proxy: Do not change configured proxy ports #26343
/test
All required checks are passing.
@mhofstetter marked this as a release blocker for 1.14, as this may become more easily hit with the non-embedded Envoy.
👍 @jrajahalme can you please provide a little bit more context when the issue arises? My guess is that it occurs for cases where a CEC defines a listener (port gets allocated via
It seems @mhofstetter has a more in-depth understanding of this change than I do, so I will request reviews from him. FWIW, at a high level, the change makes sense.
Proxy redirect creation tries another proxy port number in case redirect creation needs to be retried. Do not change the proxy port on retries if the proxy port has already been configured, as configured proxy ports are already being used by proxies for listening.
Previously we had avoided proxy port change on retry for DNS proxies when the DNS port had been explicitly configured. We need to do the same for proxy listeners defined in CiliumEnvoyConfig CRDs. Checking for the 'configured' flag covers both cases, as it is set via SetProxyPort() called by DNS proxy on agent bootstrap, and via AllocateProxyPort() called for CEC CRD listeners.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
89db910 to f6106d5
Terminology here is a bit misleading as I refactored the code to only use a single
/test
thanks for the explanation!
// Do not increment port for DNS when the port is set in config | ||
if pp.proxyType != ProxyTypeDNS || option.Config.ToFQDNsProxyPort == 0 { | ||
} | ||
if !pp.configured { |
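Review bot: the if !pp.configured { check has no comment of its own, and the only comment visible in this hunk speaks about DNS ports set in config. A short comment at the check saying that a configured port is already used by a proxy for listening, and that the flag is set via SetProxyPort() for the DNS proxy and via AllocateProxyPort() for CEC CRD listeners, would keep the reason for not changing the port next to the condition.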
Follow up to my question in the PR discussion:
Am I correct that this logic still increments the proxy port in case of an initial redirect creation if an Envoy startup error occurs in createEnvoyRedirect (e.g. memory pressure in case of embedded mode)? In this case pp.reservePort(), which would set pp.configured=true, will not be called (only if no error occurred).
LGTM, with the one remaining question. But this should be only in cases with CNP listeners - where the retry with a new port is ok.
Proxy redirect creation tries another proxy port number in case redirect creation needs to be retried. Do not change the proxy port on retries if the proxy port has already been configured, as configured proxy ports are already being used by proxies for listening.
Previously we had avoided proxy port change on retry for DNS proxies when the DNS port had been explicitly configured. We need to do the same for proxy listeners defined in CiliumEnvoyConfig CRDs. Checking for the 'configured' flag covers both cases, as it is set via SetProxyPort() called by DNS proxy on agent bootstrap, and via AllocateProxyPort() called for CEC CRD listeners.
Fixes: #25969
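The retry rule from the description above, as an added Go example that is not Cilium's code: a reduced model in which a port may be swapped on retry only while it is not yet configured. The names proxyPort, portPool, createRedirect and failFirst, the port numbers, and the assumption that a successful creation sets the flag (as the review comment says of pp.reservePort()) are all hypothetical.

```go
package main

import "fmt"

// proxyPort is a hypothetical, reduced model of per-listener proxy state.
type proxyPort struct {
	port       uint16
	configured bool // true once a proxy is already listening on port
}

// portPool is a constructed stand-in for the agent's port allocator.
type portPool struct{ next uint16 }

func (p *portPool) allocate() uint16 { p.next++; return p.next - 1 }

// createRedirect retries until tryCreate succeeds or attempts run out.
// Only a port that is not yet configured may be replaced on a retry;
// a configured port is reused, because a listener is bound to it.
func createRedirect(pp *proxyPort, pool *portPool, attempts int,
	tryCreate func(uint16) error) (tried []uint16, err error) {
	for i := 0; i < attempts; i++ {
		if !pp.configured && (i > 0 || pp.port == 0) {
			pp.port = pool.allocate()
		}
		tried = append(tried, pp.port)
		if err = tryCreate(pp.port); err == nil {
			pp.configured = true // assumed: success reserves the port
			return tried, nil
		}
	}
	return tried, err
}

// failFirst returns a tryCreate that fails its first n calls (constructed).
func failFirst(n int) func(uint16) error {
	return func(uint16) error {
		if n > 0 {
			n--
			return fmt.Errorf("listener not ready")
		}
		return nil
	}
}

func main() {
	pool := &portPool{next: 10001}
	// Models a CEC listener whose port was fixed before any redirect exists.
	cec := &proxyPort{port: 10000, configured: true}
	fmt.Println(createRedirect(cec, pool, 5, failFirst(2)))
	// Models a listener with no configured port: retries move to new ports.
	fmt.Println(createRedirect(&proxyPort{}, pool, 5, failFirst(2)))
}
```

The second call also shows the case raised in the review question: while an initial creation keeps failing, the flag is never set, so each retry takes a fresh port.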