Revision Author Date Message Commit Date
c4782aa Revert "policy: Change test helper key() to work with wildcard port" This reverts commit 6613b1cb6996ca515961993510da0b8f51bc4b83. Signed-off-by: Joe Stringer <joe@cilium.io> 21 June 2024, 20:08:13 UTC
f051660 Revert "policy: Add a runtime panics for invalid port wildcard" This reverts commit 10a0d433afe4637c0000f1ba9a25d27a11f7a171. Signed-off-by: Joe Stringer <joe@cilium.io> 21 June 2024, 20:08:10 UTC
10a0d43 policy: Add a runtime panics for invalid port wildcard Add a runtime panic for an invalid port wildcard. The panic produces a stack trace that allows the offending code to be easily fixed. Fix code that produces panics. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 June 2024, 15:57:37 UTC
6613b1c policy: Change test helper key() to work with wildcard port Change the test helper key() to allow 0 port for a wildcarded port, simplify testing code using it. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 June 2024, 15:57:37 UTC
9368f21 policy: Move AllowsIdentity into tests AllowsIdentity is only used for testing, move it there. Add the missing InvertedPortMask field on the wildcard port lookup. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 21 June 2024, 15:57:37 UTC
d97069c examples: Fix subject selector in ingress policy This policy example selected *all* Endpoints rather than just the Ingress Endpoint. Since the policy is intended to allow traffic to the Ingress and not other managed Endpoints, restrict the selector. CC: Tam Mach <tam.mach@cilium.io> Fixes: b68cf99c3bb5 ("ingress: Update docs with network policy example") Signed-off-by: Joe Stringer <joe@cilium.io> 21 June 2024, 14:08:40 UTC
9a80d42 .github: fix workflows used by renovate With the introduction of 6f461ea592ca, some of the workflows were not prepared to handle concurrency for "push" events, so we had to add the group for these types of events. Also, some of the workflows were not running the "commit-status-final" step, as this step was only running for events that were not of type "push". As the list of required workflows is based on the name created by this step, we also need to run this step for the "push" events. Some existing workflows already push "commit-status-final" for pushes as well, so the introduction for these workflows will be consistent with existing ones. Finally, the push events should only be triggered for pushes done with respect to the "main" branch, thus we will be using the prefix "renovate/main-**" instead of "renovate/**" to avoid triggering the GH main workflows from stable branches and vice-versa. Fixes: 6f461ea592ca ("run CI automatically for renovate") Signed-off-by: André Martins <andre@cilium.io> 21 June 2024, 11:50:17 UTC
4d41865 renovate add trusted dependencies Add google/cloud-sdk and docker/build-push-action to the list of trusted dependencies for auto-merge PRs. Signed-off-by: André Martins <andre@cilium.io> 21 June 2024, 10:53:50 UTC
63b7bc5 pkg/endpoint: store template hash in template.txt The loader uses two subtly different hashes to identify endpoint configuration. The endpoint hash is unique for each endpoint and is used to detect when configuration changes. The template hash is shared between multiple endpoints and is used as a cache key of sorts. When I rewrote the loader to not fiddle with the endpoint state directory anymore I made the mistake of persisting the endpoint hash into template.txt. This means that it is not possible to correlate an endpoint state directory with a template cache entry. Fix this by returning the template hash as a sort of ID from ReloadDatapath and writing that into template.txt. Fixes: 76ca09a108 ("loader: stop linking template.o into ep.StateDir()") Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 21 June 2024, 08:08:56 UTC
8ebdd24 ci: add dispatch for 100-nodes scale test and network perf Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 21 June 2024, 07:36:00 UTC
ed5bcdd bitlpm: Add Comment for UintTrie Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 21 June 2024, 07:36:45 UTC
6552e09 bpf: recreate CT entry if proxy_redirect is stale for non-tcp This commit fixes the issue that datapath erroneously redirects (or doesn't redirect) the reply packets to the proxy if the packet hits the stale CT entry. The PR #32653 fixed the issue when the TCP connection hits a closing stale entry by having __ct_lookup return CT_NEW in that case so that the caller can recreate an entry to update the proxy_redirect flag. This commit lets datapath recreate an entry in the case where non-TCP packets hit the stale CT entry with the proxy_redirect flag, or an active TCP connection suddenly comes into the scope of an L7 policy. Signed-off-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com> 21 June 2024, 07:00:02 UTC
4c8c03d k8s: improve user facing error logging for k8s decode errors. Errors such as "invalid character 'T' looking for beginning of value" can be emitted by k8s client-go libraries if there is a problem decoding the underlying k8s object from the apiserver. Specifically, this can occur if apiserver is sending a json containing an error message and not a k8s object. These errors can be confusing, so this adds a k8s error handler case to catch these and emit a more user friendly message. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 21 June 2024, 06:31:26 UTC
3fc57b3 ci: Fix CES Migration workflow failing when skipped The CES migration workflow was recently modified in commit ffb8443 to only execute if the changes in the tested commit are relevant to the tests executed in the workflow. If the setup-and-test job is skipped based on this precondition, the commit-status-final job will fail to execute properly. This is because the status of the setup-and-test job is piped directly into the status parameter of the set-commit-status action, which does not support the value "skipped". This commit removes the commit-status-final job from the workflow, as this job is only needed if the workflow is executed via a workflow_dispatch trigger that takes a SHA as an input. Additionally, the workflow does not contain a corresponding commit-status-start job, indicating that the commit-status-final job may not be needed. An example failure can be found here: https://github.com/cilium/cilium/actions/runs/9601333957/job/26479710471?pr=33288. The logs for the failed commit-status-final job are:

```
Error: state must be one of "error", "failure", "pending", "success"
```

Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> 20 June 2024, 19:13:27 UTC
c276888 renovate: update k8s dependencies automatically Now that we are running renovate as a GH action this allow us to run postUpgradeTasks. Some of these upgrade tasks will be to generate some manifests or k8s go client files after we update the k8s dependencies. Signed-off-by: André Martins <andre@cilium.io> 20 June 2024, 19:00:01 UTC
5273a46 images/builder: add /.cache directory The builder image is used to generate Kubernetes manifests and some Go code for Kubernetes clients. Currently, Docker run commands are executed as the root user inside the container, resulting in files being created with the root UID. This prevents the user who executed the Docker run command from managing these files. Running the Docker container with the executing user's UID causes "go run" commands to fail due to insufficient permissions to write to the /.cache directory. To resolve this, we need to create a /.cache directory with write permissions for all users. Signed-off-by: André Martins <andre@cilium.io> 20 June 2024, 19:00:01 UTC
6f461ea run CI automatically for renovate Renovate is a trusted contributor of Cilium. We can skip the need for the triager to run the CI manually if the CI is automatically run after a push to renovate's branches. Signed-off-by: André Martins <andre@cilium.io> 20 June 2024, 18:58:31 UTC
fc7655a renovate: add auto merge for certain dependencies If we enable auto merge for trusted dependencies we will be able to reduce the load on reviewers by skipping the reviews of certain trusted libraries. Signed-off-by: André Martins <andre@cilium.io> 20 June 2024, 18:58:31 UTC
8e6d288 workflows: integration-test: allow to configure bigger runner Signed-off-by: Gilberto Bertin <jibi@cilium.io> 20 June 2024, 18:58:04 UTC
8c745b2 ci/runtime: Dump identity labels on failure This commit dumps the identity labels if the "DNS proxy policy works if Cilium stops" test fails. This should help troubleshoot the workflow if it fails in CI, as the previous output was rather sparse. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 20 June 2024, 18:57:44 UTC
d3490bd test/provision: Use SIGTERM to stop cilium container Instead of killing the container with `docker rm -f` (which sends a SIGKILL), let's use `docker stop` (which sends a SIGTERM). This ensures that cilium-agent shutdown runs properly, allowing it, for example, to checkpoint local identities, which is needed for some runtime tests. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 20 June 2024, 18:57:44 UTC
7cae329 identity: Ensure checkpoint runs on shutdown This commit wraps the identity checkpoint function in a controller. This has two effects: 1. If the checkpoint fails due to I/O errors, the checkpoint is retried until it succeeds. Previously, we relied on it being triggered again for it to be re-run (though so far we have not observed any I/O failures in CI, so this likely was not an issue). 2. By using a controller `StopFunc` and calling `RemoveControllerAndWait` we ensure the checkpoint function is run one last time during shutdown. This is important, since `Trigger.Shutdown` by itself does not run any pending triggers. Note that any errors during shutdown are only logged and the controller is not retried. The identity allocator is closed when the policy trifecta cell is stopped, which happens e.g. when SIGTERM is received. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 20 June 2024, 18:57:44 UTC
29b35e2 docs: Add deprecation warning in Ginkgo E2E docs This commit adds a warning at the top of the Ginkgo-based E2E testing documentation, making it explicitly clear that the framework is deprecated. The Ginkgo-based E2E testing documentation is already marked with a "legacy" note in the title of the page, so the goal of this commit is to extend this note and make it clear that the cilium-cli framework should be used moving forward. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> 20 June 2024, 17:51:54 UTC
8190bf8 ipsec-tests: ensure that XFRMState is created Seems like we didn't have a test that was checking if we create any xfrmState on UpsertIPsecEndpoint. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 20 June 2024, 14:57:52 UTC
39e4471 ipsec-tests: Fix flaky TestUpsertIPSecKeyMissing In case previous test failed, it did not clean up ipSecKeysGlobal resulting in failing TestUpsertIPSecKeyMissing too. Let's ensure that global ipsec key is cleaned up. Fixes: #32933 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 20 June 2024, 14:57:52 UTC
8b24e96 bpf: fix skip_tunnel_nodeport_revnat The test contains a bug since it passes min_port and max_port in struct ip{4,6}_nat_target in network instead of host byte order. It doesn't fail because of a series of "fortunate" circumstances, which boil down to invoking the following function

```
__u16 __snat_try_keep_port(__u16 start, __u16 end, __u16 val)
{
	return val >= start && val <= end ? val : __snat_clamp_port_range(start, end, (__u16)get_prandom_u32());
}
```

with the following arguments:

```
__snat_try_keep_port(htons(port), htons(port), port)
```

since htons(port) <= port <= htons(port) is (almost) never true, we end up invoking

```
__u16 __snat_clamp_port_range(__u16 start, __u16 end, __u16 val)
{
	return (val % (__u16)(end - start)) + start;
}
```

Since start == end, we end up executing val % 0. This seems to cause UB which somehow leads to the code just using val. Of course, this all comes crashing down when trying to modify any of the code in this path. Fix the test by converting to host byte order as appropriate and by extending the valid port range by one. Fixes: c1761f75ec ("bpf: Implement handling of flag_skip_tunnel for revNAT nodeport traffic") Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 20 June 2024, 09:01:15 UTC
f7dc70f BGPv1 and BGPv2 - Reject all inbound BGP advertisements Cilium's BGPv1 and BGPv2 Control Plane accepts all BGP Paths advertised to it. However, these paths do not program the datapath. This PR modifies Cilium's BGP implementation to reject all inbound BGP advertisements. Fixes: #32826 Signed-off-by: David Swafford <dswafford@coreweave.com> 20 June 2024, 08:38:48 UTC
c93fe99 bpf: nodeport: clean up redundant 0-initializations The whole ct_state_new struct is already 0-initialized. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 20 June 2024, 07:58:39 UTC
335188d bpf: host: use NATIVE_DEV_IFINDEX in to-netdev Indicate the current interface in the trace notification. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 20 June 2024, 07:23:10 UTC
1138e91 bpf: nodeport: use NATIVE_DEV_IFINDEX in TRACE_TO_PROXY notification Indicate the originating interface in the trace notification. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 20 June 2024, 07:23:10 UTC
29dc273 datapath: always populate NATIVE_DEV_IFINDEX The ifindex is useful even outside of nodeport-related context. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 20 June 2024, 07:23:10 UTC
d3285ef bgpv1: reorder neighbor creation and deletion steps This change reorders peer creation and deletion order in peer reconciler. This is done because if ASN is modified, we need to delete old peer and then add new one. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 20 June 2024, 07:21:42 UTC
4775694 bgpv2: use peer asn and address in the key On updating peer ASN and address, we need to remove the old peer and re-add it again. This change adds ASN and address to the key of the peer along with the name. Secondly, the order of changing a peer is now delete, update and add. This is done because adding before deleting the old peer is going to fail when changing ASN. This change also allows setting the local peer port to 0 (random port selection from kernel). Signed-off-by: harsimran pabla <hpabla@isovalent.com> 20 June 2024, 07:21:38 UTC
ad85cd5 clustermesh: fix spurious cluster configuration add event In order to prevent possible race conditions when watching clustermesh config file changes, once we receive a file change notification, we first add that path to the list of watched ones and, if it wasn't already registered, recurse again. This prevents missing possible updates that could have happened in the time window between the reading of the file and the registration of the watcher. However, the previous implementation was lacking a return statement, hence causing the add notification to be actually triggered twice, if the two iterations read two different versions of the file. Practically speaking, this is extremely unlikely to lead to actual issues, unless multiple back-to-back changes are performed in sequence (as we do in the unit tests). Regardless, let's fix it by adding the missing return statement. Fixes: 106d0981ee35 ("clustermesh: fix config watcher race condition with back-to-back changes") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 20 June 2024, 05:43:35 UTC
db1cd13 Revert "Fix CiliumEnvoyConfig Nodeport handling" This reverts commit 24061be70360e31137d23fec08dc637e4393b03c. Signed-off-by: Mark Pashmfouroush <mark@isovalent.com> 19 June 2024, 15:24:09 UTC
52200d5 Revert "Handle nil service retrieved from Resource store" This reverts commit 919e20727e89267647f76d61f773b08f9e3e0958. Signed-off-by: Mark Pashmfouroush <mark@isovalent.com> 19 June 2024, 15:24:09 UTC
fb7e01b fqdn: Skip "open ports" check for statically configured ports When restoring the previous DNS proxy port, we check if the port is already in-use. However, if the port we retrieved from `GetProxyPort` was previously set via `SetProxyPort`, then we want to use it unconditionally. We rely on `isStatic` for this, as static ports cannot change and the open port may be open with `SO_REUSEPORT` (which `proxy.OpenLocalPorts()` does not check). Restored ports never have `isStatic` set to true, so this does retain the "open ports" check if the port was restored. In addition, when restoring ports we want to make sure that previous calls to `SetProxyPort` are also not overwritten, thus this commit also only restores the port if it wasn't explicitly set. This is the same behavior we had previously, which did not check the returned port of `d.l7Proxy.GetProxyPort` against the list of open ports. Fixes: d11e4d261279 ("proxy: Reuse proxy ports from datapath on restart") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 19 June 2024, 14:03:48 UTC
6aa4fa8 lbipam: Remove cidrs field from CiliumLoadBalancerIPPool Originally the CiliumLoadBalancerIPPool only had CIDRs, and thus a field called `cidrs` containing a list of CIDRs. In v1.15 it became possible to specify ranges of IPs with a start and end IP. A new field was added called `blocks` which was treated as an alias of `cidrs`. This was done to allow for a smooth transition. This commit removes the `cidrs` field to complete the transition. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 19 June 2024, 09:50:44 UTC
f27470f lbipam: Make `AllowFirstLastIP` default to `yes` In v1.15, we introduced this setting and defaulted to `no` for `AllowFirstLastIP` to preserve the previous behavior. However, in most cases it's preferable to default to `yes`. Users should explicitly set this field to their desired value if they don't want the behavior of pools to change. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 19 June 2024, 09:50:44 UTC
3c8ff5b bpf: lxc: report ifindex in ingress trace notifications ipv*_policy() takes an `ifindex` parameter, and exclusively uses it to fill trace notifications. But for some cases the provided ifindex is currently 0 (for instance in a configuration with per-EP routing, when calling from to-container). Just provide the actual interface index instead. Reported-by: Tomasz Tarczyński <tomasz.tarczynski@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 19 June 2024, 08:15:57 UTC
7898d95 datapath: template the interface index into bpf_lxc Make the ifindex of an endpoint available to the attached BPF program, so that it can be used by a subsequent patch. We can most likely unify this later with NATIVE_DEV_IFINDEX, which is only provided for native devices. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 19 June 2024, 08:15:57 UTC
3d0b9c2 cilium-agent: remove unused permissions for CNP/CCNP status CNP/CCNP node statuses have been removed in #24503. Currently, only the operator is updating CNP/CCNP status for derived policies. Related #29590 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 19 June 2024, 08:15:20 UTC
45d2bed bpf: ct: return actual error from CT lookup The CT lookup potentially returns an error (with some DROP_* value). But there are a few code paths that currently handle such an error as part of their `default` case for the `switch(ct_result)` statement, and just return DROP_UNKNOWN_CT. Fix them up to return the actual error. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 19 June 2024, 06:47:27 UTC
ace0444 bpf: lxc: prefer SECLABEL_IPV4 over SECLABEL in ipv4_policy() Match what ipv6_policy() uses in these locations. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 19 June 2024, 03:03:36 UTC
34b9c7f bpf: host: sanitize whole skb->cb in to-netdev We can't trust the cb if a packet passed through the network stack. Instead of selectively clearing cb slots, just clear the whole array. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 19 June 2024, 03:03:11 UTC
97f4e25 ci: update docs-builder Signed-off-by: Cilium Imagebot <noreply@cilium.io> 18 June 2024, 11:52:12 UTC
0378d78 build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /Documentation Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.7 to 2.2.2.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.0.7...2.2.2)

```
---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
...
```

Signed-off-by: dependabot[bot] <support@github.com> 18 June 2024, 11:52:12 UTC
ffb9a18 README: Update releases Signed-off-by: André Martins <andre@cilium.io> 18 June 2024, 11:51:39 UTC
522564b datapath: clean up unused SECLABEL_NB Looks like the last user was removed with 32a921aab817 ("bpf: Remove flowlabel optimization for identity"). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 18 June 2024, 08:48:10 UTC
278ec19 Reconcile qdiscs accurately when using BW manager Current logic bails out without updating leaf qdiscs when the first item in the qdisc list is of type mq. Other qdiscs could be pfifo_fast, for example. Encountered this in my local testing. The second qdisc was never replaced with fq.

```
qdisc mq 0: dev enX0 root
qdisc pfifo_fast 0: dev enX0 parent :1 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
```

Co-developed-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> 18 June 2024, 08:19:17 UTC
d08aa3d chore(deps): update cilium/scale-tests-action digest to 511e3d9 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 18 June 2024, 08:00:51 UTC
112a16d build-images: fetch artifacts with specific pattern It seems that docker/build-push-action started to store artifacts on GitHub. This affected the digests of the image build process, as it timed out while trying to download these artifacts. To fix this issue we will only download the artifacts with the pattern "*image-digest *", which are the only artifacts relevant for the image digests. Fixes: b86d5fc1aa64 ("chore(deps): update docker/build-push-action action to v6") Signed-off-by: André Martins <andre@cilium.io> 18 June 2024, 06:56:36 UTC
5179460 docs: add troubleshoot clustermesh command clarification note Let's explicitly mention that the output of the cilium-dbg troubleshoot command refers to the connections from the agents to the local clustermesh-apiserver when KVStoreMesh is enabled, as this is potentially confusing. In this case, it is expected that the output is the same for all the clusters the agents are connected to. Differently, the connectivity to the remote clusters can be troubleshot using the dedicated kvstoremesh-dbg command. Suggested-by: Bruno M. Custódio <bruno@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 18 June 2024, 05:58:31 UTC
c46e6be cilium-dbg: improve troubleshoot clustermesh output for local cluster Users may additionally configure a clustermesh entry for the local cluster as well, to reuse the same configuration in all clusters, as Cilium then automatically ignores it. Let's improve the output of the cilium-dbg troubleshoot clustermesh (and kvstoremesh-dbg troubleshoot) commands in this situation, removing the usage of the term "remote", and displaying a note for the entry matching the local cluster name. The retrieval of the local cluster name is performed in a best effort fashion, and may not always work. Suggested-by: Bruno M. Custódio <bruno@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 18 June 2024, 05:58:31 UTC
ab57923 cilium-dbg: minor clarifications to the clustermesh status output Add the term remote to clarify that the number of clusters reported by the cilium-dbg and kvstoremesh-dbg status commands do not include the local one, regardless of whether it is included in the clustermesh configuration or not. Similarly, let's replace the term failures with reconnections, as failures has a negative connotation, but they are actually expected to happen when the clustermesh-apiserver in the given remote cluster is restarted. Suggested-by: Bruno M. Custódio <bruno@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 18 June 2024, 05:58:31 UTC
919e207 Handle nil service retrieved from Resource store Signed-off-by: Nick Young <nick@isovalent.com> 18 June 2024, 01:51:16 UTC
24061be Fix CiliumEnvoyConfig Nodeport handling Adds additional service redirect handling for Services with Nodeports set, which will automatically include the Nodeport in the set of redirected ports if ports to redirect are specified. Also removes a hack in the Dedicated Ingress code that was introduced to solve this problem previously. Signed-off-by: Nick Young <nick@isovalent.com> 18 June 2024, 01:51:16 UTC
1defd4c ipam: remove ipam from cilium-dbg debuginfo Currently, IPAM gets registered as a debuginfo status object before it gets initialized. This is visible when displaying the debuginfo from within an agent pod.

```
cilium-dbg statusinfo
...
<nil>
...
```

After moving the initialization of IPAM into its own cell, IPAM is fully initialized at that point in time. The problem is that with the added dependencies it seems that the output is way too big and results in memory issues (also results in failing tests due to OOM on GitHub). Therefore, this commit removes the registration of IPAM to the debuginfo (and the related implementation of the interface in IPAM). This shouldn't be an issue as it seems that this was no longer part of the debuginfo output for quite some time. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 17 June 2024, 16:35:54 UTC
4a36fe9 ipam: set metadata manager during initialization Currently, there's an extra method `setMetadata` to set the optional metadata manager for IPAM. With the introduction of the cell, it's possible to treat this as internal and set it during the initialization of the IPAM struct. This way we can get rid of the exported method. In addition, the metadata manager cell defaults to a new defaultIPPoolManager in case IPAM Multi Pool is disabled. This way, a metadata manager implementation is always provided, which avoids the need for additional (and potentially enhanced) nil checks. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 17 June 2024, 16:35:54 UTC
2302e9c ipam: treat IPAM metadata manager as IPAM internal With the introduction of the IPAM cell, the IPAM metadata manager can be treated and registered as internal cell. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 17 June 2024, 16:35:54 UTC
9dd9790 ipam: move rest api implementation into cell Currently, the IPAM REST API is implemented by the daemon. With the extraction of the IPAM initialization into its own cell it's also possible to extract the IPAM REST API handler into the same cell. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 17 June 2024, 16:35:54 UTC
86a5c88 ipam: provide ipam via cell Currently, IPAM is initialized and configured during the agent/daemon initialization. This commit moves the initialization of the IPAM struct (with all its dependencies) into its own cell. The provider initialization is still triggered from the agent initialization code. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 17 June 2024, 16:35:54 UTC
2e2f553 chore(deps): update dependency renovatebot/renovate to v37.410.1 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 16:35:17 UTC
c22eceb Revert "Prepare for release v1.16.0-rc.0" This reverts commit e462433c4ee3685fd8c3c5867128889acf01d886. Signed-off-by: André Martins <andre@cilium.io> 17 June 2024, 14:55:51 UTC
14c2b3d Prepare for release v1.16.0-rc.0 Signed-off-by: André Martins <andre@cilium.io> 17 June 2024, 14:55:51 UTC
447c92d update AUTHORS and Documentation Signed-off-by: André Martins <andre@cilium.io> 17 June 2024, 14:55:51 UTC
2fc54dd IPAM: Adds IPv6 Prefix Delegation Config Option
- `operator/option/config.go`: Adds an option for enabling AWS IPv6 prefix delegation (PD).
- `*_test.go`: Updates IPAM implementation unit tests to call `NewNodeManager()` with IPv6 PD config option.
- `pkg/ipam/node.go`: Adds `ipv6Alloc` field to `Node` type to represent IPv6-specific allocation node attributes.
- `pkg/ipam/node_manager.go`: Adds IPv6 PD field to the `NodeManager` type and associated `NewNodeManager()`.

Supports: #30684 Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io> 17 June 2024, 14:16:33 UTC
51ff384 Documentation for decoupling k8s-heartbeat-timeout Signed-off-by: Dorde Lapcevic <dordel@google.com> 17 June 2024, 14:06:02 UTC
95536f1 Decouple k8s client heartbeat from connection timeout and keep alive The main reason to introduce this is to be able to increase the heartbeat interval without affecting the k8s client connection settings. It also allows the possibility to disable the heartbeat, by setting `k8s-heartbeat-timeout` to 0, without disabling the k8s client itself.

```release-note
When upgrading, users can experience a change to their configuration if they were overriding the `k8s-heartbeat-timeout` flag. k8s client timeout and keep alive are no longer getting values from the `k8s-heartbeat-timeout` flag, but rather would have default values (30 seconds).
```

Signed-off-by: Dorde Lapcevic <dordel@google.com> 17 June 2024, 14:06:02 UTC
c228c5e chore(deps): update dependency renovatebot/renovate to v37.409.2 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 13:39:07 UTC
d6a9529 gha: Grant write status permission This is to fix the below issue when the step is trying to update status. > Error: Resource not accessible by integration Sample run with failure https://github.com/cilium/cilium/actions/runs/9534715391/job/26279677470?pr=33092 Signed-off-by: Tam Mach <tam.mach@cilium.io> 17 June 2024, 12:35:44 UTC
8ce020c pkg/identitybackend: Make sanitizeK8sLabels method public The method will be used by operator managing CIDs. Related #27752 Signed-off-by: Ovidiu Tirla <otirla@google.com> 17 June 2024, 12:02:04 UTC
a2388a6 gha: Add more flags for Ingress Conformance test This is to add enable-http-debug flag to capture more information in case of failure. Additionally, the stop-on-failure flag is added for faster feedback. Signed-off-by: Tam Mach <tam.mach@cilium.io> 17 June 2024, 11:20:51 UTC
7e7e77e fix(deps): Bump ingress-controller-conformance This is to mainly pick up the below changes https://github.com/cilium/ingress-controller-conformance/pull/2 Signed-off-by: Tam Mach <tam.mach@cilium.io> 17 June 2024, 11:20:51 UTC
b7237b1 clustermesh: add namespace index to service resource Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr> 17 June 2024, 10:48:51 UTC
14f5764 clustermesh: fix reconciliation when a remote service gets deleted This commit fixes the case when a remote service gets deleted while the local service remains. Previously the Reconcile on the controller wasn't called because we weren't returning the deleted Service in the service informer List method, which may leave some EndpointSlices in the cluster that should be deleted. In a usual Kubernetes environment this is not an issue since the OwnerReference should be deleting the EndpointSlices as well. In our case the actual Service still exists because we have this mechanism of creating a "virtual" service by adding the cluster name as a suffix to trigger a reconcile on each remote cluster. To fix that we are now returning the combination of all the local Services and the remote clusters instead of returning all the remote services. This allows triggering a reconcile on all the possible services, including some of them that don't exist, which would make the Get method of the Service informer return a not found error, which will then trigger a deletion via our cleanup hook. Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr> 17 June 2024, 10:48:51 UTC
6f9b8fd clustermesh: use EventuallyWithT in endpointslicemeshsync Use EventuallyWithT instead of waiting for the controller queue to be empty. The queue being empty does not signify that the reconciliation is done as the controller pops elements when the reconciliation starts and not when it ends. Suggested-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr> 17 June 2024, 10:48:51 UTC
b86d5fc chore(deps): update docker/build-push-action action to v6 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 10:46:11 UTC
7511f74 scripts: Add linter for logrus usage To catch reintroduction of logrus after a package has been converted over to slog, add a whitelist-based linter for finding imports of logrus from already converted packages. Signed-off-by: Jussi Maki <jussi@isovalent.com> 17 June 2024, 10:39:39 UTC
981c761 ipsec: Switch to slog Refactor the ipsec code to use slog logging. Signed-off-by: Jussi Maki <jussi@isovalent.com> 17 June 2024, 10:39:39 UTC
53fc716 sysctl: Switch to slog Refactor to use the slog logging. Signed-off-by: Jussi Maki <jussi@isovalent.com> 17 June 2024, 10:39:39 UTC
698026d linux: Switch linuxNodeHandler to use slog Refactor the linuxNodeHandler to use the slog logging. Signed-off-by: Jussi Maki <jussi@isovalent.com> 17 June 2024, 10:39:39 UTC
59fb337 devices: Switch to slog Refactor the DeviceManager to use slog logging. Signed-off-by: Jussi Maki <jussi@isovalent.com> 17 June 2024, 10:39:39 UTC
5c57430 config: Switch to slog Refactor to use the slog logging. Signed-off-by: Jussi Maki <jussi@isovalent.com> 17 June 2024, 10:39:39 UTC
949f983 bigtcp: Switch to slog Refactor to use the slog logging. Signed-off-by: Jussi Maki <jussi@isovalent.com> 17 June 2024, 10:39:39 UTC
1b57a7a bandwidth: Switch to slog Refactor to use the slog logging. Signed-off-by: Jussi Maki <jussi@isovalent.com> 17 June 2024, 10:39:39 UTC
63e90a8 fix(deps): update all go dependencies main Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 10:31:06 UTC
7de5df0 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 17 June 2024, 09:58:04 UTC
fd4134b chore(deps): update docker.io/library/golang:1.22.4 docker digest to c2010b9 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 09:58:04 UTC
304b7fd operator: ignore identity delete conflicts Ignore CiliumIdentity delete conflicts during the gc run (by skipping deletion and emitting a warning), allowing gc to continue if a subset of identities is conflicted. Prior to this change conflicts would cause gc to error, which could lead to an unexpected accumulation of stale CiliumIdentity objects. Signed-off-by: Jacob Henner <henner@arcesium.com> 17 June 2024, 09:39:38 UTC
6a63598 doc: Update doc for CRD CiliumNodeConfig from v2alpha1 to v2 Signed-off-by: Donia Chaiehloudj <donia.cld@isovalent.com> 17 June 2024, 09:18:28 UTC
77ea8e9 hubble/cli: add --node-label Signed-off-by: Alexandre Perrin <alex@isovalent.com> 17 June 2024, 09:15:27 UTC
0de97e7 hubble: add node label filter Signed-off-by: Alexandre Perrin <alex@isovalent.com> 17 June 2024, 09:15:27 UTC
9b6ee33 hubble: wire the localNodeWatcher in the observer setup Signed-off-by: Alexandre Perrin <alex@isovalent.com> 17 June 2024, 09:15:27 UTC
6db7004 hubble/observer: add a local node watcher This commit introduces the observer LocalNodeWatcher, which caches the local node information to be filled in Hubble flows. Because the label representations differ between the internal node.LocalNode struct and Hubble flows (a map and a key=val slice, respectively), we need to maintain a cache in order to avoid re-building the labels slice for each flow. The LocalNodeWatcher aims to solve this and can be hooked to the observer's OnGetFlows. Signed-off-by: Alexandre Perrin <alex@isovalent.com> 17 June 2024, 09:15:27 UTC
d6fb43b hubble/api: add node_labels to Hubble flows This is the first commit of a set introducing local node labels to Hubble flows. Filtering flows emitted from nodes having particular labels can be useful to debug the Egress Gateway feature: combined with the recently added network interface filter and/or SNAT IP filter one could then see egress flows related to a given CiliumEgressGatewayPolicy. Signed-off-by: Alexandre Perrin <alex@isovalent.com> 17 June 2024, 09:15:27 UTC
09ac42f chore(deps): update all lvh-images main Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 09:07:11 UTC
badf925 Add appArmorProfile to the securityContext as well Signed-off-by: Aurelien Benoist <aurelien.larcin@gmail.com> 17 June 2024, 08:35:00 UTC
3790121 add securityContext for cronjob & disable hostNetwork Signed-off-by: Aurelien Benoist <aurelien.larcin@gmail.com> 17 June 2024, 08:35:00 UTC
ba713d0 fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.164.1 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 08:26:04 UTC