cc: @bimmlerd

Hi, unfortunately swamped at the moment, and on PTO starting tomorrow; until Monday - I'll review once I'm back (otherwise, you can always request feedback from the folks who engaged with the first PR!)

I added the release-note/misc label since the feature needs several PRs together to be functional. I'd like the overall feature to be releases-note/major in the release notes assuming that all relevant PRs go in on time, but we probably just need to make that call closer to the time.

@joestringer Can we add the v1.18 release label to the SDP PRs ? Trying to push this in the v1.18 release.

I can put it in the v1.18 milestone, but that only expresses intent. It's still up to the contributors and reviewers to collaborate to meet that date. We don't change release timelines for specific features.

@squeed Friendly for re-review on this. Thanks !

Much cleaner! This is a lot easier to follow :-).

A few more things to take care of. Please squash to one or two commits once you've got this PR where you like. But this is getting close.

/test

/test

/ci-clustermesh

/ci-integration

/ci-clustermesh

@vipul-21 Why were the tests failing? I see several re-runs of CI, but no evidence of investigation of the failures.

The CI Failure Triage page in the docs describes the expected pattern when encountering a failure. If the tests are repeatedly re-run on a PR, then the default assumption would be that the PR itself is introducing failures into the tree, so we should avoid merging until we know that the PR is not destabilizing the tree.

Hey @joestringer sorry about that. Here's the investigation on why I retriggered.
/test by Casey initially - This was before the squashing of the commits. So had to run /test after squashing the commits which lead to two failures.

• Integration failure: https://github.com/cilium/cilium/actions/runs/16051925410/job/45296477129, the failure logs mentioned that these cases failed:

--- FAIL: TestSpireDelegateClient_GetCertificateForIdentity (0.05s)
--- FAIL: TestSpireDelegateClient_GetCertificateForIdentity/get_certificate_for_numeric_identity (0.00s)

On searching the existing issues, found the open issue and a flaky label attached to it. #40130. So re ran the integration test only which passed on the second run.

• Clustermesh upgrade failure: https://github.com/cilium/cilium/actions/runs/16051925656/job/45296500181, this failed on the check-log-errors and there was a corresponding open issue: CI: Cilium Cluster Mesh upgrade (ci-clustermesh) - check-log-errors - Error while reloading endpoint BPF program #39855 for the same as well. It had the flaky label too. So re ran the clustermesh ci.
• On the second run of cluster mesh ci: https://github.com/cilium/cilium/actions/runs/16298107935/job/46025195838, it failed due to the same reason as well. So ran it again.

Since the test failures were not related to the code changes in the PR and same issues were seen elsewhere too, I didn;t investigate further and re ran them.

@vipul-21 OK thanks for reporting back. Your explanation makes sense. I'd encourage reporting in a similar way if you observe failures unrelated to your PRs again, as this helps to highlight which CI issues we need to focus on, and also makes it clear to reviewers/committers whether there might be reasons to be concerned about how your PR affects CI stability.

It turns out that #40130 was pretty easy to reproduce, so I dug in a bit and proposed a fix. #39855 is already being investigated by someone so hopefully we'll resolve that soon enough.