v1.15 Backports 2024-05-30 #32789
/test-backport-1.15
75f5de9 to b20d18f
/test-backport-1.15
My commits look good, thanks!
Looks good for #31671
[ upstream commit cf6b203 ] To let EGW traffic exit the gateway through the correct interface, we've introduced FIB lookup-driven redirects in the to-netdev path (#26215). This is needed for cases where the traffic first hits one interface via the default route, but then needs to bounce to some other interface that matches the actual egressIP. In this approach we masquerade the packet on its first pass through to-netdev, set the SNAT_DONE mark, and then redirect to the actual egress interface. Due to the SNAT_DONE mark we then skip the SNAT logic in the second pass through to-netdev. #29379 then improved the situation for any EGW traffic that enters the gateway from the overlay network (== anything that's not by a pod on the gateway). We now redirect in from-overlay, straight to the actual egress interface and masquerade the packet there. Now also harmonize the approach for local pods, and defer the masquerade until the packet hits the actual egress interface. This simplifies the overall picture. But it also allows us to raise TO_NETWORK datapath trace events that are enriched with the packet's original source IP - this event is raised on the *second* pass through to-netdev, so we need the SNAT to happen at the same time. Also add a comment to clarify the check to skip HostFW for SNATed traffic. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 7afb7c6 ] Make sure to test all the three supported certificate generation methods (i.e., helm, cronJob and certmanager) to prevent possible regressions affecting only one of them. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
b20d18f to 1754a01
thank you!
/test-backport-1.15
[ upstream commit ecadbf8 ] [ backporter's notes: additionally configured the cm-auth-mode value in the third matrix entry (the one using the external kvstore) to work around validation given that we enable the clustermesh-apiserver in that case in Cilium v1.14 (although with 0 replicas) to force the creation of the clustermesh configuration. ] Additionally test the stricter authentication modes, to prevent introducing possible regressions due to incompatibilities between Cilium versions. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 6a014ff ] This aids in troubleshooting, as the list of ports is not visible anywhere else in the sysdump. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com>
[ upstream commit 76ecb4b ] This fixes a bug where the port reservation of ports which can conflict with the transparent DNS proxy was only performed if IPv6 was enabled. The call to `reserveLocalIPPorts` was accidentally added in the "IPv6-only" branch. This commit fixes that by unconditionally reserving local ports. Fixes: 11fe7cc ("cilium-cni: Reserve ports that can conflict with transparent DNS proxy") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
[ upstream commit 4cda262 ] In the latest state, lint-build-commits takes over 90min. While it is not desirable for it to take this much time, bump it to 180min as a workaround. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com>
[ upstream commit 6ed0098 ] When queried for the routes of an unknown IP family the kernel returns the routes for all IP families. This ends up returning the IPv4 routes when IPv6 is disabled at boot time. Therefore calling DeleteRouteTable with family = AF_INET6 will delete IPv4 routes too, breaking the DNS proxy. Fixes: #30744 Signed-off-by: Foyer Unix <foyerunix@foyer.lu>
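The failure mode described in commit 6ed0098 (a route dump requested for AF_INET6 coming back with IPv4 routes when IPv6 is disabled, so a table-wide delete removes the wrong family) is worth seeing as a defensive check. The following is an added example, not Cilium's code and not what the upstream fix does: it models a route dump with a constructed `Route` struct and constructed `AF_*` constants, and filters the routes to delete by the requested family and table before anything is removed, refusing outright when the family is unspecified. The table number and the route entries are made up for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the Linux address families. The real values
// would come from golang.org/x/sys/unix; they are inlined here so the
// example runs without that dependency.
const (
	AF_UNSPEC = 0
	AF_INET   = 2
	AF_INET6  = 10
)

// Route is a constructed, minimal model of a netlink route carrying only
// the fields needed for the family filter. It is not Cilium's route type.
type Route struct {
	Family int
	Dst    string
	Table  int
}

// ErrNoFamily is returned when a caller asks to delete routes without
// naming a concrete family; a family-unaware dump would otherwise match
// everything.
var ErrNoFamily = errors.New("refusing to delete routes for an unspecified family")

// routesToDelete takes the routes as listed by the kernel (which, as the
// commit message notes, may span all families regardless of what was
// asked for) and returns only those that belong to the requested family
// and table. Because the filter is applied in userspace on every entry,
// an IPv4 route can never be selected for deletion by an AF_INET6 cleanup,
// even if the dump silently fell back to "all families".
func routesToDelete(listed []Route, family, table int) ([]Route, error) {
	if family != AF_INET && family != AF_INET6 {
		return nil, ErrNoFamily
	}
	var out []Route
	for _, r := range listed {
		if r.Family == family && r.Table == table {
			out = append(out, r)
		}
	}
	return out, nil
}

func main() {
	// Constructed dump mimicking a host with IPv6 disabled at boot: the
	// AF_INET6 request is answered with the IPv4 routes of the table.
	dump := []Route{
		{Family: AF_INET, Dst: "10.0.0.0/8", Table: 2005},
		{Family: AF_INET, Dst: "169.254.0.0/16", Table: 2005},
	}
	del, err := routesToDelete(dump, AF_INET6, 2005)
	fmt.Printf("routes selected for deletion: %d, err: %v\n", len(del), err)
}
```

The point of the helper is that the family check happens per route rather than being trusted from the request: the dump is treated as untrusted input, and a delete for one family can only ever touch entries that explicitly carry that family.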
1754a01 to c5c1039
Edited ab1b332 to additionally configure the
/test-backport-1.15
Fixed minor conflicts due to some diff lines not being present in v1.15.
Once this PR is merged, a GitHub action will update the labels of these PRs: