https://github.com/cilium/cilium

Revision Author Date Message Commit Date
9887848 Prepare for release v1.13.0-rc0 Signed-off-by: André Martins <andre@cilium.io> 01 September 2022, 16:55:01 UTC
d7264ff update AUTHORS and Documentation Signed-off-by: André Martins <andre@cilium.io> 01 September 2022, 16:55:01 UTC
d0098d5 Create a composite action to define environment variables This makes it easier to share common environment variables across workflows. To use this action, you can add a step like this: - name: Set Environment Variables uses: ./.github/actions/set-env-variables In https://github.com/cilium/cilium/pull/21110 I attempted to use secrets for this purpose, but secrets are not available for pull requests from users without write access to cilium/cilium repo. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 01 September 2022, 16:52:27 UTC
3e45261 build(deps): bump github/codeql-action from 2.1.21 to 2.1.22 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.21 to 2.1.22. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/c7f292ea4f542c473194b33813ccd4c207a6c725...b398f525a5587552e573b247ac661067fafa920b) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 01 September 2022, 14:46:18 UTC
df02863 Documention: fix crd-compat-table script The file was moved but the script path was not updated, which is preventing the release script from functioning properly. Fixes: 05252d181074 ("docs: Update Networking, Contributor Guides and Reference sections") Signed-off-by: André Martins <andre@cilium.io> 01 September 2022, 14:29:30 UTC
d418824 hive: Make cell config decoding strict To keep things clean, this enforces that: - All flags declared by CellFlags() must be used in the config struct - Fields in the config struct must have a matching flag in CellFlags(). - The fields are populated only from flags declared by CellFlags(). Signed-off-by: Jussi Maki <jussi@isovalent.com> 01 September 2022, 14:08:08 UTC
c722abb test/e2e: Remove cilium identity list test This test is to check if a cilium endpoint is created with required security labels. However, the current set of unit tests are already offering such coverage, not to mention that connectivity tests are checking similar points. https://github.com/cilium/cilium/blob/master/pkg/k8s/labels_test.go Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 14:03:01 UTC
491bb7d test/e2e: Remove check for reserved identity This test is to check if reserved identities are available from CLI output, which didn't provide any value at all, not to mention that the current list is not complete (i.e. the test has not been maintained for a while). Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 14:03:01 UTC
b368688 test/e2e: Remove cli output test This test is just to check if the output is either stdout or stderr, which is kind of unnecessary. Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 14:03:01 UTC
c3feb60 hubble-ui: release v0.9.2 Added `hubble.ui.frontend.server.ipv6.enabled` helm flag to control nginx server ipv6 listener Signed-off-by: Dmitry Kharitonov <dmitry@isovalent.com> 01 September 2022, 14:01:47 UTC
751e2df helm: Fix post-start and pre-stop hooks for cilium-nodeinit Signed-off-by: John Watson <johnw@planetscale.com> 01 September 2022, 13:47:59 UTC
fa5b1fc cni-install: bump to v0.4.0, switch to ConfList CNI v0.4.0 introduces CHECK, which we support. CNI v1.0.0 no longer supports single-plugin configs, so let's switch to the list now. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 01 September 2022, 13:47:40 UTC
f462376 cilium-cni: implement cni CHECK The cni CHECK action asks the plugin to ensure that the container's networking is configured as desired. Fortunately, the agent already exposes a "healthz"-style api; all we need to do is call it. Also, verify that the veth interface exists and is configured correctly. Fixes: #17251 Signed-off-by: Casey Callendrello <cdc@isovalent.com> 01 September 2022, 13:47:40 UTC
c87cdeb daemon: Coalesce endpoint CIDRs in ENI mode Fixes: #18868. Multiple CIDRs are currently not coalesced for the health endpoint when setting up routing the corresponding routing tables. This results in orphaned routing entries that may conflict when IPs are reused for workload pods after an agent restart. Addresses comment https://github.com/cilium/cilium/pull/20112#issuecomment-1180343763 Signed-off-by: Simone Sciarrati <s.sciarrati@gmail.com> Signed-off-by: Federico Hernandez <f@ederi.co> 01 September 2022, 13:44:51 UTC
b9e6d82 pkg/bgpv1/annotations: Optimize annotations Errors Avoiding to use fmt.Sprintf() so that Go won't over-allocate the memory. issue reference : cilium#19571 Result: ``` $ go test -v -benchmem -run=^$ -bench 'BenchmarkErrNotVRouterAnnoError' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrNotVRouterAnnoError_old.txt $ go test -v -benchmem -run=^$ -bench 'BenchmarkErrErrNoASNAnno' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrErrNoASNAnno_old.txt $ go test -v -benchmem -run=^$ -bench 'BenchmarkErrASNAnno' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrASNAnno_old.txt $ go test -v -benchmem -run=^$ -bench 'BenchmarkErrNotVRouterAnnoError' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrNotVRouterAnnoError_new.txt $ go test -v -benchmem -run=^$ -bench 'BenchmarkErrErrNoASNAnno' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrErrNoASNAnno_new.txt $ go test -v -benchmem -run=^$ -bench 'BenchmarkErrASNAnno' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrASNAnno_new.txt $ benchcmp BenchmarkErrNotVRouterAnnoError_old.txt BenchmarkErrNotVRouterAnnoError_new.txt benchcmp is deprecated in favor of benchstat: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat benchmark old ns/op new ns/op delta BenchmarkErrNotVRouterAnnoError-12 186 47.2 -74.67% benchmark old allocs new allocs delta BenchmarkErrNotVRouterAnnoError-12 2 1 -50.00% benchmark old bytes new bytes delta BenchmarkErrNotVRouterAnnoError-12 96 80 -16.67% $ benchcmp BenchmarkErrErrNoASNAnno_old.txt BenchmarkErrErrNoASNAnno_new.txt benchcmp is deprecated in favor of benchstat: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat benchmark old ns/op new ns/op delta BenchmarkErrErrNoASNAnno-12 143 45.0 -68.49% benchmark old allocs new allocs delta BenchmarkErrErrNoASNAnno-12 2 1 -50.00% benchmark old bytes new bytes delta $ benchcmp BenchmarkErrASNAnno_old.txt BenchmarkErrASNAnno_new.txt benchcmp is deprecated in favor of benchstat: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat benchmark old ns/op new 
ns/op delta BenchmarkErrASNAnno-12 252 61.6 -75.59% benchmark old allocs new allocs delta BenchmarkErrASNAnno-12 3 1 -66.67% benchmark old bytes new bytes delta BenchmarkErrASNAnno-12 112 80 -28.57% ``` Signed-off-by: MikeLing <sabergeass@gmail.com> 01 September 2022, 13:39:49 UTC
1f34277 test/e2e: Remove CNP update test This test is to check the scenario if the same policy name can be updated with new rules successfully, which should be covered in unit tests (e.g. merging rules), not to mention that we should not test k8s watcher mechanism. Also, remove l7 related test in this Context, as the updated policies (e.g. cnp-update*.yaml) didn't have anything related to kafka. Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 13:24:37 UTC
6759d64 test/e2e: Remove entity related connectivity test This commit is to remove entity related connectivity test, as this test is already covered in connectivity tests: https://github.com/cilium/cilium-cli/tree/master/connectivity/manifests - deny-all-entities.yaml - allow-host-entity.yaml - allow-cluster-entity.yaml Relates: https://github.com/cilium/cilium-cli/pull/1066 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 13:24:37 UTC
4a60a89 test/e2e: Remove l7 connectivity test This commit is to remove L7 connectivity test, as this test is already covered in connectivity tests: https://github.com/cilium/cilium-cli/tree/master/connectivity/manifests - echo-ingress-l7-http.yaml - echo-ingress-l7-http-named-port.yaml Relates: https://github.com/cilium/cilium-cli/pull/1066 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 13:24:37 UTC
fd87fd4 test/e2e: Remove k8s default allowed network polices The network policy translation logic is already covered extensively as part of unit tests, connectivity tests for equivalent CNP policies are covered as well. Hence, these k8s network policy tests provide neither extra coverage nor value. Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 13:24:37 UTC
5447b9b test/e2e: Remove k8s default denied network polices The network policy translation logic is already covered extensively as part of unit tests, connectivity tests for equivalent CNP policies are covered as well. Hence, these k8s network policy tests provide neither extra coverage nor value. Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 13:24:37 UTC
93a3ba2 test/e2e: Remove default ingress and egress deny related tests This commit is to remove default CNP ingress, egress denied related tests, as these are covered in connectivity tests: https://github.com/cilium/cilium-cli/tree/master/connectivity/manifests - deny-all-ingress.yaml - deny-all-egress.yaml Relates: https://github.com/cilium/cilium-cli/pull/1066 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 13:24:37 UTC
fcb65a6 test/e2e: Remove toEntities related tests This commit is to remove toEntities related tests, as these are covered in connectivity tests: https://github.com/cilium/cilium-cli/tree/master/connectivity/manifests - client-egress-to-entities-world.yaml - allow-all-except-world.yaml Relates: https://github.com/cilium/cilium-cli/pull/1028 Relates: https://github.com/cilium/cilium/pull/21112 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 13:24:37 UTC
0b17fab test/e2e: Remove l3 l4 related tests This commit is to remove l3-l4 related tests, as these are covered in connectivity tests: https://github.com/cilium/cilium-cli/tree/master/connectivity/manifests - client-egress-to-echo-service-account-deny.yaml - echo-ingress-l7-http.yaml - client-egress-to-echo.yaml - client-egress-to-echo-service-account.yaml - client-egress-to-echo-named-port-deny.yaml Relates: https://github.com/cilium/cilium-cli/pull/1028 Relates: https://github.com/cilium/cilium/pull/21112 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 13:24:37 UTC
d769c4d test/e2e: Remove named port related tests This commit is to remove named port related tests, as these are covered in connectivity tests: https://github.com/cilium/cilium-cli/tree/master/connectivity/manifests - client-egress-l7-http-named-port.yaml - client-egress-to-echo-named-port-deny.yaml - echo-ingress-l7-http-named-port.yaml Relates: https://github.com/cilium/cilium-cli/pull/1028 Relates: https://github.com/cilium/cilium/pull/21112 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 13:24:37 UTC
2bdcdc1 test/e2e: Remove ICMP related tests This commit is to remove ICMP related tests, as these are covered in connectivity tests: https://github.com/cilium/cilium-cli/tree/master/connectivity/manifests - echo-ingress-icmp.yaml - echo-ingress-icmp-deny.yaml Relates: https://github.com/cilium/cilium-cli/pull/1028 Relates: https://github.com/cilium/cilium/pull/21112 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 13:24:37 UTC
ad49fc4 test/e2e: Remove service account related tests This commit is to remove service account related tests, as these are covered in connectivity tests: https://github.com/cilium/cilium-cli/tree/master/connectivity/manifests - client-egress-to-echo-service-account.yaml - client-egress-to-echo-service-account-deny.yaml Relates: https://github.com/cilium/cilium-cli/pull/1028 Relates: https://github.com/cilium/cilium/pull/21112 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 13:24:37 UTC
6ee04e9 test/e2e: Remove matchExpression tests This commit is to remove matchExpression related tests, as these are covered in connectivity tests: https://github.com/cilium/cilium-cli/tree/master/connectivity/manifests - client-egress-to-entities-world.yaml - client-egress-to-fqdns-one-one-one-one.yaml - client-egress-to-echo.yaml - client-egress-to-echo-expression.yaml - client-egress-to-echo-expression-deny.yaml Relates: https://github.com/cilium/cilium-cli/pull/1028 Relates: https://github.com/cilium/cilium/pull/21112 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 September 2022, 13:24:37 UTC
48d46eb datapath: allow packets to and from eni+ container interfaces AWS CNI chaining yields container interface names like 'eni621c0fc8425', not the usual 'lxcXYZ'. This causes packets for local endpoints to be dropped in CILIUM_FORWARD when they are called through a NodePort. Before the patch, the CILIUM_FORWARD chain looks like this: ``` -A CILIUM_FORWARD -o cilium_host -m comment --comment "cilium: any->cluster on cilium_host forward accept" -j ACCEPT -A CILIUM_FORWARD -i cilium_host -m comment --comment "cilium: cluster->any on cilium_host forward accept (nodeport)" -j ACCEPT -A CILIUM_FORWARD -i lxc+ -m comment --comment "cilium: cluster->any on lxc+ forward accept" -j ACCEPT -A CILIUM_FORWARD -i cilium_net -m comment --comment "cilium: cluster->any on cilium_net forward accept (nodeport)" -j ACCEPT -A CILIUM_FORWARD -o lxc+ -m comment --comment "cilium: any->cluster on lxc+ forward accept" -j ACCEPT -A CILIUM_FORWARD -i lxc+ -m comment --comment "cilium: cluster->any on lxc+ forward accept (nodeport)" -j ACCEPT ``` This doesn't match any packets to or from `eni+` container interfaces, letting them fall through to the `KUBE-FORWARD` chain instead: ``` -A FORWARD -m comment --comment "cilium-feeder: CILIUM_FORWARD" -j CILIUM_FORWARD -A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD ... -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP ``` Initial SYN packets go through to the Pod, SYN-ACK responses from local NodePort services are bpf_redirect'ed back out the physical interface to the client, but any follow-up packets from the client arriving at the node are considered invalid by netfilter's conntrack since the reply packet bypassed the stack, and thus dropped. This commit takes care of adding `-i eni+` and `-o eni+` iptables rules to make sure world->container packets are never dropped in the stack. Signed-off-by: Timo Beckers <timo@isovalent.com> 01 September 2022, 13:24:17 UTC
9911435 daemon,pkg: pull cni-chaining-mode configmap key into DaemonConfig The `cni-chaining-mode` ConfigMap key was introduced with the initial implementation of AWS CNI chaining, b568d2a179 ("cni: Add support for AWS CNI chaining") but was only used as an environment variable in the CNI installer script(s), not in the agent itself. This commit pulls in the key as a DaemonConfig value from the Cilium ConfigMap and removes manual parsing of CILIUM_CNI_CHAINING_MODE. Signed-off-by: Timo Beckers <timo@isovalent.com> 01 September 2022, 13:24:17 UTC
344863a eni: fix new node not triggering creation of ENI 1. Sync the instances network interface information from instances api when a new node is created but not in `instanceManager.instances`. This fixes errors in `ResyncInterfacesAndIPs` "Instance not found! Please delete corresponding ciliumnode if instance has already been deleted" when a new node is created in the cloud provider, then added to the cluster, before a resync is triggered. 2. Delete instance from `instanceManager.instances` on node deleted. This will cause `NodeManager.Update()` to invoke `instancesAPIResync` if this instance rejoins the cluster. This ensures that `Node.recalculate()` does not use stale data for instances which rejoin the cluster after their EC2 configuration has changed. Fixes: #20678 Signed-off-by: xiaoqing <xiaoqingnb@gmail.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> 01 September 2022, 13:24:01 UTC
86e736f datapath: tolerate missing ifaces when setting rp_filter sysctl At the point where systemd-sysctl applies our rp_filter settings, the host might not have any cilium_* and/or lxc_* interfaces yet. But systemd-sysctl treats the failure to resolve these globs as a hard error: systemd-sysctl[9354]: Couldn't resolve glob 'net/ipv4/conf/lxc*/rp_filter': No such file or directory systemd[1]: systemd-sysctl.service: Main process exited, code=exited, status=1/FAILURE systemd[1]: systemd-sysctl.service: Failed with result 'exit-code'. Adding the `-` option makes systemd-sysctl tolerate such errors. Fixes: 6432558898aa ("datapath: Create sysctl `rp_filter` overwrite config on agent init") Suggested-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 01 September 2022, 13:22:44 UTC
5c057be test: update k8s versions to the latest patched releases Signed-off-by: André Martins <andre@cilium.io> 01 September 2022, 13:21:51 UTC
a175d65 probes: replace GetMapTypes, GetHelpers() and GetMisc() in ProbeManager To replace the usage of bpftool to do feature checks in cilium this commit replaces calls to the ProbeManager with calls to the features API in github.com/cilium/ebpf. GetMapTypes(), GetHelpers() and GetMisc() were fully replaced and removed. Signed-off-by: Robin Gögge <r.goegge@isovalent.com> 01 September 2022, 13:19:39 UTC
632187d vendor: add github.com/cilium/ebpf/features Signed-off-by: Robin Gögge <r.goegge@isovalent.com> 01 September 2022, 13:19:39 UTC
c6c3766 daemon: only set rlimit Memlock once This commit removes all calls to rlimit.RemoveMemlock() in favor of calling it once when the agent starts up. Signed-off-by: Robin Gögge <r.goegge@isovalent.com> 01 September 2022, 13:19:39 UTC
62548f2 operator: do not GC kvstore nodes if CiliumNodes are not available If users deploy Cilium without creating any CiliumNodes, Cilium Operator will GC all kvstore nodes once it starts. This commit adds a guardrail to prevent such behavior. Signed-off-by: André Martins <andre@cilium.io> 31 August 2022, 20:15:55 UTC
a42651b test/controlplane: run some tests with against the last k8s version There is no need to test with all k8s versions if some tests don't depend on them. Thus, we can simply run the tests with the last stable version. Signed-off-by: André Martins <andre@cilium.io> 31 August 2022, 20:15:49 UTC
ead1c2f test/controlplane: update all tests with k8s 1.23, 1.24 and 1.25 We will only support the last three stable k8s releases and these controlplane tests should only be tested for these versions. Signed-off-by: André Martins <andre@cilium.io> 31 August 2022, 20:15:49 UTC
dddd88e test/controlplane: add make target file to update k8s kind images Signed-off-by: André Martins <andre@cilium.io> 31 August 2022, 20:15:49 UTC
4679729 test/controlplane: add some steps to pre-pull docker images When generating the input files, the generate script runs cilium install which will pull the cilium docker image. Instead, we can pre-pull this docker image in the host and load it in the kind cluster. Signed-off-by: André Martins <andre@cilium.io> 31 August 2022, 20:15:49 UTC
22d14fd test/controlplane: add consistency in generate.sh files All generate.sh have similar logic. Some changes were made into the files so that it would be possible to run them in a separate directory from where they are stored. Also, they will all use the same k8s versions as defined in a top-level file which will bring some consistency in the k8s versions that are being tested. Signed-off-by: André Martins <andre@cilium.io> 31 August 2022, 20:15:49 UTC
d51fba7 test/controlplane: set a single variable with all k8s versions tested With a single variable it will make it easier to modify the k8s versions that we support rather than changing them on each test individually. Signed-off-by: André Martins <andre@cilium.io> 31 August 2022, 20:15:49 UTC
1d55ea4 test: use discovery.k8s.io/v1 for EndpointSlices since k8s 1.21 EndpointSlices have been promoted to GA since k8s 1.21 so we don't need to have specific files for all versions starting from 1.21. More info: https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/ Suggested-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 31 August 2022, 20:15:49 UTC
a943827 Makefile: Split agent and operator kind targets Split the image build targets for building the agent vs. the operator, so that developers who only want to update one or the other during their local debugging can do so. For more information, see the output of 'make help | grep kind'. Signed-off-by: Joe Stringer <joe@cilium.io> 31 August 2022, 19:14:35 UTC
f26d0f0 images: Fix image build for qemu workflow This image doesn't really have a "release" version so the earlier commit that added release targets didn't add the target here. However, the CI workflows expect that all the dockerfiles have a release target now. We could make a special case in the workflows, but that might get broken again in future. Instead, just add a 'release' target to the final image defined in the dockerfile here. CC: Joe Stringer <joe@cilium.io> Fixes: fdf4f7ee3ed1 ("images: Name final docker target as 'release'") Reported-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 31 August 2022, 18:57:22 UTC
d193526 proxy: Iterate proxy ports on port open failure If the user does not specify a proxy port and it fails to listen on the port, instead of retrying again for that specific one, increment it. Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> 31 August 2022, 18:56:43 UTC
d61e0c0 Revert "Read quay organization names from secrets" This reverts commit 1935a653172ddc0148deb379600433a8e5df1dca. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 31 August 2022, 17:52:46 UTC
95c209c Revert "Don't push to "-ci" repos from release / beta image workflows" This reverts commit c173792ec658fa63deb8f6b10850f6731de8f3f0. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 31 August 2022, 17:52:46 UTC
16f9d6c ci: bump external workloads workflow timeouts After commit 233cec30270e ("gha: Bump cilium cli to v1.12.2") the external workloads workflow started timing out occasionally because more tests were added in cilium-cli v0.12.2 and thus run times increased. Bump the workflow timeouts to avoid this. Signed-off-by: Tobias Klauser <tobias@cilium.io> 31 August 2022, 13:45:52 UTC
4c77f54 metallb: bump to latest fork version bumps to Cilium's latest metallb fork version. this bump alleviates a plain log message which ran in a hot loop. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 31 August 2022, 09:46:15 UTC
8cb5cf2 go-mod: bump go mod version to 1.19 Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 31 August 2022, 09:45:49 UTC
aa06a2d test/k8s: remove unused swapi cert and key These are unused since commit 92aa025e9012 ("docs, test: replace swapi by artii.herokuapp.com for TLS visibility"). Signed-off-by: Tobias Klauser <tobias@cilium.io> 31 August 2022, 09:45:35 UTC
a15c81e test/k8s: remove unused manifests The following manifests are unused since the following commits: Commit e9cb43c03179 ("Helm: full refactor of helm charts, default values implemented, tests updated, kind cni integration"): - ci-required-values.yaml Commit 25ee77eb9c3e ("test: fix upgrade-downgrade test with helm instalation"): - cilium-ds-clean-only.yaml Commit 67d83c00f2d9 ("CI: fix test 'with remote-node identity disabled'"): - cnp-from-entities-world.yaml Commit 2782bc5f5c04 ("test/k8s: remove identity gc Ginkgo test"): - dummy_identity.yaml Commit 53736573fc59 ("test: Remove deprecated Nightly tests"): - netcat-ds.yaml Unused manifests were found using the following command: % for t in test/k8s/manifests/*.yaml; do rg -q $(basename $t); if [ $? -ne 0 ]; then echo $t; fi; done Signed-off-by: Tobias Klauser <tobias@cilium.io> 31 August 2022, 09:45:35 UTC
be641bb egressgw: reduce log noise in good paths Demote the various Info() log statements to Debug(), so that we don't spam the logs when everything works as expected. Also fix a typo in one log message. Suggested-by: Bruno M. Custódio <brunomcustodio@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 31 August 2022, 09:45:13 UTC
d741e20 egressgw: reduce log noise when installing IP rules/routes When updating the IP rules/routes, reconcile() tolerates that the first attempt at installing some new rules/routes fails (as they might conflict with existing rules/routes that haven't been removed yet). After removing all unused rules, it calls addMissingIpRulesAndRoutes() again and hopefully succeeds. Adjust the log severity accordingly when encountering errors on the first attempt. It's only a real problem when they occur on the retry. Suggested-by: Bruno M. Custódio <brunomcustodio@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 31 August 2022, 09:45:13 UTC
c173792 Don't push to "-ci" repos from release / beta image workflows CI image workflow already pushes the same image. Ref: https://github.com/cilium/cilium/blob/master/.github/workflows/build-images-ci.yaml#L130 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 31 August 2022, 09:44:59 UTC
1935a65 Read quay organization names from secrets Use secrets to explicitly define quay.io organization names instead of assuming they are the same as the Cilium GitHub repository name. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 31 August 2022, 09:44:59 UTC
266f705 dnsproxy: add cleanup This change adds Cleanup function to dnsproxy which is added to daemon cleanup module. The cleanup closes TCP and UDP sockets, which will cause proxy to stop serving DNS traffic before shutdown. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 31 August 2022, 09:44:49 UTC
5885550 dnsproxy: populate DNS clients before proxy start This change causes DNS clients that dnsproxy uses to connect to upstream DNS servers to be populated before proxy binds to its sockets. Clients being set after proxy binds might have caused some DNS traffic to be dropped while proxy was starting up. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 31 August 2022, 09:44:49 UTC
d65058b Always insert CEPs into the largest available CES Currently, with FCFS (First Come, First Served) batching mode, CiliumEndpoints are inserted into the first available (non-full, non-empty) CiliumEndpointSlice, which comes in an unordered list from the cache. The change is to go through the list and pick the largest available CES, instead of the first available. With this change, it’s guaranteed that the creation of CEPs will cause the minimum number of CES updates, using the FCFS batching mode. Signed-off-by: Dorde Lapcevic <dordel@google.com> 31 August 2022, 09:44:27 UTC
ba42515 gha: Remove debug logs in conformance tests The previous PR #19825 set log level as debug mainly for debugging newly added Ingress Conformance. Considering that this test is pretty much stable, the debug logs can be removed. Signed-off-by: Tam Mach <tam.mach@cilium.io> 30 August 2022, 19:19:59 UTC
4b87ccc pkg/k8s/watcher: fix deadlock with service event handler & CES watcher. There is a deadlock that can occur when a k8s service update and a policy update occur at the same time. In practice, this can occur in the following situation: 1. CiliumEndpointSlice k8s watcher performs an update due to a new watcher event. The handler logic for this first goes to hold a lock on the IPCache. Next, this triggers an endpoint regeneration via the endpoint manager. Note: This code path will wait for endpoint regeneration to complete via a passed WaitGroup. To complete this task, endpoint manager attempts to lock policyRepository. Effectively, this means that CES handler has locking dependencies on IPCache's lock and policyRepos lock (transitively, by waiting on endpointManager endpoint regeneration). It will not release the IPCache lock until endpoint regen is done, thus waiting on the policyRepo lock. 2. The k8sServiceHandler control loop performs an update due to kube-apiserver service record change (i.e. this is common on EKS where the control plane IPs change often). A new policyRepository.Translator is constructed with k8s.RuleTranslator{} with AllocatedPrefixes being enabled. This implementation of the Translator holds a reference to ipcache and uses that to make necessary prefix updates to ipcache during the translation. This is passed to policyRepository to perform policy rule translation, which locks itself before proceeding to use translator.Translate(...) to perform translation on its state. The k8sServiceHandler now holds nested locks on policyRepo -> ipcache. At this point, let's say codepath 1. is holding a lock on both ipcache and waiting on a lock for policyRepo (nested ipCache -> policyRepo). At the same time, codepath 2. (i.e. k8sServiceHandler) just grabbed a policyRepo lock and is waiting for the ipcache lock. Codepath 2 (which holds policyRepo) needs ipcache to unlock, which is held by Codepath 1, which is waiting for policyRepo to unlock. 
The following is a stack trace of such a case occurring: 101 occurences. Sample stack trace: 6 occurences. Sample stack trace: sync.runtime_SemacquireMutex(0xc0018f0e08?, 0x20?, 0xc000c12740?) /usr/local/go/src/runtime/sema.go:71 +0x25 sync.(*RWMutex).RLock(...) /usr/local/go/src/sync/rwmutex.go:63 github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regeneratePolicy(0xc0010c7c00) /go/src/github.com/cilium/cilium/pkg/endpoint/policy.go:198 +0x11a github.com/cilium/cilium/pkg/endpoint.(*Endpoint).runPreCompilationSteps(0xc0010c7c00, 0xc0005be400) /go/src/github.com/cilium/cilium/pkg/endpoint/bpf.go:814 +0x2c5 github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerateBPF(0xc0010c7c00, 0xc0005be400) /go/src/github.com/cilium/cilium/pkg/endpoint/bpf.go:584 +0x189 github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerate(0xc0010c7c00, 0xc0005be400) /go/src/github.com/cilium/cilium/pkg/endpoint/policy.go:398 +0x7a5 github.com/cilium/cilium/pkg/endpoint.(*EndpointRegenerationEvent).Handle(0xc0099405b0, 0x2a27540?) /go/src/github.com/cilium/cilium/pkg/endpoint/events.go:53 +0x325 github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).run.func1() /go/src/github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:245 +0x13b sync.(*Once).doSlow(0x2f14d01?, 0x4422a5?) /usr/local/go/src/sync/once.go:68 +0xc2 sync.(*Once).Do(...) /usr/local/go/src/sync/once.go:59 github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).run(0x0?) /go/src/github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:233 +0x45 created by github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).Run /go/src/github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:229 +0x76 1 occurences. Sample stack trace: sync.runtime_Semacquire(0xc0003f44d0?) /usr/local/go/src/runtime/sema.go:56 +0x25 sync.(*WaitGroup).Wait(0xc0003f5420?) 
/usr/local/go/src/sync/waitgroup.go:136 +0x52 github.com/cilium/cilium/pkg/ipcache.(*IPCache).UpdatePolicyMaps(0xc001003580, {0x3468338, 0xc00007e038}, 0xa?, 0xc008c15e60) /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:235 +0xc7 github.com/cilium/cilium/pkg/ipcache.(*IPCache).removeLabelsFromIPs(0xc001003580, 0xc005d73778?, {0x2f35b2b, 0xf}) /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:414 +0x7c5 github.com/cilium/cilium/pkg/ipcache.(*IPCache).RemoveLabelsExcluded(0xc001003580, 0xc0000e3110, 0xc001506dd8?, {0x2f35b2b, 0xf}) /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:328 +0x1ab github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).handleKubeAPIServerServiceEPChanges(0xc001586d80, 0xc003ec89b0?) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint.go:135 +0x5b github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).addKubeAPIServerServiceEPSliceV1(0xf3c386?, 0xc001ab7d40) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint_slice.go:205 +0x452 github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).updateK8sEndpointSliceV1(0xc001586d80, 0xc001ab7d40?, 0xc001ab7d40?) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint_slice.go:178 +0x69 github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).endpointSlicesInit.func2({0x2ec7ea0?, 0xc00294c410?}, {0x2ec7ea0, 0xc001ab7d40}) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint_slice.go:71 +0x125 k8s.io/client-go/tools/cache.ResourceEventHandlerFuncs.OnUpdate(...) 
/go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:239 github.com/cilium/cilium/pkg/k8s/informer.NewInformerWithStore.func1({0x2a4b9c0?, 0xc00057d1e8?}) /go/src/github.com/cilium/cilium/pkg/k8s/informer/informer.go:103 +0x2fe k8s.io/client-go/tools/cache.(*DeltaFIFO).Pop(0xc001b805a0, 0xc000927940) /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/delta_fifo.go:554 +0x566 k8s.io/client-go/tools/cache.(*controller).processLoop(0xc001bda1b0) /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:184 +0x36 k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0x40d6a5?) /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155 +0x3e k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xed53e5?, {0x343e1c0, 0xc000d50450}, 0x1, 0xc000929980) /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156 +0xb6 k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc001bda218?, 0x3b9aca00, 0x0, 0x30?, 0x7f587b87fd30?) /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133 +0x89 k8s.io/apimachinery/pkg/util/wait.Until(...) /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90 k8s.io/client-go/tools/cache.(*controller).Run(0xc001bda1b0, 0xc000929980) /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:155 +0x2c5 created by github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).endpointSlicesInit /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint_slice.go:156 +0x759 1 occurences. Sample stack trace: sync.runtime_SemacquireMutex(0xc000880000?, 0x20?, 0x21?) /usr/local/go/src/runtime/sema.go:71 +0x25 sync.(*RWMutex).RLock(...) 
/usr/local/go/src/sync/rwmutex.go:63 github.com/cilium/cilium/pkg/ipcache.(*metadata).get(0xc00104f770?, {0xc0069e9160?, 0x9?}) /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:90 +0x66 github.com/cilium/cilium/pkg/ipcache.(*IPCache).GetIDMetadataByIP(...) /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:86 github.com/cilium/cilium/pkg/ipcache.(*IPCache).AllocateCIDRs(0xc001003580, {0xc008680cf0, 0x2, 0x0?}, {0x0, 0x0, 0x0?}, 0x0) /go/src/github.com/cilium/cilium/pkg/ipcache/cidr.go:57 +0x22b github.com/cilium/cilium/pkg/k8s.RuleTranslator.generateToCidrFromEndpoint({0xc001003580, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, {0xc008c15e00}, 0xc001905e60, 0x0, 0x1}, 0xc001f667e0, ...) /go/src/github.com/cilium/cilium/pkg/k8s/rule_translate.go:124 +0xb3 github.com/cilium/cilium/pkg/k8s.RuleTranslator.populateEgress({0xc001003580, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, {0xc008c15e00}, 0xc001905e60, 0x0, 0x1}, 0xc001f667e0, ...) /go/src/github.com/cilium/cilium/pkg/k8s/rule_translate.go:62 +0x172 github.com/cilium/cilium/pkg/k8s.RuleTranslator.TranslateEgress({0xc001003580, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, {0xc008c15e00}, 0xc001905e60, 0x0, 0x1}, 0xc001f667e0, ...) /go/src/github.com/cilium/cilium/pkg/k8s/rule_translate.go:51 +0x18e github.com/cilium/cilium/pkg/k8s.RuleTranslator.Translate({0xc001003580, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, {0xc008c15e00}, 0xc001905e60, 0x0, 0x1}, 0xc001c66750, ...) 
/go/src/github.com/cilium/cilium/pkg/k8s/rule_translate.go:33 +0x117 github.com/cilium/cilium/pkg/policy.(*Repository).TranslateRules(0xc0003f5490, {0x3440260, 0xc0025fd280}) /go/src/github.com/cilium/cilium/pkg/policy/repository.go:627 +0x10b github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).k8sServiceHandler.func1({0x0, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, 0xc0015f0c80, 0x0, 0xc003165f50, 0xc001bc9c80}) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:586 +0xc9e github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).k8sServiceHandler(0xc001586d80) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:623 +0x9f created by github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).RunK8sServiceHandler /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:629 +0x56 This commit solves this situation by moving the IPCache allocation out of the k8s.RuleTranslator Translator implementation. Thus moving the responsibility of the IPCache updating out of the translator. This removes the nested policyRepo -> ipcache locks in translator. So, in situations like the one described, the translation no longer has a dependency on ipcache. Codepath 2 will be able to complete, releasing the policyRepo lock and allowing Codepath 1 to proceed. Note: Rule translation prefixes are not used in other usages of k8s.RuleTranslator called from endpoint watcher handler. So we don't have to add the same ipcache logic as in k8sServiceHandler. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Reported-by: Michi Mutsuzaki <michi@isovalent.com> 30 August 2022, 18:54:41 UTC
5928807 ip: rename IsExcluded() to ListContainsIP() The name is rather confusing. Make it easier to understand what the function actually does, without having to look at the comment or code. No functional change. Suggested-by: Gilberto Bertin <jibi@cilium.io> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 30 August 2022, 18:00:26 UTC
8a68b72 Add workload name and kind into L7 flows Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> 30 August 2022, 17:58:12 UTC
0625497 pkg/k8s: fix node update sync from k8s to kvstore This commit simplifies the synchronization between the k8s node and kvstore. The local node state has all the information up to date so whenever we want to update it to the KVStore, or re-push it to the CiliumNode CRD, we should use this information. Fixes: 01cbc595ad48 ("k8s: keep CiliumNode labels synced with Node object") Signed-off-by: André Martins <andre@cilium.io> 30 August 2022, 09:36:24 UTC
233cec3 gha: Bump cilium cli to v1.12.2 The main goal is to pick newly introduced connectivity tests. Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 August 2022, 22:23:59 UTC
60f2039 Revert "Revert "update cilium-{runtime,builder}"" This reverts commit 95f3909cbea3c76b94122c50505aefac304f6f35. Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 August 2022, 22:12:15 UTC
cc355d2 Revert "Revert "image: Bump base image to ubuntu 22.04"" This reverts commit b42d331b01bca1d0434dbed44c7fbc2884bb9f80. Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 August 2022, 22:12:15 UTC
219bc2d Revert "Revert "gha: Update base image for race detection build"" This reverts commit df5de3d5b7583676b4c3d956deea3bc88566326b. Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 August 2022, 22:12:15 UTC
0308584 Revert "Revert "test/k8s: Update test-verifier images"" This reverts commit 215baff69bfa41ec47453acc66ca154f08b2b75f. Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 August 2022, 22:12:15 UTC
2fe9888 Caveat Differences Between K8s and Cilium Network Policies K8s Network Policies do have functionality that Cilium lacks. These limitations should be documented for a variety of reasons. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 29 August 2022, 16:20:54 UTC
fdf4f7e images: Name final docker target as 'release' This is in preparation for a subsequent additional target that is used to wrap the existing logic with a debugger. This should be a purely internal detail with no external impacts. Signed-off-by: Joe Stringer <joe@cilium.io> 29 August 2022, 15:28:19 UTC
dbc538e build(deps): bump github/codeql-action from 2.1.20 to 2.1.21 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.20 to 2.1.21. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/7fee4ca032ac341c12486c4c06822c5221c76533...c7f292ea4f542c473194b33813ccd4c207a6c725) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 29 August 2022, 09:31:32 UTC
fbc53d0 docs: Update Security and the remaining sections This is part of a reorganisation of Cilium's docs (GSoD project). Signed-off-by: Yoyo Wu <yoyo19980720@126.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 29 August 2022, 09:15:06 UTC
05252d1 docs: Update Networking, Contributor Guides and Reference sections This is part of a reorganisation of Cilium's docs (GSoD project). Signed-off-by: Yoyo Wu <yoyo19980720@126.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 29 August 2022, 09:15:06 UTC
e364d06 iptables: add support for iptables >= 1.8.7 Starting from iptables 1.8.7, whenever we try to list the rules of a non existing chain with iptables-nft, the command will return the following error: chain `$chain' in table `$table' is incompatible, use 'nft' tool. error rather than the usual one: No chain/target/match by that name. This commit adds support for these versions of iptables by handling this special case in the logic responsible for checking if a chain exists. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 29 August 2022, 09:14:53 UTC
00b917e go.mod, vendor: update github.com/cilium/ipam to latest version This pulls in performance improvements and cleanups for the cidrset package. Signed-off-by: Tobias Klauser <tobias@cilium.io> 29 August 2022, 09:14:11 UTC
b14ceef ipam/allocator/podcidr: remove unused CIDRAllocator.IsIPv6 The CIDRAllocator interface's IsIPv6 method is unused across the entire Cilium code base since it was added in commit 513296652c02 ("add Cilium-operator podCIDR allocator"). This change would allow to also drop it from github.com/cilium/ipam/cidrset.CidrSet which was forked from k8s.io/kubernetes/pkg/controller/nodeipam/ipam/cidrset and amended with the IsIPv6 method. Signed-off-by: Tobias Klauser <tobias@cilium.io> 29 August 2022, 09:14:11 UTC
07e7fb0 vagrant: Bump 4.9 Vagrant box (Linux 4.9.326, to fix a kernel bug) We have been hitting a kernel bug on 4.9 for the verifier tests. An underflow on the memlock rlimit counter, caused by the reallocation of BPF programs not updating the charged values, makes the counter go under zero and convert into a huge value, blocking all further loads of BPF objects [0]. This has been fixed in kernel 4.10 [1], and was backported at last in 4.9.326. We generated a new Ubuntu image based on that, let's update. [0] cilium/cilium#20288 [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=5ccb071e97fbd9ffe623a0d3977cc6d013bee93c Signed-off-by: Quentin Monnet <quentin@isovalent.com> 26 August 2022, 21:24:00 UTC
6f9e470 Update Cilium README description and overview image Signed-off-by: Bill Mulligan <billmulligan516@gmail.com> 26 August 2022, 16:07:28 UTC
8c9d567 mlh: update Jenkins jobs following 1.25 support K8s 1.25 support was added in ce69afdc3ad196cf5b9f9093406f760433233329. We have rotated / expanded the Jenkins test jobs as follows: - Changed: Kernel 5.4 on K8s 1.23 (instead of 1.22, triggered on `/test`). - Changed: Kernel 4.19 on K8s 1.24 (instead of 1.23, triggered on `/test`). - Changed: Kernel net-next on K8s 1.25 (instead of 1.24, triggered on `/test`). - Added: Kernel 4.9 on K8s 1.23 (triggered on `/test-missed-k8s`). See the Table of Truth™️ for up to date status on all trigger phrases: https://docs.google.com/spreadsheets/d/1TThkqvVZxaqLR-Ela4ZrcJ0lrTJByCqrbdCjnI32_X0/edit#gid=0 Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 26 August 2022, 12:55:02 UTC
f111563 test: ignore HostPort Conformance test This test is currently failing and will be skipped until https://github.com/cilium/cilium/issues/21060 is fixed. Signed-off-by: André Martins <andre@cilium.io> 26 August 2022, 12:25:09 UTC
ce69afd add support for k8s 1.25.0 We have dropped the requirement for the kubernetes-cni version because that is already defined as a requirement for the kubeadm package. Signed-off-by: André Martins <andre@cilium.io> 26 August 2022, 12:25:09 UTC
90f41f0 pkg/endpoint: set labels for local node from k8s events Not setting these labels in the local node can cause the node to be out-of-sync in the KVStore. When IPSec configuration changes, Cilium will propagate these changes into the KVStore by executing [1] which eventually calls [2]. If the node labels are not up to date, Cilium will never be able to have this information in the KVStore as it will always re-use the labels fetched when Cilium started. [1] https://github.com/cilium/cilium/blob/dc0f7aa7687bf37078bc3db93161e936efb9cb94/pkg/datapath/linux/ipsec/ipsec_linux.go#L698 [2] https://github.com/cilium/cilium/blob/9fd55dd7e849ee5edaf72d75d339213e10b97940/pkg/nodediscovery/nodediscovery.go#L247 Fixes: 8d0211c37537 ("pkg/identity: Watch and update labels for the host") Signed-off-by: André Martins <andre@cilium.io> 26 August 2022, 10:25:33 UTC
b0f7b91 pkg/nodediscovery: protect variable against concurrent access This variable can be accessed concurrently since controllers run on a separate goroutine. Using its mutex and performing a DeepCopy will help protect it against concurrent access. Fixes: e52fe1d59d1c ("nodediscovery: Make LocalNode object private") Signed-off-by: André Martins <andre@cilium.io> 26 August 2022, 10:13:45 UTC
18efa85 controlplane: use right node name in tests The node that is being tested is "cilium-nodes-worker" so we should define that name when creating a new control plane test. Fixes: 896aba311809 ("test/controlplane: Switch to imperative API and rewrite tests") Signed-off-by: André Martins <andre@cilium.io> 26 August 2022, 10:12:20 UTC
124357f docs: Update ToServices docs section Update this section to highlight the limitation, improve wording, and remove future-looking statements. Signed-off-by: Joe Stringer <joe@cilium.io> 25 August 2022, 17:41:10 UTC
5256d74 contrib: Fix jenkins-failures.sh triage script This script looks for recent failures (default: 1 day) in jenkins and reports them on the command line if they haven't been directly triaged on Jenkins (i.e. the build description got updated). The links were a bit out-of-date, but with some minor touchups this script can continue to work. Signed-off-by: Joe Stringer <joe@cilium.io> 25 August 2022, 17:40:34 UTC
e0537f9 option: Drop RegisteredOptions in favour of viper.AllKeys All registered options can be accessed via viper.AllKeys(). Removing use of RegisteredOptions makes it easier to integrate with flags added via other means (e.g. via pkg/hive). The checking of duplicate flags is already performed via pflag, so the redundant check can be dropped from option.BindEnv. Signed-off-by: Jussi Maki <jussi@isovalent.com> 25 August 2022, 17:38:48 UTC
a64ff19 gops: Create the gops cell for the gops agent Add a hive cell for running the gops agent. Signed-off-by: Jussi Maki <jussi@isovalent.com> 25 August 2022, 17:38:48 UTC
6b7c7b3 daemon: Convert app.go to hive, add dump commands Renames app.go to root.go and move the cobra command definitions there. The fx.App is replaced by hive.New and to support inspecting the object graph the starting of the daemon is moved into start hooks. The following sub-commands are added: cmdref: Same as --cmdref before, but makes more sense as sub-command. dot-graph: Dump the dependency graph in graphviz format. Try running "./cilium-agent dot-graph | dot -Tx11". objects: Dumps the objects supplied or provided when constructing the application. Useful when creating new cells to inspect what is available. Pair with "go doc" to look at APIs. Signed-off-by: Jussi Maki <jussi@isovalent.com> 25 August 2022, 17:38:48 UTC
8be0a82 hive: Add the hive package for modular applications The hive package extends uber/fx to support modules ("cells") with configuration. A Hive is a modular application consisting of Cells. Cells consist of an optional configuration and uber/fx options for constructing objects. While these are similar to fx.App (Hive) and fx.Module (Cell), these new names are introduced to avoid confusion. This extension is required to support registering of command-line flags prior to constructing the application graph in order to support use-cases where a single binary may have multiple (cobra) commands with different sets of flags: we should not construct the object graph before we know it's needed and what its configuration is, hence we need a layer outside uber/fx to collect the command-line flags of the modules we use for that command. The configuration associated with a cell can register command-line flags and this configuration is populated from Viper and supplied to the hive when it is started. Signed-off-by: Jussi Maki <jussi@isovalent.com> 25 August 2022, 17:38:48 UTC
34427c8 logging: Move app_logger.go to pkg/logging/fx_logger.go Migrate the fx event logger to the logging package so it can be used by other applications besides cilium-agent. Add support to the logger for dumping the objects that are constructed when app is created. Signed-off-by: Jussi Maki <jussi@isovalent.com> 25 August 2022, 17:38:48 UTC
0acee00 docs/contrib: Add extra guidance on large PRs Signed-off-by: Joe Stringer <joe@cilium.io> 25 August 2022, 17:28:20 UTC
5092e14 docs/contrib: Update hat duties guide The three hats were combined into the "top" hat some time back. Update these instructions to reflect the single duty. Most notably, we changed from having the tophat own backport PRs beyond their assigned week to instead handing the backport PRs over to the next tophat to resolve and merge (subject to negotiation with the subsequent hatter) Signed-off-by: Joe Stringer <joe@cilium.io> 25 August 2022, 17:28:20 UTC
ffd0db5 docs/contrib: Add suggestions for review focus This is just documenting a process that we have used regularly during Cilium development over the past years. Signed-off-by: Joe Stringer <joe@cilium.io> 25 August 2022, 17:28:20 UTC
cf343d5 docs/contrib: Improve paragraph formatting The contributors' guide was using ordered lists in places where they don't make sense or don't format correctly. Shuffle the formatting a bit to more clearly denote where things are intended as an ordered list of tasks or just a general description of how the process works. Signed-off-by: Joe Stringer <joe@cilium.io> 25 August 2022, 17:28:20 UTC
e5e801a docs/ci: Update triage steps for current practice We use the "#testing" channel on Slack to coordinate testing issues, and we no longer use the CI triage project to track flakes. Signed-off-by: Joe Stringer <joe@cilium.io> 25 August 2022, 17:28:20 UTC
449cbb9 docs/ci: Fix triage link location This link was pointing to jobs rather than the triage step, which is what other parts of the docs are referring to when they link to this section. Move the link to point to the correct title. Signed-off-by: Joe Stringer <joe@cilium.io> 25 August 2022, 17:28:20 UTC
18f5ce6 ci: Update docs-builder image for documentation workflow We have recently upgraded Sphinx and some of its extensions used for building the docs. There should be nothing breaking, and the documentation should still build with the older image, but it's probably better to validate doc changes with a setup closer to what we're using to deploy the documentation. Joe generated and tagged a new image: let's use it. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 25 August 2022, 17:16:11 UTC