| 1a06642 | cilium-renovate[bot] | 13 June 2024, 13:19:36 UTC | chore(deps): update docker.io/library/golang:1.22.4 docker digest to 0f76912 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 15 June 2024, 09:00:23 UTC |
| 3a0a3fc | Damian Sawicki | 13 June 2024, 11:43:50 UTC | Choose optimal algorithm depending on input size This adds a check to ImmSet methods Insert and Delete, whether there is a single or multiple elements being inserted or deleted. Depending on that, two different algorithms are used. For a single element, both algorightms are linear in the size of the ImmSet, but we choose the one that benchmarking shows to be faster. Signed-off-by: Damian Sawicki <dsawicki@google.com> | 15 June 2024, 08:22:04 UTC |
| 304f8b1 | Damian Sawicki | 14 June 2024, 11:10:51 UTC | Replace existing ImmSet methods with proposed ones The rationale is given in the previous commit message. Signed-off-by: Damian Sawicki <dsawicki@google.com> | 15 June 2024, 08:22:04 UTC |
| 8f5bbad | Damian Sawicki | 13 June 2024, 08:41:41 UTC | Add and benchmark alternative immset methods This commit adds alternative implementations of methods of ImmSet: * InsertNew(xs ...T) * DeleteNew(xs ...T) * UnionNew(s2 ImmSet[T]) * DifferenceNew(s2 ImmSet[T]) and benchmarks these implementations agains the existing ones. Benchmarking results: * for Insert, the proposed method becomes faster already with the container of size 1000, and then it performed 10x faster for size 10,000 and 100x faster for size 100,000; * for Delete, the proposed method becomes faster already with the container of size 1000, and then it performed ~5x faster for size 10,000; * for Difference, the proposed method was already 4x faster for size 100, and then it performed 7x faster for size 1000, 35x times faster for size 10,000, and 193x faster for size 100,000; * for Union, the proposed method performs slightly faster, but gains do not visibly grow with increasing size. Theoretically, the proposed solutions have improved computational complexity: * the complexity of Insert is O(len(s.xs)*len(xs)), and the complexity of InsertNew is O(len(s.xs)+len(xs)); * the complexity of Delete is O(len(s.xs)*len(xs)), and the complexity of DeleteNew is O(len(s.xs)+len(xs)); * the complexity of Difference is O(len(s.xs)*len(s2.xs)) because it uses Delete internally, and the complexity of DifferenceNew O(len(s.xs)+len(s2.xs)); * the complexity of Union is harder to estimate: it involves sorting a slice of size n=len(s.xs)+len(s2.xs), but this slice is a concatenation of two sorted slices, so most likely this does not lead to the usual O(n*log(n)) complexity; of course, it is at least O(n); the complexity of UnionNew is O(n). Signed-off-by: Damian Sawicki <dsawicki@google.com> | 15 June 2024, 08:22:04 UTC |
| 5aa52b0 | tamanoha | 02 May 2024, 07:08:43 UTC | feat: Configure static cilium network policy Cilium reads CNP yaml if `static-cnp-path` is specified in cilium config. It converts to rules and add those rules to policy engine. This allows admin to configure policy to not allow traffic to certain secure infrastructure endpoints from pods running in cloud. Signed-off-by: Tamilmani <tamanoha@microsoft.com> | 15 June 2024, 08:17:50 UTC |
| 4195bdc | Tam Mach | 13 June 2024, 13:25:47 UTC | chore: Bump spire agent and server versions Ideally, this should be taken care by renovate bot with postUpgradeTask, however, there is some issues with the configuration. Signed-off-by: Tam Mach <tam.mach@cilium.io> | 15 June 2024, 08:14:22 UTC |
| 268d28e | renyunkang | 14 June 2024, 15:19:06 UTC | dev-doctor: update hint links Signed-off-by: renyunkang <rykren1998@gmail.com> | 15 June 2024, 07:56:46 UTC |
| cf63069 | Fabio Falzoi | 13 June 2024, 14:18:22 UTC | k8s: Fix usage of assert in TestWaitForCacheSyncWithTimeout TestWaitForCacheSyncWithTimeout is relying on subtests, so a new assert object should be derived from each subtest testing.T, in order to report the failing one correctly. Temporarily changing the code to force a failure in the "Not invoking BlockWaitGroupToSyncResources should cause wait to succeed immediately" case, it can be seen that no subtest is reported as failing: --- FAIL: TestWaitForCacheSyncWithTimeout (0.00s) --- PASS: TestWaitForCacheSyncWithTimeout/Waiting_for_no_resources_should_always_sync (0.00s) --- PASS: TestWaitForCacheSyncWithTimeout/Not_invoking_BlockWaitGroupToSyncResources_should_cause_wait_to_succeed_immediately (0.00s) --- PASS: TestWaitForCacheSyncWithTimeout/Should_timeout_due_to_watched_resource_exceeding_timeout (0.20s) --- PASS: TestWaitForCacheSyncWithTimeout/Any_one_timeout_should_cause_error (0.60s) --- PASS: TestWaitForCacheSyncWithTimeout/Should_complete_due_to_event_causing_timeout_to_be_extended_past_initial_timeout (0.70s) While after this change the expected subtest is correctly reported as the offending one: --- FAIL: TestWaitForCacheSyncWithTimeout (0.00s) --- PASS: TestWaitForCacheSyncWithTimeout/Waiting_for_no_resources_should_always_sync (0.00s) --- FAIL: TestWaitForCacheSyncWithTimeout/Not_invoking_BlockWaitGroupToSyncResources_should_cause_wait_to_succeed_immediately (0.00s) --- PASS: TestWaitForCacheSyncWithTimeout/Should_timeout_due_to_watched_resource_exceeding_timeout (0.20s) --- PASS: TestWaitForCacheSyncWithTimeout/Any_one_timeout_should_cause_error (0.60s) --- PASS: TestWaitForCacheSyncWithTimeout/Should_complete_due_to_event_causing_timeout_to_be_extended_past_initial_timeout (0.70s) Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> | 14 June 2024, 20:16:13 UTC |
| 33d64e1 | Tam Mach | 13 June 2024, 11:16:46 UTC | gateway-api: Update docs for v1.1.0 This is the follow-up item for #32233. Relates: https://github.com/cilium/cilium/pull/32233 Signed-off-by: Tam Mach <tam.mach@cilium.io> | 14 June 2024, 16:59:43 UTC |
| 2fdd17b | Nate Sweet | 13 June 2024, 17:01:51 UTC | policy: Fix Rare Deny Merge Bug While fixing the distillery tests I noticed that the test "broad_allow_is_a_portproto_subset_of_a_specific_deny" was failing intermittently. This revealed that in very rare circumstances the policy engine would merge a deny entry into a pre-existing allow that was set to be deleted completely (not just have an ownership entry removed). Signed-off-by: Nate Sweet <nathanjsweet@pm.me> | 14 June 2024, 16:29:33 UTC |
| 2710e71 | Nate Sweet | 12 June 2024, 22:38:02 UTC | policy: Fix Deny Precedence Distillery Tests Deny precedence tests have not been using correct comparison logic for mapstates. This updates it to use the correct logic. It makes the named-port sub-test and port-range tests more legible. Some test data has been renamed because it was incorrectly named. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> | 14 June 2024, 16:29:33 UTC |
| 9b57c0b | Nate Sweet | 12 June 2024, 22:34:40 UTC | policy: Fix Proxy Port Tests The default proxy port is 1. The dummy proxy port value of 4242 should no longer be the default. Addtionally, almost all distillery tests have had their comparison logic fixed to compare mapstates. The last distillery test to be fixed will be fixed in another commit. Co-authored-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nate Sweet <nathanjsweet@pm.me> | 14 June 2024, 16:29:33 UTC |
| 8458e5c | Nate Sweet | 12 June 2024, 22:32:02 UTC | policy: Fix InvertedPortMask Logic Inverted port masks were introduced in a previous commit, but they did not take into account all of the wildcard policy keys that are hardcoded both in tests and, unfortunately, in production code. This fixes all InvertedPortMask logic so that wild cards are correctly instantiated and accounted for. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> | 14 June 2024, 16:29:33 UTC |
| f174b5e | Marco Hofstetter | 13 June 2024, 07:28:25 UTC | recorder: move API handler into cell Currently, the recordder API handler is implemented by the daemon. This commit extracts the implementation and moves it into the recorder hive cell. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 14 June 2024, 16:32:04 UTC |
| 248a9be | Marco Hofstetter | 13 June 2024, 07:10:59 UTC | recorder: use hive injected logger This commit replaces the static logger with the one that has been injected via Hive Framework. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 14 June 2024, 16:32:04 UTC |
| 58dfad2 | Marco Hofstetter | 13 June 2024, 07:05:28 UTC | recorder: introduce cell for recorder This commit introduces a hive cell for the pcap recorder. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 14 June 2024, 16:32:04 UTC |
| 736af68 | Julian Wiedmann | 13 June 2024, 09:01:24 UTC | bpf: extract ethertype in to-netdev / to-overlay just once Remove some duplicated logic. Ideally we would only do the extraction if at least *one* feature is enabled that actually requires the ethertype. But managing these dependencies doesn't seem worth the hassle. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 14 June 2024, 14:43:48 UTC |
| ae4ffd4 | Julian Wiedmann | 09 November 2023, 16:16:56 UTC | bpf: eth: extract eth_is_supported_ethertype() helper In preparation for a subsequent patch. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 14 June 2024, 14:43:48 UTC |
| aa10df3 | Marco Iorio | 14 June 2024, 08:39:15 UTC | kvstore: correctly assign permissions to single key, rather than prefix Fix the recently introduced rangeForKey function leveraged by the etcdinit logic to only grant permissions to the given key, and not the full prefix starting with that key, when appropriate. Fixes: cb6a58bef00b ("clustermesh: granular etcd permissions for kvstoremesh cached data") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 14 June 2024, 13:03:22 UTC |
| 96336a0 | Marco Hofstetter | 12 June 2024, 18:45:27 UTC | lrp: move api handler from daemon to lrp hive cell Currently, the daemon implements the LRP API handler. With it comes the last dependency to the LRP manager from the daemon. Therefore, this commit moves the LRP API handler from the daemon to the existing LRP hive cell and removes the dependency from the daemon to the LRP manager. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 14 June 2024, 13:03:05 UTC |
| d21f654 | Julian Wiedmann | 13 June 2024, 12:32:56 UTC | bpf: test Wireguard with ENCRYPTION_STRICT_MODE Run compile & complexity tests for Wireguard with Strict-mode enabled. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 14 June 2024, 12:21:24 UTC |
| 4cd716c | Julian Wiedmann | 13 June 2024, 12:28:26 UTC | bpf: clean up compile testing for ENABLE_WIREGUARD Wireguard completely lives in bpf_host. Remove the config from bpf_overlay, bpf_xdp and bpf_lxc. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 14 June 2024, 12:21:24 UTC |
| 572bca4 | Julian Wiedmann | 10 May 2024, 21:11:12 UTC | bpf: l3: remove unused loopback code in local-delivery The `hairpin_flow` parameter was previously needed so that loopback replies could bypass the ingress network policy. But now that all callers set this parameter to `false`, we can safely remove the corresponding logic. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 14 June 2024, 11:45:10 UTC |
| 34337f0 | Julian Wiedmann | 10 May 2024, 21:05:55 UTC | bpf: lxc: simplify RevNAT path for loopback replies The usual flow for handling service traffic to a local backend is as follows: * requests are load-balanced in from-container. This entails selecting a backend (and caching the selection in a CT_SERVICE entry), DNATing the packet, creating a CT_EGRESS entry for the resulting `client -> backend` flow, applying egress network policy, and local delivery to the backend pod. As part of the local delivery, we also create a CT_INGRESS entry and apply ingress network policy. * replies bypass the backend's egress network policy (because the CT lookup returns CT_REPLY), and pass to the client via local delivery. In the client's ingress path they bypass ingress network policy (the packets match as reply against the CT_EGRESS entry), and we apply RevDNAT based on the `rev_nat_index` in the CT_EGRESS entry. For a loopback connection (where the client pod is selected as backend for the connection) this looks slightly more complicated: * As we can't establish a `client -> client` connection, the requests are also SNATed with IPV4_LOOPBACK. Network policy in forward direction is explicitly skipped (as the matched CT entries have the `.loopback` flag set). * In reply direction, we can't deliver to IPV4_LOOPBACK (as that's not a valid IP for an endpoint lookup). So a reply already gets fully RevNATed by from-container, using the CT_INGRESS entry's `rev_nat_index`. But this means that when passing into the client pod (either via to-container, or via the ingress policy tail-call), the packet doesn't match as reply to the CT_EGRESS entry - and so we don't benefit from automatic network policy bypass. We ended up with two workarounds for this aspect: (1) when to-container is installed, it contains custom logic to match the packet as a loopback reply, and skip ingress policy (see https://github.com/cilium/cilium/pull/27798). (2) otherwise we skip the ingress policy tailcall, and forward the packet straight into the client pod. The downside of these workarounds is that we bypass the *whole* ingress program, not just the network policy part. So the CT_EGRESS entry doesn't get updated (lifetime, statistics, observed packet flags, ...), and we have the hidden risk that when we add more logic to the ingress program, it doesn't get executed for loopback replies. This patch aims to eliminate the need for such workarounds. At its core, it detects loopback replies in from-container and overrides the packet's destination IP. Instead of attempting an endpoint lookup for IPV4_LOOPBACK, we can now look up the actual client endpoint - and deliver to the ingress policy program, *without* needing to early-RevNAT the packet. Instead the replies follow the usual packet flow, match the CT_EGRESS entry in the ingress program, naturally bypass ingress network policy, and are *then* RevNATed based on the CT_EGRESS entry's `rev_nat_index`. Consequently we follow the standard datapath, without needing to skip over policy programs. The CT_EGRESS entry is updated for every reply. Thus we can also remove the manual policy bypass for loopback replies, when using per-EP routing. It's no longer needed and in fact the replies will no longer match the lookup logic, as they haven't been RevNATed yet. This effectively reverts e2829a061a53 ("bpf: lxc: support Pod->Service->Pod hairpinning with endpoint routes"). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 14 June 2024, 11:45:10 UTC |
| b66862a | Nate Sweet | 13 June 2024, 21:12:52 UTC | endpoint: Fix Policy Sync Method The endpoint package had the last code in the Cilium repository that was updating mapstate during iteration. Updating mapstate during iteration will result in corrupting the mapstate. Fixes: #32959 Signed-off-by: Nate Sweet <nathanjsweet@pm.me> | 14 June 2024, 11:27:46 UTC |
| 42ee1f6 | Yusuke Suzuki | 14 June 2024, 06:32:26 UTC | egressgw: skip gressgw handling if the packet is from host The egress gateway handling code at bpf_host only cares about packets from the egress proxy, so we can ignore the packets from the host. Signed-off-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com> | 14 June 2024, 11:14:28 UTC |
| 7f6df2d | Marco Hofstetter | 12 June 2024, 19:16:06 UTC | prefilter: move api handler from daemon to prefilter hive cell Currently, the daemon implements the Prefilter API handler. With it comes the last dependency from the daemon to the prefilter itself. Therefore, this commit moves the prefilter API handler from the daemon to the existing prefilter hive cell and removes the dependency from the daemon to the prefilter. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 14 June 2024, 11:08:23 UTC |
| 9f210b5 | Jarno Rajahalme | 09 June 2024, 11:27:21 UTC | proxy: Persists proxy ports in /var/run/cilium/state Write proxy ports into /var/cilium/state/proxy_ports_state.json and restore from there. If the file is not available, only then restore from iptables rules. Restoration from iptables is still needed for upgrades. This fixes the issue with bpf TPROXY, as it does not rely on iptables rules, so the proxy ports can not be recovered from them. Note: File IO is patterned after similar methods for cache.CachingIdentityAllocator. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 14 June 2024, 10:12:59 UTC |
| d11e4d2 | Jarno Rajahalme | 07 June 2024, 07:08:36 UTC | proxy: Reuse proxy ports from datapath on restart Previously we only reused the DNS proxy port from the datapath. Change to reuse the old proxy ports for all proxy redirects from datapath, if possible. This reduces Listener churn on daemonset Envoy on agent restart. With this change the listener update in Envoy logs after agent restart looks like this: begin add/update listener: name=cilium-http-egress:13563 hash=11560876577076369351 duplicate/locked listener 'cilium-http-egress:13563'. no add/update lds: add/update listener 'cilium-http-egress:13563' skipped Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 14 June 2024, 10:12:59 UTC |
| 8149af7 | Jarno Rajahalme | 08 June 2024, 12:01:45 UTC | proxy: Remove deprecated "localOnly" We now only ever have 'localOnly = true' so that we always bind the proxy listeners to localhost address. Remove support for all-hosts addresses. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 14 June 2024, 10:12:59 UTC |
| ee1cf1c | Jarno Rajahalme | 08 June 2024, 12:18:38 UTC | proxy: Fix AllocateProxyPort Rename AllocateProxyPort as AllocateCRDProxyPort to make it clear that it is only to be used for CEC/CCEC CRD listeners. Also enforce the current practice where CRD proxy ports are only accessed by name, and 'ingress' member is always false for CRD ports. Fix the unit test to verify that the proxy port was not reallocated for the same listener name. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 14 June 2024, 10:12:59 UTC |
| bfbd3d6 | Jarno Rajahalme | 08 June 2024, 11:20:26 UTC | proxy: Try previously used port first "rulesPort" is non-zero when we have a datapath (iptables) rules with a specific port. Try re-creating a redirect with that port if no other port is configured. This reduces churn on the datapath, as the existing rule can be reused without a need for an update. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 14 June 2024, 10:12:59 UTC |
| 00b7717 | Jarno Rajahalme | 08 June 2024, 11:13:30 UTC | proxy: Clear the proxy port on failure Clear proxy port on failure so that we'll try another random port next time. We have two failure cases for creating new redirects: - syncronous, for DNS proxy. Simply zero the proxy port in the retry loop. - asynchronous, for Envoy proxy. Clear proxy port state on revert callback. Noticed the need for this change when accidentally trying to use port 1 for Envoy when developing another feature. In this case Envoy can't bind the port, and all further tries were also trying the same port, as the proxy port was not cleared on revert. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 14 June 2024, 10:12:59 UTC |
| b30a3a9 | Casey Callendrello | 13 June 2024, 11:33:32 UTC | ipcache: Fix orphaned ipcache entries when mixing Upsert and Inject When a prefix is initially created by the synchronous Upsert() API, it is flagged as such so that InjectLabels() knows it is shared. However, this flag is not removed if the legacy caller releases all references to this prefix. Thus, the timeline 1. AllocateCIDRs("1.1.1.1/32") 2. UpsertPrefixes("1.1.1.1/32") 3. ReleaseCIDRIdentities("1.1.1.1/32") 4. RemovePrefixes("1.1.1.1/32") leaves us with the prefix still in the ipcache, but the identity fully released. This leads to traffic drops, as the identity is unknown to the policy system and thus not present in the BPF policymaps. The fix is to forcibly remove the prefix if the identity reference reaches zero and the prefix is not in the metadata layer. Signed-off-by: Casey Callendrello <cdc@isovalent.com> | 14 June 2024, 09:55:50 UTC |
| e879425 | Julian Wiedmann | 16 May 2024, 06:16:51 UTC | ctmap: dump CT entry's BackendID Service connections store their selected backend ID in the SVC-type CT entry. Dump this field on `cilium-dbg bpf ct list global`. This then looks like: TCP SVC 10.244.0.62:55394 -> 10.96.0.1:443 expires=158116 ... BackendID=1 Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 14 June 2024, 07:25:53 UTC |
| fd29852 | Sebastian Wicki | 05 June 2024, 14:24:49 UTC | fqdn: Exit go routines early if datapath update times out This commit changes the `UpdateGenerateDNS` function to return a errgroup instead of a waitgroup. This allows the caller to determine after `Wait` if the datapath update timed out or not. This then allows `UpdateGenerateDNS` to stop the errgroup, allowing the go routine spawned in `notifyOnDNSMsg` to exit early as well upon cancellation. This way, the go routine in `notifyOnDNSMsg` does not need to linger until the datapath update has finished. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 14 June 2024, 07:16:43 UTC |
| b9152ae | Sebastian Wicki | 04 June 2024, 17:03:47 UTC | ipcache: Allow WaitForRevision to be cancelled This adds a context argument to WaitForRevision, allowing callers to abort the call. For logic for the cancellation of the `Cond` var using `context.AfterFunc` was taken from the Go docs: https://pkg.go.dev/context#AfterFunc The commit also fixes an issue with the existing unit test where it waited for revision 0 instead of revision 1. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 14 June 2024, 07:16:43 UTC |
| 8868b39 | Tam Mach | 12 June 2024, 03:53:58 UTC | renovate: Add the configuration for spire images Signed-off-by: Tam Mach <tam.mach@cilium.io> | 14 June 2024, 07:03:14 UTC |
| 8482b03 | Julian Wiedmann | 11 June 2024, 13:55:59 UTC | docs: egressgw: remove stale enable-l7-proxy option This option was suggested to deal with an incompatibility between EGW and L7 policies. The incompatibility has been addressed by https://github.com/cilium/cilium/pull/32828. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 14 June 2024, 06:50:40 UTC |
| b6f6867 | Marco Hofstetter | 12 June 2024, 20:02:27 UTC | daemon: remove unnecessary method DebugEnabled The method `Daemon.DebugEnabled` is used in two cases. 1. In an optionChanged callback that can directly access the config property 2. As hubble observer option that is actually no longer used Therefore, this commit removes the unnecessary method from the daemon. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 14 June 2024, 06:11:51 UTC |
| 5e27f67 | harsimran pabla | 11 June 2024, 19:05:23 UTC | bgpv2: pass types.Router in path and policy reconcilers This change passes only required field to Policy and Path reconcilers. Instead of passing BGPInstance, we pass only the Router interface which is required by underlying implementation. Signed-off-by: harsimran pabla <hpabla@isovalent.com> | 14 June 2024, 05:33:40 UTC |
| 3e30619 | Julian Wiedmann | 30 May 2024, 10:02:25 UTC | bpf: move tunnel map to encap.h Declutter the maps.h header, and reduce the usage of HAVE_ENCAP. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 14 June 2024, 04:25:14 UTC |
| dfb6b94 | Julian Wiedmann | 30 May 2024, 10:01:36 UTC | bpf: move throttle map to edt.h Declutter the maps.h header, and reduce the usage of ENABLE_BANDWIDTH_MANAGER Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 14 June 2024, 04:25:14 UTC |
| 50c38aa | Julian Wiedmann | 14 December 2023, 10:17:28 UTC | bpf: move egressgw map to egress_gateway.h Declutter the maps.h header, and reduce the usage of ENABLE_EGRESS_GATEWAY. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 14 June 2024, 04:25:14 UTC |
| 2a0bc76 | Julian Wiedmann | 12 June 2024, 06:45:57 UTC | bpf: encap: fix ifindex in TO_OVERLAY trace notification The encap helpers were meant to abstract from differences between TC and XDP. Therefore ctx_set_encap_info() provides the ifindex for TC, and setting the ifindex also indicates that a redirect to encap interface is possible (rather than manually adding the overlay headers + FIB lookup). The downside is that __encap_with_nodeid() for TC currently emits a trace notification without the ifindex set to ENCAP_IFINDEX. Fix this up manually by moving the `ifindex` initialization up. Reported-by: Tomasz Tarczyński <tomasz.tarczynski@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 14 June 2024, 04:22:26 UTC |
| d107719 | Tam Mach | 11 June 2024, 11:25:32 UTC | gateway-api: Check for matching controller name Basically, we should do nothing for a given Gateway resource, till it's confirmed that its GatewayClass is managed by Cilium. Just a note that other watched and owned resources can by-pass the predicate function NewPredicateFuncs(hasMatchingControllerFn), the explicit check in reconcile method is required. This commit is to perform the controller name check for Gateway resource to avoid unnecessary and wrong reconciliation. Fixes: #31978 Signed-off-by: Tam Mach <tam.mach@cilium.io> | 14 June 2024, 03:44:56 UTC |
| 81adc5c | André Martins | 13 June 2024, 12:26:21 UTC | remove tracking of backports with MLH With the sunset of GH projects by GH [1], we will now create organization-projects to track which PR is available on which release after a CHANGELOG of a release is performed. Thus, we can also sunset this feature from MLH. [1] https://github.blog/changelog/2024-05-23-sunset-notice-projects-classic/ Signed-off-by: André Martins <andre@cilium.io> | 13 June 2024, 20:03:54 UTC |
| 4b00124 | cilium-renovate[bot] | 13 June 2024, 13:21:30 UTC | fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.164.0 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 13 June 2024, 20:03:13 UTC |
| ef50a9a | cilium-renovate[bot] | 13 June 2024, 13:25:14 UTC | chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 13 June 2024, 17:25:01 UTC |
| bb0c48a | Marco Hofstetter | 12 June 2024, 19:46:21 UTC | daemon: remove unused method GetOptions This commit removes the unused method `GetOptions() *option.IntOptions` from the daemon. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 13 June 2024, 15:57:10 UTC |
| 183f0fa | Fabio Falzoi | 12 June 2024, 15:28:53 UTC | iptables: Run an initial full reconciliation Run an initial full reconciliation before listening on partial reconciliation request channels like the ones related to proxy rules and no track pod rules. This avoid spurious errors at startup when a partial reconciliation request was seen by the reconciler before the 200 ms interval needed for the first full reconciliation. In that case, the partial reconciliation failed due to missing chains installed by the first full reconciliation. Reported-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Suggested-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> | 13 June 2024, 15:11:45 UTC |
| 0b8f9e3 | Fabio Falzoi | 12 June 2024, 15:22:33 UTC | iptables: Fix usage of firstInit flag The firstInit flag is meant to avoid partial reconciliations (like the ones for proxy rules and no track pod rules) until the first full reconciliation is successfully completed. This is done to avoid trying a partial reconciliation when all the required chains have been created. The commit fixes the if conditions checking the flag that turned out to be inverted. Though the reconciler was already able to recover with the next full reconciliation, this led to spurious errors during Cilium startup where partial reconciliations were attempted too soon. Reported-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> | 13 June 2024, 15:11:45 UTC |
| 38278b5 | cilium-renovate[bot] | 13 June 2024, 13:19:45 UTC | chore(deps): update dependency grpc-ecosystem/grpc-health-probe to v0.4.27 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 13 June 2024, 14:59:54 UTC |
| 4358595 | cilium-renovate[bot] | 13 June 2024, 13:20:34 UTC | fix(deps): update all go dependencies main Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 13 June 2024, 14:55:36 UTC |
| f88fade | cilium-renovate[bot] | 13 June 2024, 13:19:40 UTC | chore(deps): update cilium/cilium-cli action to v0.16.10 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 13 June 2024, 14:35:04 UTC |
| 2fd9150 | Timo Beckers | 11 June 2024, 16:01:00 UTC | bpf: introduce CILIUM_PIN_REPLACE map pinning flag This commit adds support for the custom CILIUM_PIN_REPLACE pinning flag. It signals to the loader that a map should be pinned without being reused in subsequent ELF loads. This replaces bespoke cilium_calls_-specific logic in the loader with a generic map flag, opening it up for other use cases as well. The reasons for this behaviour are widely documented and present in the code for posterity. Also, give each netdev its own instance of cilium_calls. Sharing a tail call map across all XDP entry points causes multiple netdevs' programs to clobber the shared cilium_calls_xdp bpffs pin. Signed-off-by: Timo Beckers <timo@isovalent.com> | 13 June 2024, 13:51:55 UTC |
| 8f5e88f | Timo Beckers | 11 June 2024, 14:08:54 UTC | bpf: replace bpf map migration with commit mechanism At its inception, Cilium had an external ebpf loader (iproute2) that didn't deal with changes to map properties (type/k/v/maxentries/flags). To allow the agent to upgrade/downgrade maps, a 'map migration' system was introduced that would take the new ELF and compare its maps against their pinned counterparts on the system's bpffs. Incompatible maps were renamed using a ':pending' suffix to allow the loader to create and pin a new instance of the map at its old path. If all went well, the :pending map was removed. Even though it served us for many years, this system wasn't without its drawbacks, primarily the many moving parts (files) to manage on bpffs, as well as its obscuring of subtle bugs in managing tail call map lifecycle. This commit replaces the map migration system with a commit-based system that doesn't modify any bpffs-related resources until all of an ELF's entrypoints are attached and all cross-ELF tail calls (policy progs) have been inserted. After commit() has run for a Collection, only one copy of each map pin will be present on bpffs. This removes all possibility of previous ELF generations being partially attached somewhere, still handling traffic using an old tail call map. Such cases will now fail loudly with the 'missed tail call' metric increasing due to the old tail call map pins being removed. Signed-off-by: Timo Beckers <timo@isovalent.com> | 13 June 2024, 13:51:55 UTC |
| 8fae0eb | Timo Beckers | 06 October 2023, 15:21:32 UTC | bpf: deprecate legacy PIN_* constants for map definitions Treat the bpf_elf_map.pinning field just like BTF map definitions do, and replace PIN_GLOBAL_NS with LIBBPF_PIN_BY_NAME. Pass the values through directly when parsing MapSpec.Extra on the Go side. A future commit will assign meaning to a value higher than LIBBPF_PIN_BY_NAME. Signed-off-by: Timo Beckers <timo@isovalent.com> | 13 June 2024, 13:51:55 UTC |
| 0c0800c | Marcel Zieba | 12 June 2024, 12:53:54 UTC | ci: make runtime privileged tests not run in parallel There was a significant flakiness of IPSec-related privileged tests due to the fact that tests in different packages were modifying xfrm states/policies concurrently. While increasing timeout for test and making it last longer is non-ideal, less flaky tests outweight it. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> | 13 June 2024, 13:35:20 UTC |
| c464e66 | Marco Iorio | 11 June 2024, 08:48:55 UTC | helm: mount kvstoremesh-specific certificate into cilium agents Let's additionally mount the kvstoremesh-specific certificate into cilium agents, so that it can be used to authenticate against the local etcd instance storing the cached data. The secret entry is always configured (although marked as optional), regardless of whether KVStoreMesh is actually enabled or not, so that it can be automatically mounted in case it gets subsequently enabled, without requiring a restart of the agents. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 13 June 2024, 13:01:41 UTC |
| 9ffeba1 | Marco Iorio | 11 June 2024, 08:42:38 UTC | helm: generate dedicated certificate for kvstoremesh access Extend the helm chart to additionally generate the "local" certificate with the common name matching the newly introduced "local" etcd user, when kvstoremesh is enabled. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 13 June 2024, 13:01:41 UTC |
| cb6a58b | Marco Iorio | 11 June 2024, 09:43:48 UTC | clustermesh: granular etcd permissions for kvstoremesh cached data Currently, the same etcd user (i.e., remote) is granted permissions to read the whole content of the clustermesh-apiserver's sidecar etcd instance, including also the data cached by kvstoremesh, when enabled. In an effort to harden the overall clustermesh posture, let's introduce a separate and dedicated user for local access, to ensure that remote clusters cannot access cached data, as it may include information that they would not normally have access to. Specifically, the remote user is intended to have access only to the information regarding the local cluster, while the local user can access cached data about remote clusters only. Still, for backward compatibility purposes, the remote user still retains access to cached data as well in this release. The reason being that there would otherwise be a time window upon upgrade in which Cilium Agents would lose access to the kvstoremesh data (especially in large clusters). Indeed, the new certificate would be mounted by the agents only upon rollout, but the configuration would be immediately reloaded (thus targeting the new, not yet mounted, certificate), hence breaking the access to the information cached by kvstoremesh. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 13 June 2024, 13:01:41 UTC |
| 22bab80 | Feroz Salam | 11 June 2024, 17:01:15 UTC | Fix release build SBOM generation - Use the correct image to generate SBOMs - Stop release asset uploads, which can require extra permissions (that this workflow doesn't have) and that we don't need. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> | 13 June 2024, 12:08:45 UTC |
| 70db218 | Marco Hofstetter | 11 June 2024, 17:11:36 UTC | endpoint: remove unused parameter from Add/NewEndpoint functions This commit removes unused parameters from the functions `Add*Endpoint` and `New*Endpoint` from the EndpointManager. - `reason` - `nodeName` Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 13 June 2024, 12:07:31 UTC |
| 9f6d52e | Lorenz Bauer | 11 June 2024, 15:23:53 UTC | bpf: avoid race when selecting the RevSNAT port The logic to allocate SNAT mapping contains a race condition. At a high level it does the following: if (!revsnat_exists(port)) { if (!create_revsnat(port) return error; ... } Two concurrent executions of the datapath may succeed the revsnat_exists check, which then leads to one of them bailing out since create_revsnat fails. Instead simply try to create the RevSNAT entry. If that fails we retry with another port. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> | 13 June 2024, 12:03:41 UTC |
| dc52072 | Marcel Zieba | 10 June 2024, 08:08:35 UTC | clustermesh: switch to surge upgrade strategy. With introduction of Clustermesh support for HA deployment in #31677 let's change upgrade strategy to make sure that Clustermesh control plane is always available. This is also configuration that we test against in CI tests - maxSurge=1 and maxUnavailable=0. On top of that change required to preferred antiAffinity to cover case with a single node cluster. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> | 13 June 2024, 12:01:54 UTC |
| 55a9d2e | Lorenz Bauer | 07 June 2024, 15:34:32 UTC | loader: cache parsed CollectionSpec The object cache parses an ELF from disk any time it is asked for a template. This is wasteful since parsing the ELF is quite resource intensive. Cache the parsed CollectionSpec instead. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> | 13 June 2024, 11:55:56 UTC |
| 70f6608 | Lorenz Bauer | 07 June 2024, 14:05:57 UTC | loader: evict object cache when datapath config changes The object cache currently does no invalidation, which means that we accumulate cachedObject in memory and template ELF on disk. Use update of the base datapath hash as an opportunity to evict some of that cache. In practice this is probably not a big issue: datapath config changes rarely if every, and we only have templates for endpoints and host endpoint. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> | 13 June 2024, 11:55:56 UTC |
| ec651ea | Marco Hofstetter | 11 June 2024, 15:36:27 UTC | service: remove monitoragent nil-check Currently, accessing the monitoragent from the service manager is guarded with nil-checks as unit-tests don't provide a monitoragent. This commit removes the check in favor of a fake implementation that is used and passed in the tests. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 13 June 2024, 11:54:09 UTC |
| 2e308f9 | Marco Hofstetter | 11 June 2024, 15:21:45 UTC | service: unexport NewService NewService is no longer used as the service manager is provided via Hive Cell. Therefore, this commit un-exports the function `NewService`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 13 June 2024, 11:54:09 UTC |
| 0078c6a | Jarno Rajahalme | 09 June 2024, 18:57:46 UTC | logging: Pass debug to slog as well Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> | 13 June 2024, 12:00:36 UTC |
| de97dd8 | cilium-renovate[bot] | 13 June 2024, 10:05:22 UTC | chore(deps): update all lvh-images main Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 13 June 2024, 11:06:19 UTC |
| 74039b5 | Marco Hofstetter | 11 June 2024, 13:11:10 UTC | k8s: remove unused method NewStandaloneClientset This commit removes the deprecated and now unused method `NewStandaloneClientset`. In the meantime, all usages have been moved to use the Hive Cell dependency directly. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 13 June 2024, 10:41:35 UTC |
| 511f077 | Marcel Zieba | 05 June 2024, 12:08:51 UTC | clustermesh: enable kvstoremesh by default KVStoreMesh has been introduced in v1.14. We have been running KVStoreMesh tests since then, while also testing upgrade path from "vanilla" Clustermesh to KVStoreMesh and back since then. There has been also a visible adaptation by users in community. Let's mark KVStoreMesh as stable and enable it by default. Note: Once 1.16 is out, we will need to update CI test Cilium Cluster Mesh upgrade (ci-clustermesh) Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> | 13 June 2024, 10:14:43 UTC |
| fd0b235 | Julian Wiedmann | 12 June 2024, 11:05:37 UTC | bpf: overlay: remove wireguard.h include This probably is no longer needed since 81c45d2280d7 ("bpf: Remove strict encrypt check from bpf_overlay"). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 13 June 2024, 07:14:02 UTC |
| 28f7863 | Julian Wiedmann | 08 April 2024, 04:00:52 UTC | bpf: encap: clean up some unneeded includes The include for l3.h is no longer needed since 3aa51eb3052d ("bpf: ipsec: move get_min_encrypt_key() to encrypt.h"), and the last wireguard usage went away with b67291f03926 ("bpf: Encap with cilium_{vxlan,geneve} before passing to WG"). This uncovered some implicit includes for hs-ipcache, fix them up. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 13 June 2024, 07:14:02 UTC |
| dbd33db | Marco Iorio | 10 June 2024, 14:10:11 UTC | helm/certgen: add generation of hubble-ui-client-certs certificate This certificate appeared not to be generated by certgen, hence leading to an inconsistency with respect to the other certificate generation modes. Let's fix this divergence to ensure that they are all equivalent. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 13 June 2024, 06:58:19 UTC |
| b7ac7c3 | Marco Iorio | 10 June 2024, 14:01:55 UTC | helm/certgen: bump certgen to v0.2.0 and adapt configuration Bump certgen to v0.2.0, which enables the definition of the certificates to be generated via a generic configuration, agnostic of the Cilium specific details. Hence, let's refactor the certgen configuration and explicitly define the characteristics of the certificates to be generated. While being there, let's also correctly propagate the extra DNS names and IP addresses, that were previously ignored if certgen was used. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 13 June 2024, 06:58:19 UTC |
| 8910af5 | Marco Iorio | 10 June 2024, 13:38:28 UTC | helm/certgen: explicitly specify CA secret namespace and CN In preparation for bumping the certgen version, which changes the default values to be independent of Cilium, let's explicitly specify the namespace containing the CA secret and its common name. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 13 June 2024, 06:58:19 UTC |
| dd97ac3 | Marco Iorio | 10 June 2024, 13:27:58 UTC | helm/certgen: always specify --ca-secret-name Currently, we specify the --ca-secret-name certgen parameter only if both tls.ca.cert and tls.ca.key are specified. However, the secret name is always relevant, regardless of whether the CA is explicitly specified, and the default value historically matched the specified one. As a preparation for bumping the certgen version, which changes the default secret name to be independent of Cilium, let's always specify the corresponding parameter. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> | 13 June 2024, 06:58:19 UTC |
| b429b08 | Julian Wiedmann | 13 May 2024, 09:55:21 UTC | bpf: transport source identity in MARK_MAGIC_OVERLAY Provide easy access to the security identity which is embedded into Cilium's overlay traffic. And start making use of it in the encrypted-overlay path, to avoid some manual packet parsing. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 13 June 2024, 06:34:52 UTC |
| b0e0b0c | Gilberto Bertin | 04 June 2024, 12:25:00 UTC | bpf: propagate src sec id from ingress bpf_overlay to egress bpf_host as in a subsequent change bpf_host will need to access the source identity that was carried over the tunnel Signed-off-by: Gilberto Bertin <jibi@cilium.io> | 13 June 2024, 06:08:14 UTC |
| c3fcea2 | Tam Mach | 07 June 2024, 06:10:43 UTC | gateway-api: Add periodic headless service sync This is to handle the case of late arrival or late creation of Endpoint or EndpointSlice associated to headless service. Fixes: cce40804c3ac9f564859d788faef981a697de7ac Signed-off-by: Tam Mach <tam.mach@cilium.io> | 13 June 2024, 04:03:39 UTC |
| 7ab2a58 | Tam Mach | 06 June 2024, 12:18:54 UTC | gateway-api: Add support for listener isolation This commit is to support Listener Isolation concept from the upstream, which allows at most one Listener matches a request, and only Routes attached to that Listener are used for routing. Relates: https://github.com/kubernetes-sigs/gateway-api/pull/2465 Relates: https://github.com/kubernetes-sigs/gateway-api/pull/3047 Signed-off-by: Tam Mach <tam.mach@cilium.io> | 13 June 2024, 04:03:39 UTC |
| 4f92330 | Tam Mach | 06 June 2024, 09:29:12 UTC | gateway-api: Shorten the service name in CEC We already perform the shortening in the below commit, this is to make sure that the same service is used. Relates: d6fbccf96cdc0a5f3bdf7aa7ac6006a100a09ba9 Signed-off-by: Tam Mach <tam.mach@cilium.io> | 13 June 2024, 04:03:39 UTC |
| 8efbb71 | Tam Mach | 06 June 2024, 05:43:36 UTC | gateway-api: Avoid unnecessary reconciliation in GAMMA This is to avoid any unnecessary reconciliation for non-GAMMA HTTPRoute: - Explicitly check if Kind and Group are not nil, as per the Gateway API spec, the nil values is meant for Gateway. - Add GAMMA check for backend services and listening service. Additionally, one small correction on Reason status is added to make sure that the space character is not used. ``` 2024-06-06T05:34:31.583996151Z time="2024-06-06T05:34:31Z" level=error msg="Reconciler error" HTTPRoute="{attaches-to-wildcard-example-com-with-hostname-intersection gateway-conformance-infra}" controller=httproute controllerGroup=gateway.networking.k8s.io controllerKind=HTTPRoute error="failed to update HTTPRoute status: HTTPRoute.gateway.networking.k8s.io \"attaches-to-wildcard-example-com-with-hostname-intersection\" is invalid: parents[0].conditions[0].reason: Invalid value: \"Invalid HTTPRoute\": parents[0].conditions[0].reason in body should match '^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$'" name=attaches-to-wildcard-example-com-with-hostname-intersection namespace=gateway-conformance-infra reconcileID="\"2c43d9eb-52ad-4344-b0ff-e58c227221fb\"" subsys=controller-runtime ``` Relates: 363fdd4ff951e02ebf666b1dccf17d0dfb5a0f47 Signed-off-by: Tam Mach <tam.mach@cilium.io> | 13 June 2024, 04:03:39 UTC |
| 4d6bee1 | Tam Mach | 06 June 2024, 05:26:25 UTC | gateway-api: Avoid partial wildcards in server names This is to make sure that we don't have any "*" in server name slice, and avoid the below NACK issue in Envoy. ``` 2024-06-06T05:15:22.640515083Z time="2024-06-06T05:15:22Z" level=warning msg="NACK received for versions after 233 and up to 234; waiting for a version update before sending again" subsys=xds xdsAckedVersion=233 xdsClientNode="host~127.0.0.1~no-id~localdomain" xdsDetail="Error adding/updating listener(s) gateway-conformance-infra/cilium-gateway-same-namespace-with-https-listener/listener: error adding listener '127.0.0.1:14239': partial wildcards are not supported in \"server_names\"\n" xdsNonce=234 xdsStreamID=6 xdsTypeURL=type.googleapis.com/envoy.config.listener.v3.Listener ``` Signed-off-by: Tam Mach <tam.mach@cilium.io> | 13 June 2024, 04:03:39 UTC |
| 5b9364a | Tam Mach | 06 June 2024, 12:57:41 UTC | gha: Update conformance profiles for Gateway API As part of v1.1.0, there is a new list of valid conformance profile values (e.g. GATEWAY-HTTP,GATEWAY-TLS,GATEWAY-GRPC,MESH-HTTP,MESH-GRPC). Signed-off-by: Tam Mach <tam.mach@cilium.io> | 13 June 2024, 04:03:39 UTC |
| f03eca9 | Tam Mach | 06 June 2024, 04:23:17 UTC | gha: Swap feature flag name for MeshConsumerRoute As mentioned in 8de7a903400aa237600c1f49d0d4ef16503c2ee3, we can use the feature flag MeshConsumerRoute in v1.1.0 instead. Relates: 8de7a903400aa237600c1f49d0d4ef16503c2ee3 Signed-off-by: Tam Mach <tam.mach@cilium.io> | 13 June 2024, 04:03:39 UTC |
| f29c6c4 | Tam Mach | 29 April 2024, 13:38:58 UTC | gateway-api: Bump to version v1.1.0 While GRPCRoute is still available in beta/alpha version, some of the related attribute structs are only available in v1, hence it's better to bump GRPRRoute to v1 as well. Another goal is to pick up the new conformance tests as well as bug fixes from the upstream. Signed-off-by: Tam Mach <tam.mach@cilium.io> | 13 June 2024, 04:03:39 UTC |
| 3f8585a | Julian Wiedmann | 12 June 2024, 15:07:06 UTC | gh: e2e-upgrade: disable config 7 The config is reliably failing [0]. Stabilize the workflow so that we can make it required. [0] https://github.com/cilium/cilium/issues/32689 Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 13 June 2024, 00:49:27 UTC |
| b49f912 | Tam Mach | 12 June 2024, 14:41:21 UTC | gha: Only retrieve IPv4 CIDR from docker network It seems like github runner is enabled with docker dual stack, so the current docker network inspect command might return IPv6 instead of IPv6 CIDR, which breaks LB IPPool configuration. Sample output of `docker network inspect kind` command can be found as per below. This commit is to make sure that we only retrieve IPv4 CIDR in docker network inspect command. Additionally, some echo/cat statement are added to make similar issue more visible in the future. ``` [ { "Name": "kind", "Id": "43e3b3267092150f5f2e6f2053157d912ad6b5a4ce20f700e1e9be547a437f75", "Created": "2024-06-12T14:18:17.733107881Z", "Scope": "local", "Driver": "bridge", "EnableIPv6": true, "IPAM": { "Driver": "default", "Options": {}, "Config": [ { "Subnet": "fc00:f853:ccd:e793::/64" }, { "Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "748d7161857ca5e610f196299828eacafcbdb069d38c00e4e6c14cdeefada9c5": { "Name": "chart-testing-control-plane", "EndpointID": "0f1a5bbeb14929200ed13cb289afd6bf5f9f455d4ed75bb3a26e167e67bf7784", "MacAddress": "02:42:ac:12:00:02", "IPv4Address": "172.18.0.2/16", "IPv6Address": "fc00:f853:ccd:e793::2/64" }, "c2030425e24a11ea208b87c5d70e194b0f51eee133f09b67404fd2bf97410f13": { "Name": "chart-testing-worker", "EndpointID": "81489bd101e483be7270e2b5dd7e0bf3a0163b89650d7ef69cc4ce43454479e3", "MacAddress": "02:42:ac:12:00:03", "IPv4Address": "172.18.0.3/16", "IPv6Address": "fc00:f853:ccd:e793::3/64" } }, "Options": { "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ] ``` Signed-off-by: Tam Mach <tam.mach@cilium.io> | 12 June 2024, 22:23:31 UTC |
| 7af9a1e | cilium-renovate[bot] | 10 June 2024, 01:31:12 UTC | chore(deps): update golangci/golangci-lint docker tag to v1.59.1 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> | 12 June 2024, 20:57:25 UTC |
| 6aa1bc8 | derailed | 12 April 2024, 16:26:08 UTC | Update CEPS watchdog Given the inherent reconciliation to check on ceps bfp programs, using logs with error severity could be confusing. Also we currently don't log out the cep name which will help for further investigation. * Change logger from error to warning * Add cep name to log message Signed-off-by: Fernand Galiana <fernand.galiana@isovalent.com> | 12 June 2024, 20:54:31 UTC |
| 2e2c6c5 | Casey Callendrello | 21 May 2024, 16:35:02 UTC | policy: determine subject identities via SelectorCache In order to determine applicable identities to which a policy applies, we need to evaluate label selectors. Given that we already have an efficient mechanism for caching label selectors (the SelectorCache), we should use that for subject endpoints as well. This refactors the PolicyRepository to use the SelectorCache when determining subject identities. It removes yet another static cache of matched identities and a corresponding event bus. It also saves memory in the case of reused selectors, which is common. An important consideration is that any new identities must be in the selectorcache *before* that endpoint is regenerated, or else it will not get the correct set of policies. Indeed this is safe, because identity allocation updates the SelectorCache synchronously, and endpoints must have their security identity allocated before they can use it. Signed-off-by: Casey Callendrello <cdc@isovalent.com> | 12 June 2024, 18:32:24 UTC |
| 437cc73 | Casey Callendrello | 21 May 2024, 18:00:56 UTC | policy/selectorcache: correctly handle mutating IDs While computing the delta on an ID allocation, the SelectorCache incorretly handled the case where a label change caused an identity to no longer be selected by a selectior. The only identity that should have mutable labels is the local host, so this is not actually a visible bug. In preparation for using the SelectorCache to determine policy targets, however, it is now necessary. Signed-off-by: Casey Callendrello <cdc@isovalent.com> | 12 June 2024, 18:32:24 UTC |
| e20ed9c | Gilberto Bertin | 29 May 2024, 14:40:48 UTC | bpf: host: add host_egress_policy hook this commit adds a hooking point to cil_to_netdev in bpf_host.c that can be used by cilium plugins to extend the functionality of this function. Signed-off-by: Gilberto Bertin <jibi@cilium.io> | 12 June 2024, 14:53:20 UTC |
| 9d4b3de | yogesh1801 | 06 June 2024, 10:35:42 UTC | removed deprecated calls and added nolint for strings.Title Signed-off-by: yogesh1801 <yogeshsingla481@gmail.com> | 12 June 2024, 13:29:10 UTC |
| a1be027 | Julian Wiedmann | 11 June 2024, 15:18:44 UTC | docs: egressgw: remove kernel requirement We already require a 5.4 kernel (https://github.com/cilium/cilium/pull/30869). We also explicitly check for HAVE_LARGE_INSN_LIMIT (https://github.com/cilium/cilium/pull/30896), which afaik was the main reason for the 5.2 kernel requirement. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> | 12 June 2024, 12:54:26 UTC |
| b5ad1e4 | Marco Hofstetter | 04 June 2024, 05:56:58 UTC | daemon: remove unused policyupdater dependency from daemon/daemonparams With the removal of the k8swatcher initialization from the daemon bootstrap, the dependency to the policyUpdater can be removed from the daemon & daemonParams struct. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> | 12 June 2024, 11:47:59 UTC |
