https://github.com/cilium/cilium

Revision Author Date Message Commit Date
9a9ec79 bpf: Support external IPv6 DSR

Support IP6IP6 termination from the Cilium L4LB against a regular Cilium cluster. This is the IPv6 side of 50f6fa80e2ef ("bpf: Support external IPv4 DSR").

Cilium L4LB node:

```
# ./cilium-dbg/cilium-dbg service list
ID   Frontend         Service Type   Backend
[...]
12   [face:b::1]:80   ExternalIPs    1 => [2a02:168:f656:0:1ac0:4dff:fe09:d5e6]:80 (active)
```

Cilium regular cluster with --enable-external-dsr=true:

```
# ./cilium-dbg/cilium-dbg service list
ID   Frontend                                   Service Type   Backend
[...]
12   [2a02:168:f656:0:1ac0:4dff:fe09:d5e6]:80   ExternalIPs    1 => [2a03:2880:f16d:81:face:b00c:0:25de]:80 (active)
```

tcpdump on Cilium regular node:

```
[...]
12:13:17.150875 IP6 2a02:168:f656::2 > 2a02:168:f656:0:1ac0:4dff:fe09:d5e6: IP6 2a02:168:f656:0:1ac0:4dff:fe0b:720e.36764 > face:b::1.80: Flags [S], seq 863958068, win 43200, options [mss 1440,sackOK,TS val 2302007970 ecr 0,nop,wscale 9], length 0
12:13:17.150893 IP6 2a02:168:f656:0:1ac0:4dff:fe09:d5e6.36764 > 2a03:2880:f16d:81:face:b00c:0:25de.80: Flags [S], seq 863958068, win 43200, options [mss 1440,sackOK,TS val 2302007970 ecr 0,nop,wscale 9], length 0
12:13:17.155619 IP6 2a03:2880:f16d:81:face:b00c:0:25de.80 > 2a02:168:f656:0:1ac0:4dff:fe09:d5e6.36764: Flags [S.], seq 1192141025, ack 863958069, win 65535, options [mss 1392,sackOK,TS val 1118681450 ecr 2302007970,nop,wscale 8], length 0
12:13:17.155911 IP6 face:b::1.80 > 2a02:168:f656:0:1ac0:4dff:fe0b:720e.36764: Flags [S.], seq 1192141025, ack 863958069, win 65535, options [mss 1392,sackOK,TS val 1118681450 ecr 2302007970,nop,wscale 8], length 0
12:13:17.156232 IP6 2a02:168:f656::2 > 2a02:168:f656:0:1ac0:4dff:fe09:d5e6: IP6 2a02:168:f656:0:1ac0:4dff:fe0b:720e.36764 > face:b::1.80: Flags [.], ack 1, win 85, options [nop,nop,TS val 2302007975 ecr 1118681450], length 0
[...]
```

Note that CONNTRACK_ACCOUNTING is not compatible with the --enable-external-dsr setting given the union in the CT value. There are other items broken as well such as CONNTRACK_LOCAL. Perhaps it's time to deprecate / remove them entirely at some point. The agent cannot block enablement of the latter two since it's only done manually via the cilium-dbg tool.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 05 March 2024, 10:22:13 UTC
cf8a2ce bpf: Support external IPv4 DSR

Support IPIP termination from the Cilium L4LB against a regular Cilium cluster. This work covers the termination as well as the DSR aspect, so that replies go directly back to clients instead of the Cilium L4LB. Given the VIP:port of an external L4LB is not known in our K8s cluster, we also cannot hold them in the revNat map. Therefore, add the tuple info in the CT map. Guard this under a compilation flag given this is only relevant for users who really want to terminate the external L4LB in the workload cluster; others don't need to take the additional cycles. From the agent side, the --enable-external-dsr={true,false} flag controls this setting. The default is false.

Example with IPIP termination:

Cilium L4LB node:

```
# ./cilium-dbg/cilium-dbg service list
ID   Frontend       Service Type   Backend
[...]
11   1.1.1.1:80     ExternalIPs    1 => 192.168.2.12:80 (active)
```

Cilium regular cluster with --enable-external-dsr=true:

```
# ./cilium-dbg/cilium-dbg service list
ID   Frontend           Service Type   Backend
[...]
11   192.168.2.12:80    ExternalIPs    1 => 193.99.144.80:80 (active)
```

tcpdump on Cilium regular node:

```
[...]
09:36:17.421507 IP 192.168.2.11 > 192.168.2.12: IP 192.168.2.13.43196 > 1.1.1.1.80: Flags [S], seq 3976047959, win 42340, options [mss 1460,sackOK,TS val 4083238462 ecr 0,nop,wscale 9], length 0
09:36:17.421529 IP 192.168.2.12.43196 > 193.99.144.80.80: Flags [S], seq 3976047959, win 42340, options [mss 1460,sackOK,TS val 4083238462 ecr 0,nop,wscale 9], length 0
09:36:17.428443 IP 193.99.144.80.80 > 192.168.2.12.43196: Flags [S.], seq 1717159938, ack 3976047960, win 14600, options [mss 1460,nop,wscale 0,sackOK,TS val 1591760912 ecr 4083238462], length 0
09:36:17.428680 IP 1.1.1.1.80 > 192.168.2.13.43196: Flags [S.], seq 1717159938, ack 3976047960, win 14600, options [mss 1460,nop,wscale 0,sackOK,TS val 1591760912 ecr 4083238462], length 0
[...]
```

What can be seen is the IPIP termination, the Cilium regular node then performing the service request to the backend, and upon reply reversing everything along with the DSR (1.1.1.1.80) to the client directly.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 05 March 2024, 10:19:03 UTC
84fe76c fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> 05 March 2024, 09:13:59 UTC
1c3a17f bugtool: Capture memory fragmentation info from /proc This information can be useful to understand why memory allocation in the kernel may fail (ex. for maps or for XFRM). I've checked that these two files are accessible from a typical cilium-agent deployment (on GKE). Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 05 March 2024, 07:26:43 UTC
68e504b bpf,config: Add ENABLE_LOCAL_REDIRECT_POLICY macro Wrap the datapath code by the macro when the feature is enabled. Signed-off-by: Aditi Ghag <aditi@cilium.io> 05 March 2024, 05:31:09 UTC
0bd59b2 hubble: gracefully handle parsing nil HTTP url Before this patch, Hubble would panic when attempting to parse an accesslog.LogRecordHTTP with a nil URL. While filterURL was handling the nil case, the following caller codepath would unconditionally call String() on the URL, potentially causing a panic. This patch improves Hubble robustness and clarifies the role of filterURL (renamed filteredURL) to always return a URL such that calling String() on it is safe. Signed-off-by: Alexandre Perrin <alex@isovalent.com> 05 March 2024, 03:16:21 UTC
f7142c8 hubble: fix http parsing when given invalid URL Before this patch, Hubble could cause a Cilium agent panic when attempting to decode invalid URLs. See https://github.com/cilium/cilium/issues/31071 Signed-off-by: Alexandre Perrin <alex@isovalent.com> 05 March 2024, 03:16:21 UTC
fe76af5 hubble: rename url local variable to uri to avoid confusion with net/url Signed-off-by: Alexandre Perrin <alex@isovalent.com> 05 March 2024, 03:16:21 UTC
82006e0 hubble: move TestDecodeL7HTTPRequestRemoveUrlQuery with related Hubble redact test functions Signed-off-by: Alexandre Perrin <alex@isovalent.com> 05 March 2024, 03:16:21 UTC
7c7ae03 GatewayAPI supports setting the number of trusted loadbalancer hops Signed-off-by: chaunceyjiang <chaunceyjiang@gmail.com> 05 March 2024, 00:12:44 UTC
bebb6be docs: Update link to USERS.md in README from RAW Github to standard Github UI Signed-off-by: Ondrej Sika <ondrej@ondrejsika.com> 04 March 2024, 23:01:44 UTC
2330c83 bpf: nodeport: don't forward host id in nodeport_lb4 This should never happen, but to be extra defensive add an explicit check to prevent forwarding this identity, as it wouldn't make sense for the remote node. Suggested-by: Joe Stringer <joe@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 04 March 2024, 22:28:30 UTC
d49e0a0 bpf: identity: add identity_is_host Signed-off-by: Gilberto Bertin <jibi@cilium.io> 04 March 2024, 22:28:30 UTC
4dd9ee6 envoy: Remove deprecated runtime key logs The upstream envoy has un-deprecated the global_downstream_max_connections runtime key as part of 1.28.1, hence we can safely remove the warning log exception. Relates: https://github.com/envoyproxy/envoy/pull/30735 Relates: https://github.com/cilium/cilium/pull/30697 Signed-off-by: Tam Mach <tam.mach@cilium.io> 04 March 2024, 21:18:07 UTC
5a96a95 container/bitlpm: Add Lookup Boolean Return Value Lookup currently returns the default value of the bitlpm.Trie when it fails to find a match. There are cases where comparing the default value to the return value is logically expensive (i.e. code needs to be written to do the comparison). Lookup can easily return a boolean value to indicate whether it failed. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 04 March 2024, 20:57:44 UTC
641f1f8 bpf: Reduce conntrack accounting from rx/tx stats to pkt/byte stats Make space in our BPF CT. CONNTRACK_ACCOUNTING was recently disabled by default. Shrink the stats from rx/tx packets/bytes to just packets/ bytes so that the freed up space can be reused for other meta data. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 04 March 2024, 19:43:09 UTC
8a939bd bpf, cilium: Fix NodePortNat46X64 config option The option.Config.NodePortNat46X64 is only supported for LB-only mode, so do not enable it for regular clusters. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 04 March 2024, 19:43:09 UTC
3117a52 bpf: Rename dsr to dsr_internal We're going to add dsr_external bit, so this is to better distinguish the two in the CT state. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 04 March 2024, 19:43:09 UTC
9a5cfb8 Fail container scans on vulnerability scan results Now that we have a method of marking false positives using VEX documents, we can make the container scanning workflow a failing step. Also reduce the permissions of the workflow. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> 04 March 2024, 19:24:55 UTC
db4589a renovate: temporarily do not update GoBGP Due to a breaking change in GoBGP v3.24.0, do not update GoBGP until the issue https://github.com/osrg/gobgp/issues/2777 is resolved. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 04 March 2024, 19:23:40 UTC
d6e7c5d health-server: Do not cleanup health checking result on node updates. Whenever a node was updated, health-checking was removing and re-adding that node. This caused it to lose information about previously performed probes, which resulted in `unknown` status for such nodes. This can happen often, especially in ENI mode, where node updates happen each time a new pod is scheduled on the node. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 04 March 2024, 18:56:41 UTC
aec875f lrp: Remove redundant pod spec validations

Kubernetes validates these fields, so additional checks are not required. Example:

```
The Pod "be" is invalid: spec.containers[0].ports[0].containerPort: Invalid value: 65540: must be between 1 and 65535, inclusive
```

Signed-off-by: Aditi Ghag <aditi@cilium.io> 04 March 2024, 18:55:54 UTC
81ca8e8 lrp: Remove redundant pod spec validations

Kubernetes validates these fields, so additional checks are not required. Example:

```
The Pod "be" is invalid: spec.containers[0].ports[0].containerPort: Invalid value: 65540: must be between 1 and 65535, inclusive
The Pod "be" is invalid: spec.containers[0].ports[0].protocol: Unsupported value: "icmp": supported values: "SCTP", "TCP", "UDP"
```

Signed-off-by: Aditi Ghag <aditi@cilium.io> 04 March 2024, 18:55:54 UTC
3dd29fc cec: move config property 'envoy-config-timeout' into hive config Currently, the config property `envoy-config-timeout` is defined in the global config. This commit moves the config property into the hive config of the respective Hive Cell `ciliumenvoyconfig`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 04 March 2024, 18:44:41 UTC
a099bf1 cni: use default logger with timestamps. Unlike runtime agent/operator logs, CNI logs are just written to disk so we have no way to attach timestamps to them. This makes it harder to debug CNI issues as we have no way to correlate when things happened between Agent logs and CNI events. This switches CNI to use the same default logger, except with timestamps enabled. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 04 March 2024, 18:08:18 UTC
b156023 bpf: lxc: also set from_tunnel for IPv6 CT entries Marco noticed that we currently only set the from_tunnel flag for IPv4 connections. But as the IPv6 path recently learned to support CB_FROM_TUNNEL, we can now also set this flag for IPv6 connections. For now this is just for symmetry reasons, there's no feature that strictly requires it. Reported-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 04 March 2024, 17:36:15 UTC
7a5a429 Update kafka-sw-gen-traffic.sh Fixed `kubectl exec` syntax Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> 04 March 2024, 17:25:31 UTC
475a194 bpf: host: optimize from-host's ICMPv6 path The ICMPv6 handling in handle_ipv6() is only required for the HostFW or by from-netdev. Exclude it otherwise. This is a minor optimization for dc9dfd72f2ae ("bpf: Re-introduce ICMPv6 NS responder on from-netdev"). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 04 March 2024, 15:52:02 UTC
2fda72e renovate: separate major.minor.patch for lvh images If we don't split the major.minor and the minor.patch, renovate will not update the dependencies that are marked to have their major and minor updates done by the maintainers. Thus, this commit will split them moving forward. Signed-off-by: André Martins <andre@cilium.io> 04 March 2024, 15:40:47 UTC
5863f8e contrib/scripts: Remove false positives from check-go-testdata.sh The check-go-testdata.sh script would fail on any changes in the whole repo not just the target directory. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 04 March 2024, 13:08:36 UTC
70b405f loader: fix cancelled context during compile logging errors.

On Linux/Unix based implementations, exec/cmd.Run will return either context.ContextCancelled or the error "signal: killed" depending on whether the cancellation occurred while the process was running. There are several places where we check `is.Errors(err, context.Cancelled)` to decide whether to emit high level logs about failed program compilations. Because an already running cmd.Run() doesn't return an error that satisfies this, this results in spurious error logs about failed compilation (i.e. "signal: killed"). This meant that in cases where a compilation is legitimately cancelled, we would still log an error such as:

```
msg="BPF template object creation failed" ... error="...: compile bpf_lxc.o: signal: killed"
```

This can occur occasionally in CI, which enforces no error to pass, causing failures. Example:

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"time"
)

func main() {
	// Cancel while "sleep 2" is running: Run reports "signal: killed".
	ctx, c := context.WithTimeout(context.Background(), time.Second)
	go func() {
		time.Sleep(time.Second)
		c()
	}()
	cmd := exec.CommandContext(ctx, "sleep", "2")
	fmt.Println(cmd.Run())

	// Cancel before the process starts: Run reports the context error.
	ctx, c = context.WithTimeout(context.Background(), time.Second)
	c()
	cmd = exec.CommandContext(ctx, "sleep", "2")
	fmt.Println(cmd.Run())
}
```

To fix this, this will join in the ctx.Err() if it is:

* context.Cancelled
* The process has not exited itself.
* The process appeared to be SIGKILL'ed.

Addresses: #30991

Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 04 March 2024, 12:52:31 UTC
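The approach the commit message above describes, as an added example that is not Cilium's own loader code: when cmd.Run fails with "signal: killed" after its context was cancelled, join ctx.Err() into the returned error so that errors.Is(err, context.Canceled) holds and the failure is not logged as a broken compilation. The function names are assumptions, and the SIGKILL check relies on the Unix syscall.WaitStatus.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"syscall"
	"time"
)

// runAttributingCancel runs cmd and returns its error. When the context is
// cancelled while the child is executing, exec.CommandContext SIGKILLs it
// and Run returns an *exec.ExitError ("signal: killed") rather than a
// context error, so errors.Is(err, context.Canceled) is false. In that
// case ctx.Err() is joined into the result. (Assumed name; example only.)
func runAttributingCancel(ctx context.Context, cmd *exec.Cmd) error {
	err := cmd.Run()
	if err == nil {
		return nil
	}
	// Context already done before Start: Run returns ctx.Err() itself.
	if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
		return err
	}
	// Context still live: this is a genuine failure of the command.
	if ctx.Err() == nil {
		return err
	}
	var exitErr *exec.ExitError
	if !errors.As(err, &exitErr) {
		return err
	}
	// Only attribute the failure to the cancellation when the process
	// really died from the SIGKILL that CommandContext sends (Unix only:
	// ProcessState.Sys() is a syscall.WaitStatus there).
	if ws, ok := exitErr.Sys().(syscall.WaitStatus); ok &&
		ws.Signaled() && ws.Signal() == syscall.SIGKILL {
		return errors.Join(ctx.Err(), err)
	}
	return err
}

// cancelledWhileRunning is the check a caller would use instead of logging
// "compilation failed": true when the error stems from the context.
func cancelledWhileRunning(err error) bool {
	return errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded)
}

func main() {
	// Case 1: cancel while "sleep 2" is running; raw error is "signal: killed".
	ctx, cancel := context.WithCancel(context.Background())
	go func() {
		time.Sleep(200 * time.Millisecond)
		cancel()
	}()
	err := runAttributingCancel(ctx, exec.CommandContext(ctx, "sleep", "2"))
	fmt.Printf("cancelled mid-run: err=%v suppressLog=%v\n", err, cancelledWhileRunning(err))

	// Case 2: the command fails on its own while the context is still live.
	ctx2, cancel2 := context.WithCancel(context.Background())
	defer cancel2()
	err = runAttributingCancel(ctx2, exec.CommandContext(ctx2, "sh", "-c", "exit 3"))
	fmt.Printf("real failure: err=%v suppressLog=%v\n", err, cancelledWhileRunning(err))
}
```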
5448ac1 Revert "Prepare for release v1.16.0-pre.0" This reverts commit 1eafeed1cdfb8ea763c14659c714d4107fa1a16b. Signed-off-by: André Martins <andre@cilium.io> 04 March 2024, 12:06:43 UTC
e206ef0 Prepare for release v1.16.0-pre.0 Signed-off-by: André Martins <andre@cilium.io> 04 March 2024, 12:06:43 UTC
ad34de3 update AUTHORS and Documentation Signed-off-by: André Martins <andre@cilium.io> 04 March 2024, 12:06:43 UTC
4293d2b maps: Consider actual passed time for GC interval calculation When GetInterval calculates the new GC interval, it uses the result of the previous calculation as a pivot point. However, if GC was triggered by a signal, a smaller time interval has passed, therefore expectations on the delete ratio should be lower. Adjust the delete ratio proportionally to avoid increasing the interval uncontrollably when multiple signals arrive over a short period of time. Ref: #27405 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 04 March 2024, 11:56:10 UTC
f604ce2 docs: update note on WireGuard with tunnel routing https://github.com/cilium/cilium/pull/29000 changed how we mix WireGuard with VXLAN / Geneve tunneling. Reflect this in the docs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 04 March 2024, 09:30:37 UTC
6b98a0b loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay Avoid any odd surprises when this macro ends up being used by shared nodeport.h code. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 04 March 2024, 08:53:19 UTC
127851e chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 04 March 2024, 08:34:46 UTC
2d901d7 bpf: lb: simplify handling of stale CT_SERVICE entries lb*_local() currently handles a special case, where the matched CT_SERVICE entry (for some Client -> VIP connection) was created for an *old* service definition. In which case we shouldn't use the cached backend selection, as this backend was associated with the *old* service. Instead we perform a fresh backend selection. But with the infrastructure added by https://github.com/cilium/cilium/pull/27607, we can detect such cases during the actual CT lookup - and not even pass the stale CT entry back to the caller. Instead the CT lookup returns CT_NEW, and the caller just creates a new CT entry (along with selecting a fresh backend). One side effect of this change is that all the other state in the CT entry (e.g. statistics) also gets reset. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 04 March 2024, 08:22:17 UTC
4701512 bpf: lb: let CT lookup update the rev_nat_index for old connections lb*_local() contains some upgrade handling for old connections, where the CT_SERVICE entry was created without populating .rev_nat_index. In this case the .rev_nat_index is updated manually. But as the code path doesn't have direct access to the matched ct_entry, updating it requires an additional lookup in the CT map. Clean this up by pushing the update into __ct_lookup(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 04 March 2024, 08:22:17 UTC
c9518a9 golangci-lint: Fix goimports local prefix Change the prefix to github.com/cilium/cilium/ to only match packages from github.com/cilium/cilium repository. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 04 March 2024, 04:05:08 UTC
d697a14 bpf: nodeport: fix check to forward identity in nodeport_lb4 As the original intent of this logic was to avoid forwarding local identities, fix the check to ensure none of the 8 MSB of the identity are set before forwarding the identity. Fixes: 490ecc5016b ("bpf: nodeport: don't forward local CIDR identities") Suggested-by: Joe Stringer <joe@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 01 March 2024, 19:34:21 UTC
136e501 bpf: identity: add identity_is_local Signed-off-by: Gilberto Bertin <jibi@cilium.io> 01 March 2024, 19:34:21 UTC
baf2619 bpf: identity: rename local scope masks Rename the IDENTITY_SCOPE_MASK and IDENTITY_SCOPE_REMOTE_NODE constants to IDENTITY_LOCAL_SCOPE_MASK and IDENTITY_LOCAL_SCOPE_REMOTE_NODE, to make it clear these refer to local identities. No functional changes. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 01 March 2024, 19:34:21 UTC
cfb1158 cli: Replace --cluster-name with --helm-set cluster.name The --cluster-name flag got removed in cilium/cilium-cli#2351. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 01 March 2024, 19:20:36 UTC
25d946d Update pkg/hubble/parser/parser.go Co-authored-by: Marek Chodor <marqc@users.noreply.github.com> Signed-off-by: Anubhab Majumdar <anubhabmajumdar93@gmail.com> 01 March 2024, 18:15:39 UTC
8bbfe0b Add an interface for Parser struct Signed-off-by: Anubhab Majumdar <anmajumdar@microsoft.com> 01 March 2024, 18:15:39 UTC
f7fdeef ipfamily should be set by platform configuration. Signed-off-by: Tomoya Fujita <Tomoya.Fujita@sony.com> 01 March 2024, 17:51:19 UTC
f56e61b ICMP: Use CamelCase for ICMP type messages This commit fixes ICMP type messages to use CamelCase instead of space-separated words. For example, Echo Reply is changed to EchoReply. Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> 01 March 2024, 17:33:49 UTC
8b5663e doc: modify upgrade note and comment in code block - Modify comment in upgrade note in order to focus on user-facing CRD change - Fix indentation in code block Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> 01 March 2024, 17:33:49 UTC
37d969c doc: modify/add ICMP type change ICMP `type` field is changed to accept both integer and string. This commit updates: - v1.15 Upgrade Notes to add about it. - ICMP part in layer 4 examples Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> 01 March 2024, 17:33:49 UTC
5cc5ac9 ICMP: Introduce ICMP type name in ICMPField Currently ICMP only supports ICMP type code (0-255), but ideally it should also support ICMP type names like "Echo", or "Echo Reply". This commit changes the type of ICMPField.Type from uint8 to intstr.IntOrString, and also updates ICMPField.PortProtocol to treat type names. ICMPField treats both ICMP IPv4 and v6, but kubebuilder's validation can't distinguish if the given type name matches with the family (IPv4 or IPv6). So this commit also introduces UnmarshalJSON method for ICMPField. That function checks if the unmarshaled ICMPField's family and type match properly. In addition, this commit changes some tests which use ICMPField, and introduces a unit test for ICMPField's UnmarshalJSON method. Fixes: #23000 Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> 01 March 2024, 17:33:49 UTC
76454a2 docs: Correct Hubble Exporter config lines in dynamic example This commit makes corrections to the Hubble Exporter dynamic example. This includes lowercasing the "I" in `IncludeFilters`, as well as removing unnecessary `*`s in the provided filters. Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> 01 March 2024, 17:21:19 UTC
bb8deb3 docs: Remove erroneous line from Dynamic Hubble Exporter example This commit removes a line that was unnecessarily copied from the static config example into the dynamic config example. Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> 01 March 2024, 17:21:19 UTC
518a1eb docs: Add information to disable Hubble Exporter static config Fixes: #30425 Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> 01 March 2024, 17:21:19 UTC
8d4db89 bpf/tests: Add IPv6 NDP bpf test This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid https://github.com/cilium/cilium/issues/30926. For case 2, it must return the NS to the stack to address https://github.com/cilium/cilium/issues/14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 01 March 2024, 17:05:01 UTC
dc9dfd7 bpf: Re-introduce ICMPv6 NS responder on from-netdev This reverts commit 658071414ca4606e537bc4bbb37dcae5e18cd7dc, to fix the breakage of "IPv6 NS responder for pod" introduced by https://github.com/cilium/cilium/pull/12086 (bpf: Reply NA when recv ND for local IPv6 endpoints). 658071414ca4606e537bc4bbb37dcae5e18cd7dc was merged to solve https://github.com/cilium/cilium/issues/14509. To not revive #14509, this commit also passes through ICMPv6 NS if the target is the native node IP (eth0's addr). By letting the stack take care of those NS-for-node-IP packets, we managed to: 1. Solve #14509 again, but in a way that keeps the NS responder. The cause of #14509 was that the NS responder always generates an ND whose source IP is "router_ip" (cilium_internal_ip) rather than "node_ip". Once we pass those NS-for-node-IP packets to the stack, the ND response naturally has "node_ip" as source. 2. Avoid the fib_lookup failure mentioned at https://github.com/cilium/cilium/pull/30837#issuecomment-1960897445. icmp6_host_handle() also has a new parameter `handle_ns` to control whether we want the NS responder to be active. If it is called from the `to-netdev` code path, handle_ns is set to false. This is suggested by julianwiedmann. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 01 March 2024, 17:05:01 UTC
60c5e76 bpf/tests: Remove SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by https://github.com/cilium/cilium/pull/28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by https://github.com/cilium/cilium/pull/30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 01 March 2024, 17:05:01 UTC
4082bc3 cilium, tests: Do not manually install neigh entries for the backend The agent discovers this automatically now, thus drop this part. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 01 March 2024, 07:12:22 UTC
5c207ff pkg/service: Add backends as managed neighbor entry In LB-only mode, push backends as managed neighbors into the Linux kernel's neighboring subsystem. This is needed in particular for XDP since in XDP layer it is not possible to resolve backend L2 addresses if they are in the same L2 domain. For CNI mode this is not an issue since we push down all cluster nodes in the same L2 as managed neighbors anyway. However, in the L4LB case, backend nodes are not in our LB-only cluster. Reuse the same internal infrastructure for managing and pushing down neighbors, so that we do not need to open-code it and improvements benefit both L4LB and CNI mode. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 01 March 2024, 07:12:22 UTC
0007e35 Adding unit test for PD fallback Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> 01 March 2024, 02:13:02 UTC
5a487b5 Handle InvalidParameterValue as well for PD fallback cilium#30536 prematurely concluded that AWS now uses InsufficientCidrBlocks to indicate the subnet is out of prefixes. Looks like AWS still uses InvalidParameterValue and "There aren't sufficient free Ipv4 addresses or prefixes" to indicate the subnet is at capacity. In addition to this, InsufficientCidrBlocks is returned when the subnet is at capacity potentially due to fragmentation. In either case, it's worth trying to fall back since /32 IPs might still be available compared to /28. See PR for details from AWS support ticket. Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> 01 March 2024, 02:13:02 UTC
5abe8a8 gha: Re-purpose Conformance Kind proxy test As Envoy DS is the default mode now, we should re-purpose the existing test to embedded mode, so that we still have required coverage. Relates: 21fa2df60abd0f3a5627aca3265347558d170f37 Relates: https://github.com/cilium/cilium/pull/30034 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 March 2024, 00:24:50 UTC
8a131c2 cec: timer-based reconcile job as fallback Currently, there might be rare cases where changes to a node's labels lead to errors when applying the Envoy resources of a `CiliumEnvoyConfig` in the xDS cache. With the current implementation of the `LocalNodeStore`, there won't be a retry in these cases. Therefore, this commit adds a timer-job that periodically checks for un-applied configs - and tries to reconcile them. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 01 March 2024, 00:12:23 UTC
6b63ea2 bitlpm: Factor out common code Reduce code repetition by defining a 'traverse' function that is shared between multiple functions. Clarify comments. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 29 February 2024, 23:06:01 UTC
21fa2df envoy: Default to daemon set deployment from 1.16 This is to set the default envoy deployment to daemon set mode for new installation. Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 February 2024, 21:51:23 UTC
e1afa06 bpf: Fix missing tail calls The changes to the dead tail call elimination revealed 2 cases of missing tail calls. First is to do with NAT46x64 logic where there still existed a call path from the IPv4 logic which would attempt to tail call into IPv6 to recirculate the packet, even when the IPv6 tail call wasn't compiled in. The second was that when XDP offloaded, the IPv6 logic would tail call into an ICMP6 tail call which is only compiled in for TC programs. This commit fixes both possible missing tail calls. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 February 2024, 21:07:28 UTC
217426a pkg/bpf: Add test for removeUnreachableTailcalls This commit adds a test to verify the behavior of the dead tail call pruning. It consists of 5 tail calls, of which 2 are unreachable. The test asserts that only the unreachable tail calls are removed from the spec. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 February 2024, 21:07:28 UTC
16033b9 pkg/bpf: Implement unreachable tail call pruning This commit implements unreachable tail call pruning. When loading a collection we check if a tail call is reachable. If not, we remove the tail call from the collection. This saves us from having to load the tail call program into the kernel. Previously, we would conditionally not include tail calls in the collection with pre-processor directives. Now that we do it in the loader, we can remove the pre-processor directives. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 February 2024, 21:07:28 UTC
c4cbb38 bpf: Modify tail_call_static to emit better parseable assembly

Before this change the tail_call_static function would emit the following instructions to perform a tailcall:

```
Mov R1, Rctx
Mov R2, Rmap_ptr
Mov R3, <slot>
Call TailCall
```

Since the second instruction is always a Register to Register move, we would have to backtrack to find the actual map which is being used. These changes make it so the following instructions are emitted:

```
Mov R1, Rctx
Mov R2, 0 ll <calls_map>
Mov R3, <slot>
Call TailCall
```

By always using a double word immediate, with a relocation entry on the Mov R2 instruction, it is much easier to find the actual map which is being used. As a side effect, we usually eliminate an extra instruction clang was otherwise forced to emit.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 February 2024, 21:07:28 UTC
46db413 bpf: Remove `declare_tailcall_if` Remove `declare_tailcall_if`, so we always emit the tailcall programs into the ELF. The followup commit will implement pruning logic based on the actual usage of the tail calls. This means that we will only need the `invoke_tailcall_if` without the need to keep both the declaration and invocation in sync. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 February 2024, 21:07:28 UTC
ce25c55 operator: Implement cache to be used for Cilium Identity management Signed-off-by: Dorde Lapcevic <dordel@google.com> 29 February 2024, 16:41:03 UTC
eb0030c pkg/datapath/linux: Require dead code elimination support This commit adds a test to check for dead code elimination support in the kernel. Support was added in v5.1, our new minimum supported version is v5.4. This feature will be crucial for the datapath to properly function in the future. So assert this kernel feature works on startup. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 February 2024, 16:07:07 UTC
b9098e6 bpf: explicitly pass map to policy_can_{in,e}gress{4,6} Currently some functions in policy.h reference POLICY_MAP, assuming it's always defined. This prevents including this header in a context where the POLICY_MAP is not defined. To overcome this, remove all the POLICY_MAP references from these functions and always pass the map explicitly in the caller. No functional changes are introduced. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 29 February 2024, 15:47:00 UTC
d7dba5e xds: Avoid xds timeout due to agent restart in envoy DS mode

For external envoy, the xds server and envoy have different life cycles, i.e. each is running in its own pod, and can be deployed or restarted independently. This commit is to handle the case that xds in the cilium agent got restarted, and the nonce value is always 0. Sample error:

```
2024-02-05T12:49:51.771714518Z level=warning msg="Regeneration of endpoint failed" bpfCompilation=0s bpfLoadProg=105.68356ms bpfWaitForELF="24.396µs" bpfWriteELF=1.802221ms ciliumEndpointName=cilium-test/client-56f8968958-fqdl4 containerID=245b2aaac2 containerInterface=eth0 datapathPolicyRevision=5 desiredPolicyRevision=6 endpointID=134 error="Error while configuring proxy redirects: proxy state changes failed: context canceled" identity=1713 ipv4=10.244.1.1 ipv6="fd00:10:244:1::9544" k8sPodName=cilium-test/client-56f8968958-fqdl4 mapSync=2.476505ms policyCalculation=1.240346ms prepareBuild="437.049µs" proxyConfiguration="837.119µs" proxyPolicyCalculation="234.369µs" proxyWaitForAck=2m34.697546384s reason="policy rules added" subsys=endpoint total=2m34.818201428s waitingForCTClean=270ns waitingForLock="2.605µs"
```

Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 February 2024, 15:19:03 UTC
cbca369 netns: clean up API, reimplement in pure Go without dependencies The previous netns package had a few problems. It shelled out to iproute2, and it depended on both containernetworking/plugins/pkg/ns and vishvananda/netns, which led to some idiosyncratic API. This commit addresses these issues and takes care of some much-needed API cleanup: - Create a new netns with New() - Open an existing pinned netns with OpenPinned() - Execute code within the netns with ns.Do() - Close with Close() Pinning network namespaces is not supported, as there is currently little reason for doing so. In case the requirement pops up again later, it can always be added. All tests now use anonymous (non-pinned) network namespaces, and the netns created for cilium-health also no longer leaves an entry in /var/run/netns. Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io> Co-authored-by: Timo Beckers <timo@isovalent.com> 29 February 2024, 13:38:41 UTC
2063a21 cilium-dbg: remove netns cleanup code This was already redundant when running Cilium inside a container, since the nsfs instance inside the container is bound to the container's lifecycle. Running Cilium outside of a container is currently rather involved and not officially supported. Remove the netns cleanup code. When the container exits, cilium-health and its enclosing namespace also disappears. Follow-up commits will remove the code in package netns being called here. Signed-off-by: Timo Beckers <timo@isovalent.com> 29 February 2024, 13:38:41 UTC
ed04ccd link: ignore missing interfaces in DeleteByName This allows surfacing unexpected errors, but ignores interfaces that are already absent. Signed-off-by: Timo Beckers <timo@isovalent.com> 29 February 2024, 13:38:41 UTC
77053ae iptables: Read CNI chaining mode from CNI config manager CNI chaining mode option has been moved to the CNI cell in commit 1254bf403f. Since it is not a global config option anymore, iptables manager will not see any change to that value, and its field `CNIChainingMode` will always be an empty string. Thus, with the following config option values: - "enable-endpoint-routes": true - "cni-chaining-mode": "aws-cni" the delivery interface referenced in the rules installed by the manager is "lxc+" instead of "eni+". This commit fixes this adding a CNI config manager reference to the iptables manager parameters, in order to read the current setting for the chaining mode during rules installation. Fixes: 1254bf403f ("daemon / cni: move to Cell, watch for changes") Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 29 February 2024, 10:21:41 UTC
cd53c4f gateway-api: Correct the null check for GRPCRoute Match The null check for Method should be before the check for Method.Service to avoid NPE. Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 February 2024, 09:10:04 UTC
5d3c7c3 bpf: Fix VTEP drop check Commit a94fa56f6713 ("Fix CIDR to World Entity Conversion Bug") seems to have inadvertently swapped a check for "is not world" to a check for "is world" in order to drop. This has likely broken the VTEP feature. Fix it. Fixes: a94fa56f6713 ("Fix CIDR to World Entity Conversion Bug") Reported-by: Jan Hugo Prins <jhp@jhprins.org> Signed-off-by: Joe Stringer <joe@cilium.io> 29 February 2024, 06:58:49 UTC
fe71a4a controlplane: fix mechanism for ensuring watchers I realized that the fix for controlplane tests isn't complete. There is still a (small) race window: The current watch reaction records a watcher as established without "handling" the watch itself, i.e. it lets the default watch reaction actually call 'Watch' on the tracker. This is racy, as things can happen in the window between recording and actually watching. To fix this, add the recording unconditionally in the existing tracker augmentation. Fixes: ba99d74c44 (controlplane: add mechanism to wait for watchers) Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 28 February 2024, 19:59:31 UTC
badd092 endpoint: rename GetMetadataValue to GetPropertyValue During the PR review for d735c5017bd1 it was suggested to change the field name from endpoint.Metadata to endpoint.Properties. Unfortunately, this method was missed during the renaming and this commit sets the right name to it. Fixes: d735c5017bd1 ("introduce 'properties' for endpoints") Signed-off-by: André Martins <andre@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 28 February 2024, 15:09:29 UTC
44bb357 endpoint: use PropertyCEP{Owner,Name} as CEP owner/name if set this will allow alternative implementations to extend the CiliumEndpoint usage Signed-off-by: André Martins <andre@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 28 February 2024, 15:09:29 UTC
f2a0940 operator: gc: don't GC a CEP if it's not owned by a pod or node To prevent Cilium Operator from garbage collecting CiliumEndpoints that have an owner reference other than a Pod and CiliumNode, we should default to not garbage collecting them. Signed-off-by: André Martins <andre@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 28 February 2024, 15:09:29 UTC
8bf9fd2 xds: Move MockStream to stream_test.go This commit is to move MockStream struct to stream_test.go as it's only used in unit test. Signed-off-by: Tam Mach <tam.mach@cilium.io> 28 February 2024, 14:28:39 UTC
6fee46f ci/ipsec: Fix downgrade version retrieval Figuring out the right "previous patch release version number" to downgrade to in print-downgrade-version.sh turns out to be more complex than expected [0][1][2][3]. This commit is an attempt to 1) fix issues with the current script and 2) overall make the script clearer, so we can avoid repeating these mistakes. As for the fixes, there are two things that are not correct with the current version. First, we're trying to validate the existence of the tag to downgrade to, in case the script runs on top of a release preparation commit for which file VERSION has been updated to a value that does not yet contain a corresponding tag. This part of the script is actually OK, but not the way we call it in the IPsec workflow: we use "fetch-tags: true" but "fetch-depth: 0" (the default), and the two are not compatible; a shallow clone results in no tags being fetched. To address this, we retrieve the tag differently: instead of relying on "fetch-tags" from the workflow, we call "git fetch" from the script itself, provided the preconditions are met (we only run it from a Git repository, if the "origin" remote is defined). If the tag exists, either locally or remotely, then we can use it. Otherwise, the script considers that it runs from a release preparation Pull Request, and decrements the patch release number. The second issue is that we would return no value from the script if the patch release is zero. This is to avoid any attempt to find a previous patch release when working on a development branch. However, this logic is incorrect (it comes from a previous version of the script where we would always decrement the patch number). After the first release of a new minor version, it's fine to have a patch number at 0. What we should check instead is whether the version ends with "-dev". 
This commit brings additional changes for clarity: more comments, and a better separation between the "get latest patch release" and "get previous stable branch" cases, moving the relevant code to independent functions, plus better argument handling. We also edit the IPsec workflow to add some logs about the version retrieved. The logs should also display the script's error messages, if any, that are printed to stderr. Sample output from the script:
```
VERSION     Tag exists  Prevous minor  Previous patch release
1.14.3      Y           v1.13          v1.14.3
1.14.1      Y           v1.13          v1.14.1
1.14.0      Y           v1.13          v1.14.0
1.14.1-dev  N           v1.13          <error>
1.15.0-dev  N           v1.14          <error>
1.13.90     N           v1.12          v1.13.89   <- decremented
2.0.0       N           <error>        <error>
2.0.1       N           <error>        v2.0.0     <- decremented
2.1.1       N           v2.0           v2.1.0     <- decremented
```
[0] 56dfec2f1ac5 ("contrib/scripts: Support patch releases in print-downgrade-version.sh") [1] 4d7902f54a74 ("contrib/scripts: Remove special handling for patch release number 90") [2] 5581963cbf94 ("ci/ipsec: Fix version retrieval for downgrades to closest patch release") [3] 3803f539a740 ("ci/ipsec: Fix downgrade version for release preparation commits") Fixes: 3803f539a740 ("ci/ipsec: Fix downgrade version for release preparation commits") Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 February 2024, 14:11:08 UTC
dd693a7 Add Hubble metrics HTTP endpoint status metrics This change introduces two new metrics: * hubble_http_handler_requests_total - counter for requests made to the endpoint, grouped by HTTP status code * hubble_http_handler_request_duration_seconds - histogram of latencies for requests made to the endpoint, grouped by HTTP status code This provides an option to measure availability of the Hubble metrics endpoint on the Hubble side. Although similar functionality might be achieved through using metrics of collectors scraping this endpoint, unavailability measured with that approach includes unavailability of the collector itself, which might not be desired in some cases. Signed-off-by: Michal Siwinski <siwy@google.com> 28 February 2024, 14:02:54 UTC
2534006 Fix netbird name in the description Signed-off-by: Misha Bragin <bangvalo@gmail.com> 28 February 2024, 14:08:28 UTC
36006f1 Add link to the blog post about the usage Signed-off-by: Misha Bragin <bangvalo@gmail.com> 28 February 2024, 14:08:28 UTC
2b1a281 Add further description about usage of Cilium in NetBird Signed-off-by: Misha Bragin <bangvalo@gmail.com> 28 February 2024, 14:08:28 UTC
2a7c0de Add NetBird to the Cilium user list Signed-off-by: Misha Bragin <bangvalo@gmail.com> 28 February 2024, 14:08:28 UTC
39637d6 gha: don't wait for kind clusters to become ready They will never, because no CNI is present at that point. Hence, let's just avoid wasting one minute waiting for the timeout to expire. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 28 February 2024, 13:13:33 UTC
c442ca5 renovate: onboard KIND_K8S_IMAGE var and drop kind-config.yaml files Let's make sure that the newly introduced KIND_K8S_IMAGE variable gets automatically updated by renovate. Additionally, the kind configuration files no longer hard-code the kind image, hence they don't need to be automatically renovated anymore. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 28 February 2024, 13:13:33 UTC
aabdfa7 gha: migrate workflows to use the global kind-related variables Let's switch all the workflows over to using the globally defined kind-related variables, and remove the workflow specific definitions. This also addresses a few cases which didn't specify any version. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 28 February 2024, 13:13:33 UTC
394b3de gha: centralize kind version and image definition in set-env-variables Let's define kind-related variables (i.e., version, k8s image and k8s version) inside the set-env-variables action. Once all consumers have been migrated through the subsequent commit, this will ensure consistency across workflows, and simplify version bumps as well as the introduction of new workflows depending on them. One extra byproduct is that renovate updates will also stop requesting reviews from all the different teams owning each specific workflow. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 28 February 2024, 13:13:33 UTC
91fc572 ingress/gateway-api: expose Envoy listeners on subset of nodes This commit adds support for exposing L7 Envoy Listeners only on a subset of Cilium Nodes. This only works in combination with the hostnetwork mode. **Configure node label selector via Helm** * Ingress Controller: `ingressController.hostNetwork.nodes.matchLabels` * Gateway API: `gatewayAPI.hostNetwork.nodes.matchLabels`
```
ingressController:
  hostNetwork:
    nodes:
      matchLabels:
        role: infra
        component: ingress
```
An empty selector selects all Nodes and continues to expose the functionality on all Cilium Nodes. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 28 February 2024, 12:27:37 UTC
72da224 ingress/gateway-api: expose listeners on host network This commit adds support for exposing the L7 Envoy Listeners directly on the host network - and no longer uses Kubernetes Services of type `LoadBalancer` or `NodePort`. The listener is exposed on all interfaces (`0.0.0.0` for IPv4 and/or `::` for IPv6). **Enable HostNetwork support via Helm** * Ingress Controller: `ingressController.hostNetwork.enabled=true` * Gateway API: `gatewayAPI.hostNetwork.enabled=true` **Configure listener port** * Shared Ingress: configurable via Helm (`ingressController.hostNetwork.sharedHTTPPort` & `ingressController.hostNetwork.sharedTLSPassthroughPort`) * Dedicated Ingress: configurable via Annotation on the resource `Ingress` (`ingress.cilium.io/http-host-port` & `ingress.cilium.io/tls-passthrough-host-port`) * Gateway API: configurable via `spec.listeners.port` on the resource `Gateway` Be aware that misconfiguration might result in port clashes. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 28 February 2024, 12:27:37 UTC
3f9e0e9 gateway api: no error if lb service isn't ready yet Currently, the reconciliation of `Gateway` fails with an error if the status of the corresponding loadbalancer service isn't ready. Returning an error leads to an additional reconciliation and logs the error. There are cases (upcoming hostnetwork support) where the status of the loadbalancer service is never set which leads to reconciliation loops. Therefore, with this commit, a missing status no longer results in an error. This should also be enough in all other cases because a reconciliation should be triggered on an update of the loadbalancer service itself. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 28 February 2024, 12:27:37 UTC
c336bc6 ingress: remove unused parameters from IngressPassthrough Ingestion of a Passthrough listener (`IngressPassthrough`) never uses the parameters `defaultSecretNamespace` and `defaultSecretName`. Therefore, this commit removes these from the function signature. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 28 February 2024, 12:27:37 UTC