From ec5b7961b4f1afbc5072cd879de543334170ef48 Mon Sep 17 00:00:00 2001 
From: Quentin Monnet Date: Tue, 16 Apr 2024 16:16:17 +0100 Subject: [PATCH] docs: Fix spelling for "IPsec" IPsec should not be IPSec. Fix all occurrences in the docs, and in source files used to auto-generate documentation. This commit does not change the occurrences of "IPSec" in the rest of the code base. Ideally, we would like to prevent "IPSec" to come back to the documentation via spell checks. However, I could not find a good solution to do that. This is based on the following considerations: - We currently have "ipsec" and "IPsec" in the list of spelling exceptions (the second is probably useless as the first should be treated by the spell checker as case-insensitive). They correspond to the syntax we accept when "ipsec" occurs in some technical terms, and for the rightfully-spelt "IPsec", respectively. The list of exceptions does not contain "IPSec" (even though it should be allowed due to "ipsec" being case-insensitive). - We can remove both occurrences from the list of spelling exceptions, and cover them instead by a custom filter, the same way as we do for "wireguard" and "WireGuard". This solution, however, does not work, for two reasons. - One reason is that "ipsec" sometimes appear in the middle of a compound-term, as in "something-ipsec-something", and a custom filter modeled after the one for WireGuard wouldn't "skip" it. We would have to make it more robust to detect "ipsec" in the middle of such compounds. - The other reason is that even if we accept only "ipsec" and "IPsec" in the custom filter, ... it turns out that the spell checker still accepts "IPSec". After some investigation, it turns out that this is because the spell checker configuration option spelling_ignore_wiki_words defaults to True. This option determines "whether words that follow the CamelCase conventions used for page names in wikis should be treated as spelled properly." 
As it turns out, "IPsec" does not follow these conventions, at least in the eyes of the spell checker, but "IPSec" does, making it a valid word. - Can we easily update a custom filter to make the spell checker reject a specific word? The answer is no, we can only skip words (and consider them correct) or tokenize them more: https://github.com/sphinx-contrib/spelling/issues/120. - As a consequence, the best way to reject "IPSec" would be to set spelling_ignore_wiki_words to False in the configuration file. So I tried that, and obtained: Please fix the following documentation warnings: WARNING: Found 1271 misspelled words It turns out we have a lot of words that implicitly follow camel case conventions and are skipped by the spell checker for that reason. It's not worth adding all of them to the list of exceptions. Let's just accept that "IPSec" may come back, and clean it up from time to time. Signed-off-by: Quentin Monnet --- Documentation/cmdref/cilium-agent.md | 6 +++--- Documentation/community/roadmap.rst | 2 +- Documentation/helm-values.rst | 2 +- Documentation/network/concepts/ipam/multi-pool.rst | 2 +- Documentation/observability/metrics.rst | 2 +- Documentation/operations/system_requirements.rst | 2 +- Documentation/security/network/encryption-ipsec.rst | 4 ++-- daemon/cmd/daemon_main.go | 6 +++--- install/kubernetes/cilium/README.md | 2 +- install/kubernetes/cilium/values.yaml | 4 ++-- install/kubernetes/cilium/values.yaml.tmpl | 4 ++-- 11 files changed, 18 insertions(+), 18 deletions(-) diff --git a/Documentation/cmdref/cilium-agent.md b/Documentation/cmdref/cilium-agent.md index bde2a09a78c5bb..7bf1b116bb28bf 100644 --- a/Documentation/cmdref/cilium-agent.md +++ b/Documentation/cmdref/cilium-agent.md
@@ -125,8 +125,8 @@ cilium-agent [flags]
 --enable-ingress-controller Enables Envoy secret sync for Ingress controller related TLS secrets
 --enable-ip-masq-agent Enable BPF ip-masq-agent
 --enable-ipip-termination Enable plain IPIP/IP6IP6 termination
- --enable-ipsec Enable IPSec support
- --enable-ipsec-encrypted-overlay Enable IPSec encrypted overlay. If enabled tunnel traffic will be encrypted before leaving the host.
+ --enable-ipsec Enable IPsec support
+ --enable-ipsec-encrypted-overlay Enable IPsec encrypted overlay. If enabled tunnel traffic will be encrypted before leaving the host.
 --enable-ipsec-key-watcher Enable watcher for IPsec key. If disabled, a restart of the agent will be necessary on key rotations. (default true)
 --enable-ipv4 Enable IPv4 support (default true)
 --enable-ipv4-big-tcp Enable IPv4 BIG TCP option which increases device's maximum GRO/GSO limits for IPv4
@@ -233,7 +233,7 @@ cilium-agent [flags]
 --ipam-cilium-node-update-rate duration Maximum rate at which the CiliumNode custom resource is updated (default 15s)
 --ipam-default-ip-pool string Name of the default IP Pool when using multi-pool (default "default")
 --ipam-multi-pool-pre-allocation map Defines the minimum number of IPs a node should pre-allocate from each pool (default default=8)
- --ipsec-key-file string Path to IPSec key file
+ --ipsec-key-file string Path to IPsec key file
 --ipsec-key-rotation-duration duration Maximum duration of the IPsec key rotation. The previous key will be removed after that delay. (default 5m0s)
 --iptables-lock-timeout duration Time to pass to each iptables invocation to wait for xtables lock acquisition (default 5s)
 --iptables-random-fully Set iptables flag random-fully on masquerading rules
diff --git a/Documentation/community/roadmap.rst b/Documentation/community/roadmap.rst
index f1e9ca599a74d0..ce54c27d612d78 100644
--- a/Documentation/community/roadmap.rst
+++ b/Documentation/community/roadmap.rst
@@ -28,7 +28,7 @@ Major Feature Status ++-------------------------------------------------+----------------------------------------------------------+ || :ref:`egress-gateway` | Stable | ++-------------------------------------------------+----------------------------------------------------------+ -|| :ref:`gsg_encryption` (IPSec and WireGuard) | Stable | +|| :ref:`gsg_encryption` (IPsec and WireGuard) | Stable | ++-------------------------------------------------+----------------------------------------------------------+ || :ref:`bandwidth-manager` | Stable | ++-------------------------------------------------+----------------------------------------------------------+ diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst index 6b2e8a9cd7109d..5995d942d5bcae 100644 --- a/Documentation/helm-values.rst +++ b/Documentation/helm-values.rst @@ -993,7 +993,7 @@ - bool - ``false`` * - :spelling:ignore:`encryption.ipsec.encryptedOverlay` - - Enable IPSec encrypted overlay + - Enable IPsec encrypted overlay - bool - ``false`` * - :spelling:ignore:`encryption.ipsec.interface` diff --git a/Documentation/network/concepts/ipam/multi-pool.rst b/Documentation/network/concepts/ipam/multi-pool.rst index bfc4aa5b893ada..ecaee7202613c1 100644 --- a/Documentation/network/concepts/ipam/multi-pool.rst +++ b/Documentation/network/concepts/ipam/multi-pool.rst @@ -153,7 +153,7 @@ Multi-Pool IPAM mode: .. warning:: - Tunnel mode is not supported. Multi-Pool IPAM may only be used in direct routing mode. - - Transparent encryption is only supported with WireGuard and cannot be used with IPSec. + - Transparent encryption is only supported with WireGuard and cannot be used with IPsec. - IPAM pools with overlapping CIDRs are not supported. Each pod IP must be unique in the cluster due the way Cilium determines the security identity of endpoints by way of the IPCache. 
diff --git a/Documentation/observability/metrics.rst b/Documentation/observability/metrics.rst index da3d1459d64e98..ade09a86b6f959 100644 --- a/Documentation/observability/metrics.rst +++ b/Documentation/observability/metrics.rst @@ -340,7 +340,7 @@ Name Labels ``datapath_conntrack_gc_duration_seconds`` ``status`` Enabled Duration in seconds of the garbage collector process ============================================= ================================================== ========== ======================================================== -IPSec +IPsec ~~~~~ ============================================= ================================================== ========== =========================================================== diff --git a/Documentation/operations/system_requirements.rst b/Documentation/operations/system_requirements.rst index 94935a1f9e1f81..b06037e0156d34 100644 --- a/Documentation/operations/system_requirements.rst +++ b/Documentation/operations/system_requirements.rst @@ -332,7 +332,7 @@ to enable health monitoring. If the firewall does not permit either of these methods, Cilium will still operate fine but will not be able to provide health information. -For IPSec enabled Cilium deployments, you need to ensure that the firewall +For IPsec enabled Cilium deployments, you need to ensure that the firewall allows ESP traffic through. For example, AWS Security Groups doesn't allow ESP traffic by default. diff --git a/Documentation/security/network/encryption-ipsec.rst b/Documentation/security/network/encryption-ipsec.rst index b3f5a9b26cbcfa..ee4ce697a185f1 100644 --- a/Documentation/security/network/encryption-ipsec.rst +++ b/Documentation/security/network/encryption-ipsec.rst 
@@ -29,7 +29,7 @@ example below demonstrates generation of the necessary IPsec configuration which will be distributed as a Kubernetes secret called ``cilium-ipsec-keys``. A Kubernetes secret should consist of one key-value pair where the key is the name of the file to be mounted as a volume in cilium-agent pods, and the -value is an IPSec configuration in the following format:: +value is an IPsec configuration in the following format:: key-id encryption-algorithms PSK-in-hex-format key-size @@ -197,7 +197,7 @@ Troubleshooting =============== * If the ``cilium`` Pods fail to start after enabling encryption, double-check if - the IPSec ``Secret`` and Cilium are deployed in the same namespace together. + the IPsec ``Secret`` and Cilium are deployed in the same namespace together. * Check for ``level=warning`` and ``level=error`` messages in the Cilium log files diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go index 3b396a7e947b1f..a2723f92f6f566 100644 --- a/daemon/cmd/daemon_main.go +++ b/daemon/cmd/daemon_main.go @@ -360,10 +360,10 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) { flags.Bool(option.EnableWellKnownIdentities, defaults.EnableWellKnownIdentities, "Enable well-known identities for known Kubernetes components") option.BindEnv(vp, option.EnableWellKnownIdentities) - flags.Bool(option.EnableIPSecName, defaults.EnableIPSec, "Enable IPSec support") + flags.Bool(option.EnableIPSecName, defaults.EnableIPSec, "Enable IPsec support") option.BindEnv(vp, option.EnableIPSecName) - flags.String(option.IPSecKeyFileName, "", "Path to IPSec key file") + flags.String(option.IPSecKeyFileName, "", "Path to IPsec key file") option.BindEnv(vp, option.IPSecKeyFileName) flags.Duration(option.IPsecKeyRotationDuration, defaults.IPsecKeyRotationDuration, "Maximum duration of the IPsec key rotation. The previous key will be removed after that delay.") 
@@ -372,7 +372,7 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
 flags.Bool(option.EnableIPsecKeyWatcher, defaults.EnableIPsecKeyWatcher, "Enable watcher for IPsec key. If disabled, a restart of the agent will be necessary on key rotations.")
 option.BindEnv(vp, option.EnableIPsecKeyWatcher)
- flags.Bool(option.EnableIPSecEncryptedOverlay, defaults.EnableIPSecEncryptedOverlay, "Enable IPSec encrypted overlay. If enabled tunnel traffic will be encrypted before leaving the host.")
+ flags.Bool(option.EnableIPSecEncryptedOverlay, defaults.EnableIPSecEncryptedOverlay, "Enable IPsec encrypted overlay. If enabled tunnel traffic will be encrypted before leaving the host.")
 option.BindEnv(vp, option.EnableIPSecEncryptedOverlay)
 flags.Bool(option.EnableWireguard, false, "Enable WireGuard")
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
index b0dc7650506b83..12c562946489ae 100644
--- a/install/kubernetes/cilium/README.md
+++ b/install/kubernetes/cilium/README.md
@@ -298,7 +298,7 @@ contributors across the globe, there is almost always someone available to help.
 | enableRuntimeDeviceDetection | bool | `false` | Enables experimental support for the detection of new and removed datapath devices. When devices change the eBPF datapath is reloaded and services updated. If "devices" is set then only those devices, or devices matching a wildcard will be considered. |
 | enableXTSocketFallback | bool | `true` | Enables the fallback compatibility solution for when the xt_socket kernel module is missing and it is needed for the datapath L7 redirection to work properly. See documentation for details on when this can be disabled: https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. |
 | encryption.enabled | bool | `false` | Enable transparent network encryption. |
-| encryption.ipsec.encryptedOverlay | bool | `false` | Enable IPSec encrypted overlay |
+| encryption.ipsec.encryptedOverlay | bool | `false` | Enable IPsec encrypted overlay |
 | encryption.ipsec.interface | string | `""` | The interface to use for encrypted traffic. |
 | encryption.ipsec.keyFile | string | `"keys"` | Name of the key file inside the Kubernetes secret configured via secretName. |
 | encryption.ipsec.keyRotationDuration | string | `"5m"` | Maximum duration of the IPsec key rotation. The previous key will be removed after that delay. |
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
index 2ae3e6ccd38bbd..ff5c789e638a1d 100644
--- a/install/kubernetes/cilium/values.yaml
+++ b/install/kubernetes/cilium/values.yaml
@@ -868,7 +868,7 @@ encryption:
 # -- Maximum duration of the IPsec key rotation. The previous key will be
 # removed after that delay.
 keyRotationDuration: "5m"
- # -- Enable IPSec encrypted overlay
+ # -- Enable IPsec encrypted overlay
 encryptedOverlay: false
 wireguard:
 # -- Enables the fallback to the user-space implementation (deprecated).
@@ -3289,7 +3289,7 @@ authentication:
 gcInterval: "5m0s"
 # Configuration for Cilium's service-to-service mutual authentication using TLS handshakes.
 # Note that this is not full mTLS support without also enabling encryption of some form.
- # Current encryption options are WireGuard or IPSec, configured in encryption block above.
+ # Current encryption options are WireGuard or IPsec, configured in encryption block above.
 mutual:
 # -- Port on the agent where mutual authentication handshakes between agents will be performed
 port: 4250
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
index 00efa862392330..df1f579284c64a 100644
--- a/install/kubernetes/cilium/values.yaml.tmpl
+++ b/install/kubernetes/cilium/values.yaml.tmpl
@@ -867,7 +867,7 @@ encryption:
 # -- Maximum duration of the IPsec key rotation. The previous key will be
 # removed after that delay.
 keyRotationDuration: "5m"
- # -- Enable IPSec encrypted overlay
+ # -- Enable IPsec encrypted overlay
 encryptedOverlay: false
 wireguard:
 # -- Enables the fallback to the user-space implementation (deprecated).
@@ -3298,7 +3298,7 @@ authentication:
 gcInterval: "5m0s"
 # Configuration for Cilium's service-to-service mutual authentication using TLS handshakes.
 # Note that this is not full mTLS support without also enabling encryption of some form.
- # Current encryption options are WireGuard or IPSec, configured in encryption block above.
+ # Current encryption options are WireGuard or IPsec, configured in encryption block above.
 mutual:
 # -- Port on the agent where mutual authentication handshakes between agents will be performed
 port: 4250