Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci-datapath: Enable IPV6 masquerading when KPR=off #25111

Merged
merged 2 commits into from Apr 28, 2023
Merged

ci-datapath: Enable IPV6 masquerading when KPR=off #25111

merged 2 commits into from Apr 28, 2023

Conversation

brb
Copy link
Member

@brb brb commented Apr 25, 2023
edited

ci-dp successful run https://github.com/cilium/cilium/actions/runs/4798712433/jobs/8537364470?pr=25111.

Before removing the WIP commit, all ginkgo tests have passed.

@brb
gh/workflows: Enable IPv6 with IPsec/vxlan in ci-dp
55377e6 
As pointed by Maxim Mikityanskiy, the issue #23461 was resolved, so we
can enable IPv6 with IPsec/vxlan.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 25, 2023
@brb
gh/workflows: Enable v6 masquerading with KPR=off in ci-dp
e8a39c0 
More test coverage.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
@brb
Copy link
Member Author

brb commented Apr 25, 2023

/test

@brb brb added area/CI-improvement Topic or proposal to improve the Continuous Integration workflow release-note/ci This PR makes changes to the CI. labels Apr 26, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 26, 2023
@brb brb marked this pull request as ready for review April 26, 2023 04:57
@brb brb requested review from a team as code owners April 26, 2023 04:57
gentoo-root
gentoo-root reviewed Apr 26, 2023
View reviewed changes
.github/workflows/conformance-datapath.yaml
# BPF-masq requires KPR=strict.
# Disable IPv6 until https://github.com/cilium/cilium/issues/14350 has been resolved
MASQ="--helm-set=bpf.masquerade=true --helm-set=enableIPv6Masquerade=false"
fi
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't seem to understand this second commit... It says:

Enable v6 masquerading with KPR=off in ci-dp

...but enableIPv6Masquerade is still false,

More test coverage.

...but bpf.masquerade is now set to true only when KPR=strict (used to be set unconditionally).

Could you explain what's the idea of this change?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

...but enableIPv6Masquerade is still false,

If not specified, it defaults to true - https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml#L1527

...but bpf.masquerade is now set to true only when KPR=strict

This is because of https://github.com/cilium/cilium/blob/main/daemon/cmd/daemon.go#L940 (KPR=strict means that NodePort is enabled).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is because of https://github.com/cilium/cilium/blob/main/daemon/cmd/daemon.go#L940

How did it work before? When KPR could be none, and bpf.masquerade was always enabled.

Copy link
Member Author

@brb brb Apr 27, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very good question. I wanted to figure out myself. Anyway:

level=warning msg="Falling back to iptables-based masquerading." error="BPF masquerade requires NodePort (--enable-node-port="true")" subsys=daemon

The agent automatically switched to the iptables-based masquerading.

@brb brb requested a review from gentoo-root April 27, 2023 12:34
@brb brb added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 27, 2023
@pchaigno pchaigno merged commit 6f2a05b into main Apr 28, 2023
43 checks passed
@pchaigno pchaigno deleted the pr/brb/ci-dp-v6-more branch April 28, 2023 14:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gentoo-root gentoo-root gentoo-root approved these changes

@viktor-kurchenko viktor-kurchenko viktor-kurchenko approved these changes

Assignees
No one assigned
Labels
area/CI-improvement Topic or proposal to improve the Continuous Integration workflow ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/ci This PR makes changes to the CI.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@brb @gentoo-root @viktor-kurchenko @pchaigno