
fix: build cilium-envoy proxylib with go 1.25-fips for proxy v1.34 #58

Merged
ktsakalozos-canonical merged 1 commit into main from fix/proxy-v1.34-go-1.25-fips
Jun 23, 2026

@ktsakalozos-canonical

Contributor

Summary

  • Fixes the cilium-envoy proxylib build failure for the 1.17.9, 1.17.12, and 1.18.4 cilium rocks, which broke the post-merge Push Multiarch Images run for Add Cilium 1.19.4 rocks #57 and prevented the 1.19.4-ck0 manifest from publishing.
  • These three rocks pin cilium/proxy source-tag: v1.34, whose go.mod requires Go >= 1.25.0, but they install go/1.24-fips/stable to match the upstream Cilium builder.
  • FIPS Go pins GOTOOLCHAIN=local, so unlike the non-FIPS snap it will not auto-fetch a newer toolchain, producing:
    go: ../go.mod requires go >= 1.25.0 (running go 1.24.13; GOTOOLCHAIN=local)
    make: *** [Makefile:29: libcilium.so] Error 1
    'override-build' in part 'cilium-envoy' failed with code 2
    

Fix

  • Add snap refresh go --channel 1.25-fips/stable to the cilium-envoy part only, immediately before make -C proxylib all.
  • Each later go-using part already runs its own snap refresh go --channel 1.24-fips/stable, so the agent and all other components remain on Go 1.24-fips (matching the upstream builder). The change is self-contained to the envoy proxylib build.

Scope / intentionally untouched

  • 1.17.1 uses proxy v1.31 (go.mod ≤ 1.24) — unaffected.
  • The non-FIPS static variants use go/1.24/stable, which auto-downloads 1.25 — unaffected.
  • 1.19.4 already installs go/1.25-fips/stable globally — used as the reference for this fix.

Validation

  • Diff is exactly three identical hunks, all inside the cilium-envoy override-build.
  • Matches the existing per-part snap refresh go pattern already used throughout these files.

cilium/proxy v1.34's go.mod requires Go >= 1.25.0. These rocks install
go/1.24-fips/stable to match the upstream Cilium builder, but FIPS Go
pins GOTOOLCHAIN=local so it will not auto-fetch a newer toolchain the
way the non-FIPS snap does. The proxylib build (libcilium.so) therefore
fails with:

  go: ../go.mod requires go >= 1.25.0 (running go 1.24.13; GOTOOLCHAIN=local)

Refresh the global go snap to 1.25-fips for the cilium-envoy part only,
right before 'make -C proxylib all'. Each later go-using part already
re-refreshes to 1.24-fips itself, so the agent and other components are
unaffected. 1.17.1 (proxy v1.31) and the non-FIPS static variants build
fine and are intentionally left untouched.
ktsakalozos-canonical requested a review from a team as a code owner June 23, 2026 06:37
ktsakalozos-canonical merged commit 0ea6908 into main Jun 23, 2026
50 checks passed
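
A preflight check for the failure described in this PR, as an added example that is not part of the PR or the repository: it reads the `go` directive from a go.mod and reports whether a given toolchain version can build it under a given GOTOOLCHAIN mode. The function names, the sample go.mod and the post-fix version 1.25.0 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the PR: preflight for a Go build with a pinned toolchain.

# Print the version named by the `go` directive of the go.mod file in $1.
gomod_required() {
    awk '$1 == "go" && $2 ~ /^[0-9]+(\.[0-9]+)*$/ { print $2; exit }' "$1"
}

# version_ge A B: succeed when dotted version A >= B (missing fields count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_toolchain GOMOD RUNNING_VERSION [GOTOOLCHAIN]
# Returns 0 if the build can proceed, 1 if it cannot, 2 if no go directive is found.
check_toolchain() {
    required=$(gomod_required "$1")
    mode=${3:-auto}
    [ -n "$required" ] || { echo "unknown: no go directive in $1"; return 2; }
    if version_ge "$2" "$required"; then
        echo "ok: go $2 satisfies go >= $required"
        return 0
    fi
    case "$mode" in
        # Modes that let the go command switch to a newer toolchain.
        auto|path|*+auto|*+path)
            echo "ok: go $2 < $required, toolchain switching allowed (GOTOOLCHAIN=$mode)" ;;
        # local (the FIPS case in this PR) or a fixed name: no switch, the build stops.
        *)
            echo "fail: go.mod requires go >= $required (running go $2; GOTOOLCHAIN=$mode)"
            return 1 ;;
    esac
}

# Constructed sample go.mod (placeholder module path) reproducing the PR's two states.
demo=$(mktemp)
printf 'module example.test/proxy\n\ngo 1.25.0\n' > "$demo"
check_toolchain "$demo" 1.24.13 local || true   # before the fix
check_toolchain "$demo" 1.25.0 local            # after refreshing to 1.25-fips
rm -f "$demo"
```

In a part script the second and third arguments would come from `go env GOVERSION` (with the leading `go` stripped) and `go env GOTOOLCHAIN`.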