
Add encrypted field to Hubble flows and filtering to observe WireGuard/IPsec encrypted traffic #43073

@SRodi

Description

I would like to propose adding an encrypted boolean field to Hubble flow events, along with a corresponding filter (e.g., --encrypted / --unencrypted) in the hubble observe CLI.

Problem / Use-case

Today, it is not possible to filter Hubble flows based on whether traffic was encrypted (WireGuard or IPsec). This makes it difficult to debug:

  • node-to-node encryption issues
  • mixed-mode clusters during upgrades
  • partial encryption misconfigurations
  • compliance checks for mandatory encryption

Adding this field makes it much easier to diagnose why traffic is (or is not) being encrypted.

Proposal

  • Add a boolean encrypted field to flow.proto (metadata only; no datapath changes).
  • Add a matching field to filter.proto.
  • Add a new filter in Hubble server + CLI (--encrypted, --unencrypted).
  • Flow data would be populated based on existing WireGuard/IPsec metadata already available in the agent.

Impact

  • Backward compatible: new field is optional.
  • Enables more precise observability for encrypted traffic.
  • Useful for troubleshooting, operator workflows, and cloud-managed Cilium distributions.

Request for guidance

Looking for confirmation on:

  • Field name (encrypted or preferred alternative).
  • Placement inside the flow model (IP message vs. top-level).
  • Whether both WireGuard and IPsec should be covered in the same field.

Happy to open a PR immediately with your feedback.
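To make the semantics of the proposed boolean filter concrete, here is an added standalone Go example (not Hubble's code and not the issue author's; the Flow, FlowFilter, FilterFunc, BuildEncryptedFilter, FilterFromFlags and Observe names are hypothetical stand-ins for the generated flow.proto / filter.proto types and the hubble observe flag handling). It models the encrypted field as an optional boolean, so a flow whose encryption state the agent never populated (nil) is distinguishable from a flow observed in cleartext (false) and matches neither --encrypted nor --unencrypted, and it rejects the contradictory flag combination. The sample flows are constructed inline.

```go
package main

import (
	"errors"
	"fmt"
)

// Flow is a minimal stand-in for a Hubble flow event (hypothetical struct, not
// the generated flow.proto type). Encrypted is a *bool so that false (seen in
// cleartext) and nil (agent populated no encryption metadata) stay distinct,
// which is how an optional proto3 field decodes.
type Flow struct {
	Source      string
	Destination string
	Encrypted   *bool
}

// FlowFilter is the matching hypothetical filter message: a nil Encrypted
// means the filter does not constrain the field at all.
type FlowFilter struct {
	Encrypted *bool
}

// FilterFunc is a predicate over flows.
type FilterFunc func(f *Flow) bool

func boolPtr(b bool) *bool { return &b }

// BuildEncryptedFilter turns a FlowFilter into a predicate. A flow matches only
// when its Encrypted field is populated and equals the requested value, so a
// flow with unknown encryption state matches neither --encrypted nor
// --unencrypted instead of being misreported as cleartext.
func BuildEncryptedFilter(ff *FlowFilter) FilterFunc {
	if ff == nil || ff.Encrypted == nil {
		return func(*Flow) bool { return true }
	}
	want := *ff.Encrypted
	return func(f *Flow) bool {
		return f != nil && f.Encrypted != nil && *f.Encrypted == want
	}
}

// FilterFromFlags maps the proposed CLI flags onto a FlowFilter and rejects the
// contradictory combination.
func FilterFromFlags(encrypted, unencrypted bool) (*FlowFilter, error) {
	switch {
	case encrypted && unencrypted:
		return nil, errors.New("--encrypted and --unencrypted are mutually exclusive")
	case encrypted:
		return &FlowFilter{Encrypted: boolPtr(true)}, nil
	case unencrypted:
		return &FlowFilter{Encrypted: boolPtr(false)}, nil
	default:
		return &FlowFilter{}, nil
	}
}

// Observe applies the filter to a slice of flows and returns the matching
// ones in their original order.
func Observe(flows []*Flow, ff *FlowFilter) []*Flow {
	match := BuildEncryptedFilter(ff)
	var out []*Flow
	for _, f := range flows {
		if match(f) {
			out = append(out, f)
		}
	}
	return out
}

// SampleFlows is a constructed set of flows: one encrypted (e.g. WireGuard),
// one cleartext, and one whose encryption state the agent did not report.
func SampleFlows() []*Flow {
	return []*Flow{
		{Source: "10.0.1.5", Destination: "10.0.2.9", Encrypted: boolPtr(true)},
		{Source: "10.0.1.5", Destination: "10.0.3.4", Encrypted: boolPtr(false)},
		{Source: "10.0.4.1", Destination: "10.0.2.9", Encrypted: nil},
	}
}

func main() {
	ff, _ := FilterFromFlags(false, true) // equivalent of: hubble observe --unencrypted
	for _, f := range Observe(SampleFlows(), ff) {
		fmt.Printf("%s -> %s unencrypted\n", f.Source, f.Destination)
	}
	if _, err := FilterFromFlags(true, true); err != nil {
		fmt.Println("error:", err)
	}
}
```

The tri-state representation is the point worth settling before the PR: for the compliance use case in the issue, "encryption metadata missing" should surface as its own condition rather than collapse into "unencrypted", otherwise a node that simply does not report the field would pass a mandatory-encryption check.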

Metadata

Assignees

No one assigned

    Labels

      • area/agent: Cilium agent related.
      • area/hubble: Impacts hubble server or relay.
      • kind/enhancement: This would improve or streamline existing functionality.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests