Skip to content

v1.11 backports 2023-05-28 #25733

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 1, 2023
Merged

v1.11 backports 2023-05-28 #25733

merged 1 commit into from
Jun 1, 2023

Conversation

sayboras
Copy link
Member

@sayboras sayboras commented May 28, 2023
edited by jrajahalme
Loading

Once this PR is merged, you can update the PR labels via:

$ for pr in 25674; do contrib/backporting/set-labels.py $pr done 1.11; done

@sayboras sayboras requested a review from a team as a code owner May 28, 2023 01:47
@sayboras sayboras added kind/backports This PR provides functionality previously merged into master. backport/1.11 labels May 28, 2023
@sayboras sayboras requested a review from jrajahalme May 28, 2023 01:47
@sayboras
Copy link
Member Author

sayboras commented May 28, 2023
edited by maintainer-s-little-helper bot
Loading

/test-backport-1.11

Job 'Cilium-PR-K8s-1.21-kernel-5.4' failed:

Click to show.

Test Name

K8sDatapathConfig Host firewall With native routing

Failure Output

FAIL: Error deleting resource /home/jenkins/workspace/Cilium-PR-K8s-1.21-kernel-5.4/src/github.com/cilium/cilium/test/k8sT/manifests/host-policies.yaml: Cannot retrieve "cilium-x8r7z"'s policy revision: cannot get policy revision: ""

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-5.4/7/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.21-kernel-5.4 so I can create one.

Then please upload the Jenkins artifacts to that issue.

Job 'Cilium-PR-K8s-1.21-kernel-4.9' failed:

Click to show.

Test Name

K8sServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) with L7 policy Tests NodePort with L7 Policy

Failure Output

FAIL: Request from k8s1 to service http://[fd04::11]:31758 failed

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-4.9/15/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.21-kernel-4.9 so I can create one.

Then please upload the Jenkins artifacts to that issue.

Job 'Cilium-PR-K8s-1.18-kernel-4.9' failed:

Click to show.

Test Name

K8sDatapathConfig Host firewall With native routing and endpoint routes

Failure Output

FAIL: Error deleting resource /home/jenkins/workspace/Cilium-PR-K8s-1.18-kernel-4.9/src/github.com/cilium/cilium/test/k8sT/manifests/host-policies.yaml: Cannot retrieve "cilium-p5z5v"'s policy revision: cannot get policy revision: ""

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.18-kernel-4.9/18/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.18-kernel-4.9 so I can create one.

Then please upload the Jenkins artifacts to that issue.

Job 'Cilium-PR-K8s-1.21-kernel-5.4' failed:

Click to show.

Test Name

K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master

Failure Output

FAIL: Unable to download helm chart v1.10 from GitHub

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-5.4/8/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.21-kernel-5.4 so I can create one.

Then please upload the Jenkins artifacts to that issue.

@sayboras
Copy link
Member Author

/test-1.18-4.9

@sayboras
Copy link
Member Author

/test-1.21-4.9

@sayboras
Copy link
Member Author

/test-1.21-5.4

@sayboras
Copy link
Member Author

test-1.21-5.4 failed due to Suite-k8s-1.21.K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master, which seems to be a flake, re-run one more time to confirm if it's persistent.

@sayboras
Copy link
Member Author

/test-1.21-5.4

@jrajahalme
envoy: Never use x-forwarded-for header
da0f8a6 
[ upstream commit e8fcd6b ]

Envoy by default gets the source address from the `x-forwarded-for`
header, if present. Always add an explicit `use_remote_address: true` for
Envoy HTTP Connection Manager configuration to disable the default
behavior.

Also set the `skip_xff_append: true` option to retain the old behavior of
not adding `x-forwarded-for` headers on cilium envoy proxy.

Setting these options is not really needed for admin and metrics
listeners, or most of the tests, but we add them there too in case anyone
uses them as a source of inspiration for a real proxy configuration.

This fixes incorrect hubble flow data when HTTP requests contain an
`x-forwarded-for` header. This change has no effect on Cilium policy
enforcement where the source security identity is always resolved before
HTTP headers are parsed.

Fixes: cilium#25630
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@jrajahalme jrajahalme force-pushed the pr/v1.11-backport-2023-05-28 branch from ceab85c to da0f8a6 Compare June 1, 2023 07:34
@jrajahalme jrajahalme merged commit ddeaf64 into cilium:v1.11 Jun 1, 2023
@jrajahalme
Copy link
Member

Removed irrelevant example files also from the 1st commit, merged as all the tests had passed.

@sayboras sayboras deleted the pr/v1.11-backport-2023-05-28 branch June 1, 2023 08:02
@michi-covalent michi-covalent mentioned this pull request Jun 14, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jrajahalme jrajahalme Awaiting requested review from jrajahalme

Assignees
No one assigned
Labels
kind/backports This PR provides functionality previously merged into master.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sayboras @jrajahalme