expose openssl feature

Author: jpinsonneau

api/flowcollector/v1beta2/flowcollector_types.go

@@ -183,7 +183,8 @@ type FlowCollectorIPFIX struct {
 // - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
 // - `UDNMapping`, to enable interfaces mapping to UDN.<br>
 // - `IPSec`, to track flows between nodes with IPsec encryption.<br>
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping";"IPSec"
+// - `OpenSSLTracking`, to track SSL/TLS encrypted traffic using OpenSSL uprobes [Technology Preview].<br>
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping";"IPSec";"OpenSSLTracking"
 type AgentFeature string
 
 const (
@@ -195,6 +196,7 @@ const (
 	EbpfManager       AgentFeature = "EbpfManager"
 	UDNMapping        AgentFeature = "UDNMapping"
 	IPSec             AgentFeature = "IPSec"
+	OpenSSLTracking   AgentFeature = "OpenSSLTracking"
 )
 
 // Name of an eBPF agent alert.

api/flowcollector/v1beta2/flowcollector_validation_webhook.go

@@ -25,10 +25,11 @@ var (
 	CurrentClusterInfo     *cluster.Info
 	needPrivileged         = []AgentFeature{UDNMapping, NetworkEvents}
 	neededOpenShiftVersion = map[AgentFeature]string{
-		PacketDrop:    "4.14.0",
-		UDNMapping:    "4.18.0",
-		NetworkEvents: "4.19.0",
-		EbpfManager:   "4.19.0",
+		PacketDrop:      "4.14.0",
+		UDNMapping:      "4.18.0",
+		NetworkEvents:   "4.19.0",
+		EbpfManager:     "4.19.0",
+		OpenSSLTracking: "4.14.0", // Requires uprobe support
 	}
 )
 

api/flowcollector/v1beta2/helper.go

@@ -109,6 +109,10 @@ func (spec *FlowCollectorEBPF) IsIPSecEnabled() bool {
 	return spec.IsAgentFeatureEnabled(IPSec)
 }
 
+func (spec *FlowCollectorEBPF) IsOpenSSLTrackingEnabled() bool {
+	return spec.IsAgentFeatureEnabled(OpenSSLTracking)
+}
+
 func (spec *FlowCollectorEBPF) IsEBPFMetricsEnabled() bool {
 	return spec.Metrics.Enable == nil || *spec.Metrics.Enable
 }

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -1152,6 +1152,7 @@ spec:
                             - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
                             - `UDNMapping`, to enable interfaces mapping to UDN.<br>
                             - `IPSec`, to track flows between nodes with IPsec encryption.<br>
+                            - `OpenSSLTracking`, to track SSL/TLS encrypted traffic using OpenSSL uprobes [Technology Preview].<br>
                           enum:
                           - PacketDrop
                           - DNSTracking
@@ -1161,6 +1162,7 @@ spec:
                           - EbpfManager
                           - UDNMapping
                           - IPSec
+                          - OpenSSLTracking
                           type: string
                         type: array
                       flowFilter:

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -1078,6 +1078,7 @@ spec:
                               - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
                               - `UDNMapping`, to enable interfaces mapping to UDN.<br>
                               - `IPSec`, to track flows between nodes with IPsec encryption.<br>
+                              - `OpenSSLTracking`, to track SSL/TLS encrypted traffic using OpenSSL uprobes [Technology Preview].<br>
                             enum:
                               - PacketDrop
                               - DNSTracking
@@ -1087,6 +1088,7 @@ spec:
                               - EbpfManager
                               - UDNMapping
                               - IPSec
+                              - OpenSSLTracking
                             type: string
                           type: array
                         flowFilter:

helm/crds/flows.netobserv.io_flowcollectors.yaml

@@ -1082,6 +1082,7 @@ spec:
                               - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
                               - `UDNMapping`, to enable interfaces mapping to UDN.<br>
                               - `IPSec`, to track flows between nodes with IPsec encryption.<br>
+                              - `OpenSSLTracking`, to track SSL/TLS encrypted traffic using OpenSSL uprobes [Technology Preview].<br>
                             enum:
                               - PacketDrop
                               - DNSTracking
@@ -1091,6 +1092,7 @@ spec:
                               - EbpfManager
                               - UDNMapping
                               - IPSec
+                              - OpenSSLTracking
                             type: string
                           type: array
                         flowFilter:

internal/controller/ebpf/agent_controller.go

@@ -72,6 +72,8 @@ const (
 	envEnableEbpfMgr              = "EBPF_PROGRAM_MANAGER_MODE"
 	envEnableUDNMapping           = "ENABLE_UDN_MAPPING"
 	envEnableIPsec                = "ENABLE_IPSEC_TRACKING"
+	envEnableOpenSSLTracking      = "ENABLE_OPENSSL_TRACKING"
+	envOpenSSLPath                = "OPENSSL_PATH"
 	envDNSTrackingPort            = "DNS_TRACKING_PORT"
 	envPreferredInterface         = "PREFERRED_INTERFACE_FOR_MAC_PREFIX"
 	envAttachMode                 = "TC_ATTACH_MODE"
@@ -100,6 +102,7 @@ const (
 
 const (
 	defaultDNSTrackingPort = "53"
+	defaultOpenSSLPath     = "/usr/lib64/libssl.so.3"
 	bpfmanMapsVolumeName   = "bpfman-maps"
 	bpfManBpfFSPath        = "/run/netobserv/maps"
 )
@@ -762,6 +765,13 @@ func getEnvConfig(coll *flowslatest.FlowCollector, cinfo *cluster.Info) []corev1
 		})
 	}
 
+	if coll.Spec.Agent.EBPF.IsOpenSSLTrackingEnabled() {
+		config = append(config, corev1.EnvVar{
+			Name:  envEnableOpenSSLTracking,
+			Value: "true",
+		})
+	}
+
 	if coll.Spec.Agent.EBPF.IsEBPFMetricsEnabled() {
 		config = append(config, corev1.EnvVar{
 			Name:  envEnableMetrics,
@@ -810,6 +820,7 @@ func getEnvConfig(coll *flowslatest.FlowCollector, cinfo *cluster.Info) []corev1
 		envNetworkEventsGroupID: defaultNetworkEventsGroupID,
 		envPreferredInterface:   defaultPreferredInterface,
 		envAttachMode:           defaultAttach,
+		envOpenSSLPath:          defaultOpenSSLPath,
 	}
 	advancedConfig := helper.GetAdvancedAgentConfig(coll.Spec.Agent.EBPF.Advanced)
 	moreConfig := helper.BuildEnvFromDefaults(advancedConfig.Env, defaults)

internal/controller/ebpf/bpfmanager-controller.go

@@ -61,7 +61,8 @@ func (c *AgentController) bpfmanAttachNetobserv(ctx context.Context, fc *flowsla
 func prepareBpfApplication(bpfApp *bpfmaniov1alpha1.ClusterBpfApplication, fc *flowslatest.FlowCollector, netobservBCImage string) {
 	samplingValue := make([]byte, 4)
 	dnsPortValue := make([]byte, 2)
-	var enableDNSValue, enableRTTValue, enableFLowFilterValue, enableNetworkEvents, traceValue, networkEventsGroupIDValue, enablePktTranslation, enableIPSecValue []byte
+	var enableDNSValue, enableRTTValue, enableFLowFilterValue, enableNetworkEvents, traceValue, networkEventsGroupIDValue, enablePktTranslation, enableIPSecValue, enableOpenSSLValue []byte
+	openSSLPath := defaultOpenSSLPath
 
 	binary.NativeEndian.PutUint32(samplingValue, uint32(*fc.Spec.Agent.EBPF.Sampling))
 
@@ -93,6 +94,10 @@ func prepareBpfApplication(bpfApp *bpfmaniov1alpha1.ClusterBpfApplication, fc *f
 		enableIPSecValue = append(enableIPSecValue, uint8(1))
 	}
 
+	if fc.Spec.Agent.EBPF.IsOpenSSLTrackingEnabled() {
+		enableOpenSSLValue = append(enableOpenSSLValue, uint8(1))
+	}
+
 	bpfApp.Labels = map[string]string{
 		"app": netobservApp,
 	}
@@ -105,6 +110,8 @@ func prepareBpfApplication(bpfApp *bpfmaniov1alpha1.ClusterBpfApplication, fc *f
 				dnsPortValue = []byte(v)
 			} else if k == envNetworkEventsGroupID {
 				networkEventsGroupIDValue = []byte(v)
+			} else if k == envOpenSSLPath {
+				openSSLPath = v
 			}
 		}
 
@@ -124,6 +131,7 @@ func prepareBpfApplication(bpfApp *bpfmaniov1alpha1.ClusterBpfApplication, fc *f
 		"network_events_monitoring_groupid": networkEventsGroupIDValue,
 		"enable_pkt_translation_tracking":   enablePktTranslation,
 		"enable_ipsec":                      enableIPSecValue,
+		"enable_openssl_tracking":           enableOpenSSLValue,
 	}
 
 	bpfApp.Spec.BpfAppCommon.ByteCode = bpfmaniov1alpha1.ByteCodeSelector{
@@ -286,6 +294,23 @@ func prepareBpfApplication(bpfApp *bpfmaniov1alpha1.ClusterBpfApplication, fc *f
 			},
 		}...)
 	}
+
+	if fc.Spec.Agent.EBPF.IsOpenSSLTrackingEnabled() {
+		bpfApp.Spec.Programs = append(bpfApp.Spec.Programs, []bpfmaniov1alpha1.ClBpfApplicationProgram{
+			{
+				Name: "probe_entry_SSL_write",
+				Type: bpfmaniov1alpha1.ProgTypeUprobe,
+				UProbe: &bpfmaniov1alpha1.ClUprobeProgramInfo{
+					Links: []bpfmaniov1alpha1.ClUprobeAttachInfo{
+						{
+							Target:   openSSLPath,
+							Function: "SSL_write",
+						},
+					},
+				},
+			},
+		}...)
+	}
 }
 
 func (c *AgentController) createBpfApplication(ctx context.Context, bpfApp *bpfmaniov1alpha1.ClusterBpfApplication) error {