Revision Author Date Message Commit Date
e6f34c3 Prepare for release v1.10.1 Signed-off-by: André Martins <andre@cilium.io> 16 June 2021, 00:40:51 UTC
435c9aa docs: Fix build failure [ upstream commit b173979dc29782e1f27783bba10782f67742ae1b ] By error, commit d5f0cd5 ("Deprecate SkipCRDCreation option for cilium-agents") was merged when the documentation build was failing. This commit fixes it. Fixes: d5f0cd5 ("Deprecate SkipCRDCreation option for cilium-agents") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
b01fbfc ci: restart portmap service on ci nodes [ upstream commit ad65c7939cb75e362aa24012b4a99f1db3e2a3a3 ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
95ed2b6 test: Specify node-selectors in BGP configmap [ upstream commit 8ba6c28181fdb1191dc69ee39d45fdfa48c1bcfb ] We recently had a regression (https://github.com/cilium/cilium/issues/16340) that occurred when the user specified node-selectors in their BGP configmap. The node-selectors were not picked up due to the bug that was fixed in https://github.com/cilium/cilium/pull/16341. This commit is to add regression testing for the BGP integration. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
1be87fe ipam: fix crd mode [ upstream commit 4118b04d657cb7e38ca6c75c380a36b7b190ff65 ] Fix regression affecting IPAM CRD mode introduced in #15160. In buildAllocationResult an "ENI" error was wrongly constructed in fallthrough case affecting all modes not specifically handled within the switch statement. Fixes: #16492 Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
b5dbbfa docs: split a C snippet in BPF documentation [ upstream commit 29bf12098329789804711c906010d4455700ea5a ] A snippet of code was recently marked as C, but it actually contains both C and a sample output from the kernel verifier (which is not C code). Sphinx raises a warning as it fails to apply syntax highlighting for C for that snippet. Let's split the C code from the verifier output. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
c4680f7 docs: fix a few JSON snippets [ upstream commit b010e406fa990633329a298f74be7e6281fc8996 ] A JSON snippet in alibabacloud-eni.rst is not valid JSON, there is a spurious comma after the last element of an array. Let's remove it to make the JSON valid. Let's also update the declaration for two blocks that were recently marked as JSON. The output contained in these blocks is made of JSON fragments, but each block contains _several_ fragments without a root object or array, making the entire snippet invalid JSON and triggering reports from the linter. Let's simply use literal blocks instead. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
52d481b docs: indent code blocks in enumerated lists [ upstream commit 56ecad231ee69bd73c59aebbd92b0c0843fd1c50 ] Following a report from rstcheck, indent the code blocks used in enumerated list items, to make them part of these items instead of "breaking" the list. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
29e76a8 docs: remove duplicate explicit targets from RST files [ upstream commit 31c935d07a6bdc24e97fc6ed72638ccb17664991 ] The syntax for inline hyperlinks can take one or two underscores at the end of the marker. With one underscore, it is an explicit target, which means that the text for the link can be reused elsewhere without having to copy the URL again. With two underscores, the reference is anonymous and cannot be reused elsewhere. Avoid having multiple explicit targets in the documentation. Let's go for the easiest possible fix: add an additional underscore to make the targets anonymous. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
061e708 docs: pass a linter on the RST files [ upstream commit b381918c8aea17885ad8b7470d917e8d3407523b ] Use rstcheck (https://github.com/myint/rstcheck/) as a linter for the RST Documentation files. Run the linter before syntax and spelling validation by Sphinx, because it goes much faster, so we fail faster if an error happens at that stage. Ignore the following items: - Custom directives: tabs (from Sphinx extensions). - Custom roles: any role added with the extlinks extension. - Language: skip linting for bash in ".. code-block:: bash" snippets. - Messages: - Skip an error on ordinated lists in bpf.rst (we have list with decreasing numbers, and there is also a small indent issue in a bit enumerated list in the file, but Sphinx handles it well so let's leave it untouched). - Hyperlink target not referenced: rstcheck does not seem able to recognise when targets are referenced from a different file. - Duplicate implicit target name: this happens when HTML anchors generated from section titles collide with explicit targets (or other section titles on the same page). This is harmless and we are not looking to fix those. - Malformed tables: it would be useful to have these reports if rstcheck would support ignoring substitution ("|PATTERN|") in grid tables. I reported a bug on rstcheck's tracker. - Substitutions: any custom substitution defined in conf.py. Note the existence of an alternative tool, rst-lint (https://github.com/twolfson/restructuredtext-lint), but from my experiments it does not integrate well with Sphinx at the moment. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
f29d02a docs: fix warnings for documentation build [ upstream commit fdc282741fe97e67d508e3460f55f7a6e8fe345b ] "txt" is not a valid language to pass to "code-block" directives. Passing "none" instead of "txt" would work; but there is no need to mark the snippet as a "code-block" if no syntax highlighting is required, simply using a literal block is enough. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
2373e31 docs: report warnings when building documentation [ upstream commit d3c72f9c61b4344fdfff4d4995ff82a484be7588 ] The check-build.sh script would check for warnings produced by running "sphinx-build -b spelling", but not those produced when generating the documentation with "sphinx-build -M html". Let's reuse the warnings.txt file to store these warnings, if any, and to return with a non-0 exit code in that case. Notes: The file can be safely truncated (we won't reach that step if warnings were generated from "sphinx-build -b spelling"). Also we do not have to care of errors produced by "sphinx-build -M html", as they would translate in an error exit code that would make the script return before we look at the warnings. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
028cd56 remove ARP entries left from previous Cilium run [ upstream commit e68848b98004551ae9dc0782181eaaa90fb32762 ] In certain configurations, when node neighbor discovery is enabled [1], the neighbor table is populated with PERMANENT entries. If the agent is then configured to not use neighbor discovery, those entries are left behind, without being garbage collected. This can cause connectivity issues across nodes, where it's more likely to happen in the same L2 network, if a new node reuses an IP address from a previous node and its MAC address changes. In a L3 network it is unlikely to happen since the ARP entry will be associated with a L3 router and it is less likely to change its MAC address. [1] ``` n.enableNeighDiscovery = n.nodeConfig.EnableIPv4 && (option.Config.EnableNodePort || (n.nodeConfig.EnableIPSec && option.Config.Tunnel == option.TunnelDisabled)) ``` Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
75c9f20 docs: use ".. code-block:: shell-session" wherever relevant [ upstream commit e9166c42485eba02112c3b96ff79a98e766ce4db ] The ".. code-block::" directive defined by Sphinx is more flexible, and we have tried to enforce its use over ".. code::" for some time. Similarly, the "bash" language passed as an argument to that directive is often incorrect, as it should be used for bash scripts. For commands to type in the console, "shell-session" should be preferred. In this commit: - Replace ".. code::" with ".. code-block::" everywhere. - Replace "bash" with "shell-session" everywhere relevant (most of the occurrences). - Fix the use of "::" (literal block, for raw output) versus the "code-block" directive (for code snippets). However, I have not checked all existing occurrences of ".. code-block::". - Fix the use of the "parsed-literal" directive, which should be used only when there are RST elements to parse in the block (typically some RST substitutions). - Fix a small number of minor formatting issues met when updating the directives. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
b8c4e5e test: Instrument LB IP via BGP test with debug-events [ upstream commit e63aa2b8d6a47dbf6946d015f2eb201b154b0ba1 ] This commit instruments the test to save `hubble observe debug-events` output so that we can investigate the output when the test fails due to the flake[1]. [1]: https://github.com/cilium/cilium/issues/16399 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
73f5353 examples: add an example of a hubble-cli Deployment [ upstream commit 97c73d17818d3bec8347bbacd43ef8980c2bfc73 ] In order to debug Relay to Hubble connectivity issues, it is sometimes useful to have a Pod running with the Hubble CLI. Because the Relay image is based on a scratch image, kubectl exec'ing into it is not possible. While the Hubble CLI can be found in the Cilium Pods, the Relay certificate needed to establish the mTLS handshake to the Hubble server is not mounted into the Cilium Pods. This commit introduces a new hubble-cli Deployment example. When debugging Relay mTLS issues, it can be used to quickly run a hubble-cli Pod: kubectl apply -n kube-system -f path/to/hubble-cli.yaml Since the Relay mTLS certificates are mounted into the hubble-cli Pods, one can connect to a Hubble server given its IP address and ServerName: kubectl exec -it -n kube-system deployment/hubble-cli -- \ hubble observe --server tls://${IP?}:4244 \ --tls-server-name ${SERVERNAME?} \ --tls-ca-cert-files /var/lib/hubble-relay/tls/hubble-server-ca.crt \ --tls-client-cert-file /var/lib/hubble-relay/tls/client.crt \ --tls-client-key-file /var/lib/hubble-relay/tls/client.key Both ${IP} and ${SERVERNAME} can be obtained by either looking at the Hubble Relay Pod logs or alternatively by running: kubectl exec -it -n kube-system deployment/hubble-cli -- \ hubble watch peers --server unix:///var/run/cilium/hubble.sock Signed-off-by: Alexandre Perrin <alex@kaworu.ch> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
c88d533 docs: ENIs should not be unmanaged by the OS [ upstream commit b15cee151fc70274125bfbc122fb1c7c60e0671b ] When ENIs are managed by services such as NetworkManager or systemd-networkd, it can happen that they interfere with Cilium's configuration. For example, systemd-networkd can remove the ENI IP assigned by Cilium if the carrier is temporarily down, thus breaking SNAT. We previously had a similar section regarding NetworkManager and DHCP in the EKS installation guide, but the EKS guide has since been replaced by the Cilium CLI installation guide. This section here therefore acts as a replacement and states that the devices need to be unmanaged (e.g. disabling DHCP is not enough for systemd-networkd). Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
305e600 docs: add a "Copy Commands" button for shell-session snippets [ upstream commit 869e678b1ae3461b169259155e3bb52b6b4fa072 ] Add a "Copy Commands" to some code blocks. This new button attempts to copy only commands (and not their output) to the clipboard. The distinction between commands and output relies on the presence of a prompt symbol, either "$" or "#", at the beginning of the commands. If a command ends with a trailing backslash, copy the next line as well. For example, the following snippet: .. code-block:: shell-session $ ls -l foo cat $ echo 1 \ 2 \ 3\ 4 $nospace # exit should place the following text into the clipboard: ls -l echo 1 2 3 4 exit The button is added for the following blocks, when they contain several lines and at least one command is found in the block: - "code-block", but with language "shell-session" only, - Literal blocks ("::"), - Parsed literals. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
c7c92f2 test: Add GH Action for Cilium L4LB XDP tests [ upstream commit 673ccd7858ac09f799db5d76cc44a71c2e2754c5 ] This commit introduces a new GH action called "Cilium L4LB XDP" which is responsible for running the standalone LB tests. The action starts a Fedora VM with vagrant. We do that because we need to run Kind on cgroupv2-only machine (otherwise, bpf_sock which is required by the LB health check is not guaranteed to work). Unfortunately, GH Action does not support any runner with cgroupv2-only. So instead we run Fedora 34 which has cgroupv1 disabled on the MacOS runner which supports nested virtualisation. For now the test issues 10 requests to LB VIP from the Fedora VM. See test.sh for more details. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
c45aec7 helm: Add loadBalancer.{standalone,dsrDispatch} [ upstream commit 6da22499589fe6ccd78e4d509d0a670842897b13 ] This commit introduces the following Helm options: - "loadBalancer.standalone" to enable the standalone Cilium L4LB. - "loadBalancer.dsrDispatch" to choose the DSR dispatch mode. Also, this commit replaces --node-port-{mode,acceleration} with --bpf-lb-{mode,acceleration}, respectively. The former two were deprecated by d73c572fcc. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
c74eb58 watchers: Fix BGP subscriber potentially getting skipped [ upstream commit eb00410ffa2c2dbd73cba61e4a16e16d585d0836 ] It is possible for the BGP speaker subscriber to be skipped in a K8s node event if the host endpoint is not yet created. This can happen at the very early stages of Cilium startup, as a K8s node add event is sent to the K8s watchers as one of the first events. It is also often sent before any endpoints have been generated. If that happens, then the consequence is that the MetalLB integration is not seeded with the node labels, which can prevent peering with the BGP routers if the user has node-selectors defined in their BGP configuration. In other words, the MetalLB integration would try to match the selectors against empty labels, which will always fail. The short term fix is to move the BGP speaker logic slightly above where the host endpoint logic can return so that it is guaranteed to always be executed. Longer term, we have an issue https://github.com/cilium/cilium/issues/15471 to refactor the subscribers so that they are executed separately, rather than bundled into one function like (*K8sWatcher).updateK8sNodeV1(). That would have prevented this bug. Fixes: d8dbb82bc1 ("daemon, bgp, watchers: Implement LB IP announcement via BGP") Fixes: https://github.com/cilium/cilium/issues/16340 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
fd02bab docs: add a reference of helm values [ upstream commit de62fa37c9ac679fd45bb617e8759dd7a4918ccb ] Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
0d7f22d Deprecate SkipCRDCreation option for cilium-agents [ upstream commit d5f0cd5bc0a8c143e19a01b77860885dff686e1a ] This commit deprecates option.Config.SkipCRDCreation and --skip-crd-creation parameter for cilium-agents, as it's not used there anymore. Signed-off-by: Mike Fedosin <mfedosin@gmail.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
a396032 Add helm option to disable registering CRD from Cilium Operator [ upstream commit 858430db615864660b2841292865bfcdc814e1b9 ] This commit adds a Helm option skipCRDCreation for Cilium Operator that allows to skip CRDs creation. Signed-off-by: Mike Fedosin <mfedosin@gmail.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
4eba412 Allow to skip CRDs creation for the operator [ upstream commit 15d9d14ea58b6929340cc0041b77f2ecc8f1adbb ] This commit adds `--skip-crd-creation` flag for the operator, indicating that CRDs creation should be skipped. Signed-off-by: Mike Fedosin <mfedosin@gmail.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
ef03c70 docs: mark node-to-node IPsec encryption as beta [ upstream commit 7eb7bc6aaff0aa8a3891843348d20249c20e8d50 ] Mark node-to-node encryption explicitly as a beta feature, to indicate that some issues might remain to be fixed. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
6b27302 test/helpers: Fix incorrect count of endpoints [ upstream commit 123942b9319144536dd6c45e9af636e53ad7d758 ] The test helper WaitEndpointsReady waits for all endpoints on the node to be in ready state with a non-init security identity. To that end, it lists all endpoints in the format [container-name]=[state],[identity], transforms that into a Go map m1, and iterates through the map to construct a new map m2 with state => counter. If it counts as many values (endpoints) in m1 as in state m2[ready], then all endpoints are ready. However, the number of values in m1 isn't actually equal to the number of endpoints. The container name, used as the key, may be empty for several endpoints, including the host endpoint and endpoints in init state. The last endpoint with an empty container name will therefore overwrite previous entries in the map. That leads the function to such conclusions as: =ready,5 httpd3=ready,31837 app2=ready,28159 =ready,1 httpd2=ready,4632 app1=ready,49770 httpd1=ready,14980 cilium-health=ready,4 '7' containers are in a 'ready' state of a total of '7' containers." It counts 7 containers in ready state, when there are 8 containers. Here the difference matters because the first container, which got overwritten in the map, shouldn't be considered "ready" by this function since it has the init (5) identity. As a fix, we can use the Cilium endpoint ID as the key to the map, as it is guaranteed to be unique per endpoint, contrary to the container name. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
fddc805 datapath: Use TUNNEL_MODE as indicator for tunnel mode [ upstream commit d9c982b69735924cc4e6380d1d3c088ea3750290 ] Originally ENCAP_IFINDEX is used as indicator of tunnel mode, which works well before egress gateway. In egress gateway's direct routing mode, we also have a tunnel for forwarding traffic, meaning that we also have ENCAP_IFINDEX. This will cause broken and unexpected data flow: - Pod to pod traffic could be forwarded to tunnel in direct routing mode - Some node to pod traffic is broken in direct routing mode because the return packet is masqueraded by node IP. As a fix, add a new macro TUNNEL_MODE as indicator of tunnel mode, either vxlan or geneve. Signed-off-by: Yongkun Gui <ygui@google.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
6b4a35e node: fix arpping test [ upstream commit 5a418a372f38004dae12275a5a3c0df6338cbd16 ] In TestArpPingHandling, wait for all goroutines that are inserting the new neighbors to finish before deleting the node. Fixes: #16221 Suggested-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 June 2021, 00:03:28 UTC
3ae9065 images/runtime: update runtime image Update runtime image to fix some potential security vulnerabilities detected by image scanners. Signed-off-by: André Martins <andre@cilium.io> 15 June 2021, 21:19:57 UTC
116d56a build(deps): bump dorny/paths-filter from 2.10.1 to 2.10.2 Bumps [dorny/paths-filter](https://github.com/dorny/paths-filter) from 2.10.1 to 2.10.2. - [Release notes](https://github.com/dorny/paths-filter/releases) - [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md) - [Commits](https://github.com/dorny/paths-filter/compare/78ab00f87740f82aec8ed8826eb4c3c851044126...b2feaf19c27470162a626bd6fa8438ae5b263721) --- updated-dependencies: - dependency-name: dorny/paths-filter dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 15 June 2021, 18:28:02 UTC
a6771b9 Update Go to 1.16.5 Signed-off-by: Tobias Klauser <tobias@cilium.io> 11 June 2021, 20:44:22 UTC
b7470b8 build(deps): bump KyleMayes/install-llvm-action from 1.3.0 to 1.4.0 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from 1.3.0 to 1.4.0. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/v1.3.0...v1.4.0) --- updated-dependencies: - dependency-name: KyleMayes/install-llvm-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 08 June 2021, 22:06:58 UTC
c67a187 test/packet: Update provision installation script [ upstream commit 5bb921126b8c54712c66806c62bacc982ebb0abf ] This commit contains various updates to the script: - Drop VIRTUALBOX_VERSION as it is no longer needed because 6.0 is now the default version on the recent Ubuntu releases (after bionic) - Update the VAGRANT_VERSION to a more modern version - Install NFS client and server for better compatibility with our e2e suite Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
8f78e9f test/packet: Update terraform script [ upstream commit ce76a2fd032901175d0872999eb125e20af2cf10 ] This commit makes various updates to the terraform script: - Rename references from `packet` to `metal` as https://github.com/packethost/terraform-provider-packet has been deprecated in favor of https://github.com/equinix/terraform-provider-metal - Use the `metal` provider (https://registry.terraform.io/providers/equinix/metal/latest) - Add the ability to use / create an SSH key within metal / packet - Introduce `public_key_path` for specifying the public key to upload to metal / packet - Depend on the SSH key for the provisioning steps - Use Ubuntu 20.04 LTS by default Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
b402b87 test/packet: Update README.md [ upstream commit 734c2cfbcfa84de42cdbd1e04a42cd5e9c071c81 ] This commit includes various updates: - Rework the formatting so that it is renderable and readable in the browser - Add missing instructions to create a ssh key pair - Clarify the terraform variables that need to be set - Use terraform > 0.13 syntax (drop the `.` from `terraform init .`) Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
d69fa12 k8s, node: Restore router IPs (`cilium_host`) from K8s resource [ upstream commit beb8bdea384fdc4ccb10769142c8981bb10334d5 ] Previously, after a node reboot, Cilium would allocate a new router IP and append it to the slice of node IPs. Since the node IPs have already been synced to the K8s resource, meaning there are already IPs present (from the previous Cilium instance), the router IP is appended to the slice. In other parts of Cilium, it is assumed that the router IP is the first node IP (first element of the slice). Since the new router IP has been appended to the end, it is no longer where it is expected, aka no longer the first element. This causes a mismatch of which router IP is to be used. There should only ever be one router IP (one IPv4 or one IPv6). In case of a node reboot, the router IPs cannot be restored because they are wiped away due to the Cilium state dir being mounted as a tmpfs [1]. This commit fixes this to restore the router IPs from the K8s resource (Node or CiliumNode) if they are present in the annotations. This prevents the possibility of having more than one router IP, as described above. Note that router IPs from the K8s resource are only restored if no router IP was found on the filesystem, which is considered the source of truth. In other words, the filesystem takes precedence over the K8s resource. The user is warned in cases of a mismatch between the two different sources. We also check that the IP to be restored is within the pod / node CIDR range, otherwise we ignore it from restoration. [1]: Linux distributions mount /run as tmpfs and Cilium's default state directory is created under /run. (It's worth mentioning that it's also common for /var/run to be symlinked to /run.) Fixes: https://github.com/cilium/cilium/issues/16279 Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
e454b59 node: Clear router IPs on Uninitialize() [ upstream commit d620a92632610e293d03e248ac802c0a1177dfa7 ] The subsequent commit will add unit tests that make use of ipv{4,6}RouterAddress and state will need to be cleared during testing. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
3378f8f node: Modify SetIPv6NodeRange() to accept cidr.CIDR [ upstream commit 0db244468ef973a19be507725f35efe2c6d164d5 ] This conforms SetIPv6NodeRange() to have the same prototype as SetIPv4AllocRange(). There was no benefit for them to be different. It will ease the subsequent commits. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
ea89a43 helm: Disable the bandwidth manager by default [ upstream commit b0abe8e4fdcbbc6c1358e8b01f15de5e063c733f ] Commit 5412142 disabled our kube-proxy replacement (KPR) by default. If the bandwidth manager is enabled, we will still autodetect the devices. However, if we are running in native routing mode, since KPR is disabled, we will hit #12205 (connectivity issues when devices are set but KPR is disabled). We therefore should disable the bandwidth manager by default to avoid running into this bug. The same will be done for the cilium-cli default installation. The bandwidth manager is also still a beta feature, so probably best not to enable it by default. Related: 5412142 ("install: Disable kube-proxy-replacement by default") Related: https://github.com/cilium/cilium/issues/12205. Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
7cb18c9 docs: Recommend use of dev VM for backporting [ upstream commit 7a4184f1195c0dd81a84cd3b265de19fb0f0fbb8 ] This will reduce chances of users using their own vagrant VMs which may come with libraries that are incompatible with our dependencies. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
a71458c docs: Update requirements for backporting [ upstream commit 6032268f7d815f858c7135cb61e8bd8afae39b95 ] Since we want to move forward with using the GitHub CLI for creating backports, the previously listed optional items are actually required. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
3aadd76 daemon: Improve log msg of device auto-detection [ upstream commit 117be40f577d71ac542fccfb595d3cc97ebbdae5 ] Previously, the msg was misleading by stating that devices were being derived for the NodePort BPF. It's no longer the case, as the same devices are used by host-fw and bwm. Reported-by: Gilberto Bertin <gilberto@isovalent.com> Reported-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
0a1ee9c daemon: Remove redundant device derivation for host-fw [ upstream commit b0e2881d6a2614cc6ba387e384a3dda39a0d7ee5 ] The devices are being derived by handleNativeDevices() invoked above. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
2292c7b test: Use new test-verifier image in K8sVerifier [ upstream commit 4b3ec5760061e24dce7c749b624e1b5bb5f64c4c ] Until now, K8sVerifier was using the cilium-builder image to build the datapath and run verifier-test.sh. Having a K8sVerifier-specific image also allows us to include a patch for the tc binary, to increase the maximum size of the verifier log buffer. In the K8sVerifier test, we load all BPF programs in verbose mode, so the log buffer is always needed (vs. only in case of retry following a load error usually). A small log buffer can lead to a load failure that is actually a false positive (it's just the log buffer being too small and not an actual issue with the BPF program). Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
31fad65 install: fix ordering of operator resource block [ upstream commit d31f0290add562bf8b5a13e0f4879bef91fe52a7 ] fixes #16272 Signed-off-by: Nick M <4718+rkage@users.noreply.github.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
0113537 install: Allow setting enable-health-check-nodeport to 'false' [ upstream commit b69258b55db65cd50ab21eb5891f107c82131c8a ] Signed-off-by: John Watson <johnw@planetscale.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
a1cb56a docs: Clarify LRP loop related note [ upstream commit 27838336eb8de7213cc66ffcff686d1d9f6c0001 ] The previous document note can lead to confusion for readers, whereby it's misinterpreted as node-local translation being skipped, but regular translation can happen. Clarify how we avoid forming a loop by rewording the note. Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
c23d164 helm: Fix patch failure when updating `hubble-generate-certs` [ upstream commit 5a278878952ca238ff662f65460badb11b7a1f9f ] This PR fixes an issue with Helm upgrade of users who set `hubble.tls.auto.method=cronJob`. Because the definition of the `hubble-generate-certs` Kubernetes Job can change between releases (as it did e.g. between 1.9 and 1.10), Helm will try to patch in the changes in the Job object via Kubernetes API. However, because the Job object is immutable, this PATCH request will fail with the following error: ``` Error: UPGRADE FAILED: cannot patch "hubble-generate-certs" with kind Job ``` Because jobs are immutable, the way to update them is to delete the old one and create a new one. While Helm does not seem to have a built-in mechanism for this, we can achieve the same by changing the Job name when its definition changes. This commit introduces such a logic, by appending the checksum of the job spec to the job name. This will cause the name of the job to change when the spec changes, and in turn cause Helm to delete the old job and replace it with a new one. Fixes: #16316 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
78a72a6 operator: remove unused variable [ upstream commit ab6d9edc4549c12ae7bd518441e183ee6af2c885 ] Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
3bc14b3 operator: remove deprecated --update-ec2-apdater-limit-via-api option [ upstream commit 6136a877553f6332ba7d84604b51e7cb1317a2c2 ] Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
042410f endpoint: trigger k8s sync controller on identity update [ upstream commit 9e086277de3e23450953c2afd24a68fd727d3066 ] When an endpoint's identity is updated, Cilium does not sync immediately the new state with k8s, but rather waits up to 10 seconds for the sync-to-k8s-ciliumendpoint controller to run, meaning that the new identity can remain unannounced for up to 10 seconds. This commit fixes this by explicitly triggering the k8s sync controller whenever an endpoint's identity is updated. Fixes: #15097 Suggested-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
04bc5ff controller: allow to manually trigger it [ upstream commit c61d02fc4233fe925e4d0ca87fa768723190b195 ] Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
ddfc2c9 pkg/k8s: add pod IP event change [ upstream commit e92dc6ac6b766e793091410d0cf58c61b01d424d ] This is a follow up of 6bd98ad7e443 ("handle IP addresses modification in running nodes and CEPs") for more information read the commit description of that commit. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
b94e6f4 .github: Fix error triggered by large comments [ upstream commit 6440f293d27719d76d239ba12e3dd91914cf5548 ] To ensure random pull request comments don't cancel ongoing workflows, commit c569ead (".github: Fix concurrency group for comment-triggered workflows") appended the comment message to the concurrency group name. Unfortunately, that results in an error when the comment is too large: The maximum allowed memory size was exceeded while evaluating the following expression This commit fixes that error by simply appending 'trigger-phrase' if the comment is one of the allowed trigger phrases and appending nothing otherwise. That way we avoid appending the whole comment to the concurrency group name, but still get a different concurrency group name for random comments and trigger comments. Fixes: c569ead (".github: Fix concurrency group for comment-triggered workflows") Reported-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 07 June 2021, 12:23:03 UTC
1d85a75 build(deps): bump actions/cache from 2.1.5 to 2.1.6 Bumps [actions/cache](https://github.com/actions/cache) from 2.1.5 to 2.1.6. - [Release notes](https://github.com/actions/cache/releases) - [Commits](https://github.com/actions/cache/compare/1a9e2138d905efd099035b49d8b7a3888c653ca8...c64c572235d810460d0d6876e9c705ad5002b353) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 04 June 2021, 20:50:33 UTC
c1c7f53 .github: refactored base image lint GH action [ upstream commit 42a370b520b8689a680ded5542ea9bcd730483f2 ] Refactored this GH action and remove unnecessary triggers for it. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
af6e8cf .github: pin SHAs for all GitHub actions [ upstream commit 948bb900644db0035a0e88a1f72a4ba454c01a37 ] [ backport note: Update action in documentation.yaml from actions/checkout@v1 instead of actions/checkout@v2 as for master branch. ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
8518ee5 .github: rename workflow files [ upstream commit 38f0af9eb268455d91e80c783602b237b5b215cf ] Add prefix according to their main usage. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
2db306f docs: fix some dead links [ upstream commit c97f353927fae0d149b2193421097258eca13a2b ] Replaced some dead links with alive ones. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
d9ce7bc Makefile, contrib: Add script to create kind cluster [ upstream commit ff9be87bbca4f69e609bec65e7e3fba0d3a2aa71 ] We have the equivalent for minikube. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
e0790a9 bugtool: add missing bpftool map dumps [ upstream commit c573ff85c02a3a404bfd6873baf65b5ea408cdf0 ] Fixes: #16008 Signed-off-by: Gaurav Genani <h3llix.pvt@gmail.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
51a492c typo [ upstream commit a0e3269547d9b1a3e67071fbac92d9f77ba8cb86 ] Signed-off-by: Alex Romanov <alex@romanov.ws> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
ab9d556 .github: Don't wait for GKE cluster cleanup [ upstream commit 689a725c520ded0e2c4aa54c1164c7b8baf21117 ] In commit ba737f3 (".github: Parallelize cleanup of multicluster setup"), I missed that gcloud can also take an --async flag to not wait for the actual cluster deletion to happen and return immediately (similarly to AKS' --no-wait). This commit therefore reverts ba737f3 (".github: Parallelize cleanup of multicluster setup") and makes use of --async instead. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
04fbf71 test: Make LRP restore test case robust and optimized [ upstream commit 6a3e846599b9bfbbc8f0d954f5406e87173aae38 ] The goal of the test is to check if curl to a clusterIP svc endpoint is redirected to both the backends when the original svc entry is restored upon LRP removal. However, the current test logic expects the same backend should be selected for all the pod clients simultaneously, and this can lengthen test duration. This doesn't seem right since backend selection is not exactly deterministic. More importantly, we only need both backends to be selected at least once for all the client pods. Flip the order in which we loop over backends and client pods. Loop over client pods first, and then make curl calls until we hit both the backends on each of the client pods. This way we can potentially avoid making some of the curl duplicate calls by not having to synchronize what backends VIP calls are redirected to across multiple nodes. Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
4f14d71 test: Don't keep (hard-coded) wait group count [ upstream commit 1d8f8e20cf033ca3f8d8e9fc8b6e8475ab760a24 ] This can be error-prone, and unnecessary. Fixes: 7387ca2 Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
fc951a4 docs: document the policy for backporting documentation changes [ upstream commit 2a356d98c878a8cb8767b72aa1167fd11225a822 ] Documentation changes should be backported "as far as they go" on the supported branches, so that users can get relevant information from the documentation branch associated to the software version they run. Document this as part of the criteria for backports. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
8ae62a8 Support custom Azure clouds [ upstream commit 34424b08c6b4c9dfdb5ed50597c58f0ebdf956c6 ] This commit swaps the creation of Azure service clients to use the Azure Resource Manager baseURI which points to the right Azure cloud extracted from the environment. Signed-off-by: Vlad Ungureanu <vladu@palantir.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
1f79983 Bump azure vendor [ upstream commit 943f7923ee0f4664331ac71e87e1dfb3f14b9cdc ] github.com/Azure/azure-sdk-for-go/services/compute -> 2021-03-01 github.com/Azure/azure-sdk-for-go/services/network -> 2020-11-01 [ backport note: Update azure vendor from v50.0.0+incompatible instead of v50.2.0+incompatible as for master branch. ] Signed-off-by: Vlad Ungureanu <vladu@palantir.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
18994b8 contrib: simplify check-docker-images script [ upstream commit 8e1ef9c2dd97518247c9e9d315c7e0d65f0ccae2 ] The curl URL fails if the sha256 is no longer part of the tag. Running with `docker buildx imagetools inspect` it is possible to verify if an image digest exists regardless, even if it no longer belongs to a tag. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
6faabb4 Revert "endpoint: Refactor init of EndpointDatapathConfiguration" [ upstream commit 8da8b88c7509a1a57f928f43ffe46d676a71ca66 ] Commit 0875453 ("endpoint: Refactor init of EndpointDatapathConfiguration") leads to .RequireEgressProg being overwritten on endpoint creation. That in turn breaks reverse NAT when running in chaining mode [1]. This commit is a partial revert of commit 0875453afda841d3bba50fb16ed0929e72c08ddf, keeping only a helper function. 1 - https://github.com/cilium/cilium/blob/v1.10.0/plugins/cilium-cni/chaining/generic-veth/generic-veth.go#L165 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
04afac6 test/K8sCustomCalls: Deploy pods after Cilium only [ upstream commit db93de572629fecc31b160beeec529f4f80426c3 ] We need to deploy pods after Cilium is installed or they may receive the datapath corresponding to a previous Cilium installation. Fixes: 37f6192 ("test: add CI test for tail calls hooks for custom programs") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
b8aba30 Revert "endpoint: Overwrite endpoint datapath config. on restore" [ upstream commit 320ea0d9e1eaae533ad648c91acc1c63041ef6e3 ] This commit partially reverts commit a9ecab17278d05b0492d450c239bbfed367f6d5e. Disabling endpoint routes in an existing cluster is not supported for now. We first need to find a way to properly remove the endpoint routes (see previous commit) before we can support this. We keep the override of endpoint datapath config. for the host endpoint as otherwise host firewall test will error due to a failure to load bpf_host. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
ddf4433 loader: Revert removal of endpoint routes [ upstream commit f937df79f3cc9083bf41f29767393865e3bc5630 ] This commit is a partial revert of 72e6238 ("loader: Remove program and route when disable endpoint routes"). Commit 72e6238 started removing existing endpoint routes when enable-endpoint-routes is disabled in the agent. In chaining mode however, if Cilium isn't the primary CNI, it isn't responsible for the endpoint's networking. In that case, the primary CNI may install and rely on those endpoint routes and we shouldn't remove them. This commit reverts the removal of endpoint routes. We'll provide a proper solution to remove only endpoint routes Cilium "owns" in a subsequent commit. Fixes: 72e6238 ("loader: Remove program and route when disable endpoint routes") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
fc4354b endpoint: Skip waiting-to-regenerate -> waiting-for-identity transitions [ upstream commit 1e5f74d64ffd01626ac29166972ca44e0c3c3412 ] Regeneration logic fails if waiting-for-identity changes to ready state in a scenario like this: builder: ready -> waiting-to-regenerate .. label change etc: waiting-to-regenerate -> waiting-for-identity .. labels resolved: waiting-for-identity -> ready .. builder: (ready) -> regenerating (FAILS as this is not expected) Resolve this by giving precedence to the waiting-to-regenerate state over the waiting-for-identity state. Compensate for possibly blocking this state change in Cilium endpoint PATCH API. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
9e214e6 pkg/k8s: set right logic to ignore ipcache errors [ upstream commit e6ae6fb9c9992c7d5eac833a636c1e589ee7edcc ] The logic to ignore errors is inverted and the errors are still being printed as warnings. This commit inverts the logic so that only relevant warnings are printed. Fixes: 0ab4fa184d3a ("pkg/k8s: ignore certain ipcache errors") Fixes: 465cac1b740b ("pkg/k8s: ignore overwrite source "custom-resource" with "k8s" errors") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
1f20871 envoy: Remove request headers from response access logs [ upstream commit 415c62407be2145b76aa32aa4942054ce3521115 ] Remove request headers from response access logs, except for 'x-request-id', which is retained for request/response correlation purposes. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
b15554e .github: Skip paths-filter when possible [ upstream commit e6b5788391271fb74e3edbf6a4100c3c35728f42 ] Commit 50df544 (".github: Skip unnecessary ci-xxx tests") introduced a new job in each of the comment-triggered workflows (ConformanceXXX) to inspect the code modified by pull requests and skip the end-to-end tests when possible. This commit copies the workflow conditions (i.e., scheduled on cilium/cilium or specific trigger phrase in comment) from the second job to the first in the workflow to ensure we also skip the new, first job when possible. As a consequence the first job won't run for every single comment posted on pull requests. Even though that first job is very quick (~3s), it can quickly add up in busy hours. It also won't run in forks. The dependence of the second job on the first (via 'needs') already ensures the second job won't run if the first is skipped. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
f3df568 .github: Fix concurrency group for comment-triggered workflows [ upstream commit c569eadd8f5e3f4e2a074c79ef5663e095a2ad5c ] Commit 7e953b9 (".github: Cancel outdated comment workflows") introduced concurrency groups for workflows triggered by comments. In each concurrency group, a single workflow can be running at any time, with previous workflows cancelled when more recent are scheduled. However, in the context of comment-triggered workflows, a workflow is triggered for every single comment in the pull request. The actual tests on the other hand are only triggered for specific comments. But even if those comments don't contain a phrase that triggers the test (e.g., test-me-please or ci-gke), they will cancel previously-running workflows. To fix this, we need to ensure that the concurrency group with comments that trigger tests does not include any comments which don't trigger tests. We can achieve that by appending the actual comment text to the concurrency group name. So for example, a comment with "test-me-please" on PR 12345 will trigger a workflow which belongs to concurrency group: ConformanceEKS (ci-eks) https://github.com/cilium/cilium/pull/12345 test-me-please If GKE tests are then triggered with ci-gke, the new workflow will belong to a second concurrency group and won't cancel the first: ConformanceEKS (ci-eks) https://github.com/cilium/cilium/pull/12345 ci-gke That is probably okay since it will preserve most of the benefits of concurrency groups without cancelling everything as soon as someone posts a comment. Fixes: 7e953b9 (".github: Cancel outdated comment workflows") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
41615a6 docs: remove 1.7 upgrade guide and add upgradeCompatibility for 1.9 [ upstream commit 076f475863d6627ac2163554e69038333f30118c ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
15cbe79 pkg/k8s: ignore namespace events that do not change labels [ upstream commit 83391b41d23c3e4fb0941a7e15bd4c45e035cd41 ] As we can receive different types of namespace events, like differences in the annotations, we can ignore all of these events unless the labels are different. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
2bdba60 docs: Update troubleshooting for 1.10 [ upstream commit 205f3003c15fc025547346e7688c5b6b04657765 ] * Update links to download scripts * Tweak examples * Update k8s-cilium-exec.sh to handle multiple containers in a pod * Update k8s-get-cilium-pod.sh to handle non-standard cilium namespace Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
cfb5e39 docs: Fix WireGuard spelling [ upstream commit 5d2e72f5f8714a742777af377ccde1b53e18114b ] According to WireGuard's Trademark Usage Policy [1], WireGuard must be written with a capital W and a capital G. [1] https://www.wireguard.com/trademark-policy/ Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
230f0b9 .github: Fix scheduled end-to-end tests [ upstream commit 802d25447fa1d325d3713220f8ad08e7938f6dd4 ] Commit 50df544 added a new job in the end-to-end workflows to checkout the tested code and run paths-filter on it. That first job fails when the workflows are scheduled (vs. triggered by PR comment) because we try to grab the pull request URL, which doesn't exist: curl ${{ github.event.issue.pull_request.url }} > pr.json results in error: Run curl > pr.json curl: try 'curl --help' or 'curl --manual' for more information We can avoid this by skipping steps in the first job when triggered by schedule. We can't skip the entire first job because the second job has a dependency on the first and would fail if we skipped the first. Fixes: 50df544 (".github: Skip unnecessary ci-xxx tests") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
e942366 docs: Fix Helm instructions for BGP [ upstream commit 6c0604e5dd7a3192e4de9d436def160b815ecf4c ] Signed-off-by: Tobias Mose <tobias.mose@xentom.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
bf9f32b docs: refactor installation validation steps [ upstream commit 497ac33077380a3c43f2eef903f52b5b5aa049d4 ] In #15979, the old `k8s-install-validate.rst` and `k8s-install-connectivity-test.rst` were refactored to use the CLI, which broke the flow of several pages: in particular, all installations based on Helm were half-broken due to referencing Cilium CLI commands when the user was never instructed to install it. This commit moves all CLI-related operations to independent `cli-*.rst`, and then refactors `k8s-install-validate.rst` to have both the new CLI status check and connectivity test and the older manual status check and connectivity test. It then refactors CLI-based installation guides to use the `cli-*.rst` in the order that makes the most sense for each page. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
a770107 docs: rework command examples in DNS policy GSG [ upstream commit 35de58ab5f2f6c9ebe3e17dc141ed4a99a96f099 ] `parsed-literal` blocks are required for parsing RST references but they don't play nice with console examples: they allow copy-pasting `$` prefixes even though they're not part of the commands. `shell-session` blocks play nice with console examples but do not work with RST references... This is a compromise where we remove `$` prefixes from parsed-literal blocks for easier copy/pasting and switch to proper `shell-session` blocks otherwise. Also reworked the `curl` commands to add `--max-time` for commands supposed to fail so that the user doesn't have to cancel, and switch to `curl -I {url} | head -1` notation to avoid output flood. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
4c596fe docs: add cilium-cli checksum when installing [ upstream commit 85f4c569bcafae2b70d326f409fbf4ae077a432e ] Also refactor hubble-cli installation accordingly. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
9fd089c .github: Don't persist credentials in repository [ upstream commit b553845559a55dd0f56ca1174181c1209d28c918 ] When using actions/checkout, the default behavior [1] is to persist git credentials in the checked out code. This is ill-advised, so let's disable with persist-credentials. 1 - https://github.com/actions/checkout#usage 2 - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 June 2021, 16:46:12 UTC
eda1454 build(deps): bump aws-actions/configure-aws-credentials Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 1.5.9 to 1.5.10. - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/master/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/0309c38ebd10f90dfbb3889431bcf4ea38088012...13d241b293754004c80624b5567555c4a39ffbe3) --- updated-dependencies: - dependency-name: aws-actions/configure-aws-credentials dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 03 June 2021, 19:17:32 UTC
de53e80 .github: add 'stable' tag as part of the v1.10 releases Signed-off-by: André Martins <andre@cilium.io> 02 June 2021, 16:25:34 UTC
cda3e49 build(deps): bump actions/cache from 2.1.5 to 2.1.6 Bumps [actions/cache](https://github.com/actions/cache) from 2.1.5 to 2.1.6. - [Release notes](https://github.com/actions/cache/releases) - [Commits](https://github.com/actions/cache/compare/v2.1.5...v2.1.6) Signed-off-by: dependabot[bot] <support@github.com> 01 June 2021, 11:36:39 UTC
1589f51 .github: Don't wait for AKS cluster deletion [ upstream commit d3b54929c51235850a1132efa558c0554f961886 ] To speed up the cluster deletion in the AKS test, we probably don't want to wait on the long-running operations to finish. That is the default behavior in EKS, but not in AKS. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
62d08ce .github: Parallelize cleanup of multicluster setup [ upstream commit ba737f3c60394d8ce2b34b7887b2722b71104466 ] When a GitHub job is cancelled, we have 5 minutes to perform any cleanup action [1]. After that time, the job is forcefully stopped. That means for jobs creating Kubernetes clusters, we have 5 minutes to delete the cluster(s) or they will be left behind. In the GKE test, it takes us around 2 minutes to delete the cluster. In the multicluster test however, deleting the two GKE clusters takes us a bit more than 5 minutes on average. This commit parallelizes the deletion of the two clusters in the multicluster test to get the cleanup step below the 5-minutes runtime threshold. 1 - https://docs.github.com/en/actions/managing-workflow-runs/canceling-a-workflow#steps-github-takes-to-cancel-a-workflow-run Reported-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
6facc4e vendor: Bump go.universe.tf/metallb [ upstream commit 451de22f43aedac34f9dd9d1389bfe0b2843e0ae ] This bump fixes a data race reported in https://github.com/cilium/cilium/issues/16181. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
adebe72 docs: Revert host firewall to beta for kube-proxy setups [ upstream commit 4c8a0b06c4def362e6de9d825fbac49f9d1587b2 ] Two high-impact bugs [1, 2] affecting the host firewall were not resolved in v1.10.0. They affect users running with native routing and without our kube-proxy replacement. We should therefore consider the host firewall as in beta when running without our kube-proxy-replacement. This commit reverts 2b209df ("docs: Move host firewall out of beta"). 1 - https://github.com/cilium/cilium/issues/14859 2 - https://github.com/cilium/cilium/issues/12205 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
09bc017 docs: Clarify coordination for backporting process [ upstream commit 946f52cf100c87668fb97ccf91659df1b4d24fe3 ] Document the common workflow that we've been working under. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
88a7039 .github: Skip unnecessary ci-xxx tests [ upstream commit 50df544831b1694a49f907057b6a4bf317bf134e ] We don't need to run the ci-xxx end-to-end tests if only Documentation/ or test/ are touched. We therefore skip them in case of the trigger phrase 'test-me-please'. If these tests are explicitly requested via the 'ci-xxx' trigger phrase, we run them. Obviously, we could extend this beyond these two directories, but the goal here is to keep the list simple while catching the most common cases. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
afbdd95 .github: Skip unnecessary smoke tests [ upstream commit 71400bad7163120c99c8fd51319778ed0199dbb3 ] We don't need to run the smoke tests if only Documentation/ or test/ are touched. We therefore skip them in such case. Obviously, we could extend this beyond these two directories, but the goal here is to keep the list simple while catching the most common cases. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC
0b25844 .github: Skip unnecessary docs test [ upstream commit 3ceb7425a60a89d6ba90fbf3a8cc3c04f518c460 ] We don't need to run documentation tests if the documentation is untouched. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 28 May 2021, 22:15:56 UTC