datapath: fix NodePort to remote hostns backend with tunnel config #27323
Conversation
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
github-actions
bot
added
the
kind/community-contribution
|
After rebasing on top of #24677, a nil check introduced in front of device manager allows the tests to pass. Looks like this can be merged with just these changes 😄 |
|
@julianwiedmann these are basically the changes you made in #22738 but updated with some of the newer changes in device manager. Tested the agent tests, and they pass now 🥳 |
joestringer
added
release-note/bug
|
/test |
|
If this is based on #22738, then please ensure that the commit message properly attributes the origins of the source, ie: |
|
Thanks @joestringer! Definitely want to make sure credit is given 👍 |
|
I'm seeing a few CI issues that are due to the PR being based on an older version of |
joestringer
added
the
dont-merge/needs-rebase
|
Done! |
|
/test |
|
Fixed issue in TestDetect, other issues seem unrelated. I reverted my changes just in case and I could repro the TestWriteNodeConfig failures locally. |
|
@julianwiedmann as previous owner of the PR can you please help us with the reviews and approval process? |
|
@jibi can you review this please? @michaelasp please respond to or resolve the open conversations. |
|
Hey @lmb sorry for the wait! I just got back to my computer today from a long break, responded 😃. |
There was a problem hiding this comment.
The rationale for the change makes sense to me, but it could have a broader impact than expected as:
DirectRoutingDeviceRequired()can now return true even when tunneling is not enabled- because of that
(*DeviceManager) Detect()will try to auto-detect a direct routing device even in tunneling mode - if we fail to detect a device either bpf nodeport gets disabled or the agent returns an error during initialization
so this PR has a potential upgrade impact as it might break some setups that used to work before 🤔
maintainer-s-little-helper
bot
added
the
ready-to-merge
jibi
removed
the
ready-to-merge
maintainer-s-little-helper
bot
added
the
ready-to-merge
|
Awesome! Glad to hear :) |
|
Removing ready-to-merge since @ti-mo needs to approve for cilium/loader. Not sure why the automation decided this was ready. |
lmb
removed
ready-to-merge
maintainer-s-little-helper
bot
added
the
ready-to-merge
sayboras
added
backport-pending/1.14
joamaki
added
needs-backport/1.14
joamaki
added
backport-pending/1.14
github-actions
bot
added
backport-done/1.14
jrajahalme
moved this from Needs backport from main
to Backport done to v1.14
in 1.14.3
When forwarding external service requests to a remote backend in hostNetwork, the NodePort code in tail_nodeport_nat_egress_ipv4() doesn't redirect into the tunnel (as it's effectively a host-to-host connection).
Therefore it uses IPV4_DIRECT_ROUTING as src address. So if we're not populating IPV4_DIRECT_ROUTING, such forwarded requests end up being SNATed with 0.0.0.0.
This is a copy of #22738 by jwi@isovalent.com, reopening to debug test failures.
Fixes: #22557
Fixes: 5283ec9 ("datapath: Introduce DirectRoutingDeviceRequired helper")