
ldelossa
Contributor

@ldelossa ldelossa commented Jun 4, 2025

In v1.18 Cilium moves to utilizing VXLAN-in-ESP traffic by default.

This means traffic between nodes is now ESP and no longer VXLAN when IPsec is enabled.

GKE, by default, does not allow ESP traffic between GKE nodes.

Therefore, create an ESP allow firewall rule which targets just the cluster nodes.

Fixes: #39337

CI: Apply an ESP allow rule for GKE clusters to support IPsec VINE
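As an added example (not code from this PR or from the Cilium project), a check a cluster operator could run over the JSON from `gcloud compute firewall-rules list --format=json` to confirm that an enabled INGRESS allow rule lets ESP from the nodes reach the nodes. The sample rules, the `gke-node` tag, the `PROJECT_ID` and the node CIDR are constructed placeholders.

```python
import ipaddress

def _in_ranges(cidr, ranges):
    """True if the whole node CIDR falls inside one of the rule's sourceRanges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(r, strict=False)) for r in ranges)

def _allows_esp(rule):
    # IPProtocol may be the name "esp", its IP protocol number "50", or "all".
    return any(str(a.get("IPProtocol", "")).lower() in ("esp", "50", "all")
               for a in rule.get("allowed", []))

def _covers_nodes(rule, node_tag, node_cidr):
    src_ok = (node_tag in rule.get("sourceTags", [])
              or _in_ranges(node_cidr, rule.get("sourceRanges", [])))
    # An INGRESS rule with no targetTags applies to every instance in the network.
    tgt_ok = not rule.get("targetTags") or node_tag in rule["targetTags"]
    return src_ok and tgt_ok

def esp_allowed_between_nodes(rules, network, node_tag, node_cidr):
    """Names of enabled INGRESS allow rules in `network` that admit ESP between nodes."""
    return [r["name"] for r in rules
            if r.get("network", "").rsplit("/", 1)[-1] == network
            and r.get("direction", "INGRESS") == "INGRESS"
            and not r.get("disabled", False)
            and _allows_esp(r)
            and _covers_nodes(r, node_tag, node_cidr)]

# Constructed sample: the default network's internal rule (tcp/udp/icmp only, so no
# ESP) plus a node-scoped ESP rule of the kind this PR adds for the CI clusters.
NET = "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/default"
SAMPLE_RULES = [
    {"name": "default-allow-internal", "network": NET, "direction": "INGRESS",
     "priority": 65534, "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
    # Equivalent to: gcloud compute firewall-rules create allow-esp-between-nodes \
    #   --network default --direction INGRESS --allow esp \
    #   --source-tags gke-node --target-tags gke-node
    {"name": "allow-esp-between-nodes", "network": NET, "direction": "INGRESS",
     "priority": 1000, "allowed": [{"IPProtocol": "esp"}],
     "sourceTags": ["gke-node"], "targetTags": ["gke-node"]},
]

if __name__ == "__main__":
    print(esp_allowed_between_nodes(SAMPLE_RULES[:1], "default", "gke-node", "10.128.0.0/20"))
    print(esp_allowed_between_nodes(SAMPLE_RULES, "default", "gke-node", "10.128.0.0/20"))
```

The check only proves an allow rule exists; a higher-priority deny rule for ESP on the same network would still take precedence, so compare priorities against any deny rules before concluding the path is open.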

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 4, 2025
@ldelossa ldelossa force-pushed the ldelossa/vine-gke-firewall-rules branch 3 times, most recently from bb1f135 to ce82721 Compare June 5, 2025 12:51
@ldelossa ldelossa marked this pull request as ready for review June 5, 2025 12:51
@ldelossa ldelossa requested review from a team as code owners June 5, 2025 12:51
@ldelossa ldelossa requested review from pchaigno and qmonnet June 5, 2025 12:51
@ldelossa ldelossa added the release-note/ci This PR makes changes to the CI. label Jun 5, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 5, 2025
Member

@pchaigno pchaigno left a comment


That must have been a pain to debug...

A couple of questions below to understand.

@ldelossa ldelossa force-pushed the ldelossa/vine-gke-firewall-rules branch from ce82721 to f4fda47 Compare June 5, 2025 13:25
@ldelossa
Contributor Author

ldelossa commented Jun 5, 2025

/ci-gke

@ldelossa ldelossa force-pushed the ldelossa/vine-gke-firewall-rules branch from 7d7cce7 to 9087065 Compare June 5, 2025 16:43
@ldelossa
Contributor Author

ldelossa commented Jun 6, 2025

/test

@ldelossa ldelossa requested a review from pchaigno June 6, 2025 13:59
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 7, 2025
@pchaigno pchaigno added dont-merge/bad-bot To prevent MLH from marking ready-to-merge. and removed ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Jun 7, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 7, 2025
@pchaigno pchaigno removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 7, 2025
In v1.18 Cilium moves to utilizing VXLAN-in-ESP traffic by default.

This means traffic between nodes is now ESP and no longer VXLAN when
IPsec is enabled.

GKE, by default, does not allow ESP traffic between GKE nodes.

Therefore, create an ESP allow firewall rule which targets just the
cluster nodes.

Co-authored-by: Quentin Monnet <qmo@qmon.net>
Signed-off-by: Louis DeLosSantos <louis.delos@gmail.com>
@ldelossa ldelossa force-pushed the ldelossa/vine-gke-firewall-rules branch from 9087065 to 5993d72 Compare June 7, 2025 17:56
@ldelossa
Contributor Author

ldelossa commented Jun 7, 2025

/test

@ldelossa ldelossa removed the dont-merge/bad-bot To prevent MLH from marking ready-to-merge. label Jun 7, 2025
@ldelossa ldelossa enabled auto-merge June 7, 2025 18:04
@ldelossa ldelossa added this pull request to the merge queue Jun 7, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 7, 2025
Merged via the queue into main with commit e5077d8 Jun 7, 2025
67 of 68 checks passed
@ldelossa ldelossa deleted the ldelossa/vine-gke-firewall-rules branch June 7, 2025 18:16
@brlbil
Contributor

brlbil commented Jun 23, 2025

This issue is also in v1.17, but it is not detected due to conformance-gke.yaml being removed from scheduled CI runs on stable branches with #34726. Marking for backport. I ran the test manually: https://github.com/cilium/cilium/actions/runs/15824226226/job/44600331251

@brlbil brlbil added the backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. label Jun 23, 2025
Successfully merging this pull request may close these issues.

CI: Conformance GKE (ci-gke) - IPsec related failure