Skip to content

workflows/ipsec: yet another fix for downgrade#41260

Merged
pchaigno merged 1 commit intomainfrom
pr/smagnani96/fix-encryption-no-proxy
Aug 19, 2025
Merged

workflows/ipsec: yet another fix for downgrade#41260
pchaigno merged 1 commit intomainfrom
pr/smagnani96/fix-encryption-no-proxy

Conversation

@smagnani96
Copy link
Copy Markdown
Contributor

@smagnani96 smagnani96 commented Aug 19, 2025

In #40868, we observed no DNS traffic being recorded by the check-encryption-leaks.bt script when skipping Cilium version downgrade in IPv6-only cluster. This was true given the to-fqdn tests were run only if IPv4 was enabled. However, the fix landed in #40881 is not enough: the downgrade is skipped, but the chekc-encryption-leaks.bt script can be still run in DNS-assertion mode for clusters with IPv4-enabled. This would cause the script to throw an error if no DNS traffic is being recorded. Given we skip the whole downgrade tests, there is no guarantee that we see DNS traffic, given no CLI tests nor conn-disrupt tests run at that moment in time.

There are two possible ways to fix that:

  1. activate the DNS-assertion mode only when IPv4 is enabled (already doing this) AND when downgrade is not skipped.
  2. skip the whole check-encryption-leaks.bt setup for the downgrade step when we're skipping downgrade (i.e., no tests would generate such traffic).

This commit opts for (2).
An example of the issue being still present: https://github.com/cilium/cilium/actions/runs/17046381531/job/48323205922.

Fixes: #40868.

@smagnani96
workflows/ipsec: yet another fix for downgrade
b75d1cb 
In #40868, we observed no DNS traffic being recorded by the
check-encryption-leaks.bt script when skipping Cilium version downgrade
in IPv6-only cluster. This was true given the to-fqdn tests were run only
if IPv4 was enabled. However, the fix landed in #40881 is not enough:
the downgrade is skipped, but the chekc-encryption-leaks.bt script can
be still run in DNS-assertion mode for clusters with IPv4-enabled.
This would cause the script to throw an error if no DNS traffic is being
recorded. Given we skip the whole downgrade tests, there is no guarantee
that we see DNS traffic, given no CLI tests nor conn-disrupt tests run
at that moment in time.

There are two possible ways to fix that:

1. activate the DNS-assertion mode only when IPv4 is enabled (already doing this)
   AND when downgrade is not skipped.
2. skip the whole check-encryption-leaks.bt setup for the downgrade step
   when we're skipping downgrade (i.e., no tests would generate such traffic).

This commit opts for (2).

Fixes: #40868.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96 smagnani96 self-assigned this Aug 19, 2025
@smagnani96 smagnani96 added kind/bug/CI This is a bug in the testing code. area/CI Continuous Integration testing issue or flake area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/ci This PR makes changes to the CI. feature/ipsec Relates to Cilium's IPsec feature needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Aug 19, 2025
@smagnani96
Copy link
Copy Markdown
Contributor Author

smagnani96 commented Aug 19, 2025

/test

@smagnani96 smagnani96 marked this pull request as ready for review August 19, 2025 13:16
@smagnani96 smagnani96 requested review from a team as code owners August 19, 2025 13:16
@smagnani96 smagnani96 requested a review from Artyop August 19, 2025 13:16
pchaigno
pchaigno approved these changes Aug 19, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@pchaigno pchaigno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for catching and fixing this!

@pchaigno pchaigno removed the request for review from Artyop August 19, 2025 13:54
@pchaigno pchaigno added this pull request to the merge queue Aug 19, 2025
Merged via the queue into main with commit 34242dd Aug 19, 2025
124 checks passed
@pchaigno pchaigno deleted the pr/smagnani96/fix-encryption-no-proxy branch August 19, 2025 14:07
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Aug 19, 2025
@pippolo84 pippolo84 mentioned this pull request Aug 25, 2025
Merged
17 tasks
@pippolo84 pippolo84 added backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Aug 25, 2025
@github-actions github-actions bot added backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. and removed backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. labels Sep 1, 2025
@cilium-release-bot cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pchaigno pchaigno pchaigno approved these changes

Assignees

@smagnani96 smagnani96

Labels

area/CI Continuous Integration testing issue or flake area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. feature/ipsec Relates to Cilium's IPsec feature kind/bug/CI This is a bug in the testing code. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/ci This PR makes changes to the CI.

Projects

No open projects
cilium v1.19.0
Status: Released

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CI: Cilium E2E Upgrade - ipsec-7 - assert that no unencrypted packets are leaked

4 participants

@smagnani96 @pchaigno @pippolo84 @msune