Revision Author Date Message Commit Date
d515de3 auth: adjust logmessages in spire module This commit adjusts the log messages by using fields for providing context. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 08 June 2023, 14:24:35 UTC
b7d3427 auth: adjust logmessages This commit adjusts the log messages by using fields for providing context and by removing the prefix `auth: ` which is redundant to the logger's subsystem. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 08 June 2023, 14:24:35 UTC
a329fc1 auth: rename module from auth-manager to auth This commit renames the auth module's id from `auth-manager` to `auth`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 08 June 2023, 14:24:35 UTC
63cbc27 auth: replace global logger with injected one Currently package auth is using a package global defined logger. Hive provides the possibility to have a logger injected, which provides the context of the hive module. This commit refactors all occurrences to use the injected logger by configuring all components accordingly. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 08 June 2023, 14:24:35 UTC
60d063b ci: Wait for hubble-relay to be ready before port-forward This commit adds calls to `cilium status --wait` between places where hubble is enabled and hubble-relay is port forwarded. Flakes in CI were occurring due to a race condition, where an attempt to forward the hubble-relay port was occurring before the hubble-relay pod was ready. Related: https://github.com/cilium/cilium-cli/pull/986 Fixes: https://github.com/cilium/cilium/issues/25560 Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> 08 June 2023, 14:24:08 UTC
9fab23d helm: Check EndpointCRD is enabled when CiliumEndpointSlice is enabled too This commit adds a supplementary check during the deployment to prevent installing Cilium with the incompatible flags enableCiliumEndpointSlice=true disableEndpointCRD=true. Signed-off-by: Donia Chaiehloudj <donia.cld@isovalent.com> 08 June 2023, 14:03:27 UTC
c6bc4d6 helm: Change disableEndpointCRD type from string to boolean Signed-off-by: Donia Chaiehloudj <donia.cld@isovalent.com> 08 June 2023, 14:03:27 UTC
c53a392 operator: fix crash when cep CRD is disabled, CES enabled with kvstore Make the operator crash early in config.go if CiliumEndpointSlice is enabled and CiliumEndpointCRD is disabled. Note that the CiliumEndpointSlice feature needs CiliumEndpoint CRDs to run. In operator/cmd/root.go, remove the condition on CiliumEndpointCRD since at this point of the lifecycle, the operator should have crashed if we end up in this case. This fix is only relevant for kvstore mode, because in identity-allocation-mode CRD, we forcefully enable the CiliumEndpoint CRD. Fixes #24396 Signed-off-by: Donia Chaiehloudj <donia.cld@isovalent.com> 08 June 2023, 14:03:27 UTC
38f430d bpf, maps: rename DeepCopyMapKey/Value() interface methods to New() Since the deep copying semantic was removed in a prior commit, rename the interface methods and all their implementations to New(). Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
c5d15fc bpf, maps: remove k8s DeepCopy generators from all bpf.MapKey/Values Since the DeepCopy semantic for map k/v types was basically unused, remove it and all the code generation needed to support it. Implementing new k/v types is now much more straightforward. Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
0af7a24 maps, daemon: remove use of MapKey/Value DeepCopies outside of package bpf To reduce the bpf.MapKey and bpf.MapValue interface footprints, wind down usage of DeepCopy methods outside of package bpf. A future commit will replace this method with New(), which is currently what it's primarily abused for (in DumpWithCallback and friends). Map keys and values cannot contain pointer types, so the presence of deep copy methods is questionable. Copying these types by value should be sufficient to achieve 'deep' copying behaviour. The changes in this patch aim to be no-ops: - The ToHost() methods implemented on lbmap.BackendValue, AffinityMatchKey and ServiceValue all copy their receivers by value and already return new copies. - The callback in policymap dereferences the pointer (and DumpCallbacks already receive pointers to unshared copies), so an additional copy is unnecessary. - The lxcmap callback was changed to dereference the pointers received in the callback and return a map of EndpointInfos instead of pointers. Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
58bc8c4 bpf: unexport Map.MapKey and Map.MapValue Since these are really for internal use only (returning the correct types from Lookup and Dump*), unexport the variable. Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
1d1b385 bpf: remove MapKey/Value footgun from OpenMap It was documented in a few places that OpenMap requires the caller to manually set Map.MapKey and MapValue. Make OpenMap take those values as parameters instead. Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
82a1f93 bpf: remove MapKey.NewValue() This ended up only being used by lbmap, which has its own ServiceKey and ServiceValue interfaces. Added ServiceValue.New() instead. Remove NewValue() from all types implementing MapKey. Fix a few linter errors regarding unused struct padding. Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
356861d bpf, maps: remove DumpParser and ConvertKeyValue ebpf-go already has the capability to unmarshal map keys and values into any given pointer type. DumpParser was only ever nil or ConvertKeyValue, so cut it out entirely and let the library unmarshal directly into MapKey and MapValue. This means we no longer need pkg/bpf/binary, remove it. Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
8ae20c7 bpf: remove UnpinMapIfExists(), use Map.Unpin() This was only used in tests, not sure why it was useful. Works on closed Maps regardless, and was a glorified (and expensive) version of os.RemoveAll(). Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
991f71e bpf: remove MapKey.GetKeyPtr() and MapValue.GetValuePtr() Currently, the MapKey and MapValue interfaces are a little bloated for what they're supposed to accomplish: identifying types to be used as map keys and values. The MapKey and MapValue interfaces provide useful methods, but also contain a few that are either not strictly necessary, sidestep Go's runtime safety, actively hurt performance, or all three. This series of patches aims to drive down the burden of implementing and maintaining k/v types by removing some of these methods, starting with GetKeyPtr() and GetValuePtr(). The legacy (now removed) implementations of map operations (update, lookup, delete) had underlying primitives that operated exclusively on unsafe.Pointers. The burden of returning those pointers was put on the MapKey and MapValue types themselves by requiring the implementation of methods that returned them. With the move to ebpf-go-based map operations, this is no longer necessary, as standard Go pointers are now supported, and values are marshaled to/from []byte under the hood. The new implementation also checks if the length of the input type corresponds to the key or value type configured on the map, which was not previously possible with the opaque unsafe.Pointer approach. This change surfaced cases where structs used as map k/v were lacking the appropriate padding. Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
1e9c567 bpf: replace MapInfo with ebpf.MapSpec and MapType with ebpf.MapType This commit removes pkg/bpf.MapType and inlines its allowsPreallocation and requiresPreallocation methods into GetPreallocateMapFlags. Also removes its MapType* enum and replaces all of its uses by constants exported from ebpf-go. GetPreallocateMapFlags and NewMap now take an ebpf.MapType instead of a pkg/bpf.MapType. NewMap and friends no longer take key/value sizes. Removed pkg/bpf.MapInfo in favor of Map.spec field containing an *ebpf.MapSpec. Getter methods like Map.Type(), Map.MaxEntries() etc. replace direct MapInfo field accesses. Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
49298ca bpf: replace GetMapInfo with ebpf.Map in objCheck The ebpf.Map contained in a bpf.Map already contains the necessary map info for running the comparison in objCheck. Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
bc88e69 bpf: add benchmark for Map.Lookup() Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
77a01f1 vendor: bump cilium/ebpf dependency to unreleased master A subsequent commit will get rid of doing map operations using unsafe.Pointer in favor of passing plain, safe Go pointers. ebpf-go was not re-using bytes.Buffers in the key marshaling path, leading to a rather severe performance hit. This shortcoming has been addressed on cilium/ebpf@master, but there is no release yet. Signed-off-by: Timo Beckers <timo@isovalent.com> 08 June 2023, 13:39:14 UTC
6b8adac BGPv1: Adds Peer Port Support A user can annotate a node with `local-port` to have BGPRouterManager listen on a port other than 179. However, the BgpServerInstance only creates a peering connection using port 179. This means either passive mode is required when one node specifies a non standard port or two Cilium nodes cannot establish a BGP neighbor relationship when both specify a non-standard port. This PR adds an optional `PeerPort` field to the CiliumBGPVirtualRouter API type, allowing a user to specify the BGP peer's TCP port. When unspecified, the BgpServerInstance continues to use port 179. Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io> 08 June 2023, 11:27:13 UTC
0ee2a6f docs: Add externalTrafficPolicy=Local description to BGP CPlane doc As we now implemented the support for externalTrafficPolicy in 24e37ed4f42916333335e678db1ae78022ac3e4c. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 08 June 2023, 11:26:19 UTC
745cd32 daemon: Convert ingress restoration code to async ipcache API Move to the new async ipcache API, see GH-21142. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 June 2023, 10:50:41 UTC
f8094af ip: Add IPNetToPrefix() helper This will be useful going forward when wanting to convert net.IPNet prefixes to netip.Prefix. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 June 2023, 10:50:41 UTC
9ad27a8 daemon: Convert host IP sync to async ipcache API Switch over from using direct ipcache insertion with raw identities to a label-based model, see GH-21142. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 June 2023, 10:50:41 UTC
6bf30e4 node: Replace node manager's dynamic metrics with modular metrics The node manager does dynamic metrics registration and cleanup. This commit replaces it with modular metrics to remove the usage of the global registry functions. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 08 June 2023, 10:03:14 UTC
d3cbea3 Update USERS.md Adding SIGHUP to the USERS list Signed-off-by: Jacopo Nardiello <jnardiello@users.noreply.github.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 08 June 2023, 10:00:08 UTC
2178f93 kvstore: extend the SyncStore to observe lease expirations The SyncStore now registers an observer to get notified in case the lease attached to any managed key expires, so that the given key can be enqueued to be synchronized again in the kvstore. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 08 June 2023, 09:38:39 UTC
52eb992 kvstore: allow to register an observer for expired leases Now that we track the keys attached to each lease, let's allow registering callbacks to be executed for each key attached to a lease that has expired or failed to be renewed. This allows possible subscribers to be notified and take care of inserting the given keys again. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 08 June 2023, 09:38:39 UTC
b7fd190 kvstore: switch from single session to lease manager This commit modifies the etcd client to use the newly introduced lease manager in place of the static session, adapting the different call sites. One side effect is that we now create only one lease (instead of two) in case the client is used in read-only mode (e.g., in the clustermesh case). Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 08 June 2023, 09:38:39 UTC
e9b4795 kvstore: introduce the lease manager Currently, each etcd client is associated with a single session, and the corresponding lease is attached to all upserted keys (if the lease parameter is set). This approach, though, suffers from performance issues, because put requests in etcd take linear apply time depending on the number of keys already attached to the lease (etcd-io/etcd#15993). This performance penalty is planned to be fixed in etcd (at least for the common case in which the user which performs the request has root role). In the meanwhile, let's make sure that we attach a limited number of keys to a single lease. In particular, this commit introduces the etcd lease manager, which is responsible for managing the lease acquisitions, tracking the keys that are attached to each of them. Once the number of keys per lease exceeds the configured threshold, a new lease gets automatically acquired. The lease usage counter is decremented when a given key gets deleted. Finally, in case one of the leases fails to be renewed, the manager allows to emit a notification event for all the keys that were attached to it. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 08 June 2023, 09:38:39 UTC
6f864ea auth: add missing stream package import This commit adds back the stream package import, which appears to be missing due to a merge race between #25927 and #25934. Fixes: eb653b60338e ("auth: use Resource.Observe for jobs") Fixes: ebb6fc38803a ("auth: implement re-authentication in case of rotated certificates") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 08 June 2023, 08:37:28 UTC
4c8f8dd chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 08 June 2023, 07:56:30 UTC
131b587 auth: add missing config values to helm values Currently, some auth-related config properties are not exposed/configurable via Helm Chart. This commit adds the missing properties to the Helm Chart. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 08 June 2023, 07:53:39 UTC
4dfc90a Add ZeroHash as user to Cilium Signed-off-by: Eugene Starchenko <17835122+eugenestarchenko@users.noreply.github.com> 08 June 2023, 07:52:46 UTC
d18cf57 docs: Deprecate `cluster-pool-v2beta` The `cluster-pool-v2beta` IPAM mode has been added in Cilium v1.12 as a preview feature. Since then, we have added a more flexible `multi-pool` IPAM mode, which addresses some of the shortcomings of `cluster-pool-v2`. Mainly, `multi-pool` supports multiple pod CIDR pools, it has a simpler CIDR release mechanism, and it allows users to specify what IP pool a certain pod should allocate from via pod annotation. Therefore, since `cluster-pool-v2beta` was never made generally available and was never recommended for production (and indeed still has a few known limitations and bugs), we deprecate it in v1.14, with the plan to remove it in v1.15. The only `cluster-pool-v2beta` feature that is lacking in `multi-pool` IPAM mode is BGP support. We intend to add BGP support to multi-pool IPAM in Cilium v1.15. This commit also hides a few mentions of the `cluster-pool-v2beta` mode from the command-line help page. This does not impact any functional behavior. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 08 June 2023, 07:52:01 UTC
aee97b4 Makefile: use CLI to set local images for kind-install-cilium-clustermesh `make-kind-clustermesh-images` uses `KIND_ENV` to set image repositories for local images to be pushed to kind clusters, however these are not actually used when installing Cilium on the kind clusters in `kind-install-cilium-clustermesh`. The hardcoded image overrides have been removed from the helm values for these clusters and replaced with CLI flags to specify using the local images for Agent and Operator. Signed-off-by: Tim Horner <timothy.horner@isovalent.com> 08 June 2023, 07:50:55 UTC
eb653b6 auth: use Resource.Observe for jobs This commit replaces Resource.Events in combination with stream.FromChannel by using Resource.Observe(...) directly. This has the additional advantage that context handling is automatically handled. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 08 June 2023, 07:50:26 UTC
9dc8dae resource: implement stream.Observable This commit lets resource.Resource implement stream.Observable to easily use k8s resources as observable without wrapping them with stream.FromChannel. This is especially useful with hive jobs and makes direct use of the context handling. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 08 June 2023, 07:50:26 UTC
532d810 clustermesh: delete stale ipcache entries on reconnect/disconnect Currently, a new ipcache watcher is created for each connection to the kvstore backend of a remote cluster, and the old one is dropped. Yet, this approach leads to missing the deletion event for possible entries that are removed in the remote cluster during the reconnection process (added entries would instead be detected by the initial "list" operation). This commit fixes this issue by moving to a single ipcache watcher per remote cluster, which is reused upon reconnection. Specifically, it now leverages the newly introduced RestartableWatchStore to automatically trigger a deletion event for all previously known entries that are no longer present after a reconnection. Special handling is performed in case the ClusterID associated with the watcher is changed, draining all previously known entries as no longer valid (even if still present, they need to be observed again with the new ClusterID). Additionally, all ipcache entries are drained when disconnecting from a remote cluster, to properly clean up the status without requiring a restart of the agent. By contrast, they are not drained when simply shutting down, to avoid breaking existing connections on restart. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 08 June 2023, 07:47:58 UTC
6df9d10 pkg/ipam: Update histogram buckets for trigger metrics Currently, trigger related histogram metrics in pkg/ipam use the default prometheus histogram buckets. Resync operations in cloud providers like Azure tend to take a long time and the current buckets are inadequate to track changes in behavior. This commit extends the buckets to allow for measuring longer durations. Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> 08 June 2023, 07:47:45 UTC
438d00b Add detailed panic messages for slim ObjectMeta and ListMeta Currently it's hard to track down which method panics are coming from when we do hit them during upgrades. Stacktraces don't seem to have enough information to pinpoint the origin either. Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> 08 June 2023, 07:46:04 UTC
72cb0f9 cilium/cmd: Deprecate `cilium endpoint regenerate` command As mentioned in GH-25948, let's deprecate this command and queue it for removal in v1.15. Signed-off-by: Chris Tarazi <chris@isovalent.com> 07 June 2023, 22:58:53 UTC
5eb9012 chore(deps): update golangci/golangci-lint docker tag to v1.53.2 Signed-off-by: renovate[bot] <bot@renovateapp.com> 07 June 2023, 22:24:42 UTC
0717155 chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 Signed-off-by: renovate[bot] <bot@renovateapp.com> 07 June 2023, 22:03:54 UTC
68ae82e ipam/allocator: remove unused allocator types The PoolGroupAllocator and NoOpAllocator allocator types are unused since commit 24cb0618756b ("azure: Calculate available addresses based on subnet resource"). These are the only types implementing the corresponding Allocator interface. The PoolAllocator type (not to be confused with ipam/allocator/multipool.PoolAllocator) was only used by PoolGroupAllocator allocator, so remove it as well. Also remove the now empty AllocatorSuite test suite. Signed-off-by: Tobias Klauser <tobias@cilium.io> 07 June 2023, 19:57:24 UTC
8d6a6bf images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 07 June 2023, 18:50:26 UTC
58f1666 chore(deps): update go to v1.20.5 Signed-off-by: renovate[bot] <bot@renovateapp.com> 07 June 2023, 18:50:26 UTC
f8d93a4 Documentation: Document BGP timers & neighbor update behavior Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 07 June 2023, 17:01:14 UTC
894aa4e proxy: Increment non-DNS proxy ports on failure Increment non-DNS proxy ports on failure even if DNS has been configured with a static port. Fixes: #20896 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 07 June 2023, 17:00:46 UTC
ca61998 proxy: Only update redirects with configured proxy ports Only update an existing redirect if it is configured. This prevents Cilium agent panic when trying to update redirect with released proxy port. This has only been observed to happen with explicit Envoy listener redirects in CiliumNetworkPolicy when the listener has been removed. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 07 June 2023, 17:00:46 UTC
525007f proxy: Do not panic on local error CreateOrUpdateRedirect called nil revertFunc when any local error was returned. This was done using the pattern `return 0, err, nil, nil` which sets the revertFunc return variable as nil, but this was called on a deferred function to revert any changes on a local error. Fix this by calling ReverStack.Revert() directly on the deferred function, and setting the return variable if there was no local error. This was hit any time a CiliumNetworkPolicy referred to a non-existing listener. Add a test case that reproduced the panic and works after the fix. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 07 June 2023, 17:00:46 UTC
63db66a Remove references to GOPATH in documentation It is no longer necessary to build or develop Cilium from your GOPATH, and any directory can be used. Signed-off-by: James Laverack <james@isovalent.com> 07 June 2023, 15:22:32 UTC
23bac97 .github/workflows: update comment list with test names Signed-off-by: André Martins <andre@cilium.io> 07 June 2023, 14:57:32 UTC
5c46c8a .github/workflows: add linter to check out-of-sync test comments With this linter we will be able to catch out-of-sync comments whenever tests are added or removed from Ginkgo test suite. Once the linter catches out-of-sync comments, the developer can add or remove the comments in the appropriate focus section of the workflow file. Signed-off-by: André Martins <andre@cilium.io> 07 June 2023, 14:57:32 UTC
41a48c5 k8s: fix ciliumpodippools CRD controller-gen version This commit fixes the outdated version in the annotation `controller-gen.kubebuilder.io/version` of the CRD ciliumpodippools by updating it to `v0.11.4`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 June 2023, 13:17:43 UTC
b302f77 bgpv1: Extend the timeout for the Test_NeighborAddDel test After the recent GoBGP version upgrade the Test_NeighborAddDel test takes a bit longer than it used to. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 07 June 2023, 12:22:16 UTC
e3580a0 ci/datapath-verifier: Don't overwrite artifacts between jobs In the tests-datapath-verifier workflow, all jobs generated from the matrix (for running the tests with different kernel versions) upload files to the same artifact on failure. This means that a job may overwrite the upload from a previous job, and in the end we only get the uploads from the last job to complete. If several jobs fail with different errors, then we lose useful debugging information. Let's have the jobs upload their files to separate artifacts, named after the kernel version in use. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 07 June 2023, 12:21:20 UTC
163e292 test/verifier: Preserve generated object files over multiple runs For a given source file, we build the object multiple times, with a different set of build options. This results in object files being lost on failure. To address this, we rename the object files to include the iteration number, so that they're still present when we upload to the CI artifact. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 07 June 2023, 12:21:20 UTC
d3ef5b2 test/verifier: Avoid pruning object files before testing the next file The verifier tests include a run of "make -C bpf/ clean" prior to testing the programs in each BPF source file. While this sounds like a sane practice, this means that at the end of the run, we're left with only one object file under bpf/, the one used by the last tests (namely: bpf_sock.o). While the object files are trivial to rebuild locally, this prevents the CI workflow from finding and uploading the relevant object files for instances where the verifier's logs are not enough to debug. Let's run instead a single "make -C bpf/ clean" on startup. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 07 June 2023, 12:21:20 UTC
376d005 l2responder: Send gARP when acquiring a new IP When failover occurs a different node will start responding to ARP. But other nodes on the network will not know this has happened and thus keep using the ARP entry from their local cache. This commit makes it so we broadcast a gARP reply with the new MAC address of the IP any time we reconcile an IP+ifidx tuple that was not yet present in the L2 responder map. Nodes that honor gARP replies will update their ARP cache to minimize downtime. Those who do not honor these replies will have more downtime until their ARP cache entry expires and they perform an ARP request themselves. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 07 June 2023, 10:25:13 UTC
68f6e4b garp: Changed send function to send replies instead of requests The garp package was sending out ARP requests; while valid in some situations, what we actually need is to send out ARP replies which tell nodes on the network what the new MAC address is for a given IP instead of asking the nodes. This commit also changes `SendOnInterface` to `SendOnInterfaceIdx` since the only call site for this function has indices, not names, available. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 07 June 2023, 10:25:13 UTC
f3a88e4 operator: add support for CiliumPodIPPool CRD The operator watches CiliumPodIPPool resources when using the multi-pool IPAM mode and propagates upsert and delete operations to the internal IPAM multipool allocator bookkeeping using the interfaces added in the preceding commits. Signed-off-by: Tobias Klauser <tobias@cilium.io> 07 June 2023, 09:38:47 UTC
c004344 ipam/allocator/multipool: retry node allocations on all failures In case a CiliumPodIPPool didn't yet exist on resync, allocating a CIDR to a restored CiliumNode would currently fail without being retried. This e.g. leads to a bootstrapping problem when the cilium-operator didn't yet register the CiliumPodIPPool CRD with the k8s apiserver, but nodes would already come up before the CiliumPodIPPool they request their podCIDR from has been created. Fix this by keeping nodes in the map of nodes to be restored in case of all errors until either the resync is completed (and the controller would take care to consolidate the state) or the allocation succeeds. Co-authored-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 07 June 2023, 09:38:47 UTC
8bb033b ipam/allocator/multipool: allow to update and delete pools This will allow to update pool CIDRs using the CiliumPodIPPool CRD. However, changing of mask sizes is rejected. Unfortunately, this requirement cannot be enforced in the CRD itself using kubebuilder validator, so the allocator checks whether the mask sizes match on update. Signed-off-by: Tobias Klauser <tobias@cilium.io> 07 June 2023, 09:38:47 UTC
0e04978 ipam/allocator/multipool: always delete node from pending allocations Make sure we no longer track eventual allocations for the node being deleted in (*NodeHandler).Delete. Co-authored-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 07 June 2023, 09:38:47 UTC
02cb2eb ipam/allocator/multipool: track mask size in cidrPool This will be used in a successive commit to check and reject a pool update when mask size was changed in a CiliumPodIPPool CRD. Signed-off-by: Tobias Klauser <tobias@cilium.io> 07 June 2023, 09:38:47 UTC
7545b60 ipam/allocator/multipool: introduce RWMutex protecting PoolAllocator fields A successive commit will add the ability to update and delete pools dynamically and concurrently, thus the PoolAllocator fields need to be protected from concurrent access. Signed-off-by: Tobias Klauser <tobias@cilium.io> 07 June 2023, 09:38:47 UTC
f6fdc91 ipam/allocator/multipool: remove unused NodeHandler.nodesPendingK8sUpdate The map is only initialized but never used. While at it, also fix the import group ordering in node_handler.go Signed-off-by: Tobias Klauser <tobias@cilium.io> 07 June 2023, 09:38:47 UTC
1a866a7 ipam/allocator: add CIDRAllocator.Prefix method This allows to get the prefix of a *CidrSet as a netip.Prefix and will be used in a successive commit. Signed-off-by: Tobias Klauser <tobias@cilium.io> 07 June 2023, 09:38:47 UTC
4a48927 ipam/allocator: add CIDRAllocator.IsClusterCIDR method This allows to check the exact CIDR of a *CidrSet and will be used in a successive commit. Signed-off-by: Tobias Klauser <tobias@cilium.io> 07 June 2023, 09:38:47 UTC
b7b7fb7 k8s: add CiliumPodIPPool CRD and scaffolding This generates the CiliumPodIPPool and CiliumPodIPPoolList types, to specify an IP pool to be used with IP pools in the multi-pool IPAM mode. See [1] for details. [1] https://docs.google.com/document/d/1FIyfhVegljG9anXpyA25gEYzuUGpfHo_MycZ-Wk0VeE Signed-off-by: Tobias Klauser <tobias@cilium.io> 07 June 2023, 09:38:47 UTC
e4cf16a .github: conformance ginkgo improve UX for issue_comments To be consistent with other workflows that use matrixes, conformance-e2e.yaml, we should also report the workflow status in a similar way. Signed-off-by: André Martins <andre@cilium.io> 07 June 2023, 08:50:44 UTC
91fa97a .github: fix conditional check on conformance ginkgo In order for needs.*.outputs.* work, the job needs to depend on the job that is being checked. Fixes: 79e1c31260c3 (".github: add missing job to check for code changes") Signed-off-by: André Martins <andre@cilium.io> 07 June 2023, 08:50:44 UTC
592777d loader: In IPsec reload ignore veth devices & fix settle wait reloadIPSecOnLinkChanges() did not ignore veth device updates causing reload to be triggered when new endpoints were created. Ignore any updates with "veth" as device type. The draining of updates during settle wait was broken due to unintentional breaking out of the loop. Removed the break. Fixes: bf0940b4ff ("loader: Reinitialize IPsec on device changes on ENI") Signed-off-by: Jussi Maki <jussi@isovalent.com> 07 June 2023, 06:48:52 UTC
4704655 loader: Do not fatal on IPsec reinitialization Now that the code is reloading the bpf_network program at runtime we should not fatal if we fail to reload the program since this may be caused by ongoing interface changes (e.g. interface was being removed). Change the log.Fatal into log.Error and keep loading to other interfaces. Fixes: bf0940b4ff ("loader: Reinitialize IPsec on device changes on ENI") Signed-off-by: Jussi Maki <jussi@isovalent.com> 07 June 2023, 06:48:52 UTC
fa85a7f bgpv1: graceful restart component test Added component test for bgp graceful restart configuration knobs and corresponding get peer state validation. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 07 June 2023, 06:39:32 UTC
05bb6ce Identity GC skips IDs that are used in CESs When Cilium Endpoint Slices are enabled, Cilium Identities shouldn’t be deleted while they are still used by CES. This is a fix in the operator to check if CESs from the CES store are using Identities before deleting them. ```release-note Fix for Identities that can be deleted before CESs are reconciled ``` Signed-off-by: Dorde Lapcevic <dordel@google.com> 07 June 2023, 06:16:46 UTC
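The check described in this commit, as an added example that is not Cilium's own operator code: before deleting an identity that looks stale, first build the set of identity IDs still referenced by any CiliumEndpointSlice in the store and skip those. The `Identity` and `CiliumEndpointSlice` types, the heartbeat timeout and the sample data are simplified stand-ins constructed for the example, not the project's real types.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Hypothetical, simplified stand-ins for the real Kubernetes objects: an
// Identity carries a numeric ID and the time it was last seen in use, a
// CiliumEndpointSlice lists the identity IDs of the endpoints it batches.
type Identity struct {
	ID            uint32
	LastHeartbeat time.Time
}

type CiliumEndpointSlice struct {
	Name        string
	IdentityIDs []uint32
}

// referencedByCES builds the set of identity IDs that any slice in the CES
// store still refers to. This is the "live" set the GC must not touch.
func referencedByCES(store []CiliumEndpointSlice) map[uint32]struct{} {
	inUse := make(map[uint32]struct{})
	for _, ces := range store {
		for _, id := range ces.IdentityIDs {
			inUse[id] = struct{}{}
		}
	}
	return inUse
}

// GCIdentities splits identities into those that may be deleted and those
// that must be kept. An identity is deletable only if its heartbeat is older
// than timeout AND no CES references it: a stale-looking identity that a CES
// still names has simply not been reconciled yet and is kept.
func GCIdentities(ids []Identity, store []CiliumEndpointSlice, now time.Time, timeout time.Duration) (deleted, kept []uint32) {
	inUse := referencedByCES(store)
	for _, id := range ids {
		stale := now.Sub(id.LastHeartbeat) > timeout
		_, used := inUse[id.ID]
		if stale && !used {
			deleted = append(deleted, id.ID)
		} else {
			kept = append(kept, id.ID)
		}
	}
	sort.Slice(deleted, func(i, j int) bool { return deleted[i] < deleted[j] })
	sort.Slice(kept, func(i, j int) bool { return kept[i] < kept[j] })
	return deleted, kept
}

func main() {
	now := time.Date(2023, 6, 7, 0, 0, 0, 0, time.UTC)
	// Constructed sample data: two stale identities, one of them still
	// referenced by a CES, and one fresh identity.
	ids := []Identity{
		{ID: 1001, LastHeartbeat: now.Add(-2 * time.Hour)},   // stale, unreferenced: delete
		{ID: 1002, LastHeartbeat: now.Add(-2 * time.Hour)},   // stale but in a CES: keep
		{ID: 1003, LastHeartbeat: now.Add(-1 * time.Minute)}, // fresh: keep
	}
	store := []CiliumEndpointSlice{{Name: "ces-a", IdentityIDs: []uint32{1002}}}
	del, keep := GCIdentities(ids, store, now, time.Hour)
	fmt.Println("delete:", del, "keep:", keep)
}
```

The point of computing the live set from the CES store rather than from reconciled CiliumEndpoints is ordering: a slice can reference an identity before the endpoints it contains have been reconciled, and a GC that only consults the reconciled objects would delete the identity in that window.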
be6b6ed Update threat model Adds information on the possibility of spoofing attacks carried out by network attackers with knowledge of pod network configuration. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> 07 June 2023, 06:15:37 UTC
505ccc0 Adding Eficode to USERS.md Signed-off-by: Andy Allred <andy.allred@eficode.com> 07 June 2023, 06:14:47 UTC
686924e Add APAC timezone meeting to README.rst Co-authored-by: Sarah Corleissen <sarah.corleissen@isovalent.com> Signed-off-by: Liz Rice <liz@lizrice.com> 07 June 2023, 06:14:10 UTC
ebb6fc3 auth: implement re-authentication in case of rotated certificates This commit introduces mutual auth re-authentication. Whenever an authhandler is emitting CertificateRotatedEvents, an authentication will be triggered. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 June 2023, 06:13:36 UTC
4c9e938 auth: refactor auth with job This commit refactors the authentication triggered by the signal map to use the hive job framework. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 June 2023, 06:13:36 UTC
e5979b5 vendor: Update GoBGP to v3.15.1-0.20230605074248-03982e597eac Updates GoBGP to the newest version to incorporate upstream fixes for eBGP multihop and graceful restart. It can be updated to the next patch/minor release version once it is out. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 07 June 2023, 06:13:24 UTC
7b0ae2a bgpv1: Add support for eBGP-multihop in BGP control plane Extends the CiliumBGPNeighbor CRD with a new option, which controls the multi-hop feature for eBGP peers. If non-zero, the given value is used in BGP packets sent to the neighbor. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 07 June 2023, 06:13:24 UTC
7362cbe bpf: nat: limit scope of CT lookup SNAT should only care about outbound connections, while RevSNAT only wants the replies for such connections. Apply the corresponding scope to their CT lookups. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 June 2023, 05:29:07 UTC
35fe012 bpf: nat: pull snat_*_track_connection() into callers The behaviour for SNAT and RevSNAT is sufficiently different that it makes little sense to squeeze everything into a shared helper. Just open-code the CT lookup in the callers. For the RevSNAT case this even allows us to remove one of the temporary CT tuples. Also remove the relevant BPF unit tests - we still have coverage for these paths through `bpf_nat_tests.c`. (Note that this doesn't completely remove the unused `ext_err` from the RevSNAT path. I expect we will be using it pretty soon for other errors, so let's avoid the churn for now). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 June 2023, 05:29:07 UTC
50831ae bpf: nat: don't create new CT entries from RevSNAT path The NAT code's CT helper currently doesn't differentiate whether it's called from SNAT or RevSNAT context. If the CT lookup doesn't return an entry, it unconditionally creates a new CT entry. But RevSNAT should only be applied to replies of outbound connections. The expected behaviour is that when such a connection's first packet is handled by the SNAT path, we create (1) a NAT entry, (2) a RevNAT entry, and (3) a CT entry that keeps the NAT entries from being GCed. Thus we should never encounter a situation where the RevSNAT path finds a matching RevNAT entry for a packet, but then doesn't find the corresponding CT entry. And the CT entry we *would* create in this case does not match what we create from the SNAT path at all (for a start, the type is CT_INGRESS when it should be CT_EGRESS). So skip the ct_create*() call from the RevSNAT path. This gives us more robust behaviour, and reduces code size. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 June 2023, 05:29:07 UTC
4ffe892 conformance-runtime: Bump timeout to wait for images There have been some timeouts. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 06 June 2023, 22:53:41 UTC
e727175 bpf: nodeport: don't reset aggregate ID when revDNAT is called by bpf_lxc tail_rev_nodeport_lb*() is typically used for RevDNAT of replies by a remote service backend, on a NAT connection. To avoid accidental rate-limiting in to-netdev, we need to clear the EDT aggregate-ID (which is stored in skb->queue_mapping). But in the "legacy" path for replies by local service backends, from-container also tail-calls to CILIUM_CALL_IPV*_NODEPORT_REVNAT for RevDNAT handling. Current code would then accidentally clear the aggregate-ID that was previously set by bpf_lxc, and the traffic would pass through to-netdev without rate-limiting. Fix this by excluding the relevant code for bpf_lxc. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 June 2023, 16:09:53 UTC
c2b5e70 docs: Slack updates - List some more of the existing Slack channels - Clarify that not all Slack channels have to be listed in the docs - Document how to request a new Slack channel Signed-off-by: Liz Rice <liz@lizrice.com> Co-authored-by: David Bimmler <david.bimmler@isovalent.com> 06 June 2023, 14:42:33 UTC
2d1f68c conformance-k8s-kind: Use Helm mode cilium-cli Ref: https://github.com/cilium/cilium-cli#experimental-helm-installation-mode Ref: #25156 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 06 June 2023, 14:39:42 UTC
8582a62 docs: Deprecate CNPStatusUpdates/K8sEventHandover CNP Status Updates are known to cause scalability-related issues. Deprecate it in preparation to remove support in a future release, to minimize the maintenance burden of this code. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 06 June 2023, 13:28:37 UTC
31f6ab1 helm: Value for ipsec-key-rotation-duration This commit defines a Helm value for the agent flag added in commit b7ecd9018 ("ipsec, option: Make the IPsec key rotation delay configurable"). Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 06 June 2023, 12:22:22 UTC
3ee2fb7 helm: Value for enable-ipsec-key-watcher This commit adds a Helm value for the enable-ipsec-key-watcher agent flag introduced in the previous commit. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 06 June 2023, 12:22:22 UTC
a579e9b ipsec, option: Allow users to disable the IPsec key watcher The IPsec key watcher is used to automatically detect and apply changes in the key (typically during key rotations). Having this watcher avoids having to restart the agents to apply the key change. It can however be desired to only apply the key change when the agent is restarted. It gives control to the user on when exactly the change happens. It may also be used as a way to switch from one IPsec implementation to another (XFRM configs specifically): the user rotates the key just before the upgrade; on upgrade, the SPI is implicitly used to distinguish between the old and new implementations as well as the old and new keys. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 06 June 2023, 12:22:22 UTC
1bc9e90 build: Avoid cross compilation issue on Windows Happens in cilium-cli PR when trying to import the latest cilium/cilium main hash. This commit is to perform the following: - Remove unix.SIGINT as it's same as os.Interrupt - Replace unix.SIGTERM by syscall.SIGTERM for cross compilation ``` Error: vendor/github.com/cilium/cilium/pkg/hive/hive.go:202:44: undefined: unix.SIGINT Error: vendor/github.com/cilium/cilium/pkg/hive/hive.go:202:57: undefined: unix.SIGTERM Error: Process completed with exit code 1. ``` Signed-off-by: Tam Mach <tam.mach@cilium.io> 06 June 2023, 12:22:05 UTC
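The portable signal handling this commit switches to, as an added example that is not the project's hive code: `os.Interrupt` is the cross-platform name for SIGINT and `syscall.SIGTERM` is defined for every GOOS, so the file builds under `GOOS=windows`, whereas `golang.org/x/sys/unix` has no Windows build and its `SIGINT`/`SIGTERM` are undefined there, which is exactly the error quoted above. The `ShutdownListener` type and its method names are the example's own.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"os/signal"
	"syscall"
	"time"
)

// ShutdownSignals lists the signals a long-running agent treats as a stop
// request. os.Interrupt is the portable spelling of SIGINT, and
// syscall.SIGTERM exists on every GOOS (on Windows it compiles but is never
// delivered by the OS), unlike unix.SIGINT / unix.SIGTERM from
// golang.org/x/sys/unix, which do not exist for GOOS=windows.
func ShutdownSignals() []os.Signal {
	return []os.Signal{os.Interrupt, syscall.SIGTERM}
}

// ShutdownListener registers for the shutdown signals at construction time,
// so a signal arriving before Wait is called is not lost: the channel is
// buffered and signal.Notify never blocks on delivery.
type ShutdownListener struct {
	ch chan os.Signal
}

func NewShutdownListener() *ShutdownListener {
	l := &ShutdownListener{ch: make(chan os.Signal, 1)}
	signal.Notify(l.ch, ShutdownSignals()...)
	return l
}

// Wait blocks until a shutdown signal arrives or ctx is done. It returns the
// signal received, or nil together with ctx.Err() if the context won.
func (l *ShutdownListener) Wait(ctx context.Context) (os.Signal, error) {
	select {
	case sig := <-l.ch:
		return sig, nil
	case <-ctx.Done():
		return nil, ctx.Err()
	}
}

// Stop restores the default disposition of the signals, so that a second
// Ctrl-C after shutdown has begun kills the process instead of being
// swallowed by a handler that is no longer listening.
func (l *ShutdownListener) Stop() {
	signal.Stop(l.ch)
}

func main() {
	l := NewShutdownListener()
	defer l.Stop()

	// Give up after 10 seconds so the demo exits on its own if no signal
	// is sent; a real agent would pass its run context here instead.
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	fmt.Printf("pid %d: waiting for SIGINT/SIGTERM\n", os.Getpid())
	sig, err := l.Wait(ctx)
	if err != nil {
		fmt.Println("no signal:", err)
		return
	}
	fmt.Println("shutting down on", sig)
}
```

Registering in the constructor rather than inside `Wait` matters for the race the hive code cares about: the process may receive SIGTERM during startup, before the main loop reaches the point where it waits, and a signal that arrives with no handler installed terminates the process immediately.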
887a853 bpf: xdp: fix coccicheck warning about DROP_MISSED_TAIL_CALL The coccicheck workflow strictly wants us to throw the drop notification right away. It's not enough to fall through to the drop notification below. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 June 2023, 12:05:27 UTC
96c8b47 test/artifacts: Skip various duplicate kubectl commands Those kubectl commands are already part of the sysdump collected for artifacts since commit e93fdd87b ("test: Collect sysdump as part of artifacts"). Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 06 June 2023, 11:58:16 UTC