https://github.com/cilium/cilium

Revision Author Date Message Commit Date
091fd40 delme: keep proto=none services 03 August 2021, 12:05:42 UTC
184fda2 delme: enable svc diff by default 03 August 2021, 12:05:42 UTC
7e32ff1 delme: debug printk 03 August 2021, 12:05:41 UTC
250fab8 delme: enable host reachable svcs in dev VM to speed up testing 03 August 2021, 12:05:41 UTC
00c22b1 Differentiate UDP and TCP Protocols in Services Saving protocol information in the lb(x)_key in bpf, as well as adding protocol information to service maps creation in the lbmap package ensures that translation, receiving, and forwarding will always take the protocol into proper account. Refactor cilium to always assume a protocol with a service. Refactor tests to account for service protocols. Update Documentation for kubeproxy-free nodeport example Since the output of cilium service list has changed the documentation should reflect the change. Fixes: #9207 Signed-off-by: Nate Sweet nathanjsweet@pm.me 03 August 2021, 12:05:41 UTC
e6287ba workflows: disable scheduled runs for 1.10 workflows With the current setup, the scheduled runs on 1.10 workflows are testing exactly the same as the regular workflows. Since this doubles the amount and cost of testing for no reason, we disable schedule runs on 1.10 workflows. We can always re-enable them later on when we actually rework them to use the v1.10 branches instead. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 01 August 2021, 04:52:18 UTC
d800789 workflows: fix permissions `contents` permission is required to be able to access the repository with actions/checkout. It worked incidentally because the repo is public but let's make it cleaner. `pull-requests` permission is required to allow retrieving information from the PR API. Likewise, it worked incidentally only because the repo is public. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 01 August 2021, 04:49:37 UTC
cee08cd daemon: Make L2 neighbor discovery configurable. This allows users who do not want cilium populating the neighbor table with the MAC addresses of neighbors cilium might have discovered via its discovery process to opt out of cilium's neighbor discovery mechanisms. Signed-off-by: Ayodele Abejide <abejideayodele@gmail.com> 30 July 2021, 07:14:47 UTC
9210995 ci: Bump ubuntu-next image The bump is to include [1] which is required to properly fix #14956 ("bpf_sock: Detect when running in host netns on Kind"). [1]: https://github.com/torvalds/linux/commit/e8b9eab99232c4e62ada9d7976c80fd5e8118289 Signed-off-by: Martynas Pumputis <m@lambda.lt> 30 July 2021, 07:09:01 UTC
f5c3958 install: Fix README links to getting started guides Fix two issues in the README links for getting started guides: * Bad formatting of the image for the Self-Managed K8s option * Broken links to the docs page for getting started. Link all of the links to the same page, like we do on cilium.io. Fixes: 3662560f8979 ("Add new unified Helm guide") Signed-off-by: Joe Stringer <joe@cilium.io> 30 July 2021, 04:05:39 UTC
7ef59aa config: Fix incorrect packet path with IPsec and endpoint routes When endpoint routes are enabled, we attach a BPF program on the way to the container and add a Linux route to the lxc interface. So when coming from bpf_network with IPsec, we should use that route to go directly to the lxc device and its attached BPF program. In contrast, when endpoint routes are disabled, we run the BPF program for ingress pod policies from cilium_host, via a tail call in bpf_host. Therefore, in that case, we need to jump from bpf_network to cilium_host first, to follow the correct path to the lxc interface.

That's what commit 287f49c2 ("cilium: encryption, fix redirect when endpoint routes enabled") attempted to implement for when endpoint routes are enabled. Its goal was to go directly from bpf_network to the stack in that case, to use the per-endpoint Linux routes to the lxc device. That commit however implements a noop change: ENABLE_ENDPOINT_ROUTES is defined as a per-endpoint setting, but then used in bpf_network, which is not tied to any endpoint. In practice, that means the macro is defined in the ep_config.h header files used by bpf_lxc, whereas bpf_network (from which the macro is used) relies on the node_config.h header file. The fix is therefore simple: we need to define ENABLE_ENDPOINT_ROUTES as a global config, written in node_config.h.

To reproduce the bug and validate the fix, I deploy Cilium on GKE (where endpoint routes are enabled by default) with:

    helm install cilium ./cilium --namespace kube-system \
      --set nodeinit.enabled=true \
      --set nodeinit.reconfigureKubelet=true \
      --set nodeinit.removeCbrBridge=true \
      --set cni.binPath=/home/kubernetes/bin \
      --set gke.enabled=true \
      --set ipam.mode=kubernetes \
      --set nativeRoutingCIDR=$NATIVE_CIDR \
      --set nodeinit.restartPods=true \
      --set image.repository=docker.io/pchaigno/cilium-dev \
      --set image.tag=fix-ipsec-ep-routes \
      --set operator.image.repository=quay.io/cilium/operator \
      --set operator.image.suffix="-ci" \
      --set encryption.enabled=true \
      --set encryption.type=ipsec

I then deployed the below manifest and attempted a curl request from pod client to the service echo-a.

    metadata:
      name: echo-a
      labels:
        name: echo-a
    spec:
      template:
        metadata:
          labels:
            name: echo-a
        spec:
          containers:
          - name: echo-a-container
            env:
            - name: PORT
              value: "8080"
            ports:
            - containerPort: 8080
            image: quay.io/cilium/json-mock:v1.3.0
            imagePullPolicy: IfNotPresent
            readinessProbe:
              timeoutSeconds: 7
              exec:
                command:
                - curl
                - -sS
                - --fail
                - --connect-timeout
                - "5"
                - -o
                - /dev/null
                - localhost:8080
      selector:
        matchLabels:
          name: echo-a
      replicas: 1
    apiVersion: apps/v1
    kind: Deployment
    ---
    metadata:
      name: echo-a
      labels:
        name: echo-a
    spec:
      ports:
      - name: http
        port: 8080
      type: ClusterIP
      selector:
        name: echo-a
    apiVersion: v1
    kind: Service
    ---
    apiVersion: "cilium.io/v2"
    kind: CiliumNetworkPolicy
    metadata:
      name: "l3-rule"
    spec:
      endpointSelector:
        matchLabels:
          name: client
      ingress:
      - fromEndpoints:
        - matchLabels:
            name: echo-a
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: client
      labels:
        name: client
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                - echo-a
            topologyKey: kubernetes.io/hostname
      containers:
      - name: netperf
        args:
        - sleep
        - infinity
        image: cilium/netperf

Fixes: 287f49c2 ("cilium: encryption, fix redirect when endpoint routes enabled") Signed-off-by: Paul Chaignon <paul@cilium.io> 29 July 2021, 22:21:37 UTC
c88244c ipsec: Fix off-by-one error on max SPI We encoded the SPI (aka keyID) on 4 bits [1] in the xfrm and packet marks. The maximum value is therefore 15 and not 16. This commit fixes the check on the maximum keyID value. Note the documentation for IPsec key rotation already has the correct value [2] so there shouldn't be any users with an incorrect keyID. 1 - https://github.com/cilium/cilium/blob/v1.10.1/pkg/datapath/linux/ipsec/ipsec_linux.go#L147-L150 2 - https://docs.cilium.io/en/v1.10/gettingstarted/encryption-ipsec/#key-rotation Fixes: b698972 ("cilium: ipsec, support rolling updates") Signed-off-by: Paul Chaignon <paul@cilium.io> 29 July 2021, 18:11:51 UTC
5726e9f workflows: add external workload conformance test This was ported and adapted from `cilium-cli`. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 29 July 2021, 08:43:49 UTC
94f94e5 operator: misc. refactoring and code removal Add better code comments as well as variable names. Also remove the code handling the GC of CiliumNodes since that is taken care of by Kubernetes, as CiliumNodes have owner references set to the K8s Node. Signed-off-by: André Martins <andre@cilium.io> 29 July 2021, 01:14:09 UTC
b4c85c8 examples: Remove demo example It's using libnetwork which we have stopped supporting. Signed-off-by: Martynas Pumputis <m@lambda.lt> 28 July 2021, 18:36:52 UTC
ef3768a test: Remove tests/ dir The directory is no longer being used. Signed-off-by: Martynas Pumputis <m@lambda.lt> 28 July 2021, 18:36:52 UTC
357cd0c test: Move envoy smoke tests from tests/ Jarno is still using them. Signed-off-by: Martynas Pumputis <m@lambda.lt> 28 July 2021, 18:36:52 UTC
aab86ab test: Move netpol-cyclones to tests/k8sT/manifests The tests/ directory is going to be removed. Signed-off-by: Martynas Pumputis <m@lambda.lt> 28 July 2021, 18:36:52 UTC
6f9b875 hubble/recorder: Be more explicit about mutex This commit documents what fields are now protected by the mutex in `type sink` and updates two usages accordingly, by moving channel operations out of the critical section. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 28 July 2021, 09:25:47 UTC
f8ff051 hubble/recorder: Fix grpc send from concurrent go routine This commit fixes a concurrency issue in the implementation of the Hubble Recorder API. Before this commit, we were sending responses to the client from both the main `Record` function, as well as the `watchRecording` function which was spawned in a separate go routine. However, sending to a grpc.ServerStream from multiple go routines is _not_ safe: https://pkg.go.dev/google.golang.org/grpc#ServerStream It is however safe to have one go routine receive from, and another go routine send to the stream. Therefore, this commit restructures the Hubble Recorder API in such a way that only the `Record` stub ever sends back messages to the client. Receiving is done in a separate go routine which forwards all received messages into a channel, allowing us to select on incoming responses. In addition, this commit hopefully also makes the logic a bit easier to read, as it tries to separate the cleanup of resources and communicating with the client a bit more explicitly. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 28 July 2021, 09:25:47 UTC
ee00c7e hubble/recorder: Improve ergonomics by not closing stats channel Since we have introduced the `Handle.Done` channel, we do not have to signal the shutdown of the sink by closing the statistics channel anymore. Instead, consumers can now wait on the `Handle.Done` channel getting closed. While there are not many benefits in this version of the code, it will make the select statement in a subsequent commit much more readable. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 28 July 2021, 09:25:47 UTC
3a46219 hubble/recorder: Automatically unregister sink when stopped This commit changes the interface of sink.Dispatch from an explicit `RegisterSink`+`UnregisterSink` pair to a `StartSink` call which will unregister itself when it stops due to an error, an expired context, or an explicit stop request. This commit does not introduce any functional changes, it is purely a refactoring. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 28 July 2021, 09:25:47 UTC
b72eacf hubble/recorder: Stop without draining queue Previously, we waited for the recording queue to drain when the client requested a stop. However, because the client has no visibility into the queue (and indeed doesn't even know if there are queued records when they issue a stop request), this does not provide any value to the client. Therefore, this PR changes the semantics of a stop request by immediately initiating a shutdown, instead of waiting for the queue to drain. This ensures that the resulting recording more closely matches the observed statistics at the time when the client issued a stop request. It also simplifies the code a bit. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 28 July 2021, 09:25:47 UTC
eccc712 hubble/recorder: Allow multiple go routines to wait for sink This commit splits the sink's `done chan error` channel (which only allows a single consumer to wait on the sink to finish) into a `chan struct{}` channel and a `lastError error` variable. This enables us to signal that the sink has finished by closing the channel instead of sending a value over it. Closing the channel allows multiple go routines to block on this event via `<-s.done`. The final error value can then be retrieved via `s.err()`. This pattern is very similar to how `context.Context` works. This commit does not yet make use of this functionality. The changes enabled by this will follow in a subsequent commit. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 28 July 2021, 09:25:47 UTC
b22ba5a update v1.11 Upgrade Notes Signed-off-by: Đặng Minh Dũng <dungdm93@live.com> 28 July 2021, 09:25:23 UTC
4638de2 cleanup the cilium helm chart:
  * remove .Values.Capabilities in favor of --kube-version in helm template
  * using `cilium.image` template to unify image render
  * support `priorityClassName` in all components
  * move `hubble-metrics` service & `hubble` ServiceMonitor to a separate file (in hubble folder)
  * make `name` the first attribute of object
  * remove unnecessary parentheses
  * using `nindent` instead of `indent`
  * using `default` and `ternary` instead of `if-else`
  * using `with` instead of `if` when it's possible
  Signed-off-by: Đặng Minh Dũng <dungdm93@live.com> 28 July 2021, 09:25:23 UTC
9abbbbf backporting: Detect only one related commit Recently, the check-stable script has suggested every single possible match for commits where the name does not uniquely identify the commit. This can be a bit confusing to backporters since it looks like there are many commits to backport as part of this PR, but the second and later ones are not necessary to backport.

    * PR: 16589 -- vagrant: Bump all Vagrant box versions (@pchaigno) -- https://github.com/cilium/cilium/pull/16589
      Merge with 1 commit(s) merged at: Tue, 22 Jun 2021 12:36:17 -0700!
      Branch: master (!) refs/pull/16589/head
      ----------   -------------------
      v (start)
      | edf76fb1ef6b58d5ef90b439d54134f314ed086e
        5bef5d77137a9ecc5d3f2b72149307ffdd52cd42
        4dc60e6faf654d7424ee959867a774205b3fed13
        816b3231cdbc39f4bcdd3e6f5b40a056459a478c
        51826b31087496d108044f3bffbf304580fffb4a
        df8238d451d755d5be75e202be89b4f88067c77b
        a4e7bc6c1f0e96078793458b6719b9a3999b89db via fb723f8133c40faa068a5a401f594622668b2753 ("vagrant: Bump all Vagrant box versions")
      v (end)

Probably within the last year of commits, we should be able to correlate the exact commit that needs backporting, so iterate through those to find the exact commit. If none of those are the correct commit, fail out and push back to the backporter to figure out. This allows us to now accurately pick the correct commit in most cases:

    * PR: 16589 -- vagrant: Bump all Vagrant box versions (@pchaigno) -- https://github.com/cilium/cilium/pull/16589
      Merge with 1 commit(s) merged at: Tue, 22 Jun 2021 12:36:17 -0700!
      Branch: master (!) refs/pull/16589/head
      ----------   -------------------
      v (start)
      | edf76fb1ef6b58d5ef90b439d54134f314ed086e via fb723f8133c40faa068a5a401f594622668b2753 ("vagrant: Bump all Vagrant box versions")
      v (end)

Manually tested by substituting a known commit into 'related_commits', and by checking the current v1.8 backports which includes an ambiguous commit due to a revert+reapply in the master branch.

Signed-off-by: Joe Stringer <joe@cilium.io> 28 July 2021, 09:24:54 UTC
3b6172b clustermesh: fix CEP status patch In 0681343309ef15677c9335802bd724500f1d663d (from PR #15632), we changed CEP CRD schema and removed the `status` subresource. This broke clustermesh logic as it was still trying to update CEP using the now removed `status` subresource. In particular, this resulted in a loss of connectivity in clustermeshes with external workloads: the VM could initially join the cluster but would immediately lose connectivity after failing to update the CEP resource (see #16984 for full context). We change the clustermesh logic to adhere to the new CEP update CRD schema. Fixes: 0681343309ef15677c9335802bd724500f1d663d Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 July 2021, 09:24:24 UTC
1a7a8ad build(deps): bump 8398a7/action-slack from 3.9.1 to 3.9.2 Bumps [8398a7/action-slack](https://github.com/8398a7/action-slack) from 3.9.1 to 3.9.2. - [Release notes](https://github.com/8398a7/action-slack/releases) - [Commits](https://github.com/8398a7/action-slack/compare/dcc8c8e9dd8802e21a712dc0c003db97b42efe43...e74cd4e48f4452e8158dc4f8bcfc780ae6203364) --- updated-dependencies: - dependency-name: 8398a7/action-slack dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 27 July 2021, 13:12:28 UTC
dd4f60f policy: Fix derived-from labels Use the "allow-any-ingress" label instead of "allow-localhost-ingress" when allowing all on ingress. Define a new "allow-remotehost-ingress" label and use that when allowing remote hosts instead of "allow-localhost-ingress". Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 27 July 2021, 08:23:27 UTC
951eded docs: Clarify SA target in KPR gsg As reported in [1], we do have the same behavior for service affinity as kube-proxy in iptables and ipvs mode. Document this subtle behavior to make users aware of it. [1]: https://github.com/kubernetes/kubernetes/issues/103000 Reported-by: André Martins <andre@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 27 July 2021, 08:22:41 UTC
a315b45 inctimer: Fix bug where timer fired immediately This fixes a bug where the `IncTimer.After` would fire immediately due to a rare race. See the comment in the diff as to how the race could occur. This commit also adds a unit test which has a high likelihood of triggering the bug in the old code. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 27 July 2021, 08:22:25 UTC
9e3f08f Update stable releases Signed-off-by: Joe Stringer <joe@cilium.io> 27 July 2021, 02:45:37 UTC
059c4f5 vendor: Update k8s dependencies and tests to 1.21.3 Also updates the k8s version for other branches to 1.18.20, 1.19.13, and 1.20.9. Signed-off-by: Chris Tarazi <chris@isovalent.com> 23 July 2021, 22:14:26 UTC
fa00a1b docs: capitalize 'Pod' in 'bandwidth-manager.rst'. Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> 23 July 2021, 19:38:50 UTC
22acd68 docs: improve the bandwidth manager page Attempts to make the "Bandwidth Manager" page more user-friendly by deploying a server pod and a client pod that is guaranteed to not be colocated with the former. Also provides friendlier commands for making the 'netperf' test, as well as to check the status of the bandwidth manager. Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> 23 July 2021, 19:38:50 UTC
9086640 Pass vlan tagged packets back to the kernel stack. VLAN packets will be caught with bpf on the main interface first. We need to pass them back to the kernel stack. The VLAN info/tag will be stripped and the packet will be re-enqueued on the proper interface or dropped. Also we do not need to process VLAN packets on egress, because either we've already processed such packets in case the bpf program is attached to the VLAN interface, or we do not need to process such packets at all otherwise. We will reject all unknown vlan tags for security reasons. By default, only vlan tags of vlan devices controlled by cilium will be allowed. Additional vlan tags may be added using the `vlan-bpf-bypass` option. The '0' tag (i.e. `--vlan-bpf-bypass 0`) can be used to allow all vlan tags without filtering. Fixes: cilium#14579 Signed-off-by: Viktor Kuzmin <kvaster@gmail.com> 23 July 2021, 19:01:31 UTC
090794e Cleanup Azure allocator cloud name detection code Signed-off-by: Vlad Ungureanu <vladu@palantir.com> 23 July 2021, 16:51:09 UTC
189cf7f contrib: Improve release script guard rails * Print help if zero args are provided * Pick up on invalid URLs with a simple regex to avoid failing early * Add the actions URL to the commit and PR messages. Signed-off-by: Joe Stringer <joe@cilium.io> 22 July 2021, 22:24:22 UTC
4814dc3 .gitattributes: Hide Documentation/_static. Treat Documentation/_static and SVG files as binary in git so that when performing a git diff or git grep, it prints just one line diff rather than matching the content of some terse javascript file. This reduces the noise greatly for greps of short strings to instead print the following: $ git grep "\.fo" Binary file Documentation/_static/copybutton.js matches Signed-off-by: Joe Stringer <joe@cilium.io> 22 July 2021, 16:03:15 UTC
a8b3480 Update language on libceph with kubeproxy-free It was not clear if kernel v5.8 has a problem with libceph or if 5.8 fixes the problem. Redo the sentence based on feedback to make it more clear and easy to read. Signed-off-by: Ville Ojamo <bluikko@users.noreply.github.com> 22 July 2021, 15:27:10 UTC
2857b3e install/kubernetes: restrict k8s access for relay It seems relay has no interaction with Kubernetes, and as such, it does not need (cluster)roles/-bindings or a mounted SA token. This prevents attackers from doing nasty stuff on behalf of relay. Fixes: e9cb43c03179 ("Helm: full refactor of helm charts..") Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com> 22 July 2021, 15:26:59 UTC
a615288 test: Remove Services SCTP test case The test case is supposed to test whether the BPF NAT engine doesn't drop packets of a type which it doesn't support (e.g. SCTP). However, recently the test case became flaky. Considering this and the little value the test provides, let's remove the test case. Instead, we should create a BPF unit test for it once it's available (#16862). Signed-off-by: Martynas Pumputis <m@lambda.lt> 22 July 2021, 15:26:39 UTC
9fdbafe Auto discover ipv6-mcast-device if not provided This change enables auto discovery of IPv6 multicast device when `enable-ipv6-ndp=true` but `ipv6-mcast-device` is not configured. It removes the requirement to manually configure `ipv6-mcast-device` Signed-off-by: Sarvesh Rangnekar <sarveshr@google.com> 22 July 2021, 15:26:27 UTC
31176f7 hubble/relay: Fix close of closed channel in unit test This commit fixes #15442 (and variants), where the `done` channel used to indicate completion to the test driver could be closed twice. This happened because at the end of a test, most mock clients will start returning `io.EOF`. Due to #16955, this sometimes caused the peer manager to reconnect immediately and create a new mock client, which would then attempt to re-run the test-logic again. This commit addresses this issue by ensuring that all mock clients within a test share the same state (i.e. the `i` counter and `once` instance). This way, each mock client instance will continue the work of its predecessor instead of replaying the whole test sequence. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 22 July 2021, 11:36:37 UTC
ae37b03 fix cilium-health alias Signed-off-by: LiHui <andrewli@yunify.com> 22 July 2021, 00:04:26 UTC
21fdd5d build(deps): bump aws-actions/configure-aws-credentials Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 1.5.10 to 1.5.11. - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/master/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/v1.5.10...0d9a5be0dceea74e09396820e1e522ba4a110d2f) --- updated-dependencies: - dependency-name: aws-actions/configure-aws-credentials dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 21 July 2021, 15:26:36 UTC
e2eebce hubble/relay: improve error messages on failed peer connection attempts With a dial timeout, the error on failed dialing attempts always ends up being `context deadline exceeded` which helps very little in understanding what the root cause of the failure might be. As of grpc-go v1.30.0+, there is a new gRPC option that is available: `WithReturnConnectionError()`. With this option, we can finally get informative errors instead of `context deadline exceeded`, such as: connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for *.default.hubble-grpc.cilium.io, not localhost" Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 21 July 2021, 15:20:49 UTC
b79ef92 api: re-generate protobuf code The new cilium-builder image now uses protoc v3.17.3 and protoc-gen-go v1.27.1, thus re-generate protobuf code. Note that this means that gRPC v1.32+ is now required. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 21 July 2021, 15:20:49 UTC
3dbd4fb images: update cilium-builder-image Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 21 July 2021, 15:20:49 UTC
68c1011 images/builder: bump protoc to v3.17.3, protoc-gen-go to v1.27.1 Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 21 July 2021, 15:20:49 UTC
92700ee dependabot: allow updating grpc Now that etcd-client v3.5.0 has been merged, there's no reason to block grpc from being updated anymore. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 21 July 2021, 15:20:49 UTC
620009e build(deps): bump KyleMayes/install-llvm-action from 1.4.0 to 1.4.1 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from 1.4.0 to 1.4.1. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/94441eb6f611486ec059130719cca525263ac2be...3c8956ce3469123af1c39125f684835e56ac58ee) --- updated-dependencies: - dependency-name: KyleMayes/install-llvm-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 21 July 2021, 15:14:28 UTC
54afa8c .github: add workflows for stable branches Since `issue_comment` is only triggered in GH workflows of the default branch, we need to add a copy of the conformance GH workflows in the default branch as well. This will allow the conformance tests to be tested against stable branches, which right now only 1.10 has support for. Signed-off-by: André Martins <andre@cilium.io> 21 July 2021, 15:07:58 UTC
434d9f9 .github: add trigger sentence in workflow file This helps developers to know which trigger they can use to retest the l4lb GH workflow. Signed-off-by: André Martins <andre@cilium.io> 21 July 2021, 15:07:58 UTC
eb11c14 bpf: Remove duplicate define from MAX_BASE_OPTIONS It is redundant. Signed-off-by: Chris Tarazi <chris@isovalent.com> 20 July 2021, 23:07:28 UTC
0b881e5 build(deps): bump aws-actions/configure-aws-credentials Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 1.5.10 to 1.5.11. - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/master/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/13d241b293754004c80624b5567555c4a39ffbe3...0d9a5be0dceea74e09396820e1e522ba4a110d2f) --- updated-dependencies: - dependency-name: aws-actions/configure-aws-credentials dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 20 July 2021, 23:05:12 UTC
1b56236 Update stable releases Signed-off-by: Joe Stringer <joe@cilium.io> 20 July 2021, 22:08:54 UTC
ecdf7e3 .github: harden permissions on GH workflows None of the GH workflows need the GITHUB_TOKEN to have write permissions for all scopes. This commit hardens the access values for each GH workflow according to their needs. Fixes: 4286608cba1e (".github: harden permissions on GH workflows") Signed-off-by: André Martins <andre@cilium.io> 20 July 2021, 16:49:01 UTC
901afa5 daemon: log any error returned by RestoreServices() Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 19 July 2021, 17:35:35 UTC
63add91 test/l4lb: do unset useDigest when testing l4lb L4LB tests are executed against the code being submitted in a PR. If `useDigest` is set to true it will use the default digest defined in the helm charts, which in stable branches is the last stable release. Fixes: 673ccd7858ac ("test: Add GH Action for Cilium L4LB XDP tests") Signed-off-by: André Martins <andre@cilium.io> 19 July 2021, 17:32:10 UTC
d354de8 .github: fix codeql GH workflow to only run on push to branch 'master' Fixes: b08f700aff5a ("workflows: Skip jobs instead of workflows") Signed-off-by: André Martins <andre@cilium.io> 19 July 2021, 17:32:10 UTC
4286608 .github: harden permissions on GH workflows None of the GH workflows need the GITHUB_TOKEN to have write permissions for all scopes. This commit hardens the access values for each GH workflow according to their needs. Signed-off-by: André Martins <andre@cilium.io> 19 July 2021, 17:32:10 UTC
6cf9eaa .github: rename aws/eks step accordingly Signed-off-by: André Martins <andre@cilium.io> 19 July 2021, 17:32:10 UTC
b8ad1b0 .github: use Standard_B2s VMs for AKS primary node pool Signed-off-by: André Martins <andre@cilium.io> 19 July 2021, 17:32:10 UTC
caca50f build(deps): bump github.com/google/renameio from 1.0.0 to 1.0.1 Bumps [github.com/google/renameio](https://github.com/google/renameio) from 1.0.0 to 1.0.1. - [Release notes](https://github.com/google/renameio/releases) - [Commits](https://github.com/google/renameio/compare/v1.0.0...v1.0.1) --- updated-dependencies: - dependency-name: github.com/google/renameio dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 19 July 2021, 10:54:32 UTC
1e6b858 Improves the error logs during the bpf maps updating Fixes: #15864 Signed-off-by: El-Fadel Bonfoh <elfadel@accuknox.com> 19 July 2021, 01:09:51 UTC
f8c0dd4 docs, daemon: Allow EndpointSlices to be used with BGP Following the newly implemented support for EndpointSlices in MetalLB v0.10.0 (https://metallb.universe.tf/release-notes/#version-0-10-0). Signed-off-by: Chris Tarazi <chris@isovalent.com> 19 July 2021, 01:06:11 UTC
04b2d7c bgp, watchers: Add support for EndpointSlice Now that we've updated MetalLB to support EndpointSlice, this commit adds the K8s event handling to hook up to the BGP speaker. Signed-off-by: Chris Tarazi <chris@isovalent.com> 19 July 2021, 01:06:11 UTC
87d5602 watchers: Refactor endpoint slice add/update events handling This commit has no functional changes as it moves the add / update event handling to a separate function. A subsequent commit will build upon these separate functions. Signed-off-by: Chris Tarazi <chris@isovalent.com> 19 July 2021, 01:06:11 UTC
55b744b bgp, vendor: Update go.universe.tf/metallb to support EndpointSlices This commit updates MetalLB to v0.10.0 which brings support for EndpointSlices. Previously, we disabled EndpointSlices support in Cilium automatically to maintain compatibility when the user requests to use BGP mode. Signed-off-by: Chris Tarazi <chris@isovalent.com> 19 July 2021, 01:06:11 UTC
678e098 change log level for `lock failed: endpoint is in the process of being removed` Change the log level for `lock failed: endpoint is in the process of being removed` from error to debug Fixes: #16422 Signed-off-by: Akshat Agarwal <akshat@accuknox.com> 19 July 2021, 01:02:34 UTC
c021445 lbmap: fix deletion and recreation logic for maglev maps When a maglev BPF map is initialized, before creating it we check if it already exists, and if its inner map size matches the desired maglev table size ("M" parameter), so that we can delete and recreate it in case of a mismatch. The lbmap.MaglevOuterMapTableSize function is responsible for reporting to the caller if the map already exists and its inner map size. Currently, if the map exists but it's empty, MaglevOuterMapTableSize will incorrectly return false (i.e. "map does not exist"), preventing lbmap.deleteMapIfMNotMatch from deleting it in case of a mismatch with the M parameter. This commit fixes this logic. Fixes: #16844 Fixes: 879f9ebdb8a44ee4d66589c33a73de1f074d7ada Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 19 July 2021, 01:01:34 UTC
5132c54 workflows: send Slack notification on all non-success events `!success()` should be equivalent to (if not broader than) `(cancelled() || failure())`. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 19 July 2021, 00:57:58 UTC
a26f7df workflows: retrieve sysdump on all non-success events `!success()` is broader than `failure()` and notably includes cancel events. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 19 July 2021, 00:57:58 UTC
e88525f build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.6.0 to 1.7.1 Bumps [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) from 1.6.0 to 1.7.1. - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.6.0...v1.7.1) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 19 July 2021, 00:57:13 UTC
6ccec3e .github/workflows: use latest stable cilium-cli release Use the stable.txt file in the cilium-cli repo to always fetch the latest stable release. Suggested-by: Robin Hahling <robin.hahling@gw-computing.net> Signed-off-by: Tobias Klauser <tobias@cilium.io> 18 July 2021, 01:12:56 UTC
2fa891d vendor: bump etcd to v3.5.0 and grpc to v1.39.0 Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 16 July 2021, 11:36:06 UTC
576a647 bpf: rename variables with camel-case names We run checkpatch.pl on the commits touching the bpf/ code, and it complains when edits contain camel-case variable names -- even if they were not introduced by the commit. We could disable this report in the script we use to call checkpatch.pl, but at the same time we _do_ want it to catch the introduction of new camel-case names. Let's fix the existing variable names once and for all, to avoid contributors getting surprised by the reports. The number of variables is rather low: srcID, dstID, localID, remoteID, and newEntries. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 15 July 2021, 22:37:58 UTC
d7eda2d test: reenable check for encryption and direct routing with bpf_host The test was disabled because of issue #12205: When bpf_host was loading on the native device, the source identity of packet on the destination node was resolved to WORLD and policy enforcement would fail. This has now been fixed via #16136, and we can run the test again. Also adjust the conditions for the test, to reflect the changes to surrounding IPSec tests from f1209d02ce3a ("test: Enable IPSec tests on 4.19"). Signed-off-by: Quentin Monnet <quentin@isovalent.com> 15 July 2021, 22:37:43 UTC
23ffda0 Revert "test: Disable host firewall in AutoDirectNodeRoutes test" This reverts commit be4e93ed77c8ec58ae9f61fbff808f746a39a713. Issue #12205 has been fixed via #16136, and the Host Firewall can be used again in the tests. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 15 July 2021, 22:37:43 UTC
556bdc3 pkg/node: add comments for IPLen in getCiliumHostIPsFromFile The usage of IPv6Len for an IPv4 address was not clear. To prevent further confusion this commit adds some clarification for that variable. Signed-off-by: André Martins <andre@cilium.io> 15 July 2021, 22:36:58 UTC
1f5ca48 Update stable releases Signed-off-by: André Martins <andre@cilium.io> 15 July 2021, 17:35:32 UTC
c95f6fd test: Pass container to ExecPodCmdBackground() Add container option to kubectl exec to avoid test failures due to unexpected output like this: s: "could not parse \"Defaulted container \\\"cilium-agent\\\" out of: cilium-agent, clean-cilium-state (init)\" as JSON (line 0 of \"kubectl exec -n kube-system cilium-fsfdb -- hubble observe --follow --output=json --last 1 --type l7 --from-pod 202106040737k8shubbletesthubbleobservetestl7flow/app2-58757b7dd5-4fvh7 --to-namespace 202106040737k8shubbletesthubbleobservetestl7flow --to-label id=app1,zgroup=testapp --protocol http\")", Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 15 July 2021, 12:05:57 UTC
1da68d8 metrics: allow to build on non-unix platforms This package is a transitive dependency in cilium-cli, but currently it fails to build on non-unix platforms (e.g. windows) due to its use of golang.org/x/sys/unix. However, we still want to be able to build it for some of these platforms, see e.g. https://github.com/cilium/cilium-cli/issues/231. Fix the build by moving all unix-specific functionality (i.e. the use of unix.Errno) to a separate file, protected by build tags. Signed-off-by: Tobias Klauser <tobias@cilium.io> 15 July 2021, 12:05:21 UTC
a4123c8 version: allow to build on non-unix platforms This package is a transitive dependency in cilium-cli, but currently it fails to build on non-unix platforms (e.g. windows) due to its use of golang.org/x/sys/unix. However, we still want to be able to build it for some of these platforms, see e.g. https://github.com/cilium/cilium-cli/issues/231. Fix the build by moving all unix-specific functionality (i.e. the Uname call) to a separate file, protected by build tags. Signed-off-by: Tobias Klauser <tobias@cilium.io> 15 July 2021, 12:05:21 UTC
630467b istio: Update to release 1.9.6 Update Cilium Istio integration to Istio release 1.9.6. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 15 July 2021, 12:04:57 UTC
8e9321c test: Fix local runs of K8sUpdates When run locally with the default arguments, K8sUpdates fails because the cilium-operator image for downgrades is downloaded at quay.io/cilium/operator-generic instead of quay.io/cilium/operator-generic-ci. Unfortunately, passing cilium.operator-suffix="-ci" as an argument to ginkgo is not enough because, for local test runs, the image is pushed to k8s1:5000/cilium/operator-generic. This commit fixes those issues and makes "-ci" the default value of cilium.operator-suffix. Signed-off-by: Paul Chaignon <paul@cilium.io> 15 July 2021, 12:03:20 UTC
118af77 test: Fix helper to retrieve tail call counters If the tail call counter was zero (absent) on the first node, the helper function would simply return as if it was absent on all nodes. This commit fixes that bug. Fixes: e9b3844 ("test: Detect missed tail calls on upgrade/downgrade test") Signed-off-by: Paul Chaignon <paul@cilium.io> 15 July 2021, 12:02:29 UTC
77b4d3e fqdn, fqdn/matchpattern, policy/api: use Cilium's fqdn/dns helper package Avoid pulling in github.com/miekg/dns as a transitive dependency for out-of-tree users of the Cilium API, namely github.com/cilium/cilium-cli. Signed-off-by: Tobias Klauser <tobias@cilium.io> 15 July 2021, 12:01:10 UTC
869324c fqdn/dns: new helper package The github.com/cilium/cilium/pkg/fqdn/dns duplicates the IsFqdn and Fqdn functions from github.com/miekg/dns. This allows to avoid a transitive dependency on the latter package for users of the policy API, namely github.com/cilium/cilium-cli. While at it, rename the functions such that they conform to the Go naming standard and also make func FQDN return a lowercase string, as expected by all callers in Cilium code. Signed-off-by: Tobias Klauser <tobias@cilium.io> 15 July 2021, 12:01:10 UTC
507a249 test: Increase service/DNS timeout from 30 to 240 seconds Increase the timeout for service to acquire its backends in hopes the 30 seconds was simply too optimistic in some scenarios. This could avoid test flakes like: Failed to resolve kafka-service DNS entry in pod empire-outpost-8888-544cdcd9b8-72hgl Expected <*errors.errorString | 0xc001e05fd0>: { s: "unable to resolve DNS for service kafka-service in pod empire-outpost-8888-544cdcd9b8-72hgl: 30s timeout expired", } to be nil /home/jenkins/workspace/Cilium-PR-K8s-1.21-kernel-4.9/src/github.com/cilium/cilium/test/k8sT/KafkaPolicies.go:157 In the above case the service did not have any backends yet, even when the backend pod was up and running. Give k8s apiserver a bit more time to converge. "status": { "loadBalancer": {} } Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 15 July 2021, 11:59:51 UTC
fae9f96 docs, bpf: fix code-block for load XDP BPF example On load XDP BPF example section at "BPF and XDP Reference Guide" there are minor formatting issues related to code-block. Thus, this commit fixes these minor formatting issues. Signed-off-by: Claudia J. Kang <claudiajkang@gmail.com> 15 July 2021, 11:57:28 UTC
feb38cf chore: normalize returning of errors in NewDaemon House-keeping PR to ensure similar behavior in the NewDaemon method. After this commit all error conditions are returned if the intent is to fatal the process. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 15 July 2021, 11:56:41 UTC
fb85fee test: do not useDigest in upstream tests Upstream tests should be executed against the code being submitted in a PR. If `useDigest` is set to true it will use the default digest defined in the helm charts, which in stable branches is the last stable release and not the code being submitted in a PR. Fixes: 41f66a1eb4fa (".github: use quay.io images in smoke tests") Signed-off-by: André Martins <andre@cilium.io> 15 July 2021, 00:13:50 UTC
54ae42b pkg/k8s: re-add CiliumIsUp Node condition even if removed If the CiliumIsUp Node condition is removed either by accident or due to a concurrency issue when updating the node from different entities, Cilium is now able to re-add the node condition back to the node again. Fixes: bd34b95a7939 ("pkg/k8s: remove node.cilium.io/agent-not-ready taint from nodes") Signed-off-by: André Martins <andre@cilium.io> 14 July 2021, 21:43:56 UTC
fc6ef4d wip: Add WaitGroup for SelectorCache user notifications Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2021, 12:05:18 UTC
7e91f36 policy: Make selectorcache callbacks lock-free Make IdentitySelectionUpdated() callbacks lock-free by queueing them while still holding selectorcache lock (to keep FIFO order) and calling from a goroutine not holding any locks. This prevents deadlocks caused by the implementation of IdentitySelectionUpdated() taking locks such as endpoint or selectorcache locks. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2021, 12:05:18 UTC
2acf253 move `nodeinit` startup & prestop scripts to separated files Signed-off-by: Đặng Minh Dũng <dungdm93@live.com> 13 July 2021, 23:30:47 UTC
8c49b83 restructure helm chart into components Signed-off-by: Đặng Minh Dũng <dungdm93@live.com> 13 July 2021, 23:30:47 UTC