workflows/ipsec: yet another fix for downgrade#41260
Merged
Conversation
In #40868, we observed no DNS traffic being recorded by the check-encryption-leaks.bt script when skipping Cilium version downgrade in IPv6-only cluster. This was true given the to-fqdn tests were run only if IPv4 was enabled. However, the fix landed in #40881 is not enough: the downgrade is skipped, but the chekc-encryption-leaks.bt script can be still run in DNS-assertion mode for clusters with IPv4-enabled. This would cause the script to throw an error if no DNS traffic is being recorded. Given we skip the whole downgrade tests, there is no guarantee that we see DNS traffic, given no CLI tests nor conn-disrupt tests run at that moment in time. There are two possible ways to fix that: 1. activate the DNS-assertion mode only when IPv4 is enabled (already doing this) AND when downgrade is not skipped. 2. skip the whole check-encryption-leaks.bt setup for the downgrade step when we're skipping downgrade (i.e., no tests would generate such traffic). This commit opts for (2). Fixes: #40868. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
Contributor
Author
|
/test |
pchaigno
approved these changes
Aug 19, 2025
Member
pchaigno
left a comment
There was a problem hiding this comment.
LGTM. Thanks for catching and fixing this!
17 tasks
schwarlex
pushed a commit
to la-demos/vcluster-workshop-prep
that referenced
this pull request
Feb 11, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | patch | `1.18.1` -> `1.18.2` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.2`](https://github.com/cilium/cilium/releases/tag/v1.18.2): 1.18.2 [Compare Source](cilium/cilium@1.18.1...1.18.2) ## Summary of Changes **Minor Changes:** - Fix validation bug where namespaced CiliumNetworkPolicies with nodeSelector in specs array were silently accepted but ignored. Now properly rejected with validation error. (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​40702](cilium/cilium#40702), [@​pillai-ashwin](https://github.com/pillai-ashwin)) - lbipam: do not reallocate IPs in LB IPAM on operator restart (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41147](cilium/cilium#41147), [@​marseel](https://github.com/marseel)) - lbipam: widening CIDR range or updating selector of CiliumLoadBalancerIPPool does no longer reassign IPs (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41122](cilium/cilium#41122), [@​marseel](https://github.com/marseel)) **Bugfixes:** - Add option to configure BGP origin attribute for LoadBalancer IPs in BGP Control Plane v2, allowing smoother migration from MetalLB integration. (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41231](cilium/cilium#41231), [@​hanapedia](https://github.com/hanapedia)) - Add toleration for 'node.cloudprovider.kubernetes.io/uninitialized' to Cilium Operator (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41098](cilium/cilium#41098), [@​guettli](https://github.com/guettli)) - bgpv2: Avoid modifying CiliumBGPPeerConfig in resource store (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41088](cilium/cilium#41088), [@​rastislavs](https://github.com/rastislavs)) - bpf: add support for delinearized ARP packets (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41233](cilium/cilium#41233), [@​vsinitsyn](https://github.com/vsinitsyn)) - ctmap/gc: continue interval time on partial GC pass. (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41258](cilium/cilium#41258), [@​tommyp1ckles](https://github.com/tommyp1ckles)) - Disable unnecessary headless service watching to reduce API server load in clusters not using the Gateway API or Ingress features. (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​40844](cilium/cilium#40844), [@​moscicky](https://github.com/moscicky)) - Fix "Error while correcting L4 checksum" dropped packets for ICMP destination unreachable error packets. (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​40194](cilium/cilium#40194), [@​br4243](https://github.com/br4243)) - Fix "No mapping for NAT masquerade" flakes in the CI, make NAT LRU fallbacks more robust. (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​40971](cilium/cilium#40971), [@​gentoo-root](https://github.com/gentoo-root)) - Fix --exclude-local-address with eBPF Host-Routing (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41275](cilium/cilium#41275), [@​antonipp](https://github.com/antonipp)) - Fix a BGP bug where the routerID specified in a CiliumBGPNodeConfigOverride was not correctly updated in RouterIDIPPool mode. (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​40340](cilium/cilium#40340), [@​liyihuang](https://github.com/liyihuang)) - Fix a bug that would cause NodePort requests to be sent to the wrong backends when using KPR and Clustermesh with two identical, non-global NodePort services on different clusters. (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41337](cilium/cilium#41337), [@​pchaigno](https://github.com/pchaigno)) - Fix a bug where cilium-agent would report "Link not found" for an endpoint deleted during state restore after cilium-agent restart. (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​40568](cilium/cilium#40568), [@​fristonio](https://github.com/fristonio)) - Fix a regression where enabling unknown Hubble metrics would crash the cilium agent (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41368](cilium/cilium#41368), [@​devodev](https://github.com/devodev)) - Fix agent config initContainer unable to hit apiservers in apiServerURLs by passing as container arg (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41110](cilium/cilium#41110), [@​JJGadgets](https://github.com/JJGadgets)) - Fix bug that would cause error messages when disabling agent health checks (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41297](cilium/cilium#41297), [@​HadrienPatte](https://github.com/HadrienPatte)) - Fix issue in Local Redirect Policies where traffic was dropped when no local pods were available to be redirected to. In these scenarios the traffic should have been processed as if the Local Redirect Policy did not exist. (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41463](cilium/cilium#41463), [@​joamaki](https://github.com/joamaki)) - Fix issue where Local Redirect Policy (LRP) services with a single named port did not create a local redirect service entry. (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41534](cilium/cilium#41534), [@​aditighag](https://github.com/aditighag)) - Fix the bug local redirect policy not doing filter based destination port (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41411](cilium/cilium#41411), [@​liyihuang](https://github.com/liyihuang)) - Fixes a cosmetic bug where the cilium\_bpf\_map\_ops\_total error count was incorrectly being incremented for map cilium\_lb\_affinity\_match. (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41378](cilium/cilium#41378), [@​squeed](https://github.com/squeed)) - Fixes an issue in NodeManager where restored cluster nodes can be pruned before the initial node listing completes. (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41039](cilium/cilium#41039), [@​0xch4z](https://github.com/0xch4z)) - Helm: Ensure consistent default labels for all ServiceMonitor resources (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41240](cilium/cilium#41240), [@​baurmatt](https://github.com/baurmatt)) - iptables: Fix IPv6 SNAT for L7 proxy upstream traffic (Backport PR [#​41249](cilium/cilium#41249), Upstream PR [#​41034](cilium/cilium#41034), [@​gentoo-root](https://github.com/gentoo-root)) - loadbalancer/writer: add support for SetIsServiceHealthCheckedFunc (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41092](cilium/cilium#41092), [@​mhofstetter](https://github.com/mhofstetter)) - neighbor: Fix bug where neighbor discovery subsystem reports unhealthy when it is healthy (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41186](cilium/cilium#41186), [@​mhofstetter](https://github.com/mhofstetter)) - pkg/ipam: fix nil dereference during pool shrink operation (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41198](cilium/cilium#41198), [@​alimehrabikoshki](https://github.com/alimehrabikoshki)) - policy: fix agent crash due to policy cache update-delete race (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41079](cilium/cilium#41079), [@​fristonio](https://github.com/fristonio)) **CI Changes:** - .github/actions: fix boolean condition check in post-logic action (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41395](cilium/cilium#41395), [@​aanm](https://github.com/aanm)) - .github/worfklows: copy cilium-cli binary from container (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41524](cilium/cilium#41524), [@​aanm](https://github.com/aanm)) - .github/workflows: add proper suffix for scale-test-egw (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41477](cilium/cilium#41477), [@​aanm](https://github.com/aanm)) - .github/workflows: add timeout to Install node local DNS step (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41120](cilium/cilium#41120), [@​aanm](https://github.com/aanm)) - .github/workflows: separate feature json files in different dirs (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41403](cilium/cilium#41403), [@​aanm](https://github.com/aanm)) - .github/workflows: simplify ginkgo workflow (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41396](cilium/cilium#41396), [@​aanm](https://github.com/aanm)) - .github/workflows: simplify ginkgo workflow (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41396](cilium/cilium#41396), [@​aanm](https://github.com/aanm)) - .github: fix upload artifacts for features.json (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41119](cilium/cilium#41119), [@​aanm](https://github.com/aanm)) - add missing extraArgs in CI (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41005](cilium/cilium#41005), [@​aanm](https://github.com/aanm)) - checkpatch: bump checkpatch version, and minor adaptations (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41290](cilium/cilium#41290), [@​giorio94](https://github.com/giorio94)) - ci: Re-enable go caches for privileged tests (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41102](cilium/cilium#41102), [@​rastislavs](https://github.com/rastislavs)) - ci: simplify scheduled test (Backport PR [#​41262](cilium/cilium#41262), Upstream PR [#​41261](cilium/cilium#41261), [@​brlbil](https://github.com/brlbil)) - Fix multiple workflows with missing features and steps (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41398](cilium/cilium#41398), [@​aanm](https://github.com/aanm)) - gh: e2e-upgrade: skip even more steps when not downgrading (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41468](cilium/cilium#41468), [@​julianwiedmann](https://github.com/julianwiedmann)) - gha: run checkpatch check only on PR events (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41308](cilium/cilium#41308), [@​giorio94](https://github.com/giorio94)) - ipsec: fix xfrm privileged tests (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41279](cilium/cilium#41279), [@​smagnani96](https://github.com/smagnani96)) - node:tests: fix privileged ([#​41281](cilium/cilium#41281), [@​smagnani96](https://github.com/smagnani96)) - operator/bgpv2: Avoid race in TestRouterIDAllocation test (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41499](cilium/cilium#41499), [@​rastislavs](https://github.com/rastislavs)) - pkg/metrics: define default CIDR policies values (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41422](cilium/cilium#41422), [@​aanm](https://github.com/aanm)) - testutils: differentiate {Test,Benchmark}Privileged and fix benchmarks (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41007](cilium/cilium#41007), [@​smagnani96](https://github.com/smagnani96)) - workflows/ipsec: yet another fix for downgrade (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41260](cilium/cilium#41260), [@​smagnani96](https://github.com/smagnani96)) **Misc Changes:** - .github/workflows: add step 5 as part of the image build process (Backport PR [#​41177](cilium/cilium#41177), Upstream PR [#​41113](cilium/cilium#41113), [@​aanm](https://github.com/aanm)) - bpf: fix svc annotation handling (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41310](cilium/cilium#41310), [@​borkmann](https://github.com/borkmann)) - bpf: wireguard: re-add IPv6 fragment check in from-wireguard (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41451](cilium/cilium#41451), [@​julianwiedmann](https://github.com/julianwiedmann)) - build-images-release: specify main branch on reusable jobs (Backport PR [#​41177](cilium/cilium#41177), Upstream PR [#​41530](cilium/cilium#41530), [@​aanm](https://github.com/aanm)) - checkpatch: Update image digest (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41360](cilium/cilium#41360), [@​HadrienPatte](https://github.com/HadrienPatte)) - chore(deps): update actions/labeler action to v6.0.1 (v1.18) ([#​41565](cilium/cilium#41565), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#​41351](cilium/cilium#41351), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#​41660](cilium/cilium#41660), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#​41126](cilium/cilium#41126), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#​41350](cilium/cilium#41350), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#​41439](cilium/cilium#41439), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#​41509](cilium/cilium#41509), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#​41612](cilium/cilium#41612), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v32.1 (v1.18) ([#​41659](cilium/cilium#41659), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.6 docker digest to [`714ad64`](cilium/cilium@714ad64) (v1.18) ([#​41349](cilium/cilium#41349), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.6 docker digest to [`8d9e57c`](cilium/cilium@8d9e57c) (v1.18) ([#​41437](cilium/cilium#41437), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.7 docker digest to [`5e9d14d`](cilium/cilium@5e9d14d) (v1.18) ([#​41656](cilium/cilium#41656), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.24.7 (v1.18) ([#​41566](cilium/cilium#41566), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 \[security] (v1.18) ([#​41319](cilium/cilium#41319), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.6-1756960514-59def10827e2fdea04b289bb00128526bde9d3c1 (v1.18) ([#​41516](cilium/cilium#41516), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.6-1757072375-ebd79127b3d1f27212d5426619daccdd15ad9e28 (v1.18) ([#​41567](cilium/cilium#41567), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.7-1757592137-1a52bb680a956879722f48c591a2ca90f7791324 (v1.18) ([#​41657](cilium/cilium#41657), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#​41438](cilium/cilium#41438), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#​41658](cilium/cilium#41658), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - ci: Update workflow permissions (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41383](cilium/cilium#41383), [@​kyle-c-simmons](https://github.com/kyle-c-simmons)) - doc: use correct policy-default-local-cluster inspect command in example (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41118](cilium/cilium#41118), [@​Preisschild](https://github.com/Preisschild)) - docs: Add missing dsrDispatch parameter to annotation-based DSR examples (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​40873](cilium/cilium#40873), [@​gitsofaryan](https://github.com/gitsofaryan)) - docs: add table DSR Dispatch Mode following Routing Mode (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41431](cilium/cilium#41431), [@​alagoutte](https://github.com/alagoutte)) - docs: document portmap binary requirements (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41300](cilium/cilium#41300), [@​nbusseneau](https://github.com/nbusseneau)) - Fix release script steps (Backport PR [#​41177](cilium/cilium#41177), Upstream PR [#​41502](cilium/cilium#41502), [@​aanm](https://github.com/aanm)) - Helm: Only insert nodePort for cilium-ingress-service if specified (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41107](cilium/cilium#41107), [@​baurmatt](https://github.com/baurmatt)) - install: bump startup script version (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41299](cilium/cilium#41299), [@​Artyop](https://github.com/Artyop)) - kvstore: fix overly verbose debug log and error message (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41148](cilium/cilium#41148), [@​giorio94](https://github.com/giorio94)) - loadbalancer: Fixes to test flakes (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41085](cilium/cilium#41085), [@​joamaki](https://github.com/joamaki)) - Log kube-proxy replacement config before starting kube-proxy replacement (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41133](cilium/cilium#41133), [@​liyihuang](https://github.com/liyihuang)) - lower log severity for stale metadata to avoid CI issue (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41389](cilium/cilium#41389), [@​liyihuang](https://github.com/liyihuang)) - metrics/features: Fix counter metrics to use Set() instead of Add() (Backport PR [#​41479](cilium/cilium#41479), Upstream PR [#​41382](cilium/cilium#41382), [@​aanm](https://github.com/aanm)) - metrics/features: remove aws-vpc-cni (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41498](cilium/cilium#41498), [@​aanm](https://github.com/aanm)) - node/manager: Do not prune the local node on restart (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41544](cilium/cilium#41544), [@​joamaki](https://github.com/joamaki)) - Prevent `cilium-dbg` from panicing when `/sys` is not mounted (Backport PR [#​41365](cilium/cilium#41365), Upstream PR [#​41287](cilium/cilium#41287), [@​HadrienPatte](https://github.com/HadrienPatte)) - Support extending cilium-agent dnsPolicy as a downstream packager (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41010](cilium/cilium#41010), [@​devodev](https://github.com/devodev)) - Update all github action dependencies (v1.18) ([#​41216](cilium/cilium#41216), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - Update dependency protocolbuffers/protobuf to v32 (v1.18) ([#​41217](cilium/cilium#41217), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - Update docker.io/library/golang:1.24.6 Docker digest to [`a18e9e0`](cilium/cilium@a18e9e0) (v1.18) ([#​41214](cilium/cilium#41214), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - Update stable lvh-images (v1.18) (patch) ([#​41215](cilium/cilium#41215), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - workflows/conformance-ginkgo: fix steps for stable branches (Backport PR [#​41591](cilium/cilium#41591), Upstream PR [#​41599](cilium/cilium#41599), [@​aanm](https://github.com/aanm)) - xds: fix NACK logging after slog migration (Backport PR [#​41267](cilium/cilium#41267), Upstream PR [#​41171](cilium/cilium#41171), [@​mhofstetter](https://github.com/mhofstetter)) **Other Changes:** - \[v1.18] envoy: Start serving listeners only after clusters have been ACKed ([#​41605](cilium/cilium#41605), [@​jrajahalme](https://github.com/jrajahalme)) - docs: Add new IAM permissions requirements to upgrade notes ([#​41374](cilium/cilium#41374), [@​HadrienPatte](https://github.com/HadrienPatte)) - install: Update image digests for v1.18.1 ([#​41182](cilium/cilium#41182), [@​cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.18.2@​sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667` `quay.io/cilium/cilium:stable@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.18.2@​sha256:cd689a07bfc7622e812fef023cb277fdc695b60a960d36f32f93614177a7a0f6` `quay.io/cilium/clustermesh-apiserver:stable@sha256:cd689a07bfc7622e812fef023cb277fdc695b60a960d36f32f93614177a7a0f6` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.18.2@​sha256:be578aaae7274ef7155bd0a6d2f7c2d91085642aea4fdb24451ee9cab4ca2e5d` `quay.io/cilium/docker-plugin:stable@sha256:be578aaae7274ef7155bd0a6d2f7c2d91085642aea4fdb24451ee9cab4ca2e5d` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.18.2@​sha256:6079308ee15e44dff476fb522612732f7c5c4407a1017bc3470916242b0405ac` `quay.io/cilium/hubble-relay:stable@sha256:6079308ee15e44dff476fb522612732f7c5c4407a1017bc3470916242b0405ac` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.18.2@​sha256:612b1d94c179cd8ae239e571e96ebd95662bb5cccb62aacfdf79355aa9cdddc8` `quay.io/cilium/operator-alibabacloud:stable@sha256:612b1d94c179cd8ae239e571e96ebd95662bb5cccb62aacfdf79355aa9cdddc8` ##### operator-aws `quay.io/cilium/operator-aws:v1.18.2@​sha256:1cb856fbe265dfbcfe816bd6aa4acaf006ecbb22dcc989116a1a81bb269ea328` `quay.io/cilium/operator-aws:stable@sha256:1cb856fbe265dfbcfe816bd6aa4acaf006ecbb22dcc989116a1a81bb269ea328` ##### operator-azure `quay.io/cilium/operator-azure:v1.18.2@​sha256:9696e9b8219b9a5c16987e072eda2da378d42a32f9305375e56d7380a0c2ba8e` `quay.io/cilium/operator-azure:stable@sha256:9696e9b8219b9a5c16987e072eda2da378d42a32f9305375e56d7380a0c2ba8e` ##### operator-generic `quay.io/cilium/operator-generic:v1.18.2@​sha256:cb4e4ffc5789fd5ff6a534e3b1460623df61cba00f5ea1c7b40153b5efb81805` `quay.io/cilium/operator-generic:stable@sha256:cb4e4ffc5789fd5ff6a534e3b1460623df61cba00f5ea1c7b40153b5efb81805` ##### operator `quay.io/cilium/operator:v1.18.2@​sha256:0f234ce2ab0f30c09f4f9fe1b9c6323f0c6b66d789bef5e958fce7cff85960f3` `quay.io/cilium/operator:stable@sha256:0f234ce2ab0f30c09f4f9fe1b9c6323f0c6b66d789bef5e958fce7cff85960f3` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMjcuMiIsInVwZGF0ZWRJblZlciI6IjQxLjEyNy4yIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=--> Reviewed-on: https://kubara.git.onstackit.cloud/STACKIT/kubara/pulls/78
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In #40868, we observed no DNS traffic being recorded by the check-encryption-leaks.bt script when skipping Cilium version downgrade in IPv6-only cluster. This was true given the to-fqdn tests were run only if IPv4 was enabled. However, the fix landed in #40881 is not enough: the downgrade is skipped, but the chekc-encryption-leaks.bt script can be still run in DNS-assertion mode for clusters with IPv4-enabled. This would cause the script to throw an error if no DNS traffic is being recorded. Given we skip the whole downgrade tests, there is no guarantee that we see DNS traffic, given no CLI tests nor conn-disrupt tests run at that moment in time.
There are two possible ways to fix that:
This commit opts for (2).
An example of the issue being still present: https://github.com/cilium/cilium/actions/runs/17046381531/job/48323205922.
Fixes: #40868.