[v1.12-backport] Introduce fromEgressProxyRule #31930
Conversation
[ upstream commit: 7d278af ] [ backporter's note: v1.12 uses bpf/init.sh to install proxy rules so we have to do a customized backport. ] Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
[ upstream commit: 53133ff ] [ backporter's note: v1.12 uses bpf/init.sh to install proxy rules so we have to do a customized backport. ] Although we don't install fromEgressProxyRule for now, this commit insists on removing it to make sure further downgrade can go smoothly. Soon We'll have another PR to install fromEgressProxyRule, and cilium downgrade from that PR to branch tip (patch downgrade, 1.X.Y -> 1.X.{Y-1}) will be broken if we don't handle the new ip rule carefullly. Without this patch, downgrade from higher version will leave fromEgressProxyRule on the lower version cilium, cluster will be in a wrong status of "having stale ip rule + not having other necessary settings (iptables)", breaking the connectivity. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
54bd107 to
385ec33
Compare
|
/test-backport-1.12 |
|
/test-1.16-4.9 |
|
This is needed to enable smooth downgrades from v1.13, right? Is it enough to merge the PR, or would the v1.13 CI also require a fresh v1.12 release? (which we most likely won't do, as v1.12 is EOL). |
|
@julianwiedmann I was thinking the same. If there won't be a 1.12 release, how about specifying downgrade image tag like https://github.com/cilium/cilium/pull/31955/files#diff-07b1303f71b74ecfe10ad34472da7c7e9b79ac9274fd93fe833ecc1551898473 in 1.13 test-ipsec-upgrade.yaml? Or any way more elegant to let 1.13 upgrade test use the 1.12 tip? |
My first thought was to make the Egress-Proxy support on v1.13 an opt-in feature. Because users will face the same problem - they can't downgrade to a fixed v1.12. |
For 1.13 -> 1.12 downgrade, we can provide downgrade guide with several simple command in the next 1.13 release notes. (Hope users are reading release notes.... |
|
Close due to won't do. 1.12 is EOL so it doesn't make sense to release another 1.12.X. I'll take care of downgrade issue by manually adding necessary commands in ci-ipsec-upgrade.yaml. |
It's basically #31930 what we can't merge due to 1.12 EOL. Signed-off-by: gray <gray.liang@isovalent.com>
It's basically #31930 what we can't merge due to 1.12 EOL. Signed-off-by: gray <gray.liang@isovalent.com>
It's basically #31930 what we can't merge due to 1.12 EOL. Signed-off-by: gray <gray.liang@isovalent.com>
|
/test-backport-1.12 |
|
This pull request has been automatically marked as stale because it |
|
This pull request has not seen any activity since it was marked stale. |
Uh oh!
There was an error while loading. Please reload this page.