https://github.com/cilium/cilium

024ee3e WIP Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 January 2023, 10:20:43 UTC
6fb8a87 daemon: Make control-plane nodes opt-out of node-to-node encryption This commit introduces a new command-line option to specify a label selector to make nodes opt-out of node-to-node encryption. The default label selector set will match kubeadm control-plane nodes (i.e. the nodes hosting kube-apiserver). This ensures that all Cilium-managed nodes will be able to reach the kube-apiserver running on that node regardless of encryption status. This is important, because we want to ensure that nodes can change their public keys when they re-join the cluster. Nodes who opted out of node-to-node encryption will still perform encryption for pod-to-pod traffic. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 22 December 2022, 14:29:56 UTC
af3f240 test: Enable node encryption for WG tests with vxlan Currently, the bpf_overlay prog doesn't redirect a packet to the WG netdev for encryption (will be addressed in a follow-up PR). So, in order for the tests to pass, we need to enable the host2host encryption. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 22 December 2022, 14:29:56 UTC
0757e3a daemon: Encrypt NodePort BPF traffic with WireGuard This commit attaches the bpf_host's "from-netdev" section to the Cilium's WireGuard tunnel netdev ("cilium_wg0"). This is needed to enable the encryption of the KPR traffic. In particular, we encrypt the N/S KPR requests which will be forwarded to a remote node running a selected service endpoint. IMPORTANT: this encrypts KPR traffic only when running in the non-tunneling mode. For the request path no changes are required. The existing datapath configuration already handles it, as shown in the following: 1. The "from-netdev" attached to eth0 is invoked for the NodePort request. 2. A remote service endpoint is selected, the DNAT and SNAT translations are performed. 3. The translated request is redirected to eth0. 4. The "to-netdev" section on eth0 is invoked. It detects that the packet needs to be encrypted, so it redirects to the cilium_wg0. For the reply path minimal changes were required. After the WG netdev has decrypted the reply packet, the packet is returned to the networking stack. Because the networking stack is not aware of the connection, the reply packet is dropped. To avoid that, we attach the "from-netdev" section to the WG netdev, so that the following can be performed: 1. Reverse SNAT and DNAT translations are applied to the reply. 2. The reply packet is redirected to the outgoing interface. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 22 December 2022, 14:29:56 UTC
7bf9638 datapath: Bring back WG pod2pod behavior when tunnel != disabled Before changing the WG integration's behavior, when running in the tunneling mode, pod2pod@remote-node traffic escaped the bpf_overlay's tunneling, and was encapsulated once by the WG tunnel netdev. To be compatible with this < v1.13 behavior, this commit adds the redirect to the WG tunnel to the __encap_and_redirect_with_nodeid() function which is eventually called in the pod2pod packet path. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 22 December 2022, 14:29:56 UTC
81d3e84 daemon: Drop L7 check for WireGuard There is no longer an skb mark conflict with the L7 proxy, so we can drop the check. This means that the L7 proxy can work together with the WG integration. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 22 December 2022, 14:29:56 UTC
aef3795 daemon: Detect bpf_host netdevs when WG is enabled We need to detect a direct routing dev (= one which is used to connect K8s Nodes) in order to attach bpf_host when WG is enabled, as bpf_host is responsible for redirecting packets to the WG netdev for encryption. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 22 December 2022, 14:29:56 UTC
bd52784 daemon: Adopt agent to new WireGuard integration This commit changes the agent code to support the new WireGuard integration described in the previous commit. The most important changes: 1. Configure the WG netdev to add the skb mark. 2. Add NodeIP to allowed-ips when --encrypt-node=true. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 22 December 2022, 14:29:56 UTC
c7e1830 datapath: Change WG integration to support host2host case This commit completely changes the WireGuard integration in the datapath to enable the host2host encryption (also, pod2host and host2pod). Previously, we supported only the pod2pod case. This was implemented by marking a to-be-encrypted packet, and then letting the IP rule installed in the host netns forward the packet to the WireGuard tunnel device "cilium_wg0" for the encryption, as shown below:

┌─────────────────┐
│ Pod A netns     │
│   ┌────────┐    │
│   │  eth0  │    │
└───┴────┬───┴────┘
    ┌────┴──────────┐
    │ bpf_lxc@veth0 │ (host netns)
    └────┬──────────┘
         │1."from-container" in bpf_lxc sets MARK_MAGIC_ENCRYPT
         │2. ip rule matches the mark and routes packet to WG netdev
         │       ┌───────────┐
         └──────►│cilium_wg0 │
                 └────┬──────┘
                      │
                  ┌───▼───┐
                  │ eth0  │
                  └───────┘

This was working fine for the pod2pod case (albeit with one danger: a sysadmin could nuke the rule, making the packet bypass the WG dev). However, with this approach it was not possible to enable the host2host case, as a packet originating from the host netns was never handled by bpf_lxc. Thus, we needed to change the datapath. To encrypt a host2host packet we need to attach bpf_host to the outgoing device connecting cluster nodes, which in the picture is "eth0". Then the program "to-netdev" from bpf_host can forward the packet to the WG dev. Once encrypted, the packet will again hit the same bpf_host program. To avoid the packet looping forever, we can configure the WG netdev to set the skb mark after the encryption. Then, in the program we can skip the redirection to the WG netdev if the mark is set. The flow below shows the new integration.

┌─────────────────┐
│ Pod A netns     │
│   ┌────────┐    │
│   │  eth0  │    │
└───┴────┬───┴────┘
    ┌────┴──────────┐
    │ bpf_lxc@veth0 │ (host netns)
    └────┬──────────┘
         │
    ┌────▼───────────┐ 1. "to-netdev" does redirect     ┌───────────┐
    │ bpf_host@eth0  │─────────────────────────────────►│cilium_wg0 │
    └─┬─────────▲────┘                                  └──────┬────┘
      │         │                                              │
      │         │ 2. encrypt and set MARK_MAGIC_ENCRYPTED      │
      │         └──────────────────────────────────────────────┘
      │ 3. output the encrypted packet
      ▼

The same flow is used for the host2host, host2pod and pod2host cases. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 22 December 2022, 14:29:42 UTC
9354b43 helm: Enable node encryption for WireGuard Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 22 December 2022, 12:18:56 UTC
0fd31de node: Set EncryptKey if WireGuard is enabled This commit sets the EncryptKey index field to a static non-zero value in CiliumEndpoints and CiliumNodes if WireGuard is enabled for managing cilium-agent. This allows us to have fine-grained tracking of encrypted endpoints. A follow-up commit will update the datapath accordingly, to make use of this field and only encrypt connections to endpoints which have a non-zero encryption key index. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 22 December 2022, 12:18:56 UTC
19f2ed1 envoy: Support default LB algorithm flag The default load balancer algorithm can still be overridden by service annotation (e.g. io.cilium.service/lb-algorithm). Signed-off-by: Tam Mach <tam.mach@cilium.io> 22 December 2022, 02:44:01 UTC
281d95a envoy: Support list of global ports for redirect This commit is to support envoy redirect for all services having a port number in the list, so that users don't need to annotate them one by one. Just a note that for more customized and advanced use cases, service annotation will still be required. One caveat is that the current CEC operates at service level, i.e. there is no granular control to only redirect one particular service port. Signed-off-by: Tam Mach <tam.mach@cilium.io> 22 December 2022, 02:44:01 UTC
1c257e3 envoy: Add annotation support for lb mode This commit is to add simple mutation function to set LB mode in envoy cluster. By default, round-robin mode is used. Signed-off-by: Tam Mach <tam.mach@cilium.io> 22 December 2022, 02:44:01 UTC
69218ef envoy: Add upgrade configuration for websocket This commit is to add simple mutation function for grpc service. Signed-off-by: Tam Mach <tam.mach@cilium.io> 22 December 2022, 02:44:01 UTC
c5a2d90 envoy: Add L7 service loadbalancing capability This commit is to add a first cut to support l7 service lb capability via envoy. The base configuration is generated from service spec, more advance features via annotation will be added in subsequent commits. Signed-off-by: Tam Mach <tam.mach@cilium.io> 22 December 2022, 02:44:01 UTC
c44b0f0 cli: Add configuration flag for service LB Just to add a CLI flag along with how to configure this flag from helm Signed-off-by: Tam Mach <tam.mach@cilium.io> 22 December 2022, 02:44:01 UTC
260a90e envoy: Add skeleton for service LB via envoy This commit contains just a simple skeleton for L7 load balancing capability via envoy proxy. There is no processing logic at all right now. Signed-off-by: Tam Mach <tam.mach@cilium.io> 22 December 2022, 02:44:01 UTC
dc7f561 Update Layer 7 Protocol Visibility Document. Fixes #22615. Signed-off-by: Oksana Baranova <oksana.baranova@intel.com> 22 December 2022, 02:35:36 UTC
11a7e88 .github: Clean up RBAC artifacts for v1.13 CI This commit is the v1.13 CI equivalent of git commit 43cb8e9124d0 (".github: manually clean up RBAC artifacts"), necessary until we resolve https://github.com/cilium/cilium-cli/issues/1257 . Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:35 UTC
488240f Enable Google Analytics 4 Signed-off-by: Patrice Chalin <chalin@cncf.io> 21 December 2022, 20:51:50 UTC
ae9dbd8 bpf: nodeport: wire up trace aggregation for rev_nodeport_lb6() Pass the `monitor` feedback from the CT lookup to __encap_with_nodeid(). A previous commit already added this for rev_nodeport_lb4(), so aim for commonality here. Fixes: 428abc92abe8 ("bpf: pipe forwarding reason into traces for TO_OVERLAY") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 21 December 2022, 07:58:50 UTC
78146e5 Update MAINTAINERS.md to include Tom Hadlaw Signed-off-by: Chris Tarazi <chris@isovalent.com> 21 December 2022, 07:53:23 UTC
4ddeb34 gh/workflows: First create LVH VMs, and then wait for images Saves 1-2 min. Signed-off-by: Martynas Pumputis <m@lambda.lt> 21 December 2022, 07:45:30 UTC
934657c gh/workflows: Test direct routing mode in ci-datapath The configuration table - https://github.com/cilium/cilium/issues/20606. Signed-off-by: Martynas Pumputis <m@lambda.lt> 21 December 2022, 07:45:30 UTC
77a4d9e gh/workflows: Add 6.0 kernel to DP conformance It's current stable. Signed-off-by: Martynas Pumputis <m@lambda.lt> 21 December 2022, 07:45:30 UTC
5fdad85 gh/workflows: Fix some DP conformance deprecation warnings Signed-off-by: Martynas Pumputis <m@lambda.lt> 21 December 2022, 07:45:30 UTC
73bd4fa gh/workflows: Use large runners for ci-datapath They support nested virt, so kthnxbye poor man's ephemeral GH action runners. Signed-off-by: Martynas Pumputis <m@lambda.lt> 21 December 2022, 07:45:30 UTC
563417d Update stable releases Signed-off-by: Joe Stringer <joe@cilium.io> 21 December 2022, 03:32:54 UTC
fd24b10 auth: Update conntrack entry Tell datapath connection is authenticated by clearing the auth_required flag on the conntrack entry. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 December 2022, 03:31:46 UTC
a246aa0 bpf: Enforce zero dst_id for egress Drop notification 'dst_id' is non-zero only for ingress. Enforcing this we can detect ingress/egress based on this property when receiving drop notifications. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 December 2022, 03:31:46 UTC
1f7ed72 bpf: Add CT map flag for auth required Add a new conntrack flag for auth required, and create CT entries for connections that are dropped due to not being authenticated yet. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 December 2022, 03:31:46 UTC
a3f6796 bpf: Used ENABLE_L7_LB in complexity test Add -DENABLE_L7_LB=1 to MAX_BASE_OPTIONS to pull that code in for load testing. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 December 2022, 03:31:46 UTC
c9d40dd bpf: Skip policy enforcement for return traffic Policy lookup results were already ignored for return traffic, so we can skip policy lookup for CT_REPLY and CT_RELATED altogether. This allows simplification of the policy verdict reporting logic as well. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 December 2022, 03:31:46 UTC
a7a1add bpf: Flip emit_policy_verdict logic Set 'emit_policy_verdict' to 'true' only if policy lookup is performed. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 December 2022, 03:31:46 UTC
be21f88 bpf: Make proxy_port an explicit parameter to policy lookup Later on we need to be able to return both a drop reason and a proxy port, so make proxy port an explicit parameter rather than folding it into the function return value. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 December 2022, 03:31:46 UTC
e4685f2 examples: Add auth policy example Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 December 2022, 03:31:46 UTC
9882a49 bpf: Add drop due to missing authentication Add new drop reason for missing authentication. Pass authentication type as extended error in the drop event. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 December 2022, 03:31:46 UTC
df0eebc policy: Add Auth member to CNP ingress and egress Add optional Auth object to L3 policy (ingress/egress) rules. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 December 2022, 03:31:46 UTC
67b1460 policy: Refactor per-selector policy handling Rename L7RulesPerSelector in L4Filter as PerSelectorPolicies, as the map values already hold more than just the L7 rules (e.g., if the L3 or L4 rule is a deny rule or not). Following commits will add more non-L7 related fields, which would be even more confusing with the old name. JSON name 'l7-rules' is kept for backwards compatibility, should consider if backwards compatibility is needed here, though. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 December 2022, 03:31:46 UTC
cec554b daemon/cmd: improve stale cilium endpoint error handling. A CEP that is already gone by the time cleanup occurs (but may still be attempted to be cleaned up due to it still being in Cilium's k8s cache) should be skipped. This happens occasionally in CI as Pods/CEPs are deleted in close proximity to Cilium agent restarts. Logging an error was causing the tests to fail unnecessarily. This captures the NotFound case separately and instead logs an info message. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 21 December 2022, 03:26:09 UTC
4bc5629 Add sphinxcontrib-googleanalytics to doc requirements Signed-off-by: Patrice Chalin <chalin@cncf.io> 21 December 2022, 02:25:16 UTC
31093c1 ci: Replace deprecated `hubble observe -o json` with `-o jsonpb` This commit replaces the use of the deprecated `-o json` flag on Hubble observe with `-o jsonpb`. Future versions of Hubble will make `-o json` an alias to `-o jsonpb`, so this commit should be future-proof. The new output wraps each flow in a `GetFlowsResponse`, meaning the old object is now accessible in the `.flow` attribute. All jsonpath queries in the code have been changed to reflect this change. Notably, some parts of CI (namely the `hubble-flows-*.json` files used for troubleshooting CI flakes) already used `-o jsonpb` and thus this commit should not cause any change in the usual CI troubleshooting workflow. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 20 December 2022, 11:33:42 UTC
965ca0d test: service: fix formatting of error msg in doFragmentedRequest() Fix up the string formatting to include the `dstIP` parameter. Spotted in a Jenkins run: /home/jenkins/workspace/Cilium-PR-K8s-1.26-kernel-net-next/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:515 Failed to account for INGRESS IPv4 fragments in BPF metrics%!(EXTRA string=10.100.188.224) Fixes: 938b4940f92b ("bpf: add metrics for fragmented IPv4 packets") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 20 December 2022, 11:33:12 UTC
00eb46e Add tests for hubble metrics handlers: Drop, Tcp, PortDistribution. Signed-off-by: Marek Chodor <mchodor@google.com> 20 December 2022, 11:32:21 UTC
06c5754 fqdn: dnsproxy: fix data race in dns proxy implementation A recent commit patched dnsproxy to configure a net.Dialer for every outgoing request. However, the dialer was assigned to a single shared copy of dns.Client which led to data corruption. Create a new dns.Client each time we do a client, so the state is not shared between threads. Fixes: cf3cc16289b762 ("fqdn: dnsproxy: fix forwarding of the original security identity for TCP") Signed-off-by: Anton Protopopov <aspsk@isovalent.com> 20 December 2022, 11:31:50 UTC
a77007a workflows: Pin GKE to 1.24.5 This is a temporary fix for the failing encryption connectivity tests seen with 1.24.7 and newer. Signed-off-by: Jussi Maki <jussi@isovalent.com> 20 December 2022, 11:06:49 UTC
f487647 operator: Wait for informers to shut down when stopping Now that the control-plane tests are running multiple test cases against the operator we're seeing more flakes due to global variables that left behind goroutines from previous test cases. For example: panic: close of closed channel goroutine 697 [running]: github.com/cilium/cilium/operator/watchers.UnmanagedKubeDNSPodsInit({0x3ad76a8?, 0xc00083ed40?}) /home/vagrant/go/src/github.com/cilium/cilium/operator/watchers/pod.go:140 +0x268 The proper fix would be to refactor the operator to not use global variables and implement it as cells with their own Start and Stop hooks that don't leave goroutines behind. Since that refactoring will take significant time, we can apply a band-aid to the flaky test problem by propagating a Context and WaitGroup to the places where goroutines are left behind (as indicated by goleak check). This commit does not apply this to every feature in operator due to gaps in test coverage (e.g. operator/pkg/ingress was not modified). Fixes: #22748 Signed-off-by: Jussi Maki <jussi@isovalent.com> 20 December 2022, 11:05:41 UTC
64866c2 hive: Use mutex in DefaultLifecycle The DefaultLifecycle is used concurrently in the operator: it is started when the operator is elected leader and stopped when the application stops. In control-plane tests I observed that the operator was stopped before it was fully started, which led to skipping of stop hooks which then caused subsequent tests to fail. Fix the issue by adding a mutex to DefaultLifecycle so that Stop() won't observe partial starts. Signed-off-by: Jussi Maki <jussi@isovalent.com> 20 December 2022, 11:05:41 UTC
e50bf2e cilium: Add deprecation warning for service ids The NodePort service frontends are currently expanded early in the K8sWatcher and the IDs used by datapath are allocated for these expanded frontends in pkg/service. A NodePort frontend is created for the Node IP and other routable IPs on the system. As this is now something that can be reconfigured at runtime when devices change, we would like to make the frontend expansion and the service and backend identifiers implementation details of the datapath and not expose them to the user via the REST API (PUT /service/{id}) or the "cilium service update" command. In v1.14 we will implement this by changing the {id} from int into a string (something like "1.2.3.4:80:TCP" or "[f00d::1]:80:TCP"). We're expecting this change to only affect standalone load-balancer users that are using the "cilium service" commands directly. We do not expect there to be direct use of the "/service/" REST endpoints. Based on this we deem the backwards incompatible change to the type of the {id} parameter acceptable. In order to give advance warning to the users, this commit adds deprecation warnings to the cilium-agent logs when the /service endpoints are used and to the cilium command-line utility when "cilium service update" or "cilium service delete" is used. Signed-off-by: Jussi Maki <jussi@isovalent.com> 19 December 2022, 07:32:10 UTC
ca52560 daemon, ipcache: Plumb root context to IP identity watcher In the case that the Agent goes down, it can properly signal to the ipcache package to tear down the IP identity watcher goroutine. This doesn't resolve any bugs that I'm aware of and just found it via code inspection. Signed-off-by: Chris Tarazi <chris@isovalent.com> 19 December 2022, 07:12:43 UTC
3961355 backporting: leave backport/author PRs alone This label means that the backport will be performed by the author, and thus the backporting automation should ignore it. It's okay to not filter by backport-done/<branch> because these labels should not be present at the same time. (Notably, if resiliency was the intention, we should already be filtering backport-pending too.) Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 18 December 2022, 21:47:38 UTC
d8c7d93 cilium: Use netip.Addr for IPv6NAT46x64CIDRBase For new code, preference is to use net/netip package. Suggested-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 December 2022, 16:10:11 UTC
148f71a cilium: Remove unneeded CIDR nil check This cannot be true if err == nil and can also be removed in validateIPv6ClusterAllocCIDR. Also, s/CIDR length must be/prefix length must be/. Suggested-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 December 2022, 16:10:11 UTC
4631570 cilium: Move default nat46x64 prefix into defaults package Refactor the code such that we can easily expose it as a config knob and have the underlying code be generic. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 December 2022, 16:10:11 UTC
94003f2 cilium, status: Implement verbose dump for service/gateway nat46x64 status Add status dump and separate both Service/Gateway. Also dump the prefix for the gateway. It's hard coded here, but subsequent commit will move this into defaults package. In future this can be made configurable and potentially we might support multiple prefixes. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 December 2022, 16:10:11 UTC
80d9cbc cilium: Add auto-generated openapi code for service/gateway nat46x64 status Auto-generated API code in here. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 December 2022, 16:10:11 UTC
64d7518 cilium, api: Extend status API to reflect service/gateway nat46x64 status For cilium status dump we want to reflect the state of services vs gateway support on NAT46/64. Therefore extend both into objects which can be extended further if needed. Also for the GW we expose the current fixed default prefix. In future, this may be a list of prefixes. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 December 2022, 16:10:11 UTC
225b31c cilium: Rename agent setting to generic nat46x64 gateway Rename the agent setting --enable-stateless-nat46x64 into a more generic --enable-nat46x64-gateway, given the plan is to enable both stateless and stateful translation in this case as both can be supported in parallel. This has not seen a stable release yet, so the rename is fine. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 December 2022, 16:10:11 UTC
6d8f4a8 bpf: Add generic stateful nat6->4 support This work completes the standalone egress GW functionality by implementing generic nat64 without having to configure specific services for remap:

On the Gateway node:

  # ./daemon/cilium-agent --enable-ipv4=true --enable-ipv6=true \
      --datapath-mode=lb-only --bpf-lb-algorithm=maglev \
      --bpf-lb-maglev-table-size=2039 --bpf-lb-acceleration=disabled \
      --devices=enp5s0 --disable-envoy-version-check=true \
      --enable-stateless-nat46x64=true
  # ./cilium/cilium service list
  ID   Frontend   Service Type   Backend
  #
  # tcpdump -i enp5s0 port 80 -n
  [...]
  12:06:05.823733 IP6 2a02:168:f656:0:1ac0:4dff:ff01:d5e6.54054 > 64:ff9b::8c52:7903.80: Flags [S], seq 2743947568, win 43200, options [mss 1440,sackOK,TS val 3724070640 ecr 0,nop,wscale 9], length 0
  12:06:05.823745 IP 192.168.2.11.54054 > 140.82.121.3.80: Flags [S], seq 2743947568, win 43200, options [mss 1440,sackOK,TS val 3724070640 ecr 0,nop,wscale 9], length 0
  12:06:05.830454 IP 140.82.121.3.80 > 192.168.2.11.54054: Flags [S.], seq 433570079, ack 2743947569, win 65535, options [mss 1436,sackOK,TS val 1565141015 ecr 3724070640,nop,wscale 10], length 0
  12:06:05.830479 IP6 64:ff9b::8c52:7903.80 > 2a02:168:f656:0:1ac0:4dff:ff01:d5e6.54054: Flags [S.], seq 433570079, ack 2743947569, win 65535, options [mss 1436,sackOK,TS val 1565141015 ecr 3724070640,nop,wscale 10], length 0
  [...]

The client only needs to add a next hop entry in its routing table, no special source address selection is needed:

  # ip -6 r
  [...]
  64:ff9b::/96 via 2a02:168:f656:0:1ac0:4dff:ff01:c164 dev enp5s0 metric 1024 pref medium
  [...]
  # curl --verbose "http://[64:ff9b::101:101]"
  *   Trying 64:ff9b::101:101:80...
  * TCP_NODELAY set
  * Connected to 64:ff9b::101:101 (64:ff9b::101:101) port 80 (#0)
  > GET / HTTP/1.1
  > Host: [64:ff9b::101:101]
  > User-Agent: curl/7.68.0
  > Accept: */*
  >
  * Mark bundle as not supporting multiuse
  < HTTP/1.1 403 Forbidden
  < Date: Tue, 29 Nov 2022 13:30:30 GMT
  < Content-Type: text/plain; charset=UTF-8
  < Content-Length: 16
  < Connection: close
  < X-Frame-Options: SAMEORIGIN
  < Referrer-Policy: same-origin
  < Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  < Expires: Thu, 01 Jan 1970 00:00:01 GMT
  < Server: cloudflare
  < CF-RAY: 771bb2c739d5cc3e-ZRH
  <
  * Closing connection 0
  [...]

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 December 2022, 16:10:11 UTC
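The address mapping the gateway performs in the tcpdump output above (64:ff9b::8c52:7903 for 140.82.121.3, and 64:ff9b::101:101 for the curl target), as an added example in Go that is not cilium's own code: it embeds and extracts IPv4 addresses in an RFC 6052 /96 NAT64 prefix with net/netip, and refuses to translate IPv6 destinations that fall outside the prefix, which is the check a gateway must make before rewriting a packet. The function names and the fixed 64:ff9b::/96 prefix are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// nat64Prefix is the RFC 6052 well-known prefix seen in the client's route
// ("64:ff9b::/96 via ..."). Assumed constant for this example; cilium keeps
// its own default in its defaults package.
var nat64Prefix = netip.MustParsePrefix("64:ff9b::/96")

// embedIPv4 maps an IPv4 address into a NAT64 /96 prefix: the four IPv4
// bytes become the low 32 bits of the IPv6 address (RFC 6052, /96 layout).
func embedIPv4(prefix netip.Prefix, v4 netip.Addr) (netip.Addr, error) {
	if !prefix.Addr().Is6() || prefix.Bits() != 96 {
		return netip.Addr{}, errors.New("prefix must be an IPv6 /96")
	}
	if !v4.Is4() {
		return netip.Addr{}, errors.New("address must be IPv4")
	}
	b := prefix.Addr().As16() // prefix bytes, low 32 bits are zero
	v := v4.As4()
	copy(b[12:], v[:]) // bytes 12..15 carry the embedded IPv4 address
	return netip.AddrFrom16(b), nil
}

// extractIPv4 recovers the IPv4 destination from a NAT64-mapped IPv6
// address. It returns ok=false for anything outside the prefix, so a
// gateway only translates traffic that was actually routed to it for NAT64
// and leaves native IPv6 (such as the client's 2a02:... source) untouched.
func extractIPv4(prefix netip.Prefix, v6 netip.Addr) (netip.Addr, bool) {
	if !v6.Is6() || v6.Is4In6() || !prefix.Contains(v6) {
		return netip.Addr{}, false
	}
	b := v6.As16()
	return netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]}), true
}

func main() {
	v6, err := embedIPv4(nat64Prefix, netip.MustParseAddr("140.82.121.3"))
	if err != nil {
		panic(err)
	}
	v4, _ := extractIPv4(nat64Prefix, v6)
	fmt.Printf("140.82.121.3 -> %s -> %s\n", v6, v4)
}
```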
5473f91 ci, github: Fix IPv6 conformance test Recently the IPv6 conformance test failed to bring up docker itself: [...] Dec 15 23:15:15 runner dockerd[4299]: time="2022-12-15T23:15:15.892545337Z" level=info msg="Starting up" Dec 15 23:15:15 runner dockerd[4299]: failed to start daemon: cgroup-parent for systemd cgroup should be a valid slice named as "xxx.slice" Dec 15 23:15:15 runner systemd[1]: docker.service: Main process exited, code=exited, status=1/FAILURE [...] Dumping the existing /etc/docker/daemon.json prior to our modifications looks as follows: { "exec-opts": ["native.cgroupdriver=cgroupfs"], "cgroup-parent": "/actions_job" } Therefore preserve these options when we enable IPv6. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: Tom Hadlaw <tom.hadlaw@isovalent.com> Link: https://github.com/actions/runner/issues/533#issuecomment-643071784 Link: https://github.com/orgs/community/discussions/26507?#discussioncomment-3252157 16 December 2022, 10:03:04 UTC
4b0aaa1 ci: v1.13: pin managed clusters' K8s version to 1.24 Cilium v1.13 officially supports up to K8s 1.26. However, the cloud providers do not support creating managed clusters with K8s 1.26: - AKS: 1.24 tops (1.25 in preview). - EKS: 1.24 tops. - GKE: 1.25 tops. We pin CI workflows for the stable branch to use K8s 1.24 when creating managed clusters as it is the lowest common supported version. This version should be updated as appropriate when new K8s versions are supported by the cloud providers. Resources: - AKS - Run `az aks get-versions --location westeurope --output table` - https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions - EKS - Run `eksctl version -o json | jq -r '.EKSServerSupportedVersions[]'` (note: this assumes `eksctl` is up to date, as this is static info) - https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html - https://eksctl.io/usage/schema/#metadata-version - GKE - Run `gcloud container get-server-config --format="yaml(channels)"` - https://cloud.google.com/kubernetes-engine/versioning - https://cloud.google.com/kubernetes-engine/docs/release-schedule Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 15 December 2022, 22:48:55 UTC
9c067c7 ci: v1.12: pin managed clusters' K8s version to 1.24 Cilium v1.12 officially supports up to K8s 1.24. We pin CI workflows for the stable branch to use that specific K8s version when creating managed clusters. Resources: - AKS - Run `az aks get-versions --location westeurope --output table` - https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions - EKS - Run `eksctl version -o json | jq -r '.EKSServerSupportedVersions[]'` (note: this assumes `eksctl` is up to date, as this is static info) - https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html - https://eksctl.io/usage/schema/#metadata-version - GKE - Run `gcloud container get-server-config --format="yaml(channels)"` - https://cloud.google.com/kubernetes-engine/versioning - https://cloud.google.com/kubernetes-engine/docs/release-schedule Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 15 December 2022, 22:48:55 UTC
a55e71a ci: v1.11: pin managed clusters' K8s version to 1.23 Cilium v1.11 officially supports up to K8s 1.23. We pin CI workflows for the stable branch to use that specific K8s version when creating managed clusters. Resources: - AKS - Run `az aks get-versions --location westeurope --output table` - https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions - EKS - Run `eksctl version -o json | jq -r '.EKSServerSupportedVersions[]'` (note: this assumes `eksctl` is up to date, as this is static info) - https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html - https://eksctl.io/usage/schema/#metadata-version - GKE - Run `gcloud container get-server-config --format="yaml(channels)"` - https://cloud.google.com/kubernetes-engine/versioning - https://cloud.google.com/kubernetes-engine/docs/release-schedule Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 15 December 2022, 22:48:55 UTC
84bf9e4 ci: v1.10: pin managed clusters' K8s version to 1.21 (except AKS) Cilium v1.10 officially supports up to K8s 1.21. We pin CI workflows for the stable branch to use that specific K8s version when creating managed clusters. The only exception is AKS, because 1.21 is not supported anymore on AKS. Instead, we pin to 1.22 so as to fix CI ASAP, and will discuss how to address such cases separately. Resources: - AKS - Run `az aks get-versions --location westeurope --output table` - https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions - EKS - Run `eksctl version -o json | jq -r '.EKSServerSupportedVersions[]'` (note: this assumes `eksctl` is up to date, as this is static info) - https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html - https://eksctl.io/usage/schema/#metadata-version - GKE - Run `gcloud container get-server-config --format="yaml(channels)"` - https://cloud.google.com/kubernetes-engine/versioning - https://cloud.google.com/kubernetes-engine/docs/release-schedule Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 15 December 2022, 22:48:55 UTC
ddf4459 ci: update eksctl to v0.122.0 In the following commits, we pin the K8s version used in managed EKS clusters. The available K8s versions are not provided dynamically by an EKS API, instead `eksctl` bakes in a static list of allowed K8s versions. This forces us to update `eksctl` in order to pin against the currently available K8s versions. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 15 December 2022, 22:48:55 UTC
49db467 bpf: add drop notification for missed L7 LB tailcall in to-netdev cil_to_netdev() is the upper-most function in the program. So don't just return a raw DROP reason to the kernel, but translate it to CTX_ACT_DROP and raise a drop notification. Fixes: d1d8e7a35b35 ("datapath: Add support for re-entering LXC egress path after L7 LB") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 15 December 2022, 15:39:20 UTC
5f6db15 helm: adds annotations support to certgen Some tooling, such as Argo CD, uses annotations to signal intent and sync policies. A specific example is that the certgen Job, as it currently is, will result in out-of-sync statuses when the bootstrap certgen Job is cleaned up. This can be prevented by adding an annotation to the Job, such as:

    annotations:
      argocd.argoproj.io/hook: PreSync
      argocd.argoproj.io/hook-delete-policy: HookSucceeded

Note: this is an additive feature and is backwards compatible Signed-off-by: Eric Ripa <eric@ripa.io> 15 December 2022, 14:57:07 UTC
12782f5 daemon: Clarify host IP sync controller's intent The code confusingly references "endpoints", which to the reader, signals that this function also cleans up stale endpoint information (as in workloads / pods) as well as host information. However the former is not the case. It only cleans up host information (confusingly referred to as the host endpoint). In other words, this function ensures that the ipcache and the endpoint map (lxcmap) do not contain stale host information, i.e. cilium_host IP or the internal node IP. Attempt to clarify the code by removing references to "endpoint" and rename the controller function accordingly. This commit should have no functional impact. An incorrect reference inside restoreOldEndpoints() was also fixed to refer to endpoints instead of host. Fixes: 19be15be0f3 ("agent: Fix endpoint restore with unmounted BPF filesystem") Fixes: 4ecf111c35 ("agent: Fix temporary corruption of BPF endpoint map on restart") Fixes: fd10ded5da ("agent: Add all local addresses to endpoints map and ipcache") Signed-off-by: Chris Tarazi <chris@isovalent.com> 15 December 2022, 14:54:39 UTC
76837ea install/kubernetes: make securityContext SELinux options configurable Make the hardcoded SELinux options in the helm charts configurable. Fixes #22703 Signed-off-by: Tobias Klauser <tobias@cilium.io> 15 December 2022, 11:37:17 UTC
1928344 docs: add FOSSA badge to readme Signed-off-by: Liz Rice <liz@lizrice.com> 15 December 2022, 11:36:49 UTC
5be08a3 daemon, fqdn: Fix event ordering of DNS reply / request logs Before this commit, this is what the monitor output looks like:

```
-> Request dns from 294 (...) to 0 ([reserved:host]), identity 30316->1, verdict Forwarded DNS Query: example.com. A
-> Response dns to 294 (...) from 0 ([reserved:host]), identity 30316->1, verdict Forwarded DNS Proxy: example.com. A TTL: 16 Answer: '23.212.108.94,23.212.108.112' CNAMEs: cname.example.com.
>> IPCache entry upserted: {"cidr":"123.123.123.123/32","id":16777744,"encrypt-key":0}
>> IPCache entry upserted: {"cidr":"123.123.123.130/32","id":16777745,"encrypt-key":0}
>> Endpoint regenerated: {"id":294,"labels":[...]}
```

With this commit:

```
-> Request dns from 294 (...) to 0 ([reserved:host]), identity 30316->1, verdict Forwarded DNS Query: example.com. A
>> IPCache entry upserted: {"cidr":"123.123.123.123/32","id":16777744,"encrypt-key":0}
>> IPCache entry upserted: {"cidr":"123.123.123.130/32","id":16777745,"encrypt-key":0}
>> Endpoint regenerated: {"id":294,"labels":[...]}
-> Response dns to 294 (...) from 0 ([reserved:host]), identity 30316->1, verdict Forwarded DNS Proxy: example.com. A TTL: 16 Answer: '23.212.108.94,23.212.108.112' CNAMEs: cname.example.com.
```

This makes reading the monitor events much more intuitive, as the events are logged in the order in which the operations are intended to happen. This can avoid confusion. Signed-off-by: Chris Tarazi <chris@isovalent.com> 15 December 2022, 11:36:03 UTC
cd119e7 dnsproxy: Fix misordered DNS msg callback The intended order is for NotifyOnDNSMsg() to be called and then sendRefused(), in the case of errors. In this commit, two error code paths called sendRefused() before calling NotifyOnDNSMsg(). One code path is when we fail to receive a response from the upstream DNS. The other is for when the DNS request is rejected by a policy. This case is an exception to the intended order defined above. The reason is that we need to ensure that the pod / endpoint which initiated the DNS request receives the DNS refused msg. If we fail to do that, we want to ensure that this error is propagated. We do this by setting the stat.Err field, which NotifyOnDNSMsg() reads and propagates as metrics. Therefore, we must call sendRefused() before NotifyOnDNSMsg() in this case, so that the metrics are propagated with the correct information. Signed-off-by: Chris Tarazi <chris@isovalent.com> 15 December 2022, 11:36:03 UTC
1732c21 test, jenkinsfile: Clean up natnetworks in CI after test run We currently have a flake in CI that is caused by some incorrect VirtualBox natnetwork configuration. It is currently unclear why the natnetworks are sometimes created with an incorrect configuration. Unfortunately, because we don't delete natnetworks at the end of each CI job, those incorrect natnetworks remain for subsequent runs and the tests end up failing with the same flake on every single CI job executed on that node. This commit adds a cleanup step for natnetworks in our CI. We still won't run natnetworks when running tests locally, for the same reason we don't clean up VMs. This change doesn't fix the flake but it should limit its impact to a single CI job instead of all jobs running on a node. Signed-off-by: Paul Chaignon <paul@cilium.io> 15 December 2022, 10:16:59 UTC
43cb8e9 .github: manually clean up RBAC artifacts We just need this until https://github.com/cilium/cilium-cli/issues/1257 is fixed. This problem is that, right now, reinstalling after "cilium uninstall" is broken. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 15 December 2022, 02:50:05 UTC
08b33b2 install/kubernetes: label all RBAC objects This is so we can delete them as part of cleanup. Also, it's good practice, especially for non-namespaced objects (ClusterRole / ClusterRoleBinding). Signed-off-by: Casey Callendrello <cdc@isovalent.com> 15 December 2022, 02:50:05 UTC
1ef7889 Documentation: add additional place where CRDs must be referenced The existing documentation missed a point where new CRDs need to be added. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 15 December 2022, 02:50:05 UTC
0dbde96 helm: wire in the config-builder This changes the agent daemonset to use the config-builder rather than directly reading from the ConfigMap. This adds an initContainer that does the configuration resolution and writes to a temporary directory. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 15 December 2022, 02:50:05 UTC
6c62ce6 cmd: add build-config command The build-config command is responsible for doing configuration resolution on the node. By default, it retrieves ConfigMaps, CiliumConfigOverrides, and Node objects. However, the list of sources is customizable. The intended usage is to allow administrators to roll changes out in a controlled manner to a cluster. This implements the proposed "Per-node configuration overrides" feature. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 15 December 2022, 02:50:05 UTC
884ccc1 CRDs: add CiliumNodeConfig CRD and scaffolding This generates the CiliumNodeConfig type, a new way to set configuration overrides on a set of nodes. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 15 December 2022, 02:50:05 UTC
843c072 gh/workflows: Enable encryption tests in conformance DP The encryption test details - https://github.com/cilium/cilium-cli/pull/1241. Signed-off-by: Martynas Pumputis <m@lambda.lt> 14 December 2022, 18:49:56 UTC
3d2ceaf bpf: Preserve overlay->lxc path with kube-proxy The previous commit changed the packet handling on the path overlay->lxc to fix a bug. More precisely, when endpoint routes are enabled, we won't enforce ingress policies on both the overlay and the lxc devices but only on the latter. However, as a consequence of that patch, we don't go through the policy-only program in bpf_lxc and we therefore changed the way the packet is transmitted between overlay and lxc devices in some cases. As a summary of changes made in the previous patch, consider the following table for the path overlay -> lxc. Before the previous patch:

| Endpoint routes | Enforcement     | Path                                 |
|-----------------|-----------------|--------------------------------------|
| Enable          | overlay AND lxc | bpf_redirect if KPR; stack otherwise |
| Disabled        | overlay         | bpf_redirect                         |

Now:

| Endpoint routes | Enforcement | Path         |
|-----------------|-------------|--------------|
| Enable          | lxc         | bpf_redirect |
| Disabled        | overlay     | bpf_redirect |

The previous patch intended to fix the enforcement to avoid the double policy enforcement, but it also changed the packet path in case endpoint routes are enabled. This patch now fixes this by adding the same exception we have in bpf_lxc to the l3.h logic we have. Hence, with the current patch, the table will look like:

| Endpoint routes | Enforcement | Path                                 |
|-----------------|-------------|--------------------------------------|
| Enable          | lxc         | bpf_redirect if KPR; stack otherwise |
| Disabled        | overlay     | bpf_redirect                         |

I've kept this in a separate commit from the previous in an attempt to split up the logic and more clearly show the deltas. Signed-off-by: Paul Chaignon <paul@cilium.io> 14 December 2022, 18:46:39 UTC
e49ab12 datapath: Don't enforce policies at overlay if ep routes are enabled When endpoint routes are enabled, we should enforce ingress policies at the destination lxc interface, to which a BPF program will be attached. Nevertheless, today, for packets coming from the overlay, we enforce ingress policies twice, once at the e.g. cilium_vxlan interface and a second time at the lxc device. This is happening for two reasons: 1. bpf_overlay is not aware of the endpoint routes settings so it doesn't even know that it's not responsible for enforcing ingress policies. 2. We have a flag to force the enforcement of ingress policies at the source in this case. This flag exists for historic reasons that are not valid anymore. A separate patch will fix reason 2 above. This commit fixes reason 1 by telling bpf_overlay to *not* enforce ingress policies when endpoint routes are enabled. Note that we do not support the case where some endpoints have endpoint routes enabled and others don't. If we did, additional logic would be required. Fixes: 3179a4773 ("datapath: Support enable-endpoint-routes with encapsulation") Signed-off-by: Paul Chaignon <paul@cilium.io> 14 December 2022, 18:46:39 UTC
dab8723 test/helpers: Fix retry condition for CiliumExecContext Previously, 11cb4d0bad8 assumed that 137 was the exit code for when a process exits due to a SIGKILL. However, upon reading the Go source code as of 1.20 rc1, this is not the case, and -1 is set for all exit codes due to signals [1]. Fixes: 11cb4d0bad8 ("test: Keep trying exec if killed") Fixes: https://github.com/cilium/cilium/pull/22570 [1]: https://github.com/golang/go/blob/go1.20rc1/src/os/exec_posix.go#L128-L130 Signed-off-by: Chris Tarazi <chris@isovalent.com> 14 December 2022, 17:20:02 UTC
bf3fd5f test/helpers: Use switch case for readability Signed-off-by: Chris Tarazi <chris@isovalent.com> 14 December 2022, 17:20:02 UTC
527f5fd test/helpers: Disambiguate executor logs This makes it much easier to track down which code path the executor logs are coming from, so that when debugging issues, we can focus on the relevant code path. Signed-off-by: Chris Tarazi <chris@isovalent.com> 14 December 2022, 17:20:02 UTC
6f5888e test/helpers: Improve error msgs slightly around policy revision This commit makes the error msgs slightly more readable and consistent, by: * avoiding the repetition of pod name * separating error msg from output (i.e. ensuring there's a ':') * using %q as a formatter for handling quoting Signed-off-by: Chris Tarazi <chris@isovalent.com> 14 December 2022, 17:20:02 UTC
5f94e33 test/Vagrantfile: Don't hide natnetwork errors Commit ef22668f reworked the natnetwork creations and deletions and for some obscure reason, I thought it was a good idea to dump stderr. This commit removes that bit, to show stderr in the Vagrant output. We may have a few more erroneous-looking logs (because we sometimes try to create natnetworks that already exist) but I think it's worth it to catch any actual configuration error or even to know if natnetworks existed when they shouldn't. Fixes: ef22668f ("vagrant: Don't recreate natnetworks") Signed-off-by: Paul Chaignon <paul@cilium.io> 14 December 2022, 16:34:10 UTC
ed94b24 test/nat46x64: Use DinD instead of Helm/Kind The same reasoning applies as in the previous commit. Signed-off-by: Martynas Pumputis <m@lambda.lt> 14 December 2022, 12:29:40 UTC
b4767f9 test/l4lb: Use DinD instead of Kind/Helm The usage of Kind/Helm when testing Cilium in the standalone L4LB mode started to be a source of confusion. In particular, this gave a wrong impression that in that mode Cilium still has connectivity to the kube-apiserver. This is not true. Previously, we used Kind/Helm for these tests just to create Docker containers acting as nodes, and then to install Cilium. This can be achieved by simply using docker/dind (aka Docker-in-Docker), and then starting the L4LB Cilium by execing into the dind container and running "docker run". Signed-off-by: Martynas Pumputis <m@lambda.lt> 14 December 2022, 12:29:40 UTC
f4ccc40 test: Dump VirtualBox version used in CI jobs During the CI servers' provisioning, we don't install a specific VirtualBox version but the latest patch release for a specific minor release (e.g., the latest v6.1). Those patch releases can play a role in subsequent failures and flakes, so let's dump the specific version that was used as part of the Jenkins output. Signed-off-by: Paul Chaignon <paul@cilium.io> 13 December 2022, 22:03:21 UTC
a9dbd5d build(deps): bump helm/kind-action from 1.4.0 to 1.5.0 Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/helm/kind-action/releases) - [Commits](https://github.com/helm/kind-action/compare/9e8295d178de23cbfbd8fa16cf844eec1d773a07...d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00) --- updated-dependencies: - dependency-name: helm/kind-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 December 2022, 21:59:08 UTC
86f91a2 build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/d0a58c1c4d2b25278816e339b944508c875f3613...6edd4406fa81c3da01a34fa6f6343087c207a568) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 December 2022, 21:58:05 UTC
70c4aeb build(deps): bump azure/setup-helm from 3.4 to 3.5 Bumps [azure/setup-helm](https://github.com/azure/setup-helm) from 3.4 to 3.5. - [Release notes](https://github.com/azure/setup-helm/releases) - [Commits](https://github.com/azure/setup-helm/compare/f382f75448129b3be48f8121b9857be18d815a82...5119fcb9089d432beecbf79bb2c7915207344b78) --- updated-dependencies: - dependency-name: azure/setup-helm dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 December 2022, 21:57:12 UTC
25d0898 ci: remove test namespace deletion workaround in GKE v1.12 workflow Remove the workaround for https://github.com/cilium/cilium-cli/issues/255 added in commit b6a5b5b26e21 ("conformance-gke-v1.12: Miscellaneous fixes") The cilium-cli issue was fixed in https://github.com/cilium/cilium-cli/pull/1137 and has been in cilium-cli since version v0.12.5. Signed-off-by: Tobias Klauser <tobias@cilium.io> 13 December 2022, 21:56:34 UTC
9159609 policy: Add CRD Listener support for egress policies Add `listener` field to CNP and CCNP, that causes traffic to the specified port(s) to be redirected to the named Envoy listener. If the listener does not exist the traffic is not allowed at all. When `listener.envoyConfig.kind` is left out it defaults to namespaced `CiliumEnvoyConfig` for rules in namespaced policies (CNP) or to cluster-scoped `CiliumClusterwideEnvoyConfig` for rules in cluster-scoped policies (CCNP). Namespaced policies can also refer to cluster-scoped listeners with an explicit `listener.envoyConfig.kind: CiliumClusterwideEnvoyConfig`. Cluster-scoped policies can not refer to namespaced listeners. Endpoint policies are regenerated whenever Envoy listeners change to update potential listener redirections in the bpf policy maps. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 13 December 2022, 21:56:10 UTC
ede26fb envoy: Move resourceQualifiedName() to policy/api Move resourceQualifiedName() to policy/api and export it so that it can be used in policy as well as in envoy package. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 13 December 2022, 21:56:10 UTC
06ed0a4 proxy: Find CRD proxy ports by name instead of by type Find CRD proxy port by name instead of type. This is needed for enabling CEC CRD defined listeners to be used in CNPs. Prior to this CRD proxy ports did not use this code path, which is only called from endpoint policy updates, so there was no need to find CRD proxy ports by name. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 13 December 2022, 21:56:10 UTC
aff0655 proxy: Do not create Envoy redirects for listeners defined in CEC CRDs Add a new no-op CRDRedirect type to be used with Envoy listeners defined in CEC CRDs. In this case the listeners already exist and new Envoy Listener resources do not need to be created for them. This is needed for the forthcoming policy feature where policy can refer to a Listener defined in CEC CRD. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 13 December 2022, 21:56:10 UTC
a679c40 proxy: use egress in test as CRD proxy ports only work for egress for now Specify proxy port as egress (or not-ingress) in test cases as the datapath currently supports ProxyTypeCRD only for L7 LB which is always on the egress path. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 13 December 2022, 21:56:10 UTC