https://github.com/cilium/cilium

Revision Author Date Message Commit Date
53f97a7 Prepare for release v1.14.0-rc.1 Signed-off-by: Joe Stringer <joe@cilium.io> 17 July 2023, 12:10:50 UTC
29211d8 pkg/bpf: add additional unit test to avoid dump bugs/regressions. [ upstream commit 6acedeebbead8747122c761c65f539ad56d72152 ] This test is an improvement on the previous TestDumpReliablyWithCallback test. The goal of this one is to provide more robust testing of the reliable dump mechanism. Specifically, it does the following: 1. Creates a map with a small number of entries and populates it with [1, maxEntries). 2. Starts a goroutine that continuously dumps the map and checks that the dump contains all odd elements in the range [1, maxEntries). 3. At the same time, starts another goroutine that continuously deletes and re-adds even elements in the map. The motivation here is to provide a test that better catches regressions in code that is inherently prone to race conditions. This creates a situation where we have interleaved updates and dumps; we're interested in ensuring that each dump contains all odd elements in the range [1, maxEntries). This will catch bugs and regressions where elements are skipped in the dump. For example, while running this without the fix 74f71841e9c037ddd10bedc3128f3b28cb023597, this will fail a majority of the time. Following this fix, this test should always pass. This was tested locally by running this several times with a million iterations, both with the fix and without. For practical purposes we will lower the number of iterations to 1000 to avoid slowing down the test suite too much. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> 17 July 2023, 07:32:00 UTC
0353ea4 pkg/bpf: fix bug where bpf map entries may not be reliably dumped. [ upstream commit b5312923d9b42dc0ca0c5d5e2758161a7869c4e9 ] DumpReliablyWithCallback will skip a value callback in some situations. This may result in incorrect cilium map dumps or garbage collection. In situations where the initial key is deleted just after being retrieved, there is no previous key to fall back on. The reliable dump will attempt to use the current nextKey (that was based on the deleted current key). The local currentKey and nextKey Key types are being passed to NextKey which eventually writes the nextKey output to the nextKeys pointer location (via the bpf syscall). The currentValue was simply being assigned by the equals operator, which was copying the underlying interface pointer. Thus in this situation, the next iteration attempt was passing the same pointer twice to NextKey, causing the currentKey to be set to the next key a second time and skipping a map element. Fixes #26491 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> 17 July 2023, 07:32:00 UTC
549b51f docs/ipsec: Clarify limitation on number of nodes [ upstream commit 39a9def6c24ff08fc2e7d66d6284586051a30146 ] The limitation on the number of nodes in the cluster when using IPsec applies to clustermeshes as well and is the total number of nodes. This limitation arises from the use of the node IDs, which are encoded on 16 bits. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: André Martins <andre@cilium.io> 17 July 2023, 07:32:00 UTC
42c4977 helm: add default tunnel values in configmap [ upstream commit 881c250c6f76444b92235df05aa13cd32bc8116c ] Signed-off-by: Leonard Cohnen <lc@edgeless.systems> Signed-off-by: André Martins <andre@cilium.io> 17 July 2023, 07:32:00 UTC
f13bc1d .github: add 'name' field for the conformance-e2e job [ upstream commit ce9d4b939b44bf06fef62c2df1d3c933c66cd650 ] jobs.<job>.env.job_name should be the same as the job name. Thus, adding the field 'name' to the job will make sure that connectivity tests junit test results are stored in bigquery for lookerstudio visualization. Fixes: 12d7643ccd0a ("ci/workflows: add junit reports upload") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 17 July 2023, 07:32:00 UTC
eb2aa35 client, health/client: set dummy host header on unix:// local communication [ upstream commit b9ec2aaece578278733e473a72bb5594f621d495 ] Go 1.20.6 added a security fix [1] which leads to stricter sanitization of the HTTP host header in the net/http client. Cilium's pkg/client currently sets the Host header to the UDS path (e.g. /var/run/cilium/cilium.sock), however the slashes in that Host header now lead net/http to reject it. RFC 7230, Section 5.4 states [2]: > If the authority component is missing or undefined for the target URI, > then a client MUST send a Host header field with an empty field-value. The authority component is undefined for the unix:// scheme. Thus, the correct value to use would be the empty string. However, this does not work due to OpenAPI runtime using the same value for the URL's host and the http client's host header. Thus, use a dummy value "localhost". [1] https://go.dev/issue/60374 [2] https://datatracker.ietf.org/doc/html/rfc7230#section-5.4 Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 17 July 2023, 07:32:00 UTC
9222147 docs: Trim down spelling list [ upstream commit e846b71196e4c0cffd95bfe7b0cfd650237b488c ] We have accumulated a number of words in the spelling list over time, and some of them are no longer necessary (especially now that we ignore Helm value names from the Helm reference). Let's trim down the list. The following process was applied: 1. Empty the list of spelling exceptions 2. Run 'make html' to get the command to add missing words (update-spelling_wordlist.sh) 3. Run that command to add all words 4. Remove all entries starting with an upper case from the list, as some of them are unnecessary given that they have a corresponding lowercase entry (which is case-insensitive) 5. Re-run 'make html' to get the command to add the exceptions that are still missing 6. Run that command 7. Manually edit the file to make sure we don't change/add existing entries (no Git addition) 8. Re-add names of contributors that are recognised locally, but that CI fails to recognise because it doesn't have the Git history Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> 17 July 2023, 07:32:00 UTC
6ed2910 docs: Ignore Helm value names for spellcheck [ upstream commit 2e9b20fcf1a7ee002f97e4e84996adde3459762f ] Updating the list of exceptions for spellchecking each time we add a Helm value is painful, and hardly useful at all. It's trivial to mark these strings as ignored to the spell-checker when building the reference, so let's just do that. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> 17 July 2023, 07:32:00 UTC
b6b5797 helm: Allow nodeport allocation for Ingress LB svc [ upstream commit bbdad5d38364ce9d715f57986fa2f11361a326d9 ] This commit is to make sure that users have the option to disable node port allocation for the LB service used by Ingress. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
3e8db02 egressgw: decouple On{Update,Delete}Endpoint from reconciliation logic [ upstream commit ab64a4676b721044d22377b901a6a6fe45f39828 ] by: * making locking more granular by introducing a new pendingEndpointEventsLock lock that protects accesses to the pendingEndpointEvents field * using the endpoint workqueue to also handle CiliumEndpoint deletion events we can completely decouple the On{Update,Delete}Endpoint methods from the reconciliation logic, as the caller will no longer have to block on the main manager lock (which is held during the entire reconciliation process) Signed-off-by: Gilberto Bertin <jibi@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
300d91f egressgw: switch to trigger based reconciliation [ upstream commit d834b39aad98fe3b501706e9e8a74236ec9468d6 ] instead of running the reconciliation logic for each event received by the egress gateway manager, switch to a trigger based approach where each event simply triggers a reconciliation, and the actual reconciliation is performed at most once every --egress-gateway-reconciliation-trigger-interval time interval. This should help reduce the CPU load in case the manager is dealing with lots of events (for example high churn of endpoints) Signed-off-by: Gilberto Bertin <jibi@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
5faabf5 replace cilium/customvet by cilium/linters [ upstream commit 41c41747df33abb84260e45edc12c6c64277da28 ] The cilium/customvet repository is now archived and replaced by cilium/linters. backporting conflicts: * had to rerun go mod tidy && go mod vendor Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
e0adcc3 Fix endpoint slice filtering when talking to Kubernetes [ upstream commit 0790d0ff9a21c7533bab94a02481655f2c1c7cd6 ] This fixes the filtering of endpoint slices to ensure that we support all the k8s versions we intend to. This ensures that we always filter out endpoint slices with the well-known "headless" label, and _do not_ filter out any endpoint slices based on the service proxy label. In pre-v1.20 Kubernetes, the labels on a service were not mirrored into the labels of the endpoint slice. The headless label was not applied. See PR 94443 in kubernetes/kubernetes for more info. When no longer supporting Kubernetes v1.20, we can remove this custom logic and use the same label filter for endpoints, services and endpoint slices. Historically, we had no filters on the endpoint slice objects, but with the two referred commits, the same filter we had for endpoints and services was introduced to endpoint slices as part of the refactor. The reason we don't revert the behavior directly is that we _do want_ to filter out endpoint slices for headless services, like we do with normal endpoints. For completeness, the end user behavior will now be equal for both endpoints and endpoint slices, since we will always filter the services in the same way, and when we get an endpoint slice without a corresponding service in state, we effectively ignore that endpoint slice. Fixes: ca3a4df01023 ("k8s: Add Resource[*Endpoints] to shared resources") Fixes: 82a728aa1780 ("agent, operator, clustermesh-apiserver: use Resource[*Endpoints]") Signed-off-by: Odin Ugedal <ougedal@palantir.com> Signed-off-by: Odin Ugedal <odin@uged.al> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
f17a630 make: rework kind-install-cilium-clustermesh for Cilium CLI Helm mode [ upstream commit c25b96dac4ad9017747bea84eb1173fa821a1130 ] Cilium CLI v0.15 leverages the Helm-based installation mode by default, and it is the one which supports Cilium v1.14 and above. Let's adapt the kind-install-cilium-clustermesh Makefile target to work properly with it. While being there, let's also add the possibility to enable kvstoremesh if the dedicated variable is set. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
9f2acc8 reduce network policy parallelism to avoid starving the runner [ upstream commit 08196fe0bac19a03b725602ee1d26e93f15d373d ] GitHub runners do not have enough resources to deal with the network policy test that runs multiple pods in parallel, and it may happen that the tests get stuck and start to time out, causing flakiness on the CI. Signed-off-by: Antonio Ojea <aojea@google.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
b835808 disable legacy network policy tests (deprecated) [ upstream commit 718d774e75d3c5f6c97bd5481077fec93dd11f95 ] Signed-off-by: Antonio Ojea <aojea@google.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
de4adf1 docs: remove no-longer-valid known policy issue [ upstream commit d242b88db2eab4ca89a8c8712ac79ecc39e4ebb8 ] This issue was resolved and the fix shipped in v1.13.3. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
1e99bf6 hubble: Optimize namespace tracking [ upstream commit 941093222b456bb0f2bf1af4aa19010bbd1d744b ] Avoiding the use of varargs saves some allocations. Before:

```
Benchmark_TrackNamespaces-12 5122684 231.8 ns/op 192 B/op 6 allocs/op
```

After:

```
Benchmark_TrackNamespaces-12 6114062 187.9 ns/op 168 B/op 4 allocs/op
```

Signed-off-by: Glib Smaga <code@gsmaga.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
34de200 clustermesh: correctly propagate remote cluster validation errors [ upstream commit 856e3f88650d559482cd7941ecd0ec357b8edfd2 ] This commit fixes the propagation of the possible error which can be returned by `rc.Run()` (e.g., if the validation of the cluster ID failed). This ensures that the controller registers the failure and performs another attempt. Fixes: 019eac8fb0fe ("clustermesh: correctly report status of remote cluster controller") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
050c9cf daemon: fix issue where IPAM options in custom CNI confs were ignored [ upstream commit afbac04be5ffd48b49ce5f96473b4cc69f64b5f6 ] As part of a CNI refactor, a bug was introduced where node-specific IPAM overrides were no longer being loaded. Specifically, the parsed network configuration wasn't properly being passed down to the NodeDiscovery manager. Fixes: #26731 Fixes: 1254bf403f Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
723cd50 helm,docs: Add client rate limit helm values [ upstream commit e2f475dfd088af34559657f09a77fc6937f431d6 ] This commit adds the helm values for the client rate limit feature. This makes it easier for users to tune the client rate limit which is necessary for L2 announcements to work properly. Added warnings about client rate limits and sizing instructions to the L2 announcements documentation. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
11e5f59 bpf: nodeport: only set outer src IP for tunnel encap in XDP [ upstream commit 5e1139d09b2da79d57a95f99b62dcf03549a83cb ] As part of introducing native tunnel support for XDP, we started passing a `src_ip` parameter to `__encap_with_nodeid()`. This was needed to manually build the packet's outer headers. But for TC context we actually don't want to specify the outer src IP, and defer its selection to the kernel stack instead. Worse, specifying the outer src IP means that the skb implementation for `ctx_set_encap_info()` starts to use the `local_ipv4` field in the `bpf_tunnel_key`. And that's not supported on older kernels, resulting in drops. Fix this by only setting the `src_ip` parameter in XDP context. Reported-by: Yusuke Suzuki <yusuke-suzuki@cybozu.co.jp> Fixes: 43dffb298173 ("bpf: encap: manually set src IP and port from nodeport XDP paths") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
8becfb5 docs: Update Go Extension docs [ upstream commit 3b979b73fe8554d2cde3ab0f5032e551321e01cf ] This is to make sure that the related docs are pointing to the cilium/proxy repo. Relates: https://github.com/cilium/cilium/pull/26101 Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 14 July 2023, 13:55:30 UTC
3bb64b8 policy: Editorial corrections [ upstream commit 4547c0ad6874a0346281c4941f0f7a8bffc0b0d4 ] Comment corrections for readability and camel-casing a local variable. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
299b07c policy: Do not merge mapstate entries when they are deeply equal [ upstream commit 78b91bc46bfb13b76044afe140920d6ba63e9bd4 ] Merging of deeply equal map state entries is not necessary, and it is clearer to skip the merge in this case. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
82d0c2e policy: Refactor toMapState arguments [ upstream commit 82203d839b7f4467bb6f6ddbbcbfbbfacc56e8c5 ] Simplify code by grouping change tracking arguments to a single "changes" argument. Change location of "identities" argument in mapstate functions to be more consistent with 'toMapState'. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
73dae67 policy: Use addKeysWithChanges in AddVisibilityKeys [ upstream commit cb50a885f7ca86115ff8bb4522fcde0b4b5a492b ] Use addKeysWithChanges in AddVisibilityKeys instead of directly manipulating the maps to keep track of changes in a uniform fashion. Also record changes when adding dependents to existing keys. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
71a607f policy: Inline selectorPolicy.L4Policy [ upstream commit 7877f35e64f719c4c2a5e57218413fae695829be ] There is no reason selectorPolicy.L4Policy needs to be a pointer as we can initialize an empty L4Policy for it. Refactor by inlining L4Policy instead of pointing to it, as this simplifies code by removing the need for pointer nil checks. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
f1b70ba policy: Apply authentication from more general rules to more specific ones [ upstream commit b2018215ae69f4e8f9f6db50ab20890bf315da46 ] Apply authentication policy from more general rules to more specific rules, unless explicitly specified. Restructure addKeyWithChanges to make it easier to understand: - if an old entry exists, the new one is merged to it, honoring the precedence rules for deny, proxy redirection, and auth type. - new entries get their own containers for owners, dependents, and DerivedFromRules so that each entry in MapState has separate containers. This was already the case previously, but the code was hard to reason about. redirectPreferredInsertWithChanges() is no longer needed as a separate function, as addKeyWithChanges now follows the same logic, but instead of simply overriding the old entry with the new one, considers the precedence rules for deny, proxy redirect and auth type. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
a03445f policy: Handle l4-only covering l3l4 rules explicitly [ upstream commit 8e3cf49f8becff8821c2836211db3f5fc14b9db5 ] When considering if an l3l4 rule can be skipped due to an l4-only (wildcard L3) rule on the same filter we must also consider the auth types of both rules. More specifically, the l3l4 rule must be pushed to the datapath if it has an authentication policy while the l4-only rule does not, or if both have different auth policies. This opens up a possibility that due to this auth type discrepancy the redirect status of the l4-only rule must be explicitly applied to the l3l4 rule, as the l3l4 rule can no longer be skipped in all cases. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
1ac15cd policy: return hasAuthType from GetAuthType [ upstream commit 59e7981947bcfbece2ad73250e72205cc7595854 ] Make GetAuthType return both whether the auth type is explicitly present, and the auth type itself. This becomes necessary when considering if the auth type of a more generic entry should override the one in a more specific entry in future. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
356314b policy: Fix PerSelectorPolicy.Equal [ upstream commit 8be4aefbfb0eb9fd118407d1daa2947337922363 ] The receiver of an autogenerated DeepEqual function cannot be nil, so we must check for it explicitly. Generated api.Authentication.DeepEqual returns false whenever 'other' is nil, even if the receiver is also nil. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
376e413 policy: Simplify logic in addKeyWithChanges() [ upstream commit c018ac856063fa5ecc961977649abd5f562abdbb ] Restructure addKeyWithChanges to make it easier to understand: - if an old entry exists, the new one is merged to it, honoring the precedence rules for deny, proxy redirection, and auth type. - new entries get their own containers for owners, dependents, and DerivedFromRules so that each entry in MapState has separate containers. This was already the case previously, but the code was hard to reason about. - when storing old values for reverting, clone containers so any further changes in the values in the map will not change the stored old values. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
c19d41e policy: Merge DerivedFromRules when merging map state entries [ upstream commit 807919b2c765c3f821cf2750816ea1710ae22aea ] Keep track of all contributing rules' labels in merged map state entries. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
435dc8c labels: Export MergeSorted, sort in place [ upstream commit 0d188c2451dd391f9d83873e6d3dc1629d7e9e6e ] Export MergeSorted and make it more efficient by adding entries to the receiver as needed. Use MergeSorted in policy where it is known that the LabelArrayLists are in sorted order already. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
6795994 policy: Track policy features [ upstream commit 33bc74550cf43bf9347f8f80033712b1b12719b7 ] Track policy features in use across all PortRules in a given traffic direction, and skip policy computations not needed when specific features are not in use. This is needed as processing deny rules involves scanning all MapState entries for each new entry (O(N^2)), which can be skipped when there are no deny rules in the policy. This will also be used for Authentication policy processing for the same reason, so that if Authentication is not used, there is no additional CPU overhead. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
76eb31a policy: Add UpdateRedirects() [ upstream commit 1b577eb9069a5918474921493200326050eeff5c ] Add EndpointPolicy.UpdateRedirects() to keep more of the policy internals within the policy package. Rename GetLabels to GetLabelsLocked and note in the implementations that the lock of the implementing object is held when it is called. Make ToMapState non-exported, and simplify callers now that they are all in the policy package. Rename computeDesiredL4PolicyMapEntries and computeDirectionL4PolicyMapEntries to 'toMapState' for their respective receivers, as they do the same function and eventually call the L4Filter.toMapState. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
a2c4e26 policy: Add L4DirectionPolicy [ upstream commit 4ee2124c267d58a8f630fa455576f8adb0fa6050 ] Add L4DirectionPolicy containing the L4PolicyMap, so that additional fields can be added in later commits. This should be a pure refactor without functional changes. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
1ab7da2 policy: Streamline ToMapState() use [ upstream commit 569074d92c3522523ac6bc3a37c57da7c20a6599 ] Users of ToMapState() combine the results from a single-filter ToMapState call to a policy-wide MapState using DenyPreferredInsert, which causes the heavy logic needed for giving preference to deny entries to be computed at least twice per entry, once within ToMapState, and then again in the caller. Since DenyPreferredInsert may add new entries, the 2nd round may actually involve more entries than the first. Change the ToMapState to match its current use by: - take the final map where entries are to be added as a parameter to avoid the need for an intermediate return MapState - take in a filter function so that the caller may update an entry without iterating over the mapstate again (e.g., replace temporary proxy port with the actual proxy port), and the caller has the option to skip adding the entry by returning 'false'. - take Keys arguments for 'adds' and 'deletes' that are passed to DenyPreferredInsertWithChanges(). This change reduces the computational cost of policy updates, and makes it easier to reason about the MapState processed with DenyPreferredInsertWithChanges, now that it is done in a single pass, rather than multiple passes like before. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
bd165d4 endpoint: Use RevertChanges for visibility redirects too [ upstream commit 2d8fbce011f24e4c21a0eaa2c68404d2f99cac4c ] Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
40e6316 endpoint: Do not override deny entries with proxy redirects [ upstream commit 8aa89ef7088108fe7c5dfdb482ee57fb4ee02d25 ] Use DenyPreferredInsert instead of directly manipulating policy map state to make sure deny entries are not overridden by new proxy redirect entries. Prior to this fix it was possible for a proxy redirect to be pushed onto the policy map when it should have been overridden by a deny at least in these cases: - L3-only deny with L3/L4 redirect: No redirect should be added as the L3 is denied - L3-only deny with L4-only redirect: L4-only redirect should be added and an L3/L4 deny should also be added, but the L3/L4 deny is only added by deny preferred insert, and is missed when the map is manipulated directly. A new test case verifies this. It is clear that in the latter case the addition of the redirect can not be completely blocked, so we can't fix this by making AllowsL4 more restrictive. But also in the former case it is possible that the deny rule only covers a subset of security identities, while the redirect rule covers some of the same security identities, but also some more that should not be blocked. Hence the correct fix here is to leave AllowsL4 to be L3-independent, and cover these cases with deny preferred insert instead of adding redirect entries to the map directly. This commit also contains a related change that allows a redirect entry to be updated, maybe with a changed proxy port. I've not seen evidence that this is currently fixing a bug, but it feels like a real possibility. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
f4c4c1b policy: Export DenyPreferredInsertWithChanges, make revertible [ upstream commit 9f52abbfdb6d5570b91fe4c1809e4ac02bc7cc0f ] Export DenyPreferredInsertWithChanges and make it revertible by taking a map of old values as a new optional argument. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 July 2023, 13:28:01 UTC
03bd9bd chore(deps): update hubble cli to v0.12.0 Signed-off-by: renovate[bot] <bot@renovateapp.com> 12 July 2023, 19:30:04 UTC
4ce0c18 chore(deps): update dependency cilium/cilium-cli to v0.15.2 Signed-off-by: renovate[bot] <bot@renovateapp.com> 12 July 2023, 15:39:15 UTC
fc58ee2 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 11 July 2023, 14:41:16 UTC
35465ce chore(deps): update docker.io/library/golang:1.20.5 docker digest to fd9306e Signed-off-by: renovate[bot] <bot@renovateapp.com> 11 July 2023, 14:41:16 UTC
64f4ef7 chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 11 July 2023, 14:21:42 UTC
c124efd chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 11 July 2023, 14:20:38 UTC
41d6025 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 11 July 2023, 11:05:15 UTC
71e3392 chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 0bced47 Signed-off-by: renovate[bot] <bot@renovateapp.com> 11 July 2023, 11:05:15 UTC
2d32db8 bugtool: Added map dump for L2 responder map to bugtool [ upstream commit 93da6ae208449dee363e04a204d3a542bad251f1 ] Currently sysdumps do not contain the L2 responder map dumps. This commit adds these so that we can debug issues with the L2 announcements if they come up in the future. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
56849bd ariane: don't skip verifier and l4lb tests on vendor/ changes [ upstream commit 1f35bafb3d1f754a20374d177a65ed8076ee9486 ] Both of these workflows use binaries that are built in CI making use of various vendored dependencies, so run them as well on PRs only changing vendor/. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
f0146eb .github/workflows: use Helm mode cilium-cli in K8sUpstreamNetConformance [ upstream commit 03bb181d1f8c06f451121014c080a55a58b16074 ] Ref: https://github.com/cilium/cilium-cli#experimental-helm-installation-mode Ref: #25156 Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
a49a373 docs: Add debugging guide for inspecting gops / pprof profiles [ upstream commit d3b3c7a631e43fa6e34861ec2a4a942f99ea6113 ] Document what is already known in the community for debugging CPU bottlenecks and memory leaks within Cilium. Fixes: https://github.com/cilium/cilium/issues/23004 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
5837e56 egressgw: move endpoint.Networking.Addressing check [ upstream commit a1007efd7cfb793422723c86f0862e9677c22b27 ] inside getEndpointMetadata as that's where the rest of the checks for the received CiliumEndpoint event live Signed-off-by: Gilberto Bertin <jibi@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
a98c353 egressgw: retry getIdentityLabels on failure [ upstream commit 9fb24de93ebe34fef773df6fe55420195c4e6d8f ] when the manager fails to resolve the identity of an endpoint to a set of labels, instead of discarding the endpoint update, enqueue the event and retry identity labels resolution following the same exponential backoff logic used by the identity allocator Signed-off-by: Gilberto Bertin <jibi@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
9cce0ac docs: Add LVH section [ upstream commit 16ef64bc65d42ede22b4da8940e7bed263c9b9c3 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
90cb7c1 docs: Add how to run cilium-cli e2e tests locally [ upstream commit cb7f447cc91a2ab66d56d90bc7e650cbb1532425 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
f2fbd41 docs: Add legacy mark to Ginkgo-based e2e page [ upstream commit a33f2344f8a277910316ce8b55b61399c56ef513 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
aedc602 endpointmanager: Remove stale comment for OnUpdateNode [ upstream commit 1bbe80cb7e1fb6c91539145049b57932369eda31 ] Since OnUpdateNode is actually implemented for the endpointmanager, remove the stale comment that said the opposite. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
f129b61 k8s: Add OnAddNode handlers for CiliumNodeUpdater and EndpointManager [ upstream commit 83a90664a09d93134bbd9c5e11a2e848af931b99 ] The k8s Node watcher receives events related to the local node from the Resource[T] framework Events() method. The Resource[T] framework starts a single informer for each type, alongside a workqueue for each new subscriber that calls the Events() method. The workqueue is used to accumulate the keys related to the objects that are added and/or updated. When Store() is called before Events(), the informer is started, but no queue exists to receive the events yet. Only when Events() is called does the framework iterate over all the keys in the store to send the related updates to the new subscriber. Doing that, events like an ADD followed by one or more UPDATEs might be coalesced in a single ADD event carrying the last available version of the object. What this means for the consumers of the NodeChain subscription mechanism is that discarding the ADD events with an empty handler might lead to missing update events too. In order to avoid this, all the NodeChain subscribers like the CiliumNodeUpdater and the EndpointManager should have an ADD handler that mimics what their UPDATE handler is already doing. Fixes: #26082 Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
0c40874 docs: Remove old unsupported Kubernetes versions in testing section [ upstream commit b48c7d456333c72c598d443cf5e4641642eb453b ] Fixes: e6748209b2 ("Update k8s tests and libraries to v1.27.2") Fixes: https://github.com/cilium/cilium/pull/25602 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
7e1e0c2 docs: Update Kubernetes compatibility section with K8s 1.27 [ upstream commit 2141d67b716cda113e6ea1dda812bf346a526da8 ] It was missed in e6748209b2 ("Update k8s tests and libraries to v1.27.2"). Fixes: e6748209b2 ("Update k8s tests and libraries to v1.27.2") Fixes: https://github.com/cilium/cilium/pull/25602 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
d3157ea multi-pool: Document unsupported kvstore mode [ upstream commit 751fc715b94a3caf2565d7e727002545fea1e244 ] This commit adds a check and documentation that kvstore-based identity allocation mode is currently not supported. This is due to #26621. We intend to fix that in Cilium v1.15. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
04f7239 Validate "ownership" of hostPort service being deleted [ upstream commit af4d7619ecada7650f489d92c55b9a91d6317a29 ] This addresses a bug where deleting a completed pod would wind up deleting the service map entry for the corresponding running pod on the same node, due to the hostPort mapping key being the same for the old and the new pod. Ideally we want to validate whether the completed pod "owns" the host port service, before deleting it, thus preventing breakage of host port connectivity for any running pods with the same service as frontend. This commit adds such a validation. Testing - Automated (Control Plane): This fix is captured by a control plane test case that does the following:
1. Create a hostport pod, and terminate its running containers to mark it as "Completed".
2. Create another hostport pod using the same port as the "Completed" pod.
3. Delete the "Completed" pod, and verify that the hostport service has not been deleted in the Datapath.
Manual Testing -
1. Add the GracefulNodeShutdown in the kubelet config on all nodes by modifying the configuration in `/var/lib/kubelet/config.yaml`
```
featureGates:
  GracefulNodeShutdown: true
shutdownGracePeriod: 30s
shutdownGracePeriodCriticalPods: 10s
```
2. Run `sudo systemctl restart kubelet` on each node to apply the kubelet config change
3. Deploy an nginx web server with hostPort set, as well as a nodeSelector, so pods get scheduled on the same node after node restarts.
```
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      nodeSelector:
        kubernetes.io/hostname: <node-name>
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
          hostPort: 8081
```
4. Run `systemctl reboot` on the worker node to restart the machine.
5. After reboot spot the old pod in `Completed` state, while the new pod is `Running`.
```
$ kubectl get pods
NAME                                READY   STATUS      RESTARTS   AGE
nginx-deployment-645797c867-8p2hp   0/1     Completed   0          13m
nginx-deployment-645797c867-dx2m8   1/1     Running     0          4m2s
```
6. `curl nodeIP:hostPort` successfully gets the result.
7. Manually delete the old pod which is in Completed state.
```
$ kubectl delete pod/nginx-deployment-645797c867-8p2hp
```
8. Redo the `curl nodeIP:hostPort`, and successfully get the result again. // hostPort service has been preserved.
Signed-off-by: Yash Shetty <yashshetty@google.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
4a475aa docs: Update the docs for Helm mode Cilium CLI [ upstream commit ba52226fbef42df727a4101d78eeef0f5a5e772c ] - Consistently use the --set flag. - Replace --helm-auto-gen-values with --dry-run-helm-values. - Set kubeProxyReplacement to "true" instead of "strict". - Add a section in the upgrade guide. - Add a warning in cilium-cli installation instructions to highlight that you need to upgrade cilium-cli to v0.15.0 or later. Ref: #26430 Co-authored-by: Marco Iorio <marco.iorio@isovalent.com> Co-authored-by: Ryan Drew <ryan.drew@isovalent.com> Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
ca217f2 service: use DialContext in custom dialer [ upstream commit ad7686241ef0c89df2ad9624174c4f0aff659667 ] Currently, the custom dialer ignores the context it is passed to. Let's switch to using DialContext, so that we properly propagate it. This mimics also the default behavior when no custom dialer is configured [1]. [1] vendor/google.golang.org/grpc/internal/transport/http2_client.go:179 Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
fdb6d1b clustermesh: silence custom dialer failure log messages [ upstream commit a361b2dd06e30ad63a23430e08bde9aef60f3757 ] 9f5a82aba625 ("clustermesh: use custom dialer for service resolution") configured a custom dialer to perform service resolution when the etcd address refers to a local service (mainly in the kvstoremesh case). Yet, the custom dialer function outputs quite verbose log messages, which can be misleading when the address does not point to a local service (as it is correct that the address cannot be parsed). One example being: level=error msg="Unable to parse etcd service URL" error="parse \"172.19.0.2:2379\": first path segment in URL cannot contain colon" Hence, let's silence them, as they do more harm than good in this specific situation. We still print (at debug level) the outcome of the translation, so that we know to whom we are actually connecting. Fixes: 9f5a82aba625 ("clustermesh: use custom dialer for service resolution") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
29f4265 ipam/multipool: wait for restoration before releasing CIDRs [ upstream commit 90cfb2628bb824183902aeef2dd0568d673071b8 ] This fixes a bug where Cilium agent would release CIDRs it considered unused because the endpoints using them weren't restored yet. We fix this by not releasing any CIDRs before endpoint restoration has finished. Co-authored-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Tobias Klauser <tobias@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
58fdea4 bgpv1: Unconditionally select node when empty nodeSelector is given [ upstream commit 8a5f1c62d6ca86dbcc0281f69f07a21487473852 ] The CRD spec of CiliumBGPPeeringPolicy states ``` NodeSelector selects a group of nodes where this BGP Peering Policy applies. If empty / nil this policy applies to all nodes. ``` However, our current implementation treats empty / nil selector as an error. This commit fixes it. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
f4f8039 auth: optimize log output for pending auth [ upstream commit 31592e7ce066c32934fa3faa14d990dcc80f3678 ] This commit optimizes the log output by giving insights when an authentication request is skipped due to a pending auth request. Without this log entry, it might be quite irritating why so many auth requests are logged without further insights. In addition, a log output is added when the pending auth is cleared. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
68a51da Document cilium_host's IPv6 change in upgrade guide [ upstream commit a0366e31668e5683ea167362d19aead2fa82283b ] Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
7c361c0 docs: Adjust KPR GSG to --kpr=boolean changes [ upstream commit 1a4e7d442543b5b09756c5ef2d0a5e68393f1020 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
8584b8c docs: Mention changes of --kpr=boolean in upgrade guide [ upstream commit 2e2fc63ca52eae984a853ecf69a295b8aa11dae8 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
408783f docs: Update cluster mesh instructions [ upstream commit c426dc86007bdde8ddc4b76d25aa67eae683ae33 ] - Only document using the Helm mode. Time to deprecate the classic mode. - Remove "clustermesh enable" and "clustermesh connect" output samples. These outputs might change in the future, and I think output samples from the subsequent "clustermesh status" commands give users enough context to confirm that "clustermesh enable" and "clustermesh connect" commands succeeded. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
1cb004b docs: Update external workloads instructions [ upstream commit b9f467addd9414fa873fe5602fb4b205ae01f2cb ] Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 11 July 2023, 08:45:30 UTC
84e0ed0 chore(deps): update dependency cilium/cilium-cli to v0.15.0 Signed-off-by: renovate[bot] <bot@renovateapp.com> 10 July 2023, 14:16:19 UTC
60ab9a9 loader: check enabled L7 proxy via config property [ upstream commit c6aff5c2e568297c80197b406f3f9bd6ba4a5d03 ] Currently, the check whether l7 proxy functionality is enabled is based on whether the passed proxy reference is `nil` or not. Due to Go's nil-handling on interfaces, this results in calls to `proxy.ReinstallRules` even though l7 proxy functionality isn't enabled. Therefore, this commit changes the check towards checking the config property. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
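The typed-nil pitfall this commit describes, as an added Go example that is not Cilium's code: a disabled proxy returned as a nil `*envoyProxy` becomes a non-nil `Proxy` interface value, so a `proxy != nil` check still calls `ReinstallRules`, while checking the config property does not. The names `Proxy`, `envoyProxy`, `Config` and `EnableL7Proxy` are assumed for illustration only.

```go
package main

import "fmt"

// Proxy stands in for the L7 proxy interface the loader holds (hypothetical name).
type Proxy interface {
	ReinstallRules() error
}

// envoyProxy is a concrete implementation (hypothetical name); a nil *envoyProxy
// is still a valid value of this pointer type.
type envoyProxy struct{}

// ReinstallRules guards against a nil receiver so the bug surfaces as an error
// rather than a panic.
func (p *envoyProxy) ReinstallRules() error {
	if p == nil {
		return fmt.Errorf("ReinstallRules called on a nil proxy")
	}
	return nil
}

// Config models the agent option the commit checks instead of the pointer
// (field name EnableL7Proxy is assumed).
type Config struct {
	EnableL7Proxy bool
}

// newProxy returns a typed nil pointer when the proxy is disabled. Storing that
// pointer in a Proxy interface yields an interface value whose dynamic type is
// *envoyProxy and whose value is nil: it is NOT == nil.
func newProxy(cfg Config) *envoyProxy {
	if !cfg.EnableL7Proxy {
		return nil
	}
	return &envoyProxy{}
}

// shouldReinstallByNilCheck reproduces the pre-fix check: comparing the interface
// against nil, which treats a typed nil as "proxy enabled".
func shouldReinstallByNilCheck(p Proxy) bool {
	return p != nil
}

// shouldReinstallByConfig is the post-fix check: consult the config property.
func shouldReinstallByConfig(cfg Config) bool {
	return cfg.EnableL7Proxy
}

func main() {
	cfg := Config{EnableL7Proxy: false}
	var p Proxy = newProxy(cfg) // typed nil stored in an interface

	fmt.Println("nil check says enabled:", shouldReinstallByNilCheck(p)) // true (the bug)
	fmt.Println("config says enabled:   ", shouldReinstallByConfig(cfg)) // false
	if shouldReinstallByNilCheck(p) {
		fmt.Println("unexpected call:", p.ReinstallRules())
	}
}
```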
904138e auth: use NodeManager instead of k8s.CiliumNodeResource in auth gc [ upstream commit f3f9971f05bdac0e78a5ecee62b5c903730ff5c3 ] Auth map garbage collection is using the k8s.CiliumNodeResource to get notified about added and deleted nodes. This comes with the drawback of not supporting ClusterMesh and introducing an additional k8s watcher for CiliumNodes (as long as the NodeManager is using the legacy k8s watcher). Therefore, this commit is refactoring the auth map garbage collection to register itself as NodeHandler to the NodeManager to get notified about node events. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
f92a0ce Add flag to enforce mTLS on hubble relay clients [ upstream commit 15db6297a41cb41ec7ba366614f642b38beec948 ] Fixes: #24265 Signed-off-by: Marek Chodor <mchodor@google.com> Co-authored-by: ZSC <zacharysarah@users.noreply.github.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
0f673f8 doc: Documented incompatibility of EgressGW and kvstore [ upstream commit dcc0a0ea6b3f8195edb4c6ba2182c69291d2949b ] Signed-off-by: Philip Schmid <philip.schmid@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
422426b bgpv1: Use max int32 as max value for ConnectRetryTimeSeconds [ upstream commit c4dc46c2ee5499a0cbfb9b46ad29ccdb2659106b ] ConnectRetryTime is not negotiated with the peer and therefore there is no strict protocol limit for it. Internally, GoBGP uses int type to manage this timeout. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
4533d73 bgpv1: set upper limits to BGP timers and GR restart time in BGP CRD [ upstream commit 907537c0617dc18636a9485e82579426275c3f83 ] BGP holdtime is a 16-bit unsigned int and GR restart time is 12 bits. Setting this limit in cilium BGP CRDs, so configuration can be validated at the API layer. Signed-off-by: harsimran pabla <hpabla@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
3310f69 bpf: dsr: fix IPIP health-encap on older kernels [ upstream commit bb0126fdafcf959626d25de4f0c013fea13806a1 ] 87855a957541 ("bpf: Set outer source IP to pod IP") added a field for the source IP to the `bpf_tunnel_key` struct. But as this isn't supported on older kernels, we need to reduce the key length for the IPIP health path's usage of ctx_set_tunnel_key(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
d3dedba docs: Add L2 Pod Announcements docs [ upstream commit c068a443049b5dedb34608069df4b1721b1e4669 ] Add some brief documentation about the L2 Pod Announcements feature to the existing L2 Announcements docs page, as the features are very similar. Signed-off-by: Mark Pashmfouroush <mark@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
885836b docs: update KPR section on DSR [ upstream commit 780c6971a1edc4dae69ae9d380a8205698d6b536 ] Rephrase the DSR section to clarify the differences between the two dispatch mechanisms (IP option/extension, or Geneve option). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
7e92830 Documentation/community: add multi-pool IPAM to list of beta features [ upstream commit cc6310cda1545f720795c847042992996c268fe0 ] Multi-pool IPAM was added during the 1.14 release cycle and is currently considered a beta feature. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
a6a9486 docs: Multi-Pool IPAM now partially supports iptables-based NAT [ upstream commit 970f881388ece97ec350147b4159658469b35627 ] With #26397 merged, iptables-based masquerading can now be used together with Multi-Pool IPAM, as long as `egressMasqueradeInterfaces` is set too. This commit adjusts the documentation to reflect that and improves the wording of that section a bit. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
7a7add4 docs: Istio docs fix sidecar inject method [ upstream commit 119c85af84a8de069a12f8da01156f3266206f63 ] Turns out `istioctl kube-inject` does not work with URLs, so this commit changes how the sidecars are injected in the demo application example. Signed-off-by: Michael Kashin <michael.kashin@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
eee404b vendor: Update go-restful [ upstream commit 1cb6bc7dad7d130c21b892914abcbfdf20dc5421 ] This resolves a high severity vulnerability reported by Prisma Cloud. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
744e3fb bpf: nodeport: provide L4 ports for SNAT in LB egress path [ upstream commit e8fa91ddbc1a54d22baa7320e60ba96b560b870e ] For LB traffic that gets forwarded to a remote backend in non-DSR mode, tail_nodeport_nat_egress_ipv*() calls snat_v*_nat() to perform SNAT on the packet. Under the covers, this extracts a fresh CT tuple to look up / build a SNAT entry. But for LB traffic we don't require any of the ICMP handling in that code path, and we already extract a CT tuple for building tunnel headers in XDP mode. So we can optimize this code path, and provide a fully populated CT tuple to the SNAT helper. One additional benefit is that we fix handling for fragmented IPv4 packets, as lb4_extract_tuple() knows how to extract their L4 ports while snat_v4_nat() doesn't. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
6cb40d4 bpf: Replace deprecated "-target bpf" with "--target=bpf" for clang [ upstream commit dff7aa1288febbba7eab15c7553cb4880806b1fc ] Passing the target to clang with "-target <name>" has been considered deprecated since clang 3.4 [0], released in 2013, in favour of the more recent syntax "--target=<name>". Let's update our code and documentation to use the recommended syntax. This replicates a similar patch submitted to the Linux kernel [1]. [0] https://github.com/llvm/llvm-project/commit/274b6f0c87a6a1798de0a68135afc7f95def6277 [1] https://lore.kernel.org/all/20230624001856.1903733-1-maskray@google.com/ Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
f72f60b auth: cleanup auth module [ upstream commit 28de75d593eb87f75fa66d2fc31f8cfaf2877567 ] This commit cleans up the auth module. * improve comments * renamed newAuthManager -> registerAuthManager * grouped params in authManagerParams * rename gc job names * split registration into instantiation & job/lifecycle registration sections Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
47a6233 auth: dedicated auth map gc test case per type [ upstream commit d7b96fd5e32f4be26956ccf4c1a139a5ad99d77f ] This commit separates the existing auth map gc tests into multiple tests per "type" * identities * nodes * policies * expiration Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
0310e51 auth: fix cleanup expired auth entries log message [ upstream commit ea0514b7be0aee8572cfaf8732a0569804395919 ] Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
981746b auth: combine auth map gcs [ upstream commit 443e98c057ff1cd081ce4ace046e5a9baf95a7f6 ] This commit combines the different timer based auth map gc jobs into a single job. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
4e0cea5 auth: delete nodes related auth map entries in gc job [ upstream commit a35e88423ab7780a708a4b61e93a0775d4502a12 ] Currently, auth map entries related to a deleted node are immediately deleted when the event has been received. To prevent events from resulting in errors, the events should no longer delete auth map entries. Therefore, this commit refactors the code so that the deletion information is stored within the garbage collector, and the actual garbage collection run uses this information to clean up the map. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
938360a auth: reordered garbage collector [ upstream commit e992ff23a2d0b7c7e7099e0d77af92aa5814a69f ] This commit reorders the functions within the garbage collector. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC
21a61f6 auth: delete identity related auth map entries in gc job [ upstream commit 4258ae3dbf3634fba047afeab929f91c51e33a17 ] Currently, auth map entries related to a deleted cilium identity are immediately deleted when the event has been received. The actual deletion might result in errors, which can no longer be reported back to the IdentityAllocator which emits the events. To prevent events from resulting in errors, the events should no longer delete auth map entries. Therefore, this commit refactors the code so that the deletion information is stored within the garbage collector, and the actual garbage collection run uses this information to clean up the map. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 July 2023, 09:58:54 UTC