https://github.com/cilium/cilium
- HEAD
- refs/heads/1.2.7-hotfix1-fqdn-regen
- refs/heads/EndpointPolicyEnformcement
- refs/heads/all-scalability-improvements
- refs/heads/beta/service-mesh
- refs/heads/bpf-metrics
- refs/heads/brb/brb-patch-2
- refs/heads/cilium-envoy-crd-pre-beta
- refs/heads/cilium-no-gopath
- refs/heads/cli-upgrade-v1.12-ci-test
- refs/heads/clustermesh511-upgrade-test
- refs/heads/committers-codeowners
- refs/heads/debug
- refs/heads/dev/joe/v1.8-with-hostfw-fixes
- refs/heads/enable_cnp_latency
- refs/heads/encrypt-node-fixes
- refs/heads/ensure-macos-build-succeeds
- refs/heads/envoy-policy-precedence
- refs/heads/envoy-warnings-cleanup
- refs/heads/extension-mysql
- refs/heads/feature/cep-scalability
- refs/heads/feature/devices-and-addresses
- refs/heads/feature/devices-reconciliation-v1.16
- refs/heads/feature/main/svc-icmp-response
- refs/heads/feature/service-refactor
- refs/heads/feature/service-refactor-fresh
- refs/heads/feature/v1.11/beta-test
- refs/heads/feature/v1.11/k8s-ingress
- refs/heads/fix-iphealth
- refs/heads/fqdn-fixl3-wildcard
- refs/heads/fristonio/iptables-manager-fix
- refs/heads/ft/main/chancez/push-dev-charts
- refs/heads/ft/main/push_chart_stable_branches_fix
- refs/heads/ft/main/test_push_chart_updates
- refs/heads/gce-example
- refs/heads/gh-readonly-queue/main/pr-27509-78a5f177693fb443cd946441f45826bf7fa2437a
- refs/heads/ginkgo-better-timeout
- refs/heads/graduation
- refs/heads/hf/main/ipam-pools-build-230605
- refs/heads/hf/master/v1.12-rc2-health-dbg-v1
- refs/heads/hf/master/wg-fix-ipam-k8s-v2
- refs/heads/hf/v1.10/cls-prio2
- refs/heads/hf/v1.10/debug-taint-removal
- refs/heads/hf/v1.10/v1.10.10-with-19452
- refs/heads/hf/v1.10/v1.10.2-fix-ipsec-ep-routes
- refs/heads/hf/v1.10/v1.10.5-with-identity-leak-fix
- refs/heads/hf/v1.10/v1.10.7-additional-logs
- refs/heads/hf/v1.10/v1.10.7-exclude-local
- refs/heads/hf/v1.10/v1.10.7-exclude-loopback
- refs/heads/hf/v1.10/v1.10.7-extra-logs
- refs/heads/hf/v1.10/v1.10.7-more-logs
- refs/heads/hf/v1.10/v1.10.8-deadlock-and-complexity-fix
- refs/heads/hf/v1.10/v1.10.8-deadlock-fix
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v3
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v4
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v5
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v6
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v7
- refs/heads/hf/v1.11/1.11.4-custom-taint
- refs/heads/hf/v1.11/19247-custom-taint-key
- refs/heads/hf/v1.11/dbg-svc-restore
- refs/heads/hf/v1.11/v1.11.16-fix-xfrm-leak
- refs/heads/hf/v1.11/v1.11.16-fix-xfrm-leak-eni-attach-and-logging
- refs/heads/hf/v1.11/v1.11.16-fix-xfrm-leak-eni-attachment
- refs/heads/hf/v1.11/v1.11.3-with-19259
- refs/heads/hf/v1.11/v1.11.4-custom-taint
- refs/heads/hf/v1.11/v1.11.5-and-19247-eed5544
- refs/heads/hf/v1.11/xdp-multidev-v1
- refs/heads/hf/v1.11/xdp-multidev-v2-ipcache-fix
- refs/heads/hf/v1.12/next-net-v1
- refs/heads/hf/v1.12/v1.12.18-994
- refs/heads/hf/v1.12/v1.12.3-debug-k8s-heartbeat
- refs/heads/hf/v1.12/v1.12.3-debug-k8s-heartbeat-v2
- refs/heads/hf/v1.13/bpf-sock-l7-fix
- refs/heads/hf/v1.13/v1.13.12-without-deny-precedence
- refs/heads/hf/v1.13/v1.13.14-without-deny-precedence
- refs/heads/hf/v1.13/v1.13.14-without-deny-precedence-debug
- refs/heads/hf/v1.13/v1.13.14-without-deny-precedence-with-xfrm-fix
- refs/heads/hf/v1.13/v1.13.2-with-24875
- refs/heads/hf/v1.13/v1.13.3-with-26242
- refs/heads/hf/v1.14/cidr-identity-refcnt-fix
- refs/heads/hf/v1.14/v1.14-with-27327
- refs/heads/hf/v1.7/v1.7.15-with-neighbor-fix
- refs/heads/hf/v1.7/v1.7.15-with-neighbor-fix-2
- refs/heads/hf/v1.8/v1.8.13-with-19452
- refs/heads/hf/v1.8/v1.8.6-eni-cidr-fix-1
- refs/heads/hf/v1.8/v1.8.6-eni-cidr-fix-15303
- refs/heads/hf/v1.8/v1.8.7-with-fqdn-underscore-fix
- refs/heads/hf/v1.8/v1.8.8-eni-cidr-fix-1
- refs/heads/hf/v1.8/v1.8.8-with-encrypt-fixes
- refs/heads/hf/v1.9/v1.9.8-azure-ipam-fix
- refs/heads/hf/v1.9/v1.9.9-azure-pod-egress-fix
- refs/heads/images/runtime/20210830
- refs/heads/ipc-demo
- refs/heads/ktls-tx-only
- refs/heads/ktls-tx-only-v2
- refs/heads/ktls-tx-rx
- refs/heads/ktls-tx-rx-v2
- refs/heads/ktls-tx-rx-v3
- refs/heads/ktls-tx-rx-v4
- refs/heads/ktls-tx-rx-v5
- refs/heads/ldelossa/feat/bgp-control-plane
- refs/heads/ldelossa/segment-makefiles
- refs/heads/ldelossa/segment-makefiles-v2
- refs/heads/ldelossa/srv6-encap-fib
- refs/heads/lizrice/pr/cli-confusion
- refs/heads/main
- refs/heads/multi-stack-dev-vm
- refs/heads/pr/1-9-ci-test
- refs/heads/pr/aanm-update-k8s-conformance
- refs/heads/pr/aanm/bisect
- refs/heads/pr/aanm/test-31027
- refs/heads/pr/add-controller-identity
- refs/heads/pr/aditighag/lrp-skip-lb
- refs/heads/pr/asauber/link-local-as-host
- refs/heads/pr/asauber/max-ifindex-metric
- refs/heads/pr/avoid-ct-for-dsr
- refs/heads/pr/backend-state
- refs/heads/pr/bbb-cpy
- refs/heads/pr/bimmlerd/modularize-bandwidth-manager
- refs/heads/pr/bimmlerd/v1.12-backport-quay-org-from-env
- refs/heads/pr/bounded-loops
- refs/heads/pr/bpf-based-masquerading
- refs/heads/pr/bpf-edt-proxy
- refs/heads/pr/brb/arping-nexthop
- refs/heads/pr/brb/arping-via-gw
- refs/heads/pr/brb/auto-multi-dev-v2
- refs/heads/pr/brb/backport-1.8.5-nat-gc
- refs/heads/pr/brb/bpf-host-routing-wg
- refs/heads/pr/brb/bpf-lxc-no-redirect
- refs/heads/pr/brb/bpf-masq-no-socket-lb
- refs/heads/pr/brb/bpf-masq-veth
- refs/heads/pr/brb/bpf-multihoming
- refs/heads/pr/brb/cgroup-v2-test
- refs/heads/pr/brb/check-errors-in-logs
- refs/heads/pr/brb/check-wg
- refs/heads/pr/brb/ci
- refs/heads/pr/brb/ci-1111
- refs/heads/pr/brb/ci-2
- refs/heads/pr/brb/ci-4.19
- refs/heads/pr/brb/ci-arping-flake
- refs/heads/pr/brb/ci-bigtcp
- refs/heads/pr/brb/ci-bpf-netdev-without-egress
- refs/heads/pr/brb/ci-cleanup-svc
- refs/heads/pr/brb/ci-dbg-conformance-kind
- refs/heads/pr/brb/ci-dbg-external
- refs/heads/pr/brb/ci-dbg-flake-from-outside
- refs/heads/pr/brb/ci-demo
- refs/heads/pr/brb/ci-disable-ces-for-egress-gw
- refs/heads/pr/brb/ci-dp-disable-bpf-host-routing
- refs/heads/pr/brb/ci-dp-hubble-flows
- refs/heads/pr/brb/ci-dp-more-diversity
- refs/heads/pr/brb/ci-dp-v1.13
- refs/heads/pr/brb/ci-dp-v6
- refs/heads/pr/brb/ci-dp-verifier
- refs/heads/pr/brb/ci-e2e-enable-debug-ipsec
- refs/heads/pr/brb/ci-e2e-geneve-dsr
- refs/heads/pr/brb/ci-e2e-helm-mode-v1.13
- refs/heads/pr/brb/ci-e2e-lvh-retry
- refs/heads/pr/brb/ci-e2e-more-nodes
- refs/heads/pr/brb/ci-e2e-new-cli
- refs/heads/pr/brb/ci-e2e-nft
- refs/heads/pr/brb/ci-e2e-unsafe
- refs/heads/pr/brb/ci-e2e-unsafe-v2
- refs/heads/pr/brb/ci-e2e-upgrade-tests
- refs/heads/pr/brb/ci-e2e-upgrade-tests-ipsec
- refs/heads/pr/brb/ci-early-terminate-conn-disrupt
- refs/heads/pr/brb/ci-eks-ipsec-upgrade
- refs/heads/pr/brb/ci-encrypt-l7
- refs/heads/pr/brb/ci-fix-ip-masq-dry-run
- refs/heads/pr/brb/ci-ipsec-upgrade-fix
- refs/heads/pr/brb/ci-ipsec-upgrade-missed-tail-calls
- refs/heads/pr/brb/ci-ipsec-upgrade-v1.13
- refs/heads/pr/brb/ci-ipsec-upgrade-vol2
- refs/heads/pr/brb/ci-keep-missed-tail-calls
- refs/heads/pr/brb/ci-l7-nodeport
- refs/heads/pr/brb/ci-lvh-4.19
- refs/heads/pr/brb/ci-lvh-5.4
- refs/heads/pr/brb/ci-lvh-5.4-v2
- refs/heads/pr/brb/ci-lvh-bpf-next
- refs/heads/pr/brb/ci-no-self-hosted
- refs/heads/pr/brb/ci-pass-kernel-env
- refs/heads/pr/brb/ci-prepull-l4lb
- refs/heads/pr/brb/ci-refactor-svc-suite
- refs/heads/pr/brb/ci-rm-smoke-tests
- refs/heads/pr/brb/ci-sanity
- refs/heads/pr/brb/ci-test
- refs/heads/pr/brb/ci-test-2
- refs/heads/pr/brb/ci-test-k8s-vsn-swap
- refs/heads/pr/brb/ci-test-large-runners
- refs/heads/pr/brb/ci-uffff
- refs/heads/pr/brb/ci-upgrade-vol-2
- refs/heads/pr/brb/ci-upgrade-vol-3
- refs/heads/pr/brb/ci-wg-mtu
- refs/heads/pr/brb/ci-wg-mtu-vol2
- refs/heads/pr/brb/cilium-host-v6-from-ipam
- refs/heads/pr/brb/cli-bump-test
- refs/heads/pr/brb/datapath-loop-dbg
- refs/heads/pr/brb/dbg-ci
- refs/heads/pr/brb/dbg-conformance-gke
- refs/heads/pr/brb/dbg-master-np-vxlan-ipcache-ci
- refs/heads/pr/brb/debug-nodeport-bpf-flake
- refs/heads/pr/brb/do-not-derive-pod-cidrs-from-dev
- refs/heads/pr/brb/do-not-query-dev-for-arping
- refs/heads/pr/brb/docs-clarify-egress-gw-ip-addr-dp
- refs/heads/pr/brb/drop-notify
- refs/heads/pr/brb/dsr
- refs/heads/pr/brb/dsr-v2
- refs/heads/pr/brb/dualstack-ci
- refs/heads/pr/brb/enable-ipv6-per-endpoint-routes
- refs/heads/pr/brb/enable-route-mtu-cni
- refs/heads/pr/brb/fib-lookup-src
- refs/heads/pr/brb/fix-backend-id-u32
- refs/heads/pr/brb/fix-ci-dp-deprecation-warn
- refs/heads/pr/brb/fix-clang-vsn-regexp
- refs/heads/pr/brb/fix-egress-ip-16147
- refs/heads/pr/brb/fix-external-ip-dp
- refs/heads/pr/brb/fix-maglev-del
- refs/heads/pr/brb/fix-nodeport-hostnetns
- refs/heads/pr/brb/fix-stale-dsr
- refs/heads/pr/brb/fix-svc-backend-selection
- refs/heads/pr/brb/fix-third-host
- refs/heads/pr/brb/gh-action-cgr
- refs/heads/pr/brb/gh-action-lvh
- refs/heads/pr/brb/gh-install-cli-backup
- refs/heads/pr/brb/ginkgo-kpr-strict
- refs/heads/pr/brb/ginkgo-rm-update-tests
- refs/heads/pr/brb/go-crazy
- refs/heads/pr/brb/hubble-tcp-ack-seq-no
- refs/heads/pr/brb/improve-svc-restore
- refs/heads/pr/brb/istio-getsockopt
- refs/heads/pr/brb/it-cannot-be-truth
- refs/heads/pr/brb/kpr-svc-mesh
- refs/heads/pr/brb/kubeproxy-free-ci
- refs/heads/pr/brb/l7-np-bpf
- refs/heads/pr/brb/l7-rerevert
- refs/heads/pr/brb/lets-be-friends-with-ipsec
- refs/heads/pr/brb/lvh-kind-127
- refs/heads/pr/brb/lvh-kind-ipsec-upgrade
- refs/heads/pr/brb/meyskens/auth-ep-gc-locks
- refs/heads/pr/brb/multi-network
- refs/heads/pr/brb/no-cache-snat
- refs/heads/pr/brb/no-rev-nat-bpf-lxc-ingress
- refs/heads/pr/brb/node-id-per-fam
- refs/heads/pr/brb/nodeport-xlr-flag
- refs/heads/pr/brb/perf-wg
- refs/heads/pr/brb/pin-lvh
- refs/heads/pr/brb/push-ci-charts
- refs/heads/pr/brb/pwru
- refs/heads/pr/brb/rm-arping-l2-addr-check
- refs/heads/pr/brb/rm-no-redirect
- refs/heads/pr/brb/rm-np-deadcode
- refs/heads/pr/brb/rm-partial-host-svc
- refs/heads/pr/brb/rm-test-gke
- refs/heads/pr/brb/test-bpf-masq
- refs/heads/pr/brb/test-ci-e2e
- refs/heads/pr/brb/test-ci-e2e-v1.13
- refs/heads/pr/brb/test-kind
- refs/heads/pr/brb/third-host-more-pain
- refs/heads/pr/brb/timing-l4lb-gh-action
- refs/heads/pr/brb/triage-flake-v2
- refs/heads/pr/brb/triage-lb-flake
- refs/heads/pr/brb/unquarantine-svc
- refs/heads/pr/brb/v1.10-istio-snat
- refs/heads/pr/brb/v1.12-ci-e2e
- refs/heads/pr/brb/v1.12-ci-ipsec-upgrade
- refs/heads/pr/brb/v1.12-test-ipsec-upgrade
- refs/heads/pr/brb/v1.13-ci-e2e
- refs/heads/pr/brb/v1.13-remote-np
- refs/heads/pr/brb/v1.13-upgrade-fixes
- refs/heads/pr/brb/v1.14-ci-e2e-upgrade
- refs/heads/pr/brb/v1.14-drop-notify
- refs/heads/pr/brb/v1.15-enable-route-mtu-cni
- refs/heads/pr/brb/v1.6.9-iptables-W
- refs/heads/pr/brb/v1.8-fix-icmp-port-check
- refs/heads/pr/brb/wg-duplicate-node-ip
- refs/heads/pr/brb/wg-encrypt-node-test
- refs/heads/pr/brb/wg-hack
- refs/heads/pr/brb/wg-ipam-fix
- refs/heads/pr/brb/wg-kpr
- refs/heads/pr/brb/wg-test
- refs/heads/pr/brb/wip
- refs/heads/pr/brb/wip-ci
- refs/heads/pr/brb/wip-sync-policy-map
- refs/heads/pr/brb/xdp-egress-gw
- refs/heads/pr/brb/xdp-multidev-with-bpf-multihoming
- refs/heads/pr/brb/xdp-multidev-with-bpf-multihoming-v2
- refs/heads/pr/bruno/sleepy-pawn
- refs/heads/pr/bugtool-systemd
- refs/heads/pr/bwm-base2
- refs/heads/pr/bwm-fq
- refs/heads/pr/bwm-priority
- refs/heads/pr/chancez/add_hubble_l7_dashboard_prometheus_example
- refs/heads/pr/chancez/fix_websocket_l7_policies
- refs/heads/pr/chancez/flow_filter_namespace
- refs/heads/pr/chancez/hubble_metrics_tls_docs
- refs/heads/pr/chancez/hubble_plus_plus
- refs/heads/pr/chancez/static_peers_hubble_relay
- refs/heads/pr/christarazi/controlplane-fqdn
- refs/heads/pr/christarazi/ipcache-async-cep-pods-namedports
- refs/heads/pr/christarazi/prep-from-cidr-tests
- refs/heads/pr/ci-k8s-1.30
- refs/heads/pr/datapath-opt
- refs/heads/pr/dbkm/nodeport-lb
- refs/heads/pr/debug-dns-timeout
- refs/heads/pr/eproutes-redir
- refs/heads/pr/example/neigh-state-manager
- refs/heads/pr/fastdp
- refs/heads/pr/fastdp2
- refs/heads/pr/feroz/allow-sbom-read
- refs/heads/pr/feroz/set-container-scan-failure-flag
- refs/heads/pr/fib-consolidation
- refs/heads/pr/fix-aks-workflow
- refs/heads/pr/fix-k8s-all-sha1
- refs/heads/pr/fix-net-next-1.16
- refs/heads/pr/fix-pod-pacing
- refs/heads/pr/fix-tail-call-replace
- refs/heads/pr/fristonio/feat-19038
- refs/heads/pr/fristonio/fix-istio-k8sT
- refs/heads/pr/fristonio/ipv6-masquerading
- refs/heads/pr/fristonio/test-dual-stack
- refs/heads/pr/fristonio/test-ipv6-dualstack
- refs/heads/pr/gandro+brb/fix-monitor-aggregation-np-v2
- refs/heads/pr/gandro+brb/mv-trace-point-to-rev-nodeport
- refs/heads/pr/gandro+brb/wg-host-encryption-v3
- refs/heads/pr/gandro+brb/wg-host2host
- refs/heads/pr/gandro+brb/wg-host2host-kind
- refs/heads/pr/gandro/bump-hubble-2020-03-25
- refs/heads/pr/gandro/ci-conformance-multicluster-fix-log-gathering
- refs/heads/pr/gandro/ci-delete-crds-in-cleanupcomponents
- refs/heads/pr/gandro/ci-fix-status-if-workflows-are-skipped
- refs/heads/pr/gandro/ci-wait-for-all-relevant-images-do-not-merge-test
- refs/heads/pr/gandro/enable-hubble-by-default
- refs/heads/pr/gandro/portmap-refcount
- refs/heads/pr/gandro/re-enable-wireguard-in-multicluster-ci
- refs/heads/pr/gandro/svc-healthchecknodeport
- refs/heads/pr/gc-on-svc-update
- refs/heads/pr/getname-hooks
- refs/heads/pr/giorio94/1.14/test-cilium-cli-2184
- refs/heads/pr/giorio94/main/cluster-name-validation-strict
- refs/heads/pr/giorio94/main/clustermesh-deprecated-cleanup
- refs/heads/pr/giorio94/main/gha-cl2-agents-pprof
- refs/heads/pr/giorio94/main/gha-cl2-compress-agent-pprofs
- refs/heads/pr/giorio94/main/gha-cluster-name
- refs/heads/pr/giorio94/main/gha-conformance-clustermesh-lb
- refs/heads/pr/giorio94/main/test-cilium-cli-2184
- refs/heads/pr/giorio94/main/tests-clustermesh-upgrade-interrupted
- refs/heads/pr/gray/30837-with-pwru
- refs/heads/pr/gray/main/connectivity-wg-proxy-nodeport
- refs/heads/pr/gray/main/decouple-ipsec-gh-actions
- refs/heads/pr/gray/main/egress-proxy-ipsec-fix2
- refs/heads/pr/gray/main/fix-leak-detection-race
- refs/heads/pr/gray/main/xfrm-delete-flake
- refs/heads/pr/gray/main/xfrm-delete-flake2
- refs/heads/pr/gray/pwru-action
- refs/heads/pr/gray/v1.15/decouple-ipsec-gh-actions
- refs/heads/pr/health
- refs/heads/pr/health-data-path
- refs/heads/pr/hubble-tls-cert-gen-via-k8s-job
- refs/heads/pr/ianvernon/kvstore-client-type
- refs/heads/pr/ianvernon/kvstore-context
- refs/heads/pr/ianvernon/more-endpoint-cleanup
- refs/heads/pr/ianvernon/resolve-cidr-policy-perf-improvement
- refs/heads/pr/increase-verifier-test-build-timeout
- refs/heads/pr/ipip
- refs/heads/pr/ipip-encap
- refs/heads/pr/ipip-encap2
- refs/heads/pr/ipip2
- refs/heads/pr/ipip4
- refs/heads/pr/ipip6
- refs/heads/pr/jibi/differentiate-udp-tcp-svcs-take-4
- refs/heads/pr/jibi/fix-differentiate-udp-tcp-svc-upgrade
- refs/heads/pr/jibi/ip-list-contains-addr
- refs/heads/pr/joamaki/gather-network-info
- refs/heads/pr/joamaki/idless-service-restapi
- refs/heads/pr/joe/ariane-scheduled-cilium-only
- refs/heads/pr/joe/backport-28007-1.11
- refs/heads/pr/joe/bump-ginkgo-seed
- refs/heads/pr/joe/docker-build-log-tracing
- refs/heads/pr/joe/ipcache-cidr-policy
- refs/heads/pr/joe/lost-identity
- refs/heads/pr/joe/policymap-format-test
- refs/heads/pr/joe/ready-to-merge
- refs/heads/pr/joe/release-codeowners
- refs/heads/pr/joe/sw-quay
- refs/heads/pr/joe/test-labeler
- refs/heads/pr/joe/test-lvh-fix
- refs/heads/pr/joe/v1.13-stability-check
- refs/heads/pr/joe/v1.7-dev-env
- refs/heads/pr/jrajahalme/gh-filter-test-files
- refs/heads/pr/jrfastab/backport-ooo-ipsec-fixes
- refs/heads/pr/jrfastab/backport-v111-loopback
- refs/heads/pr/jrfastab/backport-v115
- refs/heads/pr/jrfastab/dbgNodeId
- refs/heads/pr/jrfastab/dbgNodeId111
- refs/heads/pr/jrfastab/dbgNodeId111v2
- refs/heads/pr/jrfastab/dbgv114
- refs/heads/pr/jrfastab/eks-encrypt-ipamupdate
- refs/heads/pr/jrfastab/fix-encrypt-subnets
- refs/heads/pr/jrfastab/fix-ixsec-vxlan-remoteIP
- refs/heads/pr/jrfastab/fixes-ipsec-init
- refs/heads/pr/jrfastab/v1.8-fix-ipsec-vxlan-remoteIP
- refs/heads/pr/jrfastab/v1.9-fix-ipsec-vxlan-remoteIP
- refs/heads/pr/jrfastab/v111-debug-ooo
- refs/heads/pr/jrfastab/v111-debug-ooo-v2
- refs/heads/pr/jwi/main/ipsec-rhel8
- refs/heads/pr/jwi/v1.14/ci-ipsec
- refs/heads/pr/jwi/v1.15/bpf-complexity
- refs/heads/pr/jwi/v1.15/ci-ipsec
- refs/heads/pr/k8s-nat46x64
- refs/heads/pr/k8s-nat46x64-2
- refs/heads/pr/kaworu/helm-hubble-cli.yaml
- refs/heads/pr/kkourt/azure-ipam-test-race
- refs/heads/pr/kkourt/bpftool-update
- refs/heads/pr/kkourt/ct-rst-timeout-wip
- refs/heads/pr/kkourt/v1.11-backport-2022-01-26
- refs/heads/pr/kkourt/v1.9-lxc-complexity
- refs/heads/pr/l4lb-improvements-tmp
- refs/heads/pr/learnitall/ginkgo-race-workflow
- refs/heads/pr/learnitall/test-startup-script-changes
- refs/heads/pr/lmb/1.14-cni
- refs/heads/pr/lmb/1.15-cni
- refs/heads/pr/lmb/update-cni-plugin
- refs/heads/pr/marga/v1.11-without-deny-precedence
- refs/heads/pr/marseel/scale_test_1_15
- refs/heads/pr/max/upgrade-llvm-18-1-6
- refs/heads/pr/mhofstetter/guestbook-registry
- refs/heads/pr/mhofstetter/junit-fetch-nullglob
- refs/heads/pr/mhofstetter/ssh-store-consolelog
- refs/heads/pr/mhofstetter/test-ingress
- refs/heads/pr/michi/circular-struggle
- refs/heads/pr/michi/clustermesh
- refs/heads/pr/michi/crdregister
- refs/heads/pr/michi/debug
- refs/heads/pr/michi/description
- refs/heads/pr/michi/dns-refactor12
- refs/heads/pr/michi/ipsec-workflows
- refs/heads/pr/michi/l7drop
- refs/heads/pr/michi/majestic-ketchup
- refs/heads/pr/michi/mega-ketchup
- refs/heads/pr/michi/peerapi
- refs/heads/pr/michi/rest
- refs/heads/pr/michi/scaletest
- refs/heads/pr/michi/sleep-on-it
- refs/heads/pr/michi/test
- refs/heads/pr/michi/weekly-bot
- refs/heads/pr/monitor-wait-ci
- refs/heads/pr/move-image-to-one-repo
- refs/heads/pr/nat-gw-tests
- refs/heads/pr/nathanjsweet/add-complex-allow-test-to-policy-map-tests
- refs/heads/pr/nathanjsweet/add-lockdown-mode-for-policy-map-overflows
- refs/heads/pr/nathanjsweet/differentiate-protocol-in-services
- refs/heads/pr/nathanjsweet/node-port-addresses
- refs/heads/pr/nathanjsweet/refactor-mapstate
- refs/heads/pr/nathanjsweet/update-k8s-control-plane-tests-to-1-27
- refs/heads/pr/nebril/add-dns-concurrency-limit
- refs/heads/pr/nebril/fix-precheck
- refs/heads/pr/nebril/fqdn-proxy-ha
- refs/heads/pr/nebril/fqdn-proxy-interface
- refs/heads/pr/nebril/gke-workflow-migrate-from-cli
- refs/heads/pr/nebril/quarantine-1.14-nodeport
- refs/heads/pr/nebril/test-bottlerocket
- refs/heads/pr/nebril/test-helm-gke-fix
- refs/heads/pr/nebril/test-our-ghaction-shenanigans
- refs/heads/pr/nebril/test-rebase-helm
- refs/heads/pr/nebril/trololo
- refs/heads/pr/nebril/update-cli-9.1-test
- refs/heads/pr/netkit
- refs/heads/pr/netkit3
- refs/heads/pr/netns-switch
- refs/heads/pr/netns-switch-no-peer
- refs/heads/pr/nodeport-fix
- refs/heads/pr/nodeport-improvements2
- refs/heads/pr/nodeport-nat-improvements
- refs/heads/pr/nodeport-nat-improvements2
- refs/heads/pr/nodeport-retry-sport
- refs/heads/pr/pchaigno/deprecate-bpf_network-f
- refs/heads/pr/pchaigno/fix-4.19-bpf-program-size
- refs/heads/pr/pchaigno/hotfix1-ipsec-fix
- refs/heads/pr/pchaigno/hotfix1-ipsec-fix-brb-v0
- refs/heads/pr/pchaigno/optim-complexity-ipcache-lookup
- refs/heads/pr/pchaigno/rework-config-probes
- refs/heads/pr/pchaigno/tmp-base-branch
- refs/heads/pr/pin-1.10-workflows-k8s-version
- refs/heads/pr/pin-1.11-workflows-k8s-version
- refs/heads/pr/pin-1.12-workflows-k8s-version
- refs/heads/pr/pin-1.13-workflows-k8s-version
- refs/heads/pr/pin-cloud-provider-master-workflows
- refs/heads/pr/pr/fix-ipam-node-manager-semaphore-error-handling
- refs/heads/pr/publish-test-images
- refs/heads/pr/qmonnet/docs-20230224
- refs/heads/pr/qmonnet/docs-bump
- refs/heads/pr/qmonnet/ipsec/no-missed-tail-call-1.13
- refs/heads/pr/qmonnet/standalone-lb-docs
- refs/heads/pr/qmonnet/sync-joblists
- refs/heads/pr/rastislavs/bgp-e2e-test
- refs/heads/pr/ray/late-dns-proxy
- refs/heads/pr/rgo3/1.12-run-no-unexpected-drops-for-patch
- refs/heads/pr/rgo3/fix-k8s-vm-provisioning-1.13
- refs/heads/pr/rgo3/fix-missing-health-endpoint
- refs/heads/pr/rolinh/better-policy-verdict
- refs/heads/pr/rolinh/hubble-dump-all
- refs/heads/pr/rolinh/hubble-fix-maxflows-rounding
- refs/heads/pr/route-test
- refs/heads/pr/run-tests-in-parallel
- refs/heads/pr/scalability-crd-only
- refs/heads/pr/squeed/make-ccache
- refs/heads/pr/squeed/per-node-config
- refs/heads/pr/squeed/remote-cluster-leak
- refs/heads/pr/stacy/docs-update
- refs/heads/pr/tammach/accesslog-envoy
- refs/heads/pr/tammach/ci-cm
- refs/heads/pr/tammach/cleanup-helm-1.16
- refs/heads/pr/tammach/envoy-1.30
- refs/heads/pr/tammach/headless-service-flake
- refs/heads/pr/tammach/ingress-controller-e2e-config6
- refs/heads/pr/tammach/more-ingress-tests
- refs/heads/pr/tammach/rennovate-statedb
- refs/heads/pr/tammach/revert/fib-lookup
- refs/heads/pr/tammach/ubuntu-24.04
- refs/heads/pr/tammach/ubuntu-24.04-no-llvm
- refs/heads/pr/tc-np-test
- refs/heads/pr/tcx
- refs/heads/pr/tcx-helm
- refs/heads/pr/tcx-misc
- refs/heads/pr/test-419-ci
- refs/heads/pr/test-increase-update-delete-timeout
- refs/heads/pr/test-k8s-all-tests
- refs/heads/pr/test-lb-super-netperf
- refs/heads/pr/test-nightly
- refs/heads/pr/test-upstream-timeout
- refs/heads/pr/tgraf/chaos-testing
- refs/heads/pr/tgraf/clustermesh-stale-state
- refs/heads/pr/tgraf/eni-ipam
- refs/heads/pr/tgraf/new-endpoint-state
- refs/heads/pr/tgraf/new-policy
- refs/heads/pr/tgraf/remove-tunnel-map
- refs/heads/pr/tgraf/scoped-ipam
- refs/heads/pr/tgraf/sctp
- refs/heads/pr/tgraf/split-lxc-prog
- refs/heads/pr/thorn3r/cesBlanketTest
- refs/heads/pr/thorn3r/clustermesh511
- refs/heads/pr/tklauser/build-push-images-env-var
- refs/heads/pr/tommyp1ckles/debugging-aks-conformance
- refs/heads/pr/tp/add-logging-for-wait-for-pods-term-condition
- refs/heads/pr/tp/backport-31380
- refs/heads/pr/tp/bump-cilium-cli
- refs/heads/pr/tp/cleanup-ipam-ips-metric-docs
- refs/heads/pr/tp/complexity-issue-verifier-case-main
- refs/heads/pr/tp/dont-terminate-on-node-config-changee
- refs/heads/pr/tp/eps-modular-health
- refs/heads/pr/tp/fix-stuck-ginko-pod-v2
- refs/heads/pr/tp/forward-hubble-for-e2e
- refs/heads/pr/tp/forward-hubble-for-e2e-v2
- refs/heads/pr/tp/switch-1.24-eks-region
- refs/heads/pr/tp/switch-1.24-eks-region-v1.13
- refs/heads/pr/tp/use-helm-default-vars-for-clustermesh-downgrade-c1
- refs/heads/pr/tweak-github-action-ref
- refs/heads/pr/twpayne/hubble-recent-events-buffer
- refs/heads/pr/twpayne/hubble-ring-buffer-benchmarks
- refs/heads/pr/update-azure
- refs/heads/pr/update-readme-for-releases
- refs/heads/pr/update-tm-network
- refs/heads/pr/v1.10-backport-2022-06-13
- refs/heads/pr/v1.10-backport-2022-10-03
- refs/heads/pr/v1.10-eni-stability-improvements-v1
- refs/heads/pr/v1.10-neigh-clean
- refs/heads/pr/v1.11-backport-2022-10-03
- refs/heads/pr/v1.11-test/issue-692
- refs/heads/pr/v1.12-backport-2023-10-10
- refs/heads/pr/v1.12-test/issue-692
- refs/heads/pr/v1.13-backport-2023-10-31
- refs/heads/pr/v1.13-backport-2024-04-22-03-42
- refs/heads/pr/v1.13-test/issue-692
- refs/heads/pr/v1.14-backport-2024-06-18-02-46
- refs/heads/pr/v1.14.1
- refs/heads/pr/v1.7-stability-test
- refs/heads/pr/v1.7.9-hf-13205
- refs/heads/pr/v3-cpu
- refs/heads/pr/v6-host-addr2
- refs/heads/pr/vk/bpf/tests/csum
- refs/heads/pr/vk/ci/test/concurrent/run
- refs/heads/pr/vk/doc/ipsec
- refs/heads/pr/vk/ipsec/key/rotate
- refs/heads/pr/vk/test/ipsec/tests/concurrent/run
- refs/heads/pr/wip/bijective-nodemap
- refs/heads/regex_improved
- refs/heads/renovate/v1.13-all-dependencies
- refs/heads/renovate/v1.14-all-dependencies
- refs/heads/renovate/v1.15-aanm-test
- refs/heads/renovate/v1.15-all-dependencies
- refs/heads/renovate/v1.16-cilium-cli
- refs/heads/renovate/v1.16-go
- refs/heads/revert-29086-2023-11-09-backport-1.14
- refs/heads/revert-33302-policy-catch-invalid-port-wildcard
- refs/heads/rib
- refs/heads/run-ci-wihout-building-cilium
- refs/heads/sh-dep-test-l4lb
- refs/heads/sidecar-http-proxy
- refs/heads/sockmap-v5
- refs/heads/sockops-build-fix
- refs/heads/tam/integration-tests
- refs/heads/tam/more-ingress-tests
- refs/heads/tb/bpf-remove-bear
- refs/heads/test-branch
- refs/heads/test-ipsec
- refs/heads/test-sig-bgp-notifs
- refs/heads/test/brlbil/upload
- refs/heads/test/skip-workflows
- refs/heads/tgraf/process-policy
- refs/heads/thorn3r/cesScaleTest
- refs/heads/thorn3rCES
- refs/heads/tinker/learnitall/scale-test-1
- refs/heads/tinker/learnitall/scale-test-2
- refs/heads/tklauser+brb/wip/multi-homing
- refs/heads/unit-test-ipsec
- refs/heads/v0.10
- refs/heads/v0.11
- refs/heads/v0.12
- refs/heads/v0.13
- refs/heads/v0.8
- refs/heads/v0.9
- refs/heads/v1.0
- refs/heads/v1.0.0-rc2
- refs/heads/v1.0.0-rc3
- refs/heads/v1.1
- refs/heads/v1.10
- refs/heads/v1.11
- refs/heads/v1.12
- refs/heads/v1.12.11-base
- refs/heads/v1.13
- refs/heads/v1.14
- refs/heads/v1.15
- refs/heads/v1.16
- refs/heads/v1.2
- refs/heads/v1.3
- refs/heads/v1.3.1
- refs/heads/v1.3.1-release
- refs/heads/v1.3.7-release
- refs/heads/v1.4
- refs/heads/v1.4.5-release
- refs/heads/v1.5
- refs/heads/v1.5.2-rc1-with-clusterip-fix
- refs/heads/v1.5.4-release
- refs/heads/v1.6
- refs/heads/v1.7
- refs/heads/v1.7.9-1
- refs/heads/v1.7.9.1
- refs/heads/v1.8
- refs/heads/v1.9
- refs/heads/verify-external-workload-dns-setup-redux
- refs/heads/vladu/identity-type-metrics
- refs/heads/weavescope
- refs/heads/wip-ktls-tx-rx
- refs/heads/wip-sockmap
- refs/heads/wip-sockmap-v2
- refs/heads/wip-sockmap-v3
- refs/heads/wip-sockmap-v4
- refs/heads/xfrm-subnet-test
- refs/heads/yutaro/bgp-cplane-etp-local/doc
- refs/heads/yutaro/oss/eni-overlapping-mark
- refs/remotes/bruno/hf/v1.10/v1.10.3-bpf-snat-and-masq-fixes
- refs/remotes/joe/submit/quarantine-etcd
- refs/remotes/origin/1.2-backports-18-09-12
- refs/remotes/origin/ipvlan3
- refs/remotes/origin/pr/add-reserved-health
- refs/remotes/origin/pr/brb/nodeport-lb
- refs/remotes/origin/pr/ianvernon/5859
- refs/remotes/origin/pr/ianvernon/dynamic-ep-cfg
- refs/remotes/origin/pr/tgraf/kube-dns-fixed-identity
- refs/semaphoreci/6384f501b324813e55cfbe818c04a40f2a923765
- refs/semaphoreci/7f69b285bac8a1be414e8769799962ae1408d9e1
- refs/semaphoreci/b5eb6622da121ad36b8f375a084392f7feeec64a
- refs/semaphoreci/d9e7e28f39d34a7050a9c1cad2a26d84f5f4eff1
- refs/semaphoreci/f55ec535d85f387ef981265967fabb3c1b5f1ec6
- refs/tags/0.10.1
- refs/tags/1.1.1
- refs/tags/1.9.0-rc0
- refs/tags/v0.11
- refs/tags/v0.12.0
- refs/tags/v0.13.1
- refs/tags/v0.8.0
- refs/tags/v0.8.1
- refs/tags/v0.8.2
- refs/tags/v0.9.0
- refs/tags/v0.9.0-rc1
- refs/tags/v1.0.0-rc2
- Branches list truncated to 687 entries, 4 were omitted.
- v1.0.0-rc14
- v1.0.0-rc13
- v1.0.0-rc11
- v1.0.0-rc10
- v1.0.0-rc1
- v1.0.0
- v0.13.9
- v0.13.8
- v0.13.7
- v0.13.6
- v0.13.5
- v0.13.4
- v0.13.3
- v0.13.28
- v0.13.25
- v0.13.24
- v0.13.23
- v0.13.22
- v0.13.21
- v0.13.20
- v0.13.2
- v0.13.19
- v0.13.18
- v0.13.17
- v0.13.16
- v0.13.15
- v0.13.14
- v0.13.13
- v0.13.12
- v0.13.11
- v0.13.10
- v0.10.0
- 1.9.9
- 1.9.8
- 1.9.7
- 1.9.6
- 1.9.5
- 1.9.4
- 1.9.3
- 1.9.2
- 1.9.18
- 1.9.17
- 1.9.16
- 1.9.15
- 1.9.14
- 1.9.13
- 1.9.12
- 1.9.11
- 1.9.10
- 1.9.1
- 1.9.0-rc3
- 1.9.0-rc2
- 1.9.0-rc1
- 1.9.0
- 1.8.9
- 1.8.8
- 1.8.7
- 1.8.6
- 1.8.5
- 1.8.4
- 1.8.3
- 1.8.2
- 1.8.13
- 1.8.12
- 1.8.11
- 1.8.10
- 1.8.1
- 1.8.0-rc4
- 1.8.0-rc3
- 1.8.0-rc2
- 1.8.0-rc1
- 1.8.0
- 1.7.9
- 1.7.8
- 1.7.7
- 1.7.6
- 1.7.5
- 1.7.4
- 1.7.3
- 1.7.2
- 1.7.16
- 1.7.15
- 1.7.14
- 1.7.13
- 1.7.12
- 1.7.11
- 1.7.10
- 1.7.1
- 1.7.0-rc4
- 1.7.0-rc3
- 1.7.0
- 1.6.9
- 1.6.8
- 1.6.7
- 1.6.6
- 1.6.5
- 1.6.4
- 1.6.3
- 1.6.2
- 1.6.12
- 1.6.11
- 1.6.10
- 1.6.1
- 1.6.0
- 1.5.9
- 1.5.8
- 1.5.7
- 1.5.6
- 1.5.5
- 1.5.4
- 1.5.3
- 1.5.2
- 1.5.13
- 1.5.12
- 1.5.11
- 1.5.10
- 1.5.1
- 1.5.0-rc6
- 1.5.0-rc5
- 1.5.0-rc4
- 1.5.0-rc3
- 1.5.0-rc2
- 1.5.0
- 1.4.9
- 1.4.8
- 1.4.7
- 1.4.6
- 1.4.5
- 1.4.4
- 1.4.3
- 1.4.2
- 1.4.10
- 1.4.1
- 1.4.0-rc9
- 1.4.0-rc8
- 1.4.0-rc7
- 1.4.0-rc6
- 1.4.0-rc5
- 1.4.0-rc2
- 1.4.0
- 1.3.8
- 1.3.7
- 1.3.6
- 1.3.5
- 1.3.4
- 1.3.3
- 1.3.2
- 1.3.1
- 1.3.0-rc5
- 1.3.0-rc4
- 1.3.0
- 1.2.8
- 1.2.7
- 1.2.6
- 1.2.5
- 1.2.4
- 1.2.3
- 1.2.2
- 1.2.1
- 1.2.0-rc3
- 1.2.0-rc2
- 1.2.0-rc1
- 1.2.0
- 1.16.0-rc.1
- 1.16.0-rc.0
- 1.16.0-pre.3
- 1.16.0-pre.2
- 1.16.0-pre.1
- 1.16.0-pre.0
- 1.15.7
- 1.15.6
- 1.15.5
- 1.15.4
- 1.15.3
- 1.15.2
- 1.15.1
- 1.15.0-rc.1
- 1.15.0-rc.0
- 1.15.0-pre.3
- 1.15.0-pre.2
- 1.15.0-pre.1
- 1.15.0-pre.0
- 1.15.0
- 1.14.9
- 1.14.8
- 1.14.7
- 1.14.6
- 1.14.5
- 1.14.4
- 1.14.3
- 1.14.2
- 1.14.13
- 1.14.12
- 1.14.11
- 1.14.10
- 1.14.1
- 1.14.0-snapshot.4
- 1.14.0-snapshot.3
- 1.14.0-snapshot.2
- 1.14.0-snapshot.1
- 1.14.0-snapshot.0
- 1.14.0-rc.1
- 1.14.0-rc.0
- 1.14.0-pre.2
- 1.14.0
- 1.13.9
- 1.13.8
- 1.13.7
- 1.13.6
- 1.13.5
- 1.13.4
- 1.13.3
- 1.13.2
- 1.13.18
- 1.13.17
- 1.13.16
- 1.13.15
- 1.13.14
- 1.13.13
- 1.13.12
- 1.13.11
- 1.13.10
- 1.13.1
- 1.13.0-rc5
- 1.13.0-rc4
- 1.13.0-rc3
- 1.13.0-rc2
- 1.13.0-rc1
- 1.13.0-rc0
- 1.13.0
- 1.12.9
- 1.12.8
- 1.12.7
- 1.12.6
- 1.12.5
- 1.12.4
- 1.12.3
- 1.12.2
- 1.12.19
- 1.12.18
- 1.12.17
- 1.12.16
- 1.12.15
- 1.12.14
- 1.12.13
- 1.12.12
- 1.12.11
- 1.12.10
- 1.12.1
- 1.12.0-rc3
- 1.12.0-rc2
- 1.12.0-rc1
- 1.12.0-rc0
- 1.12.0
- 1.11.9
- 1.11.8
- 1.11.7
- 1.11.6
- 1.11.5
- 1.11.4
- 1.11.3
- 1.11.20
- 1.11.2
- 1.11.19
- 1.11.18
- 1.11.17
- 1.11.16
- 1.11.15
- 1.11.14
- 1.11.13
- 1.11.12
- 1.11.11
- 1.11.10
- 1.11.1
- 1.11.0-rc3
- 1.11.0-rc2
- 1.11.0-rc1
- 1.11.0-rc0
- 1.11.0
- 1.10.9
- 1.10.8
- 1.10.7
- 1.10.6
- 1.10.5
- 1.10.4
- 1.10.3
- 1.10.20
- 1.10.2
- 1.10.19
- 1.10.18
- 1.10.17
- 1.10.16
- 1.10.15
- 1.10.14
- 1.10.13
- 1.10.12
- 1.10.11
- 1.10.10
- 1.10.1
- 1.10.0-rc2
- 1.10.0-rc1
- 1.10.0-rc0
- 1.10.0
- 1.1.6
- 1.1.5
- 1.1.4
- 1.1.3
- 1.1.2
- 1.1.0
- 1.0.7
- 1.0.6
- 1.0.5
- 1.0.4
- Releases list truncated to 313 entries, 325 were omitted.
Take a new snapshot of a software origin
If the archived software origin currently browsed is not synchronized with its upstream version (for instance when new commits have been issued), you can explicitly request Software Heritage to take a new snapshot of it.
Use the form below to proceed. Once a request has been submitted and accepted, it will be processed as soon as possible. You can then check its processing state by visiting this dedicated page.
Processing "take a new snapshot" request ...
Permalinks
To reference or cite the objects present in the Software Heritage archive, permalinks based on SoftWare Hash IDentifiers (SWHIDs) must be used.
Select below a type of object currently browsed in order to display its associated SWHID and permalink.
| Revision | Author | Date | Message | Commit Date |
|---|---|---|---|---|
| 46de47b | viktor-kurchenko | 18 March 2024, 08:35:04 UTC | workflows: IPsec key rotation using CLI Use Cilium CLI encryption status and key rotation commands instead of bash scripts. The workflow IPsec key count logic was replaced with the `cilium-cli encryption status` command that implements the necessary logic. IPsec algorithms were renamed according the CLI `--auth-algo` parameter for the `cilium-cli encryption rotate-key` command: * gcm(aes) -> gcm-aes * cbc(aes) -> hmac-sha256 Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> | 16 May 2024, 08:09:02 UTC |
| b339452 | Julian Wiedmann | 02 May 2024, 14:27:17 UTC | images: update cilium-{runtime,builder} Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 02 May 2024, 17:09:08 UTC |
| 9bd92c0 | renovate[bot] | 02 May 2024, 11:55:27 UTC | chore(deps): update docker.io/library/golang:1.22.2 docker digest to d5302d4 Signed-off-by: renovate[bot] <bot@renovateapp.com> | 02 May 2024, 17:09:08 UTC |
| 8c9e022 | Quentin Monnet | 02 May 2024, 14:38:01 UTC | Revert "test: Disable hostfw in monitor aggregation test" This reverts commit 7a1a76e3cbda75ed42d874f1127007aedc651bb6. The complexity issue occurred on kernel 4.19, which is no longer supported. We closed https://github.com/cilium/cilium/issues/14552 and we can now have the Host Firewall, monitorAggregation=medium and monitorFlags=syn together. Signed-off-by: Quentin Monnet <qmo@qmon.net> | 02 May 2024, 16:37:36 UTC |
| b71cd07 | Tobias Klauser | 02 May 2024, 13:01:35 UTC | ci: only install llvm/clang and gingko for gingko test suite changes Since commit ade7f22ec5e6 (".github: Build documentation and BPF code in builder images") the ginkgo test suite build is using native builds and needs llvm/clang and ginkgo installed. All other steps are run using in a cilium-builder container which already has all the required tools installed. Signed-off-by: Tobias Klauser <tobias@cilium.io> | 02 May 2024, 16:09:44 UTC |
| dbcdd7d | Marcel Zieba | 02 May 2024, 10:36:50 UTC | ci: Filter supported versions of AKS Whenever AKS stopped supporting a particular version of AKS, we had to manually remove it from all stable branches. Now instead of that, we will dynamically check if it's supported and only then run the test. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> | 02 May 2024, 16:09:32 UTC |
| 76d6670 | Paul Chaignon | 29 April 2024, 16:09:48 UTC | ipsec: Log XFRM errors during temporary state removal Context: During IPsec upgrades, we may have to temporarily remove some XFRM states due to conflicts with the new states and because the Linux API doesn't enable us to perform this atomically as we do for XFRM policies. This temporary removal should be very short but can still cause drops under heavy throughput. This commit logs how many such drops happened. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> | 02 May 2024, 15:59:49 UTC |
| bba016e | Paul Chaignon | 29 April 2024, 15:27:34 UTC | ipsec: Log duration of temporary XFRM state removal Context: During IPsec upgrades, we may have to temporarily remove some XFRM states due to conflicts with the new states and because the Linux API doesn't enable us to perform this atomically as we do for XFRM policies. This temporary removal should be very short but can still cause drops under heavy throughput. This commit logs the duration of the removal so we can validate that it's actually always short and estimate the impact on packet drops. Note the log message will now be displayed only once the XFRM state is re-added, instead of when it's removed like before. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> | 02 May 2024, 15:59:49 UTC |
| e7db879 | Paul Chaignon | 29 April 2024, 15:50:51 UTC | ipsec: Refactor temporary removal of XFRM state Context: During IPsec upgrades, we may have to temporarily remove some XFRM states due to conflicts with the new states and because the Linux API doesn't enable us to perform this atomically as we do for XFRM policies. This commit moves this removal logic to its own function. That logic will grow in subsequent commits as I'll add debugging information to the log message. This commit doesn't make any functional changes. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> | 02 May 2024, 15:59:49 UTC |
| c1f370f | Quentin Monnet | 02 May 2024, 15:17:13 UTC | ci: Fix typo on "Ginkgo" Let's fix a typo: "Ginko" -> "Ginkgo". Given that the strings appear in the list of jobs on GitHub Pull Requests, it's easier to search for the specific job without the typo. Signed-off-by: Quentin Monnet <qmo@qmon.net> | 02 May 2024, 15:56:46 UTC |
| 962e78d | Markus Nilsson | 25 March 2024, 20:42:44 UTC | Remove CiliumOperatorName constant There are no longer any references to this constant so we should be able to remove it. Signed-off-by: Markus Nilsson <markus.nilsson@yubico.com> | 02 May 2024, 14:29:58 UTC |
| 8397e45 | Casey Callendrello | 31 January 2024, 10:42:51 UTC | pkg: don't cache Host identity rule matches Unlike every other identity, the set of labels for the reserved:host identity is mutable. That means that rules should not cache matches for this identity. So, clean up the code around determining matches. Signed-off-by: Casey Callendrello <cdc@isovalent.com> | 02 May 2024, 12:22:47 UTC |
| de55fd8 | Julian Wiedmann | 02 May 2024, 06:36:29 UTC | bpf: hide dynamic/static variant for policy tail-call Whether the tail-call is executed as dynamic or static is an implementation detail. Hide it in a generic tail_call_policy() helper. Suggested-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 02 May 2024, 11:57:14 UTC |
| 92dfbc5 | Paul Chaignon | 08 April 2024, 20:49:41 UTC | workflows: Cover IPsec + KPR in EKS To be able to cover this configuration without removing coverage for others, we need to add one more test case. Fortunately, it will run in parallel to other test case. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> | 02 May 2024, 11:45:54 UTC |
| d5bf4ae | Paul Chaignon | 03 April 2024, 22:03:42 UTC | workflows: Cover KPR in end-to-end IPsec tests We can reuse the two configs that had --devices set because KPR will cause devices to be autodetected anyway. We then need to add one other config to cover VXLAN. Upgrade tests are not extended to cover KPR because it isn't supported in the previous stable. We will need to wait for the next minor release to be able to extend those tests. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> | 02 May 2024, 11:45:54 UTC |
| c31e2f4 | Paul Chaignon | 03 April 2024, 21:59:37 UTC | daemon: Allow KPR with IPsec With previous fixes, we can now have IPsec enabled together with KPR. IPsec will encrypt traffic between pods as usual. Note that requests to a NodePort that are being forwarded from the receiving node to a node with a backend won't be encrypted. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> | 02 May 2024, 11:45:54 UTC |
| 077ad27 | Julian Wiedmann | 17 January 2024, 08:43:40 UTC | bpf: nodeport: avoid revalidation in nodeport_rev_dnat_ingress_ipv4() Set up saddr/daddr for the fib_params struct a bit earlier, so that we don't have to revalidate after the ipv4_l3() call. In case of XDP manually pushing tunnel headers, we can just set the selected outer IP addresses. Apply the same logic to the IPv6 path for consistency, and to untangle the goto flow a tiny bit. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 02 May 2024, 11:35:14 UTC |
| acf98ff | Lucas Rattz | 26 April 2024, 18:28:48 UTC | Add Syself to USERS.md Signed-off-by: Lucas Rattz <lucas.rattz@syself.com> | 02 May 2024, 10:28:42 UTC |
| 3f22794 | Daniel Borkmann | 30 April 2024, 11:51:52 UTC | cilium, docs: Add note to upgrade guide on tcx Add a note on tcx for the 1.16 upgrade guide. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 02 May 2024, 10:13:51 UTC |
| aa7fb02 | Daniel Borkmann | 30 April 2024, 08:49:00 UTC | cilium, api: Extend API with datapath attach mode Extend the agent API to indicate whether Cilium is actually using tcx or relying on legacy tc so that this can be displayed in `cilium status`. Status when tcx is active: # kubectl exec cilium-4m7nq -- cilium-dbg status [...] BandwidthManager: Disabled Routing: Network: Tunnel [geneve] Host: Legacy Attach Mode: TCX Masquerading: IPTables [IPv4: Enabled, IPv6: Enabled] [...] Status when inactive: # kubectl exec cilium-4m7nq -- cilium-dbg status [...] BandwidthManager: Disabled Routing: Network: Tunnel [geneve] Host: Legacy Attach Mode: Legacy TC Masquerading: IPTables [IPv4: Enabled, IPv6: Enabled] [...] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 02 May 2024, 10:13:51 UTC |
| ad8b50e | Timo Beckers | 29 April 2024, 10:17:22 UTC | Helm: add bpf.enableTCX Helm value, enable by default This commit adds the 'bpf.enableTCX' Helm value to allow disabling tcx attachments if external tooling integrating with Cilium hasn't caught up yet, as attaching a tcx program to an interface disables the legacy tc ingress/egress pipelines. The agent upgrades and downgrades interfaces seamlessly based on tcx being enabled or not, so any existing workloads are migrated automatically at runtime if the config flag is changed and the agent restarted. Rebooting the node is not necessary. Signed-off-by: Timo Beckers <timo@isovalent.com> | 02 May 2024, 10:13:51 UTC |
| 6b8c995 | Timo Beckers | 29 April 2024, 10:17:42 UTC | loader: wire up tcx attachment logic behind --enable-tcx agent flag This commit puts the tcx logic in the endpoint attachment path and gates it behind a new --enable-tcx agent flag. A follow-up commit will use the flag in the Helm charts' configmap. attachSKBProgram() now takes a bool to indicate if the user has requested tcx attachments and seamlessly migrates programs between tcx and legacy attachment modes in both directions. Of course, this process is contingent on no other tcx programs being attached to the interface, as that disables legacy tc execution. Signed-off-by: Timo Beckers <timo@isovalent.com> | 02 May 2024, 10:13:51 UTC |
| 0a25351 | Robin Gögge | 26 April 2024, 11:24:44 UTC | loader: infrastructure for attaching skb programs using the tcx API This commit adds the necessary infrastructure to attach bpf programs operating on sk_buff using the kernel's new tcx hook. Enabling the functionality in the agent's endpoint attachment path happens in a follow-up commit. Signed-off-by: Robin Gögge <r.goegge@isovalent.com> Co-authored-by: Timo Beckers <timo@isovalent.com> | 02 May 2024, 10:13:51 UTC |
| 77769ea | Daniel Borkmann | 26 April 2024, 13:49:10 UTC | bpf, tcx: Clear tc_classid field This is needed for tcx given it does not automatically clear the tc_classid cb field and could contain garbage from upper layers of the stack. This later maps to skb->tc_index and given in Cilium code we utilize it, we should explicitly zero the field like we do with other cb buffers. Under tcx and endpoint routes, the test below breaks if the field if not cleared: ./cilium-cli connectivity test --test client-ingress After the fix the test passes. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 02 May 2024, 10:13:51 UTC |
| 6de4e5c | renovate[bot] | 30 April 2024, 11:14:41 UTC | fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> | 02 May 2024, 09:25:52 UTC |
| d4ad5bc | mvtab | 17 April 2024, 16:23:07 UTC | Deactivated Grafana reporting in monitoring example yaml. Signed-off-by: mvtab <mvtabilitas@protonmail.com> | 02 May 2024, 09:18:00 UTC |
| 579d3b6 | Anton Ippolitov | 05 April 2024, 13:54:14 UTC | docs: Improve CES documentation to prepare graduation to "Stable" Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com> | 02 May 2024, 09:12:58 UTC |
| d5efd28 | Jarno Rajahalme | 30 April 2024, 19:25:00 UTC | envoy: Update to use source port in connection pool hash Update Envoy image to a version that includes the source port in upstream connection pool hash, so that each unique downstream connection gets a dedicated upstream connection. Fixes: #27762 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 02 May 2024, 09:03:19 UTC |
| b2ff580 | Tam Mach | 30 April 2024, 12:43:56 UTC | pkg/envoy: Replace gocheck with built-in go test One point worth noting is the custom checker is migrated to assert.AssertComparision interface. Signed-off-by: Tam Mach <tam.mach@cilium.io> | 02 May 2024, 08:35:54 UTC |
| f7f6ba6 | Cilium Imagebot | 29 April 2024, 18:14:15 UTC | images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> | 02 May 2024, 06:49:17 UTC |
| 230de7c | renovate[bot] | 29 April 2024, 16:48:07 UTC | chore(deps): update all-dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 02 May 2024, 06:49:17 UTC |
| fe6c1a9 | renovate[bot] | 02 May 2024, 05:53:22 UTC | chore(deps): update cilium/cilium-cli action to v0.16.6 Signed-off-by: renovate[bot] <bot@renovateapp.com> | 02 May 2024, 06:45:28 UTC |
| 3011a9d | renovate[bot] | 29 April 2024, 15:33:21 UTC | chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> | 02 May 2024, 05:29:29 UTC |
| a8b21ee | Martynas Pumputis | 30 April 2024, 19:28:25 UTC | gh/actions: Bump CLI to v0.16.6 Signed-off-by: Martynas Pumputis <m@lambda.lt> | 02 May 2024, 05:24:57 UTC |
| 1ab24d0 | Joe Stringer | 25 January 2022, 23:32:15 UTC | test/helpers: Skip CiliumUninstall if not installed Various tests will call UninstallCiliumFromManifest() -> DeleteAndWait() during cleanup, including when the test itself gets skipped. When running individual test cases from kind, this can mean that the file that is supposed to contain the Cilium configuration doesn't exist on the local filesystem, and then when attempting to delete that Cilium configuration from the cluster, the tesuite reports: K8sBandwidthTest Checks Bandwidth Rate-Limiting at /home/joe/git/cilium/test/ginkgo-ext/scopes.go:527 [Error removing cilium from installed manifest Expected <*exec.ExitError | 0xc0003f2420>: exit status 1 to be nil] Fix this by looking to see whether the file even exists. If we never properly configured Cilium in the first place, then the file won't exist, and then it's safe to just no-op the uninstall process. Signed-off-by: Joe Stringer <joe@cilium.io> | 01 May 2024, 22:59:21 UTC |
| 28747f6 | Tam Mach | 01 May 2024, 10:11:00 UTC | pkg/maglev: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 01 May 2024, 19:04:44 UTC |
| 40e83de | Tam Mach | 01 May 2024, 10:02:51 UTC | pkg/loadbalancer: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 01 May 2024, 19:04:44 UTC |
| 67d961e | Tam Mach | 01 May 2024, 10:01:55 UTC | pkg/service: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 01 May 2024, 19:04:44 UTC |
| 03368ef | Tam Mach | 01 May 2024, 10:40:14 UTC | pkg/source: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 01 May 2024, 19:01:33 UTC |
| a3382ab | Tam Mach | 01 May 2024, 10:40:06 UTC | pkg/ipcache: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 01 May 2024, 19:01:33 UTC |
| 2a154a6 | Brandon Ewing | 30 April 2024, 12:27:17 UTC | install/kubernetes: add extraInitContainers allow additional initContainers to be added to cilium-agent Daemonset via helm values. Signed-off-by: Brandon Ewing <brandon.ewing@imc.com> | 01 May 2024, 18:46:39 UTC |
| 7260c5f | Chance Zibolski | 22 June 2023, 20:27:30 UTC | hubble: Support --cel-expression filter in hubble observe Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> | 01 May 2024, 14:44:57 UTC |
| 2949b16 | Tam Mach | 01 May 2024, 12:27:57 UTC | docs: Add annotation for Ingress endpoint Relates: #19764 Signed-off-by: Tam Mach <tam.mach@cilium.io> | 01 May 2024, 14:01:29 UTC |
| 1b38beb | Alexandre Perrin | 07 March 2024, 14:29:08 UTC | hubble: add datapath trace reason to hubble flows Before this patch, the datapath trace reason was not exposed in Hubble flows. In Hubble, the trace reason is used to infer the traffic direction and reply status. Before a6bfb7928e74f11211449f16ec778dc3e0721317 all trace reasons were CT related, so the information was "converted" by Hubble into higher level concept / terminology. Since a6bfb7928e74f11211449f16ec778dc3e0721317 there are now non-CT trace reason that don't map with Hubble's traffic direction and/or reply status, and thus it make sense to start exposing the underlying trace reason. Signed-off-by: Alexandre Perrin <alex@isovalent.com> | 01 May 2024, 13:08:16 UTC |
| 29a9dea | Alexandre Perrin | 27 March 2024, 15:30:32 UTC | hubble: fix traffic direction for TraceReasonEncryptOverlay flows Before this patch, TraceReasonEncryptOverlay traces would result in flows with ingress traffic direction. Since the flow source is the local host and destination a remote node, egress arguably make more sense to expose at a high level. Thus, this patch set the traffic direction to egress consistently for TraceReasonEncryptOverlay hubble flows. Signed-off-by: Alexandre Perrin <alex@isovalent.com> | 01 May 2024, 13:08:16 UTC |
| bc90fc8 | Alexandre Perrin | 06 March 2024, 19:45:10 UTC | monitor: provide trace reason helpers Before this patch, both the monitor package and Hubble's "threefour" parser would access the TraceNotify.Reason field directly. However, it is easy to miss that the Reason field contains the "encrypted" bit and has to be masked to retrieve the actual trace reason (e.g. TraceReasonCtReply), as shown by 9939fa2b0848ddd056e81f14a548f179f59027f3. This commit introduces several TraceNotify helpers around trace reason and encryption status, so that both the monitor code and Hubble "threefour" parser don't have to access the Reason field anymore. Signed-off-by: Alexandre Perrin <alex@isovalent.com> | 01 May 2024, 13:08:16 UTC |
| e493adb | Alexandre Perrin | 06 March 2024, 16:49:23 UTC | CODEOWNERS: add sig-hubble to review datapath trace changes https://github.com/cilium/cilium/pull/30154 and https://github.com/cilium/cilium/pull/31073 introduced new datapath trace reasons and had an impact on Hubble, but the sig-hubble team doesn't get automatically pulled in for review. This patch adds the sig-hubble team to review datapath_trace.go changes. Signed-off-by: Alexandre Perrin <alex@isovalent.com> | 01 May 2024, 13:08:16 UTC |
| baec8dd | Tam Mach | 01 May 2024, 00:09:00 UTC | dev: Clean-up development setup Main points are as per below: - Remove cfssl and cfssljson as these tools are used for provisioning Vagrant dev cluster, which is un-maintained now. - Update versions in dev-tool for helm, kubectl, clang and gingko Signed-off-by: Tam Mach <tam.mach@cilium.io> | 01 May 2024, 09:27:34 UTC |
| d1b9062 | Charles Uneze | 27 April 2024, 14:28:11 UTC | Update intro.rst Signed-off-by: Charles Uneze <charlesniklaus@gmail.com> | 01 May 2024, 03:01:29 UTC |
| b6dd0f4 | Taylor | 05 April 2024, 16:11:21 UTC | cec: set default route maxstreamduration Signed-off-by: Taylor <tskinn12@gmail.com> | 01 May 2024, 03:00:47 UTC |
| 6fca78d | Tam Mach | 28 April 2024, 11:35:36 UTC | pkg/logging: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 23:49:41 UTC |
| 48fe4bf | Tam Mach | 24 April 2024, 11:31:33 UTC | pkg/command: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 23:49:41 UTC |
| 46c3de3 | Tam Mach | 24 April 2024, 11:31:31 UTC | cilium-dbg/cmd: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 23:49:41 UTC |
| 415ca1d | Tam Mach | 24 April 2024, 11:31:31 UTC | bugtool/cmd: Replace gocheck with built-in go test The setup and teardown steps are simplified by t.TempDir function. Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 23:49:41 UTC |
| c132abb | Martynas Pumputis | 30 April 2024, 08:14:48 UTC | gh/workflows: Test WG w/o KPR Extend the E2E configurations to test for WG w/o KPR. Previously, we did not have any config to test it. Considering, that it can be a widely used configuration, sacrifice the 10th config (egress GW, endpoint routes, multi-netdev all are tested in other configs). Signed-off-by: Martynas Pumputis <m@lambda.lt> | 30 April 2024, 21:19:54 UTC |
| 7897ab9 | Martynas Pumputis | 30 April 2024, 08:00:31 UTC | daemon: Do not require NodePort for WG Commit 6481b5bbb88 ("daemon: Detect bpf_host netdevs when WG is enabled") extended the disablement of NodePort. In particular, finishKubeProxyReplacementInit() does not disable NodePort if WG is enabled. This does not make any sense, as WG does not depend on NodePort, and bpf_host attachment (which WG depends on) is controlled via AreDevicesRequired(). Signed-off-by: Martynas Pumputis <m@lambda.lt> | 30 April 2024, 21:19:54 UTC |
| 79a8358 | Tim Horner | 26 April 2024, 22:07:47 UTC | operator: fix CES sync in identity-based batching When CiliumEndpointSlice is enabled, any existing CiliumEndpointSlices need to be added to the Cilium Operator's cache on start up. The 'cesManagerIdentity' used for the identity-based slicing mode has 2 additional maps to track which CES map to which identity, and vice-versa. Currently these maps are not populated on the initial sync, causing the operator to believe the identity of a CiliumEndpoint has changed and removing it from the CES on first update. This causes all CiliumEndpointSlices to be recreated whenever the operator restarts. This commit adds an override method to 'cesManagerIdentity' to populate the identity mapping on initial sync, allowing the operator to properly sync the existing CiliumEndpointSlices and avoid recreating them. Fixes: #31564 Signed-off-by: Tim Horner <timothy.horner@isovalent.com> | 30 April 2024, 18:34:10 UTC |
| cfbd7e5 | Paul Chaignon | 29 April 2024, 15:12:16 UTC | docs: Update LLVM requirement to LLVM 17 Trying to compile with LLVM versions before 14 results in the fellowing error: In file included from bpf_lxc.c:53: In file included from /cilium/bpf/lib/nat.h:24: /cilium/bpf/lib/stubs.h:24:1: error: unknown attribute 'btf_decl_tag' ignored [-Werror,-Wunknown-attributes] DEFINE_IPV6(IPV6_MASQUERADE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /cilium/bpf/lib/static_data.h:102:2: note: expanded from macro 'DEFINE_IPV6' DECLARE_CONFIG(__u64, name##_2, "Second half of ipv6 address " #name) \ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /cilium/bpf/lib/static_data.h:26:17: note: expanded from macro 'DECLARE_CONFIG' __attribute__((btf_decl_tag(description))) \ ^~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> | 30 April 2024, 16:18:41 UTC |
| 85fcd15 | Tam Mach | 24 April 2024, 11:31:33 UTC | pkg/k8s: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 16:14:48 UTC |
| a602f97 | Tam Mach | 24 April 2024, 11:31:30 UTC | plugins/cilum-cni: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 16:14:48 UTC |
| 64ee261 | Tam Mach | 30 April 2024, 12:24:24 UTC | pkg/bgp: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:55:43 UTC |
| dba84b0 | Tam Mach | 28 April 2024, 14:44:38 UTC | pkg/versioncheck: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 65b5e41 | Tam Mach | 28 April 2024, 14:40:25 UTC | pkg/version: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 0f5e3e6 | Tam Mach | 28 April 2024, 14:38:01 UTC | pkg/trigger: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 1fb977e | Tam Mach | 28 April 2024, 14:35:39 UTC | pkg/status: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 295bfc6 | Tam Mach | 28 April 2024, 14:31:21 UTC | pkg/spanstat: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 83aceb0 | Tam Mach | 28 April 2024, 14:29:21 UTC | pkg/safetime: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 5f0cfaf | Tam Mach | 28 April 2024, 14:27:03 UTC | pkg/revert: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 3b55c0f | Tam Mach | 28 April 2024, 14:23:59 UTC | pkg/pidfile: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 26f17c7 | Tam Mach | 28 April 2024, 14:21:58 UTC | pkg/option: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 9932bc6 | Tam Mach | 28 April 2024, 14:02:13 UTC | pkg/node: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 2ef58d0 | Tam Mach | 28 April 2024, 13:32:28 UTC | pkg/math: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| d00bfa8 | Tam Mach | 28 April 2024, 13:30:49 UTC | pkg/ipmasq: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 8195406 | Tam Mach | 28 April 2024, 12:29:29 UTC | pkg/iana: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 1b994dc | Tam Mach | 28 April 2024, 12:26:58 UTC | pkg/health: Replace gocheck with built-in go test One extra change is to use t.Run() for subtests. Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 217cfed | Tam Mach | 28 April 2024, 12:13:14 UTC | pkg/eventqueue: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| cf29e86 | Tam Mach | 24 April 2024, 13:32:09 UTC | pkg/debug: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 360dac0 | Tam Mach | 24 April 2024, 13:08:32 UTC | pkg/controller: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 11e27bf | Tam Mach | 24 April 2024, 11:31:33 UTC | pkg/common: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 87dafaa | Tam Mach | 24 April 2024, 11:31:33 UTC | pkg/cleanup: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| f808f33 | Tam Mach | 24 April 2024, 11:31:31 UTC | pkg/backoff: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 712574c | Tam Mach | 24 April 2024, 11:31:31 UTC | pkg/lock: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 15:02:59 UTC |
| 8748ef9 | Tam Mach | 29 April 2024, 13:24:49 UTC | pkg/endpoint: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 14:40:11 UTC |
| c573be4 | Tam Mach | 24 April 2024, 11:31:32 UTC | pkg/azure: Replace gocheck with built-in go test One point worth noting is the removal of api_interaction_test.go. This test is not even complied and didn't run for a long time, so better just clean it up. Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 13:59:19 UTC |
| f79b6ae | Tam Mach | 24 April 2024, 11:31:31 UTC | pkg/alibabacloud: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 13:59:19 UTC |
| e4a4357 | Tam Mach | 24 April 2024, 11:31:31 UTC | pkg/aws: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 13:59:19 UTC |
| 7e01a7b | Tobias Klauser | 24 April 2024, 08:51:21 UTC | ci: use base and head SHAs from context in lint-build-commits workflow Instead of querying the GitHub API for the parent SHA, use the base and head SHA provided by the github.event.pull_request context. This works fine because the workflow only runs on pull requests. Also use a loop and git checkout instead of git rebase to avoid potential issues with merge conflicts in the presence of merge commits in the PR. Signed-off-by: Tobias Klauser <tobias@cilium.io> | 30 April 2024, 12:16:47 UTC |
| 1bc2c75 | Marco Hofstetter | 25 April 2024, 14:52:53 UTC | l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops Currently, when L7 policies (egress or ingress) are enforced for traffic between Pods, Envoy might change x-forwarded-for related headers because the corresponding Envoy listeners don't trust the downstream headers because `XffNumTrustedHops` is set to `0`. e.g. `x-forwarded-proto` header: > Downstream x-forwarded-proto headers will only be trusted if xff_num_trusted_hops is non-zero. If xff_num_trusted_hops is zero, downstream x-forwarded-proto headers and :scheme headers will be set to http or https based on if the downstream connection is TLS or not. https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-proto This might be problematic if L7 policies are used for egress traffic for Pods from a non-Cilium ingress controller (e.g. nginx). If the Ingress Controller is terminating TLS traffic and forwards the protocol via `x-forwarded-proto=https`, Cilium Envoy Proxy changes this header to `x-forwarded-proto=http` (if no tls termination itself is used in the policy configuration). This breaks applications that depend on the forwarded protocol. Therefore, this commit introduces two new config flags `proxy-xff-num-trusted-hops-ingress` and `proxy-xff-num-trusted-hops-egresss` that configures the property `XffNumTrustedHops` on the respective L7 policy Envoy listeners. For backwards compabitility and security reasons, the values still default to `0`. Note: It's also possible to configure these values via Helm (`envoy.xffNumTrustedHopsL7PolicyIngress` & `envoy.xffNumTrustedHopsL7PolicyEgress`). Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 30 April 2024, 11:12:01 UTC |
| 6633ca8 | Timo Beckers | 24 April 2024, 11:10:26 UTC | datapath,endpoint: explicitly remove TC filters during endpoint teardown Prior to this commit, we left it up to the kernel to clean up tc attachments when the CNI finally removes the veth when a Pod goes away. This leaves a window of time where an endpoint's tc programs can potentially be invoked after the endpoint's internal tail call maps have already been cleared and the endpoint has been removed from the endpoint map and ipcache, resulting in undefined behaviour. This patch clearly defines the endpoint teardown sequence as follows: - remove (endpoint) routes - set the interface down - detach tc(x) hooks - remove endpoint from endpoint map - remove endpoint policy program(s) - delete conntrack map pins - remove policy prog array map pin - remove internal tail call map pin - remove custom calls map pin This puts the agent more in control of the teardown sequence and will allow us to reason better about failures related to missed tail calls and other flakes. Signed-off-by: Timo Beckers <timo@isovalent.com> | 30 April 2024, 10:51:48 UTC |
| 51f10d0 | Tam Mach | 28 April 2024, 14:56:49 UTC | cilium/operator: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 09:50:46 UTC |
| d7c0bf5 | renovate[bot] | 29 April 2024, 15:41:22 UTC | fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> | 30 April 2024, 09:17:16 UTC |
| b5f4efa | Tam Mach | 29 April 2024, 11:20:41 UTC | pkg/ipam: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 30 April 2024, 09:03:27 UTC |
| cab3648 | Ryan Drew | 04 April 2024, 19:12:28 UTC | docs: Add Pod eviction warning in upgrade notes for Envoy DS This commit expands on the upgrade warning in the documentation for the Envoy DaemonSet, describing a potential case in which pod evictions could occur during upgrade. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> | 30 April 2024, 06:34:01 UTC |
| 6b0d76a | Joe Stringer | 16 April 2024, 23:54:52 UTC | daemon: Run conntrack GC after Endpoint Restore The reverse call tree for RestoreEndpoint, which exposes all restored endpoints in the EndpointManager, is as follows: INCOMING CALLS - f RestoreEndpoint github.com/cilium/cilium/pkg/endpointmanager - f regenerateRestoredEndpoints github.com/cilium/cilium/pkg/endpointmanager - f initRestore github.com/cilium/cilium/daemon/cmd + f startDaemon github.com/cilium/cilium/daemon/cmd Previously, the `CTNATMapGC.Enable()` call, which invokes `gc.endpointsManager.GetEndpoints()`, would be called prior to exposing these endpoints in the EndpointManager. As a result, the step where the initial scan attempts to update each Endpoint's DNSHistory with the latest CT GC timers would fail, leaving the timestamps empty. The potential impact of this is that DNS entries that should expire soon after a cilium-agent restart may not time out for an extra entire conntrack garbage collection interval several minutes later. Signed-off-by: Joe Stringer <joe@cilium.io> | 30 April 2024, 01:51:39 UTC |
| 8d28663 | Tam Mach | 29 April 2024, 10:55:06 UTC | pkg/metrics: Replace gocheck with built-in go test Signed-off-by: Tam Mach <tam.mach@cilium.io> | 29 April 2024, 22:59:06 UTC |
| 41408a7 | Chance Zibolski | 27 March 2024, 21:25:34 UTC | Support configuring TLS for hubble metrics server Also supports using mTLS to secure access to the metrics endpoint. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> | 29 April 2024, 20:53:10 UTC |
| 2136418 | André Martins | 26 April 2024, 08:00:21 UTC | install/kubernetes: add AppArmor profile to Cilium Daemonset Starting from k8s 1.30 together with Ubuntu 24.04, Cilium fails to initialize with the error: ``` Error: applying apparmor profile to container 43ed6b4ba299559e8eac46a32f3246d9c54aca71a9b460576828b662147558fa: empty localhost AppArmor profile is forbidden ``` This commit adds the "Unconfined" as default, where users can overwrite it with any of the AppArmor profiles available on their environments, to all the pods that have the "container.apparmor.security.beta.kubernetes.io" annotations. Signed-off-by: André Martins <andre@cilium.io> | 29 April 2024, 20:29:00 UTC |
| 93a6d3c | Daneyon Hansen | 04 March 2024, 20:17:39 UTC | IPAM: Updates API Types for IPv6 Allocation Statistics Previously, IPAM API types were specific to managing an IPv4 address pool. This icommit updates the API types to support separate IPAM pool maintainers for IPv4 and IPv6. - `pkg/ipam/node.go`: Updates the `Node` type to support IPv6 allocation statistics. - `pkg/ipam/stats/stats.go`: Updates the `InterfaceStats` type support IPv6 interface statistics. - `pkg/ipam/types/types.go`: Updates `IPAMSpec`, `IPAMStatus`, and `Subnet` type to support IPv6 allocation statistics. - `ciliumnodes.yaml`: Regenerated due to newly added fields of IPAM API types. Supports: #19251 Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io> | 29 April 2024, 18:49:13 UTC |
| c29a81a | renovate[bot] | 15 April 2024, 01:08:29 UTC | chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to f41b84c Signed-off-by: renovate[bot] <bot@renovateapp.com> | 29 April 2024, 15:30:46 UTC |
| 08d9b14 | Ryan Drew | 14 March 2024, 20:10:30 UTC | ci: Collect cilium-agent pprofs during 100 node scale test This commit adjusts the 100 node scale test to include the cilium-agent pprofs CL2 module. This will trigger the collection of cilium-agent pprofs throughout the duration of the test, assisting in debugging of regressions. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> | 29 April 2024, 14:38:13 UTC |
