Fix ingress reconciliation errors when host network is enabled

[rtheobald]

Previously the ingress annotation code for the external traffic policy was returning Cluster as a default. This would cause a reconciliation error when using the host network and prevent the service from being created:

failed to create or update Service: Service "cilium-ingress-basic-ingress" is invalid: spec.externalTrafficPolicy: Invalid value: "Cluster": may only be set for externally-accessible services

For the service to work in this mode, there should be no external traffic policy.

To support this, the ingress service template also had to be adjusted to check the host network flag before setting the policy.

Fixes an error where the Ingress controller, when run in host network, created an invalid Service.

Fixes: #34028

[parlakisik]

This issue happens in 1.17.x . it should be backported to 1.17 too

[youngnick]

Thanks for this fix @rtheobald

[squeed]

/test

[rtheobald]

I have a fix for the integration test. I am just looking to run the conformance tests locally to figure out what is happening there.

[dylandreimerink]

/test

[rtheobald]

For the first failing test, Cilium E2E Upgrade (ci-e2e-upgrade), it is setting this helm value underlayProtocol=ipv6 but the fatal error when bringing up Cilium agent indicates that WireGuard requires an IPv4 underlay:

2025-07-14T10:45:58.405297719Z time=2025-07-14T10:45:58.405064359Z level=fatal source=/go/src/github.com/cilium/cilium/pkg/logging/slog.go:159 msg="unable to run agent: failed to start: daemon creation failed: WireGuard requires an IPv4 underlay\nfailed to stop: unable to find controller ipcache-inject-labels" subsys=daemon

The second one, Conformance IPsec E2E (ci-ipsec-e2e), the Setup & Test (ipsec-7, 5.15-...) test seems to have been cancelled after an hour of run time. Not sure if that was scripted or an operator intervened.

The third failing test Conformance Runtime (ci-runtime) seems to be trying to run make for a target that doesn't exist in the makefile:

make: *** No rule to make target 'tests-privileged-only'. Stop. Error: Process completed with exit code 2.

[joestringer]

At least some of those failures I have seen in the past when we change something in the CI on the main branch but the PR is based on an older commit. As a step forward I would suggest rebasing against the latest main, force push, then we can retrigger the tests to see if any new failures occur.

[joestringer]

/test

[rtheobald]

Cilium Cluster Mesh upgrade (ci-clustermesh): Failed Upgrade and Downgrade Test (4, wireguard, iptables, false, 511, cluster) due to errors in the log when an lxd link for endpoint kube-system/clustermesh-apiserver-c49bff577-zrvmv could not be found after an upgrade

Conformance Cluster Mesh (ci-clustermesh): Failed installing Cilium on the second cluster because a port was already allocated on the host system:
Error: Unable to install Cilium: failed to create resource: Service "clustermesh-apiserver" is invalid: spec.ports[0].nodePort: Invalid value: 32380: provided port is already allocated

Conformance Gateway API (ci-gateway-api): Failed Gateway API Conformance Test (standard, false, ipsec) for MeshHTTPRouteMatching, MeshHTTPRouteQueryParamMatching and MeshHTTPRouteRedirectHostAndStatus as no pods were found. This had the egress gateway enabled

[joestringer]

/test

[joestringer]

Thanks for triaging those failures. If they're affecting the tree we might want to check if there are existing CI issues filed for those so we can follow up. At a glance they seem unrelated to this PR.

[joestringer]

/test