joamaki
Contributor

@joamaki joamaki commented May 23, 2025

dylandreimerink and others added 6 commits May 23, 2025 10:40
[ upstream commit 2a74733 ]

There are a number of errors which we expect to occur when updating the
MTU of an endpoint while it's being deleted. This commit adds checks to
catch and ignore these errors.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>
Signed-off-by: Jussi Maki <jussi@isovalent.com>

[ upstream commit 603d505 ]

Match what we do for Cilium's Wireguard traffic that passes through
the to-netdev program on a native device.

Also clean up some whitespace damage while at it.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Jussi Maki <jussi@isovalent.com>

[ upstream commit 6c39d72 ]

GAMMA is solely used for E-W traffic, hence the original source address
should be set. This will help to simplify the network policies as the
intermediate reserved:ingress will not be considered as compared to N-S
traffic.

Co-authored-by: Liyi Huang <liyi.huang@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Jussi Maki <jussi@isovalent.com>

[ upstream commit 2d8769d ]
[ backporter's note: fixed minor conflict due to missing slog changes ]

Since 7b92700 and e9438c2, egress policy programs are inserted
unconditionally, even when the L7 proxy is disabled. Unfortunately, the
teardown logic only runs when the proxy is enabled, causing all
handle_policy_egress programs to leak.

Double unfortunately, since this program doesn't reference any Cilium maps in
its attached-but-disabled state (it's an empty program), it doesn't show up in
Cilium's maps metrics, making the issue hard to spot. The latter is being
addressed in #39557.

This commit makes the removal unconditional, since the attachment is
also unconditional. I've decided against making both attachment and detachment
conditional, since that would still cause orphaned programs if the l7 proxy
was disabled on a running cluster. Endpoint teardown should always attempt to
remove all known policy programs for robustness.

Signed-off-by: Timo Beckers <timo@isovalent.com>
Signed-off-by: Jussi Maki <jussi@isovalent.com>

[ upstream commit 51a87eb ]

Use `hubble.metrics.tls` instead of `hubble.tls` when setting the
hubble-metrics-tls projected secret source name in daemonset
helm template.

Signed-off-by: Alexandre Barone <abalexandrebarone@gmail.com>
Signed-off-by: Jussi Maki <jussi@isovalent.com>

[ upstream commit d09069d ]

When running the connectivity tests with the `conn-disrupt-test-check`
action, the concurrency needs to be expressed through a parameter to that
action. Otherwise it defaults to 1.

This fixes breakage from
23f5a36 ("github: conn-disrupt: add test-concurrency parameter").

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Jussi Maki <jussi@isovalent.com>

@joamaki joamaki added the kind/backports (This PR provides functionality previously merged into master.) and backport/1.17 (This PR represents a backport for Cilium 1.17.x of a PR that was merged to main.) labels May 23, 2025

Contributor Author

joamaki commented May 23, 2025

/test

Member

@sayboras sayboras left a comment

Thanks and looks good for my commit ✔️

Contributor

@devodev devodev left a comment

Thanks, #39668

@joamaki joamaki marked this pull request as ready for review May 26, 2025 10:40
@joamaki joamaki requested review from a team as code owners May 26, 2025 10:40
@joamaki joamaki enabled auto-merge May 26, 2025 16:07
Member

@joestringer joestringer left a comment

LGTM for @cilium/github-sec

@joamaki joamaki added this pull request to the merge queue May 27, 2025
Merged via the queue into v1.17 with commit 02614ad May 27, 2025
356 of 357 checks passed
@joamaki joamaki deleted the pr/v1.17-backport-2025-05-23-10-39 branch May 27, 2025 18:27
7 participants