https://github.com/cilium/cilium

Revision Author Date Message Commit Date
fa8cbb0 WIP Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 December 2023, 15:36:07 UTC
1720e58 WIP Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 December 2023, 14:45:55 UTC
8456ba5 WIP: no egress Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 December 2023, 13:49:01 UTC
2a50826 WIP Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 December 2023, 13:26:36 UTC
dd5b2cc WIP Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 December 2023, 10:33:54 UTC
a4ccff9 WIP: v1.14 test-e2e-upgrade Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 December 2023, 10:32:09 UTC
46e3b70 chore(deps): update all lvh-images main Signed-off-by: renovate[bot] <bot@renovateapp.com> 12 December 2023, 09:35:10 UTC
85db28b Prepare for release v1.14.5 Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 11 December 2023, 14:09:20 UTC
06a9f14 bpf: Fix identity determination in bpf_overlay.c [ upstream commit 895630ba293dc0e40197bbc23ce188ba1557f27f ] When DSR with Geneve is enabled, Cilium identity is not determined by the client's IP address and requests from outside cluster are dropped even though they are permitted by CiliumNetworkPolicy using `fromCIDR`. This commit inputs identity that is from the client IP address. Fixes: #29153 Signed-off-by: Tomoki Sugiura <tomoki-sugiura@cybozu.co.jp> 11 December 2023, 09:57:44 UTC
4582a9d bpf: dsr: merge Ingress tail-calls into nodeport_lb*() [ upstream commit c00d31305c1911cf20e6c1a0e3db1b297c1d3dfe ] The DSR Ingress path was initially implemented through a tail-call for program size reasons. But with the recent improvements to the CT handling, we have sufficient program space to run the DSR ingress handling straight from nodeport_lb*(). This reduces duplicated code (eg. extracting the CT tuple and DSR info twice), avoids additional error handling, and simplifies the overall code flow. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 11 December 2023, 09:57:44 UTC
462a72b bpf: ct: remove unused ct_action parameter [ upstream commit 07c05fe5eaeb8146bae914ef07f4f583b598f145 ] __ct_lookup*() now selects this value internally, and the caller's parameter is ignored. Remove all the calling logic that determined the ct_action and plumbed it into the CT lookup. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 11 December 2023, 09:57:44 UTC
36e496f bpf: ct: simplify ct_action parameter for CT lookup [ upstream commit 5c39551e987513acc4d8cf747d2d96a4bcbd7942 ] For a CT lookup, the calling paths currently need to determine a `ct_action` parameter. This is typically ACTION_CREATE (for TCP/UDP/SCTP), or ACTION_UNSPEC for most types of ICMP traffic. But ever since fd5ea2a3d213 ("bpf: Don't reset TCP timer on final ACK"), __ct_lookup() will only apply ACTION_CREATE handling to TCP packets with the SYN flag set. Otherwise it has the same effect as ACTION_UNSPEC. Simplify the logic by ignoring the passed-in value, and manually selecting ACTION_CREATE for applicable traffic in the CT lookup helpers (same as we already do for ACTION_CLOSE). A subsequent patch will remove all the unused code that passed the ct_action around. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 11 December 2023, 09:57:44 UTC
2095837 bpf: ct: clean up tuple-swap helpers [ upstream commit d5ee4e70cfa5ea6941633d1cce545a541875b964 ] We're still using all variants of the tuple-swap helpers in some parts of the code base. But let's at least re-use the intermediate helpers to compose the bigger ones. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 11 December 2023, 09:57:44 UTC
82b95cb bpf: ct: build tuple in forward layout for SCOPE_FORWARD lookups [ upstream commit 24955870a68c0c37543a663d56330d7475167d38 ] Complete the refactor of the SCOPE_FORWARD path, by doing the needed addr/port swap in the callers. Suggested-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 11 December 2023, 09:57:44 UTC
85ec5fc bpf: ct: simplify tuple type selection for SCOPE_FORWARD lookup [ upstream commit 124d6f615ace39ce912d933b4bb7e554ed2570c8 ] CT lookups are typically done in reply direction first, and potentially in forward direction afterwards. tuple->flags is selected accordingly, and then swapped in between the two lookups. But with SCOPE_FORWARD we perform just one lookup in the forward direction. Currently the relevant code still expects a "reverse" tuple, and then swaps it into forward layout. Here we can clean things up a bit by having the caller build a "forward" tuple, and feeding that into the CT lookup code. Start by selecting the actual tuple type (TUPLE_F_*) from the start (and while at it also de-dup the existing code for this). We'll deal with swapping the addrs/ports in a subsequent patch. Suggested-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 11 December 2023, 09:57:44 UTC
2e1e812 chore(deps): update hubble cli to v0.12.3 Signed-off-by: renovate[bot] <bot@renovateapp.com> 08 December 2023, 22:39:48 UTC
5433caa gh: datapath-verifier: pick up configs for 6.1 kernel [ upstream commit d07f8a6b7c06b4a01ace0adc04c2f0a5a059f245 ] These are now different from the 5.10 configs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 08 December 2023, 19:58:25 UTC
50c0a73 bpf: complexity-tests: populate HAVE_XDP_{LOAD,STORE}_BYTES [ upstream commit 6155c7ca91ae2a520b9f331d9eff2b9aa91ed46f ] As the corresponding helpers were introduced in kernel 5.18, also add separate configs for the 6.1 kernel. For now these are just copies of the net-next configs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 08 December 2023, 19:58:25 UTC
8cabb4e bpf: add support for xdp_load_bytes() / xdp_store_bytes() helpers [ upstream commit 902e40816e4fb7fe52464b76d724000dcc5087e5 ] These helpers were introduced in kernel 5.18, with 3f364222d032 ("net: xdp: introduce bpf_xdp_pointer utility routine"). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 08 December 2023, 19:58:25 UTC
7f1db0e images: update cilium-{runtime,builder} Signed-off-by: André Martins <andre@cilium.io> 08 December 2023, 19:13:43 UTC
97233df images: bump cni plugins to v1.4.0 [ upstream commit 1248536a55b692ada3749da08e52afc91e10b2b2 ] The result of running ``` images/scripts/update-cni-version.sh 1.4.0 ``` Signed-off-by: Casey Callendrello <cdc@isovalent.com> 08 December 2023, 19:13:43 UTC
f1f67b1 chore(deps): update docker.io/library/alpine docker tag to v3.18.5 Signed-off-by: renovate[bot] <bot@renovateapp.com> 08 December 2023, 14:26:22 UTC
a43782c chore(deps): update dependency cilium/cilium-cli to v0.15.17 Signed-off-by: renovate[bot] <bot@renovateapp.com> 08 December 2023, 13:41:00 UTC
16b69a6 chore(deps): update actions/checkout action to v4 Signed-off-by: renovate[bot] <bot@renovateapp.com> 08 December 2023, 12:50:47 UTC
23cffe1 chore(deps): update all lvh-images main Signed-off-by: renovate[bot] <bot@renovateapp.com> 08 December 2023, 11:57:20 UTC
2bd8f8f images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 08 December 2023, 11:57:07 UTC
53e713a chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d Signed-off-by: renovate[bot] <bot@renovateapp.com> 08 December 2023, 11:57:07 UTC
a939753 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 08 December 2023, 08:09:07 UTC
ba9a360 chore(deps): update go to v1.20.12 Signed-off-by: renovate[bot] <bot@renovateapp.com> 08 December 2023, 08:09:07 UTC
b3cb479 chore(deps): update actions/setup-python action to v4.8.0 Signed-off-by: renovate[bot] <bot@renovateapp.com> 08 December 2023, 08:06:11 UTC
210248f helm: add resources via initResources for the agent init containers [ upstream commit de788fa9be616383c0146cd7282db032408f1b6b ] Signed-off-by: Andrii Iuspin <yuspin@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 December 2023, 21:46:28 UTC
119583c helm: Add extraVolumes and extraVolumeMounts to hubble-relay [ upstream commit 76126b7ef3024ae6589fe38ddd2c49df056ef8eb ] Signed-off-by: Andrii Iuspin <yuspin@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 December 2023, 21:46:28 UTC
9ddc9c9 helm: Add extraVolumeMounts to etcd-init and etcd [ upstream commit 22a4d1d6c1d173831bfadc946b5f3b063d4af648 ] Signed-off-by: Andrii Iuspin <yuspin@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 December 2023, 21:46:28 UTC
21275cf helm: Add automount related fields to preflight [ upstream commit 6f544480504b77afd8e5b852d64e25ac500b4f5e ] This commit is to add automountServiceAccountToken, extraVolumes and extraVolumeMounts field to preflight workload. Signed-off-by: Andrii Iuspin <yuspin@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 December 2023, 21:46:28 UTC
b086837 helm: Add extraVolumeMounts to cilium-monitor and clean-cilium-state [ upstream commit 4a5cbba14aa51e1c5ae83feb4d8771b20b1e5dd1 ] Signed-off-by: Andrii Iuspin <yuspin@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 December 2023, 21:46:28 UTC
12e60f8 gh: datapath-verifier: also run on 6.1 kernel [ upstream commit 5594aad51cdcfb2277cca35246ec465bf0e6a86a ] We don't depend on any 6.1-specific features, so it's fine to run the 5.10 complexity configs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 December 2023, 13:17:37 UTC
ad47e3a envoy: Bump cilium-envoy with golang 1.21.5 This is mainly for the recent golang version v1.21.5. Related build: https://github.com/cilium/proxy/actions/runs/7113088396/job/19364351580 Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 December 2023, 11:23:34 UTC
ea8192c endpoint: fix panic in RunMetadataResolver due to send on closed channel [ upstream commit 7abb00f4fcb82c062ddb20c7a7166d3230c704d7 ] This commit fixes a "send to closed channel" panic during execution of `Endpoint.RunMetadataResolver`. Whether the regenTriggeredCh channel has already been closed by a previous controller run can't be checked in the same select statement that writes to the same channel. The execution order of case statements within a select isn't guaranteed by the Go language spec. Therefore, this commit fixes the check by introducing a variable `callerBlocked`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 06 December 2023, 19:41:50 UTC
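The race the commit above describes is easy to reproduce in isolation. The following is an added example written for this page, not code from the Cilium repository: a one-shot "regeneration triggered" notification modelled on regenTriggeredCh, first signalled the buggy way (close-check and send in the same select) and then with a mutex-guarded callerBlocked flag as the commit's fix does. The type and function names are this example's own.

```go
package main

import (
	"fmt"
	"sync"
)

// regenTrigger mimics a one-shot "regeneration triggered" notification.
// The first controller run signals it and closes the channel; every later
// run must notice that and stay silent.
type regenTrigger struct {
	mu            sync.Mutex
	ch            chan struct{}
	done          chan struct{} // closed together with ch
	callerBlocked bool          // true while the caller still waits on ch
}

func newRegenTrigger() *regenTrigger {
	// Buffered so the first send completes without a reader in this demo.
	return &regenTrigger{ch: make(chan struct{}, 1), done: make(chan struct{}), callerBlocked: true}
}

// notifyUnsafe checks "already closed?" and "send" in one select. When both
// cases are ready (done closed and ch closed) the runtime picks one of them
// uniformly at random, so the send can land on the closed channel and panic.
func (t *regenTrigger) notifyUnsafe() (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	select {
	case <-t.done:
		// already signalled by an earlier run
	case t.ch <- struct{}{}:
		close(t.ch)
		close(t.done)
	}
	return false
}

// notifySafe keeps the "is the caller still waiting?" state in a plain
// variable under a mutex and only sends while it is true, so the check and
// the send can no longer be reordered against each other.
func (t *regenTrigger) notifySafe() (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	t.mu.Lock()
	defer t.mu.Unlock()
	if !t.callerBlocked {
		return false
	}
	t.ch <- struct{}{}
	close(t.ch)
	t.callerBlocked = false
	return false
}

// countPanics runs "signal, then signal again" n times (a second controller
// run after the first one already closed the channel) and counts how often
// the second signal panicked.
func countPanics(n int, safe bool) int {
	panics := 0
	for i := 0; i < n; i++ {
		t := newRegenTrigger()
		if safe {
			t.notifySafe()
			if t.notifySafe() {
				panics++
			}
		} else {
			t.notifyUnsafe()
			if t.notifyUnsafe() {
				panics++
			}
		}
	}
	return panics
}

func main() {
	fmt.Println("unsafe panics:", countPanics(200, false), "safe panics:", countPanics(200, true))
}
```

Run it a few times: the unsafe variant panics on roughly half of the repeated signals, the safe one never does. The point carries over to any "test then act" on a channel: a select cannot order its own cases, so closed-ness has to be tracked outside the channel.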
8504a3d pkg/endpoint: do not remove controller upon stopping [ upstream commit d618a7055832eaac24976dbe4d701996bb7a35cd ] If we execute the 'RunMetadataResolver' more than one time we could face the situation of deleting this new controller from an older run since they both shared the same name. Since controllers are never executed if their 'RunInterval' is set to 0, we don't need to remove them from the list of controllers. Signed-off-by: André Martins <andre@cilium.io> 06 December 2023, 19:41:50 UTC
cbd57ce pkg/endpoint: keep endpoint labels for their original sources [ upstream commit e43b759bab69c9f978fd893a75ae7c3f03d184b0 ] Fix two Cilium bugs related to label handling: 1. Addressed an issue during endpoint restoration where Cilium would incorrectly replace labels not sourced from Kubernetes. Previously, labels set on an endpoint outside of Kubernetes were wiped out upon restoration, as all labels were overwritten with those fetched from Kubernetes. 2. Resolved a bug that occurred when a user added or removed a label from a pod or namespace while the Cilium agent was inactive. Upon Cilium restart, the affected endpoint failed to reflect these changes, leading to synchronization issues in label management. Signed-off-by: André Martins <andre@cilium.io> 06 December 2023, 19:41:50 UTC
1d7e86e pkg/endpoint: do not run metadata resolver for eps without pods [ upstream commit 82e88496641346c31753b9c6cf04dd1db6b11223 ] If an endpoint does not contain a pod nor a namespace then don't resolve its metadata. Signed-off-by: André Martins <andre@cilium.io> 06 December 2023, 19:41:50 UTC
f7d5b28 pkg/labels: do not replace labels that come from a different source [ upstream commit 99609bf261ce58dca9fc4d7e08e93e8f09b5c614 ] Cilium shouldn't replace labels that come from a different source even if they have the same key. In order for a label to be replaced, the new label should have the same source as the old label. Signed-off-by: André Martins <andre@cilium.io> 06 December 2023, 19:41:50 UTC
266a0be pkg/endpoint: specify 'sourceFilter' when replacing endpoint labels [ upstream commit 9551482cbb08a638e3d3f48b5597e20dcf04605e ] When replacing the endpoint labels we want to keep all labels that are part of the source for which we are replacing the labels. For example, labels added through the API should not be replaced when a K8s label update is received. Signed-off-by: André Martins <andre@cilium.io> 06 December 2023, 19:41:50 UTC
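The two label commits above (f7d5b28 and 266a0be) describe one rule: an update from a source only replaces labels owned by that source. The example below is added for this page and is not Cilium's pkg/labels code; it uses its own minimal Label type and the assumed source names "k8s" and "api" to show a Kubernetes label update arriving on an endpoint that also carries an API-sourced label with a colliding key.

```go
package main

import (
	"fmt"
	"sort"
)

// Label carries the source it came from so that an update from one source
// cannot clobber labels owned by another. The source names "k8s" (pod and
// namespace labels) and "api" (labels set through the agent API) are
// assumed for this example.
type Label struct {
	Key, Value, Source string
}

// Labels holds at most one label per key.
type Labels map[string]Label

// replaceLabelsWithSource replaces the labels owned by sourceFilter with
// incoming: every existing label from that source is dropped, the incoming
// ones are installed, and labels from any other source are kept as they
// are, even when an incoming label has the same key.
func replaceLabelsWithSource(existing Labels, incoming []Label, sourceFilter string) Labels {
	out := make(Labels, len(existing))
	for key, l := range existing {
		if l.Source != sourceFilter {
			out[key] = l // owned by another source: untouched
		}
	}
	for _, l := range incoming {
		if l.Source != sourceFilter {
			continue // an update may only carry labels of the source it replaces
		}
		if cur, ok := out[l.Key]; ok && cur.Source != sourceFilter {
			continue // same key, different owner: do not replace
		}
		out[l.Key] = l
	}
	return out
}

// restoreThenUpdate models the scenario from the commits: an endpoint with a
// label added via the API, then a Kubernetes label update arrives.
func restoreThenUpdate() Labels {
	ep := Labels{
		"app":  {Key: "app", Value: "web", Source: "k8s"},
		"tier": {Key: "tier", Value: "frontend", Source: "k8s"},
		"team": {Key: "team", Value: "sec", Source: "api"},
	}
	k8sUpdate := []Label{
		{Key: "app", Value: "web-v2", Source: "k8s"},    // changed in k8s
		{Key: "team", Value: "from-k8s", Source: "k8s"}, // collides with the api label
		// "tier" is no longer on the pod: it must be removed
	}
	return replaceLabelsWithSource(ep, k8sUpdate, "k8s")
}

func main() {
	got := restoreThenUpdate()
	keys := make([]string, 0, len(got))
	for k := range got {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s=%s (source=%s)\n", k, got[k].Value, got[k].Source)
	}
}
```

After the update the endpoint has app=web-v2 from k8s, still has team=sec from the API (the colliding k8s value is ignored), and has lost tier, which the k8s source no longer asserts. Because labels feed identity and therefore policy, the ownership check matters: without it a pod label change could silently strip or overwrite labels an operator set deliberately through the API.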
bce145c examples: update guestbook example with new image registry [ upstream commit c01a86062c012aac01ddc8a1e051886fad371173 ] The GCP Kubernetes Engine Samples migrated their image registry from Google Container Registry to Google Artifact Registry. Hence, the image gb-frontend from the guestbook example is no longer available. Therefore, this commit changes the example to use the new registry. Issue: https://github.com/GoogleCloudPlatform/kubernetes-engine-samples/issues/209 Guestbook PR: https://github.com/GoogleCloudPlatform/kubernetes-engine-samples/pull/194 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
8199610 clustermesh: add nodes to wait for ipcache synchronization [ upstream commit 24257ffddd72b8fbe9f838dd6863b617b12606c0 ] 8de7707a706c ("endpoint: wait for clustermesh IPs/identities sync before regeneration") modified the endpoint regeneration logic to explicitly wait for ipcache and identities synchronization from all remote clusters (in addition to the local one) before starting the regeneration process, to avoid disrupting long running connections. Yet, that fix is not enough in case of pod-to-node connectivity, because the ipcache entries corresponding to the addresses of remote nodes (as well as the health and ingress IPs) are configured upon reception of the relevant node entry. Hence, let's extend the wait function to also wait for nodes synchronization in addition to IPs and identities, in order to ensure that the ipcache is fully synchronized before triggering the endpoint regeneration process. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
c7b2538 health/server: Fix stale references to old nodes during health probe [ upstream commit 7c7b72393c8afd7595f976db2ba64ef9227c0c1b ] Given the order of operations in prober.OnIdle, it is possible for the health probe to have stale references to deleted nodes. When that occurs, node connectivity metrics which were previously deleted [1] would be brought back, causing confusion. If users defined alerts for node connectivity health checks metrics (see example below), then this would erroneously trigger because the old nodes would appear in the metric labels as a failing health check. Example given deletion of "kind-worker2" node: ``` cilium_node_connectivity_status source_cluster="kind-kind" source_node_name="kind-worker" target_cluster="kind-kind" target_node_name="kind-control-plane" target_node_type="remote_intra_cluster" type="endpoint" 1.000000 cilium_node_connectivity_status source_cluster="kind-kind" source_node_name="kind-worker" target_cluster="kind-kind" target_node_name="kind-control-plane" target_node_type="remote_intra_cluster" type="node" 1.000000 cilium_node_connectivity_status source_cluster="kind-kind" source_node_name="kind-worker" target_cluster="kind-kind" target_node_name="kind-worker" target_node_type="local_node" type="endpoint" 1.000000 cilium_node_connectivity_status source_cluster="kind-kind" source_node_name="kind-worker" target_cluster="kind-kind" target_node_name="kind-worker" target_node_type="local_node" type="node" 1.000000 cilium_node_connectivity_status source_cluster="kind-kind" source_node_name="kind-worker" target_cluster="kind-kind" target_node_name="kind-worker2" target_node_type="remote_intra_cluster" type="endpoint" 0.000000 ``` Fixes: d9e1ff897d ("cilium-health: Remove unnecessary goroutine") [1]: e9f97cd0e3 ("Ensures prometheus metrics associated with a deleted node are no longer reported.") Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
a991029 node/manager: Add info logs for added and deleted nodes [ upstream commit 4787f8ee43249085a02592ed82d3396eaf09eebb ] Similar to how useful log msgs are when endpoints are created and deleted, this log is useful for understanding when nodes are added and deleted in production clusters. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
734ecbf Docs: Adds Webhook Limitation to EKS Install Doc [ upstream commit 40088a2506047b46ac9de350697f1d31d2773cb8 ] For EKS installs that use overlay mode, webhook servers must be exposed outside the cluster so they are reachable from the managed control plane. Fixes #29454 Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
d2e6322 endpointmanager: unmap ip for lookup [ upstream commit 777252363b252439710e8e37345c1aa4d62bb89a ] In case of an IPv4-mapped IPv6 address we'd lookup the address as an IPv4 address with a ::ffff: prefix, leading to endpoint lookup errors such as cannot find endpoint with IP ::ffff:10.0.1.19 Fix this by explicitly unmapping the address before lookup which leads to 10.0.1.19 to be looked up (and found) in the above case. Fixes: 54a896c5ab9a ("endpointmanager: Use netip.Addr instead of net.IP in LookupIP") Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
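The lookup miss described in the commit above comes from netip.Addr treating 10.0.1.19 and its IPv4-mapped form ::ffff:10.0.1.19 as different map keys. The following is an added example, not Cilium's endpointmanager code: a small map keyed by netip.Addr with a raw lookup that misses on the mapped form and a lookup that calls Unmap() first, which is the fix the commit applies. The endpoint type and IDs are made up for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// endpoint is a minimal stand-in for the agent's endpoint record.
type endpoint struct {
	ID   uint16
	Addr netip.Addr
}

// endpointsByIP indexes endpoints by canonical address: IPv4 endpoints are
// stored as 4-byte netip.Addr values, never in the ::ffff: form.
type endpointsByIP map[netip.Addr]*endpoint

func (m endpointsByIP) insert(ep *endpoint) {
	m[ep.Addr.Unmap()] = ep
}

// lookupRaw uses the address exactly as given. netip.Addr compares the
// 4-byte form 10.0.1.19 and the IPv4-mapped form ::ffff:10.0.1.19 as
// different values, so a mapped address misses even though the endpoint
// exists. This is the pre-fix behaviour.
func (m endpointsByIP) lookupRaw(a netip.Addr) (*endpoint, bool) {
	ep, ok := m[a]
	return ep, ok
}

// lookup canonicalises first: Unmap turns ::ffff:a.b.c.d into a.b.c.d and
// returns any other address unchanged, so native IPv6 keys are unaffected.
func (m endpointsByIP) lookup(a netip.Addr) (*endpoint, bool) {
	ep, ok := m[a.Unmap()]
	return ep, ok
}

// demo reproduces the miss and the fix for a mapped address, and checks that
// a native IPv6 endpoint is still found through the unmapping lookup.
func demo() (rawHit, unmappedHit, v6Hit bool, id uint16) {
	m := endpointsByIP{}
	m.insert(&endpoint{ID: 1234, Addr: netip.MustParseAddr("10.0.1.19")})
	m.insert(&endpoint{ID: 5678, Addr: netip.MustParseAddr("fd00::1")})

	mapped := netip.MustParseAddr("::ffff:10.0.1.19") // as seen from a dual-stack socket
	_, rawHit = m.lookupRaw(mapped)
	ep, ok := m.lookup(mapped)
	unmappedHit = ok
	if ok {
		id = ep.ID
	}
	_, v6Hit = m.lookup(netip.MustParseAddr("fd00::1"))
	return rawHit, unmappedHit, v6Hit, id
}

func main() {
	rawHit, unmappedHit, v6Hit, id := demo()
	fmt.Printf("raw lookup hit=%v, unmapped lookup hit=%v (endpoint %d), ipv6 hit=%v\n",
		rawHit, unmappedHit, id, v6Hit)
}
```

Whenever an address can arrive from a dual-stack listener or from net.IP conversion, canonicalise with Unmap() both when inserting and when looking up; an identity or policy lookup that misses on a mapped address fails closed at best and misattributes traffic at worst.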
21c7c1b gateway: Ignore loadbalancer class for Gateway service [ upstream commit 4f515fa9787c9d651a3473b8c580139979f43d99 ] This is to align with Ingress implementation Relates: #29327 Fixes: #28949 Co-authored-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
62bcaf7 gateway: Simplify ensure resources with controllerutil [ upstream commit 2f6994f928f78c13a4757f3937d2511b01b1414f ] This is to leverage the existing controllerutil package to ensure the resources. Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
e545622 CountUniqueIPsecKeys function returns error to allow consumers to implement error handling. [ upstream commit 6f227fbd59450d9aefa3fd1f95c6f76640dc1245 ] [ backporter's notes: conflicts due to `cilium/cmd` having been renamed to `cilium-dbg/cmd`. ] Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
21a5c99 cmd: Handle non-AEAD IPsec keys in encrypt status [ upstream commit da354d96b40e1030f1f62ca69587a8f12c34917f ] CountUniqueIPsecKeys function fixed to count non-AEAD keys and catch unsupported XfrmStateAlgo combinations. Fixes cilium#29181. Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
8232337 plugins/cilium-cni: Install loopback atomically [ upstream commit 7398ea32db038d375381aa57ac657c98cbc6dd6f ] If copying of the loopback binary is interrupted, then a truncated version will exist on the node. The node can't recover from this state even if the pod is restarted because install-plugin.sh won't overwrite the existing loopback file. To fix, install loopback atomically using a cp + mv. This change also removes the unnecessary deletion of "${BIN_NAME}.new". This is a no-op because the temporary copy destination is prefixed with a dot: ".${BIN_NAME}.new". Signed-off-by: Akhil Velagapudi <4@4khil.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
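The commit above replaces a plain copy with cp + mv so that a crash mid-copy can never leave a truncated loopback binary at the final path. The example below is added for this page and is not the project's install-plugin.sh; it shows the same write-to-temp, fsync, rename pattern in Go, reproduces the truncation an interrupted plain copy leaves behind, and then repairs it with the atomic install. The file names and the payload are constructed for the demo.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
)

// installAtomically installs src as dstDir/name so that the target path only
// ever holds either the previous file or the complete new one: the data is
// written to a hidden ".name.new" file in the same directory, fsync'ed, and
// then renamed over the target. rename(2) within one filesystem is atomic,
// and the temp file lives next to the target so the rename never crosses
// filesystems.
func installAtomically(src, dstDir, name string) error {
	data, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	tmp := filepath.Join(dstDir, "."+name+".new")
	f, err := os.OpenFile(tmp, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o755)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		os.Remove(tmp)
		return err
	}
	if err := f.Sync(); err != nil {
		f.Close()
		os.Remove(tmp)
		return err
	}
	if err := f.Close(); err != nil {
		os.Remove(tmp)
		return err
	}
	return os.Rename(tmp, filepath.Join(dstDir, name))
}

// interruptedPlainCopy reproduces the failure mode of a non-atomic copy that
// dies halfway: a truncated file is left at the final path.
func interruptedPlainCopy(src, dstDir, name string) error {
	data, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dstDir, name), data[:len(data)/2], 0o755)
}

// demo runs the broken copy and then the atomic install into a temp dir and
// returns the size left behind by each, plus the expected size.
func demo() (truncated, atomic, want int64, err error) {
	dir, err := os.MkdirTemp("", "cni-install-demo")
	if err != nil {
		return 0, 0, 0, err
	}
	defer os.RemoveAll(dir)

	// Constructed stand-in for the loopback binary.
	payload := bytes.Repeat([]byte("LOOPBACK"), 512)
	src := filepath.Join(dir, "loopback.src")
	if err := os.WriteFile(src, payload, 0o755); err != nil {
		return 0, 0, 0, err
	}
	dst := filepath.Join(dir, "loopback")

	if err := interruptedPlainCopy(src, dir, "loopback"); err != nil {
		return 0, 0, 0, err
	}
	st, err := os.Stat(dst)
	if err != nil {
		return 0, 0, 0, err
	}
	truncated = st.Size()

	// Re-running the atomic install repairs the truncated file in place,
	// because the rename replaces whatever is at the target path.
	if err := installAtomically(src, dir, "loopback"); err != nil {
		return 0, 0, 0, err
	}
	st, err = os.Stat(dst)
	if err != nil {
		return 0, 0, 0, err
	}
	atomic = st.Size()
	return truncated, atomic, int64(len(payload)), nil
}

func main() {
	truncated, atomic, want, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("interrupted copy left %d bytes, atomic install left %d bytes, want %d\n",
		truncated, atomic, want)
}
```

The same pattern applies to any file that another process executes or loads (CNI plugins, BPF objects, config): a reader either sees the old complete file or the new complete file, and a retry always converges on the correct one.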
04413f2 ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() [ upstream commit dfbae95eb544fc218a9cb251edd281afac6a96c2 ] The BPF datapath potentially re-creates a CT entry, in particular when a DSR connection gets re-opened as local connection. Such a re-purposed CT entry then leaves a DSR NAT entry behind. Currently we wouldn't clean up such NAT entries (as the matching CT entry still exists). But once we look at the CT entry's .dsr flag, we understand that the CT entry is actually no longer a match for the NAT entry. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
df0dc9f datapath: Avoid Upserting AWS SG vlans [ upstream commit 95a7d1288d5a13a5a216dcdb09383f1f483e5ac1 ] When cilium is not in charge of routing traffic, there is no ability to avoid creating the route (`InstallEndpointRoute`) while still configuring the BPF programs (`RequireEgressProg`). This PR implements a config option to do just that, meaning we allow the host CNI to configure routing but still enable network policy for those endpoints. This is defaulted to enabled for aws-cni chaining. Fixes: #27152 Signed-off-by: Alex Waring <ajmwaring@gmail.com> Co-authored-by: Joe Stringer <joe@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 14:39:53 UTC
5b5e032 chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 06 December 2023, 13:59:56 UTC
d20432b chore(deps): update google-github-actions/auth action to v2 Signed-off-by: renovate[bot] <bot@renovateapp.com> 06 December 2023, 13:59:45 UTC
16ee6d9 ipam: Fix bug where IP lease did not expire [ upstream commit cf76f8995b56f52215dbbf3cde8dcdf90138a05e ] The `AllocateNextWithExpiration`[1] function is used to allocate an IP via API from the CNI plugin. Such IPs are always allocated with an expiration timer, which means that if the CNI ADD fails later on and is never retried, the IP is automatically released. Only once an endpoint is created, we then stop the expiration timer during the endpoint creation request [2], making the allocation of the IP permanent until it is explicitly freed. The current expiration implementation however has a bug: Instead of releasing the IP back into the IPAM pool from where the IP was actually allocated from, we forwarded the desired pool, which can be empty and is later overwritten with the actual pool. Because we passed in an empty pool into `StartExpirationTimer`, this led to IP expiration being broken in almost all cases: ``` 2023-11-24T06:24:37.089657953Z level=warning msg="Unable to release IP after expiration" error="no IPAM pool provided for IP release of 10.0.1.41" ip=10.0.1.41 subsys=ipam uuid=2320c5c1-b4c0-4a2e-8f3d-2b906330ab55 ``` This commit fixes that by using the realized pool (from the result) instead of the desired pool from the request. In addition, the unit tests are also adapted to cover this case to ensure we don't regress. [1] https://github.com/cilium/cilium/blob/0fcd1c86e347b2701880c9034e7ea3a74cd6b13e/daemon/cmd/ipam.go#L46 [2] https://github.com/cilium/cilium/blob/95a7d1288d5a13a5a216dcdb09383f1f483e5ac1/daemon/cmd/endpoint.go#L536 Reported-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 06 December 2023, 13:52:43 UTC
70a3d39 ipam: Improve expiration timer memory footprint [ upstream commit be9e85395c0ffca6b569dc09ac86477a7f089aaf ] This commit addresses two problems with the IPAM expiration timer: 1. Before this commit, each timer consisted of a Go routine calling `time.Sleep` to wait for expiration to occur. The default expiration timeout is 10 minutes. This meant that for every IP allocated via CNI ADD, we had a Go routine unconditionally sleeping for 10 minutes, only to (in most cases) wake up and learn that the expiration timer was stopped. This commit improves that situation by having the expiration Go routine wake up and exit early if it was stopped (either via IP Release or `StopExpirationTimer`). 2. In CI, we set the hidden `max-internal-timer-delay` option to 5 seconds (see cilium/cilium#27253). This meant that the `time.Sleep` expiration timer would effectively be 5 seconds instead of 10 minutes. 5 seconds however is not enough for an endpoint to be created via CNI ADD and complete its first endpoint regeneration. This therefore led to endpoint IPs being released while the endpoint was still being created. Due to another bug (fixed in the next commit) the expiration timer failed to actually release the IP, which is why this bug was not discovered earlier when we introduced the 5 second limit. This commit addresses this issue by adding an escape hatch to `pkg/time`, allowing the creation of a timer which is not subject to the `max-internal-timer-delay`. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 06 December 2023, 13:52:43 UTC
d59aadc envoy: Set enforce_policy_on_l7lb on l7 LB listener filters [ upstream commit 7646b69abf092991a1c3e0953e59725418b167ca ] Turn on ingress policy enforcement on L7 LB. With this cilium-envoy starts dropping Ingress traffic unless Cilium Agent configures it with a passing policy via the Ingress endpoint (with the reserved:ingress identity). Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 06 December 2023, 11:55:45 UTC
34ca62a k8s: Use reserved:ingress identity also for Gateway API [ upstream commit b035460f59ab5063488276453c494d700b87421f ] Tell envoy package to use the IPs allocated for reserved:ingress identity also when a CEC/CCEC is owned by Gateway API in addition to Cilium Ingress. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 06 December 2023, 11:55:45 UTC
aa6770c daemon: Add ingress endpoint [ upstream commit 04f19e98705ce54d6b6bb0c33a7d0af826c9900e ] Add Cilium Endpoint representing Ingress. It is defined without a veth interface and no bpf programs or maps are created for it. Ingress endpoint is needed so that the network policy is computed and configured to Envoy, so that ingress/egress network policy defined for Ingress can be enforced. Cilium Ingress is implemented as L7 LB, which is an Envoy redirect on the egress packet path. Egress CNP policies are already enforced when defined. Prior to this commit CNPs defined for reserved:ingress identity were not computed, however, and all traffic passed through by Cilium Ingress was allowed to egress towards the backends. When the backends receive such packets, they are identified as coming from Cilium Ingress, so any ingress policies at the backends can not discern the original source of the traffic. This commit adds a Cilium endpoint for the reserved:ingress identity, which makes the Cilium node compute and pass policies whose endpoint selector selects this identity (e.g., by selecting all entities) to Envoy, so that they can be enforced. Envoy listener will then enforce not just the egress policy but also the ingress policy for the original incoming source security identity. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 06 December 2023, 11:55:45 UTC
7bb2a3a envoy: Fix comments with references to deprecated uint64 policy ids [ upstream commit de085db6c50b613e37ed014328fcfae1003af244 ] Fix comments that still had references to the now-deprecated uint64 policy IDs. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 06 December 2023, 11:55:45 UTC
0d684e1 envoy: Bump envoy image to the latest v1.26.x [ upstream commit 34415bd203fb5cfe32fe829f04cd691ff6d35712 ] This commit is to perform the below: - Update envoy image to latest build from v1.26 branch - Include new resources into pkg/envoy/resource for serialization - grpc related resources are for upcoming support with GRPCRoute - Change policy id to uint32, related to https://github.com/cilium/proxy/commit/f37daf70991e4d58fc610244fb559cf48ea475e2 Related build: https://github.com/cilium/proxy/actions/runs/7070197416/job/19246669763 Signed-off-by: Tam Mach <tam.mach@cilium.io> 06 December 2023, 11:55:45 UTC
6cbbaa8 envoy: Fix support for allow-all network policies [ upstream commit 995915343ff4fc3a2589dbe24fe992f26d88f722 ] Generate the ingress/egress network policy also when l4 filter is nil. This enables creating allow-all rules when policy is not enforced. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 06 December 2023, 11:55:45 UTC
0792b88 test/verifier: improve log output [ upstream commit 1e71a19a5db1f411b4e804d3f798e7b454168e13 ] Include the command invoked to compile the BPF and the output of the command in the test output by default. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 05 December 2023, 12:24:00 UTC
aed2f0a test/verifier: fix complexity tests not being recompiled [ upstream commit 735807fb16806abf13c71c936efbf887b8ee00a5 ] TestVerifier is accidentally reusing the result of previous subtest compilations. This means that only the first set of configurations was tested. Invoke clean for every new compilation. The generated object files are moved to the test directory to make them accessible as artifacts from CI. Fixes: d3ef5b2ac8 ("test/verifier: Avoid pruning object files before testing the next file") Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 05 December 2023, 12:24:00 UTC
48fe429 node: skip ClusterID validation for external workloads [ upstream commit 56676d2a22a6573309d0e8525a5efad14ab0dd26 ] 23e762cffd90 ("node: add extra validation") introduced extra validation logic executed when unmarshalling node objects retrieved from the kvstore, ensuring in particular that the ClusterID is in the expected range and non-zero (unless the local ClusterID is zero). Yet, this validation broke the external workloads support, if the ClusterID is set to a non-zero value. Indeed, the RegisterNode type used in this case is just a wrapper for the Node one, and reuses the same unmarshalling logic. Given that the RegisterNode object is initially created configuring the name only, it causes an unmarshalling failure when processed by the clustermesh-apiserver, due to the ClusterID being zero (only if that of the cluster is different from zero). To fix this issue, let's override the Unmarshal function to skip the validation logic for the external workloads type, as it is used differently. Another possibility could be to explicitly configure the ClusterID; yet this would be trickier to backport to v1.14, as historically the ClusterID was not configured for external workloads agents, and inferred at runtime from that of the cluster it connected to. Fixes: 23e762cffd90 ("node: add extra validation") Fixes: #29355 Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
461ef36 iptables: remove logic to control non-existent net.ipv6.ip_early_demux [ upstream commit 0cdfe30ce656ad06bebe19b2ab50890f127f7844 ] Early demux for both IP protocols is controlled by the IPv4 sysctl. Trying to control net.ipv6.ip_early_demux would just result in awkward error scenarios. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
15a6aab workflows: Add debug info to IPsec key rotation test [ upstream commit a6e22ba7c4e8e25a50f36b35361b49f38c27776f ] To detect that the key rotation began or that it successfully ended, we rely on the number of keys in use reported by `cilium-dbg encrypt status`. When either of those steps times out, it would be good to have information on what the number of keys was. This commit adds that debug information to the test. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
ebf6650 gha: wait for downgrade images to be ready in clustermesh upgrade test [ upstream commit a587b8837be1b6d67021593cb13fa6bdd783ec0a ] Currently, we only wait for the images from the current PR/main to be available in the clustermesh upgrade tests. Yet, it can happen that the ones from the stable branch are not available (either because they are being built, or something went wrong), leading to confusing failures (as the installation eventually fails due to ImagePullBackOff errors). To prevent this, let's add an explicit step to additionally wait for downgrade images to be available before proceeding with the installation step, so that also the error message is clear. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
9a9b11c ipsec: Merge functions ipSecJoinState and ipSecNewState [ upstream commit ba3fa898ee40ab5a581a27c5f2c0dad2f1876286 ] ipSecJoinState is never called without ipSecNewState and vice versa. So let's just merge both to have all XFRM state initialization in the same place. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
cc97435 ipsec: Move SPI parsing to own function and test it [ upstream commit f7a58affe5597bd6299a92aa48e9f4a86aa87cf7 ] The SPI parsing logic is fairly complex so let's move it to its own function and write a unit test for that. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
745cf1a ingress: move misleading log message about CEC deletion into condition [ upstream commit 4f34e2c8e2b6eb741a2350ca165fe504ecac8aa5 ] This commit moves the write of the log message about the deletion of a shared CiliumEnvoyConfig into the condition that checks whether it's a dedicated Ingress. This way, when deleting a shared Ingress, the irritating log message isn't displayed. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
8366c8b ingress: fix foreground deletion of Ingress [ upstream commit 804d15e519e01c41c67bcb5c3268daa1f5b894ef ] Currently, when a shared Ingress resource (managed by Cilium) gets deleted via k8s foreground deletion (e.g. `kubectl delete ingress ... --cascade=foreground`) the corresponding shared CiliumEnvoyConfig in Cilium's namespace gets rewritten empty. This breaks all other shared Ingresses from working. The reason is an error in the condition that checks which Ingresses should be taken into account when building the model for the shared CiliumEnvoyConfig. The condition checks the `DeletionTimeStamp` (set via foreground deletion) from the modified Ingress instead of the one within the loop. In case of the foreground deletion this always evaluates to `true` - hence no entries in the CEC. This commit fixes the condition to check for any ongoing deletion on the Ingress that gets checked within the loop. Fixes: #21386 Fixes: #29306 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
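The bug described in this commit message, reduced to a runnable Go example (added here; this is not Cilium's ingress controller code, and the `Ingress` type, the `Shared` field and the two function names are hypothetical stand-ins for the real Kubernetes object and the real model-building loop). The buggy variant consults the deletion state of the Ingress that triggered the reconcile rather than of the Ingress examined in the loop, so a foreground deletion of one shared Ingress empties the whole shared model; the fixed variant checks the loop variable.

```go
package main

import (
	"fmt"
	"time"
)

// Ingress is a hypothetical stand-in for the Kubernetes Ingress object, reduced to
// the fields the condition needs. DeletionTimestamp is what the API server sets
// while a foreground deletion (kubectl delete --cascade=foreground) is in progress.
type Ingress struct {
	Name              string
	Shared            bool // served by the shared CiliumEnvoyConfig, not a dedicated one
	DeletionTimestamp *time.Time
}

// sharedIngressesBuggy reproduces the mistake: the deletion state of the Ingress that
// triggered the reconcile (modified) is consulted instead of that of the Ingress
// examined in the loop. While modified is being foreground-deleted, every Ingress is
// skipped and the shared CEC would be rewritten with no routes at all.
func sharedIngressesBuggy(modified *Ingress, all []*Ingress) []string {
	var names []string
	for _, ing := range all {
		if !ing.Shared || modified.DeletionTimestamp != nil {
			continue
		}
		names = append(names, ing.Name)
	}
	return names
}

// sharedIngressesFixed checks the loop variable, so only the Ingress actually being
// deleted drops out of the shared model and the others keep working.
func sharedIngressesFixed(all []*Ingress) []string {
	var names []string
	for _, ing := range all {
		if !ing.Shared || ing.DeletionTimestamp != nil {
			continue
		}
		names = append(names, ing.Name)
	}
	return names
}

func main() {
	// Constructed sample input: one shared Ingress mid-deletion, one healthy shared
	// Ingress, and one dedicated Ingress that never belongs to the shared CEC.
	now := time.Now()
	deleting := &Ingress{Name: "shop", Shared: true, DeletionTimestamp: &now}
	all := []*Ingress{
		deleting,
		{Name: "blog", Shared: true},
		{Name: "admin", Shared: false},
	}
	fmt.Println("buggy:", sharedIngressesBuggy(deleting, all)) // buggy: []
	fmt.Println("fixed:", sharedIngressesFixed(all))           // fixed: [blog]
}
```

The buggy variant is wrong in both directions: when the reconcile is triggered by an Ingress that is not being deleted, it also keeps Ingresses that are mid-deletion in the model.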
59684fc bpf: fix missing ipv6 ct entry for snated traffic [ upstream commit 9c1031e31719214c2d19c0fa0c33d91a3304df3b ] When combining HostFW with kube-proxy based masquerading, host traffic will have HOST_ID for both the packet mark based src_id and the ipcache based src_id, while SNATed pod traffic will only have HOST_ID from the ipcache (as it doesn't pass through the iptables rules that set the mark). Therefore, when for SNATed traffic we get HOST_ID only from the ipcache and not from the packet mark, it means we are handling SNATed traffic from a pod, which needs to have a conntrack entry so that return traffic doesn't go through the host firewall and is skipped. This commit fixes the issue and adds the missing ct entry for SNATed traffic; it also unifies the code between the ipv4 and ipv6 versions. Signed-off-by: Ondrej Blazek <ondrej.blazek@firma.seznam.cz> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
5e119cb bpf: remove HAVE_FIB_LOOKUP leftovers from compile tests [ upstream commit abe1b38c91d2a79ce980308f600a3e9a6650898f ] This feature is available on all supported kernels, and there is no datapath code that checks for HAVE_FIB_LOOKUP. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
61f0276 bpf: complexity-tests: add HAVE_FIB_NEIGH to relevant configs [ upstream commit 357cd6fd1172d8bdf97550219bd764cfdbd18971 ] This helper is available on kernel 5.10 and newer. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
c7f888d bpf: complexity-tests: add one missing HAVE_FIB_INDEX [ upstream commit dfb0fb38faa7798b6b8dcb62dfbfad4c74a8cb3f ] Looks like this was missed when initially populating the test configs. Fixes: 323b4cb7aef3 ("bpf, complexity-tests: Add HAVE_FIB_IFINDEX coverage") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
3432904 ci-ipsec-upgrade: Drop no-missed-tail-calls exclusion [ upstream commit 9ecca98a25b7c808c4433d935123cca408ff9d26 ] The issue got fixed by https://github.com/cilium/cilium/pull/29309. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
a246a15 bpf: nat: only set SNAT_DONE when packet was actually SNATed [ upstream commit 2393707606c409351118fda59207de3131375730 ] With eff26cf680e5 ("datapath: Fix double SNAT") the outbound SNAT path now sets ctx_snat_done_set() after checking whether a packet requires SNAT. This was meant to avoid double-NATing when a packet passes through multiple network interfaces with a to-netdev program. But looking at the SNAT code in detail, some of its conditions only apply on specific interfaces (see nodeport_has_nat_conflict_ipv4(), which checks for `NATIVE_DEV_IFINDEX == DIRECT_ROUTING_DEV_IFINDEX`). So if a packet passes through multiple interfaces which all have `to-netdev` attached, the first `to-netdev` program might set SNAT_DONE even when some subsequent program (attached to DIRECT_ROUTING_DEV_IFINDEX) would still want to apply SNAT to the packet. Therefore we should apply the SNAT checks on *each* interface, until we have actually SNATed the packet. Only then set the SNAT_DONE marker. Note that this also fixes an EgressGW bug in nodeport_snat_fwd_ipv4(), where we would redirect the packet even if snat_v4_nat() reported an error. Fixes: eff26cf680e5 ("datapath: Fix double SNAT") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
7775310 docs: bump required Helm version [ upstream commit 0ac34f084f726e638e75a9a639c5fd1acc6f9897 ] We are hitting nil check bug in helm < 3.9, let's bump required Helm version in the docs. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
47634b7 envoy: Better track updates when qualifying Envoy resource names [ upstream commit 2e0019453c22b7267c32ccbed262ba5607c01335 ] Pass a boolean "updated" pointer to api.ResourceQualifiedName() in order to better track if updates were done or not. In the case of Http Connection Manager RouteConfig the need for the update was ignored, so this is a bug fix for that. This omission hid a bug where HCM RouteConfigs in our examples (and tests) refer to "envoy-admin" cluster while unqualified cluster names should no longer be accessible to CEC/CCEC. Fix this by renaming "envoy-admin" as "/envoy-admin". This requires all references to "envoy-admin" cluster to be changed to "/envoy-admin", including in any CEC/CCEC users may have. Factor out the TCP proxy qualification logic to qualifyTcpProxyResourceNames() which is similar to qualifyRouteConfigurationResourceNames() to keep the main logic simpler. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
d81abce envoy: Add qualifyTcpProxyResourceNames helper [ upstream commit 0200c9f546371ea19ecb424aee2d0208803369b8 ] Factor out TcpProxy resource name qualifications to a helper function and check for nil pointers. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 09:56:59 UTC
a8e6923 bgpv1: Fix BGP component tests using the same VirtualRouter config As some of the BGP component tests mutate the VirtualRouter config, we need to make sure that mutated config is not used by the following tests. That was the case before this fix, as multiple tests are using the same baseBGPPolicy. Now each test creates a deep copy of the base config, which is fine to mutate within the test. This change also ensures that fixture.config.policy always contains the most up-to-date policy. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 29 November 2023, 23:42:14 UTC
7a88c8c ci-ipsec-upgrade: Disable Linux 5.10-based configs As reported in [1], the node-to-node-encryption tests are failing. It expects ICMP packets to be not encrypted. Disable the configs until we have resolved the issue. [1]: https://github.com/cilium/cilium/issues/29351 Reported-by: Marcel Zieba <marcel.zieba@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 29 November 2023, 20:17:46 UTC
9d631b9 chore(deps): update dependency cilium/cilium-cli to v0.15.16 Signed-off-by: renovate[bot] <bot@renovateapp.com> 29 November 2023, 02:12:32 UTC
5eaa5ed gateway-api: Correct list of HTTPRoutes in VirtualHost This is to fix the issue in which the wrong list of HTTP routes is used to construct virtual host for insecure and secure routes. Ideally, only related HTTP routes for the same listener ports should be considered. Normally, this should not have any side effect, except using weightage clusters for the multiple, but the same, backends. However, in case of redirect filter, this will cause redirect loop as mentioned in the below issue. Fixes: 299648fef30ebefab6bfc93399f005473624f703 Fixes: #28186 Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 November 2023, 00:31:33 UTC
9c074a5 gateway-api: Refactor common component to its own func Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 November 2023, 00:31:33 UTC
d3eb130 chore(deps): update all lvh-images main Signed-off-by: renovate[bot] <bot@renovateapp.com> 28 November 2023, 11:08:56 UTC
8e5a7db images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 28 November 2023, 11:08:38 UTC
35e2c9e chore(deps): update docker.io/library/golang:1.20.11 docker digest to 4e4a34f Signed-off-by: renovate[bot] <bot@renovateapp.com> 28 November 2023, 11:08:38 UTC
388fa7c envoy: Bump envoy container image The new build is with golang 1.21.4 and grpc v1.59.0, mainly for recent HTTP/2 related CVEs. Related build: https://github.com/cilium/proxy/actions/runs/7002314626/job/19047286335 Relates: https://github.com/cilium/proxy/pull/439 Signed-off-by: Tam Mach <tam.mach@cilium.io> 28 November 2023, 10:24:45 UTC
7dcee9d ci/ipsec: Skip upgrade/downgrade test to patch release on main branch [ upstream commit c9dedb49f5a65dda4af26af6ee79abe863153171 ] Skip upgrade/downgrade test to patch release when we fail to retrieve the number for the previous patch release. This happens mostly for the main branch (where testing upgrades/downgrades is covered by the tests to the previous stable (minor) release already). This may also happen on top of release preparation commits, where we set the patch number to 90, and where it is non-trivial to retrieve the previous patch release number. This case doesn't matter much, because commits for preparing releases are Not Expected To Break IPsec (TM). Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:28:36 UTC
9352658 ci/ipsec: Add upgrade/downgrade tests for patch releases [ upstream commit ed59edc9f34596c871e45430c9378579eed9a12a ] Currently, we test upgrades and downgrades for IPsec against the previous stable branch, for example: - On main branch (v1.15-dev): v1.14 (branch tip) -> main (PR HEAD) -> v1.14 (branch tip) - On older stable branches: v1.13 (branch tip) -> v1.14 (PR HEAD) -> v1.13 (branch tip) For stable branches, this commit adds support for testing upgrades and downgrades against the latest patch release as well, for example: - On v1.14: v1.14.4 (tag) -> v1.14 (PR HEAD) -> v1.14.4 (tag) The workflow currently fails on the main branch (this case is covered by the upgrade/downgrade test to the previous stable branch already). This is addressed by skipping most of the steps on main branch, in a follow-up commit. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:28:36 UTC
08ad45c ci-ipsec-upgrade: Add missed tail calls check for upgrade [ upstream commit ced884f22c62585431fe048c872897a009d3d064 ] The downgrade is still affected [1]. [1]: https://github.com/cilium/cilium/issues/26739#issuecomment-1803373334 Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:28:36 UTC
3c22ed1 ci-ipsec-upgrade: Use branch tip instead of released version [ upstream commit 502bbc7bcc19c8a43c7a94a8ad9a16b1fb666e11 ] [1] changed the upgrade path from "v1.14 (branch tip) -> main -> v1.14 (branch tip)" to "v1.14.x (last release) -> main -> v1.14.x (last release)". The downside of the former path is that we catch any upgrade/downgrade regressions only after a release. This commit brings back the previous path. [1]: https://github.com/cilium/cilium/commit/31afd0211984f170f2844e455f6e48ad055e586d Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:28:36 UTC
f9d757d CI: Let actions/cilium-config use Chart.yaml-specified image by default [ upstream commit 31afd0211984f170f2844e455f6e48ad055e586d ] Previously cilium-config action always generates helm-set flags for image settings, but in some cases we can just rely on Chart.yaml since we always set chart-dir. This helps when: 1. We want to install release version instead of ci version. Currently cilium-config action sets `cilium-ci` unconditionally. 2. We have complicated image tag requirements such as `v1.14.1-beta.1`. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:28:36 UTC
924f842 contrib/scripts: Support patch releases in print-downgrade-version.sh [ upstream commit 56dfec2f1ac5126bd5eeed3e30607b215e4ab991 ] Script contrib/scripts/print-downgrade-version.sh is used to derive the name of the previous stable branch, based on the current version number found in the repository. This is useful for testing upgrades and downgrades in CI, between the current branch and the previous stable branch. For some tests we need to perform similar checks between the current tip of a branch and the latest patch release on the branch. For example, when working on branch 1.14, we want to downgrade to the latest patch release, 1.14.3 at this time, then upgrade back to the tip of 1.14. On the main branch, this is not relevant, because we don't usually have patch releases on that branch. The current commit updates print-downgrade-version.sh to add support for patch releases. When a user passes "patch" as the first argument to the script, then instead of decrementing the minor version by one, the script decrements the patch release number by one, and prints the result. When the patch release number is 0 (new minor release) or 90 (release preparation), the script returns an error, because it is non-trivial to find the preceding patch release number in such cases (at least without Git and the Git history). From the workflow's perspective (for supporting upgrades from patch releases in a follow-up commit), for new minor releases, upgrade/downgrade is already covered in this case by working with the previous stable branch; and for 90, we just don't have an easy way to retrieve the previous number. We make the script print errors on stderr, in order to make it easier to compare the string returned on stdout (empty in case of error). 
Some examples of numbers from VERSION and the corresponding values returned:

    VERSION       Previous minor   Previous patch release
    1.14.3        v1.13            v1.14.2
    1.14.1        v1.13            v1.14.0
    1.14.0        v1.13            <error>
    1.14.1-dev    v1.13            v1.14.0
    1.15.0-dev    v1.14            <error>
    1.13.90       v1.12            <error>

In order to test the script easily, this commit also allows setting $VERSION from the command line, defaulting to the content of file VERSION if no value is provided. Let's also add the errexit and nounset options to the script. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:28:36 UTC
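The derivation rules in this commit message (decrement the minor for the previous stable branch, decrement the patch for the previous patch release, error on patch 0 and 90, errors on stderr with empty stdout, $VERSION overriding the VERSION file) as a runnable Go program. This is an added example in Go, not the project's shell script contrib/scripts/print-downgrade-version.sh; the function names `PreviousMinor` and `PreviousPatch`, the accepted version suffix syntax, and the guard against a minor version of 0 are assumptions of this example. It reproduces every row of the table above.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// versionRe accepts the contents of the VERSION file: MAJOR.MINOR.PATCH with an
// optional suffix such as "-dev", which is ignored when deriving versions.
// (Assumed syntax for this example.)
var versionRe = regexp.MustCompile(`^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$`)

// parseVersion splits a VERSION string into its numeric components.
func parseVersion(v string) (major, minor, patch int, err error) {
	m := versionRe.FindStringSubmatch(strings.TrimSpace(v))
	if m == nil {
		return 0, 0, 0, fmt.Errorf("unrecognised version %q", v)
	}
	major, _ = strconv.Atoi(m[1]) // digits only, so Atoi cannot fail here
	minor, _ = strconv.Atoi(m[2])
	patch, _ = strconv.Atoi(m[3])
	return major, minor, patch, nil
}

// PreviousMinor returns the previous stable branch name, e.g. "1.14.3" -> "v1.13".
func PreviousMinor(v string) (string, error) {
	major, minor, _, err := parseVersion(v)
	if err != nil {
		return "", err
	}
	if minor == 0 {
		// Guard added for this example; the commit message does not cover x.0.y.
		return "", errors.New("no previous minor release for a .0 minor version")
	}
	return fmt.Sprintf("v%d.%d", major, minor-1), nil
}

// PreviousPatch returns the previous patch release tag, e.g. "1.14.3" -> "v1.14.2".
// Patch 0 (new minor release) and patch 90 (release preparation) are errors, as in
// the script: the preceding release cannot be derived without the Git history.
func PreviousPatch(v string) (string, error) {
	major, minor, patch, err := parseVersion(v)
	if err != nil {
		return "", err
	}
	switch patch {
	case 0:
		return "", errors.New("new minor release: previous patch release is on the previous stable branch")
	case 90:
		return "", errors.New("release preparation version: previous patch release cannot be derived")
	}
	return fmt.Sprintf("v%d.%d.%d", major, minor, patch-1), nil
}

// main mirrors the script's interface: $VERSION overrides the VERSION file, "patch"
// as first argument selects the patch-release mode, errors go to stderr and nothing
// is printed on stdout in that case.
func main() {
	version := os.Getenv("VERSION")
	if version == "" {
		data, err := os.ReadFile("VERSION")
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			os.Exit(1)
		}
		version = string(data)
	}
	derive := PreviousMinor
	if len(os.Args) > 1 && os.Args[1] == "patch" {
		derive = PreviousPatch
	}
	out, err := derive(version)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println(out)
}
```

Usage: `VERSION=1.14.3 go run . patch` prints `v1.14.2`; `VERSION=1.14.0 go run . patch` prints nothing on stdout and exits non-zero, which is what lets a CI step skip the patch-release path by testing for an empty string.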