Member

@pchaigno pchaigno commented Oct 25, 2023

Add --spi and --node-id filters to the cilium-dbg encrypt flush command. This can be useful to clean leftover, stale XFRM configs during development or sometimes as a quick remediation for certain bugs.

@pchaigno pchaigno added area/cli Impacts the command line interface of any command in the repository. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/misc This PR makes changes that have no direct user impact. needs-backport/1.12 labels Oct 25, 2023
@pchaigno pchaigno force-pushed the improve-encrypt-flush-cmd branch 10 times, most recently from 615fff9 to bc38bf7 Compare October 27, 2023 13:51
@pchaigno pchaigno marked this pull request as ready for review October 27, 2023 13:58
@pchaigno pchaigno requested review from a team as code owners October 27, 2023 13:58
@pchaigno pchaigno requested review from brb and asauber October 27, 2023 13:58
Member

@asauber asauber left a comment

Hi @pchaigno. Could you look into your BPF checkpatch failure?

@pchaigno
Member Author

pchaigno commented Nov 2, 2023

> Hi @pchaigno. Could you look into your BPF checkpatch failure?

I did and it's a false positive. Checkpatch also isn't a Required CI test (precisely because it has false positives).

@pchaigno pchaigno requested a review from asauber November 2, 2023 08:46
Member

@brb brb left a comment

Thanks!

@pchaigno pchaigno force-pushed the improve-encrypt-flush-cmd branch from bc38bf7 to 79f973c Compare November 6, 2023 11:26
This function will be used from cilium-dbg so we need to expose it from
a shared package. We already have such a package for IPsec utility
functions in pkg/common/ipsec.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
The cilium-dbg encrypt flush command removes all XFRM states and
policies on the node. That will lead to packet drops until connections
are reestablished. Traffic will also be sent in plain text between pods.

This commit therefore asks for confirmation when running the command, to
ensure nobody performs this action by mistake.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Nov 6, 2023
@pchaigno pchaigno merged commit 550b56e into cilium:main Nov 6, 2023
@pchaigno pchaigno deleted the improve-encrypt-flush-cmd branch November 6, 2023 16:28
@jibi jibi mentioned this pull request Nov 7, 2023
15 tasks
@jibi jibi added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 labels Nov 7, 2023
@jibi jibi mentioned this pull request Nov 7, 2023
7 tasks
@jibi jibi mentioned this pull request Nov 7, 2023
6 tasks
@pchaigno pchaigno added needs-backport/1.14 backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. needs-backport/1.14 labels Nov 7, 2023
@github-actions github-actions bot added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.13 backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Nov 8, 2023
Labels
area/cli Impacts the command line interface of any command in the repository. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.
Status: Released