https://github.com/cilium/cilium

Revision Author Date Message Commit Date
4391c8f Prepare for release v1.16.0-pre.3 Signed-off-by: André Martins <andre@cilium.io> 03 June 2024, 21:23:03 UTC
0ba23ff update AUTHORS and Documentation Signed-off-by: André Martins <andre@cilium.io> 03 June 2024, 21:23:03 UTC
d81d918 chore(deps): update all lvh-images main to bpf-next-20240529.013128 Signed-off-by: renovate[bot] <bot@renovateapp.com> 03 June 2024, 19:29:01 UTC
7fe1ebc chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.14 Signed-off-by: renovate[bot] <bot@renovateapp.com> 03 June 2024, 18:29:36 UTC
c75469c k8s: remove unused policyRepository from k8swatcher This commit removes the unused field and interface `policyRepository` from the k8sWatcher. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 03 June 2024, 18:19:19 UTC
09872a6 fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> 03 June 2024, 15:35:39 UTC
32e76ff fqdn-perf: add ariane trigger for fqdn-perf Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 03 June 2024, 13:06:41 UTC
24ad731 fqdn-perf: move counters to separate prometheus measurement Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 03 June 2024, 13:06:41 UTC
38f30ae policy: parse policies in the operator, update informational conditions Without this, the only way to determine if a policy is valid is to read the agent logs. This is unfortunate (and impossible for most cluster end-users). This change adds a Cell to the operator that watches all CNPs and CCNPs. It validates policies using the same logic as the agent, setting an informational Condition when a policy is not valid. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 03 June 2024, 12:58:34 UTC
d5cf1cc policy: ignore policy events if generation unchanged Now that we are setting status, we should ignore policy update events if the Generation has not changed. The generation is only bumped by the apiserver when Spec / Specs is updated, but kept constant when Status is updated. So, we can ignore a policy recalculation when nothing has changed. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 03 June 2024, 12:58:34 UTC
451090b CRD: add Conditions to network policy status. This is the idiomatic way to report back multidimensional status on a resource. This will be used for components to report information such as validity. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 03 June 2024, 12:58:34 UTC
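The three commits above (Conditions on the policy status, validation in the operator, and skipping events whose Generation is unchanged) describe one reconcile pattern. The following is an added example, written for this page and not code from the cilium repository: it uses self-contained stand-ins for metav1.ObjectMeta, metav1.Condition and a CNP-like object (the type names ObjectMeta, Condition, NetworkPolicy and the condition type "Valid" are assumptions, not the project's API) to show the generation check and an upsert that records ObservedGeneration, so a consumer can tell whether the validity verdict refers to the spec it is looking at.

```go
package main

import (
	"fmt"
	"time"
)

// Stand-ins for metav1.ObjectMeta and metav1.Condition (assumption: the real CRD types embed
// those), so the example runs without k8s.io/apimachinery.
type (
	ObjectMeta struct {
		Name       string
		Generation int64 // bumped by the apiserver only when Spec/Specs change
	}
	Condition struct {
		Type, Status, Reason, Message string // Status is "True" or "False"
		ObservedGeneration            int64
		LastTransitionTime            time.Time
	}
	// NetworkPolicy is a hypothetical stand-in for a CNP/CCNP object.
	NetworkPolicy struct {
		ObjectMeta
		Spec   string // opaque here; only its generation matters
		Status struct{ Conditions []Condition }
	}
)

const condValid = "Valid"

// needsRecalculation reports whether an update event carries a spec change. A status-only
// write leaves metadata.generation untouched and is skipped; an add event (old == nil) is not.
func needsRecalculation(old, cur *NetworkPolicy) bool {
	return old == nil || cur.Generation != old.Generation
}

// setValidCondition upserts the Valid condition and records the generation that was
// validated, so a consumer can tell a stale verdict from a current one. LastTransitionTime
// moves only when Status flips, as for metav1.Condition.
func setValidCondition(p *NetworkPolicy, ok bool, reason, msg string, now time.Time) {
	status := "False"
	if ok {
		status = "True"
	}
	for i := range p.Status.Conditions {
		c := &p.Status.Conditions[i]
		if c.Type != condValid {
			continue
		}
		if c.Status != status {
			c.LastTransitionTime = now
		}
		c.Status, c.Reason, c.Message, c.ObservedGeneration = status, reason, msg, p.Generation
		return
	}
	p.Status.Conditions = append(p.Status.Conditions, Condition{
		Type: condValid, Status: status, Reason: reason, Message: msg,
		ObservedGeneration: p.Generation, LastTransitionTime: now,
	})
}

// validCondition returns the Valid condition and whether it was computed for the current
// generation; a false second value means the verdict is for an older spec (or absent).
func validCondition(p *NetworkPolicy) (Condition, bool) {
	for _, c := range p.Status.Conditions {
		if c.Type == condValid {
			return c, c.ObservedGeneration == p.Generation
		}
	}
	return Condition{}, false
}

func main() {
	now := time.Date(2024, 6, 3, 12, 0, 0, 0, time.UTC)
	old := &NetworkPolicy{ObjectMeta: ObjectMeta{Name: "allow-dns", Generation: 1}, Spec: "v1"}
	setValidCondition(old, false, "InvalidRule", "unsupported field in rule", now)

	statusOnly := *old // the condition write above: same generation, nothing to recalculate
	fmt.Println("status-only update needs recalculation:", needsRecalculation(old, &statusOnly))

	edited := *old // a spec edit: the apiserver bumps the generation (shallow copy is enough here)
	edited.Generation, edited.Spec = 2, "v2"
	fmt.Println("spec update needs recalculation:", needsRecalculation(old, &edited))
	c, current := validCondition(&edited)
	fmt.Printf("before revalidation: Valid=%s observedGeneration=%d current=%v\n", c.Status, c.ObservedGeneration, current)
	setValidCondition(&edited, true, "Validated", "", now.Add(time.Minute))
	c, current = validCondition(&edited)
	fmt.Printf("after revalidation: Valid=%s observedGeneration=%d current=%v\n", c.Status, c.ObservedGeneration, current)
}
```

The ObservedGeneration field is what makes the status trustworthy for a cluster user: without it, a condition written for generation 1 would still read as "invalid" after an operator fixed the spec and before the operator re-validated it.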
dc186ca CODEOWNERS: add sig-policy to network policy controller Signed-off-by: Casey Callendrello <cdc@isovalent.com> 03 June 2024, 12:58:34 UTC
3de3d37 policy: skip validation of policies behind a flag Both `cilium policy import` and `cilium policy validate` commands not only use server side validation of policies but both also use client side validation of policies - meaning they both run `r.Sanitize()` without being able to properly check cilium-agent's configuration flags. This can result in being unable to validate/import policy that uses a field (like fromNodes, toNodes) which is not available by default and its configuration is false by default. In existing examples this "only" runs `r.Sanitize()` twice. The problem is in a situation where some of the features are not enabled by default. In that case client side validation fails even though server side validation would run properly. This can also be a problem when we do `./check-examples.sh` in documentation which runs only client side validation. Let's skip client side validation of rules that are validatable only on the server side. Signed-off-by: Ondrej Blazek <ondrej.blazek@firma.seznam.cz> 03 June 2024, 11:27:13 UTC
123ac94 bugtool: Deduplicate tc qdisc commands The same tc commands to get information about queue discipline are repeated twice. Fix this by deduplicating them. Related: b13dc89166 ("Bugtool: Add additional tc commands.") Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 03 June 2024, 11:26:57 UTC
9153cfd renovate: ignore dependency github.com/google/go-licenses Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 03 June 2024, 11:07:45 UTC
909f0db pkg/endpoint: make identity resolver use the current revision The endpoint runIdentityResolver should always aim to try resolving with the matching identity revision of the identity labels used. Otherwise the endpoint state can end up in a weird status due to #29015. Signed-off-by: Ovidiu Tirla <otirla@google.com> 03 June 2024, 09:25:21 UTC
3a4c57f ipsec: cache xfrm state list Reduces GC CPU usage and memory allocations coming from XfrmStateList. To ensure we have an up-to-date cache, wrap all XfrmState related functions inside the cache, which is invalidated whenever XfrmState changes. This is a follow-up to #32577. While that PR averages out CPU usage over time, in a large cluster (100+ nodes) the amount of allocations coming from netlink.XfrmStateList() is high due to backgroundSync where we usually don't change any Xfrm states. This becomes more and more expensive as the number of nodes increases. Added a CI test to make sure that we don't accidentally add calls that modify XFRMState without going through the cache. Also, added a hidden option that allows turning off caching. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 03 June 2024, 09:13:55 UTC
8159412 clustermesh: forbid connecting to cluster with same ID as local Prevent connecting to a remote cluster which advertises the same clusterID as the local cluster, as that's a clear indicator of a misconfiguration, and a possible source of other further issues. While being there, let's also make the cluster ID and cluster name used as part of the clustermesh tests uniform. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 03 June 2024, 08:46:26 UTC
87e0f02 clustermesh: fix TestClusterMeshUsedIDs test Let's correctly test reserving a released ID, as per comment. Fixes: d7715082f985 ("clustermesh: generalize ClusterID reservation mechanism") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 03 June 2024, 08:46:26 UTC
ec138d3 chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 03 June 2024, 07:54:13 UTC
cfdbed5 chore(deps): update dependency cilium/cilium-cli to v0.16.9 Signed-off-by: renovate[bot] <bot@renovateapp.com> 03 June 2024, 07:09:10 UTC
fe91a40 chore(deps): update golangci/golangci-lint docker tag to v1.59.0 Signed-off-by: renovate[bot] <bot@renovateapp.com> 03 June 2024, 07:09:08 UTC
4b81d22 Remove `hubble.ui.securityContext.enabled` from hubble-ui helm template Signed-off-by: Lukas Stehlik <stehlik.lukas@gmail.com> 03 June 2024, 06:59:22 UTC
7c4582d datapath: add fake nat.NatMap{4,6} provider. These are rejected as 'MapDisabled', such that the nat/stats is disabled. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 03 June 2024, 06:14:17 UTC
5e4cc85 documentation: add section for NAT metrics Documents nat_endpoint_max_connection as well as giving a brief overview of NAT based metrics. This is being put into a separate new section as there will likely be more similar metrics added in the future. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 03 June 2024, 06:14:17 UTC
4908ee6 cilium-dbg: add nat-stats table to statedb dump. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 03 June 2024, 06:14:17 UTC
5c64c58 nat/stats/cell: export statedb.Table[NatMapStats] to hive. This will serve as the primary interface for future components to access nat map stats data. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 03 June 2024, 06:14:17 UTC
a868776 nat/stats: adds metric and table for nat table stats. Adds nat/stats which adds a module that computes stats for nat maps. This uses the batched iteration of the nat map added in previous commits to count the number of allocated ports there are in each nat connection tuple: {source_ip, endpoint_ip, endpoint_port}. This is necessary to monitor saturation of endpoint connections based on datapath allocation of source ports. ex. for a node with NAT mappings for endpoint addr: 10.0.0.123:8080 each new connection will be mapped a source port creating a unique tuple of {source_ip, allocated_port, remote_addr, remote_port}. This means that we can only allocate within the ephemeral port range within that "bucket". nat/stats uses batched iteration to efficiently count these buckets and use that to: i) Store the top-k (default 32) bucket sizes in a statedb table. ii) emit the max bucket size (for each ip family) as a metric. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 03 June 2024, 06:14:17 UTC
fe00f21 datapath/probes: add probe function to check for batch lookup api. Kernel >=5.6 includes batched lookup API, this provides a probe function for detecting this functionality by creating a small temporary map and attempting to do a batch lookup syscall. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 03 June 2024, 06:14:17 UTC
12f4824 pkg/maps/nat: expose global nat maps to hive. Previously, global nat ip4/ip6 maps are accessed from the package variables. To make accessing the maps easier for subsequent functionality this commit adds pkg/maps/nat/cell.go which exports a cell.Module(...) of global maps via the interfaces NatMap4 & NatMap6. Because setup of nat maps depends on the outcome of EnableNodePort which is not finalized until after newDaemon, this provides the maps via promises. Provided NAT maps are not used by loader, so we don't need to wrap with MapOut[T] as that creates a dependency cycle in hive in newDaemonPromise. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 03 June 2024, 06:14:17 UTC
0f3ac66 datapath/config: add constant for NODEPORT_PORT_MAX_NAT. This will be useful for counting stats for nat map utilization in subsequent commits. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 03 June 2024, 06:14:17 UTC
6fafdf9 daemon: newDaemon returns promise for *option.DaemonConfig. This resolves in the same way that the daemon promise resolves, but resolves to *option.DaemonConfig notifying that newDaemon init tasks have completed. Providing daemon config as a resolvable promise allows code that is being added to the Daemon cells to wait for this resolution without introducing cyclic package dependencies. This is necessary as newDaemon may override fields in DaemonConfig such as when doing kube proxy replacement init or device detection. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 03 June 2024, 06:14:17 UTC
7a9fdf1 pkg/maps/nat: add batched stats counting of nat map. This will be used to efficiently walk the map to generate stats for nat table port utilization. Lookup batch on LRU hash map may fail if the buffer passed is not big enough to accommodate the largest bucket size in the LRU map [1] This sets a dynamic buffer size based on the expected bucket size within the LRU map. Because bucket size cannot be known, we take a probabilistic approach by starting with a size that is over sqrt(max_entries * 2) which is the number of elements before we expect to see a collision (i.e. elements hashed into the same bucket). For cases where we hit this case, given this assumed bucket size, we will double the size of the chunks and try again, up to 3 times, leading to a 3 fold increase. Default NAT map size is 262144 -> 2^ceil(log2(sqrt(262144 * 2))) = 1024, with key + entry size being ~ 432 bits, this means we'll need to allocate 55kb to accommodate this iteration. To avoid unbounded growth, each ENOSPC will result in a doubling of the chunkSize which will persist into subsequent calls of Stats, up to a maximum of 3 (fold-increase). [1] https://elixir.bootlin.com/linux/latest/source/kernel/bpf/hashtab.c#L1776 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 03 June 2024, 06:14:17 UTC
1780559 Use HubbleListenAddress to infer HubblePort If the port can't be parsed from HubbleListenAddress, a warning will be emitted and port information will be omitted from Hubble peer's change notification messages (current behavior). Signed-off-by: Aleksander Mistewicz <amistewicz@google.com> 03 June 2024, 06:07:46 UTC
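The nat/stats commit (a868776) and the batched-walk commit (7a9fdf1) together describe an algorithm: dump the NAT map in chunks, start the chunk at 2^ceil(log2(sqrt(max_entries * 2))), double it on ENOSPC at most three times and keep the grown size for later runs, then count entries per {source_ip, endpoint_ip, endpoint_port} bucket and export the top-k and the per-family maximum. The following is an added example for this page, not code from cilium: the kernel batch lookup is replaced by a batchWalker function type and an in-memory simulation that fails with errNoSpace until the chunk is large enough (the names bucket, natStats, topK, initialChunkSize and the 3000-entry bucket in the simulation are this example's assumptions; the map entries are constructed and reduced to the bucket tuple, since the allocated source port that distinguishes real entries plays no role in the count).

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"net/netip"
	"sort"
)

// errNoSpace stands in for the ENOSPC a batched lookup returns when the buffer cannot hold a whole LRU bucket.
var errNoSpace = errors.New("batch buffer too small for bucket (ENOSPC)")

type (
	// bucket is the tuple whose connections share one ephemeral port range; each NAT map entry
	// (one per allocated source port) is reduced to it for counting.
	bucket struct {
		src, endpoint netip.Addr
		endpointPort  uint16
	}
	bucketStat struct {
		Key   bucket
		Count int
	}
	// batchWalker dumps the map in chunks of the given size, or returns errNoSpace if a chunk is smaller than the largest bucket.
	batchWalker func(chunk int) ([]bucket, error)
	// natStats keeps the chunk size across calls, so a doubling forced by ENOSPC persists into later runs.
	natStats struct {
		chunk, doublings int
		walk             batchWalker
	}
)

const maxDoublings = 3

// initialChunkSize is 2^ceil(log2(sqrt(maxEntries*2))): the size at which two keys are first expected to share a bucket.
func initialChunkSize(maxEntries int) int {
	return 1 << int(math.Ceil(math.Log2(math.Sqrt(float64(maxEntries)*2))))
}

// dump retries with a doubled chunk on ENOSPC, at most maxDoublings times; any other error is returned as is.
func (s *natStats) dump() ([]bucket, error) {
	entries, err := s.walk(s.chunk)
	for ; errors.Is(err, errNoSpace) && s.doublings < maxDoublings; entries, err = s.walk(s.chunk) {
		s.chunk *= 2
		s.doublings++
	}
	return entries, err
}

// topK returns the k fullest buckets (largest first, ties by source address) and the largest
// bucket per IP family, which is the value a saturation gauge would export.
func topK(entries []bucket, k int) (top []bucketStat, max4, max6 int) {
	counts := map[bucket]int{}
	for _, e := range entries {
		counts[e]++
	}
	for key, n := range counts {
		top = append(top, bucketStat{key, n})
		if key.src.Is4() && n > max4 {
			max4 = n
		} else if key.src.Is6() && n > max6 {
			max6 = n
		}
	}
	sort.Slice(top, func(i, j int) bool {
		if top[i].Count != top[j].Count {
			return top[i].Count > top[j].Count
		}
		return top[i].Key.src.Compare(top[j].Key.src) < 0
	})
	if len(top) > k {
		top = top[:k]
	}
	return top, max4, max6
}

// sampleEntries is constructed input: 5 connections from 192.0.2.1 and 2 from 192.0.2.2 to
// 10.0.0.123:8080, plus one IPv6 connection.
func sampleEntries() []bucket {
	ep := netip.MustParseAddr("10.0.0.123")
	var out []bucket
	for _, src := range []string{"192.0.2.1", "192.0.2.1", "192.0.2.1", "192.0.2.1", "192.0.2.1", "192.0.2.2", "192.0.2.2"} {
		out = append(out, bucket{netip.MustParseAddr(src), ep, 8080})
	}
	return append(out, bucket{netip.MustParseAddr("2001:db8::1"), netip.MustParseAddr("2001:db8::123"), 443})
}

func main() {
	entries := sampleEntries()
	stats := &natStats{chunk: initialChunkSize(262144), walk: func(chunk int) ([]bucket, error) {
		if chunk < 3000 { // simulated kernel: the dump only succeeds once a chunk holds 3000 entries
			return nil, errNoSpace
		}
		return entries, nil
	}}
	dumped, err := stats.dump()
	if err != nil {
		panic(err)
	}
	top, max4, max6 := topK(dumped, 2)
	fmt.Printf("chunk=%d after %d doublings; max bucket v4=%d v6=%d\n", stats.chunk, stats.doublings, max4, max6)
	for _, b := range top {
		fmt.Printf("%s -> %s:%d: %d ports\n", b.Key.src, b.Key.endpoint, b.Key.endpointPort, b.Count)
	}
}
```

With the default 262144-entry map the walk starts at a 1024-entry chunk, exactly the figure in the commit message, and in the simulation needs two doublings (to 4096) before the dump succeeds; because the grown chunk is kept in natStats, the next call succeeds on its first attempt. If the map keeps returning ENOSPC after three doublings, dump gives up and returns the error rather than growing the buffer without bound.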
e5c1fc9 Add WithHubblePort configuration option The default is "no port specified" to keep backwards-compatibility. Signed-off-by: Aleksander Mistewicz <amistewicz@google.com> 03 June 2024, 06:07:46 UTC
259fa4e Add hubblePort to peer.Handler It lets the caller specify the Hubble observer port that should be used by the Hubble relay (or other consumer of Hubble peer service). Signed-off-by: Aleksander Mistewicz <amistewicz@google.com> 03 June 2024, 06:07:46 UTC
423fa49 pkg/lbmap: Fix skip_lb map iteration callback Fixes panic caused on deletion of certain LRPs - ``` Observed a panic: &runtime.TypeAssertionError{_interface:(*abi.Type)(0x34d74c0), concrete:(*abi.Type)(0x36d6020), asserted:(*abi.Type)(0x36d5fa0), missingMethod:""} (interface conversion: interface {} is *lbmap.SkipLB4Value, not lbmap.SkipLB4Value) goroutine 467 [running]: k8s.io/apimachinery/pkg/util/runtime.logPanic({0x3604780, 0xc00440c870}) /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:75 +0x85 k8s.io/apimachinery/pkg/util/runtime.HandleCrash({0x0, 0x0, 0xc00229a4d0?}) /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:49 +0x6b panic({0x3604780?, 0xc00440c870?}) ``` Fixes: 33552812c3 (pkg/maps: Add new maps to skip service load-balancing) Signed-off-by: Aditi Ghag <aditi@cilium.io> 03 June 2024, 06:06:45 UTC
703ae41 cilium-dbg: Reprint header line periodically with statedb When watching a table for changes it's easy to get lost with what the columns meant. Add a periodic reprinting of the header line to make it easier to follow. As this makes it easier to mix up the header line with the rows, add a '# ' to the front. Output of "cilium-dbg statedb health --watch=100ms" looks like this now: ... agent.datapath.agent-liveness-updater timer-job-agent-liveness-updater OK ... # Module Component Level ... agent.datapath.agent-liveness-updater timer-job-agent-liveness-updater OK ... .. Signed-off-by: Jussi Maki <jussi@isovalent.com> 31 May 2024, 16:01:16 UTC
3115031 bgp: check announce LBIP in speaker This commit moves the check whether LBIP BGP announcement via MetalLB speaker is enabled or not into the speaker itself. This way, the dependency to the config properties can be removed from the callers. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 31 May 2024, 15:04:10 UTC
c8b84e0 bgp: introduce interface and noop implementation This commit introduces an interface and noop implementation for the BGP speaker logic. The noop implementation is used if MetalLB BGP functionality is completely disabled. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 31 May 2024, 15:04:10 UTC
ee368c3 bgp: move speaker node subscription logic into cell Currently, the node event subscription of the MetalLB bgp speaker is setup during the agent initialization. This commit moves this logic into the new Hive Cell. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 31 May 2024, 15:04:10 UTC
abd0278 bgp: speaker explicitly depends on k8s service cache Currently, the k8s ServiceCache gets registered during the agent initialization. Because the k8s ServiceCache is provided by its own Hive Cell, this commit introduces an explicit dependency from the MetalLB BGP speaker to the K8s ServiceCache and removes the explicit method `RegisterSvcCache`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 31 May 2024, 15:04:10 UTC
8eab009 bgp: introduce speaker hive cell This commit introduces a new Hive Cell for the MetalLB based BGP speaker. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 31 May 2024, 15:04:10 UTC
014d45f bgpv2/docs: adding BGP resource diagram Adding bgpv2.png file which shows relationship between various BGP configuration resources. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 31 May 2024, 15:03:35 UTC
b87274c bgpv2: update documentation to introduce bgpv2 Introducing BGPv2 configuration guide. It includes how to configure BGP control plane with new APIs like - Cilium BGP Cluster Config - Cilium BGP Peer Config - Cilium BGP Advertisements Various snippets of configuration are added with this documentation. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 31 May 2024, 15:03:35 UTC
51d1f28 bgp-control-plane: update documentation structure Adding bgp-control-plane directory under Documentation/network, since there are multiple documents related to BGP control plane and it makes it easier to navigate. Second change is to have dedicated BGP control plane landing page which then have references to configuration and other guides. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 31 May 2024, 15:03:35 UTC
d1ce709 k8s: use netip.IPv{4,6}Unspecified Instead of converting it from the respective net.IPv{4,6}zero constants which may induce an additional allocation. Signed-off-by: Tobias Klauser <tobias@cilium.io> 31 May 2024, 14:06:43 UTC
2af18f1 hive/health: use slog/logger and minor cleanups This ensures that logging output of the metrics job and the rest of the health subsystem are piped through the same logging mechanism. In addition, unexport what need not be exported, and avoid some amount of stuttering in "health.HealthTableName", for example. Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 31 May 2024, 13:34:05 UTC
69a65ec hive/health: readd module health metrics Somewhere in the move from pkg/hive to cilium/hive we lost the module health metrics. Add them back in the new form of a query on the status table, and add a test. Fixes: 2311f3d781 (treewide: rebase on cilium/hive) Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 31 May 2024, 13:34:05 UTC
d404ee7 node/manager: test: avoid future race in status With the introduction of the hive module health metric publisher in a subsequent patch, a precondition of the node manager EmitStatus test will break: the test assumes the node manager to be the only writer to the status table. Without this patch, a race occurs. Since it seems likely that the set of default hive cells will grow (and that they may want to update their status too) change the test so that it no longer assumes exclusivity. It now looks specifically at its own status, and uses revisions to understand when the status changes. Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 31 May 2024, 13:34:05 UTC
5942460 vendor: upgrade cilium/hive dep Pulling this bugfix in manually to ensure we don't hit race conditions after the next commit. Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 31 May 2024, 13:34:05 UTC
2b0ab4e hive/health: move healthv2 to hive and rename it Moves the healthv2 implementation to hive/health to get rid of the somewhat ugly v2 part of the pkg name, and to give some logical structure. Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 31 May 2024, 13:34:05 UTC
686876c Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields In https://github.com/cilium/cilium/commit/27322f3959c3fa05b9b1c4f9827527b4a3642687, the CiliumLoadBalancerIPPool's field named "cidrs" was deprecated. The documentation on https://docs.cilium.io/en/stable/network/lb-ipam/ provides an example of configuring a CiliumLoadBalancerIPPool using the field named "blocks". While testing a BGP policy configured with the Advertised Path Attributes feature, I was not able to achieve the desired policy. BGP attributes configured were not being applied. While discussing this in Cilium's Slack channel, it was pointed out that the BGPv1 reconciler was only aware of the deprecated field. This commit updates Cilium's BGPv1 reconciler to support both the deprecated and updated fields. Fixes: #32693 Signed-off-by: David Swafford <dswafford@coreweave.com> 31 May 2024, 11:56:54 UTC
d4ce450 chore(deps): update all lvh-images main to bpf-next-20240521.012924 Signed-off-by: renovate[bot] <bot@renovateapp.com> 31 May 2024, 11:28:05 UTC
abcfaf4 Improved boolean parsing using hasKey Fixes: #28381 Signed-off-by: hasan-alkama <gl3118@myamu.ac.in> 31 May 2024, 11:17:32 UTC
a7f2084 docs: Add user manual how to enable and configure multicast feature. Signed-off-by: Tomoya Fujita <Tomoya.Fujita@sony.com> 31 May 2024, 11:14:45 UTC
b1b7ea9 Helm: Add Clustermesh certificate creation variable This commit adds the `.Values.clustermesh.apiserver.tls.enableSecrets` variable and new conditional statements to the `tls-provided` Helm templates. The purpose of this is to provide control over secret creation for out-of-band TLS certificate management. The new value defaults to `true` which will maintain the current clustermesh secret creation functionality. If the value is set to `false` Helm will not create TLS secrets for Clustermesh. Signed-off-by: soggiest <nicholas@isovalent.com> 31 May 2024, 11:09:39 UTC
7d1e89a ingress: add a new annotation for dedicated LoadBalancerClass This adds a way to configure the `LoadBalancerClass` on dedicated LB created by the operator. Signed-off-by: Patrik Cyvoct <patrik@ptrk.io> 31 May 2024, 11:09:35 UTC
b0221ce helm: add .Values.gatewayAPI.enableAlpn `enable-gateway-api-alpn` flag is false by default, setting it explicitly will enable ALPN support alongside appProtocol. Signed-off-by: Rauan Mayemir <rauan@mayemir.io> 31 May 2024, 11:03:56 UTC
b05630b gateway-api: ALPN support This feature is hidden behind `enable-gateway-api-alpn` flag on the operator gwapi cell. The implementation will change envoy listener configuration to expose ALPN suggesting both HTTP/2 and HTTP/1.1. Fixes: #30794 Signed-off-by: Rauan Mayemir <rauan@mayemir.io> 31 May 2024, 11:03:56 UTC
c4d2b63 ci: update docs-builder Signed-off-by: Cilium Imagebot <noreply@cilium.io> 31 May 2024, 10:31:50 UTC
5a7d69d --- updated-dependencies: - dependency-name: requests dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> 31 May 2024, 10:31:50 UTC
eb69919 [debug] Always include debug symbols in the agent debug image When building stripped binaries (i.e. NOSTRIP unset) we end up with a Cilium Agent `debug` image that has no debug symbols available. So Delve for instance doesn't work properly (breakpoints can't be set, goroutine stacks are unavailable, etc). With this change: - If the build is invoked with `NOSTRIP=0`, then the `release` image has stripped binaries and the `debug` image has stripped binaries + debug symbol files in `/usr/lib/debug`. - If the build is invoked with `NOSTRIP=1`, then the `release` image has non-stripped binaries and the `debug` image has non-stripped binaries + debug symbol files in `/usr/lib/debug`. This ensures the `debug` image always has symbols available, so Delve works, regardless of the NOSTRIP setting at build. Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com> 31 May 2024, 10:22:39 UTC
cfb72f7 datapath: Extend LocalNodeConfiguration with devices and addresses The loader and the config writer were accessing node IP address information and devices via either the StateDB tables or via pkg/node globals. This made these components hard to test and made it hard to reason about reinitialization when data changed. Clean this up by extending the LocalNodeConfiguration with additional fields that capture this dynamic data that was accessed out-of-band previously. The creation of LocalNodeConfiguration is moved from NodeDiscovery into the datapath orchestrator where it belongs. Signed-off-by: Jussi Maki <jussi@isovalent.com> 31 May 2024, 10:11:26 UTC
a86ac24 datapath: Move NodeAddressing out from tables NodeAddressing doesn't make sense to live in the tables package as it isn't about defining a common StateDB table. It also introduces dependency on the datapath types package which makes it impossible to use the tables package types in datapath types. Eventually whole NodeAddressing will be removed as it is just a wrapper around LocalNodeStore and Table[Device], and a harmful one at that as it hides the fact that the underlying data may change over time. Signed-off-by: Jussi Maki <jussi@isovalent.com> 31 May 2024, 10:11:26 UTC
0a02d60 loader: Remove duplicated Loader interface There was no pressing need for having two separate Loader interfaces. Simplify things by just keeping the datapath types version. Refactor DetachXDP() to take an interface name to avoid leaking netlink.Link in the export methods. It did a link lookup again anyway, so there was no benefit to reusing the passed in Link. Signed-off-by: Jussi Maki <jussi@isovalent.com> 31 May 2024, 10:11:26 UTC
7209275 ci: Filter supported versions of EKS Whenever EKS stopped supporting a particular version of EKS, we had to manually remove it from all stable branches. Now instead of that, we will dynamically check if it's supported and only then run the test. This implementation is not great as supported versions are hard-coded in eksctl until EKS fixes it: https://github.com/aws/containers-roadmap/issues/982#issuecomment-2050635472 Because of that, we always fetch newest eksctl version. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 31 May 2024, 09:55:16 UTC
cd8c236 policy: fix flaky unit test Some tests relied on a fixed rule order, which is no longer the case. Rule order in production was always non-deterministic, but not for certain unit tests. Fixes: df42a7d8 Signed-off-by: Casey Callendrello <cdc@isovalent.com> 31 May 2024, 08:54:58 UTC
e7e1e36 api: Re-generate protobuf files A recent commit updated the protobuf implementation, which generates different output code in the api directory. Apply those updates. Signed-off-by: Joe Stringer <joe@cilium.io> 31 May 2024, 08:33:23 UTC
acada3b images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 31 May 2024, 08:33:23 UTC
eddad21 chore(deps): update dependency protocolbuffers/protobuf to v27 Signed-off-by: renovate[bot] <bot@renovateapp.com> 31 May 2024, 08:33:23 UTC
8383f56 images/builder: fix install protoc script for renovate Renovate adds the "v" as part of the protoc version so update the script so that it works regardless. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 31 May 2024, 08:33:23 UTC
a9c1e5f config: remove ingress & gateway api leftovers from global agent config After moving all of the Ingress Controller & Gateway API logic into dedicated Hive Cells with their own configs, the leftovers in the global config of the Cilium Agent can be removed. The only use of the config whether Ingress Controller is enabled, is during the IPAMDelegatedPlugin validation. I think it's ok to remove this check and just keep the one that checks that the IPAMDelegate Plugin is disabled when CiliumEnvoyConfig is enabled. This is implicitly the case if Ingress Controller and/or Gateway API are enabled. Gateway API isn't covered explicitly. Therefore, this commit removes the config properties from the global Agent config. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 31 May 2024, 08:30:18 UTC
d91e18c clustermesh: test nodes and services draining upon clusterID change Now that we enforce the correspondence of the advertised clusterID with the one present as part of node and service objects, let's add an extra test to ensure that node and service entries associated with the old clusterID are eventually drained upon reconnection. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 31 May 2024, 08:28:16 UTC
50aa900 clustermesh: additional validation of shared services Extend the validation performed upon retrieval of shared services from a remote cluster, to ensure improved consistency and prevent the propagation of corrupted data. In particular, let's ensure that the cluster, namespace and name fields are always set, that the cluster name matches that of the cluster we are connected to, and that the namespaced name corresponds to the kvstore key. Additionally, let's provide the possibility of validating the clusterID correspondence as well. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 31 May 2024, 08:28:16 UTC
35a200b clustermesh: rework prepareServiceUpdate testing helper function Let's generate the kvstore key and value data representing a shared service marshalling the ClusterService structure, rather than by means of strings concatenation. That makes it easier to understand and extend in the future. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 31 May 2024, 08:28:16 UTC
108d87e clustermesh: extract and generalize the service observer logic Extract and generalize the clustermesh service observer logic, to additionally reduce code duplication and ensure that the two usages are always synchronized. While being there, let's also slightly improve the log messages, and drop the type check, as it is always guaranteed to be correct. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 31 May 2024, 08:28:16 UTC
e564c0c clustermesh: additional validation of remote nodes Extend the validation performed upon retrieval of node entries from a remote cluster, to ensure improved consistency and prevent the propagation of corrupted data. In particular, let's ensure that the cluster and name fields are always set, that the cluster name matches that of the cluster we are connected to, and that the name corresponds to the kvstore key. Additionally, let's provide the possibility of validating the clusterID correspondence as well. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 31 May 2024, 08:28:16 UTC
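Commits 50aa900 and e564c0c describe the same defensive checks for data read from a remote cluster's kvstore (all identifying fields set, cluster name matching the connected cluster, key matching the object's own namespace/name or name, and an optional clusterID match), and 8159412 adds the connection-time refusal of a remote cluster that advertises the local cluster ID. The following is an added example for this page, not code from cilium, that puts those checks in one place. It assumes the key layout cilium/state/services/v1/<cluster>/<namespace>/<name> and cilium/state/nodes/v1/<cluster>/<name> (an assumption; the real watcher may see keys relative to a prefix) and uses simplified stand-ins for the ClusterService and node types; the remoteCluster type and the error variables are this example's own names.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed kvstore layout (not verified against the project): shared services under
// cilium/state/services/v1/<cluster>/<namespace>/<name>, nodes under cilium/state/nodes/v1/<cluster>/<name>.
const (
	servicesPrefix = "cilium/state/services/v1/"
	nodesPrefix    = "cilium/state/nodes/v1/"
)

// Simplified stand-ins for the shared service and remote node types.
type (
	ClusterService struct {
		Cluster   string
		ClusterID uint32
		Namespace string
		Name      string
	}
	RemoteNode struct {
		Cluster   string
		ClusterID uint32
		Name      string
	}
	// remoteCluster describes the cluster a clustermesh connection is established to.
	// With checkClusterID set, the ClusterID carried by every object must match as well.
	remoteCluster struct {
		name           string
		clusterID      uint32
		checkClusterID bool
	}
)

var (
	errSameClusterID = errors.New("remote cluster advertises the local cluster ID")
	errMissingField  = errors.New("required field not set")
	errClusterName   = errors.New("cluster name does not match connected cluster")
	errClusterID     = errors.New("cluster ID does not match connected cluster")
	errKeyMismatch   = errors.New("object does not correspond to its kvstore key")
)

// refuseSameClusterID is the connection-time guard: a remote cluster that advertises
// our own ID is a misconfiguration and is never connected to.
func refuseSameClusterID(localID, remoteID uint32) error {
	if localID == remoteID {
		return fmt.Errorf("%w: %d", errSameClusterID, remoteID)
	}
	return nil
}

func (rc remoteCluster) checkCluster(name string, id uint32) error {
	if name != rc.name {
		return fmt.Errorf("%w: got %q, want %q", errClusterName, name, rc.name)
	}
	if rc.checkClusterID && id != rc.clusterID {
		return fmt.Errorf("%w: got %d, want %d", errClusterID, id, rc.clusterID)
	}
	return nil
}

// checkKey rejects an object read from a key other than the one its own identifying fields
// would produce, so a misplaced or tampered entry cannot be attributed to another service or node.
func checkKey(key, want string) error {
	if key != want {
		return fmt.Errorf("%w: read from %q, expected %q", errKeyMismatch, key, want)
	}
	return nil
}

// validateService applies the shared-service checks in the order the cheapest failure is found.
func (rc remoteCluster) validateService(key string, svc ClusterService) error {
	if svc.Cluster == "" || svc.Namespace == "" || svc.Name == "" {
		return errMissingField
	}
	if err := rc.checkCluster(svc.Cluster, svc.ClusterID); err != nil {
		return err
	}
	return checkKey(key, servicesPrefix+svc.Cluster+"/"+svc.Namespace+"/"+svc.Name)
}

// validateNode applies the same checks to a remote node entry.
func (rc remoteCluster) validateNode(key string, n RemoteNode) error {
	if n.Cluster == "" || n.Name == "" {
		return errMissingField
	}
	if err := rc.checkCluster(n.Cluster, n.ClusterID); err != nil {
		return err
	}
	return checkKey(key, nodesPrefix+n.Cluster+"/"+n.Name)
}

func main() {
	rc := remoteCluster{name: "cluster2", clusterID: 2, checkClusterID: true}
	svc := ClusterService{Cluster: "cluster2", ClusterID: 2, Namespace: "default", Name: "web"} // constructed
	fmt.Println(refuseSameClusterID(2, 2))
	fmt.Println(rc.validateService(servicesPrefix+"cluster2/default/web", svc))
	fmt.Println(rc.validateService(servicesPrefix+"cluster2/default/db", svc))
	fmt.Println(rc.validateNode(nodesPrefix+"cluster1/node-a", RemoteNode{Cluster: "cluster1", ClusterID: 1, Name: "node-a"}))
}
```

The key check is the one that matters most for consistency: an entry whose payload names service default/web but which sits at the key for default/db would otherwise be applied under the wrong identity, and once such an object is in the local cache it is hard to tell apart from legitimate state. Leaving checkClusterID off reproduces the "optional" behaviour the commits describe.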
29302e0 clustermesh: don't propagate node observer and key creator through hive As a preparation for the subsequent commits, let's hard-code the node key creator and observer implementations, rather than propagating them through hive, given that they are just tiny wrappers. This simplifies further extensions, and ensures that we use the same approach in tests as well, allowing to early catch possible issues. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 31 May 2024, 08:28:16 UTC
d3aedc8 node: move NodeSync to a separate extended NodeManager interface The NodeObserver does not depend on the NodeSync method. Hence, let's move it to a separate interface, to avoid having to implement it needlessly, e.g., in tests. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 31 May 2024, 08:28:16 UTC
389bef9 encrypt: constrain ENCRYPT_MAP to ENABLE_IPSEC The map isn't needed otherwise. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 31 May 2024, 06:24:27 UTC
32c13cc bpf: move some ipsec-specific code into encrypt.h The ENCRYPT_MAP and MAX_KEY_INDEX are only needed by ipsec code. Maintain them in a single place. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 31 May 2024, 06:24:27 UTC
e31b50d metrics, docs: Deprecate some policy regeneration metrics Following the prior commits, officially mark the policy regeneration metrics as deprecated in favor of the corresponding endpoint regeneration metrics. Signed-off-by: Chris Tarazi <chris@isovalent.com> 30 May 2024, 18:58:28 UTC
b5050c7 endpoint: Remove unused policy regeneration stat code Now that in prior commits, the policy regeneration/recalculation has been consolidated with the general endpoint regeneration statistics, we can remove the policy-specific statistics code. Signed-off-by: Chris Tarazi <chris@isovalent.com> 30 May 2024, 18:58:28 UTC
e1406d3 endpoint: Remove unused span stat Since commit eb46448260 ("policy: Use selector cache in policy computation"), this span is no longer used, so remove it. Signed-off-by: Chris Tarazi <chris@isovalent.com> 30 May 2024, 18:58:28 UTC
78f035f endpoint: Consolidate regeneration metrics accounting This commit consolidates the policy regeneration/recalculation metrics into the broader `regenerationStatistics` struct. The policy regeneration count metric is equivalent to the endpoint regeneration count, by inspecting the values on a local deployment of Cilium. Additionally through code inspection, it occurred to me that the entirety of the `policyRegenerationStatistics` struct already exists in `regenerationStatistics` struct, except for the policy repository span. Therefore, it is a waste to have duplicated metrics because it unnecessarily increases the number of metrics Cilium sends to Prometheus which has costs to the user. Subsequent commits will remove this redundancy altogether and deprecate the corresponding metrics to reduce cardinality. Signed-off-by: Chris Tarazi <chris@isovalent.com> 30 May 2024, 18:58:28 UTC
8fa5f60 bgpv2: update multi-homing lab to use config overrides There are two changes to multi-homing container lab - Use loopback address on FRR side for peering. - Add example of CiliumBGPNodeConfigOverride resource to set custom router-id and local peering address. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 30 May 2024, 17:15:36 UTC
83fe8c6 k8s: un-export function k8sWatcher.ResourceGroups Currently, (AFAIK) the method `k8sWatcher.ResourceGroups` is just exposed for testing purposes, with the consequence that the method `k8sWatcher.InitK8sSubsystem` has the list of resourceGroups and cachedOnlyResourceGroups in its signature. This is unnecessary, as the agent daemon gathers these lists from the k8swatcher itself. Therefore, this commit treats this logic as an internal fact of the k8sWatcher by un-exporting the method `ResourceGroups` and removing the respective parameters from the method signature of `InitK8sSubsystem`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 May 2024, 17:14:32 UTC
9431418 k8s: delete delegation methods to k8sResourcesSynced Currently, the k8sWatcher provides many methods that just delegate to its field `k8sResourceSynced` - even if just used for internal purposes. This commit removes all unnecessary methods by using the functions on the field directly. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 May 2024, 17:14:32 UTC
7d8805f k8s: move cilium endpoint(slice) related functions into cilium_endpoint.go To reduce the size and scope of the file k8s/watchers/watcher.go, this commit moves the init function for Cilium endpoint(slices) into the file cilium_endpoint.go. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 May 2024, 17:14:32 UTC
87b4aae k8s: move service related functions into service.go To reduce the size and scope of the file k8s/watchers/watcher.go, this commit moves all service relevant functions into the file service.go. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 May 2024, 17:14:32 UTC
cd4fb83 k8s: remove unnecessary policy config interface This commit flattens the unnecessary policy config interface into the WatcherConfiguration interface. Previously config flags that used the same mechanism (e.g. Ingress Controller, Gateway API) have been removed in the meantime. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 May 2024, 17:14:32 UTC
32447d8 k8s: extract metrics related code in separate metrics.go file To reduce the size and scope of the k8s/watchers/watcher.go file, this commit extracts all metrics relevant structs and their initialization/registration into a separate file metrics.go. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 May 2024, 17:14:32 UTC
1529fa6 refactor: config options combined into DNS proxy config struct Signed-off-by: Vipul Singh <singhvipul@microsoft.com> 30 May 2024, 16:55:44 UTC
bb31eba defaults: reduce identity-restore-grace-period to 30 seconds for k8s For k8s-only agents, we will never release restored identities until after k8s caches have synced. So, there's no point in such a long grace period. Since we now restore all labels, this is a window in which external CIDRs could potentially have stale labels, so we should keep this as short as possible. So, reduce the default to 30 seconds for agents not using kvstore. However, we have no such waiting period for kvstore-based workloads, so we must still wait the full 10 minutes. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 30 May 2024, 15:13:35 UTC
f78a815 daemon: use local allocator checkpoint on restore This uses the local allocator checkpoint to ensure that prefixes get identical labels on restart. As before, it dumps the ipcache, but now it reconstructs the set of labels identically. In the case where the identity is not present in the allocator cache, it requests the same numeric identity instead. This allows us to remove a tiny bit of logic in `IPCache.resolveIdentity()` that was needed to reconstruct node identities; this heuristic is no longer needed with the checkpoint. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 30 May 2024, 15:13:35 UTC
d067b63 identity/cache: checkpoint & restore local allocator state This writes the state of the local identity allocators to disk, asynchronously, so that it is available for use during agent restarts. Checkpoints happen, at most, every 10 seconds, triggered by identity allocation. JSON streaming is used to reduce memory allocations. Right now, local identities / labels are restored using heuristics to try and reconstruct the set of labels for each prefix. Rather than falling back to heuristics, we should just write out the allocator state directly. A subsequent commit will tie this in to the daemon identity restoration logic. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 30 May 2024, 15:13:35 UTC
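The two commits above (d067b63, which checkpoints local allocator state to disk at most every 10 seconds using JSON streaming, and f78a815, which restores prefixes with their exact labels and requests the same numeric identity) describe a pattern worth seeing end to end. The following is an added example, not Cilium's code: a minimal local identity allocator with a rate-limited, atomically written JSON-stream checkpoint and a restore path that re-pins each numeric identity. All names (`LocalAllocator`, `AllocateWithID`, `RestoreCheckpoint`, the file layout) are assumptions for illustration. It simplifies the commit in two ways: the checkpoint is written synchronously inside the allocation call rather than asynchronously, and the clock is injectable so the rate limit can be exercised deterministically.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
	"time"
)

// checkpointEntry is one persisted identity: the numeric ID and the exact
// label set it was allocated for. Storing labels verbatim is what lets the
// restore path skip heuristic reconstruction (hypothetical layout).
type checkpointEntry struct {
	ID     uint32   `json:"id"`
	Labels []string `json:"labels"`
}

// LocalAllocator hands out node-local numeric identities for label sets and
// checkpoints its state at most once per interval (illustrative, not Cilium's type).
type LocalAllocator struct {
	byKey    map[string]uint32
	byID     map[uint32][]string
	next     uint32
	path     string
	interval time.Duration
	now      func() time.Time
	last     time.Time
	dirty    bool
}

func NewLocalAllocator(path string, interval time.Duration, now func() time.Time) *LocalAllocator {
	if now == nil {
		now = time.Now
	}
	return &LocalAllocator{byKey: map[string]uint32{}, byID: map[uint32][]string{},
		next: 1, path: path, interval: interval, now: now}
}

// labelKey makes the lookup order-independent: the same labels in any order map to one identity.
func labelKey(labels []string) string {
	sorted := append([]string(nil), labels...)
	sort.Strings(sorted)
	return strings.Join(sorted, ",")
}

func (a *LocalAllocator) Lookup(labels []string) (uint32, bool) {
	id, ok := a.byKey[labelKey(labels)]
	return id, ok
}

// Allocate returns the identity for labels, minting a new one if needed, and
// then gives the rate-limited checkpoint a chance to run (allocation is the trigger).
func (a *LocalAllocator) Allocate(labels []string) (uint32, error) {
	key := labelKey(labels)
	if id, ok := a.byKey[key]; ok {
		return id, nil
	}
	for a.byID[a.next] != nil { // never reuse an ID that restore pinned
		a.next++
	}
	id := a.next
	a.next++
	a.record(id, key, labels)
	return id, a.maybeCheckpoint()
}

// AllocateWithID re-pins a specific numeric identity; the restore path uses it
// so a prefix keeps the ID it had before the restart. Conflicts are rejected.
func (a *LocalAllocator) AllocateWithID(id uint32, labels []string) error {
	key := labelKey(labels)
	if existing, ok := a.byKey[key]; ok && existing != id {
		return fmt.Errorf("labels %q already bound to identity %d, cannot restore as %d", key, existing, id)
	}
	if have, ok := a.byID[id]; ok && labelKey(have) != key {
		return fmt.Errorf("identity %d already bound to %q", id, labelKey(have))
	}
	a.record(id, key, labels)
	return nil
}

func (a *LocalAllocator) record(id uint32, key string, labels []string) {
	a.byKey[key] = id
	a.byID[id] = append([]string(nil), labels...)
	a.dirty = true
}

// maybeCheckpoint enforces "at most one checkpoint per interval"; a skipped
// write is picked up by a later allocation, so the file may lag but never tears.
func (a *LocalAllocator) maybeCheckpoint() error {
	if !a.dirty || a.path == "" || (!a.last.IsZero() && a.now().Sub(a.last) < a.interval) {
		return nil
	}
	return a.Checkpoint()
}

// Checkpoint streams one JSON object per entry straight to a temp file (no
// intermediate slice), fsyncs, then renames so readers never see a partial file.
func (a *LocalAllocator) Checkpoint() error {
	tmp := a.path + ".tmp"
	f, err := os.Create(tmp)
	if err != nil {
		return err
	}
	enc := json.NewEncoder(f)
	for id, labels := range a.byID {
		if err := enc.Encode(checkpointEntry{ID: id, Labels: labels}); err != nil {
			f.Close()
			return err
		}
	}
	if err := f.Sync(); err != nil {
		f.Close()
		return err
	}
	if err := f.Close(); err != nil {
		return err
	}
	if err := os.Rename(tmp, a.path); err != nil {
		return err
	}
	a.last, a.dirty = a.now(), false
	return nil
}

// RestoreCheckpoint decodes the JSON stream and re-pins every identity with
// its original number and labels; returns how many entries were restored.
func RestoreCheckpoint(path string, into *LocalAllocator) (int, error) {
	f, err := os.Open(path)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	dec, n := json.NewDecoder(f), 0
	for {
		var e checkpointEntry
		if err := dec.Decode(&e); err == io.EOF {
			return n, nil
		} else if err != nil {
			return n, err
		}
		if err := into.AllocateWithID(e.ID, e.Labels); err != nil {
			return n, err
		}
		n++
	}
}

func main() {
	a := NewLocalAllocator(os.TempDir()+"/local_allocator_example.json", 10*time.Second, nil)
	id, err := a.Allocate([]string{"reserved:world", "cidr:10.0.0.0/8"}) // constructed sample labels
	fmt.Println("allocated identity", id, "checkpoint error:", err)
}
```

The rate limit means the on-disk state can be up to one interval stale, which is exactly the trade-off the commit makes against write amplification; the atomic rename is what keeps a crash mid-write from corrupting the file the next agent start will read.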
66e4f87 go.mod: use json-iterator directly Previously, it was a transitive dependency. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 30 May 2024, 15:13:35 UTC
55090ec identity: add AllocateLocalIdentity() to restrict global allocation This is useful for circumstances in which we *know* we never want to allocate a global identity, such as the ipcache for CIDR prefixes. A subsequent commit will make use of this functionality. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 30 May 2024, 15:13:35 UTC
8e08799 helm: Remove CILIUM_BRANCH variable This variable is only used to construct the URL for Cilium icon. Remove CILIUM_BRANCH variable and always use the icon in the main branch [^1] so that there is one less thing to update when you create a stable branch from main. Also, one could potentially argue it's better to have a single up-to-date icon image for all the Helm charts. [^1]: https://github.com/cilium/cilium/blob/main/Documentation/images/logo-solo.svg Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 30 May 2024, 14:10:41 UTC