https://github.com/cilium/cilium

Revision Author Date Message Commit Date
710d756 ci-ipsec-upgrade: run no-unexpected-packet-drops for patch downgrades Currently we disable the no-unexpected-packet-drops test because for 1.11 the necessary APIs are missing to execute that test. Because the flag is unconditionally set, this applies to downgrades between patch AND minor versions. However, it should only apply to minor (1.12 -> 1.11) downgrades. On downgrades between patch versions (1.12.x -> 1.12.y) we should run this test and allowlist certain reasons that are known to fail. Signed-off-by: Robin Gögge <r.goegge@isovalent.com> 22 January 2024, 13:54:58 UTC
d15bbc3 install: Update image digests for v1.12.18 Generated from https://github.com/cilium/cilium/actions/runs/7570608537. ## Docker Manifests ### cilium `docker.io/cilium/cilium:v1.12.18@sha256:71218d52b2b9a63525e31e9be716810605696cbc02008e658953212f638d6b6b` `quay.io/cilium/cilium:v1.12.18@sha256:71218d52b2b9a63525e31e9be716810605696cbc02008e658953212f638d6b6b` ### clustermesh-apiserver `docker.io/cilium/clustermesh-apiserver:v1.12.18@sha256:237371c5e75c97389b81b5e44b6d39fd141e631efacf93fabafa6efa5174fa3a` `quay.io/cilium/clustermesh-apiserver:v1.12.18@sha256:237371c5e75c97389b81b5e44b6d39fd141e631efacf93fabafa6efa5174fa3a` ### docker-plugin `docker.io/cilium/docker-plugin:v1.12.18@sha256:f5e566a68c023aedfe34794377615f25be08a0d02a1f36ba514a5c1e130b75ae` `quay.io/cilium/docker-plugin:v1.12.18@sha256:f5e566a68c023aedfe34794377615f25be08a0d02a1f36ba514a5c1e130b75ae` ### hubble-relay `docker.io/cilium/hubble-relay:v1.12.18@sha256:c82cc7843cbc13314fdc3e0c1e8e584200ca30d9afefbbaaf7a3abb4e1246083` `quay.io/cilium/hubble-relay:v1.12.18@sha256:c82cc7843cbc13314fdc3e0c1e8e584200ca30d9afefbbaaf7a3abb4e1246083` ### operator-alibabacloud `docker.io/cilium/operator-alibabacloud:v1.12.18@sha256:1fa4cb0a255d45080c35d4fd92adb68700c864669d58ce396e18aa57488fc4fb` `quay.io/cilium/operator-alibabacloud:v1.12.18@sha256:1fa4cb0a255d45080c35d4fd92adb68700c864669d58ce396e18aa57488fc4fb` ### operator-aws `docker.io/cilium/operator-aws:v1.12.18@sha256:b106b24c317ba95d16ad55fa81c9058ccc5a5961c40afaa504eb28cd29d88422` `quay.io/cilium/operator-aws:v1.12.18@sha256:b106b24c317ba95d16ad55fa81c9058ccc5a5961c40afaa504eb28cd29d88422` ### operator-azure `docker.io/cilium/operator-azure:v1.12.18@sha256:c44725a1c55d06b02334cb226544e810f4070e524c3d859df41a48135fc7ec98` `quay.io/cilium/operator-azure:v1.12.18@sha256:c44725a1c55d06b02334cb226544e810f4070e524c3d859df41a48135fc7ec98` ### operator-generic `docker.io/cilium/operator-generic:v1.12.18@sha256:ac9b8a95d6faddacc1bca4145562c5143543dfbbc41b244383b52b8be83238ab` `quay.io/cilium/operator-generic:v1.12.18@sha256:ac9b8a95d6faddacc1bca4145562c5143543dfbbc41b244383b52b8be83238ab` ### operator `docker.io/cilium/operator:v1.12.18@sha256:b1b230432c7035f64eb54927e90c195613dce73a5c28810fa8cca2ca6c1418d0` `quay.io/cilium/operator:v1.12.18@sha256:b1b230432c7035f64eb54927e90c195613dce73a5c28810fa8cca2ca6c1418d0` Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 18 January 2024, 14:50:30 UTC
04ea620 Prepare for release v1.12.18 Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 18 January 2024, 12:04:11 UTC
a8fc017 option: Add --dnsproxy-enable-transparent-mode (default false) [ upstream commit 35162d1fb57c6aaeb8a57d3ec866625f1a2838b5 ] Add dnsproxy-enable-transparent-mode option to enable DNS Proxy transparent mode. If 'true', Cilium DNS proxy will use the original source address of the source pod in the forwarded DNS requests. Local host sources and destinations are excepted due to networking stack compatibility reasons, but the use of the original address is typically not significant for node local traffic. Defaults to 'false' for backwards compatibility for upgrades, or to 'true' for Cilium 1.12 onwards. Transparent mode is not compatible with CNI chaining modes, so if CNI chaining is used, transparent mode will not be set unless explicitly set with helm value 'dnsProxy.enableTransparentMode=true'. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 16 January 2024, 11:49:49 UTC
1cb258d dnsproxy: Do not use original source when not possible [ upstream commit 824e969f26d8bc68ee1a00cddbe25c29a876544c ] Do not use original source for server running in the local node, or when the destination is outside of the cluster, as there is a risk of missing masquerade on the upstream connection. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 16 January 2024, 11:49:49 UTC
0540515 dnsproxy: Use original source address in connections to dns servers [ upstream commit 94f6553f5b79383b561e8630bdf40bd824769ede ] Set transparent, reuseaddr, and reuseport options and use the original source address on connections from DNS proxy to DNS servers to allow use of non-local source address as well as recreate sockets on the same 5-tuple without needing to wait for the TCP TIME_WAIT to finish. Use the MagicMarkEgress mark on connections to the dns servers instead of the generic MagicMarkIdentity. Use original source address in connections to dns servers when the source address is not one of the host IPs. The original source address and port can not be reused if there is already a socket with them to the same destination on the same networking namespace. Use new dns.SharedClients to reuse DNS clients between all requests that originate from the same source address and port. This allows multiple different requests to be pending at the same time on the same dns Client, which happens whenever the source pod sends multiple DNS requests from the same resolver invocation, e.g., for A and AAAA records. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 16 January 2024, 11:49:49 UTC
e29c57a workflows: Increase IPsec e2e test's timeout [ upstream commit 680b0d11591c31988ba576150486bd9294c5e589 ] Bump the timeout to fix cancelled test runs that have started to pop up in CI. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 January 2024, 11:21:37 UTC
396ae77 fix(deps): update module golang.org/x/crypto to v0.17.0 [security] [ upstream commit 4ad57189e6e979669c7993995e73eac84179663c ] Signed-off-by: renovate[bot] <bot@renovateapp.com> 15 January 2024, 08:51:59 UTC
8b4e028 iptables: remove logic to control non-existent net.ipv6.ip_early_demux [ upstream commit 0cdfe30ce656ad06bebe19b2ab50890f127f7844 ] Early demux for both IP protocols is controlled by the IPv4 sysctl. Trying to control net.ipv6.ip_early_demux would just result in awkward error scenarios. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 15 January 2024, 08:51:59 UTC
9234e10 conn-disrupt: Allowlist CT buffer drops Commit 94ec45a6bdcc ("bpf: unconditionally migrate cilium_calls_* maps during ELF load") in main fixed a set of packet drops that can happen during a short time on agent restarts. Now that our CI is more sensitive to such drops, we are noticing them on all stable branches. Unfortunately, the fix is too invasive to confidently backport to v1.12. Instead, this commit allowlists the CT buffer drops we are seeing in CI. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 15 January 2024, 08:09:16 UTC
0baecff workflow/ipsec-e2e: Bump CLI to v0.15.19 Commit 3f72764830f4 already bumped the CLI to v0.15.19 for several workflows. For some reason, I skipped the update for the IPsec end-to-end test, even though we need this to be able to skip a bunch of expected packet drops and XFRM errors. This commit therefore bumps the CLI to v0.15.19 for that workflow. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 14 January 2024, 12:12:09 UTC
e83e21a complexity-tests: add bpf_network configuration [ upstream commit e95f2e0ed8839e4b77343a97532484d461138139 ] [ backporter's note: - Makefile target structure is different between v1.12 and main. Took the v1.12's structure. - TRACE_NOTIFY is already defined in the bpf_align_checker.c. Avoid redefining it. - verifier_test.go doesn't exist on v1.12 branch. Removed it. ] Add an initial bpf_network configuration. The defines are taken from a sysdump for a failing CI run that seems to exhibit verifier problems. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 11 January 2024, 10:42:21 UTC
7c2ace9 ipsec: ensure all trace events are discarded when mon. agg. is enabled [ upstream commit a495abda8528b8a07796dc1ff9f159bc0c64c028 ] [ backporter's note: Upstream calls do_netdev_encrypt_encap instead of wrapping it with do_netdev_encrypt. Use do_netdev_encrypt. ] This commit modifies calls to `send_trace_notify` in the datapath to drop trace events related to encrypted packets when monitor aggregation is enabled. More specifically, this commit ensures that whenever `send_trace_notify` is called with a `trace_reason` of `TRACE_REASON_ENCRYPTED`, the `monitor` argument is set to zero. A Coccinelle script is provided in this commit to add a build-time check for this requirement moving forward. This change helps to reduce the overall CPU usage of Cilium Agents when IPSec encryption is enabled, by reducing the number of trace events emitted by the datapath. Normally monitor aggregation can be used in order to reduce the number of trace events, however IPSec-related trace events are not able to be aggregated since they lack the necessary connection tracking information. See the function `emit_trace_notify` in `bpf/lib/trace.h` for more information. This same change was applied in `bpf/bpf_lxc.c` in commit 3e52822. Thank you to Lorenz who added a workaround for passing the verifier with Clang 10. See also: cilium/cilium#27168 Co-authored-by: Lorenz Bauer <lmb@isovalent.com> Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 11 January 2024, 10:42:21 UTC
d525bab bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() [ upstream commit 0d35af07d21178e267f136ce1f2184983399217b ] To make it easy for callers, ipv4_handle_fragmentation() should always return a DROP_* reason on error. But for errors from l4_load_ports() we're currently just propagating those raw errors back. Return a drop reason instead. This also makes us consistent with the non-fragment path in ipv4_load_l4_ports(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 11 January 2024, 10:42:21 UTC
db2b8b2 preflight: fix overriding node name env variable [ upstream commit 23ef3c0190f3da4f151398749b66a36ae76384ea ] Cilium-agent is overriding K8S_NODE_NAME env variable based on node name. Cilium-preflight was not overriding it so in case that hostname did not match node name, preflight was stuck waiting for node information. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 11 January 2024, 10:42:21 UTC
448f701 Helm: Automount Init Container Resources [ upstream commit 2c7c69d4189a39167e9225d8e8ad703fdf162964 ] [ backporter's note: Regenerate helm-value docs and fix minor conflict in the word list. ] This patch adds the option to configure the resources of the init container automounting the cgroups. Signed-off-by: Sven Haardiek <sven.haardiek@uni-muenster.de> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 11 January 2024, 10:42:21 UTC
3f72764 chore(deps): update dependency cilium/cilium-cli to v0.15.19 [ upstream commit 2f1b3756c8b89b86e5abba8f11d490672d03ada9 ] [ backporter's notes: Many trivial conflicts due to workflows using older CLI versions. For the downgrade test to v1.11 in the IPsec workflow, we need to skip checking packet drops because the CLI doesn't support the v1.11 API to retrieve those. ] Signed-off-by: renovate[bot] <bot@renovateapp.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 10 January 2024, 11:12:37 UTC
be672e7 ipam: Fix invalid PodCIDR in CiliumNode in ENI/Azure/MultiPool mode [ upstream commit 15685580c9a44a7831f7c5ffc6185a0293f53e3b ] This commit fixes an issue where Cilium-Agent would announce its internal auto-generated IPv4/IPv6AllocRange by writing it into the local CiliumNode resource. Cilium-Agents IPv4/IPv6AllocRange is Cilium's internal representation of the local node's PodCIDR. The concept of a single allocation CIDR however is outdated, since in many IPAM modes (ENI, Azure, AlibabaCloud, MultiPool) there either is no PodCIDR to begin with (and pod IPs are allocated using a different scheme), or there are multiple PodCIDRs (in the case of MultiPool). Before this commit, cilium-agent used to copy its internal PodCIDR into the CiliumNode resource, but this behavior is only correct in Kubernetes IPAM mode. In Kubernetes IPAM mode, the IPv4/IPv6AllocRange is taken from the Kubernetes Node resource, and thus it makes sense to announce it to other cilium-agent instances via the CiliumNode resource. This field then is for example used by `auto-direct-node-routes` to install routes for direct routing mode. However, in all other IPAM modes that we have, copying the internal PodCIDR into the CiliumNode resource does not make sense: - In ClusterPool mode, the CiliumNode PodCIDR field is populated by cilium-operator. Therefore, we should not try to overwrite it ourselves. This behavior is unchanged by this commit. - In all other current IPAM modes, the CiliumNode PodCIDR field is not used. Instead we use fields specific to those IPAM modes (c.f. CiliumNode.Spec.IPAM). In those modes, the previous code therefore wrote an auto-generated, but otherwise valid IPv4/IPv6AllocRange into the field. That auto-generated PodCIDR is not used for pod IP allocation in those modes, so it does not make sense to announce it either. The announced auto-generated PodCIDR is causing issues in IPAM MultiPool mode. With this commit, we will no longer install invalid routes for the auto-generated PodCIDR. This was mostly harmless (since the auto-generated PodCIDR rarely overlapped with the real ones), but still a potential cause for confusion and bugs. In addition, ENI-mode users have reported that they are confused by this "fake" PodCIDR, which is understandable, since that PodCIDR is meaningless in ENI mode (#9409). Long term, we want to remove the concept of the IPv4/IPv6AllocCIDR completely (and remove the auto-generation code), but this is a first incremental step towards that goal. Fixes: #9409 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 10 January 2024, 09:38:50 UTC
b975300 ipsec: Do not use AllocCIDR with subnet encryption [ upstream commit a4c43f358eee14c717f88b26386d458a6ddfd597 ] [ backporter's notes: Had to reimplement the changes because that code moved from node.go to ipsec.go, but otherwise it didn't change. ] IPSec relies on the "pod subnet" CIDRs for encryption in IPAM modes (e.g. ENI, Azure) which do not have a pod CIDR (aka. alloc CIDR). Therefore, we should not use the alloc CIDR in such modes. This commit moves the setup of routes based on the alloc CIDR into the conditions which are executed if we are not in pod subnet based encryption. In addition, we add some temporary code to remove the old bogus route for the local node in subnet encryption mode. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 10 January 2024, 09:38:50 UTC
30485f9 docs: Fix keyid derivation in IPsec docs [ upstream commit b26d9be1738c200274d0fb94b69ba2da03d024f0 ] Previously, when determining a keyid before the rotation, the doc suggested to run "cut -c 1". This returns only the first digit (e.g., if keyid is "15", then "1" is returned). This breaks the rotation 15=>1. Fixes: 42ef7f3f814 ("docs: Update IPsec key rotation command") Reported-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 04 January 2024, 07:07:04 UTC
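The docs bug in this commit is easy to reproduce. The following added Go example (not Cilium's code or documentation) shows the truncating parse beside a correct one and carries the rotation through to a new keys line. The key-ID range 1..15 and the wrap from 15 to 1 follow the rotation rule the commit describes; the secret line layout `<id> rfc4106(gcm(aes)) <hex> 128` and the 20-byte key (16-byte AES-128 key plus the 4-byte salt rfc4106 AES-GCM expects) are assumptions about the docs' format, and the sample line is constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// maxKeyID: the rotation rule the commit refers to wraps 15 back to 1, so the
// valid range 1..15 is assumed from that rule.
const maxKeyID = 15

// brokenKeyID reproduces the documented bug: `cut -c 1` keeps only the first
// character, so "15" is read as "1".
func brokenKeyID(keys string) string {
	keys = strings.TrimSpace(keys)
	if keys == "" {
		return ""
	}
	return keys[:1]
}

// currentKeyID parses the whole leading decimal ID of a keys line such as
// "15 rfc4106(gcm(aes)) <40 hex chars> 128" (what `grep -oP '^\d+'` does).
func currentKeyID(keys string) (int, error) {
	keys = strings.TrimSpace(keys)
	end := 0
	for end < len(keys) && keys[end] >= '0' && keys[end] <= '9' {
		end++
	}
	if end == 0 {
		return 0, errors.New("keys line does not start with a key ID")
	}
	id, err := strconv.Atoi(keys[:end])
	if err != nil {
		return 0, err
	}
	if id < 1 || id > maxKeyID {
		return 0, fmt.Errorf("key ID %d outside 1..%d", id, maxKeyID)
	}
	return id, nil
}

// nextKeyID implements the rotation step: 15 wraps to 1 instead of becoming 16.
func nextKeyID(cur int) int {
	if cur >= maxKeyID {
		return 1
	}
	return cur + 1
}

// newKeysLine builds the replacement secret value in the assumed docs layout
// "<id> rfc4106(gcm(aes)) <key> 128", with 20 fresh random bytes (AES-128 key
// plus the 4-byte salt used by rfc4106 AES-GCM).
func newKeysLine(cur int) (string, error) {
	key := make([]byte, 20)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	return fmt.Sprintf("%d rfc4106(gcm(aes)) %s 128", nextKeyID(cur), hex.EncodeToString(key)), nil
}

func main() {
	// Constructed secret contents, as read after `base64 -d` of .data.keys.
	line := "15 rfc4106(gcm(aes)) 00112233445566778899aabbccddeeff01234567 128"
	fmt.Println("cut -c 1 would give:", brokenKeyID(line)) // "1", so rotation would go 1 -> 2
	id, err := currentKeyID(line)
	if err != nil {
		panic(err)
	}
	next, err := newKeysLine(id)
	if err != nil {
		panic(err)
	}
	fmt.Printf("current %d -> next line: %s\n", id, next) // current 15 -> "1 rfc4106(...)"
}
```

With the truncated parse, a cluster at key ID 15 would be rotated to ID 2 while nodes still hold ID 15, so the check worth keeping when scripting this is that the parsed ID is the full leading number and that the successor wraps rather than exceeding 15.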
c75d324 workflows: Increase IPsec upgrade test's timeout [ upstream commit 1bf697f8f97435ecadb28f752b16b4acee883d93 ] The IPsec upgrade test started timing out from time to time on main's CI. This commit bumps the timeout a bit to avoid such failures. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 04 January 2024, 07:07:04 UTC
03e2b8f datapath: Fix TestNodeChurnXFRMLeaks [ upstream commit a0f4a321b95ab8efe1ace82257837830347db9b5 ] This commit fixes the following issues: * Missed enablement of the churn tests in the non-subnet mode. * The subnet mode being broken when v4 and v6 enabled [1]. [1]: https://github.com/cilium/cilium/issues/27280 Fixes: 9207b7898 ("datapath: Cover subnet encryption in XFRM leak test") Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 04 January 2024, 07:07:04 UTC
a2c2577 datapath: Cover subnet encryption in XFRM leak test [ upstream commit 9207b7898ea23fc625a78def5066137c90f2a579 ] This commit complements 27a8fb113b ("datapath: Integration test for XFRM leaks on node churn"). In that previous commit, subnet encryption (the XFRM config used for ENI and Azure IPAM modes) was not covered. This commit covers it. There are two pre-conditions to subnet encryption: nodes must have a list of pod subnets (cf. IPv{4,6}PodSubnets) and the encryption interface must exist and have an IP address. The test configures these two preconditions before running the usual checks for XFRM config leaks. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 04 January 2024, 07:07:04 UTC
83869b1 datapath: Integration test for XFRM leaks on node churn [ upstream commit 27a8fb113b72d7bd30f7f2fbf62d64bc8ea534f3 ] In the past, we had a bug where we would leak some XFRM policies when nodes were deleted. This commit adds an integration test to ensure we don't leak XFRM policies or states when nodes are created and deleted. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 04 January 2024, 07:07:04 UTC
c92aff2 datapath: Expose loadIPSecKeys outside pkg for use in tests [ upstream commit 8b671b3a2a5d800748ba5499b71c550e78c7acad ] This is unfortunately necessary to test some IPsec effects of the node lifecycle. Exposing this function allows us to load a test IPsec key from memory instead of from a file, to prepare the state for the creation and deletion of XFRM configs. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 04 January 2024, 07:07:04 UTC
f68f463 nodediscovery: Fix bug where CiliumInternalIP was flapping [ upstream commit 263e689a299688e2233e009c22a131d77a1cc89b ] [ backporter's notes: Various conflicts. net.IPFamilyOfString(x) doesn't exist so it had to be replaced with ParseIPSloppy(x).To4(). slices.DeleteFunc doesn't exist so it had to be defined in our own slices package as done on v1.14. mutateNodeResource's logic was significantly refactored so the new code to clean node IP addresses had to be moved before all appending of node IP addresses. ] This fixes a bug in `UpdateCiliumNodeResource` where the `CiliumInternalIP` (aka `cilium_host` IP, aka router IP) was flapping in the node manager during restoration (i.e. during cilium-agent restarts). In particular in `cluster-pool` mode, `UpdateCiliumNodeResource` is called before the `cilium_host` IP has been restored, as there are some circular dependencies: The restored IP can only be fully validated after the IPAM subsystem is ready, but that in turn can only happen if the `CiliumNode` object has been created. The `UpdateCiliumNodeResource` function however will only announce the `cilium_host` IP if it has been restored. This commit attempts to break that cycle by not overwriting any already existing `CiliumInternalIP` in the CiliumNode resource. Overall, this change is rather hacky, in particular it does not address the fact that other less crucial node information (like the health IP) also flaps. But since we want to backport this bugfix to older stable branches too, this change is intentionally kept as minimal as possible. Example node event (as observed by other nodes) before this change: ``` 2023-12-18T12:58:20.070330814Z level=debug msg="Received node update event from custom-resource" node="{\"Name\":\"kind-worker\",\"Cluster\":\"default\",\"IPAddresses\":[{\"Type\":\"InternalIP\",\"IP\":\"172.18.0.4\"},{\"Type\":\"InternalIP\",\"IP\":\"fc00:c111::4\"}],..." subsys=nodemanager 2023-12-18T12:58:20.208082226Z level=debug msg="Received node update event from custom-resource" node="{\"Name\":\"kind-worker\",\"Cluster\":\"default\",\"IPAddresses\":[{\"Type\":\"InternalIP\",\"IP\":\"172.18.0.4\"},{\"Type\":\"InternalIP\",\"IP\":\"fc00:c111::4\"},{\"Type\":\"CiliumInternalIP\",\"IP\":\"10.0.1.245\"}],..." subsys=nodemanager ``` After this change (note the `CiliumInternalIP` present in both events): ``` 2023-12-18T15:38:23.695653876Z level=debug msg="Received node update event from custom-resource" node="{\"Name\":\"kind-worker\",\"Cluster\":\"default\",\"IPAddresses\":[{\"Type\":\"CiliumInternalIP\",\"IP\":\"10.0.1.245\"},{\"Type\":\"InternalIP\",\"IP\":\"172.18.0.4\"},{\"Type\":\"InternalIP\",\"IP\":\"fc00:c111::4\"}],..." subsys=nodemanager 2023-12-18T15:38:23.838604573Z level=debug msg="Received node update event from custom-resource" node="{\"Name\":\"kind-worker\",\"Cluster\":\"default\",\"IPAddresses\":[{\"Type\":\"InternalIP\",\"IP\":\"172.18.0.4\"},{\"Type\":\"InternalIP\",\"IP\":\"fc00:c111::4\"},{\"Type\":\"CiliumInternalIP\",\"IP\":\"10.0.1.245\"}],...}" subsys=nodemanager ``` Reported-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 20 December 2023, 08:07:36 UTC
2650925 node/manager: Improve debug logging [ upstream commit 7084c17c9241606405338f5891c1f9d9de4e2788 ] [ backporter's notes: Trivial conflicts in includes and due to a new functions. ] This commit improves the debug logging of node update events by using the JSON representation instead of the Go syntax representation of the node. This makes it easier to parse the log message, as IP addresses are now printed as strings instead of byte arrays. Before: ``` level=debug msg="Received node update event from custom-resource: types.Node{Name:\"kind-worker\", Cluster:\"default\", IPAddresses:[]types.Address{types.Address{Type:\"InternalIP\", IP:net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xac, 0x12, 0x0, 0x3}}, types.Address{Type:\"InternalIP\", IP:net.IP{0xfc, 0x0, 0xc1, 0x11, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}}, types.Address{Type:\"CiliumInternalIP\", IP:net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xa, 0x0, 0x0, 0xd2}}}, IPv4AllocCIDR:(*cidr.CIDR)(0xc000613180), IPv4SecondaryAllocCIDRs:[]*cidr.CIDR(nil), IPv6AllocCIDR:(*cidr.CIDR)(nil), IPv6SecondaryAllocCIDRs:[]*cidr.CIDR(nil), IPv4HealthIP:net.IP{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0xff, 0xa, 0x0, 0x0, 0x30}, IPv6HealthIP:net.IP(nil), IPv4IngressIP:net.IP(nil), IPv6IngressIP:net.IP(nil), ClusterID:0x0, Source:\"custom-resource\", EncryptionKey:0x0, Labels:map[string]string{\"beta.kubernetes.io/arch\":\"amd64\", \"beta.kubernetes.io/os\":\"linux\", \"kubernetes.io/arch\":\"amd64\", \"kubernetes.io/hostname\":\"kind-worker2\", \"kubernetes.io/os\":\"linux\"}, Annotations:map[string]string(nil), NodeIdentity:0x0, WireguardPubKey:\"\"}" subsys=nodemanager ``` After: ``` level=debug msg="Received node update event from custom-resource" node="{\"Name\":\"kind-worker\",\"Cluster\":\"default\",\"IPAddresses\":[{\"Type\":\"InternalIP\",\"IP\":\"172.18.0.3\"},{\"Type\":\"InternalIP\",\"IP\":\"fc00:c111::3\"},{\"Type\":\"CiliumInternalIP\",\"IP\":\"10.0.1.245\"}],\"IPv4AllocCIDR\":{\"IP\":\"10.0.1.0\",\"Mask\":\"////AA==\"},\"IPv4SecondaryAllocCIDRs\":null,\"IPv6AllocCIDR\":null,\"IPv6SecondaryAllocCIDRs\":null,\"IPv4HealthIP\":\"10.0.1.120\",\"IPv6HealthIP\":\"\",\"IPv4IngressIP\":\"\",\"IPv6IngressIP\":\"\",\"ClusterID\":0,\"Source\":\"custom-resource\",\"EncryptionKey\":0,\"Labels\":{\"beta.kubernetes.io/arch\":\"amd64\",\"beta.kubernetes.io/os\":\"linux\",\"kubernetes.io/arch\":\"amd64\",\"kubernetes.io/hostname\":\"kind-worker\",\"kubernetes.io/os\":\"linux\"},\"Annotations\":null,\"NodeIdentity\":0,\"WireguardPubKey\":\"\"}" subsys=nodemanager ``` Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 20 December 2023, 08:07:36 UTC
2ec3341 Revert "cilium: Ensure xfrm state is initialized for route IP before publish" [ upstream commit 0d1ee39 ] This reverts commit c9ea7a52bd59c167c6e7611d4976e3c041f4e7f0. This works around a condition where restarting the agent uses a new IP for Cilium Internal IP. But, it turns out this is because of an incorrectly set helm chart option in our reproducer. When configured correctly we require CiliumInternalIP to be reused so this patch is not necessary. In fact it complicates the code so let's drop it. The helm option is cleanState. It must be set to false cleanState=false Note that cleanState="false" is a string type and will default to true because of bool typing. Creating a subtle and broken config. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 14 December 2023, 23:31:50 UTC
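The typing pitfall at the end of this message can be shown with Go's text/template, which Helm uses to render charts. The following is an added example and not the Cilium chart: `cleanStateGuard` is a stand-in template, and `helmSet` models only the bool-versus-string distinction between a `--set k=false` value (which Helm's parser types as a bool) and a `--set-string` or YAML `k: "false"` value (a string).

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// cleanStateGuard stands in for a chart template that switches behaviour on
// .Values.cleanState; the Cilium chart's actual template is not reproduced.
const cleanStateGuard = `{{ if .Values.cleanState }}clean-state{{ else }}reuse-state{{ end }}`

// render executes the guard the way Helm executes Go templates: `if` treats
// any non-empty string as true, so the string "false" selects the clean path.
func render(cleanState interface{}) (string, error) {
	t, err := template.New("guard").Parse(cleanStateGuard)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	vals := map[string]interface{}{"Values": map[string]interface{}{"cleanState": cleanState}}
	if err := t.Execute(&out, vals); err != nil {
		return "", err
	}
	return out.String(), nil
}

// helmSet mimics how Helm types a value: `--set k=false` (asString=false) is
// parsed to a bool, while `--set-string k=false` or YAML `k: "false"`
// (asString=true) stays a string. Only the bool/string cases are modelled here.
func helmSet(raw string, asString bool) interface{} {
	if asString {
		return raw
	}
	switch raw {
	case "true":
		return true
	case "false":
		return false
	}
	return raw
}

func main() {
	for _, c := range []struct {
		flag     string
		asString bool
	}{{"false", false}, {"false", true}, {"true", false}} {
		got, err := render(helmSet(c.flag, c.asString))
		if err != nil {
			panic(err)
		}
		fmt.Printf("cleanState=%q asString=%v -> %s\n", c.flag, c.asString, got)
	}
}
```

The practical check is to render the chart (`helm template`) and confirm the guarded resources come out the way the value was meant, rather than trusting that a quoted `"false"` in a values file reads as false.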
2524ad9 ci-ipsec-upgrade: Add vxlan w/ no EP routes [ upstream commit f7894740c1bdd5ac877ad14ec0e6c1bf60687c73 ] This is more common configuration than the existing vxlan + EP one. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 14 December 2023, 14:55:07 UTC
622d2c4 workflows: Make the conn-disrupt test more sensitive [ upstream commit 13efef3ef6606302e460d53a77324a0535a4496a ] [ backporter's notes: changes to `tests-clustermesh-upgrade.yaml` and `tests-e2e-upgrade.yaml` were ignored as they were depending on changes not backported to v1.12. Bumped the Cilium CLI version in `conformance-ipsec-e2e` to the latest available (v0.15.17), as `conn-disrupt-dispatch-interval` was introduced in v0.15.8. ] By reducing the interval between two sent packets to 0ms, we are making the conn-disrupt test more sensitive to drops. That should help us identify remaining bugs in upgrades, key rotations, etc. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 14 December 2023, 14:55:07 UTC
1534fa7 gha: enable IPv6 in clustermesh upgrade/downgrade workflow [ upstream commit dbe56dda26eb430c0af71670efc92981dfd4cd11 ] Now that known issues causing connection disruption (which appeared to mostly affect dual stack clusters) have been fixed, let's enable IPv6 again in the clustermesh upgrade/downgrade workflow. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 December 2023, 16:22:52 UTC
a4ca33e ci: always use full matrix for scheduled cloud-provider workflows [ upstream commit 1f1c3840be09a54e84e08320611c8b72994410ba ] [ backporter's notes: skipped changes in conformance-aks.yaml, as that workflow is not present in v1.12. ] Cloud provider related workflows use the full configuration as matrix when being executed on a scheduled basis on stable branches, whereas only the default configuration is used on PR workflows. Currently, this decision checks whether the workflow is triggered via `event_name == schedule`. This is working fine on `main`, but not on all other stable branches where the workflows are triggered via workflow_dispatch event (called by a scheduled workflow (ariane-scheduled.yaml) on main). Therefore, this commit extends the decision to check for the input `PR-number` starting with a "v". This is the case for Ariane triggered runs - as they pass the branch name as PR-number (PR runs pass the actual numeric PR number). Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 December 2023, 16:22:52 UTC
3c577c1 install: Update image digests for v1.12.17 Generated from https://github.com/cilium/cilium/actions/runs/7180144198. `docker.io/cilium/cilium:v1.12.17@sha256:323e5762a2412e4f274c34ffb655d57b439d3c057ada48167f8aa038729c1661` `quay.io/cilium/cilium:v1.12.17@sha256:323e5762a2412e4f274c34ffb655d57b439d3c057ada48167f8aa038729c1661` `docker.io/cilium/clustermesh-apiserver:v1.12.17@sha256:7bf626ebaafeaf51870f9f5dc4d5127797da97ab5365405cccadb480dae900cf` `quay.io/cilium/clustermesh-apiserver:v1.12.17@sha256:7bf626ebaafeaf51870f9f5dc4d5127797da97ab5365405cccadb480dae900cf` `docker.io/cilium/docker-plugin:v1.12.17@sha256:f2c7392a06baf33084115ea98f96620eb49fc12a1815b08d5bcbb5976f58035f` `quay.io/cilium/docker-plugin:v1.12.17@sha256:f2c7392a06baf33084115ea98f96620eb49fc12a1815b08d5bcbb5976f58035f` `docker.io/cilium/hubble-relay:v1.12.17@sha256:4387d06a9c0089de6a27d815a9a475f539b2f9eaf6ec7d95d1670b502e18f7ea` `quay.io/cilium/hubble-relay:v1.12.17@sha256:4387d06a9c0089de6a27d815a9a475f539b2f9eaf6ec7d95d1670b502e18f7ea` `docker.io/cilium/operator-alibabacloud:v1.12.17@sha256:06e7a741d4b74790dc8c9fcc594608630517cc7366e4d4ba97eef7133bd94bfb` `quay.io/cilium/operator-alibabacloud:v1.12.17@sha256:06e7a741d4b74790dc8c9fcc594608630517cc7366e4d4ba97eef7133bd94bfb` `docker.io/cilium/operator-aws:v1.12.17@sha256:aa2ba6331ec84e64f46205dbd9043a69b89f2eb177bbd29d7c5c88a052809cb0` `quay.io/cilium/operator-aws:v1.12.17@sha256:aa2ba6331ec84e64f46205dbd9043a69b89f2eb177bbd29d7c5c88a052809cb0` `docker.io/cilium/operator-azure:v1.12.17@sha256:a1f1151454586b7aa7e93564975074d861d8020cb52bd82a565ce645ab671645` `quay.io/cilium/operator-azure:v1.12.17@sha256:a1f1151454586b7aa7e93564975074d861d8020cb52bd82a565ce645ab671645` `docker.io/cilium/operator-generic:v1.12.17@sha256:17a1b1cbc38bcce00fd4d793c7b6ab630fdaaa464d53e05967625c7b7306730d` `quay.io/cilium/operator-generic:v1.12.17@sha256:17a1b1cbc38bcce00fd4d793c7b6ab630fdaaa464d53e05967625c7b7306730d` `docker.io/cilium/operator:v1.12.17@sha256:e777fff0f61af556ad6c0c67abb1524dbfddb95da80875aa6456ad4b6899ae41` `quay.io/cilium/operator:v1.12.17@sha256:e777fff0f61af556ad6c0c67abb1524dbfddb95da80875aa6456ad4b6899ae41` Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 12 December 2023, 12:28:22 UTC
4ceb82a Prepare for release v1.12.17 Co-authored-by: Andrew Sauber <2046750+asauber@users.noreply.github.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 11 December 2023, 22:20:59 UTC
0186818 travis: install buildkit in pre-install Signed-off-by: Andrew Sauber <2046750+asauber@users.noreply.github.com> 11 December 2023, 22:20:59 UTC
fffa54e ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() [ upstream commit dfbae95eb544fc218a9cb251edd281afac6a96c2 ] [ backporter's notes: also bring back isDsrEntry() ] The BPF datapath potentially re-creates a CT entry, in particular when a DSR connection gets re-opened as local connection. Such a re-purposed CT entry then leaves a DSR NAT entry behind. Currently we wouldn't clean up such NAT entries (as the matching CT entry still exists). But once we look at the CT entry's .dsr flag, we understand that the CT entry is actually no longer a match for the NAT entry. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 December 2023, 09:58:02 UTC
7fc9ee2 ctmap: set `dsr` flag for relevant CT entries in TestOrphanNatGC() [ upstream commit 74b3f56af06823a0c0c3716731e72090df172cc1 ] CT entries that get created for a DSR connection by the datapath will have the `dsr` flag set. Reflect this in the CT entries that we use for tests. The flag currently doesn't make a difference for the GC logic, but let's still be a bit more accurate. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 11 December 2023, 09:58:02 UTC
78b2638 chore(deps): update hubble cli to v0.12.3 Signed-off-by: renovate[bot] <bot@renovateapp.com> 08 December 2023, 22:39:51 UTC
ad1a8aa images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 08 December 2023, 19:13:35 UTC
482f492 images: bump cni plugins to v1.4.0 [ upstream commit 1248536a55b692ada3749da08e52afc91e10b2b2 ] The result of running ``` images/scripts/update-cni-version.sh 1.4.0 ``` Signed-off-by: Casey Callendrello <cdc@isovalent.com> 08 December 2023, 19:13:35 UTC
e9acb55 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 08 December 2023, 14:58:55 UTC
2a553f7 chore(deps): update docker.io/library/golang docker tag to v1.20.12 Signed-off-by: renovate[bot] <bot@renovateapp.com> 08 December 2023, 14:58:55 UTC
641c175 vendor: update logrus v1.9.0 => v1.9.3 Release v1.9.3 addresses a potential DoS vulnerability. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 08 December 2023, 14:22:08 UTC
6654492 images/cilium: copy the cilium-envoy binary into Cilium image [ upstream commit 807e494b8e689c05c6103cd1e438e305ee847fbe ] When we integrated cilium-envoy into Cilium's image we have made the assumption that the image only contained the cilium-envoy binary, which made it safe to copy the entire image into Cilium's. However, since 3698c40e878c, the cilium-envoy's base image was switched to Ubuntu's instead of "scratch". This had the consequence of overwriting the files of Cilium's Runtime image with Cilium-envoy's base image. To fix this, we should only copy the cilium-envoy binary available on the cilium-envoy image. Fixes: 3698c40e878c ("cilium/proxy: updating proxy image to latest version") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 08 December 2023, 08:45:00 UTC
fb7097a helm: add resources via initResources for the agent init containers [ upstream commit de788fa9be616383c0146cd7282db032408f1b6b ] Signed-off-by: Andrii Iuspin <yuspin@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 08 December 2023, 07:59:30 UTC
263a2c0 helm: Add extraVolumes and extraVolumeMounts to hubble-relay [ upstream commit 76126b7ef3024ae6589fe38ddd2c49df056ef8eb ] Signed-off-by: Andrii Iuspin <yuspin@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 08 December 2023, 07:59:30 UTC
a352c47 helm: Add extraVolumeMounts to etcd-init and etcd [ upstream commit 22a4d1d6c1d173831bfadc946b5f3b063d4af648 ] Signed-off-by: Andrii Iuspin <yuspin@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 08 December 2023, 07:59:30 UTC
113a96d helm: Add automount related fields to preflight [ upstream commit 6f544480504b77afd8e5b852d64e25ac500b4f5e ] This commit is to add automountServiceAccountToken, extraVolumes and extraVolumeMounts field to preflight workload. Signed-off-by: Andrii Iuspin <yuspin@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 08 December 2023, 07:59:30 UTC
9b3cc45 helm: Add extraVolumeMounts to cilium-monitor and clean-cilium-state [ upstream commit 4a5cbba14aa51e1c5ae83feb4d8771b20b1e5dd1 ] Signed-off-by: Andrii Iuspin <yuspin@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 08 December 2023, 07:59:30 UTC
fb56b84 Add SA and extravolume to nodeinit ds [ upstream commit e771a9cc1032bf88fe7ce9bdaa65b606fe9548ac ] This commit is to make sure that users can enable/disable SA token auto mount, which is recommended in NSA security hardening guide. This PR is for the cilium-nodeinit daemonset. https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF Signed-off-by: darox <maderdario@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 08 December 2023, 07:59:30 UTC
c0d2681 gha: align ci-ipsec-e2e workflow name to main Otherwise the name of the workflow displayed by GitHub bounces depending on which one is executed last. This specific change seems to have been lost while backporting e9e43fe3f8c7 ("ci: rename name fields"). Fixes: bdb02d4281d9 ("ci: rename name fields") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 December 2023, 13:16:36 UTC
0e8c53f envoy: Bump cilium-envoy with golang 1.21.5 This is mainly for the recent golang version v1.21.5. Related build: https://github.com/cilium/proxy/actions/runs/7113088396/job/19364351580 Signed-off-by: Tam Mach <tam.mach@cilium.io> 06 December 2023, 21:33:39 UTC
46d5b5a health/server: Fix stale references to old nodes during health probe [ upstream commit 7c7b72393c8afd7595f976db2ba64ef9227c0c1b ] Given the order of operations in prober.OnIdle, it is possible for the health probe to have stale references to deleted nodes. When that occurs, node connectivity metrics which were previously deleted [1] would be brought back, causing confusion. If users defined alerts for node connectivity health check metrics (see example below), then this would erroneously trigger because the old nodes would appear in the metric labels as a failing health check. Example given deletion of "kind-worker2" node:
```
cilium_node_connectivity_status source_cluster="kind-kind" source_node_name="kind-worker" target_cluster="kind-kind" target_node_name="kind-control-plane" target_node_type="remote_intra_cluster" type="endpoint" 1.000000
cilium_node_connectivity_status source_cluster="kind-kind" source_node_name="kind-worker" target_cluster="kind-kind" target_node_name="kind-control-plane" target_node_type="remote_intra_cluster" type="node" 1.000000
cilium_node_connectivity_status source_cluster="kind-kind" source_node_name="kind-worker" target_cluster="kind-kind" target_node_name="kind-worker" target_node_type="local_node" type="endpoint" 1.000000
cilium_node_connectivity_status source_cluster="kind-kind" source_node_name="kind-worker" target_cluster="kind-kind" target_node_name="kind-worker" target_node_type="local_node" type="node" 1.000000
cilium_node_connectivity_status source_cluster="kind-kind" source_node_name="kind-worker" target_cluster="kind-kind" target_node_name="kind-worker2" target_node_type="remote_intra_cluster" type="endpoint" 0.000000
```
Fixes: d9e1ff897d ("cilium-health: Remove unnecessary goroutine") [1]: e9f97cd0e3 ("Ensures prometheus metrics associated with a deleted node are no longer reported.") Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 17:15:51 UTC
ac0e18c node/manager: Add info logs for added and deleted nodes [ upstream commit 4787f8ee43249085a02592ed82d3396eaf09eebb ] [ backporter's notes: had to resolve rename conflicts. ] Similar to how useful log msgs are when endpoints created and deleted, this log is useful for understanding when nodes are added and deleted in production clusters. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 17:15:51 UTC
3876191 CountUniqueIPsecKeys function returns error to allow consumers to implement error handling. [ upstream commit 6f227fbd59450d9aefa3fd1f95c6f76640dc1245 ] [ backporter's notes: conflicts due to `cilium/cmd` having been renamed to `cilium-dbg/cmd`. ] Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 17:15:51 UTC
a9ca54e cmd: Handle non-AEAD IPsec keys in encrypt status [ upstream commit da354d96b40e1030f1f62ca69587a8f12c34917f ] CountUniqueIPsecKeys function fixed to count non-Aead keys and catch unsupported XfrmStateAlgo combinations. Fixes cilium#29181. Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 06 December 2023, 17:15:51 UTC
be374aa guestbook: update example & test with leader/follower naming The guestbook in version v5 fails trying to connect to `redis-leader`. The reason is that the deployment is still named `redis-master`. Therefore, this commit renames the example & test guestbook deployments to use the leader/follower naming. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 05 December 2023, 14:02:55 UTC
888779d examples: update guestbook example with new image registry The GCP Kubernetes Engine Samples migrated their image registry from Google Container Registry to Google Artifact Registry. Hence, the image gb-frontend from the guestbook example is no longer available. Therefore, this commit changes the example to use the new registry. Issue: GoogleCloudPlatform/kubernetes-engine-samples#209 Guestbook PR: GoogleCloudPlatform/kubernetes-engine-samples#194 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 05 December 2023, 14:02:55 UTC
c1ea85b ci: remove empty github workflow file tests-nightly.yaml This commit removes the empty workflow file `tests-nightly.yaml`. This prevents the workflow from failing. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 04 December 2023, 20:20:21 UTC
3cb86ef workflows: Add debug info to IPsec key rotation test [ upstream commit a6e22ba7c4e8e25a50f36b35361b49f38c27776f ] To detect that the key rotation began or that it successfully ended, we rely on the number of keys in use reported by `cilium-dbg encrypt status`. When either of those steps times out, it would be good to have information on what the number of keys was. This commit adds that debug information to the test. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 12:21:52 UTC
eb17c7b gha: wait for downgrade images to be ready in clustermesh upgrade test [ upstream commit a587b8837be1b6d67021593cb13fa6bdd783ec0a ] Currently, we only wait for the images from the current PR/main to be available in the clustermesh upgrade tests. Yet, it can happen that the ones from the stable branch are not available (either because they are being built, or something went wrong), leading to confusing failures (as the installation eventually fails due to ImagePullBackOff errors). To prevent this, let's add an explicit step to additionally wait for downgrade images to be available before proceeding with the installation step, so that also the error message is clear. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 12:21:52 UTC
1d82aa5 ipsec: Merge functions ipSecJoinState and ipSecNewState [ upstream commit ba3fa898ee40ab5a581a27c5f2c0dad2f1876286 ] ipSecJoinState is never called without ipSecNewState and vice versa. So let's just merge both to have all XFRM state initialization in the same place. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 12:21:52 UTC
37d892b ipsec: Move SPI parsing to own function and test it [ upstream commit f7a58affe5597bd6299a92aa48e9f4a86aa87cf7 ] The SPI parsing logic is fairly complex so let's move it to its own function and write a unit test for that. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 12:21:52 UTC
9c527b3 bpf: nat: only set SNAT_DONE when packet was actually SNATed [ upstream commit 2393707606c409351118fda59207de3131375730 ] With eff26cf680e5 ("datapath: Fix double SNAT") the outbound SNAT path now sets ctx_snat_done_set() after checking whether a packet requires SNAT. This was meant to avoid double-NATing when a packet passes through multiple network interfaces with a to-netdev program. But looking at the SNAT code in detail, some of its conditions only apply on specific interfaces (see nodeport_has_nat_conflict_ipv4(), which checks for `NATIVE_DEV_IFINDEX == DIRECT_ROUTING_DEV_IFINDEX`). So if a packet passes through multiple interfaces which all have `to-netdev` attached, the first `to-netdev` program might set SNAT_DONE even when some subsequent program (attached to DIRECT_ROUTING_DEV_IFINDEX) would still want to apply SNAT to the packet. Therefore we should apply the SNAT checks on *each* interface, until we have actually SNATed the packet. Only then set the SNAT_DONE marker. Note that this also fixes an EgressGW bug in nodeport_snat_fwd_ipv4(), where we would redirect the packet even if snat_v4_nat() reported an error. Fixes: eff26cf680e5 ("datapath: Fix double SNAT") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 December 2023, 12:21:52 UTC
a40e6fc endpoint: add policy engine race test [ upstream commit 8e163a9b70d9b5e09516828831a5378f0bed79bf ] This adds a small test that ensures incremental updates are never lost, even in the face of significant identity churn. It simulates a churning ipcache flinging identities in to the policy engine, and similarly recalculates policy constantly. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 29 November 2023, 23:42:05 UTC
6d479af test/MockIdentityAllocator: Sanitize the generated ID [ upstream commit 9623641f6092f28e7f6974864194b146a0cdc187 ] This ensures the generated ID works like IDs allocated normally - that their LabelArray is set. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 29 November 2023, 23:42:05 UTC
6aa6a1e endpoint: don't hold the endpoint lock while generating policy [ upstream commit f048a6a88b7bbffb1295358cfbc3c9a7bfbf4ff1 ] As preparation for other refactors of the policy engine, no longer hold the endpoint lock while calculating policy. This is safe to do, since the only input is the endpoint's security identity. Furthermore, if, somehow, policy were to be calculated in parallel, we can reject an update if its revision is too old. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 29 November 2023, 23:42:05 UTC
aa8d4aa pkg/proxy: mechanical: remove unused methods from interface [ upstream commit b63115b4c80a5014a8de93a107b19af0b90837e2 ] These methods are no longer used; remove them from the EndpointInfoSource interface. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 29 November 2023, 23:42:05 UTC
9142a65 pkg/endpoint: make some more accessor methods lock-free [ upstream commit e20b16d70843530aefad9ac8c3ae0834c7b6b057 ] [ backporter's notes: 1. manager_test: we don't yet have ipcache test infra structure, use the real thing instead (as other tests do) 2. go1.18 compat: atomic.Pointer -> atomic.Value ] It turns out that most of the endpoint identities, e.g. pod name / namespace, are actually immutable. So, there's no need to grab a lock before reading them. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 29 November 2023, 23:42:05 UTC
401025e pkg/endpoint: make GetNamedPorts lock-free [ upstream commit 3ca309d6e1da798126f55f8696663dfa07d62717 ] [ backporter's notes: 1. adjust types.NamedPortMap -> policy.NamedPortMap 2. EndpointInfoSource is in proxy/logger/epinfo.go instead of proxy/endpoint/endpoint.go 3. Go1.18 compat: atomic.Pointer -> atomic.Value ] This function is called deep within the policy generation hierarchy, and is at a risk of causing deadlocks. Given that it's just reading a pointer to a never-mutated map, we can safely stash this behind an atomic Pointer and remove the lock. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 29 November 2023, 23:42:05 UTC
409f46c chore(deps): update all lvh-images main Signed-off-by: renovate[bot] <bot@renovateapp.com> 29 November 2023, 20:26:46 UTC
23f56f9 datapath: Fix ENI egress routing table for cilium_host IP [ upstream commit 0fcd1c86e347b2701880c9034e7ea3a74cd6b13e ] On ENI, we install source-based egress routing rules that steer traffic from Cilium-managed IPs (i.e. pods, but also the health IP, ingress IP and router IP) to the correct egress interface. For pod IPs, this is done in the CNI plugin: https://github.com/cilium/cilium/blob/7875f6acb5a2fd2b0e3e6c993c9995c0d322e55d/plugins/cilium-cni/interface.go#L59-L63 For ingress and health IP, this is done from cilium-agent: https://github.com/cilium/cilium/blob/ed20c8acde8c76d405d6c9fac3c9de44aa3bb403/daemon/cmd/ipam.go#L401-L405 https://github.com/cilium/cilium/blob/e49430286b5d63b00062758a10a2b37458f94525/cilium-health/launch/endpoint.go#L329-L333 For the `cilium_host` (aka router) IP however, this was done differently. Commit f34371ce8f added a new `routing.SetupRules` function that duplicated parts of the `routing.RoutingInfo.Configure` logic, but missed a crucial part: namely the creation of the per-ENI routing table that the source-based egress rule points towards. This means that if the `cilium_host` IP address was allocated from a different ENI than the pod, health and ingress IP addresses, the routing table for that ENI was never created. This led to connectivity issues, in particular in combination with IPsec. This commit addresses that issue by having the `cilium_host` IP use the same code path as the other IP users: `RoutingInfo.Configure`. This not only fixes the bug, but removes some code that was otherwise only used for the router IP. There is one major difference between other users of `RoutingInfo.Configure` and the newly introduced use for the `cilium_host` IP: for the `cilium_host` IP, we skip the creation of the ingress rule (by passing in `host=true`), as otherwise the `cilium_host` IP would not be considered a local address of the host network namespace. This is consistent with the old `SetupRules` function, which also did not create such an ingress rule. Long-term, it remains questionable if the setup of egress rules in ENI mode should be left to IPAM clients, as every client seems to do it slightly differently. Maybe this is better done by either the IPAM subsystem or a separate device manager. Fixes: f34371ce8f27 ("ipam: Add routes for cilium_host ENI address") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 28 November 2023, 11:02:10 UTC
93eb548 eni/routing: Allow ingress rule to be skipped [ upstream commit db336796b6f723a8c0872476bb7058c4755b41ad ] This commit extends the `Configure` method of `RoutingInfo` with a flag to skip the creation of the ingress rule. The ingress rule is needed for endpoints such that those are forwarded via the `main` routing table. But for the `cilium_host` (aka. router) IP, we want to route it via the `local` table (which would be skipped by the ingress rule). Without a lookup in the `local` routing table, Linux will not consider `cilium_host` to be an address of the local host, and for example not respond to ICMP requests. Note that this commit does not yet use `RoutingInfo.Configure` to set up the `cilium_host` IP, this will be done in the next commit. This commit here merely prepares the method for that and does not contain any functional changes by itself (which can be observed by the fact that all callers pass in `host=false`). Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 28 November 2023, 11:02:10 UTC
3986585 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 28 November 2023, 09:46:56 UTC
110405d chore(deps): update docker.io/library/ubuntu:20.04 docker digest to ed4a422 Signed-off-by: renovate[bot] <bot@renovateapp.com> 28 November 2023, 09:46:56 UTC
038ef59 envoy: Bump envoy container image The new build is with golang 1.21.4 and grpc v1.59.0, mainly for recent HTTP/2 related CVEs. Related build: https://github.com/cilium/proxy/actions/runs/7002314626/job/19047286335 Relates: https://github.com/cilium/proxy/pull/439 Signed-off-by: Tam Mach <tam.mach@cilium.io> 28 November 2023, 03:26:26 UTC
22c5718 ci/ipsec: Skip upgrade/downgrade test to patch release on main branch [ upstream commit c9dedb49f5a65dda4af26af6ee79abe863153171 ] Skip upgrade/downgrade test to patch release when we fail to retrieve the number for the previous patch release. This happens mostly for the main branch (where testing upgrades/downgrades is covered by the tests to the previous stable (minor) release already). This may also happen on top of release preparation commits, where we set the patch number to 90, and where it is non-trivial to retrieve the previous patch release number. This case doesn't matter much, because commits for preparing releases are Not Expected To Break IPsec (TM). Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:21:37 UTC
83025ce ci/ipsec: Add upgrade/downgrade tests for patch releases [ upstream commit ed59edc9f34596c871e45430c9378579eed9a12a ] Currently, we test upgrades and downgrades for IPsec against the previous stable branch, for example: - On main branch (v1.15-dev): v1.14 (branch tip) -> main (PR HEAD) -> v1.14 (branch tip) - On older stable branches: v1.13 (branch tip) -> v1.14 (PR HEAD) -> v1.13 (branch tip) For stable branches, this commit adds support for testing upgrades and downgrades against the latest patch release as well, for example: - On v1.14: v1.14.4 (tag) -> v1.14 (PR HEAD) -> v1.14.4 (tag) The workflow currently fails on the main branch (this case is covered by the upgrade/downgrade test to the previous stable branch already). This is addressed by skipping most of the steps on main branch, in a follow-up commit. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:21:37 UTC
a6d90de ci-ipsec-upgrade: Add missed tail calls check for upgrade [ upstream commit ced884f22c62585431fe048c872897a009d3d064 ] The downgrade is still affected [1]. [1]: https://github.com/cilium/cilium/issues/26739#issuecomment-1803373334 Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:21:37 UTC
4734e3d ci-ipsec-upgrade: Use branch tip instead of released version [ upstream commit 502bbc7bcc19c8a43c7a94a8ad9a16b1fb666e11 ] [1] changed the upgrade path from "v1.14 (branch tip) -> main -> v1.14 (branch tip)" to "v1.14.x (last release) -> main -> v1.14.x (last release)". The downside of the former path is that we catch any upgrade/downgrade regressions only after a release. This commit brings back the previous path. [1]: https://github.com/cilium/cilium/commit/31afd0211984f170f2844e455f6e48ad055e586d Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:21:37 UTC
8a20618 CI: Let actions/cilium-config use Chart.yaml-specified image by default [ upstream commit 31afd0211984f170f2844e455f6e48ad055e586d ] Previously cilium-config action always generates helm-set flags for image settings, but in some cases we can just rely on Chart.yaml since we always set chart-dir. This helps when: 1. We want to install release version instead of ci version. Currently cilium-config action sets `cilium-ci` unconditionally. 2. We have complicated image tag requirements such as `v1.14.1-beta.1`. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:21:37 UTC
f3bc386 contrib/scripts: Support patch releases in print-downgrade-version.sh [ upstream commit 56dfec2f1ac5126bd5eeed3e30607b215e4ab991 ] Script contrib/scripts/print-downgrade-version.sh is used to derive the name of the previous stable branch, based on the current version number found in the repository. This is useful for testing upgrades and downgrades in CI, between the current branch and the previous stable branch. For some tests we need to perform similar checks between the current tip of a branch and the latest patch release on the branch. For example, when working on branch 1.14, we want to downgrade to the latest patch release, 1.14.3 at this time, then upgrade back to the tip of 1.14. On the main branch, this is not relevant, because we don't usually have patch releases on that branch. The current commit updates print-downgrade-version.sh to add support for patch releases. When a user passes "patch" as first argument to the patch, then instead of decrementing the minor version by one, the script decrements the patch release number by one, and prints the result. When the patch release number is 0 (new minor release) or 90 (release preparation), the script returns an error, because it is non-trivial to find the preceding patch release number in such cases (at least without Git and the Git history). From the workflow's perspective (for supporting upgrades from patch releases in a follow-up commit), for new minor releases, upgrade/downgrade is already covered in this case by working with the previous stable branch; and for 90, we just don't have an easy way to retrieve the previous number. We make the script print errors on stderr, in order to make it easier to compare the string returned on stdout (empty in case of error). Some examples of numbers from VERSION and the corresponding values returned:
```
VERSION     Previous minor  Previous patch release
1.14.3      v1.13           v1.14.2
1.14.1      v1.13           v1.14.0
1.14.0      v1.13           <error>
1.14.1-dev  v1.13           v1.14.0
1.15.0-dev  v1.14           <error>
1.13.90     v1.12           <error>
```
In order to test the script easily, this commit also allows setting $VERSION from the command line, defaulting to the content of file VERSION if no value is provided. Let's also add the errexit and nounset options to the script. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:21:37 UTC
0c276e5 Clean up tests-ipsec-upgrade workflow [ upstream commit d51a932aa483c5c9f24caf5eca72ae2752516e08 ] - Add a script to get the Cilium version to downgrade to instead of hardcoding it in the workflow file. The script uses the top-level VERSION file to infer the previous version. - Check out the git branch to get the Helm chart instead of doing a wget to download the source archive. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 November 2023, 03:21:37 UTC
04a4106 chore(deps): update myrotvorets/set-commit-status-action action to v2 Signed-off-by: renovate[bot] <bot@renovateapp.com> 27 November 2023, 09:44:37 UTC
1e5983d images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 27 November 2023, 09:38:54 UTC
d875245 chore(deps): update docker/dockerfile docker tag to v1.6 Signed-off-by: renovate[bot] <bot@renovateapp.com> 27 November 2023, 09:38:54 UTC
f7a5a42 chore(deps): update docker/dockerfile docker tag to v1.6 Signed-off-by: renovate[bot] <bot@renovateapp.com> 27 November 2023, 09:37:16 UTC
cd66b4c chore(deps): update docker/dockerfile docker tag to v1.6 Signed-off-by: renovate[bot] <bot@renovateapp.com> 27 November 2023, 09:37:05 UTC
0f12826 chore(deps): update all lvh-images main Signed-off-by: renovate[bot] <bot@renovateapp.com> 24 November 2023, 10:38:02 UTC
8dd8379 ci-ipsec-upgrade: Check for errors when upgrading [ upstream commit 38a705bfd9dc4c01e686c66fe82e1c8d93e310e3 ] See https://github.com/cilium/cilium-cli/pull/2110. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Tam Mach <tam.mach@cilium.io> 24 November 2023, 09:19:46 UTC
6b369fe chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 22 November 2023, 11:12:18 UTC
31e0273 chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 21 November 2023, 13:34:58 UTC
e94b0f6 chore(deps): update actions/github-script action to v7 Signed-off-by: renovate[bot] <bot@renovateapp.com> 21 November 2023, 10:51:44 UTC
804443f chore(deps): update actions/checkout action to v4 Signed-off-by: renovate[bot] <bot@renovateapp.com> 21 November 2023, 08:30:33 UTC
aef5580 ariane: Run ci-ipsec-upgrade when testing backports Signed-off-by: Martynas Pumputis <m@lambda.lt> 21 November 2023, 06:10:20 UTC
c91ad39 Revert dnsproxy: Use original source address in connections to dns servers This reverts commit 4357e7ab585d5cad7c45a8a8c41334d32ff97f7c. This change was reverted in main at 4dc8ca2. Since this was an author backport and required special care, I'm reverting the commit in the branch rather than backporting. [upstream commit 4dc8ca2 ] Signed-off-by: Tim Horner <timothy.horner@isovalent.com> 16 November 2023, 13:44:25 UTC
4764e4f endpoint: lock the selector cache for reading

As in 52ace8e9ea318fe79e86731bddbc0abc97843311, there have been reports of a runtime crash with the following error:

    fatal error: concurrent map read and map write

(This commit message is heavily inspired by the above commit in the hopes of achieving a similar level of clarity.)

The path for this issue is printed also in the logs, with the following call stack:

    github.com/cilium/cilium/pkg/policy.(*SelectorCache).GetNetsLocked(...)
    github.com/cilium/cilium/pkg/policy.getNets(...)
    github.com/cilium/cilium/pkg/policy.identityIsSupersetOf(...)
    github.com/cilium/cilium/pkg/policy.(*mapState).DenyPreferredInsertWithChanges(...)

Given the abovementioned commit has fixed the issue on main, there must be a different call stack present in 1.12. Indeed, as shown below, there's the flow involving `addNewRedirects` which isn't covered by locking in `DistillPolicy`.

    INCOMING CALLS
    GetNetsLocked  github.com/cilium/cilium/pkg/policy • selectorcache.go
      getNets  github.com/cilium/cilium/pkg/policy • mapstate.go
        identityIsSupersetOf  github.com/cilium/cilium/pkg/policy • mapstate.go
          DenyPreferredInsertWithChanges  github.com/cilium/cilium/pkg/policy • mapstate.go
            addNewRedirectsFromDesiredPolicy  github.com/cilium/cilium/pkg/policy • bpf.go
              addNewRedirects  github.com/cilium/cilium/pkg/endpoint • bpf.go  <--- No SelectorCache lock
            DenyPreferredInsert  github.com/cilium/cilium/pkg/policy • mapstate.go
              ToMapState  github.com/cilium/cilium/pkg/policy • l4.go
                addNewRedirectsFromDesiredPolicy  github.com/cilium/cilium/pkg/policy • bpf.go
                  addNewRedirects  github.com/cilium/cilium/pkg/endpoint • bpf.go  <--- No SelectorCache lock
                computeDirectionL4PolicyMapEntries  github.com/cilium/cilium/pkg/policy • resolve.go
                  computeDesiredL4PolicyMapEntries  github.com/cilium/cilium/pkg/policy • resolve.go
                    DistillPolicy  github.com/cilium/cilium/pkg/policy • resolve.go  <--- SelectorCache.RLock()
              DetermineAllowLocalhostIngress  github.com/cilium/cilium/pkg/policy • mapstate.go
                DistillPolicy  github.com/cilium/cilium/pkg/policy • resolve.go  <--- SelectorCache.RLock()
              computeDirectionL4PolicyMapEntries  github.com/cilium/cilium/pkg/policy • resolve.go
                computeDesiredL4PolicyMapEntries  github.com/cilium/cilium/pkg/policy • resolve.go
                  DistillPolicy  github.com/cilium/cilium/pkg/policy • resolve.go  <--- SelectorCache.RLock()
            consumeMapChanges  github.com/cilium/cilium/pkg/policy • mapstate.go
              ConsumeMapChanges  github.com/cilium/cilium/pkg/policy • resolve.go  <--- SelectorCache.Lock()

Read the above tree as "GetNetsLocked() is called by getNets()", "getNets() is called by entryIdentityIsSupersetOf()", and so on. Siblings at the same level of indent represent alternate callers of the function that is one level of indentation less in the tree, i.e. addNewRedirectsFromDesiredPolicy and DenyPreferredInsert() both call DenyPreferredInsertWithChanges().

As annotated above, we see that calls through addNewRedirects() do not grab the SelectorCache lock. Given that consumeMapChanges() grabs the SelectorCache lock, we cannot introduce a new lock acquisition in any descendent function, otherwise it would introduce a deadlock in goroutines that follow that call path. This provides us the option to lock at some point from the sibling of consumeMapChanges() or higher in the call stack. As addNewRedirectsFromDesiredPolicy calls DenyPreferredInsertWithChanges both directly and indirectly (via ToMapState), it represents the lower bound of the call stack range where we can lock. The further up we traverse in the call stack, the greater the risk of a deadlock becomes, as more and more code now runs under the SelectorCache lock. Hence, we opt for locking at the lower bound, in addNewRedirectsFromDesiredPolicy.

Unfortunately, this function lives in pkg endpoint, not policy, and we thus need to allow pkg-external access to the SelectorCache mutex, which is not great. The only silver lining is that this hack has an expiration time, as it is not present on main.

Fixes: d68efba3de (endpoint: Remove GetLabelsLocked)
Co-authored-by: Tobias Klauser <tobias@cilium.io>
Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 16 November 2023, 13:08:36 UTC
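The locking discipline the commit above reasons about, as an added example that is not Cilium's code: a toy selector cache whose `GetNetsLocked` reads a map unsynchronised, a `consumeMapChanges` path that calls down into it while already holding the write lock (so no descendant may take the lock itself, since `sync.RWMutex` is not reentrant), and an `addNewRedirects` path that takes the read lock at the commit's "lower bound". All type and function names are hypothetical stand-ins for the Cilium functions they are modelled on; the CIDRs and identity names are constructed sample data.

```go
// Added example, not Cilium code: a minimal model of the SelectorCache locking
// discipline from the commit above. All names are hypothetical stand-ins.
package main

import (
	"fmt"
	"net"
	"sync"
)

// selectorCache keeps per-identity CIDRs behind an RWMutex. "Locked" methods
// read the map without locking and rely on the caller holding mu.
type selectorCache struct {
	mu   sync.RWMutex
	nets map[string][]*net.IPNet // identity name -> CIDRs
}

// GetNetsLocked is the unsynchronised map read from the crash's call stack.
func (sc *selectorCache) GetNetsLocked(id string) []*net.IPNet { return sc.nets[id] }

// UpdateIdentity is the concurrent map write, done under the exclusive lock.
func (sc *selectorCache) UpdateIdentity(id string, cidrs ...string) error {
	var parsed []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return err
		}
		parsed = append(parsed, n)
	}
	sc.mu.Lock()
	defer sc.mu.Unlock()
	sc.nets[id] = parsed
	return nil
}

// identityIsSupersetOf is true when every CIDR of b lies inside a CIDR of a.
// It reaches GetNetsLocked, so the caller must hold sc.mu; it cannot lock
// itself, because consumeMapChanges calls it with the write lock held and
// sync.RWMutex is not reentrant (an RLock here would deadlock).
func identityIsSupersetOf(sc *selectorCache, a, b string) bool {
	as, bs := sc.GetNetsLocked(a), sc.GetNetsLocked(b)
	if len(as) == 0 || len(bs) == 0 {
		return false
	}
next:
	for _, bn := range bs {
		bLen, _ := bn.Mask.Size()
		for _, an := range as {
			if aLen, _ := an.Mask.Size(); an.Contains(bn.IP) && aLen <= bLen {
				continue next
			}
		}
		return false
	}
	return true
}

// consumeMapChanges models ConsumeMapChanges: it mutates under the exclusive
// lock and calls down into identityIsSupersetOf while still holding it.
func consumeMapChanges(sc *selectorCache, id string, n *net.IPNet, against string) bool {
	sc.mu.Lock()
	defer sc.mu.Unlock()
	sc.nets[id] = append(sc.nets[id], n)
	return identityIsSupersetOf(sc, against, id)
}

// addNewRedirects models the fixed 1.12 path. Before the fix its body was just
// the final return; racing UpdateIdentity, that is the fatal "concurrent map
// read and map write" (go run -race flags it too). The RLock belongs in this
// frame, the commit's "lower bound": no lock holder ever calls into it.
func addNewRedirects(sc *selectorCache, a, b string) bool {
	sc.mu.RLock()
	defer sc.mu.RUnlock()
	return identityIsSupersetOf(sc, a, b)
}

// hammer runs a writer and the given reader concurrently and reports whether
// every read succeeded. Pass an unlocked reader to reproduce the crash.
func hammer(sc *selectorCache, reader func(*selectorCache, string, string) bool, n int) bool {
	ok := true
	done := make(chan struct{})
	go func() {
		defer close(done)
		for i := 0; i < n; i++ {
			ok = reader(sc, "world", "app") && ok
		}
	}()
	for i := 0; i < n; i++ {
		_ = sc.UpdateIdentity("app", "10.1.0.0/16", "10.2.0.0/24")
	}
	<-done
	return ok
}

func main() {
	sc := &selectorCache{nets: map[string][]*net.IPNet{}}
	_ = sc.UpdateIdentity("world", "10.0.0.0/8")
	_ = sc.UpdateIdentity("app", "10.1.0.0/16", "10.2.0.0/24")
	fmt.Println("addNewRedirects under a concurrent writer:", hammer(sc, addNewRedirects, 5000))
}
```

Running this with `go run -race .` is the practical check: the locked `addNewRedirects` is clean, while replacing its body with a bare call to `identityIsSupersetOf` reproduces either a race report or the runtime's fatal concurrent map access. The same detector also shows why the lock cannot be pushed lower: an `RLock` inside `identityIsSupersetOf` hangs the `consumeMapChanges` caller forever rather than racing.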
df576f3 ci-ipsec-upgrade: Do not run conn tests after installing Cilium [ upstream commit 1fe228197cc7685a10dd38461d7a4b77ea4b8a95 ] The same connectivity tests should be run by ci-ipsec-e2e. Suggested-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 15 November 2023, 20:31:02 UTC
3877d59 install: Update image digests for v1.12.16 Generated from https://github.com/cilium/cilium/actions/runs/6852674790.
`docker.io/cilium/cilium:v1.12.16@sha256:74d0c8d91821bf5fb7a7a7ad4acdebd6f74dd52ba1d1e3d40fa543a506a7ee14`
`quay.io/cilium/cilium:v1.12.16@sha256:74d0c8d91821bf5fb7a7a7ad4acdebd6f74dd52ba1d1e3d40fa543a506a7ee14`
`docker.io/cilium/clustermesh-apiserver:v1.12.16@sha256:de5b80e9c95c94e2605f9aaf59965c8c22dab80d94d34189adbe30e728476326`
`quay.io/cilium/clustermesh-apiserver:v1.12.16@sha256:de5b80e9c95c94e2605f9aaf59965c8c22dab80d94d34189adbe30e728476326`
`docker.io/cilium/docker-plugin:v1.12.16@sha256:74eb31f091fe94f62c423ca5eafa57006ff086901db7df26ce8d2aa0accb65e3`
`quay.io/cilium/docker-plugin:v1.12.16@sha256:74eb31f091fe94f62c423ca5eafa57006ff086901db7df26ce8d2aa0accb65e3`
`docker.io/cilium/hubble-relay:v1.12.16@sha256:503d39c3a2cb98d662f90c7952b58edbab1acff45abb212f8bb4c6ad607a7089`
`quay.io/cilium/hubble-relay:v1.12.16@sha256:503d39c3a2cb98d662f90c7952b58edbab1acff45abb212f8bb4c6ad607a7089`
`docker.io/cilium/operator-alibabacloud:v1.12.16@sha256:40a1e332e64735a5f91c2c286b738b200b7d96ceba1f9fd988dd9fcb818922bb`
`quay.io/cilium/operator-alibabacloud:v1.12.16@sha256:40a1e332e64735a5f91c2c286b738b200b7d96ceba1f9fd988dd9fcb818922bb`
`docker.io/cilium/operator-aws:v1.12.16@sha256:b29e4a4f6c068e3500cc2091c6c3bf144e704d60723a2c49ae43904ee414a37f`
`quay.io/cilium/operator-aws:v1.12.16@sha256:b29e4a4f6c068e3500cc2091c6c3bf144e704d60723a2c49ae43904ee414a37f`
`docker.io/cilium/operator-azure:v1.12.16@sha256:8226a2b106f76e7a37f20dd7216ba9bdd3bcbf5287a3b39ed21bcaffe34af21f`
`quay.io/cilium/operator-azure:v1.12.16@sha256:8226a2b106f76e7a37f20dd7216ba9bdd3bcbf5287a3b39ed21bcaffe34af21f`
`docker.io/cilium/operator-generic:v1.12.16@sha256:3132b821c1d3f617a1763ce32be8e42b33adfa8dbd267c7ec45f368794c5dcae`
`quay.io/cilium/operator-generic:v1.12.16@sha256:3132b821c1d3f617a1763ce32be8e42b33adfa8dbd267c7ec45f368794c5dcae`
`docker.io/cilium/operator:v1.12.16@sha256:076351699a55ec3b48753615cb24edb120e8fd8578d8a382fb01353de39d75b9`
`quay.io/cilium/operator:v1.12.16@sha256:076351699a55ec3b48753615cb24edb120e8fd8578d8a382fb01353de39d75b9`
Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 13 November 2023, 17:33:23 UTC
6b7226a Prepare for release v1.12.16 Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 13 November 2023, 15:22:28 UTC