Skip to content

envoy: Update to pick up fixes #32864

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 4, 2024
Merged

envoy: Update to pick up fixes #32864

merged 1 commit into from
Jun 4, 2024

Conversation

jrajahalme
Copy link
Member

@jrajahalme jrajahalme commented Jun 4, 2024
edited
Loading

Update Envoy image to pick up fixes:

  • reopen bpf ipcache map on network policy stream restart

    Fixes the problem where cilium agent restart creates a new bpf ipcache map and (daemonset) cilium-envoy keeps using the old one.

  • change original destination cluster to not create different Host instances for the same destination

    Fixes the problem where multiple Host instances are created when two worker threads access the same destination at the same time, and then one of them fails to create an upstream connection due to source port bind failure.

  • update Go dependencies

    Fixes CVEs for the proxylib.

Fixes: #32651

Envoy now reopens ipcache on agent restart and avoids upstream bind errors on concurrent access to a destination.

@jrajahalme
envoy: Update to pick up fixes
f1455dc 
Update Envoy image to pick up fixes:

- reopen bpf ipcache map on network policy stream restart

  Fixes the problem where cilium agent restart creates a new bpf ipcache
  map and (daemonset) cilium-envoy keeps using the old one.

- change original destination cluster to not create different Host instances for the same destination

  Fixes the problem where multiple Host instances are created when two
  worker threads access the same destination at the same time, and then
  one of them fails to create an upstream connection due to source port
  bind failure.

- update Go dependencies

  Fixes CVEs for the proxylib.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme added kind/bug This is a bug in the Cilium logic. area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. release-note/bug This PR fixes an issue in a previous release of Cilium. labels Jun 4, 2024
@jrajahalme jrajahalme requested review from a team as code owners June 4, 2024 07:30
@jrajahalme jrajahalme mentioned this pull request Jun 4, 2024
Merged
@jrajahalme
Copy link
Member Author

/test

@youngnick youngnick removed their request for review June 4, 2024 08:35
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 4, 2024
@sayboras sayboras added this pull request to the merge queue Jun 4, 2024
Merged via the queue into cilium:main with commit 1b987b6 Jun 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gandro gandro gandro approved these changes

@borkmann borkmann borkmann approved these changes

@sayboras sayboras sayboras approved these changes

Assignees
No one assigned
Labels
area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Envoy standalone DaemonSet does not pick up IPCache changes after cilium-agent restart
4 participants
@jrajahalme @gandro @borkmann @sayboras