v1.13 Backports 2023-06-13 (IPsec) #26160

Merged
merged 1 commit into from
Jun 13, 2023
qmonnet
Member

@qmonnet qmonnet commented Jun 13, 2023

Once this PR is merged, you can update the PR labels via:

for pr in 26093; do contrib/backporting/set-labels.py $pr done 1.13; done

or with

make add-labels BRANCH=v1.13 ISSUES=26093

[ upstream commit 1e1e2f7 ]

Commit 3e59b68 ("ipsec: Per-node XFRM states & policies for EKS &
AKS") changed the XFRM config to have one state and policy per remote
node in IPAM modes ENI and Azure. The IPsec cleanup logic was therefore
also updated to call deleteIPsec() whenever a remote node is deleted.

However, we missed that the cleanup logic also tries to remove the
per-node IP route. In case of IPAM modes ENI and Azure, the IP route
however stays as before: we have a single route for all remote nodes. We
therefore don't have anything to clean up.

Because of this unnecessary IP route cleanup attempt, an error message
was printed for every remote node deletion:

    Unable to delete the IPsec route OUT from the host routing table

This commit fixes it to avoid attempting this unnecessary cleanup.

Fixes: 3e59b68 ("ipsec: Per-node XFRM states & policies for EKS & AKS")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>
@qmonnet qmonnet added kind/backports This PR provides functionality previously merged into master. backport/1.13 This PR represents a backport for Cilium 1.13.x of a PR that was merged to main. labels Jun 13, 2023
@qmonnet qmonnet requested a review from pchaigno June 13, 2023 09:11
@qmonnet qmonnet changed the title v1.13 Backports 2023-06-13 v1.13 Backports 2023-06-13 (IPsec) Jun 13, 2023
@qmonnet
Member Author

qmonnet commented Jun 13, 2023

/test-backport-1.13

Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:

Test Name

K8sAgentPolicyTest Multi-node policy test with L7 policy using connectivity-check to check datapath

Failure Output

FAIL: cannot install connectivity-check

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/743/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next so I can create one.

Then please upload the Jenkins artifacts to that issue.

@qmonnet qmonnet marked this pull request as ready for review June 13, 2023 09:13
@qmonnet qmonnet requested a review from a team as a code owner June 13, 2023 09:13
Member

@pchaigno pchaigno left a comment

My PR looks good. Thanks Quentin!

@qmonnet
Member Author

qmonnet commented Jun 13, 2023

/test-1.26-net-next
Previous run hit #13071.

@gandro gandro added the release-blocker/1.13 This issue will prevent the release of the next version of Cilium. label Jun 13, 2023
@gandro
Member

gandro commented Jun 13, 2023

Let's wait on net-next as well and then this should be ready to merge, as there is nothing we can do about the current 1.1.1.1 issue in this PR.

@gandro
Member

gandro commented Jun 13, 2023

net-next is green. This is ready-to-merge.

@gandro gandro added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 13, 2023
@gandro gandro merged commit aac8a6a into v1.13 Jun 13, 2023
62 of 63 checks passed
@gandro gandro deleted the pr/v1.13-backport-2023-06-13 branch June 13, 2023 18:34
Labels
backport/1.13 This PR represents a backport for Cilium 1.13.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-blocker/1.13 This issue will prevent the release of the next version of Cilium.