https://github.com/cilium/cilium

Revision Author Date Message Commit Date
18ea8b8 .github: Override LVH binary with custom one Signed-off-by: Joe Stringer <joe@cilium.io> 25 January 2024, 19:56:16 UTC
f0fe881 Revert ".github: Test LVH PR 152" This reverts commit d79272e064c5fa50db24aeec2504f2aafa3be302. Signed-off-by: Joe Stringer <joe@cilium.io> 25 January 2024, 19:52:10 UTC
d79272e .github: Test LVH PR 152 Signed-off-by: Joe Stringer <joe@cilium.io> 25 January 2024, 18:43:31 UTC
0ea1bc9 docs: Updating Azure CNI chaining as Legacy approach Signed-off-by: Vipul Singh <singhvipul@microsoft.com> 25 January 2024, 14:23:12 UTC
068dc47 ci: update docs-builder Signed-off-by: Cilium Imagebot <noreply@cilium.io> 25 January 2024, 14:28:53 UTC
a388c42 build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/jinja/compare/3.1.2...3.1.3) --- updated-dependencies: - dependency-name: jinja2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> 25 January 2024, 14:28:53 UTC
450a541 bandwidth: Reconciler for qdisc setup Implement the qdisc setup for bandwidth manager using the generic reconciler. The desired state is derived from Table[*Device] using the Derive() helper. Signed-off-by: Jussi Maki <jussi@isovalent.com> 25 January 2024, 14:18:47 UTC
6771737 datapath: move BandwidthManager interface to types To prevent an import cycle from occurring when importing the device table for the bandwidth manager. Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 25 January 2024, 14:18:47 UTC
0388c0e fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> 25 January 2024, 14:04:51 UTC
39a4749 envoy: Bump envoy image to fix SO_REUSEPORT with BPF TPROXY Currently, if BPF TPROXY is enabled (`bpf.tproxy=true`), the BPF socket lookup for the proxy port fails because Envoy's Proxy listener socket is always configured with the socket option `SO_REUSEPORT`. It ignores the fact that port reuse on the Listener socket is explicitly disabled via Envoy Listener API (`enable_reuse_port=false`) if BPF TPROXY is enabled (due to incompatibilities). Therefore, this commit bumps the envoy image to the latest version that doesn't set the socket option `SO_REUSEPORT` on the Listener socket. Relates: cilium/proxy#505 Fixes: #27498 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 25 January 2024, 10:19:52 UTC
5850128 Docs: Adds IPv6 Tunneling Caveat to Networking Concepts Previously, the network concepts doc did not state an IPv4 networking requirement. Therefore, users are safe to assume that tunnel mode is supported for IPv6-only networks. This PR adds the IPv4 network support to the list of tunnel mode requirements. Fixes #30360 Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io> 25 January 2024, 10:10:23 UTC
87d948e Fix quoting in nodeinit temporary cilium config The Cilium nodeinit startup script lays down a temporary CNI config in order to be able to restart a version of containerd that doesn't allow a missing CNI config. This commit fixes an issue with missing double quotes in the temporary config which causes an error in containerd and leads to NotReady Kubernetes nodes. I also considered heredoc or escaping the quote characters but settled on single quoting as I think it's the most readable one line solution without needing to deal with the indentation issue with heredoc Signed-off-by: Tom Cowling <952241+tlcowling@users.noreply.github.com> 25 January 2024, 09:51:48 UTC
4d7902f contrib/scripts: Remove special handling for patch release number 90 In commit 56dfec2f1ac5 ("contrib/scripts: Support patch releases in print-downgrade-version.sh"), we added support to display the previous patch release for a given version number to the print-downgrade-version.sh script. We treated two patch release values as special cases: 0, because this means that we don't have a previous patch release on the branch, and 90, because it used to be a temporary value used during release processes. But as Joe commented, we no longer use this "90" convention, but we use something like vX.Y.Z-dev instead. Let's remove the reference to 90 from the script (and the workflow calling it). Comparing with the commit introducing the special cases in the script, the output remains nearly the same as when it was introduced, only the previous patch release for "1.13.90" naturally turns to "1.13.89" instead of providing an error. VERSION Previous minor Previous patch release 1.14.3 v1.13 v1.14.2 1.14.1 v1.13 v1.14.0 1.14.0 v1.13 <error> 1.14.1-dev v1.13 v1.14.0 1.15.0-dev v1.14 <error> 1.13.90 v1.12 v1.13.89 Reported-by: Joe Stringer <joe@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 25 January 2024, 09:47:27 UTC
a8181cd chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 25 January 2024, 08:48:51 UTC
03e2292 chore(deps): update all lvh-images main Signed-off-by: renovate[bot] <bot@renovateapp.com> 25 January 2024, 08:14:52 UTC
bee02b9 fix(deps): update module github.com/docker/docker to v25 Signed-off-by: renovate[bot] <bot@renovateapp.com> 25 January 2024, 08:14:10 UTC
2742e30 cec: migrate CEC resource parser unit test from checkmate to testify This commit migrates the CEC resource parser unit tests from checkmate to testify. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 24 January 2024, 15:30:17 UTC
65acbb3 cec: retrieve Ingress IPs from LocalNodeStore In case of L7LB, the Cilium Envoy ListenerFilter `BPFMetadata` is configured to use the Ingress IPs (v4/v6) that have been restored from the local Node. Currently, this is done by accessing global functionality provided by the node package. This is the reason why the CEC k8s watch functionality needs the local Node to be properly initialized before starting the reconciliation. This commit uses the already existing dependency to the `LocalNodeStore` to retrieve the Ingress IPs when initializing the `CECResourceParser`. This way, the purpose of the dependency becomes explicit. Note: Because this Ingress IP functionality is only used in case of L7LB (and not in L7 policy enforcement), the function `getListenerFilter` has been duplicated. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 24 January 2024, 15:30:17 UTC
fd2fd10 cec: error messages in lower case This commit refactors the error messages in the resource parser to be lowercase. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 24 January 2024, 15:30:17 UTC
6b79aa1 cec: move CEC resource parser to package pkg/ciliumenvoyconfig Package `pkg/ciliumenvoyconfig` that handles the CRD `CiliumEnvoyConfig` is the user of function `ParseResources` in package `pkg/envoy`. This commit moves the parse logic into package `pkg/ciliumenvoyconfig` and converts it into a struct. Note: The following helper functions were moved to the bottom of the file without any changes: * `qualifyTcpProxyResourceNames` * `qualifyRouteConfigurationResourceNames` Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 24 January 2024, 15:30:17 UTC
17baa6d envoy: move all methods from xDSServer into xds_server.go Currently, `pkg/envoy/ciliumenvoyconfig.go` contains parts of the `xdsServer` (implementing functions related to `resources`) and the "parse logic" that is used when parsing the `CiliumEnvoyConfig`. In preparation to move the parse logic into package `pkg/ciliumenvoyconfig`, this commit moves the `resources` and the following implementing methods of `xdsServer` from `pkg/envoy/ciliumenvoyconfig.go` into `pkg/envoy/xds_server.go`. * `UpsertEnvoyResources` * `UpdateEnvoyResources` * `DeleteEnvoyResources` Note: No changes were made at the actual implementations. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 24 January 2024, 15:30:17 UTC
368cdcc cec: move EnvoyL7LBBackendSyncer to package pkg/ciliumenvoyconfig With the introduction of a dedicated k8s watcher for the CRDS `CiliumEnvoyConfig` and `CiliumClusterwideEnvoyConfig`, the package `pkg/ciliumenvoyconfig` is the only user of the `EnvoyL7LBBackendSyncer`. Hence, let's move the syncer to this package and make it package private. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 24 January 2024, 15:30:17 UTC
537a8be release/bump-readme.sh: Don't overwrite latest -rc with older -pre tag After publishing patch releases, we call bump-readme.rst to update the versions of the latest releases for the different branches in README.rst. For stable branches, this works fine. For the development branch for the next minor release, when it exists (for example: currently, branch v1.15), we may have an issue. The script automatically picks up the latest tag from the main branch, which at this stage should be one of the preview tags created during the development of the oncoming minor release (say "v1.15.0-pre.3"). However, we have already forked the v1.15 branch from main, and we may have created release candidates on that branch (say "v1.15.0-rc.1"), and updated the README.rst with a reference to this release candidate. In such a case, we do not want to overwrite the release candidate tag with an older preview tag. Let's update the script to skip the update when: - the current reference points to a release candidate tag - the tag found in the branch is a preview tag - both tags are for the same minor release - the release candidate tag is newer than the preview tag Signed-off-by: Quentin Monnet <quentin@isovalent.com> 24 January 2024, 15:07:36 UTC
355f2ff test/nat46x64: Use LoadBalancer service type As NodePort services by definition are serviced only from the node's IP addresses we cannot use them in the nat46x64 test with an IP address not assigned to the node, but must instead use LoadBalancer service. This fixes the test failure that was caused by the newly added reconciliation of the NodePort frontends. Signed-off-by: Jussi Maki <jussi@isovalent.com> 24 January 2024, 14:28:55 UTC
fffd98f service: Add reconciler for NodePort frontend addresses When node addresses change we need to synchronize the NodePort frontends. This commit removes the earlier version in device-reloader.go and adds a reconciler to the service package. It also addresses the race with ParseService() by periodically checking that there are no unexpected service frontends. Signed-off-by: Jussi Maki <jussi@isovalent.com> 24 January 2024, 14:28:55 UTC
33c84ca statedb: Add Filter function for filtering iterators Useful in combination with Collect/CollectSet/Map: var iter statedb.Iterator[MyObject] iter = statedb.Filter(iter, func(o MyObject) bool { return o.interesting }) iter = statedb.Map(iter, func(o MyObject) Attr { return o.Attr }) objs := statedb.Collect(iter) Signed-off-by: Jussi Maki <jussi@isovalent.com> 24 January 2024, 14:28:55 UTC
3932a4b bpf: lb: return drop reasons from __lb4_rev_nat() Fix up some ctx_load_bytes() usage to return a drop reason, and not the raw kernel errno. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 24 January 2024, 14:08:25 UTC
db14f4b init well-known identity before new policy repository Fixes: #30051 Signed-off-by: Yingnan Zhang <342144303@qq.com> 24 January 2024, 13:25:48 UTC
09f18fd docs: warn users that IPsec and KPR are mutually exclusive Signed-off-by: Filip Nikolic <oss.filipn@gmail.com> 24 January 2024, 12:52:10 UTC
502ae0b loader: Make loader into cell and provide to hive This commit changes the loader into a cell. The Datapath object depends on it and re-distributes it still (for now). All locations that created a loader now reuse the loader instance from hive. The exception being tests which did not yet use hive. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 24 January 2024, 12:36:40 UTC
fcbed11 loader: Make loader API boundary more explicit This commit unexports all types and functions on the package itself except for the Loader interface. All functions accessed from outside the package now are methods of this interface. This makes the API boundary of the loader package more explicit and easier to reason about and refactor. It is also a first step towards turning the loader package into a module. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 24 January 2024, 12:36:40 UTC
0ba3591 README: Update releases Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 24 January 2024, 12:33:15 UTC
e817812 chore(deps): update hubble cli to v0.13.0 Signed-off-by: renovate[bot] <bot@renovateapp.com> 24 January 2024, 10:07:07 UTC
be4799a iptables: early skip proxy rules install if BPF tproxy enabled Currently, the iptables manager skips installing iptables proxy rules if BPF tproxy support is configured. But it doesn't happen right after entering the method - which potentially leads to the following confusing log output. ``` level=info msg="Adding new proxy port rules for cilium-dns-egress:40223" id=cilium-dns-egress subsys=proxy level=debug msg="Skipping proxy rule install due to BPF support" port=40223 subsys=iptables level=info msg="Iptables proxy rules installed" subsys=iptables ``` `Iptables proxy rules installed` is misleading and should not be logged if we skip the iptables. Therefore, this commit moves the check to the beginning of the method `InstallProxyRules`. This way, only `Skipping proxy rule install due to BPF support` gets logged. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 24 January 2024, 09:05:02 UTC
945ad0c proxy: fix rule deletion if protocol family is unsupported Currently we try to remove IPv6 proxy rules if the IPv6 option is disabled. This is to clean up those rules if a previously running agent has installed them but was restarted with a configuration change. This can fail if the underlying kernel has no IPv6 support. This commit fixes this, by allowing the necessary netlink syscall to fail with EAFNOSUPPORT. Fixes: #29965 Signed-off-by: Robin Gögge <r.goegge@isovalent.com> 24 January 2024, 08:42:06 UTC
8672b82 go.mod: Bump controller-tools fork version to v0.8.0-2 Bump to the newly released version v0.8.0-2 which adds support for kubebuilder XValidation markers. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 24 January 2024, 08:41:50 UTC
64bd97c node-throughput: migrate to upstream k8s perf-tests Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 24 January 2024, 08:40:22 UTC
9ebe3cc scale-test: Update scale-test-actions Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 24 January 2024, 08:40:22 UTC
d09b866 scale-test: Add GCP SSH key Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 24 January 2024, 08:40:22 UTC
5bb67b6 scale-test: remove kops version parameter Let's remove the kops version, as the scale-test-action for creating the cluster depends on the version of kops. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 24 January 2024, 08:40:22 UTC
a8e095e scale-test: change CL2 verbosity to 2 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 24 January 2024, 08:40:22 UTC
3233e6a scale-test: switch to kubernetes/perf-tests Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 24 January 2024, 08:40:22 UTC
4a26b8e scale-test: Disable scraping kube-proxy This removes the need for the hack in https://github.com/cilium/perf-tests/commit/761e51799a7c226f30deb2c25679cd102e8a94cd Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 24 January 2024, 08:40:22 UTC
4fe2fd3 k8s: allow any value that is not "disabled" for service topology mode k8s will support multiple topology types in service annotations: Auto, PreferZone, ProportionalZoneCPU, etc., https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/2433-topology-aware-hints/README.md. So cilium should allow more configurability on the topology mode annotation. The kube-proxy has changed in https://github.com/kubernetes/kubernetes/pull/116522/commits. Signed-off-by: bingshen.wbs <bingshen.wbs@alibaba-inc.com> 24 January 2024, 05:45:32 UTC
9b8f011 bgpv2: adding unit tests for BGP operator Adding BGP operator unit tests using hive dependency injection of various kubernetes resources. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 24 January 2024, 01:15:59 UTC
491a5a5 bgpv2: introducing BGP operator Introducing BGP control plane operator. This operator generates per node CiliumBGPNodeConfig object based on CiliumBGPClusterConfig or CiliumBGPPeeringPolicy. Operator also provides backwards compatibility by creating various BGPv2 objects based on CiliumBGPPeeringPolicy object. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 24 January 2024, 01:15:59 UTC
9912505 bgpv2: introduce flag to enable bgpv2 APIs Introducing helm field and feature flag to enable BGPv2 APIs. This is done so we can safely introduce BGPv2 changes. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 24 January 2024, 01:15:59 UTC
a1ddc6e bgpv2: make CiliumBGPNodeConfig status optional Changing status field in CiliumBGPNodeConfig to optional field. This is done so when we create this resource from the operator, status field is not set. Status field will be set by cilium agent BGP CP component. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 24 January 2024, 01:15:59 UTC
d721b8b daemon/cmd: Updates restoreIPCache() to use errors.Is() Previously, the restoreIPCache() method would return an error on new installs because it was checking for the presence of the "file or dir missing" error but this error was being wrapped by another method in the call tree. This PR updates the restoreIPCache() method to use errors.Is() that reports whether any error in err's tree matches the target and thus reports a nil error on new installs when the "cilium_ipcache" file does not exist. Fixes: #29328 Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io> 23 January 2024, 22:04:04 UTC
0b19d66 CODEOWNERS: pull in sig-wireguard for wireguard-related files Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 23 January 2024, 17:31:02 UTC
0b8cebd reconciler: Benchmark program A simple benchmark program for the generic reconciler. Example run: benchmark % go build . benchmark % ./benchmark -objects=100000 -batchsize=1000 Inserting batch 100/100 ... Waiting for reconciliation to finish ... 100000 objects reconciled in 0.35 seconds (batch size 1000) Throughput 283977.47 objects per second Signed-off-by: Jussi Maki <jussi@isovalent.com> 23 January 2024, 15:07:50 UTC
0123a12 reconciler: Add an example application Example application for showing how to use the reconciler to reconcile set of files on disk ("memos") created through an HTTP API. Signed-off-by: Jussi Maki <jussi@isovalent.com> 23 January 2024, 15:07:50 UTC
89fc604 reconciler: Add statedb reconciler utility This implements a generic utility for reconciling a StateDB table and a target defined as a set of idempotent operations. It implements incremental reconciliation with per-object retries and a periodic full reconciliation (forced per-object update and pruning). A single shared reconciler implementation helps building a more resilient architecture as it centralizes the decisions on how to deal with failures and how to report them. Signed-off-by: Jussi Maki <jussi@isovalent.com> 23 January 2024, 15:07:50 UTC
16bb927 hive: Add Realize to Scope for forcing updates Tests that check that a module status is properly updated incur a 500ms wait. To remedy this, add a Realize() method to Scope that does immediate synchronous realization of the status. Signed-off-by: Jussi Maki <jussi@isovalent.com> 23 January 2024, 15:07:50 UTC
4cb8aa4 gitignore: add files related to direnv This commit modifies gitignore to ignore files related to direnv, which is a developer tool whose files shouldn't be committed into the repository. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> 23 January 2024, 13:39:59 UTC
a603c43 cec: skip L7LB service redirect if no listener resource in CEC With the change from using `Resources` instead of a plain k8s informer for the CEC watcher, any reconciliation error gets logged as error. When the CEC logic redirects a k8s service to a proxy port for L7 loadbalancing, it tries to find the proxy port in any listener if no explicit listener name is defined for the service. If no listener is present, an error gets returned - and gets logged eventually. This breaks the Cilium connectivity tests checking for error messages. This is the case for the shared CiliumEnvoyConfig in the Cilium namespace, if there's no shared Ingress in the cluster. Therefore, this commit changes the behaviour, so that the proxy redirection gets skipped in this case. In addition, an info message gets logged. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 23 January 2024, 13:30:53 UTC
a4b362a k8s: remove afterNodeInit functionality With the removal of the CEC & CCEC from the global k8s watcher, the "afterNodeInit"-functionality is no longer used. Therefore, this commit removes the functionality. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 23 January 2024, 13:30:53 UTC
57889ca k8s watcher: remove dependencies to Proxy & EnvoyBackendSyncer The global `k8swatcher` no longer depends on the `Proxy` and the `EnvoyL7BackendSyncer`. Hence, let's remove the dependencies from the `k8swatcher` and the daemon (`EnvoyL7BackendSyncer` only - as other components initialized by the daemon rely on the `Proxy`). Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 23 January 2024, 13:30:53 UTC
2190094 cec: introduce package pkg/ciliumenvoyconfig This commit moves the extracted logic and Hive Cell from the previous commit into its own package `pkg/ciliumenvoyconfig`. (Split change and move to keep git history). Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 23 January 2024, 13:30:53 UTC
2d08230 cec: extract hive cell for CiliumEnvoyConfig watcher Currently, the k8s watchers for the CRDs `CiliumEnvoyConfig` and `CiliumClusterwideEnvoyConfig` are part of the global k8s watcher in package `pkg/k8s`. This commit extracts the CEC k8s watch logic into its own Hive Cell and uses `Resources` instead of plain k8s informers. In order to keep the existing logic (parsing the resources of the previous CEC resource state), the applied C(C)EC's are stored in a Map (Currently as-is - to keep the existing logic). This is necessary, because the `Resources` no longer provide the "old state" in an update event. In addition, this will be of use for an upcoming future change that will trigger reconciliation of CECs when the labels of the local Node change. Note: The following commit will move the Cell into its own package `pkg/ciliumenvoyconfig` (Keeping as git move). Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 23 January 2024, 13:30:53 UTC
12eb00e k8s: introduce resource.Resource for CiliumEnvoyConfig (&CCEC) This commit introduces k8s Resource for the CRDs `CiliumEnvoyConfig` and `CiliumClusterwideEnvoyConfig`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 23 January 2024, 13:30:53 UTC
eb74664 hive/job: Speed up tests with short rate-limiting and parallelism The tests took 16s before, now down to less than a second. Signed-off-by: Jussi Maki <jussi@isovalent.com> 23 January 2024, 11:40:26 UTC
a3ac7a2 hive/job: Add support for infinite retries for OneShot jobs Allow specifying a negative retry count for infinite retries of OneShot jobs. Signed-off-by: Jussi Maki <jussi@isovalent.com> 23 January 2024, 11:40:26 UTC
d84a650 fix: PromQL syntax on cilium policy query Signed-off-by: Ludovic Ortega <ludovic.ortega@adminafk.fr> 23 January 2024, 11:32:05 UTC
033dac9 USERS.md: Add Sealos to the list of users [Sealos Cloud](https://sealos.io) switched our CNI to Cilium early on, we would like to appear in the list of satisfied users. Signed-off-by: Carson Yang <yangchuansheng33@gmail.com> 23 January 2024, 10:18:55 UTC
5b04e08 Fix unchecked error in datapath/linux/ipsec Ensure errs are checked for the calls below: - deleteNodeIPSecOutRoute - replaceNodeIPSecOutRoute Signed-off-by: Fernand Galiana <fernand.galiana@isovalent.com> 23 January 2024, 10:16:55 UTC
63e2676 Pod MAC Address Specification Fixes: #22119 Specify the MAC address of the pod in the annotation, store the MAC address in the endpoint, and then cilium-cni obtains the specified MAC address by querying the endpoint and sets the MAC address of the interface inside the pod. Signed-off-by: chaunceyjiang <chaunceyjiang@gmail.com> 23 January 2024, 09:26:28 UTC
000edce Encryption status refactored. Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> 23 January 2024, 08:03:29 UTC
7cdadbc OpenAPI spec updated and used for encrypt status. Global variable `countErrors` converted to the function local. Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> 23 January 2024, 08:03:29 UTC
f299dc1 IPsec encrypt status JSON output implementation. Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> 23 January 2024, 08:03:29 UTC
7fcdb47 policy: Move Listener from L4Filter to PerSelectorPolicy Allow different selectors on the same L4Filter to use different Envoy Listeners. This relaxes the policy import (L4Filter merge) logic by only failing out if there is a Listener conflict on the same cached selector. This change is needed to allow different Envoy Listeners to be applied on traffic on the same port, depending on the destination (for an egress policy). Consequently, we must handle conflicting proxy ports on the same MapState key, originating from different selectors selecting the same remote identity. We do this with a new optional Listener priority value. Listener priority, if not specified, or for redirects for which an explicit listener name is not given, defaults to the value of the proxy port itself. This serves as a tie-breaking rule so that the redirection is deterministic also in cases where a policy with a listener reference and a CNP L7 policy on different selectors then happen to select the same identities. The proxy port value is also used as a tie-breaker when the same identity is selected by two different selectors on different rules that specify different listeners but with the same priority. While this is an arbitrary choice, it is better than allowing the selected listener to vary depending on rule insertion order, or the random Go map iteration order when generating the map state. By convention proxy port values are between 10000-20000, so defining any (allowed) priority value gives precedence to that listener reference against listener references without an explicit priority. Use MapState.Diff to report the difference between the obtained and expected MapState on test failures. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 22 January 2024, 20:06:39 UTC
02c6fcd policy: Look up proxy port when creating mapstate entries Populate mapstate entries with the actual proxy redirection port number when creating MapState entries. New redirects may not be realized at the point when new identities related to them are first accumulated. Thus the accumulated MapChanges may still use an invalid proxy port internally, but that is resolved before exposing the accumulated mapstate to the endpoint package via ConsumeMapChanges. Endpoint.realizedRedirects map now holds zero valued redirect ports for Istio sidecars, so that the lookup can be made without taking endpoint's mutex (without using Endpoint.hasSidecarProxy). Zero valued redirects are not created or removed from the proxy package. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 22 January 2024, 20:06:39 UTC
c49b976 endpoint: Make realizedRedirects lockless Endpoint's realizedRedirects is used to look up a proxy port for a redirect during policy map updates. Make access to it lockless by storing an atomic pointer to the map, and considering the stored map immutable. The set of realized redirects initially starts empty, and all required (desired) redirects are added to it. After that the unwanted redirects are removed by comparing the old realized redirects and the new desired redirects. After this the desired redirects becomes the new realized redirects. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 22 January 2024, 20:06:39 UTC
49da4b6 endpoint: Add listener to proxyID Add listener to the proxyID. This is needed so that different listeners can be supported on the same port, for different destinations/sources. The listener name also needs to be passed on via policy.MapStateEntry. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 22 January 2024, 20:06:39 UTC
76b2a52 endpoint: Add proxy port to proxy stats key Proxy stats contains the destination port of redirected traffic. When a single port can be redirected to multiple listeners, depending on the destination (or source), their stats entries need to be kept separate. One way of doing this is to add the proxy port to the proxy stats key. Proxy port is wired through the ProxyId field in the cilium.bpf_metadata filter config, and will be carried over to the access log messages from there. Proxy stats are endpoint specific, so the endpoint id need not be in proxy stats key. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 22 January 2024, 20:06:39 UTC
8682cdf Refactor: Pre allocate slices where applicable To avoid unnecessary GC churn ensure slices are pre allocated. Signed-off-by: Fernand Galiana <fernand.galiana@isovalent.com> 22 January 2024, 16:11:51 UTC
bf144bb Fix typo in datapath/linux/ipsec.go previousa -> previous Signed-off-by: Fernand Galiana <fernand.galiana@isovalent.com> 22 January 2024, 16:11:51 UTC
ab4b7b0 Dry up ip validation check Validate Ipv4/Ipv6 was replicated across several calls. Introduce helper to perform the checks to a single location. Signed-off-by: Fernand Galiana <fernand.galiana@isovalent.com> 22 January 2024, 16:11:51 UTC
5eee9de linux/node: don't run validation functions if not yet initialized The Node{Add,Update,Delete} functions of the linux node handler are already guarded in order not to execute the underlying logic if the node subsystem is not yet fully initialized. Once initialized, all updates are then automatically replayed. Yet, this does not apply to the NodeValidateImplementation and AllNodeValidateImplementation functions, which can also be invoked asynchronously, leading to a panic if not fully initialized (even without panicking, we would be enforcing an incorrect configuration, possibly disrupting existing connections): github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).nodeUpdate(0xc0022be1a0, 0x0, 0xc001936480, 0x0) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:1030 +0x142d github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).NodeValidateImplementation(_, {{0xc000f10720, 0x1b}, {0xc00068b2d8, 0x13}, {0xc000d6a3c0, 0x4, 0x4}, 0xc0005fc0e8, {0x0, ...}, ...}) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:1337 +0xc8 github.com/cilium/cilium/pkg/node/manager.(*manager).backgroundSync.func1({0x4019e80, 0xc0022be1a0}) /go/src/github.com/cilium/cilium/pkg/node/manager/manager.go:342 +0x9a github.com/cilium/cilium/pkg/node/manager.(*manager).Iter(0x3251f40?, 0xc001f0bdb8) /go/src/github.com/cilium/cilium/pkg/node/manager/manager.go:174 +0xdb github.com/cilium/cilium/pkg/node/manager.(*manager).backgroundSync(0xc00083c460, {0x400c390, 0xc00135b630}) /go/src/github.com/cilium/cilium/pkg/node/manager/manager.go:341 +0x4ab github.com/cilium/workerpool.(*WorkerPool).run.func1() Let's fix this by also checking the initialization status there. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 22 January 2024, 16:10:05 UTC
04044c3 bgpv1: remove references to advertisement from CiliumBGPPeeringPolicy Advertisement field got introduced into CiliumBGPFamily type when adding v2 APIs. This field is only required in new CiliumBGPPeerConfig structures. This change removes advertisement from CiliumBGPFamily and introduces new type CiliumBGPFamilyWithAdverts which will be used in v2 APIs. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 22 January 2024, 16:09:04 UTC
5cdd325 bpf: ct: make ct_state parameter optional for CT lookup Some callers don't care about any detailed information from the CT lookup. Allow them to just pass NULL and remove the placeholder struct. Also extract a helper to copy the information from ct_entry to ct_struct. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 January 2024, 15:21:42 UTC
5322af5 bpf: ct: make ct_state parameter optional for ct_create*() Some callers don't want to pass any detailed information. Allow them to just pass NULL and remove the placeholder struct. Also extract a shared helper to copy the information from ct_state to ct_entry. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 January 2024, 15:21:42 UTC
bcd8e58 bpf: ct: pass {proxy_redirect, from_l7lb} via ct_state to ct_create*() ct_create*() takes a ct_state struct to pass detailed information about the desired CT entry. As the ct_state already has flags for .proxy_redirect and .from_l7lb, use them to replace two redundant bool parameters. Note that this introduces a few additional explicit initializations of the fields in ct_state, and we can potentially avoid some of them. But this in-detail investigation is best done in a later patch. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 January 2024, 15:21:42 UTC
a6bfb79 hubble: add support for TRACE_REASON_SRV6_{ENCAP,DECAP} Consider encap/decap as egress/ingress (respectively) and both as unknown reply ct status. Signed-off-by: Alexandre Perrin <alex@isovalent.com> 22 January 2024, 14:19:21 UTC
2de0fea srv6,bpf: add srv6 related trace reasons Include a trace reason for SRv6 encapsulation and decapsulation. This greatly improves the debugging process, indicating whether SRv6 VPN related packets are processed by our datapath. Signed-off-by: ldelossa <louis.delos@gmail.com> 22 January 2024, 14:19:21 UTC
b09561c srv6,bpf: rename egress_policies.h to srv6.h The only functions left in egress_policies.h are SRv6 related. Let's rename this to 'srv6.h' and update references to the old file name. Signed-off-by: ldelossa <louis.delos@gmail.com> 22 January 2024, 14:19:21 UTC
85abef4 eni: sync AWS instance type info periodically With this change, we will periodically sync ENI limits using EC2 API. This will help dynamically update the ENI limits when a new AWS instance is launched without needing to restart cilium. Fixes #28424 Signed-off-by: Anish Shah <anishshah@google.com> 22 January 2024, 13:15:54 UTC
5a57f68 eni: unit tests to ensure ENI limits update via EC2 API. This commit refactors the limits package. Instead of passing the ec2Client struct, we define an interface containing the GetInstanceTypes EC2 API method. This allows us to write unit tests for this function using EC2 mock API client. Signed-off-by: Anish Shah <anishshah@google.com> 22 January 2024, 13:15:54 UTC
918e47b bpf: egressgw: handle missing L2 resolution in from-overlay With a previous patch, egress_gw_fib_lookup_and_redirect() now potentially doesn't redirect the packet, and just returns CTX_ACT_OK instead. Handle this by forwarding the packet to the stack, as was done prior to 9c1d1defb8ba ("egressgateway: Redirect from bpf_overlay to egress gw SNAT netdev"). Ideally this happens just once per connection - the pass through the stack should trigger a fresh ARP resolution, and subsequent traffic can obtain an L2 resolution from the FIB lookup. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 January 2024, 12:54:15 UTC
e2760e6 bpf: egressgw: tolerate missing L2 resolution on FIB lookup When egress_gw_fib_lookup_and_redirect() in to-netdev selects the final egress interface for a packet (based on its desired EgressIP), the FIB lookup potentially returns BPF_FIB_LKUP_RET_NO_NEIGH. For 5.10+ kernels this is gracefully handled in fib_do_redirect() by redirecting to the neigh subsystem. But for older kernels we have no possibility to fall back to the NEIGH map, and the packet would just get dropped with DROP_NO_FIB / BPF_FIB_MAP_NO_NEIGH. Have egress_gw_fib_lookup_and_redirect() catch this case, and just let the packet continue on the current egress interface. Users that strictly require the *correct* egress interface need to run a 5.10+ kernel. We'll update the relevant code in from-overlay with a subsequent patch. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 January 2024, 12:54:15 UTC
bc65ca3 bpf: complexity-tests: enable EgressGW for bpf-overlay Commit 9c1d1defb8ba ("egressgateway: Redirect from bpf_overlay to egress gw SNAT netdev") introduced some EgressGW code into bpf_overlay. Cover it in the complexity configs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 January 2024, 12:54:15 UTC
00b1e5e l2announcer: Retry getting lease after losing it Once a service gets selected we start leader election. However, if we lose the lease for some reason, we don't retry getting it until the service is deselected and reselected, recreated or the agent restarts. This commit surrounds the lease leader election logic with a loop that ends when the context is cancelled. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 22 January 2024, 11:16:13 UTC
1ab043d bpf: overlay: restore bpf_clear_meta() in from-overlay Prior to 8ea31e07de2f ("bpf: Decapsulate traffic encapsulated with pod IPs") we were clearing the skb->cb on entry of from-overlay. For hs-ipcache this wasn't possible anymore, as from-netdev manually strips the tunnel encap and transfers its content via skb->cb. But we should still clear the skb->cb when hs-ipcache is disabled, and thus avoid handling stale data. Reported-by: Gray Lian <gray.liang@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 January 2024, 10:16:08 UTC
3e09aa1 Add ServiceMonitor config for Agent Envoy when enabled This commit adds Prometheus config to scrape Envoy metrics from the Envoy port (default 9964) on the Agent when Envoy is enabled. It uses the newer `.Values.envoy` section of the Helm chart, as we want to emphasize using that config regardless of where Envoy is running (in-agent or in a separate Daemonset). Signed-off-by: Nick Young <nick@isovalent.com> 22 January 2024, 09:27:01 UTC
5a0698c dockerfile: define Envoy image using ARG Move the cilium-envoy image reference to an ARG so that it can be overridden via build-args. This allows overrides using mirrored images for instance and is useful in build environments without Internet access as well as avoiding API throttling on public registries. Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com> 20 January 2024, 13:01:23 UTC
b20038e gha: explicitly specify beefier runner type for clustermesh workflows Clustermesh workflows need to setup two multi-node kind clusters, which don't fit well in the default GH runners (2 vCPU and 7GiB of RAM). Although GitHub recently upgraded [1] the default runners for OSS projects to 4 vCPU and 16GiB of RAM, let's still make it explicit that these workflows actually need that amount of power to run seamlessly. [1]: https://github.blog/2024-01-17-github-hosted-runners-double-the-power-for-open-source/ Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 19 January 2024, 15:03:59 UTC
8609c5f makefile: make kind clustermesh clusters dual stack Create the clustermesh kind clusters as dual stack, and configure Cilium to enable both IP families, to simplify testing IPv6-related changes and features. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 19 January 2024, 10:14:06 UTC
fb4e560 helm: Add extraVolumeMounts to config init container Signed-off-by: Andrii Iuspin <andrii.iuspin@isovalent.com> 19 January 2024, 09:52:17 UTC
8180cac doc: Add Azure CNI Powered by cilium as external installer Added a doc to update installation instructions of cilium via Azure CNI Powered by Cilium AKS cluster. Added a page to describe delegated ipam. Signed-off-by: Tamilmani <tamanoha@microsoft.com> 19 January 2024, 09:48:00 UTC
7e3b41b api: Promote field_mask from experimental to stable Also deprecated experimental field_mask option Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> 18 January 2024, 18:51:59 UTC