gha/scale-egw: explicitly enable IPv4 masquerade #39367
Conversation
[1] modified the helm defaulting logic, disabling IPv4Masquerade by default when running in ENI mode (as we do in this workflow). However, egress gateway relies on masquerading being enabled (and performed via BPF). Hence, let's explicitly enable IPv4 masquerading. [1]: 10f87e6 ("aws: change IPv4Masquerade to false in ENI mode.") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
|
/scale-egw |
|
/test |
| @@ -162,6 +162,7 @@ jobs: | |||
| --set=prometheus.enabled=true \ | |||
| --set=cluster.name=${{ env.cluster_name }} \ | |||
| ${{ matrix.test_type == 'egw' && env.EGRESS_GATEWAY_HELM_VALUES || '' }} \ | |||
| --set=enableIPv4Masquerade=true \ | |||
| --set=bpf.masquerade=true \ | |||
| --set=kubeProxyReplacement=true \ | |||
| --set=l7Proxy=false \ | |||
There was a problem hiding this comment.
(drive-by) do you remember whether we intentionally disabled the L7 proxy for this workflow, or if that's just a leftover from a time when EGW was incompatible? Then I'd be happy to open a PR and remove it.
There was a problem hiding this comment.
That option seems to have been there since the first commit that introduced the workflow, so my assumption would be that it is just a leftover from back then. I never removed it during subsequent iterations given that we are not creating any (L7) policy during the scale test, so it shouldn't actually matter from that point of view.
That said, the only aspect to pay attention to when removing it would be whether it changes the overall Cilium memory consumption due to the additional subsystems being enabled, as in that case the current threshold may need to be tuned a bit to avoid causing the workflow to fail (or become flaky).
There was a problem hiding this comment.
That said, the only aspect to pay attention to when removing it would be whether it changes the overall Cilium memory consumption due to the additional subsystems being enabled, as in that case the current threshold may need to be tuned a bit to avoid causing the workflow to fail (or become flaky).
That's what I figured 👍. OTOH keeping it disabled is an artificial constraint, I think we should aim for testing with a default config where possible.
10f87e6 modified the helm defaulting logic, disabling IPv4Masquerade by default when running in ENI mode (as we do in this workflow). However, egress gateway relies on masquerading being enabled (and performed via BPF). Hence, let's explicitly enable IPv4 masquerading.