Revision Author Date Message Commit Date
26526a1 Test extending cilium-cli Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 21 June 2023, 21:47:38 UTC
054ae88 Consistently use cilium-cli Helm mode Put CILIUM_CLI_MODE environment variable at the top level to use the Helm mode for all cilium-cli commands consistently. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 21 June 2023, 20:59:16 UTC
7f8a540 fix(deps): update module github.com/prometheus/procfs to v0.11.0 Signed-off-by: renovate[bot] <bot@renovateapp.com> 21 June 2023, 20:43:40 UTC
93bcd42 Set CILIUM_CLI_MODE env variable at the top level Set CILIUM_CLI_MODE environment variable to helm at the top level so that all the cilium commands use the Helm mode consistently. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 21 June 2023, 20:06:55 UTC
b7cd3e0 conformance-externalworkloads: Use Helm mode cilium-cli Ref: https://github.com/cilium/cilium-cli#experimental-helm-installation-mode Ref: #25156 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 21 June 2023, 20:06:40 UTC
f978157 ci-aks: Use cilium-cli Helm mode Ref: #25156 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 21 June 2023, 20:06:40 UTC
104dafd fix panic in linuxNodeHandler.NodeDelete Observed a panic: runtime.boundsError{x:0, y:0, signed:true, code:0x0} (runtime error: index out of range [0] with length 0) github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).deallocateIDForNode(0xc003e871f0?, 0xc003e87108?) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node_ids.go:110 +0x335 Signed-off-by: qifeng guo <qifeng.guo@daocloud.io> 21 June 2023, 19:42:29 UTC
34aaeae ci/workflows: fix matrix generation With recent changes, matrix strategies were added to conformance tests. The matrix is generated from action yaml files, which are currently pulled from a PR which does not exist. This fails the workflows. This commit fixes the issue by pulling from main. Signed-off-by: Birol Bilgin <birol@cilium.io> 21 June 2023, 19:35:55 UTC
d9b9e65 policy: Optimize getNets() getNets is used in DenyPreferredInsert for MapState. It is somewhat costly, and uses a cache to compute the result at most once for each MapStateEntry. Speed up the computation with two strategies: - skip looking for CIDR labels when the identity is not a local identity. This works due to CIDR identities always being locally allocated - skip allocating a slice when not needed, returning a nil map instead if the locally allocated identity has no CIDR labels Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 June 2023, 18:41:38 UTC
f75b0e8 kvstoremesh: make cilium-kvstoremesh secret optional Currently, the cilium-kvstoremesh secret is not marked as optional, causing the clustermesh-apiserver to not start in case it is not present. Yet, that secret is created only when `.Values.clustermesh.config.enabled` is set, and it might not be enabled when clustermesh/kvstoremesh is initially enabled (e.g., through the CLI). Hence, let's mark it as optional so that the pod can start correctly even if it is not present. It will be loaded automatically when it is created afterwards. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 21 June 2023, 17:08:18 UTC
020afc1 chore(deps): update docker.io/library/golang docker tag to v1.20.5 Signed-off-by: renovate[bot] <bot@renovateapp.com> 21 June 2023, 12:59:32 UTC
9173f77 test: Fix the attempted fix for the hostfw flake Commit 0cfce97f31 ("test/k8s: add host firewall workaround for svc host policy test.") ported the fix from 439a0a059 ("test: Fix ACK and FIN+ACK policy drops in hostfw tests") to a new set of host firewall tests. It is however not enough to call the same function. We also need to ensure that the same policy as in the tests themselves is loaded during the preparation. This commit makes that small change. Fixes: 0cfce97f31 ("test/k8s: add host firewall workaround for svc host policy test.") Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 21 June 2023, 12:33:31 UTC
0dbf373 cilium, client: Dump G{R,S}OIPv{4,6} for status on client side This is useful for having as part of the sysdump, thus wire up the GRO/GSO settings on client side: # ./cilium/cilium status [...] IPv4 BIG TCP: Enabled [196608] IPv6 BIG TCP: Enabled [196608] [...] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 21 June 2023, 12:33:05 UTC
2ad2ef5 cilium, status: Dump G{R,S}OIPv{4,6} for status on server side Hook up the bigTCPConfig dump from agent side. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 21 June 2023, 12:33:05 UTC
418ac29 cilium, api: Add auto-generated API code for maxGRO/maxGSO Auto-generated code, not much to see otherwise. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 21 June 2023, 12:33:05 UTC
97a1843 cilium, api: Add maxGRO/maxGSO sizes for the status dump Given we have probing, it is useful to dump this into the cilium status for visibility. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 21 June 2023, 12:33:05 UTC
2cbdba1 .github/workflows: let renovate update kind in ingress workflow This was missed in commit d722d513dc8d (".github/workflows: let renovate update kind"). Signed-off-by: Tobias Klauser <tobias@cilium.io> 21 June 2023, 11:06:38 UTC
eb4ae07 ci/workflow: add all aws supported k8s versions The current aws conformance tests run against one version of k8s, either a specific version or the default version that is provided by the cloud provider. This commit adds all the supported k8s versions by AWS in a matrix strategy. Signed-off-by: Birol Bilgin <birol@cilium.io> 21 June 2023, 10:35:29 UTC
823831f ci/workflow: add all gke supported k8s versions The current conformance tests run against one version of k8s, either a specific version or the default version that is provided by GCP. This commit adds all the supported k8s versions by GCP in a matrix strategy. Signed-off-by: Birol Bilgin <birol@cilium.io> 21 June 2023, 10:35:09 UTC
e8f8fa9 ci/workflow: add schema validation This commit adds schema validation for conformance tests action files Signed-off-by: Birol Bilgin <birol@cilium.io> 21 June 2023, 10:34:47 UTC
80924f4 ci/workflow: add all azure supported k8s versions The current aks conformance tests run against one version of k8s, either a specific version or the default version that is provided by the cloud provider. This commit adds all the supported k8s versions by Azure in a matrix strategy. Signed-off-by: Birol Bilgin <birol@cilium.io> 21 June 2023, 10:34:47 UTC
4ec2c36 Log error message on unhealthy /healthz check I was looking into kubelet liveness checks returning HTTP 503 response codes recently and noticed that there was not any logging in the agent that indicated the issue. The logging I'm adding in this PR allowed me to track down why the liveness checks were failing by giving the error message associated with the current subsystem's unhealthy state. Signed-off-by: Steven Johnson <sjdot@protonmail.com> 21 June 2023, 08:53:55 UTC
5a1770c clustermesh: fix broken test due to merge race Due to a merge race, one of the clustermesh tests is currently broken. Let's fix it, removing a leftover reference to checkmate. Fixes: 081c4d2e1a50 ("kvstore: prevent multiple test clients from being created in parallel") Fixes: 5409bc51b398 ("clustermesh: improve reliability of TestClusterMesh") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 21 June 2023, 07:29:25 UTC
0f64b95 Documentation: retire Cilium-integrated Istio documentation * Update Istio integration documentation including caveats and limitations * Remove old istio bookinfo application in /examples/kubernetes-istio and replace it with a simpler client/server application Signed-off-by: Michael Kashin <michael.kashin@isovalent.com> 21 June 2023, 07:18:18 UTC
390b4dc install: Don't install CNI binaries if cni.install=false Signed-off-by: Joe Stringer <joe@cilium.io> 21 June 2023, 06:33:33 UTC
5409bc5 clustermesh: improve reliability of TestClusterMesh Currently, TestClusterMesh is subject to possible race conditions caused by the conjoint usage of defer (i.e., to stop the identity allocator) and Cleanup (i.e., to execute the stop hook of the clustermesh subsystem). Additionally, some cluster ID reservation assertions may fail due to race conditions as they are not "eventually" tested. Let's fix these possible issues to improve the reliability of the test. While at it, let's also convert it to leverage the testing framework. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 21 June 2023, 06:32:36 UTC
ae13023 cilium, bigtcp: Add ice to the list of supported drivers Now that we support lowering GRO/GSO, we can also add ice. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Tested-by: Haiyue Wang <haiyue.wang@intel.com> 21 June 2023, 06:32:01 UTC
dfca201 cilium, bigtcp: Make probing for GRO/GSO max size more graceful This would in particular help drivers which do not have bigTCPGSOMaxSize of 196608, for example, ice. Lower the maximum if BIG TCP is supported and smaller than the default of 196608. We might make the bigTCP{GSO,GRO}MaxSize also manually tweakable in future. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 21 June 2023, 06:32:01 UTC
3ee561e cilium, bigtcp: Misc comment improvements Just some tiny tweaks, that's all. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 21 June 2023, 06:32:01 UTC
1198055 Call out support for Multi-AZ in EKS Signed-off-by: amitmavgupta <115551423+amitmavgupta@users.noreply.github.com> 20 June 2023, 21:27:34 UTC
c4f8b59 Publish 2022 security audits Signed-off-by: ZSC <sarah.corleissen@isovalent.com> 20 June 2023, 21:17:02 UTC
4daf0fe docs: Update kvstore documentation with potential circular dependency. Current documentation does not inform about the potential circular dependency between Cilium and kvstore. This commit explains how this dependency can happen and also gives two potential ways of resolving it. Also, bump Etcd version requirement to 3.4.0+, as previous minor releases are no longer supported. Fixes https://github.com/cilium/cilium/issues/25632 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 20 June 2023, 19:47:59 UTC
03fdfef kvstoremesh: re-enable the integration tests Now that a locking mechanism is in place to prevent the interaction between different tests using the kvstore, let's enable again the kvstoremesh integration tests. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 20 June 2023, 19:46:09 UTC
081c4d2 kvstore: prevent multiple test clients from being created in parallel Multiple tests might be running in parallel by go test if they are part of different packages. This can lead to race conditions and tests flakiness if different tests touch the same keys. Hence, let's add a locking mechanism to the client initialization logic used in tests to prevent that two clients are created in parallel. Additionally, let's automatically register the appropriate cleanup logic to delete all keys and close the client when the test terminates. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 20 June 2023, 19:46:09 UTC
6850614 kvstore: refactor the EtcdRateLimiter test In view of the subsequent commit that will introduce a locking mechanism to prevent the execution of two kvstore tests in parallel, we need to refactor the EtcdRateLimiter test to avoid initializing two clients during the same test (as it would lead to a deadlock). While at it, let's also convert it to leverage the testing framework. No functional differences are expected to be introduced by this refactoring. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 20 June 2023, 19:46:09 UTC
74cea2d kvstore: TestGetSet misc improvements Currently, the kvstore GetSet test repeats the same set of operations for 256 times. Yet, due to the rate limiting settings (i.e., 20 QPS), this ends up requiring quite a lot of time in the etcd case. Hence, let's reduce the number of iterations to 8, to speed up the test execution, given that the overall coverage would not be affected. Before: --- PASS: Test/EtcdSuite/TestGetSet (101.76s) After: --- PASS: Test/EtcdSuite/TestGetSet (2.55s) Additionally, this commit updates one of the checks that was identical to another performed immediately before. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 20 June 2023, 19:46:09 UTC
c75aef9 fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> 20 June 2023, 19:34:33 UTC
66f3359 datapath: bigtcp: Fix the IPv4 BIG TCP may not work The kernel will also update the IPv4 GRO/GSO setting if the new value of "gso/gro_max_size" isn't greater than 65536: 1. Enable IPv4 and IPv6 BIG TCP firstly: a). Dump the agent's log: $ kubectl -n kube-system logs cilium-tfhz5 2>&1 | grep "big-tcp" level=info msg=" --enable-ipv4-big-tcp='true'" subsys=daemon level=info msg=" --enable-ipv6-big-tcp='true'" subsys=daemon level=info msg="Setting up BIG TCP" subsys=big-tcp level=info msg="Setting IPv4 gso_max_size to 131072 and gro_max_size to 131072" device=enp0 subsys=big-tcp level=info msg="Setting IPv6 gso_max_size to 131072 and gro_max_size to 131072" device=enp0 subsys=big-tcp b). Check the GSO value on the host's net device: $ ip -d -j link show dev enp0 | jq -c '.[0].gso_max_size' 131072 $ ip -d -j link show dev enp0 | jq -c '.[0].gso_ipv4_max_size' 131072 2. Then re-install the cilium by enabling IPv4 BIG TCP only: a). Dump the agent's log: $ kubectl -n kube-system logs cilium-zwpg6 2>&1 | grep "big-tcp" level=info msg=" --enable-ipv4-big-tcp='true'" subsys=daemon level=info msg=" --enable-ipv6-big-tcp='false'" subsys=daemon level=info msg="Setting up BIG TCP" subsys=big-tcp level=info msg="Setting IPv4 gso_max_size to 131072 and gro_max_size to 131072" device=enp0 subsys=big-tcp level=info msg="Setting IPv6 gso_max_size to 65536 and gro_max_size to 65536" device=enp0 subsys=big-tcp b). Check the GSO value on the host's net device: $ ip -d -j link show dev enp0 | jq -c '.[0].gso_max_size' 65536 $ ip -d -j link show dev enp0 | jq -c '.[0].gso_ipv4_max_size' 65536 No errors about the BIG TCP setting in cilium agent's log, but the value of net device's '{gso,gro}_ipv4_max_size' is wrong. So it needs to handle the IPv6 BIG TCP setting firstly, then IPv4. Signed-off-by: Haiyue Wang <haiyue.wang@intel.com> Link: https://lore.kernel.org/netdev/7e1f733cc96c7f7658fbf3276a90281b2f37acd1.1674921359.git.lucien.xin@gmail.com/ 20 June 2023, 15:45:58 UTC
4045d0d bpf: add __section_entry macro for tagging entrypoints Now the ELF section name is no longer used for generating names of tc filters (after moving off of iproute2 for bpf loading), remove the non-standard section names from the bpf C code base in favor of libbpf-compatible ones. Ignore tc and xdp sections during ELF rewriting. Signed-off-by: Jack-R-lantern <tjdfkr2421@gmail.com> Signed-off-by: Timo Beckers <timo@isovalent.com> 20 June 2023, 15:39:45 UTC
85388ee bpf: test: add egressgw_status_check helper which is used to verify that a test returned a given action Signed-off-by: Gilberto Bertin <jibi@cilium.io> 20 June 2023, 15:31:01 UTC
b12114c bpf: test: move egressgw common helpers in lib/egressgw.h and rename egressgw_snat_pktgen to egressgw_pktgen, to reuse it in tc_egressgw_redirect.c and xdp_egressgw_reply.c Signed-off-by: Gilberto Bertin <jibi@cilium.io> 20 June 2023, 15:31:01 UTC
6ff3216 bpf: test: use CT dir instead of reply in egressgw_test_ctx this should make it a bit more explicit what the test is doing Signed-off-by: Gilberto Bertin <jibi@cilium.io> 20 June 2023, 15:31:01 UTC
45fc79c bpf: test: switch helpers to egressgw_test_ctx since egressgw_snat_check has reached a high number of parameters, introduce a new egressgw_test_ctx struct that describes the context of a test/check, and use that as parameter of the egressgw_snat_{pktgen,snat} helpers Signed-off-by: Gilberto Bertin <jibi@cilium.io> 20 June 2023, 15:31:01 UTC
d458551 bpf: test: add {add, del}_allow_all_egress_policy helpers these helpers are used to install and remove an allow policy in the egressgw redirect tests to avoid packets being dropped Signed-off-by: Gilberto Bertin <jibi@cilium.io> 20 June 2023, 15:31:01 UTC
e5a496a bpf: test: add {add, del}_egressgw_policy_entry helpers and use them to always clean up egress gateway policies after each test run Signed-off-by: Gilberto Bertin <jibi@cilium.io> 20 June 2023, 15:31:01 UTC
6376158 bpf: test: use different client port for each egressgw test otherwise different tests will share and reuse the same NAT/CT entries, causing unexpected results due to the existing connections Signed-off-by: Gilberto Bertin <jibi@cilium.io> 20 June 2023, 15:31:01 UTC
253b5e8 bpf: test: pass expected status code to egressgw_snat_check this is to decouple it from the reply parameter and make it more generic, in preparation for a new test Signed-off-by: Gilberto Bertin <jibi@cilium.io> 20 June 2023, 15:31:01 UTC
d511b55 bpf: test: add egressgw_test enum this new type will be used in a subsequent commit to identify the context of each individual egress gateway test. Also rename tc_egressgw_snat2_reply to tc_egressgw_snat1_2_reply as tests 1 and 2 share the same context Signed-off-by: Gilberto Bertin <jibi@cilium.io> 20 June 2023, 15:31:01 UTC
f4f3656 ipsec: Split removeStaleXFRMOnce to fix deprioritization issue We expect deprioritizeOldOutPolicy() to be executed for IPv4 and IPv6, but removeStaleXFRMOnce prevents the second call. If both IPv4 and IPv6 are enabled, v6 xfrm policy won't be deprioritized due to this issue. This commit fixes it by splitting removeStaleXFRMOnce into removeStaleIPv4XFRMOnce and removeStaleIPv6XFRMOnce. Fixes: https://github.com/cilium/cilium/commit/688dc9ac802b11f6c16a9cbc5d60baaf77bd6ed0 Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 20 June 2023, 14:54:02 UTC
2f39f57 docu: envoy daemonset This commit adds the section "Deployment as DaemonSet" to the "Envoy" page, which describes the new deployment mode. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 20 June 2023, 14:53:12 UTC
c8eeebe Increase the max wait time for EndpointCreate API requests In the event that a node has a burst of PodSandboxCreate requests, API requests will pile up. However, we should wait longer for the queue to clear before short-circuiting and returning failure. This is because the kubelet has a relatively relaxed timeout for PodSandbox creation -- 4 minutes. Furthermore, if we return a failure here, it is propagated all the way back through containerd to kubelet, which will tear down the entire PodSandbox and try again, which can be expensive. So, increase the maximum queue duration time to 1 minute. That should hopefully give enough time for the queue to clear. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 20 June 2023, 14:52:36 UTC
e956bb1 cli: Print NodeID in hex The Node ID is used in the SKB mark used by XFRM policies. The latter print it in hex. So, let's reduce the mental strain a bit when debugging IPsec issues. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 June 2023, 14:51:51 UTC
18f85a0 bugtool: Add cilium bpf nodeid list To help to detect when IPcache is out of sync with locally stored Node IDs. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 June 2023, 14:51:51 UTC
1095227 BGP CP: Adds Intro to Docs Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io> 20 June 2023, 14:51:10 UTC
cd67881 Documentation: Add graceful restart section in BGP documentation Introduce BGP Graceful Restart documentation in bgp-control-plane.rst document. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 20 June 2023, 14:50:10 UTC
31ff4cf auth: delete cache-entry on ErrKeyNotExist In the unlikely event of trying to delete an auth map entry which is no longer present in the auth map, the entry should also be removed from the auth map cache. Currently it gets kept in the cache, which would result in unnecessary retries. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 20 June 2023, 14:49:35 UTC
00edc42 bgpv1: skip invalid node selector config in policy selection This change skips the BGP policy if LabelSelectorAsSelector returns an error in parsing node selector fields. Fixes: #23227 Signed-off-by: harsimran pabla <hpabla@isovalent.com> 20 June 2023, 14:48:52 UTC
39d9570 bgpv1: set N-bit in graceful restart Set N-bit in graceful restart negotiation, so peer can trigger graceful restart helper mode if HoldTime expires. Further details in RFC-8538. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 20 June 2023, 14:48:25 UTC
6decd65 bpf: test IPSec datapath on from-overlay These testcases cover IPsec datapath for both IPv4 and IPv6. An ingress skb will reach `from-overlay` twice, for the 1st time the skb is ESP-encrypted, for the 2nd time the skb is ESP-decrypted with mark `0xd00`. For the 1st reach, we check the following behaviors: 1. skb is passed to stack 2. skb->mark is set to 0xd00 3. skb->data doesn't change For the 2nd reach, we check: 1. skb is redirected to the target lxc veth 2. skb->mark is cleared to 0 Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 20 June 2023, 14:46:04 UTC
dee0683 bpf: test IPSec datapath on from-host These testcases cover IPSec datapath on `from-host` for both IPv4 and IPv6. The input skb should be ESP-encrypted with mark set to `node_id << 16 | key << 12 | 0xe00` and cb[4] set to sec_id. We will check the following behaviors after execution of `from-host`: 1. skb->mark is cleared to 0 2. skb->cb[4] is cleared to 0 3. skb is redirected to cilium_vxlan 4. skb->data doesn't change 5. VxLAN VNI is set to sec_id Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> pktgen 20 June 2023, 14:46:04 UTC
b760a99 bpf: test IPSec datapath on from-container These testcases cover IPSec datapath on `from-container` for both IPv4 and IPv6. The following behaviors are checked after execution of `from-container`: 1. skb->mark should be set to `node_id << 16 | key << 12 | 0xe00` 2. skb->cb[4] should be set to source sec_id 3. skb should be passed to stack 4. skb->data doesn't change Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 20 June 2023, 14:46:04 UTC
51d7f70 test: run BPF test program with context The previous implementation of BPFProgram.Test() only allowed passing and returning bytes as *skb->data, without the ability to specify input skb metadata or check output skb metadata. This commit introduces a new function named runBpfProgram, which passes an additional []byte as input skb metadata and returns an additional []byte as output skb metadata. By utilizing this function, we ensure that the skb->mark set in PKTGEN can be properly passed to the SETUP , and any modifications to skb->mark or skb->cb can be accurately examined during the CHECK for validation purposes. The input ctx bytes will be set as the input skb, briefly you can expect `memcpy(skb, ctx, sizeof(*skb))` happening inside, and you can get skb->mark by `mark := ctx[offset(skb, mark): sizeof(skb->mark)]`. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 20 June 2023, 14:46:04 UTC
5039106 bpf: skip policy check for IPv6 NDP traffic Previously, our policy check for IPv6 NDP traffic caused issues such as #23852 and #23910 because this traffic was identified as WORLD_ID, which would be given a verdict of drop when CiliumNetworkPolicy is applied for per-endpoint routing. To resolve this issue, we pass all IPv6 NDP traffic to the stack without policy check. This change aligns with how we handle IPv4 ARP: the cilium bpf never performs policy check for ARP, regardless of whether we enable `ENABLE_ARP_PASSTHROUGH` or `ENABLE_ARP_RESPONDER`. Fixes: #23852 Fixes: #23910 Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 20 June 2023, 14:45:25 UTC
c1dffab datapath: Introduce helpers for __ctx_is checks Only macros in function body are updated so it doesn't affect function definitions. Fixes: #23008 Signed-off-by: spacewander <spacewanderlzx@gmail.com> 20 June 2023, 14:45:04 UTC
a188358 test: bigtcp: Update the BIG TCP checking message The commit 795d0716cf38 ("cilium: IPv4 BIG TCP support") has updated the "Setting up IPv6 BIG TCP" to "Setting up BIG TCP". Signed-off-by: Haiyue Wang <haiyue.wang@intel.com> 20 June 2023, 14:36:32 UTC
e0931df docs: clarify that L3 DNS policies require L7 proxy enabled Add a note to the L3 policy documentation clarifying that L3 DNS policies require the L7 proxy enabled and an L7 policy for DNS traffic so Cilium can intercept DNS responses. Previously, the documentation linked to other sections describing the DNS Proxy, but I know at least a few people who were surprised that a policy under "L3 Examples" would require an L7 proxy. Hopefully adding a note near the beginning of the section will make this requirement more obvious. Signed-off-by: Will Daly <widaly@microsoft.com> 20 June 2023, 12:36:29 UTC
68bff35 docs: reword incorrect L7 policy description Fixing incorrect description of the GET /public policy in the L7 section. Signed-off-by: Peter Jausovec <peter.jausovec@solo.io> 20 June 2023, 12:16:01 UTC
93cc419 Adding an AWS architecture diagram for AWS FTR review Signed-off-by: amitmavgupta <115551423+amitmavgupta@users.noreply.github.com> 20 June 2023, 11:57:53 UTC
95b264d alibabacloud: use NextToken and MaxResults to list instance types Currently, there is no paging query used to retrieve instance types. When there are many instance types, some instances can not obtain ENI and IPPerENI limits. The cilium operator log is as follows. ``` level=warning msg="Unable to maintain ip pool of node" error="Unable to determine limits" instanceID=<ID> name=<NAME> subsys=ipam ``` This patch fixes this problem by using NextToken and MaxResults for paging query. Signed-off-by: Hao Zhang <hao.zhang.am.i@gmail.com> 20 June 2023, 10:49:43 UTC
29b75ee gateway-api: Enable HTTPRouteListenerHostnameMatching test This was fixed as part of recent refactor and v0.7.0 upgrade. Fixes: #24217 Signed-off-by: Tam Mach <tam.mach@cilium.io> 20 June 2023, 10:38:09 UTC
cabc477 Decouple CES work queue and k8s client rate limiting Currently CiliumEndpointSlice (CES) work queue uses rate limiting values specified for the k8s client. Changes: 1. Add a new set of flags for CES work queue limit and burst rates, `CESWriteQPSLimit` and `CESWriteQPSBurst`. The processed work queue items always trigger a single CES create, update or write request to the kube-apiserver. The work queue rate limiting effectively limits the rate of writes to the kube-apiserver for CES api objects. 2. Set the default `CESWriteQPSLimit` to `10` and `CESWriteQPSBurst` to `20`. 3. Set the maximums for qps `50` and burst `100`. 4. Unhide `CESMaxCEPsInCES` and `CESSlicingMode` flags from appearing in logs when `CES` is enabled. Signed-off-by: Dorde Lapcevic <dordel@google.com> 20 June 2023, 09:43:27 UTC
2716ff7 cilium: Unbreak updateDevicesFromRoutes route.Dst check Referenced vishvananda/netlink breaks Cilium as it stops propagating route.Dst == nil, but instead generates a zero net for these. Therefore update the test in the device manager to fix it again, so that we do not need to rely on the Cilium-based fork with revert of mentioned commit. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://github.com/vishvananda/netlink/commit/acdc658b8613655ddb69f978e9fb4cf413e2b830 20 June 2023, 07:33:33 UTC
9f0be9e vendor: Update vishvananda/netlink/ Update vishvananda/netlink and point it back to its upstream location instead of our local Cilium repo. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 20 June 2023, 07:33:33 UTC
15a7365 lbmap,vtep: fix SockRevNat6Key and VtepEndpointInfo padding These don't pass the improved alignchecker. The vtep map value was reported to be broken after the recent bpf.Map changes: `update map cilium_vtep_map: can't marshal value: *vtep.VtepEndpointInfo doesn't marshal to 16 bytes`. Fixes #26287 Signed-off-by: Timo Beckers <timo@isovalent.com> 19 June 2023, 18:51:40 UTC
e6d40ee alignchecker: require binary.Size and unsafe.Sizeof of all types to match With the recent switch to ebpf-go's native map k/v (un)marshaling code, a few MapKey and MapValue types came up that were lacking trailing padding. These will be fixed in a follow-up commit, but to avoid future regressions, the alignchecker needed to be improved to catch these errors during agent startup, to guarantee catching it in CI instead of randomly during runtime. ebpf-go uses binary.Read and binary.Write to convert values exchanged with the kernel APIs to and from Go types. However, package 'binary' ignores all padding in the given type. When calling binary.Write on a struct, all data will be nicely packed into the resulting byte slice. Since the Cilium agent was previously passing unsafe.Pointers to MapKeys and MapValues to ebpf-go's Map APIs, it uses the reflect.Value().Size() (equivalent of unsafe.Sizeof()) to populate Map.KeySize and .ValueSize. This value _does_ account for all padding, unlike binary.Size used by binary.Read() and .Write(). This blows up when interacting with the Map, since ebpf-go checks the amount of bytes produced by binary.Write against the configured KeySize value of the Map. This commit modifies the alignchecker so it receives the actual Go types instead of a reflect.Type, since we cannot call binary.Size on the latter. It also fixes a logic bug in TestAlignChecker where the test returned after checking the first test with an expected error. Signed-off-by: Timo Beckers <timo@isovalent.com> 19 June 2023, 18:51:40 UTC
9813a0b chore(deps): update actions/setup-go action to v4.0.1 Signed-off-by: renovate[bot] <bot@renovateapp.com> 19 June 2023, 09:42:57 UTC
bfa8697 endpoint: remove DisableSIPVerification func from Endpoint iface Signed-off-by: Ondrej Blazek <ondrej.blazek@firma.seznam.cz> 18 June 2023, 20:06:32 UTC
c7184c5 endpoint: add endpoint datapath options unit test Add unit test to test SourceIPVerification datapath option can always be overridden by endpoint specific DisableSipVerification datapath configuration. Signed-off-by: Ondrej Blazek <ondrej.blazek@firma.seznam.cz> 18 June 2023, 20:06:32 UTC
d7dbb85 fix: Remove the duplicate ENABLE_SIP_VERIFICATION in ep_config.h Currently ENABLE_SIP_VERIFICATION runtime option can define ENABLE_SIP_VERIFICATION macro just like DisableSIPVerification endpoint datapath option can. If DatapathConfiguration.DisableSipVerification value is not inline with SourceIPVerification, the two macros in ep_config.h may conflict. Secondly calling of SetDefaultConfiguration() func is removed from AddEndpoint() as that is being called for the second time - although not using this wrapper but via SetDefaultOpts() directly. Related slack thread https://cilium.slack.com/archives/C2B917YHE/p1680518197957369 Signed-off-by: Li Chengyuan <chengyuanli@hotmail.com> Signed-off-by: Ondrej Blazek <ondrej.blazek@firma.seznam.cz> 18 June 2023, 20:06:32 UTC
489d812 README: Bump latest snapshot release version Signed-off-by: Joe Stringer <joe@cilium.io> 16 June 2023, 22:25:22 UTC
c0ae00d Revert "Prepare for release v1.14.0-snapshot.4" This reverts commit 5268019f37da9bd181190993f580f0e7f194092c. Signed-off-by: Joe Stringer <joe@cilium.io> 16 June 2023, 20:14:39 UTC
6c8db75 Prepare for release v1.14.0-snapshot.4 Signed-off-by: Joe Stringer <joe@cilium.io> 16 June 2023, 20:14:39 UTC
c8cdadc Update AUTHORS for recent contributors Signed-off-by: Joe Stringer <joe@cilium.io> 16 June 2023, 20:14:39 UTC
7519783 docs: Fix formatting for check-crd-compat script This script was generating an improperly formatted table due to the longer release names recently, X.Y.Z-snapshot.N. Fix it. Signed-off-by: Joe Stringer <joe@cilium.io> 16 June 2023, 20:14:39 UTC
0aa6853 "Security Implications" section in "Layer 7 Protocol Visibility" doc Co-authored-by: Ioannis Androulidakis <androulidakis.ioannis@gmail.com> Signed-off-by: ChrsMark <chrismarkou92@gmail.com> 16 June 2023, 18:24:39 UTC
9f2b011 Add support for --hubble-redact=http-url-query Co-authored-by: Ioannis Androulidakis <androulidakis.ioannis@gmail.com> Signed-off-by: ChrsMark <chrismarkou92@gmail.com> 16 June 2023, 18:24:39 UTC
d710a08 Fix decodeHTTP to avoid accesslog mutation on URL's password redact Co-authored-by: Ioannis Androulidakis <androulidakis.ioannis@gmail.com> Signed-off-by: ChrsMark <chrismarkou92@gmail.com> 16 June 2023, 18:24:39 UTC
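The two redaction commits above (query-string redaction and the fix that stops password redaction from mutating the stored access-log entry) are illustrated by the following added example. It is not Cilium's or Hubble's code and the type and option names (`RedactOptions`, `accessLogEntry`, `redactURL`) are this example's own assumptions; the point it demonstrates is that redaction must produce a new string from a copy of the parsed URL rather than rewriting the `*url.URL` the log record still points to.

```go
package main

import (
	"fmt"
	"net/url"
)

// RedactOptions is this example's stand-in for per-field redaction switches.
// The field names are assumptions, not Hubble's flag or config names.
type RedactOptions struct {
	Password bool // replace the password in user:pass@host with a placeholder
	Query    bool // drop the query string entirely
}

const redactedPassword = "xxxxx"

// accessLogEntry is a constructed stand-in for a record that keeps a pointer to
// the parsed URL. Redaction must not reach through that pointer and rewrite the
// stored request, otherwise every later consumer sees the redacted value too.
type accessLogEntry struct {
	Method string
	URL    *url.URL
}

// redactURL returns the redacted form of u as a string and leaves u untouched:
// it works on a value copy and replaces the *url.Userinfo pointer in the copy
// instead of editing the original Userinfo in place.
func redactURL(u *url.URL, opts RedactOptions) string {
	cp := *u
	if opts.Password && cp.User != nil {
		if _, hasPassword := cp.User.Password(); hasPassword {
			cp.User = url.UserPassword(cp.User.Username(), redactedPassword)
		}
	}
	if opts.Query {
		cp.RawQuery = ""
		cp.ForceQuery = false // also drop a bare trailing "?"
	}
	return cp.String()
}

// formatForExport renders the entry for an external consumer with redaction
// applied, while the entry itself keeps the unredacted URL.
func formatForExport(e *accessLogEntry, opts RedactOptions) string {
	return e.Method + " " + redactURL(e.URL, opts)
}

func main() {
	// Constructed sample request; the credentials and token are made up.
	u, err := url.Parse("https://alice:s3cret@example.com/api/v1?token=abc&page=2")
	if err != nil {
		panic(err)
	}
	e := &accessLogEntry{Method: "GET", URL: u}
	fmt.Println(formatForExport(e, RedactOptions{Password: true}))
	fmt.Println(formatForExport(e, RedactOptions{Password: true, Query: true}))
	fmt.Println("stored entry still:", e.URL.String())
}
```

The copy `cp := *u` is shallow, which is enough here: the only pointer field that gets touched is `User`, and it is replaced rather than modified, so the original entry is never mutated no matter how many times it is exported with different options.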
766e62b clustermesh: Introduce ClusterID reservation mechanism Currently, the ClusterIDs for each remoteCluster are managed by each remote cluster controller with rc.config. This makes it very hard to control the access to the ClusterIDs. For example, when we have a new remote cluster connection and receive a new cluster config, we need to ensure the new ClusterID is not used by another remote cluster controller. To ensure that, we need to iterate over all remoteCluster objects and also access rc.config, which may change over time depending on each remote cluster's connection state. Every time the remoteCluster controller starts to use a new ClusterID, it "reserves" the ClusterID from a central registry. By correctly protecting this reservation with a mutex, we can guarantee that no one else uses the reserved ClusterID, so that after the reservation, each remoteCluster controller can exclusively access the corresponding CT/SNAT per-cluster map slots. This can also replace the complicated canConnect() validation with ClusterID reservation. Instead of iterating over all clusters and checking ClusterID uniqueness, we can simply try to reserve the ID and, if it fails, reject the new connection. Once the remote cluster controller finishes using the ClusterID, it cleans up any resources bound to the ClusterID (e.g. per-cluster maps) and "releases" the ClusterID. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 16 June 2023, 16:12:00 UTC
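The reserve/release scheme described in the commit message above, as an added example that is not Cilium's own code: a mutex-guarded registry hands out ClusterIDs exclusively, a connection whose ID cannot be reserved is rejected instead of being checked against every other remote cluster, and an ID is only released after the resources bound to it have been cleaned up. The ID bounds, the `IDRegistry` and `remoteCluster` names and the `cleanup` callback are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Assumed bounds for this example, not Cilium's own constants; 0 means "no ID assigned".
const (
	minClusterID uint32 = 1
	maxClusterID uint32 = 255
)

var (
	ErrInvalidClusterID = errors.New("cluster id out of range")
	ErrClusterIDInUse   = errors.New("cluster id already reserved")
)

// IDRegistry is the central reservation table. One mutex guards the whole map,
// so a reservation either succeeds exclusively or fails; no caller ever has to
// iterate over the other remote clusters to prove uniqueness.
type IDRegistry struct {
	mu     sync.Mutex
	holder map[uint32]string // ClusterID -> name of the remote cluster holding it
}

func NewIDRegistry() *IDRegistry {
	return &IDRegistry{holder: make(map[uint32]string)}
}

// Reserve claims id for the remote cluster named owner. Re-reserving an id the
// same owner already holds is allowed (a reconnect with unchanged config);
// any other holder makes the call fail.
func (r *IDRegistry) Reserve(id uint32, owner string) error {
	if id < minClusterID || id > maxClusterID {
		return fmt.Errorf("%w: %d", ErrInvalidClusterID, id)
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	if cur, ok := r.holder[id]; ok && cur != owner {
		return fmt.Errorf("%w: %d is held by %q", ErrClusterIDInUse, id, cur)
	}
	r.holder[id] = owner
	return nil
}

// Release frees id only if owner actually holds it, so a stale controller
// cannot release an id that has since been handed to someone else.
func (r *IDRegistry) Release(id uint32, owner string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	if cur, ok := r.holder[id]; !ok || cur != owner {
		return false
	}
	delete(r.holder, id)
	return true
}

// remoteCluster models one remote cluster controller. cleanup stands in for
// wiping the per-cluster CT/SNAT map slots bound to an id before it is released.
type remoteCluster struct {
	name    string
	id      uint32 // 0 until a config has been accepted
	reg     *IDRegistry
	cleanup func(id uint32)
}

// onClusterConfig replaces a canConnect-style uniqueness scan with a single
// reservation attempt: if the new id cannot be reserved, the connection is
// rejected and the controller keeps whatever id it already held.
func (rc *remoteCluster) onClusterConfig(newID uint32) error {
	if err := rc.reg.Reserve(newID, rc.name); err != nil {
		return fmt.Errorf("rejecting config from %s: %w", rc.name, err)
	}
	if newID == rc.id {
		return nil // unchanged config, nothing to migrate
	}
	if rc.id != 0 {
		rc.cleanup(rc.id) // wipe per-cluster state before the old id can be reused
		rc.reg.Release(rc.id, rc.name)
	}
	rc.id = newID
	return nil
}

// disconnect tears down everything bound to the id and then gives it back.
func (rc *remoteCluster) disconnect() {
	if rc.id == 0 {
		return
	}
	rc.cleanup(rc.id)
	rc.reg.Release(rc.id, rc.name)
	rc.id = 0
}

func main() {
	reg := NewIDRegistry()
	cleanup := func(id uint32) { fmt.Printf("wiping per-cluster maps for id %d\n", id) }
	a := &remoteCluster{name: "cluster-a", reg: reg, cleanup: cleanup}
	b := &remoteCluster{name: "cluster-b", reg: reg, cleanup: cleanup}
	fmt.Println(a.onClusterConfig(7)) // <nil>
	fmt.Println(b.onClusterConfig(7)) // rejected: 7 is held by "cluster-a"
	a.disconnect()
	fmt.Println(b.onClusterConfig(7)) // <nil>, the id is free again
}
```

Ordering matters in `onClusterConfig` and `disconnect`: the per-cluster maps are cleaned up while the controller still holds the reservation, so no other controller can be handed the same slots before they are empty.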
627f518 Documentation: include bgp cli commands in bgp-cp documentation Added CLI section in bgp control plane document. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 16 June 2023, 15:41:43 UTC
bc8f580 l2announcer: Fix panic when service labels are nil There are scenarios in which the labels field of a service object returns `nil` instead of an empty map. When this happens a panic is triggered, so we have to check for that and init the map if it is `nil`. Fixes: #26163 Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 16 June 2023, 15:32:26 UTC
d1b6815 fix(deps): update module github.com/docker/docker to v24 Signed-off-by: renovate[bot] <bot@renovateapp.com> 16 June 2023, 15:12:59 UTC
d6fe7de renovate: exclude github.com/{cilium,vishvananda}/netlink The netlink library was switched to a custom fork in commit 142c7c817baa ("vendor: Update vishvananda/netlink/") and updated in commit eb6bf8671f98 ("vendor: Update vishvananda/netlink/"). To avoid accidentally updating this dependency, exclude the module from being updated until we switch back to the upstream version. Signed-off-by: Tobias Klauser <tobias@cilium.io> 16 June 2023, 15:10:54 UTC
f2e0274 Docs: Update BGP docs to reflect CRD consolidation Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 16 June 2023, 14:25:05 UTC
d722d51 .github/workflows: let renovate update kind Add required renovate annotations such that kind_version will be updated automatically in GH action workflows. Signed-off-by: Tobias Klauser <tobias@cilium.io> 16 June 2023, 14:18:09 UTC
dd06feb resources,metrics: Add metrics to resources This commit makes the pkg/k8s/resources emit the same metrics as their k8s watcher counterparts. The only difference is that due to the asynchronous nature of resource consumers, we are not able to track when all consumers have processed the same event, thus we increment the processed event metric for every consumer. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 16 June 2023, 14:01:03 UTC
b76bcd8 docs: remove clustermesh-apiserver gops port from system requirements clustermesh-apiserver runs in pod network, hence there is no risk of port conflicts with services running on the underlying nodes. Hence, let's remove its gops port from the system requirements table. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 June 2023, 13:44:33 UTC
277ba6f images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 16 June 2023, 13:43:25 UTC
a21eaf4 Documentation: remove references to cilium-iproute2 See previous commit, a custom version of iproute2 is no longer required to run Cilium, and we no longer ship it in the official container images. Signed-off-by: Timo Beckers <timo@isovalent.com> 16 June 2023, 13:43:25 UTC
57274b6 images: remove dependency on cilium/iproute2 fork As of Cilium 1.14, it no longer uses the ip command to load BPF programs into the kernel. This means we no longer need to maintain our patches on top of iproute2 and we no longer depend on a custom build in order for Cilium to run. Signed-off-by: Timo Beckers <timo@isovalent.com> 16 June 2023, 13:43:25 UTC
550c8fc images: point to dev documentation when runtime/builder images outdated Also fix a typo in runtime/builder image anchor. Signed-off-by: Timo Beckers <timo@isovalent.com> 16 June 2023, 13:43:25 UTC