https://github.com/cilium/cilium

Revision Author Date Message Commit Date
b1fbba4 nodediscovery: Split fill local node and fill some fields early When in cluster pool IPAM mode we update the Cilium node before we initialize the local node via `StartDiscovery` -> `fillLocalNode`. When this happens during a restart the bootID is not set yet and the other nodes will see us go from a known boot ID to no bootID and back which triggers IPSec logic to replace xfrm states. The `fillLocalNode` function can only be called at a certain point in the startup sequence, but this doesn't apply to all fields it sets including the boot ID. So this change splits the function into two and moves all fields that can be initialized early to a new function which is called in the node discovery constructor. This ensures the boot ID is always set when doing an early Cilium node update. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 July 2024, 10:15:32 UTC
b3e3554 gha: simplify the call-backport-label-updater workflow [ upstream commit e91378b34f9451c2f9016333efc65b3af8c57cf4 ] [ backporter's notes: took the new version as-is ] Currently, the call-backport-label-updater workflow performs a first step to determine the branch that the backport PR was merged into, based on the backport label. However, the target branch is already known in advance, as it is the one the workflow got triggered on. Hence, let's simplify this mechanism, so that we don't need to update the list of stable branches every time a new one gets added. While being there, let's also slightly generalize the branches filter to allow arbitrary suffixes to the branch name as well. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 25 July 2024, 11:56:49 UTC
1b0161b helm: Allow socket linger timeout to be set to zero [ upstream commit 644cb7c93ae2405e866a9ae1092522d84198f3e3 ] Before this commit, if one explicitly wanted to set the linger timeout to 0 (which is a valid value), our Helm chart skipped the ConfigMap entry, thereby ignoring the user-specified value of 0 and falling back on the default value in the agent (which is 10). This commit fixes that by checking if the Helm value is `nil` or unset. Fixes: f534200249da ("helm: expose socket linger timeout helm option") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 25 July 2024, 11:56:49 UTC
e488aaa gha: ensure that helm values.schema.json is not accidentally backported [ upstream commit 2ab017fa6016c9fb680f38f9599c6d70bfbdf55a ] 79733d2dafe6 ("helm: Introduce values.schema.json and tooling") introduced the helm schema file for Cilium v1.16 and later. Let's add a CI check to prevent accidentally backporting it to v1.15 and earlier, as we always hit a conflict if the upstream commit modifies it, due to this file not being present in the target branch. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 25 July 2024, 11:56:49 UTC
8c073e2 gha: add spot input to setup-eks-cluster action [ upstream commit 4279b10377f8938aa03cb9579e0898393c9a2a5c ] The blamed commit was supposed to disable the usage of spot instances, as causing unnecessary flakes. However, it didn't work as intended, because the setup-eks-cluster action did hard-code the usage of spot instances. This is a stripped down backport of 83cbb19f8617 ("Switch to on-demand instances for AWS tests on scheduled runs."), as the rest is now obsolete, so that the spot input actually takes effect. Fixes: c8084210d89a ("eks: Don't use spot instances") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 25 July 2024, 11:56:49 UTC
11cb039 chore(deps): update cilium/little-vm-helper action to v0.0.19 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 23 July 2024, 13:02:18 UTC
79fb832 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 22 July 2024, 16:19:43 UTC
c969d7c chore(deps): update go to v1.22.5 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 22 July 2024, 16:19:43 UTC
6864e43 gha: don't fail if all cloud provider matrix entries are filtered out [ upstream commit 54796b085eb2f8c695db74cef95521e732effacf ] Cloud provider related E2E workflows have been recently updated to automatically filter out the matrix entries if the corresponding k8s version is EOL [1,2,3]. However, if that happens, the corresponding workflow currently fails due to both the empty matrix and the impossibility of subsequently merging the artifacts. Let's fix this by checking if the resulting matrix is empty, and explicitly skipping the subsequent tasks in that case. As additional validations to prevent incorrectly breaking the workflows on the main branch in the future, we output "Skipped" as description, and cause the workflow to fail if no test is run when triggered on schedule (which is only performed for the default branch). [1]: dbcdd7dbe2e9 ("ci: Filter supported versions of AKS") [2]: 720927534b26 ("ci: Filter supported versions of EKS") [3]: dd947b3a3830 ("ci: Filter supported versions of GKE.") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 18 July 2024, 19:31:15 UTC
2989311 helm: expose socket linger timeout helm option [ upstream commit f534200249dac2eb018ddbe3ac840a1fd1333ac2 ] [ backporter's notes: dropped the `values.schema.json` hunk, as not applicable in v1.13. Additionally regenerated helm values documentation. ] Signed-off-by: David Bimmler <david.bimmler@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 18 July 2024, 19:31:15 UTC
3ba98b4 fqdn: add socket linger timeout flag [ upstream commit 75289b3f89294a802416afe4d60025bcd515753c ] [ backporter's notes: hit minor conflicts due to different surrounding context; resolved accepting combination. Additionally adapted flag registration, changing `vp` to `Vp`. ] Add a flag to allow setting the SO_LINGER socketopt on the socket for the connection of DNS proxy to the upstream DNS server. The flag is a tristate: -1 to disable, 0 to send TCP RST on close, and a timeout value (in seconds) to let close block at most. Setting linger can positively impact the operation of Cilium's DNS proxy due to the following circumstances: 1. When a DNS response is large, the server can truncate its reply. Using the truncated flag on DNS responses, the server can signal to the client that it did not receive the full response, and that it should retry the query using TCP. 2. DNS clients often simultaneously request both A and AAAA records. Typically, they do so from the same source port. When using TCP, both queries are sent via the same, persistent TCP connection. 3. Cilium's DNS proxy fails to correctly handle this persistent TCP connection - it opens a connection to the upstream DNS server _per query_. 4. When running in transparent mode, the DNS proxy thus may attempt to bind the same local source IP/port combination rapidly - this only works since the proxy sets the SO_REUSEADDR socket opt. Unfortunately, depending on network circumstances, the second bind-then-connect can fail due to a kernel bug. Setting the linger timeout to zero has the effect of sending a TCP RST as soon as the connection is closed - i.e. forcefully slamming the connection shut. This works around the issue of DNS proxy's errors when reusing the same local ip/port combination in a relatively non-invasive way, since it avoids the kernel bug around socket reuse. However, it doesn't solve the root cause of the proxy attempting to open two connections when it should persist the connection just like the client does. Co-authored-by: David Bimmler <david.bimmler@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 18 July 2024, 19:31:15 UTC
eab0ef7 docs: remove mention of clustermesh + L7 policies + tunnel limitation [ upstream commit 7c68b7aa4f4ba40dde575bfa2bb51477c0998cdf ] The mention of this limitation appears to have been introduced as part of an early clustermesh documentation version [1], more than 5 years ago. However, since then, the limitation must have been lifted, as we have been successfully testing this combination of features in CI for quite some time. Hence, let's remove this outdated mention from the docs. [1]: 23a71f242a63 ("doc: Update ClusterMesh documentation for 1.4") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 18 July 2024, 19:31:15 UTC
cead5ad test: explicitly configure kubeadm image repository The old k8s.gcr.io Kubernetes image registry has been frozen in Apr, 2023, in favor of registry.k8s.io. Although old images are still present in the old registry, we have recently started witnessing failures (e.g., [1]) in the k8s-1.16-kernel-4.19 Jenkins test during the provisioning phase, with errors along the lines of: [ERROR ImagePull]: failed to pull image k8s.gcr.io/etcd:3.3.15-0: output: Error response from daemon: Head "https://k8s.gcr.io/v2/etcd/manifests/3.3.15-0": unable to decode token response: invalid character '<' looking for beginning of value Let's attempt to address this error by explicitly configuring the usage of the newer registry, until v1.13 goes EOL and we can finally get rid of these tests. Additionally, we explicitly specify the coredns image repository, as it seems that in certain versions (v1.21 in particular) it otherwise defaults to using an incorrect path (i.e., without the coredns subpath) if a custom registry is specified [2]: ERROR ImagePull]: failed to pull image registry.k8s.io/coredns:v1.8.0: output: Error response from daemon: manifest for registry.k8s.io/coredns:v1.8.0 not found: manifest unknown: Failed to fetch "v1.8.0" Finally, let's hard-code the coredns version for older k8s versions, as coredns older than v1.8.0 seems to follow yet another versioning scheme in the registry. [1]: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-kernel-4.19/1323/console [2]: https://github.com/kubernetes/kubeadm/issues/2714 Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 18 July 2024, 12:56:36 UTC
f305dd1 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 16 July 2024, 00:05:52 UTC
b49e853 chore(deps): update all-dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 16 July 2024, 00:05:52 UTC
c28fe12 install: Update image digests for v1.13.18 Generated from https://github.com/cilium/cilium/actions/runs/9895453344 ## Docker Manifests Signed-off-by: Cilium Release Bot <noreply@cilium.io> 11 July 2024, 18:55:13 UTC
19ff6c6 Prepare for release v1.13.18 Signed-off-by: Cilium Release Bot <noreply@cilium.io> 11 July 2024, 15:36:20 UTC
f2d1c3c bpf: lxc: fix up reporting of drop reason in drop_for_direction() [ upstream commit 83fa353200d4576fd0fa8a706be70e0af3644f86 ] [ backporter's notes: minor conflict due to different function signature ] DROP_* reasons are negative values. Reported-by: Nikita V. Shirokov <tehnerd@tehnerd.com> Relates: https://github.com/cilium/cilium/issues/32473 Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 10 July 2024, 09:35:03 UTC
47620cc ipsec: do not nil out EncryptInterface when using IPAM ENI [ upstream commit 9343a62c9e3b0af18ce1fc50983e598a48f20897 ] [ backporter's note: conflicts in imported packages, the use of Cilium's own internal time package has been replaced with the Go's stdlib one ] netlink.LinkList() can return a transient kernel interrupt error. This commit adds a retry when this occurs in loader.reinitializeIPSec() to prevent nilling out or misconfiguring EncryptInterface. Additionally, it will now surface an error instead of swallowing it. Signed-off-by: Jason Aliyetti <jaliyetti@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 10 July 2024, 09:35:03 UTC
303e17c gh: ipsec: clarify check for leaked proxy traffic during key rotation [ upstream commit fb55ad6a1bfee262b3f15d9b4319017b05e456d7 ] Add a comment to explain why we need to disable the check for proxy traffic when running the bpftrace leak detection during key rotation. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 10 July 2024, 09:35:03 UTC
b529f2c github: fix concurrency groups for push events Due to 32fea9e18f81, the concurrency groups aren't working properly for 'push' events. This commit fixes the concurrency group so that pushes to a branch don't stop runs from other branch pushes. Fixes: 32fea9e18f81 ("run CI automatically for renovate") Signed-off-by: André Martins <andre@cilium.io> 09 July 2024, 08:42:56 UTC
75acbcb renovate: add auto-approve bot for renovate PRs [ upstream commit d65f9afb57fb176b9f073a3a6745c241c9525153 ] Enable the GitHub "auto-merge" feature in the repository settings at https://github.com/<org>/<repo>/settings. If Renovate detects this feature, it allows PRs to be auto-merged by GitHub. GitHub will auto-merge a PR if all required checks pass and CODEOWNERS have reviewed it. If these conditions are unmet, GitHub won't merge the PR. To allow Renovate to auto-approve its own PRs, configure Renovate to request a review from the bot `ciliumbot` for PRs with trusted dependencies. The `reviewers` configuration in Renovate will ensure `ciliumbot` is the sole reviewer of Renovate's PRs. Create a GitHub Action triggered by a review request event, ensuring the PR review was requested by the Renovate bot, the PR was created by Renovate, and the review request is for `ciliumbot`. Ensure `ciliumbot` belongs to some teams of the CODEOWNERS file but is not auto-assigned reviews by GitHub. This setup allows `ciliumbot` to provide the necessary approvals without manual intervention, enabling seamless integration of Renovate to auto-approve PRs. The teams that `ciliumbot` will belong to are the ones that usually are selected to review renovate PRs when a trusted dependency is updated. Signed-off-by: André Martins <andre@cilium.io> 08 July 2024, 18:12:36 UTC
b276d32 doc: Instruct users to manually clean stale routing after downgrade Signed-off-by: gray <gray.liang@isovalent.com> 08 July 2024, 17:07:26 UTC
4b23863 ci-ipsec-upgrade: Run manual cleanups only for minor downgrade Recent security fixes require some new ip routing rules like "fwmark 0xb00/0xf00 lookup 2005" in 1.13, which leave a downgrade problem when users want to rollback after an unsuccessful 1.12->1.13 upgrade. Because 1.12 is EOL, there is no way to do a graceful downgrade automatically, so we should run some commands to delete those stale routing rules in old 1.12 cilium. Those commands are also set in ci-ipsec-upgrade to ensure healthy CI status. As we explained above, this manual step is necessary only for 1.13->1.12 downgrade (minor downgrade). This patch therefore runs manual cleanups only for minor downgrade. Suggested-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: gray <gray.liang@isovalent.com> 08 July 2024, 17:07:26 UTC
f69c46c bpf: test: add LB test for terminating backend [ upstream commit 7ece278d42cca541b2e8e862e717f2536935af11 ] [ backporter's notes: open-code all the non-existent helpers ] Once a LB connection has been established, we expect to continue using its CT entry to obtain the backend. Even if the backend is in terminating state, and the service has lost all of its backends. Keeping this separate from the fix, in case we can't easily backport. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 08 July 2024, 09:21:42 UTC
e28aea0 bpf: lb: un-break terminating backends for service without backend [ upstream commit 0de6f0f230be10e084f30fb3128c215edde1611f ] [ backporter's notes: add the ->count checks in slightly different locations, as we're missing a bunch of LB cleanup PRs. ] Continue to forward traffic for established connections, even when a service loses its last active backends. This needs a small adjustment in a BPF test that was relying on this behaviour. Fixes: 183501124869 ("bpf: drop SVC traffic if no backend is available") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 08 July 2024, 09:21:42 UTC
5f46a77 ci: ipsec-e2e: fine-tune L7 proxy check For v1.13 the CLI doesn't test IPv6 connectivity with L7 policies when per-EP routes are enabled [1]. Disable the warning for missing L7 traffic accordingly, instead of disabling it unconditionally. [1] https://github.com/cilium/cilium-cli/blob/5df839f3a77d5c7ce5efa1cff6066438ee0c3206/connectivity/check/test.go#L897-L905 Co-authored-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 04 July 2024, 14:40:39 UTC
0c4a7f5 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 04 July 2024, 09:06:06 UTC
0e78347 chore(deps): update go to v1.21.12 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 04 July 2024, 09:06:06 UTC
e484dfa envoy: Bump golang version to v1.22.5 Relates: https://github.com/cilium/proxy/pull/827 Signed-off-by: Tam Mach <tam.mach@cilium.io> 03 July 2024, 15:58:37 UTC
b8f0a80 envoy: Avoid short circuit BE filtering [ upstream commit 2123732670cc43989fb895df0f7d81c44f96b5f7 ] The same service can be used with multiple port types (e.g. number and name), so we should continue matching port values for both. Signed-off-by: Tam Mach <tam.mach@cilium.io> 03 July 2024, 13:18:57 UTC
578b99d renovate: remove concurrency group from renovate's Base Image Release Build [ oss commit 1a33ff0d12653cabc27b95066bba64bf33121e44 ] The "Base Image Release Build - Renovate" workflow doesn't need a concurrency group as it will use the concurrency group of the workflow that it uses, the "./.github/workflows/build-images-base.yaml". Using the concurrency groups on both workflows will result in the following error: Canceling since a deadlock for concurrency group 'Base Image Release Build - Renovate-refs/heads/renovate/main-all-dependencies' was detected between 'top level workflow' and 'build-base-images-from-renovate' Fixes: f054f94b24b9 (".github: add workflow for renovate to build base images") Signed-off-by: André Martins <andre@cilium.io> 03 July 2024, 12:24:04 UTC
a4c1199 renovate: add all dependencies of Makefile.values [ oss commit 99846fd67db870f4d6ff2ae0e9f73df43e2a4e7b ] Now we can let renovate update the dependencies of all images from Makefile.values. Signed-off-by: André Martins <andre@cilium.io> 03 July 2024, 12:24:04 UTC
ada10b2 conformance-ipsec-e2e: run leak check before/after key rotation [ upstream commit: 4e2a66d131243bad2daff58dd4e9deab87b776ec ] [ backporter's note: In 1.13 ci-ipsec-e2e disables IPv6, we need to suppress "no IPv6 connections" errors in check-ipsec-leaks.bt ] This is because we saw a racing issue if leak detection covers the whole rotation + conn-disrupt-check: cilium connectivity will remove conn-disrupt pods at the end of the connectivity test, leaving some lingering packets recognized as leaked traffic. This commit avoids the issue by running leak checks separately for key rotation and after-rotation test. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: gray <gray.liang@isovalent.com> 03 July 2024, 10:47:38 UTC
31fca8b ci: check-ipsec-leaks.bt can tolerate proxy traffic not found [ upstream commit: 230c200353f2c647d9b21774cf177706f919ad23 ] Add an argument to tell check-ipsec-leaks.bt whether to report errors if proxy traffic not found. Signed-off-by: gray <gray.liang@isovalent.com> 03 July 2024, 10:47:38 UTC
6de9984 conformance-ipsec-e2e: add leaked unencrypted packets check [ upstream commit: e3fe4bc5bb8073eb7d52f95b367ce6470d5e3ade ] Extend the conformance-ipsec-e2e GHA workflow to additionally check that we don't leak any unencrypted packets during the connectivity test. This aims to complement the validation already performed as part of the connectivity tests by the Cilium CLI. Specifically, we leverage bpftrace to analyze the packets forwarded by the bridge device (used by kind), and report those that are not encrypted. We flag packets with both the source and the destination belonging to the IPv4/6 PodCIDR, and we consider the inner headers if packets are encapsulated. In this case, we additionally skip packets originating or targeting CiliumInternalIP addresses (as these are used for node-to-pod traffic when running in tunnel mode, which is not encrypted by design). Extra checks are finally added to always include packets originating from the L7 and DNS proxies, as their source IP is not that of a pod. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: gray <gray.liang@isovalent.com> 03 July 2024, 10:47:38 UTC
3b7c76e ci: Delete deprecated conn-disrupt-test action [ upstream commit: ec1b79628d0e9af6ce689505e4b1415537363481 ] Signed-off-by: gray <gray.liang@isovalent.com> 03 July 2024, 10:47:38 UTC
9532f0a ci: Use conn-disrupt-test-{setup,check} for ci-ipsec-upgrade [ upstream commit: 364ff9e ] Signed-off-by: gray <gray.liang@isovalent.com> 03 July 2024, 10:47:38 UTC
6389d1c ci: Decouple ipsec-key-rotate action from conn-disrupt-test action [ upstream commit: c430572 ] [ backporter's note: 1.13 doesn't have ipsec-key-rotate action, we just get rid of conn-disrupt-test from ci-ipsec-e2e. ] So in future we can add encryption leak detection right after key rotation to avoid certain issues. ci-ipsec-e2e and ci-eks have also been adjusted to use conn-disrupt-test-* actions before and after ipsec-key-rotate action. Signed-off-by: gray <gray.liang@isovalent.com> 03 July 2024, 10:47:38 UTC
2f6ca2d ci: Add conn-disrupt-test-{setup,check} actions [ upstream commit: 0f957a7a4644211202465de878dd2bd4c35463d3 ] They are to replace conn-disrupt-test action for better flexibility. Please note the new conn-disrupt-test-check doesn't run full tests by default. Signed-off-by: gray <gray.liang@isovalent.com> 03 July 2024, 10:47:38 UTC
f6e8827 Update ipsec to handle larger psk values [ oss commit 866829248fe718776c21f59be9013c24f0f7baea ] [ Backporter's notes: TestLoadKeys changed to use gopkg.in/check ] For psk values <= 32 bytes use SHA256 to compute the node key. Otherwise use SHA512. This is needed to support GCM-256-AES since a PSK for this would require 36 bytes as per RFC 4106. Fixes: #33457 Fixes: c28e046d4c6 ("ipsec: Compute per-node-pair IPsec keys") Signed-off-by: Jason Aliyetti <jaliyetti@gmail.com> 03 July 2024, 09:46:37 UTC
0078828 daemon: Allow DNS transparent mode to be turned off with encryption [ oss commit 6cb07c19ddcef5f8e8d2c24c943a6dd963b540cf ] [ Backporter's notes: Dropped change in config_test.go since TestDaemonConfig_StoreInFile is missing in v1.13 ] DNS transparent mode was introduced to make sure that DNS traffic is always encrypted if the user is running with transparent encryption. If DNS proxy transparent mode is turned off, proxied DNS traffic will be leaked. However, DNS transparent mode is suffering from various bugs, e.g. - https://github.com/cilium/cilium/issues/31535 - https://github.com/cilium/cilium/issues/31197 - https://github.com/cilium/cilium/issues/33144 While we are working on addressing these bugs, some users might be fine with proxied DNS traffic being leaked. Therefore, this commit introduces a hidden and undocumented flag which requires DNS proxy transparent mode to be enabled with IPSec. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 03 July 2024, 09:46:37 UTC
76d7675 Documentation: accept ORG and REPO [ oss commit 1267ff92b0831aa24b1286afcf800b996eb537e6 ] By default, the check-crd-compat-table script will get the remote from cilium/cilium. This script won't work if there isn't a remote under these names. As a workaround, and to avoid much refactoring, the script will detect if ORG and / or REPO environment variables are set and use those as inputs to get the remote name. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 03 July 2024, 09:46:37 UTC
79072c3 install/kubernetes: update nodeinit image to latest version [ oss commit ea393843824ef59c1767bb2605206af17e5bd595 ] [ Backporter's notes: trivial conflicts due to different pullPolicy, solved keeping "IfNotPresent". ] Renovate does not pick up the new version as the tag is in sha format rather than regular semver. Related: #32181 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 03 July 2024, 09:46:37 UTC
8d641ba docs: Improve note on kube-apiserver entity limitations [ oss commit 3a669e931e894c7c7c54d894daaa17bcb243ffe1 ] Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 03 July 2024, 09:46:37 UTC
6c75589 chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 02 July 2024, 09:16:21 UTC
53de6bb pkg/endpoint: make state synchronization atomic (partial backport) [ upstream commit acf3141f35 ] [ backporter's notes: only needed a single line from this patch, the rest was not compatible ] BPF regeneration writes state into a new temporary directory. Once it has succeeded we need to swap the old and new directory. This is currently achieved by "backing up" the current state by renaming the directory. This code has a bunch of corner cases around cleaning up old directories and so on which are necessary since the synchronization isn't truly atomic. Instead, use the RENAME_EXCHANGE flag to atomically exchange the two existing directories. Also use hard links to retain existing state so that killing the agent during a synchronization doesn't lead to corruption. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> Signed-off-by: Timo Beckers <timo@isovalent.com> 02 July 2024, 08:41:43 UTC
22f377f health: only launch /hello after host datapath is ready [ upstream commit 916a2ce2c2 ] Delay starting the /hello endpoint until we've loaded the host datapath at least once. This means that the presence of /health can be used to infer not only that the cilium unix socket API is up but also that the datapath can do basic packet processing. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 02 July 2024, 08:41:43 UTC
605fd8f pkg/endpoint: do not rely on bpf_host.o to detect host endpoint [ upstream commit 8c97a2119d ] The code to restore endpoint state checks for the presence of bpf_host.o to determine whether the host endpoint ID needs to be restored. Use ep.IsHost instead to decouple the restore process from what the loader is doing under the covers. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 02 July 2024, 08:41:43 UTC
9d39eeb envoy: Update envoy 1.28.x to v1.28.5 This is mainly to pick up the below CVE fix from the upstream. Related CVE: https://github.com/envoyproxy/envoy/security/advisories/GHSA-fp35-g349-h66f Relates: https://github.com/cilium/proxy/pull/819 Relates: https://github.com/envoyproxy/envoy/releases/tag/v1.28.5 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 July 2024, 12:10:57 UTC
41d2bee chore(deps): update docker.io/library/alpine docker tag to v3.17.8 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 01 July 2024, 07:27:19 UTC
d86f23b build-images-base: push to branch if pull request ref doesn't exist [ upstream commit 56494b13a40a768f8069ce85bec404351deaf3bd ] With the introduction of workflow_call by f054f94b24b9, pushing changes to the branch was not possible when the event was type "workflow_call" as the github.event.pull_request.head.ref does not exist. Fixes: f054f94b24b9 (".github: add workflow for renovate to build base images") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 27 June 2024, 15:13:50 UTC
3ff04ff cni: Revert "cni: Use correct route MTU for various cloud cidrs" [ upstream commit a31dcbd5d90d6c2507d09e78ae72d1de0b60427d ] PR #32244, which was merged with commit 29a340e, was intended to fix IP fragmentation with WireGuard deployments, causing poor network throughput and increased network latency. Unfortunately, after this PR was merged, users began reporting issues with Cilium modifying the MTU of the default interface of the node. This commit reverts the blamed commit in an attempt to fix said issues. The surfaced side-effect is tracked in issue #33303. Fixes: #33258 Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 27 June 2024, 15:13:50 UTC
d85268a build-images-base: cancel github runs based on branch name [ upstream commit de873916584ce98164a869a6a2db714d9fbcaffb ] With the introduction of workflow_call by f054f94b24b9, the concurrency group started to cancel jobs based on the workflow name alone, which caused workflow runs created by this workflow to be canceled even if they were opened from different branches. Fixes: f054f94b24b9 (".github: add workflow for renovate to build base images") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 27 June 2024, 15:13:50 UTC
434913b ci: update docs-builder [ upstream commit 97f4e25b9093ab19aadd2a60f4ee73c5d4e80f22 ] [ backporter's note: Took upstream change. ] Signed-off-by: Cilium Imagebot <noreply@cilium.io> 27 June 2024, 15:13:50 UTC
e0cbb06 build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /Documentation [ upstream commit 0378d78af1e8c3c1498aa59b1f8181e4410bea8a ] [ backporter's note: Fix minor conflict and only apply urllib change. ] Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.7 to 2.2.2. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.0.7...2.2.2) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> 27 June 2024, 15:13:50 UTC
fe51ac8 build-images: fetch artifacts with specific pattern [ upstream commit 112a16db227093f490ba07f557261378da331145 ] It seems that docker/build-push-action started to store artifacts on GitHub. This sort of affected the digests of the image build process as it timed out while trying to download these artifacts. To fix this issue we will only download the artifacts with the pattern "*image-digest *" which are the only artifacts relevant for the image digests. Fixes: b86d5fc1aa64 ("chore(deps): update docker/build-push-action action to v6") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 27 June 2024, 15:13:50 UTC
1a97f3a cilium-dbg: improve troubleshoot clustermesh output for local cluster [ upstream commit c46e6be716d1c283b0fb908a2bfdd97413cfc00a ] [ backporter's note: Fix minor conflict. ] Users may additionally configure a clustermesh entry for the local cluster as well, to reuse the same configuration in all clusters, as Cilium then automatically ignores it. Let's improve the output of the cilium-dbg troubleshoot clustermesh (and kvstoremesh-dbg troubleshoot) commands in this situation, removing the usage of the term "remote", and displaying a note for the entry matching the local cluster name. The retrieval of the local cluster name is performed in a best effort fashion, and may not always work. Suggested-by: Bruno M. Custódio <bruno@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 27 June 2024, 15:13:50 UTC
fd3f277 cilium-dbg: minor clarifications to the clustermesh status output [ upstream commit ab579235446ad2f77146f61a85dc2c8201554122 ] [ backporter's note: Fixed minor conflict. ] Add the term remote to clarify that the number of clusters reported by the cilium-dbg and kvstoremesh-dbg status commands do not include the local one, regardless of whether it is included in the clustermesh configuration or not. Similarly, let's replace the term failures with reconnections, as failures has a negative connotation, but they are actually expected to happen when the clustermesh-apiserver in the given remote cluster is restarted. Suggested-by: Bruno M. Custódio <bruno@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 27 June 2024, 15:13:50 UTC
c58abec ci: use env variable to store branch name [ upstream commit 22e066d7b1825d338cf78bda7a4a5fe8c69e9235 ] Instead of using the branch name directly in the run command. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 27 June 2024, 15:13:50 UTC
b91a5e2 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 25 June 2024, 14:27:00 UTC
51cb485 chore(deps): update docker.io/library/golang:1.21.11 docker digest to b405b62 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 25 June 2024, 14:27:00 UTC
d15bd48 chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 25 June 2024, 00:01:56 UTC
2227fa7 chore(deps): update stable lvh-images Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 24 June 2024, 14:22:44 UTC
6a89627 .github: add workflow for renovate to build base images [ upstream commit f054f94b24b9c242611b956ba3f3698e8394c884 ] As renovate can automate a lot of our dependency updates it will also be possible for it to trigger the workflow to build base images. For this to happen we need to create a new workflow that reuses the existing workflow by using a different environment. This environment is protected to only be executed on the branches that are created by renovate. Signed-off-by: André Martins <andre@cilium.io> 24 June 2024, 10:50:01 UTC
9497114 .github: fix cloud workflows for renovate Ensure consistency by sanitizing the 'OWNER' field in these workflows. This matches the approach used in other workflows. Fixes: 6f461ea592ca ("run CI automatically for renovate") Signed-off-by: André Martins <andre@cilium.io> 21 June 2024, 15:39:37 UTC
fe824e0 .github: fix workflows used by renovate With the introduction of 6f461ea592ca, some of the workflows were not prepared to handle concurrency for "push" events so we had to add the group for these types of events. Also, some of the workflows were not running the "commit-status-final" as this step was only running for events that were not of type "push". As the list of required workflows is based on the name created by this step, we also need to run this step for the "push" events. Some existing workflows already push "commit-status-final" for pushes as well so the introduction for these workflows will be consistent with existing ones. Finally, the push events should only be triggered for pushes done respective to the "main" branch, thus we will be using the prefix "renovate/main-**" instead of "renovate/**" to avoid triggering the GH main workflows from stable branches and vice-versa. Fixes: 6f461ea592ca ("run CI automatically for renovate") Signed-off-by: André Martins <andre@cilium.io> 21 June 2024, 15:39:37 UTC
32fea9e run CI automatically for renovate Renovate is a trusted contributor of Cilium. We can skip the need to run the CI manually by the triager if the CI is automatically ran after a push to renovate's branches. [ upstream commit 6f461ea592ca00115c82b91520d8951b2529d1eb ] Signed-off-by: André Martins <andre@cilium.io> 21 June 2024, 15:39:37 UTC
430cbc4 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 19 June 2024, 08:17:31 UTC
01972d5 chore(deps): update docker.io/library/golang:1.21.11 docker digest to 2eb85b8 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 19 June 2024, 08:17:31 UTC
b71c080 chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 19:04:28 UTC
ca3823e chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 13:40:08 UTC
8bb85e2 chore(deps): update stable lvh-images Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 13:39:30 UTC
4b726ca remove tracking of backports with MLH With the sunset of GH projects by GH [1], we will now create organization-projects to track which PR is available on which release after a CHANGELOG of a release is performed. Thus, we can also sunset this feature from MLH. [1] https://github.blog/changelog/2024-05-23-sunset-notice-projects-classic/ Signed-off-by: André Martins <andre@cilium.io> 15 June 2024, 09:56:49 UTC
3afc2f8 docs: ipsec: mention dependency on transparent mode for DNS proxy [ upstream commit 26325a8b9c94c731c54111e87b903c2c2f6a189f ] For connections that are established by the DNS proxy, this is required to detect the original source IP and apply IPsec policy accordingly. The agent fatals if IPsec and L7 proxy are enabled, but the DNS proxy is not set to transparent mode. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 June 2024, 09:40:28 UTC
6926b19 gha: Only retrieve IPv4 CIDR from docker network [ upstream commit b49f9128cb8916b56b5b218dabc11820df79d2b3 ] [ backporter's notes: hit conflicts due to the usage of MetalLB rather than Cilium LB. Preserved the main hunk, and adapted the debug output. ] It seems like github runner is enabled with docker dual stack, so the current docker network inspect command might return IPv6 instead of IPv4 CIDR, which breaks LB IPPool configuration. Sample output of `docker network inspect kind` command can be found as per below. This commit is to make sure that we only retrieve IPv4 CIDR in docker network inspect command. Additionally, some echo/cat statements are added to make similar issues more visible in the future.

```
[
  {
    "Name": "kind",
    "Id": "43e3b3267092150f5f2e6f2053157d912ad6b5a4ce20f700e1e9be547a437f75",
    "Created": "2024-06-12T14:18:17.733107881Z",
    "Scope": "local",
    "Driver": "bridge",
    "EnableIPv6": true,
    "IPAM": {
      "Driver": "default",
      "Options": {},
      "Config": [
        { "Subnet": "fc00:f853:ccd:e793::/64" },
        { "Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1" }
      ]
    },
    "Internal": false,
    "Attachable": false,
    "Ingress": false,
    "ConfigFrom": { "Network": "" },
    "ConfigOnly": false,
    "Containers": {
      "748d7161857ca5e610f196299828eacafcbdb069d38c00e4e6c14cdeefada9c5": {
        "Name": "chart-testing-control-plane",
        "EndpointID": "0f1a5bbeb14929200ed13cb289afd6bf5f9f455d4ed75bb3a26e167e67bf7784",
        "MacAddress": "02:42:ac:12:00:02",
        "IPv4Address": "172.18.0.2/16",
        "IPv6Address": "fc00:f853:ccd:e793::2/64"
      },
      "c2030425e24a11ea208b87c5d70e194b0f51eee133f09b67404fd2bf97410f13": {
        "Name": "chart-testing-worker",
        "EndpointID": "81489bd101e483be7270e2b5dd7e0bf3a0163b89650d7ef69cc4ce43454479e3",
        "MacAddress": "02:42:ac:12:00:03",
        "IPv4Address": "172.18.0.3/16",
        "IPv6Address": "fc00:f853:ccd:e793::3/64"
      }
    },
    "Options": {
      "com.docker.network.bridge.enable_ip_masquerade": "true",
      "com.docker.network.driver.mtu": "1500"
    },
    "Labels": {}
  }
]
```

Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 June 2024, 09:40:01 UTC
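The dual-stack pitfall described in the commit above, as an added example that is not the workflow code Cilium merged: instead of taking the first IPAM subnet from `docker network inspect`, the JSON is parsed and filtered by IP version, and the job fails loudly when no IPv4 subnet exists. The sample document is a trimmed copy of the `docker network inspect kind` output quoted in the commit message; the function names are this example's own.

```python
"""Pick only IPv4 subnets out of `docker network inspect` output.

Added example, not Cilium's workflow code. SAMPLE_INSPECT is a trimmed copy
of the `docker network inspect kind` output quoted in the commit message.
"""
import ipaddress
import json

SAMPLE_INSPECT = """
[
  {
    "Name": "kind",
    "EnableIPv6": true,
    "IPAM": {
      "Driver": "default",
      "Config": [
        {"Subnet": "fc00:f853:ccd:e793::/64"},
        {"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}
      ]
    }
  }
]
"""


def ipam_subnets(inspect_json: str, version: int = 4) -> list:
    """Return the IPAM subnets of the requested IP version, in config order.

    `docker network inspect` returns a JSON array (one element per network).
    On a dual-stack daemon the IPv6 entry may come first, so reading
    `.[0].IPAM.Config[0].Subnet` silently yields an IPv6 prefix.
    """
    networks = json.loads(inspect_json)
    found = []
    for net in networks:
        for cfg in net.get("IPAM", {}).get("Config", []):
            subnet = cfg.get("Subnet")
            if not subnet:
                continue
            try:
                prefix = ipaddress.ip_network(subnet, strict=False)
            except ValueError:
                continue  # skip malformed entries instead of crashing the job
            if prefix.version == version:
                found.append(str(prefix))
    return found


def lb_pool_cidr(inspect_json: str) -> str:
    """Single IPv4 CIDR to hand to an LB IP pool; raise if none exists.

    Raising (rather than returning "") makes a dual-stack surprise visible
    in the CI log immediately instead of as a broken LB-IPAM config later.
    """
    v4 = ipam_subnets(inspect_json, 4)
    if not v4:
        raise RuntimeError("no IPv4 subnet in docker network IPAM config")
    return v4[0]


if __name__ == "__main__":
    print(lb_pool_cidr(SAMPLE_INSPECT))  # 172.18.0.0/16
```

In a workflow step this replaces the `docker network inspect ... | jq` one-liner with `docker network inspect kind | python3 pick_v4.py`; the explicit IP-version check is what the original one-liner lacked.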
04f12e1 chore(deps): update docker/build-push-action action to v5.4.0 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 12 June 2024, 08:16:04 UTC
b98da7f docs: ipsec: remove limitation for native-routing with L7 egress policy [ upstream commit: 5f18d88b973c20490e923c5312caf3afc516e5f2 ] This was addressed by https://github.com/cilium/cilium/pull/32683. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: gray <gray.liang@isovalent.com> 11 June 2024, 13:43:58 UTC
21a4316 proxy/routes: Also routes egress proxy's return traffic to 2005 [ upstream commit: 1ce4c7f31844c0577fdd9bff324ba6bead422b91 ] [ backporter's note: v1.14 still uses bpf/init.sh to install routing rules, we have to re-implement the logic in bash. ] This commit installs "0xb00/0xf00 lookup 2005" routing rule when IPsec is enabled with native routing and envoy. This is a necessary step towards fixing encryption leaks, otherwise egress proxy's return traffic gets no chance to be set IPsec mark. The new routing rule ensures these packets are routed to cilium_host, where we have bpf_host to handle encryption datapath. This patch uses a different condition from requireFromProxyRoutes() to determine whether to install the new routing rule, otherwise we will see breakage on IPsec=off + envoy=on. Specifically, the new routing rule is isolated to IPsec only. Signed-off-by: gray <gray.liang@isovalent.com> 11 June 2024, 13:43:58 UTC
6741ada iptables: Ensure iptables masquerading works for proxy traffic [ upstream commit: 3384d73c12ea8bc9e24fc4c30193f95775b23005 ] After https://github.com/cilium/proxy/pull/742, proxy traffic keeps original pod IP as source IP for to-world packets, which must be masqueraded to eth0 IP. There is no issue for now, but the new routing rule (0xb00 lookup 2005) to be added for https://github.com/cilium/cilium/issues/31984 will cause a side effect breaking masquerading. This patch fixes that side effect as a precaution, otherwise git-bisect breaks. The new routing rule (0xb00 lookup 2005) will cause proxy packets to go through POSTROUTING twice: the first time happens when proxy sends packets which are routed to cilium_host, these are hitting OUTPUT + **POSTROUTING**; the second time takes place after packets ingressed from cilium_net, these skbs will traverse PREROUTING + FORWARD + **POSTROUTING**. However, due to kernel's implementation details, an skb won't be processed by nat POSTROUTING twice: after the first POSTROUTING check, skb's ct `(struct nf_conn*)(skb->_nfct & ~7)` has a status IPS_SRC_NAT_DONE to skip the further traversal at all. [1] To avoid being set the IPS_SRC_NAT_DONE flag, this patch adds an iptables rule `--mark 0xb00 -j CT --notrack` at OUTPUT to skip the first round iptables ct, just for proxy traffic which is characterized by 0xb00 mark. [1] https://elixir.bootlin.com/linux/v6.6.2/source/net/netfilter/nf_nat_core.c#L825 [1] https://elixir.bootlin.com/linux/v6.6.2/source/include/net/netfilter/nf_nat.h#L111 Signed-off-by: gray <gray.liang@isovalent.com> 11 June 2024, 13:43:58 UTC
7449728 Don't set 0x200 mark for proxy to world traffic in iptables PREROUTING [ upstream commit: f93a40c7283b2b60acbcbad3819dd0ea18204190 ] We have an iptables rule to set 0x200 mark for transparent socket:

```
*mangle
-A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_mangle" -j CILIUM_PRE_mangle
-A CILIUM_PRE_mangle -m socket --transparent -m mark ! --mark 0xe00/0xf00 -m comment --comment "cilium: any->pod redirect proxied traffic to host proxy" -j MARK --set-xmark 0x200/0xffffffff
```

This rule is in the mangle PREROUTING which checks packets ingressed from a netdev. Let's then focus on the pod to world traffic when IPsec=on + proxy=on + tunnel=off. Currently, a pod-to-world packet will go through the path:

1. from_lxc@lxc: skb->mark is set to 0x200 and returned to stack
2. iptables: skb is hijacked by tproxy (due to 0x200), to be accepted by proxy
3. proxy process: the old skb is consumed by proxy, a new skb is sent to upstream (world)
4. stack routing: the new skb is routed to eth0
5. stack iptables: the new skb is traversing OUTPUT chain and POSTROUTING chain
6. to_netdev@eth0: the new skb is going to world

Please note the new skb won't hit PREROUTING chain, where there is a rule setting skb->mark=0x200. To fix https://github.com/cilium/cilium/issues/31984, we are going to change the routing for packets from egress proxy; consequently, on the step 4 above, the new skb will be routed to cilium_host instead:

4. stack routing: the new skb is routed to cilium_host
5. from_host@cilium_host: the new skb is returned to stack
6. to_host@cilium_net: the new skb is returned to stack
7. stack: PREROUTING, routing, FORWARD, POSTROUTING

Look at step 7, we are hitting PREROUTING! Because of https://github.com/cilium/proxy/pull/742, this to-world skb is also linked to a transparent socket, matching the "-m socket --transparent" condition, the packet will fortunately have the 0x200 mark. If we do nothing, this to-world skb marked with 0x200 will then hit routing rule "from all fwmark 0x200/0xf00 lookup 2004" and be routed to local. It should have gone to the world. This patch fixes this future issue as a precaution (otherwise we'll break git-bisect). This patch provides a straightforward solution: at step 5 from_host@cilium_host, we set a special mark 0x800 (MARK_MAGIC_PROXY_TO_WORLD), then iptables can exclude this mark using "-m mark ! --mark 0x800/0xf00". Signed-off-by: gray <gray.liang@isovalent.com> 11 June 2024, 13:43:58 UTC
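The three proxy/IPsec commits above (the "0xb00/0xf00 lookup 2005" rule, the "--mark 0xb00 -j CT --notrack" rule, and the "! --mark 0x800/0xf00" exclusion) all hinge on value/mask matching of the skb mark. The following is an added example, not Cilium's datapath or iptables code: a small model of those rules that shows why a proxy-to-world skb re-entering PREROUTING would be re-marked 0x200 and sent to table 2004 without the 0x800 exclusion, and why the notrack rule, written without a mask, only matches an exact 0xb00. The rule table, packet model and function names are this example's own simplification; the real datapath has many more rules and the mark carries more fields than the 0xf00 nibble.

```python
"""Value/mask semantics of fwmark matching, applied to Cilium's proxy marks.

Added example, not Cilium's code. Models: the CILIUM_PRE_mangle rule that
sets 0x200 for transparent-socket traffic, the "! --mark 0x800/0xf00"
exclusion for MARK_MAGIC_PROXY_TO_WORLD, the policy routing rules
"fwmark 0x200/0xf00 lookup 2004" and "fwmark 0xb00/0xf00 lookup 2005",
and the OUTPUT rule "--mark 0xb00 -j CT --notrack". Everything else about
the datapath is left out.
"""

MARK_PROXY_TO_HOST = 0x200    # "any->pod redirect proxied traffic to host proxy"
MARK_PROXY_TO_WORLD = 0x800   # MARK_MAGIC_PROXY_TO_WORLD, set by from_host@cilium_host
MARK_PROXY_EGRESS = 0xB00     # egress proxy return traffic, "0xb00 lookup 2005"
MARK_HOST_MAGIC = 0xE00       # already excluded by "! --mark 0xe00/0xf00"
MAGIC_MASK = 0xF00            # the nibble these rules compare


def mark_matches(mark, value, mask=0xFFFFFFFF, invert=False):
    """`-m mark [!] --mark value/mask` and `ip rule fwmark value/mask`:
    only the bits under `mask` are compared, so 0x201 matches 0x200/0xf00
    but not a bare 0x200 (implicit mask 0xffffffff)."""
    hit = (mark & mask) == (value & mask)
    return (not hit) if invert else hit


def set_xmark(mark, value, mask=0xFFFFFFFF):
    """`-j MARK --set-xmark value/mask`: mark = (mark & ~mask) ^ value."""
    return ((mark & ~mask) ^ value) & 0xFFFFFFFF


def mangle_prerouting(mark, transparent_socket, exclude_proxy_to_world):
    """Simplified CILIUM_PRE_mangle for a packet entering from a netdev.

    `exclude_proxy_to_world` toggles the extra "! --mark 0x800/0xf00" match
    the commit adds; without it a proxy-to-world skb that came back in via
    cilium_host is re-marked 0x200 as if it were headed for the proxy.
    """
    if not transparent_socket:
        return mark
    if mark_matches(mark, MARK_HOST_MAGIC, MAGIC_MASK):
        return mark
    if exclude_proxy_to_world and mark_matches(mark, MARK_PROXY_TO_WORLD, MAGIC_MASK):
        return mark
    return set_xmark(mark, MARK_PROXY_TO_HOST)


# Policy routing rules in priority order: (fwmark value, mask, table).
IP_RULES = [
    (MARK_PROXY_TO_HOST, MAGIC_MASK, 2004),   # deliver locally to the proxy
    (MARK_PROXY_EGRESS, MAGIC_MASK, 2005),    # via cilium_host for IPsec
]


def route_table(mark):
    """First ip rule whose fwmark/mask matches, else the main table."""
    for value, mask, table in IP_RULES:
        if mark_matches(mark, value, mask):
            return table
    return "main"


def output_skips_conntrack(mark):
    """OUTPUT rule `--mark 0xb00 -j CT --notrack` has no explicit mask, so
    only an exact 0xb00 mark bypasses the first nat POSTROUTING pass."""
    return mark_matches(mark, MARK_PROXY_EGRESS)


def classify(mark_on_arrival, transparent_socket, exclude_proxy_to_world=True):
    """Mark after PREROUTING and the routing table it is then looked up in."""
    new_mark = mangle_prerouting(mark_on_arrival, transparent_socket, exclude_proxy_to_world)
    return new_mark, route_table(new_mark)


if __name__ == "__main__":
    # Proxy-to-world skb routed via cilium_host, before and after the fix.
    print(classify(MARK_PROXY_TO_WORLD, True, exclude_proxy_to_world=False))  # (512, 2004)
    print(classify(MARK_PROXY_TO_WORLD, True, exclude_proxy_to_world=True))   # (2048, 'main')
```

The mask argument is the whole point: `--mark 0x800/0xf00` compares only the magic nibble, so it still excludes a packet whose low bits carry other state, while the notrack rule's bare `--mark 0xb00` would not fire for such a packet. When reviewing rules like these, check each one's mask against what the BPF side actually writes into the mark.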
0e4c523 ci: Manually clean stale routing rules for downgrade It's basically https://github.com/cilium/cilium/pull/31930 what we can't merge due to 1.12 EOL. Signed-off-by: gray <gray.liang@isovalent.com> 11 June 2024, 13:43:58 UTC
ae30ccb chore(deps): update stable lvh-images Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 10 June 2024, 16:06:25 UTC
7cbb86e install: Update image digests for v1.13.17 Generated from https://github.com/cilium/cilium/actions/runs/9449889419.

Docker Manifests
================

cilium
- docker.io/cilium/cilium:v1.13.17@sha256:db7553ec384eeeb786aa3f7472bb8ecfc1b50d37a64a8309e94e4a82fda4882e
- quay.io/cilium/cilium:v1.13.17@sha256:db7553ec384eeeb786aa3f7472bb8ecfc1b50d37a64a8309e94e4a82fda4882e

clustermesh-apiserver
- docker.io/cilium/clustermesh-apiserver:v1.13.17@sha256:bce520cc4e234a63cf3eb58b51f18fb24c3a7c38365241ba59b395fa4bb07b38
- quay.io/cilium/clustermesh-apiserver:v1.13.17@sha256:bce520cc4e234a63cf3eb58b51f18fb24c3a7c38365241ba59b395fa4bb07b38

docker-plugin
- docker.io/cilium/docker-plugin:v1.13.17@sha256:ea64f2abca1271cf03904da37c123c3013926eb8610226c548a251f61343561e
- quay.io/cilium/docker-plugin:v1.13.17@sha256:ea64f2abca1271cf03904da37c123c3013926eb8610226c548a251f61343561e

hubble-relay
- docker.io/cilium/hubble-relay:v1.13.17@sha256:9398e764708197aee93f5ee3d6a42b087b9c777ef13c81b175be7235be1fb478
- quay.io/cilium/hubble-relay:v1.13.17@sha256:9398e764708197aee93f5ee3d6a42b087b9c777ef13c81b175be7235be1fb478

operator-alibabacloud
- docker.io/cilium/operator-alibabacloud:v1.13.17@sha256:5d8d5253339f1fba9404730a8f44aa6ea10439b97098e84325051c6877bfc9f7
- quay.io/cilium/operator-alibabacloud:v1.13.17@sha256:5d8d5253339f1fba9404730a8f44aa6ea10439b97098e84325051c6877bfc9f7

operator-aws
- docker.io/cilium/operator-aws:v1.13.17@sha256:a99201ecf60265f4a38cb78805023af12c19c9a309b86a73ffcd815a26962279
- quay.io/cilium/operator-aws:v1.13.17@sha256:a99201ecf60265f4a38cb78805023af12c19c9a309b86a73ffcd815a26962279

operator-azure
- docker.io/cilium/operator-azure:v1.13.17@sha256:b2f504420114da2f6f8138e9c7e4a8700684f15b9cce4304a8616649ed91aa4c
- quay.io/cilium/operator-azure:v1.13.17@sha256:b2f504420114da2f6f8138e9c7e4a8700684f15b9cce4304a8616649ed91aa4c

operator-generic
- docker.io/cilium/operator-generic:v1.13.17@sha256:caa8e0da2b3946463ed9206ff97a88115522999a8b276e09841f4bbd7974da3a
- quay.io/cilium/operator-generic:v1.13.17@sha256:caa8e0da2b3946463ed9206ff97a88115522999a8b276e09841f4bbd7974da3a

operator
- docker.io/cilium/operator:v1.13.17@sha256:febf6ffa2e44717165e985b6ef65d89f4d3caff6288750084c0a12013d2fdd81
- quay.io/cilium/operator:v1.13.17@sha256:febf6ffa2e44717165e985b6ef65d89f4d3caff6288750084c0a12013d2fdd81

Signed-off-by: Quentin Monnet <qmo@qmon.net> 10 June 2024, 15:53:02 UTC
7e88b2e Prepare for release v1.13.17 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Quentin Monnet <qmo@qmon.net> 10 June 2024, 10:37:56 UTC
21475ae check-crd-compat-table.sh: Fix script following main branch renaming The main branch in Cilium's repository has been renamed from master to main a while ago. Script check-crd-compat-table.sh in branch v1.13 was not updated at the same time, and this led to failures to update the relevant value in the compatibility table for the latest branch. Let's fix the script now. Signed-off-by: Quentin Monnet <qmo@qmon.net> 10 June 2024, 10:37:56 UTC
bf9a1ae bugtool: Add post-processing masking function for Envoy [upstream commit 48a9976a09015a0e411997780c8b260d59593071] This commit is to explicitly mask the below fields from Envoy config dump: - api_key (used in kafka L7 policy) - TLSContext (used in Cilium NetworkPolicy) One round of scanning on existing Cilium protobuf was done. Related docs: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--config_dump Signed-off-by: Tam Mach <tam.mach@cilium.io> 08 June 2024, 03:49:49 UTC
958d7b7 bugtool: Add json masking function [upstream commit 568dbc5ad884e37614992f59ceb89ad89feb9135] This commit is to add a generic json field masking based on the field name. [ Quentin: Replaced the use of slices.Contains(), unsupported with the Go version used with v1.13. ] Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Quentin Monnet <qmo@qmon.net> 08 June 2024, 03:49:49 UTC
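The two bugtool commits above describe a generic field-name based JSON masker and the two Envoy config-dump fields it is applied to (api_key and TLSContext). The following is an added example, not the bugtool code from those commits: a recursive masker that replaces the whole value under any matching key, at any nesting depth, plus a check that nothing under a masked key survives. The sample document is constructed for this example and only mimics the shape of an Envoy config dump; `password` is an extra field name assumed here.

```python
"""Recursive masking of named fields in a JSON document.

Added example, not Cilium's bugtool code. Masks by field name anywhere in a
nested structure (objects inside arrays inside objects). `api_key` and
`TLSContext` are the names the commit message lists; `password` is an extra
assumption. SAMPLE_CONFIG_DUMP is constructed and only mimics the shape of
an Envoy config dump.
"""
import json

MASKED = "***MASKED***"   # replacement token; this example's choice
DEFAULT_FIELDS = frozenset({"api_key", "TLSContext", "password"})


def mask_fields(node, fields=DEFAULT_FIELDS):
    """Return a copy of `node` with every value under a matching key replaced.

    The whole value is replaced, whether scalar, list or object, so a
    TLSContext block with certificates inside it is dropped in one go
    rather than leaking through a nested key with a different name.
    """
    if isinstance(node, dict):
        return {
            key: (MASKED if key in fields else mask_fields(value, fields))
            for key, value in node.items()
        }
    if isinstance(node, list):
        return [mask_fields(item, fields) for item in node]
    return node


def mask_json_text(text, fields=DEFAULT_FIELDS):
    """Mask a JSON string; non-JSON input is returned unchanged so a
    bugtool-style collector never fails on a file it cannot parse."""
    try:
        doc = json.loads(text)
    except ValueError:
        return text
    return json.dumps(mask_fields(doc, fields), indent=2, sort_keys=True)


def contains_field(node, fields=DEFAULT_FIELDS):
    """Post-condition check: does any matching key still carry a real value?"""
    if isinstance(node, dict):
        return any(
            (k in fields and v != MASKED) or contains_field(v, fields)
            for k, v in node.items()
        )
    if isinstance(node, list):
        return any(contains_field(i, fields) for i in node)
    return False


# Constructed sample; shape loosely follows /config_dump, values are made up.
SAMPLE_CONFIG_DUMP = json.dumps({
    "configs": [
        {"@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
         "listeners": [
             {"name": "kafka", "filters": [{"api_key": "example-value"}]},
             {"name": "tls", "TLSContext": {"certificate": "-----BEGIN CERT-----"}},
         ]}
    ]
})


def load_sample():
    """Parsed, unmasked sample document."""
    return json.loads(SAMPLE_CONFIG_DUMP)


def sample_masked():
    """Parsed sample document after masking with the default field set."""
    return mask_fields(load_sample())


if __name__ == "__main__":
    print(mask_json_text(SAMPLE_CONFIG_DUMP))
```

Matching on the exact key name is deliberate: a substring match such as "key" would also hit harmless fields like "api_version_key", while a case-sensitive exact match keeps the list auditable. Run `contains_field` on the output of any new collector before adding it to a sysdump.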
dc19b3d ci: l4lb: Don't hang on gathering logs forever [ upstream commit 84013315bdc3167dfb2f33d074403170c8bacebe ] It doesn't make sense to pass `--follow` when the container is still running; this will hang forever and fail to complete the remaining steps in the workflow. Remove the follow flag. Fixes: 93927457779d ("ci: l4lb: gather more infos about docker-in-docker issues") Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> 07 June 2024, 22:36:07 UTC
a443aee remove release scripts [ upstream commit df03e886bcddc4f3f94d31ad443d922b0f9fd2f5 ] [ backporter notes: trivial deletion conflict.] These scripts will only be available under github.com/cilium/release to avoid any confusion when performing releases. Signed-off-by: André Martins <andre@cilium.io> 07 June 2024, 22:36:07 UTC
d8dc81f remove unused files [ upstream commit 129a20004a8ac32b055d97cef5e9c4cc64399cad ] [ backporter notes: trivial deletion conflict. ] Signed-off-by: André Martins <andre@cilium.io> 07 June 2024, 22:36:07 UTC
4456760 chore(deps): update dependency cilium/hubble to v0.13.5 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 07 June 2024, 09:12:21 UTC
2ddb190 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 06 June 2024, 17:05:02 UTC
04c5d13 chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 19478ce Signed-off-by: renovate[bot] <bot@renovateapp.com> 06 June 2024, 17:05:02 UTC
bf494e3 chore(deps): update google/cloud-sdk docker tag to v479 Signed-off-by: renovate[bot] <bot@renovateapp.com> 06 June 2024, 11:54:25 UTC
14a7eec images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 06 June 2024, 02:18:19 UTC
d5a0f9b chore(deps): update go to v1.21.11 Signed-off-by: renovate[bot] <bot@renovateapp.com> 06 June 2024, 02:18:19 UTC
b39584f ipsec: cache xfrm state list [ upstream commit 3a4c57f12b61d336de26c24ac2b9b15dc4fc0368 ] [ Backporter's notes: switch default to false - so not enabled by default. Switch from testing package to checkmate in unit tests. Flags use Vp instead of vp. Minor conflicts with netlink.XfrmState* calls. Switched from pkg/time to time. Switch from checkmate to check.v1 ] Reduces GC CPU usage and memory allocations coming from XfrmStateList. To ensure we have an up-to-date cache, wrap all XfrmState related functions inside the cache, which is invalidated whenever XfrmState changes. This is a follow-up to #32577. While that PR averages out CPU usage over time, in large clusters (100+ nodes) the amount of allocations coming from netlink.XfrmStateList() is high due to backgroundSync, where we usually don't change any Xfrm states. This becomes more and more expensive as the number of nodes increases. Added a CI test to make sure that we don't accidentally add calls that modify XFRMState without going through the cache. Also, added a hidden option that allows turning off caching. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 05 June 2024, 21:08:46 UTC
f995bb0 envoy: Bump envoy version to v1.28.4 This commit is to bump envoy version to v1.28.4 for below CVEs: - [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-hww5-43gv-35jv) - [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g979-ph9j-5gg4) - [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26) - [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-mgxp-7hhp-8299) - [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g9mq-6v96-cpqc) - [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m) - [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c) Additionally, this build also includes a couple of Cilium fixes, more details can be found in #786. Upstream release: https://github.com/envoyproxy/envoy/releases/tag/v1.28.4 Relates: https://github.com/cilium/proxy/pull/786 Signed-off-by: Tam Mach <tam.mach@cilium.io> 05 June 2024, 21:08:27 UTC
decca29 .github/workflows: fix digests file creation [ upstream commit deee47cac2f7c56d376e1877d1fb4bd9f3c9fd84 ] With the introduction of 57db22b2029c, Syft creates the sbom files under the same directory the image digest files are created in. This resulted in the image-digest-output.txt file unexpectedly containing all the SBOMs. Thus, using find, we will make sure that only the files that start with "image-digests" are copied into the image-digest-output.txt file. Tested in https://github.com/aanm/cilium/actions/runs/9358191181 Fixes: 57db22b2029c ("Generate SBOMs using Syft instead of bom") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> 05 June 2024, 20:15:13 UTC