ztunnel: introduce end to end connectivity tests by ldelossa · Pull Request #43166 · cilium/cilium

ldelossa · 2025-12-05T17:50:59Z

This pull requests adds KIND based end to end tests for Cilium's ZTunnel integration.

Two new test triggers are introduced:
/ci-ztunnel-e2e - run KIND based ZTunnel end to end tests

note: commit a222626 will be removed and exists to run our new tests within the context of this PR.

Closes: #41901

Introduce end-to-end tests for Cilium's ZTunnel integration.

nddq · 2025-12-09T17:45:08Z

#43227 is for adding ztunnel as a valid encryption type for cilium status, which we can then use in the connectivity test suite to check for enablement.

ldelossa · 2025-12-09T22:17:31Z

/test

ldelossa · 2026-01-07T20:26:09Z

/ci-ztunnel-e2e

ldelossa · 2026-01-07T20:26:24Z

/ci-ztunnel

ldelossa · 2026-02-09T18:40:05Z

/test

joestringer

Nothing jumps out at me from the perspective of @cilium/github-sec

joestringer · 2026-02-09T21:54:14Z

(GitHub had outages earlier today which likely explains many of the failures; may make sense to close/reopen/retest)

Artyop · 2026-02-10T10:41:01Z

/test

ldelossa · 2026-02-10T15:54:35Z

@joestringer would an amend and force push fix it? Or are you saying the PR must be closed and reopened?

joestringer · 2026-02-10T17:06:14Z

That works too :) There's various tricks, I know sometimes you can retrigger the simple checks by just closing and reopening the PR.

ldelossa · 2026-02-11T01:41:00Z

/test

The test infrastructure deploys three dedicated namespaces with client and echo-server pods in each: two enrolled namespaces for testing cross-namespace mTLS scenarios and one unenrolled namespace for baseline verification. Pod affinity rules ensure echo-same-node pods co-locate with clients while echo-other-node pods schedule on different nodes, enabling both intra-node and inter-node traffic validation. The test scenarios verify ztunnel mTLS behavior by dynamically labeling namespaces with the io.cilium/mtls-enabled label during test execution. For enrolled pod pairs, the tests assert that traffic flows through port 15008 (the ztunnel HBONE proxy) and that no unencrypted traffic appears on port 8080. For unenrolled pods, the assertions are inverted to confirm traffic bypasses ztunnel entirely. Cross-namespace scenarios confirm that mTLS works correctly when client and server reside in separately enrolled namespaces. Packet capture validation runs from host network pods using tcpdump, which is required since ztunnel operates in the host network namespace. The tests query the ztunnel admin API to verify workload registration before generating traffic, ensuring the any state the test depends on has converged before making assertions. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com> Signed-off-by: Robin Gögge <r.goegge@isovalent.com>

Add a new GitHub Actions workflow to run end-to-end tests for ztunnel encryption in Cilium. The new /ci-ztunnel-e2e trigger is added to the Ariane configuration, pointing to the newly created conformance-ztunnel-e2e.yaml workflow file. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

ldelossa · 2026-02-11T19:56:01Z

Final test, I dropped the 'tmp' commit, removing the ztunnel tests from running, previous test run confirmed working however.

ldelossa · 2026-02-11T19:56:05Z

/test

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [aqua:cilium/cilium-cli](https://redirect.github.com/cilium/cilium-cli) | patch | `0.19.0` → `0.19.2` | --- ### Release Notes <details> <summary>cilium/cilium-cli (aqua:cilium/cilium-cli)</summary> ### [`v0.19.2`](https://redirect.github.com/cilium/cilium-cli/compare/v0.19.1...v0.19.2) [Compare Source](https://redirect.github.com/cilium/cilium-cli/compare/v0.19.1...v0.19.2) ### [`v0.19.1`](https://redirect.github.com/cilium/cilium-cli/releases/tag/v0.19.1) [Compare Source](https://redirect.github.com/cilium/cilium-cli/compare/v0.19.0...v0.19.1) ## Summary of Changes **Minor Changes:** - cli: clustermesh: use ca bundle to connect clusters ([cilium/cilium#42833](https://redirect.github.com/cilium/cilium/issues/42833), [@MrFreezeex](https://redirect.github.com/MrFreezeex)) **Bugfixes:** - cilium-cli: Fix NodePort deployment check in dual-stack clusters ([cilium/cilium#43888](https://redirect.github.com/cilium/cilium/issues/43888), [@gandro](https://redirect.github.com/gandro)) - Fix GKE conformance test NodePort timeouts by skipping unreachable external IP validation on GKE ([cilium/cilium#44014](https://redirect.github.com/cilium/cilium/issues/44014), [@pillai-ashwin](https://redirect.github.com/pillai-ashwin)) **CI Changes:** - cli: Relax warning exclusion for "unable to find key in local cache" ([cilium/cilium#44149](https://redirect.github.com/cilium/cilium/issues/44149), [@brb](https://redirect.github.com/brb)) **Misc Changes:** - chore(deps): update all-dependencies (main) ([cilium/cilium#43700](https://redirect.github.com/cilium/cilium/issues/43700), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (main) ([cilium/cilium#43824](https://redirect.github.com/cilium/cilium/issues/43824), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (main) ([cilium/cilium#43965](https://redirect.github.com/cilium/cilium/issues/43965), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (main) ([cilium/cilium#44090](https://redirect.github.com/cilium/cilium/issues/44090), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (main) ([cilium/cilium#44235](https://redirect.github.com/cilium/cilium/issues/44235), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (main) ([cilium/cilium#43827](https://redirect.github.com/cilium/cilium/issues/43827), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (main) ([cilium/cilium#43969](https://redirect.github.com/cilium/cilium/issues/43969), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (main) ([cilium/cilium#44239](https://redirect.github.com/cilium/cilium/issues/44239), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - cilium-cli: Fix container name in connectivity test logs ([cilium/cilium#44076](https://redirect.github.com/cilium/cilium/issues/44076), [@HadrienPatte](https://redirect.github.com/HadrienPatte)) - docs: fix typos in comments ([cilium/cilium#43821](https://redirect.github.com/cilium/cilium/issues/43821), [@NAM-MAN](https://redirect.github.com/NAM-MAN)) - feat(cilium-cli): Add -r(estart) parameter to cilium upgrade ([cilium/cilium#43722](https://redirect.github.com/cilium/cilium/issues/43722), [@alagoutte](https://redirect.github.com/alagoutte)) - Introduce end-to-end tests for Cilium's ZTunnel integration. ([cilium/cilium#43166](https://redirect.github.com/cilium/cilium/issues/43166), [@ldelossa](https://redirect.github.com/ldelossa)) - Replace Index{,Byte} with Cut,Contains ([cilium/cilium#43708](https://redirect.github.com/cilium/cilium/issues/43708), [@joestringer](https://redirect.github.com/joestringer)) - sysdump: Use label selectors for Hubble UI/Relay deployment collection ([cilium/cilium#44227](https://redirect.github.com/cilium/cilium/issues/44227), [@darox](https://redirect.github.com/darox)) - chore(deps): update dependency cilium/cilium to v1.18.6 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#3168](https://redirect.github.com/cilium/cilium-cli/pull/3168) - Update stable release to v0.19.0 by [@tklauser](https://redirect.github.com/tklauser) in [#3169](https://redirect.github.com/cilium/cilium-cli/pull/3169) - chore(deps): update go to v1.25.6 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#3170](https://redirect.github.com/cilium/cilium-cli/pull/3170) - chore(deps): update docker.io/library/golang:1.25.6 docker digest to [`ce63a16`](https://redirect.github.com/cilium/cilium-cli/commit/ce63a16) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#3172](https://redirect.github.com/cilium/cilium-cli/pull/3172) - chore(deps): update actions/checkout action to v6.0.2 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#3171](https://redirect.github.com/cilium/cilium-cli/pull/3171) - ci: Harden the image build process by [@ferozsalam](https://redirect.github.com/ferozsalam) in [#3174](https://redirect.github.com/cilium/cilium-cli/pull/3174) - chore(deps): update gcr.io/distroless/static:latest docker digest to [`972618c`](https://redirect.github.com/cilium/cilium-cli/commit/972618c) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#3176](https://redirect.github.com/cilium/cilium-cli/pull/3176) - chore(deps): update all github action dependencies by [@renovate](https://redirect.github.com/renovate)\[bot] in [#3175](https://redirect.github.com/cilium/cilium-cli/pull/3175) - chore(deps): update go to v1.25.7 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#3178](https://redirect.github.com/cilium/cilium-cli/pull/3178) - chore(deps): update golangci/golangci-lint docker tag to v2.9.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#3179](https://redirect.github.com/cilium/cilium-cli/pull/3179) - chore(deps): update go to v1.26.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#3181](https://redirect.github.com/cilium/cilium-cli/pull/3181) - chore(deps): update docker/build-push-action action to v6.19.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#3180](https://redirect.github.com/cilium/cilium-cli/pull/3180) - chore(deps): update docker/build-push-action action to v6.19.2 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#3183](https://redirect.github.com/cilium/cilium-cli/pull/3183) - Prepare for v0.19.1 release by [@tklauser](https://redirect.github.com/tklauser) in [#3184](https://redirect.github.com/cilium/cilium-cli/pull/3184) #### New Contributors - [@ferozsalam](https://redirect.github.com/ferozsalam) made their first contribution in [#3174](https://redirect.github.com/cilium/cilium-cli/pull/3174) **Full Changelog**: <cilium/cilium-cli@v0.19.0...v0.19.1> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/lambchop4prez/network).

github-actions bot added cilium-cli This PR contains changes related with cilium-cli cilium-cli-exclusive This PR only impacts cilium-cli binary labels Dec 5, 2025

ldelossa force-pushed the ztunnel-e2e-tests branch 6 times, most recently from 5d5fd98 to d3b42b3 Compare December 18, 2025 13:59

ldelossa force-pushed the ztunnel-e2e-tests branch 2 times, most recently from cb3f08a to a222626 Compare January 7, 2026 20:13

ldelossa marked this pull request as ready for review January 8, 2026 17:15

ldelossa requested review from a team as code owners January 8, 2026 17:15

ldelossa requested review from Artyop and rgo3 January 8, 2026 17:15

ldelossa removed the request for review from a team February 4, 2026 17:13

ldelossa force-pushed the ztunnel-e2e-tests branch 2 times, most recently from e6573e2 to c2346e7 Compare February 9, 2026 18:14

joestringer approved these changes Feb 9, 2026

View reviewed changes

ldelossa force-pushed the ztunnel-e2e-tests branch from c2346e7 to 00bc800 Compare February 10, 2026 16:02

ldelossa added this pull request to the merge queue Feb 11, 2026

ldelossa removed this pull request from the merge queue due to a manual request Feb 11, 2026

ldelossa added 3 commits February 11, 2026 14:45

ci,ztunnel: add ztunnel cert script to actions

5aa14e9

Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

ldelossa force-pushed the ztunnel-e2e-tests branch from 00bc800 to 5aa14e9 Compare February 11, 2026 19:46

nddq approved these changes Feb 11, 2026

View reviewed changes

ldelossa added this pull request to the merge queue Feb 12, 2026

Merged via the queue into main with commit f0a331f Feb 12, 2026
629 of 638 checks passed

ldelossa deleted the ztunnel-e2e-tests branch February 12, 2026 03:52

glrf mentioned this pull request Feb 17, 2026

v1.19 Backports 2026-02-17 #44398

Merged

12 tasks

glrf added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Feb 17, 2026

github-actions bot added backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. and removed backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. labels Feb 19, 2026

Conversation

ldelossa commented Dec 5, 2025 • edited by rgo3 Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nddq commented Dec 9, 2025

Uh oh!

ldelossa commented Dec 9, 2025

Uh oh!

ldelossa commented Jan 7, 2026

Uh oh!

ldelossa commented Jan 7, 2026

Uh oh!

ldelossa commented Feb 9, 2026

Uh oh!

joestringer left a comment

Choose a reason for hiding this comment

Uh oh!

joestringer commented Feb 9, 2026

Uh oh!

Artyop commented Feb 10, 2026

Uh oh!

ldelossa commented Feb 10, 2026

Uh oh!

joestringer commented Feb 10, 2026

Uh oh!

ldelossa commented Feb 11, 2026

Uh oh!

ldelossa commented Feb 11, 2026

Uh oh!

ldelossa commented Feb 11, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

ldelossa commented Dec 5, 2025 •

edited by rgo3

Loading