[v1.12-backport] Introduce fromEgressProxyRule #31930

Draft: wants to merge 2 commits into base: v1.12


jschwinger233
Member

@jschwinger233 jschwinger233 commented Apr 12, 2024

@maintainer-s-little-helper bot added labels Apr 12, 2024: backport/1.12 (This PR represents a backport for Cilium 1.12.x of a PR that was merged to main.), kind/backports (This PR provides functionality previously merged into master.)
[ upstream commit: 7d278af ]

[ backporter's note: v1.12 uses bpf/init.sh to install proxy rules so we
have to do a customized backport. ]

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
[ upstream commit: 53133ff ]

[ backporter's note: v1.12 uses bpf/init.sh to install proxy rules so we
have to do a customized backport. ]

Although we don't install fromEgressProxyRule for now, this commit
insists on removing it to make sure further downgrade can go smoothly.

Soon we'll have another PR to install fromEgressProxyRule, and cilium
downgrade from that PR to branch tip (patch downgrade, 1.X.Y ->
1.X.{Y-1}) will be broken if we don't handle the new ip rule carefully.

Without this patch, downgrade from higher version will leave
fromEgressProxyRule on the lower version cilium, cluster will be in a
wrong status of "having stale ip rule + not having other necessary
settings (iptables)", breaking the connectivity.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
@jschwinger233 jschwinger233 changed the title [v1.12] Introduce fromEgressProxyRule [v1.12-backport] Introduce fromEgressProxyRule Apr 26, 2024
@jschwinger233
Member Author

/test-backport-1.12

@jschwinger233
Member Author

/test-1.16-4.9

@julianwiedmann
Member

This is needed to enable smooth downgrades from v1.13, right? Is it enough to merge the PR, or would the v1.13 CI also require a fresh v1.12 release? (which we most likely won't do, as v1.12 is EOL).

@jschwinger233
Member Author

@julianwiedmann I was thinking the same. If there won't be a 1.12 release, how about specifying downgrade image tag like https://github.com/cilium/cilium/pull/31955/files#diff-07b1303f71b74ecfe10ad34472da7c7e9b79ac9274fd93fe833ecc1551898473 in 1.13 test-ipsec-upgrade.yaml? Or any way more elegant to let 1.13 upgrade test use the 1.12 tip?

@julianwiedmann
Member

julianwiedmann commented Apr 26, 2024

> @julianwiedmann I was thinking the same. If there won't be a 1.12 release, how about specifying downgrade image tag like https://github.com/cilium/cilium/pull/31955/files#diff-07b1303f71b74ecfe10ad34472da7c7e9b79ac9274fd93fe833ecc1551898473 in 1.13 test-ipsec-upgrade.yaml? Or any way more elegant to let 1.13 upgrade test use the 1.12 tip?

My first thought was to make the Egress-Proxy support on v1.13 an opt-in feature. Because users will face the same problem - they can't downgrade to a fixed v1.12.

@jschwinger233
Member Author

> Because users will face the same problem - they can't downgrade to a fixed v1.12.

For 1.13 -> 1.12 downgrade, we can provide a downgrade guide with several simple commands in the next 1.13 release notes. (Hope users are reading release notes....)

@jschwinger233
Member Author

Close due to won't do.

1.12 is EOL so it doesn't make sense to release another 1.12.X.

I'll take care of the downgrade issue by manually adding the necessary commands in ci-ipsec-upgrade.yaml.

jschwinger233 added a commit that referenced this pull request Jun 7, 2024
It's basically #31930 what we can't
merge due to 1.12 EOL.

Signed-off-by: gray <gray.liang@isovalent.com>
jschwinger233 added a commit that referenced this pull request Jun 7, 2024
It's basically #31930 what we can't
merge due to 1.12 EOL.

Signed-off-by: gray <gray.liang@isovalent.com>
dylandreimerink pushed a commit that referenced this pull request Jun 11, 2024
It's basically #31930 what we can't
merge due to 1.12 EOL.

Signed-off-by: gray <gray.liang@isovalent.com>
@jschwinger233 jschwinger233 reopened this Jun 12, 2024
@jschwinger233
Member Author

/test-backport-1.12
