NETOBSERV-2198: IPsec support #1085
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1085 +/- ##
==========================================
- Coverage 62.69% 62.23% -0.47%
==========================================
Files 76 76
Lines 11613 11683 +70
==========================================
- Hits 7281 7271 -10
- Misses 3867 3943 +76
- Partials 465 469 +4
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
msherif1234
removed
the
ok-to-test
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
msherif1234
removed
the
ok-to-test
msherif1234
force-pushed
the
ipsec
branch
3 times, most recently
from
1425eb0 to
c970f00
Compare
| @@ -166,6 +167,7 @@ const ( | |||
| PacketTranslation AgentFeature = "PacketTranslation" | |||
| EbpfManager AgentFeature = "EbpfManager" | |||
| UDNMapping AgentFeature = "UDNMapping" | |||
| IPSEC AgentFeature = "IPSEC" | |||
There was a problem hiding this comment.
| IPSEC AgentFeature = "IPSEC" | |
| IPSEC AgentFeature = "IPSec" |
There was a problem hiding this comment.
or
| IPSEC AgentFeature = "IPSEC" | |
| IPSEC AgentFeature = "IPsec" |
| @@ -1415,6 +1425,9 @@ fields: | |||
| - name: K8S_ClusterName | |||
| type: string | |||
| description: Cluster name or identifier | |||
| - name: EncryptedFlow | |||
| type: boolean | |||
There was a problem hiding this comment.
Do you think we will be able to get more info that that in the future ?
It would be interesting to use another type here if so
There was a problem hiding this comment.
in fact, I think we could simplify that from the user perspective, with just a single field "IPsec" that could be "true" / "false" / "error: (code)", wdyt?
can be a follow-up
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
|
New images:
They will expire after two weeks. To deploy this build: # Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:f7e644e make deploy
# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-f7e644eOr as a Catalog Source: apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: netobserv-dev
namespace: openshift-marketplace
spec:
sourceType: grpc
image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-f7e644e
displayName: NetObserv development catalog
publisher: Me
updateStrategy:
registryPoll:
interval: 1m |
github-actions
bot
removed
the
ok-to-test
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
|
New images:
They will expire after two weeks. To deploy this build: # Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:c7100ef make deploy
# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-c7100efOr as a Catalog Source: apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: netobserv-dev
namespace: openshift-marketplace
spec:
sourceType: grpc
image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-c7100ef
displayName: NetObserv development catalog
publisher: Me
updateStrategy:
registryPoll:
interval: 1m |
github-actions
bot
removed
the
ok-to-test
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
|
New images:
They will expire after two weeks. To deploy this build: # Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:c7a3e5a make deploy
# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-c7a3e5aOr as a Catalog Source: apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: netobserv-dev
namespace: openshift-marketplace
spec:
sourceType: grpc
image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-c7a3e5a
displayName: NetObserv development catalog
publisher: Me
updateStrategy:
registryPoll:
interval: 1m |
|
@msherif1234: This pull request references NETOBSERV-2198 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@msherif1234: This pull request references NETOBSERV-2198 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/ok-to-test |
msherif1234
removed
the
ok-to-test
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
|
New images:
They will expire after two weeks. To deploy this build: # Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:0570119 make deploy
# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-sha-0570119Or as a Catalog Source: apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: netobserv-dev
namespace: openshift-marketplace
spec:
sourceType: grpc
image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-sha-0570119
displayName: NetObserv development catalog
publisher: Me
updateStrategy:
registryPoll:
interval: 1m |
| @@ -657,6 +657,20 @@ columns: | |||
| default: false | |||
| width: 15 | |||
| feature: packetTranslation | |||
| - id: IPSec | |||
| name: Is IPSec operation successful? | |||
There was a problem hiding this comment.
What about just "IPsec encryption" ?
There was a problem hiding this comment.
u mean use the above for name ? I used operation as it can work for both encryption or decryption
github-actions
bot
removed
the
ok-to-test
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
|
New images:
They will expire after two weeks. To deploy this build: # Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:34d04d6 make deploy
# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-sha-34d04d6Or as a Catalog Source: apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: netobserv-dev
namespace: openshift-marketplace
spec:
sourceType: grpc
image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-sha-34d04d6
displayName: NetObserv development catalog
publisher: Me
updateStrategy:
registryPoll:
interval: 1m |
Signed-off-by: Mohamed Mahmoud <[email protected]>
github-actions
bot
removed
the
ok-to-test
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
|
New images:
They will expire after two weeks. To deploy this build: # Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:b414ca0 make deploy
# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-sha-b414ca0Or as a Catalog Source: apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: netobserv-dev
namespace: openshift-marketplace
spec:
sourceType: grpc
image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-sha-b414ca0
displayName: NetObserv development catalog
publisher: Me
updateStrategy:
registryPoll:
interval: 1m |
|
sample config with ebpfMgr and features enabled w/o need privilege spec:
agent:
ebpf:
cacheActiveTimeout: 5s
cacheMaxFlows: 100000
excludeInterfaces:
- lo
features:
- PacketDrop
- DNSTracking
- FlowRTT
- PacketTranslation
- EbpfManager
- IPSec
$ oc exec -i -n bpfman bpfman-daemon-8fxw6 -c bpfman -- ./bpfman list programs
Program ID Application Type Function Name Links
279 tcx tcx_ingress_flo (58) 1295471270, 1345453941, 1441632460, ...
280 tcx tcx_egress_flow (58) 107771511, 1178908131, 1185178417, ...
281 fentry tcp_rcv_fentry (1) 425324457
282 tracepoint kfree_skb (1) 3915688123
285 kprobe track_nat_manip (1) 4169115594
286 kprobe xfrm_input_kpro (1) 3401614146
287 kprobe xfrm_input_kret (1) 233370034
288 kprobe xfrm_output_kpr (1) 1173173061
289 kprobe xfrm_output_kre (1) 3548456298 |
|
@msherif1234: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm I created https://issues.redhat.com/browse/NETOBSERV-2207 for follow-ups. I think we can improve the UX |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jotak The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Description
Dependencies
netobserv/netobserv-ebpf-agent#538
Checklist
If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.