cilium-cli: skip some IPv6 connectivity tests for Cilium<1.14 when IPsec is enabled #36664
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jschwinger233
added a commit
that referenced
this pull request
Dec 17, 2024
Signed-off-by: gray <gray.liang@isovalent.com>
|
/ci-ipsec-upgrade |
jschwinger233
added a commit
that referenced
this pull request
Dec 17, 2024
Signed-off-by: gray <gray.liang@isovalent.com>
jschwinger233
added a commit
that referenced
this pull request
Dec 17, 2024
Signed-off-by: gray <gray.liang@isovalent.com>
jschwinger233
added a commit
that referenced
this pull request
Dec 17, 2024
Signed-off-by: gray <gray.liang@isovalent.com>
|
/test |
0cb64a1 to
30c9a74
Compare
|
/test |
git bisect said so 😶🌫️ I was also surprised |
That PR removes several "skip IPv6 on <v1.14" checks. So in essence this is a regression, and ideally we'd restore those checks so that the downgrade to v1.13 works again. cc @squeed |
auto-merge was automatically disabled
December 26, 2024 09:53
Pull request was converted to draft
30c9a74 to
a6cc4de
Compare
jschwinger233
added a commit
that referenced
this pull request
Dec 26, 2024
Signed-off-by: gray <gray.liang@isovalent.com>
a6cc4de to
313b84a
Compare
|
/test |
313b84a to
bd7a9fe
Compare
|
/test |
It wasn't until #23445 was fixed in 1.14 when Cilium had robust IPv6 connectivity for IPsec[1]. Previously CI workflows didn't run IPv6 connectivity for IPsec in 1.13, until #35314 recently enabled it. Subsequently, We noticed a number of CI failures in ci-ipsec-upgrade, caused by testing IPv6 connectivity in 1.13. This patch reverts the deletion of `if <1.14 then skip` made by #35314. [2] [1] #23461 [2] git diff aabda4b aabda4b~ ``` func (t *Test) ForEachIPFamily(do func(features.IPFamily)) { + // The per-endpoint routes feature is broken with IPv6 on < v1.14 when there + // are any netpols installed (#23852 + // and #23910). + if f, ok := t.Context().Feature(features.EndpointRoutes); ok && + f.Enabled && (len(t.cnps) > 0 || len(t.knps) > 0) && + versioncheck.MustCompile("<1.14.0")(t.Context().CiliumVersion) { + + ipFams = []features.IPFamily{features.IPFamilyV4} + } + func curlNodePort(ctx context.Context, s check.Scenario, t *check.Test, + // Skip IPv6 requests when running on <1.14.0 Cilium with CNPs + if features.GetIPFamily(addr.Address) == features.IPFamilyV6 && + versioncheck.MustCompile("<1.14.0")(t.Context().CiliumVersion) && + (len(t.CiliumNetworkPolicies()) > 0 || len(t.KubernetesNetworkPolicies()) > 0) { + continue + } + ``` Signed-off-by: gray <gray.liang@isovalent.com>
bd7a9fe to
4cc0d20
Compare
|
/test |
aanm
approved these changes
Jan 6, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It wasn't until #23445 was fixed in 1.14 when Cilium had robust IPv6 connectivity for IPsec[1]. Previously CI workflows didn't run IPv6 connectivity test for IPsec in 1.13, until #35314 recently enabled it. Subsequently, We noticed a number of CI failures in ci-ipsec-upgrade, caused by testing IPv6 connectivity in 1.13.
This patch reverts the deletion of
if <1.14 then skipmade by #35314 [2][1] #23461
[2] git diff aabda4b aabda4b~ | grep '<1.14.0' -C8
func (t *Test) ForEachIPFamily(do func(features.IPFamily)) { ipFams := []features.IPFamily{features.IPFamilyV4, features.IPFamilyV6} + // The per-endpoint routes feature is broken with IPv6 on < v1.14 when there + // are any netpols installed (https://github.com/cilium/cilium/issues/23852 + // and https://github.com/cilium/cilium/issues/23910). + if f, ok := t.Context().Feature(features.EndpointRoutes); ok && + f.Enabled && (len(t.cnps) > 0 || len(t.knps) > 0) && + versioncheck.MustCompile("<1.14.0")(t.Context().CiliumVersion) { + + ipFams = []features.IPFamily{features.IPFamilyV4} + } + for _, ipFam := range ipFams { switch ipFam { case features.IPFamilyV4: @@ -853,6 +979,18 @@ func (t *Test) CertificateCAs() map[string][]byte { -- + "github.com/cilium/cilium/pkg/versioncheck" ) // PodToService sends an HTTP request from all client Pods @@ -227,6 +228,13 @@ func curlNodePort(ctx context.Context, s check.Scenario, t *check.Test, } } + // Skip IPv6 requests when running on <1.14.0 Cilium with CNPs + if features.GetIPFamily(addr.Address) == features.IPFamilyV6 && + versioncheck.MustCompile("<1.14.0")(t.Context().CiliumVersion) && + (len(t.CiliumNetworkPolicies()) > 0 || len(t.KubernetesNetworkPolicies()) > 0) { + continue + } + // Manually construct an HTTP endpoint to override the destination IP // and port of the request. ep := check.HTTPEndpoint(name, fmt.Sprintf("%s://%s:%d%s", svc.Scheme(), addr.Address, np, svc.Path())) diff --git a/cilium-cli/k8s/client.go b/cilium-cli/k8s/client.go1.14 ci-ipsec-upgrade test: #36668