Skip to main content

Browse the archive

https://github.com/cilium/cilium
17 August 2024, 22:12:05 UTC
sort by:
Revision Author Date Message Commit Date
4c9a630 Joe Stringer 15 August 2022, 23:29:39 UTC Prepare for release v1.12.1 Signed-off-by: Joe Stringer <joe@cilium.io> 16 August 2022, 00:11:16 UTC
fe49b55 Gilberto Bertin 12 August 2022, 15:17:38 UTC iptables: skip NOTRACK rules deletion [ upstream commit 4bd2478db37a6859c57372dcc97ac43922d26e90 ] The Iptables version shipped with Cilium (1.8.4) does not fully support the iptables-legacy - nft translation of NOTRACK rules, which in turn causes the agent to crash whenever it tries to delete any old/backup ruleset. This commit introduces a workaround for this by ignoring the `-j NOTRACK` and `-j CT --notrack` rules when deleting all rules belonging to an old/backup ruleset. This is not an issue (although it's not optimal) as eventually the agent will just flush and remove all the Cilium managed Iptables chains. Fixes: #20714 Signed-off-by: Gilberto Bertin <jibi@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 15 August 2022, 16:58:28 UTC
5420f5c ArthurChiao 07 May 2022, 08:16:07 UTC ipcache/kvstore: fix panic when processing ip=<nil> entries [ upstream commit 630b219cb229c91d61c928f8927b0471ee32b874 ] This problem was introduced in 6cbf5daf46d, which results in a "nil pointer dereference" panic. Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
354f751 André Martins 10 August 2022, 10:13:57 UTC cilium-health: fix probing for IPv6-only clusters [ upstream commit 862e191b3574e4a7c5d2046d28d980c163b50a6f ] Due some refactoring done in ed934cb958c5, a bug was introduced in the code that overwrote the IP address used to perform health checks. In IPv6-only clusters, this IP address was overwritten by an empty IPv4 address which would then be used to perform health checks. Obviously failing to perform such health checks since the address was "<nil>", Cilium would report that `cilium-health-ep` controllers were failing. Fixes: ed934cb958c5 ("health: Move endpoint IP to node package") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
641b3af Michi Mutsuzaki 09 August 2022, 16:16:57 UTC helm: Refer to the correct Helm value [ upstream commit 07ea75249f682e1224d0e68c27d2dddaeac07b81 ] The operator deployment template was incorrectly referring to dnsPolicy instead of operator.dnsPolicy. Fixes: 307df356c2 ("helm: Make DNS policy for agent and operator configurable") Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
c7e493a Joe Stringer 08 August 2022, 22:35:55 UTC docs: Clarify identity table for reserved identities [ upstream commit c59864a83658993ececfb4d080e29779880154d6 ] Reserved identities take up the first 255 values (per pkg/identity/numericidentity.go), as already described in this document. Add these to the table for completeness. I didn't bother to fully explain this point for clustermesh but in practice this range (0x00xx0001->0x00xx00FF) is reserved in each cluster. These are not synchronized across all clusters. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
9744b0e Martynas Pumputis 08 August 2022, 12:48:44 UTC gh/workflows: Do not disable IPv6 in the LB-only suite [ upstream commit e6bc8ec74cabd9589a708dc130d944f36c9c9d87 ] Enabling allows us to check whether the LB-only program with the IPv6 processing parts can be accepted by the BPF verifier. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
eab9c90 Nikhil Jha 08 August 2022, 00:43:32 UTC ingress: add websockets configuration [ upstream commit 234f9a8878fc87b736c7acf674a1a25a542d44fb ] Some popular web software (e.x. Jupyterhub, Home Assistant) requires websocket support from the ingress. This commit provides an annotation to enable this support in Envoy. It is enabled by default to be in-line with other popular Ingress implementations (Traefik, ingress-nginx). Fixes: #20427 Signed-off-by: Nikhil Jha <hi@nikhiljha.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
beda2c1 Chris Tarazi 02 August 2022, 19:14:45 UTC pkg/netns: Expand godoc on ReplaceNetNSWithName [ upstream commit 8940bf0c4ba29b8d618f4d5e5d647ba7f5db8ed2 ] It is useful to have an example usage of how ReplaceNetNSWithName() is typically used so developers don't have to research how to use network namespaces in Go again. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
a426a8c Chris Tarazi 01 August 2022, 18:53:35 UTC daemon/cmd: Add new privileged test suite [ upstream commit a0c0732eb380108d12702ffd7935edf8402edb72 ] This test suite can be used to unit test the daemon code under daemon/cmd/daemon.go. As a first attempt, sanity check tests for removing old router (cilium_host) state have been added. This is intended not to be exhaustive for now. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
b0541a2 Chris Tarazi 04 August 2022, 22:38:24 UTC pkg/datapath/loader: Export SetupBaseDevice [ upstream commit 205810f2785ec09f149251ec827a880ff7560e26 ] This is useful for the upcoming new privileged daemon test suite. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
364764f Chris Tarazi 01 August 2022, 19:25:24 UTC daemon/cmd: Fix complaint about nil IP address on restore of cilium_host [ upstream commit 08205dde0f6dad5cfaf18a947d17e7c67f60cbcc ] Previously, the msg "Failed to remove old router IPs (restored IP: <nil>) from cilium_host. Manual intervention is required to remove all other old IPs." would pollute the logs for no good reason. This commit prevents this log from being printed by avoiding the condition. The condition is when the cilium_host device has been removed and there are no IPs detected to restore. The following commit will add unit tests to verify this behavior. Fixes: fcd00390c30 ("daemon, node: Remove old, discarded router IPs from `cilium_host`") Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
e1c497f Vincent Li 21 July 2022, 00:39:09 UTC ipvlan: clean up leftovers in setupBaseDevice() [ upstream commit 9ef7f24103aef25264e2f51748eaec8f35f16a8f ] commit c3adaec9dc06a68 removed IPVLAN code, cleanup setupBaseDevice(). found this through https://github.com/cilium/cilium/issues/20603 don't think setupBaseDevice() IPVLAN leftover code is related to that issue. Signed-off-by: Vincent Li <v.li@f5.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
2494ce4 Tam Mach 12 July 2022, 07:45:55 UTC k8s: Filter out cilium owned from pod labels This commit is to make sure that any of cilium owned labels (i.e. prefix by io.cilium.k8s.*) should be filtered out if available in pod labels. The main reason is to prevent any malicious injection of cilium labels especially io.cilium.k8s.namespace.labels.*. Test Application ```yaml --- apiVersion: apps/v1 kind: Deployment metadata: labels: io.cilium.k8s.namespace.labels.foo.bar/baz: malicious-pod-level-override io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: kube-system io.cilium.k8s.policy.cluster: minikube-bad io.cilium.k8s.policy.serviceaccount: root io.cilium.k8s.namespace.labels.random: foo app: netshoot name: netshoot spec: selector: matchLabels: io.cilium.k8s.namespace.labels.foo.bar/baz: malicious-pod-level-override io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: kube-system io.cilium.k8s.policy.cluster: minikube-bad io.cilium.k8s.policy.serviceaccount: root io.cilium.k8s.namespace.labels.random: foo app: netshoot replicas: 1 template: metadata: labels: io.cilium.k8s.namespace.labels.foo.bar/baz: malicious-pod-level-override io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: kube-system io.cilium.k8s.policy.cluster: minikube-bad io.cilium.k8s.policy.serviceaccount: root io.cilium.k8s.namespace.labels.random: foo app: netshoot spec: containers: - name: netshoot args: - sleep - infinity image: nicolaka/netshoot:latest ``` Before: ``` 31978 k8s:app=netshoot k8s:io.cilium.k8s.namespace.labels.foo.bar/baz=malicious-pod-level-override k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default k8s:io.cilium.k8s.namespace.labels.random=foo k8s:io.cilium.k8s.policy.cluster=default k8s:io.cilium.k8s.policy.serviceaccount=default k8s:io.kubernetes.pod.namespace=default ``` After: ``` 768 k8s:app=netshoot k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default k8s:io.cilium.k8s.policy.cluster=default k8s:io.cilium.k8s.policy.serviceaccount=default k8s:io.kubernetes.pod.namespace=default ``` Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 August 2022, 23:50:28 UTC
0a26852 Tam Mach 12 July 2022, 07:47:10 UTC k8s: Add unit test for GetPodMetadata labels Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 August 2022, 23:50:28 UTC
7066e2c Tam Mach 11 July 2022, 12:28:25 UTC k8s: Add cilium Label prefix This commit is to add const for io.cilium.k8s. Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 August 2022, 23:50:28 UTC
cee2229 dependabot[bot] 11 August 2022, 14:49:23 UTC build(deps): bump actions/cache from 3.0.6 to 3.0.7 Bumps [actions/cache](https://github.com/actions/cache) from 3.0.6 to 3.0.7. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/f4278025ab0f432ce369118909e46deec636f50c...a7c34adf76222e77931dedbf4a45b2e4648ced19) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 11 August 2022, 17:58:06 UTC
649e1f0 Joe Stringer 09 August 2022, 04:14:17 UTC ipcache: Fix lock leak [ upstream commit 9238841856546e250ce919b59534a525f24a6903 ] Commit 40e13ea2a5a9 ("ipcache: Fix race in identity/ipcache release") unintentionally took the lock on the IPCache and failed to release it if the loop returned in the middle. This case is a bit unusual given that allocation fails in this case. Fix it. Found by inspection. Fixes: 40e13ea2a5a9 ("ipcache: Fix race in identity/ipcache release") Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
0b12ed3 Daniel Borkmann 09 August 2022, 10:30:15 UTC tests: Small extension to nat46x64 test suite to check maglev content [ upstream commit e0c07f3d10dc47c09d95aecdb4eb28307ecabc94 ] Small assertion that Maglev BPF map in both NAT46 and NAT64 is empty for the IPv4 case and populated for IPv6. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
dccbd68 Daniel Borkmann 09 August 2022, 09:47:23 UTC bugtool: Add maglev map list to bugtool dump [ upstream commit 2d27cc5547e2552ffc8914f53e90cad5057475c7 ] Useful for debugging state of the maglev table. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
30bffc0 Daniel Borkmann 08 August 2022, 21:55:21 UTC maglev: Don't populate v4 inner table upon nat46 service [ upstream commit c1932b072f525ce6c409e7396ca2ef21c0294e9d ] [ backporter's notes: fixed `GetOrderedBackends` conflict in `lbmap.go` due to 3f1e808ee96e672f516fa891932f01eae9854e1b not having been backported to `v1.12`.] The UpsertMaglevLookupTable() call to populate the inner table should be moved under the backendsOk boolean. For NAT46, populating the IPv4 table doesn't make sense since we redirect to the IPv6 datapath anyway, thus it is unnecessary memory overhead. The situation is analog to the random backend selection - there we do not populate the backends for the svc map for NAT46 under v4 either. Example: # cilium service list ID Frontend Service Type Backend 1 1.1.1.1:80 ExternalIPs 1 => [f00d::1]:80 (active) # cilium bpf lb list SERVICE ADDRESS BACKEND ADDRESS (REVNAT_ID) (SLOT) [1.1.1.1]:80 [f00d::1]:80 (1) (1) [::]:0 (1) (0) [ExternalIPs, 46x64] 1.1.1.1:80 0.0.0.0:0 (1) (0) [ExternalIPs, 46x64] Before: # cilium bpf lb maglev list SVC ID LOOKUP TABLE [1]/v4 [1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [...]] [1]/v6 [1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [...]] After: # cilium bpf lb maglev list SVC ID LOOKUP TABLE [1]/v6 [1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [...]] Also tested that restoration upon agent restart works. Fixes: 9898cb6 ("cilium: Initial implementation of agent NAT46/64 handling") Co-authored-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
e53d75e André Martins 08 August 2022, 21:36:05 UTC fix k8s latency metrics label cardinality [ upstream commit 4ad5e94f0c0c99fee6ebcaf4bb2ab3933a17c7d0 ] The functionality provided by the finalURLTemplate is still used by Cilium to track the request latency for requests performed to Kubernetes. Until this is reverted upstream we will maintain this fork with this change so that we can still used the functionality provided by finalURLTemplate. This functionality prevents the explosion of label cardinality in prometheus metrics since it aggregates in a way that common URLs requests will be reported as being the same. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
c62c7c6 Joe Stringer 29 July 2022, 20:35:55 UTC fqdn: Upsert all identities to ipcache [ upstream commit e6ad7438357da93e5c5dbf823e71ae349adde61d ] Previously, the logic would only upsert identities into the IPCache if the identity was newly allocated. Logically this makes sense, as the relationship between a CIDR identity and the ipcache should be tightly coupled. However, we have observed in some user environments that ipcache entries may end up being removed from the datapath and the corresponding identity would remain allocated in userspace. As a result, the next time a DNS request arrives which intends to make use of that identity for subsequent connection attempts, it would not populate the ipcache with the identity, leading to packet loss on the connection allowed by ToFQDNs policy. In order to mitigate this issue, ensure that all identities used in DNS responses are populated into the datapath, and track a metric for any cases where this occurs for identities that we expect to already be present in the IPCache. This way, active issues should be mitigated, but we also still have a way to detect whether this mitigation is necessary and whether we need to further investigate the root cause of this issue. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
faefee7 Joe Stringer 29 July 2022, 19:39:41 UTC ipcache: Fix race in identity/ipcache release [ upstream commit 40e13ea2a5a944a45761fc433c4c971536957f4b ] Create a critical section for identity release + removal from ipcache. Otherwise, it's possible to trigger the following race condition: Goroutine 1 | Goroutine 2 ---------------------------+-------------------------------------- releaseCIDRIdentities() | AllocateCIDRs() -> Release(..., id, ...) | | -> allocate(...) | -> ipc.UpsertGeneratedIdentities(...) -> ipc.deleteLocked(...) | In this case, the expectation from Goroutine 2 is that a new identity is allocated and that identity is inserted into the ipcache, but the result is that the identity is allocated but the ipcache entry is missing. This is partly because the identity released in goroutine 1 is different from the newly allocated identity in goroutine 2, however goroutine 1 will delete the ipcache entry based on the prefix and not the identity. Therefore it's possible for goroutine 1 to delete the ipcache entry corresponding to the identity allocated in goroutine 2. Note that for balancing the upsert / release, we perhaps should cover the entire allocation + ipcache push in Upsert() with the same locking. However, on upsert there is an optional feature of the API to defer the ipcache upsert to a later point, governed by the caller. There is currently no way to extend the locking over that much longer time period, so we only cover the allocation step there. This should still be safe, as one of the following cases should occur: Goroutine 1 | Goroutine 2 ---------------------------+-------------------------------------- Lock | Release() | deleteLocked() | Unlock | | Lock | ipc.allocate() | Unlock | .... (repeat below) | Lock | Upsert | Unlock Goroutine 1 | Goroutine 2 ---------------------------+-------------------------------------- | Lock | ipc.allocate() (increment refcount) | Unlock Lock | Release() | (no deleteLocked()() due | to refcount from (2)) | Unlock | | .... (repeat below) | Lock | Upsert | Unlock Found by code inspection. Suggested-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
f2a80cc Joe Stringer 29 July 2022, 21:01:42 UTC ipcache: Add metrics for upsert/delete/recover [ upstream commit 044cd8f23cc531d7441127a15832c39fc43d159d ] These errors, total metrics will help users and developers to gather understanding about ipcache operations at runtime. One specific "recover" error that will occur at runtime will be measured in an upcoming commit. This is the primary motivation for introducing these metrics. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
7e36e89 Tam Mach 03 August 2022, 16:11:12 UTC envoy: Bump envoy version to 1.21.5 [ upstream commit 3c4efc66a2f916ebe362e13722428c1500c3ac69 ] This new image digest is coming from below build. Also, I take this change to upgrade cilium/proxy in go.mod as well. https://github.com/cilium/proxy/runs/7656147038?check_suite_focus=true Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
e4e83e8 Tobias Klauser 04 August 2022, 11:08:47 UTC docs: fix formatting in BGP control plane installation docs [ upstream commit 1abc980de53d9663483c98374bfe64699c66ddf6 ] Add missing title underline and format paragraphs/lists correctly. Suggested-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
663aeee Tobias Klauser 03 August 2022, 09:27:23 UTC docs: correct IPAM mode name in BGP control plane installation docs [ upstream commit 66a53de567b59bd83c7fda7d2384c34d5361b2bf ] The IPAM mode is currently called "cluster-pool-v2beta", not "cluster-pool-v2". Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
b8e041d Quentin Monnet 08 July 2022, 14:38:07 UTC bpf: Add send_trace_notify hook for redirect_direct_{v4,v6} [ upstream commit 737262d8d52d47c50ef08c1269ae9da6c9fb6e6d ] When BPF host routing is enabled, Hubble is missing outgoing flows from the Pod that are directed to the outside of the node. Add such trace point, so they become visible. Note: This patch was first dismissed because we believed that commit 322510d4d9f4 ("bpf: Add missing packet tracing for handle_nat_fwd") would address it. We thought that adding tracepoints in to-netdev in bpf_host would be enough to catch the flows. However, to the tracepoints added in that commit, we pass a "monitor" value at 0, and when aggregation is on this results in the trace being dismissed by emit_trace_notify() called in send_trace_notify(). Here is some sample output, taken from the development setup (Vagrant machine), with current net-next, and the following agent configuration causing BPF host routing to be selected: - KPR strict - tunneling disabled - BPF masquerade (IPv6 and related options disabled) - Monitor aggregation set to medium Full set of flags (CILIUM_OPTS in /etc/sysconfig/cilium) for reproducing: [default] --debug --pprof --enable-hubble --hubble-listen-address :4244 --enable-k8s-event-handover --k8s-require-ipv4-pod-cidr --enable-bandwidth-manager --enable-remote-node-identity --k8s-kubeconfig-path /var/lib/cilium/cilium.kubeconfig --identity-allocation-mode=crd --enable-k8s-event-handover=false [changed] --kube-proxy-replacement=strict -t disabled --ipv4-native-routing-cidr=10.11.0.0/16 --enable-bpf-masquerade --enable-ipv6=false --monitor-aggregation=medium To reproduce: Boot the VM, make sure Cilium runs, deploy a Pod, run a curl request to the outside from that Pod (e.g. "curl www.google.com"). Observe the resulting flows with Hubble. Before the patch: $ cilium status | grep 'Host Routing' Host Routing: BPF $ hubble observe --pod my-nginx-6b5c9cc6ff-zh5hd -f Jul 12 11:42:05.331: default/my-nginx-6b5c9cc6ff-zh5hd:35297 -> kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:42:05.332: default/my-nginx-6b5c9cc6ff-zh5hd:35297 <- kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:42:05.332: default/my-nginx-6b5c9cc6ff-zh5hd:58056 <- kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:42:05.332: default/my-nginx-6b5c9cc6ff-zh5hd:58056 -> kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:42:05.332: default/my-nginx-6b5c9cc6ff-zh5hd:52504 -> kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:42:05.332: default/my-nginx-6b5c9cc6ff-zh5hd:52504 <- kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:42:05.332: default/my-nginx-6b5c9cc6ff-zh5hd:56149 -> kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:42:05.344: default/my-nginx-6b5c9cc6ff-zh5hd:56149 <- kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:42:05.446: default/my-nginx-6b5c9cc6ff-zh5hd:59528 <- 142.250.178.4:80 to-endpoint FORWARDED (TCP Flags: ACK, FIN) We can observe that the TCP exchange is incomplete. After the patch: $ hubble observe --pod my-nginx-6b5c9cc6ff-zh5hd -f Jul 12 11:46:23.524: default/my-nginx-6b5c9cc6ff-zh5hd:52493 -> kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:46:23.526: default/my-nginx-6b5c9cc6ff-zh5hd:36326 -> kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:46:23.526: default/my-nginx-6b5c9cc6ff-zh5hd:52493 <- kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:46:23.526: default/my-nginx-6b5c9cc6ff-zh5hd:36326 <- kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:46:23.528: default/my-nginx-6b5c9cc6ff-zh5hd:53587 -> kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:46:23.529: default/my-nginx-6b5c9cc6ff-zh5hd:53587 <- kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:46:23.530: default/my-nginx-6b5c9cc6ff-zh5hd:36108 -> kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:46:23.531: default/my-nginx-6b5c9cc6ff-zh5hd:36108 <- kube-system/coredns-9777cd7c9-4kxqd:53 to-endpoint FORWARDED (UDP) Jul 12 11:46:23.532: default/my-nginx-6b5c9cc6ff-zh5hd:43264 -> 142.250.178.4:80 to-network FORWARDED (TCP Flags: SYN) Jul 12 11:46:23.615: default/my-nginx-6b5c9cc6ff-zh5hd:43264 -> 142.250.178.4:80 to-network FORWARDED (TCP Flags: ACK, FIN) Jul 12 11:46:23.625: default/my-nginx-6b5c9cc6ff-zh5hd:43264 <- 142.250.178.4:80 to-endpoint FORWARDED (TCP Flags: ACK, FIN) Jul 12 11:46:23.625: default/my-nginx-6b5c9cc6ff-zh5hd:43264 -> 142.250.178.4:80 to-network FORWARDED (TCP Flags: ACK) This is what we want. [Implementation details] Now as a side note, we had to unroll the "nh ? sizeof(*nh)" in bpf/lib/fib.h in this commit. This is because following the other changes, and for some datapath configurations, tc fails would fail to load bpf_lxc's tail_handle_ipv4 with the verifier returning the following error: [...] 2312: (85) call bpf_skb_store_bytes#9 ; R0=scalar() ; if (no_neigh) 2313: (16) if w6 == 0x0 goto pc+12 ; R6=P1 ; return redirect_neigh(*oif, nh, nh ? sizeof(*nh) : 0, 0); 2314: (15) if r9 == 0x0 goto pc+2 ; R9=fp-32 2315: (b4) w1 = 20 ; R1_w=20 2316: (63) *(u32 *)(r10 -204) = r1 ; R1_w=20 R10=fp0 fp-208=mmmmmmmm 2317: (61) r6 = *(u32 *)(r10 -196) ; R6_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0 ; return redirect_neigh(*oif, nh, nh ? sizeof(*nh) : 0, 0); 2318: (bc) w1 = w6 ; R1_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R6_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) 2319: (bf) r2 = r9 ; R2_w=fp-32 R9=fp-32 2320: (61) r3 = *(u32 *)(r10 -204) ; R3_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0 2321: (b4) w4 = 0 ; R4_w=0 2322: (85) call bpf_redirect_neigh#152 R3 unbounded memory access, use 'var &= const' or 'if (var < const)' processed 1430 insns (limit 1000000) max_states_per_insn 4 total_states 97 peak_states 97 mark_read 58 2022-07-12T18:00:34.424824616Z level=warning subsys=datapath-loader libbpf: -- END LOG -- libbpf: failed to load program 'tail_handle_ipv4' The compiler puts the size for nh (either 0 or the size of the struct) onto the stack, and loses track of its bounds when passing it as an argument to bpf_redirect_neigh(). Dissociating the cases where nh is NULL and non-NULL apparently helped it track the value correctly. Co-authored-by: Daniel Borkmann <daniel@iogearbox.net> Co-authored-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
8990fe8 Tobias Klauser 02 August 2022, 14:58:27 UTC tools/customvet: consider $GO environment variable [ upstream commit 920094b35dc22bbd92fb9c7738ceb8d9597f5277 ] For backports it's usually convenient to be able to set the $GO environment variable to the version used in the particular stable branch, e.g. on v1.10 we'd set GO=go1.16.15. However, that setting is currently not considered in tools/customvet. This can lead to unexpected failures such as the followin when running `GO=go1.16.15 make precheck` on v1.10 branch: contrib/scripts/custom-vet-check.sh main: internal error: package "sync" without types was imported from "github.com/cilium/cilium/pkg/cleanup" exit status 1 Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
943ae2d Tobias Klauser 02 August 2022, 14:59:13 UTC contrib/scripts: consider $GO in check-fmt.sh [ upstream commit cb0b2562dbf394dbbad9f0d9c20c98a8b8350a4c ] For backports it's usually convenient to be able to set the $GO environment variable to the version used in the particular stable branch, e.g. on v1.10 we'd set GO=go1.16.15. However, that setting is currently not considered in contrib/scripts/check-fmt.sh. If there were changes in how gofmt formats code between Go versions and the system's Go version is newer than the $GO setting, using that gofmt binary might lead to check-fmt failure. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
9e06e37 André Martins 03 August 2022, 09:03:10 UTC pkg/k8s: set the right IP addresses in log messages [ upstream commit a25e41872e998d8cfb802c060aab32f7ed18f016 ] The host-IPs being printed in the log messages were from the pod IP addresses which is incorrect. Fixes: e92dc6ac6b76 ("pkg/k8s: add pod IP event change") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
09a6ad2 Bruno M. Custódio 02 August 2022, 09:28:16 UTC Fix ineffective post-start hook in ENI mode [ upstream commit 17d807b8bf9565e5239dc6c97ba0e5652f19cbd6 ] https://github.com/cilium/cilium/pull/16840 introduced code to remove some SNAT-related iptables rules which are known to be problematic when Cilium is running in ENI mode. However, said PR didn't account for the fact that this needs to run from inside the host mount and network namespaces (like the existing pre-stop hook does), and not from inside the 'node-init' container itself. This commit fixes that by making the script run with the right 'nsenter' magic. As a result of this, the `xtables.lock` mount is no longer necessary and can be removed. Fixes: #19421 Signed-off-by: Bruno M. Custódio <brunomcustodio@gmail.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
002cdd8 Joe Stringer 02 August 2022, 17:48:43 UTC fqdn/metrics: Fix ProxyUpstreamTime error=timeout [ upstream commit 07f49ed483109b2108d3eb46813a6ab573706adf ] Previously, regardless of whether there was an error or not, the proxy upstream time metric would report "error=timeout". This was confusing, since successful DNS transactions with the upstream server would be reported with this timeout label. Fix this by using the local metricError variable which reflects either that the request was allowed ("error=allow"), or only if the upstream request times out, error="timeout". This is at least more consistent with the existing metrics. We can follow up separately whether "allow" should be split from the "error" label. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
ea183ff André Martins 02 August 2022, 09:26:15 UTC Revert "Revert "doc: update the api spec for fqdn egress policies code comments."" [ upstream commit f5b24e46ec504b1c4e86ed1cced00b7d0e135b0c ] This reverts commit 8e0197ad01cd168592399893e24e7fddfacb8b09 and adds the generated manifests with the documentation changes. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
be309b5 Quentin Monnet 29 July 2022, 16:18:38 UTC docs: Update Helm values [ upstream commit c97fa1e2f1503797524be826b077bd951d6707e8 ] Run "make -C Documentation update-helm-values" as a follow-up to #20572. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
a85282b Haitao Li 28 July 2022, 23:37:55 UTC docs: Add required ec2:DescribeInstances when instance-tags-filter is used [ upstream commit c7ebfeeb2ecabe420ab17b898dc8a1a3aee7e1be ] PR #19181 introduced option `instance-tags-filter` for filtering instances that need to be kept in sync. The implementation uses AWS EC2 API DescribeInstances. Without the permission, the operator would fail with message: level=warning msg="Unable to synchronize EC2 interface list" error="operation error EC2: DescribeInstances, https response error StatusCode: 403, RequestID: <snap>, api error UnauthorizedOperation: You are not authorized to perform this operation." subsys=eni This patches documents the necessary permission the operator needs to be granted when using option `instance-tags-filter`. Signed-off-by: Haitao Li <lihaitao@gmail.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
cbcbd77 Tobias Klauser 27 July 2022, 21:58:55 UTC cilium-cni: don't set interface link up twice [ upstream commit 59115a47286e33785cdc140ed219ca2ffff2a736 ] There is no need to set the interface link up in addIPConfigToLink because it was already set up in configureIface right before calling addIPConfigToLink. The special case for IPVLAN interfaces no longer applies since support for IPVLAN was removed in commit c3adaec9dc06 ("Remove IPVLAN code"). Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
7af9460 Dmitry Kharitonov 19 July 2022, 08:01:24 UTC ui: release v0.9.1 [ upstream commit 5eb146914e59d97b387f4020b5d60538d0d4afc9 ] Signed-off-by: Dmitry Kharitonov <dmitry@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
1432c6f xiaoqing 09 July 2022, 03:12:00 UTC eni: fix subnet_id label value is empty in metrics [ upstream commit 95035190c08c64c1510d31fb706ec25fa785fd1a ] This affects the following metrics: * cilium_operator_ipam_allocation_ops * cilium_operator_ipam_interface_creation_ops Fixes: #20431 Signed-off-by: xiaoqing <xiaoqingnb@gmail.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
5f8e5c0 Gilberto Bertin 28 July 2022, 14:02:11 UTC iptables: handle case where kernel IPv6 support is disabled [ upstream commit 03b89ec25edc538f9627b3e82a9e698ce7bba1a0 ] Currently, even if the kernel IPv6 support is disabled (i.e. the ipv6.disable=1 kernel parameter is set), the agent will try to find or load the ip6tables kernel modules, and if successful it will assume ip6tables is supported. This will result in a fatal error since all ip6tables commands will fail with "Address family not supported". This commit fixes this by setting the haveIp6tables IptablesManager's property to false in case the kernel does not support IPv6. Fixes: d812b925de ("iptables: don't ignore errors") Fixes: #18513 Fixes: #20672 Signed-off-by: Gilberto Bertin <jibi@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
6518608 Nicolas Busseneau 28 July 2022, 13:57:40 UTC ci: remove unnecessary actions / parameters [ upstream commit fc628ef672d783da9742cba7e7dd16412eaf6e99 ] We have set up CodeQL checks so that code detection only runs for `pull_request` events, thus we can remove the code checkout (only necessary for non-`pull_request` events) and `base`/`ref` parameters based on `pull_request` (already done by `dorny/paths-filter` itself). Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
1be2d2f Nicolas Busseneau 28 July 2022, 13:52:56 UTC ci: fix code changes detection on `push` events [ upstream commit e8114c4e81a300dbf1f737355b8eaef796a88a0d ] The `dorny/paths-filter` actions needs to know against which `base` to compare on `push` events, as otherwise it will default to the default repository branch (`master` in our case). Since we have checks for stable branchs (e.g. `v1.12`), we want these to check against the proper `base` and not `master`, thus we use GitHub context to determine to which branch we pushed. The `base` parameter is ignored for `pull_request` events, so we need not have additional safeguards. Doc: https://github.com/dorny/paths-filter#supported-workflows Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
18b28ea Yutaro Hayakawa 28 July 2022, 00:29:12 UTC clustermesh: Add EndpointSlice support for API server [ upstream commit 5b2b93fceee26179fb009dc898c575b8bca7ebfe ] Currently, clustermesh-apiserver doesn't support synchronizing EndpointSlice to kvstore. This happens because clustermesh-apiserver always set DaemonConfig.K8sEnableEndpointSlice option to false while calling DaemonConfig.Populate(). As a result, clustermesh-apiserver always fallbacks to the Endpoints. The problem of this is we cannot support dual-stack global service since Endpoints only contains the backends for primary IP address family (Service.spec.ipFamilies[0]). Thus, clustermesh-apiserver only synchronizes backends with single IP address family. Also, when cilium-agents are running with EndpoitSlice and clustermesh-apiservers are running with Endpoints, it will make a state that global services only contain local endpoints for secondary IP address family which is unexpected from users' perspective. To fix that, we expose a new command line configuration knob --enable-k8s-endpointslice=<bool> for clustermesh-apiserver and populate its value from cilium-config ConfigMap. So that cilium-agent and clustermesh-apiserver always use the same endpoint type. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
43ad661 Tobias Klauser 27 July 2022, 08:55:21 UTC docs: update the version specific notes table for v1.12 release [ upstream commit 75fec3420b2c5c2489b5f477b74bbd9312022391 ] Update the table in the "Version Specific Notes" subsection of the "Upgrade" page to mention upgrade path to v1.12. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
4f0d334 Tobias Klauser 27 July 2022, 16:08:30 UTC command: fix parsing of string map strings with multiple separators [ upstream commit af44d4401620eec7970bd820aeb1ba52b2bb47a6 ] [ backporter's notes: changes from 5d7e5918f70dc4a1a71cb2b59f709ed5ab66ae70 were skipped due to `CODEOWNERS` being specific to stable branches. ] We need to check the last substring, i.e. the string after the last separator for the key/value separator as well. Otherwise a string such as a=b,c=d,e=f,g=h with more than two separators will not be considered a valid string map string. Fixes: #20666 Fixes: 070ded019adb ("cmd: Allow more complicated patterns in map string type.") Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
54cadf8 Will Daly 21 July 2022, 19:05:47 UTC cilium-cni: delegated IPAM DEL even when netns does not exist [ upstream commit 645c8d5e566295d9ccf9c3d2e8d18375cdbb7eb6 ] If the network namespace has been deleted before CNI DEL is invoked, Cilium CNI should still invoke the delegated IPAM plugin to release the IP address. This matches the behavior of the "bridge" reference plugin, which invokes delegated plugin DEL when the network namespace has been deleted: https://github.com/containernetworking/plugins/issues/685 https://github.com/containernetworking/plugins/pull/686 I tested the changes in a kind cluster configuring Cilium CNI to use the reference host-local plugin for IPAM. The cilium connectivity tests pass. I also repeatedly deleted pods from a deployment to trigger the "Unable to enter namespace" warning in the Cilium CNI logs, then verified that the delegated IPAM plugin DEL was invoked to release the IPs. Signed-off-by: Will Daly <widaly@microsoft.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
80456d5 Tam Mach 21 June 2022, 10:18:58 UTC docs: Add related TLS secrets used by clustermesh [ upstream commit 96b63e63f0f6ab514ced0f00a04c664d5e5853da ] This commit is to mainly add related TLS secrets and how they are used in clustermesh. Also, taking this chance to update format and styles for consistency. Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
710ce76 Tam Mach 21 June 2022, 09:36:48 UTC docs: Move clustermesh troubleshooting to separate file [ upstream commit 26c280826b81428a885cb383fef9beac6bae4cd9 ] This commit is to lift and shift clustermesh part to another file for better management. No change in the content. Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
cb218bd Fabio Falzoi 22 July 2022, 15:44:18 UTC option: remove intSlice from config map validation [ upstream commit dd79881fffca2cd275141009be0735837bb88d19 ] The configuration options validation is carried out in the spf13/viper package. To accomplish that, the package uses internally the spf13/cast package that has some limitations with the IntSlice type. Therefore,the IntSlice option type has been forbidden since 66d9aacac0 (daemon, option: fix vlan bpf bypass ids loading). No validation related to this type of option should take place either be successful. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
0df2477 Martynas Pumputis 21 July 2022, 05:38:31 UTC docs: Do not disable KPR on Kind [ upstream commit b935be47942e0d407ab48189d3bc3cbf9c1d0ece ] [ backporter's notes: conflict due to e01f4345739e8c95a21dcd7c4d70260801233590 not having been backported to `v1.12`. ] It's disabled by default. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
a749628 Martynas Pumputis 21 July 2022, 05:28:41 UTC helm: Set KPR default to "disabled" for >= 1.12 [ upstream commit 74d719cb0b59ecd701a264dccc9b892c451e69e9 ] The commit 7463d9f12 ("daemon: Deprecate KPR=probe") deprecated the KPR=probe option. However, it missed to explicitly set the default for >= 1.12 installations. The result of it is that the "probe" is used as a default for a new installation. This is because the following condition evaluates to true when ".Values.upgradeCompatibility" is not set: {{- /* Default values when 1.9 was initially deployed */ -}} {{- if semverCompare ">=1.9" (default "1.9" .Values.upgradeCompatibility) -}} {{- $defaultKubeProxyReplacement = "probe" -}} {{- end -}} NB: I find this very confusing and error prone. The following makes more sense: - the default ".Values.upgradeCompatibility" should be the latest version - "==" instead of ">=" should be used Otherwise, all "semverCompare" if-clauses we have will evaluate to true. Fixes: 7463d9f12 ("daemon: Deprecate KPR=probe") Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
d8ed1c1 Tam Mach 24 July 2022, 11:22:11 UTC helm: Guard apply sysctl init container [ upstream commit 6d920b25ae069f58c9f98ab87b54c94e7218da05 ] The newly added init container (e.g. sysctl init) requires hostproc volume mount, however, this volume is only mounted based on the helm flag .Values.cgroup.autoMount.enabled. This commit is to make sure that such condition is added to avoid any failure. Relates: https://github.com/cilium/cilium/pull/20072 Fixes: https://github.com/cilium/cilium/issues/20626 Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
c34ed67 xiaoqing 21 July 2022, 15:20:28 UTC Trigger NodeManager.Resync immediately after new ENI successfully created [ upstream commit e597da49a226203b2c867f064df3a823e1c7b68c ] Current successfully call createInterface not trigger n.manager.resyncTrigger. It cause spec.ipam.pool update delay, so agent not able allocate ip for new pod until periodic trigger NodeManager.Resync. This patch trigger NodeManager.Resync immediately to update ciliumNode resource. Fixes: #20595 Fixes: bcdb763ca31cd (Fix for excess IP release race condition | handshake between agent and operator) Signed-off-by: xiaoqing <xiaoqingnb@gmail.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
7e22239 Vincent Li 20 July 2022, 17:54:43 UTC doc: Clarify CentOS 7 kernel upgrade and Cilium advance features [ upstream commit 57cd2aab756e8e8bd5d55df417e219275cb1a7af ] Users run CentOS 7 with third-party kernel upgrade with Cilium advance features should check various advance features kernel config options requirements. Suggested-by: Joe Stringer <joe@cilium.io> Signed-off-by: Vincent Li <v.li@f5.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
e7e8d74 Tobias Klauser 21 July 2022, 11:40:40 UTC ci: pick up cilium-cli v0.12.0 for master, v1.11 and v1.12 workflows [ upstream commit 608e2e3d6fd0115ed538e92df5704aa75a03bf75 ] Release notes: https://github.com/cilium/cilium-cli/releases/tag/v0.12.0 Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
6fdea67 dependabot[bot] 10 August 2022, 14:36:55 UTC build(deps): bump library/alpine from 3.16.1 to 3.16.2 in /images/cache Bumps library/alpine from 3.16.1 to 3.16.2. --- updated-dependencies: - dependency-name: library/alpine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 10 August 2022, 17:29:54 UTC
756510c Joe Stringer 25 July 2022, 16:45:46 UTC daemon: Improve dnsproxy error when EP not found [ upstream commit 69a9913e275943c8c1145df2c7bddbffef70e132 ] When the local endpoint is not found, at least print the tuple so there's a clue which pod could have been impacted. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 10 August 2022, 10:40:19 UTC
d790b42 Marga Manterola 22 July 2022, 13:57:00 UTC Remove completed items from Service Mesh Roadmap [ upstream commit 4b021f98eda30b036a68fd3e2a6bd8b37090f8f6 ] The Service Mesh branch has already been merged into the main branch, and Ingress has been released as stable, so removed those two items from the roadmap. Signed-off-by: Marga Manterola <marga@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 10 August 2022, 10:40:19 UTC
de6f906 Joe Stringer 18 July 2022, 14:44:26 UTC contrib: Add CRD generation to release process [ upstream commit 9e71971447a8cfeec3046b0a6ffa8d79ac7fde54 ] This step is currently separate in the https://github.com/cilium/release process. Add it to this script so it doesn't need to be run manually by the release manager. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 10 August 2022, 10:40:19 UTC
bf2a579 hhoover 21 July 2022, 15:11:40 UTC docs: update etcd kvstore migration instructions [ upstream commit 2778eb5f9dee2a85f3145a8c6c404c5adeb40f33 ] The Helm chart does not have a "global" section for etcd. This also updates the pod name to cilium-preflight-check-1234 and adds a way to confirm a successful migration. Signed-off-by: hhoover <hart@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 10 August 2022, 10:40:19 UTC
d56b2cc Paul Chaignon 10 July 2022, 17:48:23 UTC docs: Note on removal of IPVLAN in upgrade guide [ upstream commit 8bcc5fe2c594b5fb4b9d2966906c490dea215d83 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 10 August 2022, 10:40:19 UTC
cafedad Paul Chaignon 18 July 2022, 11:03:59 UTC bpf: Remove ENABLE_HOST_REDIRECT [ upstream commit a05856a37a2577b1e1490dde30488620b5d949cf ] Because we removed the IPVLAN feature, ENABLE_HOST_REDIRECT is now always defined. We can thus remove all guards with that macro in the datapath code. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 10 August 2022, 10:40:19 UTC
1f1face Paul Chaignon 18 July 2022, 10:28:28 UTC bpf: Remove ENABLE_EXTRA_HOST_DEV [ upstream commit 79e4db9399dfab0ed129f09e1c7f6762c1b55d92 ] Because we removed the IPVLAN feature, ENABLE_EXTRA_HOST_DEV is now never defined. We can thus remove all datapath code guarded by that macro. Suggested-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 10 August 2022, 10:40:19 UTC
d7af9ef Paul Chaignon 18 July 2022, 10:56:55 UTC Remove IPVLAN code [ upstream commit c3adaec9dc06a68f19c4a5af425312930d0fe507 ] IPVLAN support was deprecated in v1.11 and can now be fully removed. This commit removes all IPVLAN code in the agent and in the datapath. Additional simplifications of the code may be possible following this. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 10 August 2022, 10:40:19 UTC
cee7698 Paul Chaignon 15 July 2022, 15:18:59 UTC loader: Allow TestCompileAndLoadHostEndpoint to work without IPVLAN [ upstream commit a428914c27d4e6c14964bfd76ea15bcc07b054b2 ] The TestCompileAndLoadHostEndpoint "unit" test is covering the loading of the host datapath (reloadHostDatapath). Currently, when IPVLAN is disabled, part of this code path consists in patching and loading a second object file for the second host device (cilium_net). This part is a trickier to test because it requires a bit more information. So the test skips it by enabling IPVLAN. A subsequent commit will remove all IPVLAN support, so we need to find another way to make the test work. This commit achieves that by setting up all configuration necessary for the patching and loading of cilium_net's BPF programs to succeed. The main struggle here is that instead of working from the object file for cilium_host and patching it with the information for cilium_net, we are working from an object file compiled with node_config.h's default contents. First, the node_config.h defines the endpoint ID as 65535 so we need to assign that ID to the host endpoint to avoid errors such as: no such string \"test_cilium_calls_00001\" in ELF Then, node_config.h adds a test_ prefix to map names so we need to redefine map names in the agent to avoid the following errors. In order to do that, we make callsmap.{Host,Netdev}MapName variables instead of constants. failed to write ELF file: test_loader/bpf_host_cilium_net.o: no such string \"cilium_policy_65535\" in ELF failed to write ELF file: test_loader/bpf_host_cilium_net.o: no such string \"cilium_calls_hostns_65535\" in ELF Of course, we also need to create the endpoint's state directory to be able to write the patched object file there. Finally, we need to make SECCTX_FROM_IPCACHE into a proper static data variable in our node_config.h so that it appears as a symbol we can replace in the object file. With all that, we can patch and load the object file for cilium_net. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 10 August 2022, 10:40:19 UTC
94a4ca6 Vincent Li 19 July 2022, 15:27:06 UTC vtep: skipping symbol substitution cilium_vtep_map [ upstream commit 1edd058ba72093ff810737862cc27b3d1a825575 ] cilium agent logs: level=warning msg="Skipping symbol substitution" subsys=elf symbol=cilium_vtep_map add cilium_vtep_map to ignoredELFPrefixes to avoid the warning log. Signed-off-by: Vincent Li <v.li@f5.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 10 August 2022, 10:40:19 UTC
9245c15 Vincent Li 14 July 2022, 22:28:45 UTC vtep: remove vtep route debug log [ upstream commit 131029775e1c64f09e58b512671e432d9493fec7 ] the vtep route debug log is not needed since it is there to aid development and now bugtool includes the vtep route for trouble shooting Signed-off-by: Vincent Li <v.li@f5.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 10 August 2022, 10:40:19 UTC
cc5fbff dependabot[bot] 05 August 2022, 14:29:33 UTC build(deps): bump docker/build-push-action from 3.1.0 to 3.1.1 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/1cb9d22b932e4832bb29793b7777ec860fc1cde0...c84f38281176d4c9cdb1626ffafcd6b3911b5d94) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 05 August 2022, 21:30:01 UTC
2d242c8 dependabot[bot] 05 August 2022, 14:29:38 UTC build(deps): bump actions/cache from 3.0.5 to 3.0.6 Bumps [actions/cache](https://github.com/actions/cache) from 3.0.5 to 3.0.6. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/0865c47f36e68161719c5b124609996bb5c40129...f4278025ab0f432ce369118909e46deec636f50c) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 05 August 2022, 21:29:31 UTC
c083bd4 dependabot[bot] 04 August 2022, 14:44:35 UTC build(deps): bump github/codeql-action from 2.1.17 to 2.1.18 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.17 to 2.1.18. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0c670bbf0414f39666df6ce8e718ec5662c21e03...2ca79b6fa8d3ec278944088b4aa5f46912db5d63) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 04 August 2022, 15:41:47 UTC
7715ba9 Tobias Klauser 02 August 2022, 10:23:25 UTC Update Go to 1.18.5 This includes various security fixes, see https://go.dev/doc/devel/release#go1.18.5 for details. Signed-off-by: Tobias Klauser <tobias@cilium.io> 02 August 2022, 16:28:20 UTC
59891cd dependabot[bot] 29 July 2022, 12:57:00 UTC build(deps): bump github/codeql-action from 2.1.16 to 2.1.17 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.16 to 2.1.17. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/3e7e3b32d0fb8283594bb0a76cc60a00918b0969...0c670bbf0414f39666df6ce8e718ec5662c21e03) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 29 July 2022, 15:47:50 UTC
da450d0 André Martins 28 July 2022, 14:51:02 UTC CHANGELOG: fix v1.12.0 changelog The changelog script contains more entries than what it should. Some of the PRs were already backported to v1.11 so they should be part of the v1.12.0 changelog. Signed-off-by: André Martins <andre@cilium.io> 28 July 2022, 15:59:27 UTC
f3d1dc3 dependabot[bot] 19 July 2022, 11:53:26 UTC build(deps): bump KyleMayes/install-llvm-action from 1.5.3 to 1.5.4 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from 1.5.3 to 1.5.4. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/f0cccbdf563688c6e0f9273d4bc27a8c5278de85...c538b5e281d5fc40848a3a62636a3a2b6f5a1cfa) --- updated-dependencies: - dependency-name: KyleMayes/install-llvm-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 20 July 2022, 15:48:50 UTC
3fe32cf dependabot[bot] 19 July 2022, 20:51:24 UTC build(deps): bump docker/build-push-action from 3.0.0 to 3.1.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/e551b19e49efd4e98792db7592c17c09b89db8d8...1cb9d22b932e4832bb29793b7777ec860fc1cde0) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 20 July 2022, 15:47:24 UTC
e125a9a dependabot[bot] 19 July 2022, 14:44:17 UTC build(deps): bump library/alpine from 3.16.0 to 3.16.1 in /images/cache Bumps library/alpine from 3.16.0 to 3.16.1. --- updated-dependencies: - dependency-name: library/alpine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 20 July 2022, 15:25:25 UTC
7460b94 André Martins 19 July 2022, 12:43:58 UTC install: Update image digests for v1.12.0 Generated from https://github.com/cilium/cilium/actions/runs/2697439362. `docker.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade` `quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade` `docker.io/cilium/cilium:stable@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade` `quay.io/cilium/cilium:stable@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade` `docker.io/cilium/clustermesh-apiserver:v1.12.0@sha256:3f5a6298bd70a2b555c88e291eec1583a6478c3e2272e3fc721aa03b3300d299` `quay.io/cilium/clustermesh-apiserver:v1.12.0@sha256:3f5a6298bd70a2b555c88e291eec1583a6478c3e2272e3fc721aa03b3300d299` `docker.io/cilium/clustermesh-apiserver:stable@sha256:3f5a6298bd70a2b555c88e291eec1583a6478c3e2272e3fc721aa03b3300d299` `quay.io/cilium/clustermesh-apiserver:stable@sha256:3f5a6298bd70a2b555c88e291eec1583a6478c3e2272e3fc721aa03b3300d299` `docker.io/cilium/docker-plugin:v1.12.0@sha256:b55ec7b5f60d167a96eae7dcfa43a57b467212199388d8a11d68a1e55921ad22` `quay.io/cilium/docker-plugin:v1.12.0@sha256:b55ec7b5f60d167a96eae7dcfa43a57b467212199388d8a11d68a1e55921ad22` `docker.io/cilium/docker-plugin:stable@sha256:b55ec7b5f60d167a96eae7dcfa43a57b467212199388d8a11d68a1e55921ad22` `quay.io/cilium/docker-plugin:stable@sha256:b55ec7b5f60d167a96eae7dcfa43a57b467212199388d8a11d68a1e55921ad22` `docker.io/cilium/hubble-relay:v1.12.0@sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d` `quay.io/cilium/hubble-relay:v1.12.0@sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d` `docker.io/cilium/hubble-relay:stable@sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d` `quay.io/cilium/hubble-relay:stable@sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d` `docker.io/cilium/operator-alibabacloud:v1.12.0@sha256:93dddf88e92119a141a913b44ab9cb909f19b9a7bf01e30b98c1e8afeec51cd5` `quay.io/cilium/operator-alibabacloud:v1.12.0@sha256:93dddf88e92119a141a913b44ab9cb909f19b9a7bf01e30b98c1e8afeec51cd5` `docker.io/cilium/operator-alibabacloud:stable@sha256:93dddf88e92119a141a913b44ab9cb909f19b9a7bf01e30b98c1e8afeec51cd5` `quay.io/cilium/operator-alibabacloud:stable@sha256:93dddf88e92119a141a913b44ab9cb909f19b9a7bf01e30b98c1e8afeec51cd5` `docker.io/cilium/operator-aws:v1.12.0@sha256:cb73df18b03b4fc914c80045d0ddb6c9256972449382e3c4b294fd9c371ace22` `quay.io/cilium/operator-aws:v1.12.0@sha256:cb73df18b03b4fc914c80045d0ddb6c9256972449382e3c4b294fd9c371ace22` `docker.io/cilium/operator-aws:stable@sha256:cb73df18b03b4fc914c80045d0ddb6c9256972449382e3c4b294fd9c371ace22` `quay.io/cilium/operator-aws:stable@sha256:cb73df18b03b4fc914c80045d0ddb6c9256972449382e3c4b294fd9c371ace22` `docker.io/cilium/operator-azure:v1.12.0@sha256:98ffa2c8ebff33d4e91762fb57d4c36f152bb044c4e2141e15362cf95ecc24ba` `quay.io/cilium/operator-azure:v1.12.0@sha256:98ffa2c8ebff33d4e91762fb57d4c36f152bb044c4e2141e15362cf95ecc24ba` `docker.io/cilium/operator-azure:stable@sha256:98ffa2c8ebff33d4e91762fb57d4c36f152bb044c4e2141e15362cf95ecc24ba` `quay.io/cilium/operator-azure:stable@sha256:98ffa2c8ebff33d4e91762fb57d4c36f152bb044c4e2141e15362cf95ecc24ba` `docker.io/cilium/operator-generic:v1.12.0@sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410` `quay.io/cilium/operator-generic:v1.12.0@sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410` `docker.io/cilium/operator-generic:stable@sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410` `quay.io/cilium/operator-generic:stable@sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410` `docker.io/cilium/operator:v1.12.0@sha256:6e4c7c270a6a9b5ba9d4b628d0df1d32bc6f72259b179af377aaad373aa65335` `quay.io/cilium/operator:v1.12.0@sha256:6e4c7c270a6a9b5ba9d4b628d0df1d32bc6f72259b179af377aaad373aa65335` `docker.io/cilium/operator:stable@sha256:6e4c7c270a6a9b5ba9d4b628d0df1d32bc6f72259b179af377aaad373aa65335` `quay.io/cilium/operator:stable@sha256:6e4c7c270a6a9b5ba9d4b628d0df1d32bc6f72259b179af377aaad373aa65335` Signed-off-by: André Martins <andre@cilium.io> 19 July 2022, 13:08:39 UTC
9447cd1 André Martins 19 July 2022, 10:22:00 UTC Prepare for release v1.12.0 Signed-off-by: André Martins <andre@cilium.io> 19 July 2022, 11:52:53 UTC
06347d5 André Martins 18 July 2022, 21:13:09 UTC pkg/k8s: do not wait for endpointslice cache sync in k8s >= 1.17 [ upstream commit 25e35f166166eca7676fb6c67bfda04278e0544a ] When stopping the EndpointSlice Kubernetes watchers we should also cancel the waiting to sync this group resource. In failing doing it so, Cilium will timeout on waiting for these resources on Kubernetes versions that should have EndpointSlice v1beta1 available but it's not enabled. Fixes: a0c1ad657ddb ("pkg/k8s/version: Set EndpointSlice cap when version >=1.17") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 19 July 2022, 09:53:01 UTC
e68e567 Tam Mach 14 July 2022, 23:24:34 UTC k8s/crds: Allow ingress identity in CNP [ upstream commit 8fc97268e321fe36b6237b118a24221d2897ace4 ] Relates: https://github.com/cilium/cilium/pull/19764 Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 23:19:33 UTC
af8c36f Li Chengyuan 17 July 2022, 02:10:36 UTC Fix mtu setting for tunnel interface in init.sh [ upstream commit 4afdae82f50619e9e3e29d3b40f0f8fb9b54affd ] The mtu setting could be overwritten to default value (1500) if interface is re-created (in TUNNEL_PORT isnot nil case), so move mtu setting after tunnel interface is re-created. Signed-off-by: Li Chengyuan <chengyuanli@hotmail.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 23:19:33 UTC
96860e6 Fabio Falzoi 14 July 2022, 16:18:32 UTC docs: add more details to the Egress Gateway GSG [ upstream commit 90e25f726022eedf4d0c770e5c575c28af6276d3 ] The example Egress Gateway Policy mentioned in the Getting Started Guide cannot be applied as is. First, the IP address of the user external service must be specified instead of the example one in the policy yaml. Then, it is necessary to add the proper label to the node selected as the Egress Gateway. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 23:19:33 UTC
252eaf0 Fabio Falzoi 14 July 2022, 15:46:18 UTC docs: fix rollout suggestion in Egress Gateway guide [ upstream commit 16e32245d05914858c6ee7ae36651254dd22b881 ] To make the changes effective after a `helm upgrade`, both the operator pods and the agent pods must be restarted. The option `--rollOutCiliumPods=true`` will not restart the operator pods, thus leaving the agent pods in an incorrect state after the restart. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 23:19:33 UTC
03f214c Raphaël Pinson 15 July 2022, 10:58:38 UTC fix(masquerading): typo [ upstream commit 522da61dd9ea3928dc813a2dc874491f9840a110 ] Signed-off-by: Raphaël Pinson <raphael@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 23:19:33 UTC
18865ef Raphaël Pinson 15 July 2022, 10:56:55 UTC docs(masquerading): add missing "address" [ upstream commit 908316c9939c7b01dea883749b72e28e24de6912 ] Signed-off-by: Raphaël Pinson <raphael@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 23:19:33 UTC
460e5b2 Michi Mutsuzaki 13 July 2022, 21:24:57 UTC helm: Add an option to wait for kube-proxy [ upstream commit 03516f207a137b99f09194a9da508c047440da2a ] This commit is to add the flag in helm, which will enable init container waiting for kube-proxy if required. The main reason is to avoid any potential race condition between kube-proxy and cilium agent. More context can be found in below related PR. Relates: https://github.com/cilium/cilium/pull/20123 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 23:19:33 UTC
40bbca4 Paul Chaignon 15 July 2022, 18:24:50 UTC images: update cilium-{runtime,builder} [ upstream commit 225007322961276b7f038938447d9f0e8df38ad9 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
0922528 Paul Chaignon 15 July 2022, 18:23:50 UTC images: Update cilium-iproute2 [ upstream commit 9ff94b95dab0c2bcebe613491559a83e788effb5 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
177de24 Paul Chaignon 15 July 2022, 18:18:34 UTC test: Update test-verifier image [ upstream commit e3e1a299678c775fc1364f038506d313bcd975b0 ] Our cilium/iproute2 and cilium/libbpf dependencies were updated to fix an issue where we don't bump the rlimit and thus sometimes fail to load BPF programs and maps. See [1] for more details. As a result, we've also updated the test-verifier image to reference the new cilium-iproute2 image. This commit updates the test-verifier reference in our K8sVerifier test. 1 - https://github.com/cilium/cilium/issues/20288#issuecomment-1185551102 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
b93a4c3 Tobias Klauser 15 July 2022, 09:55:54 UTC fqdn/dnsproxy: fix test build [ upstream commit 11b678b2e3d984591d6d85f791b1ecdee7e8b1c5 ] Commit 372407fbb580 exported errFailedAcquireSemaphore and errTimedOutAcquireSemaphore but didn't update the tests to use the new types. This wasn't caught because privileged tests weren't run on the corresponding PR #20491. Fixes: 372407fbb580 ("Add metric on number of requests rejected by DNS Proxy semaphore") Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
0c89157 Jussi Maki 01 July 2022, 13:15:33 UTC pkg/k8s/version: Set EndpointSlice cap when version >=1.17 [ upstream commit a0c1ad657ddb962273fc278aa0a2ba31f962e543 ] updateVersion only set EndpointSliceV1, but not EndpointSlice. Fix this, so that tests can set the capabilities correctly via Force() for older k8s versions. Fixes: 7a1039f414 ("k8s: Consolidate check for EndpointSlice support") Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
2c91659 Tobias Klauser 14 July 2022, 13:55:50 UTC test: remove nightly test leftovers [ upstream commit 4d880731e9f1336915279e16e0d6f74804dc338f ] PR #20128 removed the nightly test suites. Remove the accompanying Makefile targets, test helper integration and documentation as well. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
508d043 Tobias Klauser 14 July 2022, 09:47:29 UTC cilium/cmd, test/runtime: convert test loading invalid policy JSON to unit test [ upstream commit 0e441c9652bb0f0e5c8b3d212d54b0d75d6918f4 ] Instead of invoking the per-node cilium command to validate that loading an invalid policy JSON file fails, convert it to a unit test. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
0985636 Tobias Klauser 13 July 2022, 13:55:20 UTC test/runtime: remove unused policy manifest [ upstream commit f5936bb45864ac66368f7a0d37fcafe495ec193d ] The respective test was removed by commit 07c81c63cd25 ("test/runtime: remove no endpoint selector Ginkgo test"). Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
629b177 Martynas Pumputis 13 July 2022, 09:03:17 UTC test: Remove sockops test cases [ upstream commit 985e667319ff4b81598c6eb832ab58c188900bc3 ] The --sockops-enable=true is barely used (and working), and it might get deprecated. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
2cc5446 Jarno Rajahalme 11 July 2022, 09:15:50 UTC envoy: Support ca.crt Secrets [ upstream commit d45d305a6b5c707db0d1821b8941fa2150c9c33d ] Add support for CA certificates in generic secrets with `ca.crt` key. These are translated to Envoy validation contexts. Adding support for remaining Envoy validation context configs is TBD. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
50c03ab tommyp1ckles 08 July 2022, 01:18:24 UTC docs: Improve kubeproxy replacement and OKD GSG guide. [ upstream commit 28f4ae85fb5f22087f8e8ae95a02b8fa6dfab5f2 ] Made some clarifications in the kube-proxy replacement guide. Use variables instead of hardcoded port number to make executing commands easier. Addresses: #20375 Signed-off-by: tommyp1ckles <tom.hadlaw@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
a5b9738 Dylan Reimerink 08 July 2022, 13:58:51 UTC docs: Add cluster install/prep guide for AKS-to-AKS clustermesh [ upstream commit 44fffff66301964ab1f362ea695695dfa0e9a40c ] I discovered that getting clustermesh to work for two AKS clusters is a non-trivial task. I got it to work eventually, and documented the required steps in this guide. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
4beb889 Chance Zibolski 06 July 2022, 21:55:45 UTC Documentation: Download cilium-cli and hubble cli based on architecture [ upstream commit d4f22b8587c2d30ddc613b07e1e9f329d0fb462b ] Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 18 July 2022, 11:49:09 UTC
back to top