https://github.com/cilium/cilium

Revision Author Date Message Commit Date
6c8db75 Prepare for release v1.14.0-snapshot.4 Signed-off-by: Joe Stringer <joe@cilium.io> 16 June 2023, 20:14:39 UTC
c8cdadc Update AUTHORS for recent contributors Signed-off-by: Joe Stringer <joe@cilium.io> 16 June 2023, 20:14:39 UTC
7519783 docs: Fix formatting for check-crd-compat script This script was generating an improperly formatted table due to the longer release names recently, X.Y.Z-snapshot.N. Fix it. Signed-off-by: Joe Stringer <joe@cilium.io> 16 June 2023, 20:14:39 UTC
0aa6853 "Security Implications" section in "Layer 7 Protocol Visibility" doc Co-authored-by: Ioannis Androulidakis <androulidakis.ioannis@gmail.com> Signed-off-by: ChrsMark <chrismarkou92@gmail.com> 16 June 2023, 18:24:39 UTC
9f2b011 Add support for --hubble-redact=http-url-query Co-authored-by: Ioannis Androulidakis <androulidakis.ioannis@gmail.com> Signed-off-by: ChrsMark <chrismarkou92@gmail.com> 16 June 2023, 18:24:39 UTC
d710a08 Fix decodeHTTP to avoid accesslog mutation on URL's password redact Co-authored-by: Ioannis Androulidakis <androulidakis.ioannis@gmail.com> Signed-off-by: ChrsMark <chrismarkou92@gmail.com> 16 June 2023, 18:24:39 UTC
766e62b clustermesh: Introduce ClusterID reservation mechanism Currently, the ClusterIDs for each remoteClusters are managed by each remote cluster controllers with rc.config. This makes it very hard to control the access to the ClusterIDs. For example, when we have a new remote cluster connection and receive a new cluster config, we need to ensure the new ClusterID is not used by other remote cluster controller. To ensure that, we need to iterate over all remoteCluster objects and also access the rc.config which may be changed over time depending on each remote cluster's connection state. Every time the remoteCluster controller starts to use a new ClusterID, it "reserves" the ClusterID from a central registry. By correctly performing mutex for this reservation, we can guarantee that no one else uses the reserved ClusterID. So that after the reservation, each remoteCluster controller can exclusively access the corresponding CT/SNAT per-cluster map slots. This can also replace the complicated canConnect() validation with ClusterID reservation. Instead of iterating over all clusters and checking ClusterID uniqueness, we can simply try to reserve the ID and if it fails, reject a new connection. Once the remote cluster controller finishes using the ClusterID, it cleans up any resources bound to the ClusterID (e.g. per-cluster maps) and "releases" the ClusterID. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 16 June 2023, 16:12:00 UTC
627f518 Documentation: include bgp cli commands in bgp-cp documentation Added CLI section in bgp control plane document. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 16 June 2023, 15:41:43 UTC
bc8f580 l2announcer: Fix panic when service labels are nil There are scenarios in which the labels fields of a service object returns `nil` instead of an empty map. When this happens a panic is triggered, so we have to check for that and init the map if it is `nil` Fixes: #26163 Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 16 June 2023, 15:32:26 UTC
d1b6815 fix(deps): update module github.com/docker/docker to v24 Signed-off-by: renovate[bot] <bot@renovateapp.com> 16 June 2023, 15:12:59 UTC
d6fe7de renovate: exclude github.com/{cilium,vishvananda}/netlink The netlink library was switched to a custom fork in commit 142c7c817baa ("vendor: Update vishvananda/netlink/") and updated in commit eb6bf8671f98 ("vendor: Update vishvananda/netlink/"). Avoid accidentally updating this dependency, so exclude the module from being updated until we switch back to the upstream version. Signed-off-by: Tobias Klauser <tobias@cilium.io> 16 June 2023, 15:10:54 UTC
f2e0274 Docs: Update BGP docs to reflect CRD consolidation Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 16 June 2023, 14:25:05 UTC
d722d51 .github/workflows: let renovate update kind Add required renovate annotations such that kind_version will be updated automatically in GH action workflows. Signed-off-by: Tobias Klauser <tobias@cilium.io> 16 June 2023, 14:18:09 UTC
dd06feb resources,metrics: Add metrics to resources This commit makes the pkg/k8s/resources emit the same metrics as their k8s watcher counterparts. The only difference is that due to the asynchronous nature of resource consumers, we are not able to track when all consumers have processed the same event, thus we increment the processed event metric for every consumer. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 16 June 2023, 14:01:03 UTC
b76bcd8 docs: remove clustermesh-apiserver gops port from system requirements clustermesh-apiserver runs in pod network, hence there is no risk of port conflicts with services running on the underlying nodes. Hence, let's remove its gops port from the system requirements table. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 June 2023, 13:44:33 UTC
277ba6f images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 16 June 2023, 13:43:25 UTC
a21eaf4 Documentation: remove references to cilium-iproute2 See previous commit, a custom version of iproute2 is no longer required to run Cilium, and we no longer ship it in the official container images. Signed-off-by: Timo Beckers <timo@isovalent.com> 16 June 2023, 13:43:25 UTC
57274b6 images: remove dependency on cilium/iproute2 fork As of Cilium 1.14, it no longer uses the ip command to load BPF programs into the kernel. This means we no longer need to maintain our patches on top of iproute2 and we no longer depend on a custom build in order for Cilium to run. Signed-off-by: Timo Beckers <timo@isovalent.com> 16 June 2023, 13:43:25 UTC
550c8fc images: point to dev documentation when runtime/builder images outdated Also fix a typo in runtime/builder image anchor. Signed-off-by: Timo Beckers <timo@isovalent.com> 16 June 2023, 13:43:25 UTC
92a148d contrib: remove ansible directory This has been unmaintained for years and depends on llvm7, which is unlikely to work with current versions of Cilium. Remove from the repository. Signed-off-by: Timo Beckers <timo@isovalent.com> 16 June 2023, 13:43:25 UTC
310a8ed Ignore updating client-go fork in renovate dependencies Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 16 June 2023, 13:11:50 UTC
143738e .github: rebuild ginkgo tests in case of cache miss When a test is re-triggered after a long period of time, the test binary might already have been deleted from the GitHub cache. If we hit a cache miss we should rebuild the binary so that the test can continue to be executed. Signed-off-by: André Martins <andre@cilium.io> 16 June 2023, 13:07:22 UTC
ee0ce3c auth: policy based auth map GC Until now, auth map entries were garbage collected based on the following criteria: * related identity has been deleted * related node has been deleted * entry has expired The initial goal was that expiration will cover the case where a policy is no longer enforcing authentication. But the introduction of re-authentication (#25927) changed this, because the entries would have re-authenticated "forever" (until identity or node would have been deleted). Therefore, this commit introduces some rudimentary garbage collection based on policies by periodically checking whether a policy is still enforcing authentication between two identities. If not, the auth map entry gets deleted. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 16 June 2023, 12:36:00 UTC
d7e1ceb cilium: Improve feature probing for IPv6 BIG TCP With IPv6 BIG TCP the IFLA_TSO_MAX_SIZE and IFLA_TSO_MAX_SEGS attributes got added. So we better check on non-zero TSOMaxSize since only this one got added in 5.19. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/netdev/20220513183408.686447-2-eric.dumazet@gmail.com/ 16 June 2023, 12:11:31 UTC
eb6bf86 vendor: Update vishvananda/netlink/ Update vishvananda/netlink in order to support getting IFLA_TSO_MAX_SIZE and IFLA_TSO_MAX_SEGS. Used the following series of commands: go mod edit -replace github.com/vishvananda/netlink=github.com/cilium/netlink@main go mod tidy go mod vendor git add vendor/ go.mod go.sum && git commit -sa Currently pointing to our local repo as an unrelated commit in vishvananda/netlink triggers a regression on Cilium side and given the below linked PR is not yet merged upstream. Eventually, we can move back vishvananda/netlink. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://github.com/vishvananda/netlink/pull/880 16 June 2023, 12:11:31 UTC
f7553a2 chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 16 June 2023, 11:27:51 UTC
48094e7 bpf: Use "fallthrough;", compile with -Wimplicit-fallthrough We can label intentional fall-throughs and tell clang to report unannotated ones, to catch bugs that would be caused by involuntarily falling through between switch labels. The bug fixed in commit 9a641116021a ("bpf: test: fix pktgen for IPv6 NEXTHDR_DEST option") was found this way. I wasn't able to pin down the exact version that got support for the relevant attribute, but clang 10 has it for sure and it seems to be much older than that, so we don't have to worry and test for its availability. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 16 June 2023, 11:18:28 UTC
ba0b957 bpf: Add missing "break;" in srv6_create_state_entry() Prevent falling through from IPv6 to IPIP when creating SRV6 state entries based on the encapsulated header protocol. Caught by compiling with -Wimplicit-fallthrough. Fixes: bfba74097e81 ("bpf: Handle reply SRv6 traffic") Signed-off-by: Quentin Monnet <quentin@isovalent.com> 16 June 2023, 11:18:28 UTC
3ac7189 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 16 June 2023, 11:12:14 UTC
25458dd chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2a357c4 Signed-off-by: renovate[bot] <bot@renovateapp.com> 16 June 2023, 11:12:14 UTC
c093b81 chore(deps): update docker.io/library/alpine docker tag to v3.18.2 Signed-off-by: renovate[bot] <bot@renovateapp.com> 16 June 2023, 11:11:34 UTC
8374173 fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> 16 June 2023, 11:09:07 UTC
7eb2801 bpf: fib: delay smac selection until fib_do_redirect() has picked the oif fib_do_redirect() potentially takes the `oif` from the fib_params. But we currently don't consider this when selecting the smac. Fix this by delaying the smac selection until we actually need it. Fixes: 5fff05daf9f0 ("bpf,fib: introduce fib_do_redirect function") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 16 June 2023, 10:45:49 UTC
019eac8 clustermesh: correctly report status of remote cluster controller 150de13bd6c6 ("clustermesh: delete stale node/service entries on reconnect/disconnect") and follow-ups changed the behavior of the controller which wraps the logic used to connect to the kvstore in a remote cluster. More specifically, we previously used to return from the controller DoFunc after completing the setup process (while executing in background the actual synchronization tasks). With that commit, instead, we don't return until the context is closed (which means that the connection needed to be restarted/stopped). While this simplifies the implementation of the cleanup logic, the change turned out to cause issues in the controller health reporting logic. In particular, given that we don't return on success, a previous failure is never cleared out. Which means incorrect metrics and status reporting through the `cilium status` commands. This commit fixes this issue reworking the logic so that we return from the controller DoFunc as soon as the initialization tasks completed, while executing the long running logic in background. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 June 2023, 10:13:24 UTC
bd53860 kvstoremesh: add helm configuration This commit extends the helm chart to allow configuring kvstoremesh. In particular, the clustermesh-apiserver deployment is enriched with the additional kvstoremesh sidecar container (when kvstoremesh is enabled), appropriately mounting the secret containing the remote kvstore configurations. Additionally, the configuration used by the agents is modified to connect to the local kvstore instance (through the corresponding service) instead of the remote ones. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 June 2023, 10:07:20 UTC
c7a5fcd clustermesh: enable apiserver metrics by default in the Helm chart The clustermesh-apiserver runs in pod network, hence there's no shortcoming in enabling those metrics by default. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 June 2023, 10:07:20 UTC
654e7a9 clustermesh: add service name to server certificate DNS names Add the `clustermesh-apiserver.{namespace}.svc` DNS name to the clustermesh-apiserver etcd certificate, so that the secure connection can be successfully established when connecting to the local etcd instance through the service, rather than to a remote one through the corresponding LB/NodePort service or an external DNS name. This is required in particular in the kvstoremesh case. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 June 2023, 10:07:20 UTC
dd37523 helm: address review comments regarding helm value docs Ref. https://github.com/cilium/cilium/pull/26005#pullrequestreview-1475985844 Co-authored-by: Sarah Corleissen <sarah.corleissen@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 16 June 2023, 10:06:43 UTC
c3eb7b0 cilium, test: Lift enableIPv6Masquerade=false Now that we have BPF IPv6 masquerading, lift the restriction that it needs to be disabled specifically. Also remove nodePort.enabled=true as this is redundant with KPR=strict. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 June 2023, 10:06:00 UTC
491aad3 cilium, docs, req: Add BIG TCP kernel requirements Add the IPv4 BIG TCP kernel requirements to the table. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 June 2023, 10:06:00 UTC
3b57d4f cilium, docs, tuning: Add documentation for IPv4 BIG TCP Add documentation for the tuning guide. Also improve the IPv6 section slightly. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 June 2023, 10:06:00 UTC
03e345f cilium, helm: Add IPv4 BIG TCP Add Helm setting for IPv4 BIG TCP (enableIPv4BIGTCP) which defaults to false. Used "make -C install/kubernetes cilium/values.yaml" to autogenerate the values.yaml file. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 June 2023, 10:06:00 UTC
847b7d4 cilium, status: Implement status dump for IPv4 BIG TCP Hook up the status field from agent and client side. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 June 2023, 10:06:00 UTC
70f6753 cilium, openapi: Add generated API code for IPv4 BIG TCP Add generated API code for the status exposure. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 June 2023, 10:06:00 UTC
6b18380 cilium, openapi: Add status field for IPv4 BIG TCP Add status dump field, so that this can be introspected via sysdump. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 June 2023, 10:06:00 UTC
f4046d0 cilium, connector: Wire up IPv4 GRO/GSO max size configuration Extend the veth setup to also configure IPv4 GRO/GSO max size configuration for every new veth for a given Pod. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 June 2023, 10:06:00 UTC
795d071 cilium: IPv4 BIG TCP support Given we have IPv6 BIG TCP support already, lets also support it for IPv4. From the IPv4 BIG TCP work: Different from IPv6, IPv4 tot_len is 16-bit long only, and IPv4 header doesn't have exthdrs(options) for the BIG TCP packets' length. To make it simple, as David and Paolo suggested, we set IPv4 tot_len to 0 to indicate this might be a BIG TCP packet and use skb->len as the real IPv4 total length. This will work safely, as all BIG TCP packets are GSO/GRO packets and processed on the same host as they were created; There is no padding in GSO/GRO packets, and skb->len - network_offset is exactly the IPv4 packet total length; Also, before implementing the feature, all those places that may get iph tot_len from BIG TCP packets are taken care with some new APIs. The device settings are different from IPv6 ones, so we also need to explicitly set them via IFLA_GSO_IPV4_MAX_SIZE and IFLA_GRO_IPV4_MAX_SIZE for all involved devices to take effect. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/netdev/cover.1674921359.git.lucien.xin@gmail.com/ 16 June 2023, 10:06:00 UTC
13d957d cilium, openapi: Add generated API code for IPv4 BIG TCP config Add generated config API code which is needed for the veth connector code to hook up the IPv4 GSO/GRO config from the agent. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 June 2023, 10:06:00 UTC
63ed25c cilium, openapi: Extend config with {GSO,GRO}IPv4MaxSize This is needed later to propagate the information to the CNI plugin. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 June 2023, 10:06:00 UTC
142c7c8 vendor: Update vishvananda/netlink/ Update vishvananda/netlink in order to support setting IFLA_GRO_IPV4_MAX_SIZE and IFLA_GSO_IPV4_MAX_SIZE which is needed for IPv4 BIG TCP. Used the following series of commands: go mod edit -replace github.com/vishvananda/netlink=github.com/cilium/netlink@main go mod tidy go mod vendor git add vendor/ go.mod go.sum && git commit -sa Currently pointing to our local repo as an unrelated commit in vishvananda/netlink triggers a regression on Cilium side. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 16 June 2023, 10:06:00 UTC
54c5d36 policy: Track and return multiple AuthTypes for GetAuthTypes() Track and return multiple AuthTypes for GetAuthTypes(), add multiple auth types to the distillery unit test. While we currently plan to only support Spire AuthType, the policy engine is wired for supporting multiple auth types. Honor this in the new GetAuthTypes() internal API. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 16 June 2023, 10:02:24 UTC
6fd9fc3 policy: Add GetAuthType() Track the required authentication mode for all selected remote identities in a selector policy, and add GetAuthType() that can be used to find out the required authentication mode between a local and remote security identity. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 16 June 2023, 10:02:24 UTC
2dd2fab policy: Cache selector policies in distillery test Use PolicyCache in unit tests. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 16 June 2023, 10:02:24 UTC
6175e23 bpf: xdp: use CT tuple hash for tunnel encap's source port hash_from_tuple_v*() isn't perfect (as it ignores the .daddr), but much better than what we currently have. The one path where we might notice the reduced entropy is in a config with EgressGW and native-routing, when processing EgressGW reply traffic with non-service protocol (ICMP or other exotic types). As here we currently don't extract any L4 ports either. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 16 June 2023, 09:42:19 UTC
21b520e clustermesh-apiserver: don't wait for the presence of unused CRDs Currently, the clustermesh-apiserver waits for the presence of all the CRDs before starting the main logic, way more than the resource types actually used afterwards. This ends up preventing the possibility of running a newer version of the clustermesh-apiserver alongside older versions of cilium/cilium-operator due to newly introduced CRDs. This commit modifies the logic to only wait for the CRDs which are actually used (the new list matches the entries listed in the clustermesh-apiserver cluster role). Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 June 2023, 09:40:17 UTC
8a86a76 chore(deps): update golangci/golangci-lint docker tag to v1.53.3 Signed-off-by: renovate[bot] <bot@renovateapp.com> 16 June 2023, 08:24:20 UTC
aaf4c6b hubble: Remove pod-short metrics context option This option was deprecated in 1.13 release and should be removed in 1.14. Signed-off-by: Anna Kapuscinska <anna@isovalent.com> 16 June 2023, 08:21:54 UTC
14024ef kvstoremesh: temporarily skip the tests as too flaky It seems that the new kvstoremesh tests are badly interacting with the other clustermesh ones (they use a shared etcd instance), causing frequent flakes. Let's disable them for the moment while figuring out how to make them more resilient. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 June 2023, 08:21:19 UTC
e1d8411 clustermesh: delete the entire kvstore key space on test end Let's ensure that all keys are deleted when the clustermesh tests terminate, to prevent affecting the subsequent ones. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 June 2023, 08:21:19 UTC
cf06237 clustermesh: unbreak test Error: pkg/clustermesh/remote_cluster_test.go:155:54: too many arguments in call to newGlobalServiceCache have (string, string) want ("github.com/cilium/cilium/pkg/metrics/metric".Gauge) Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 16 June 2023, 08:21:19 UTC
5cb8a33 bpf: lb: remove redundant reset of key->backend_slot For better or worse, lb*_lookup_service() already does this for us. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 16 June 2023, 08:12:03 UTC
dc5c159 bpf: lb: clean up __lb4_rev_nat() Group all the code together that handles the rewrite for the L4 header. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 16 June 2023, 08:12:03 UTC
c69d8cb bpf: lb: clean up saddr handling in __lb*_rev_nat() As workaround for older kernels, we currently copy the new_saddr from the NAT entry to a temporary stack variable. But with the bump to kernel 4.19 this is no longer needed, we can just access the NAT entry directly. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 16 June 2023, 08:12:03 UTC
be2cb2b metrics: provide the global services metric through the hive This commit extracts the initialization of the global services metric from the global service cache constructor, providing it through `cell.Metric` and propagating it as appropriate. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 June 2023, 03:08:02 UTC
16a5ba1 garp: Switch processor to use cilium EndpointManager Signed-off-by: Mark Pashmfouroush <mark@isovalent.com> 15 June 2023, 23:07:16 UTC
e10961d garp: Announce Pods with Gratuitous ARP This introduces a new feature that advertises Pod IPs on the L2 domain using Gratuitous ARP packets. When enabled, k8s Pod upsert and delete events are processed and GARP packets are sent on the chosen interface, when required. The GARP cell introduced here is what processes the k8s Pod events and maintains an internal state to make sure to only send GARP packets when the Pod is created, or the IP is changed for some reason. Pod deletion events simply erase the entry from the state. There are new agent flags and helm values introduced to enable the feature and to choose which interface to send GARP packets on. Signed-off-by: Mark Pashmfouroush <mark@isovalent.com> 15 June 2023, 23:07:16 UTC
a54fde3 bpf,fib: test fib_do_redirect Add unit tests for the new "fib_do_redirect" function in lib/fib.h. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 15 June 2023, 21:22:40 UTC
cb4b728 bpf,srv6: perform fib lookup after encap An additional FIB lookup must be performed after encapsulation to correctly forward the encapsulated SRv6 packet to the next hop. Introduce a new function `srv6_refib` which performs an additional FIB lookup after the encapsulation has been performed. This function may redirect the egress packet to another interface, rewrite the current DMAC, or simply let the packet transmit on the current native-dev, depending on the result of the subsequent FIB lookup. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 15 June 2023, 21:22:40 UTC
e275bcf bpf,fib: introduce fib_lookup_v4/6 functions Introduce functions for performing fib_lookups independent of any other actions. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 15 June 2023, 21:22:40 UTC
5fff05d bpf,fib: introduce fib_do_redirect function This commit adds a new function, 'fib_do_redirect', to 'lib/fib.h'. This function decouples the 'bpf_redirect' functionality from the 'bpf_fib_lookup' functionality while keeping the existing 'fib_redirect' logic the same. In other words, this function can pickup right after the 'fib_lookup' is performed in 'fib_redirect' and carry out the same exact operations as 'fib_redirect'. This will be used in a subsequent commit to decouple the `bpf_fib_lookup` from the `bpf_redirect`, such that each can be performed independently. This is an addition-only change and amounts to no functional changes in the data path. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 15 June 2023, 21:22:40 UTC
3db8b14 k8s: Use LocalPodResource in pod watcher Now that Resource[*Pod] has been added as a shared resource and it is seeing use from multiple modules, refactor the pod watcher to also use it for the normal case of watching just the local pods. The "handover" case of watching all pods still creates a separate informer, but this should affect a very small set of deployments. Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 15 June 2023, 21:21:45 UTC
240a916 Update stable releases Signed-off-by: Quentin Monnet <quentin@isovalent.com> 15 June 2023, 17:29:41 UTC
8f360b4 ci: default external flags in ConformanceKindEnvoyDaemonSet This commit removes the flags `external-*` from the connectivity tests in ConformanceKindEnvoyDaemonSet. Therefore the defaults are used. This should stabilize the execution of the check on GHA. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 15 June 2023, 17:07:13 UTC
6ff2eac ci: use KPR=strict in ConformanceKindEnvoyDaemonSet This commit changes KPR to strict in check ConformanceKindEnvoyDaemonSet. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 15 June 2023, 17:07:13 UTC
68b3de3 ci: streamline helm-set usage in ConformanceKindEnvoyDaemonSet This commit streamlines the usage of `helm-set` by using a `=` to set the value. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 15 June 2023, 17:07:13 UTC
a3b4a2c ci: update kind in ConformanceKindEnvoyDaemonSet This commit updates the kind version to v0.19.0. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 15 June 2023, 17:07:13 UTC
a6720f1 docs: add upgrade note about deletion of stale entries in clustermesh 150de13bd6c6 ("clustermesh: delete stale node/service entries on reconnect/disconnect"), along with the followup commits targeting ipcache entries and identities modified the cilium agents behavior to automatically clean up stale information after reconnecting to a given remote kvstore. This was needed to fix the issue described in #24740. The behavior differs based on the remote version of the clustermesh-apiserver though. Indeed, newer versions support "sync canaries" to convey that the synchronization from k8s to the kvstore completed, while older ones don't. When sync canaries are not supported, the agents will trigger the deletion of stale entries once the corresponding etcd list operation completed: this might lead to the removal of valid entries if that information had not yet been synchronized from k8s to the kvstore, causing a temporary connectivity disruption (until that is then synchronized and propagated again to the agents). This commit extends the upgrade notes to detail this behavior and the implication. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 15 June 2023, 16:11:48 UTC
9b18e1c clustermesh-apiserver: expose version metric Let's expose the cilium_clustermesh_apiserver_version metric to convey information about the version of the clustermesh-apiserver. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 15 June 2023, 16:11:27 UTC
dae9b22 clustermesh-apiserver: expose goroutine sched latency metrics Let's enable these optional metrics for consistency with the ones enabled in the cilium agent. They allow troubleshooting strange behaviors in severely CPU constrained environments. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 15 June 2023, 16:11:27 UTC
423ce11 docs: add missing information about clustermesh-apiserver metrics This commit extends the documentation with information about clustermesh-apiserver metrics that have been overlooked in previous commits. In particular, it mentions the new metrics in the upgrade guide, and lists the metrics concerning rate limiting in the reference table. Fixes: 7e65ca111baf ("docs: add clustermesh-apiserver metrics") Fixes: 7908f206d066 ("etcd: add max inflight requests to rate limiter") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 15 June 2023, 16:11:27 UTC
c3a9606 clustermesh-apiserver: fix exposed rate limiter metric The "processed requests" metric had been overlooked when selecting the list of rate limiter related metrics to expose by the clustermesh-apiserver. Hence, let's enable it now. Additionally, let's drop the one about the adjustment factor since auto adjustment is disabled. Fixes: 7908f206d066 ("etcd: add max inflight requests to rate limiter") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 15 June 2023, 16:11:27 UTC
9f5a82a clustermesh: use custom dialer for service resolution When kvstoremesh is enabled, the agent connects to the local kvstore, rather than to remote ones. Hence, it targets the corresponding service. Yet, since agents run in host network, service resolution requires that the DNSPolicy is set to ClusterFirstWithHostNet, introducing a dependency on CoreDNS. To prevent this requirement, let's configure a custom dialer responsible for service resolution based on the service cached information. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 15 June 2023, 16:11:00 UTC
e1561c3 clustermesh: add test for remoteCluster.Run() This commit adds a test to ensure that remoteCluster.Run() appropriately sets up the kvstore watchers based on the remote cluster config settings. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 15 June 2023, 16:11:00 UTC
1dac15c clustermesh: enable watching the "cached" identities prefix Currently, the identities entries are stored under the kvstore prefix `cilium/state/identities/v1/id/<identity>` regardless of the configured cluster name. Yet, this is problematic if the same kvstore hosts information concerning multiple clusters, because it is impossible to watch only the entries referring to a single one. This commit adapts the identities watcher logic to use the newly introduced "cached" prefix (`cilium/state/identities/v1/<cluster>/id>`) when retrieving the identities from remote clusters, in case the corresponding capability is set (i.e., it has been created by kvstoremesh). This prevents backward compatibility issues. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 15 June 2023, 16:11:00 UTC
f131e27 clustermesh: enable watching the "cached" ipcache prefix Currently, the ipcache entries are stored under the kvstore key `cilium/state/ip/v1/default/<ip>` regardless of the configured cluster name. Yet, this is problematic if the same kvstore hosts information concerning multiple clusters, because it is impossible to watch only the entries referring to a single one (and there would be conflicts in case of overlapping PodCIDRs). This commit adapts the ipcache watcher logic to use the newly introduced "cached" prefix (i.e., `cilium/cache/ip/v1/<cluster-name>`) when retrieving the entries from remote clusters, in case the corresponding capability is set (i.e., it has been created by kvstoremesh). This prevents backward compatibility issues. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 15 June 2023, 16:11:00 UTC
a3ecf96 clustermesh: enable watching the "cached" node/service prefixes This commit adapts the nodes and services watchers to use the newly introduced "cache" prefixes in case the corresponding capability is set. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 15 June 2023, 16:11:00 UTC
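The key-layout problem the three "cached prefix" commits (1dac15c, f131e27, a3ecf96) describe, shown with ipcache entries as an added example that is not Cilium's code. It uses the two layouts named in the f131e27 message, the legacy shared prefix `cilium/state/ip/v1/default/<ip>` and the per-cluster `cilium/cache/ip/v1/<cluster-name>/<ip>`, and a capability flag to pick between them. The `KVStore`, `ClusterConfig`, the `Cached` field name and the identity strings are constructed assumptions. The example exercises the overlapping-PodCIDR failure mode: under the legacy layout two clusters that both have a pod at 10.0.0.5 overwrite each other's entry in a shared kvstore, and a watcher for cluster-a ends up seeing cluster-b's identity for that IP; under the cached layout each cluster's entries stay separate. Identities, nodes and services follow the same pattern with their own prefixes.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// ClusterConfig is the subset of a remote cluster's configuration that
// matters here. (Assumption: the real config carries more capabilities.)
type ClusterConfig struct {
	Name   string
	Cached bool // entries were written by kvstoremesh under the per-cluster cache prefix
}

// Key layouts as named in the commit message for the ipcache.
const (
	legacyIPCachePrefix = "cilium/state/ip/v1/default/"
	cachedIPCachePrefix = "cilium/cache/ip/v1/"
)

// IPCacheWatchPrefix returns the prefix to watch for a remote cluster's
// ipcache entries: the per-cluster cached prefix when the cluster advertises
// the capability, the legacy shared prefix otherwise (backward compatibility
// with clusters that do not run kvstoremesh).
func IPCacheWatchPrefix(cfg ClusterConfig) string {
	if cfg.Cached {
		return cachedIPCachePrefix + cfg.Name + "/"
	}
	return legacyIPCachePrefix
}

// KVStore is a constructed in-memory stand-in for etcd with prefix listing.
type KVStore struct {
	mu   sync.RWMutex
	data map[string]string
}

func NewKVStore() *KVStore { return &KVStore{data: map[string]string{}} }

func (s *KVStore) Put(key, value string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.data[key] = value
}

// ListPrefix returns key -> value for every key under prefix, which is what a
// prefix watcher observes at its initial sync.
func (s *KVStore) ListPrefix(prefix string) map[string]string {
	s.mu.RLock()
	defer s.mu.RUnlock()
	out := map[string]string{}
	for k, v := range s.data {
		if strings.HasPrefix(k, prefix) {
			out[k] = v
		}
	}
	return out
}

// WriteIPCacheEntry stores the identity for ip as published by cluster cfg,
// using the layout that cluster's capability implies.
func WriteIPCacheEntry(s *KVStore, cfg ClusterConfig, ip, identity string) {
	s.Put(IPCacheWatchPrefix(cfg)+ip, identity)
}

// RemoteEntries returns the ipcache entries a watcher for cfg would observe.
func RemoteEntries(s *KVStore, cfg ClusterConfig) map[string]string {
	return s.ListPrefix(IPCacheWatchPrefix(cfg))
}

func main() {
	for _, cached := range []bool{false, true} {
		s := NewKVStore()
		a := ClusterConfig{Name: "cluster-a", Cached: cached}
		b := ClusterConfig{Name: "cluster-b", Cached: cached}
		// Constructed: both clusters have a pod at 10.0.0.5 (overlapping PodCIDRs).
		WriteIPCacheEntry(s, a, "10.0.0.5", "identity-a")
		WriteIPCacheEntry(s, b, "10.0.0.5", "identity-b")
		fmt.Printf("cached=%-5v watcher for cluster-a sees %v\n", cached, RemoteEntries(s, a))
	}
}
```

The security-relevant consequence is in the legacy case: an identity is what network policy is enforced on, so a shared kvstore with the cluster-agnostic layout lets one cluster's entry replace another's identity for the same IP. The per-cluster prefix makes the watched set, and therefore the policy input, attributable to exactly one cluster.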
a824c71 auth: re-enable node-based auth map gc This commit re-enables the node-based auth map garbage collection which has been temporarily disabled with #26073. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 15 June 2023, 16:10:20 UTC
0ecc1ef auth: replace ipcache.AllocateNodeID with ipcache.GetNodeID Using `ipcache.AllocateNodeID` to lookup the node id for a node IP during auth gc initialisation results in unintended node id allocations if the node ids aren't yet created for the cilium nodes. By using the new method `GetNodeID` we remove this unwanted side-effect. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 15 June 2023, 16:10:20 UTC
9c78f2a node: use RWMutex for linuxNodeHandler GetNodeIP & GetNodeID Until now, a `lock.Mutex` was securing all fields of the linuxNodeHandler. With the introduction of the read-only methods GetNodeIP & GetNodeID, it became useful to replace it with an RWMutex and only lock it for read in these two functions. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 15 June 2023, 16:10:20 UTC
fbd992b node_ids: return 0 for IPv6 in getNodeIDForIP too Currently, when retrieving the node id for an IP, the local node id 0 is only returned if the given IP matches the node's IPv4 - but not IPv6. This commit adds support for IPv6. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 15 June 2023, 16:10:20 UTC
5d08d9c node_ids: re-use fake nodeidhandler in wireguard test Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 15 June 2023, 16:10:20 UTC
e98c65c node_ids: introduce GetNodeID This commit introduces the possibility to retrieve the node id for a given node IP without having to use `AllocateNodeID` which comes with the drawback of actually allocating a new node id if it doesn't exist yet. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 15 June 2023, 16:10:20 UTC
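The node-id handling the five commits above (a824c71 through e98c65c) converge on, as one added example that is not Cilium's `linuxNodeHandler`: a read-only `GetNodeID` under an `RWMutex` read lock that returns id 0 for the local node's IPv4 and IPv6 addresses alike and never allocates, beside the `AllocateNodeID` that does allocate. The `NodeIDHandler` type, the 16-bit id space starting at 1, the `Allocated` helper and the sample addresses are assumptions made for the example; the test proves the property 0ecc1ef depends on, that a lookup during auth GC does not create ids, and also exercises id exhaustion.

```go
package main

import (
	"fmt"
	"net"
	"sync"
)

// NodeIDHandler hands out small integer node ids for node IPs. The local node
// is always id 0. Constructed example; assumptions: a 16-bit id space and
// ids handed out sequentially from 1.
type NodeIDHandler struct {
	mu       sync.RWMutex
	localIPs map[string]struct{} // the local node's IPv4 and IPv6 addresses
	ids      map[string]uint16   // remote node IP -> allocated id
	next     uint16
}

func NewNodeIDHandler(localIPs ...net.IP) *NodeIDHandler {
	h := &NodeIDHandler{localIPs: map[string]struct{}{}, ids: map[string]uint16{}, next: 1}
	for _, ip := range localIPs {
		h.localIPs[ip.String()] = struct{}{}
	}
	return h
}

// getNodeIDForIPLocked is the shared lookup; the caller holds the lock.
// Any local address, IPv4 or IPv6, maps to id 0.
func (h *NodeIDHandler) getNodeIDForIPLocked(ip net.IP) (uint16, bool) {
	if _, local := h.localIPs[ip.String()]; local {
		return 0, true
	}
	id, ok := h.ids[ip.String()]
	return id, ok
}

// GetNodeID looks up the id for ip without allocating one. It returns
// (0, true) for a local address, (id, true) for a known remote node and
// (0, false) when nothing has been allocated yet. Only a read lock is taken,
// so concurrent lookups (for instance from auth map GC) do not serialize
// behind writers.
func (h *NodeIDHandler) GetNodeID(ip net.IP) (uint16, bool) {
	h.mu.RLock()
	defer h.mu.RUnlock()
	return h.getNodeIDForIPLocked(ip)
}

// AllocateNodeID returns the existing id for ip or allocates a fresh one.
// This is the call with a side effect, so it must not be used for
// "is this IP known?" style lookups.
func (h *NodeIDHandler) AllocateNodeID(ip net.IP) (uint16, error) {
	h.mu.Lock()
	defer h.mu.Unlock()
	if id, ok := h.getNodeIDForIPLocked(ip); ok {
		return id, nil
	}
	if h.next == 0 { // next wrapped around: the uint16 space is exhausted
		return 0, fmt.Errorf("no node id left for %s", ip)
	}
	id := h.next
	h.next++
	h.ids[ip.String()] = id
	return id, nil
}

// Allocated reports how many remote node ids exist, so a caller (or a test)
// can prove that GetNodeID is side-effect free.
func (h *NodeIDHandler) Allocated() int {
	h.mu.RLock()
	defer h.mu.RUnlock()
	return len(h.ids)
}

func main() {
	// Constructed addresses (documentation ranges), not a real node.
	h := NewNodeIDHandler(net.ParseIP("192.0.2.1"), net.ParseIP("2001:db8::1"))
	remote := net.ParseIP("198.51.100.7")
	id, ok := h.GetNodeID(remote)
	fmt.Printf("GetNodeID(remote) before allocation: id=%d known=%v allocated=%d\n", id, ok, h.Allocated())
	id, _ = h.AllocateNodeID(remote)
	fmt.Printf("AllocateNodeID(remote): id=%d allocated=%d\n", id, h.Allocated())
	id, ok = h.GetNodeID(net.ParseIP("2001:db8::1"))
	fmt.Printf("GetNodeID(local IPv6): id=%d known=%v\n", id, ok)
}
```

Splitting the lookup out of the allocator is the whole point: a garbage collector that asks "which id belongs to this IP?" through the allocating path would mint ids for nodes the datapath has not registered yet, and those ids would then linger in the maps GC is meant to clean.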
97704da bgpv1: Add unit tests for BGP CRD types Add unit tests to newly added SetDefaults() and Validate() methods of the BGP CRD types. Do not perform detailed defaulting / validation checks in unit tests of other packages, to have that testing logic co-located within a single package. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 15 June 2023, 14:46:46 UTC
1025ed7 bgpv1: Consolidate CRD field types to follow K8s API Conventions Modifies the types of CRD fields to follow the K8s API Conventions rules:
- "Use pointer types for all optional fields that do not have built-in nil value"
- "Do not use unsigned integers, due to inconsistent support across languages and libraries"
- "All public integer fields MUST use the Go (u)int32 or Go (u)int64 types, not (u)int"
Also changes the types of the existing ASN CRD fields to int64 to satisfy the above rules. Defaults ExportPodCIDR field of CiliumBGPVirtualRouter to false explicitly for consistency with other optional fields. As the default behavior remains the same, this is a backward-compatible change. Pointer types can be directly dereferenced in the reconcilers code. To allow that we provide defaulting methods for our API types, that can be used from the controllers / unit tests. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 15 June 2023, 14:46:46 UTC
69c5654 bgpv1: Move constants with default values to the API package This allows the default value to be versioned with the API. It also provides consistency with the kubebuilder tags that define the default values - both are kept in the same source file. Also moves timers validation logic to API package to co-locate the validation logic for API constraints that cannot be expressed with kubebuilder markers with the API itself. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 15 June 2023, 14:46:46 UTC
7ec77f2 bgpv1: Represent duration fields as integer fields in CRD API Modifies the type of recently added CRD fields of type `meta/v1.Duration` to integer type and their name to follow the K8s API Conventions rule: "Duration fields must be represented as integer fields with units being part of the field name (e.g. leaseDurationSeconds). We don't use Duration in the API since that would require clients to implement go-compatible parsing." Also enables defaulting for these fields on apiserver by using the kubebuilder:default tags (for static defaults). This includes the KeepaliveTimeSeconds field, which was defaulted at runtime to 1/3 of HoldTimeSeconds. As per K8s API Conventions, static defaults are preferred. It also makes the value more transparent to the user. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 15 June 2023, 14:46:46 UTC
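The API-type conventions the four bgpv1 commits (97704da, 1025ed7, 69c5654, 7ec77f2) apply, as an added example that is not Cilium's CRD code: optional fields as pointers, ASNs as `int64`, durations as integers with the unit in the field name, defaults kept as constants beside the type, `SetDefaults()` so reconcilers can dereference pointers directly, and `Validate()` for the timer relation that kubebuilder markers cannot express. The type and field names are modelled on the message but simplified; the default values (hold 90 s, connect retry 120 s), the keepalive default of one third of the hold time (the runtime rule 7ec77f2 mentions), and the validation rules (hold time 0 or at least 3 s, keepalive below the hold time, ASN in the 32-bit range) are assumptions for the example, the timer rules being the usual BGP constraints rather than anything taken from this page.

```go
package main

import (
	"errors"
	"fmt"
)

// Defaults live next to the type so they are versioned with the API.
// (Assumed values for this example, not Cilium's.)
const (
	DefaultBGPHoldTimeSeconds         int32 = 90
	DefaultBGPConnectRetryTimeSeconds int32 = 120
	DefaultBGPExportPodCIDR                 = false
)

// CiliumBGPNeighborSpec follows the conventions the commits cite: optional
// fields are pointers, integers are int32/int64 (never unsigned, never int),
// durations are integers with the unit in the name.
type CiliumBGPNeighborSpec struct {
	PeerAddress             string
	PeerASN                 int64
	HoldTimeSeconds         *int32
	KeepAliveTimeSeconds    *int32
	ConnectRetryTimeSeconds *int32
}

type CiliumBGPVirtualRouterSpec struct {
	LocalASN      int64
	ExportPodCIDR *bool
	Neighbors     []CiliumBGPNeighborSpec
}

func pInt32(v int32) *int32 { return &v }
func pBool(v bool) *bool    { return &v }

// SetDefaults fills every nil optional field so reconcilers can dereference
// the pointers directly. KeepAlive defaults to one third of the (possibly
// just defaulted) hold time, so the order of the two blocks matters.
func (n *CiliumBGPNeighborSpec) SetDefaults() {
	if n.HoldTimeSeconds == nil {
		n.HoldTimeSeconds = pInt32(DefaultBGPHoldTimeSeconds)
	}
	if n.KeepAliveTimeSeconds == nil {
		n.KeepAliveTimeSeconds = pInt32(*n.HoldTimeSeconds / 3)
	}
	if n.ConnectRetryTimeSeconds == nil {
		n.ConnectRetryTimeSeconds = pInt32(DefaultBGPConnectRetryTimeSeconds)
	}
}

func (r *CiliumBGPVirtualRouterSpec) SetDefaults() {
	if r.ExportPodCIDR == nil {
		r.ExportPodCIDR = pBool(DefaultBGPExportPodCIDR) // explicit false, like the other optionals
	}
	for i := range r.Neighbors {
		r.Neighbors[i].SetDefaults()
	}
}

// Validate covers what kubebuilder markers cannot: the relation between the
// two timers. Assumed rules: hold time is 0 or at least 3 seconds, keepalive
// is non-negative and shorter than a non-zero hold time, ASN fits 32 bits.
func (n *CiliumBGPNeighborSpec) Validate() error {
	if n.HoldTimeSeconds == nil || n.KeepAliveTimeSeconds == nil {
		return errors.New("SetDefaults must run before Validate")
	}
	hold, ka := *n.HoldTimeSeconds, *n.KeepAliveTimeSeconds
	if hold != 0 && hold < 3 {
		return fmt.Errorf("holdTimeSeconds must be 0 or >= 3, got %d", hold)
	}
	if ka < 0 || (hold != 0 && ka >= hold) {
		return fmt.Errorf("keepAliveTimeSeconds %d must be >= 0 and < holdTimeSeconds %d", ka, hold)
	}
	if n.PeerASN < 1 || n.PeerASN > 4294967295 {
		return fmt.Errorf("peerASN %d out of range", n.PeerASN)
	}
	return nil
}

func (r *CiliumBGPVirtualRouterSpec) Validate() error {
	if r.LocalASN < 1 || r.LocalASN > 4294967295 {
		return fmt.Errorf("localASN %d out of range", r.LocalASN)
	}
	for i := range r.Neighbors {
		if err := r.Neighbors[i].Validate(); err != nil {
			return fmt.Errorf("neighbor %d: %w", i, err)
		}
	}
	return nil
}

func main() {
	// Constructed spec: one neighbor with no timers set, one with only hold set.
	r := CiliumBGPVirtualRouterSpec{LocalASN: 65001, Neighbors: []CiliumBGPNeighborSpec{
		{PeerAddress: "192.0.2.1/32", PeerASN: 65002},
		{PeerAddress: "192.0.2.2/32", PeerASN: 65002, HoldTimeSeconds: pInt32(30)},
	}}
	r.SetDefaults()
	for _, n := range r.Neighbors {
		fmt.Printf("%s hold=%d keepalive=%d retry=%d valid=%v\n", n.PeerAddress,
			*n.HoldTimeSeconds, *n.KeepAliveTimeSeconds, *n.ConnectRetryTimeSeconds, n.Validate() == nil)
	}
}
```

Keeping `Validate()` refusing to run on an undefaulted object is deliberate: a nil pointer here would otherwise surface as a panic deep in a reconciler rather than as a clear error at the API boundary.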
00d8462 Replace client-go with private fork. Our private fork contains fix to exponential backoff in client-go for informers, that wasn't backported: https://github.com/kubernetes/kubernetes/pull/118132 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 15 June 2023, 11:57:36 UTC
7f4bf25 Documentation: add CONFIG_SCHEDSTATS to required kconfigs Commit 8531c5a7da ("bpf,datapath: read jiffies from /proc/schedstat") changed the way the kernel jiffy value is obtained. This procfs file is gated behind CONFIG_SCHEDSTATS. Signed-off-by: Timo Beckers <timo@isovalent.com> 15 June 2023, 11:35:12 UTC
44364e7 gha: Increase Ingress status wait time The current value is set as 10s, which might not be enough for a small kind cluster in a CI environment, hence the timeout below. This commit is to increase max wait time to 60s to mitigate the issue.
```
Scenario: An Ingress with a trailing slashes in a prefix path rule should ignore the trailing slash and send traffic to the matching backend service # features/path_rules.feature:181
Then The Ingress status shows the IP address or FQDN where it is exposed # features/path_rules.feature:93
Error: waiting for ingress status update: timed out waiting for the condition
```
Fixes: #25040 Signed-off-by: Tam Mach <tam.mach@cilium.io> 15 June 2023, 11:34:57 UTC
a07b305 gha: build kvstoremesh images through the CI Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 15 June 2023, 11:33:55 UTC