v1.15 Backports 2024-10-28 #35586
Conversation
[ upstream commit ed34095 ]
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com>

[ upstream commit abdaddc ]
When redirecting from a L3 device to the overlay interface, we need to manually add a L2 header to the (inner) packet. #33421 fixed this for the case of Nodeport NAT traffic from the LB node to a backend. Generalize it so that it helps all users of the nodeport_add_tunnel_encap() helper - for example DSR-Geneve or EgressGW reply traffic.
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com>

[ upstream commit 677bcc1 ]
Validate that the from-netdev program adds a L2 header to the packet, before redirecting it to the overlay interface.
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com>

[ upstream commit 8190512 ]
This commit changes the builder image for cilium-operator to be the cilium-builder image, rather than the golang image. This change will allow for arm64 builds of the cilium-operator to be built with CGO enabled due to the cilium-builder image containing multi-platform C compilers. This build configuration is a stepping stone for other build-time features, such as CGO binaries with race detection enabled.
Fixes: 35324
Signed-off-by: Ryan Drew <ryan.drew@isovalent.com>
Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com>

[ upstream commit a55178f ]
[ backporter's notes:
* fixed MTU argument to ReinstallRoutingRules in pkg/datapath/loader/base.go
* resolved trivial conflict in Proxy interface in pkg/datapath/types/loader.go ]
This commit fixes the pod-to-pod traffic being dropped because of using a higher MTU value. This is caused by a non-configuration of the default route from proxy, in the routing table n. 2005 respectively. While the pod-to-pod default route MTU is being adjusted according to the IPSec overhead and the adjusted size of the authentication key, the from-proxy route is not changed as well, leading to connectivity issues when both ingress and egress policies are in place.
Fixes: #33168
Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>

[ upstream commit 3ccd76a ]
[ backporter's notes: resolved imports conflicts in pkg/proxy/routes_test.go ]
This commit extends the routes tests to check that, according to the previous commit, the default route in the table 2005 is correctly installed with the provided MTU. This is particularly useful as when enabling both ingress and egress policies with IPSec, the default route has a lower MTU since it needs to account also for the encryption overhead. With this commit, in the tests we make sure that, when provided, the correct value is used rather than the default one.
Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
/test-backport-1.15
(ran the conformance test 3x, looks good)
LGTM, also the conflict resolution for my commits, many thanks for it 👍
Thanks!
This commit enables the `pod-to-pod-with-l7-policy-encryption` cli connectivity test for v1.15 and v1.16, after the backports of #35173 in:
* v1.15: #35586
* v1.16: #35543
While enabling the test, in this commit we split the version check logic (that is independent from the IP family used) from the check for running IPv6+IPsec (that should be prevented due to a current limitation of having a flaky plain-text packet in the test suite, tracked in #35485).
Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>

ReinstallRoutingRules in pkg/datapath/loader/base.go
cilium-cli, as it is not present in the v1.15 branch
Once this PR is merged, a GitHub action will update the labels of these PRs: