Revision Author Date Message Commit Date
e0790a9 bugtool: add missing bpftool map dumps [ upstream commit c573ff85c02a3a404bfd6873baf65b5ea408cdf0 ] Fixes:#16008 Signed-off-by: Gaurav Genani <h3llix.pvt@gmail.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
51a492c typo [ upstream commit a0e3269547d9b1a3e67071fbac92d9f77ba8cb86 ] Signed-off-by: Alex Romanov <alex@romanov.ws> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
ab9d556 .github: Don't wait for GKE cluster cleanup [ upstream commit 689a725c520ded0e2c4aa54c1164c7b8baf21117 ] In commit ba737f3 (".github: Parallelize cleanup of multicluster setup"), I missed that gcloud can also take an --async flag to not wait for the actual cluster deletion to happen and return immediately (similarly to AKS' --no-wait). This commit therefore reverts ba737f3 (".github: Parallelize cleanup of multicluster setup") and makes use of --async instead. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
04fbf71 test: Make LRP restore test case robust and optimized [ upstream commit 6a3e846599b9bfbbc8f0d954f5406e87173aae38 ] The goal of the test is to check if curl to a clusterIP svc endpoint is redirected to both the backends when the original svc entry is restored upon LRP removal. However, the current test logic expects the same backend should be selected for all the pod clients simultaneously, and this can lengthen test duration. This doesn't seem right since backend selection is not exactly deterministic. More importantly, we only need both backends to be selected at least once for all the client pods. Flip the order in which we loop over backends and client pods. Loop over client pods first, and then make curl calls until we hit both the backends on each of the client pods. This way we can potentially avoid making some of the duplicate curl calls by not having to synchronize what backends VIP calls are redirected to across multiple nodes. Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
4f14d71 test: Don't keep (hard-coded) wait group count [ upstream commit 1d8f8e20cf033ca3f8d8e9fc8b6e8475ab760a24 ] This can be error-prone, and unnecessary. Fixes: 7387ca2 Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
fc951a4 docs: document the policy for backporting documentation changes [ upstream commit 2a356d98c878a8cb8767b72aa1167fd11225a822 ] Documentation changes should be backported "as far as they go" on the supported branches, so that users can get relevant information from the documentation branch associated to the software version they run. Document this as part of the criteria for backports. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
8ae62a8 Support custom Azure clouds [ upstream commit 34424b08c6b4c9dfdb5ed50597c58f0ebdf956c6 ] This commit swaps the creation of Azure service clients to use the Azure Resource Manager baseURI which points to the right Azure cloud extracted from the environment. Signed-off-by: Vlad Ungureanu <vladu@palantir.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
1f79983 Bump azure vendor [ upstream commit 943f7923ee0f4664331ac71e87e1dfb3f14b9cdc ] github.com/Azure/azure-sdk-for-go/services/compute -> 2021-03-01 github.com/Azure/azure-sdk-for-go/services/network -> 2020-11-01 [ backport note: Update azure vendor from v50.0.0+incompatible instead of v50.2.0+incompatible as for master branch. ] Signed-off-by: Vlad Ungureanu <vladu@palantir.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
18994b8 contrib: simplify check-docker-images script [ upstream commit 8e1ef9c2dd97518247c9e9d315c7e0d65f0ccae2 ] The curl URL fails if the sha256 is no longer part of the tag. Running with `docker buildx imagetools inspect` it is possible to verify if an image digest exists even if it no longer belongs to a tag. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
6faabb4 Revert "endpoint: Refactor init of EndpointDatapathConfiguration" [ upstream commit 8da8b88c7509a1a57f928f43ffe46d676a71ca66 ] Commit 0875453 ("endpoint: Refactor init of EndpointDatapathConfiguration") leads to .RequireEgressProg being overwritten on endpoint creation. That in turn breaks reverse NAT when running in chaining mode [1]. This commit is a partial revert of commit 0875453afda841d3bba50fb16ed0929e72c08ddf, keeping only a helper function. 1 - https://github.com/cilium/cilium/blob/v1.10.0/plugins/cilium-cni/chaining/generic-veth/generic-veth.go#L165 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
04afac6 test/K8sCustomCalls: Deploy pods after Cilium only [ upstream commit db93de572629fecc31b160beeec529f4f80426c3 ] We need to deploy pods after Cilium is installed or they may receive the datapath corresponding to a previous Cilium installation. Fixes: 37f6192 ("test: add CI test for tail calls hooks for custom programs") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
b8aba30 Revert "endpoint: Overwrite endpoint datapath config. on restore" [ upstream commit 320ea0d9e1eaae533ad648c91acc1c63041ef6e3 ] This commit partially reverts commit a9ecab17278d05b0492d450c239bbfed367f6d5e. Disabling endpoint routes in an existing cluster is not supported for now. We first need to find a way to properly remove the endpoint routes (see previous commit) before we can support this. We keep the override of endpoint datapath config. for the host endpoint as otherwise host firewall test will error due to a failure to load bpf_host. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
ddf4433 loader: Revert removal of endpoint routes [ upstream commit f937df79f3cc9083bf41f29767393865e3bc5630 ] This commit is a partial revert of 72e6238 ("loader: Remove program and route when disable endpoint routes"). Commit 72e6238 started removing existing endpoint routes when enable-endpoint-routes is disabled in the agent. In chaining mode however, if Cilium isn't the primary CNI, it isn't responsible for the endpoint's networking. In that case, the primary CNI may install and rely on those endpoint routes and we shouldn't remove them. This commit reverts the removal of endpoint routes. We'll provide a proper solution to remove only endpoint routes Cilium "owns" in a subsequent commit. Fixes: 72e6238 ("loader: Remove program and route when disable endpoint routes") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
fc4354b endpoint: Skip waiting-to-regenerate -> waiting-for-identity transitions [ upstream commit 1e5f74d64ffd01626ac29166972ca44e0c3c3412 ] Regeneration logic fails if waiting-for-identity changes to ready state in a scenario like this: builder: ready -> waiting-to-regenerate .. label change etc: waiting-to-regenerate -> waiting-for-identity .. labels resolved: waiting-for-identity -> ready .. builder: (ready) -> regenerating (FAILS as this is not expected) Resolve this by giving precedence to the waiting-to-regenerate state over the waiting-for-identity state. Compensate for possibly blocking this state change in Cilium endpoint PATCH API. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
9e214e6 pkg/k8s: set right logic to ignore ipcache errors [ upstream commit e6ae6fb9c9992c7d5eac833a636c1e589ee7edcc ] The logic to ignore errors is inverted and the errors are still being printed as warnings. This commit inverts the logic so that only relevant warnings are printed. Fixes: 0ab4fa184d3a ("pkg/k8s: ignore certain ipcache errors") Fixes: 465cac1b740b ("pkg/k8s: ignore overwrite source "custom-resource" with "k8s" errors") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
1f20871 envoy: Remove request headers from response access logs [ upstream commit 415c62407be2145b76aa32aa4942054ce3521115 ] Remove request headers from response access logs, except for 'x-request-id', which is retained for request/response correlation purposes. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
b15554e .github: Skip paths-filter when possible [ upstream commit e6b5788391271fb74e3edbf6a4100c3c35728f42 ] Commit 50df544 (".github: Skip unnecessary ci-xxx tests") introduced a new job in each of the comment-triggered workflows (ConformanceXXX) to inspect the code modified by pull requests and skip the end-to-end tests when possible. This commit copies the workflow conditions (i.e., scheduled on cilium/cilium or specific trigger phrase in comment) from the second job to the first in the workflow to ensure we also skip the new, first job when possible. As a consequence the first job won't run for every single comment posted on pull request. Even though that first job is very quick (~3s), it can quickly add up in busy hours. It also won't run in forks. The dependence of the second job on the first (via 'needs') already ensures the second job won't run if the first is skipped. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
f3df568 .github: Fix concurrency group for comment-triggered workflows [ upstream commit c569eadd8f5e3f4e2a074c79ef5663e095a2ad5c ] Commit 7e953b9 (".github: Cancel outdated comment workflows") introduced concurrency groups for workflows triggered by comments. In each concurrency group, a single workflow can be running at any time, with previous workflows cancelled when more recent are scheduled. However, in the context of comment-triggered workflows, a workflow is triggered for every single comment in the pull request. The actual tests on the other hand are only triggered for specific comments. But even if those comments don't contain a phrase that triggers the test (e.g., test-me-please or ci-gke), they will cancel previously-running workflows. To fix this, we need to ensure that the concurrency group with comments that trigger tests does not include any comments which don't trigger tests. We can achieve that by appending the actual comment text to the concurrency group name. So for example, a comment with "test-me-please" on PR 12345 will trigger a workflow which belongs to concurrency group: ConformanceEKS (ci-eks) https://github.com/cilium/cilium/pull/12345 test-me-please If GKE tests are then triggered with ci-gke, the new workflow will belong to a second concurrency group and won't cancel the first: ConformanceEKS (ci-eks) https://github.com/cilium/cilium/pull/12345 ci-gke That is probably okay since it will preserve most of the benefits of concurrency groups without cancelling everything as soon as someone posts a comment. Fixes: 7e953b9 (".github: Cancel outdated comment workflows") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
41615a6 docs: remove 1.7 upgrade guide and add upgradeCompatibility for 1.9 [ upstream commit 076f475863d6627ac2163554e69038333f30118c ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
15cbe79 pkg/k8s: ignore namespace events that do not change labels [ upstream commit 83391b41d23c3e4fb0941a7e15bd4c45e035cd41 ] As we can receive different types of namespace events, like differences in the annotations, we can ignore all of these events unless the labels are different. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
2bdba60 docs: Update troubleshooting for 1.10 [ upstream commit 205f3003c15fc025547346e7688c5b6b04657765 ] * Update links to download scripts * Tweak examples * Update k8s-cilium-exec.sh to handle multiple containers in a pod * Update k8s-get-cilium-pod.sh to handle non-standard cilium namespace Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
cfb5e39 docs: Fix WireGuard spelling [ upstream commit 5d2e72f5f8714a742777af377ccde1b53e18114b ] According to WireGuard's Trademark Usage Policy [1], WireGuard must be written with a capital W and a capital G. [1] https://www.wireguard.com/trademark-policy/ Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
230f0b9 .github: Fix scheduled end-to-end tests [ upstream commit 802d25447fa1d325d3713220f8ad08e7938f6dd4 ] Commit 50df544 added a new job in the end-to-end workflows to checkout the tested code and run paths-filter on it. That first job fails when the workflows are scheduled (vs. triggered by PR comment) because we try to grab the pull request URL, which doesn't exist: curl ${{ github.event.issue.pull_request.url }} > pr.json results in error: Run curl > pr.json curl: try 'curl --help' or 'curl --manual' for more information We can avoid this by skipping steps in the first job when triggered by schedule. We can't skip the entire first job because the second job has a dependency on the first and would fail if we skipped the first. Fixes: 50df544 (".github: Skip unnecessary ci-xxx tests") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
e942366 docs: Fix Helm instructions for BGP [ upstream commit 6c0604e5dd7a3192e4de9d436def160b815ecf4c ] Signed-off-by: Tobias Mose <tobias.mose@xentom.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
bf9f32b docs: refactor installation validation steps [ upstream commit 497ac33077380a3c43f2eef903f52b5b5aa049d4 ] In #15979, the old `k8s-install-validate.rst` and `k8s-install-connectivity-test.rst` were refactored to use the CLI, which broke the flow of several pages: in particular, all installations based on Helm were half-broken due to referencing Cilium CLI commands when the user was never instructed to install it. This commit moves all CLI-related operations to independent `cli-*.rst`, and then refactors `k8s-install-validate.rst` to have both the new CLI status check and connectivity test and the older manual status check and connectivity test. It then refactors CLI-based installation guides to use the `cli-*.rst` in the order that makes the most sense for each page. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
a770107 docs: rework command examples in DNS policy GSG [ upstream commit 35de58ab5f2f6c9ebe3e17dc141ed4a99a96f099 ] `parsed-literal` blocks are required for parsing RST references but they don't play nice with console examples: they allow copy-pasting `$` prefixes even though they're not part of the commands. `shell-session` blocks play nice with console examples but do not work with RST references... This is a compromise where we remove `$` prefixes from parsed-literal blocks for easier copy/pasting and switch to proper `shell-session` blocks otherwise. Also reworked the `curl` commands to add `--max-time` for commands supposed to fail so that the user doesn't have to cancel, and switched to `curl -I {url} | head -1` notation to avoid output flood. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
4c596fe docs: add cilium-cli checksum when installing [ upstream commit 85f4c569bcafae2b70d326f409fbf4ae077a432e ] Also refactor hubble-cli installation accordingly. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
9fd089c .github: Don't persist credentials in repository [ upstream commit b553845559a55dd0f56ca1174181c1209d28c918 ] When using actions/checkout, the default behavior [1] is to persist git credentials in the checked out code. This is ill-advised, so let's disable with persist-credentials. 1 - https://github.com/actions/checkout#usage 2 - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
eda1454 build(deps): bump aws-actions/configure-aws-credentials Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 1.5.9 to 1.5.10. - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/master/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/0309c38ebd10f90dfbb3889431bcf4ea38088012...13d241b293754004c80624b5567555c4a39ffbe3) --- updated-dependencies: - dependency-name: aws-actions/configure-aws-credentials dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 03 June 2021, 19:17:32 UTC
de53e80 .github: add 'stable' tag as part of the v1.10 releases Signed-off-by: André Martins <andre@cilium.io> 02 June 2021, 16:25:34 UTC
cda3e49 build(deps): bump actions/cache from 2.1.5 to 2.1.6 Bumps [actions/cache](https://github.com/actions/cache) from 2.1.5 to 2.1.6. - [Release notes](https://github.com/actions/cache/releases) - [Commits](https://github.com/actions/cache/compare/v2.1.5...v2.1.6) Signed-off-by: dependabot[bot] <support@github.com> 01 June 2021, 11:36:39 UTC
1589f51 .github: Don't wait for AKS cluster deletion [ upstream commit d3b54929c51235850a1132efa558c0554f961886 ] To speed up the cluster deletion in the AKS test, we probably don't want to wait on the long-running operations to finish. That is the default behavior in EKS, but not in AKS. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
62d08ce .github: Parallelize cleanup of multicluster setup [ upstream commit ba737f3c60394d8ce2b34b7887b2722b71104466 ] When a GitHub job is cancelled, we have 5 minutes to perform any cleanup action [1]. After that time, the job is forcefully stopped. That means for jobs creating Kubernetes clusters, we have 5 minutes to delete the cluster(s) or they will be left behind. In the GKE test, it takes us around 2 minutes to delete the cluster. In the multicluster test however, deleting the two GKE clusters takes us a bit more than 5 minutes on average. This commit parallelizes the deletion of the two clusters in the multicluster test to get the cleanup step below the 5-minute runtime threshold. 1 - https://docs.github.com/en/actions/managing-workflow-runs/canceling-a-workflow#steps-github-takes-to-cancel-a-workflow-run Reported-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
6facc4e vendor: Bump go.universe.tf/metallb [ upstream commit 451de22f43aedac34f9dd9d1389bfe0b2843e0ae ] This bump fixes a data race reported in https://github.com/cilium/cilium/issues/16181. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
adebe72 docs: Revert host firewall to beta for kube-proxy setups [ upstream commit 4c8a0b06c4def362e6de9d825fbac49f9d1587b2 ] Two high-impact bugs [1, 2] affecting the host firewall were not resolved in v1.10.0. They affect users running with native routing and without our kube-proxy replacement. We should therefore consider the host firewall as in beta when running without our kube-proxy-replacement. This commit reverts 2b209df ("docs: Move host firewall out of beta"). 1 - https://github.com/cilium/cilium/issues/14859 2 - https://github.com/cilium/cilium/issues/12205 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
09bc017 docs: Clarify coordination for backporting process [ upstream commit 946f52cf100c87668fb97ccf91659df1b4d24fe3 ] Document the common workflow that we've been working under. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
88a7039 .github: Skip unnecessary ci-xxx tests [ upstream commit 50df544831b1694a49f907057b6a4bf317bf134e ] We don't need to run the ci-xxx end-to-end tests if only Documentation/ or test/ are touched. We therefore skip them in case of the trigger phrase 'test-me-please'. If these tests are explicitly requested via the 'ci-xxx' trigger phrase, we run them. Obviously, we could extend this beyond these two directories, but the goal here is to keep the list simple while catching the most common cases. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
afbdd95 .github: Skip unnecessary smoke tests [ upstream commit 71400bad7163120c99c8fd51319778ed0199dbb3 ] We don't need to run the smoke tests if only Documentation/ or test/ are touched. We therefore skip them in such case. Obviously, we could extend this beyond these two directories, but the goal here is to keep the list simple while catching the most common cases. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
0b25844 .github: Skip unnecessary docs test [ upstream commit 3ceb7425a60a89d6ba90fbf3a8cc3c04f518c460 ] We don't need to run documentation tests if the documentation is untouched. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
7afdb22 .github: Skip unnecessary bpf checks [ upstream commit e07188cb3c7034e0e6fd841ea8427e86d7811b73 ] The coccinelle and build checks are unnecessary when files under bpf/ and contrib/coccinelle/ are untouched. We still need to run checkpatch because it actually verifies all commits and not only code touching bpf/. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
adcd460 .github: Skip unnecessary per-commit build of datapath [ upstream commit 74c1c32e5c2b13520e9b341987f78c1070089470 ] If a pull request doesn't touch the bpf/ directory, we don't need to check that the datapath compiles for every commit. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
ce22853 examples, connectivity-check, test: Use even-numbered nodePort [ upstream commit c983bd18fcbb42eda1dcfb93c2ee2923fe7a8f56 ] Following the same logic as https://github.com/cilium/cilium/pull/15988, we want to use an even-numbered port to reduce the likelihood that the underlying kernel allocates a conflicting port for the nodePort. Fixes: https://github.com/cilium/cilium/issues/13071 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
3efda08 ci: add slack notification to GH actions [ upstream commit c132e65b65793a04345b97196ebc2c929d5ce924 ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
1306458 daemon: Ignore cilium_* interfaces when deriving NodePort device [ upstream commit 9366190aa1fec27cd44da62628ef66224eec4f54 ] Any Cilium-created interface (cilium_host, etc) will never be a valid interface for kube-proxy-replacement NodePort (or direct routing). In certain cases, it is possible for the NodePort auto-derivation code to select one of these interfaces. This notably happens when the k8s node IP is an IPv6 address: the node IP is cloned to cilium_host, and the IP (sans netmask) is used as a map key - so cilium_host may be viewed as the only interface with an address matching the node IP. Add a check bypassing any interface whose name is prefixed with "cilium_" during NodePort device detection. Add a test mimicking the IPv6 cilium_host case: node IP assigned to a "real" interface and a "cilium_foo" interface, we should ignore "cilium_foo". Fixes: #16019 Signed-off-by: Eric M. Yanulis <eric@eyanulis.net> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
4ed04ad alibabacloud: fix race [ upstream commit 124b81a4fd4f3a33c2c898cd66f2218754484081 ] Signed-off-by: l1b0k <libokang.dev@gmail.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
8e0d4e0 Specify scrape interval for Hubble metrics [ upstream commit 45689ece6f242c4c2546a3f32ddd80f6464f6e24 ] Fixes: #16148 I have checked that 30s (instead of 10s) works as well. Signed-off-by: Christian Hörtnagl <christian2@univie.ac.at> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
00b9637 .github: Cancel outdated comment workflows [ upstream commit 7e953b9e4c62dfdc6208f41b20c8bc05dae30d9e ] When updating a pull request, workflows associated with the previous version continue to run. A way to prevent that and cancel outdated workflows is to use concurrency groups. This commit fixes workflows running on a schedule or on PR comment. We define each concurrency group such that they are unique to the pull request (via PR URL) if triggered by event issue_comment. For each workflow, there's a single concurrency group for all scheduled runs. That assumes the timeout of scheduled workflows is always shorter than the duration between two runs. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
030f20b .github: Cancel outdated PR and push workflows [ upstream commit dacbd859b7cf0c18b42a3b46f349a0e81d01cf61 ] When updating a pull request, workflows associated with the previous version continue to run. A way to prevent that and cancel outdated workflows is to use concurrency groups. This commit handles workflows triggered by pull requests and pushes. We define each concurrency group such that they are unique to the pull request (via PR number) if triggered by event pull_request or to the commit (via SHA) if triggered by event push. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
ed638f2 bpf: Test build with -DHAVE_FIB_LOOKUP [ upstream commit 4722a2bdde99bbadf68f94dbc08ebdb977ef3e57 ] Add extra build options with this to catch build-time errors with/without this option. This is normally controlled by kernel version support, but we don't currently factor variants of such feature detection into the build testing. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
e2a8c7b bpf: Enable IP_POOLS in testing [ upstream commit ab5d9aff63d73d12ab4d987b8482406540a7f48a ] Whenever we test ENABLE_IPSEC, also enable IP_POOLS which enables extra code in most circumstances, except in one or two situations where it is equivalent to the alternative (basically just determines which skb->cb0[] offset to use for storing encryption bits). Signed-off-by: Joe Stringer <joe@cilium.io> Conflicts due to various changes in Makefile on `master`. Resolved by staying close to original commit and just adding `DIP_POOLS` while ignoring the conflicting new code. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
832a866 bpf: Compile ipsec in tree [ upstream commit 22998809b93d22b52a80e371481b0e71cfc6db95 ] Previously, the default compile of bpf_network.o in the tree wouldn't compile with IPv4, IPv6, or IPSEC enabled, which limited its ability to catch compile failures at development time. Fix it up by adding these to the BPF_SIMPLE_OPTIONS. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
62fd2c1 helm: add back 'wellKnownIdentities' [ upstream commit 50c004509146864af72c03ed0ed04ae44babb656 ] This reverts commit 25f45b5bbe6fba4165dccf3bd72492fb32cf42de. Some users rely on this functionality while using externally managed etcd clusters. Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
a89dc7e AUTHORS: Fix up some author names [ upstream commit 6d128d201bbecfdc06a809a17bf3e89fbd494a71 ] Bokang Li informed me out-of-band that this is the correct representation of their name, fix it up. Yurii Komar has their name on their github profile. Signed-off-by: Joe Stringer <joe@cilium.io> Authors updated with `make update-authors`. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
d1f53b5 .mailmap: Update authors for v1.10 dev cycle [ upstream commit acba9d12dc09fd925c16abf69f02626709f8ba4d ] [ upstream commit 622d841c9b5408f33170179eabdc71923d8a2b28 ] Pull this commit from the v1.10 branch used during that release, and re-generate the authors file based on it. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
2339d55 contrib: Skip vagrant authors in extract_authors [ upstream commit 6d6ff65dc767b459864e616cac32ed9c1161d84d ] Authors in the git log who have used the vagrant VM have always been repeat contributors who have resolved invalid git authorship issues in subsequent submissions, so there is no need to take these authors into account when calculating the authors list. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
ebe3664 contrib: Optimize extract_authors.sh script [ upstream commit 1cd5be9e79d6094b4b472a1d0e9073ad0d834480 ] By using built-in formatting primitives instead of independently fetching names and emails from git in separate commands, we can reduce git history iteration by 50%, saving 30s per authors update on my system. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
8e36be5 test: Quarantine fragment tracking test on GKE [ upstream commit 0b00c9f7a4acf087499ff7bea4fb0c37a462c7cf ] The fragment tracking test is very flaky on GKE. Let's quarantine. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
95bdc0b build(deps): bump docker/build-push-action from 2.4.0 to 2.5.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/e1b7f96249f2e4c8e4ac1519b9608c0d48944a1f...ad44023a93711e3deb337508980b4b5e9bcdc5dc) Signed-off-by: dependabot[bot] <support@github.com> 28 May 2021, 13:41:08 UTC
c0393c2 k8s: Update k8s libraries to 1.21.1 Also update test libraries to latest patch releases Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 28 May 2021, 01:02:04 UTC
dd8a6c4 build(deps): bump docker/setup-qemu-action from 1.1.0 to 1.2.0 Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 1.1.0 to 1.2.0. - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](https://github.com/docker/setup-qemu-action/compare/c308fdd69d26ed66f4506ebd74b180abe5362145...27d0a4f181a40b142cce983c5393082c365d1480) Signed-off-by: dependabot[bot] <support@github.com> 28 May 2021, 00:59:48 UTC
63db7a3 install: Update image digests for v1.10.0 Signed-off-by: André Martins <andre@cilium.io> 20 May 2021, 13:17:44 UTC
952d9d3 Prepare for release v1.10.0 Signed-off-by: André Martins <andre@cilium.io> 20 May 2021, 12:00:45 UTC
f4d2aef wireguard: Fix traffic counters in `cilium debuginfo` [ upstream commit f3fed9a0c4dfa3e82a28f3fdac40c09e4bd841a9 ] Wireguard keeps track of the traffic sent and received for each peer. We print this information in `cilium debuginfo`. Because the agent failed to populate them in the JSON response, the counters were always wrongly reported as zero. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
7442687 contrib: Make upstream commit check more generic [ upstream commit 8a2d2d3d2ff4df24eac37b565869f45c3dda7d8f ] This bash function is super close to being generically useful across different repositories, by allowing one to check whether a commit is in any particular upstream (including hubble repos). Make it a bit more generic without changing the default args, that way we don't have to update any of the existing scripts. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
672d982 docs: Add caveat for OpenShift [ upstream commit 30f30116f18a00d82ff695ed6a6be0b6e73ebb2d ] This will help users avoid running into issues during installation. It is possible that OpenShift will be updated to support this in the future. Source: https://docs.okd.io/latest/installing/installing_bare_metal/installing-bare-metal.html#machine-requirements_installing-bare-metal Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
36f7242 docs: add information about ConfigMap updates [ upstream commit e95a201ffa54d05d313d048d9b61f043a397c566 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
9a1265e pkg/k8s: ignore overwrite source "custom-resource" with "k8s" errors [ upstream commit 465cac1b740bdd370326607cdcedef1059df9e12 ] As pointed out in the code changes, it is expected to receive k8s events after custom-resource events as the propagation delay is often higher than CRs. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
5c82954 docs, gsg: add link to plumbers talk on service lb mechanisms [ upstream commit d5d072740ec9d61c85d76a1021ab4b1148346691 ] Given this details the various service types and our implementation, add this to further reading. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
c85621d docs, gsg: minor edits to kpr guide and note on hybrid use [ upstream commit 107fb8f5a177ba9dbf9c97815645d6bfb558ee6f ] b2d2d69e8f85 ("docs: Add how to remove kube-proxy from existing clusters") added the howto for removing kube-proxy right into the middle of the kubeadm setup given right afterwards we talk about kubeadm join. Detangle this to make it more clear that both don't have anything to do with each other. Also add a warning to removing kube-proxy that this is disruptive. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
31e5071 eni: Support Instance Metadata Service Version 2 [ upstream commit 5d5f5d2c932b7c94bde88ae75f0ba48574e67573 ] Make use of the version 2 of AWS's instance metadata API which is recommended for security purposes. More info [here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) Fixes: #15520 Signed-off-by: Smaine Kahlouch <smainklh@gmail.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
1abcf13 daemon: require BPF masq to enable --install-no-conntrack-iptables-rules [ upstream commit 8aed9d9a4bbe0108744835045f01b46b95685d29 ] It's currently possible to enable the no CT Iptables rules together with Iptables masquerading, which results in Iptables failing to masquerade traffic. With this commit, when this setup is detected, we return a fatal error. Fixes: #16046 Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
4c3aeb4 docs: Improve wording around Helm values in OKD GSG [ upstream commit acab730364007fffaddcaedeccd0a76de6424515 ] Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
fe8ed3f test: Fix incorrect uninstall in K8sBandwidth [ upstream commit 15437e408e75b595281567ff3e15b7dadede24b6 ] The statement to uninstall Cilium in K8sBandwidth/AfterAll doesn't match the statements to install it, meaning we could try to disable Cilium even though we never installed it. This commit fixes it. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
fd7f839 test: Parallelize host firewall test [ upstream commit 9e141aa68066d4f676774a7d2d5623488aa7bdc5 ] For each of the host firewall test cases, we check both an allowed and a blocked request. We therefore spend a fair amount of time waiting for the timeout to occur on blocked requests. We can parallelize test cases to waste less time. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
1f717f7 test: Parallelize to-entities and from-entities tests [ upstream commit 79e5351b50c5e0e7466660a582a1e507906c12ae ] We may spend a lot of time just waiting in these tests because the requests are sometimes expected to fail (in which case we wait for the timeout). Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
c38a253 test: Parallelize LRP test cases [ upstream commit 7387ca26996f3abdc2350e34d407f715cff310bd ] By parallelizing the verification of test cases, we save 5min. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
d760cdf test: Increase frequency of wait helpers to 1 per sec [ upstream commit aaa7b8da4ff930d7eaf80447c4333039703f8dd5 ] We use a number of WaitXXX helper functions to wait for pods to be deployed, policies to be enforced, service endpoints to be created, etc. The default frequency at which these functions check the expected output is 5s. So for namespace deletions and policy enforcements, we often wait 10s, because the output is not as expected after the first 5s check. This is unnecessary. We can instead check the output every 1s and shave off a few seconds every time we wait for something to happen (and we do that a lot!). Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
f321ae9 test: Remove duplicate log messages [ upstream commit e75b46ae113fc9d18b6f02a80070853fc7f60782 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
b1b9794 test: Return non-zero code if building tests fails [ upstream commit 3882893e4f886e269d611464819396e69338e044 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
e85a8c7 Fix logging for expired FQDN IPs [ upstream commit 6522dfd9bbdeedacccd05136810023f0923e0a74 ] Current logging has been implemented in #14878 using Warning level. As reported in #15935 this causes lots of log lines to be generated at each garbage collection cycle. The fix here is to move the log generation from Warning to Debug. Fixes: #15935 Signed-off-by: Youssef Azrak <yazrak.tech@gmail.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2021, 15:14:25 UTC
cef3b46 build(deps): bump aws-actions/configure-aws-credentials Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 1.5.8 to 1.5.9. - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/master/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/cefc5912bc61e2b5a3b049c839fc283c7712d4e0...0309c38ebd10f90dfbb3889431bcf4ea38088012) Signed-off-by: dependabot[bot] <support@github.com> 17 May 2021, 20:21:05 UTC
74607b6 install: Update image digests for v1.10.0-rc2 Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 13:50:07 UTC
d65e51a Prepare for release v1.10.0-rc2 Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 11:46:50 UTC
9e889fd test: set kubeProxyReplacement=probe for upstream k8s tests Running with kube-proxy-replacement=disabled fails e2e tests for k8s conformance tests. Therefore we should enable kpr until the underlying issue is fixed. Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
524fb8b install: Disable kube-proxy-replacement by default [ upstream commit 541214272750a74ac141ed007e4a57ebf20d0bb3 ] The default value of "probe" is not ideal. It leads to a situation where users are unaware who is performing the load-balancing. This can be desirable for some and undesirable for others. A couple of examples: * It typically leads to users continuing to run kube-proxy * It can lead to a situation where users believe they are running in kube-proxy replacement mode but the kernel requirement disables the feature automatically. * Automatic enabling of host-services can lead to incompatibility with Istio. Because of the probe nature, a kernel upgrade in a cluster can lead to sudden issues with Istio without any additional action by the user. It is generally preferred for users to take an explicit action to enable kube-proxy and set it to strict so the cilium-agent fails if the mode is not available. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
9a2491b docs: add ids to the list of special identities [ upstream commit 519fa82d18e4c59a882c65f078b17dfe7c9a3fbd ] A few users have been asking about where to find the numeric IDs associated with a given identity, so maybe it's worth adding them to the table. Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
73c36ee bpf/Makefile: Remove workaround for complexity issue [ upstream commit 05512b2851fce6eab19722bd7d284d88068795e5 ] On master and with kernels 5.10+, we have a complexity issue when ENABLE_HOST_SERVICES_FULL is undefined (i.e., socket-level load balancing is disabled and additional code compiled in bpf_lxc as a replacement). Our verifier test included a workaround for that issue, by always defining ENABLE_HOST_SERVICES_FULL on newer kernels. This commit removes that workaround since the previous commit fixed the complexity issue. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
d86bd70 loader, bpf: Use mcpu=v3 on kernels 5.10+ [ upstream commit 631f3510efe3260b097bae465a8e82cdc13db08b ] Set mcpu=v3 in the compiler on kernels 5.10+ to use all available eBPF instructions and 32-bit registers. This change fixes the complexity issue we're hitting on v5.10+ when socket-level load balancing is disabled (via enable-host-services=false or kube-proxy-replacement=disabled). Using the third eBPF instruction set doesn't reduce complexity for all BPF programs but it leads to more standard numbers, with less variations in complexities. A big part of this improvement is due to the implicit use of mattr=+alu32 to enable 32-bit eBPF registers. In addition to the end-to-end test on bpf-next, this change was tested on kernels 5.10 and 5.11 with the existing verifier-test.sh, compiling the datapath with both KERNEL=netnext and KERNEL=419. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
5f01697 bpf: Fixes to support mattr=+alu32 [ upstream commit ad0d3cf341402feaf34cb612c0f57732b0f5d5b4 ] mattr=+alu32, supported since LLVM 7.0 and implied by mcpu=v3, enables the use of 32-bit registers in BPF bytecode. Enabling this compiler option can however result in loading issues as illustrated below. 12: (61) r1 = *(u32 *)(r0 +80) // ctx->data_end 13: (61) r6 = *(u32 *)(r0 +76) // ctx->data 14: (bc) w7 = w6 // <- verifier loses track of inferred pkt type here. [...] 38: (71) r1 = *(u8 *)(r7 +20) R7 invalid mem access 'inv' These errors typically happen because the data and data_end pointers are actually 32-bit registers. Depending on how these pointers are used, LLVM sometimes makes use of that assumption (e.g., 32-bit assignment on instruction 14 above). The verifier is however not able to follow and rejects such programs. We can usually work around those by ensuring these pointers are only used via 64-bit types. This commit implements this wherever needed to pass the verifier. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
2b5adac node-neigh: Skip neigh update if arping is stale [ upstream commit dd46cc182a51da031c34e2cfdd1b2785904a0543 ] It's possible that in the case of multiple concurrent insertNeighbor() executions the oldest (or older) goroutine will overwrite the latest arping result due to the fine-grained locking. To fix this, avoid updating neigh entry if we detect that prev last ping timestamp is after our arping timestamp. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
7d51f10 node-neigh: Wait instead of sleeping in unit tests [ upstream commit 6ee44eda0f68dcc21eea10e6fe3eaf8e2bf83263 ] We can inspect the neighLastPingByNextHop map to check when insertNeighbor() or deleteNeighbor() was called. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
16ff1a0 node-neigh: Set lastPing if arping was successful [ upstream commit bf750f6cf343df882adbb362c4c7ebddf7b30629 ] We don't return early if arping was skipped. This can happen when insertNeighbor() is invoked by the non-refresh path and nexthop is not new. Make sure that lastPing is updated only if arping was sent and it was successful (if hwAddr != nil condition). Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
d039352 docs: Remove unnecessary flags to kubectl exec and trailing whitespace [ upstream commit c3f6ee615fb39562123fc438714c30893c5b17dd ] Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
f5e278d docs: Add note about DNS-related policies on OpenShift [ upstream commit b4c38f0af49fb97988d69f54941c82f3c3de4f3c ] Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
0df4e32 doc: Add more generic install section for egress gateway guide [ upstream commit aa3a5d2140ee97d3cea013ec7e33dadf69bee4b2 ] Refer to the common installation instructions and document how to enable the feature. Fixes: #15976 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
74f9b96 envoy: Update Envoy to release 1.17.3 [ upstream commit d7b7672c3980bd8d3ba2f2ca4c51ad6284da2464 ] Update Envoy to release 1.17.3 which fixes CVE-2021-29492. Configure cilium-envoy with path normalization, path slash merge, and path escaped slash unescaping by default. This setting can be reverted with Cilium agent option --http-normalize-path=false. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
03a5166 envoy: Add response headers access logging [ upstream commit 094d141b5aedf189765e0f821fb06b5474669afb ] Use cilium-envoy image that adds response headers to response access log messages. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
497bfe0 doc: Update benchmark results [ upstream commit a6eebde51e0c1268e8de26c9492b7b37b20590fe ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 17 May 2021, 02:37:58 UTC
9f5dd00 datapath/linux/ipsec: Insert additional In rule when tunneling [ upstream commit a9f18f36ee63fab88cbe2262c0fbfbd777604080 ] This is needed to fix the L7 ingress policy case. In tunneling mode when a packet is received on the destination node, it makes two passes through the stack. The first pass decrypts the packet because it matches the XFRM IN policy with mark 0xd00, indicating it needs decryption. The second pass through, since L7 ingress policy is enabled, the packet mark is set to 0x200 meaning the packet is destined to the proxy. The problem occurs because there is only one XFRM IN policy matching on mark 0xd00. Since the packet mark is 0x200, the match fails and the packet is dropped by the stack. Therefore, we add a new XFRM policy that matches packets destined for the proxy so that they're allowed. Why doesn't this happen in direct routing mode? The reason is because the skb extension bits[1] are cleared in DR, whereas they are not in tunneling. When the bits are toggled on, then this causes extra logic to be executed in the kernel inside `__xfrm_policy_check()`. This logic upon a policy lookup failure drops the packet [2]. When the bits are cleared, there is no logic to cause a drop upon policy lookup failure. Why are the skb extension bits cleared in DR and not in tunneling? Because the packet path traversal in DR is `cilium_host` -> `cilium_net` -> stack, where the veth pair of `cilium_host` and `cilium_net` calls the kernel `veth_forward_skb()`, which eventually calls `skb_scrub_packet()` where the extension bits are cleared. The path for tunneling is `cilium_{vxlan,geneve}` -> stack, where there is no veth pair traversal, and thus no call to `skb_scrub_packet()`. Hence why we only create a new XFRM policy in tunneling mode. (This was debugged with the help of the following bpftrace script: https://gist.github.com/christarazi/4bb48eb623a03f25026be21856ea10fb) [1]: https://elixir.bootlin.com/linux/v5.12.2/source/net/xfrm/xfrm_policy.c#L3558 [2]: https://elixir.bootlin.com/linux/v5.12.2/source/net/xfrm/xfrm_policy.c#L3590 Co-authored-by: John Fastabend <chris@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Glib Smaga <code@gsmaga.com> 13 May 2021, 12:30:51 UTC
37e2749 datapath/linux: Add RouteMarkToProxy constant [ upstream commit ebd3833938b152157ffd7757f536504f7a58e427 ] This will be used in the subsequent commit, when creating a XFRM policy specifically to allow to-proxy traffic. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Glib Smaga <code@gsmaga.com> 13 May 2021, 12:30:51 UTC