https://github.com/cilium/cilium

Revision Author Date Message Commit Date
c7516b9 Prepare for release v1.12.2 Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 14 September 2022, 14:28:27 UTC
ceb2b5d Documentation: run with endpoint routes under aws-cni chaining [ upstream commit 13bcd1b617fa83d14b74da70cea2640f1707e26d ] Similar to #19088, endpoint routes are also required for some features like NodePort-type services to work under aws-cni chaining. This commit adds the endpointRoutes.enabled setting to the Helm snippet in the docs. Related: #21126 Signed-off-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 14 September 2022, 13:16:52 UTC
1af026f kvstore/allocator: fix panic on receiving identity keys with an empty value [ upstream commit 6fef26f23e53c05ca5082c3d776f99338242e3dc ]
This problem is triggered when the event type is "UPDATE" AND the value is an empty string, resulting in the `key` variable being uninitialized:
```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x1cc4362]
goroutine 1430 [running]:
github.com/cilium/cilium/pkg/allocator.(*Allocator).encodeKey(0xc00f4fab00, 0x0, 0x0, 0xc0207a5838, 0x2ac8c01)
    /go/src/github.com/cilium/cilium/pkg/allocator/allocator.go:457 +0x22
github.com/cilium/cilium/pkg/allocator.(*cache).OnModify(0xc00f4fab98, 0x333f4, 0x2f28b38, 0xc03d7b2318)
    /go/src/github.com/cilium/cilium/pkg/allocator/cache.go:144 +0x22d
github.com/cilium/cilium/pkg/kvstore/allocator.(*kvstoreBackend).ListAndWatch(0xc005029e80, 0x2f1c088, 0xc0000c8008, 0x2f1c3d0, 0xc00f4fab98, 0xc00f5aaea0)
    /go/src/github.com/cilium/cilium/pkg/kvstore/allocator/allocator.go:624 +0x2a7
github.com/cilium/cilium/pkg/allocator.(*cache).start.func1(0xc00f4fab98)
    /go/src/github.com/cilium/cilium/pkg/allocator/cache.go:198 +0x73
created by github.com/cilium/cilium/pkg/allocator.(*cache).start
    /go/src/github.com/cilium/cilium/pkg/allocator/cache.go:197 +0xee
```
"CREATE" event handling did not suffer from this previously, as there is nil pointer checking in the `OnAdd()` handler.
Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 14 September 2022, 13:16:52 UTC
1952e38 install: add TerminationMessagePolicy to cilium pods [ upstream commit f62b617059407f437757458fc4318064076c32e7 ] This "captures" the last few lines of logs and sets them as the TerminationMessage in the Status. This means that errors are preserved even if logs are lost (e.g. because of node restarts). Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 14 September 2022, 13:16:52 UTC
6c5d26d envoy: Use image that sets reuseport when needed [ upstream commit 042e854c3aac3c22e21f2989fa0ae7cc80faf52f ] Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 14 September 2022, 13:16:52 UTC
d854b97 docs/contrib: Autogenerate CODEOWNERS docs pages [ upstream commit 92ab33612fdb26809a714a3f30f6d80b4684995b ] Convert the text at the top of the codeowners file into a restructured text document, complete with links to github teams and include this into the contributor documentation so that it's easier to find this information directly from the Cilium docs. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 14 September 2022, 13:16:52 UTC
66f2c49 CODEOWNERS: Document codeowners review [ upstream commit 64be186c1b2dea09f8509065eb5ff3749278390e ] Add some descriptions about the sorts of things that committers can be aware of when they are reviewing contributions. Document also a bit of the philosophy behind codeowner teams and how committers can become codeowners for aspects of the project. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 14 September 2022, 13:16:52 UTC
3fa0522 docs: fix check-crd-compat-table script [ upstream commit ab21ecbd53546abbc8d472498f1bbfae22842ee5 ] Since `head` terminates its execution before reading the input from the previous command, the previous command will receive a SIGPIPE signal. This, together with the fact that the scripts are set with `set -o pipefail` and `set -e`, makes the script terminate abruptly, causing the CRD compatibility table to be incorrectly created. For more information see: https://www.greenend.org.uk/rjk/tech/shellmistakes.html#pipeerrors Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 14 September 2022, 13:16:52 UTC
d713831 ingress: Rename LB annotation to annotation prefixes [ upstream commit 481493b5910804d953060010e485a4ce05e4fb73 ] This is to avoid any potential confusion from user. Also, related docs are updated. Related: https://github.com/cilium/cilium/pull/20860 Signed-off-by: Tam Mach <tam.mach@cilium.io> 13 September 2022, 09:30:33 UTC
0537b56 propagate required annotations from Ingress to Load Balancer Service [ upstream commit c9ccf17cbfca2f4b31e27c1c756193bca3e5b7a5 ] Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 13 September 2022, 09:30:33 UTC
693a0cf vagrant: Bump 4.9 Vagrant box (Linux 4.9.326, to fix a kernel bug) [ upstream commit 07e7fb0073ab387108ac6b4c126df1a34e36d5d2 ] (Backporters note: only update the v4.9 image, not the cilium-dev image because version 232 also contains an updated Go version, i.e. 1.19 instead of 1.18 still used on the v1.12 branch. This is fine for VM images used in tests because they use CI images built by GH actions using the proper Go version for the branch.) We have been hitting a kernel bug on 4.9 for the verifier tests. An underflow on the memlock rlimit counter, caused by the reallocation of BPF programs not updating the charged values, makes the counter go under zero and convert into a huge value, blocking all further loads of BPF objects [0]. This has been fixed in kernel 4.10 [1], and was backported at last in 4.9.326. We generated a new Ubuntu image based on that, let's update. [0] #20288 [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=5ccb071e97fbd9ffe623a0d3977cc6d013bee93c Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Tobias Klauser <tobias@isovalent.com> 13 September 2022, 09:28:42 UTC
c9a62af k8s: fix test flake in TestGenerateToCIDRFromEndpoint. Fixes: #21145 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 12 September 2022, 16:13:05 UTC
43e4a3b hubble/parser: Use Deployment name in flow workload [ upstream commit 3dee8f8fbf3e0bc174dcf93404fbc496988e2ee1 ] In #16514 support for retrieving workload names and storing them in flows was added for L3/L4 flows. In #21039 this same functionality has been added to L7 flows. However, currently for pods owned by ReplicaSets, this is somewhat limited, as most usages of ReplicaSets are via Deployments, and most users would want the Deployment name for the workload, rather than the ReplicaSet names. This is particularly important for metrics, where you would want to be able to identify the source/destination workload or filter/aggregate by the workload name, which is common in other service meshes. With this commit, we extend the previous functionality to now determine the Deployment name from the pod. This functionality was taken from https://github.com/istio/istio/blob/1aca7a67afd7b3e1d24fafb2fbfbeaf1e41534c0/pkg/kube/util.go and adapted to work with the cilium slim API types. This approach reverses the way pod names are generated for Deployments (and a few other types such as ReplicationControllers, CronJobs, and DeploymentConfigs), meaning we can do this without adding more k8s watchers and caches for additional Kubernetes resources, which means less memory consumption. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
9c440bc k8s/utils: Add GetWorkloadMetaFromPod from Istio [ upstream commit 0b74665fc9bf7e1c3d62aaa5e5d7235154b0c3bb ] Vendor a modified version of Istio's GetDeployMetaFromPod from github.com/istio/istio/pkg/kube/util.go as GetWorkloadMetaFromPod. It has been modified to work with the cilium slim API types and renamed to use the workload terminology. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
3e93784 k8s/slim: Add GenerateName to ObjectMeta and Controller to OwnerReference [ upstream commit 138b74f20d8d144a694ab43605c373320c421c36 ] These are needed to heuristically lookup the workload owner for a pod based on the ownerReference of a pod. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
6e98efe filter out pod labels from synchronizing with cilium endpoint labels [ upstream commit 796de9d1bb37ef287c5877ed3b4b66371b00848a ] Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
7cff587 operator: update CiliumNode in kvstore without lease [ upstream commit 3abbf57b079ddf5ccfd9d1e57f4ef8eadbf9fa98 ] Under normal circumstances, the agents should keep their own CiliumNode up to date in the kvstore. In case of an agent restarting or otherwise failing to renew the lease, the operator's sync logic might take over and update the key with its own lease. This could lead to problems when the respective agent comes back up and tries to renew the lease for its own CiliumNode entry. To prevent this situation, let the operator k8s->kvstore sync logic for CiliumNodes update the entries without taking a lease. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
65c8ee9 kvstore/store: refactor syncLocalKey{,s} to take a lease argument [ upstream commit 93ad408292d9808b3adaafec5cee91de8be5affe ] Rather than always setting lease=true in the call to the backend's UpdateIfDifferent method, allow callers to request attachment of a lease. Convert all current callers to call with lease=true. Refactoring change only, no change in functionality. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
d0a5615 kvstore/store: remove unused (*SharedStore).UpdateLocalKey [ upstream commit 4fe3615efcabe7d0cf25d6102e54bb1fc16fddf5 ] It's unused since commit 960da244c42d ("kvstore/store: Do not remove local key on sync failure"). Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
e20b067 kvstore: use (*etcdClient).GetSessionLeaseID [ upstream commit 8bde91aea6c4542d58edeec80e5f1b873ca707ab ] Use the existing method instead of open-coding it in (*etcdClient).UpdateIfDifferentIfLocked and (*etcdClient).UpdateIfDifferent. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
8bf8ff7 install: Support configuring metricsRelabelings on ServiceMonitors [ upstream commit 3687585bbc291d4b83750a327bdeb8bdf8be0f54 ] This allows adding or removing labels in metrics collected by Prometheus. Additionally, I removed the node relabeling in the hubble ServiceMonitor because this is automatically added by prometheus-operator already, so it was redundant and unnecessary for our ServiceMonitor to configure itself. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
c092f5a hubble-ui: release v0.9.2 [ upstream commit c3feb60e6f63f8a88c668d5e030dd1ac94160395 ] Added `hubble.ui.frontend.server.ipv6.enabled` helm flag to control nginx server ipv6 listener Signed-off-by: Dmitry Kharitonov <dmitry@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
65a0373 daemon: Coalesce endpoint CIDRs in ENI mode [ upstream commit c87cdeb2496ed99fe3550efa25b515797fe6ab20 ] Fixes: #18868. Multiple CIDRs are currently not coalesced for the health endpoint when setting up routing the corresponding routing tables. This results in orphaned routing entries that may conflict when IPs are reused for workload pods after an agent restart. Addresses comment https://github.com/cilium/cilium/pull/20112#issuecomment-1180343763 Signed-off-by: Simone Sciarrati <s.sciarrati@gmail.com> Signed-off-by: Federico Hernandez <f@ederi.co> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
21833b3 pkg/bgpv1/annotations: Optimize annotations Errors [ upstream commit b9e6d8233c9ff12aac08b5a2d0a9b8b13747dc3e ]
Avoid using fmt.Sprintf() so that Go won't over-allocate the memory.
issue reference : cilium#19571
Result:
```
$ go test -v -benchmem -run=^$ -bench 'BenchmarkErrNotVRouterAnnoError' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrNotVRouterAnnoError_old.txt
$ go test -v -benchmem -run=^$ -bench 'BenchmarkErrErrNoASNAnno' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrErrNoASNAnno_old.txt
$ go test -v -benchmem -run=^$ -bench 'BenchmarkErrASNAnno' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrASNAnno_old.txt
$ go test -v -benchmem -run=^$ -bench 'BenchmarkErrNotVRouterAnnoError' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrNotVRouterAnnoError_new.txt
$ go test -v -benchmem -run=^$ -bench 'BenchmarkErrErrNoASNAnno' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrErrNoASNAnno_new.txt
$ go test -v -benchmem -run=^$ -bench 'BenchmarkErrASNAnno' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrASNAnno_new.txt
$ benchcmp BenchmarkErrNotVRouterAnnoError_old.txt BenchmarkErrNotVRouterAnnoError_new.txt
benchcmp is deprecated in favor of benchstat: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat
benchmark                              old ns/op     new ns/op     delta
BenchmarkErrNotVRouterAnnoError-12     186           47.2          -74.67%
benchmark                              old allocs    new allocs    delta
BenchmarkErrNotVRouterAnnoError-12     2             1             -50.00%
benchmark                              old bytes     new bytes     delta
BenchmarkErrNotVRouterAnnoError-12     96            80            -16.67%
$ benchcmp BenchmarkErrErrNoASNAnno_old.txt BenchmarkErrErrNoASNAnno_new.txt
benchcmp is deprecated in favor of benchstat: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat
benchmark                       old ns/op     new ns/op     delta
BenchmarkErrErrNoASNAnno-12     143           45.0          -68.49%
benchmark                       old allocs    new allocs    delta
BenchmarkErrErrNoASNAnno-12     2             1             -50.00%
benchmark                       old bytes     new bytes     delta
$ benchcmp BenchmarkErrASNAnno_old.txt BenchmarkErrASNAnno_new.txt
benchcmp is deprecated in favor of benchstat: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat
benchmark                  old ns/op     new ns/op     delta
BenchmarkErrASNAnno-12     252           61.6          -75.59%
benchmark                  old allocs    new allocs    delta
BenchmarkErrASNAnno-12     3             1             -66.67%
benchmark                  old bytes     new bytes     delta
BenchmarkErrASNAnno-12     112           80            -28.57%
```
Signed-off-by: MikeLing <sabergeass@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
dc13b76 datapath: allow packets to and from eni+ container interfaces [ upstream commit 48d46eb621494c09af916d156c286af6aa23e4de ]
AWS CNI chaining yields container interface names like 'eni621c0fc8425', not the usual 'lxcXYZ'. This causes packets for local endpoints to be dropped in CILIUM_FORWARD when they are called through a NodePort.
Before the patch, the CILIUM_FORWARD chain looks like this:
```
-A CILIUM_FORWARD -o cilium_host -m comment --comment "cilium: any->cluster on cilium_host forward accept" -j ACCEPT
-A CILIUM_FORWARD -i cilium_host -m comment --comment "cilium: cluster->any on cilium_host forward accept (nodeport)" -j ACCEPT
-A CILIUM_FORWARD -i lxc+ -m comment --comment "cilium: cluster->any on lxc+ forward accept" -j ACCEPT
-A CILIUM_FORWARD -i cilium_net -m comment --comment "cilium: cluster->any on cilium_net forward accept (nodeport)" -j ACCEPT
-A CILIUM_FORWARD -o lxc+ -m comment --comment "cilium: any->cluster on lxc+ forward accept" -j ACCEPT
-A CILIUM_FORWARD -i lxc+ -m comment --comment "cilium: cluster->any on lxc+ forward accept (nodeport)" -j ACCEPT
```
This doesn't match any packets to or from `eni+` container interfaces, letting them fall through to the `KUBE-FORWARD` chain instead:
```
-A FORWARD -m comment --comment "cilium-feeder: CILIUM_FORWARD" -j CILIUM_FORWARD
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
...
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
```
Initial SYN packets go through to the Pod, SYN-ACK responses from local NodePort services are bpf_redirect'ed back out the physical interface to the client, but any follow-up packets from the client arriving at the node are considered invalid by netfilter's conntrack since the reply packet bypassed the stack, and thus dropped.
This commit takes care of adding `-i eni+` and `-o eni+` iptables rules to make sure world->container packets are never dropped in the stack.
Signed-off-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
428c6d2 daemon,pkg: pull cni-chaining-mode configmap key into DaemonConfig [ upstream commit 99114351abd69f8859fd856ec45040002c95bcc0 ] The `cni-chaining-mode` ConfigMap key was introduced with the initial implementation of AWS CNI chaining, b568d2a179 ("cni: Add support for AWS CNI chaining") but was only used as an environment variable in the CNI installer script(s), not in the agent itself. This commit pulls in the key as a DaemonConfig value from the Cilium ConfigMap and removes manual parsing of CILIUM_CNI_CHAINING_MODE. Signed-off-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
633ae6d datapath: tolerate missing ifaces when setting rp_filter sysctl [ upstream commit 86e736f285c923c144b96b6078ddcd19def59074 ]
At the point where systemd-sysctl applies our rp_filter settings, the host might not have any cilium_* and/or lxc_* interfaces yet. But systemd-sysctl treats the failure to resolve these globs as a hard error:
    systemd-sysctl[9354]: Couldn't resolve glob 'net/ipv4/conf/lxc*/rp_filter': No such file or directory
    systemd[1]: systemd-sysctl.service: Main process exited, code=exited, status=1/FAILURE
    systemd[1]: systemd-sysctl.service: Failed with result 'exit-code'.
Adding the `-` option makes systemd-sysctl tolerate such errors.
Fixes: 6432558898aa ("datapath: Create sysctl `rp_filter` overwrite config on agent init") Suggested-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
195d394 operator: do not GC kvstore nodes if CiliumNodes are not available [ upstream commit 62548f2bc1fad0093b88eef34edc477bd4aad98c ] If users deploy Cilium without creating any CiliumNodes, Cilium Operator will GC all kvstore nodes once it starts. This commit adds a guardrail to prevent such behavior. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
1cec6bf proxy: Iterate proxy ports on port open failure [ upstream commit d193526f950d78009cb84aa68cd4d5a32b736a75 ] If the user does not specify a proxy port and it fails to listen on the port, instead of retrying again for that specific one, increment it. Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
c1312da metallb: bump to latest fork version [ upstream commit 4c77f5476fb0d9424bda051612212ae72bc58087 ] bumps to Cilium's latest metallb fork version. this bump alleviates a plain log message which ran in a hot loop. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
cc01d2f egressgw: reduce log noise in good paths [ upstream commit be641bb60f1d365f8ce0faee1fdc3442e2b0484f ] Demote the various Info() log statements to Debug(), so that we don't spam the logs when everything works as expected. Also fix a typo in one log message. Suggested-by: Bruno M. Custódio <brunomcustodio@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
1cc6fe6 egressgw: reduce log noise when installing IP rules/routes [ upstream commit d741e20bf34fe7c0ff151b836c2b61671c443d06 ] When updating the IP rules/routes, reconcile() tolerates that the first attempt at installing some new rules/routes fails (as they might conflict with existing rules/routes that haven't been removed yet). After removing all unused rules, it calls addMissingIpRulesAndRoutes() again and hopefully succeeds. Adjust the log severity accordingly when encountering errors on the first attempt. It's only a real problem when they occur on the retry. Suggested-by: Bruno M. Custódio <brunomcustodio@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
b01b561 dnsproxy: add cleanup [ upstream commit 266f70588825716c5ef4d0ceff9201ba8e6fa44b ] This change adds Cleanup function to dnsproxy which is added to daemon cleanup module. The cleanup closes TCP and UDP sockets, which will cause proxy to stop serving DNS traffic before shutdown. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
19b9e11 dnsproxy: populate DNS clients before proxy start [ upstream commit 588555069ac08bbbd31af77943e33c128c5344e8 ] This change causes DNS clients that dnsproxy uses to connect to upstream DNS servers to be populated before proxy binds to its sockets. Clients being set after proxy binds might have caused some DNS traffic to be dropped while proxy was starting up. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
1823586 pkg/k8s/watcher: fix deadlock with service event handler & CES watcher. [ upstream commit 4b87ccc9809bb8a37e51bf5c22726bbff866e541 ]
There is a deadlock that can occur when a k8s service update and a policy update occur at the same time. In practice, this can occur in the following situation:
1. CiliumEndpointSlice k8s watcher performs an update due to a new watcher event. The handler logic for this first goes to hold a lock on the IPCache. Next, this triggers an endpoint regeneration via the endpoint manager. Note: This code path will wait for endpoint regeneration to complete via a passed WaitGroup. To complete this task, endpoint manager attempts to lock policyRepository. Effectively, this means that CES handler has locking dependencies on IPCache's lock and policyRepo's lock (transitively, by waiting on endpointManager endpoint regeneration). It will not release the IPCache lock until endpoint regen is done, thus waiting on the policyRepo lock.
2. The k8sServiceHandler control loop performs an update due to kube-apiserver service record change (i.e. this is common on EKS where the control plane IPs change often). A new policyRepository.Translator is constructed with k8s.RuleTranslator{} with AllocatedPrefixes being enabled. This implementation of the Translator holds a reference to ipcache and uses that to make necessary prefix updates to ipcache during the translation. This is passed to policyRepository to perform policy rule translation, which locks itself before proceeding to use translator.Translate(...) to perform translation on its state. The k8sServiceHandler now holds nested locks on policyRepo -> ipcache.
At this point, let's say codepath 1. is holding a lock on both ipcache and waiting on a lock for policyRepo (nested ipCache -> policyRepo). At the same time, codepath 2. (i.e. k8sServiceHandler) just grabbed a policyRepo lock and is waiting for the ipcache lock.
Codepath 2 (which holds policyRepo) needs ipcache to unlock, which is held by Codepath 1, Which is waiting for policyRepo to unlock. The following is a stack trace of such a case occurring: 101 occurences. Sample stack trace: 6 occurences. Sample stack trace: sync.runtime_SemacquireMutex(0xc0018f0e08?, 0x20?, 0xc000c12740?) /usr/local/go/src/runtime/sema.go:71 +0x25 sync.(*RWMutex).RLock(...) /usr/local/go/src/sync/rwmutex.go:63 github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regeneratePolicy(0xc0010c7c00) /go/src/github.com/cilium/cilium/pkg/endpoint/policy.go:198 +0x11a github.com/cilium/cilium/pkg/endpoint.(*Endpoint).runPreCompilationSteps(0xc0010c7c00, 0xc0005be400) /go/src/github.com/cilium/cilium/pkg/endpoint/bpf.go:814 +0x2c5 github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerateBPF(0xc0010c7c00, 0xc0005be400) /go/src/github.com/cilium/cilium/pkg/endpoint/bpf.go:584 +0x189 github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerate(0xc0010c7c00, 0xc0005be400) /go/src/github.com/cilium/cilium/pkg/endpoint/policy.go:398 +0x7a5 github.com/cilium/cilium/pkg/endpoint.(*EndpointRegenerationEvent).Handle(0xc0099405b0, 0x2a27540?) /go/src/github.com/cilium/cilium/pkg/endpoint/events.go:53 +0x325 github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).run.func1() /go/src/github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:245 +0x13b sync.(*Once).doSlow(0x2f14d01?, 0x4422a5?) /usr/local/go/src/sync/once.go:68 +0xc2 sync.(*Once).Do(...) /usr/local/go/src/sync/once.go:59 github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).run(0x0?) /go/src/github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:233 +0x45 created by github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).Run /go/src/github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:229 +0x76 1 occurences. Sample stack trace: sync.runtime_Semacquire(0xc0003f44d0?) /usr/local/go/src/runtime/sema.go:56 +0x25 sync.(*WaitGroup).Wait(0xc0003f5420?) 
/usr/local/go/src/sync/waitgroup.go:136 +0x52 github.com/cilium/cilium/pkg/ipcache.(*IPCache).UpdatePolicyMaps(0xc001003580, {0x3468338, 0xc00007e038}, 0xa?, 0xc008c15e60) /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:235 +0xc7 github.com/cilium/cilium/pkg/ipcache.(*IPCache).removeLabelsFromIPs(0xc001003580, 0xc005d73778?, {0x2f35b2b, 0xf}) /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:414 +0x7c5 github.com/cilium/cilium/pkg/ipcache.(*IPCache).RemoveLabelsExcluded(0xc001003580, 0xc0000e3110, 0xc001506dd8?, {0x2f35b2b, 0xf}) /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:328 +0x1ab github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).handleKubeAPIServerServiceEPChanges(0xc001586d80, 0xc003ec89b0?) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint.go:135 +0x5b github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).addKubeAPIServerServiceEPSliceV1(0xf3c386?, 0xc001ab7d40) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint_slice.go:205 +0x452 github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).updateK8sEndpointSliceV1(0xc001586d80, 0xc001ab7d40?, 0xc001ab7d40?) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint_slice.go:178 +0x69 github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).endpointSlicesInit.func2({0x2ec7ea0?, 0xc00294c410?}, {0x2ec7ea0, 0xc001ab7d40}) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint_slice.go:71 +0x125 k8s.io/client-go/tools/cache.ResourceEventHandlerFuncs.OnUpdate(...) 
/go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:239 github.com/cilium/cilium/pkg/k8s/informer.NewInformerWithStore.func1({0x2a4b9c0?, 0xc00057d1e8?}) /go/src/github.com/cilium/cilium/pkg/k8s/informer/informer.go:103 +0x2fe k8s.io/client-go/tools/cache.(*DeltaFIFO).Pop(0xc001b805a0, 0xc000927940) /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/delta_fifo.go:554 +0x566 k8s.io/client-go/tools/cache.(*controller).processLoop(0xc001bda1b0) /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:184 +0x36 k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0x40d6a5?) /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155 +0x3e k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xed53e5?, {0x343e1c0, 0xc000d50450}, 0x1, 0xc000929980) /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156 +0xb6 k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc001bda218?, 0x3b9aca00, 0x0, 0x30?, 0x7f587b87fd30?) /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133 +0x89 k8s.io/apimachinery/pkg/util/wait.Until(...) /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90 k8s.io/client-go/tools/cache.(*controller).Run(0xc001bda1b0, 0xc000929980) /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:155 +0x2c5 created by github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).endpointSlicesInit /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint_slice.go:156 +0x759 1 occurences. Sample stack trace: sync.runtime_SemacquireMutex(0xc000880000?, 0x20?, 0x21?) /usr/local/go/src/runtime/sema.go:71 +0x25 sync.(*RWMutex).RLock(...) 
/usr/local/go/src/sync/rwmutex.go:63 github.com/cilium/cilium/pkg/ipcache.(*metadata).get(0xc00104f770?, {0xc0069e9160?, 0x9?}) /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:90 +0x66 github.com/cilium/cilium/pkg/ipcache.(*IPCache).GetIDMetadataByIP(...) /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:86 github.com/cilium/cilium/pkg/ipcache.(*IPCache).AllocateCIDRs(0xc001003580, {0xc008680cf0, 0x2, 0x0?}, {0x0, 0x0, 0x0?}, 0x0) /go/src/github.com/cilium/cilium/pkg/ipcache/cidr.go:57 +0x22b github.com/cilium/cilium/pkg/k8s.RuleTranslator.generateToCidrFromEndpoint({0xc001003580, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, {0xc008c15e00}, 0xc001905e60, 0x0, 0x1}, 0xc001f667e0, ...) /go/src/github.com/cilium/cilium/pkg/k8s/rule_translate.go:124 +0xb3 github.com/cilium/cilium/pkg/k8s.RuleTranslator.populateEgress({0xc001003580, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, {0xc008c15e00}, 0xc001905e60, 0x0, 0x1}, 0xc001f667e0, ...) /go/src/github.com/cilium/cilium/pkg/k8s/rule_translate.go:62 +0x172 github.com/cilium/cilium/pkg/k8s.RuleTranslator.TranslateEgress({0xc001003580, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, {0xc008c15e00}, 0xc001905e60, 0x0, 0x1}, 0xc001f667e0, ...) /go/src/github.com/cilium/cilium/pkg/k8s/rule_translate.go:51 +0x18e github.com/cilium/cilium/pkg/k8s.RuleTranslator.Translate({0xc001003580, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, {0xc008c15e00}, 0xc001905e60, 0x0, 0x1}, 0xc001c66750, ...) 
/go/src/github.com/cilium/cilium/pkg/k8s/rule_translate.go:33 +0x117 github.com/cilium/cilium/pkg/policy.(*Repository).TranslateRules(0xc0003f5490, {0x3440260, 0xc0025fd280}) /go/src/github.com/cilium/cilium/pkg/policy/repository.go:627 +0x10b github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).k8sServiceHandler.func1({0x0, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, 0xc0015f0c80, 0x0, 0xc003165f50, 0xc001bc9c80}) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:586 +0xc9e github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).k8sServiceHandler(0xc001586d80) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:623 +0x9f created by github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).RunK8sServiceHandler /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:629 +0x56 This commit solves this situation by moving the IPCache allocation out of the k8s.RuleTranslator Translator implementation. Thus moving the responsibility of the IPCache updating out of the translator. This removes the nested policyRepo -> ipcache locks in translator. So, in situations like the one described, the translation no longer has a dependency on ipcache. Codepath 2 will be able to complete, releasing the policyRepo lock and allowing Codepath 1 to proceed. Note: Rule translation prefixes are not used in other usages of k8s.RuleTranslator called from endpoint watcher handler. So we don't have to add the same ipcache logic as in k8sServiceHandler. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Reported-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
b9f3004 pkg/k8s: fix node update sync from k8s to kvstore [ upstream commit 062549799357504bb13ceb1e7854aef56ecf6130 ] This commit simplifies the synchronization between the k8s node and kvstore. The local node state has all the information up to date so whenever we want to update it to the KVStore, or re-push it to the CiliumNode CRD, we should use this information. Fixes: 01cbc595ad48 ("k8s: keep CiliumNode labels synced with Node object") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
f72d62b Coalesce of health endpoint CIDRs [ upstream commit 10f1193f887b11629c6c3bde4bc2f5bdc13c8358 ] Fixes: #18868. Multiple CIDRs are currently not coalesced for the health endpoint when setting up routing the corresponding routing tables. This results in orphaned routing entries that may conflict when IPs are reused for workload pods after an agent restart. Signed-off-by: Simone Sciarrati <s.sciarrati@gmail.com> Signed-off-by: Federico Hernandez <f@ederi.co> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
521f6e6 Update Go to 1.18.6 This version fixes a security issue in the net/http package. See the release notes [1] for more details [1] https://go.dev/doc/devel/release#go1.18.6 Signed-off-by: Tobias Klauser <tobias@cilium.io> 09 September 2022, 08:43:28 UTC
6511bda test: update k8s versions to the latest patched releases Also update k8s libraries to v0.24.4 Signed-off-by: André Martins <andre@cilium.io> 08 September 2022, 18:58:55 UTC
f67b975 Caveat Differences Between K8s and Cilium Network Policies [ upstream commit 2fe9888090cf9de72d5fca272bce9ea3e62f7075 ] K8s Network Policies do have functionality that Cilium lacks. These limitations should be documented for a variety of reasons. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
2eb2753 pkg/endpoint: set labels for local node from k8s events [ upstream commit 90f41f02d422c6913aceb99dfa75bb46af7f95c8 ] Not setting these labels in the local node can cause the node to be out-of-sync in the KVStore. When IPSec configuration changes, Cilium will propagate these changes into the KVStore by executing [1] which eventually calls [2]. If the node labels are not up to date, Cilium will never be able to have this information in the KVStore as it will always re-use the labels fetched when Cilium started. [1] https://github.com/cilium/cilium/blob/dc0f7aa7687bf37078bc3db93161e936efb9cb94/pkg/datapath/linux/ipsec/ipsec_linux.go#L698 [2] https://github.com/cilium/cilium/blob/9fd55dd7e849ee5edaf72d75d339213e10b97940/pkg/nodediscovery/nodediscovery.go#L247 Fixes: 8d0211c37537 ("pkg/identity: Watch and update labels for the host") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
4d912c3 pkg/nodediscovery: protect variable against concurrent access [ upstream commit b0f7b91bdaece8e54e52077206d0a0111cd6b3a8 ] This variable can be accessed concurrently since controllers run on a separate goroutine. Using its mutex and performing a DeepCopy will help protect it against concurrent access. Fixes: e52fe1d59d1c ("nodediscovery: Make LocalNode object private") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
48a3f79 docs: Update ToServices docs section [ upstream commit 124357f3754b24f036d2cb1dd3febea485b1456d ] Update this section to highlight the limitation, improve wording, and remove future-looking statements. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
54aedb5 docs/contrib: Add extra guidance on large PRs [ upstream commit 0acee007c2718000b5f1e883306b9925f8c0ea0d ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
690b615 docs/contrib: Update hat duties guide [ upstream commit 5092e14fe22c08203062c9d843ef57786b604546 ] The three hats were combined into the "top" hat some time back. Update these instructions to reflect the single duty. Most notably, we changed from having the tophat own backport PRs beyond their assigned week to instead handing the backport PRs over to the next tophat to resolve and merge (subject to negotiation with the subsequent hatter) Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
07dd6c9 docs/contrib: Add suggestions for review focus [ upstream commit ffd0db59f1eaa8be25a898042b930c0cfd2a0356 ] This is just documenting a process that we have used regularly during Cilium development over the past years. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
58ddb39 docs/contrib: Improve paragraph formatting [ upstream commit cf343d5bc1805eb1ad9ceafe795139acdb83e202 ] The contributors' guide was using ordered lists in places where they don't make sense or don't format correctly. Shuffle the formatting a bit to more clearly denote where things are intended as an ordered list of tasks or just a general description of how the process works. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
ba7463a docs/ci: Update triage steps for current practice [ upstream commit e5e801a66813f2ee6ad482215b4a48aeb90e8aac ] We use the "#testing" channel on Slack to coordinate testing issues, and we no longer use the CI triage project to track flakes. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
bd0414c docs/ci: Fix triage link location [ upstream commit 449cbb962e01f0416364eb84c6b77b0ff2432659 ] This link was pointing to jobs rather than the triage step, which is what other parts of the docs are referring to when they link to this section. Move the link to point to the correct title. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
235b6d2 helm: Add check for apparmor annotations [ upstream commit 5b8f0925ae6a3527dffc5a0160c37640d7587a67 ] These two initContainers might be optional based on some conditions, it is better to guard apparmor annotations with the same condition. Fixes: #21007 Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
cb7728a clustermesh-apiserver: fix key name for delete during k8s->kvstore sync [ upstream commit af2dc7494f536e91c611e5212811dc75602b3356 ] The handler which synchronizes CiliumNodes from k8s to the KV store includes the cluster name in the update operation but not the delete operation. This might lead to nodes not being correctly deleted from the KV store when they disappear. Follows commit 0ea6cba801d4 ("operator: fix key name for delete during k8s->kvstore sync") which did the same for the operator. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
a298057 Do not enable health checks on Terminating backends [ upstream commit c462868b82a0d0019fb45d40440329a362dde90d ] Previously cilium-agent did not switch off the health check server if only Terminating Endpoints are present on a Node with trafficPolicy: Local Service. Fixes: #21061 Signed-off-by: Andrey Klimentyev <andrey.klimentyev@flant.com> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
15ed2cb add kvstore TTL flag in cilium-operator [ upstream commit e5b902054b6036bdff625828810051473b2d5390 ] Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
9b4f631 pkg/endpoint: change CEP policy status message [ upstream commit ca023707153d26e1a548ee94c48a43ef6db2c937 ] To make it clear to users that only the status of the policy enforcement is not enabled this commit changes the message wording from "disabled" to "<status disabled>". Fixes: 5452034199d2 ("kubectl get cep returns empty columns of policies statuses") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
bfa10aa datapath: avoid delete/add flap for cilium_vxlan on startup [ upstream commit f4942353a58939ce076835f856152515019f63a6 ] In a configuration with EgressGW and direct-routing, cilium still uses a cilium_vxlan interface to transport the EgressGW traffic between source nodes and Gateway nodes. If no --tunnel-port is configured we stick to the default value (0) instead of using the VXLAN default port (8472), and when bpf/init.sh later tries to create the interface with port 0 the kernel simply falls back to using port 8472 instead. But if cilium_vxlan already exists from a previous run, the corresponding check in bpf/init.sh fails (as we look for dstport 0, but find cilium_vxlan with dstport 8472). So we delete the interface, just to add it again in the same effective configuration. Avoid the overhead (and flapping ifindex) by initializing c.TunnelPort with the VXLAN port, even when the user didn't select tunneling mode. Fixes: 030077272e9c ("datapath: Add a flag to set VXLAN and Geneve ports") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
3b66de7 Update wrk2 repository It's been moved to quay.io/isovalent-dev/wrk2. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 02 September 2022, 19:05:21 UTC
da8a59f build(deps): bump github/codeql-action from 2.1.21 to 2.1.22 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.21 to 2.1.22. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/c7f292ea4f542c473194b33813ccd4c207a6c725...b398f525a5587552e573b247ac661067fafa920b) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 01 September 2022, 15:13:08 UTC
a770aec build(deps): bump github/codeql-action from 2.1.20 to 2.1.21 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.20 to 2.1.21. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/7fee4ca032ac341c12486c4c06822c5221c76533...c7f292ea4f542c473194b33813ccd4c207a6c725) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 29 August 2022, 09:31:36 UTC
4260f47 build(deps): bump actions/cache from 3.0.7 to 3.0.8 Bumps [actions/cache](https://github.com/actions/cache) from 3.0.7 to 3.0.8. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/a7c34adf76222e77931dedbf4a45b2e4648ced19...fd5de65bc895cf536527842281bea11763fefd77) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 24 August 2022, 22:16:05 UTC
4c8af7c pkg/identity: fix identity garbage collection in clustermesh Since the identity.MinimalAllocationIdentity and identity.MaximumAllocationIdentity variables are initialized before the option.Config.ClusterID is set, their values will be 256 and 65535 respectively. This will prevent Cilium Operator from garbage collecting identities in the clusters, in a clustermesh environment, where their cluster-id is not 0. Fixes: bb6ad22f14a0 ("operator: fix identity GC collection") Signed-off-by: André Martins <andre@cilium.io> 24 August 2022, 16:48:01 UTC
0f435b7 pkg/identity: refactor function to set min and max identities This will allow to initialize the MinimalAllocationIdentity and MaximumAllocationIdentity without executing InitWellKnownIdentities. Signed-off-by: André Martins <andre@cilium.io> 24 August 2022, 16:48:01 UTC
e9f8d21 build(deps): bump 8398a7/action-slack from 3.13.0 to 3.13.2 Bumps [8398a7/action-slack](https://github.com/8398a7/action-slack) from 3.13.0 to 3.13.2. - [Release notes](https://github.com/8398a7/action-slack/releases) - [Commits](https://github.com/8398a7/action-slack/compare/a74b761b4089b5d730d813fbedcd2ec5d394f3af...22048831299719d772f51719ca7384e34b4cc61d) --- updated-dependencies: - dependency-name: 8398a7/action-slack dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 24 August 2022, 11:17:17 UTC
f4ec972 build(deps): bump actions/setup-go from 3.2.1 to 3.3.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.2.1 to 3.3.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/84cbf8094393cdc5fe1fe1671ff2647332956b1a...268d8c0ca0432bb2cf416faae41297df9d262d7f) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 24 August 2022, 09:55:01 UTC
612f3d7 spanstat: fix flakey test case. [ upstream commit 8ce927aa08c847a8c1d76d4df00282f0af3f4167 ] This test case fails often when running this test. Add small sleep duration to ensure that second measure can be identified as distinct from first. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
de53d5d metrics: fix ts_events API timestamp and scope label cardinality. [ upstream commit 1cc489d9617b9804b7e94457c5323952b904a899 ] Regression caused ts_events gauge to be scoped with url path including url parameter causing high cardinality metrics. This fixes that to follow the same scoping as the API metrics middleware histogram metrics. As well fixes ts_events metrics only ever being reported as 0. Also adds unit test for metrics middleware. Fixes: #20967 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
bc6700e gh/workflows: stop using ubuntu-18.04 runner [ upstream commit 05091f874fcd24e036ff1712c62a89e60c64174d ] The ubuntu-18.04 runner is deprecated, and GH has introduced brownouts so that users start to migrate. Move on to ubuntu-20.04. See https://github.com/actions/runner-images/issues/6002 Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
7e90b13 docs: Add eCHO episode 8: Exploring the Cilium CLI [ upstream commit 6aaa55e4effc4b61c48f1f5988834df97bcf94f7 ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
5c02291 document all available options for annotations in ingress implementation [ upstream commit 720803f1c3c1daa243b30a047303c7e04ef0823a ] Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
7b0a78a don't merge stderr into iptable stdout [ upstream commit c8d5d28ae30f5a4de666581b6c37c4c182da45c6 ] runProgCombinedOutput merges stdout and stderr of iptables into a single string and parses iptables rules out from it. But stderr is never rules but warnings/errors. For example, stderr can be "# Warning: iptables-legacy tables present, use iptables-legacy-save to see them" This commit changes it to use exec.Output but merge stderr into err. Fixes: #20894 Signed-off-by: Yuan Liu <liuyuan@google.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
b6a54f1 docs: Add talks to reference further reading [ upstream commit 6117e7ed2ddc4e9e690fd8522138abf233174181 ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
05efc85 docs: Add eCHO episode 8: Exploring the Cilium CLI [ upstream commit 6aaa55e4effc4b61c48f1f5988834df97bcf94f7 ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
b0b47fe docs: add KubeCon talk on Better Bandwidth Management [ upstream commit 1c0589e1a31198d1e128c901292fe0c7e1d74acc ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
d32e5e3 docs: Add AWS VPC CNI to Cilium migration video [ upstream commit 8804f7f813a4f2a3be777ebced8d823960d8f6d2 ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
0196ecd docs: add eCHO Episode 40 [ upstream commit f0ed135f65c932e917b0c30c6f9face2ad9110f1 ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
afe1770 docs: add eCHO episode 39 [ upstream commit 61c302790872f602e1831d4c3782a8e06acacbdf ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
ed41090 docs: Add known Argo CD issues to docs [ upstream commit e295f1f8d220ebb552237700486988882356a769 ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
0a83ad2 pkg/endpoint: set namedPortsGetter interface on ParseEndpoint [ upstream commit 7eb68cb0270443e8dc682ef83487ace126f3cbeb ] When restoring endpoints from the state directory we need to also initialize their internal "getters" as they will not be initialized on restore. This prevents Cilium from crashing upon initialization when a CNP with a named port is available on the cluster. ``` goroutine 827 [running]: github.com/cilium/cilium/pkg/endpoint.(*Endpoint).GetNamedPortLocked(0xc00024a000, 0x50?, {0xc000ba1cd0, 0x9}, 0xc0?) /go/src/github.com/cilium/cilium/pkg/endpoint/policy.go:68 +0x4f github.com/cilium/cilium/pkg/policy.(*L4Filter).ToMapState(0xc001080000, {0x3434870, 0xc00024a000}, 0x1) /go/src/github.com/cilium/cilium/pkg/policy/l4.go:345 +0x2c3 github.com/cilium/cilium/pkg/policy.(*EndpointPolicy).computeDirectionL4PolicyMapEntries(0xc0019e8540, 0xc0019e8540?, 0xc0019e80d8?, 0x40?) /go/src/github.com/cilium/cilium/pkg/policy/resolve.go:171 +0xba github.com/cilium/cilium/pkg/policy.(*EndpointPolicy).computeDesiredL4PolicyMapEntries(0xc0019e8540) /go/src/github.com/cilium/cilium/pkg/policy/resolve.go:164 +0x56 github.com/cilium/cilium/pkg/policy.(*selectorPolicy).DistillPolicy(0xc000d180c0, {0x3434870?, 0xc00024a000}, 0x0) /go/src/github.com/cilium/cilium/pkg/policy/resolve.go:141 +0x105 github.com/cilium/cilium/pkg/policy.(*cachedSelectorPolicy).Consume(0xc000123770?, {0x3434870?, 0xc00024a000?}) /go/src/github.com/cilium/cilium/pkg/policy/distillery.go:202 +0x35 github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regeneratePolicy(0xc00024a000) /go/src/github.com/cilium/cilium/pkg/endpoint/policy.go:234 +0x3f7 github.com/cilium/cilium/pkg/endpoint.(*Endpoint).runPreCompilationSteps(0xc00024a000, 0xc000399400) /go/src/github.com/cilium/cilium/pkg/endpoint/bpf.go:814 +0x2c5 github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerateBPF(0xc00024a000, 0xc000399400) /go/src/github.com/cilium/cilium/pkg/endpoint/bpf.go:584 +0x189 
github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerate(0xc00024a000, 0xc000399400) /go/src/github.com/cilium/cilium/pkg/endpoint/policy.go:398 +0x7a5 github.com/cilium/cilium/pkg/endpoint.(*EndpointRegenerationEvent).Handle(0xc0014a2b70, 0x29fef80?) /go/src/github.com/cilium/cilium/pkg/endpoint/events.go:53 +0x325 ``` Example of such CNP:
```
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: cilium-test
  name: client-egress-to-echo-deny-named-port
spec:
  endpointSelector:
    matchLabels:
      kind: client
  egressDeny:
  - toPorts:
    - ports:
      - port: "http-8080"
        protocol: TCP
    toEndpoints:
    - matchLabels:
        io.kubernetes.pod.namespace: cilium-test
        kind: echo
```
Fixes: 6e7e9468be4b ("endpoint: Remove references to global ipcache") Reported-by: Tam Mach <tam.mach@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
481d6cc k8s/watchers: fix panic in CiliumEndpoint labels update [ upstream commit c8b6d2eb82c067403d0d9dad255d6e74e847008c ] Cilium agent would panic if the associated k8s pod of CiliumEndpoint is nil: panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x2154821] goroutine 1499073313 [running]: github.com/cilium/cilium/pkg/k8s/watchers.updateCiliumEndpointLabels.func1(0x2f1c050, 0xc0346c6a40, 0x428e6e0, 0x455600) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/pod.go:483 +0x341 github.com/cilium/cilium/pkg/controller.(*Controller).runController(0xc0299d3d40) /go/src/github.com/cilium/cilium/pkg/controller/controller.go:217 +0xb29 created by github.com/cilium/cilium/pkg/controller.(*Manager).updateController /go/src/github.com/cilium/cilium/pkg/controller/manager.go:122 +0xbd2 This patch adds a check for the pod. Fixes: 732188fb47b2 ("pkg/k8s: mirror parent pod labels to cilium endpoints") Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
cf2ec85 build(deps): bump github/codeql-action from 2.1.19 to 2.1.20 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.19 to 2.1.20. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f5d217be74900c6ac8fbbe53f3c10376ba4e64da...7fee4ca032ac341c12486c4c06822c5221c76533) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 22 August 2022, 21:54:00 UTC
a7675d1 Fix typos in FQDN semaphore metric enablement. [ upstream commit 2a1c607b879bc98022cbc8b491c837166de9c54a ] Signed-off-by: Rahul Joshi <rkjoshi@google.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
0818807 ipsec: Fix incorrect parsing of SPI from mark [ upstream commit dc0f7aa7687bf37078bc3db93161e936efb9cb94 ] Commit b2331289c70 introduced helpers to set and retrieve the SPI from the XFRM mark. The SPI number is encoded into 4 bits at positions 12-15 (LSB first). However, function ipSecXfrmMarkGetSPI extracts 8 bits at positions 12-19 instead of 4. This commit fixes it. This bug would only have an impact if some other software used the 4 upper bits; no such case is currently known. Fixes: b2331289c70 ("ipsec: add ipSecXfrmMark{Set,Get}SPI helpers") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
b986246 docs: Switch to our own fork of sphinxcontrib-openapi [ upstream commit 4f893e8d3e0fa7e3a5204d3ccf132a2d2eaf530f ] Sphinxcontrib-openapi relies on m2r. But m2r is unmaintained [0]. It relies on mistune, but is not compatible with mistune versions >= 2.0 [1]. This makes it impossible to update mistune, even though there is a CVE in the old versions of the package [2]. Switch to sphinx-mdinclude instead. There is also m2r2, but it is not a suitable alternative because they simply force the use of an older mistune version [3]. [0] https://github.com/sphinx-contrib/openapi/issues/123 [1] https://github.com/miyakogi/m2r/issues/66 [2] https://github.com/advisories/GHSA-fw3v-x4f2-v673 [3] https://github.com/CrossNox/m2r2/pull/43 Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
d364d76 docs(bandwidth-manager): add note on per-pod limits [ upstream commit 0fdd2908550e8ed10b12d75b87eaec32cbdef985 ] Signed-off-by: Raphaël Pinson <raphael@isovalent.com> Co-authored-by: Paul Chaignon <paul@cilium.io> Co-authored-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
32ce957 docs: Apply crd schema update to local tree [ upstream commit 13d6778802281c954f9de0ba18fbf6d3d943fe8b ] During the release process, we occasionally execute the latest version of this script from one path in the filesystem, expecting the changes to apply within the current directory for an older branch. Update the script to ensure that any files updated in-place are updated in the local directory, not the directory where the script is invoked from. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
91c4d68 docs: Ignore newlines in crd compat file listing [ upstream commit 5cdc987ce3743756e20f8e34c443d69823b111ba ] This should fix an issue where the commands wrap multiple lines and hence can't be copy/pasted correctly. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
0ffd9a7 docs: Set -e in crd compat script [ upstream commit 03fd6cbc9d421d610850d119258f3a016f13b1ca ] This script seemed to be missing the option to enable failing out on errors, so add it in to prevent silently ignoring issues. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
982863b docs: Added `Default` column in metrics details [ upstream commit 1133bd5d30b55049a74414a3fb369926e1cb1d7c ] This commit adds a new column `Default` to metrics details which distinguishes if the metric is enabled by default or not. Fixes: #20235 Signed-off-by: Anurag Aggarwal <kanurag94@gmail.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
83797ae kubectl get cep returns empty columns of policies statuses [ upstream commit 5452034199d271bdd5ae181c6c4caa8d02356ee8 ] This patch sets "disabled" for the fields INGRESS ENFORCEMENT, EGRESS ENFORCEMENT, VISIBILITY POLICY if Cilium runs with --endpoint-status disabled. $ kubectl get cep NAME ENDPOINT ID IDENTITY ID INGRESS ENFORCEMENT EGRESS ENFORCEMENT VISIBILITY POLICY ENDPOINT STATE IPV4 IPV6 deathstar-f694cf746-f2tf4 1239 28002 disabled disabled disabled ready 10.11.0.52 fd04::6e90 deathstar-f694cf746-gnrg6 3603 28002 disabled disabled disabled ready 10.11.0.78 fd04::6dd9 tiefighter 810 35802 disabled disabled disabled ready 10.11.0.72 fd04::3ccb xwing 1629 58767 disabled disabled disabled ready 10.11.0.136 fd04::bc93 56 58767 Status N.A. Status N.A. Status N.A. ready 10.11.0.53 fd04::d70d Fixes: #17880 Signed-off-by: Roman Ptitcyn <romanspb@yahoo.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
dacb945 docs: Document existing FQDN metrics [ upstream commit 7dae6aa81a30ed27408a71794cd476dfc50c5efc ] Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
64c60f5 docs: Add enabled by default column to FQDN metrics [ upstream commit fa4e8a1047637b3b60c5433bb9093a4f7ac997a2 ] This will make it easier to see which metrics are enabled by default and which ones the user must configure Cilium manually to enable. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
aeb18a6 docs: Fix typo in FQDN metric name [ upstream commit f44e7ec3a04fae002423754da2150c44761d56d2 ] Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
9c9fba5 operator: fix key name for delete during k8s->kvstore sync [ upstream commit 0ea6cba801d482d70ef24678641e2a488381ff3a ] The handler which synchronizes CiliumNodes from k8s to the KV store includes the cluster name in the update operation but not the delete operation. This might lead to nodes not being correctly deleted from the KV store when they disappear. Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:16:38 UTC
86a67bf build(deps): bump github/codeql-action from 2.1.18 to 2.1.19 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.18 to 2.1.19. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2ca79b6fa8d3ec278944088b4aa5f46912db5d63...f5d217be74900c6ac8fbbe53f3c10376ba4e64da) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 19 August 2022, 15:08:42 UTC
b7d6e8c install: Update image digests for v1.12.1 Generated from https://github.com/cilium/cilium/actions/runs/2869795287. Signed-off-by: Joe Stringer <joe@cilium.io> 16 August 2022, 18:09:32 UTC
cf8932e test: Switch to kindest/node:v1.24.3 See [1] and [2] for motivation. [1]: https://github.com/cilium/cilium/pull/20682 [2]: https://github.com/cilium/cilium/pull/20834 Signed-off-by: Martynas Pumputis <m@lambda.lt> 16 August 2022, 13:00:59 UTC
4c9a630 Prepare for release v1.12.1 Signed-off-by: Joe Stringer <joe@cilium.io> 16 August 2022, 00:11:16 UTC
fe49b55 iptables: skip NOTRACK rules deletion [ upstream commit 4bd2478db37a6859c57372dcc97ac43922d26e90 ] The Iptables version shipped with Cilium (1.8.4) does not fully support the iptables-legacy - nft translation of NOTRACK rules, which in turn causes the agent to crash whenever it tries to delete any old/backup ruleset. This commit introduces a workaround for this by ignoring the `-j NOTRACK` and `-j CT --notrack` rules when deleting all rules belonging to an old/backup ruleset. This is not an issue (although it's not optimal) as eventually the agent will just flush and remove all the Cilium managed Iptables chains. Fixes: #20714 Signed-off-by: Gilberto Bertin <jibi@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 15 August 2022, 16:58:28 UTC
5420f5c ipcache/kvstore: fix panic when processing ip=<nil> entries [ upstream commit 630b219cb229c91d61c928f8927b0471ee32b874 ] This problem was introduced in 6cbf5daf46d, which results in a "nil pointer dereference" panic. Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
354f751 cilium-health: fix probing for IPv6-only clusters [ upstream commit 862e191b3574e4a7c5d2046d28d980c163b50a6f ] Due to some refactoring done in ed934cb958c5, a bug was introduced in the code that overwrote the IP address used to perform health checks. In IPv6-only clusters, this IP address was overwritten by an empty IPv4 address which would then be used to perform health checks. Obviously failing to perform such health checks since the address was "<nil>", Cilium would report that `cilium-health-ep` controllers were failing. Fixes: ed934cb958c5 ("health: Move endpoint IP to node package") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
641b3af helm: Refer to the correct Helm value [ upstream commit 07ea75249f682e1224d0e68c27d2dddaeac07b81 ] The operator deployment template was incorrectly referring to dnsPolicy instead of operator.dnsPolicy. Fixes: 307df356c2 ("helm: Make DNS policy for agent and operator configurable") Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC