Revision Author Date Message Commit Date
e9d8122 renovate: prevent upgrading certgen to v0.2 in stable branches certgen v0.2 is going to introduce breaking changes. Hence, let's introduce a new renovate rule to prevent it from being upgraded in stable versions. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 11 June 2024, 08:02:42 UTC
96989f4 renovate: remove unnecessary etcd-related constraint This etcd-related constraint appears to have been added in the blamed commit. However, it doesn't seem intentional, considering that the latest etcd version is currently v3.5.14. Hence, let's just drop it. Fixes: b3d7d4d1dcd2 ("renovate: try to group dependency updates on single PR") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 11 June 2024, 08:02:42 UTC
936f928 ci-e2e: Add the coverage for Ingress + bpf.masquerade Hopefully, this will help to catch some issues with Ingress. Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 June 2024, 07:01:14 UTC
6947d82 maps: nat: remove rtp.log Looks like this was accidentally checked in by https://github.com/cilium/cilium/pull/32152. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 10 June 2024, 19:40:44 UTC
719eb4f fqdn: ToFQDN policy performance improvements This commit implements `CFP-28427: ToFQDN policy performance improvements`. It is highly recommended to consult the CFP, as it contains all the high-level design decisions and mechanism found in this commit. The rest of this commit message therefore only explains the "what" and "where", and not the "why". Before this commit, there was circular interaction between the `SelectorCache` and `NameManager`: `SelectorCache` would tell `NameManager` about new `ToFQDN` selectors, and `NameManager` would in turn inform `SelectorCache` about the IPs selected by that `ToFQDN` selector. This commit simplifies this logic by removing the backlink from the `NameManager` to the `SelectorCache`. IPs are instead now labelled with the selector as an `fqdn` identity label in IPCache, thus not requiring any direct changes to the `SelectorCache` when a new IP is discovered that shares the identity with an old IP. If there is identity allocation needed for an observed IP, the `SelectorCache` is still updated, but only via `IPCache`, and no longer directly from `NameManager`. I recommend first looking at the changes to `SelectorCache` in `pkg/policy`. Note the following changes: 1. The `identityNotifier` interface (implemented by `NameManager`) is simplified: We no longer care about IPs selected by an FQDN selector, and we no longer need to care about potential deadlocks, as there are no calls back from `NameManager` to `SelectorCache` in the invoked functions (the indirect backlink from `NameManager` to `SelectorCache` via `IPCache` happens in `NameManager.UpdateGenerateDNS` - but this function is called by the DNS proxy whenever it observes a new DNS lookup and thus is called without the selector cache lock held). 2. `UpdateFQDNSelector` (previously invoked by `NameManager`) is removed - `SelectorCache` no longer directly needs to know the IPs matched by a selector. 3. The `fqdnSelector` type is simplified: Instead of containing the list of CIDR identities (one for each selected IP) and checking for the CIDR identity in `matches`, we now can simply treat the FQDN selector as a label and thus check if the requested identity has the FQDN selector label. 4. All the unit test logic around managing the selected IPs is removed, as all the responsibility for updating IPs now lies in `NameManager`. For the `NameManager` in `pkg/fqdn`, the changes are as follows: 1. Minor changes to the query functions in `DNSCache`: Instead of just listing or checking the existence of an IP, we now want to know about `(name, IP)` pairs (needed later for updating `IPCache`). 2. Similarly, where before we only cared about the mapping between an `FQDNSelector` and the selected IPs, we now want to know what `(name, IP)` pairs are matched by a particular selector. Thus `mapSelectorsToIPsLocked` is replaced with `mapSelectorsToNamesLocked` and the unit tests are updated as well. 3. `RegisterFQDNSelector` now checks if the new selector needs to be added to any known `(name, IP)` pairs as an `fqdn` label, and `UnregisterFQDNSelector` potentially removes `fqdn` labels from IPs. 4. `UpdateGenerateDNS` (invoked for DNS lookups) determines the labels of any newly discovered IP and now directly spawns the go routine to wait for the new `(IP, identity)` pair to be injected into `IPCache`. Previously, this waiting was done as part of the call to `UpdateSelectors`, previously implemented in `daemon/cmd/fqdn.go` (and now removed). 5. `ForceGenerateDNS` is removed. It was previously called by the `NameManager` GC to remove IPs from the `SelectorCache`, but since the `SelectorCache` no longer knows about IPs, the function is obsolete (note that `IPCache` removals are still performed upon GC). 6. Changes in `CompleteBootstrap` to deal with the upgrade logic when upgrading from Cilium v1.15. See bullet point 9 below for details. 7. `updateDNSIPs` (called from `UpdateGenerateDNS`, i.e. upon new DNS lookups) now determines the labels for every newly observed IP based on the available FQDN selectors, and no longer upserts CIDR identities. Note that we only update the labels matching the looked up `dnsName`. If an IP happens to also map to a different domain name and uses a different set of selectors for the alternative name, those labels in IPCache are unaffected by the call to `updateMetadata`, as every call to IPCache uses the DNS name as the resource owner. 8. The `ipcacheResource`, `updateMetadata`, and `maybeRemoveMetadata` contain the calls to `IPCache` to update labels for a given `(name, IP)` pair. There are two main differences to before: Instead of upserting or removing CIDR prefixes, we now add labels. And instead of having one update per prefix, we now have one update per `(name, IP)` pair, meaning a single prefix (aka "IP") might have multiple IPCache resource owners in the `NameManager` (i.e. one for each `name` mapping to that IP). 9. `RestoreCache` and `CompleteBootstrap` contain the logic to initialize `IPCache` when upgrading from Cilium v1.15. This requires the previous Cilium instance to have checkpointed the known `ToFQDN` selectors, which are read in during upgrade and used to derive and inject the `IPCache` labels we expect to have once endpoint regeneration has finished. After endpoint regeneration, those restored labels are then removed, leaving the real labels in place. In contrast to all other `IPCache` updates (where each update to an IP is "owned" by the DNS name mapping to that IP, and we rely on `IPCache` to merge those labels), the resource owner here is static. This is because they are all added at once (in `RestoreCache`) and removed at once (in `CompleteBootstrap`), and no per-name tracking is required. 10. Various changes to unit tests. The old unit tests tested the interaction between `NameManager` and `SelectorCache`, whereas the new unit tests now test the interaction between `NameManager` and `IPCache`. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 10 June 2024, 16:06:10 UTC
625e39f fqdn: Derive domain labels from FQDN selectors This commit adds logic to derive identity labels for `(name, IP)` pairs from selectors. The basic idea is that any ToFQDN selector matching the qname of the DNS lookup is added as a label to each IP returned by that DNS lookup. The functions added here will be used in a subsequent commit. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 10 June 2024, 16:06:10 UTC
dfc11ab daemon: Wait for initial IPCache revision This introduces a wait for the initial IPCache revision after K8s caches have synced. This ensures that all prefix labels are injected and available in the new IPCache before restoration starts. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 10 June 2024, 16:06:10 UTC
ed299a3 ipcache: Always add world label to identities with fqdn label A subsequent commit will change prefix labels upserted by the name manager to use `fqdn`-labels instead of `cidr`-labels. Because a CIDR identity currently always also has the world label, we want to mirror that logic for identities with an `fqdn` label, so that IPs allowed by a ToFQDN policy remain selectable by a `reserved:world` selector. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 10 June 2024, 16:06:10 UTC
4035fea labels: Simplify `IsReserved` implementation This contains no functional changes and is a drive-by cleanup. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 10 June 2024, 16:06:10 UTC
999d5f0 daemon: Also restore checkpointed FQDN identities This commit modifies the IPCache restoration to restore all local identity entries, not just CIDR identities. This is required because FQDN labels are derived from ToFQDN selectors, which are only available during endpoint regeneration. To ensure that identities of prefixes in IPCache don't change during initial regeneration, we provide the expected `fqdn` labels before regeneration. The real labels are added during regeneration, therefore the restored ones can be safely removed in `releaseRestoredIdentities`. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 10 June 2024, 16:06:10 UTC
fda5b55 clustermesh: drain all known entries upon cluster ID change Recent changes introduced improved validation to ensure that the information retrieved from remote clusters matches the advertised cluster ID, and discard it otherwise. Let's additionally fully drain all previously known entries upon cluster ID change. Indeed, although synthetic deletion events would be generated in any case upon initial listing (as the entries with the incorrect cluster ID would not pass validation), that would leave a window of time in which there would still be stale entries for a cluster ID that has already been released, potentially leading to inconsistencies if the same ID is acquired again in the meanwhile by a different cluster. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 10 June 2024, 16:06:02 UTC
17882e9 policy/api: add more CRD validations Copying some logic from `Sanitize()` into CRD validations: - use the OpenAPI `cidr` format directly, remove baroque regex - add OneOf for FQDN selector pattern vs. name - add pre-existing MaxItems for port & ICMP rules - add OneOf for L7 filter types None of these add any new restrictions; they were always in the policy engine. Now these validation errors will be caught by the apiserver. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 10 June 2024, 15:49:28 UTC
fdc9bf9 contrib,tool: Add tool + script to check for legacy header guards This tool checks for legacy header guards and will throw an error if it finds any. Adding this to the CI should ensure that we don't add any more legacy header guards once we have switched to pragma-once. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 10 June 2024, 14:50:12 UTC
54eb9b8 bpf/tests: remove config_replacement.h The config_replacement.h was originally meant to replace static_data variables for tests. But since then the implementation has changed so static_data always has valid defaults and values can be changed with special test macros. So we no longer need config_replacement.h. Removing it now since it relied on header guards to prevent multiple inclusions of the replaced variables, which we removed. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 10 June 2024, 14:50:12 UTC
eeb41d1 bpf/tests: Change nodeport lb4 nat tests to not use global variables This test was using global variables to store mocking settings. This is triggering CI, likely due to a change in the Go code somewhere. So switching the test over to using a map to store these settings. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 10 June 2024, 14:50:12 UTC
fe9272d bpf: Replace old school header guards with #pragma once This commit replaces the old school header guards with #pragma once. This is a more modern way of preventing multiple inclusion of the same header file. In future we will be using scripts to remove macros, by replacing these now with the proper #pragma once we avoid having to write exceptions for these in the scripts. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 10 June 2024, 14:50:12 UTC
5faea37 pkg/identity: Move GetCIDKeyFromK8sLabels to GlobalIdentity Moves the method from ciliumidentity package to GlobalIdentity and makes the method more generic by accepting the source to be used in mapping. Related #27752 Signed-off-by: Ovidiu Tirla <otirla@google.com> 10 June 2024, 14:47:07 UTC
f0384a8 api: bump protobuf version Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 10 June 2024, 14:23:28 UTC
fd27c83 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 10 June 2024, 14:23:28 UTC
3a91460 chore(deps): update all-dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 10 June 2024, 14:23:28 UTC
e3de640 Fix #32587 concurrent hubble dynamic exporter stop and reload In rare cases when the dynamic exporter lifecycle Stop() function is called during config reload it may cause a deadlock on the mutex. This change stops the config watcher ticker before locking the mutex, as the mutex lock is effectively needed only to terminate configured exporters, not for terminating the config watcher itself. Fixes: #32587 Signed-off-by: Marek Chodor <mchodor@google.com> 10 June 2024, 13:41:24 UTC
4e2a66d conformance-ipsec-e2e: run leak check before/after key rotation This is because we saw a racing issue if leak detection covers the whole rotation + conn-disrupt-check: cilium connectivity will remove conn-disrupt pods at the end of the connectivity test, leaving some lingering packets recognized as leaked traffic. This commit avoids the issue by running leak checks separately for the key rotation and the after-rotation test. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: gray <gray.liang@isovalent.com> 10 June 2024, 12:43:03 UTC
230c200 ci: check-ipsec-leaks.bt can tolerate proxy traffic not found Add an argument to tell check-ipsec-leaks.bt whether to report errors if proxy traffic is not found. Signed-off-by: gray <gray.liang@isovalent.com> 10 June 2024, 12:43:03 UTC
e3fe4bc conformance-ipsec-e2e: add leaked unencrypted packets check Extend the conformance-ipsec-e2e GHA workflow to additionally check that we don't leak any unencrypted packets during the connectivity test. This aims to complement the validation already performed as part of the connectivity tests by the Cilium CLI. Specifically, we leverage bpftrace to analyze the packets forwarded by the bridge device (used by kind), and report those that are not encrypted. We flag packets with both the source and the destination belonging to the IPv4/6 PodCIDR, and we consider the inner headers if packets are encapsulated. In this case, we additionally skip packets originating or targeting CiliumInternalIP addresses (as these are used for node-to-pod traffic when running in tunnel mode, which is not encrypted by design). Extra checks are finally added to always include packets originating from the L7 and DNS proxies, as their source IP is not that of a pod. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 10 June 2024, 12:43:03 UTC
ec1b796 ci: Delete deprecated conn-disrupt-test action Signed-off-by: gray <gray.liang@isovalent.com> 10 June 2024, 12:43:03 UTC
364ff9e ci: Use conn-disrupt-test-{setup,check} for ci-ipsec-upgrade Signed-off-by: gray <gray.liang@isovalent.com> 10 June 2024, 12:43:03 UTC
c430572 ci: Decouple ipsec-key-rotate action from conn-disrupt-test action So in future we can add encryption leak detection right after key rotation to avoid certain issues. ci-ipsec-e2e and ci-eks have also been adjusted to use conn-disrupt-test-* actions before and after the ipsec-key-rotate action. Signed-off-by: gray <gray.liang@isovalent.com> 10 June 2024, 12:43:03 UTC
0f957a7 ci: Add conn-disrupt-test-{setup,check} actions They are to replace conn-disrupt-test action for better flexibility. Please note the new conn-disrupt-test-check doesn't run full tests by default. Signed-off-by: gray <gray.liang@isovalent.com> 10 June 2024, 12:43:03 UTC
6a0d178 ci: fix cluster name in CI tests In these workflows we used a specific cluster name for kops. Cilium-cli fetched the cluster name from the context, resulting in a validation error. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 10 June 2024, 12:40:28 UTC
1cfc5a9 chore(deps): update docker/build-push-action action to v5.4.0 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 10 June 2024, 12:35:17 UTC
597e2b3 cilium, netkit: Add CI e2e coverage Add various netkit and netkit-l2 test coverage to CI: - netkit/netkit-l2 with recommended performance profile (https://docs.cilium.io/en/latest/operations/performance/tuning/) - netkit/netkit-l2 with vxlan/geneve under BPF host routing and legacy routing with ingress Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 10 June 2024, 12:38:50 UTC
8b1f64a Bandwidth map: fix missing table in reconciler config The table wasn't assigned to the reconciler config for the bandwidth map; this causes an error on startup when the bandwidth manager is enabled. This commit should resolve the issue. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 10 June 2024, 12:09:49 UTC
f3e65e3 chore(deps): update dependency cilium/cilium-cli to v0.16.10 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 10 June 2024, 10:28:03 UTC
6a203d4 chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 10 June 2024, 10:26:01 UTC
03afbcc Add active connection tracking to eBPF Add new map - LB_ACT_MAP - behind ENABLE_ACTIVE_CONNECTION_TRACKING flag with counters of opened and closed connections. Behavior of eBPF remains completely unchanged when the ENABLE_ACTIVE_CONNECTION_TRACKING flag is not set. When an entry in the conntrack table is created, the related LB_ACT_MAP.opened counter is incremented by one. When a connection is closed, the related LB_ACT_MAP.closed counter is incremented by one. This works only for traffic originating from the local pods. LB_ACT_MAP is keyed by svc_id (also known as rev_nat_index) and zone, which is obtained from the backend entry. The zone field in the backend is populated only when the EndpointSlice contains a reference to a zone in FixedZoneMapping (so it is possible to convert between uint8 ID and string). Signed-off-by: Aleksander Mistewicz <amistewicz@google.com> 10 June 2024, 10:14:28 UTC
95886de GwAPI: externalTrafficPolicy support for GwAPI Added externalTrafficPolicy (eTP) support for Cilium GatewayAPI. eTP is globally configurable via `gatewayAPI.externalTrafficPolicy` Helm flag. Signed-off-by: Philip Schmid <phisch@cisco.com> 10 June 2024, 09:42:24 UTC
5af8e22 ingress, docs: eTP support for dedicated ingress Added externalTrafficPolicy support for dedicated Cilium Ingress instances. Configurable via new `ingress.cilium.io/service-external-traffic-policy` Ingress annotation. Signed-off-by: Philip Schmid <phisch@cisco.com> 10 June 2024, 09:42:24 UTC
1a1a048 helm: externalTrafficPolicy for shared ingress Added configuration option to explicitly configure the externalTrafficPolicy for the Cilium Ingress Kubernetes Service. Signed-off-by: Philip Schmid <phisch@cisco.com> 10 June 2024, 09:42:24 UTC
bfa6e5c fix(deps): update aws-sdk-go-v2 monorepo Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 10 June 2024, 09:03:56 UTC
2bf8ae7 envoy/xds: Await until endpoint restoration is done Wait until endpoint restoration is done before serving any xDS resources to Envoy, when agent is restoring and envoy daemonset is used. This reduces Envoy resource churn during agent restart. Endpoint restoration does not wait for Envoy ACKs during restart. This is needed to break dependency cycle as resources are not sent to Envoy during restoration, so they will not be ACKed. With this we only get one no-op policy update in Envoy: [cilium/network_policy.cc:1175] NetworkPolicyMap::onConfigUpdate(cilium.policymap.10.244.1.193.1.), 3 resources, version: 17 xternal/envoy/source/common/init/watcher_impl.cc:31] init manager NetworkPolicyMap manager for version 16 destroyed [cilium/network_policy.cc:1200] Received Network Policy for endpoint 1830 in onConfigUpdate() version 17 [cilium/network_policy.cc:1214] New policy is equal to old one, not updating. [cilium/network_policy.cc:1200] Received Network Policy for endpoint 3283 in onConfigUpdate() version 17 [cilium/network_policy.cc:1214] New policy is equal to old one, not updating. [cilium/network_policy.cc:1200] Received Network Policy for endpoint 3268 in onConfigUpdate() version 17 [cilium/network_policy.cc:1214] New policy is equal to old one, not updating. [external/envoy/source/common/init/target_impl.cc:34] target NetworkPolicyMap manager for version 16 destroyed [cilium/network_policy.cc:1266] Reopening ipcache on new stream [cilium/ipcache.cc:81] cilium.ipcache: Opened ipcache. [cilium/network_policy.cc:1273] Skipping empty or duplicate policy update. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 10 June 2024, 06:30:44 UTC
3660e4d envoy/xds: Call the callback even if wg == nil Call the callback if given even if wg == nil. Define 'wait := wg != nil' to make code more readable. Move UseCurrent to ack_test.go and remove from the interface, as it is only used for testing. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 10 June 2024, 06:30:44 UTC
4a00efb daemon: Remove endpointstate promise dependency on daemon Remove endpointstate resolver's dependency on the daemon, so that it can be used in daemon's dependencies. Suggested-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 10 June 2024, 06:30:44 UTC
02304ca daemon: Do not create l7 policies for health endpoint The special health endpoint should not be subject to L7 policies, so we can disable l7 proxy for it altogether. This helps reduce churn on Envoy policy updates. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 10 June 2024, 06:30:44 UTC
f1b5334 Adding support for TrafficDistribution This commit adds support for Service Traffic Distribution, a Kubernetes feature that is on track to go beta/available-by-default in v1.31. TrafficDistribution represents the latest and hopefully final iteration in Kubernetes topology aware routing. The default logic is quite simple - route traffic within the same zone if there are any healthy endpoints in that zone. The kube-proxy implementation of that is still based on the EndpointSlice hints field, but does not strictly need to be. This KEP also comes with a more fundamental change to the implementation logic. As part of a broader goal of separating concerns, we've removed the check from Kube-Proxy that verified that a topology annotation was set before honoring hints on EndpointSlices. Now we simply check that all endpoints for an EndpointSlice have hints, and honor them if so. In this commit I've left some logic to determine if a Service is likely to have hints set, but that is now only used to determine if a Service should be reconciled again if the local node labels change. Signed-off-by: Rob Scott <robertjscott@google.com> 10 June 2024, 06:10:46 UTC
3bdfd9d dnsproxy: Pick up cilium/dns with ID retry logic Update to cilium/dns with request ID retry logic to reduce the likelihood of failures like this: level=error msg="Cannot forward proxied DNS lookup" error="duplicate request id 31372" subsys=fqdn/dnsproxy Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 09 June 2024, 15:50:29 UTC
e364fec envoy: Call given callback also when reusing a listener Call the given callback function of addListener(), if any, in all return cases, or by passing it to the completion. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 09 June 2024, 12:18:35 UTC
025fc0f docs: document the cluster name format Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
32e7736 gha: configure extreme cluster names in conformance clustermesh To detect and prevent possible regressions causing valid names to not be correctly supported. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
32416d2 helm: formalize and validate cluster name format Describe the cluster name specifications, and mimic the same checks performed by the Cilium components, to provide early feedback in case the cluster name is invalid. To enable users performing a smooth transition, helm validation can be skipped setting upgradeCompatibility to 1.15 or earlier. In that case, Cilium components will still emit error logs to warn users in case the cluster name is invalid. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
e15911e clustermesh: validate remote cluster name Following the formalization of the cluster name format, let's additionally emit an error log when trying to connect to a cluster associated with an invalid name. Starting from v1.17, Cilium will reject connecting to a cluster with an invalid name. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
b1f10bc options: formalize and validate cluster name format Formally define and validate that a cluster name must respect the following constraints: * It must contain at most 32 characters; * It must begin and end with a lower case alphanumeric character; * It may contain lower case alphanumerics and dashes between; * The "default" name is reserved, and forbidden with ClusterID != 0. The specification almost matches the cluster name definition from the Kubernetes multi-cluster services API [1] (except for the shorter maximum length), and derives from the already implicit requirements due to the usage of the cluster name as: * a k8s label value [2] (for CiliumIdentities), * a hostname [3] when configuring the host aliases during clustermesh interconnection; * part of TLS certificates common name [4]. The goal of the explicit validation is to ensure that Cilium components fail to start with a clear error if the cluster name is invalid, rather than failing silently at a later stage. Given the above constraints, the vast majority of existing deployments are not expected to be affected by this change. Still, to enable users performing a smooth transition, we currently only emit an error log in case of invalid cluster names. The cluster name format will start being strictly enforced starting from the Cilium version. [1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api#proposal [2]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set [3]: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names [4]: https://stackoverflow.com/a/5142550 Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
c94af82 clustermesh, operator: slightly rework invoke function registration Directly register the target function, rather than creating a wrapper, both for simplicity, and to make a subsequent introduction of a new parameter in ClusterInfo.Validate transparent from this point of view. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
13d257f cilium, docs: Add performance profile recommendation Add a small summary to help guide users. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
4fda7ad cilium, docs: Add netkit section to performance doc Add a section on netkit. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
073a772 cilium, netkit: Add Helm support Add bpf.datapathMode to Helm, so that netkit can be selected as alternative to veth. Example via Cilium CLI: ./cilium-cli install --wait --chart-directory=install/kubernetes/cilium --helm-set=hubble.eventBufferCapacity=65535 --helm-set=bpf.monitorAggregation=none --helm-set=cluster.name=default --nodes-without-cilium --helm-set-string=kubeProxyReplacement=true --set='' --helm-set=image.repository=localhost:5000/cilium/cilium-dev --helm-set=image.useDigest=false --helm-set=image.tag=local --helm-set=image.pullPolicy=IfNotPresent --helm-set=operator.image.repository=localhost:5000/cilium/operator --helm-set=operator.image.suffix="" --helm-set=operator.image.tag=local --helm-set=operator.image.pullPolicy=IfNotPresent --helm-set=operator.image.useDigest=false --helm-set-string=bpf.datapathMode=netkit --helm-set=ipv6.enabled=true --helm-set=tunnelProtocol=geneve Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
895e7f9 cilium, loader: Unify tcx and netkit detach methods Both just remove the link file, therefore create a common helper. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
fbddb07 cilium, status: Add datapath mode to status Dump the status for the used device mode into cilium status, so that this is picked up by the sysdump. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
bd6ca1f cilium, bpf: Handle local Pod redirect for netkit under host routing The programs we attach via tcx on the physical devices are using bpf_redirect_peer() for inbound traffic into netkit device. Similarly, we use bpf_redirect_neigh() for the way out, pushing from netkit peer to phys device directly. For local Pod-Pod on the same node, it is slightly different in that as opposed to veth devices we do not use bpf_redirect_peer() to go from ingress->ingress since we're on egress for the case of netkit. Thus egress->egress needs to use the regular bpf_redirect(). From a performance PoV there is no difference since both cases need to go via per-CPU backlog once. The detection whether we are on ingress or egress side is based on the ingress_ifindex. In case of netkit, it is set to 0 shortly before via skb scrubbing. In case of tcx at the ingress side it's set to the host facing veth (> 0). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
51da8e2 cilium, loader: Wire-up netkit support Add a similar loading mechanism as we recently got with tcx, but for netkit attachments. Given both utilize bpf_mprog underneath the API looks very similar. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
6895341 cilium, connector: Add netkit connector Add netkit support to Cilium. netkit is a new, minimal BPF-programmable device we presented at LSF/MM/BPF, LPC and KubeCons some time ago. The core idea is that BPF programs are executed within the driver's xmit routine and therefore e.g. in case of containers/Pods moving BPF processing closer to the source. One of the goals was that in case of Pod egress traffic, this allows moving BPF programs from hostns tcx ingress into the device itself, providing earlier drop or forward mechanisms, for example, if the BPF program determines that the skb must be sent out of the node, then a redirect to the physical device can take place directly without going through the per-CPU backlog queue. This helps to shift processing for such traffic from softirq to process context, leading to better scheduling decisions/performance (see measurements in the slides). Going forward, we plan to use netkit devices in Cilium as the main device type for connecting Pods. They will be operated in L3 mode in order to simplify a Pod's neighbor management and the peer will operate in default drop mode, so that no traffic is leaving between the time when a Pod is brought up by the CNI plugin and programs attached by the agent. This PR supports both netkit operation modes with the L3 mode being the main/recommended one. Note: netkit in L3 mode has an all-zero mac, so the eth header has dst == src == zero mac, hence the tests for mac len in the template code as node mac is not needed/used. Also in L3 mode any ARP responder is compiled out as the Pod with netkit does not attempt to resolve mac addresses (it's a NOARP device). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20231024214904.29825-1-daniel@iogearbox.net Link: https://sched.co/1R2s5 07 June 2024, 22:00:37 UTC
5d7d6fd cilium, api: Extend daemon api for netkit mode Add netkit as well as netkit-l2 mode as another option next to veth. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
ce48c39 precheck: Avoid using unbounded io.ReadAll func Fixes: 48a9976a09015a0e411997780c8b260d59593071 Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 June 2024, 18:12:51 UTC
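Editorial example of the bounded-read pattern that commit ce48c39 refers to; it is added here by the editor and is neither part of the commit log nor Cilium's own code. An unbounded io.ReadAll grows its buffer until the reader returns EOF, so a large or endless input becomes a memory-exhaustion bug. The helper below (the name ReadAtMost and the limit values are the editor's assumptions) reads one byte past the limit through io.LimitReader so that over-long input is rejected rather than silently truncated:

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooLarge is returned when the input is longer than the caller's limit.
var ErrTooLarge = errors.New("input exceeds size limit")

// ReadAtMost reads at most limit bytes from r. Unlike a bare io.ReadAll, it
// cannot be driven into unbounded memory growth by a large or endless input.
// It reads limit+1 bytes through io.LimitReader so that an over-long input is
// detected and rejected instead of being silently truncated to limit bytes.
func ReadAtMost(r io.Reader, limit int64) ([]byte, error) {
	if limit < 0 {
		return nil, errors.New("negative limit")
	}
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrTooLarge
	}
	return data, nil
}

// endlessReader never returns EOF; it stands in for a misbehaving command or
// connection whose output has no natural end (constructed for this example).
type endlessReader struct{}

func (endlessReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

func main() {
	// Constructed inputs: a small payload that fits, and an endless stream
	// that would make an unbounded io.ReadAll grow until the process is OOM-killed.
	small := strings.NewReader("kernel 6.8 ok\n")

	if data, err := ReadAtMost(small, 64); err == nil {
		fmt.Printf("read %d bytes: %q\n", len(data), data)
	}
	if _, err := ReadAtMost(endlessReader{}, 1<<20); errors.Is(err, ErrTooLarge) {
		fmt.Println("endless input rejected:", err)
	}
}
```

The limit+1 trick matters: reading exactly limit bytes would return a truncated buffer with a nil error, and a caller would then parse incomplete data without noticing.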
48a9976 bugtool: Add post-processing masking function for Envoy This commit is to explicitly mask the below fields from Envoy config dump: - api_key (used in kafka L7 policy) - TLSContext (used in Cilium NetworkPolicy) One round of scanning on existing Cilium protobuf was done. Related docs: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--config_dump Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 June 2024, 15:20:19 UTC
568dbc5 bugtool: Add json masking function This commit is to add a generic json field masking based on the field name. Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 June 2024, 15:20:19 UTC
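Editorial example covering commits 568dbc5 (generic JSON masking by field name) and 48a9976 (masking api_key and TLSContext in the Envoy config dump); it is added by the editor and is not the commit log's or Cilium's code. It shows the shape such a masker takes: decode, walk every object and array recursively, replace the value of any member whose key is on the deny list, re-encode. The key set is taken from the commit message; case-insensitive matching, the placeholder text and the function names are the editor's assumptions:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sensitiveKeys lists object member names whose values are replaced before a
// dump leaves the node. The two names come from the bugtool commits above;
// case-insensitive matching and the placeholder text are this example's own choices.
var sensitiveKeys = map[string]struct{}{
	"api_key":    {},
	"tlscontext": {},
}

const redacted = "[redacted]"

// maskValue walks a decoded JSON value (map / slice / scalar) and replaces the
// value of every object member whose key matches sensitiveKeys, at any depth.
// The match is on the key only, so a whole TLSContext subtree (cert, key,
// trusted CA) is dropped in one go rather than field by field.
func maskValue(v any) any {
	switch t := v.(type) {
	case map[string]any:
		out := make(map[string]any, len(t))
		for k, child := range t {
			if _, hit := sensitiveKeys[strings.ToLower(k)]; hit {
				out[k] = redacted
				continue
			}
			out[k] = maskValue(child)
		}
		return out
	case []any:
		out := make([]any, len(t))
		for i, child := range t {
			out[i] = maskValue(child)
		}
		return out
	default:
		// strings, numbers, bools, nil: nothing to descend into
		return t
	}
}

// MaskJSON decodes doc, masks sensitive members and re-encodes the result.
// Invalid JSON is an error rather than being passed through, so a malformed
// dump can never leak unmasked.
func MaskJSON(doc []byte) ([]byte, error) {
	var v any
	if err := json.Unmarshal(doc, &v); err != nil {
		return nil, fmt.Errorf("mask: %w", err)
	}
	return json.Marshal(maskValue(v))
}

func main() {
	// Constructed stand-in for a fragment of an Envoy config dump; not real output.
	dump := []byte(`{"configs":[{"@type":"type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
	  "listeners":[{"name":"kafka","api_key":"AKIA-EXAMPLE","filters":[]},
	  {"name":"https","TLSContext":{"cert":"-----BEGIN CERT-----","key":"-----BEGIN PRIVATE KEY-----"}}]}]}`)
	out, err := MaskJSON(dump)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Matching on key name alone is deliberately coarse: a masker that only knows the schema of today's protobuf messages misses the next field that carries a secret, whereas a name-based walk catches it wherever it appears in the tree. The price is that the deny list must be maintained when new sensitive field names are introduced.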
4dc5898 k8s: cegp: Use ipv4 as validation format for EgressIP Instead of relying on a regex based kubebuilder validation pattern, use the ipv4 format to validate EgressIP field in CEGP. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 07 June 2024, 13:16:27 UTC
037623d egressgw: Stop CEGP parsing in case of non-empty invalid EgressIP EgressIP field of CiliumEgressGatewayPolicy spec is optional, but if specified, it is used to SNAT egress traffic. Being an optional parameter, no error is logged in case the conversion to netip.Addr fails, and the field is silently ignored. To inform the user of the failure in setting the requested egress IP, fail the CEGP parsing in case of an invalid non-empty egress IP. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 07 June 2024, 13:16:27 UTC
ec8e73a build(deps): bump tornado from 6.3.3 to 6.4.1 in /Documentation Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.3.3 to 6.4.1. - [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst) - [Commits](https://github.com/tornadoweb/tornado/compare/v6.3.3...v6.4.1) --- updated-dependencies: - dependency-name: tornado dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> 07 June 2024, 13:01:19 UTC
f056579 loader: remove datapathSHA256 datapathSHA256 was added in commit a530ac0b70 ("loader: Hash datapath objects and store results"). It is fed into the endpoint / template hash to ensure that templates are recompiled when bundled source code changes. Since at least 48591d8f42 ("loader: simplify template cache invalidation") the endpoint program cache doesn't reuse results from an older / different cilium process. This means that we're always using the correct source code by construction. Remove datapathSHA256 and related machinery. In the process of refactoring it turns out that we swallow errors from WriteNodeConfig in hashDatapath, which has so far obscured failing tests. The comment that writing to an in-memory hash is correct, but misleading. WriteNodeConfig also returns errors when certain devices are missing. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 07 June 2024, 11:06:27 UTC
c52bee9 clustermesh: periodically enforce cluster config presence Currently, we only write the cluster configuration once, when the clustermesh-apiserver starts and when kvstoremesh connects to a remote cluster. However, the cluster configuration presence is critical, as otherwise remote clusters cannot connect to the given cluster. Hence, let's introduce a periodic enforcement mechanism (every 5 minutes), to ensure that it gets eventually restored in case of external modifications or deletions (e.g., if the associated lease unexpectedly expires). No changes are performed in the cilium operator, as the configuration is already periodically enforced there. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 10:49:45 UTC
70b592f clustermesh: add {Get,Set}ClusterConfig unit tests Add basic unit tests to ensure the correct functioning of the GetClusterConfig and SetClusterConfig functions. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 10:49:45 UTC
9c5ad72 clustermesh: define reduced clusterConfigBackend interface Instead of using the generic kvstore.Backend interface, make explicit the two methods which are actually used, and simplify mocking them out for testing purposes. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 10:49:45 UTC
6079830 chore: replace straight quotes with backticks for commands and functions Signed-off-by: Shedrack Akintayo <akintayoshedrack@gmail.com> 07 June 2024, 10:43:18 UTC
99f8871 helm: Decouple sysctlfix from cgroup.autoMount Currently, the sysctlfix is only enabled when cgroup.autoMount is enabled, which is not a directly-related feature. This dependency is introduced because the host procfs mount is only enabled when cgroup.autoMount is enabled. Due to this limitation, we recently observed the issue that disabling cgroup.autoMount in an environment that runs systemd 245+ causes a connectivity loss between nodes in tunnel mode due to the rp_filter. To fix the above issue, introduce a new configuration knob to enable/disable sysctlfix individually. It is enabled by default. Fixes: #20643 Co-authored-by: Nick Young <inocuo@gmail.com> Signed-off-by: Yutaro Hayakawa <yhayakawa3720@gmail.com> 07 June 2024, 09:13:53 UTC
8401331 ci: l4lb: Don't hang on gathering logs forever It doesn't make sense to pass `--follow` when the container is still running, this will hang forever and fail to complete the remaining steps in the workflow. Remove the follow flag. Fixes: 93927457779d ("ci: l4lb: gather more infos about docker-in-docker issues") Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 08:41:17 UTC
3c3e769 bpf: use tail calls to run host firewall in cil_to_host To tackle the complexity issue introduced by the previous commit in cil_to_host in the bpf_host program, use the already existing CILIUM_CALL_IPV{4,6}_TO_HOST_POLICY_ONLY tail calls to handle the enforcement of the ingress host firewall policies. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 07 June 2024, 07:35:02 UTC
ee10671 bpf: allow policy verdict notifications in bpf_host 300236c ("Add the datapath filtering for policy verdict logs.") introduced a mechanism to generate policy verdict logs only if an endpoint has a network policy enforced on the direction of the traffic, to reduce the number of allow events that otherwise would have been notified in case of default allow policies. Unfortunately this logic doesn't take into account the case where send_policy_verdict_notify is called from the bpf_host program (e.g. Host Firewall policies), as POLICY_VERDICT_LOG_FILTER is always set to 0 for that program, resulting in no policy verdicts being notified. This change tries to address this by ignoring the filter if send_policy_verdict_notify is evaluated in the context of bpf_host. Moreover, to prevent a flood of notifications, the ones for default allow policies are ignored. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 07 June 2024, 07:35:02 UTC
4853fb1 bpf: Use __align_stack_8 on IPv6 structs LLVM 18 doesn't align these structs to 8 by default, and our memcpy implementation fails to pass the verifier when applied to these structs, because the verifier requires stack access to be aligned. Align all affected structs. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 07 June 2024, 07:33:31 UTC
4420034 Remove the unused LPM_LOOKUP_FN macro Since commit 7628b19e7313 ("bpf, ipcache: unconditionally assume support for LPM trie maps"), LPM_LOOKUP_FN is only used in its own test. Remove the macro and the test, as it's not used in any actual code, and it causes verifier errors when upgrading to LLVM 18: the verifier can't track a pointer spilled to a map (a global variable). Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 07 June 2024, 07:33:31 UTC
26e15dc docs: Document stable release timing We've recently been trending towards a process that looks something like this, with for instance a target date of the 15th and a stable branch cutoff date a week prior, such as the 8th (or an earlier weekday if it falls on a weekend). Document this in general terms without making hard commitments to ship or not ship any specific change, subject to the discretion of the release team. Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 02:56:57 UTC
acdd363 docs: Document feature release process Document the process that the Cilium release team typically follows around publishing prereleases and release candidates, and outline the expectations around feature freeze / thaw. Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 02:56:57 UTC
9c36c72 docs: Remove unrelated paragraph for releases This paragraph doesn't make sense in context of releases, as release management is a task for maintainers / committers of the project. Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 02:56:57 UTC
fbb1e8a docs: Fix organization docs flow This page referred to GitHub projects being used for tracking upcoming work, but in general we don't have mechanisms in the project to reliably track work in this manner. The projects tooling we were using is also being deprecated in favor of a newer tool in GitHub, so the links etc. will stop working soon. We can always re-introduce that wording if we find a good way to maintain and manage such projects. Additionally, there are some minor wording improvements we can make to the release cadence to clarify the statements according to the way we manage releases as a project. Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 02:56:57 UTC
df03e88 remove release scripts These scripts will only be available under github.com/cilium/release to avoid any confusion when performing releases. Signed-off-by: André Martins <andre@cilium.io> 07 June 2024, 01:47:19 UTC
129a200 remove unused files Signed-off-by: André Martins <andre@cilium.io> 07 June 2024, 01:47:19 UTC
55bf8fa Cleanup leftovers from node statuses in CNP/CCNP Fixes: #29590 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 06 June 2024, 19:25:24 UTC
4ee8ae5 bgp/configmap: remove unnecessary else statement Making BGP config-map settings similar to how the rest of the feature flags are deduced. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 06 June 2024, 19:24:40 UTC
c269031 iptables: Remove unneeded cell.Health param The cell.Health reporter is not needed anymore, since it is already provided to the job registered in the manager by the JobGroup. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 06 June 2024, 19:24:26 UTC
e1eb623 clustermesh: drop clustermesh/remoteCluster circular reference Currently, the remoteCluster struct holds a reference to the clustermesh object, leading to a sort of circular dependency. Let's simplify this by explicitly propagating only the necessary parameters, for improved separation and clarity. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 06 June 2024, 19:24:08 UTC
b43dd5f daemon: cleanup daemon fields This commit cleans up the fields from the daemon and daemonParams struct: - EgressGatewayManager (unused - removed from daemon and daemonParams) - HealthProvider (unused - removed from daemon and daemonParams) - DeviceManager (keep in daemonParams) - EndpointManager (set when initializing daemon struct) Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 06 June 2024, 19:23:50 UTC
6ece4c9 bpf: tests: add test for encrypted overlay Exercise the whole codepath in to-netdev that's needed for encrypted overlay. This allows us to validate the whole machinery of packet rewrites and IPsec-related context in the skb mark/cb. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 June 2024, 17:04:20 UTC
c55d352 bpf: tests: add helper to insert NODE_MAP entry This will be used in a subsequent patch. Also clean up the existing usage. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 June 2024, 17:04:20 UTC
b38d139 bpf: tests: add endpoint parameter for security identity Enable a subsequent patch to specify the security identity of an inserted endpoint. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 June 2024, 17:04:20 UTC
fec6a95 documentation: fix AKS note positioning Signed-off-by: Shedrack Akintayo <akintayoshedrack@gmail.com> Signed-off-by: Quentin Monnet <qmo@qmon.net> 06 June 2024, 15:19:19 UTC
378e881 documentation: embed eCHO episodes in Cilium docs Signed-off-by: Shedrack Akintayo <akintayoshedrack@gmail.com> Signed-off-by: Quentin Monnet <qmo@qmon.net> 06 June 2024, 15:19:19 UTC
38e1001 envoy: Bump envoy version to v1.29.5 This commit is to bump envoy version to v1.29.5 for below CVEs: - [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-hww5-43gv-35jv) - [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g979-ph9j-5gg4) - [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26) - [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-mgxp-7hhp-8299) - [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g9mq-6v96-cpqc) - [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m) - [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c) Upstream release: https://github.com/envoyproxy/envoy/releases/tag/v1.29.5 Signed-off-by: Tam Mach <tam.mach@cilium.io> 06 June 2024, 12:24:52 UTC
a3dafbd .github: fix renovate GitHub workflow config The renovate config had some errors, as pointed out by GitHub, this commit fixes the errors. Fixes: 38e90f3f15f0 ("Renovate SPIRE images in makefile values") Signed-off-by: André Martins <andre@cilium.io> 06 June 2024, 09:45:25 UTC
38e90f3 Renovate SPIRE images in makefile values This points the Renovate SPIRE update to the Makefile.values file. After the version update Renovate will run the Makefile to update the Helm charts. Signed-off-by: Maartje Eyskens <maartje@eyskens.me> 06 June 2024, 09:02:37 UTC
f1d7e56 Add Renovate GHA file This adds a file that is similar to the one in the cilium/tetragon repo to run a self hosted Renovate bot inside GitHub Actions Signed-off-by: Maartje Eyskens <maartje@eyskens.me> 06 June 2024, 09:02:37 UTC
65bdb0c Add validation on change of Renovate config This change adds a GHA to validate the Renovate configuration when it is changed inside a PR. This is analogous to the one in the Tetragon repository. Signed-off-by: Maartje Eyskens <maartje@eyskens.me> 06 June 2024, 09:02:37 UTC
5ee8be7 datapath: Deprecate trace reason REOPENED Datapath no longer returns a trace reason for REOPENED. Keep the Go symbol for compatibility with older datapaths, but rename it to mark it as deprecated. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 06 June 2024, 07:36:10 UTC