CI: Cilium E2E Upgrade - ipsec-7 - assert that no unencrypted packets are leaked

[rastislavs]

CI failure

Happened on v1.18 branch, in assert that no unencrypted packets are leaked after downgrade to v1.17:

Job: https://github.com/cilium/cilium/actions/runs/16650761610/job/47126318680

Run ./.github/actions/bpftrace/check
Run cilium/little-vm-helper@9c1f3a549af06e213863d034c13ba1c5d1e3c667
Run # chmod dirs so that the cache hits can decompress the artifacts
Run echo lvh_kernel_path=$(find /kernels/amd64//boot/ -name "vmlinuz-*" -type f | head -1) >> "$GITHUB_OUTPUT"
find: ‘/kernels/amd64//boot/’: No such file or directory
Run ssh -p 2222 -o "StrictHostKeyChecking=no" root@localhost << EOF
Pseudo-terminal will not be allocated because stdin is not a terminal.
Error: bpftrace output is not empty
Sanity check failed: detected no IPv6 connections from the L7 proxy. Is the filter correct?
Sanity check failed: detected no messages sent by the DNS proxy. Is the filter correct?

• cilium-sysdumps.zip
• cilium-junits.zip
• features-tested.zip

[joestringer]

cc @cilium/ipsec

[joestringer]

Could be specific to the new IPv6 underlay support, here's the matrix configuration for the failure case:

  {
    "name": "ipsec-7",
    "kernel": "5.15-20250728.013327",
    "kube-proxy": "iptables",
    "kpr": "false",
    "tunnel": "vxlan",
    "ipv4": "false",
    "underlay": "ipv6",
    "encryption": "ipsec",
    "skip-upgrade": "true",
    "mode": "minor"
  },

[smagnani96]

Despite we're skipping downgrades for IPv6-only, I believe we should instrument bpftrace to skip checks on DNS anyway.
Just opened a PR.

[joestringer]

Reopening until the backport to v1.18 is done for #40881, as we're still observing this on main upgrade tests after a downgrade.