-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[v1.12-backport] Introduce fromEgressProxyRule #31930
base: v1.12
Are you sure you want to change the base?
[v1.12-backport] Introduce fromEgressProxyRule #31930
Conversation
jschwinger233
commented
Apr 12, 2024
•
edited
edited
- Introduce fromEgressProxyRule #31923
[ upstream commit: 7d278af ] [ backporter's note: v1.12 uses bpf/init.sh to install proxy rules so we have to do a customized backport. ] Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
[ upstream commit: 53133ff ] [ backporter's note: v1.12 uses bpf/init.sh to install proxy rules so we have to do a customized backport. ] Although we don't install fromEgressProxyRule for now, this commit insists on removing it to make sure further downgrade can go smoothly. Soon We'll have another PR to install fromEgressProxyRule, and cilium downgrade from that PR to branch tip (patch downgrade, 1.X.Y -> 1.X.{Y-1}) will be broken if we don't handle the new ip rule carefullly. Without this patch, downgrade from higher version will leave fromEgressProxyRule on the lower version cilium, cluster will be in a wrong status of "having stale ip rule + not having other necessary settings (iptables)", breaking the connectivity. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
54bd107
to
385ec33
Compare
/test-backport-1.12 |
/test-1.16-4.9 |
This is needed to enable smooth downgrades from v1.13, right? Is it enough to merge the PR, or would the v1.13 CI also require a fresh v1.12 release? (which we most likely won't do, as v1.12 is EOL). |
@julianwiedmann I was thinking the same. If there won't be a 1.12 release, how about specifying downgrade image tag like https://github.com/cilium/cilium/pull/31955/files#diff-07b1303f71b74ecfe10ad34472da7c7e9b79ac9274fd93fe833ecc1551898473 in 1.13 test-ipsec-upgrade.yaml? Or any way more elegant to let 1.13 upgrade test use the 1.12 tip? |
My first thought was to make the Egress-Proxy support on v1.13 an opt-in feature. Because users will face the same problem - they can't downgrade to a fixed v1.12. |
For 1.13 -> 1.12 downgrade, we can provide downgrade guide with several simple command in the next 1.13 release notes. (Hope users are reading release notes.... |
Close due to won't do. 1.12 is EOL so it doesn't make sense to release another 1.12.X. I'll take care of downgrade issue by manually adding necessary commands in ci-ipsec-upgrade.yaml. |
It's basically #31930 what we can't merge due to 1.12 EOL. Signed-off-by: gray <gray.liang@isovalent.com>
It's basically #31930 what we can't merge due to 1.12 EOL. Signed-off-by: gray <gray.liang@isovalent.com>
It's basically #31930 what we can't merge due to 1.12 EOL. Signed-off-by: gray <gray.liang@isovalent.com>
/test-backport-1.12 |