workflows/ipsec: Fix leak detection for IPv6-only in e2e downgrade #40881
Merged
Conversation
Commit 8dc7793 ("workflows/ipsec: Skip bpftrace DNS check if IPv4 is disabled") fixed the leak detection when running on an IPv6-only cluster. We forgot to disable bpftrace DNS checks for IPv6-only clusters in the "after downgrade" step. This commit should fix it. Fixes: #40868. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
joestringer reviewed, Aug 1, 2025: /test
brlbil approved these changes, Aug 5, 2025
smagnani96 added a commit that referenced this pull request, Aug 19, 2025
In #40868, we observed no DNS traffic being recorded by the check-encryption-leaks.bt script when skipping Cilium version downgrade in an IPv6-only cluster. This was true given the to-fqdn tests were run only if IPv4 was enabled. However, the fix landed in #40881 is not enough: the downgrade is skipped, but the check-encryption-leaks.bt script can still be run in DNS-assertion mode for clusters with IPv4 enabled. This would cause the script to throw an error if no DNS traffic is being recorded. Given we skip all the downgrade tests, there is no guarantee that we see DNS traffic, given no CLI tests nor conn-disrupt tests run at that moment in time.

There are two possible ways to fix that:
1. activate the DNS-assertion mode only when IPv4 is enabled (already doing this) AND when downgrade is not skipped.
2. skip the whole check-encryption-leaks.bt setup for the downgrade step when we're skipping downgrade (i.e., no tests would generate such traffic).

This commit opts for (2).

Fixes: #40868.
Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
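The reasoning in the commit message above (a positive control that misfires when nothing generates the traffic it expects, and the two candidate gatings) is modelled below as an added example. This is not Cilium's own code: the real check-encryption-leaks.bt is a bpftrace script whose contents are not on this page, so `check_encryption_leaks` here is a hypothetical stand-in, and the packet model, pod CIDRs and captures are constructed. The three `plan_*` functions encode the gating after #40881, option (1) and option (2) from the message, so the false failure and both fixes can be exercised side by side.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """One observed packet (constructed model). 'encrypted' means the packet
    left the node inside an IPsec ESP tunnel."""
    src: str
    dst: str
    proto: str           # "udp" or "tcp"
    dport: int = 0
    encrypted: bool = True


class LeakCheckError(Exception):
    """Mirrors the script 'throwing an error' when a check fails."""


def check_encryption_leaks(packets, pod_cidrs, assert_dns: bool) -> dict:
    """Hypothetical stand-in for check-encryption-leaks.bt (not the real script).

    A leak is pod-to-pod traffic that was not encrypted. In DNS-assertion mode
    the check also demands that some DNS traffic was recorded: a positive
    control proving the tracer actually saw the to-fqdn tests' traffic. That
    control is exactly what fires when no test runs in the downgrade step.
    """
    nets = [ipaddress.ip_network(c) for c in pod_cidrs]

    def in_pods(addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)   # version mismatch simply yields False

    leaks, dns_seen = [], 0
    for p in packets:
        if p.proto == "udp" and p.dport == 53:
            dns_seen += 1
        if not p.encrypted and in_pods(p.src) and in_pods(p.dst):
            leaks.append(p)
    if leaks:
        raise LeakCheckError(f"{len(leaks)} unencrypted pod-to-pod packet(s)")
    if assert_dns and dns_seen == 0:
        raise LeakCheckError("DNS-assertion mode set but no DNS traffic recorded")
    return {"packets": len(packets), "dns_seen": dns_seen, "leaks": 0}


# Gating for the "after downgrade" step. Each returns the check's settings,
# or None when the check is not set up at all.
def plan_before_fix(ipv4_enabled: bool, skip_downgrade: bool) -> Optional[dict]:
    """State after #40881: DNS-assertion mode keyed only on IPv4 being enabled."""
    return {"assert_dns": ipv4_enabled}


def plan_option_1(ipv4_enabled: bool, skip_downgrade: bool) -> Optional[dict]:
    """Option (1): assert on DNS only if IPv4 is enabled AND downgrade runs."""
    return {"assert_dns": ipv4_enabled and not skip_downgrade}


def plan_option_2(ipv4_enabled: bool, skip_downgrade: bool) -> Optional[dict]:
    """Option (2), the one the commit chose: no check setup when downgrade is skipped."""
    if skip_downgrade:
        return None
    return {"assert_dns": ipv4_enabled}


def run_downgrade_step(plan_fn, ipv4_enabled, skip_downgrade, packets, pod_cidrs) -> str:
    """Drive one CI step: returns 'skipped', 'passed' or 'failed: <reason>'."""
    plan = plan_fn(ipv4_enabled, skip_downgrade)
    if plan is None:
        return "skipped"
    try:
        check_encryption_leaks(packets, pod_cidrs, plan["assert_dns"])
    except LeakCheckError as e:
        return f"failed: {e}"
    return "passed"


# Constructed data: dual-stack pod CIDRs and captures for the two situations.
POD_CIDRS = ["10.0.0.0/8", "fd00::/8"]
CAPTURE_WITH_TESTS = [                      # CLI / conn-disrupt / to-fqdn tests ran
    Packet("10.0.1.5", "10.0.0.10", "udp", 53),   # DNS lookup, carried inside ESP
    Packet("10.0.1.5", "10.0.2.9", "tcp", 80),
    Packet("fd00::1:5", "fd00::2:9", "tcp", 80),
]
CAPTURE_NO_TESTS: list = []                 # downgrade skipped, nothing ran
CAPTURE_LEAK = CAPTURE_WITH_TESTS + [Packet("10.0.1.5", "10.0.2.9", "tcp", 80, encrypted=False)]

if __name__ == "__main__":
    for name, fn in [("before fix", plan_before_fix), ("option 1", plan_option_1), ("option 2", plan_option_2)]:
        print(f"{name:10} ipv4 + skip-downgrade:", run_downgrade_step(fn, True, True, CAPTURE_NO_TESTS, POD_CIDRS))
    print("option 2   real leak:", run_downgrade_step(plan_option_2, True, False, CAPTURE_LEAK, POD_CIDRS))
```

Running it shows the pre-#40881-fix gating reporting a failure on an empty capture purely because the DNS positive control never fired, while option (1) passes and option (2) skips the step; with a capture that does contain an unencrypted pod-to-pod packet, option (2) still reports the leak, so skipping the setup only removes the check where it could not observe anything anyway.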
github-merge-queue bot pushed a commit that referenced this pull request, Aug 19, 2025
pippolo84 pushed a commit that referenced this pull request, Aug 25, 2025
[ upstream commit 34242dd ]

In #40868, we observed no DNS traffic being recorded by the check-encryption-leaks.bt script when skipping Cilium version downgrade in an IPv6-only cluster. This was true given the to-fqdn tests were run only if IPv4 was enabled. However, the fix landed in #40881 is not enough: the downgrade is skipped, but the check-encryption-leaks.bt script can still be run in DNS-assertion mode for clusters with IPv4 enabled. This would cause the script to throw an error if no DNS traffic is being recorded. Given we skip all the downgrade tests, there is no guarantee that we see DNS traffic, given no CLI tests nor conn-disrupt tests run at that moment in time.

There are two possible ways to fix that:
1. activate the DNS-assertion mode only when IPv4 is enabled (already doing this) AND when downgrade is not skipped.
2. skip the whole check-encryption-leaks.bt setup for the downgrade step when we're skipping downgrade (i.e., no tests would generate such traffic).

This commit opts for (2).

Fixes: #40868.
Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84 pushed a commit that referenced this pull request, Aug 25, 2025
pippolo84 pushed a commit that referenced this pull request, Aug 26, 2025
pippolo84 pushed a commit that referenced this pull request, Aug 26, 2025
pippolo84 pushed a commit that referenced this pull request, Aug 26, 2025
github-merge-queue bot pushed a commit that referenced this pull request, Sep 1, 2025
Labels:
backport-done/1.18: The backport for Cilium 1.18.x for this PR is done.
feature/ipsec: Relates to Cilium's IPsec feature.
feature/ipv6-only: Relates to single-stack IPv6 support.
ready-to-merge: This PR has passed all tests and received consensus from code owners to merge.
release-note/ci: This PR makes changes to the CI.
Commit 8dc7793 ("workflows/ipsec: Skip bpftrace DNS check if IPv4 is disabled") fixed the leak detection when running on an IPv6-only cluster. We forgot to disable bpftrace DNS checks for IPv6-only clusters in the "after downgrade" step. This commit should fix it.
Discussion #40412 (comment).
Fixes: #40868