https://github.com/cilium/cilium
- HEAD
- refs/heads/1.2.7-hotfix1-fqdn-regen
- refs/heads/EndpointPolicyEnformcement
- refs/heads/all-scalability-improvements
- refs/heads/beta/service-mesh
- refs/heads/bpf-metrics
- refs/heads/brb/brb-patch-2
- refs/heads/cilium-envoy-crd-pre-beta
- refs/heads/cilium-no-gopath
- refs/heads/cli-upgrade-v1.12-ci-test
- refs/heads/clustermesh511-upgrade-test
- refs/heads/committers-codeowners
- refs/heads/debug
- refs/heads/dev/joe/v1.8-with-hostfw-fixes
- refs/heads/enable_cnp_latency
- refs/heads/encrypt-node-fixes
- refs/heads/ensure-macos-build-succeeds
- refs/heads/envoy-policy-precedence
- refs/heads/envoy-warnings-cleanup
- refs/heads/extension-mysql
- refs/heads/feature/cep-scalability
- refs/heads/feature/devices-and-addresses
- refs/heads/feature/devices-reconciliation-v1.16
- refs/heads/feature/main/svc-icmp-response
- refs/heads/feature/service-refactor
- refs/heads/feature/service-refactor-fresh
- refs/heads/feature/v1.11/beta-test
- refs/heads/feature/v1.11/k8s-ingress
- refs/heads/fix-iphealth
- refs/heads/fqdn-fixl3-wildcard
- refs/heads/fristonio/iptables-manager-fix
- refs/heads/ft/main/chancez/push-dev-charts
- refs/heads/ft/main/push_chart_stable_branches_fix
- refs/heads/ft/main/test_push_chart_updates
- refs/heads/gce-example
- refs/heads/gh-readonly-queue/main/pr-27509-78a5f177693fb443cd946441f45826bf7fa2437a
- refs/heads/ginkgo-better-timeout
- refs/heads/graduation
- refs/heads/hf/main/ipam-pools-build-230605
- refs/heads/hf/master/v1.12-rc2-health-dbg-v1
- refs/heads/hf/master/wg-fix-ipam-k8s-v2
- refs/heads/hf/v1.10/cls-prio2
- refs/heads/hf/v1.10/debug-taint-removal
- refs/heads/hf/v1.10/v1.10.10-with-19452
- refs/heads/hf/v1.10/v1.10.2-fix-ipsec-ep-routes
- refs/heads/hf/v1.10/v1.10.5-with-identity-leak-fix
- refs/heads/hf/v1.10/v1.10.7-additional-logs
- refs/heads/hf/v1.10/v1.10.7-exclude-local
- refs/heads/hf/v1.10/v1.10.7-exclude-loopback
- refs/heads/hf/v1.10/v1.10.7-extra-logs
- refs/heads/hf/v1.10/v1.10.7-more-logs
- refs/heads/hf/v1.10/v1.10.8-deadlock-and-complexity-fix
- refs/heads/hf/v1.10/v1.10.8-deadlock-fix
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v3
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v4
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v5
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v6
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v7
- refs/heads/hf/v1.11/1.11.4-custom-taint
- refs/heads/hf/v1.11/19247-custom-taint-key
- refs/heads/hf/v1.11/dbg-svc-restore
- refs/heads/hf/v1.11/v1.11.16-fix-xfrm-leak
- refs/heads/hf/v1.11/v1.11.16-fix-xfrm-leak-eni-attach-and-logging
- refs/heads/hf/v1.11/v1.11.16-fix-xfrm-leak-eni-attachment
- refs/heads/hf/v1.11/v1.11.3-with-19259
- refs/heads/hf/v1.11/v1.11.4-custom-taint
- refs/heads/hf/v1.11/v1.11.5-and-19247-eed5544
- refs/heads/hf/v1.11/xdp-multidev-v1
- refs/heads/hf/v1.11/xdp-multidev-v2-ipcache-fix
- refs/heads/hf/v1.12/next-net-v1
- refs/heads/hf/v1.12/v1.12.18-994
- refs/heads/hf/v1.12/v1.12.3-debug-k8s-heartbeat
- refs/heads/hf/v1.12/v1.12.3-debug-k8s-heartbeat-v2
- refs/heads/hf/v1.13/bpf-sock-l7-fix
- refs/heads/hf/v1.13/v1.13.12-without-deny-precedence
- refs/heads/hf/v1.13/v1.13.14-without-deny-precedence
- refs/heads/hf/v1.13/v1.13.14-without-deny-precedence-debug
- refs/heads/hf/v1.13/v1.13.14-without-deny-precedence-with-xfrm-fix
- refs/heads/hf/v1.13/v1.13.2-with-24875
- refs/heads/hf/v1.13/v1.13.3-with-26242
- refs/heads/hf/v1.14/cidr-identity-refcnt-fix
- refs/heads/hf/v1.14/v1.14-with-27327
- refs/heads/hf/v1.7/v1.7.15-with-neighbor-fix
- refs/heads/hf/v1.7/v1.7.15-with-neighbor-fix-2
- refs/heads/hf/v1.8/v1.8.13-with-19452
- refs/heads/hf/v1.8/v1.8.6-eni-cidr-fix-1
- refs/heads/hf/v1.8/v1.8.6-eni-cidr-fix-15303
- refs/heads/hf/v1.8/v1.8.7-with-fqdn-underscore-fix
- refs/heads/hf/v1.8/v1.8.8-eni-cidr-fix-1
- refs/heads/hf/v1.8/v1.8.8-with-encrypt-fixes
- refs/heads/hf/v1.9/v1.9.8-azure-ipam-fix
- refs/heads/hf/v1.9/v1.9.9-azure-pod-egress-fix
- refs/heads/images/runtime/20210830
- refs/heads/ipc-demo
- refs/heads/ktls-tx-only
- refs/heads/ktls-tx-only-v2
- refs/heads/ktls-tx-rx
- refs/heads/ktls-tx-rx-v2
- refs/heads/ktls-tx-rx-v3
- refs/heads/ktls-tx-rx-v4
- refs/heads/ktls-tx-rx-v5
- refs/heads/ldelossa/feat/bgp-control-plane
- refs/heads/ldelossa/keep-mark-definitions-consistent
- refs/heads/ldelossa/segment-makefiles
- refs/heads/ldelossa/segment-makefiles-v2
- refs/heads/ldelossa/srv6-encap-fib
- refs/heads/lizrice/pr/cli-confusion
- refs/heads/main
- refs/heads/multi-stack-dev-vm
- refs/heads/pr/1-9-ci-test
- refs/heads/pr/aanm-update-k8s-conformance
- refs/heads/pr/aanm/bisect
- refs/heads/pr/aanm/test-31027
- refs/heads/pr/add-controller-identity
- refs/heads/pr/aditighag/lrp-skip-lb
- refs/heads/pr/asauber/link-local-as-host
- refs/heads/pr/asauber/max-ifindex-metric
- refs/heads/pr/avoid-ct-for-dsr
- refs/heads/pr/backend-state
- refs/heads/pr/bbb-cpy
- refs/heads/pr/bimmlerd/modularize-bandwidth-manager
- refs/heads/pr/bimmlerd/v1.12-backport-quay-org-from-env
- refs/heads/pr/bounded-loops
- refs/heads/pr/bpf-based-masquerading
- refs/heads/pr/bpf-edt-proxy
- refs/heads/pr/brb/arping-nexthop
- refs/heads/pr/brb/arping-via-gw
- refs/heads/pr/brb/auto-multi-dev-v2
- refs/heads/pr/brb/backport-1.8.5-nat-gc
- refs/heads/pr/brb/bpf-host-routing-wg
- refs/heads/pr/brb/bpf-lxc-no-redirect
- refs/heads/pr/brb/bpf-masq-veth
- refs/heads/pr/brb/bpf-multihoming
- refs/heads/pr/brb/cgroup-v2-test
- refs/heads/pr/brb/check-errors-in-logs
- refs/heads/pr/brb/check-wg
- refs/heads/pr/brb/ci
- refs/heads/pr/brb/ci-1111
- refs/heads/pr/brb/ci-2
- refs/heads/pr/brb/ci-4.19
- refs/heads/pr/brb/ci-arping-flake
- refs/heads/pr/brb/ci-bigtcp
- refs/heads/pr/brb/ci-bpf-netdev-without-egress
- refs/heads/pr/brb/ci-cleanup-svc
- refs/heads/pr/brb/ci-dbg-conformance-kind
- refs/heads/pr/brb/ci-dbg-external
- refs/heads/pr/brb/ci-dbg-flake-from-outside
- refs/heads/pr/brb/ci-demo
- refs/heads/pr/brb/ci-disable-ces-for-egress-gw
- refs/heads/pr/brb/ci-dp-disable-bpf-host-routing
- refs/heads/pr/brb/ci-dp-hubble-flows
- refs/heads/pr/brb/ci-dp-more-diversity
- refs/heads/pr/brb/ci-dp-v1.13
- refs/heads/pr/brb/ci-dp-v6
- refs/heads/pr/brb/ci-dp-verifier
- refs/heads/pr/brb/ci-e2e-enable-debug-ipsec
- refs/heads/pr/brb/ci-e2e-geneve-dsr
- refs/heads/pr/brb/ci-e2e-helm-mode-v1.13
- refs/heads/pr/brb/ci-e2e-lvh-retry
- refs/heads/pr/brb/ci-e2e-more-nodes
- refs/heads/pr/brb/ci-e2e-new-cli
- refs/heads/pr/brb/ci-e2e-nft
- refs/heads/pr/brb/ci-e2e-unsafe
- refs/heads/pr/brb/ci-e2e-unsafe-v2
- refs/heads/pr/brb/ci-e2e-upgrade-tests
- refs/heads/pr/brb/ci-e2e-upgrade-tests-ipsec
- refs/heads/pr/brb/ci-early-terminate-conn-disrupt
- refs/heads/pr/brb/ci-eks-ipsec-upgrade
- refs/heads/pr/brb/ci-encrypt-l7
- refs/heads/pr/brb/ci-fix-ip-masq-dry-run
- refs/heads/pr/brb/ci-ipsec-upgrade-fix
- refs/heads/pr/brb/ci-ipsec-upgrade-missed-tail-calls
- refs/heads/pr/brb/ci-ipsec-upgrade-v1.13
- refs/heads/pr/brb/ci-ipsec-upgrade-vol2
- refs/heads/pr/brb/ci-keep-missed-tail-calls
- refs/heads/pr/brb/ci-l7-nodeport
- refs/heads/pr/brb/ci-lvh-4.19
- refs/heads/pr/brb/ci-lvh-5.4
- refs/heads/pr/brb/ci-lvh-5.4-v2
- refs/heads/pr/brb/ci-lvh-bpf-next
- refs/heads/pr/brb/ci-no-self-hosted
- refs/heads/pr/brb/ci-pass-kernel-env
- refs/heads/pr/brb/ci-prepull-l4lb
- refs/heads/pr/brb/ci-refactor-svc-suite
- refs/heads/pr/brb/ci-rm-smoke-tests
- refs/heads/pr/brb/ci-sanity
- refs/heads/pr/brb/ci-test
- refs/heads/pr/brb/ci-test-2
- refs/heads/pr/brb/ci-test-k8s-vsn-swap
- refs/heads/pr/brb/ci-test-large-runners
- refs/heads/pr/brb/ci-uffff
- refs/heads/pr/brb/ci-upgrade-vol-2
- refs/heads/pr/brb/ci-upgrade-vol-3
- refs/heads/pr/brb/ci-wg-mtu
- refs/heads/pr/brb/ci-wg-mtu-vol2
- refs/heads/pr/brb/cilium-host-v6-from-ipam
- refs/heads/pr/brb/cli-bump-test
- refs/heads/pr/brb/datapath-loop-dbg
- refs/heads/pr/brb/dbg-ci
- refs/heads/pr/brb/dbg-conformance-gke
- refs/heads/pr/brb/dbg-master-np-vxlan-ipcache-ci
- refs/heads/pr/brb/debug-nodeport-bpf-flake
- refs/heads/pr/brb/do-not-derive-pod-cidrs-from-dev
- refs/heads/pr/brb/do-not-query-dev-for-arping
- refs/heads/pr/brb/docs-clarify-egress-gw-ip-addr-dp
- refs/heads/pr/brb/drop-notify
- refs/heads/pr/brb/dsr
- refs/heads/pr/brb/dsr-v2
- refs/heads/pr/brb/dualstack-ci
- refs/heads/pr/brb/enable-ipv6-per-endpoint-routes
- refs/heads/pr/brb/enable-route-mtu-cni
- refs/heads/pr/brb/fib-lookup-src
- refs/heads/pr/brb/fix-backend-id-u32
- refs/heads/pr/brb/fix-ci-dp-deprecation-warn
- refs/heads/pr/brb/fix-clang-vsn-regexp
- refs/heads/pr/brb/fix-egress-ip-16147
- refs/heads/pr/brb/fix-external-ip-dp
- refs/heads/pr/brb/fix-maglev-del
- refs/heads/pr/brb/fix-nodeport-hostnetns
- refs/heads/pr/brb/fix-stale-dsr
- refs/heads/pr/brb/fix-svc-backend-selection
- refs/heads/pr/brb/fix-third-host
- refs/heads/pr/brb/gh-action-cgr
- refs/heads/pr/brb/gh-action-lvh
- refs/heads/pr/brb/gh-install-cli-backup
- refs/heads/pr/brb/ginkgo-kpr-strict
- refs/heads/pr/brb/ginkgo-rm-update-tests
- refs/heads/pr/brb/go-crazy
- refs/heads/pr/brb/hubble-tcp-ack-seq-no
- refs/heads/pr/brb/improve-svc-restore
- refs/heads/pr/brb/istio-getsockopt
- refs/heads/pr/brb/it-cannot-be-truth
- refs/heads/pr/brb/kpr-svc-mesh
- refs/heads/pr/brb/kubeproxy-free-ci
- refs/heads/pr/brb/l7-np-bpf
- refs/heads/pr/brb/l7-rerevert
- refs/heads/pr/brb/lets-be-friends-with-ipsec
- refs/heads/pr/brb/lvh-kind-127
- refs/heads/pr/brb/lvh-kind-ipsec-upgrade
- refs/heads/pr/brb/meyskens/auth-ep-gc-locks
- refs/heads/pr/brb/multi-network
- refs/heads/pr/brb/no-cache-snat
- refs/heads/pr/brb/no-rev-nat-bpf-lxc-ingress
- refs/heads/pr/brb/node-id-per-fam
- refs/heads/pr/brb/nodeport-xlr-flag
- refs/heads/pr/brb/perf-wg
- refs/heads/pr/brb/pin-lvh
- refs/heads/pr/brb/push-ci-charts
- refs/heads/pr/brb/pwru
- refs/heads/pr/brb/rm-arping-l2-addr-check
- refs/heads/pr/brb/rm-no-redirect
- refs/heads/pr/brb/rm-np-deadcode
- refs/heads/pr/brb/rm-partial-host-svc
- refs/heads/pr/brb/rm-test-gke
- refs/heads/pr/brb/test-bpf-masq
- refs/heads/pr/brb/test-ci-e2e
- refs/heads/pr/brb/test-ci-e2e-v1.13
- refs/heads/pr/brb/test-kind
- refs/heads/pr/brb/third-host-more-pain
- refs/heads/pr/brb/timing-l4lb-gh-action
- refs/heads/pr/brb/triage-flake-v2
- refs/heads/pr/brb/triage-lb-flake
- refs/heads/pr/brb/unquarantine-svc
- refs/heads/pr/brb/v1.10-istio-snat
- refs/heads/pr/brb/v1.12-ci-e2e
- refs/heads/pr/brb/v1.12-ci-ipsec-upgrade
- refs/heads/pr/brb/v1.12-test-ipsec-upgrade
- refs/heads/pr/brb/v1.13-ci-e2e
- refs/heads/pr/brb/v1.13-remote-np
- refs/heads/pr/brb/v1.13-upgrade-fixes
- refs/heads/pr/brb/v1.14-ci-e2e-upgrade
- refs/heads/pr/brb/v1.14-drop-notify
- refs/heads/pr/brb/v1.15-enable-route-mtu-cni
- refs/heads/pr/brb/v1.6.9-iptables-W
- refs/heads/pr/brb/v1.8-fix-icmp-port-check
- refs/heads/pr/brb/wg-duplicate-node-ip
- refs/heads/pr/brb/wg-encrypt-node-test
- refs/heads/pr/brb/wg-hack
- refs/heads/pr/brb/wg-ipam-fix
- refs/heads/pr/brb/wg-kpr
- refs/heads/pr/brb/wg-test
- refs/heads/pr/brb/wip
- refs/heads/pr/brb/wip-ci
- refs/heads/pr/brb/wip-sync-policy-map
- refs/heads/pr/brb/xdp-egress-gw
- refs/heads/pr/brb/xdp-multidev-with-bpf-multihoming
- refs/heads/pr/brb/xdp-multidev-with-bpf-multihoming-v2
- refs/heads/pr/bruno/sleepy-pawn
- refs/heads/pr/bugtool-systemd
- refs/heads/pr/bwm-base2
- refs/heads/pr/bwm-fq
- refs/heads/pr/bwm-priority
- refs/heads/pr/chancez/add_hubble_l7_dashboard_prometheus_example
- refs/heads/pr/chancez/fix_websocket_l7_policies
- refs/heads/pr/chancez/flow_filter_namespace
- refs/heads/pr/chancez/hubble_plus_plus
- refs/heads/pr/chancez/hubble_relay_robustness
- refs/heads/pr/chancez/static_peers_hubble_relay
- refs/heads/pr/christarazi/controlplane-fqdn
- refs/heads/pr/christarazi/ipcache-async-cep-pods-namedports
- refs/heads/pr/christarazi/prep-from-cidr-tests
- refs/heads/pr/ci-k8s-1.30
- refs/heads/pr/datapath-opt
- refs/heads/pr/dbkm/nodeport-lb
- refs/heads/pr/debug-dns-timeout
- refs/heads/pr/eproutes-redir
- refs/heads/pr/example/neigh-state-manager
- refs/heads/pr/fastdp
- refs/heads/pr/fastdp2
- refs/heads/pr/feroz/allow-sbom-read
- refs/heads/pr/feroz/set-container-scan-failure-flag
- refs/heads/pr/fib-consolidation
- refs/heads/pr/fix-aks-workflow
- refs/heads/pr/fix-k8s-all-sha1
- refs/heads/pr/fix-pod-pacing
- refs/heads/pr/fix-tail-call-replace
- refs/heads/pr/fristonio/feat-19038
- refs/heads/pr/fristonio/fix-istio-k8sT
- refs/heads/pr/fristonio/ipv6-masquerading
- refs/heads/pr/fristonio/test-dual-stack
- refs/heads/pr/fristonio/test-ipv6-dualstack
- refs/heads/pr/gandro+brb/fix-monitor-aggregation-np-v2
- refs/heads/pr/gandro+brb/mv-trace-point-to-rev-nodeport
- refs/heads/pr/gandro+brb/wg-host-encryption-v3
- refs/heads/pr/gandro+brb/wg-host2host
- refs/heads/pr/gandro+brb/wg-host2host-kind
- refs/heads/pr/gandro/bump-hubble-2020-03-25
- refs/heads/pr/gandro/ci-conformance-multicluster-fix-log-gathering
- refs/heads/pr/gandro/ci-delete-crds-in-cleanupcomponents
- refs/heads/pr/gandro/ci-fix-status-if-workflows-are-skipped
- refs/heads/pr/gandro/ci-wait-for-all-relevant-images-do-not-merge-test
- refs/heads/pr/gandro/enable-hubble-by-default
- refs/heads/pr/gandro/portmap-refcount
- refs/heads/pr/gandro/re-enable-wireguard-in-multicluster-ci
- refs/heads/pr/gandro/svc-healthchecknodeport
- refs/heads/pr/gc-on-svc-update
- refs/heads/pr/getname-hooks
- refs/heads/pr/giorio94/1.14/test-cilium-cli-2184
- refs/heads/pr/giorio94/main/cluster-name-validation-strict
- refs/heads/pr/giorio94/main/gha-cluster-name
- refs/heads/pr/giorio94/main/gha-conformance-clustermesh-lb
- refs/heads/pr/giorio94/main/test-cilium-cli-2184
- refs/heads/pr/giorio94/main/tests-clustermesh-upgrade-interrupted
- refs/heads/pr/giorio94/v1.13/bump-gke-version
- refs/heads/pr/gray/30837-with-pwru
- refs/heads/pr/gray/main/connectivity-wg-proxy-nodeport
- refs/heads/pr/gray/main/decouple-ipsec-gh-actions
- refs/heads/pr/gray/main/egress-proxy-ipsec-fix2
- refs/heads/pr/gray/main/fix-leak-detection-race
- refs/heads/pr/gray/main/xfrm-delete-flake
- refs/heads/pr/gray/main/xfrm-delete-flake2
- refs/heads/pr/gray/pwru-action
- refs/heads/pr/gray/v1.15/decouple-ipsec-gh-actions
- refs/heads/pr/health
- refs/heads/pr/health-data-path
- refs/heads/pr/hubble-tls-cert-gen-via-k8s-job
- refs/heads/pr/ianvernon/kvstore-client-type
- refs/heads/pr/ianvernon/kvstore-context
- refs/heads/pr/ianvernon/more-endpoint-cleanup
- refs/heads/pr/ianvernon/resolve-cidr-policy-perf-improvement
- refs/heads/pr/increase-verifier-test-build-timeout
- refs/heads/pr/ipip
- refs/heads/pr/ipip-encap
- refs/heads/pr/ipip-encap2
- refs/heads/pr/ipip2
- refs/heads/pr/ipip4
- refs/heads/pr/ipip6
- refs/heads/pr/jibi/differentiate-udp-tcp-svcs-take-4
- refs/heads/pr/jibi/fix-differentiate-udp-tcp-svc-upgrade
- refs/heads/pr/jibi/ip-list-contains-addr
- refs/heads/pr/jibi/wip
- refs/heads/pr/joamaki/gather-network-info
- refs/heads/pr/joamaki/idless-service-restapi
- refs/heads/pr/joe/ariane-scheduled-cilium-only
- refs/heads/pr/joe/backport-28007-1.11
- refs/heads/pr/joe/bump-ginkgo-seed
- refs/heads/pr/joe/docker-build-log-tracing
- refs/heads/pr/joe/ipcache-cidr-policy
- refs/heads/pr/joe/lost-identity
- refs/heads/pr/joe/policymap-format-test
- refs/heads/pr/joe/release-codeowners
- refs/heads/pr/joe/sw-quay
- refs/heads/pr/joe/test-labeler
- refs/heads/pr/joe/test-lvh-fix
- refs/heads/pr/joe/v1.13-stability-check
- refs/heads/pr/joe/v1.7-dev-env
- refs/heads/pr/jrajahalme/gh-filter-test-files
- refs/heads/pr/jrfastab/backport-ooo-ipsec-fixes
- refs/heads/pr/jrfastab/backport-v111-loopback
- refs/heads/pr/jrfastab/backport-v115
- refs/heads/pr/jrfastab/dbgNodeId
- refs/heads/pr/jrfastab/dbgNodeId111
- refs/heads/pr/jrfastab/dbgNodeId111v2
- refs/heads/pr/jrfastab/dbgv114
- refs/heads/pr/jrfastab/eks-encrypt-ipamupdate
- refs/heads/pr/jrfastab/fix-encrypt-subnets
- refs/heads/pr/jrfastab/fix-ixsec-vxlan-remoteIP
- refs/heads/pr/jrfastab/fixes-ipsec-init
- refs/heads/pr/jrfastab/v1.8-fix-ipsec-vxlan-remoteIP
- refs/heads/pr/jrfastab/v1.9-fix-ipsec-vxlan-remoteIP
- refs/heads/pr/jrfastab/v111-debug-ooo
- refs/heads/pr/jrfastab/v111-debug-ooo-v2
- refs/heads/pr/jwi/main/bpf-dsr-geneve
- refs/heads/pr/jwi/main/ci-geneve-dsr
- refs/heads/pr/jwi/main/ipsec-rhel8
- refs/heads/pr/jwi/v1.15/bpf-complexity
- refs/heads/pr/k8s-nat46x64
- refs/heads/pr/k8s-nat46x64-2
- refs/heads/pr/kaworu/helm-hubble-cli.yaml
- refs/heads/pr/kkourt/azure-ipam-test-race
- refs/heads/pr/kkourt/bpftool-update
- refs/heads/pr/kkourt/ct-rst-timeout-wip
- refs/heads/pr/kkourt/v1.11-backport-2022-01-26
- refs/heads/pr/kkourt/v1.9-lxc-complexity
- refs/heads/pr/l4lb-improvements-tmp
- refs/heads/pr/learnitall/ginkgo-race-workflow
- refs/heads/pr/learnitall/init-egw-scale-test
- refs/heads/pr/learnitall/test-startup-script-changes
- refs/heads/pr/lmb/1.14-cni
- refs/heads/pr/lmb/1.15-cni
- refs/heads/pr/lmb/update-cni-plugin
- refs/heads/pr/marga/v1.11-without-deny-precedence
- refs/heads/pr/marseel/improve_net_perf
- refs/heads/pr/marseel/scale_test_1_15
- refs/heads/pr/max/upgrade-llvm-18-1-6
- refs/heads/pr/mhofstetter/guestbook-registry
- refs/heads/pr/mhofstetter/junit-fetch-nullglob
- refs/heads/pr/mhofstetter/ssh-store-consolelog
- refs/heads/pr/mhofstetter/test-ingress
- refs/heads/pr/michi/circular-struggle
- refs/heads/pr/michi/crdregister
- refs/heads/pr/michi/debug
- refs/heads/pr/michi/description
- refs/heads/pr/michi/dns-refactor12
- refs/heads/pr/michi/faster
- refs/heads/pr/michi/l7drop
- refs/heads/pr/michi/majestic-ketchup
- refs/heads/pr/michi/mega-ketchup
- refs/heads/pr/michi/newer-branch
- refs/heads/pr/michi/peerapi
- refs/heads/pr/michi/sleep-on-it
- refs/heads/pr/michi/test
- refs/heads/pr/michi/weekly-bot
- refs/heads/pr/monitor-wait-ci
- refs/heads/pr/move-image-to-one-repo
- refs/heads/pr/nat-gw-tests
- refs/heads/pr/nathanjsweet/add-complex-allow-test-to-policy-map-tests
- refs/heads/pr/nathanjsweet/add-lockdown-mode-for-policy-map-overflows
- refs/heads/pr/nathanjsweet/differentiate-protocol-in-services
- refs/heads/pr/nathanjsweet/node-port-addresses
- refs/heads/pr/nathanjsweet/refactor-mapstate
- refs/heads/pr/nathanjsweet/update-k8s-control-plane-tests-to-1-27
- refs/heads/pr/nebril/add-dns-concurrency-limit
- refs/heads/pr/nebril/fix-precheck
- refs/heads/pr/nebril/fqdn-proxy-ha
- refs/heads/pr/nebril/fqdn-proxy-interface
- refs/heads/pr/nebril/gke-workflow-migrate-from-cli
- refs/heads/pr/nebril/quarantine-1.14-nodeport
- refs/heads/pr/nebril/test-bottlerocket
- refs/heads/pr/nebril/test-helm-gke-fix
- refs/heads/pr/nebril/test-our-ghaction-shenanigans
- refs/heads/pr/nebril/test-rebase-helm
- refs/heads/pr/nebril/trololo
- refs/heads/pr/nebril/update-cli-9.1-test
- refs/heads/pr/netkit
- refs/heads/pr/netkit3
- refs/heads/pr/netns-switch
- refs/heads/pr/netns-switch-no-peer
- refs/heads/pr/nodeport-fix
- refs/heads/pr/nodeport-improvements2
- refs/heads/pr/nodeport-nat-improvements
- refs/heads/pr/nodeport-nat-improvements2
- refs/heads/pr/nodeport-retry-sport
- refs/heads/pr/pchaigno/deprecate-bpf_network-f
- refs/heads/pr/pchaigno/fix-4.19-bpf-program-size
- refs/heads/pr/pchaigno/hotfix1-ipsec-fix
- refs/heads/pr/pchaigno/hotfix1-ipsec-fix-brb-v0
- refs/heads/pr/pchaigno/optim-complexity-ipcache-lookup
- refs/heads/pr/pchaigno/rework-config-probes
- refs/heads/pr/pchaigno/test-ipsec-workflows
- refs/heads/pr/pchaigno/tmp-base-branch
- refs/heads/pr/pin-1.10-workflows-k8s-version
- refs/heads/pr/pin-1.11-workflows-k8s-version
- refs/heads/pr/pin-1.12-workflows-k8s-version
- refs/heads/pr/pin-1.13-workflows-k8s-version
- refs/heads/pr/pin-cloud-provider-master-workflows
- refs/heads/pr/pr/fix-ipam-node-manager-semaphore-error-handling
- refs/heads/pr/publish-test-images
- refs/heads/pr/qmonnet/docs-20230224
- refs/heads/pr/qmonnet/docs-bump
- refs/heads/pr/qmonnet/standalone-lb-docs
- refs/heads/pr/qmonnet/sync-joblists
- refs/heads/pr/ray/late-dns-proxy
- refs/heads/pr/rgo3/1.12-run-no-unexpected-drops-for-patch
- refs/heads/pr/rgo3/fix-k8s-vm-provisioning-1.13
- refs/heads/pr/rgo3/fix-missing-health-endpoint
- refs/heads/pr/rolinh/better-policy-verdict
- refs/heads/pr/rolinh/hubble-dump-all
- refs/heads/pr/rolinh/hubble-fix-maxflows-rounding
- refs/heads/pr/route-test
- refs/heads/pr/run-tests-in-parallel
- refs/heads/pr/scalability-crd-only
- refs/heads/pr/squeed/make-ccache
- refs/heads/pr/squeed/per-node-config
- refs/heads/pr/squeed/remote-cluster-leak
- refs/heads/pr/stacy/docs-update
- refs/heads/pr/tammach/accesslog-envoy
- refs/heads/pr/tammach/ci-cm
- refs/heads/pr/tammach/cleanup-helm-1.16
- refs/heads/pr/tammach/envoy-1.30
- refs/heads/pr/tammach/headless-service-flake
- refs/heads/pr/tammach/ingress-controller-e2e-config6
- refs/heads/pr/tammach/more-ingress-tests
- refs/heads/pr/tammach/rennovate-statedb
- refs/heads/pr/tammach/revert/fib-lookup
- refs/heads/pr/tc-np-test
- refs/heads/pr/tcx
- refs/heads/pr/tcx-helm
- refs/heads/pr/tcx-misc
- refs/heads/pr/test-419-ci
- refs/heads/pr/test-increase-update-delete-timeout
- refs/heads/pr/test-k8s-all-tests
- refs/heads/pr/test-lb-super-netperf
- refs/heads/pr/test-nightly
- refs/heads/pr/test-upstream-timeout
- refs/heads/pr/tgraf/chaos-testing
- refs/heads/pr/tgraf/clustermesh-stale-state
- refs/heads/pr/tgraf/eni-ipam
- refs/heads/pr/tgraf/new-endpoint-state
- refs/heads/pr/tgraf/new-policy
- refs/heads/pr/tgraf/remove-tunnel-map
- refs/heads/pr/tgraf/scoped-ipam
- refs/heads/pr/tgraf/sctp
- refs/heads/pr/tgraf/split-lxc-prog
- refs/heads/pr/thorn3r/cesBlanketTest
- refs/heads/pr/thorn3r/clustermesh511
- refs/heads/pr/tklauser/build-push-images-env-var
- refs/heads/pr/tommyp1ckles/debugging-aks-conformance
- refs/heads/pr/tp/add-logging-for-integration-etcd
- refs/heads/pr/tp/add-logging-for-wait-for-pods-term-condition
- refs/heads/pr/tp/backport-31380
- refs/heads/pr/tp/bump-cilium-cli
- refs/heads/pr/tp/cleanup-ipam-ips-metric-docs
- refs/heads/pr/tp/complexity-issue-verifier-case-main
- refs/heads/pr/tp/dont-terminate-on-node-config-changee
- refs/heads/pr/tp/eps-modular-health
- refs/heads/pr/tp/fix-stuck-ginko-pod-v2
- refs/heads/pr/tp/forward-hubble-for-e2e
- refs/heads/pr/tp/forward-hubble-for-e2e-v2
- refs/heads/pr/tp/nat-stats-helm
- refs/heads/pr/tp/switch-1.24-eks-region
- refs/heads/pr/tp/switch-1.24-eks-region-v1.13
- refs/heads/pr/tp/use-helm-default-vars-for-clustermesh-downgrade-c1
- refs/heads/pr/tweak-github-action-ref
- refs/heads/pr/twpayne/hubble-recent-events-buffer
- refs/heads/pr/twpayne/hubble-ring-buffer-benchmarks
- refs/heads/pr/update-azure
- refs/heads/pr/update-readme-for-releases
- refs/heads/pr/update-tm-network
- refs/heads/pr/v1.10-backport-2022-06-13
- refs/heads/pr/v1.10-backport-2022-10-03
- refs/heads/pr/v1.10-eni-stability-improvements-v1
- refs/heads/pr/v1.10-neigh-clean
- refs/heads/pr/v1.11-backport-2022-10-03
- refs/heads/pr/v1.11-test/issue-692
- refs/heads/pr/v1.12-backport-2023-10-10
- refs/heads/pr/v1.12-test/issue-692
- refs/heads/pr/v1.13-backport-2023-10-31
- refs/heads/pr/v1.13-backport-2024-04-22-03-42
- refs/heads/pr/v1.13-test/issue-692
- refs/heads/pr/v1.14-backport-2024-06-18-02-46
- refs/heads/pr/v1.14.1
- refs/heads/pr/v1.7-stability-test
- refs/heads/pr/v1.7.9-hf-13205
- refs/heads/pr/v3-cpu
- refs/heads/pr/v6-host-addr2
- refs/heads/pr/vk/bpf/tests/csum
- refs/heads/pr/vk/ci/test/concurrent/run
- refs/heads/pr/vk/doc/ipsec
- refs/heads/pr/vk/ipsec/key/rotate
- refs/heads/pr/vk/test/ipsec/tests/concurrent/run
- refs/heads/pr/wip/bijective-nodemap
- refs/heads/pr/ysksuzuki/lrp-node-dns
- refs/heads/regex_improved
- refs/heads/renovate/main-all-dependencies
- refs/heads/renovate/main-all-go-deps-main
- refs/heads/renovate/main-aws-sdk-go-v2-monorepo
- refs/heads/renovate/main-go
- refs/heads/renovate/main-patch-all-github-action
- refs/heads/renovate/main-patch-all-lvh-images-main
- refs/heads/renovate/v1.13-go
- refs/heads/renovate/v1.13-stable-lvh-images
- refs/heads/renovate/v1.14-go
- refs/heads/renovate/v1.15-aanm-test
- refs/heads/renovate/v1.16-go
- refs/heads/renovate/v1.16-patch-stable-lvh-images
- refs/heads/revert-29086-2023-11-09-backport-1.14
- refs/heads/revert-33302-policy-catch-invalid-port-wildcard
- refs/heads/rib
- refs/heads/run-ci-wihout-building-cilium
- refs/heads/sh-dep-test-l4lb
- refs/heads/sidecar-http-proxy
- refs/heads/sockmap-v5
- refs/heads/sockops-build-fix
- refs/heads/tam/integration-tests
- refs/heads/tam/more-ingress-tests
- refs/heads/tb/bpf-remove-bear
- refs/heads/test-branch
- refs/heads/test-ipsec
- refs/heads/test-sig-bgp-notifs
- refs/heads/test/brlbil/upload
- refs/heads/test/skip-workflows
- refs/heads/tgraf/process-policy
- refs/heads/thorn3r/cesScaleTest
- refs/heads/thorn3rCES
- refs/heads/tinker/learnitall/scale-test-1
- refs/heads/tinker/learnitall/scale-test-2
- refs/heads/tklauser+brb/wip/multi-homing
- refs/heads/unit-test-ipsec
- refs/heads/v0.10
- refs/heads/v0.11
- refs/heads/v0.12
- refs/heads/v0.13
- refs/heads/v0.8
- refs/heads/v0.9
- refs/heads/v1.0
- refs/heads/v1.0.0-rc2
- refs/heads/v1.0.0-rc3
- refs/heads/v1.1
- refs/heads/v1.10
- refs/heads/v1.11
- refs/heads/v1.12
- refs/heads/v1.12.11-base
- refs/heads/v1.13
- refs/heads/v1.14
- refs/heads/v1.15
- refs/heads/v1.16
- refs/heads/v1.2
- refs/heads/v1.3
- refs/heads/v1.3.1
- refs/heads/v1.3.1-release
- refs/heads/v1.3.7-release
- refs/heads/v1.4
- refs/heads/v1.4.5-release
- refs/heads/v1.5
- refs/heads/v1.5.2-rc1-with-clusterip-fix
- refs/heads/v1.5.4-release
- refs/heads/v1.6
- refs/heads/v1.7
- refs/heads/v1.7.9-1
- refs/heads/v1.7.9.1
- refs/heads/v1.8
- refs/heads/v1.9
- refs/heads/verify-external-workload-dns-setup-redux
- refs/heads/vladu/identity-type-metrics
- refs/heads/weavescope
- refs/heads/wip-debug-link-not-found
- refs/heads/wip-debug-link-not-found-v2
- refs/heads/wip-ktls-tx-rx
- refs/heads/wip-sockmap
- refs/heads/wip-sockmap-v2
- refs/heads/wip-sockmap-v3
- refs/heads/wip-sockmap-v4
- refs/heads/xfrm-subnet-test
- refs/heads/yutaro/bgp-cplane-etp-local/doc
- refs/heads/yutaro/oss/eni-overlapping-mark
- refs/remotes/bruno/hf/v1.10/v1.10.3-bpf-snat-and-masq-fixes
- refs/remotes/joe/submit/quarantine-etcd
- refs/remotes/origin/1.2-backports-18-09-12
- refs/remotes/origin/ipvlan3
- refs/remotes/origin/pr/add-reserved-health
- refs/remotes/origin/pr/brb/nodeport-lb
- refs/remotes/origin/pr/ianvernon/5859
- refs/remotes/origin/pr/ianvernon/dynamic-ep-cfg
- refs/remotes/origin/pr/tgraf/kube-dns-fixed-identity
- refs/semaphoreci/6384f501b324813e55cfbe818c04a40f2a923765
- refs/semaphoreci/7f69b285bac8a1be414e8769799962ae1408d9e1
- refs/semaphoreci/b5eb6622da121ad36b8f375a084392f7feeec64a
- refs/semaphoreci/d9e7e28f39d34a7050a9c1cad2a26d84f5f4eff1
- refs/semaphoreci/f55ec535d85f387ef981265967fabb3c1b5f1ec6
- refs/tags/0.10.1
- refs/tags/1.1.1
- refs/tags/1.9.0-rc0
- refs/tags/v0.11
- refs/tags/v0.12.0
- refs/tags/v0.13.1
- refs/tags/v0.8.0
- refs/tags/v0.8.1
- refs/tags/v0.8.2
- refs/tags/v0.9.0
- refs/tags/v0.9.0-rc1
- Branches list truncated to 691 entries, 5 were omitted.
- v1.0.0
- v0.13.9
- v0.13.8
- v0.13.7
- v0.13.6
- v0.13.5
- v0.13.4
- v0.13.3
- v0.13.28
- v0.13.25
- v0.13.24
- v0.13.23
- v0.13.22
- v0.13.21
- v0.13.20
- v0.13.2
- v0.13.19
- v0.13.18
- v0.13.17
- v0.13.16
- v0.13.15
- v0.13.14
- v0.13.13
- v0.13.12
- v0.13.11
- v0.13.10
- v0.10.0
- 1.9.9
- 1.9.8
- 1.9.7
- 1.9.6
- 1.9.5
- 1.9.4
- 1.9.3
- 1.9.2
- 1.9.18
- 1.9.17
- 1.9.16
- 1.9.15
- 1.9.14
- 1.9.13
- 1.9.12
- 1.9.11
- 1.9.10
- 1.9.1
- 1.9.0-rc3
- 1.9.0-rc2
- 1.9.0-rc1
- 1.9.0
- 1.8.9
- 1.8.8
- 1.8.7
- 1.8.6
- 1.8.5
- 1.8.4
- 1.8.3
- 1.8.2
- 1.8.13
- 1.8.12
- 1.8.11
- 1.8.10
- 1.8.1
- 1.8.0-rc4
- 1.8.0-rc3
- 1.8.0-rc2
- 1.8.0-rc1
- 1.8.0
- 1.7.9
- 1.7.8
- 1.7.7
- 1.7.6
- 1.7.5
- 1.7.4
- 1.7.3
- 1.7.2
- 1.7.16
- 1.7.15
- 1.7.14
- 1.7.13
- 1.7.12
- 1.7.11
- 1.7.10
- 1.7.1
- 1.7.0-rc4
- 1.7.0-rc3
- 1.7.0
- 1.6.9
- 1.6.8
- 1.6.7
- 1.6.6
- 1.6.5
- 1.6.4
- 1.6.3
- 1.6.2
- 1.6.12
- 1.6.11
- 1.6.10
- 1.6.1
- 1.6.0
- 1.5.9
- 1.5.8
- 1.5.7
- 1.5.6
- 1.5.5
- 1.5.4
- 1.5.3
- 1.5.2
- 1.5.13
- 1.5.12
- 1.5.11
- 1.5.10
- 1.5.1
- 1.5.0-rc6
- 1.5.0-rc5
- 1.5.0-rc4
- 1.5.0-rc3
- 1.5.0-rc2
- 1.5.0
- 1.4.9
- 1.4.8
- 1.4.7
- 1.4.6
- 1.4.5
- 1.4.4
- 1.4.3
- 1.4.2
- 1.4.10
- 1.4.1
- 1.4.0-rc9
- 1.4.0-rc8
- 1.4.0-rc7
- 1.4.0-rc6
- 1.4.0-rc5
- 1.4.0-rc2
- 1.4.0
- 1.3.8
- 1.3.7
- 1.3.6
- 1.3.5
- 1.3.4
- 1.3.3
- 1.3.2
- 1.3.1
- 1.3.0-rc5
- 1.3.0-rc4
- 1.3.0
- 1.2.8
- 1.2.7
- 1.2.6
- 1.2.5
- 1.2.4
- 1.2.3
- 1.2.2
- 1.2.1
- 1.2.0-rc3
- 1.2.0-rc2
- 1.2.0-rc1
- 1.2.0
- 1.16.0-rc.2
- 1.16.0-rc.1
- 1.16.0-rc.0
- 1.16.0-pre.3
- 1.16.0-pre.2
- 1.16.0-pre.1
- 1.16.0-pre.0
- 1.15.7
- 1.15.6
- 1.15.5
- 1.15.4
- 1.15.3
- 1.15.2
- 1.15.1
- 1.15.0-rc.1
- 1.15.0-rc.0
- 1.15.0-pre.3
- 1.15.0-pre.2
- 1.15.0-pre.1
- 1.15.0-pre.0
- 1.15.0
- 1.14.9
- 1.14.8
- 1.14.7
- 1.14.6
- 1.14.5
- 1.14.4
- 1.14.3
- 1.14.2
- 1.14.13
- 1.14.12
- 1.14.11
- 1.14.10
- 1.14.1
- 1.14.0-snapshot.4
- 1.14.0-snapshot.3
- 1.14.0-snapshot.2
- 1.14.0-snapshot.1
- 1.14.0-snapshot.0
- 1.14.0-rc.1
- 1.14.0-rc.0
- 1.14.0-pre.2
- 1.14.0
- 1.13.9
- 1.13.8
- 1.13.7
- 1.13.6
- 1.13.5
- 1.13.4
- 1.13.3
- 1.13.2
- 1.13.18
- 1.13.17
- 1.13.16
- 1.13.15
- 1.13.14
- 1.13.13
- 1.13.12
- 1.13.11
- 1.13.10
- 1.13.1
- 1.13.0-rc5
- 1.13.0-rc4
- 1.13.0-rc3
- 1.13.0-rc2
- 1.13.0-rc1
- 1.13.0-rc0
- 1.13.0
- 1.12.9
- 1.12.8
- 1.12.7
- 1.12.6
- 1.12.5
- 1.12.4
- 1.12.3
- 1.12.2
- 1.12.19
- 1.12.18
- 1.12.17
- 1.12.16
- 1.12.15
- 1.12.14
- 1.12.13
- 1.12.12
- 1.12.11
- 1.12.10
- 1.12.1
- 1.12.0-rc3
- 1.12.0-rc2
- 1.12.0-rc1
- 1.12.0-rc0
- 1.12.0
- 1.11.9
- 1.11.8
- 1.11.7
- 1.11.6
- 1.11.5
- 1.11.4
- 1.11.3
- 1.11.20
- 1.11.2
- 1.11.19
- 1.11.18
- 1.11.17
- 1.11.16
- 1.11.15
- 1.11.14
- 1.11.13
- 1.11.12
- 1.11.11
- 1.11.10
- 1.11.1
- 1.11.0-rc3
- 1.11.0-rc2
- 1.11.0-rc1
- 1.11.0-rc0
- 1.11.0
- 1.10.9
- 1.10.8
- 1.10.7
- 1.10.6
- 1.10.5
- 1.10.4
- 1.10.3
- 1.10.20
- 1.10.2
- 1.10.19
- 1.10.18
- 1.10.17
- 1.10.16
- 1.10.15
- 1.10.14
- 1.10.13
- 1.10.12
- 1.10.11
- 1.10.10
- 1.10.1
- 1.10.0-rc2
- 1.10.0-rc1
- 1.10.0-rc0
- 1.10.0
- 1.1.6
- 1.1.5
- 1.1.4
- 1.1.3
- 1.1.2
- 1.1.0
- 1.0.7
- 1.0.6
- 1.0.5
- 1.0.4
- Releases list truncated to 309 entries, 331 were omitted.
Take a new snapshot of a software origin
If the archived software origin currently browsed is not synchronized with its upstream version (for instance when new commits have been issued), you can explicitly request Software Heritage to take a new snapshot of it.
Use the form below to proceed. Once a request has been submitted and accepted, it will be processed as soon as possible. You can then check its processing state by visiting this dedicated page.
Processing "take a new snapshot" request ...
Permalinks
To reference or cite the objects present in the Software Heritage archive, permalinks based on SoftWare Hash IDentifiers (SWHIDs) must be used.
Select below a type of object currently browsed in order to display its associated SWHID and permalink.
| Revision | Author | Date | Message | Commit Date |
|---|---|---|---|---|
| 479c7a4 | Cilium Imagebot | 07 July 2024, 04:19:34 UTC | images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> | 07 July 2024, 04:29:56 UTC |
| 42b26f5 | cilium-renovate[bot] | 07 July 2024, 04:15:32 UTC | chore(deps): update docker.io/library/golang:1.22.5 docker digest to fcae9e0 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 07 July 2024, 04:15:32 UTC |
| ebbb0cf | Cilium Imagebot | 03 July 2024, 15:17:44 UTC | images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> | 04 July 2024, 07:38:26 UTC |
| 50a09d4 | cilium-renovate[bot] | 03 July 2024, 15:13:53 UTC | chore(deps): update go to v1.22.5 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 04 July 2024, 07:38:26 UTC |
| be000ef | André Martins | 02 July 2024, 09:31:36 UTC | renovate: remove concurrency group from renovate's Base Image Release Build [ oss commit 1a33ff0d12653cabc27b95066bba64bf33121e44 ] The "Base Image Release Build - Renovate" workflow doesn't need a concurrency group has it will use the concurrency group of the workflow that it uses, the "./.github/workflows/build-images-base.yaml". Using the concurrency groups on both workflows will result in the following error: Canceling since a deadlock for concurrency group 'Base Image Release Build - Renovate-refs/heads/renovate/main-all-dependencies' was detected between 'top level workflow' and 'build-base-images-from-renovate' Fixes: f054f94b24b9 (".github: add workflow for renovate to build base images") Signed-off-by: André Martins <andre@cilium.io> | 03 July 2024, 12:23:28 UTC |
| 4116562 | André Martins | 07 August 2023, 19:07:52 UTC | renovate: add all dependencies of Makefile.values [ oss commit 99846fd67db870f4d6ff2ae0e9f73df43e2a4e7b ] Now we can let renovate update the dependencies of all images from Makefile.values. Signed-off-by: André Martins <andre@cilium.io> | 03 July 2024, 12:23:28 UTC |
| 5030488 | cilium-renovate[bot] | 01 July 2024, 23:06:37 UTC | chore(deps): update kindest/node docker tag to v1.30.2 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 02 July 2024, 09:20:07 UTC |
| 5973d91 | cilium-renovate[bot] | 01 July 2024, 03:06:23 UTC | chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20240628.013131 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 02 July 2024, 09:16:09 UTC |
| 5020775 | cilium-renovate[bot] | 01 July 2024, 02:27:40 UTC | chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 02 July 2024, 09:16:06 UTC |
| e7f47e6 | Joe Stringer | 28 June 2024, 22:11:00 UTC | install: Update image digests for v1.16.0-rc.1 Generated from https://github.com/cilium/cilium/actions/runs/9718847068 ## Docker Manifests ### cilium `quay.io/cilium/cilium:v1.16.0-rc.1@sha256:0729d9eff50c2c6b798c073c6ecac15c880095c989bf4312b43da7be90bb44f2` ### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.16.0-rc.1@sha256:59ddda649562bbf369dc6584f4bf8a699e80b9db3db8f93010df8ccf11ea5eb6` ### docker-plugin `quay.io/cilium/docker-plugin:v1.16.0-rc.1@sha256:93b95ca13e00b3178ae2efa063bb44cbb1fc3030c84277fbaea8f0415bc6a8bf` ### hubble-relay `quay.io/cilium/hubble-relay:v1.16.0-rc.1@sha256:8c941e9c9cb94d23874b988adb9794a497e6d35f9893ef741e37838add909413` ### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.16.0-rc.1@sha256:488cf234f6730b989162e2cb2de4b479ff312d0392ec6a4bb57d697606e36a3a` ### operator-aws `quay.io/cilium/operator-aws:v1.16.0-rc.1@sha256:798917d351dc2ec53e9b71be6d3397c10a0d2d12135ac6a6e9d999862107d432` ### operator-azure `quay.io/cilium/operator-azure:v1.16.0-rc.1@sha256:0f8b0ebe8e5dc9908418602be49dfb40e5f938ed99fe1d3ddc1fec066fb42e37` ### operator-generic `quay.io/cilium/operator-generic:v1.16.0-rc.1@sha256:300d55216909d163060aae17de6305084c8208871d25f8e5962e643f6b58e216` ### operator `quay.io/cilium/operator:v1.16.0-rc.1@sha256:52adead4d4440bc85e66b32fe2ed4336cdb6b89cf4c7b2658f394e00705c2e92` Signed-off-by: Joe Stringer <joe@cilium.io> | 28 June 2024, 22:23:43 UTC |
| ab10ea7 | Joe Stringer | 28 June 2024, 21:04:36 UTC | Prepare for release v1.16.0-rc.1 Signed-off-by: Joe Stringer <joe@cilium.io> | 28 June 2024, 21:43:32 UTC |
| f5bdf28 | André Martins | 28 June 2024, 15:03:27 UTC | Prepare v1.16 stable branch Signed-off-by: André Martins <andre@cilium.io> | 28 June 2024, 20:13:38 UTC |
| 5614531 | viktor-kurchenko | 24 June 2024, 16:53:42 UTC | contrib,tool: exclude slice cleanup The config_replacement.h was removed. So we no longer need in the exclude slice. Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> | 28 June 2024, 12:45:05 UTC |
| 0666847 | Marco Iorio | 27 June 2024, 15:54:19 UTC | clustermesh: grant read permissions to the cilium/.heartbeat prefix The blamed commits introduced the configuration of more granular permissions to access the different data stored in etcd. Among the others, it granted the access to the cilium/.heartbeat key, which is used to check the connection healthiness. However, this setup turned out being too restrictive, as we actually watch the entire corresponding prefix on the client side, triggering warnings like: msg="Unable to list keys before starting watcher" error="etcdserver: permission denied" prefix=cilium/.heartbeat Let's address this by relaxing the configuration and granting access to the entire cilium/.heartbeat prefix. Although we could also change the client to only retrieve and watch the specific key, this would still pose backward compatibility issues, as old clients would continue attempting to access the entire prefix. Fixes: cb6a58bef00b ("clustermesh: granular etcd permissions for kvstoremesh cached data" Fixes: aa10df3a4c6a ("kvstore: correctly assign permissions to single key, rather than prefix") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 28 June 2024, 12:44:55 UTC |
| 0d27ba2 | Paulo Castello da Costa | 23 June 2024, 01:50:17 UTC | Makefile: suppress error in comment line. Prior to this change, integration tests on Ubuntu Minimal 20.04 LTS fail with an error on this comment line. Adding `-@` before the comment allows integration tests to pass. Signed-off-by: Paulo Castello da Costa <pcastello@google.com> | 28 June 2024, 10:29:20 UTC |
| 486515e | Rastislav Szabo | 25 June 2024, 18:02:21 UTC | bgpv2: Cleanup defaulting of peer config Use default peer config only when PeerConfigRef is not specified. If it is specified but not existing, skip the peer configuration instead of using the default values. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> | 28 June 2024, 09:43:16 UTC |
| 7918efb | Stefan Zwanenburg | 12 June 2024, 17:57:14 UTC | gateway-api: Un-set externalTrafficPolicy on LB service for host network Support has recently been added for setting an `externalTrafficPolicy` on the service generated for a Gateway. Unfortunately, this broke support for the case when `hostNetworkEnabled` is enabled, as only _externally-facing_ services (which services of type `ClusterIP` are _not_) may have an `externalTrafficPolicy`. This commit addresses that by explicitly removing the `externalTrafficPolicy` when `hostNetworkEnabled == true`. Fixes: 95886de65f7 Signed-off-by: Stefan Zwanenburg <stefan@zwanenburg.info> | 28 June 2024, 07:20:32 UTC |
| 0a5d2f7 | David Bimmler | 25 June 2024, 14:53:47 UTC | policy: wrong cidrGroupRefs select nothing not all When current code translates a CNP with _only_ a dangling cidrGroupRef, it fails distinguish between nil (meaning an unset selector, selecting everything) and the empty list (selecting nothing). This leads to bizarre situations, such as the following. With "dangling" pointing to a non-existant cidrGroup, the CNP below allowed egress traffic to port 80 instead of denying it. egress: - toCIDRSet: [{cidrGroupRef: dangling}] toPorts: ( ... 80 ... ) To fix this, transform the nil to an empty list in an overly explicit manner to make clear why this is necessary. It's somewhat subtle as in Go, most of the time, nil and empty list are equivalent, hence be explicit to avoid an easy refactor breaking this again. In addition, of course, adapt the tests so that they would catch it too. Signed-off-by: David Bimmler <david.bimmler@isovalent.com> | 28 June 2024, 07:17:47 UTC |
| 10da51d | David Bimmler | 25 June 2024, 14:18:58 UTC | policy: add test for non-existent cidrgroupref Dangling CIDR group references should not be part of the result set, as the code currently correctly handles, but the tests don't specify. Add a test for this condition. Signed-off-by: David Bimmler <david.bimmler@isovalent.com> | 28 June 2024, 07:17:47 UTC |
| ea39384 | Marcel Zieba | 27 June 2024, 11:23:39 UTC | install/kubernetes: update nodeinit image to latest version Renovate does not pick up new version as tag is in sha format rather than regular semver. Related: #32181 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> | 28 June 2024, 07:17:18 UTC |
| 2f56ef2 | Martynas Pumputis | 27 June 2024, 11:57:58 UTC | docs: Add note about WG and MTU with CNI chaining Mention cni.enableRouteMTUForCNIChaining introduced by https://github.com/cilium/cilium/pull/33190. Signed-off-by: Martynas Pumputis <m@lambda.lt> | 28 June 2024, 05:50:24 UTC |
| 5c2b51b | Nick Young | 26 June 2024, 05:52:05 UTC | Requeue CEC handling on service details lookup failure This commit ensures that if, during the handling of a CEC or CCEC, the manager cannot lookup the details of a Service, the reconcile of that object will fail, and Hive will requeue the update. Also changes the logs here to be Info rather than Error and makes clear that this will be retried. Also changes Dedicated Ingress resource creation so that the Loadbalancer Service is created _before_ the CiliumEnvoyConfig, which should reduce the incidence of Service lookup failures during CEC or CCEC processing. Signed-off-by: Nick Young <nick@isovalent.com> | 28 June 2024, 04:50:38 UTC |
| a2a9a72 | Nick Young | 14 June 2024, 06:17:23 UTC | Handle nil service retrieved from Resource store Signed-off-by: Nick Young <nick@isovalent.com> | 28 June 2024, 04:50:38 UTC |
| 97e883d | Nick Young | 11 June 2024, 06:03:27 UTC | Fix CiliumEnvoyConfig Nodeport handling Adds additional service redirect handling for Services with Nodeports set, which will automatically include the Nodeport in the set of redirected ports if ports to redirect are specified. Also removes a hack in the Dedicated Ingress code that was introduced to solve this problem previously. Signed-off-by: Nick Young <nick@isovalent.com> | 28 June 2024, 04:50:38 UTC |
| ca01c05 | Fabio Falzoi | 21 June 2024, 08:16:40 UTC | egressgw: Validate endpoint identity before fetching labels Validate endpoint identity metadata before dereferencing it to fetch identity labels. In case of missing identity, the update is rejected. Fixes: #33268 Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> | 28 June 2024, 00:18:32 UTC |
| 28f7309 | Marco Hofstetter | 25 June 2024, 14:08:32 UTC | operator: include CRD categories when applying cilium CRDs Currently, when the Cilium Operator applies the Cilium CRDs to the cluster, the categories of the CRD aren't configured. This prevents listing all resources by category. This commit fixes this by including the categories when applying the CRDs. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 28 June 2024, 00:16:51 UTC |
| c2edc7c | Aditi Ghag | 26 June 2024, 20:56:31 UTC | docs: Add node-local dns troubleshooting steps Signed-off-by: Aditi Ghag <aditi@cilium.io> | 28 June 2024, 00:15:56 UTC |
| 69e5ede | Aditi Ghag | 25 June 2024, 01:04:50 UTC | codeowners: Update teams for local-redirect-policy docs Signed-off-by: Aditi Ghag <aditi@cilium.io> | 28 June 2024, 00:15:56 UTC |
| c9ccf08 | Chris Tarazi | 26 June 2024, 00:05:04 UTC | Revert "IPAM: Adds IPv6 Prefix Delegation Config Option" This reverts commit 2fc54dd6dd9edb507cb3111e175071000189b81c. Signed-off-by: Chris Tarazi <chris@isovalent.com> | 27 June 2024, 18:29:17 UTC |
| aeb5f5d | Martynas Pumputis | 27 June 2024, 09:54:09 UTC | bpf/tests: Add test to check L3 -> tunnel redirect To test the fix in the previous commit. Ideally, we would want to test against running L3 netdev and vxlan netdev with Cilium's BPF progs loaded. Unfortunately, we don't have an infrastructure for such a test. Thus, only check that the L2 hdr is appended before the redirect. Signed-off-by: Martynas Pumputis <m@lambda.lt> | 27 June 2024, 17:57:06 UTC |
| d4d3aa0 | Martynas Pumputis | 27 June 2024, 09:53:48 UTC | datapath: Fix redirect from L3 netdev to tunnel Previously, the redirect from L3 netdev (in nodeport.h) to Cilium's tunnel device failed due to the bpf_redirect returning -ERANGE [1]. Further investigation revealed the following values for the troublesome skb: skb->len = 60 skb->data = 0x000000009566a77e skb->head = 0x000000001a70ff88 skb->network_header = 64 "skb->data" was set to a weird location when compared to "skb->head", and thus made the check to fail. Adding the L2 hdr before redirecting to the tunnel device resolved the issue. P.S., I wanted to use "if (__ctx_is == __ctx_skb)" instead of the #if. Unfortunately, then the bpf_xdp.c fails to compile with: error: use of undeclared identifier 'ENCAP_IFINDEX' [1]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/core/filter.c?h=v6.7.4# n2147 Signed-off-by: Martynas Pumputis <m@lambda.lt> | 27 June 2024, 17:57:06 UTC |
| 5024cb8 | Ovidiu Tirla | 10 June 2024, 12:19:32 UTC | operator/identitygc: Disable identitygc when Operator manages CID EnableOperatorManageCIDs enables operator to manage CID by running a CID controller. If enabled, Identity GC cell is then disabled because CID controller takes care of garbage collection. Signed-off-by: Ovidiu Tirla <otirla@google.com> | 27 June 2024, 15:44:46 UTC |
| 63e4767 | Filip Nikolic | 27 June 2024, 13:12:57 UTC | helm: ensure that envoy daemonset is installed only when needed As `.Values.ingressController.enabled` and `.Values.gatewayAPI.enabled` require `.Values.l7Proxy` to be set it's sufficient to just perform a check on that value. Signed-off-by: Filip Nikolic <oss.filipn@gmail.com> | 27 June 2024, 15:18:16 UTC |
| e49c7b3 | Martynas Pumputis | 26 June 2024, 13:08:26 UTC | bpf/tests: Add BPF_TEST_FILE to run a single test Signed-off-by: Martynas Pumputis <m@lambda.lt> | 27 June 2024, 14:04:37 UTC |
| af4ebb7 | Martynas Pumputis | 17 June 2024, 11:56:38 UTC | gh/workflows: Set enableRenableRouteMTUForCNIChaining in ci-awscni This is one of a very few CI workflows which use the CNI chaining. Enable the new option to get some test coverage. Signed-off-by: Martynas Pumputis <m@lambda.lt> | 27 June 2024, 07:39:02 UTC |
| d10c92c | Martynas Pumputis | 20 June 2024, 09:58:20 UTC | gh: Split actions/aws into two This commit splits actions/aws into actions/aws-cni and actions/eks. This is needed for a subsequent commit in which conformance-aws-cni.yaml will enable WireGuard in one of its matrix configurations. Signed-off-by: Martynas Pumputis <m@lambda.lt> | 27 June 2024, 07:39:02 UTC |
| 512b708 | Martynas Pumputis | 17 June 2024, 08:53:00 UTC | helm: Add cni.enableRouteMTUForCNIChaining Signed-off-by: Martynas Pumputis <m@lambda.lt> | 27 June 2024, 07:39:02 UTC |
| 0cee8ad | Martynas Pumputis | 17 June 2024, 08:47:07 UTC | daemon,cni,mtu: Add EnableRouteMTUForCNIChaining flag The new flag ("--enable-route-mtu-for-cni-chaning") enables the route MTU for pod netns when CNI chaning is used. The feature was introduced by [1]. Initially, the feature could have been enabled only via a CNI config. However, modifying Cilium's CNI config in the case of the CNI chaining has proven to difficult. Therefore, this commit exposes the feature via the cilium-agent flag. [1]: https://github.com/cilium/cilium/pull/26495/ Signed-off-by: Martynas Pumputis <m@lambda.lt> | 27 June 2024, 07:39:02 UTC |
| 4a38c68 | Martynas Pumputis | 17 June 2024, 08:25:29 UTC | api: Add enableRouteMTUForCNIChaining The daemon option is going to be used to enable [1] via an cilium-agent flag. [1]: https://github.com/cilium/cilium/pull/26495/ Signed-off-by: Martynas Pumputis <m@lambda.lt> | 27 June 2024, 07:39:02 UTC |
| 2de95c0 | Tim Horner | 18 June 2024, 17:04:03 UTC | bpf: rename UINT8_MAX to UINT16_max and fix cluster_id casts The UINT8_MAX macro is defined as the 16bit hex value 0xFFFF. Since cluster_id is now a uint16 to allow for extended Cluster Mesh, this renames the macro to UINT16_MAX, rather than changing the value. Lingering casts of cluster_id as a uint8 have also been corrected to ensure its usage as uint16. Fixes: e8752ec125fc ("bpf: Define UINT8_MAX") Signed-off-by: Tim Horner <timothy.horner@isovalent.com> | 27 June 2024, 02:03:12 UTC |
| 5c89cca | Sebastian Wicki | 26 June 2024, 09:32:54 UTC | ci: Extend K8s FQDN test to assert numeric identities after restoration This extends the "Restart Cilium validate that FQDN is still working" Ginkgo test to check that numeric identities do not change after a Cilium agent restart. It does this by fetching the numeric identity of the looked up IP from IPCache and compares it to the numeric identity selected by the ToFQDN selector. In addition, the test also checks that these identities are stable across the restart. This should imply that connections during restoration should also not observe any drops. This is added to Ginkgo rather than Cilium CLI as these kind of state assertions across Cilium agent restarts would require changes to the `conn-disrupt-test-setup`, which in turn also requires us to set up additional client and server pods for checking ToFQDN connectivity, which the current upgrade tests do not facilitate. This might be added in the future as follow-up work, but to have basic coverage of ToFQDN restart persistence with K8s policies this commit provides an easy intermediate solution. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 26 June 2024, 19:25:58 UTC |
| a0c0a1f | cilium-renovate[bot] | 26 June 2024, 10:09:50 UTC | chore(deps): update all lvh-images main Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 26 June 2024, 19:12:30 UTC |
| ab10324 | Daniel Borkmann | 26 June 2024, 11:41:05 UTC | cilium, docs: Add note about netkit in upgrade guide To provide a pointer to the performance guide but also to add a note about in-place upgrades. Closed: #33291 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 26 June 2024, 15:11:48 UTC |
| d2425c8 | Daniel Borkmann | 26 June 2024, 11:33:17 UTC | cilium, docs: Add note about upgrades in performance doc Add information about how to deal with the settings in context of existing clusters. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 26 June 2024, 15:11:48 UTC |
| 631ff6f | Dylan Reimerink | 25 June 2024, 13:57:37 UTC | Documentation: Add troubleshooting section to L2 Announcements Since its introduction, there has been a small yet steady stream of similar issues reported by users who are trying to use L2. This patch adds a troubleshooting section to the L2 Announcements which should help users to diagnose and resolve common issues on their own. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> | 26 June 2024, 14:26:28 UTC |
| 601123c | Tam Mach | 26 June 2024, 12:41:02 UTC | envoy: update envoy 1.29.x to v1.29.6 (main) Relates: https://github.com/cilium/proxy/pull/816 Signed-off-by: Tam Mach <tam.mach@cilium.io> | 26 June 2024, 13:57:26 UTC |
| 53060c6 | cilium-renovate[bot] | 26 June 2024, 10:09:55 UTC | chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 26 June 2024, 13:38:32 UTC |
| bb211e7 | David Swafford | 20 June 2024, 23:57:59 UTC | docs: BGPv2 CP documentation update This PR updates Cilium's documentation for the BGPv2 Control Plane. In specific, it adds a caution note for the transport section. Signed-off-by: David Swafford <dswafford@coreweave.com> | 26 June 2024, 13:24:20 UTC |
| 3a669e9 | Sebastian Wicki | 25 June 2024, 12:18:52 UTC | docs: Improve note on kube-apiserver entity limitations Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 26 June 2024, 13:22:03 UTC |
| 471f19a | Tam Mach | 25 June 2024, 12:53:54 UTC | envoy: Enable DaemonSet only for new installation This commit is to _only_ enable Envoy DS for new installation. The existing cilium installation can opt in by setting upgradeCompatibility value as per recommended upgrade guide. One user-defined function (e.g envoyDeamonSetEnabled) is added to avoid code duplication. Another point worth noting is the usage of eq function to enforce boolean data type for inline variable Relates: #30034, #33261 Signed-off-by: Tam Mach <tam.mach@cilium.io> | 26 June 2024, 09:21:16 UTC |
| 43642e5 | Ovidiu Tirla | 10 June 2024, 11:59:39 UTC | pkg/k8s: Index Pod resources by namespace The Pod resource will be used by Operator Managing CIDs to reconcile all the pods in a namespace when the namespace labels are added or removed. Related #27752 Signed-off-by: Ovidiu Tirla <otirla@google.com> | 25 June 2024, 21:18:38 UTC |
| 037480a | Ovidiu Tirla | 10 June 2024, 11:58:12 UTC | operator/k8s: Add Namespace resource to operator resources cell The Namespace resource will be used by Operator Managing CIDs to fetch relevant labels to create CIDs. Related #27752 Signed-off-by: Ovidiu Tirla <otirla@google.com> | 25 June 2024, 21:18:38 UTC |
| d0a299b | Ovidiu Tirla | 10 June 2024, 10:06:06 UTC | pkg/k8s: Add indexer for CiliumIdentity objects based on security labels Add indexer for CiliumIdentity objects based on security labels to enable efficient lookup of existing CIDs for reuse during allocation when Cilium Operator manages Cilium Identities. Related #27752 Signed-off-by: Ovidiu Tirla <otirla@google.com> | 25 June 2024, 21:18:38 UTC |
| fdf435a | cilium-renovate[bot] | 24 June 2024, 20:06:06 UTC | fix(deps): update module github.com/hashicorp/go-hclog to v1.6.3 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 25 June 2024, 18:54:35 UTC |
| 0c9b710 | André Martins | 25 June 2024, 09:30:51 UTC | .github: update kindest to 1.30.0 Signed-off-by: André Martins <andre@cilium.io> | 25 June 2024, 15:11:16 UTC |
| 1e4d3ae | Dylan Reimerink | 25 June 2024, 08:10:01 UTC | hive: Fixed copy-paste error in reconciler.Metrics implementation The code checked if `IncrementalReconciliationTotalErrors` was enabled but then modified `IncrementalReconciliationCurrentErrors`. Seems like a copy-paste error from the case above, fixed it. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> | 25 June 2024, 10:57:36 UTC |
| b3ed575 | Steve Gargan | 19 June 2024, 12:32:13 UTC | use CiliumEndpoint watcher to remove pod metrics across all nodes Fixes #31889 by using the CiliumEndpoints watcher to drive metrics deletion instead of the Pod watcher. Metrics deletion was being handled by the pod watcher when a pod was deleted so to were all the metrics associated with it. However, if a cilium agent is configured with CiliumEndpointCRD enabled, it will only watch for pods on the current node. This leads to a leak where metrics would never be reaped up on nodes where the pod was not running. Every node watches all the CiliumEndpoints and the endpoint resources contains contain enough information to trigger the deletion of the metrics. This change moves the deletion to the CiliumEndpoint watcher and uses the endpoint name and namespace to delete the metric when the endpoint is deleted. Signed-off-by: Steve Gargan <steve.gargan@gmail.com> | 25 June 2024, 10:43:37 UTC |
| 638be8f | Sebastian Wicki | 18 June 2024, 16:14:54 UTC | docs: Mention new `toFQDNs` implementation in upgrade notes This adds the upgrade notes for the new ``toFQDNs`` implementation. It mentions upgrade impact and the new metrics added to troubleshoot it. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 25 June 2024, 10:22:58 UTC |
| c1c3164 | Sebastian Wicki | 18 June 2024, 15:44:53 UTC | docs: Add section on `toFQDNs` metrics This adds a section in the `toFQDNs` troubleshooting guide on how the identity usage can be monitored. It makes use of the metrics added in previous commits. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 25 June 2024, 10:22:58 UTC |
| af5c1e8 | Sebastian Wicki | 18 June 2024, 14:01:34 UTC | docs: Update troubleshooting guides for ToFQDN This commit updates our docs to use the new `fqdn` identities introduced by commit 719eb4f8cb0831db11184ed7d6667268fbb83720 - rather than the previously used `cidr` identities. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 25 June 2024, 10:22:58 UTC |
| 9518639 | Sebastian Wicki | 18 June 2024, 13:09:37 UTC | metrics: Add `fqdn_selectors` metric This adds a new simple metric which counts the number of registered `ToFQDN` selectors. This, in combination with the previously added `identity_label_sources` metric, allows users to monitor how many `fqdn` identities are allocated compared to how may `ToFQDN` selectors are registered. If there are orders of magnitude more identities than selectors, then this indicates that selectors are overlapping in different combinations, which can cause the local identity space to exhaust quickly. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 25 June 2024, 10:22:58 UTC |
| 64cd9f8 | Sebastian Wicki | 18 June 2024, 08:53:18 UTC | metrics: Add `identity_label_sources` metric This adds a new metric which counts the number of identities per label source. This allows users to have a bit more precise breakdown of what types of identities are allocated over the existing `identities` metrics. For example, the new metric allows users to track precisely how many identities contain a `fqdn` or `cidr` label, where as the per-type metric puts them in the same bucket. There are only about a dozen different label sources, so cardinality of the metric should be low. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 25 June 2024, 10:22:58 UTC |
| aca59cd | Casey Callendrello | 24 June 2024, 09:48:03 UTC | policy: take SelectorCache read lock when applying incremental changes We need to take a lock on the SelectorCache for a subtle reason: deny insertion needs the ability to convert a numerical ID to a CIDR, and the SelectorCache provides this functionality. Accordingly, we must lock the SelectorCache while applying changes. Most trees that lead to this take a RLock() of the SelectorCache. This call was an oversight. It does not modify the SelectorCache and thus may safely take an RLock as well. Signed-off-by: Casey Callendrello <cdc@isovalent.com> | 25 June 2024, 08:53:26 UTC |
| ac28fb9 | Marco Iorio | 19 June 2024, 09:09:36 UTC | clustermesh: synchronously close backend on reconnection The historical comment mentioned that the resources needed to be released asynchronously as they may time out in case of errors. However, all watchers have been refactored over time, and are now released synchronously. The only remaining bit regards closing the etcd client, which is not blocking. Hence, let's close it synchronously as well (as we already do in case of errors), for consistency and to simplify catching possible issues in tests. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 25 June 2024, 08:53:11 UTC |
| f30d83a | Marco Iorio | 19 June 2024, 09:08:14 UTC | kvstore: drop context from the Close() signature The context parameter is never used, and close is not expected to be a blocking operation, hence let's just clean it up. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 25 June 2024, 08:53:11 UTC |
| 5a64653 | Casey Callendrello | 05 June 2024, 13:06:28 UTC | endpoint: skip unnecessary syncPolicyMaps on first regeneration Endpoints on first regeneration are in a funny state. They reference an old IPCache (which is recreated on agent restart), but their policy maps are not swapped. This means they may be in a state where IPs map to old identities, but those identities are no longer in the new ipcache. This is not 100% fixable as long as we do not recreate the BPF PolicyMap, but we can significantly reduce the time we are in this skewed state, by eliding the first syncPolicyMaps() call. We call syncPolicyMaps twice. Once before compilation, and once after. The first call is to make it safe to clean up stale Envoy resources. However, the first-ever call to syncPolicyMaps will have no stale redirects to clean up regardless. Even worse, it all-but guarantees we are in this skewed state for a partcularly long time, as we will be certainly recompiling the endpoints BPF code. Fortunately, the fix is easy: we can skip the first syncPolicyMaps, and rely on the second, which occurs very quickly after compliation finishes. This minimizes the potential for spurious policy drops. Signed-off-by: Casey Callendrello <cdc@isovalent.com> | 25 June 2024, 08:25:13 UTC |
| 56494b1 | André Martins | 24 June 2024, 12:54:08 UTC | build-images-base: push to branch if pull request ref doesn't exist With the introduction of workflow_call by f054f94b24b9, pushing changes to the branch was not possible when the event was type "workflow_call" as the github.event.pull_request.head.ref does not exist. Fixes: f054f94b24b9 (".github: add workflow for renovate to build base images") Signed-off-by: André Martins <andre@cilium.io> | 25 June 2024, 07:34:20 UTC |
| e13fa8b | Marco Iorio | 17 June 2024, 08:53:18 UTC | helm: drop IDENTITY_ALLOCATION_MODE env var from clustermesh-apiserver The associated flag is no longer configurable since 26d08a888d8a ("clustermesh-apiserver: extract external workloads in a separate cell"), because the clustermesh-apiserver cannot be enabled in combination with kvstore identity allocation mode. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 25 June 2024, 04:58:06 UTC |
| 036ecab | Nate Sweet | 21 March 2024, 20:24:52 UTC | policy: Enable Port Ranges - Remove EndPort warning - Add CRD/API support for Endport. - Modify the prefix logic for bpf map insertion to account for port ranges. - Update all policymap calls that need to add port mask to the argument. - Update the k8s network policy tests with a range look up test. - Pass Endport to Envoy. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> | 24 June 2024, 21:27:54 UTC |
| d63157d | Nate Sweet | 29 May 2024, 21:10:03 UTC | policy: Refactor L4PolicyMap to Index Port Ranges The L4PolicyMap needs to index L4Filters by port and protocol. With the introduction of port ranges the golang builtin map type no longer suffices to index the L4Filters. This commit refactors the type to take a mix of named ports (which can never have an EndPort) as well as simple port numbers, and ranges. All usage of the type is rewritten to account for the changes. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> | 24 June 2024, 21:27:54 UTC |
| bc13dbb | Sebastian Wicki | 24 June 2024, 13:40:54 UTC | Revert "CI: bump default FQDN datapath timeout from 100 to 250ms" This reverts commit 34caeb233b0d47a0e4f9553fbd7ac532e0c1a5f8. Thanks to recent improvements on `main`, P99 latency for Cilium DNS in the fqdn-perf workflow has dropped from ~100ms to ~15ms. This should allow us to fall back to the default FQDN timeout to 100ms. Note that in contrast to the above commit, this commit here should not be backported to older branches, as the performance fixes are not backported either. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 24 June 2024, 19:31:53 UTC |
| c43b5b4 | cilium-renovate[bot] | 24 June 2024, 15:10:33 UTC | fix(deps): update all go dependencies main Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 24 June 2024, 19:28:23 UTC |
| 24f6630 | Dean | 21 June 2024, 15:37:28 UTC | correct spelling mistake in bgp docs Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> | 24 June 2024, 16:52:07 UTC |
| a31dcbd | Ryan Drew | 20 June 2024, 22:43:40 UTC | cni: Revert "cni: Use correct route MTU for various cloud cidrs" The PR #32244, that was merged with commit 29a340e, was intended to fix IP fragmentation with WireGuard deployments, causing poor network throughput and increased network latency. Unfortunately, after this PR was merged, users began reporting issues with Cilium modifying the MTU of the default interface of the node. This commit reverts the blamed commit in an attempt to fix said issues. The surfaced side-effect is tracked in issue #33303. Fixes: #33258 Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> | 24 June 2024, 16:12:03 UTC |
| 50f29b3 | Jarno Rajahalme | 22 June 2024, 20:27:33 UTC | policy: Replace panics with error logs with stacktrace Production code should not panic on a subsystem error. Log an error instead and include a stacktrace in the error log message. github.com/hashicorp/go-hclog was already vendored, so this is not adding a new dependency to the project. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 24 June 2024, 15:38:43 UTC |
| ba10b99 | Viktor Kurchenko | 24 June 2024, 09:30:19 UTC | bpf,tests: Add IPv4 checsum validation The PR adds eBPF tests IPv4 checksum calculation and check. Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> | 24 June 2024, 15:10:57 UTC |
| 748176f | cilium-renovate[bot] | 24 June 2024, 11:05:47 UTC | chore(deps): update dependency renovatebot/renovate to v37.415.0 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 24 June 2024, 14:31:28 UTC |
| 2ce0d2e | cilium-renovate[bot] | 24 June 2024, 09:46:18 UTC | chore(deps): update all lvh-images main Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 24 June 2024, 14:31:17 UTC |
| 5afc247 | Cilium Imagebot | 17 June 2024, 02:49:04 UTC | images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> Signed-off-by: André Martins <andre@cilium.io> | 24 June 2024, 14:26:46 UTC |
| 7a7200d | cilium-renovate[bot] | 22 June 2024, 10:09:25 UTC | chore(deps): update docker.io/library/golang:1.22.4 docker digest to a66eda6 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 24 June 2024, 14:26:46 UTC |
| 5143566 | cilium-renovate[bot] | 21 June 2024, 22:27:42 UTC | fix(deps): update all go dependencies main Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 24 June 2024, 14:23:46 UTC |
| 6496430 | Alexandre Perrin | 20 June 2024, 14:52:52 UTC | hubble: deflake TestLocalObserverServer_NodeLabels Before this patch, TestLocalObserverServer_NodeLabels was flaky because it didn't wait on the LocalNodeWatcher to have been updated at least once before using it. This commit makes NewLocalNodeWatcher retrieve the local node info so that the returned LocalNodeWatcher is usable right away. This means that the Hubble startup will block until the LocalNodeStore is ready with local node info, which in practice should not be an issue. Reported-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Alexandre Perrin <alex@isovalent.com> | 24 June 2024, 13:54:30 UTC |
| de87391 | André Martins | 24 June 2024, 12:54:08 UTC | build-images-base: cancel github runs based on branch name With the introduction of workflow_call by f054f94b24b9, the concurrency group started to cancel jobs based on the workflow name alone which has caused workflow runs created by this workflow were canceled even if they were opened from different branches. Fixes: f054f94b24b9 (".github: add workflow for renovate to build base images") Signed-off-by: André Martins <andre@cilium.io> | 24 June 2024, 13:05:53 UTC |
| b8464fd | Sebastian Wicki | 20 June 2024, 13:38:03 UTC | ctmap: Stop GC handler if signal map is closed When Cilium receives a SIGTERM, the signal manager (`pkg/signal`) cell stop hook is invoked, which in turn informs all signal handlers that the manager has been closed (by passing in a `nil` reader). This causes handlers such as `ChannelHandler` to close their respective channels too. This means that the CT GC (which uses a `ChannelHandler`) needs to deal with the case where its channel is closed during cilium-agent shutdown. This commit addresses that by stopping the GC go routine if the signals channel is closed. Previously, the GC go routine interpreted the closed channel as a signal to run GC and started do back to back GC in a busy loop, resulting in wasted CPU cycles during shutdown. This was also visibly by the following log lines being repeated many times during shutdown: ``` level=info msg="Starting initial GC of connection tracking" subsys=ct-nat-map-gc level=debug msg="Registered BPF map" path=/sys/fs/bpf/tc/globals/cilium_ct4_global subsys=bpf level=debug msg="Registered BPF map" path=/sys/fs/bpf/tc/globals/cilium_ct_any4_global subsys=bpf level=debug msg="Unregistered BPF map" path=/sys/fs/bpf/tc/globals/cilium_ct_any4_global subsys=bpf level=debug msg="Unregistered BPF map" path=/sys/fs/bpf/tc/globals/cilium_ct4_global subsys=bpf ``` With this commit applied, the GC go routine exits properly, emitting a log line while doing so. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 24 June 2024, 10:08:26 UTC |
| 1ac7ffd | cilium-renovate[bot] | 22 June 2024, 10:29:47 UTC | chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 24 June 2024, 10:08:07 UTC |
| c969368 | cilium-renovate[bot] | 22 June 2024, 10:24:56 UTC | fix(deps): update kubernetes packages to v0.30.2 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 24 June 2024, 10:07:51 UTC |
| 22fbf3c | cilium-renovate[bot] | 22 June 2024, 10:26:17 UTC | fix(deps): update aws-sdk-go-v2 monorepo Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 24 June 2024, 09:38:12 UTC |
| 7f98d35 | Lorenz Bauer | 20 June 2024, 10:39:06 UTC | bpf: ensure test objects are compiled before tests are run The run target doesn't have a prerequisite on the .o files it ends up testing, so an invocation like make -j2 run has an undefined order. The go test may be invoked before all objects have been compiled. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> | 24 June 2024, 09:02:33 UTC |
| 0477a09 | David Bimmler | 20 June 2024, 14:20:44 UTC | daemon/ipam: don't swallow parse error of CIDR It's possible that an invalid CIDR is passed to coalesceCIDRs, so we should not swallow the error of parsing it. Signed-off-by: David Bimmler <david.bimmler@isovalent.com> | 24 June 2024, 04:18:40 UTC |
| c3836a5 | cilium-renovate[bot] | 22 June 2024, 10:09:32 UTC | chore(deps): update all lvh-images main Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 22 June 2024, 16:24:33 UTC |
| 78f3457 | cilium-renovate[bot] | 21 June 2024, 22:17:07 UTC | chore(deps): update all-dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 22 June 2024, 08:36:47 UTC |
| 114935b | André Martins | 21 June 2024, 13:02:49 UTC | .github: fix cloud workflows for renovate Ensure consistency by sanitizing the 'OWNER' field in these workflows. This matches the approach used in other workflows. Fixes: 6f461ea592ca ("run CI automatically for renovate") Signed-off-by: André Martins <andre@cilium.io> | 21 June 2024, 22:09:33 UTC |
| 4e63fac | Chris Tarazi | 20 June 2024, 23:20:59 UTC | operator: Remove deprecated CES sync errors metric Deprecated in v1.14 so we can remove it in v1.16. Fixes: https://github.com/cilium/cilium/issues/23747 Signed-off-by: Chris Tarazi <chris@isovalent.com> | 21 June 2024, 21:21:27 UTC |
| c929bef | Jarno Rajahalme | 09 June 2024, 11:28:55 UTC | k8s: Wait for CEC/CCEC sync on bootstrap Include CEC and CCEC into the set of k8s resources that must be synchronized before endpoints are regenerated. This reduces endpoint regenerations during restart and reduces L7 policy churn. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 21 June 2024, 21:16:39 UTC |
| 99a1539 | Jarno Rajahalme | 10 June 2024, 18:41:15 UTC | Revert "policy/k8s: Fix bug where policy synchronization event was lost" This reverts commit 3f9c28810b543bf95d8c169c73f670fc45a9726e. In addition to the reject: - registerResourceWithSyncFn() are moved from the start hook to the constructor so that they are called before daemon.InitK8sSubsystem(). - PolicyManager promise is resolved by newDaemonPromise() after Daemon has been constructed, but before the daemon waits for the k8s resources to have synced. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 21 June 2024, 21:16:39 UTC |
| 369e927 | Jarno Rajahalme | 12 June 2024, 08:33:15 UTC | daemon: Check that DaemonConfig is not changed after being published Add sha256 sum to config and validate no change between DaemonConfig promise and Daemon promise are resolved. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 21 June 2024, 21:16:39 UTC |
| f3f78f7 | Jarno Rajahalme | 15 June 2024, 09:33:48 UTC | option: Make ConfigPatchMutex a pointer Make ConfigPatchMutex a pointer to be able to take a shallow copy for summing the immutable parts of Config (everything else than the IntOptions). Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 21 June 2024, 21:16:39 UTC |
| 17faa10 | Jarno Rajahalme | 15 June 2024, 09:33:18 UTC | daemon: Do not stall hive Stop if k8s caches are never synced Make wait on k8s cache sync conditional on the daemon context not being canceled. Apply same logic in the goroutine waiting for endpoint restoration. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 21 June 2024, 21:16:39 UTC |
| 9463a86 | Jarno Rajahalme | 10 June 2024, 17:06:44 UTC | daemon: Avoid blocking during hive start Execute startDaemon() in a goroutine, which resolves daemon promise when done. Change dependent start hooks to await for daemon promise in goroutines so that the execution of start hooks is not stalled. This way the hive may run concurrently with daemon start. Move some early validation from startDaemon() to the start hook so that we can fail out while we can simply return the error from the start hook. Move saving of daemon config to file also away from startDaemon, so that we can resolve the DaemonConfig promise from the start hook itself. The daemon promise will be resolved from the goroutine that runs startDaemon(), or rejected if there was any error. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 21 June 2024, 21:16:39 UTC |
| d56b5d1 | Jarno Rajahalme | 13 June 2024, 16:00:35 UTC | k8s/synced: Log an error if a resource is added to blocking set too late Log an error so that CI will flake when a resource is added to the blocking set after caches have already synchronized. Moved provision of k8s.CacheStatus type to k8s/synced and provision it in k8s/synced to avoid circular dependency. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 21 June 2024, 21:16:39 UTC |
