Skip to content

Proxy persist proxy ports 1.15 #35684

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Nov 6, 2024
Merged

Proxy persist proxy ports 1.15 #35684

merged 6 commits into from
Nov 6, 2024

Conversation

jrajahalme
Copy link
Member

Once this PR is merged, a GitHub action will update the labels of these PRs:

 32973

@jrajahalme
proxy: Clear the proxy port on failure
e059bef 
[ upstream commit 00b7717 ]

Clear proxy port on failure so that we'll try another random port next
time.

We have two failure cases for creating new redirects:

- syncronous, for DNS proxy. Simply zero the proxy port in the retry
  loop.

- asynchronous, for Envoy proxy. Clear proxy port state on revert
  callback.

Noticed the need for this change when accidentally trying to use port 1
for Envoy when developing another feature. In this case Envoy can't bind
the port, and all further tries were also trying the same port, as the
proxy port was not cleared on revert.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
proxy: Try previously used port first
e35c0ac 
[ upstream commit bfbd3d6 ]

"rulesPort" is non-zero when we have a datapath (iptables) rules with a
specific port. Try re-creating a redirect with that port if no other port
is configured. This reduces churn on the datapath, as the existing rule
can be reused without a need for an update.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
proxy: Fix AllocateProxyPort
3416361 
[ upstream commit ee1cf1c ]

Rename AllocateProxyPort as AllocateCRDProxyPort to make it clear that it
is only to be used for CEC/CCEC CRD listeners. Also enforce the current
practice where CRD proxy ports are only accessed by name, and 'ingress'
member is always false for CRD ports.

Fix the unit test to verify that the proxy port was not reallocated for
the same listener name.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
proxy: Remove deprecated "localOnly"
2ad8786 
[ upstream commit 8149af7 ]

We now only ever have 'localOnly = true' so that we always bind the proxy
listeners to localhost address. Remove support for all-hosts addresses.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
proxy: Reuse proxy ports from datapath on restart
6bd4689 
[ upstream commit d11e4d2 ]

Previously we only reused the DNS proxy port from the datapath. Change to
reuse the old proxy ports for all proxy redirects from datapath, if
possible. This reduces Listener churn on daemonset Envoy on agent
restart.

With this change the listener update in Envoy logs after agent restart
looks like this:

  begin add/update listener: name=cilium-http-egress:13563 hash=11560876577076369351
  duplicate/locked listener 'cilium-http-egress:13563'. no add/update
  lds: add/update listener 'cilium-http-egress:13563' skipped

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme added kind/backports This PR provides functionality previously merged into master. backport/1.15 This PR represents a backport for Cilium 1.15.x of a PR that was merged to main. labels Oct 31, 2024
@jrajahalme jrajahalme requested a review from a team as a code owner October 31, 2024 15:58
@jrajahalme
proxy: Persists proxy ports in /var/run/cilium/state
054fda9 
[ upstream commit 9f210b5 ]

Write proxy ports into /var/cilium/state/proxy_ports_state.json and
restore from there. If the file is not available, only then restore from
iptables rules. Restoration from iptables is still needed for upgrades.

This fixes the issue with bpf TPROXY, as it does not rely on iptables
rules, so the proxy ports can not be recovered from them.

Note: File IO is patterned after similar methods for
      cache.CachingIdentityAllocator.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the proxy-persist-proxy-ports-1.15 branch from e81ea2d to 054fda9 Compare November 2, 2024 13:09
@jrajahalme
Copy link
Member Author

/test-backport-1.15

@jrajahalme jrajahalme mentioned this pull request Nov 5, 2024
Closed
@jrajahalme jrajahalme enabled auto-merge (rebase) November 6, 2024 09:57
@jrajahalme jrajahalme merged commit 78684dc into cilium:v1.15 Nov 6, 2024
59 checks passed
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 6, 2024
@gandro
Copy link
Member

gandro commented Nov 6, 2024

@jrajahalme I think you also need to backport #33230

@gandro gandro mentioned this pull request Nov 13, 2024
Closed
@cilium-release-bot cilium-release-bot bot mentioned this pull request Nov 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@youngnick youngnick youngnick approved these changes

Assignees
No one assigned
Labels
backport/1.15 This PR represents a backport for Cilium 1.15.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jrajahalme @gandro @youngnick