Skip to content

Envoy: Cancel completions on proxy listeners removal#44597

Merged
jrajahalme merged 2 commits intocilium:mainfrom
jrajahalme:cancel-completions-on-proxy-listeners-removal-main
Mar 16, 2026
Merged

Envoy: Cancel completions on proxy listeners removal#44597
jrajahalme merged 2 commits intocilium:mainfrom
jrajahalme:cancel-completions-on-proxy-listeners-removal-main

Conversation

@jrajahalme
Copy link
Copy Markdown
Member

@jrajahalme jrajahalme commented Mar 2, 2026

Cancel Network Policy completions when the last proxy listener is removed. This prevents hanging policy update waits in situations where it is known that the NPDS client has been stopped, and that no further ACKs or NACKs are to be received. Any pending completions are cancelled with nil error, as the NPDS cache updaters have no way of reacting to the listeners being removed. NPDS cache is still being updated for the eventual restart of the NPDS client when a new proxy listener is added.

Mock metrics had ACK/NACK reversed, this is now fixed.

Fixes: #44543

Fixed ipcache identity update hang when last proxy listener is removed.

@jrajahalme jrajahalme requested a review from a team as a code owner March 2, 2026 17:25
@jrajahalme jrajahalme requested a review from sayboras March 2, 2026 17:25
@jrajahalme jrajahalme added kind/bug This is a bug in the Cilium logic. area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. affects/v1.16 This issue affects v1.16 branch needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Mar 2, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 2, 2026
@jrajahalme
Copy link
Copy Markdown
Member Author

jrajahalme commented Mar 2, 2026

/test

@jrajahalme jrajahalme added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Mar 3, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 3, 2026
@jrajahalme jrajahalme changed the title Cancel completions on proxy listeners removal Envoy: Cancel completions on proxy listeners removal Mar 3, 2026
sayboras
sayboras approved these changes Mar 13, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@sayboras sayboras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah nice test 💯

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 13, 2026
@jrajahalme jrajahalme added this pull request to the merge queue Mar 13, 2026
@jrajahalme jrajahalme added the backport/author The backport will be carried out by the author of the PR. label Mar 13, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to a conflict with the base branch Mar 13, 2026
@jrajahalme
xds: add cancel metric
5f36852 
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
envoy: Cancel Network Policy completions on last proxy listener removal
6a0e040 
Cancel Network Policy completions when the last proxy listener is
removed. This prevents hanging policy update waits in situations where it
is known that the NPDS client has been stopped, and that no further ACKs
or NACKs are to be received. Any pending completions are cancelled with
nil error, as the NPDS cache updaters have no way of reacting to the
listeners being removed. NPDS cache is still being updated for the
eventual restart of the NPDS client when a new proxy listener is added.

Mock metrics had ACK/NACK reversed, this is now fixed.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the cancel-completions-on-proxy-listeners-removal-main branch from 2177436 to 6a0e040 Compare March 16, 2026 15:42
@jrajahalme
Copy link
Copy Markdown
Member Author

jrajahalme commented Mar 16, 2026

rebased to fix merge conflicts

@jrajahalme
Copy link
Copy Markdown
Member Author

jrajahalme commented Mar 16, 2026

/test

@jrajahalme jrajahalme enabled auto-merge March 16, 2026 15:43
@cilium-ariane
Copy link
Copy Markdown

cilium-ariane bot commented Mar 16, 2026

/test

@jrajahalme jrajahalme added this pull request to the merge queue Mar 16, 2026
Merged via the queue into cilium:main with commit e0c4554 Mar 16, 2026
78 of 79 checks passed
@jrajahalme jrajahalme deleted the cancel-completions-on-proxy-listeners-removal-main branch March 16, 2026 19:05
@jrajahalme jrajahalme mentioned this pull request Mar 17, 2026
Merged
@viktor-kurchenko viktor-kurchenko mentioned this pull request Mar 30, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sayboras sayboras sayboras approved these changes

Assignees

No one assigned

Labels

affects/v1.16 This issue affects v1.16 branch area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. backport/author The backport will be carried out by the author of the PR. kind/bug This is a bug in the Cilium logic. needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

identity updater is wedged forever when missing NPDS ack from envoy

3 participants

@jrajahalme @sayboras @msune