Add L7 policy traffic disruption tests by fristonio · Pull Request #42150 · cilium/cilium

fristonio · 2025-10-13T07:18:15Z

Dependency: cilium/test-connection-disruption#16

This PR adds a new flag to cilium-cli to run L7 traffic disruption tests as part of upgrade tests that validate connections are not interrupted. Currently it covers HTTP traffic with a L7 policy.
The check can be enabled with --include-conn-disrupt-test-l7-traffic flag.

Currently cilium-envoy restarts are not hitless, so this check fails for full cilium upgrade(which includes a proxy restart). This PR updates the ci-e2e-upgrade workflow to add steps for running conn-disrupt-test during cilium-agent restart. We expect L7 policy and traffic to not be impacted during just cilium-agent restart.

fristonio · 2025-10-13T07:59:05Z

/ci-e2e-upgrade

fristonio · 2025-10-15T16:18:04Z

/ci-e2e-upgrade

fristonio · 2025-10-15T17:36:55Z

/ci-e2e-upgrade

fristonio · 2025-10-20T17:31:53Z

/ci-e2e-upgrade

fristonio · 2025-10-21T20:53:29Z

/ci-e2e-upgrade

fristonio · 2025-10-29T16:36:37Z

/ci-e2e-upgrade

fristonio · 2025-10-29T17:22:36Z

/ci-e2e-upgrade

fristonio · 2025-10-29T18:27:21Z

/ci-e2e-upgrade

cilium-cli/defaults/defaults.go

github-actions · 2025-11-29T02:07:49Z

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

fristonio · 2025-12-08T03:17:25Z

/ci-e2e-upgrade

fristonio · 2025-12-08T09:57:23Z

/test

This commit adds a new flag to cilium-cli to run L7 traffic disruption tests. The check is added as part of existing connection disruption check and can be enabled(disabled by default) using `--include-conn-disrupt-test-l7-traffic` flag. The check is enabled only when envoy runs as external deployment and L7 proxy is enabled. The check creates a CNP with L7 http policy on server pods. Clients connect to these server pods and continuously make http requests exiting in case of failure. Following paths are verified: * Server Endpoint IPv4 * Server Endpoint IPv6 * Server k8s service DNS Signed-off-by: Deepesh Pathak <[email protected]>

This commit extends e2e upgrade workflow to add a step valdiating connection and L7 policy traffic disruption on cilium-agent restart. Signed-off-by: Deepesh Pathak <[email protected]>

fristonio · 2025-12-09T01:27:21Z

/test

smagnani96

Changes LGTM, thanks!
Just left a comment to address my lack of knowledge and make sure I'm aligned.

cilium-cli/connectivity/check/features.go

odinuge · 2025-12-11T13:11:15Z

fysa this required all other PRs to be rebased to pass the tests. Would be great if next time this could be introduced in a way that didn't require all PRs to be rebased to pass tests. Hit it in #43237. Breaking 1-2-3-4 week old branches feels fine, but if these happen often, its very painful to get things into a mergable state. 😄

fristonio · 2025-12-11T18:59:57Z

Thanks for the input @odinuge. I didn't realize that.
But yeah, seems like this would happen every time a cilium cli change is made along with a workflow that consumes that change. For PRs from forks, we pick the workflow definition from stable branch(eg. main-ce) but cilium-cli is from the build of PR HEAD.
I guess we should always first merge cilium-cli change and only later update the workflow that consume that change. I will bring this up in the next community meeting to discuss.

This commit disables workflow errors for flaky l7 connection disruption tests during agent restarts, introduced as part of cilium#42150 Signed-off-by: Deepesh Pathak <[email protected]>

This commit disables workflow errors for flaky l7 connection disruption tests during agent restarts, introduced as part of #42150 Signed-off-by: Deepesh Pathak <[email protected]>

[ upstream commit 53c671e ] This commit disables workflow errors for flaky l7 connection disruption tests during agent restarts, introduced as part of #42150 Signed-off-by: Deepesh Pathak <[email protected]> Signed-off-by: Marco Hofstetter <[email protected]>

[ upstream commit 53c671e ] This commit disables workflow errors for flaky l7 connection disruption tests during agent restarts, introduced as part of cilium#42150 Signed-off-by: Deepesh Pathak <[email protected]> Signed-off-by: Marco Hofstetter <[email protected]>

fristonio added release-note/ci This PR makes changes to the CI. cilium-cli This PR contains changes related with cilium-cli labels Oct 13, 2025

fristonio force-pushed the pr/fristonio/ci/l7-traffic-disruption branch 2 times, most recently from bc768db to 0a1fbe0 Compare October 15, 2025 15:52

fristonio force-pushed the pr/fristonio/ci/l7-traffic-disruption branch from 0a1fbe0 to 7b76082 Compare October 15, 2025 17:04

fristonio force-pushed the pr/fristonio/ci/l7-traffic-disruption branch from 7b76082 to cffd930 Compare October 20, 2025 17:23

fristonio force-pushed the pr/fristonio/ci/l7-traffic-disruption branch from cffd930 to 3aa0efb Compare October 21, 2025 19:10

fristonio force-pushed the pr/fristonio/ci/l7-traffic-disruption branch from 7a202ef to a19dce4 Compare October 29, 2025 17:10

fristonio force-pushed the pr/fristonio/ci/l7-traffic-disruption branch from a19dce4 to b9ffbdb Compare October 29, 2025 18:23

fristonio mentioned this pull request Oct 29, 2025

Add http client and server implementation cilium/test-connection-disruption#16

Merged

fristonio commented Oct 29, 2025

View reviewed changes

cilium-cli/defaults/defaults.go Outdated Show resolved Hide resolved

github-actions bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Nov 29, 2025

fristonio removed the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Dec 1, 2025

fristonio force-pushed the pr/fristonio/ci/l7-traffic-disruption branch 3 times, most recently from 53f5f4e to 7388cb6 Compare December 8, 2025 03:02

fristonio marked this pull request as ready for review December 8, 2025 20:57

fristonio requested review from a team as code owners December 8, 2025 20:57

fristonio requested a review from a team as a code owner December 8, 2025 20:57

fristonio requested review from asauber, nebril, smagnani96 and viktor-kurchenko December 8, 2025 20:57

fristonio added 2 commits December 8, 2025 17:08

.github: add L7 policy traffic disruption check to upgrade workflow

fa0dd37

This commit extends e2e upgrade workflow to add a step valdiating connection and L7 policy traffic disruption on cilium-agent restart. Signed-off-by: Deepesh Pathak <[email protected]>

fristonio force-pushed the pr/fristonio/ci/l7-traffic-disruption branch from 7388cb6 to fa0dd37 Compare December 9, 2025 01:09

nebril approved these changes Dec 9, 2025

View reviewed changes

smagnani96 approved these changes Dec 9, 2025

View reviewed changes

cilium-cli/connectivity/check/features.go Show resolved Hide resolved

squeed approved these changes Dec 10, 2025

View reviewed changes

squeed added this pull request to the merge queue Dec 10, 2025

Merged via the queue into main with commit db03f5d Dec 10, 2025
381 of 388 checks passed

squeed deleted the pr/fristonio/ci/l7-traffic-disruption branch December 10, 2025 15:55

odinuge mentioned this pull request Dec 11, 2025

Revert "policy: Replace versioned with part.Map" #43237

Merged

phuhung273 mentioned this pull request Dec 16, 2025

cilium-cli: convert net.IP to netip.Addr #42371

Merged

fristonio mentioned this pull request Dec 30, 2025

Add egress policy validation to L7 traffic disruption test #43523

Closed

joestringer mentioned this pull request Jan 14, 2026

CI: Conformance L7-only (ci-l7): connection disruption during agent restart #43770

Closed

cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026

cilium-release-bot bot added this to cilium v1.19.0 Feb 3, 2026

Conversation

fristonio commented Oct 13, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

fristonio commented Oct 13, 2025

Uh oh!

fristonio commented Oct 15, 2025

Uh oh!

fristonio commented Oct 15, 2025

Uh oh!

fristonio commented Oct 20, 2025

Uh oh!

fristonio commented Oct 21, 2025

Uh oh!

fristonio commented Oct 29, 2025

Uh oh!

fristonio commented Oct 29, 2025

Uh oh!

fristonio commented Oct 29, 2025

Uh oh!

Uh oh!

github-actions bot commented Nov 29, 2025

Uh oh!

fristonio commented Dec 8, 2025

Uh oh!

fristonio commented Dec 8, 2025

Uh oh!

fristonio commented Dec 9, 2025

Uh oh!

smagnani96 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

odinuge commented Dec 11, 2025

Uh oh!

fristonio commented Dec 11, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

fristonio commented Oct 13, 2025 •

edited

Loading