Revision Author Date Message Commit Date
f2ad82d chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 19 March 2024, 13:31:06 UTC
0bb579b bpf: Enable monitor aggregation for all events in bpf_network.c [ upstream commit 81f14bbd4ebe898c48a918822ed30fe42ed5620d ] This commit adjusts the usage of send_trace_notify in bpf_network.c to enable monitor aggregation for all events emitted at this observation point in the datapath. This change helps improve resource usage by reducing the overall number of events that the datapath emits, while still enabling packet observability with Hubble. The events in bpf_network.c enable observability into the IPSec processing of the datapath. Before this commit, multiple other efforts have been made to increase the aggregation of events related to IPSec to reduce resource usage, see #29616 and #27168. These efforts were related to packets that were specifically marked as encrypted or decrypted by IPSec and did not include events in bpf_network.c that were emitted when either: (a) a plaintext packet has been received from the network, or (b) a packet was decrypted and reinserted into the stack by XFRM. Both of these events are candidates for aggregation because similar to-stack events will be emitted down the line in the datapath anyway. Additionally, these events are mainly useful for root-cause analysis or debugging and are not necessarily helpful from an overall observability standpoint. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 16 March 2024, 12:49:03 UTC
7531e09 introduce ARM github workflows [ upstream commit 7a301a48c55c427714261e0686699fc2f63d2d31 ] This commit adds the GH workflow to run on arm machines. This effectively means that we can remove our travis integration and only use GH actions from now on. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 16 March 2024, 12:49:03 UTC
cebe45e cilium-dbg: New --stale flag for encrypt flush [ upstream commit 5eb27e25b38bc6d073e96835f674d0748176d49e ] [ backporter's note: replaced nodemap.LoadNodeMap() with the legacy nodemap.NodeMap().OpenOrCreate() ] [ backporter's note: changes applied to cilium/cmd/encrypt_flush.go rather than cilium-dbg/cmd/encrypt_flush ] This new flag will allow users to clean stale XFRM states and policies based on the node ID map contents. If XFRM states or policies are found with a node ID that is not in the BPF map, then we probably have a leak somewhere. Such leaks can lead in extreme cases to performance degradation when the number of XFRM states and policies grows large (and if using ENI or Azure IPAM). Having a tool to clean up these XFRM states and policies until the leak is fixed can therefore be critical. The new flag is incompatible with the --spi and --node-id filter flags. We first dump the XFRM rules and then dump the map content. In that way, if a new node ID is allocated while we're running the tool, we will simply ignore the corresponding XFRM rules. If a node ID is removed while running the tool, we will fail to remove the corresponding XFRM rules and continue with the others. Tested on a GKE cluster by adding fake XFRM states and policies that the tool was able to remove. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 16 March 2024, 12:49:03 UTC
c73aa10 cilium-dbg: Refactor confirmation message for encrypt flush [ upstream commit 5c2a67fcd306329abb8f5be0a7bac753141bfea6 ] [ backporter's note: changes applied to cilium/cmd/encrypt_flush.go rather than cilium-dbg/cmd/encrypt_flush ] This commit refactors the code a bit to simplify a later commit. No functional changes. This may be a bit excessive in commit splitting, but at least I can claim my last commit is free of any refactoring :sweat_smile: Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 16 March 2024, 12:49:03 UTC
c1d924d cilium-dbg: Don't fatal on XFRM rule deletion errors [ upstream commit 927969b247ed8f8b499988274a23e8ca2da42346 ] [ backporter's note: changes applied to cilium/cmd/encrypt_flush.go rather than cilium-dbg/cmd/encrypt_flush ] This commit slightly changes the behavior of the "encrypt flush" command in case of errors when trying to delete XFRM rules. The tool currently lists rules, filters them based on user-given arguments, and then deletes them. If an XFRM rule is deleted by the agent or the user while we're filtering, the deletion will fail. The current behavior in that case is to fatal. On busy clusters, that might mean that we always fatal because XFRM states and policies are constantly added and removed. This commit changes the behavior to proceed with subsequent deletions in case one fails. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 16 March 2024, 12:49:03 UTC
c1afdbc cni: use default logger with timestamps. [ upstream commit a099bf1571f1a090ccfd6ccbba545828a6b3b63c ] [ backporter's note: changes applied to plugins/cilium-cni/main.go rather than plugins/cilium-cni/cmd/cmd.go ] Unlike runtime agent/operator logs, CNI logs are just written to disk, so we have no way to attach timestamps to them. This makes it harder to debug CNI issues, as we have no way to correlate when things happened between agent logs and CNI events. This switches CNI to use the same default logger, except with timestamps enabled. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 16 March 2024, 12:49:03 UTC
0e97258 loader: fix cancelled context during compile logging errors. [ upstream commit 70b405f32018af84ad8221e4bafb223a70c23736 ] [ backporter's note: replaced errors.Join with fmt.Errorf ] On Linux/Unix based implementations, exec/cmd.Run will return either context.Canceled or the error "signal: killed" depending on whether the cancellation occurred while the process was running. There are several places where we check `errors.Is(err, context.Canceled)` to decide whether to emit high-level logs about failed program compilations. Because an already running cmd.Run() doesn't return an error that satisfies this, this will result in spurious error logs about failed compilation (i.e. "signal: killed"). This meant that in cases where a compilation is legitimately cancelled, we would still log an error such as msg="BPF template object creation failed" ... error="...: compile bpf_lxc.o: signal: killed" This can occur occasionally in CI, which enforces no error to pass, causing failures. Example:
```go
package main

import ("context"; "fmt"; "os/exec"; "time")

func main() {
	// Cancelled while the child is running: cmd.Run() returns "signal: killed".
	ctx, c := context.WithTimeout(context.Background(), time.Second)
	go func() { time.Sleep(time.Second); c() }()
	cmd := exec.CommandContext(ctx, "sleep", "2")
	fmt.Println(cmd.Run())
	// Cancelled before the child starts: cmd.Run() returns context.Canceled.
	ctx, c = context.WithTimeout(context.Background(), time.Second)
	c()
	cmd = exec.CommandContext(ctx, "sleep", "2")
	fmt.Println(cmd.Run())
}
```
To fix this, this will join in ctx.Err() if: * it is context.Canceled, * the process has not exited by itself, and * the process appears to have been SIGKILL'ed. Addresses: #30991 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 16 March 2024, 12:49:03 UTC
ae1e87d node: correctly propagate source for CiliumInternalIP ipcache metadata Upon reception of a node update event, we first upsert the CiliumInternalIP address into the ipcache, and then associate it with the relevant metadata (i.e., labels) based on the identity. However, while the first upsertion propagates the source from the triggering event (e.g., custom-resource or kvstore), the latter hard-codes the source depending on the identity: local if ID=host, and custom-resource if ID=custom-resource. This hard-coded value is problematic in two main cases: * When kvstore is used, as the kvstore source has higher precedence than the custom-resource one. This means that the ipcache upsertion subsequently triggered by InjectLabels gets aborted as it has lower priority, causing an increase in the ipcache_errors_total metric at best, and possible policy issues otherwise. * When --enable-remote-node-identity=false, that is, remote node identities are disabled, remote nodes are associated with the host identity. Based on the hard-coded values mentioned above, the metadata is then associated with source=local. In turn, this will prevent any further updates for that node from the CRDs or kvstore from taking effect, as they have lower priority. Hence, stale information (e.g., tunnel endpoint and key ID) continues to be used upon subsequent changes. Let's fix this by correctly propagating the source during metadata upsertion as well, matching the behavior of ipcache upsertion. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 March 2024, 12:46:41 UTC
0e17ebb gha: checkout target branch instead of the default one [ upstream commit 6716a9c01b69d88da0c3316fe8b3640180bbafb1 ] Currently, the GHA workflows running tests triggered on pull_request and/or push events initially checkout the default branch to configure the environment variables, before retrieving the PR head. However, this is problematic on stable branches, as we then end up using the variables from the default (i.e., main) branch (e.g., Kubernetes version, Cilium CLI version), which may not be appropriate here. Hence, let's change the initial checkout to retrieve the target (i.e., base) branch, falling back to the commit in case of push events. This ensures that we retrieve the variables from the correct branch, and matches the behavior of Ariane triggered workflows. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 March 2024, 12:33:35 UTC
b6831d2 gha: don't wait for kind clusters to become ready [ upstream commit 39637d6d2385baab556078d844f431522d99f616 ] They will never, because no CNI is present at that point. Hence, let's just avoid wasting one minute waiting for the timeout to expire. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 March 2024, 12:33:35 UTC
80bb011 gha: migrate workflows to use the global kind-related variables [ upstream commit aabdfa73d3d83edda3935277bd08c4c4c0bf5b68 ] Let's switch all the workflows over to using the globally defined kind-related variables, and remove the workflow specific definitions. This also addresses a few cases which didn't specify any version. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 March 2024, 12:33:35 UTC
3e673e3 gha: centralize kind version and image definition in set-env-variables [ upstream commit 394b3de26a4e2235ec25399861e12886b507f335 ] [ backporter's notes: edited the KIND_K8S_IMAGE value to match the latest supported version in the v1.13 branch ] Let's define kind-related variables (i.e., version, k8s image and k8s version) inside the set-env-variables action. Once all consumers have been migrated through the subsequent commit, this will ensure consistency across workflows, and simplify version bumps as well as the introduction of new workflows depending on them. One extra byproduct is that renovate updates will also stop requesting reviews from all the different teams owning each specific workflow. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 March 2024, 12:33:35 UTC
120cb4c gha: drop unused check_url environment variable [ upstream commit e17cf21d9720493766c9f1d12c2d75c842f26e86 ] This variable used to be used in combination with the Sibz/github-status-action action, which we replaced with myrotvorets/set-commit-status-action when reworking the workflows to be triggered by Ariane [1]. Given it is now unused, let's get rid of the leftover environment variable, so that we also stop copying it to new workflows. [1]: 9949c5a1891a ("ci: rework workflows to be triggered by Ariane") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 16 March 2024, 12:33:35 UTC
c6c14ae install: Update image digests for v1.13.13 Generated from https://github.com/cilium/cilium/actions/runs/8287875693. `docker.io/cilium/cilium:v1.13.13@sha256:861772857f72bf9cf7b1bab95b3a3c5dc5de1c18c26cfffd4f4dea095ce1a59c` `quay.io/cilium/cilium:v1.13.13@sha256:861772857f72bf9cf7b1bab95b3a3c5dc5de1c18c26cfffd4f4dea095ce1a59c` `docker.io/cilium/clustermesh-apiserver:v1.13.13@sha256:9f7a4a3f696f43e170b28d16e0e98d3c9d53b6f6a634bcae4c049839f6fa001d` `quay.io/cilium/clustermesh-apiserver:v1.13.13@sha256:9f7a4a3f696f43e170b28d16e0e98d3c9d53b6f6a634bcae4c049839f6fa001d` `docker.io/cilium/docker-plugin:v1.13.13@sha256:d04a8d96204d8f32f46b7bbb9e9329fc82dbc9f8197eddc39cb10915c16c97d4` `quay.io/cilium/docker-plugin:v1.13.13@sha256:d04a8d96204d8f32f46b7bbb9e9329fc82dbc9f8197eddc39cb10915c16c97d4` `docker.io/cilium/hubble-relay:v1.13.13@sha256:19348701926a6c4a2e502e8aa185ffa147368ee1e93d2f4c9e1d451b9f81b153` `quay.io/cilium/hubble-relay:v1.13.13@sha256:19348701926a6c4a2e502e8aa185ffa147368ee1e93d2f4c9e1d451b9f81b153` `docker.io/cilium/operator-alibabacloud:v1.13.13@sha256:847301ce51b1e6c3f61adddbd051c7832847dcd1df0ed2d37d2262f4c73d9880` `quay.io/cilium/operator-alibabacloud:v1.13.13@sha256:847301ce51b1e6c3f61adddbd051c7832847dcd1df0ed2d37d2262f4c73d9880` `docker.io/cilium/operator-aws:v1.13.13@sha256:166c232bb82f211e0405c7bd52e3a4c5ffc70c4b6b7c1444e2d92b5eefb52abd` `quay.io/cilium/operator-aws:v1.13.13@sha256:166c232bb82f211e0405c7bd52e3a4c5ffc70c4b6b7c1444e2d92b5eefb52abd` `docker.io/cilium/operator-azure:v1.13.13@sha256:a78a74ff804d82189144505a40841426a40edd499dd2973aae163c6450d5df2c` `quay.io/cilium/operator-azure:v1.13.13@sha256:a78a74ff804d82189144505a40841426a40edd499dd2973aae163c6450d5df2c` `docker.io/cilium/operator-generic:v1.13.13@sha256:42ca3f1a6a5ca1312119418c98d8e2b989c56e2a979da3b8c1a0d1961a78e40c` `quay.io/cilium/operator-generic:v1.13.13@sha256:42ca3f1a6a5ca1312119418c98d8e2b989c56e2a979da3b8c1a0d1961a78e40c` `docker.io/cilium/operator:v1.13.13@sha256:58d909aa2c788c58392e54c0877948b632598493e37a46a91cc324ec5d297618` `quay.io/cilium/operator:v1.13.13@sha256:58d909aa2c788c58392e54c0877948b632598493e37a46a91cc324ec5d297618` Signed-off-by: Tim Horner <timothy.horner@isovalent.com> 15 March 2024, 13:34:13 UTC
ca1af73 Prepare for release v1.13.13 Signed-off-by: Tim Horner <timothy.horner@isovalent.com> 13 March 2024, 21:52:50 UTC
a58e3f4 images: update cilium-{runtime,builder} Signed-off-by: André Martins <andre@cilium.io> 12 March 2024, 19:50:22 UTC
bade091 images: bump cni plugins to v1.4.1 The result of running ``` images/scripts/update-cni-version.sh 1.4.1 ``` Signed-off-by: André Martins <andre@cilium.io> 12 March 2024, 19:50:22 UTC
5f086f7 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 12 March 2024, 12:42:23 UTC
7a03059 chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 77906da Signed-off-by: renovate[bot] <bot@renovateapp.com> 12 March 2024, 12:42:23 UTC
57722a2 chore(deps): update hubble cli to v0.13.2 Signed-off-by: renovate[bot] <bot@renovateapp.com> 12 March 2024, 12:41:49 UTC
a325017 Bump google.golang.org/protobuf (v1.13) Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> 11 March 2024, 21:23:45 UTC
739e2f0 chore(deps): update stable lvh-images Signed-off-by: renovate[bot] <bot@renovateapp.com> 11 March 2024, 13:34:48 UTC
3956694 chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 11 March 2024, 13:33:34 UTC
5d4789c bugtool: Capture memory fragmentation info from /proc [ upstream commit 1c3a17f672f6da2332b3731329aead13b3c17e22 ] This information can be useful to understand why memory allocation in the kernel may fail (e.g. for maps or for XFRM). I've checked that these two files are accessible from a typical cilium-agent deployment (on GKE). Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 11 March 2024, 08:23:48 UTC
afca4ee Update kafka-sw-gen-traffic.sh [ upstream commit 7a5a4295f8ca75a21e57969ef01a4926641c2ce1 ] Fixed `kubectl exec` syntax Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 11 March 2024, 08:23:48 UTC
501b20d k8s_install.sh: specify the CNI version [ upstream commit f92b528abc30a5c66ba80d5922d4e58c48cfe7e1 ] The CNI version should be specified so that, in case we have to fall back to installing k8s via binaries, it doesn't fail with the error: ``` 10:29:25 k8s1-1.25: gzip: stdin: not in gzip format 10:29:25 k8s1-1.25: tar: Child returned status 1 10:29:25 k8s1-1.25: tar: Error is not recoverable: exiting now ``` Fixes: ce69afdc3ad1 ("add support for k8s 1.25.0") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 08 March 2024, 12:16:21 UTC
317016f envoy: Bump golang version to 1.21.8 This is to pick up the new image with updated golang version, and other dependency bump. Related commit: https://github.com/cilium/proxy/commit/bbde4095997ea57ead209f56158790d47224a0f5 Related build: https://github.com/cilium/proxy/actions/runs/8179371187/job/22365308893 Signed-off-by: Tam Mach <tam.mach@cilium.io> 08 March 2024, 01:19:10 UTC
e373380 patches: Call upstream callbacks via UpstreamFilterManager Envoy has moved the encodeHeaders() call to a new call path in the upstream decoder filter. Move the upstream callbacks iteration call there to be just before the encodeHeaders() call, and call the iteration via UpstreamFilterManager so that the callbacks registered in the downstream filter manager are used. Call sendLocalReply also via the UpstreamFilterManager to have its local state updated properly for upstream processing. One more note compared to the patches for 1.27+: the encodingHeader() call is still available in onPoolReady(), so we should move our patch on calling iterateUpstreamCallbacks() after. Relates: https://github.com/envoyproxy/envoy/pull/26916/files#r1176556258 Related commit: https://github.com/cilium/proxy/commit/860c2219c1d3a0e531c36bd2171d0b1678bba530 Related build: https://github.com/cilium/proxy/actions/runs/8156758309/job/22298887449 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 March 2024, 13:15:44 UTC
c743b68 proxy: also install from-ingress-proxy rules with per-EP routing This is a v1.13-only patch, the closest upstream equivalent is 217ae4f ("Re-introduce 2005 route table"). It slightly differs from the v1.14 variant 579d0a4ff7f5 ("proxy: also install from-ingress-proxy rules with per-EP routing"), as for v1.13 we had only merged 4c441ab536a1 ("datapath: remove 2005 route table for ipv4 only"). Thus IPv6 is still using the 2005 rule, and we want to preserve existing behaviour as much as possible. In a config with per-EP routes, we therefore only install the 2005 rule for IPv6 when IPsec strictly requires it. Egressing traffic would usually get routed straight to eth0. Install the 2005 rule to divert the traffic into cilium_host first. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
840cdf1 bpf: host: also handle from-egress proxy traffic [ upstream commit e96e9cd7542063ac6314f76c492e5b1ef41ee639 ] The from-host path already knows how to handle traffic that comes from the ingress proxy. Extend this logic to also cover traffic that originates from the egress proxy. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
8bcd7ca datapath: disable net.ipv4.ip_early_demux for IPsec + L7 proxy [ upstream commit 5201896e0a393ec4199cf9b5be4ebac6374be12a ] [ backporter's notes: this is a backport to pre-cell iptables ] After forward traffic for an egress proxy connection has traversed through cilium_host / cilium_net, we expect IPsec-marked packets to get handled by xfrm. This currently conflicts with early demux, which matches the connection's transparent socket and assigns it to the packet: ``` // https://elixir.bootlin.com/linux/v6.2/source/net/ipv4/tcp_ipv4.c#L1770 int tcp_v4_early_demux(struct sk_buff *skb) { ... sk = __inet_lookup_established(net, net->ipv4.tcp_death_row.hashinfo, iph->saddr, th->source, iph->daddr, ntohs(th->dest), skb->skb_iif, inet_sdif(skb)); if (sk) { skb->sk = sk; ... } ``` It then gets dropped in ip_forward(), before reaching xfrm: ``` // https://elixir.bootlin.com/linux/v6.2/source/net/ipv4/ip_forward.c#L100 int ip_forward(struct sk_buff *skb) { ... if (unlikely(skb->sk)) goto drop; ... } ``` To avoid this we disable early-demux in an L7 + IPsec config. Note that the L7 proxy feature needs to deal with similar troubles, as the comment for inboundProxyRedirectRule() describes. Ideally we would build a similar solution for IPsec, diverting traffic with policy routing so that it doesn't get intercepted by early-demux. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
298fa33 iptables: preserve encrypt mark for egress proxy forward traffic [ upstream commit f018b20e9ef6c28bc37a94112b53ed9ad6890534 ] Once forward traffic for an egress proxy connection has traversed through cilium_host / cilium_net, we expect IPsec-marked packets to get handled by xfrm. But this currently conflicts with an iptables rule for the proxy's transparent socket, which then overwrites the mark: -A CILIUM_PRE_mangle -m socket --transparent -m comment --comment "cilium: any->pod redirect proxied traffic to host proxy" -j MARK --set-xmark 0x200/0xffffffff We can avoid this by adding an extra filter to this rule, so that it doesn't match IPsec-marked packets. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
c22e2fb bpf: host: skip from-proxy handling in from-netdev [ upstream commit d4b81c03dbdb25f3f51d90149097669c31d0d59d ] from-proxy traffic gets redirected to cilium_host. Skip the proxy paths when handle_ipv*_cont() is included by from-netdev. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
e3c78d0 iptables: filter table accepts from-proxy packets [ upstream commit 244a5e93f0be099a3c59ee8f87fdfd26849a6de7 ] GKE has DROP policy for filter table, so we have to explicitly accept proxy traffic. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
6ffa5da proxy: opt-out from SNAT for L7 + Tunnel for some scenarios [ upstream commit 9fbd5a814b47131887661748996d876f541da3b8 ] Currently the L7 proxy performs SNAT for traffic when tunnel routing is enabled, even for cluster-internal traffic. This prevents cilium_host from detecting pod-level traffic, and we thus can't apply features. Modify SupportsOriginalSourceAddr(), so that the proxy doesn't SNAT such traffic when some conditions are met. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
519df25 pkg: proxy: only install from-proxy rules/routes for native routing [ upstream commit 0ebe5162373c00f85e7ae43d0bc5d474fa08c485 ] [ backporter's notes: this is a custom backport to init.sh. Only apply the change to IPv4 rules. ] With tunnel routing, traffic to remote pods already flows via cilium_host. This is sufficient for what IPsec requires. Thus currently only native routing requires the custom redirect logic for from-ingress proxy traffic. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
e2c757a bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic [ upstream commit d2f1ea09b48416805600c8524443468ea4ffdaaf ] With https://github.com/cilium/cilium/pull/29530 in place, we now also divert proxy traffic to cilium_host when per-EP routes are enabled. But we potentially still need to deliver this traffic to a local endpoint - say for a pod-to-pod connection on the same node, with the L7 proxy in between. In a configuration with per-EP routes but no BPF Host-Routing, l3_local_delivery() transfers the source identity to the skb->mark and redirects to bpf_lxc, where the to-container program handles the packet. If we transfer the packet with MARK_MAGIC_IDENTITY, to-container will look up the network policy and redirect to the L7 proxy *again*. Thus we need to fully restore the proxy's actual mark, so that to-container's inherit_identity_from_host() call finds the expected magic ID. It then sets the TC_INDEX_F_FROM_INGRESS_PROXY flag, and skips the redirect to the L7 proxy. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
9141129 bpf: work around scrubbing of skb->mark during veth transition [ upstream commit 3a93b00269b1fb762b2c9f98ab67a6ed3a333dda ] Previously we set skb->mark in from_host@cilium_host, expecting the mark to remain unchanged after the kernel transmits the skb from cilium_host to cilium_net. The skb->mark is for instance used to transport IPsec-related information. However, as of 2023-10-19, kernel 5.10 still misses the backport patch[1] to fix a bug in skb_scrub_packet() which clears skb->mark for veth_xmit even if the veth pair is under the same netns: https://elixir.bootlin.com/linux/v5.10.198/source/include/linux/netdevice.h#L3975 To avoid hitting this issue, this patch sets metadata in skb->cb to survive skb_scrub_packet(), so that to_host@cilium_net can retrieve this info and set the proper mark. Only from_host bpf is setting cb, while from_lxc bpf is still using mark. [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff70202b2d1a ("dev_forward_skb: do not scrub skb mark within the same name space") Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
224a481 bpf_host can handle packets passed from L7 proxy [ upstream commit e78ff1690e4ab862057a6aefe5f0729340694254 ] Previously https://github.com/cilium/cilium/pull/25440 removed bpf_host's logic for host-to-remote-pod packets. However, we recently realized such host-to-remote-pod traffic can also be pod-to-pod traffic passing through the L7 proxy. This commit makes bpf_host capable of handling these host-to-remote-pod packets as long as they originate from the L7 proxy. Fixes: cilium/cilium#25440 Suggested-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
86a2536 Re-introduce 2005 route table [ upstream commit 217ae4f64183ce5112633338c88af2f16dfa8a14 ] [ backporter's notes: this is a custom backport to init.sh ] This commit re-introduces the 2005 routes that were removed by https://github.com/cilium/cilium/commit/9dd6cfcdf4406938c35c6ce2e8cc38fb5f2e9ea8 (datapath: remove 2005 route table for ipv6 only) and https://github.com/cilium/cilium/commit/c1a0dba3c0c79dc773ed9a9f75d5aa87b30f44f0 (datapath: remove 2005 route table for ipv4 only). Signed-off-by: Robin Gögge <r.goegge@gmail.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
d46edac Allow proxy replies to WORLD_ID [ upstream commit ac6385637a7bc39ec636e3808d3a5e9c13cb3c0e ] This is an alternative approach to fix cilium/cilium#21954, so that we can re-introduce the 2005 from-proxy routing rule in the following patches to fix L7 proxy issues. This commit simply allows packets to WORLD as long as they are from the ingress proxy. This was one of the solutions suggested by Martynas, as recorded in commit message cilium/cilium@c534bb7: One fix was to extend the troublesome check https://github.com/cilium/cilium/blob/v1.12.3/bpf/bpf_host.c#L626 by allowing proxy replies to `WORLD_ID`. To tell if an skb originated from the ingress proxy, the commit extends the semantics of the existing flags `TC_INDEX_F_SKIP_{INGRESS,EGRESS}_PROXY`, and renames the flags to clarify the changed meaning. Fixes: cilium/cilium#21954 (Reply from pod to outside is dropped when L7 ingress policy is used) Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
13f2d90 bpf: remove redundant IPcache lookup in from-host path [ upstream commit 99786beebba63e5e3c01533db027c8e17b820da4 ] [ backporter's notes: needed to resolve complexity issues in subsequent patches ] We first look up the destination endpoint to check for tunnel redirection, and then look it up a second time to access its sec_label and IPSec key. Make the first look-up unconditional, so that we can remove the second. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2024, 12:36:18 UTC
64b9041 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 07 March 2024, 11:18:44 UTC
6eaf493 chore(deps): update go to v1.21.8 Signed-off-by: renovate[bot] <bot@renovateapp.com> 07 March 2024, 11:18:44 UTC
9235263 chore(deps): update stable lvh-images Signed-off-by: renovate[bot] <bot@renovateapp.com> 07 March 2024, 11:18:10 UTC
1b06a5c chore(deps): update kindest/node docker tag to v1.27.11 Signed-off-by: renovate[bot] <bot@renovateapp.com> 05 March 2024, 21:05:29 UTC
8fdd9d4 chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 05 March 2024, 17:21:07 UTC
1a6200e ci/ipsec: Fix downgrade version retrieval [ upstream commit 6fee46f9e7531fd29ed290d5d4024dd951635e88 ] [ backporter's note: - test-e2e-upgrade doesn't exist on this branch. Remove it. - Minor conflict in tests-clustermesh-upgrade.yaml ++<<<<<<< HEAD + if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then + SHA="${{ inputs.SHA }}" + else + SHA="${{ github.sha }}" + fi ++======= + CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh stable) + echo "downgrade_version=${CILIUM_DOWNGRADE_VERSION}" >> $GITHUB_OUTPUT ++>>>>>>> 20a5826c31 (ci/ipsec: Fix downgrade version retrieval) ] Figuring out the right "previous patch release version number" to downgrade to in print-downgrade-version.sh turns out to be more complex than expected [0][1][2][3]. This commit is an attempt to 1) fix issues with the current script and 2) overall make the script clearer, so we can avoid repeating these mistakes. As for the fixes, there are two things that are not correct with the current version. First, we're trying to validate the existence of the tag to downgrade to, in case the script runs on top of a release preparation commit for which the VERSION file has been updated to a value that does not yet have a corresponding tag. This part of the script is actually OK, but not the way we call it in the IPsec workflow: we use "fetch-tags: true" but "fetch-depth: 0" (the default), and the two are not compatible; a shallow clone results in no tags being fetched. To address this, we retrieve the tag differently: instead of relying on "fetch-tags" from the workflow, we call "git fetch" from the script itself, provided the preconditions are met (we only run it from a Git repository, if the "origin" remote is defined). If the tag exists, either locally or remotely, then we can use it. Otherwise, the script considers that it runs from a release preparation Pull Request, and decrements the patch release number. The second issue is that we would return no value from the script if the patch release is zero. This is to avoid any attempt to find a previous patch release when working on a development branch. However, this logic is incorrect (it comes from a previous version of the script where we would always decrement the patch number). After the first release of a new minor version, it's fine to have a patch number at 0. What we should check instead is whether the version ends with "-dev". This commit brings additional changes for clarity: more comments, and a better separation between the "get latest patch release" and "get previous stable branch" cases, moving the relevant code to independent functions, plus better argument handling. We also edit the IPsec workflow to add some logs about the version retrieved. The logs should also display the script's error messages, if any, that are printed to stderr. Sample output from the script: VERSION Tag exists Prevous minor Previous patch release 1.14.3 Y v1.13 v1.14.3 1.14.1 Y v1.13 v1.14.1 1.14.0 Y v1.13 v1.14.0 1.14.1-dev N v1.13 <error> 1.15.0-dev N v1.14 <error> 1.13.90 N v1.12 v1.13.89 <- decremented 2.0.0 N <error> <error> 2.0.1 N <error> v2.0.0 <- decremented 2.1.1 N v2.0 v2.1.0 <- decremented [0] 56dfec2f1ac5 ("contrib/scripts: Support patch releases in print-downgrade-version.sh") [1] 4d7902f54a74 ("contrib/scripts: Remove special handling for patch release number 90") [2] 5581963cbf94 ("ci/ipsec: Fix version retrieval for downgrades to closest patch release") [3] 3803f539a740 ("ci/ipsec: Fix downgrade version for release preparation commits") Fixes: 3803f539a740 ("ci/ipsec: Fix downgrade version for release preparation commits") Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 01 March 2024, 07:42:08 UTC
7bdb565 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 27 February 2024, 10:57:58 UTC
d1f1f8f chore(deps): update go to v1.21.7 Signed-off-by: renovate[bot] <bot@renovateapp.com> 27 February 2024, 10:57:58 UTC
7ff0fe4 chore(deps): update quay.io/lvh-images/kind docker tag to v6.6-20240221.111541 Signed-off-by: renovate[bot] <bot@renovateapp.com> 27 February 2024, 09:57:51 UTC
03c9bce images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 26 February 2024, 15:28:02 UTC
71e9e31 chore(deps): update all-dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 26 February 2024, 15:28:02 UTC
32245ff chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 26 February 2024, 14:34:07 UTC
581e3d8 ci: Restrict running tests to only the organization-members team [ upstream commit b19321e0274cc168295e0c270275f0f835bbe2ae ] This commit updates the Ariane configuration to include the GitHub organization team 'organization-members' in the list of allowed teams. Consequently, only members of this specific team will have the authorization to initiate test runs via issue comments. Signed-off-by: Birol Bilgin <birol@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 20 February 2024, 16:31:43 UTC
e79ba13 ci: change ariane config codeowners [ upstream commit bb81c06cb6a58251fb0aa966b89a52b457795433 ] The current process delegates the review of ariane-config.yaml changes to the contributing group. With this commit, reviewing responsibilities are transferred to the github-sec and ci-structure groups. Signed-off-by: Birol Bilgin <birol@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 20 February 2024, 16:31:43 UTC
8d7fda3 ci: Update tested K8S versions across all cloud providers [ upstream commit 14d68f20830dd286be2c9710c0a10fb823ad019d ] This commit revises the Kubernetes versions tested for compatibility across all supported cloud providers. Additionally, it adjusts the default Kubernetes version to match the default version provided by each cloud provider. Signed-off-by: Birol Bilgin <birol@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 20 February 2024, 16:31:43 UTC
e79f2a6 ci: Address AKS release cycle gap [ upstream commit d7f5e58d55d77d5ad8e15cb7e564828ac6bf96ee ] In the AKS release cycle, a gap exists between the introduction of new supported Kubernetes versions and the removal of older versions, leading to failures in scheduled tests. This PR introduces the capability to disable older Kubernetes versions, mitigating test failures. Signed-off-by: Birol Bilgin <birol@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 20 February 2024, 16:31:43 UTC
ec1642a Network performance: fix native routing case [ upstream commit dc6cf34a32859c78fe41252ed095895d31bab9f8 ] While fixing one of the review comments in PR that introduced this test, I changed datapath mode to be explicitly set from matrix.mode. Unfortunately, setting `native` makes it actually use `tunneling` mode. Switching to `gke` mode resolves this issue. Fixes #30247 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 20 February 2024, 16:31:43 UTC
6ce6f9a workflows: Clean IPsec test output [ upstream commit 3c479d406ab1abc548b317f02ab2ccd1a3bb20ef ] The test output are riddled with logs such as: Defaulted container "cilium-agent" out of: cilium-agent, config (init), mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), clean-cilium-state (init), install-cni-binaries (init) This gets particularly noisy when waiting for the key rotation to complete, during which time we run kubectl exec repeatedly. This commit fixes it. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 18 February 2024, 14:28:55 UTC
9cbfa2d docs: Document XfrmInStateInvalid errors [ upstream commit c19a84ef74a57ccbed4ed6ecdf810cf0c030e689 ] This error can happen if a state is being destroyed while packets are in flight. It should be rare as the window in the kernel where it can happen is very short. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 18 February 2024, 14:28:55 UTC
00e921b e2e: replace 6.0 with 6.1 6.0 is EOL and therefore not built anymore. Switch to the next newer LTS which is 6.1. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 17 February 2024, 12:00:46 UTC
2514b91 ipsec-e2e: update lvh images LVH images haven't been updated since April, probably because of missing renovate annotations. Update them manually and add the annotations. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 17 February 2024, 12:00:46 UTC
0f3330b workflows: replace references to bpf-next with current LTS We currently don't update bpf-next kernels, since we don't want to cause additional regressions. This is a problem since lvh updates may break existing images. Instead of relying on bpf-next, use the current LTS kernel in workflows. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 17 February 2024, 12:00:46 UTC
3aa3983 chore(deps): update stable lvh-images Signed-off-by: renovate[bot] <bot@renovateapp.com> 17 February 2024, 12:00:46 UTC
7535364 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 17 February 2024, 08:27:42 UTC
031e75d chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e9569c2 Signed-off-by: renovate[bot] <bot@renovateapp.com> 17 February 2024, 08:27:42 UTC
8ee4ba2 chore(deps): update all github action dependencies to v4 Signed-off-by: renovate[bot] <bot@renovateapp.com> 15 February 2024, 23:50:50 UTC
87d2bff install: Update image digests for v1.13.12 Based on https://github.com/cilium/cilium/actions/runs/7893881735. I had to copy these digests manually because image-digest-output.txt-v1.13.12 was empty. ## Docker Manifests ### cilium `docker.io/cilium/cilium:v1.13.12@sha256:d99204aa7b3b7bd2c9ab47fd398cc9f40290799bc0c7a4386c8dc5c1780cd3d3` `quay.io/cilium/cilium:v1.13.12@sha256:d99204aa7b3b7bd2c9ab47fd398cc9f40290799bc0c7a4386c8dc5c1780cd3d3` ### clustermesh-apiserver `docker.io/cilium/clustermesh-apiserver:v1.13.12@sha256:f1b1d0a85bab65e7d6adc90d000513a56ac58bdb071aa391a8580d73d20e6b6a` `quay.io/cilium/clustermesh-apiserver:v1.13.12@sha256:f1b1d0a85bab65e7d6adc90d000513a56ac58bdb071aa391a8580d73d20e6b6a` ### docker-plugin `docker.io/cilium/docker-plugin:v1.13.12@sha256:142822829c4bccd315e6b21262b9de9084c4913420a28bedb1209fa1f3e6bdb9` `quay.io/cilium/docker-plugin:v1.13.12@sha256:142822829c4bccd315e6b21262b9de9084c4913420a28bedb1209fa1f3e6bdb9` ### hubble-relay `docker.io/cilium/hubble-relay:v1.13.12@sha256:01b23ea40bcd81145dde6bfcbfc4d542749d08c2a1c6348954c85123a8d2b1fc` `quay.io/cilium/hubble-relay:v1.13.12@sha256:01b23ea40bcd81145dde6bfcbfc4d542749d08c2a1c6348954c85123a8d2b1fc` ### operator-alibabacloud `docker.io/cilium/operator-alibabacloud:v1.13.12@sha256:56fbfd0fb9ba239191cff2daf60b09e7f6b296622d0bdd5247ee535b9fe526c5` `quay.io/cilium/operator-alibabacloud:v1.13.12@sha256:56fbfd0fb9ba239191cff2daf60b09e7f6b296622d0bdd5247ee535b9fe526c5` ### operator-aws `docker.io/cilium/operator-aws:v1.13.12@sha256:d6c9c830ac558624568af0de46562f059f1085ece47323da108d7b13a686ca4f` `quay.io/cilium/operator-aws:v1.13.12@sha256:d6c9c830ac558624568af0de46562f059f1085ece47323da108d7b13a686ca4f` ### operator-azure `docker.io/cilium/operator-azure:v1.13.12@sha256:67a574ee88fb720cab3531722d95e90a0f98a17ca5c134a56d82840ad29fbf31` `quay.io/cilium/operator-azure:v1.13.12@sha256:67a574ee88fb720cab3531722d95e90a0f98a17ca5c134a56d82840ad29fbf31` ### operator-generic 
`docker.io/cilium/operator-generic:v1.13.12@sha256:f83734bbe270f961d545c7929152785507ce04a05d818ebc9776941723736d02` `quay.io/cilium/operator-generic:v1.13.12@sha256:f83734bbe270f961d545c7929152785507ce04a05d818ebc9776941723736d02` ### operator `docker.io/cilium/operator:v1.13.12@sha256:cfc2c4f2adebd878a5a5d2964139fd3afbd56fba219a68000e71162c2e946cc8` `quay.io/cilium/operator:v1.13.12@sha256:cfc2c4f2adebd878a5a5d2964139fd3afbd56fba219a68000e71162c2e946cc8` Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 14 February 2024, 17:20:35 UTC
0077555 Prepare for release v1.13.12 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 13 February 2024, 02:52:45 UTC
c8d0353 ui: release v0.13.0 [ upstream commit 60ea87e04428b43e4a56fea81e9d9dde2fe9f623 ] Signed-off-by: Dmitry Kharitonov <dmitry@isovalent.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 13 February 2024, 02:13:41 UTC
e04f093 ci/ipsec: Fix downgrade version for release preparation commits [ upstream commit 3803f539a740a4e71030a90614fc194afa6ae025 ] For the IPsec upgrade/downgrade CI test, for the jobs where we upgrade/downgrade to the closest patch release, the script print-downgrade-version.sh determines the patch release by picking up the value in file VERSION. This works most of the time. For release preparation commits, however, this approach fails because the reference in VERSION points to a release that has not been tagged or published yet. We need to pick the previous patch release in that case. However, it's non-trivial to figure out whether we're on a release preparation commit, in particular because the CI workflow does a shallow Git clone and we don't have access to the Git history. I couldn't find an ideal solution, so this commit changes the shallow-clone and makes it fetch the tags, as well, so that we're allowed to check for the tag existence before returning it. If the tag is not available, we decrement the patch version found in VERSION before computing the patch release to downgrade to. Note that we do not expect this second attempt (with the patch release number decremented) to fail, so we do not check for its existence in the Git history: if we did, and printed an error in the script but returned an empty value, we'd skip the rest of the CI workflow. Instead, if we're in a situation where this decremented patch release number is returned but is not a valid one, CI will attempt to run the workflow with it, and fail loudly, which is what we want in that case.
Sample output from the script:

    VERSION     Previous minor  Previous patch release
    1.14.3      v1.13           v1.14.3
    1.14.1      v1.13           v1.14.1
    1.14.0      v1.13           <error>
    1.14.1-dev  v1.13           v1.14.1
    1.15.0-dev  v1.14           <error>
    1.13.90     v1.12           v1.13.89  <-- decremented
    2.0.1       <error>         v2.0.0    <-- decremented

Fixes: 5581963cbf94 ("ci/ipsec: Fix version retrieval for downgrades to closest patch release") Signed-off-by: Quentin Monnet <quentin@isovalent.com> 12 February 2024, 20:17:32 UTC
95d1d98 contrib/scripts: Remove special handling for patch release number 90 [ upstream commit 4d7902f54a7448d4cbe40b99be338610c2a53678 ] In commit 56dfec2f1ac5 ("contrib/scripts: Support patch releases in print-downgrade-version.sh"), we added support to display the previous patch release for a given version number to the print-downgrade-version.sh script. We treated two patch release values as special cases: 0, because this means that we don't have a previous patch release on the branch, and 90, because it used to be a temporary value used during release processes. But as Joe commented, we no longer use this "90" convention, but we use something like vX.Y.Z-dev instead. Let's remove the reference to 90 from the script (and the workflow calling it). Comparing with the commit introducing the special cases in the script, the output remains nearly the same as when it was introduced, only the previous patch release for "1.13.90" naturally turns to "1.13.89" instead of providing an error.

    VERSION     Previous minor  Previous patch release
    1.14.3      v1.13           v1.14.2
    1.14.1      v1.13           v1.14.0
    1.14.0      v1.13           <error>
    1.14.1-dev  v1.13           v1.14.0
    1.15.0-dev  v1.14           <error>
    1.13.90     v1.12           v1.13.89

Reported-by: Joe Stringer <joe@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 12 February 2024, 20:17:32 UTC
7065e37 envoy: Bump envoy version to v1.26.6 This is mainly for the security fixes below: - [CVE-2024-23324](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6) - [CVE-2024-23325](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26) - [CVE-2024-23322](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38) - [CVE-2024-23323](https://github.com/envoyproxy/envoy/security/advisories/GHSA-x278-4w4x-r7ch) - [CVE-2024-23327](https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j) Related build: https://github.com/cilium/proxy/actions/runs/7849677399/job/21423527703 Upstream release: https://github.com/envoyproxy/envoy/releases/tag/v1.26.7 Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 February 2024, 23:55:36 UTC
19c7f45 Added Last page Edit on Documentation [ upstream commit 51b3076798e84066be2ff935c7eb8bfcc6173208 ] Signed-off-by: gailsuccess <157372272+gailsuccess@users.noreply.github.com> 09 February 2024, 11:36:30 UTC
d9aca91 ci: change schedule cloud regions [ upstream commit 2c29d8faf88d4e8bf802a212ebc9b195b5428399 ] Currently, cloud regions for schedule tests are all over the world. The observation is that tests in or close to US regions take significantly less time than other regions. This causes some of the tests being canceled due to timeouts. This commit changes regions to only US or closest regions. Signed-off-by: Birol Bilgin <birol@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 09 February 2024, 11:36:30 UTC
aa7b5a1 gha: make runner type for clustermesh workflows configurable [ upstream commit bd675975d656761fe672cd134d9760f24e64f6c2 ] b20038e242d7 ("gha: explicilty specify beefier runner type for clustermesh workflows") explicitly configured beefier runners for clustermesh workflows, as they require more power to host two multi-node kind clusters. However, this change turned out to have unexpected billing consequences, even though GitHub recently upgraded [1] the default runners for OSS projects to 4 vCPU and 16GiB of RAM (the same specs of the runner which had been configured). Hence, let's revert this change, and instead make the runner type configurable through an environment variable. This will also make it easier to change the runner type in the future, if needed. [1]: https://github.blog/2024-01-17-github-hosted-runners-double-the-power-for-open-source/ Fixes: b20038e242d7 ("gha: explicilty specify beefier runner type for clustermesh workflows") Suggested-by: André Martins <andre@cilium.io> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 09 February 2024, 11:36:30 UTC
0b77521 ci: add trigger phrase to Gateway API conformance test workflow name [ upstream commit bde37df7e19ee1d0578d6f8331872d39f7e2b95c ] Like in other GitHub actions workflows triggered by Ariane, mention the trigger phrase in the workflow name. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 09 February 2024, 11:36:30 UTC
22fe2c8 Updating ENI prefix delegation fallback to use dedicated error codes [ upstream commit ed26b072bff2d373f685192c081f231f93dbccaf ] AWS SDK now returns a dedicated error code to indicate the scenario where a subnet is out of capacity for /28 prefixes. This commit updates the fallback logic. The existing fallback logic does not work anymore since the code changed from InvalidParameterValue to InsufficientCidrBlocks Reported-by: Benjamin Pineau <benjamin.pineau@datadoghq.com> Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 09 February 2024, 11:36:30 UTC
00a4b12 ci: Move gs bucket env variable to set-env-variables action. [ upstream commit e9b0ae0b54c9635c852e8cbcfa6bffb653aaf7ff ] Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 09 February 2024, 11:36:30 UTC
dab860e Add network performance CI test. [ upstream commit 027bd96af890c865ce0c99788e991f85dfe65389 ] For now, we cover the following matrix of features: - tunneling/direct-routing - no encryption/ipsec - hubble enabled/disabled All results are exported in a format compatible with Perfdash, where we can visualize results and see regressions/improvements for specific configurations. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 09 February 2024, 11:36:30 UTC
a864d85 pkg/allocator: store key in variable for error message [ upstream commit ee6043d ] In case of an error, the returned 'key' would have been nil. By storing it in a separate variable we will be able to return the error with a more descriptive message. Fixes: e39fcaea5721 ("pkg/allocator: Improve 'Key allocation attempt failed' handling for CRD mode") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com> 07 February 2024, 00:47:00 UTC
8dc87a5 pkg/allocator: refactor mentions of 'slave' in error messages [ upstream commit 3b2e1ad ] Renamed 'slave' to 'secondary' in the error messages that are presented to users. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com> 07 February 2024, 00:47:00 UTC
491039b pkg/allocator: only do DeepCopy if necessary [ upstream commit df05754 ] We don't need to always DeepCopy Cilium Identity. We just need to perform that operation if we are going perform writes. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com> 07 February 2024, 00:47:00 UTC
cc0b556 pkg/allocator: Improve 'Key allocation attempt failed' handling for CRD mode [ upstream commit e39fcaea57 ] [ Backporter's notes: Ignoring changes from #23064, replaced maps.Clone() with Go 1.19 compatible code ] In CRD mode, the Cilium agent uses CRD to create identities. After an identity is created, the agent acquires a reference for that key. This involves fetching the CRD from the local Kubernetes cache and checking for an annotation applied by cilium-operator to mark the identity for deletion. However, there may be a delay before the Cilium Identity is cached locally, leading to the 'Key allocation attempt failed' error. This patch ensures that we fallback to the newly allocated Cilium Identity if it's not found in the Kubernetes cache. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com> 07 February 2024, 00:47:00 UTC
02c9e38 ci/ipsec: Fix version retrieval for downgrades to closest patch release [ upstream commit 5581963cbf9489d980b9b5a8ccf1c5e017e35d3c ] This commit brings two fixes to the script that we use to determine to which version we should upgrade/downgrade in some CI workflows. The first fix is the most important one. When looking for the closest patch version, make the script return the value in VERSION instead of decrementing it. The rationale is that for stable branches, VERSION already points to the latest patch release, there is no need to decrease it further! This fix does not affect the output for the calculation of the previous minor version number. The second fix is simply the addition of an error message in case the minor version number is 0, to get some explicit error instead of a silent failure if we ever reach Cilium 2.0.0. Updated samples of numbers from VERSION and the corresponding values returned:

    VERSION     Previous minor  Previous patch release
    1.14.3      v1.13           v1.14.3
    1.14.1      v1.13           v1.14.1
    1.14.0      v1.13           <error>
    1.14.1-dev  v1.13           v1.14.1
    1.15.0-dev  v1.14           <error>
    1.13.90     v1.12           <error>
    2.0.1       <error>         v2.0.1

Fixes: 56dfec2f1ac5 ("contrib/scripts: Support patch releases in print-downgrade-version.sh") Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 31 January 2024, 08:28:25 UTC
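The rules for deriving the downgrade targets from VERSION, described in this commit and refined in 95d1d98, e04f093 and 1a6200e above (previous minor from the minor number, previous patch release from an existing tag, a decremented patch number on release-preparation commits, an error for "-dev" versions), can be exercised offline. The POSIX shell script below is an added example written for this page; it is not Cilium's contrib/scripts/print-downgrade-version.sh. It replaces the script's git fetch and tag lookup with a constructed KNOWN_TAGS list, and implements the final behaviour shown in the table of commit 1a6200e, so the intermediate tables of the older commits are not what it reproduces.

```sh
#!/bin/sh
# Added example: offline re-implementation of the downgrade-version rules.
# KNOWN_TAGS is a constructed stand-in for the tags the real script looks up
# with git; nothing here touches a repository.
KNOWN_TAGS="v1.14.0 v1.14.1 v1.14.3 v1.13.89"

# tag_exists TAG: succeed if TAG is in the constructed tag list.
tag_exists() {
    for t in $KNOWN_TAGS; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# parse_version X.Y.Z[-dev]: set MAJOR, MINOR, PATCH and DEV (1 when the
# "-dev" suffix is present). Fails on anything that is not three numbers.
parse_version() {
    v="$1"
    DEV=0
    case "$v" in
        *-dev) DEV=1; v="${v%-dev}" ;;
    esac
    case "$v" in
        *.*.*.*) echo "unparsable version: $1" >&2; return 1 ;;
        *.*.*) ;;
        *) echo "unparsable version: $1" >&2; return 1 ;;
    esac
    MAJOR="${v%%.*}"
    rest="${v#*.}"
    MINOR="${rest%%.*}"
    PATCH="${rest#*.}"
    for n in "$MAJOR" "$MINOR" "$PATCH"; do
        case "$n" in
            ''|*[!0-9]*) echo "unparsable version: $1" >&2; return 1 ;;
        esac
    done
}

# previous_minor VERSION: print the previous stable branch, vX.(Y-1).
# Minor 0 has no predecessor on the same major, so that is an error.
previous_minor() {
    parse_version "$1" || return 1
    if [ "$MINOR" -eq 0 ]; then
        echo "no previous minor release for $1" >&2
        return 1
    fi
    echo "v$MAJOR.$((MINOR - 1))"
}

# previous_patch VERSION: print the patch release to downgrade to.
#  - "-dev" versions live on a development branch: error.
#  - If the tag for VERSION exists, VERSION already is the latest release.
#  - Otherwise VERSION comes from a release-preparation commit: use Z-1,
#    unless Z is 0, in which case no earlier patch exists on this minor.
previous_patch() {
    parse_version "$1" || return 1
    if [ "$DEV" -eq 1 ]; then
        echo "$1 is a development version, no patch release to pick" >&2
        return 1
    fi
    tag="v$MAJOR.$MINOR.$PATCH"
    if tag_exists "$tag"; then
        echo "$tag"
        return 0
    fi
    if [ "$PATCH" -eq 0 ]; then
        echo "tag $tag not found and no earlier patch release exists" >&2
        return 1
    fi
    echo "v$MAJOR.$MINOR.$((PATCH - 1))"
}

# Reproduce the table of commit 1a6200e against the constructed tag list.
printf '%-12s %-11s %-15s %s\n' VERSION 'Tag exists' 'Previous minor' 'Previous patch release'
for v in 1.14.3 1.14.1 1.14.0 1.14.1-dev 1.15.0-dev 1.13.90 2.0.0 2.0.1 2.1.1; do
    if tag_exists "v$v"; then te=Y; else te=N; fi
    printf '%-12s %-11s %-15s %s\n' "$v" "$te" \
        "$(previous_minor "$v" 2>/dev/null || echo '<error>')" \
        "$(previous_patch "$v" 2>/dev/null || echo '<error>')"
done
```

Errors go to stderr and the functions return non-zero with nothing on stdout, which mirrors the behaviour the commit messages rely on: a workflow that captures stdout into a variable must check for an empty value rather than assume a version was produced.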
5ae41ce hubble-ui: release v0.12.3 [ upstream commit 3092ed1bc9e26136891976a0b30955da79eaa787 ] Signed-off-by: Dmitry Kharitonov <dmitry@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 31 January 2024, 08:28:25 UTC
e4a4840 ci: migrate upload steps [ upstream commit f017062a34cf1d38a80c1fd86db2618612625998 ] This commit migrates the upload-artifact github action from v3 to v4. With version 4, artifacts are immutable, so subsequent uploads with the same artifact name fail. The artifact names change to be unique. Also, to combine all artifacts, a merge-upload job is added. This job downloads, merges, and uploads the merged artifact. All temporary artifacts are deleted. Signed-off-by: Birol Bilgin <birol@cilium.io> Signed-off-by: Jussi Maki <jussi@isovalent.com> 31 January 2024, 08:28:25 UTC
102afb5 ci: update upload-artifact action [ upstream commit c861392e2a16c115520d2f113fc0294cbfafb6e7 ] This commit updates upload-artifact github action version from v3.1.3 hash a8a3f3ad30e3422c9c7b888a15615d19a852ae32 to v4.3.0 hash 26f96dfa697d77e81fd5907df203aa23a56210a8 Signed-off-by: Birol Bilgin <birol@cilium.io> Signed-off-by: Jussi Maki <jussi@isovalent.com> 31 January 2024, 08:28:25 UTC
51b7043 ci: update docs-builder [ upstream commit 068dc473ba94456770b6138c84832471715f0258 ] Signed-off-by: Cilium Imagebot <noreply@cilium.io> Signed-off-by: Jussi Maki <jussi@isovalent.com> 31 January 2024, 08:28:25 UTC
49f4f83 build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation [ upstream commit a388c42e5d29539f98698448f8388f36c71c751f ] Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/jinja/compare/3.1.2...3.1.3) --- updated-dependencies: - dependency-name: jinja2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> 31 January 2024, 08:28:25 UTC
50e927f Fix quoting in nodeinit temporary cilium config [ upstream commit 87d948e7f25fccc07a5b1fa4e80dc97dc79f15b8 ] The Cilium nodeinit startup script lays down a temporary CNI config in order to be able to restart a version of containerd that doesn't allow a missing CNI config. This commit fixes an issue with missing double quotes in the temporary config which causes an error in containerd and leads to NotReady Kubernetes nodes. I also considered heredoc or escaping the quote characters but settled on single quoting as I think it's the most readable one-line solution without needing to deal with the indentation issue with heredoc. Signed-off-by: Tom Cowling <952241+tlcowling@users.noreply.github.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 31 January 2024, 08:28:25 UTC
8d62653 bpf: lb: return drop reasons from __lb4_rev_nat() [ upstream commit 3932a4b9f4577a2133a6d436cc20542d9b48f8ef ] Fix up some ctx_load_bytes() usage to return a drop reason, and not the raw kernel errno. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 31 January 2024, 08:28:25 UTC
4fd193b docs: warn users that IPsec and KPR are mutual exclusive [ upstream commit 09f18fdce65b8b020f2a5c345e199396d8bc38b1 ] Signed-off-by: Filip Nikolic <oss.filipn@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 31 January 2024, 08:28:25 UTC
9fe247a images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 31 January 2024, 07:06:26 UTC
a63b5e2 chore(deps): update go to v1.21.6 Signed-off-by: renovate[bot] <bot@renovateapp.com> 31 January 2024, 07:06:26 UTC
a11a21d ci: update golangci-lint to a version compatible with Go 1.21 Signed-off-by: Tobias Klauser <tobias@cilium.io> 31 January 2024, 07:06:26 UTC
f9d8f14 envoy: Bump envoy version for x/net library Relates: https://github.com/cilium/proxy/pull/510 Related build: https://github.com/cilium/proxy/actions/runs/7702899842/job/20992171868 Signed-off-by: Tam Mach <tam.mach@cilium.io> 30 January 2024, 10:44:40 UTC
84c03d8 chore(deps): update stable lvh-images Signed-off-by: renovate[bot] <bot@renovateapp.com> 30 January 2024, 10:33:20 UTC