Skip to content

Commit

Permalink
docs: Fix spelling for "IPsec"
Browse files Browse the repository at this point in the history
IPsec should not be IPSec. Fix all occurrences in the docs, and in
source files used to auto-generate documentation.

This commit does not change the occurrences of "IPSec" in the rest of
the code base.

Ideally, we would like to prevent "IPSec" to come back to the
documentation via spell checks. However, I could not find a good
solution to do that. This is based on the following considerations:

- We currently have "ipsec" and "IPsec" in the list of spelling
  exceptions (the second is probably useless as the first should be
  treated by the spell checker as case-insensitive). They correspond to
  the syntax we accept when "ipsec" occurs in some technical terms, and
  for the rightfully-spelt "IPsec", respectively. The list of exceptions
  does not contain "IPSec" (even though it should be allowed due to
  "ipsec" being case-insensitive).

- We can remove both occurrences from the list of spelling exceptions,
  and cover them instead by a custom filter, the same way as we do for
  "wireguard" and "WireGuard". This solution, however, does not work,
  for two reasons.

- One reason is that "ipsec" sometimes appear in the middle of a
  compound-term, as in "something-ipsec-something", and a custom filter
  modeled after the one for WireGuard wouldn't "skip" it. We would have
  to make it more robust to detect "ipsec" in the middle of such
  compounds.

- The other reason is that even if we accept only "ipsec" and "IPsec" in
  the custom filter, ... it turns out that the spell checker still
  accepts "IPSec". After some investigation, it turns out that this is
  because the spell checker configuration option
  spelling_ignore_wiki_words defaults to True. This option determines
  "whether words that follow the CamelCase conventions used for page
  names in wikis should be treated as spelled properly." As it turns
  out, "IPsec" does not follow these conventions, at least in the eyes
  of the spell checker, but "IPSec" does, making it a valid word.

- Can we easily update a custom filter to make the spell checker reject
  a specific word? The answer is no, we can only skip words (and
  consider them correct) or tokenize them more:
  sphinx-contrib/spelling#120.

- As a consequence, the best way to reject "IPSec" would be to set
  spelling_ignore_wiki_words to False in the configuration file. So I
  tried that, and obtained:

    Please fix the following documentation warnings:
    WARNING: Found 1271 misspelled words

  It turns out we have a lot of words that implicitely follow camel case
  conventions and are skipped by the spell checker for that reason. It's
  not worth adding all of them to the list of exceptions.

Let's just accept that "IPSec" may come back, and clean it up from time
to time.

Signed-off-by: Quentin Monnet <[email protected]>
  • Loading branch information
qmonnet committed Apr 16, 2024
1 parent 0b64d66 commit ec5b796
Show file tree
Hide file tree
Showing 11 changed files with 18 additions and 18 deletions.
6 changes: 3 additions & 3 deletions Documentation/cmdref/cilium-agent.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Documentation/community/roadmap.rst
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ Major Feature Status
++-------------------------------------------------+----------------------------------------------------------+
|| :ref:`egress-gateway` | Stable |
++-------------------------------------------------+----------------------------------------------------------+
|| :ref:`gsg_encryption` (IPSec and WireGuard) | Stable |
|| :ref:`gsg_encryption` (IPsec and WireGuard) | Stable |
++-------------------------------------------------+----------------------------------------------------------+
|| :ref:`bandwidth-manager` | Stable |
++-------------------------------------------------+----------------------------------------------------------+
Expand Down
2 changes: 1 addition & 1 deletion Documentation/helm-values.rst

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Documentation/network/concepts/ipam/multi-pool.rst
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ Multi-Pool IPAM mode:

.. warning::
- Tunnel mode is not supported. Multi-Pool IPAM may only be used in direct routing mode.
- Transparent encryption is only supported with WireGuard and cannot be used with IPSec.
- Transparent encryption is only supported with WireGuard and cannot be used with IPsec.
- IPAM pools with overlapping CIDRs are not supported. Each pod IP must be
unique in the cluster due the way Cilium determines the security identity
of endpoints by way of the IPCache.
Expand Down
2 changes: 1 addition & 1 deletion Documentation/observability/metrics.rst
Original file line number Diff line number Diff line change
Expand Up @@ -340,7 +340,7 @@ Name Labels
``datapath_conntrack_gc_duration_seconds`` ``status`` Enabled Duration in seconds of the garbage collector process
============================================= ================================================== ========== ========================================================

IPSec
IPsec
~~~~~

============================================= ================================================== ========== ===========================================================
Expand Down
2 changes: 1 addition & 1 deletion Documentation/operations/system_requirements.rst
Original file line number Diff line number Diff line change
Expand Up @@ -332,7 +332,7 @@ to enable health monitoring. If the firewall does not permit either of these
methods, Cilium will still operate fine but will not be able to provide health
information.

For IPSec enabled Cilium deployments, you need to ensure that the firewall
For IPsec enabled Cilium deployments, you need to ensure that the firewall
allows ESP traffic through. For example, AWS Security Groups doesn't allow ESP
traffic by default.

Expand Down
4 changes: 2 additions & 2 deletions Documentation/security/network/encryption-ipsec.rst
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ example below demonstrates generation of the necessary IPsec configuration
which will be distributed as a Kubernetes secret called ``cilium-ipsec-keys``.
A Kubernetes secret should consist of one key-value pair where the key is the
name of the file to be mounted as a volume in cilium-agent pods, and the
value is an IPSec configuration in the following format::
value is an IPsec configuration in the following format::

key-id encryption-algorithms PSK-in-hex-format key-size

Expand Down Expand Up @@ -197,7 +197,7 @@ Troubleshooting
===============

* If the ``cilium`` Pods fail to start after enabling encryption, double-check if
the IPSec ``Secret`` and Cilium are deployed in the same namespace together.
the IPsec ``Secret`` and Cilium are deployed in the same namespace together.

* Check for ``level=warning`` and ``level=error`` messages in the Cilium log files

Expand Down
6 changes: 3 additions & 3 deletions daemon/cmd/daemon_main.go
Original file line number Diff line number Diff line change
Expand Up @@ -360,10 +360,10 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
flags.Bool(option.EnableWellKnownIdentities, defaults.EnableWellKnownIdentities, "Enable well-known identities for known Kubernetes components")
option.BindEnv(vp, option.EnableWellKnownIdentities)

flags.Bool(option.EnableIPSecName, defaults.EnableIPSec, "Enable IPSec support")
flags.Bool(option.EnableIPSecName, defaults.EnableIPSec, "Enable IPsec support")
option.BindEnv(vp, option.EnableIPSecName)

flags.String(option.IPSecKeyFileName, "", "Path to IPSec key file")
flags.String(option.IPSecKeyFileName, "", "Path to IPsec key file")
option.BindEnv(vp, option.IPSecKeyFileName)

flags.Duration(option.IPsecKeyRotationDuration, defaults.IPsecKeyRotationDuration, "Maximum duration of the IPsec key rotation. The previous key will be removed after that delay.")
Expand All @@ -372,7 +372,7 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
flags.Bool(option.EnableIPsecKeyWatcher, defaults.EnableIPsecKeyWatcher, "Enable watcher for IPsec key. If disabled, a restart of the agent will be necessary on key rotations.")
option.BindEnv(vp, option.EnableIPsecKeyWatcher)

flags.Bool(option.EnableIPSecEncryptedOverlay, defaults.EnableIPSecEncryptedOverlay, "Enable IPSec encrypted overlay. If enabled tunnel traffic will be encrypted before leaving the host.")
flags.Bool(option.EnableIPSecEncryptedOverlay, defaults.EnableIPSecEncryptedOverlay, "Enable IPsec encrypted overlay. If enabled tunnel traffic will be encrypted before leaving the host.")
option.BindEnv(vp, option.EnableIPSecEncryptedOverlay)

flags.Bool(option.EnableWireguard, false, "Enable WireGuard")
Expand Down
2 changes: 1 addition & 1 deletion install/kubernetes/cilium/README.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions install/kubernetes/cilium/values.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions install/kubernetes/cilium/values.yaml.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -867,7 +867,7 @@ encryption:
# -- Maximum duration of the IPsec key rotation. The previous key will be
# removed after that delay.
keyRotationDuration: "5m"
# -- Enable IPSec encrypted overlay
# -- Enable IPsec encrypted overlay
encryptedOverlay: false
wireguard:
# -- Enables the fallback to the user-space implementation (deprecated).
Expand Down Expand Up @@ -3298,7 +3298,7 @@ authentication:
gcInterval: "5m0s"
# Configuration for Cilium's service-to-service mutual authentication using TLS handshakes.
# Note that this is not full mTLS support without also enabling encryption of some form.
# Current encryption options are WireGuard or IPSec, configured in encryption block above.
# Current encryption options are WireGuard or IPsec, configured in encryption block above.
mutual:
# -- Port on the agent where mutual authentication handshakes between agents will be performed
port: 4250
Expand Down

0 comments on commit ec5b796

Please sign in to comment.