https://github.com/cilium/cilium

Revision Author Date Message Commit Date
8602409 Prepare for release v1.13.0-rc4 Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 22:59:33 UTC
c6bf21d install/kubernetes: Hardcode release, branch variables This fixes a linting failure while preparing releases. Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 22:59:33 UTC
363ca03 Update AUTHORS Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 22:59:33 UTC
abe315d build(deps): bump actions/cache from 3.0.11 to 3.2.0 Bumps [actions/cache](https://github.com/actions/cache) from 3.0.11 to 3.2.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7...c17f4bf4666a8001b1a45c09eb7a485c41aa64c3) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 22 December 2022, 21:27:16 UTC
7e59300 envoy: Support default LB algorithm flag [ upstream commit 19f2ed152a721520a286bac1ea5f62751f6b513a ] The default load balancer algorithm can still be overridden by service annotation (e.g. io.cilium.service/lb-algorithm). Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 21:22:33 UTC
b769039 envoy: Support list of global ports for redirect [ upstream commit 281d95a6ae18c18ffa51d2b44262ad943626cb60 ] This commit is to support envoy redirect for all services having a port number in the list, so that users don't need to annotate them one by one. Just a note that for more customized and advanced use cases, service annotations will still be required. One caveat is that the current CEC operates at the service level, i.e. there is no granular control to only redirect one particular service port. Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 21:22:33 UTC
da45536 envoy: Add annotation support for lb mode [ upstream commit 1c257e35ac2007d67fc8849b500a95477a4bf7bc ] This commit is to add simple mutation function to set LB mode in envoy cluster. By default, round-robin mode is used. Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 21:22:33 UTC
7c8fcb9 envoy: Add upgrade configuration for websocket [ upstream commit 69218ef9a3b3c5280a123191fe87ae6e3378bdf1 ] This commit is to add simple mutation function for grpc service. Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 21:22:33 UTC
70a6102 envoy: Add L7 service loadbalancing capability [ upstream commit c5a2d90be34abef337a434cca1e00a846105f3b1 ] This commit is to add a first cut to support l7 service lb capability via envoy. The base configuration is generated from the service spec; more advanced features via annotations will be added in subsequent commits. Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 21:22:33 UTC
ec5d408 cli: Add configuration flag for service LB [ upstream commit c44b0f037f8a69b456adba2965001db20ad5a19e ] Just to add a CLI flag along with how to configure this flag from helm Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 21:22:33 UTC
a15a817 envoy: Add skeleton for service LB via envoy [ upstream commit 260a90ed5c351a18ea567759bf7bf1379d1ed7e9 ] This commit contains just a simple skeleton for L7 load balancing capability via envoy proxy. There is no processing logic at all right now. Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 21:22:33 UTC
71f0fb5 Update Layer 7 Protocol Visibility Document. [ upstream commit dc7f561207f5084599281279c528b3fe9fdff64b ] Fixes #22615. Signed-off-by: Oksana Baranova <oksana.baranova@intel.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 21:22:33 UTC
861cb67 Enable Google Analytics 4 [ upstream commit 488240f419f40e29875622ae20b98091c0e7e6c7 ] Signed-off-by: Patrice Chalin <chalin@cncf.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 21:22:33 UTC
b92c31c bpf: nodeport: wire up trace aggregation for rev_nodeport_lb6() [ upstream commit ae9dbd87beb8860abc1e0a914d63f14f198a6296 ] Pass the `monitor` feedback from the CT lookup to __encap_with_nodeid(). A previous commit already added this for rev_nodeport_lb4(), so aim for commonality here. Fixes: 428abc92abe8 ("bpf: pipe forwarding reason into traces for TO_OVERLAY") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 21:22:33 UTC
a3c4613 operator: Wait for informers to shut down when stopping [ upstream commit f487647f4b5da61bd047a36d561cc61effe4943c ] Now that the control-plane tests are running multiple test cases against the operator we're seeing more flakes due to global variables that left behind goroutines from previous test cases. For example:

panic: close of closed channel
goroutine 697 [running]:
github.com/cilium/cilium/operator/watchers.UnmanagedKubeDNSPodsInit({0x3ad76a8?, 0xc00083ed40?})
        /home/vagrant/go/src/github.com/cilium/cilium/operator/watchers/pod.go:140 +0x268

The proper fix would be to refactor the operator to not use global variables and implement it as cells with their own Start and Stop hooks that don't leave goroutines behind. Since that refactoring will take significant time, we can apply a band-aid to the flaky test problem by propagating a Context and WaitGroup to the places where goroutines are left behind (as indicated by the goleak check). This commit does not apply this to every feature in the operator due to gaps in test coverage (e.g. operator/pkg/ingress was not modified). Fixes: #22748 Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 21:22:33 UTC
537ad71 hive: Use mutex in DefaultLifecycle [ upstream commit 64866c2b05f8c849f510239599e1457bd401c2f2 ] The DefaultLifecycle is used concurrently in the operator: it is started when the operator is elected leader and stopped when the application stops. In control-plane tests I observed that the operator was stopped before it was fully started, which led to the skipping of stop hooks, which then caused subsequent tests to fail. Fix the issue by adding a mutex to DefaultLifecycle so that Stop() won't observe partial starts. Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 21:22:33 UTC
698cb2a auth: Update conntrack entry [ upstream commit fd24b10253466e09903e5919c51ce4b2d1b1c3fe ] Tell datapath connection is authenticated by clearing the auth_required flag on the conntrack entry. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
d776695 bpf: Enforce zero dst_id for egress [ upstream commit a246aa0ce4f5879219069eb6055ce022f346d280 ] Drop notification 'dst_id' is non-zero only for ingress. By enforcing this, we can detect ingress/egress based on this property when receiving drop notifications. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
7f46106 bpf: Add CT map flag for auth required [ upstream commit 1f7ed72e6b132202caaa085d6774bb62f58ca7b4 ] Add a new conntrack flag for auth required, and create CT entries for connections that are dropped due to not being authenticated yet. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
a1b3422 bpf: Used ENABLE_L7_LB in complexity test [ upstream commit a3f679653c721abe24fd0fececcead4b0b7e646d ] Add -DENABLE_L7_LB=1 to MAX_BASE_OPTIONS to pull that code in for load testing. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
8f49b9f bpf: Skip policy enforcement for return traffic [ upstream commit c9d40dd416f0e41acf6fc905b6f19a2ef80fee51 ] Policy lookup results were already ignored for return traffic, so we can skip policy lookup for CT_REPLY and CT_RELATED altogether. This allows simplification of the policy verdict reporting logic as well. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
dcdfdd4 bpf: Flip emit_policy_verdict logic [ upstream commit a7a1add00cf133b6bcf6fac125add3a2681fc7f1 ] Set 'emit_policy_verdict' to 'true' only if policy lookup is performed. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
8ec3b7a bpf: Make proxy_port an explicit parameter to policy lookup [ upstream commit be21f8849ccf778d68f16101ffd44b5a6c855391 ] Later on we need to be able to return both a drop reason and a proxy port, so make proxy port an explicit parameter rather than folding it into the function return value. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
e70c8bd examples: Add auth policy example [ upstream commit e4685f21317709ab06713e5fbd3ee70bf2101d45 ] Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
758c20a bpf: Add drop due to missing authentication [ upstream commit 9882a4946e3e608b5100caef1d18de752bc87865 ] Add new drop reason for missing authentication. Pass authentication type as extended error in the drop event. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
68b8bab policy: Add Auth member to CNP ingress and egress [ upstream commit df0eebc1e713a1f183c592349f064be3e1d3c4cf ] Add optional Auth object to L3 policy (ingress/egress) rules. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
168fd2f policy: Refactor per-selector policy handling [ upstream commit 67b14602c4cf5e16b9cba65894c64f91313cc97d ] Rename L7RulesPerSelector in L4Filter as PerSelectorPolicies, as the map values already hold more than just the L7 rules (e.g., if the L3 or L4 rule is a deny rule or not). Following commits will add more non-L7 related fields, which would be even more confusing with the old name. JSON name 'l7-rules' is kept for backwards compatibility, should consider if backwards compatibility is needed here, though. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
7dbab33 daemon/cmd: improve stale cilium endpoint error handling. [ upstream commit cec554b5e9c9acfc77eaff8e3983c9d97e408a24 ] A CEP that is already gone by the time cleanup occurs (but may still be attempted to be cleaned up due to it still being in Cilium's k8s cache) should be skipped. This happens occasionally in CI as Pods/CEPs are deleted in close proximity to Cilium agent restarts. Logging the error was causing the tests to fail unnecessarily. This captures the NotFound case separately and instead logs an info message. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
a71e6b4 Add sphinxcontrib-googleanalytics to doc requirements [ upstream commit 4bc562961138d2877f662a9b211c880e3c9dfc8a ] Signed-off-by: Patrice Chalin <chalin@cncf.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
c4ea211 ci: Replace deprecated `hubble observe -o json` with `-o jsonpb` [ upstream commit 31093c19abf790ac45f9f0dbfd60949d607d04e3 ] This commit replaces the use of the deprecated `-o json` flag on Hubble observe with `-o jsonpb`. Future versions of Hubble will make `-o json` an alias to `-o jsonpb`, so this commit should be future-proof. The new output wraps each flow in a `GetFlowsResponse`, meaning the old object is now accessible in the `.flow` attribute. All jsonpath queries in the code have been changed to reflect this change. Notably, some parts of CI (namely the `hubble-flows-*.json` files used for troubleshooting CI flakes) already used `-o jsonpb` and thus this commit should not cause any change in the usual CI troubleshooting workflow. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
ed5dddb test: service: fix formatting of error msg in doFragmentedRequest() [ upstream commit 965ca0d4c035f0069a9412e01c2b9c38f4cdd884 ] Fix up the string formatting to include the `dstIP` parameter. Spotted in a Jenkins run: /home/jenkins/workspace/Cilium-PR-K8s-1.26-kernel-net-next/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:515 Failed to account for INGRESS IPv4 fragments in BPF metrics%!(EXTRA string=10.100.188.224) Fixes: 938b4940f92b ("bpf: add metrics for fragmented IPv4 packets") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
3df41f9 Add tests for hubble metrics handlers: Drop, Tcp, PortDistribution. [ upstream commit 00eb46e733d8aac2616d10a62c15387caf399157 ] Signed-off-by: Marek Chodor <mchodor@google.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
a67b58c fqdn: dnsproxy: fix data race in dns proxy implementation [ upstream commit 06c5754b4dfa822553484d9615ad18dc0a0bcbfb ] A recent commit patched dnsproxy to configure a net.Dialer for every outgoing request. However, the dialer was assigned to a single shared copy of dns.Client, which led to data corruption. Create a new dns.Client each time we do a client, so the state is not shared between threads. Fixes: cf3cc16289b762 ("fqdn: dnsproxy: fix forwarding of the original security identity for TCP") Signed-off-by: Anton Protopopov <aspsk@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
fde2848 cilium: Add deprecation warning for service ids [ upstream commit e50bf2e726b98fb75a6bdaa5a5066d7e86dc69b7 ] The NodePort service frontends are currently expanded early in the K8sWatcher and the IDs used by datapath are allocated for these expanded frontends in pkg/service. A NodePort frontend is created for the Node IP and other routable IPs on the system. As this is now something that can be reconfigured at runtime when devices change, we would like to make the frontend expansion and the service and backend identifiers implementation details of the datapath and not expose them to the user via the REST API (PUT /service/{id}) or the "cilium service update" command. In v1.14 we will implement this by changing the {id} from int into a string (something like "1.2.3.4:80:TCP" or "[f00d::1]:80:TCP"). We're expecting this change to only affect standalone load-balancer users that are using the "cilium service" commands directly. We do not expect there to be direct use of the "/service/" REST endpoints. Based on this we deem the backwards incompatible change to the type of the {id} parameter acceptable. In order to give advance warning to the users, this commit adds deprecation warnings to the cilium-agent logs when the /service endpoints are used and to the cilium command-line utility when "cilium service update" or "cilium service delete" is used. Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
7f45566 backporting: leave backport/author PRs alone [ upstream commit 396135588213aaabf9de60d6bed5d041b590d3eb ] This label means that the backport will be performed by the author, and thus the backporting automation should ignore it. It's okay to not filter by backport-done/<branch> because these labels should not be present at the same time. (Notably, if resiliency was the intention, we should already be filtering backport-pending too.) Signed-off-by: David Bimmler <david.bimmler@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
a745194 bpf: add drop notification for missed L7 LB tailcall in to-netdev [ upstream commit 49db46744e981f73cc690b3768c2915373b2a930 ] cil_to_netdev() is the upper-most function in the program. So don't just return a raw DROP reason to the kernel, but translate it to CTX_ACT_DROP and raise a drop notification. Fixes: d1d8e7a35b35 ("datapath: Add support for re-entering LXC egress path after L7 LB") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
079a787 install/kubernetes: make securityContext SELinux options configurable [ upstream commit 76837ead2978467e1033ee40c35d7a26beadf39d ] Make the hardcoded SELinux options in the helm charts configurable. Fixes #22703 Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
6e8656d .github: manually clean up RBAC artifacts [ upstream commit 43cb8e9124d0a0fa42644dc45c5a545e5acb5521 ] [ Backporter's notes: Dropped changes to files deleted from v1.13 tree. ] We just need this until https://github.com/cilium/cilium-cli/issues/1257 is fixed. The problem is that, right now, reinstalling after "cilium uninstall" is broken. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
ef36e2b install/kubernetes: label all RBAC objects [ upstream commit 08b33b27c0d6457bb7e809dd860a14bb192652a2 ] This is so we can delete them as part of cleanup. Also, it's good practice, especially for non-namespaced objects (ClusterRole / ClusterRoleBinding). Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
b42dfb8 Documentation: add additional place where CRDs must be referenced [ upstream commit 1ef7889f485e271da9b6dac12908a5c06ef5d551 ] The existing documentation missed a point where new CRDs need to be added. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
2e02845 helm: wire in the config-builder [ upstream commit 0dbde96dd504ddb5d35e3c5b28a6833535fa79b3 ] This changes the agent daemonset to use the config-builder rather than directly reading from the ConfigMap. This adds an initContainer that does the configuration resolution and writes to a temporary directory. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
0a2a08e cmd: add build-config command [ upstream commit 6c62ce6b0a7da963cd39c2faa965ff4b21cdedc1 ] The build-config command is responsible for doing configuration resolution on the node. By default, it retrieves ConfigMaps, CiliumConfigOverrides, and Node objects. However, the list of sources is customizable. The intended usage is to allow administrators to roll changes out in a controlled manner to a cluster. This implements the proposed "Per-node configuration overrides" feature. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
9939170 CRDs: add CiliumNodeConfig CRD and scaffolding [ upstream commit 884ccc1398096fb6d61478a5bd8e326dbda3edce ] This generates the CiliumNodeConfig type, a new way to set configuration overrides on a set of nodes. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
9cb2a81 gh/workflows: Enable encryption tests in conformance DP [ upstream commit 843c07276ac6029e86d78b60d3bd9f4aff98e8a0 ] The encryption test details - https://github.com/cilium/cilium-cli/pull/1241. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
8106e52 bpf: Preserve overlay->lxc path with kube-proxy [ upstream commit 3d2ceaf3b24d8f9dcbb96ee00b077c0226069ba4 ] The previous commit changed the packet handling on the path overlay->lxc to fix a bug. More precisely, when endpoint routes are enabled, we won't enforce ingress policies on both the overlay and the lxc devices but only on the latter. However, as a consequence of that patch, we don't go through the policy-only program in bpf_lxc and we therefore changed the way the packet is transmitted between overlay and lxc devices in some cases. As a summary of changes made in the previous patch, consider the following table for the path overlay -> lxc. Before the previous patch:

| Endpoint routes | Enforcement     | Path                 |
|-----------------|-----------------|----------------------|
| Enable          | overlay AND lxc | bpf_redirect if KPR; |
|                 |                 | stack otherwise      |
| Disabled        | overlay         | bpf_redirect         |

Now:

| Endpoint routes | Enforcement | Path         |
|-----------------|-------------|--------------|
| Enable          | lxc         | bpf_redirect |
| Disabled        | overlay     | bpf_redirect |

The previous patch intended to fix the enforcement to avoid the double policy enforcement, but it also changed the packet path in case endpoint routes are enabled. This patch now fixes this by adding the same exception we have in bpf_lxc to the l3.h logic we have. Hence, with the current patch, the table will look like:

| Endpoint routes | Enforcement | Path                 |
|-----------------|-------------|----------------------|
| Enable          | lxc         | bpf_redirect if KPR; |
|                 |             | stack otherwise      |
| Disabled        | overlay     | bpf_redirect         |

I've kept this in a separate commit from the previous one in an attempt to split up the logic and more clearly show the deltas. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
f9ad3c9 datapath: Don't enforce policies at overlay if ep routes are enabled [ upstream commit e49ab12c9765c71fb13a58a40e25bf4be324c23e ] When endpoint routes are enabled, we should enforce ingress policies at the destination lxc interface, to which a BPF program will be attached. Nevertheless, today, for packets coming from the overlay, we enforce ingress policies twice, once at the e.g. cilium_vxlan interface and a second time at the lxc device. This is happening for two reasons:

1. bpf_overlay is not aware of the endpoint routes settings so it doesn't even know that it's not responsible for enforcing ingress policies.
2. We have a flag to force the enforcement of ingress policies at the source in this case. This flag exists for historic reasons that are not valid anymore.

A separate patch will fix reason 2 above. This commit fixes reason 1 by telling bpf_overlay to *not* enforce ingress policies when endpoint routes are enabled. Note that we do not support the case where some endpoints have endpoint routes enabled and others don't. If we did, additional logic would be required. Fixes: 3179a4773 ("datapath: Support enable-endpoint-routes with encapsulation") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
aeb5fc6 test/helpers: Fix retry condition for CiliumExecContext [ upstream commit dab8723c01c94998fd082ae1630a58f62f19658f ] Previously, 11cb4d0bad8 assumed that 137 was the exit code for when a process exits due to a SIGKILL. However, upon reading the Go source code as of 1.20 rc1, this is not the case, and -1 is set for all exit codes due to signals [1]. Fixes: 11cb4d0bad8 ("test: Keep trying exec if killed") Fixes: https://github.com/cilium/cilium/pull/22570 [1]: https://github.com/golang/go/blob/go1.20rc1/src/os/exec_posix.go#L128-L130 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
f3ffc18 test/helpers: Use switch case for readability [ upstream commit bf3fd5fcf92b2404b935e00f0fcf58065a1ebbdd ] Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
5f77413 test/helpers: Disambiguate executor logs [ upstream commit 527f5fd59356387d9a3f7136d0c21904fd275038 ] This makes it much easier to track down which code path the executor logs are coming from, so that when debugging issues, we can focus on the relevant code path. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
52a4464 policy: Add CRD Listener support for egress policies [ upstream commit 9159609ad757cf259a48f4ec932ecd302f433a52 ] Add `listener` field to CNP and CCNP, that causes traffic to the specified port(s) to be redirected to the named Envoy listener. If the listener does not exist the traffic is not allowed at all. When `listener.envoyConfig.kind` is left out it defaults to namespaced `CiliumEnvoyConfig` for rules in namespaced policies (CNP) or to cluster-scoped `CiliumClusterwideEnvoyConfig` for rules in cluster-scoped policies (CCNP). Namespaced policies can also refer to cluster-scoped listeners with an explicit `listener.envoyConfig.kind: CiliumClusterwideEnvoyConfig`. Cluster-scoped policies cannot refer to namespaced listeners. Endpoint policies are regenerated whenever Envoy listeners change to update potential listener redirections in the bpf policy maps. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
9818303 envoy: Move resourceQualifiedName() to policy/api [ upstream commit ede26fb9542f47ed48a3dfb75867e7d32e596fd4 ] Move resourceQualifiedName() to policy/api and export it so that it can be used in policy as well as in envoy package. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
2b414da proxy: Find CRD proxy ports by name instead of by type [ upstream commit 06ed0a453d5b3d903971ac35f0b598e6e2415c1a ] Find CRD proxy port by name instead of type. This is needed for enabling CEC CRD defined listeners to be used in CNPs. Prior to this CRD proxy ports did not use this code path, which is only called from endpoint policy updates, so there was no need to find CRD proxy ports by name. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
428f3f5 proxy: Do not create Envoy redirects for listeners defined in CEC CRDs [ upstream commit aff0655ee436fc22005b34ea631709a18d02b1c8 ] Add a new no-op CRDRedirect type to be used with Envoy listeners defined in CEC CRDs. In this case the listeners already exist and new Envoy Listener resources do not need to be created for them. This is needed for the forthcoming policy feature where policy can refer to a Listener defined in CEC CRD. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
79c516a proxy: use egress in test as CRD proxy ports only work for egress for now [ upstream commit a679c40a7de6148bcb56315be7b4c5f41adfb985 ] Specify proxy port as egress (or not-ingress) in test cases as the datapath currently supports ProxyTypeCRD only for L7 LB which is always on the egress path. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
0aae324 envoy: Configure CEC Listeners without L7LB for policy redirection [ upstream commit 41fe8c85d3ff4c3a21c7d33046d34641c9e5d3b7 ] Tell envoy.ParseResources() if the resources are intended for a L7 load balancer. If so, the Envoy filter chain is configured to not use the original source address and to use the socket mark as the source endpoint ID. This was the current behavior with all CEC CRDs. When the CEC CRD does not contain a frontend service that is redirected to the defined listener, then the new 'isL7LB' flag is passed as 'false'. In this case the Envoy filter chain is configured to allow use of the original source address, and to mark the upstream socket with the numeric source security identity. This is also the way in which Cilium uses Envoy Listener filter chains when enforcing policy for HTTP, for example. In this mode L4 LB is assumed to have taken place, if applicable, before traffic is redirected to the Envoy listener. Prior to this change CEC CRDs were mostly only usable for L7 LB uses, such as with Cilium Ingress. After this change CEC CRDs without a Service redirect can be used in place of Cilium policy enforcement filter chains, if desired. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
242ac0e envoy: Inject Cilium Envoy filters to CEC with TcpProxy filter [ upstream commit 0036e24c0c0586a5093d67d85f0c117170a7f126 ] Support injecting Cilium Network filter also to TcpProxy filter chains. This enables SNI and other L3/L4 policy enforcement features also on custom Envoy listeners applied via Cilium Envoy Config resources that contain Envoy filter chains using TcpProxy filter, in addition to Http Connection Manager filter. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
5d6c4aa envoy: Wait for Cluster before Listeners [ upstream commit 7b0145965620089ac46d5b5e33708266da6c2505 ] Listener config can fail if we don't wait for clusters to be configured first, so wait for clusters to be configured if both clusters and listeners are configured at the same time. While failure like this was once seen on local testing for the custom listener support in a CNP, similar failure could also happen for Cilium Ingress and Gateway API. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
a184301 policy: Cache redirect status on PerSelectorPolicy [ upstream commit 27861aea01cd7da4d31f16a15a4450708df8fdd4 ] Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
c29651f policy: Add ParserTypeCRD [ upstream commit 38589e79839cd772cffdcebcc8f4586c79a8e08f ] Add a sticky parser type for CiliumEnvoyConfig CRDs. This will be used for policy based redirect to custom Envoy listeners. While CRD parser type will be redirected to Envoy, it is generally handled by a custom Listener, which may not perform HTTP policy enforcement. Thus this parser type is incompatible with HTTP rules. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
dbdfa13 policy: Precompute redirect type on Attach() [ upstream commit 9eb0bfb50ed20fa15cb3bb639c98cf35e40a3058 ] Optimize policy processing by precomputing redirect types for the policy when ready to avoid multiple scans of the policy filters later. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
9af718f daemon, fqdn: Fix race between parallel DNS requests for the same name [ upstream commit 604eb210915faeeee90ccb7514168976804e5efc ]

It is possible for parallel DNS requests handled by separate goroutines (controlled by --dnsproxy-concurrency-limit) to race if they are for the same DNS name, i.e. both goroutines handling cilium.io. Here is a diagram for this race:

```
G1                                  G2
T0 --> NotifyOnDNSMsg()             NotifyOnDNSMsg() <-- T0
T1 --> UpdateGenerateDNS()          UpdateGenerateDNS() <-- T1
T2 ----> mutex.Lock()               +---------------------------+
                                    |No identities need updating|
T3 ----> mutex.Unlock()             +---------------------------+
T4 --> UpsertGeneratedIdentities()  UpsertGeneratedIdentities() <-- T4
T5 ----> Upsert()                   DNS released back to pod <-- T5
                                              |
T6 --> DNS released back to pod               |
           |                                  |
           |                                  |
           v                                  v
Traffic flows fine                  Leads to policy drop
```

Note how G2 releases the DNS msg back to the pod at T5 because UpdateGenerateDNS() was a no-op. It's a no-op because G1 had executed UpdateGenerateDNS() first at T1 and performed the necessary identity allocation for the response IPs. Due to G1 performing all the work first, G2 executes T4 also as a no-op and releases the msg back to the pod at T5 before G1 would at T6.

The above results in a policy drop because it is assumed that when the DNS msg is released back to the pod / endpoint, then the ipcache has been updated with the proper IP <-> identity mapping. In other words, because G2 releases the DNS msg back to the pod / endpoint, the app attempts to use the IPs returned in the DNS response, but the ipcache lookup fails in the datapath because the IP <-> identity mappings don't exist. In essence, this is a race between DNS requests to the ipcache.

To fix, we create a critical section when handling the DNS response IPs. Allocating identities and associating them to IPs in the ipcache is now atomic because of the critical section. This is especially important as we've already seen when multiple DNS requests are in-flight for the same name (i.e. cilium.io).

The critical section is implemented using a fixed-size array of mutexes. Why? Because the other options (listed below) all have flaws which may result in drops.

Other options considered:

1) A map of mutexes keyed on DNS name
2) A map of mutexes keyed on set of DNS response IPs
3) A map of mutexes keyed on endpoint ID
4) A slice of mutexes with hash based on individual IPs from the set of DNS response IPs

(1) could cause a race between the DNS response IPs from `a.com` and the set of DNS response IPs from `b.com`, especially if the sets are the same.
(2) could race between a super / subset of DNS response IPs, i.e. only an intersection of sets would have protection. Any IPs that are not in the intersection are vulnerable to race.
(3) could cause a race between different endpoints querying the same name, i.e. two endpoints querying cilium.io.
(4) could work, but this approach is not ideal as the slice scales with the number of unique IPs seen by the DNS proxy. This has memory consumption concerns.

Therefore, we opt for a fixed-size array of mutexes where we hash the individual IPs from the set of DNS response IPs. For example, say we attempt to resolve cilium.io and the response IPs are A and B.

```
hash(A) % mod = 8
hash(B) % mod = 3
```

where mod is --dnsproxy-lock-count, i.e. the size of the array. What's returned is a slice containing the above array indices, sorted in ascending order. This is the order in which the mutexes must be locked and unlocked. To be specific, [3, 8] is the sorted result and it means we acquire & release the mutex at index 3 and then do the same for the mutex at index 8.

What this does is essentially serialize parallel DNS requests which involve the same IP <-> identity mappings in the ipcache. It's possible that the hashes of the IPs collide (map to the same mutex) when the IPs are different, but this is OK because it's overprotecting, rather than underprotecting, which the other options above suffer from. Overprotecting results in a small performance hit because we are potentially serializing completely different / unrelated DNS requests, i.e. no intersection in the response IP sets.

For --dnsproxy-lock-count, a default of 128 was chosen as a reasonable balance between memory usage and hash collisions for most deployments of Cilium. An increased lock count will result in more memory usage, but faster DNS processing as there are fewer IP hash collisions, and therefore fewer mutexes to acquire. A decreased lock count will save memory at the cost of slower DNS processing as the IP hash collisions are more likely, and this tends towards behavior similar to a single, shared mutex. Users who need to tune this value because they have many parallel DNS requests (1000s) can make the trade-off of using more memory to avoid hash collisions. It's worth mentioning that the memory usage is for storing an instance of a mutex, which is 64 bits as of Go 1.19 [1].

Benchmark run comparing the code before this commit, changing the fixed-size array to one to simulate a single mutex, and this commit (multiple-locks):

```
$ go test -v -tags integration_tests ./daemon/cmd -check.b -check.bmem -check.f DaemonFQDNSuite.Benchmark_notifyOnDNSMsg -test.benchtime 100x -test.count 8
```

```
$ benchstat no-lock.txt single-lock.txt multiple-locks.txt
name \ time/op     no-lock.txt   single-lock.txt  multiple-locks.txt
_notifyOnDNSMsg    93.2µs ± 9%   179.6µs ± 3%     143.2µs ±28%

name \ alloc/op    no-lock.txt   single-lock.txt  multiple-locks.txt
_notifyOnDNSMsg    36.5kB ± 2%   35.3kB ± 0%      33.8kB ± 1%

name \ allocs/op   no-lock.txt   single-lock.txt  multiple-locks.txt
_notifyOnDNSMsg    485 ± 1%      474 ± 0%         453 ± 1%
```

Reproducing the bug and performance testing on a real cluster included running the 3 different modes and comparing the average processing time of the DNS proxy code. The cluster was 2 nodes with 32 replicas of the following workload:

```
# websites.txt contains different common URLs, some duplicated.
while [[ true ]]; do
    curl --parallel --parallel-immediate --parallel-max 5 --config websites.txt
    sleep 0.25s
done
```

No lock: 4.61ms, 18.3ms
Single lock: 7.42ms, 18.3ms
Multiple locks: 5.25ms, 17.9ms

[1]: https://cs.opensource.google/go/go/+/refs/tags/go1.19.3:src/sync/mutex.go;l=34

Co-authored-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
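The fixed-size mutex array and the DNS-response critical section described in this commit, as an added example that is not Cilium's own code: response IPs hash to sorted, de-duplicated mutex indices, and the allocate-then-upsert path runs under those locks. The FNV hash, the `lockCount` constant standing in for --dnsproxy-lock-count, and the `fakeCache` stand-in for identity and ipcache state are assumptions, not taken from the tree.

```go
package main

import (
	"hash/fnv"
	"net/netip"
	"runtime"
	"sort"
	"sync"
)

// lockCount plays the role of --dnsproxy-lock-count (128 is the default the commit
// describes); ipLocks is the fixed-size mutex array, indexed by hash(IP) % lockCount.
const lockCount = 128
type ipLocks struct{ locks [lockCount]sync.Mutex }

// indices returns the sorted, de-duplicated mutex indices for a set of response IPs. Sorted
// order is the global lock order (overlapping sets cannot deadlock); dropping duplicates
// avoids locking one mutex twice when two IPs collide on the same index.
func (l *ipLocks) indices(ips []netip.Addr) []int {
	seen := map[int]bool{}
	var idx []int
	for _, ip := range ips {
		h := fnv.New32a()
		b := ip.As16() // 16-byte form covers IPv4 and IPv6 alike
		h.Write(b[:])
		if i := int(h.Sum32() % lockCount); !seen[i] {
			seen[i], idx = true, append(idx, i)
		}
	}
	sort.Ints(idx)
	return idx
}
// lock acquires the mutexes in ascending order and returns the matching unlock.
func (l *ipLocks) lock(idx []int) (unlock func()) {
	for _, i := range idx {
		l.locks[i].Lock()
	}
	return func() {
		for j := len(idx) - 1; j >= 0; j-- {
			l.locks[idx[j]].Unlock()
		}
	}
}

// fakeCache is a constructed stand-in: allocated = identity allocated (UpdateGenerateDNS),
// ipcache = mapping upserted (UpsertGeneratedIdentities).
type fakeCache struct { mu sync.Mutex; allocated, ipcache map[netip.Addr]bool }

// notifyOnDNSMsg models the response path: phase 1 allocates identities for IPs that have
// none, phase 2 upserts only those (a no-op for the loser of the race). With serialize set,
// both phases run inside the per-IP critical section. It returns true when every IP has an
// ipcache mapping at the moment the DNS message is "released" back to the pod.
func notifyOnDNSMsg(l *ipLocks, c *fakeCache, ips []netip.Addr, serialize bool) bool {
	if serialize {
		defer l.lock(l.indices(ips))()
	}
	var fresh []netip.Addr
	c.mu.Lock()
	for _, ip := range ips {
		if !c.allocated[ip] {
			c.allocated[ip] = true
			fresh = append(fresh, ip)
		}
	}
	c.mu.Unlock()
	runtime.Gosched() // widen the gap between T1 and T4 so the unserialized race shows
	c.mu.Lock()
	defer c.mu.Unlock()
	for _, ip := range fresh {
		c.ipcache[ip] = true
	}
	for _, ip := range ips {
		if !c.ipcache[ip] {
			return false // released to the pod before the other goroutine's upsert landed
		}
	}
	return true
}
```

Running many goroutines with `serialize=false` against the same IP set can return false (the policy-drop case); with `serialize=true` every call returns true.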
5059424 daemon, cmd: Add benchmark for notifyOnDNSMsg() [ upstream commit 25fa14c4f98e594674b475f5a74b7809e866c94e ]

This allows us to stress / benchmark the main callback function of the DNS proxy within Cilium. This callback is called on each DNS request and response made by each endpoint managed by Cilium. For this commit, we are only considering the DNS response path because it is the path which contains the most work to be done. This includes policy calculation, identity allocation, and ipcache upsert. It is useful to establish baseline performance numbers so that we can compare against changes to this code path. In the following commits, a mutex will be added to this path to fix a race condition during parallel DNS response handling.

Baseline:

```
$ go test -v -tags integration_tests ./daemon/cmd -check.b -check.bmem -check.f DaemonFQDNSuite.Benchmark_notifyOnDNSMsg -test.benchtime 100x
...
PASS: fqdn_test.go:180: DaemonFQDNSuite.Benchmark_notifyOnDNSMsg 20000 96078 ns/op 36567 B/op 482 allocs/op
```

Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
fc1e81a gha: Add retry mechanism for conformance ingress (shared) [ upstream commit 303d2e7cd970582fa477d65314607fc97e725e9c ] This is to make sure http retry was done as part of the test. Fixes: #21710 Fixes: #21993 Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
ce54e5a clustermesh: Add test case for the case that cluster config is missing [ upstream commit 398cf5e051c49a46941d1efedf9659740d80f52c ] For compatibility with an old Cilium that doesn't support cluster configuration feature, we should be able to connect to the remote cluster even if the configuration is missing. Test it. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
1f94efe clustermesh: Implement a basic connect-time validation [ upstream commit 5e5a26e5da4dc2dba3afa006bc401c8fab3b739a ] Implement a basic connect-time validation using CiliumClusterConfig. clustermesh-apiserver is modified to set local CiliumClusterConfig at start-up time, and cilium-agent is modified to get the CiliumClusterConfig of remote clusters and validate it. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
413bc43 clustermesh: Add helper functions to set/get cluster configuration [ upstream commit b24973ebb1e859df9cea0731515e6b3336fd14f6 ] Add helper functions to set/get cluster information on kvstore. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
6580b31 clustermesh: Introduce CiliumClusterConfig [ upstream commit 857060bbcf07c667f6586ad4130f30d2d8f95aea ] Add a new type CiliumClusterConfig which represents a cluster configuration. This will be serialized and stored into kvstore during the clustermesh-apiserver startup time. Later on, cilium-agent on each node reads it when connecting to new clusters. The current use case of this is getting ClusterID at connect time, but by exposing the cluster configuration, we can also do some useful validation such as - Make sure the cluster id is not conflicting with existing clusters. - Make sure the new cluster doesn't have any capability mismatch. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
cb37337 daemon: Do not remove PERM L2 entries in L4LB [ upstream commit ced77b3fb6fb1a6fa8207c3927e1e54559542f7f ] In the L4LB mode, the PERM L2 entries are managed by users. So, in this mode Cilium should not mess with them. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
0f407c6 ipam/crd: Fix agent fatal on router initialization [ upstream commit 4d7acac3d875e5ce20681db350df97dfcee204a9 ]

Currently, when a cilium-agent in eni/alibabacloud mode initializes router info, it might encounter the following fatal:

```
level=fatal msg="Error while creating daemon" error="failed to create router info invalid ip: " subsys=daemon
```

The gateway IP of routing info is derived from the CIDR of the subnet, but the eni.Subnet.CIDR in InstanceMap is set as empty after ENI creation. In normal cases it will be filled by a later resyncTrigger after maintainIPPool. But if another goroutine (periodic resync or pool maintainer of another node) happens to sync the local InstanceMap cache to k8s, cilium-agent would be informed of that ENI IP pool with an empty cidr and router IP allocation would fatal due to the empty gateway IP. This patch fixes this by filling the CIDR right after ENI creation.

Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
5394028 Introduce v3 backend maps [ upstream commit c6e53ea42bccbe8507e7df0f49319a2a853c054e ] Extend current backend map values (struct lb4_backend and struct lb6_backend) to contain a new cluster_id field. With this field, we can distinguish two backends which have the same IP address, but belong to different clusters. Since we don't have available padding bit for both structs anymore, we need to extend the structs and bump the map version as well. This commit also contains migration code from v2 backend map to v3 backend map. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
03e030b clustermesh: Add some helper functions required for v3 backend map [ upstream commit 0f2f3fec244e4d961587a439991e610333779832 ] Add some missing helper functions to implement v3 backend map. 1. A new AddrCluster constructor AddrClusterFrom 2. A new method of AddrCluster to extract ClusterID Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
34d33ca test/l4lb,nat46x64: pass k8s api server to the standalone proxy [ upstream commit bdc23f536b65605d1e7ea5744182e66fb0bd804c ] These tests deploy the standalone agent in a funny way; using the existing helm chart, but not configuring it fully. This breaks the config-resolver, which expects to be able to reach a functioning in-cluster apiserver. So, just pass the correct apiserver to the config resolver. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 22 December 2022, 02:25:07 UTC
8530948 chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 27cb6e6 Signed-off-by: Renovate Bot <bot@renovateapp.com> 21 December 2022, 03:29:16 UTC
b1ee33b build(deps): bump github/codeql-action from 2.1.36 to 2.1.37 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.36 to 2.1.37. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/a669cc5936cc5e1b6a362ec1ff9e410dc570d190...959cbb7472c4d4ad70cdfe6f4976053fe48ab394) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 21 December 2022, 03:16:54 UTC
bf584b7 build(deps): bump helm/kind-action from 1.4.0 to 1.5.0 Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/helm/kind-action/releases) - [Commits](https://github.com/helm/kind-action/compare/9e8295d178de23cbfbd8fa16cf844eec1d773a07...d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00) --- updated-dependencies: - dependency-name: helm/kind-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 December 2022, 21:59:27 UTC
50e509f build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/d0a58c1c4d2b25278816e339b944508c875f3613...6edd4406fa81c3da01a34fa6f6343087c207a568) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 December 2022, 21:58:37 UTC
694cf32 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 10 December 2022, 12:02:15 UTC
c98398f chore(deps): update base-images Signed-off-by: Renovate Bot <bot@renovateapp.com> 10 December 2022, 12:02:15 UTC
e845e1d Prepare v1.13 stable branch The only curious thing here is to bump the v2alpha1 schema version down to match the v2 schema version. The minor version was inadvertently bumped in the tree recently, but we only need to bump the minor when we create a new minor branch. Some scripts also expect that the schema versions match between v2 and v2alpha1. Signed-off-by: Joe Stringer <joe@cilium.io> 09 December 2022, 11:26:06 UTC
5f7ac91 chore(deps): update docker.io/library/alpine docker tag to v3.17.0 Signed-off-by: Renovate Bot <bot@renovateapp.com> 09 December 2022, 10:08:16 UTC
dbc4a20 build(deps): bump github.com/hashicorp/consul/api from 1.17.0 to 1.18.0 Bumps [github.com/hashicorp/consul/api](https://github.com/hashicorp/consul) from 1.17.0 to 1.18.0. - [Release notes](https://github.com/hashicorp/consul/releases) - [Changelog](https://github.com/hashicorp/consul/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/consul/compare/api/v1.17.0...api/v1.18.0) --- updated-dependencies: - dependency-name: github.com/hashicorp/consul/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 09 December 2022, 10:06:05 UTC
80be2cb build(deps): bump github/codeql-action from 2.1.35 to 2.1.36 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.35 to 2.1.36. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/b2a92eb56d8cb930006a1c6ed86b0782dd8a4297...a669cc5936cc5e1b6a362ec1ff9e410dc570d190) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 09 December 2022, 10:05:39 UTC
d96e6f0 build(deps): bump golang.org/x/sys from 0.2.0 to 0.3.0 Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/golang/sys/releases) - [Commits](https://github.com/golang/sys/compare/v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 09 December 2022, 10:05:19 UTC
09f0ac5 build(deps): bump go.opentelemetry.io/otel from 1.11.1 to 1.11.2 Bumps [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) from 1.11.1 to 1.11.2. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.11.1...v1.11.2) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 09 December 2022, 10:03:04 UTC
6462a4b Revert "per-node configuration overrides" pull request This reverts commits 07c8039c49a1971748c2507021107de961635ce6, 868dc464d1612a20f0458dc3b3b9dfa4379c6cdc, ea7bb8f4370580907120682ca81156f05790626b, eef66792055d62923606b30b784c293b389b574b, cf7b01caecdf66e959135078fbd8d2fa5bf318d0, and 24bab1bb7aaf5bfcf93882eeb64d82cbb014f170. This pull request is currently causing the L4LB workflow to fail because the new cilium build-config command expects a connection to kube-apiserver, which we don't have in the standalone load balancer. Signed-off-by: Paul Chaignon <paul@cilium.io> 09 December 2022, 00:50:40 UTC
82b9a8e docs: gettingstarted: add a note about EKS aws-node daemonset issues Add a note about aws-node flushing Linux routing tables which could cause connectivity issues if Cilium is uninstalled through the cli. Also suggest that deleting aws-node daemonset prior to Cilium installation is recommended. Suggested-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 08 December 2022, 22:02:34 UTC
7a6b4d9 docs: installation: update eks install steps to patch aws-node daemonset Update the EKS helm install guide to patch the aws-node daemonset instead of deleting it prior to installation. That aligns with how the cilium cli install works and also the EKS tests. Also a minor style fix - remove the `` around aws-node because they don't get rendered properly in that section (i.e. they're written as-is). Suggested-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 08 December 2022, 22:02:34 UTC
57765a4 workflows: Reduce verbosity of connectivity tests This commit simply extends 8f66eea9 ("workflows: Reduce verbosity of connectivity tests on AKS") to the GKE and Datapath workflows by removing timestamps (already included in GitHub workflow logs) and debug logs for the connectivity tests. Signed-off-by: Paul Chaignon <paul@cilium.io> 08 December 2022, 17:16:15 UTC
56ae61a workflow: Reenable IPsec tests in EKS for v1.12 I thought I double checked, but apparently commit e1464d75b ("Revert "Revert "workflows: Reenable IPsec test in EKS workflow""") missed a workflow where the IPsec test needed to be reenabled. Fixes: e1464d75b ("Revert "Revert "workflows: Reenable IPsec test in EKS workflow""") Signed-off-by: Paul Chaignon <paul@cilium.io> 08 December 2022, 17:11:45 UTC
9ff6404 pkg: Follow Go convention on capitalization According to the golang-lint specification, generic nouns need to be capitalized. Use API instead of Api. Signed-off-by: yulng <wei.yang@daocloud.io> 08 December 2022, 11:44:18 UTC
01651b2 gh/workflows: Tune LVH VM params The tuning has happened due to the LVH action vsn bump which includes the [1] changes - from 2 to 8 CPUs, and from 4GB to 6GB of mem. Also, drop the DNS setting and "set -eu", as this is already done by the LVH action [2]. [1]: https://github.com/cilium/little-vm-helper/pull/25 [2]: https://github.com/cilium/little-vm-helper/pull/23 Signed-off-by: Martynas Pumputis <m@lambda.lt> 08 December 2022, 11:42:00 UTC
8a65959 build(deps): bump certifi from 2022.6.15 to 2022.12.7 in /Documentation Bumps [certifi](https://github.com/certifi/python-certifi) from 2022.6.15 to 2022.12.7. - [Release notes](https://github.com/certifi/python-certifi/releases) - [Commits](https://github.com/certifi/python-certifi/compare/2022.06.15...2022.12.07) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> 07 December 2022, 23:53:39 UTC
07c8039 .github: manually clean up RBAC artifacts We just need this until https://github.com/cilium/cilium-cli/issues/1257 is fixed. The problem is that, right now, reinstalling after "cilium uninstall" is broken. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 07 December 2022, 23:50:38 UTC
868dc46 install/kubernetes: label all RBAC objects This is so we can delete them as part of cleanup. Also, it's good practice, especially for non-namespaced objects (ClusterRole / ClusterRoleBinding). Signed-off-by: Casey Callendrello <cdc@isovalent.com> 07 December 2022, 23:50:38 UTC
ea7bb8f Documentation: add additional place where CRDs must be referenced The existing documentation missed a point where new CRDs need to be added. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 07 December 2022, 23:50:38 UTC
eef6679 helm: wire in the config-builder This changes the agent daemonset to use the config-builder rather than directly reading from the ConfigMap. This adds an initContainer that does the configuration resolution and writes to a temporary directory. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 07 December 2022, 23:50:38 UTC
cf7b01c cmd: add build-config command The build-config command is responsible for doing configuration resolution on the node. By default, it retrieves ConfigMaps, CiliumConfigOverrides, and Node objects. However, the list of sources is customizable. The intended usage is to allow administrators to roll changes out in a controlled manner to a cluster. This implements the proposed "Per-node configuration overrides" feature. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 07 December 2022, 23:50:38 UTC
24bab1b CRDs: add CiliumNodeConfig CRD and scaffolding This generates the CiliumNodeConfig type, a new way to set configuration overrides on a set of nodes. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 07 December 2022, 23:50:38 UTC
26db6e0 build(deps): bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.24.2 to 0.25.0. - [Release notes](https://github.com/go-openapi/runtime/releases) - [Commits](https://github.com/go-openapi/runtime/compare/v0.24.2...v0.25.0) --- updated-dependencies: - dependency-name: github.com/go-openapi/runtime dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 07 December 2022, 23:39:46 UTC
4346315 docs: Add documentation for BGP-CP loadbalancer service announcements This commit updates the existing BGP Control Plane docs to explain the new field in the CRD and how to use it. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 07 December 2022, 23:01:41 UTC