Revision Author Date Message Commit Date
00b7717 proxy: Clear the proxy port on failure Clear proxy port on failure so that we'll try another random port next time. We have two failure cases for creating new redirects: - synchronous, for DNS proxy. Simply zero the proxy port in the retry loop. - asynchronous, for Envoy proxy. Clear proxy port state on revert callback. Noticed the need for this change when accidentally trying to use port 1 for Envoy when developing another feature. In this case Envoy can't bind the port, and all further tries were also trying the same port, as the proxy port was not cleared on revert. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 14 June 2024, 10:12:59 UTC
b30a3a9 ipcache: Fix orphaned ipcache entries when mixing Upsert and Inject When a prefix is initially created by the synchronous Upsert() API, it is flagged as such so that InjectLabels() knows it is shared. However, this flag is not removed if the legacy caller releases all references to this prefix. Thus, the timeline 1. AllocateCIDRs("1.1.1.1/32") 2. UpsertPrefixes("1.1.1.1/32") 3. ReleaseCIDRIdentities("1.1.1.1/32") 4. RemovePrefixes("1.1.1.1/32") leaves us with the prefix still in the ipcache, but the identity fully released. This leads to traffic drops, as the identity is unknown to the policy system and thus not present in the BPF policymaps. The fix is to forcibly remove the prefix if the identity reference reaches zero and the prefix is not in the metadata layer. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 14 June 2024, 09:55:50 UTC
e879425 ctmap: dump CT entry's BackendID Service connections store their selected backend ID in the SVC-type CT entry. Dump this field on `cilium-dbg bpf ct list global`. This then looks like: TCP SVC 10.244.0.62:55394 -> 10.96.0.1:443 expires=158116 ... BackendID=1 Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 14 June 2024, 07:25:53 UTC
fd29852 fqdn: Exit go routines early if datapath update times out This commit changes the `UpdateGenerateDNS` function to return a errgroup instead of a waitgroup. This allows the caller to determine after `Wait` if the datapath update timed out or not. This then allows `UpdateGenerateDNS` to stop the errgroup, allowing the go routine spawned in `notifyOnDNSMsg` to exit early as well upon cancellation. This way, the go routine in `notifyOnDNSMsg` does not need to linger until the datapath update has finished. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 June 2024, 07:16:43 UTC
b9152ae ipcache: Allow WaitForRevision to be cancelled This adds a context argument to WaitForRevision, allowing callers to abort the call. For logic for the cancellation of the `Cond` var using `context.AfterFunc` was taken from the Go docs: https://pkg.go.dev/context#AfterFunc The commit also fixes an issue with the existing unit test where it waited for revision 0 instead of revision 1. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 June 2024, 07:16:43 UTC
8868b39 renovate: Add the configuration for spire images Signed-off-by: Tam Mach <tam.mach@cilium.io> 14 June 2024, 07:03:14 UTC
8482b03 docs: egressgw: remove stale enable-l7-proxy option This option was suggested to deal with an incompatibility between EGW and L7 policies. The incompatibility has been addressed by https://github.com/cilium/cilium/pull/32828. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 14 June 2024, 06:50:40 UTC
b6f6867 daemon: remove unnecessary method DebugEnabled The method `Daemon.DebugEnabled` is used in two cases. 1. In an optionChanged callback that can directly access the config property 2. As hubble observer option that is actually no longer used Therefore, this commit removes the unnecessary method from the daemon. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 14 June 2024, 06:11:51 UTC
5e27f67 bgpv2: pass types.Router in path and policy reconcilers This change passes only required field to Policy and Path reconcilers. Instead of passing BGPInstance, we pass only the Router interface which is required by underlying implementation. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 14 June 2024, 05:33:40 UTC
3e30619 bpf: move tunnel map to encap.h Declutter the maps.h header, and reduce the usage of HAVE_ENCAP. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 14 June 2024, 04:25:14 UTC
dfb6b94 bpf: move throttle map to edt.h Declutter the maps.h header, and reduce the usage of ENABLE_BANDWIDTH_MANAGER Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 14 June 2024, 04:25:14 UTC
50c38aa bpf: move egressgw map to egress_gateway.h Declutter the maps.h header, and reduce the usage of ENABLE_EGRESS_GATEWAY. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 14 June 2024, 04:25:14 UTC
2a0bc76 bpf: encap: fix ifindex in TO_OVERLAY trace notification The encap helpers were meant to abstract from differences between TC and XDP. Therefore ctx_set_encap_info() provides the ifindex for TC, and setting the ifindex also indicates that a redirect to encap interface is possible (rather than manually adding the overlay headers + FIB lookup). The downside is that __encap_with_nodeid() for TC currently emits a trace notification without the ifindex set to ENCAP_IFINDEX. Fix this up manually by moving the `ifindex` initialization up. Reported-by: Tomasz Tarczyński <tomasz.tarczynski@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 14 June 2024, 04:22:26 UTC
d107719 gateway-api: Check for matching controller name Basically, we should do nothing for a given Gateway resource, till it's confirmed that its GatewayClass is managed by Cilium. Just a note that other watched and owned resources can by-pass the predicate function NewPredicateFuncs(hasMatchingControllerFn), the explicit check in reconcile method is required. This commit is to perform the controller name check for Gateway resource to avoid unnecessary and wrong reconciliation. Fixes: #31978 Signed-off-by: Tam Mach <tam.mach@cilium.io> 14 June 2024, 03:44:56 UTC
81adc5c remove tracking of backports with MLH With the sunset of GH projects by GH [1], we will now create organization-projects to track which PR is available on which release after a CHANGELOG of a release is performed. Thus, we can also sunset this feature from MLH. [1] https://github.blog/changelog/2024-05-23-sunset-notice-projects-classic/ Signed-off-by: André Martins <andre@cilium.io> 13 June 2024, 20:03:54 UTC
4b00124 fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.164.0 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 13 June 2024, 20:03:13 UTC
ef50a9a chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 13 June 2024, 17:25:01 UTC
bb0c48a daemon: remove unused method GetOptions This commit removes the unused method `GetOptions() *option.IntOptions` from the daemon. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 13 June 2024, 15:57:10 UTC
183f0fa iptables: Run an initial full reconciliation Run an initial full reconciliation before listening on partial reconciliation request channels like the ones related to proxy rules and no track pod rules. This avoids spurious errors at startup when a partial reconciliation request was seen by the reconciler before the 200 ms interval needed for the first full reconciliation. In that case, the partial reconciliation failed due to missing chains installed by the first full reconciliation. Reported-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Suggested-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 13 June 2024, 15:11:45 UTC
0b8f9e3 iptables: Fix usage of firstInit flag The firstInit flag is meant to avoid partial reconciliations (like the ones for proxy rules and no track pod rules) until the first full reconciliation is successfully completed. This is done to avoid trying a partial reconciliation when all the required chains have been created. The commit fixes the if conditions checking the flag that turned out to be inverted. Though the reconciler was already able to recover with the next full reconciliation, this led to spurious errors during Cilium startup where partial reconciliations were attempted too soon. Reported-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 13 June 2024, 15:11:45 UTC
38278b5 chore(deps): update dependency grpc-ecosystem/grpc-health-probe to v0.4.27 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 13 June 2024, 14:59:54 UTC
4358595 fix(deps): update all go dependencies main Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 13 June 2024, 14:55:36 UTC
f88fade chore(deps): update cilium/cilium-cli action to v0.16.10 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 13 June 2024, 14:35:04 UTC
2fd9150 bpf: introduce CILIUM_PIN_REPLACE map pinning flag This commit adds support for the custom CILIUM_PIN_REPLACE pinning flag. It signals to the loader that a map should be pinned without being reused in subsequent ELF loads. This replaces bespoke cilium_calls_-specific logic in the loader with a generic map flag, opening it up for other use cases as well. The reasons for this behaviour are widely documented and present in the code for posterity. Also, give each netdev its own instance of cilium_calls. Sharing a tail call map across all XDP entry points causes multiple netdevs' programs to clobber the shared cilium_calls_xdp bpffs pin. Signed-off-by: Timo Beckers <timo@isovalent.com> 13 June 2024, 13:51:55 UTC
8f5e88f bpf: replace bpf map migration with commit mechanism At its inception, Cilium had an external ebpf loader (iproute2) that didn't deal with changes to map properties (type/k/v/maxentries/flags). To allow the agent to upgrade/downgrade maps, a 'map migration' system was introduced that would take the new ELF and compare its maps against their pinned counterparts on the system's bpffs. Incompatible maps were renamed using a ':pending' suffix to allow the loader to create and pin a new instance of the map at its old path. If all went well, the :pending map was removed. Even though it served us for many years, this system wasn't without its drawbacks, primarily the many moving parts (files) to manage on bpffs, as well as its obscuring of subtle bugs in managing tail call map lifecycle. This commit replaces the map migration system with a commit-based system that doesn't modify any bpffs-related resources until all of an ELF's entrypoints are attached and all cross-ELF tail calls (policy progs) have been inserted. After commit() has run for a Collection, only one copy of each map pin will be present on bpffs. This removes all possibility of previous ELF generations being partially attached somewhere, still handling traffic using an old tail call map. Such cases will now fail loudly with the 'missed tail call' metric increasing due to the old tail call map pins being removed. Signed-off-by: Timo Beckers <timo@isovalent.com> 13 June 2024, 13:51:55 UTC
8fae0eb bpf: deprecate legacy PIN_* constants for map definitions Treat the bpf_elf_map.pinning field just like BTF map definitions do, and replace PIN_GLOBAL_NS with LIBBPF_PIN_BY_NAME. Pass the values through directly when parsing MapSpec.Extra on the Go side. A future commit will assign meaning to a value higher than LIBBPF_PIN_BY_NAME. Signed-off-by: Timo Beckers <timo@isovalent.com> 13 June 2024, 13:51:55 UTC
0c0800c ci: make runtime privileged tests not run in parallel There was a significant flakiness of IPSec-related privileged tests due to the fact that tests in different packages were modifying xfrm states/policies concurrently. While increasing timeout for test and making it last longer is non-ideal, less flaky tests outweigh it. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 13 June 2024, 13:35:20 UTC
c464e66 helm: mount kvstoremesh-specific certificate into cilium agents Let's additionally mount the kvstoremesh-specific certificate into cilium agents, so that it can be used to authenticate against the local etcd instance storing the cached data. The secret entry is always configured (although marked as optional), regardless of whether KVStoreMesh is actually enabled or not, so that it can be automatically mounted in case it gets subsequently enabled, without requiring a restart of the agents. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 June 2024, 13:01:41 UTC
9ffeba1 helm: generate dedicated certificate for kvstoremesh access Extend the helm chart to additionally generate the "local" certificate with the common name matching the newly introduced "local" etcd user, when kvstoremesh is enabled. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 June 2024, 13:01:41 UTC
cb6a58b clustermesh: granular etcd permissions for kvstoremesh cached data Currently, the same etcd user (i.e., remote) is granted permissions to read the whole content of the clustermesh-apiserver's sidecar etcd instance, including also the data cached by kvstoremesh, when enabled. In an effort to harden the overall clustermesh posture, let's introduce a separate and dedicated user for local access, to ensure that remote clusters cannot access cached data, as it may include information that they would not normally have access to. Specifically, the remote user is intended to have access only to the information regarding the local cluster, while the local user can access cached data about remote clusters only. Still, for backward compatibility purposes, the remote user still retains access to cached data as well in this release. The reason being that there would otherwise be a time window upon upgrade in which Cilium Agents would lose access to the kvstoremesh data (especially in large clusters). Indeed, the new certificate would be mounted by the agents only upon rollout, but the configuration would be immediately reloaded (thus targeting the new, not yet mounted, certificate), hence breaking the access to the information cached by kvstoremesh. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 June 2024, 13:01:41 UTC
22bab80 Fix release build SBOM generation - Use the correct image to generate SBOMs - Stop release asset uploads, which can require extra permissions (that this workflow doesn't have) and that we don't need. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> 13 June 2024, 12:08:45 UTC
70db218 endpoint: remove unused parameter from Add/NewEndpoint functions This commit removes unused parameters from the functions `Add*Endpoint` and `New*Endpoint` from the EndpointManager. - `reason` - `nodeName` Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 13 June 2024, 12:07:31 UTC
9f6d52e bpf: avoid race when selecting the RevSNAT port The logic to allocate SNAT mapping contains a race condition. At a high level it does the following: if (!revsnat_exists(port)) { if (!create_revsnat(port)) return error; ... } Two concurrent executions of the datapath may succeed the revsnat_exists check, which then leads to one of them bailing out since create_revsnat fails. Instead simply try to create the RevSNAT entry. If that fails we retry with another port. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 13 June 2024, 12:03:41 UTC
dc52072 clustermesh: switch to surge upgrade strategy. With introduction of Clustermesh support for HA deployment in #31677 let's change upgrade strategy to make sure that Clustermesh control plane is always available. This is also configuration that we test against in CI tests - maxSurge=1 and maxUnavailable=0. On top of that change required to preferred antiAffinity to cover case with a single node cluster. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 13 June 2024, 12:01:54 UTC
55a9d2e loader: cache parsed CollectionSpec The object cache parses an ELF from disk any time it is asked for a template. This is wasteful since parsing the ELF is quite resource intensive. Cache the parsed CollectionSpec instead. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 13 June 2024, 11:55:56 UTC
70f6608 loader: evict object cache when datapath config changes The object cache currently does no invalidation, which means that we accumulate cachedObject in memory and template ELF on disk. Use update of the base datapath hash as an opportunity to evict some of that cache. In practice this is probably not a big issue: datapath config changes rarely if ever, and we only have templates for endpoints and host endpoint. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 13 June 2024, 11:55:56 UTC
ec651ea service: remove monitoragent nil-check Currently, accessing the monitoragent from the service manager is guarded with nil-checks as unit-tests don't provide a monitoragent. This commit removes the check in favor of a fake implementation that is used and passed in the tests. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 13 June 2024, 11:54:09 UTC
2e308f9 service: unexport NewService NewService is no longer used as the service manager is provided via Hive Cell. Therefore, this commit un-exports the function `NewService`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 13 June 2024, 11:54:09 UTC
0078c6a logging: Pass debug to slog as well Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 13 June 2024, 12:00:36 UTC
de97dd8 chore(deps): update all lvh-images main Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 13 June 2024, 11:06:19 UTC
74039b5 k8s: remove unused method NewStandaloneClientset This commit removes the deprecated and now unused method `NewStandaloneClientset`. In the meantime, all usages have been moved to use the Hive Cell dependency directly. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 13 June 2024, 10:41:35 UTC
511f077 clustermesh: enable kvstoremesh by default KVStoreMesh has been introduced in v1.14. We have been running KVStoreMesh tests since then, while also testing upgrade path from "vanilla" Clustermesh to KVStoreMesh and back since then. There has been also a visible adaptation by users in community. Let's mark KVStoreMesh as stable and enable it by default. Note: Once 1.16 is out, we will need to update CI test Cilium Cluster Mesh upgrade (ci-clustermesh) Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 13 June 2024, 10:14:43 UTC
fd0b235 bpf: overlay: remove wireguard.h include This probably is no longer needed since 81c45d2280d7 ("bpf: Remove strict encrypt check from bpf_overlay"). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 13 June 2024, 07:14:02 UTC
28f7863 bpf: encap: clean up some unneeded includes The include for l3.h is no longer needed since 3aa51eb3052d ("bpf: ipsec: move get_min_encrypt_key() to encrypt.h"), and the last wireguard usage went away with b67291f03926 ("bpf: Encap with cilium_{vxlan,geneve} before passing to WG"). This uncovered some implicit includes for hs-ipcache, fix them up. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 13 June 2024, 07:14:02 UTC
dbd33db helm/certgen: add generation of hubble-ui-client-certs certificate This certificate appeared not to be generated by certgen, hence leading to an inconsistency with respect to the other certificate generation modes. Let's fix this divergence to ensure that they are all equivalent. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 June 2024, 06:58:19 UTC
b7ac7c3 helm/certgen: bump certgen to v0.2.0 and adapt configuration Bump certgen to v0.2.0, which enables the definition of the certificates to be generated via a generic configuration, agnostic of the Cilium specific details. Hence, let's refactor the certgen configuration and explicitly define the characteristics of the certificates to be generated. While being there, let's also correctly propagate the extra DNS names and IP addresses, that were previously ignored if certgen was used. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 June 2024, 06:58:19 UTC
8910af5 helm/certgen: explicitly specify CA secret namespace and CN In preparation for bumping the certgen version, which changes the default values to be independent of Cilium, let's explicitly specify the namespace containing the CA secret and its common name. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 June 2024, 06:58:19 UTC
dd97ac3 helm/certgen: always specify --ca-secret-name Currently, we specify the --ca-secret-name certgen parameter only if both tls.ca.cert and tls.ca.key are specified. However, the secret name is always relevant, regardless of whether the CA is explicitly specified, and the default value historically matched the specified one. As a preparation for bumping the certgen version, which changes the default secret name to be independent of Cilium, let's always specify the corresponding parameter. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 June 2024, 06:58:19 UTC
b429b08 bpf: transport source identity in MARK_MAGIC_OVERLAY Provide easy access to the security identity which is embedded into Cilium's overlay traffic. And start making use of it in the encrypted-overlay path, to avoid some manual packet parsing. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 13 June 2024, 06:34:52 UTC
b0e0b0c bpf: propagate src sec id from ingress bpf_overlay to egress bpf_host as in a subsequent change bpf_host will need to access the source identity that was carried over the tunnel Signed-off-by: Gilberto Bertin <jibi@cilium.io> 13 June 2024, 06:08:14 UTC
c3fcea2 gateway-api: Add periodic headless service sync This is to handle the case of late arrival or late creation of Endpoint or EndpointSlice associated to headless service. Fixes: cce40804c3ac9f564859d788faef981a697de7ac Signed-off-by: Tam Mach <tam.mach@cilium.io> 13 June 2024, 04:03:39 UTC
7ab2a58 gateway-api: Add support for listener isolation This commit is to support Listener Isolation concept from the upstream, which allows at most one Listener matches a request, and only Routes attached to that Listener are used for routing. Relates: https://github.com/kubernetes-sigs/gateway-api/pull/2465 Relates: https://github.com/kubernetes-sigs/gateway-api/pull/3047 Signed-off-by: Tam Mach <tam.mach@cilium.io> 13 June 2024, 04:03:39 UTC
4f92330 gateway-api: Shorten the service name in CEC We already perform the shortening in the below commit, this is to make sure that the same service is used. Relates: d6fbccf96cdc0a5f3bdf7aa7ac6006a100a09ba9 Signed-off-by: Tam Mach <tam.mach@cilium.io> 13 June 2024, 04:03:39 UTC
8efbb71 gateway-api: Avoid unnecessary reconciliation in GAMMA This is to avoid any unnecessary reconciliation for non-GAMMA HTTPRoute: - Explicitly check if Kind and Group are not nil, as per the Gateway API spec, the nil value is meant for Gateway. - Add GAMMA check for backend services and listening service. Additionally, one small correction on Reason status is added to make sure that the space character is not used. ``` 2024-06-06T05:34:31.583996151Z time="2024-06-06T05:34:31Z" level=error msg="Reconciler error" HTTPRoute="{attaches-to-wildcard-example-com-with-hostname-intersection gateway-conformance-infra}" controller=httproute controllerGroup=gateway.networking.k8s.io controllerKind=HTTPRoute error="failed to update HTTPRoute status: HTTPRoute.gateway.networking.k8s.io \"attaches-to-wildcard-example-com-with-hostname-intersection\" is invalid: parents[0].conditions[0].reason: Invalid value: \"Invalid HTTPRoute\": parents[0].conditions[0].reason in body should match '^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$'" name=attaches-to-wildcard-example-com-with-hostname-intersection namespace=gateway-conformance-infra reconcileID="\"2c43d9eb-52ad-4344-b0ff-e58c227221fb\"" subsys=controller-runtime ``` Relates: 363fdd4ff951e02ebf666b1dccf17d0dfb5a0f47 Signed-off-by: Tam Mach <tam.mach@cilium.io> 13 June 2024, 04:03:39 UTC
4d6bee1 gateway-api: Avoid partial wildcards in server names This is to make sure that we don't have any "*" in server name slice, and avoid the below NACK issue in Envoy. ``` 2024-06-06T05:15:22.640515083Z time="2024-06-06T05:15:22Z" level=warning msg="NACK received for versions after 233 and up to 234; waiting for a version update before sending again" subsys=xds xdsAckedVersion=233 xdsClientNode="host~127.0.0.1~no-id~localdomain" xdsDetail="Error adding/updating listener(s) gateway-conformance-infra/cilium-gateway-same-namespace-with-https-listener/listener: error adding listener '127.0.0.1:14239': partial wildcards are not supported in \"server_names\"\n" xdsNonce=234 xdsStreamID=6 xdsTypeURL=type.googleapis.com/envoy.config.listener.v3.Listener ``` Signed-off-by: Tam Mach <tam.mach@cilium.io> 13 June 2024, 04:03:39 UTC
5b9364a gha: Update conformance profiles for Gateway API As part of v1.1.0, there is a new list of valid conformance profile values (e.g. GATEWAY-HTTP,GATEWAY-TLS,GATEWAY-GRPC,MESH-HTTP,MESH-GRPC). Signed-off-by: Tam Mach <tam.mach@cilium.io> 13 June 2024, 04:03:39 UTC
f03eca9 gha: Swap feature flag name for MeshConsumerRoute As mentioned in 8de7a903400aa237600c1f49d0d4ef16503c2ee3, we can use the feature flag MeshConsumerRoute in v1.1.0 instead. Relates: 8de7a903400aa237600c1f49d0d4ef16503c2ee3 Signed-off-by: Tam Mach <tam.mach@cilium.io> 13 June 2024, 04:03:39 UTC
f29c6c4 gateway-api: Bump to version v1.1.0 While GRPCRoute is still available in beta/alpha version, some of the related attribute structs are only available in v1, hence it's better to bump GRPCRoute to v1 as well. Another goal is to pick up the new conformance tests as well as bug fixes from the upstream. Signed-off-by: Tam Mach <tam.mach@cilium.io> 13 June 2024, 04:03:39 UTC
3f8585a gh: e2e-upgrade: disable config 7 The config is reliably failing [0]. Stabilize the workflow so that we can make it required. [0] https://github.com/cilium/cilium/issues/32689 Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 13 June 2024, 00:49:27 UTC
b49f912 gha: Only retrieve IPv4 CIDR from docker network It seems like github runner is enabled with docker dual stack, so the current docker network inspect command might return IPv6 instead of IPv4 CIDR, which breaks LB IPPool configuration. Sample output of `docker network inspect kind` command can be found as per below. This commit is to make sure that we only retrieve IPv4 CIDR in docker network inspect command. Additionally, some echo/cat statements are added to make similar issues more visible in the future. ``` [ { "Name": "kind", "Id": "43e3b3267092150f5f2e6f2053157d912ad6b5a4ce20f700e1e9be547a437f75", "Created": "2024-06-12T14:18:17.733107881Z", "Scope": "local", "Driver": "bridge", "EnableIPv6": true, "IPAM": { "Driver": "default", "Options": {}, "Config": [ { "Subnet": "fc00:f853:ccd:e793::/64" }, { "Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "748d7161857ca5e610f196299828eacafcbdb069d38c00e4e6c14cdeefada9c5": { "Name": "chart-testing-control-plane", "EndpointID": "0f1a5bbeb14929200ed13cb289afd6bf5f9f455d4ed75bb3a26e167e67bf7784", "MacAddress": "02:42:ac:12:00:02", "IPv4Address": "172.18.0.2/16", "IPv6Address": "fc00:f853:ccd:e793::2/64" }, "c2030425e24a11ea208b87c5d70e194b0f51eee133f09b67404fd2bf97410f13": { "Name": "chart-testing-worker", "EndpointID": "81489bd101e483be7270e2b5dd7e0bf3a0163b89650d7ef69cc4ce43454479e3", "MacAddress": "02:42:ac:12:00:03", "IPv4Address": "172.18.0.3/16", "IPv6Address": "fc00:f853:ccd:e793::3/64" } }, "Options": { "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ] ``` Signed-off-by: Tam Mach <tam.mach@cilium.io> 12 June 2024, 22:23:31 UTC
7af9a1e chore(deps): update golangci/golangci-lint docker tag to v1.59.1 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 12 June 2024, 20:57:25 UTC
6aa1bc8 Update CEPS watchdog Given the inherent reconciliation to check on ceps bpf programs, using logs with error severity could be confusing. Also we currently don't log out the cep name which will help for further investigation. * Change logger from error to warning * Add cep name to log message Signed-off-by: Fernand Galiana <fernand.galiana@isovalent.com> 12 June 2024, 20:54:31 UTC
2e2c6c5 policy: determine subject identities via SelectorCache In order to determine applicable identities to which a policy applies, we need to evaluate label selectors. Given that we already have an efficient mechanism for caching label selectors (the SelectorCache), we should use that for subject endpoints as well. This refactors the PolicyRepository to use the SelectorCache when determining subject identities. It removes yet another static cache of matched identities and a corresponding event bus. It also saves memory in the case of reused selectors, which is common. An important consideration is that any new identities must be in the selectorcache *before* that endpoint is regenerated, or else it will not get the correct set of policies. Indeed this is safe, because identity allocation updates the SelectorCache synchronously, and endpoints must have their security identity allocated before they can use it. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 12 June 2024, 18:32:24 UTC
437cc73 policy/selectorcache: correctly handle mutating IDs While computing the delta on an ID allocation, the SelectorCache incorrectly handled the case where a label change caused an identity to no longer be selected by a selector. The only identity that should have mutable labels is the local host, so this is not actually a visible bug. In preparation for using the SelectorCache to determine policy targets, however, it is now necessary. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 12 June 2024, 18:32:24 UTC
e20ed9c bpf: host: add host_egress_policy hook this commit adds a hooking point to cil_to_netdev in bpf_host.c that can be used by cilium plugins to extend the functionality of this function. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 12 June 2024, 14:53:20 UTC
9d4b3de removed deprecated calls and added nolint for strings.Title Signed-off-by: yogesh1801 <yogeshsingla481@gmail.com> 12 June 2024, 13:29:10 UTC
a1be027 docs: egressgw: remove kernel requirement We already require a 5.4 kernel (https://github.com/cilium/cilium/pull/30869). We also explicitly check for HAVE_LARGE_INSN_LIMIT (https://github.com/cilium/cilium/pull/30896), which afaik was the main reason for the 5.2 kernel requirement. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 12 June 2024, 12:54:26 UTC
b5ad1e4 daemon: remove unused policyupdater dependency from daemon/daemonparams With the removal of the k8swatcher initialization from the daemon bootstrap, the dependency to the policyUpdater can be removed from the daemon & daemonParams struct. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
5375256 nodediscovery: explicit dependency to k8sNodeWatcher Currently, the k8sWatcher is set as dependency on the nodeDiscovery during agent initialization by using the method `RegisterK8sSetters`. Trying to add an explicit dependency from the NodeDiscovery to the `K8sWatcher` results in a cyclic dependency via datapath. With the modularization of the k8sWatcher into smaller cells, it's possible to define the explicit dependency only to the `k8sCiliumNodeWatcher`, as this is the only part the NodeDiscovery is interested in. This way, there's no cyclic dependency. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
0f586d0 k8s: move init test to new watcher_test.go This commit extracts the k8sWatcher related unit test into its own file `watcher_test.go`. (Separate commit to keep the git history). Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
e44d411 k8s: rename watcher_test.go to service_test.go Currently, the file `watcher_test.go` mostly contains service related unit tests. Therefore, the file gets renamed to `service_test.go`. An upcoming commit will extract the only K8sWatcher related test into `watcher_test.go`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
4780989 k8s: remove k8sSvcCache from k8swatcher and use directly as daemon dep Currently, during daemon initialization, multiple components access the k8sSvcCache through the corresponding exported field in the k8sWatcher. This commit removes the field from the k8swatcher and forces the daemon to depend on the `k8sSvcCache` directly. In addition, some tests of the k8sWatcher would have been freed up from using the k8sWatcher at all, as they were only testing service logic. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
da23ff4 k8s: extract k8sCiliumEndpointsWatcher Currently, all the k8s watchers of the `k8sWatcher` are defined in the same struct, have access to all the same dependency fields and are provided as one Cell. This commit extracts the k8s CiliumEndpoints watcher into its own sub-cell that is provided privately. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
62e214b k8s: extract k8sCiliumLRPWatcher Currently, all the k8s watchers of the `k8sWatcher` are defined in the same struct, have access to all the same dependency fields and are provided as one Cell. This commit extracts the k8s CiliumLRP watcher into its own sub-cell that is provided privately. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
0c8ab4f k8s: extract k8sEndpointsManager Currently, all the k8s watchers of the `k8sWatcher` are defined in the same struct, have access to all the same dependency fields and are provided as one Cell. This commit extracts the k8s Endpoints watcher into its own sub-cell that is provided privately. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
5249766 k8s: extract k8sServiceManager Currently, all the k8s watchers of the `k8sWatcher` are defined in the same struct, have access to all the same dependency fields and are provided as one Cell. This commit extracts the k8s Service watcher into its own sub-cell that is provided privately. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
35bbd26 k8s: extract k8sNamespaceWatcher Currently, all the k8s watchers of the `k8sWatcher` are defined in the same struct, have access to all the same dependency fields and are provided as one Cell. This commit extracts the k8s Namespace watcher into its own sub-cell that is provided privately. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
7b44b07 k8s: extract k8sCiliumNodeWatcher Currently, all the k8s watchers of the `k8sWatcher` are defined in the same struct, have access to all the same dependency fields and are provided as one Cell. This commit extracts the k8s CiliumNode watcher into its own sub-cell that is provided privately. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
de58c84 k8s: extract k8sPodWatcher Currently, all the k8s watchers of the `k8sWatcher` are defined in the same struct, have access to all the same dependency fields and are provided as one Cell. This commit extracts the k8s Pod watcher into its own sub-cell that is provided privately. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
914063a k8s: extract k8sEventReporter Currently, k8s event reporting is part of the k8sWatcher. It's used by sub-watchers of the k8swatcher itself, but also by external watchers (e.g. IPAM watcher). As a first step to further modularize the k8swatcher into its smaller components, the k8s event reporting is extracted into its own cell and struct `k8sEventReporter`. This way, other components can depend on it. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
a7c3744 k8s: introduce k8s watcher cell Currently, the k8swatcher is initialized in the daemon bootstrap function `newDaemon`. With the modularization of all its dependencies into their own Hive Cell, it's about time to move the initialization of the k8sWatcher into its own Hive Cell too. In a first step, the cell only provides the pre-initialized struct, without moving any of the lifecycle aspects into the Cell. For the time being, these are being kept in the daemon initialization. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 12 June 2024, 11:47:59 UTC
973d540 envoy: Remove unnecessary warning log filtering Relates: https://github.com/cilium/cilium/pull/31108 Relates: https://github.com/envoyproxy/envoy/pull/30735 Signed-off-by: Tam Mach <tam.mach@cilium.io> 12 June 2024, 09:58:44 UTC
ca81c9c bpf: host: use security identities in to-netdev's trace notifications For some types of traffic, to-netdev derives precise security identities. Consistently use these values in the trace notifications. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 12 June 2024, 08:20:41 UTC
65e93a2 ci: add tests for migration to CiliumEndpointSlice This commit adds CI to test that the migration from CiliumEndpoint to CiliumEndpointSlice does not disturb long-lived connections. A Kind cluster is set up without CiliumEndpointSlice enabled. Long-lived connections are set up. Then, CES is enabled, the operator is restarted and then the agent, after the CES CRD is created. Then, the connectivity test is run to ensure long-lived connections were not broken. Signed-off-by: jshr-w <shjayaraman@microsoft.com> 12 June 2024, 08:17:42 UTC
811cb7f make: Add include to Makefile.override within binary-specific makefiles make: Add include to Makefile.override in binary Makefiles This commit adds an include statement for Makefile.override in Makefiles specific to building Cilium's go binaries. Makefile.override is included in the top-level Makefile as a method for optionally overriding variables, however it is not included in any of these binary-specific Makefiles. This means that the ability to override variables is only available for targets in the top-level Makefile, preventing use cases where overriding variables used in these binary-specific Makefiles can be useful. As an example, this commit would allow one to override the GO variable to specify a specific go binary to use in order to build a target. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> 12 June 2024, 08:17:30 UTC
9cfa1a2 make, docker: Add ADDITIONAL_MODIFIERS environment variable This commit adds a new environment variable to the docker-specific aspects of the Cilium Makefiles named `ADDITIONAL_MODIFIERS`. This environment variable can be used to modify the `MODIFIERS` docker build arg, adding in any extra values that haven't previously been specified via a preset, such as `RACE` or `NOSTRIP`. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> 12 June 2024, 08:17:30 UTC
c4aebae docker, ci: Create generalized MODIFIERS build arg This commit replaces the NOSTRIP, NOOPT, LOCKDEBUG, RACE, V and LIBNETWORK_PLUGIN docker build args with a single, generic build arg named "MODIFIERS". This allows for arbitrary flags to be passed to make when building a docker image as well as removes the need for modifications to dockerfiles when a new build-time modifier is added. One example use case is using `Makefile.overrides` to define a new flag that can be passed to make when building docker images. The new flag could enable appending values to the MODIFIERS build argument, which would allow the propagation of configuration variables down to make invocations used to build binaries within a Dockerfile. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> 12 June 2024, 08:17:30 UTC
9334d97 l2-discovery: fix health reporting for link updater As-is, when l2 neighbor discovery is enabled, the node-neighbor-link-updater controller fails with "invalid node spec found in queue". This is due to a bug in the controller's DoFunc, where an empty list is treated the same as an invalid queue entry. When this controller fails, `cilium status` reports errors for all nodes in the cluster similar to the following: ``` cilium cilium-mgstt controller node-neighbor-link-updater is failing since 21s (49x): invalid node spec found in queue: (*manager.nodeQueueEntry)(nil) ``` To differentiate between an empty queue and a nil item, the queue's `pop` method now also returns a bool to indicate whether an element was successfully retrieved from the queue. Fixes: #8d525fe Signed-off-by: Tim Horner <timothy.horner@isovalent.com> 12 June 2024, 08:17:06 UTC
22b3e82 bgpv2: Allow empty advertisement Remove unnecessary restriction. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 12 June 2024, 08:08:24 UTC
26325a8 docs: ipsec: mention dependency on transparent mode for DNS proxy For connections that are established by the DNS proxy, this is required to detect the original source IP and apply IPsec policy accordingly. The agent fatals if IPsec and L7 proxy are enabled, but the DNS proxy is not set to transparent mode. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 12 June 2024, 05:14:37 UTC
9c7bd8a gha: bump status wait timeouts in clustermesh upgrade/downgrade tests The blamed commit already increased the post-upgrade timeout. However, we have now started witnessing failures in the other wait operations as well, due to endpoint regeneration not completing on time. Hence, let's bump all timeouts to 10m. Related: 01c3b8376046 ("gha: bump post-upgrade timeout in clustermesh upgrade/downgrade tests") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 12 June 2024, 01:53:58 UTC
a57393f README: Update releases Signed-off-by: Quentin Monnet <qmo@qmon.net> 11 June 2024, 20:45:44 UTC
a1d0307 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 11 June 2024, 20:08:20 UTC
8afe844 images: Fix copy mistake in error message This error message was copied from the equivalent runtime script. Fix it. Signed-off-by: Joe Stringer <joe@cilium.io> 11 June 2024, 20:08:20 UTC
f639135 .github: Regenerate api/v1 when updating builder The builder image contains the 'protoc' binary which can generate different API files when it's updated, notably because protoc decides to encode its own version into the files it outputs. Add a step in the builder image update workflow to update the api/v1 files. Signed-off-by: Joe Stringer <joe@cilium.io> 11 June 2024, 20:08:20 UTC
a37eaad ci: Enable LRP connectivity tests Signed-off-by: Aditi Ghag <aditi@cilium.io> 11 June 2024, 16:34:05 UTC
478e637 bpf: Disable conflicting per packet LB Per-packet LB is disabled in certain cases like when socket-LB is enabled, and load-balancing is handled in bpf_sock. However, there are other features (e.g., L7 LB) that require per-packet LB. This can conflict with processing local-redirect services in some cases. Based on user configured local redirect policies, load-balancing can be skipped for certain local-redirect services. More specifically, LB is skipped in some cases when users deploy LRPs with skipRedirectFromBackend flag. Per packet LB should not override LB decisions made for local-redirect services in bpf_sock. Signed-off-by: Aditi Ghag <aditi@cilium.io> 11 June 2024, 16:34:05 UTC
961820e docs: Promote local redirect policy feature to stable Signed-off-by: Aditi Ghag <aditi@cilium.io> 11 June 2024, 15:05:14 UTC
4a3b6c8 bgpv2: Remove node selector check from v2 PodCIDRReconciler Remove unnecessary CiliumNode label selector check for PodCIDR advertisements. This was reflected from the BGPv1 code, but for BGPv2 we would like to avoid it, as this behavior is inconsistent with other advertisement types (other advertisement types advertise the paths for selected resources, but PodCIDR only applies to the local node). Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 11 June 2024, 13:44:33 UTC
085343b docs: add upgrade note about the slightly different dialer behavior The port specified as part of the kvstore address is now respected also when the address matches a Kubernetes service, to prevent inconsistencies if the service includes multiple ports. Additionally, mention that the etcd.operator option is no longer required, and has been removed. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 11 June 2024, 13:43:14 UTC