envoy: Update to release 1.21.0 #18748
f629e7f to c4edc78
|
/test Job 'Cilium-PR-K8s-GKE' failed and has not been observed before, so may be related to your PR. If it is a flake, comment |
|
/test-only --focus="K8sPolicy.*abel.*L7" |
|
/test-only --focus="K8sPolicyTest.*using namespace label and L7" |
|
/test-only --focus="K8sPolicyTest.*using.namespace.label.and.L7" |
|
/test-1.23-net-next |
|
/test-gke |
|
Focused test run "failed" due to artifact collection failing when no tests were run: |
c4edc78 to ec18fc2
Envoy Go API is updated to contain the generated validation code.

Envoy image is updated to support the new EndpointId option for the bpf_metadata listener filter. NPDS field 'Policy' is renamed as 'EndpointID'. 'Policy' field was not used for anything, so might as well recycle it while this API is not yet public.

Envoy retries may fail on "address already in use" when the original source address and port are used on upstream connections. Cilium typically does this in the egress proxy listeners. Fix this by using a Cilium Envoy build that always sets SO_REUSEADDR when original source address and port is used.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
|
Fixed typo. |
|
/test |
|
runtime test failed with unrelated error: This likely indicates a problem in the VM provisioning. |
|
/test-runtime |
sayboras
left a comment
LGTM.
multi cluster test can be re-run after rebase with master.
| obtained := getNetworkPolicy(ep, nil, IPv4Addr, L4Policy1, true, true) | ||
| expected := &cilium.NetworkPolicy{ | ||
| Name: IPv4Addr, | ||
| Policy: uint64(Identity), |
nit: uint64 conversion here is redundant
| // Envoy since 1.20.0 uses SO_REUSEPORT on listeners by default. | ||
| // BPF TPROXY is currently not compatible with SO_REUSEPORT, so disable it. | ||
| // Note that this may degrade Envoy performance. | ||
| listenerConfig.EnableReusePort = &wrappers.BoolValue{Value: false} |
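Review bot: The comment above `listenerConfig.EnableReusePort` says BPF TPROXY is "currently" not compatible with SO_REUSEPORT and that disabling it may degrade Envoy performance, but it gives no pointer to what has to change before the override can be dropped. Consider adding a TODO with a tracking issue reference to the comment, and mentioning this listener setting and its performance caveat in the commit message, which describes the SO_REUSEADDR fix but not this change.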
| expectedNetworkPolicy = &cilium.NetworkPolicy{ | ||
| Name: ProdIPv4Addr.String(), | ||
| Policy: uint64(prodBarSecLblsCtx.ID), | ||
| EndpointId: uint64(eProdBar.ID), |
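Review bot: In this expected policy, `Policy` is filled from a security identity (`prodBarSecLblsCtx.ID`) while `EndpointId` is filled from an endpoint ID (`eProdBar.ID`), so the recycled field changes meaning as well as name. Since the commit message describes the field as recycled rather than newly added, a comment on the field definition stating that it now carries the endpoint ID and no longer an identity would help later readers keep the two values apart.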
Interesting, so the policy API between cilium-agent and the proxy has changed?
I think this is fine given that we always ship Envoy alongside Cilium. So we shouldn't need to deal with compatibility issues of mismatched versions attempting to use different field names from what the other binary expects.
|
Multicluster workflow was broken on master for a while, fixed in #18808 (merged yesterday). It's likely only failing because the PR has not been rebased. I think we're good to optimistically just merge this to unblock next steps. |
Update Envoy to release 1.21.0. Envoy Go API is updated to contain
the generated validation code.
cilium-envoy image is updated to support the new EgressMarkSourceEndpointId
option for the Cilium listener filter. NPDS field 'Policy' is renamed as
'EndpointID'. 'Policy' field was not used for anything, so might as
well recycle it while this API is not yet public.
Envoy retries may fail on "address already in use" when the original
source address and port are used on upstream connections. Cilium
typically does this in the egress proxy listeners. Fix this by using a
Cilium Envoy build that always sets SO_REUSEADDR when original source
address and port is used.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
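
The "address already in use" failure described above, reproduced on loopback as an added example (not code from this PR, Cilium or Envoy): a retry that binds the same source address and port as a still-open first connection fails at bind() unless both sockets set SO_REUSEADDR. The loopback listeners, the function names and the retry going to a different upstream are assumptions of the example, and the behaviour shown is that of Linux.

```go
package main

import (
	"fmt"
	"net"
	"syscall"
)

// dialFrom connects to upstream from a fixed local address, as a transparent
// proxy does. If reuseAddr is true, SO_REUSEADDR is set before bind().
func dialFrom(local *net.TCPAddr, upstream string, reuseAddr bool) (net.Conn, error) {
	d := net.Dialer{LocalAddr: local}
	if reuseAddr {
		d.Control = func(_, _ string, c syscall.RawConn) (err error) {
			if cerr := c.Control(func(fd uintptr) {
				err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 1)
			}); cerr != nil {
				return cerr
			}
			return err
		}
	}
	return d.Dial("tcp4", upstream)
}

// retryFromSameSource returns the error (nil on success) of a retry that reuses a live source addr:port.
func retryFromSameSource(reuseAddr bool) error {
	a, err := net.Listen("tcp4", "127.0.0.1:0") // constructed upstream A
	if err != nil {
		return err
	}
	defer a.Close()
	b, err := net.Listen("tcp4", "127.0.0.1:0") // constructed upstream B
	if err != nil {
		return err
	}
	defer b.Close()
	first, err := dialFrom(&net.TCPAddr{IP: net.IPv4(127, 0, 0, 1)}, a.Addr().String(), reuseAddr)
	if err != nil {
		return err
	}
	defer first.Close() // first attempt still owns the source address and port
	retry, err := dialFrom(first.LocalAddr().(*net.TCPAddr), b.Addr().String(), reuseAddr)
	if err != nil {
		return err
	}
	return retry.Close()
}

func main() { fmt.Println(retryFromSameSource(false), retryFromSameSource(true)) }
```

Setting the option on the retry socket alone is not enough: the kernel only skips the bind conflict when the socket already holding the port has SO_REUSEADDR set as well and is not listening.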