v1.11 Backports 2023-06-22 #26419
Merged
v1.11 Backports 2023-06-22 #26419
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ upstream commit 525007f ] [ backporter's notes: conflicts due to proxy_test.go not existing on v1.11, these changes were skipped. ] CreateOrUpdateRedirect called nil revertFunc when any local error was returned. This was done using the pattern `return 0, err, nil, nil` which sets the revertFunc return variable as nil, but this was called on a deferred function to revert any changes on a local error. Fix this by calling ReverStack.Revert() directly on the deferred function, and setting the return variable if there was no local error. This was hit any time a CiliumNetworkPolicy referred to a non-existing listener. Add a test case that reproduced the panic and works after the fix. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit ca61998 ] [ backporter's notes: conflicts due to ProxyType not existing on v1.11, used parserType as the v1.11 equivalent. ] Only update an existing redirect if it is configured. This prevents Cilium agent panic when trying to update redirect with released proxy port. This has only been observed to happen with explicit Envoy listener redirects in CiliumNetworkPolicy when the listener has been removed. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 894aa4e ] [ backporter's notes: conflicts due to ProxyType not existing on v1.11, used parserType as the v1.11 equivalent. ] Increment non-DNS proxy ports on failure even if DNS has been configured with a static port. Fixes: cilium#20896 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 13f146e ] New Docker desktop may have a default builder with name "desktop-linux" that is not buildx capable. Detect that name as well as the old "default" for the need to create a new buildx builder. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 68bff35 ] [ backporter's notes: conflicts due to docs structure change, manually applied changes to the corresponding file pre-structure change. ] Fixing incorrect description of the GET /public policy in the L7 section. Signed-off-by: Peter Jausovec <peter.jausovec@solo.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit e0931df ] [ backporter's notes: conflicts due to docs structure change, manually applied changes to the corresponding file pre-structure change. ] Add a note to the L3 policy documentation clarifying that L3 DNS policies require the L7 proxy enabled and an L7 policy for DNS traffic so Cilium can intercept DNS responses. Previously, the documentation linked to other sections describing the DNS Proxy, but I know at least a few people who were surprised that a policy under "L3 Examples" would require an L7 proxy. Hopefully adding a note near the beginning of the section will make this requirement more obvious. Signed-off-by: Will Daly <widaly@microsoft.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 18f85a0 ] To help to detect when IPcache is out of sync with locally stored Node IDs. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit e956bb1 ] [ backporter's notes: conflicts due to string format being different in v1.11, applied changes based on v1.11 format. ] The Node ID is used in SKB mark used by XFRM policies. The latter print it in hex. So, let's reduce a mental strain by a bit when debugging IPsec issues. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit f4f3656 ] We expect deprioritizeOldOutPolicy() to be executed for IPv4 and IPv6, but removeStaleXFRMOnce prevents the second call. If both IPv4 and IPv6 are enabled, v6 xfrm policy won't be deprioritized due to this issue. This commit fixes it by spliting removeStaleXFRMOnce into removeStaleIPv4XFRMOnce and removeStaleIPv6XFRMOnce. Fixes: cilium@688dc9a Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 390b4dc ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
nbusseneau
added
kind/backports
nbusseneau
requested review from
jrajahalme,
aanm,
brb,
jschwinger233 and
joestringer
|
@jrajahalme @brb Conflicts arised during backport of your commits, please check the notes in commits for context and validate that it looks good to you :) |
|
/test-backport-1.11 |
|
/test-1.16-netnext EDIT: it hit provisioning issues, re-triggering. |
|
/test-1.17-4.9 EDIT: I think it hit #24840, re-running to check. |
jschwinger233
approved these changes
Jun 27, 2023
|
The GKE failures are expected due to 1.11 not supporting K8s 1.24. This is caused by an infrastructure setup conundrum and will be addressed as part of infrastructure rework items this week (not feasible to simply rollback, unfortunately). In the meantime, we should ignore these failures on 1.11. |
nbusseneau
added
the
ready-to-merge
|
CI passed (barring note above) and most reviews are in (most importantly those for commits with conflicts), marking ready to merge. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Once this PR is merged, you can update the PR labels via:
or with