do a review before merging.

@tklauser tklauser self-requested a review December 7, 2022 15:37
Copy link
Member

@tklauser tklauser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clean commit history and for adding explanatory comments in the test ❤️

connectivity/tests/encryption.go Show resolved Hide resolved
connectivity/tests/encryption.go Show resolved Hide resolved
@brb brb requested a review from tklauser December 8, 2022 05:57
@@ -623,3 +623,8 @@ func (ct *ConnectivityTest) K8sClient() *k8s.Client {
func (ct *ConnectivityTest) NodesWithoutCilium() []string {
return ct.nodesWithoutCilium
}

func (ct *ConnectivityTest) Feature(f Feature) (FeatureStatus, bool) {
s, ok := ct.features[f]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

return ct.feature[f] works too.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, this won't work:

# github.com/cilium/cilium-cli/connectivity/check
connectivity/check/context.go:628:9: not enough return values
	have (FeatureStatus)
	want (FeatureStatus, bool)

Also see golang/go#6230.

iface = "cilium_" + tunnelFeat.Mode // E.g. cilium_vxlan
} else {
cmd := []string{"/bin/sh", "-c",
fmt.Sprintf("ip -o r g %s from %s | grep -oP '(?<=dev )[^ ]+'",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

going via ip -json may sometimes by nicer way to do this, but I'm fine with this as long as it doesn't get any more complex.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, but unfortunately this brings the runtime dependency for jq.

// might terminate the tcpdump process before it gets a chance to dump
// its captures.
cmd := []string{
"tcpdump", "-i", iface, "--immediate-mode", "-w", "/tmp/foo.pcap",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be better to generate a unique(ish) filename for this and mention that this is part of the cilium-cli encryption test. "cilium-test-encryption-XXX.pcap" where XXX is unix time?

// Redirect stderr to /dev/null, as tcpdump logs to stderr, and ExecInPod
// will return an error if any char is written to stderr. Anyway, the count
// is written to stdout.
cmd := []string{"/bin/sh", "-c", "tcpdump -r /tmp/foo.pcap --count 2>/dev/null"}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add && rm -f /tmp/foo.pcap to not leave the file around.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, don't we want to keep it around so that the workflows can collect it as part of the artifacts? It might be useful to debug failures.

@brb brb added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Dec 10, 2022
@tklauser tklauser merged commit 998ef8a into master Dec 12, 2022
@tklauser tklauser deleted the pr/brb/ci-dp-encrypt branch December 12, 2022 09:59
brb added a commit to cilium/cilium that referenced this pull request Dec 12, 2022
The encryption test details -
cilium/cilium-cli#1241.

Signed-off-by: Martynas Pumputis <[email protected]>
brb added a commit to cilium/cilium that referenced this pull request Dec 14, 2022
The encryption test details -
cilium/cilium-cli#1241.

Signed-off-by: Martynas Pumputis <[email protected]>
pchaigno pushed a commit to cilium/cilium that referenced this pull request Dec 14, 2022
The encryption test details -
cilium/cilium-cli#1241.

Signed-off-by: Martynas Pumputis <[email protected]>
brb added a commit to cilium/cilium that referenced this pull request Dec 20, 2022
The encryption test details -
cilium/cilium-cli#1241.

Signed-off-by: Martynas Pumputis <[email protected]>
joestringer pushed a commit to joestringer/cilium that referenced this pull request Dec 21, 2022
[ upstream commit 843c072 ]

The encryption test details -
cilium/cilium-cli#1241.

Signed-off-by: Martynas Pumputis <[email protected]>
Signed-off-by: Joe Stringer <[email protected]>
joestringer pushed a commit to cilium/cilium that referenced this pull request Dec 22, 2022
[ upstream commit 843c072 ]

The encryption test details -
cilium/cilium-cli#1241.

Signed-off-by: Martynas Pumputis <[email protected]>
Signed-off-by: Joe Stringer <[email protected]>
giorio94 added a commit to giorio94/cilium-cli that referenced this pull request Oct 13, 2023
When running in ENI mode, the outgoing interface of pod originating traffic
is different from the one that would be used by host originating traffic
towards the same destination. This breaks the current pod-to-pod
encryption validation, as the source interface for the tcpdump filter is
determined based on the routes towards the given destination only.

Let's update the source interface determination to additionally consider
the source address. This approach had been initially suggested by Paul
Chaignon in cilium#1241, but then reverted in [1] because `ip route get` returns
and error in case the `from` address is not assigned to any local interface.
We can work around this by specifying an input interface: let's use lo
as it should be always present.

[1]: 2fc0835 ("connectivity: Fix iface derivation in encrypt tests")

Signed-off-by: Marco Iorio <[email protected]>
giorio94 added a commit to giorio94/cilium-cli that referenced this pull request Oct 16, 2023
When running in ENI mode, the outgoing interface of pod originating traffic
is different from the one that would be used by host originating traffic
towards the same destination. This breaks the current pod-to-pod
encryption validation, as the source interface for the tcpdump filter is
determined based on the routes towards the given destination only.

Let's update the source interface determination to additionally consider
the source address. This approach had been initially suggested by Paul
Chaignon in cilium#1241, but then reverted in [1] because `ip route get` returns
and error in case the `from` address is not assigned to any local interface.
We can work around this by specifying an input interface: let's use lo
as it should be always present.

[1]: 2fc0835 ("connectivity: Fix iface derivation in encrypt tests")

Signed-off-by: Marco Iorio <[email protected]>
giorio94 added a commit to giorio94/cilium-cli that referenced this pull request Oct 17, 2023
When running in ENI mode, the outgoing interface of pod originating traffic
is different from the one that would be used by host originating traffic
towards the same destination. This breaks the current pod-to-pod
encryption validation, as the source interface for the tcpdump filter is
determined based on the routes towards the given destination only.

Let's update the source interface determination to additionally consider
the source address. This approach had been initially suggested by Paul
Chaignon in cilium#1241, but then reverted in [1] because `ip route get` returns
and error in case the `from` address is not assigned to any local interface.
We can work around this by specifying an input interface: let's use lo
as it should be always present.

[1]: 2fc0835 ("connectivity: Fix iface derivation in encrypt tests")

Signed-off-by: Marco Iorio <[email protected]>
giorio94 added a commit to giorio94/cilium-cli that referenced this pull request Oct 18, 2023
When running in ENI mode, the outgoing interface of pod originating traffic
is different from the one that would be used by host originating traffic
towards the same destination. This breaks the current pod-to-pod
encryption validation, as the source interface for the tcpdump filter is
determined based on the routes towards the given destination only.

Let's update the source interface determination to additionally consider
the source address. This approach had been initially suggested by Paul
Chaignon in cilium#1241, but then reverted in [1] because `ip route get` returns
and error in case the `from` address is not assigned to any local interface.
We can work around this by specifying an input interface: let's use lo
as it should be always present.

[1]: 2fc0835 ("connectivity: Fix iface derivation in encrypt tests")

Signed-off-by: Marco Iorio <[email protected]>
brb pushed a commit that referenced this pull request Oct 19, 2023
When running in ENI mode, the outgoing interface of pod originating traffic
is different from the one that would be used by host originating traffic
towards the same destination. This breaks the current pod-to-pod
encryption validation, as the source interface for the tcpdump filter is
determined based on the routes towards the given destination only.

Let's update the source interface determination to additionally consider
the source address. This approach had been initially suggested by Paul
Chaignon in #1241, but then reverted in [1] because `ip route get` returns
and error in case the `from` address is not assigned to any local interface.
We can work around this by specifying an input interface: let's use lo
as it should be always present.

[1]: 2fc0835 ("connectivity: Fix iface derivation in encrypt tests")

Signed-off-by: Marco Iorio <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/CI Continuous Integration testing issue or flake ci/hyperjump ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants