https://github.com/cilium/cilium
Revision | Author | Date | Message | Commit Date |
---|---|---|---|---|
9a9ec79 | Daniel Borkmann | 31 January 2024, 10:27:41 UTC | bpf: Support external IPv6 DSR Support IP6IP6 termination from the Cilium L4LB against a regular Cilium cluster. This is the IPv6 side of 50f6fa80e2ef ("bpf: Support external IPv4 DSR"). Cilium L4LB node: # ./cilium-dbg/cilium-dbg service list ID Frontend Service Type Backend [...] 12 [face:b::1]:80 ExternalIPs 1 => [2a02:168:f656:0:1ac0:4dff:fe09:d5e6]:80 (active) Cilium regular cluster with --enable-external-dsr=true: # ./cilium-dbg/cilium-dbg service list ID Frontend Service Type Backend [...] 12 [2a02:168:f656:0:1ac0:4dff:fe09:d5e6]:80 ExternalIPs 1 => [2a03:2880:f16d:81:face:b00c:0:25de]:80 (active) tcpdump on Cilium regular node: [...] 12:13:17.150875 IP6 2a02:168:f656::2 > 2a02:168:f656:0:1ac0:4dff:fe09:d5e6: IP6 2a02:168:f656:0:1ac0:4dff:fe0b:720e.36764 > face:b::1.80: Flags [S], seq 863958068, win 43200, options [mss 1440,sackOK,TS val 2302007970 ecr 0,nop,wscale 9], length 0 12:13:17.150893 IP6 2a02:168:f656:0:1ac0:4dff:fe09:d5e6.36764 > 2a03:2880:f16d:81:face:b00c:0:25de.80: Flags [S], seq 863958068, win 43200, options [mss 1440,sackOK,TS val 2302007970 ecr 0,nop,wscale 9], length 0 12:13:17.155619 IP6 2a03:2880:f16d:81:face:b00c:0:25de.80 > 2a02:168:f656:0:1ac0:4dff:fe09:d5e6.36764: Flags [S.], seq 1192141025, ack 863958069, win 65535, options [mss 1392,sackOK,TS val 1118681450 ecr 2302007970,nop,wscale 8], length 0 12:13:17.155911 IP6 face:b::1.80 > 2a02:168:f656:0:1ac0:4dff:fe0b:720e.36764: Flags [S.], seq 1192141025, ack 863958069, win 65535, options [mss 1392,sackOK,TS val 1118681450 ecr 2302007970,nop,wscale 8], length 0 12:13:17.156232 IP6 2a02:168:f656::2 > 2a02:168:f656:0:1ac0:4dff:fe09:d5e6: IP6 2a02:168:f656:0:1ac0:4dff:fe0b:720e.36764 > face:b::1.80: Flags [.], ack 1, win 85, options [nop,nop,TS val 2302007975 ecr 1118681450], length 0 [...] Note that CONNTRACK_ACCOUNTING is not compatible with the --enable-external-dsr setting given the union in the CT value. There are other items broken as well such as CONNTRACK_LOCAL. Perhaps it's time to deprecate / remove them entirely at some point. The agent cannot block enablement of the latter two since it's only done manually via cilium-dbg tool. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 05 March 2024, 10:22:13 UTC |
cf8a2ce | Daniel Borkmann | 26 January 2024, 12:32:04 UTC | bpf: Support external IPv4 DSR Support IPIP termination from the Cilium L4LB against a regular Cilium cluster. This work covers the termination as well as DSR aspect, so that replies go directly back to clients instead of the Cilium L4LB. Given the VIP:port of an external L4LB is not known in our K8s cluster, we also cannot hold them in the revNat map. Therefore, add the tuple info in the CT map. Guard this under a compilation flag given this is only relevant for users who really want to terminate the external L4LB in the workload cluster, others don't need to take the additional cycles. From agent side, the --enable-external-dsr={true,false} flag controls this setting. The default is on false. Example with IPIP termination : Cilium L4LB node: # ./cilium-dbg/cilium-dbg service list ID Frontend Service Type Backend [...] 11 1.1.1.1:80 ExternalIPs 1 => 192.168.2.12:80 (active) Cilium regular cluster with --enable-external-dsr=true: # ./cilium-dbg/cilium-dbg service list ID Frontend Service Type Backend [...] 11 192.168.2.12:80 ExternalIPs 1 => 193.99.144.80:80 (active) tcpdump on Cilium regular node: [...] 09:36:17.421507 IP 192.168.2.11 > 192.168.2.12: IP 192.168.2.13.43196 > 1.1.1.1.80: Flags [S], seq 3976047959, win 42340, options [mss 1460,sackOK,TS val 4083238462 ecr 0,nop,wscale 9], length 0 09:36:17.421529 IP 192.168.2.12.43196 > 193.99.144.80.80: Flags [S], seq 3976047959, win 42340, options [mss 1460,sackOK,TS val 4083238462 ecr 0,nop,wscale 9], length 0 09:36:17.428443 IP 193.99.144.80.80 > 192.168.2.12.43196: Flags [S.], seq 1717159938, ack 3976047960, win 14600, options [mss 1460,nop,wscale 0,sackOK,TS val 1591760912 ecr 4083238462], length 0 09:36:17.428680 IP 1.1.1.1.80 > 192.168.2.13.43196: Flags [S.], seq 1717159938, ack 3976047960, win 14600, options [mss 1460,nop,wscale 0,sackOK,TS val 1591760912 ecr 4083238462], length 0 [...] What can be seen is the IPIP termination, the Cilium regular node then performing the service request to the backend, and upon reply reversing everything along with the DSR (1.1.1.1.80) to the client directly. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 05 March 2024, 10:19:03 UTC |
84fe76c | renovate[bot] | 04 March 2024, 19:30:56 UTC | fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> | 05 March 2024, 09:13:59 UTC |
1c3a17f | Paul Chaignon | 26 February 2024, 12:07:43 UTC | bugtool: Capture memory fragmentation info from /proc This information can be useful to understand why memory allocation in the kernel may fail (ex. for maps or for XFRM). I've checked that these two files are accessible from a typical cilium-agent deployment (on GKE). Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> | 05 March 2024, 07:26:43 UTC |
68e504b | Aditi Ghag | 01 March 2024, 15:55:31 UTC | bpf,config: Add ENABLE_LOCAL_REDIRECT_POLICY macro Wrap the datapath code by the macro when the feature is enabled. Signed-off-by: Aditi Ghag <aditi@cilium.io> | 05 March 2024, 05:31:09 UTC |
0bd59b2 | Alexandre Perrin | 01 March 2024, 16:15:36 UTC | hubble: gracefully handle parsing nil HTTP url Before this patch, Hubble would panic when attempting to parse an accesslog.LogRecordHTTP with a nil URL. While filterURL was handling the nil case, the following caller codepath would unconditionally call String() on the URL, potentially causing a panic. This patch improves Hubble robustness and clarifies the role of the filterURL (renamed filteredURL) to always return a URL such that calling String() on it is safe. Signed-off-by: Alexandre Perrin <alex@isovalent.com> | 05 March 2024, 03:16:21 UTC |
f7142c8 | Alexandre Perrin | 01 March 2024, 16:13:55 UTC | hubble: fix http parsing when given invalid URL Before this patch, Hubble could cause a Cilium agent panic when attempting to decode invalid URLs. See https://github.com/cilium/cilium/issues/31071 Signed-off-by: Alexandre Perrin <alex@isovalent.com> | 05 March 2024, 03:16:21 UTC |
fe76af5 | Alexandre Perrin | 01 March 2024, 15:52:51 UTC | hubble: rename url local variable to uri to avoid confusion with net/url Signed-off-by: Alexandre Perrin <alex@isovalent.com> | 05 March 2024, 03:16:21 UTC |
82006e0 | Alexandre Perrin | 01 March 2024, 15:25:02 UTC | hubble: move TestDecodeL7HTTPRequestRemoveUrlQuery with related Hubble redact test functions Signed-off-by: Alexandre Perrin <alex@isovalent.com> | 05 March 2024, 03:16:21 UTC |
7c7ae03 | chaunceyjiang | 07 February 2024, 14:03:36 UTC | GatewayAPI supports setting the number of trusted loadbalancer hops Signed-off-by: chaunceyjiang <chaunceyjiang@gmail.com> | 05 March 2024, 00:12:44 UTC |
bebb6be | Ondrej Sika | 02 February 2024, 07:19:40 UTC | docs: Update link to USERS.md in README from RAW Github to standard Github UI Signed-off-by: Ondrej Sika <ondrej@ondrejsika.com> | 04 March 2024, 23:01:44 UTC |
2330c83 | Gilberto Bertin | 04 March 2024, 09:16:23 UTC | bpf: nodeport: don't forward host id in nodeport_lb4 this should never happen, but to be extra defensive add an explicit check to prevent forwarding this identity, as it wouldn't make sense for the remote node Suggested-by: Joe Stringer <joe@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> | 04 March 2024, 22:28:30 UTC |
d49e0a0 | Gilberto Bertin | 04 March 2024, 09:16:00 UTC | bpf: identity: add identity_is_host Signed-off-by: Gilberto Bertin <jibi@cilium.io> | 04 March 2024, 22:28:30 UTC |
4dd9ee6 | Tam Mach | 04 March 2024, 01:04:36 UTC | envoy: Remove deprecated runtime key logs The upstream envoy has up-deprecated global_downstream_max_connections runtime key as part of 1.28.1, hence we can safely remove the warning log exception. Relates: https://github.com/envoyproxy/envoy/pull/30735 Relates: https://github.com/cilium/cilium/pull/30697 Signed-off-by: Tam Mach <tam.mach@cilium.io> | 04 March 2024, 21:18:07 UTC |
5a96a95 | Nate Sweet | 28 February 2024, 16:51:12 UTC | container/bitlpm: Add Lookup Boolean Return Value Lookup currently returns the default value of the bitlpm.Trie when it fails to find a match. There are cases where comparing the default value to the return value is logically expensive (i.e. code needs to be written to do the comparison). Lookup can easily return a boolean value to indicate whether it failed. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> | 04 March 2024, 20:57:44 UTC |
641f1f8 | Daniel Borkmann | 30 January 2024, 08:49:09 UTC | bpf: Reduce conntrack accounting from rx/tx stats to pkt/byte stats Make space in our BPF CT. CONNTRACK_ACCOUNTING was recently disabled by default. Shrink the stats from rx/tx packets/bytes to just packets/ bytes so that the freed up space can be reused for other meta data. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 04 March 2024, 19:43:09 UTC |
8a939bd | Daniel Borkmann | 31 January 2024, 09:20:07 UTC | bpf, cilium: Fix NodePortNat46X64 config option The option.Config.NodePortNat46X64 is only supported for LB-only mode, so do not enable it for regular clusters. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 04 March 2024, 19:43:09 UTC |
3117a52 | Daniel Borkmann | 26 January 2024, 12:11:23 UTC | bpf: Rename dsr to dsr_internal We're going to add dsr_external bit, so this is to better distinguish the two in the CT state. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 04 March 2024, 19:43:09 UTC |
9a5cfb8 | Feroz Salam | 01 March 2024, 13:39:31 UTC | Fail container scans on vulnerability scan results Now that we have a method of marking false positives using VEX documents, we can make the container scanning workflow a failing step. Also reduce the permission of the workflow. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> | 04 March 2024, 19:24:55 UTC |
db4589a | Rastislav Szabo | 04 March 2024, 12:16:47 UTC | renovate: temporarily do not update GoBGP Due to a breaking change in GoBGP v3.24.0, do not update GoBGP until the issue https://github.com/osrg/gobgp/issues/2777 is resolved. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> | 04 March 2024, 19:23:40 UTC |
d6e7c5d | Marcel Zieba | 22 February 2024, 15:10:58 UTC | health-server: Do not cleanup health checking result on node updates. Whenever node was updated, health-checking was removing and re-adding that node. This caused it to lose information about previously performed probes, which resulted in `unknown` status for such nodes. This can happen often especially in ENI mode, where node updates happen each time new pod is scheduled on the node. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> | 04 March 2024, 18:56:41 UTC |
aec875f | Aditi Ghag | 02 March 2024, 02:24:19 UTC | lrp: Remove redundant pod spec validations Kubernetes validates these fields, so additional checks are not required. Example: ``` The Pod "be" is invalid: spec.containers[0].ports[0].containerPort: Invalid value: 65540: must be between 1 and 65535, inclusive ``` Signed-off-by: Aditi Ghag <aditi@cilium.io> | 04 March 2024, 18:55:54 UTC |
81ca8e8 | Aditi Ghag | 02 March 2024, 02:18:42 UTC | lrp: Remove redundant pod spec validations Kubernetes validates these fields, so additional checks are not required. Example: ``` The Pod "be" is invalid: spec.containers[0].ports[0].containerPort: Invalid value: 65540: must be between 1 and 65535, inclusive The Pod "be" is invalid: spec.containers[0].ports[0].protocol: Unsupported value: "icmp": supported values: "SCTP", "TCP", "UDP" ``` Signed-off-by: Aditi Ghag <aditi@cilium.io> | 04 March 2024, 18:55:54 UTC |
3dd29fc | Marco Hofstetter | 01 March 2024, 09:22:38 UTC | cec: move config property 'envoy-config-timeout' into hive config Currently, the config property `envoy-config-timeout` is defined in the global config. This commit moves the config property into the hive config of the respective Hive Cell `ciliumenvoyconfig`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 04 March 2024, 18:44:41 UTC |
a099bf1 | Tom Hadlaw | 27 February 2024, 17:30:44 UTC | cni: use default logger with timestamps. Unlike runtime agent/operator logs, CNI logs are just written to disk so we have no way to attach timestamps to them. This makes it harder to debug CNI issues as we have no way to correlate when things happened between Agent logs and CNI events. This switches CNI to use the same default logger, except with timestamps enabled. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> | 04 March 2024, 18:08:18 UTC |
b156023 | Julian Wiedmann | 20 February 2024, 16:40:04 UTC | bpf: lxc: also set from_tunnel for IPv6 CT entries Marco noticed that we currently only set the from_tunnel flag for IPv4 connections. But as the IPv6 path recently learned to support CB_FROM_TUNNEL, we can now also set this flag for IPv6 connections. For now this is just for symmetry reasons, there's no feature that strictly requires it. Reported-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 04 March 2024, 17:36:15 UTC |
7a5a429 | Dean | 26 January 2024, 13:11:44 UTC | Update kafka-sw-gen-traffic.sh Fixed `kubectl exec` syntax Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> | 04 March 2024, 17:25:31 UTC |
475a194 | Julian Wiedmann | 04 March 2024, 13:35:15 UTC | bpf: host: optimize from-host's ICMPv6 path The ICMPv6 handling in handle_ipv6() is only required for the HostFW or by from-netdev. Exclude it otherwise. This is a minor optimization for dc9dfd72f2ae ("bpf: Re-introduce ICMPv6 NS responder on from-netdev"). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 04 March 2024, 15:52:02 UTC |
2fda72e | André Martins | 04 March 2024, 11:58:17 UTC | renovate: separate major.minor.patch for lvh images If we don't split the major.minor and the minor.patch, renovate will not update the dependencies that are marked to have their major and minor updates done by the maintainers. Thus, this commit will split them moving forward. Signed-off-by: André Martins <andre@cilium.io> | 04 March 2024, 15:40:47 UTC |
5863f8e | Dylan Reimerink | 01 March 2024, 11:18:55 UTC | contrib/scripts: Remove false positives from check-go-testdata.sh The check-go-testdata.sh script would fail on any changes in the whole repo not just the target directory. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> | 04 March 2024, 13:08:36 UTC |
70b405f | Tom Hadlaw | 26 February 2024, 20:41:32 UTC | loader: fix cancelled context during compile logging errors. On Linux/Unix based implementations, exec/cmd.Run will return either context.ContextCancelled or the error "signal: killed" depending on whether the cancellation occurred while the process was running. There's several places we check on ```is.Errors(err, context.Cancelled)``` on whether to emit high level logs about failed program compilations. Because already running cmd.Run() doesn't return an error that satisfies this, this will result in spurious error logs about failed compilation (i.e. "signal: killed") This meant that in cases where a compilation is legitimately cancelled, we would still log an error such as msg="BPF template object creation failed" ... error="...: compile bpf_lxc.o: signal: killed" This can occur occasionally in CI, which enforces no error to pass, causing failures. example: ``` ctx, c := context.WithTimeout(context.Background(), time.Second) go func() { time.Sleep(time.Second) c() }() cmd := exec.CommandContext(ctx, "sleep", "2") fmt.Println(cmd.Run()) ctx, c = context.WithTimeout(context.Background(), time.Second) c() cmd = exec.CommandContext(ctx, "sleep", "2") fmt.Println(cmd.Run()) ``` To fix this, this will join in the ctx.Err() if it is: * context.Cancelled * The process has not exited itself. * The process appeared to be SIGKILL'ed. Addresses: #30991 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> | 04 March 2024, 12:52:31 UTC |
5448ac1 | André Martins | 04 March 2024, 11:14:49 UTC | Revert "Prepare for release v1.16.0-pre.0" This reverts commit 1eafeed1cdfb8ea763c14659c714d4107fa1a16b. Signed-off-by: André Martins <andre@cilium.io> | 04 March 2024, 12:06:43 UTC |
e206ef0 | André Martins | 04 March 2024, 11:10:49 UTC | Prepare for release v1.16.0-pre.0 Signed-off-by: André Martins <andre@cilium.io> | 04 March 2024, 12:06:43 UTC |
ad34de3 | André Martins | 04 March 2024, 11:10:32 UTC | update AUTHORS and Documentation Signed-off-by: André Martins <andre@cilium.io> | 04 March 2024, 12:06:43 UTC |
4293d2b | Maxim Mikityanskiy | 17 October 2023, 19:22:34 UTC | maps: Consider actual passed time for GC interval calculation When GetInterval calculates the new GC interval, it uses the result of the previous calculation as a pivot point. However, if GC was triggered by a signal, smaller time interval has passed, therefore, expectations on the delete ratio should be lower. Adjust the delete ratio proportionally to avoid increasing the interval uncontrollably when multiple signals arrive over a short period of time. Ref: #27405 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> | 04 March 2024, 11:56:10 UTC |
f604ce2 | Julian Wiedmann | 01 March 2024, 07:56:25 UTC | docs: update note on WireGuard with tunnel routing https://github.com/cilium/cilium/pull/29000 changed how we mix WireGuard with VXLAN / Geneve tunneling. Reflect this in the docs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 04 March 2024, 09:30:37 UTC |
6b98a0b | Julian Wiedmann | 20 February 2024, 12:49:10 UTC | loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay Avoid any odd surprises when this macro ends up being used by shared nodeport.h code. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 04 March 2024, 08:53:19 UTC |
127851e | renovate[bot] | 04 March 2024, 01:52:39 UTC | chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> | 04 March 2024, 08:34:46 UTC |
2d901d7 | Julian Wiedmann | 26 February 2024, 07:23:39 UTC | bpf: lb: simplify handling of stale CT_SERVICE entries lb*_local() currently handles a special case, where the matched CT_SERVICE entry (for some Client -> VIP connection) was created for an *old* service definition. In which case we shouldn't use the cached backend selection, as this backend was associated with the *old* service. Instead we perform a fresh backend selection. But with the infrastructure added by https://github.com/cilium/cilium/pull/27607, we can detect such cases during the actual CT lookup - and not even pass the stale CT entry back to the caller. Instead the CT lookup returns CT_NEW, and the caller just creates a new CT entry (along with selecting a fresh backend). One side effect of this change is that all the other state in the CT entry (eg statistics) also gets reset. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 04 March 2024, 08:22:17 UTC |
4701512 | Julian Wiedmann | 26 February 2024, 06:58:27 UTC | bpf: lb: let CT lookup update the rev_nat_index for old connections lb*_local() contains some upgrade handling for old connections, where the CT_SERVICE entry was created without populating .rev_nat_index. In this case the .rev_nat_index is updated manually. But as the code path doesn't have direct access to the matched ct_entry, updating it requires an additional lookup in the CT map. Clean this up by pushing the update into __ct_lookup(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 04 March 2024, 08:22:17 UTC |
c9518a9 | Michi Mutsuzaki | 03 March 2024, 01:28:08 UTC | golangci-lint: Fix goimports local prefix Change the prefix to github.com/cilium/cilium/ to only match packages from github.com/cilium/cilium repository. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> | 04 March 2024, 04:05:08 UTC |
d697a14 | Gilberto Bertin | 01 March 2024, 08:23:43 UTC | bpf: nodeport: fix check to forward identity in nodeport_lb4 as the original intent of this logic was to avoid forwarding local identities, fix the check to ensure none of the 8MSB of the identity are set before forwarding the identity Fixes: 490ecc5016b ("bpf: nodeport: don't forward local CIDR identities") Suggested-by: Joe Stringer <joe@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> | 01 March 2024, 19:34:21 UTC |
136e501 | Gilberto Bertin | 01 March 2024, 08:13:46 UTC | bpf: identity: add identity_is_local Signed-off-by: Gilberto Bertin <jibi@cilium.io> | 01 March 2024, 19:34:21 UTC |
baf2619 | Gilberto Bertin | 01 March 2024, 08:07:59 UTC | bpf: identity: rename local scope masks rename the IDENTITY_SCOPE_MASK and IDENTITY_SCOPE_REMOTE_NODE constants to IDENTITY_LOCAL_SCOPE_MASK and IDENTITY_LOCAL_SCOPE_REMOTE_NODE, to make it clear these refer to local identities. No functional changes Signed-off-by: Gilberto Bertin <jibi@cilium.io> | 01 March 2024, 19:34:21 UTC |
cfb1158 | Michi Mutsuzaki | 01 March 2024, 15:08:50 UTC | cli: Replace --cluster-name with --helm-set cluster.name The --cluster-name flag got removed in cilium/cilium-cli#2351. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> | 01 March 2024, 19:20:36 UTC |
25d946d | Anubhab Majumdar | 06 February 2024, 18:44:00 UTC | Update pkg/hubble/parser/parser.go Co-authored-by: Marek Chodor <marqc@users.noreply.github.com> Signed-off-by: Anubhab Majumdar <anubhabmajumdar93@gmail.com> | 01 March 2024, 18:15:39 UTC |
8bbfe0b | Anubhab Majumdar | 13 December 2023, 21:53:32 UTC | Add an interface for Parser struct Signed-off-by: Anubhab Majumdar <anmajumdar@microsoft.com> | 01 March 2024, 18:15:39 UTC |
f7fdeef | Tomoya Fujita | 19 January 2024, 04:42:28 UTC | ipfamily should be set by platform configuration. Signed-off-by: Tomoya Fujita <Tomoya.Fujita@sony.com> | 01 March 2024, 17:51:19 UTC |
f56e61b | Shunpoco | 24 February 2024, 05:55:49 UTC | ICMP: Use CamelCase for ICMP type messages This commit fixes ICMP type messages to use CamelCase instead of space-separated words. For example, Echo Reply is changed to EchoReply. Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> | 01 March 2024, 17:33:49 UTC |
8b5663e | Shunpoco | 05 February 2024, 22:18:08 UTC | doc: modify upgrade note and comment in code block - Modify comment in upgrade note in order to focus on user-facing CRD change - Fix indentation in code block Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> | 01 March 2024, 17:33:49 UTC |
37d969c | Shunpoco | 02 February 2024, 22:03:11 UTC | doc: modify/add ICMP type change ICMP `type` field is changed to accept both integer and string. This commit updates: - v1.15 Upgrade Notes to add about it. - ICMP part in layer 4 examples Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> | 01 March 2024, 17:33:49 UTC |
5cc5ac9 | Shunpoco | 15 January 2024, 20:39:10 UTC | ICMP: Introduce ICMP type name in ICMPField Currently ICMP only supports ICMP type code (0-255), but ideally it should also support ICMP type names like "Echo", or "Echo Reply". This commit changes the type of ICMPField.Type from uint8 to intstr.IntOrString, and also updates ICMPField.PortProtocol to treat type names. ICMPField treats both ICMP IPv4 and v6, but kubebuilder's validation can't distinguish if the given type name matches with the family (IPv4 or IPv6). So this commit also introduces UnmarshalJSON method for ICMPField. That function checks if the unmarshaled ICMPField's family and type match properly. In addition, this commit changes some tests which use ICMPField, and introduces a unit test for ICMPField's UnmarshalJSON method. Fixes: #23000 Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> | 01 March 2024, 17:33:49 UTC |
76454a2 | Dean | 21 February 2024, 15:50:39 UTC | docs: Correct Hubble Exporter config lines in dynamic example This commit makes corrections to the Hubble Exporter dynamic example. This includes lowercasing the "I" in `IncludeFilters`, as well as removing unnecessary `*`s in the provided filters. Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> | 01 March 2024, 17:21:19 UTC |
bb8deb3 | Dean | 21 February 2024, 15:46:11 UTC | docs: Remove erroneous line from Dynamic Hubble Exporter example This commit removes a line that was unnecessarily copied from the static config example into the dynamic config example. Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> | 01 March 2024, 17:21:19 UTC |
518a1eb | Dean | 21 February 2024, 15:44:52 UTC | docs: Add information to disable Hubble Exporter static config Fixes: #30425 Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> | 01 March 2024, 17:21:19 UTC |
8d4db89 | Gray Liang | 20 February 2024, 09:15:48 UTC | bpf/tests: Add IPv6 NDP bpf test This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid https://github.com/cilium/cilium/issues/30926. for case 2, it must return the NS to stack to address https://github.com/cilium/cilium/issues/14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> | 01 March 2024, 17:05:01 UTC |
dc9dfd7 | Gray Liang | 19 February 2024, 08:18:37 UTC | bpf: Re-introduce ICMPv6 NS responder on from-netdev This reverts commit 658071414ca4606e537bc4bbb37dcae5e18cd7dc, to fix the breakage of "IPv6 NS responder for pod" introduced by https://github.com/cilium/cilium/pull/12086 (bpf: Reply NA when recv ND for local IPv6 endpoints). 658071414ca4606e537bc4bbb37dcae5e18cd7dc was merged to solve https://github.com/cilium/cilium/issues/14509. To not revive #14509, this commit also passes through ICMPv6 NS if the target is native node IP (eth0's addr). By letting stack take care of those NS-for-node-IP packets, we managed to: 1. Solve #14509 again, but in a way keeping NS responder. The cause of #14509 was NS responder always generates ND whose source IP is "router_ip" (cilium_internal_ip) rather than "node_ip". Once we pass those NS-for-node-IP packets to stack, the ND response would naturally have "node_ip" as source. 2. Avoid the fib_lookup failure mentioned at https://github.com/cilium/cilium/pull/30837#issuecomment-1960897445. icmp6_host_handle() also has a new parameter `handle_ns` to control if we want NS responder to be active. If it is called from `to-netdev` code path, handle_ns is set to false. This is suggested by julianwiedmann. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> | 01 March 2024, 17:05:01 UTC |
60c5e76 | Gray Liang | 01 March 2024, 09:12:03 UTC | bpf/tests: Remove SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by https://github.com/cilium/cilium/pull/28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by https://github.com/cilium/cilium/pull/30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> | 01 March 2024, 17:05:01 UTC |
4082bc3 | Daniel Borkmann | 27 February 2024, 10:24:59 UTC | cilium, tests: Do not manually install neigh entries for the backend The agent discovers this automatically now, thus drop this part. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 01 March 2024, 07:12:22 UTC |
5c207ff | Daniel Borkmann | 06 December 2023, 13:54:06 UTC | pkg/service: Add backends as managed neighbor entry In LB-only mode, push backends as managed neighbors into the Linux kernel's neighboring subsystem. This is needed in particular for XDP since in XDP layer it is not possible to resolve backend L2 addresses if they are in the same L2 domain. For CNI mode this is not an issue since we push down all cluster nodes in the same L2 as managed neighbors anyway. However, in the L4LB case, backend nodes are not in our LB-only cluster. Reuse the same internal infrastructure for managing and pushing down neighbors, so that we do not need to open-code it and improvements benefit both L4LB and CNI mode. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 01 March 2024, 07:12:22 UTC |
0007e35 | Hemanth Malla | 28 February 2024, 21:31:30 UTC | Adding unit test for PD fallback Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> | 01 March 2024, 02:13:02 UTC |
5a487b5 | Hemanth Malla | 27 February 2024, 21:38:58 UTC | Handle InvalidParameterValue as well for PD fallback cilium#30536 prematurely concluded that AWS now uses InsufficientCidrBlocks to indicate the subnet is out of prefixes. Looks like AWS still uses InvalidParameterValue and "There aren't sufficient free Ipv4 addresses or prefixes" to indicate subnet is at capacity. In addition to this InsufficientCidrBlocks is returned when subnet is at capacity potentially due to fragmentation. In either case, it's worth trying to fallback since /32 IPs might still be available compared to /28. See PR for details from AWS support ticket. Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> | 01 March 2024, 02:13:02 UTC |
5abe8a8 | Tam Mach | 29 February 2024, 22:18:49 UTC | gha: Re-purpose Conformance Kind proxy test As Envoy DS is the default mode now, we should re-purpose the existing test to embedded mode, so that we still have required coverage. Relates: 21fa2df60abd0f3a5627aca3265347558d170f37 Relates: https://github.com/cilium/cilium/pull/30034 Signed-off-by: Tam Mach <tam.mach@cilium.io> | 01 March 2024, 00:24:50 UTC |
8a131c2 | Marco Hofstetter | 20 February 2024, 07:52:51 UTC | cec: timerbased reconcile job as fallback Currently, there might be rare cases where changes to a node's labels lead to errors when applying the Envoy resources of a `CiliumEnvoyConfig` in the xDS cache. With the current implementation of the `LocalNodeStore`, there won't be a retry in these cases. Therefore, this commit adds a timer-job that periodically checks for un-applied configs - and tries to reconcile them. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 01 March 2024, 00:12:23 UTC |
6b63ea2 | Jarno Rajahalme | 26 February 2024, 15:49:17 UTC | bitlpm: Factor out common code Reduce code repetition by defining a 'traverse' function that is shared between multiple functions. Clarify comments. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 29 February 2024, 23:06:01 UTC |
21fa2df | Tam Mach | 22 December 2023, 10:52:55 UTC | envoy: Default to daemon set deployment from 1.16 This is to set the default envoy deployment to daemon set mode for new installation. Signed-off-by: Tam Mach <tam.mach@cilium.io> | 29 February 2024, 21:51:23 UTC |
e1afa06 | Dylan Reimerink | 26 February 2024, 19:24:11 UTC | bpf: Fix missing tail calls The changes to the dead tail call elimination revealed 2 cases of missing tail calls. First is to do with NAT46x64 logic where there still existed a call path from the IPv4 logic which would attempt to tail call into IPv6 to recirculate the packet, even when the IPv6 tail call wasn't compiled in. The second was that when XDP offloaded, the IPv6 logic would tail call into an ICMP6 tail call which is only compiled in for TC programs. This commit fixes both possible missing tail calls. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> | 29 February 2024, 21:07:28 UTC |
217426a | Dylan Reimerink | 30 January 2024, 10:11:00 UTC | pkg/bpf: Add test for removeUnreachableTailcalls This commit adds a test to verify the behavior of the dead tail call pruning. It consists of 5 tail calls, of which 2 are unreachable. The test asserts that only the unreachable tail calls are removed from the spec. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> | 29 February 2024, 21:07:28 UTC |
16033b9 | Dylan Reimerink | 26 January 2024, 14:50:13 UTC | pkg/bpf: Implement unreachable tail call pruning This commit implements unreachable tail call pruning. When loading a collection we check if a tail call is reachable. If not, we remove the tail call from the collection. This saves us from having to load the tail call program into the kernel. Previously, we would conditionally not include tail calls in the collection with pre-processor directives. Now that we do it in the loader, we can remove the pre-processor directives. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> | 29 February 2024, 21:07:28 UTC |
c4cbb38 | Dylan Reimerink | 13 February 2024, 13:43:12 UTC | bpf: Modify tail_call_static to emit better parseable assembly Before this change the tail_call_static function would emit the following instructions to perform a tailcall: ``` Mov R1, Rctx Mov R2, Rmap_ptr Mov R3, <slot> Call TailCall ``` Since the second instruction is always a Register to Register move, we would have to backtrack to find the actual map which is being used. These changes make it so the following instructions are emitted: ``` Mov R1, Rctx Mov R2, 0 ll <calls_map> Mov R3, <slot> Call TailCall ``` By always using a double word immediate, with a relocation entry on the Mov R2 instruction it is much easier to find the actual map which is being used. As a side effect, we usually eliminate an extra instruction clang was otherwise forced to emit. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> | 29 February 2024, 21:07:28 UTC |
46db413 | Dylan Reimerink | 26 January 2024, 15:09:08 UTC | bpf: Remove `declare_tailcall_if` Remove `declare_tailcall_if`, so we always emit the tailcall programs into the ELF. The followup commit will implement pruning logic based on the actual usage of the tail calls. This means that we will only need the `invoke_tailcall_if` without the need to keep both the declaration and invocation in sync. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> | 29 February 2024, 21:07:28 UTC |
ce25c55 | Dorde Lapcevic | 06 February 2024, 18:13:21 UTC | operator: Implement cache to be used for Cilium Identity management Signed-off-by: Dorde Lapcevic <dordel@google.com> | 29 February 2024, 16:41:03 UTC |
eb0030c | Dylan Reimerink | 22 February 2024, 14:43:56 UTC | pkg/datapath/linux: Require dead code elimination support This commit adds a test to check for dead code elimination support in the kernel. Support was added in v5.1, our new minimum supported version is v5.4. This feature will be crucial for the datapath to properly function in the future. So assert this kernel feature works on startup. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> | 29 February 2024, 16:07:07 UTC |
b9098e6 | Gilberto Bertin | 29 February 2024, 07:36:40 UTC | bpf: explicitly pass map to policy_can_{in,e}gress{4,6} currently some functions in policy.h reference POLICY_MAP, assuming it's always defined. This prevents including this header in a context where the POLICY_MAP is not defined. To overcome this, remove all the POLICY_MAP references from these functions and always pass the map explicitly in the caller. No functional changes are introduced. Signed-off-by: Gilberto Bertin <jibi@cilium.io> | 29 February 2024, 15:47:00 UTC |
d7dba5e | Tam Mach | 29 February 2024, 13:50:26 UTC | xds: Avoid xds timeout due to agent restart in envoy DS mode For external envoy, xds server and envoy are having different life cycles i.e. each is running in its own pod, and can be deployed or restarted independently. This commit is to handle the case that xds in cilium agent got restarted, and nonce value is always 0. Sample error ``` 2024-02-05T12:49:51.771714518Z level=warning msg="Regeneration of endpoint failed" bpfCompilation=0s bpfLoadProg=105.68356ms bpfWaitForELF="24.396µs" bpfWriteELF=1.802221ms ciliumEndpointName=cilium-test/client-56f8968958-fqdl4 containerID=245b2aaac2 containerInterface=eth0 datapathPolicyRevision=5 desiredPolicyRevision=6 endpointID=134 error="Error while configuring proxy redirects: proxy state changes failed: context canceled" identity=1713 ipv4=10.244.1.1 ipv6="fd00:10:244:1::9544" k8sPodName=cilium-test/client-56f8968958-fqdl4 mapSync=2.476505ms policyCalculation=1.240346ms prepareBuild="437.049µs" proxyConfiguration="837.119µs" proxyPolicyCalculation="234.369µs" proxyWaitForAck=2m34.697546384s reason="policy rules added" subsys=endpoint total=2m34.818201428s waitingForCTClean=270ns waitingForLock="2.605µs" ``` Signed-off-by: Tam Mach <tam.mach@cilium.io> | 29 February 2024, 15:19:03 UTC |
cbca369 | Benjamin Leggett | 20 February 2024, 15:25:45 UTC | netns: clean up API, reimplement in pure Go without dependencies The previous netns package had a few problems. It shelled out to iproute2, and it depended on both containernetworking/plugins/pkg/ns and vishvananda/netns, which led to some idiosyncratic API. This commit addresses these issues and takes care of some much-needed API cleanup: - Create a new netns with New() - Open an existing pinned netns with OpenPinned() - Execute code within the netns with ns.Do() - Close with Close() Pinning network namespaces is not supported, as there is currently little reason for doing so. In case the requirement pops up again later, it can always be added. All tests now use anonymous (non-pinned) network namespaces, and the netns created for cilium-health also no longer leaves an entry in /var/run/netns. Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io> Co-authored-by: Timo Beckers <timo@isovalent.com> | 29 February 2024, 13:38:41 UTC |
2063a21 | Timo Beckers | 20 February 2024, 15:23:34 UTC | cilium-dbg: remove netns cleanup code This was already redundant when running Cilium inside a container, since the nsfs instance inside the container is bound to the container's lifecycle. Running Cilium outside of a container is currently rather involved and not officially supported. Remove the netns cleanup code. When the container exits, cilium-health and its enclosing namespace also disappear. Follow-up commits will remove the code in package netns being called here. Signed-off-by: Timo Beckers <timo@isovalent.com> | 29 February 2024, 13:38:41 UTC |
ed04ccd | Timo Beckers | 05 February 2024, 18:44:14 UTC | link: ignore missing interfaces in DeleteByName This allows surfacing unexpected errors, but ignores interfaces that are already absent. Signed-off-by: Timo Beckers <timo@isovalent.com> | 29 February 2024, 13:38:41 UTC |
77053ae | Fabio Falzoi | 14 February 2024, 14:53:37 UTC | iptables: Read CNI chaining mode from CNI config manager CNI chaining mode option has been moved to the CNI cell in commit 1254bf403f. Since it is not a global config option anymore, iptables manager will not see any change to that value, and its field `CNIChainingMode` will always be an empty string. Thus, with the following config option values: - "enable-endpoint-routes": true - "cni-chaining-mode": "aws-cni" the delivery interface referenced in the rules installed by the manager is "lxc+" instead of "eni+". This commit fixes this by adding a CNI config manager reference to the iptables manager parameters, in order to read the current setting for the chaining mode during rules installation. Fixes: 1254bf403f ("daemon / cni: move to Cell, watch for changes") Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> | 29 February 2024, 10:21:41 UTC |
cd53c4f | Tam Mach | 29 February 2024, 06:12:42 UTC | gateway-api: Correct the null check for GRPRRoute Match The null check for Method should be before the check for Method.Service to avoid NPE. Signed-off-by: Tam Mach <tam.mach@cilium.io> | 29 February 2024, 09:10:04 UTC |
5d3c7c3 | Joe Stringer | 28 February 2024, 18:51:20 UTC | bpf: Fix VTEP drop check Commit a94fa56f6713 ("Fix CIDR to World Entity Conversion Bug") seems to have inadvertently swapped a check for "is not world" to a check for "is world" in order to drop. This has likely broken the VTEP feature. Fix it. Fixes: a94fa56f6713 ("Fix CIDR to World Entity Conversion Bug") Reported-by: Jan Hugo Prins <jhp@jhprins.org> Signed-off-by: Joe Stringer <joe@cilium.io> | 29 February 2024, 06:58:49 UTC |
fe71a4a | David Bimmler | 28 February 2024, 12:21:23 UTC | controlplane: fix mechanism for ensuring watchers I realized that the fix for controlplane tests isn't complete. There is still a (small) race window: The current watch reaction records a watcher as established without "handling" the watch itself, i.e. it lets the default watch reaction actually call 'Watch' on the tracker. This is racy, as things can happen in the window between recording and actually watching. To fix this, add the recording unconditionally in the existing tracker augmentation. Fixes: ba99d74c44 (controlplane: add mechanism to wait for watchers) Signed-off-by: David Bimmler <david.bimmler@isovalent.com> | 28 February 2024, 19:59:31 UTC |
badd092 | André Martins | 23 February 2024, 16:26:48 UTC | endpoint: rename GetMetadataValue to GetPropertyValue During the PR review for d735c5017bd1 it was suggested to change the field name from endpoint.Metadata to endpoint.Properties. Unfortunately, this method was missed during the renaming and this commit sets the right name to it. Fixes: d735c5017bd1 ("introduce 'properties' for endpoints") Signed-off-by: André Martins <andre@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> | 28 February 2024, 15:09:29 UTC |
44bb357 | Gilberto Bertin | 28 February 2024, 09:02:52 UTC | endpoint: use PropertyCEP{Owner,Name} as CEP owner/name if set this will allow alternative implementations to extend the CiliumEndpoint usage Signed-off-by: André Martins <andre@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> | 28 February 2024, 15:09:29 UTC |
f2a0940 | André Martins | 27 February 2024, 15:51:50 UTC | operator: gc: don't GC a CEP if it's not owned by a pod or node to prevent Cilium Operator from garbage collecting CiliumEndpoints that have an owner reference other than a Pod and CiliumNode, we should default to not garbage collect them Signed-off-by: André Martins <andre@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> | 28 February 2024, 15:09:29 UTC |
8bf9fd2 | Tam Mach | 24 February 2024, 11:28:40 UTC | xds: Move MockStream to stream_test.go This commit is to move MockStream struct to stream_test.go as it's only used in unit test. Signed-off-by: Tam Mach <tam.mach@cilium.io> | 28 February 2024, 14:28:39 UTC |
6fee46f | Quentin Monnet | 30 January 2024, 16:18:58 UTC | ci/ipsec: Fix downgrade version retrieval Figuring out the right "previous patch release version number" to downgrade to in print-downgrade-version.sh turns out to be more complex than expected [0][1][2][3]. This commit is an attempt to 1) fix issues with the current script and 2) overall make the script clearer, so we can avoid repeating these mistakes. As for the fixes, there are two things that are not correct with the current version. First, we're trying to validate the existence of the tag to downgrade to, in case the script runs on top of a release preparation commit for which file VERSION has been updated to a value that does not yet contain a corresponding tag. This part of the script is actually OK, but not the way we call it in the IPsec workflow: we use "fetch-tags: true" but "fetch-depth: 0" (the default), and the two are not compatible, a shallow clone results in no tags being fetched. To address this, we retrieve the tag differently: instead of relying on "fetch-tags" from the workflow, we call "git fetch" from the script itself, provided the preconditions are met (we only run it from a Git repository, if the "origin" remote is defined). If the tag exists, either locally or remotely, then we can use it. Otherwise, the script considers that it runs from a release preparation Pull Request, and decrements the patch release number. The second issue is that we would return no value from the script if the patch release is zero. This is to avoid any attempt to find a previous patch release when working on a development branch. However, this logic is incorrect (it comes from a previous version of the script where we would always decrement the patch number). After the first release of a new minor version, it's fine to have a patch number at 0. What we should check instead is whether the version ends with "-dev".
This commit brings additional changes for clarity: more comments, and a better separation between the "get latest patch release" and "get previous stable branch" cases, moving the relevant code to independent functions, plus better argument handling. We also edit the IPsec workflow to add some logs about the version retrieved. The logs should also display the script's error messages, if any, that are printed to stderr. Sample output from the script: VERSION Tag exists Prevous minor Previous patch release 1.14.3 Y v1.13 v1.14.3 1.14.1 Y v1.13 v1.14.1 1.14.0 Y v1.13 v1.14.0 1.14.1-dev N v1.13 <error> 1.15.0-dev N v1.14 <error> 1.13.90 N v1.12 v1.13.89 <- decremented 2.0.0 N <error> <error> 2.0.1 N <error> v2.0.0 <- decremented 2.1.1 N v2.0 v2.1.0 <- decremented [0] 56dfec2f1ac5 ("contrib/scripts: Support patch releases in print-downgrade-version.sh") [1] 4d7902f54a74 ("contrib/scripts: Remove special handling for patch release number 90") [2] 5581963cbf94 ("ci/ipsec: Fix version retrieval for downgrades to closest patch release") [3] 3803f539a740 ("ci/ipsec: Fix downgrade version for release preparation commits") Fixes: 3803f539a740 ("ci/ipsec: Fix downgrade version for release preparation commits") Signed-off-by: Quentin Monnet <quentin@isovalent.com> | 28 February 2024, 14:11:08 UTC |
dd693a7 | Michal Siwinski | 06 February 2024, 15:41:53 UTC | Add Hubble metrics HTTP endpoint status metrics This change introduces two new metrics: * hubble_http_handler_requests_total - counter for requests made to the endpoint, grouped by HTTP status code * hubble_http_handler_request_duration_seconds - histogram of latencies for requests made to the endpoint, grouped by HTTP status code This provides option to measure availability of Hubble metrics endpoint on Hubble side. Although similar functionality might be achieved through using metrics of collectors scraping this endpoint, unavailability measured with that approach includes unavailability of the collector itself, which might not be desired in some cases. Signed-off-by: Michal Siwinski <siwy@google.com> | 28 February 2024, 14:02:54 UTC |
2534006 | Misha Bragin | 28 February 2024, 12:09:49 UTC | Fix netbird name in the description Signed-off-by: Misha Bragin <bangvalo@gmail.com> | 28 February 2024, 14:08:28 UTC |
36006f1 | Misha Bragin | 28 February 2024, 12:08:20 UTC | Add link to the blog post about the usage Signed-off-by: Misha Bragin <bangvalo@gmail.com> | 28 February 2024, 14:08:28 UTC |
2b1a281 | Misha Bragin | 28 February 2024, 12:06:25 UTC | Add further description about usage of Cilium in NetBird Signed-off-by: Misha Bragin <bangvalo@gmail.com> | 28 February 2024, 14:08:28 UTC |
2a7c0de | Misha Bragin | 06 February 2024, 12:47:54 UTC | Add NetBird to the Cilium user list Signed-off-by: Misha Bragin <bangvalo@gmail.com> | 28 February 2024, 14:08:28 UTC |
39637d6 | Marco Iorio | 23 February 2024, 10:17:37 UTC | gha: don't wait for kind clusters to become ready They will never, because no CNI is present at that point. Hence, let's just avoid wasting one minute waiting for the timeout to expire. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 28 February 2024, 13:13:33 UTC |
c442ca5 | Marco Iorio | 22 February 2024, 17:47:21 UTC | renovate: onboard KIND_K8S_IMAGE var and drop kind-config.yaml files Let's make sure that the newly introduced KIND_K8S_IMAGE variable gets automatically updated by renovate. Additionally, the kind configuration files no longer hard-code the kind image, hence they don't need to be automatically renovated anymore. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 28 February 2024, 13:13:33 UTC |
aabdfa7 | Marco Iorio | 22 February 2024, 17:20:43 UTC | gha: migrate workflows to use the global kind-related variables Let's switch all the workflows over to using the globally defined kind-related variables, and remove the workflow specific definitions. This also addresses a few cases which didn't specify any version. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 28 February 2024, 13:13:33 UTC |
394b3de | Marco Iorio | 22 February 2024, 17:15:28 UTC | gha: centralize kind version and image definition in set-env-variables Let's define kind-related variables (i.e., version, k8s image and k8s version) inside the set-env-variables action. Once all consumers will have been migrated through the subsequent commit, this will ensure consistency across workflows, simplify version bumps as well as the introduction of new workflows depending on them. One extra byproduct is that renovate updates will also stop requesting reviews from all the different teams owning each specific workflow. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 28 February 2024, 13:13:33 UTC |
91fc572 | Marco Hofstetter | 15 February 2024, 08:37:12 UTC | ingress/gateway-api: expose Envoy listeners on subset of nodes This commit adds support for exposing L7 Envoy Listeners only on a subset of Cilium Nodes. This only works in combination with the hostnetwork mode. **Configure node labelselector via Helm** * Ingress Controller: `ingressController.hostNetwork.nodes.matchLabels` * Gateway API: `gatewayAPI.hostNetwork.nodes.matchLabels` ``` ingressController: hostNetwork: nodes: matchLabels: role: infra component: ingress ``` An empty selector selects all Nodes and continues to expose the functionality on all Cilium Nodes. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 28 February 2024, 12:27:37 UTC |
72da224 | Marco Hofstetter | 12 February 2024, 13:05:08 UTC | ingress/gateway-api: expose listeners on host network This commit adds support for exposing the L7 Envoy Listeners directly on the host network - and no longer use Kubernetes Services of type `LoadBalancer` or `NodePort`. The listener is exposed on all interfaces (`0.0.0.0` for IPv4 and/or `::` for IPv6). **Enable HostNetwork support via Helm** * Ingress Controller: `ingressController.hostNetwork.enabled=true` * Gateway API: `gatewayAPI.hostNetwork.enabled=true` **Configure listener port** * Shared Ingress: configurable via Helm (`ingressController.hostNetwork.sharedHTTPPort` & `ingressController.hostNetwork.sharedTLSPassthroughPort`) * Dedicated Ingress: configurable via Annotation on the resource `Ingress` (`ingress.cilium.io/http-host-port` & `ingress.cilium.io/tls-passthrough-host-port`) * Gateway API: configurable via `spec.listeners.port` on the resource `Gateway` Be aware that misconfiguration might result in port clashes. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 28 February 2024, 12:27:37 UTC |
3f9e0e9 | Marco Hofstetter | 13 February 2024, 11:16:45 UTC | gateway api: no error if lb service isn't ready yet Currently, the reconciliation of `Gateway` fails with an error if the status of the corresponding loadbalancer service isn't ready. Returning an error leads to an additional reconciliation and logs the error. There are cases (upcoming hostnetwork support) where the status of the loadbalancer service is never set which leads to reconciliation loops. Therefore, with this commit, a missing status no longer results in an error. This should also be enough in all other cases because a reconciliation should be triggered on an update of the loadbalancer service itself. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 28 February 2024, 12:27:37 UTC |
c336bc6 | Marco Hofstetter | 12 February 2024, 12:59:47 UTC | ingress: remove unused parameters from IngressPassthrough Ingestion of a Passthrough listener (`IngressPassthrough`) never uses the parameters `defaultSecretNamespace` and `defaultSecretName`. Therefore, this commit removes these from the function signature. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 28 February 2024, 12:27:37 UTC |