Jef Spaleta

Results 47 comments of Jef Spaleta

Okay, it's crazier.... still on 1.15.0-pre.3. If I delete the external workload, uninstall cilium from it and then reinstall it...it starts communicating via cilium_vxlan to the pre-existing deathstar pod...even though...

Putting aside the state updater issue and just focusing on the wireguard tunnel usage. In 1.15.0-pre.3 cilium-dbg bpf ipcache doesn't list encryptkey=255 for the external workload's identity associated with the...

I'm suspicious that the "skip update" logic in ipcache upsert is the villain here. ref: https://github.com/cilium/cilium/blob/be9ba166089f886961509da8052c843a1fe79692/pkg/ipcache/ipcache.go#L330 If I'm reading the logic right, any request to update the ipcache due to...

I would really love a debug log message for when the ipcache upsert skip update logic fires. Now that I've seen this logic, it could help me explain some other...

Just to add more detail: looking at the CiliumNode resource for the external workload, the spec.encryption.key field is set to 255 as expected... It really does seem like bpf ipcache...

More info... The CiliumEndPoint associated with the CiliumExternalWorkload is missing its encryption key information in its status.
```
$ kubectl get cep/msi -o json | jq .status.encryption
{}
```
Compare...

Okay my brain wouldn't let me sleep last night... the fact that the CiliumEndpoint status doesn't include the "key: 255" value is a smoking gun of sorts. The status is...

Okay, looking at the cilium api output now on the external workload
```
sudo curl --unix-socket /var/run/cilium/cilium.sock http://localhost/v1/ip | jq .
...
{
  "cidr": "192.168.1.28/32",
  "encryptKey": 255,
  "hostIP": "192.168.1.28",
  "identity":...
```

So it looks like the cluster agents are seeing the CiliumEndPoint associated with the CiliumExternalWorkload and choosing to map the IP address to that identity instead of the identity associated...

So it appears that right now there's no way to actually do a Cilium API lookup for the endpoint associated with the external workload. The CEP k8s resource exists... ```...