diff --git a/Documentation/cmdref/cilium-agent.md b/Documentation/cmdref/cilium-agent.md
index 4e70c7c4c96ab..b63035e6b4bce 100644
--- a/Documentation/cmdref/cilium-agent.md
+++ b/Documentation/cmdref/cilium-agent.md
@@ -126,8 +126,8 @@ cilium-agent [flags]
 --enable-ingress-controller Enables Envoy secret sync for Ingress controller related TLS secrets
 --enable-ip-masq-agent Enable BPF ip-masq-agent
 --enable-ipip-termination Enable plain IPIP/IP6IP6 termination
- --enable-ipsec Enable IPSec support
- --enable-ipsec-encrypted-overlay Enable IPSec encrypted overlay. If enabled tunnel traffic will be encrypted before leaving the host.
+ --enable-ipsec Enable IPsec support
+ --enable-ipsec-encrypted-overlay Enable IPsec encrypted overlay. If enabled tunnel traffic will be encrypted before leaving the host.
 --enable-ipsec-key-watcher Enable watcher for IPsec key. If disabled, a restart of the agent will be necessary on key rotations. (default true)
 --enable-ipv4 Enable IPv4 support (default true)
 --enable-ipv4-big-tcp Enable IPv4 BIG TCP option which increases device's maximum GRO/GSO limits for IPv4
@@ -234,7 +234,7 @@ cilium-agent [flags]
 --ipam-cilium-node-update-rate duration Maximum rate at which the CiliumNode custom resource is updated (default 15s)
 --ipam-default-ip-pool string Name of the default IP Pool when using multi-pool (default "default")
 --ipam-multi-pool-pre-allocation map Defines the minimum number of IPs a node should pre-allocate from each pool (default default=8)
- --ipsec-key-file string Path to IPSec key file
+ --ipsec-key-file string Path to IPsec key file
 --ipsec-key-rotation-duration duration Maximum duration of the IPsec key rotation. The previous key will be removed after that delay. (default 5m0s)
 --iptables-lock-timeout duration Time to pass to each iptables invocation to wait for xtables lock acquisition (default 5s)
 --iptables-random-fully Set iptables flag random-fully on masquerading rules
diff --git a/Documentation/community/roadmap.rst b/Documentation/community/roadmap.rst
index f1e9ca599a74d..ce54c27d612d7 100644
--- a/Documentation/community/roadmap.rst
+++ b/Documentation/community/roadmap.rst
@@ -28,7 +28,7 @@ Major Feature Status
 ++-------------------------------------------------+----------------------------------------------------------+
 || :ref:`egress-gateway` | Stable |
 ++-------------------------------------------------+----------------------------------------------------------+
-|| :ref:`gsg_encryption` (IPSec and WireGuard) | Stable |
+|| :ref:`gsg_encryption` (IPsec and WireGuard) | Stable |
 ++-------------------------------------------------+----------------------------------------------------------+
 || :ref:`bandwidth-manager` | Stable |
 ++-------------------------------------------------+----------------------------------------------------------+
diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
index e501d15e78e7e..93a82181a58b7 100644
--- a/Documentation/helm-values.rst
+++ b/Documentation/helm-values.rst
@@ -985,7 +985,7 @@ - bool - ``false`` * - :spelling:ignore:`encryption.ipsec.encryptedOverlay` - - Enable IPSec encrypted overlay - bool - ``false`` * - :spelling:ignore:`encryption.ipsec.interface`
diff --git a/Documentation/network/concepts/ipam/multi-pool.rst b/Documentation/network/concepts/ipam/multi-pool.rst
index bfc4aa5b893ad..ecaee7202613c 100644
--- a/Documentation/network/concepts/ipam/multi-pool.rst
+++ b/Documentation/network/concepts/ipam/multi-pool.rst
@@ -153,7 +153,7 @@ Multi-Pool IPAM mode:
 .. warning::
 - Tunnel mode is not supported. Multi-Pool IPAM may only be used in direct routing mode.
- - Transparent encryption is only supported with WireGuard and cannot be used with IPSec.
+ - Transparent encryption is only supported with WireGuard and cannot be used with IPsec.
 - IPAM pools with overlapping CIDRs are not supported. Each pod IP must be unique in the cluster due the way Cilium determines the security identity of endpoints by way of the IPCache.
diff --git a/Documentation/observability/metrics.rst b/Documentation/observability/metrics.rst
index da3d1459d64e9..ade09a86b6f95 100644
--- a/Documentation/observability/metrics.rst
+++ b/Documentation/observability/metrics.rst
@@ -340,7 +340,7 @@ Name Labels
 ``datapath_conntrack_gc_duration_seconds`` ``status`` Enabled Duration in seconds of the garbage collector process
 ============================================= ================================================== ========== ========================================================
-IPSec
+IPsec
 ~~~~~
 ============================================= ================================================== ========== ===========================================================
diff --git a/Documentation/operations/system_requirements.rst b/Documentation/operations/system_requirements.rst
index f3d7d15f15efa..2d79ccdc70de5 100644
--- a/Documentation/operations/system_requirements.rst
+++ b/Documentation/operations/system_requirements.rst
@@ -332,7 +332,7 @@ to enable health monitoring. If the firewall does not permit either of these methods, Cilium will still operate fine but will not be able to provide health information.
-For IPSec enabled Cilium deployments, you need to ensure that the firewall
+For IPsec enabled Cilium deployments, you need to ensure that the firewall
 allows ESP traffic through. For example, AWS Security Groups doesn't allow ESP traffic by default.
diff --git a/Documentation/security/network/encryption-ipsec.rst b/Documentation/security/network/encryption-ipsec.rst
index b3f5a9b26cbcf..ee4ce697a185f 100644
--- a/Documentation/security/network/encryption-ipsec.rst
+++ b/Documentation/security/network/encryption-ipsec.rst
@@ -29,7 +29,7 @@ example below demonstrates generation of the necessary IPsec configuration which will be distributed as a Kubernetes secret called ``cilium-ipsec-keys``. A Kubernetes secret should consist of one key-value pair where the key is the name of the file to be mounted as a volume in cilium-agent pods, and the
-value is an IPSec configuration in the following format::
+value is an IPsec configuration in the following format::
 key-id encryption-algorithms PSK-in-hex-format key-size
@@ -197,7 +197,7 @@ Troubleshooting
 ===============
 * If the ``cilium`` Pods fail to start after enabling encryption, double-check if
- the IPSec ``Secret`` and Cilium are deployed in the same namespace together.
+ the IPsec ``Secret`` and Cilium are deployed in the same namespace together.
 * Check for ``level=warning`` and ``level=error`` messages in the Cilium log files
diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
index 2f439785bdbd8..cdee1a52c19a8 100644
--- a/daemon/cmd/daemon_main.go
+++ b/daemon/cmd/daemon_main.go
@@ -360,10 +360,10 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
 flags.Bool(option.EnableWellKnownIdentities, defaults.EnableWellKnownIdentities, "Enable well-known identities for known Kubernetes components")
 option.BindEnv(vp, option.EnableWellKnownIdentities)
- flags.Bool(option.EnableIPSecName, defaults.EnableIPSec, "Enable IPSec support")
+ flags.Bool(option.EnableIPSecName, defaults.EnableIPSec, "Enable IPsec support")
 option.BindEnv(vp, option.EnableIPSecName)
- flags.String(option.IPSecKeyFileName, "", "Path to IPSec key file")
+ flags.String(option.IPSecKeyFileName, "", "Path to IPsec key file")
 option.BindEnv(vp, option.IPSecKeyFileName)
 flags.Duration(option.IPsecKeyRotationDuration, defaults.IPsecKeyRotationDuration, "Maximum duration of the IPsec key rotation. The previous key will be removed after that delay.")
@@ -372,7 +372,7 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
 flags.Bool(option.EnableIPsecKeyWatcher, defaults.EnableIPsecKeyWatcher, "Enable watcher for IPsec key. If disabled, a restart of the agent will be necessary on key rotations.")
 option.BindEnv(vp, option.EnableIPsecKeyWatcher)
- flags.Bool(option.EnableIPSecEncryptedOverlay, defaults.EnableIPSecEncryptedOverlay, "Enable IPSec encrypted overlay. If enabled tunnel traffic will be encrypted before leaving the host.")
+ flags.Bool(option.EnableIPSecEncryptedOverlay, defaults.EnableIPSecEncryptedOverlay, "Enable IPsec encrypted overlay. If enabled tunnel traffic will be encrypted before leaving the host.")
 option.BindEnv(vp, option.EnableIPSecEncryptedOverlay)
 flags.Bool(option.EnableWireguard, false, "Enable WireGuard")
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
index 911b731dbf64d..5633b1c333536 100644
--- a/install/kubernetes/cilium/README.md
+++ b/install/kubernetes/cilium/README.md
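Review bot: The help strings in both hunks now spell the protocol `IPsec`, but the identifiers they bind to still mix casings — `option.EnableIPSecName`, `option.IPSecKeyFileName` and `option.EnableIPSecEncryptedOverlay` next to `option.IPsecKeyRotationDuration` and `option.EnableIPsecKeyWatcher` — so a grep for either spelling misses half of the IPsec options. Those constants are declared in the option package outside this diff, so a rename may touch exported names and other callers and cannot be judged from here. If a rename is not wanted, a comment above the first `flags.Bool(option.EnableIPSecName, ...)` such as `// Identifier casing (IPSec) is kept for compatibility; user-facing text uses IPsec.` would record the intent. InitGlobalFlags starts and ends outside both hunks.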
@@ -296,7 +296,7 @@ contributors across the globe, there is almost always someone available to help.
 | enableRuntimeDeviceDetection | bool | `false` | Enables experimental support for the detection of new and removed datapath devices. When devices change the eBPF datapath is reloaded and services updated. If "devices" is set then only those devices, or devices matching a wildcard will be considered. |
 | enableXTSocketFallback | bool | `true` | Enables the fallback compatibility solution for when the xt_socket kernel module is missing and it is needed for the datapath L7 redirection to work properly. See documentation for details on when this can be disabled: https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. |
 | encryption.enabled | bool | `false` | Enable transparent network encryption. |
-| encryption.ipsec.encryptedOverlay | bool | `false` | Enable IPSec encrypted overlay |
+| encryption.ipsec.encryptedOverlay | bool | `false` | Enable IPsec encrypted overlay |
 | encryption.ipsec.interface | string | `""` | The interface to use for encrypted traffic. |
 | encryption.ipsec.keyFile | string | `"keys"` | Name of the key file inside the Kubernetes secret configured via secretName. |
 | encryption.ipsec.keyRotationDuration | string | `"5m"` | Maximum duration of the IPsec key rotation. The previous key will be removed after that delay. |
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
index 6dde45ae1d940..bd50b971dc484 100644
--- a/install/kubernetes/cilium/values.yaml
+++ b/install/kubernetes/cilium/values.yaml
@@ -863,7 +863,7 @@ encryption:
 # -- Maximum duration of the IPsec key rotation. The previous key will be
 # removed after that delay.
 keyRotationDuration: "5m"
- # -- Enable IPSec encrypted overlay
+ # -- Enable IPsec encrypted overlay
 encryptedOverlay: false
 wireguard:
 # -- Enables the fallback to the user-space implementation (deprecated).
@@ -3284,7 +3284,7 @@ authentication:
 gcInterval: "5m0s"
 # Configuration for Cilium's service-to-service mutual authentication using TLS handshakes.
 # Note that this is not full mTLS support without also enabling encryption of some form.
- # Current encryption options are WireGuard or IPSec, configured in encryption block above.
+ # Current encryption options are WireGuard or IPsec, configured in encryption block above.
 mutual:
 # -- Port on the agent where mutual authentication handshakes between agents will be performed
 port: 4250
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
index 874824f5a10e8..5b97240d89dda 100644
--- a/install/kubernetes/cilium/values.yaml.tmpl
+++ b/install/kubernetes/cilium/values.yaml.tmpl
@@ -862,7 +862,7 @@ encryption:
 # -- Maximum duration of the IPsec key rotation. The previous key will be
 # removed after that delay.
 keyRotationDuration: "5m"
- # -- Enable IPSec encrypted overlay
+ # -- Enable IPsec encrypted overlay
 encryptedOverlay: false
 wireguard:
 # -- Enables the fallback to the user-space implementation (deprecated).
@@ -3293,7 +3293,7 @@ authentication:
 gcInterval: "5m0s"
 # Configuration for Cilium's service-to-service mutual authentication using TLS handshakes.
 # Note that this is not full mTLS support without also enabling encryption of some form.
- # Current encryption options are WireGuard or IPSec, configured in encryption block above.
+ # Current encryption options are WireGuard or IPsec, configured in encryption block above.
 mutual:
 # -- Port on the agent where mutual authentication handshakes between agents will be performed
 port: 4250