jschwinger233
Member

@jschwinger233 jschwinger233 commented Oct 4, 2024

Add strict-mode-encryption in connectivity test for ci-e2e-upgrade.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 4, 2024
@github-actions github-actions bot added cilium-cli This PR contains changes related with cilium-cli cilium-cli-exclusive This PR only impacts cilium-cli binary labels Oct 4, 2024
@jschwinger233 jschwinger233 force-pushed the pr/gray/strict-mode-ci branch 3 times, most recently from fa92920 to 067d687 Compare October 7, 2024 10:47
@jschwinger233
Member Author

/ci-e2e-upgrade

@jschwinger233 jschwinger233 force-pushed the pr/gray/strict-mode-ci branch from 067d687 to 9c5fdbf Compare October 7, 2024 11:06
@jschwinger233
Member Author

/ci-e2e-upgrade

@jschwinger233 jschwinger233 force-pushed the pr/gray/strict-mode-ci branch from 9c5fdbf to 4a16751 Compare October 7, 2024 17:06
@jschwinger233
Member Author

/ci-e2e-upgrade

@jschwinger233 jschwinger233 force-pushed the pr/gray/strict-mode-ci branch from 4a16751 to f6ba790 Compare October 8, 2024 03:24
@jschwinger233
Member Author

/ci-e2e-upgrade

@jschwinger233 jschwinger233 force-pushed the pr/gray/strict-mode-ci branch 2 times, most recently from 767fe87 to 77c91a1 Compare October 9, 2024 04:46
@jschwinger233
Member Author

/test

@jschwinger233 jschwinger233 changed the title cli/connectivity: test strict mode cli/connectivity: Test strict mode encryption Oct 9, 2024
@jschwinger233 jschwinger233 added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/ci This PR makes changes to the CI. feature/wireguard Relates to Cilium's Wireguard feature labels Oct 9, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 9, 2024
@jschwinger233 jschwinger233 force-pushed the pr/gray/strict-mode-ci branch from 77c91a1 to 9b8377e Compare October 9, 2024 08:53
@jschwinger233
Member Author

/test

@jschwinger233 jschwinger233 marked this pull request as ready for review October 9, 2024 10:07
@jschwinger233 jschwinger233 requested review from a team as code owners October 9, 2024 10:07
@jschwinger233 jschwinger233 marked this pull request as draft October 11, 2024 11:35
@jschwinger233 jschwinger233 force-pushed the pr/gray/strict-mode-ci branch 2 times, most recently from a5584e8 to afcd9e7 Compare October 24, 2024 11:11
If ExecInPod() returns a non-nil error, the cli should wrap it with stderr,
which could provide valuable information.

Signed-off-by: gray <gray.liang@isovalent.com>
@jschwinger233 jschwinger233 force-pushed the pr/gray/strict-mode-ci branch from afcd9e7 to ef6f7b6 Compare October 24, 2024 11:24
@jschwinger233
Member Author

/test

Strict mode WireGuard drops plain-text egress packets as long as their
dest addresses fall into the strict mode cidr. This commit adds an
encryption-strict-mode test to cover this scenario by extending the
pod-to-pod test suite.

To trigger the strict-mode-drop, connectivity executes cilium-dbg in
cilium-agent pods to delete all "echo" pods' entries from the ipcache map,
executes curl from "client" pods to remote "echo" pods, and expects packet
drops due to "Traffic is unencrypted".

As suggested by Sebastian Wicki, encryption-strict-mode test is marked
as unsafe because poking around in IPCache might not be something we
want users to run in real clusters.

Signed-off-by: gray <gray.liang@isovalent.com>
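
A simplified model of the scenario this commit message describes, added here as an illustration and not taken from the PR or from Cilium's code: it shows why removing a destination's ipcache entry turns an encrypted flow into a strict-mode drop. The `Datapath` type, its fields, the addresses and the rule that a destination with an ipcache entry gets encrypted are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

type Verdict string

const (
	Encrypted Verdict = "forwarded encrypted"
	Plaintext Verdict = "forwarded in plain text"
	Dropped   Verdict = "dropped: Traffic is unencrypted"
)

// Datapath is a hypothetical stand-in for one node's egress path.
type Datapath struct {
	StrictCIDR netip.Prefix          // strict mode CIDR
	IPCache    map[netip.Addr]string // pod IP -> node to encrypt towards
}

// Egress models the decision for one packet leaving a local pod.
func (d *Datapath) Egress(dst netip.Addr) Verdict {
	if _, ok := d.IPCache[dst]; ok {
		return Encrypted // destination is known, so the packet is encrypted
	}
	if d.StrictCIDR.Contains(dst) {
		return Dropped // plain text towards a strict mode address
	}
	return Plaintext
}

// RunScenario returns the verdicts before the ipcache deletion, after it, and outside the CIDR.
func RunScenario() (before, after, outside Verdict) {
	echo := netip.MustParseAddr("10.0.2.7") // constructed "echo" pod IP
	d := &Datapath{
		StrictCIDR: netip.MustParsePrefix("10.0.0.0/16"), // constructed
		IPCache:    map[netip.Addr]string{echo: "node-2"},
	}
	before = d.Egress(echo)
	delete(d.IPCache, echo) // the step the test performs with cilium-dbg
	after = d.Egress(echo)
	outside = d.Egress(netip.MustParseAddr("192.0.2.10"))
	return before, after, outside
}

func main() {
	fmt.Println(RunScenario())
}
```
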
This commit enables encryption-strict-mode when WireGuard is used with
native routing.

Signed-off-by: gray <gray.liang@isovalent.com>
@jschwinger233 jschwinger233 force-pushed the pr/gray/strict-mode-ci branch from ef6f7b6 to 739fbb6 Compare October 24, 2024 14:28
@jschwinger233
Member Author

/test

@jschwinger233 jschwinger233 marked this pull request as ready for review October 24, 2024 16:06
@jschwinger233 jschwinger233 requested a review from a team as a code owner October 24, 2024 16:06
@jschwinger233 jschwinger233 requested a review from gandro October 24, 2024 16:32
@julianwiedmann
Member

As a future item, it would be nice to check if this allows us to remove the Ginkgo test.

Member

@gandro gandro left a comment

I see you switched to a different approach deleting the IPCache entry, simplifying things even further. Awesome work!

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 28, 2024
@julianwiedmann
Member

/ci-gateway-api

@aanm aanm added this pull request to the merge queue Oct 28, 2024
Merged via the queue into main with commit d6afee1 Oct 28, 2024
270 checks passed
@aanm aanm deleted the pr/gray/strict-mode-ci branch October 28, 2024 11:27
pippolo84 added a commit to pippolo84/cilium that referenced this pull request Mar 26, 2025
A cilium-cli test already exists to verify that there are no unencrypted
leaks in WireGuard strict mode, thus it is safe to remove the now
redundant Ginkgo test.

Related: cilium#35231

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84 added a commit to pippolo84/cilium that referenced this pull request Mar 27, 2025
A cilium-cli test already exists to verify that there are no unencrypted
leaks in WireGuard strict mode, thus it is safe to remove the now
redundant Ginkgo one.

Related: cilium#35231

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
github-merge-queue bot pushed a commit that referenced this pull request Mar 28, 2025
A cilium-cli test already exists to verify that there are no unencrypted
leaks in WireGuard strict mode, thus it is safe to remove the now
redundant Ginkgo one.

Related: #35231

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>