Expose openssl feature

api/flowcollector/v1beta2/flowcollector_types.go

@@ -183,7 +183,8 @@ type FlowCollectorIPFIX struct {
 // - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
 // - `UDNMapping`, to enable interfaces mapping to UDN.<br>
 // - `IPSec`, to track flows between nodes with IPsec encryption.<br>
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping";"IPSec"
+// - `OpenSSLTracking`, to track SSL/TLS encrypted traffic using OpenSSL uprobes [Technology Preview].<br>
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager";"UDNMapping";"IPSec";"OpenSSLTracking"
 type AgentFeature string
 
 const (
@@ -195,6 +196,7 @@ const (
 	EbpfManager       AgentFeature = "EbpfManager"
 	UDNMapping        AgentFeature = "UDNMapping"
 	IPSec             AgentFeature = "IPSec"
+	OpenSSLTracking   AgentFeature = "OpenSSLTracking"
 )
 
 // Name of an eBPF agent alert.

api/flowcollector/v1beta2/flowcollector_validation_webhook.go

@@ -25,10 +25,11 @@ var (
 	CurrentClusterInfo     *cluster.Info
 	needPrivileged         = []AgentFeature{UDNMapping, NetworkEvents}
 	neededOpenShiftVersion = map[AgentFeature]string{
-		PacketDrop:    "4.14.0",
-		UDNMapping:    "4.18.0",
-		NetworkEvents: "4.19.0",
-		EbpfManager:   "4.19.0",
+		PacketDrop:      "4.14.0",
+		UDNMapping:      "4.18.0",
+		NetworkEvents:   "4.19.0",
+		EbpfManager:     "4.19.0",
+		OpenSSLTracking: "4.14.0", // Requires uprobe support
 	}
 )
 

api/flowcollector/v1beta2/helper.go

@@ -109,6 +109,10 @@ func (spec *FlowCollectorEBPF) IsIPSecEnabled() bool {
 	return spec.IsAgentFeatureEnabled(IPSec)
 }
 
+func (spec *FlowCollectorEBPF) IsOpenSSLTrackingEnabled() bool {
+	return spec.IsAgentFeatureEnabled(OpenSSLTracking)
+}
+
 func (spec *FlowCollectorEBPF) IsEBPFMetricsEnabled() bool {
 	return spec.Metrics.Enable == nil || *spec.Metrics.Enable
 }

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -1152,6 +1152,7 @@ spec:
                             - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
                             - `UDNMapping`, to enable interfaces mapping to UDN.<br>
                             - `IPSec`, to track flows between nodes with IPsec encryption.<br>
+                            - `OpenSSLTracking`, to track SSL/TLS encrypted traffic using OpenSSL uprobes [Technology Preview].<br>
                           enum:
                           - PacketDrop
                           - DNSTracking
@@ -1161,6 +1162,7 @@ spec:
                           - EbpfManager
                           - UDNMapping
                           - IPSec
+                          - OpenSSLTracking
                           type: string
                         type: array
                       flowFilter:

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -1078,6 +1078,7 @@ spec:
                               - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
                               - `UDNMapping`, to enable interfaces mapping to UDN.<br>
                               - `IPSec`, to track flows between nodes with IPsec encryption.<br>
+                              - `OpenSSLTracking`, to track SSL/TLS encrypted traffic using OpenSSL uprobes [Technology Preview].<br>
                             enum:
                               - PacketDrop
                               - DNSTracking
@@ -1087,6 +1088,7 @@ spec:
                               - EbpfManager
                               - UDNMapping
                               - IPSec
+                              - OpenSSLTracking
                             type: string
                           type: array
                         flowFilter:

helm/crds/flows.netobserv.io_flowcollectors.yaml

@@ -1082,6 +1082,7 @@ spec:
                               - `EbpfManager`, to enable using eBPF Manager to manage NetObserv eBPF programs. [Unsupported (*)].<br>
                               - `UDNMapping`, to enable interfaces mapping to UDN.<br>
                               - `IPSec`, to track flows between nodes with IPsec encryption.<br>
+                              - `OpenSSLTracking`, to track SSL/TLS encrypted traffic using OpenSSL uprobes [Technology Preview].<br>
                             enum:
                               - PacketDrop
                               - DNSTracking
@@ -1091,6 +1092,7 @@ spec:
                               - EbpfManager
                               - UDNMapping
                               - IPSec
+                              - OpenSSLTracking
                             type: string
                           type: array
                         flowFilter:

internal/controller/ebpf/agent_controller.go

@@ -72,6 +72,8 @@ const (
 	envEnableEbpfMgr              = "EBPF_PROGRAM_MANAGER_MODE"
 	envEnableUDNMapping           = "ENABLE_UDN_MAPPING"
 	envEnableIPsec                = "ENABLE_IPSEC_TRACKING"
+	envEnableOpenSSLTracking      = "ENABLE_OPENSSL_TRACKING"
+	envOpenSSLPath                = "OPENSSL_PATH"
 	envDNSTrackingPort            = "DNS_TRACKING_PORT"
 	envPreferredInterface         = "PREFERRED_INTERFACE_FOR_MAC_PREFIX"
 	envAttachMode                 = "TC_ATTACH_MODE"
@@ -100,6 +102,7 @@ const (
 
 const (
 	defaultDNSTrackingPort = "53"
+	defaultOpenSSLPath     = "/usr/lib64/libssl.so.3"
 	bpfmanMapsVolumeName   = "bpfman-maps"
 	bpfManBpfFSPath        = "/run/netobserv/maps"
 )
@@ -762,6 +765,13 @@ func getEnvConfig(coll *flowslatest.FlowCollector, cinfo *cluster.Info) []corev1
 		})
 	}
 
+	if coll.Spec.Agent.EBPF.IsOpenSSLTrackingEnabled() {
+		config = append(config, corev1.EnvVar{
+			Name:  envEnableOpenSSLTracking,
+			Value: "true",
+		})
+	}
+
 	if coll.Spec.Agent.EBPF.IsEBPFMetricsEnabled() {
 		config = append(config, corev1.EnvVar{
 			Name:  envEnableMetrics,
@@ -810,6 +820,7 @@ func getEnvConfig(coll *flowslatest.FlowCollector, cinfo *cluster.Info) []corev1
 		envNetworkEventsGroupID: defaultNetworkEventsGroupID,
 		envPreferredInterface:   defaultPreferredInterface,
 		envAttachMode:           defaultAttach,
+		envOpenSSLPath:          defaultOpenSSLPath,
 	}
 	advancedConfig := helper.GetAdvancedAgentConfig(coll.Spec.Agent.EBPF.Advanced)
 	moreConfig := helper.BuildEnvFromDefaults(advancedConfig.Env, defaults)

internal/controller/ebpf/agent_controller_test.go

@@ -111,6 +111,7 @@ func TestGetEnvConfig_Default(t *testing.T) {
 			}},
 		{Name: "DNS_TRACKING_PORT", Value: "53"},
 		{Name: "NETWORK_EVENTS_MONITORING_GROUP_ID", Value: "10"},
+		{Name: "OPENSSL_PATH", Value: "/usr/lib64/libssl.so.3"},
 		{Name: "PREFERRED_INTERFACE_FOR_MAC_PREFIX", Value: "0a:58=eth0"},
 		{Name: "TC_ATTACH_MODE", Value: "tcx"},
 	}, env)
@@ -159,6 +160,7 @@ func TestGetEnvConfig_WithOverrides(t *testing.T) {
 			}},
 		{Name: "DNS_TRACKING_PORT", Value: "5353"},
 		{Name: "NETWORK_EVENTS_MONITORING_GROUP_ID", Value: "any"},
+		{Name: "OPENSSL_PATH", Value: "/usr/lib64/libssl.so.3"},
 		{Name: "PREFERRED_INTERFACE_FOR_MAC_PREFIX", Value: "0a:58=ens5"},
 		{Name: "TC_ATTACH_MODE", Value: "any"},
 	}, env)
@@ -190,6 +192,7 @@ func TestGetEnvConfig_OCP4_14(t *testing.T) {
 			}},
 		{Name: "DNS_TRACKING_PORT", Value: "53"},
 		{Name: "NETWORK_EVENTS_MONITORING_GROUP_ID", Value: "10"},
+		{Name: "OPENSSL_PATH", Value: "/usr/lib64/libssl.so.3"},
 		{Name: "PREFERRED_INTERFACE_FOR_MAC_PREFIX", Value: "0a:58=eth0"},
 		{Name: "TC_ATTACH_MODE", Value: "tc"},
 	}, env)