
workflows/gateway-api: Cover IPsec with GatewayAPI #35584


Merged (3 commits) on Oct 30, 2024

pchaigno (Member) commented Oct 28, 2024

First commit adds coverage for IPsec as a new matrix config. Second commit fixes an issue with the sysdump filenames. Last commit adds a few basic CLI tests to catch potential IPsec bugs.

pchaigno added labels Oct 28, 2024: area/encryption (Impacts encryption support such as IPSec, WireGuard, or kTLS.), release-note/ci (This PR makes changes to the CI.), feature/k8s-gateway-api, feature/ipsec (Relates to Cilium's IPsec feature)

pchaigno force-pushed the pr/pchaigno/test-ipsec-gatewayapi branch 6 times, most recently from a1eac0b to cf24ac2, October 29, 2024 10:24

This commit adds coverage for GatewayAPI+IPsec in the Gateway API
workflow.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
The sysdump filename is not built with the same commands between its
creation and its uploading. This wasn't an issue before the previous
commit because both outputs would still match. However, the previous
commit extended the matrix and surfaced this issue.

This commit ensures the exact same command is used to generate the
sysdump filenames at creation and upload times.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

pchaigno force-pushed the pr/pchaigno/test-ipsec-gatewayapi branch from cf24ac2 to 5fca412, October 29, 2024 10:24

This commit adds some basic checks from the Cilium CLI connectivity
tests:
- no-unexpected-packet-drops is trivial and will report any unexpected
  packet drops.
- the pod-to-pod and node-to-node encryption tests will ensure that
  traffic is encrypted or not according to the configuration. This is
  useful here since the workflow may now be running with IPsec enabled.
- allow-all-except-world will check connectivity with some basic network
  policy. This is also useful in the context of IPsec as some
  IPsec-related bugs can cause the source identity to be lost. Having a
  policy that allows everything but not world is typically enough to catch
  such cases.

The check-log-errors test should also be enabled, but it is currently
failing because there are errors in logs whenever enabling the Gateway
API. It can be added once those errors are fixed.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

pchaigno force-pushed the pr/pchaigno/test-ipsec-gatewayapi branch from 5fca412 to 61ff7bc, October 29, 2024 10:28
pchaigno marked this pull request as ready for review October 29, 2024 11:14
pchaigno requested review from a team as code owners October 29, 2024 11:14
pchaigno requested review from youngnick and brlbil October 29, 2024 11:14
pchaigno enabled auto-merge October 29, 2024 14:12

youngnick (Contributor) left a comment

LGTM, thanks @pchaigno

pchaigno added this pull request to the merge queue Oct 30, 2024
Merged via the queue into main with commit 91a844c Oct 30, 2024
82 checks passed
pchaigno deleted the pr/pchaigno/test-ipsec-gatewayapi branch October 30, 2024 03:09
pchaigno added the needs-backport/1.16 label (This PR / issue needs backporting to the v1.16 branch) Nov 8, 2024
viktor-kurchenko mentioned this pull request Nov 12, 2024 (13 tasks)
viktor-kurchenko added the backport-pending/1.16 label (The backport for Cilium 1.16.x for this PR is in progress.) Nov 12, 2024
viktor-kurchenko removed the needs-backport/1.16 label (This PR / issue needs backporting to the v1.16 branch) Nov 12, 2024
github-actions bot added the backport-done/1.16 label (The backport for Cilium 1.16.x for this PR is done.) and removed the backport-pending/1.16 label (The backport for Cilium 1.16.x for this PR is in progress.) Nov 12, 2024