| 6c69033 | Jarno Rajahalme | 24 February 2018, 00:25:08 UTC | envoy: Fix access log path config. Access log path and listener ID were swapped between the callers and the constructor. Fix by swapping them in the constructor. Backports: 12a05ed465ccfdca510bf70c40949871094ed7a7 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 24 February 2018, 02:42:37 UTC |
| 583d87a | Thomas Graf | 23 February 2018, 16:18:06 UTC | cilium: Add identity and lifetime to cilium bpf proxy list Signed-off-by: Thomas Graf <thomas@cilium.io> | 23 February 2018, 17:46:14 UTC |
| e7f4f57 | Thomas Graf | 23 February 2018, 16:18:06 UTC | bpf: Always update the lifetime of proxymap entries The proxymap insertion logic depends on the NEEDS_UPDATE define to decide whether the lifetime fields should be filled. NEEDS_UPDATE is defined if the kernel does not support LRU maps. Unfortunately, the proxymaps are not converted to LRU maps even if available which caused the lifetime not to be updated on kernels which support LRU maps. Signed-off-by: Thomas Graf <thomas@cilium.io> | 23 February 2018, 17:46:14 UTC |
| 23a6156 | Thomas Graf | 23 February 2018, 16:18:06 UTC | kafka: Report error message when writing access log to debug log Signed-off-by: Thomas Graf <thomas@cilium.io> | 23 February 2018, 17:46:14 UTC |
| 2dac62c | Thomas Graf | 23 February 2018, 16:18:06 UTC | proxy: Cleanup BPF proxy map on removal of redirect Entries will still expire but this accelerates the removal which is required in combination with the extended lifetime. Signed-off-by: Thomas Graf <thomas@cilium.io> | 23 February 2018, 17:46:14 UTC |
| a805b25 | Thomas Graf | 23 February 2018, 16:18:06 UTC | bpf: Keep connection tracking entries around for at least 12h Signed-off-by: Thomas Graf <thomas@cilium.io> | 23 February 2018, 17:46:14 UTC |
| 72c4d20 | Thomas Graf | 23 February 2018, 16:18:06 UTC | bpf: Increase proxymap entry expire time to 1d Signed-off-by: Thomas Graf <thomas@cilium.io> | 23 February 2018, 17:46:14 UTC |
| f8e147b | Michal Rostecki | 21 February 2018, 16:36:36 UTC | test: Increase line count for bpf tunnel list command After introducing TablePrinter for all bpf-related commands, `bpf tunnel list` command has a header, which increases the line count by 1. Signed-off-by: Michal Rostecki <mrostecki@suse.com> | 23 February 2018, 09:17:44 UTC |
| 9340ff2 | Michal Rostecki | 16 February 2018, 16:51:16 UTC | cilium/cmd: Use Dump method from maps and TableWriter In order to minimize the amount of code doing the same things on BPF map printing, this change introduces usage of Dump method from BPF map objects (which dumps the whole map into the given Go map) and usage of TableWriter (which prints any data contained in map[string][]string). Signed-off-by: Michal Rostecki <mrostecki@suse.com> | 23 February 2018, 09:17:44 UTC |
| 9bd16da | Michal Rostecki | 16 February 2018, 16:49:22 UTC | cilium/cmd: Add TablePrinter helper To avoid using tabwriter in the same way several times in different commands, this utility is able to print any table with two columns, using data represented as map[string][]string. Signed-off-by: Michal Rostecki <mrostecki@suse.com> | 23 February 2018, 09:17:44 UTC |
| f22a811 | Michal Rostecki | 19 February 2018, 07:58:59 UTC | daemon: Call DeleteAll on LXCMap directly After recent changes in BPF map structures and interfaces, we access map objects directly and call their methods. Signed-off-by: Michal Rostecki <mrostecki@suse.com> | 23 February 2018, 09:17:44 UTC |
| 3071bf9 | Michal Rostecki | 16 February 2018, 15:55:20 UTC | daemon: Use the new DumpWithCallback method After recent changes in pkg/bpf and pkg/maps, Dump method returns a Go map and custom dump functionality moved to DumpWithCallback. Signed-off-by: Michal Rostecki <mrostecki@suse.com> | 23 February 2018, 09:17:44 UTC |
| f20fda7 | Michal Rostecki | 16 February 2018, 15:54:27 UTC | pkg/proxy: Use the new pkg/maps/proxymap package Signed-off-by: Michal Rostecki <mrostecki@suse.com> | 23 February 2018, 09:17:44 UTC |
| a0469a4 | Michal Rostecki | 16 February 2018, 15:40:53 UTC | pkg/maps/proxymap: Move out ProxyMap from pkg/proxy All map definitions should belong to the pkg/maps package. Also, the new ProxyMap packages uses the new pkg/bpf interfaces. Signed-off-by: Michal Rostecki <mrostecki@suse.com> | 23 February 2018, 09:17:44 UTC |
| 7bde61a | Michal Rostecki | 16 February 2018, 15:52:26 UTC | pkg/maps: Export all map objects and adjust them to new interfaces Since Dump method is a part of Map struct, we need to export all maps to make them accessible for dumping by the other modules. Also, all maps needed to be adjusted to new definitions of interfaces in pkg/bpf. Signed-off-by: Michal Rostecki <mrostecki@suse.com> | 23 February 2018, 09:17:44 UTC |
| 9820c82 | Michal Rostecki | 16 February 2018, 15:43:36 UTC | pkg/bpf: Unify dumping for all maps Before this change, every module in cilium/cmd which lists the content of maps, implemented its own callback function for dumping BPF maps as Go maps. That resulted in many copied&pasted code. After introducing the Dump method for all maps, and moving the functionality of dumping with custom callback function to DumpWithCallback, we can get rid of repetetive code in CLI. Signed-off-by: Michal Rostecki <mrostecki@suse.com> | 23 February 2018, 09:17:44 UTC |
| b0f98ed | Thomas Graf | 22 February 2018, 20:32:04 UTC | agent: Fix --debug-verbose flag The version of Viper vendored seems broken when in use with StringSlice. It is expecting whitespaces instead of coma separated strings. Move to using a slice variable instead of relying on viper. Signed-off-by: Thomas Graf <thomas@cilium.io> | 23 February 2018, 02:16:52 UTC |
| c3ec9c0 | Joe Stringer | 23 February 2018, 00:30:22 UTC | docs: Describe precedence of services and L4 policy Signed-off-by: Joe Stringer <joe@covalent.io> | 23 February 2018, 02:16:05 UTC |
| d2b28b1 | Joe Stringer | 23 February 2018, 00:30:13 UTC | docs: Fix typo in l4 examples Signed-off-by: Joe Stringer <joe@covalent.io> | 23 February 2018, 02:16:05 UTC |
| 89a3ed7 | Joe Stringer | 23 February 2018, 00:28:09 UTC | docs: Describe caveats of policy trace Signed-off-by: Joe Stringer <joe@covalent.io> | 23 February 2018, 02:16:05 UTC |
| 6db26d1 | Joe Stringer | 22 February 2018, 22:56:24 UTC | bpf: Make L4 egress policy aware of services When services are configured, it's expected that L4 egress policy takes this into account. For example, when an endpoint is sending to port 80, then a service converts this port 80 => 8080, the egress L4 policy should be written to match port 8080. This is already the case for IPv6, make IPv4 consistent with IPv6. Signed-off-by: Joe Stringer <joe@covalent.io> | 23 February 2018, 02:15:34 UTC |
| 03ac14f | Joe Stringer | 22 February 2018, 23:36:16 UTC | runtime/lb: Test egress policy with services on L4 Signed-off-by: Joe Stringer <joe@covalent.io> | 23 February 2018, 02:15:34 UTC |
| 3525490 | Joe Stringer | 22 February 2018, 22:54:32 UTC | test/runtime: Refactor client request port This will make the next test easier to introduce. This commit should have no functional impact. Signed-off-by: Joe Stringer <joe@covalent.io> | 23 February 2018, 02:15:34 UTC |
| cb48934 | Manali Bhutiyani | 21 February 2018, 22:33:34 UTC | Add support for K1.6 ginkgo tests. Fixes Issue: #2602 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> | 22 February 2018, 23:41:21 UTC |
| 72a0c11 | Manali Bhutiyani | 20 February 2018, 05:06:17 UTC | Ginkgo : Move Kafka specific helpers in KafkaPolicies.go Fixes Issue: #2602 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> | 22 February 2018, 23:41:21 UTC |
| 4d66f2b | Manali Bhutiyani | 19 February 2018, 22:52:14 UTC | Ginkgo : Refactoring: K8s CI Coverage for Kafka GSG This change refactors all the common utility functions between HTTP tests in Policy.go, Nightly.go and KafkaPolicy.go Fixes Issue: #2602 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> | 22 February 2018, 23:41:21 UTC |
| 8600de6 | Manali Bhutiyani | 13 February 2018, 19:18:46 UTC | Ginkgo : Support multinode K8s CI Coverage for Kafka GSG These changes add support for testing Kafka GSG on a multinode K8s environment in Ginkgo. They follow the same steps as GSG and in addition a couple of other tests like policy trace, to test validity of Kafka L7 policy enforcement on K8s multinode environment. Fixes Issue: #2602 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> | 22 February 2018, 23:41:21 UTC |
| 80e7094 | Eloy Coto | 16 February 2018, 17:16:15 UTC | Nightly: Fix some fails on Nightly testcases - Fixed issues with index on Manifest Generator - Change restart endpoints from Nighlty to Chaos. Move the function to master runs, it's important to know the state. - On restart endpoints made a refactoring to send traffic always in background. To be sure that the loop never finished. - Change the Endpoints time, added more endpoints and small refactoring. (The Jenkins error message was not clear with the xargs) Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 22 February 2018, 18:33:02 UTC |
| 5d65d77 | Thomas Graf | 20 February 2018, 21:28:40 UTC | proxy: Provide proxy status via cilium status $ cilium status [...] Proxy Status: OK, ip 10.11.28.238, 1 redirects, port-range 10000-20000 $ cilium status --all-redirects [...] Proxy Status: OK, ip 10.11.28.238, 1 redirects, port-range 10000-20000 Redirect http, endpoint 38939 [container:id.bar], ingress 80->13949 (created 44m26s ago, last-updated 44m26s ago) - from {}: [{"path":"/public","method":"GET"}] -> 36 received, 20 forwarded, 16 denied, 0 error <- 20 received, 20 forwarded, 0 denied, 0 error Signed-off-by: Thomas Graf <thomas@cilium.io> | 22 February 2018, 14:14:46 UTC |
| 403de45 | Thomas Graf | 20 February 2018, 21:37:12 UTC | api: Regenerate API code for proxy status fields Signed-off-by: Thomas Graf <thomas@cilium.io> | 22 February 2018, 14:14:46 UTC |
| 0b1bb83 | Thomas Graf | 20 February 2018, 15:25:25 UTC | api: Proxy status fields Signed-off-by: Thomas Graf <thomas@cilium.io> | 22 February 2018, 14:14:46 UTC |
| 6cc61ca | Eloy Coto | 15 February 2018, 18:22:47 UTC | Ginkgo: Add a jenkinsfile to trigger kubernetes 1.7 and 1.9 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 22 February 2018, 00:01:54 UTC |
| a43cbfb | Joe Stringer | 19 February 2018, 22:57:36 UTC | endpoint: Keep failed bpf load objects around If BPF endpoint generation fails, move the relevant objects to /var/run/cilium/state/$(EPID)_next_fail for later debugging. Fixes: #2859 Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 21:39:55 UTC |
| 34b3e11 | Joe Stringer | 21 February 2018, 18:25:13 UTC | test/runtime: Remove unnecessary sprintf Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 21:39:55 UTC |
| 0de6157 | Joe Stringer | 19 February 2018, 20:00:53 UTC | test: Add `make clean` target This will clean up the various manifests and other things left over by running the testsuite. Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 21:39:55 UTC |
| 89a4f47 | Ian Vernon | 21 February 2018, 00:37:11 UTC | misc: fix import order and add copyright headers Signed-off by: Ian Vernon <ian@cilium.io> | 21 February 2018, 21:21:50 UTC |
| a77ba96 | Ian Vernon | 13 February 2018, 00:42:18 UTC | create identity package Factor out code from policy package related to identity allocation, types, etc. into a separate package. This was motivated by cyclic import issues faced in PR #2875. Update code to use this package accordingly. No change in functionality should occur as part of this commit. Signed-off by: Ian Vernon <ian@cilium.io> | 21 February 2018, 21:21:50 UTC |
| aabb2a2 | Ian Vernon | 21 February 2018, 18:14:29 UTC | test/runtime: fix typo in error message Signed-off by: Ian Vernon <ian@cilium.io> | 21 February 2018, 21:12:33 UTC |
| c666ffe | Romain Lenglet | 21 February 2018, 17:12:11 UTC | envoy: Add logging into envoy_test.go Signed-off-by: Romain Lenglet <romain@covalent.io> | 21 February 2018, 21:07:01 UTC |
| 8802da6 | Romain Lenglet | 20 February 2018, 00:27:14 UTC | envoy: Create and configure the caches for NPDS and NPHDS Signed-off-by: Romain Lenglet <romain@covalent.io> | 21 February 2018, 21:07:01 UTC |
| 600833f | Eloy Coto | 20 February 2018, 14:24:15 UTC | Ginkgo: Fix cilium state on RuntimeValidatedConntrackTest On Build 688 on recovery the policy was in place, so it fails after restart. The main issue was the leftover policy on the test that run just before. This ensure that the status are the same after finished the test https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/688 ``` /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/src/github.com/cilium/cilium/test/runtime/chaos.go:66 Expected <string>: "... Disabl..." to equal | <string>: "... Enable..." /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/src/github.com/cilium/cilium/test/runtime/chaos.go:88 level=info msg="Cilium status is true" testName=RuntimeValidatedChaos STEP: original: ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS ENFORCEMENT ENFORCEMENT 15009 Enabled Disabled 3749 container:id.server f00d::a0f:0:0:3aa1 10.15.222.0 ready 63264 Disabled Disabled 6263 container:id.client f00d::a0f:0:0:f720 10.15.154.57 ready STEP: new: ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS ENFORCEMENT ENFORCEMENT 15009 Disabled Disabled 3749 container:id.server f00d::a0f:0:0:3aa1 10.15.222.0 ready 63264 Disabled Disabled 6263 container:id.client f00d::a0f:0:0:f720 10.15.154.57 ready ``` Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 21 February 2018, 18:11:52 UTC |
| 9a04c3c | Joe Stringer | 20 February 2018, 22:32:18 UTC | test/runtime: Clarify the services+policies tests Do some minor refactoring and clarifying the style of the By() statements to make it more clear exactly what kind of tests each portion of the function are making. Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| f499586 | Joe Stringer | 20 February 2018, 22:31:24 UTC | test/runtime: Test ingress deny with app3 The LB tests were previously testing ingress deny with app2, which actually has an egress policy applied. Use app3 instead, which has no policy (therefore it should only hit the ingress policy of the service) Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| 45da844 | Joe Stringer | 20 February 2018, 22:05:51 UTC | test/runtime: Clean up after LB test The LB device wasn't being cleaned up properly after each test. This commit introduces some basic cleanup for that device. Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| ad0a020 | Joe Stringer | 20 February 2018, 22:05:29 UTC | test/runtime: Remove unnecessary containers Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| 27550ee | Joe Stringer | 20 February 2018, 21:46:29 UTC | test/runtime: Add missing test cases * Pinging from the host => lb => container * Pinging from httpd1 => lb => httpd1 Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| 1630e44 | Joe Stringer | 20 February 2018, 19:56:14 UTC | test/runtime: Document steps in service recovery test Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| 65bef17 | Joe Stringer | 20 February 2018, 19:08:34 UTC | test/runtime: Shift L3=>L4 test to basic test This test doesn't validate traffic, shift it to the "basic service management functionality" test. Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| b2ea4f6 | Joe Stringer | 20 February 2018, 19:07:29 UTC | test/runtime: Clarify operation of L4 LB test Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| bc74500 | Joe Stringer | 20 February 2018, 18:56:43 UTC | test/runtime: Wait for containers in each test This was done inconsistently in different tests. Make these consistent. Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| f4d46f9 | Joe Stringer | 20 February 2018, 18:26:19 UTC | test/runtime: Clarify operation of L3 LB test Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| dd316da | Joe Stringer | 20 February 2018, 18:16:46 UTC | Ginkgo: Simplify ssh.ServiceAdd() revnat handling The revnat parameter in Cilium is a boolean, but it was being passed as an integer to this function, and was almost always invalid large numbers. --rev is enabled by default, so we can remove this parameter without any change in behaviour. Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| f816c0b | Joe Stringer | 20 February 2018, 02:01:33 UTC | test/runtime: Clarify basic service create/delete test Reword the test to (hopefully) improve the readability of the basic service management (create / delete) tests. No functional difference should be introduced. Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| 8372d06 | Joe Stringer | 20 February 2018, 01:22:04 UTC | test/runtime: Improve lb test readability Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| 098b262 | Joe Stringer | 20 February 2018, 22:29:31 UTC | Ginkgo: Add By() statement when configuring policy This should naturally start to document the tests a bit better for when they fail, without having to update each individual test. Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| 7e17828 | Joe Stringer | 20 February 2018, 22:04:51 UTC | Ginkgo: Log all node execution in verbose mode When in verbose mode, print all commands that are executing on the node. This extends the logging previously introduced in commit 44c9a9548ab7 ("Ginkgo: log docker execution in verbose mode") to more cases than just docker. Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| 56faee2 | Joe Stringer | 20 February 2018, 21:29:09 UTC | Ginkgo: Introduce ssh.RestartCilium() helper Handle these cases consistently across the testsuite. Signed-off-by: Joe Stringer <joe@covalent.io> | 21 February 2018, 17:59:38 UTC |
| cb3974f | Ian Vernon | 20 February 2018, 23:05:43 UTC | pkg/policy: specify when lock is acquired for reserved identity Consumables Signed-off by: Ian Vernon <ian@cilium.io> | 21 February 2018, 06:53:18 UTC |
| 16ca226 | Ian Vernon | 19 February 2018, 20:00:20 UTC | test: update test to work with removal of ReverseRules * Import a policy that allows traffic in both directions when Conntrack is disabled for an endpoint. * Fix some improper log messages * Dump output of `cilium policy get` during connectivity test. Signed-off by: Ian Vernon <ian@cilium.io> | 21 February 2018, 06:53:18 UTC |
| 4dcb29a | Ian Vernon | 19 February 2018, 19:27:40 UTC | pkg/policy: explicitly update reserved Consumables The removal of ReverseRules necessitates explicit updating of Consumables which correspond to the reserved identities, because Consumables are only regenerated for endpoints. Since the Consumables representing reserved identities are not related to endpoints, they have to be updated accordingly whenever a Consumable corresponding to an endpoint is updated (that is, whenever an endpoint allows a reserved identity, the Consumable representing the reserved identity must be updated to allow traffic from the endpoint's Consumable). Signed-off by: Ian Vernon <ian@cilium.io> | 21 February 2018, 06:53:18 UTC |
| 4c972cb | Ian Vernon | 19 February 2018, 19:20:56 UTC | pkg/policy: add IsReservedIdentity function Add function which checks whether the specified NumericIdentity corresponds to a reserved identity. Signed-off by: Ian Vernon <ian@cilium.io> | 21 February 2018, 06:53:18 UTC |
| 7c07806 | Ian Vernon | 19 February 2018, 19:20:03 UTC | pkg/endpoint: specify that Consumable mutex must be held during regenerateConsumable Signed-off by: Ian Vernon <ian@cilium.io> | 21 February 2018, 06:53:18 UTC |
| 6012303 | Ian Vernon | 19 February 2018, 19:19:27 UTC | pkg/policy: finish incomplete documentation of Init Signed-off by: Ian Vernon <ian@cilium.io> | 21 February 2018, 06:53:18 UTC |
| 1b026cd | Ian Vernon | 13 February 2018, 18:45:29 UTC | pkg/policy: remove ReverseRules from Consumable If connection-tracking was not enabled for an endpoint, in order to ensure that traffic between endpoints managed by Cilium would flow, if a policy allowed ingress to endpoint A from endpoint B, then B's policy maps were also updated to allow ingress to itself from A as well. However, this only worked if both endpoints were local to the same node, as the sharing of this information is done on a per-daemon level; security identities are not resolved on each node in the cluster. As such, remove ReverseRules, which was used to store such data, from the Consumable structure. Signed-off by: Ian Vernon <ian@cilium.io> | 21 February 2018, 06:53:18 UTC |
| 9297e70 | Maciej Kwiek | 19 February 2018, 14:45:01 UTC | Test cilium monitor filters by multiple types Signed-off-by: Maciej Kwiek <maciej@covalent.io> | 21 February 2018, 06:48:08 UTC |
| 5bca12d | André Martins | 20 February 2018, 13:49:24 UTC | pkg/k8s: add default deny for k8s 1.7 Since k8s 1.7 doesn't have the PolicyTypes field, to detect if the podSelector affects ingress or egress traffic, the defautl deny translation to cilium network policy was not correctly made. The translation of a default-deny ingress policy is made by checking if the PolicyTypes is *not* egress and the podSelector is empty. Signed-off-by: André Martins <andre@cilium.io> | 21 February 2018, 05:22:05 UTC |
| b3301ed | Ian Vernon | 21 February 2018, 00:31:24 UTC | test/runtime: create and delete containers before policy tests This ensures that Cilium can handle invalid policy while endpoints are running, and that cleanup tests are tested with endpoints running. Signed-off by: Ian Vernon <ian@cilium.io> | 21 February 2018, 04:06:07 UTC |
| daf89cb | Ian Vernon | 21 February 2018, 00:30:27 UTC | test/helpers: always log current state of endpoints Always log the number of "ready" endpoints to the logger in WaitEndpointsReady. Signed-off by: Ian Vernon <ian@cilium.io> | 21 February 2018, 04:06:07 UTC |
| 825f932 | Jarno Rajahalme | 16 February 2018, 01:32:18 UTC | envoy: Review fixes. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 21 February 2018, 00:39:24 UTC |
| 116f014 | Jarno Rajahalme | 16 February 2018, 00:48:42 UTC | envoy: Bump Bazel to 0.10.1 Upstream Envoy builds with this now. Pushed a new builder image (cilium/cilium-builder:2018-02-16) using the new bazel, changed the Dockerfile to depend on it. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 21 February 2018, 00:39:24 UTC |
| c43f923 | Jarno Rajahalme | 16 February 2018, 00:48:41 UTC | envoy: Depend on upstream Envoy repo. Now that all our Envoy infra enhancements have been upstreamed, we can change our Envoy dependency to the official Envoy repo. Pushed a new builder image using the updated dependencies, changed the Dockerfile to depend on it. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 21 February 2018, 00:39:24 UTC |
| d21d799 | Jarno Rajahalme | 16 February 2018, 01:12:44 UTC | envoy: Use V2 config for L7 filter as well. This gets rid of the last bit of deprecated v1 config we were using. Also restored the v1 config default for the bpf filter configuration option "bpf_path". Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 21 February 2018, 00:39:24 UTC |
| 1842fcf | Jarno Rajahalme | 16 February 2018, 00:48:41 UTC | ginkgo: Bump timeouts to 90 minutes Ginkgo tests run out of time, when Envoy build added 20 minutes due to caches not been updated yet. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 21 February 2018, 00:39:24 UTC |
| 9a74109 | Jarno Rajahalme | 20 February 2018, 22:13:34 UTC | envoy: Limit jobs to 1 on tests. Saw out of memory error on test run on CI. Hope limiting number of parallel jobs will help. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 21 February 2018, 00:39:24 UTC |
| 649f95f | Jarno Rajahalme | 20 February 2018, 22:13:34 UTC | envoy: Docker builder update. apt update for 16.10 did not work any more, testing with 17.10. Not sure yet if runtime needs to be upgraded as well. Use envoy/BAZEL_VERSION to automatially install the correct Bazel version for the builder image. Use more separate steps in Dockerfile.builder so that we don't need to start from scratch each time. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 21 February 2018, 00:39:24 UTC |
| 13372c2 | Jarno Rajahalme | 20 February 2018, 22:13:33 UTC | envoy: Rebase to upstream Envoy repo. Now that we have upstreamed all new Envoy features that are needed to run Envoy as a (more) transparent proxy with the Cilium bpf datapath, we can rebase to the upstream Envoy repo. The interface and implementation details were refined during the upstreaming process, which requires corresponding changes in the cilium listener filter. Compile all Envoy API protos, except for the ones that are in draft status and do not compile (currently metrics and trace services). Envoy API protobuf files were also reorganized which requires changes on how we build the golang stubs, and to make that easier we also restructure the generated file layout in the subdirectories of pkg/envoy as follows: - pkg/envoy/envoy: .pb.go files generated from Envoy APIs - pkg/envoy/cilium: .pb.go files generated from Cilium filter protobuf APIs Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 21 February 2018, 00:39:24 UTC |
| b018ccc | Jarno Rajahalme | 20 February 2018, 22:13:33 UTC | vendor: google.golang.org/genproto update. Generated Envoy API proto files depend on these. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 21 February 2018, 00:39:24 UTC |
| eba3510 | Jarno Rajahalme | 20 February 2018, 22:13:33 UTC | vendor: gogo-protobuf update. More packages from github.com/gogo/protobuf are now needed to compile Envoy APIs. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 21 February 2018, 00:39:24 UTC |
| ff9fd98 | Martin Charles | 20 February 2018, 13:20:30 UTC | README: Fixed Typo Signed-off-by: Martin Charles <martincharles07@gmail.com> | 20 February 2018, 17:12:02 UTC |
| c6aac27 | Thomas Graf | 19 February 2018, 22:17:50 UTC | monitor: Report the direction of L7 records Signed-off-by: Thomas Graf <thomas@cilium.io> | 20 February 2018, 03:16:59 UTC |
| e6401a7 | Thomas Graf | 19 February 2018, 21:00:25 UTC | kafka: Emit L7 error record when original destination can't be reached Signed-off-by: Thomas Graf <thomas@cilium.io> | 20 February 2018, 03:16:59 UTC |
| d0d81ff | Thomas Graf | 19 February 2018, 20:58:19 UTC | kafka: Log Kafka responses Existing code only emitted a single response log record per connection. Fix this and report individual responses. Also changes the request record being passed around to be a copy instead of a pointer to ensure that it is not modified underneath. Signed-off-by: Thomas Graf <thomas@cilium.io> | 20 February 2018, 03:16:59 UTC |
| e89daec | Romain Lenglet | 20 February 2018, 01:26:38 UTC | kafka: Log unknown / unsupported API keys when denying requests Signed-off-by: Romain Lenglet <romain@covalent.io> | 20 February 2018, 03:16:40 UTC |
| 6c0b3f3 | Thomas Graf | 16 February 2018, 20:38:51 UTC | kafka: Enable TCP Keepalive on proxy dialed connections This ensures that TCP connections established by the proxy are never accidentally expired from the proxy BPF map. Signed-off-by: Thomas Graf <thomas@cilium.io> | 20 February 2018, 01:31:44 UTC |
| 5ea87f3 | ashwinp | 19 February 2018, 02:39:41 UTC | Support rolling update strategy for ds/cilium Signed-off-by: Ashwin Paranjpe <ashwin@covalent.io> | 20 February 2018, 00:17:09 UTC |
| 6de20c7 | Joe Stringer | 16 February 2018, 21:29:43 UTC | cilium: Print cluster status in 'cilium status' This commit adds a cluster status to `cilium status` via an API call to `cilium-health`. By default, it prints a single line listing how many nodes are reachable and the timestamp: $ cilium status ... Cluster health: 1/1 reachable (2018-02-16T13:25:53-08:00) If any nodes or health endpoints are unreachable, they will be listed below this message (up to 10 entries by default). In verbose mode, it also prints every node and its status: $ cilium status --all-health Cluster health: 1/1 reachable (2018-02-16T13:30:53-08:00) Name IP Reachable Endpoints reachable cilium-master 10.0.2.15 true false Signed-off-by: Joe Stringer <joe@covalent.io> | 19 February 2018, 22:12:03 UTC |
| cb0f9fd | Joe Stringer | 16 February 2018, 00:20:43 UTC | cilium: Don't print list of nodes in status `cilium status` shouldn't really report known cluster nodes, this was primarily used for debugging during development of cilium-health. An upcoming patch will fetch `cilium-health status` and format it in some way from this command, which will provide most of the same information (exceptions: IP address type, IP allocation for node). Drop this now. If we really need this, it's still available in the json output format. Signed-off-by: Joe Stringer <joe@covalent.io> | 19 February 2018, 22:12:03 UTC |
| f733101 | Joe Stringer | 16 February 2018, 21:28:28 UTC | cilium-health: Add '--succinct' mode This new '--succinct' mode prints simpler output with one node per line. The same output will be used by an upcoming commit to present cluster status in 'cilium status'. Signed-off-by: Joe Stringer <joe@covalent.io> | 19 February 2018, 22:12:03 UTC |
| ae74fac | Joe Stringer | 16 February 2018, 02:36:38 UTC | cilium-health: Refactor output printing to pkg/ Shift the formatting of results to pkg/health/client/ so that a subsequent patch can reuse the formatting code. Signed-off-by: Joe Stringer <joe@covalent.io> | 19 February 2018, 22:12:03 UTC |
| 715f452 | Romain Lenglet | 19 February 2018, 20:22:17 UTC | kafka: Close connection immediately on any read error Signed-off-by: Romain Lenglet <romain@covalent.io> | 19 February 2018, 22:11:16 UTC |
| 7fc1a24 | Romain Lenglet | 19 February 2018, 05:17:42 UTC | endpoint: Stop using Consumable policy to store redirect ports The Consumable's L4Policy was used to store endpoint-specific proxy redirect ports. Therefore, if two or more endpoints had the same security identity on the same node, only the first of those endpoints to be regenerated would have proxy redirects created, and all other endpoints would incorrectly use the same proxy redirects. Remove the L7RedirectPort from L4Filter, so that it now contains only desired state. Replace it with storing the redirect ports in each endpoint's realizedRedirects map. Ensure all accesses to realizedRedirects are protected by the Endpoint.Mutex. Signed-off-by: Romain Lenglet <romain@covalent.io> | 19 February 2018, 17:51:02 UTC |
| 8599021 | Ian Vernon | 16 February 2018, 21:36:25 UTC | test/runtime: add checks for setting of configuration values Check that values that are set via are indeed set for each endpoint. Add a variety of helper functions / refactoring to reduce code duplication. Signed-off by: Ian Vernon <ian@cilium.io> | 19 February 2018, 17:46:28 UTC |
| 86a9e76 | Ian Vernon | 16 February 2018, 21:35:28 UTC | test/helpers: add GetEndpointMutableConfigurationOption function Add helper function which gets the value of a configuration option for a specific endpoint. Signed-off by: Ian Vernon <ian@cilium.io> | 19 February 2018, 17:46:28 UTC |
| e60b28d | Ian Vernon | 15 February 2018, 01:22:15 UTC | test: fix issues with runtime/connectivity.go test The test `RuntimeValidatedConntrackTest` was not properly testing the Conntrack and ConntrackLocal endpoint configuration options. To start, it was testing Cilium in its default policy enforcement mode, which by default allows all traffic for endpoints which no rules select in the policy repository. This is an issue because the test was ran with no policy imported, meaning that the configuration flags were not really being tested appropriately. The following changes were made to fix this, and to ensure the test has true parity with its Bash-script counterpart, `tests/01-ct.sh`: * Import the same policy from the corresponding Bash test. * Set policy enforcement mode for Cilium to be 'always'. * Add checks for curl, and bidirectional connectivity. The following changes were made to enhance the test: * Miscellaneous variable renaming to make it easier to read the test code. * Combining all Its into one It, which results in the containers used for the tests only having to be launched and removed once, instead of three times (one for each previous It). Also made logs in `test/helpers/cilium.go:PolicyImportAndWait` use logrus Fields to reduce the amount of custom string formatting in its log messages. Signed-off by: Ian Vernon <ian@cilium.io>" | 19 February 2018, 17:46:28 UTC |
| c052ba9 | Ian Vernon | 16 February 2018, 19:16:04 UTC | pkg/endpoint: get configuration model in endpoint model Signed-off by: Ian Vernon <ian@cilium.io> | 19 February 2018, 17:46:28 UTC |
| 0b50ba8 | Ian Vernon | 16 February 2018, 18:58:56 UTC | api: add endpoint configuration as part of endpoint model Signed-off by: Ian Vernon <ian@cilium.io> | 19 February 2018, 17:46:28 UTC |
| 755ee49 | Thomas Graf | 19 February 2018, 02:32:28 UTC | monitor: Support filtering on multiple message types Signed-off-by: Thomas Graf <thomas@cilium.io> | 19 February 2018, 14:57:25 UTC |
| 69ab728 | Thomas Graf | 19 February 2018, 02:01:55 UTC | monitor: Support filtering for L7 and agent notifications Signed-off-by: Thomas Graf <thomas@cilium.io> | 19 February 2018, 14:57:25 UTC |
| e080791 | Thomas Graf | 18 February 2018, 20:54:00 UTC | accesslog: Enable L7 monitor logging by default Do not require the accesslog file to be configured Signed-off-by: Thomas Graf <thomas@cilium.io> | 19 February 2018, 14:57:25 UTC |
| f710fc0 | Thomas Graf | 16 February 2018, 18:59:31 UTC | release: Print the uploaded binaries in markdown Extended the binary upload script to print the markdown required for the release: https://github.com/cilium/cilium/releases/edit/v1.0.0-rc4 Release binaries ---------------- * [cilium-agent-x86_64](http://releases.cilium.io/v1.0.0-rc4/cilium-agent-x86_64) ([c58a3a05d8531bd8f677](http://releases.cilium.io/v1.0.0-rc4/cilium-agent-x86_64.sha256sum)) * * [cilium-bugtool-x86_64](http://releases.cilium.io/v1.0.0-rc4/cilium-bugtool-x86_64) ([5ba0547857d71a96d99c](http://releases.cilium.io/v1.0.0-rc4/cilium-bugtool-x86_64.sha256sum)) * * [cilium-health-x86_64](http://releases.cilium.io/v1.0.0-rc4/cilium-health-x86_64) ([f0015f1345e9bb7eccec](http://releases.cilium.io/v1.0.0-rc4/cilium-health-x86_64.sha256sum)) * * [cilium-node-monitor-x86_64](http://releases.cilium.io/v1.0.0-rc4/cilium-node-monitor-x86_64) ([81e189969dcf2a97aca3](http://releases.cilium.io/v1.0.0-rc4/cilium-node-monitor-x86_64.sha256sum)) * * [cilium-x86_64](http://releases.cilium.io/v1.0.0-rc4/cilium-x86_64) ([2f63b204753aa7a96bb0](http://releases.cilium.io/v1.0.0-rc4/cilium-x86_64.sha256sum)) * * [v1.0.0-rc4.tar.gz](http://releases.cilium.io/v1.0.0-rc4/v1.0.0-rc4.tar.gz) ([39ff5357ea5920af6bca](http://releases.cilium.io/v1.0.0-rc4/v1.0.0-rc4.tar.gz.sha256sum)) * * [v1.0.0-rc4.zip](http://releases.cilium.io/v1.0.0-rc4/v1.0.0-rc4.zip) ([1c371d84ccad990c6915](http://releases.cilium.io/v1.0.0-rc4/v1.0.0-rc4.zip.sha256sum)) Signed-off-by: Thomas Graf <thomas@cilium.io> | 19 February 2018, 06:45:40 UTC |
