v1.19 Backports 2026-02-17 #44398

Merged
gandro merged 19 commits into v1.19 from pr/v1.19-backport-2026-02-17-09-47
Feb 19, 2026
glrf (Contributor) commented Feb 17, 2026

PRs skipped due to conflicts:

Once this PR is merged, a GitHub action will update the labels of these PRs:

 44283 44282 43902 44286 44299 44302 44294 43166 44204 44264 44228 44380

glrf added the kind/backports and backport/1.19 labels Feb 17, 2026

giorio94 (Member) left a comment

Thanks!

glrf (Contributor Author) commented Feb 17, 2026

/test

glrf (Contributor Author) commented Feb 17, 2026

The ZTunnel E2E tests seem very unhappy 😕 @ldelossa did I do something wrong with your PR?

ldelossa (Contributor) commented

@glrf resolved conflicts (dropped cilium-cli changes because cilium-cli is not in stable branches)

The ztunnel tests are failing because the CLI updates that enable them are missing, since they were dropped.

How are CLI changes typically backported? I was under the impression the CI will use the latest cilium cli for testing, but I guess this is wrong.

glrf force-pushed the pr/v1.19-backport-2026-02-17-09-47 branch from 37ee25e to 265348b February 18, 2026 07:42

glrf (Contributor Author) commented Feb 18, 2026

> I was under the impression the CI will use the latest cilium cli for testing, but I guess this is wrong.

That was also my impression. But I guess for stable branches we use the latest released version? I bumped it in the workflow. Let's see if that helps

glrf (Contributor Author) commented Feb 18, 2026

/test

giorio94 (Member) commented

> But I guess for stable branches we use the latest released version?

Yep, that's the case.

glrf (Contributor Author) commented Feb 18, 2026

Welp. I upgraded the workflow to cilium v0.19.1, which has the ztunnel tests (https://github.com/cilium/cilium-cli/releases/tag/v0.19.1), but CI is still very unhappy 😕

Ah the actual version is set in ${{ env.CILIUM_CLI_VERSION }}. So let's rebase. That should fix it 🤞

aanm and others added 11 commits February 18, 2026 11:32
…leanup leaked IAM roles

[ upstream commit 98aeae6 ]

When multiple parallel jobs generate cluster names within the same
second, they can produce identical names since the timestamp has only
1-second precision. This causes CloudFormation stack creation to fail
with "AlreadyExistsException", leaving orphaned IAM roles behind.

This commit adds a random suffix to cluster names to prevent race conditions
and enhances the failure cleanup step to delete CloudFormation stacks and orphaned
IAM roles when cluster creation fails.

Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit fbabd89 ]

This message was modified in k8s 1.35.0, therefore we should update the
list of messages that can be ignored in our CI.

Signed-off-by: André Martins <andre@cilium.io>

[ upstream commit 70d7751 ]

Use slotID instead of loop index when setting backend slots to avoid
gaps when maintenance backends are skipped.

Signed-off-by: Aman-Cool <aman017102007@gmail.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit 19029b8 ]

This commit fixes stale ProxyRedirect reads in the health server by reloading Service
state from the services table on each request. This prevents incorrect
local endpoint counts when Envoy redirect state changes after the
listener is created (which is the case).

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit 94a64cb ]

This commit fixes two issues with mcs-api doc:
- a simple typo on the enabled keyword
- change the code-block in parsed-literal as the |SCM_WEB| "variable"
  was not evaluated/replaced in the final doc with a code-block

Signed-off-by: Arthur Outhenin-Chalandre <git@mrfreezeex.fr>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit e91ec2c ]

Signed-off-by: darox <maderdario@gmail.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit a6f5887 ]

Signed-off-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit cd97578 ]

add missing backslash for install with Cilium CLI

Signed-off-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit 7d2de0f ]

Add a new GitHub Actions workflow to run end-to-end tests for ztunnel
encryption in Cilium.

The new /ci-ztunnel-e2e trigger is added to the Ariane configuration,
pointing to the newly created conformance-ztunnel-e2e.yaml workflow
file.

Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit f0a331f ]

Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit 2df56ae ]

Up until now, the page title had been "Layer 3 Examples", which is
a section headline and confusing, since it is among other examples.
Splitting up into several pages, similar to `network/kubernetes/`,
keeps the ToC as it is, and makes it easier to navigate compared to
the lengthy page it was, while also giving each page a suitable
headline.
Since examples are mixed with the language specification, change
headings from "Layer 3 Examples" to "Layer 3 Policies", etc.
Drop the old page and redirect to the overview to keep links working.

Signed-off-by: Daniel Maslowski <info@orangecms.org>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

giorio94 and others added 8 commits February 18, 2026 11:32
[ upstream commit b9d4f56 ]

Update the TestResource_WithFakeClient test to correctly specify the
expected resource version during updates, in preparation for extending
the fake client to actually enforce optimistic concurrency control.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit 7e208fa ]

Update the TestUpdatePodLabels test to correctly specify the expected
resource version during updates, in preparation for extending the fake
client to actually enforce optimistic concurrency control.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit 48104f2 ]

Update the bgp tests to correctly specify the expected resource version
during updates, in preparation for extending the fake client to actually
enforce optimistic concurrency control.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit 4c4c8e9 ]

Update the UpdateObjects helper to use the [ObjectTracker.Patch],
instead of [ObjectTracker.Update], in preparation for the subsequent
commit that will make the latter implement optimistic concurrency
control, and validate resource version mismatches, which is not
required in this context.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit 87e01da ]

Currently, the object tracker is affected by a bug that causes the
resource version to not be set on creation or update if the object
does not have the [metav1.TypeMeta] set. Indeed, in that case, the
function updating the TypeMeta creates a deep copy of the object,
causing operations performed via [meta.Accessor] to act on the old
copy, and not have effect. Let's get this fixed by changing the
[fillTypeMetaIfNeeded] function to not create a deep copy, given
that it already operates on a copy of the original object.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit 8f41218 ]

Currently, the statedb object tracker backing the fake kubernetes client
used for testing purposes does not respect resource versioning, and allows
update operations to succeed regardless of the provided resource version.
While convenient for the `k8s/update` command itself, this approach is
problematic in case of controllers acting on the same resources, as it
can lead to objects being unexpectedly reverted to incorrect versions,
due to the missing optimistic concurrency control.

Let's get this fixed by extending the update implementation to additionally
compare the resource version of the stored and provided objects, and reject
the update in case they do not match, as the real Kubernetes API Server
would do. By default, the k8s/update command still ignores the provided
resource version, letting the update succeed regardless: this matches the
desired behavior in the vast majority of the tests, and avoids the need
for complex operations to set the expected resource version. Still, if
necessary, the stricter behavior can be enabled via the dedicated flag.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>
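
The resource version check described in the commit message above, as an added Go example that is not part of this PR or of Cilium's code. `Object`, `Tracker`, `ErrConflict` and `TwoControllers` are hypothetical names, and the store is a simplified single-object model, not the statedb object tracker.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Object is a hypothetical, minimal stand-in for a Kubernetes object.
type Object struct{ Name, ResourceVersion, Owner, Phase string }
var ErrConflict = errors.New("conflict: resource version mismatch")

// Tracker is a hypothetical single-object store; Strict enables the check.
type Tracker struct {
	Strict bool
	rev    int
	cur    Object
}

// Update stores o under the next version unless Strict is set and o is stale.
func (t *Tracker) Update(o Object) error {
	if t.Strict && o.ResourceVersion != t.cur.ResourceVersion {
		return ErrConflict
	}
	t.rev++
	o.ResourceVersion = strconv.Itoa(t.rev)
	t.cur = o
	return nil
}

// TwoControllers replays a constructed race between two writers of one object.
func TwoControllers(strict bool) (final Object, conflicts int) {
	t := &Tracker{Strict: strict, rev: 1, cur: Object{Name: "pod-a", ResourceVersion: "1"}}
	a, b := t.cur, t.cur // both controllers read version 1
	a.Owner = "controller-a"
	t.Update(a) // based on the stored version: accepted in both modes
	b.Phase = "Ready"
	if err := t.Update(b); errors.Is(err, ErrConflict) {
		conflicts++
		b = t.cur // re-read, reapply the change, retry
		b.Phase = "Ready"
		t.Update(b)
	}
	return t.cur, conflicts
}

func main() {
	fmt.Println(TwoControllers(false)) // lax: controller-a's write is lost
	fmt.Println(TwoControllers(true))  // strict: one conflict, both writes kept
}
```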

[ upstream commit 8c6252f ]

Currently, multiple script tests are intended to validate that no
goroutines are leaked once the tests end, deferring the invocation
of the dedicated [testutils.GoleakVerifyNone] function. However,
the underlying [goleak.VerifyNone] utility is incompatible with
t.Parallel [1], which is set by default by script tests, and no
check is actually performed.

Let's get this fixed by using [goleak.VerifyTestMain] instead, as
also suggested by goleak documentation itself. This commit fixes all
occurrences spotted via:

$ git grep -l GoleakVerifyNone | xargs grep -l testdata

It is worth additionally mentioning that:

* GoleakVerifyTestMain was already invoked in the redirectpolicy
  package, and is thus not added;
* The functions previously ignored in the devices_controller tests
  do not appear to be necessary anymore, and have been omitted; yet,
  we need to additionally ignore one metrics related goroutine that
  is otherwise flagged when IPSec is enabled;
* One of the script tests in the route/reconciler package did not
  correctly stop the hive, causing a few goroutines to be leaked.

Ideally we should have a linter to catch this problem directly
in CI, but that's deferred for the future.

[1]: https://pkg.go.dev/go.uber.org/goleak#VerifyNone

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

[ upstream commit b5709df ]

|CHART_VERSION| already expands to '--version <release>'.
Removing the extra literal --version before |CHART_VERSION| so the
rendered CLI is correct (e.g. single '--version 1.19.0').

Signed-off-by: Ghassan Malke <ghassan+github@malke.nl>
Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com>

glrf force-pushed the pr/v1.19-backport-2026-02-17-09-47 branch from 265348b to 2ee392c February 18, 2026 10:33

glrf (Contributor Author) commented Feb 18, 2026

/test

glrf marked this pull request as ready for review February 18, 2026 12:40
glrf requested review from a team as code owners February 18, 2026 12:40

ldelossa (Contributor) commented Feb 18, 2026

"[PATCH] .github/workflows: eks-cluster-pool-manager: fix race" has no obvious style problems and is ready for submission.

NOTE: Ignored message types: BIT_MACRO C99_COMMENT_TOLERANCE COMMIT_LOG_LONG_LINE COMMIT_MESSAGE COMPLEX_MACRO CONSTANT_CONVERSION CONST_STRUCT EMAIL_SUBJECT FILE_PATH_CHANGES FROM_SIGN_OFF_MISMATCH GIT_COMMIT_ID JIFFIES_COMPARISON LEADING_SPACE LONG_LINE_COMMENT MACRO_ARG_REUSE MACRO_WITH_FLOW_CONTROL MULTISTATEMENT_MACRO_USE_DO_WHILE NOT_UNIFIED_DIFF PRINTK_WITHOUT_KERN_LEVEL TRAILING_SEMICOLON TRAILING_STATEMENTS VOLATILE
Error: ERROR:CUSTOM: Please avoid long commit subjects (max: 75, found: 92)

Failing bpf checks. Wonder how that slipped thru HEAD.

ldelossa (Contributor) left a comment

ztunnel changes look good! thanks for handling that bit of confusion.

gandro (Member) commented Feb 19, 2026

> "[PATCH] .github/workflows: eks-cluster-pool-manager: fix race" has no obvious style problems and is ready for submission.
>
> NOTE: Ignored message types: BIT_MACRO C99_COMMENT_TOLERANCE COMMIT_LOG_LONG_LINE COMMIT_MESSAGE COMPLEX_MACRO CONSTANT_CONVERSION CONST_STRUCT EMAIL_SUBJECT FILE_PATH_CHANGES FROM_SIGN_OFF_MISMATCH GIT_COMMIT_ID JIFFIES_COMPARISON LEADING_SPACE LONG_LINE_COMMENT MACRO_ARG_REUSE MACRO_WITH_FLOW_CONTROL MULTISTATEMENT_MACRO_USE_DO_WHILE NOT_UNIFIED_DIFF PRINTK_WITHOUT_KERN_LEVEL TRAILING_SEMICOLON TRAILING_STATEMENTS VOLATILE
> Error: ERROR:CUSTOM: Please avoid long commit subjects (max: 75, found: 92)
>
> Failing bpf checks. Wonder how that slipped thru HEAD.

Checkpatch is not a required workflow. This is why we allow PRs to be merged even if checkpatch complains.


All required CI is green and conflicting PRs have been reviewed by their authors. Merging.

gandro added this pull request to the merge queue Feb 19, 2026
Merged via the queue into v1.19 with commit f1d9ce9 Feb 19, 2026
508 of 511 checks passed
gandro deleted the pr/v1.19-backport-2026-02-17-09-47 branch February 19, 2026 08:42