WIP: NETOBSERV-2052: IPsec support

[msherif1234]

Description

probing XFRM input and output processing to know if packets came encrypted or left encrypted

[root@ip-10-0-1-35 /]# ip xfrm state
src 10.0.1.158 dst 10.0.1.35
	proto esp spi 0x17e83b29 reqid 16393 mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes)) 0x2dff2e25143878e71710cc484f87a0e04a5d9882b9e23643f28692e33935eef6879f7ef5 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 00000000 
	sel src 10.0.1.158/32 dst 10.0.1.35/32 proto udp sport 6081 

Dependencies

n/a

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

• Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist.
• Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
• Does this PR require product documentation?
  • If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
• Does this PR require a product release notes entry?
  • If so, fill in "Release Note Text" in the JIRA.
• Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
  • If so, make sure it is described in the JIRA ticket.
• QE requirements (check 1 from the list):
  • Standard QE validation, with pre-merge tests unless stated otherwise.
  • Regression tests only (e.g. refactoring with no user-facing change).
  • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from msherif1234. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

Attention: Patch coverage is 2.96296% with 131 lines in your changes missing coverage. Please review.

Project coverage is 26.71%. Comparing base (7206b08) to head (7ca8ca6).

Files with missing lines	Patch %	Lines
pkg/tracer/tracer.go	0.00%	118 Missing ⚠️
pkg/ebpf/bpf_x86_bpfel.go	0.00%	6 Missing ⚠️
pkg/model/flow_content.go	0.00%	4 Missing and 2 partials ⚠️
pkg/agent/agent.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #538      +/-   ##
==========================================
- Coverage   27.34%   26.71%   -0.64%     
==========================================
  Files          47       47              
  Lines        4988     5121     +133     
==========================================
+ Hits         1364     1368       +4     
- Misses       3521     3648     +127     
- Partials      103      105       +2     

Flag	Coverage Δ
unittests	26.71% <2.96%> (-0.64%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
pkg/agent/config.go	8.33% <ø> (ø)
pkg/decode/decode_protobuf.go	32.10% <100.00%> (+0.78%)	⬆️
pkg/agent/agent.go	30.69% <0.00%> (-0.08%)	⬇️
pkg/ebpf/bpf_x86_bpfel.go	0.00% <0.00%> (ø)
pkg/model/flow_content.go	60.19% <0.00%> (-3.73%)	⬇️
pkg/tracer/tracer.go	0.00% <0.00%> (ø)

[msherif1234]

/ok-to-test

[github-actions]

New images:
quay.io/netobserv/ebpf-bytecode:5162ef0
quay.io/netobserv/netobserv-ebpf-agent:5162ef0

These will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=5162ef0 make set-agent-image

[msherif1234]

/ok-to-test

[github-actions]

New images:
quay.io/netobserv/ebpf-bytecode:bdedd3c
quay.io/netobserv/netobserv-ebpf-agent:bdedd3c

These will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=bdedd3c make set-agent-image

[msherif1234]

/ok-to-test

[github-actions]

New images:
quay.io/netobserv/ebpf-bytecode:d4ab178
quay.io/netobserv/netobserv-ebpf-agent:d4ab178

These will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=d4ab178 make set-agent-image

[github-actions]

New images:
quay.io/netobserv/ebpf-bytecode:81c6c22
quay.io/netobserv/netobserv-ebpf-agent:81c6c22

These will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=81c6c22 make set-agent-image

[openshift-ci-robot]

@msherif1234: This pull request references NETOBSERV-2052 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target either version "4.19." or "openshift-4.19.", but it targets "netobserv-1.9" instead.

In response to this:

Description

probing XFRM input and output processing to know if packets came encrypted or left encrypted
for more details about XFRM packet processing refer to
https://pchaigno.github.io/cilium/2024/10/30/linux-xfrm-ipsec-reference-guide.html

[root@ip-10-0-1-35 /]# ip xfrm state
src 10.0.1.158 dst 10.0.1.35
  proto esp spi 0x17e83b29 reqid 16393 mode transport
  replay-window 0 flag esn
  aead rfc4106(gcm(aes)) 0x2dff2e25143878e71710cc484f87a0e04a5d9882b9e23643f28692e33935eef6879f7ef5 128
  anti-replay esn context:
   seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
   replay_window 128, bitmap-length 4
   00000000 00000000 00000000 00000000 
  sel src 10.0.1.158/32 dst 10.0.1.35/32 proto udp sport 6081 

Dependencies

n/a

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

• Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist.
• Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
• Does this PR require product documentation?
• If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
• Does this PR require a product release notes entry?
• If so, fill in "Release Note Text" in the JIRA.
• Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
• If so, make sure it is described in the JIRA ticket.
• QE requirements (check 1 from the list):
• Standard QE validation, with pre-merge tests unless stated otherwise.
• Regression tests only (e.g. refactoring with no user-facing change).
• No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@msherif1234: This pull request references NETOBSERV-2052 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target either version "4.19." or "openshift-4.19.", but it targets "netobserv-1.9" instead.

In response to this:

Description

probing XFRM input and output processing to know if packets came encrypted or left encrypted
for more details about XFRM packet processing refer to
https://pchaigno.github.io/cilium/2024/10/30/linux-xfrm-ipsec-reference-guide.html

[root@ip-10-0-1-35 /]# ip xfrm state
src 10.0.1.158 dst 10.0.1.35
  proto esp spi 0x17e83b29 reqid 16393 mode transport
  replay-window 0 flag esn
  aead rfc4106(gcm(aes)) 0x2dff2e25143878e71710cc484f87a0e04a5d9882b9e23643f28692e33935eef6879f7ef5 128
  anti-replay esn context:
   seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
   replay_window 128, bitmap-length 4
   00000000 00000000 00000000 00000000 
  sel src 10.0.1.158/32 dst 10.0.1.35/32 proto udp sport 6081 

Dependencies

n/a

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

• Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist.
• Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
• Does this PR require product documentation?
• If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
• Does this PR require a product release notes entry?
• If so, fill in "Release Note Text" in the JIRA.
• Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
• If so, make sure it is described in the JIRA ticket.
• QE requirements (check 1 from the list):
• Standard QE validation, with pre-merge tests unless stated otherwise.
• Regression tests only (e.g. refactoring with no user-facing change).
• No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@msherif1234: This pull request references NETOBSERV-2052 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target either version "4.19." or "openshift-4.19.", but it targets "netobserv-1.9" instead.

In response to this:

Description

probing XFRM input and output processing to know if packets came encrypted or left encrypted

[root@ip-10-0-1-35 /]# ip xfrm state
src 10.0.1.158 dst 10.0.1.35
  proto esp spi 0x17e83b29 reqid 16393 mode transport
  replay-window 0 flag esn
  aead rfc4106(gcm(aes)) 0x2dff2e25143878e71710cc484f87a0e04a5d9882b9e23643f28692e33935eef6879f7ef5 128
  anti-replay esn context:
   seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
   replay_window 128, bitmap-length 4
   00000000 00000000 00000000 00000000 
  sel src 10.0.1.158/32 dst 10.0.1.35/32 proto udp sport 6081 

Dependencies

n/a

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

• Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist.
• Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
• Does this PR require product documentation?
• If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
• Does this PR require a product release notes entry?
• If so, fill in "Release Note Text" in the JIRA.
• Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
• If so, make sure it is described in the JIRA ticket.
• QE requirements (check 1 from the list):
• Standard QE validation, with pre-merge tests unless stated otherwise.
• Regression tests only (e.g. refactoring with no user-facing change).
• No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[msherif1234]

/ok-to-test

[github-actions]

New images:
quay.io/netobserv/ebpf-bytecode:7755eb4
quay.io/netobserv/netobserv-ebpf-agent:7755eb4

These will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=7755eb4 make set-agent-image

[msherif1234]

/ok-to-test

[github-actions]

New images:
quay.io/netobserv/ebpf-bytecode:cad78d1
quay.io/netobserv/netobserv-ebpf-agent:cad78d1

These will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=cad78d1 make set-agent-image

[msherif1234]

/ok-to-test

[github-actions]

New images:
quay.io/netobserv/ebpf-bytecode:1aab10f
quay.io/netobserv/netobserv-ebpf-agent:1aab10f

These will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=1aab10f make set-agent-image

[msherif1234]

/ok-to-test

[github-actions]

New images:
quay.io/netobserv/ebpf-bytecode:52f0c2c
quay.io/netobserv/netobserv-ebpf-agent:52f0c2c

These will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=52f0c2c make set-agent-image