
v1.13 Backports 2023-06-22 #26421

Merged (26 commits, Jun 29, 2023)

Conversation

@nbusseneau (Member) commented Jun 22, 2023

PRs skipped due to conflicts:

Once this PR is merged, you can update the PR labels via:

for pr in 22918 25259 25908 26047 26115 25956 26189 26037 26108 26005 26211 26016 26092 26180 26130 26113 26015 26278 25851; do contrib/backporting/set-labels.py $pr done 1.13; done

or with

make add-labels BRANCH=v1.13 ISSUES=22918,25259,25908,26047,26020,26115,25956,26189,26037,26108,26005,26211,26016,26092,26180,26130,26113,26015,26278,25851

vipul-21 and others added 26 commits June 22, 2023 16:44
[ upstream commit 81bd556 ]

Fixes cilium#22917

Signed-off-by: vipul-21 <vipul21sept@gmail.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit e772ba8 ]

Currently, the support for external workloads is always enabled in the
clustermesh-apiserver. Yet, this feature requires the synchronization of
all the services present in the cluster to the kvstore, including the
corresponding backends (plain clustermesh instead only requires the
synchronization of shared services and associated backends).

Given that full synchronization is quite onerous in large clusters,
let's make it configurable through a dedicated flag. By default, it
is enabled, in order not to modify the current behavior when unspecified
(e.g., by the legacy Cilium CLI). When installing cilium through Helm,
instead, it is configured according to the pre-existing
externalWorkloads.enabled configuration entry.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 13f146e ]

New Docker desktop may have a default builder with name "desktop-linux"
that is not buildx capable. Detect that name as well as the old "default"
for the need to create a new buildx builder.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit a571731 ]

When the NAT path in to-overlay/to-netdev is included as
tail_handle_nat_fwd_ipv6(), skip the hop through handle_nat_fwd_ipv6()
and call the actual RevDNAT implementation straight away.

This allows us to pass through a trace_ctx struct, so that the RevDNAT can
return precise trace information from its CT lookup.

The IPv4 path already does this, so we must have missed the boat at some
point.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 458479b ]

b2de07a ("bpf: Fix missing drop notifications on ct lookup failures")
took care of most paths. But we also need to throw a drop notification when
ipv6_hdrlen() returns an error.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit a808972 ]

Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 7f7a285 ]

as the egress gateway feature would not be supported

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 5ddc2d9 ]

Parsed Envoy Listeners have qualified names, so explicit listener
references must also be qualified for name comparison to work.

Usually listener reference is implicit (== first listener in the
CiliumEnvoyConfig) so this bug was not hit in practice.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 98f41d8 ]

Make ResourceQualifiedName gracefully return the given resource name, if
it is already qualified, or if it is empty. Optionally also qualify
resource names with a different namespace as a prefix to force
namespacing where applicable.

Passing through empty resource names without qualifying them is important
so that a potentially invalid envoy config, where a required name is
missing, remains invalid also after qualifying resource names.

Currently, a CiliumEnvoyConfig may use backendServices in a different
namespace, so resource namespacing can not be enforced on the referred
backend services.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit a18cd16 ]

Qualify cluster names that are not already qualified. This helps avoid
accidental resource name collision when multiple CiliumEnvoyConfigs are
defined.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 6618e5d ]

Validate also Listener resources after parsing them from
CiliumEnvoyConfig.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 8ce6f3b ]

Qualify Envoy Secret resource names and references with the namespace and
CEC name when not already namespaced. This helps prevent accidental
Secret resource name collisions between different CEC/CCEC resources when
they use the same (unqualified) name locally.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
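The three commits above (qualified listener references, ResourceQualifiedName, qualified cluster and Secret names) describe one mechanism: every Envoy resource declared in a CiliumEnvoyConfig is prefixed with its namespace and CEC name, except when the name is empty or already qualified. The following is an added illustration written for this page, not Cilium's own ResourceQualifiedName or xDS code: `qualifiedName`, `registerClusters`, `hasListener`, the `cec` struct and the sample CEC names are all hypothetical. It shows the collision that unqualified names cause in a shared cache, why an empty name must stay empty, and why an explicit listener reference has to be qualified before it is compared against parsed listeners.

```go
package main

import (
	"fmt"
	"strings"
)

// qualifiedName is a hypothetical helper, added here as an illustration and
// not Cilium's ResourceQualifiedName: an Envoy resource declared inside a
// CiliumEnvoyConfig (CEC) is prefixed with "<namespace>/<cecName>/" so that two
// CECs that both declare a listener, cluster or secret named "tls" do not
// collide once they land in the shared Envoy resource cache.
func qualifiedName(namespace, cecName, resource string) string {
	// An empty name passes through untouched: a config that is missing a
	// required name must stay invalid after qualification instead of
	// turning into the valid-looking name "<namespace>/<cecName>/".
	if resource == "" {
		return ""
	}
	// A name that is already qualified is returned as-is, which keeps the
	// function idempotent and leaves explicit cross-CEC references alone.
	if strings.Contains(resource, "/") {
		return resource
	}
	return namespace + "/" + cecName + "/" + resource
}

// cec is a minimal stand-in for the parts of a CiliumEnvoyConfig this example
// cares about: where it lives and which Envoy cluster names it declares.
type cec struct {
	Namespace string
	Name      string
	Clusters  []string
}

// registerClusters loads the clusters of several CECs into one shared map, the
// way a single Envoy resource cache sees them, and reports every name that was
// already taken by another CEC. With qualify=false the raw names are used and
// two CECs sharing a local name clobber each other; with qualify=true each name
// is prefixed with its owner and the collision disappears.
func registerClusters(cecs []cec, qualify bool) (owners map[string]string, collisions []string) {
	owners = make(map[string]string)
	for _, c := range cecs {
		owner := c.Namespace + "/" + c.Name
		for _, cl := range c.Clusters {
			key := cl
			if qualify {
				key = qualifiedName(c.Namespace, c.Name, cl)
			}
			if prev, taken := owners[key]; taken && prev != owner {
				collisions = append(collisions, fmt.Sprintf("%s: %s vs %s", key, prev, owner))
				continue
			}
			owners[key] = owner
		}
	}
	return owners, collisions
}

// hasListener looks up an explicit listener reference against parsed listeners,
// which are stored under their qualified names. The reference must be qualified
// the same way first; comparing the raw reference against the qualified store
// never matches, which is the bug the listener-reference fix describes.
func hasListener(parsed map[string]bool, namespace, cecName, ref string) bool {
	return parsed[qualifiedName(namespace, cecName, ref)]
}

func main() {
	// Constructed sample: two CECs in the same namespace that both declare a
	// cluster called "tls" plus one cluster each of their own.
	cecs := []cec{
		{Namespace: "default", Name: "cec-a", Clusters: []string{"tls", "backend-a"}},
		{Namespace: "default", Name: "cec-b", Clusters: []string{"tls", "backend-b"}},
	}
	_, raw := registerClusters(cecs, false)
	_, qualified := registerClusters(cecs, true)
	fmt.Printf("unqualified collisions: %v\n", raw)
	fmt.Printf("qualified collisions:   %v\n", qualified)

	parsed := map[string]bool{qualifiedName("default", "cec-a", "http"): true}
	fmt.Println("raw reference matches:      ", parsed["http"])
	fmt.Println("qualified reference matches:", hasListener(parsed, "default", "cec-a", "http"))
}
```

The empty-name check is the part worth keeping in mind when writing a helper like this: qualifying "" into "default/cec-a/" would let a config with a missing required name pass later validation, so the helper must preserve the gap rather than paper over it.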
[ upstream commit 87ac446 ]

'SetNodeOnFirstMessageOnly: true' was missing from the XDS reference used
for secrets, which causes larger than necessary XDS messages.

Let Cilium agent fill in the XDS reference instead.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 0cbe507 ]

Signed-off-by: Timo Beckers <timo@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit f68f0d4 ]

Signed-off-by: Timo Beckers <timo@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 231e65a ]

Add envoyConfig value to be able to enable CiliumEnvoyConfig with access
to a secrets namespace in cases where neither Cilium Ingress nor GatewayAPI is
enabled, or a different secrets namespace is needed.

envoyConfig.secretsNamespace.name defines the namespace to which Cilium
Agent is given read access.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit ba0b957 ]

Prevent falling through from IPv6 to IPIP when creating SRV6 state
entries based on the encapsulated header protocol.

Caught by compiling with -Wimplicit-fallthrough.

Fixes: bfba740 ("bpf: Handle reply SRv6 traffic")
Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 93cc419 ]

Signed-off-by: amitmavgupta <115551423+amitmavgupta@users.noreply.github.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 68bff35 ]

Fixing incorrect description of the GET /public policy in
the L7 section.

Signed-off-by: Peter Jausovec <peter.jausovec@solo.io>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit e0931df ]

Add a note to the L3 policy documentation clarifying that
L3 DNS policies require the L7 proxy enabled and an L7
policy for DNS traffic so Cilium can intercept DNS responses.

Previously, the documentation linked to other sections describing
the DNS Proxy, but I know at least a few people who were surprised
that a policy under "L3 Examples" would require an L7 proxy.
Hopefully adding a note near the beginning of the section
will make this requirement more obvious.

Signed-off-by: Will Daly <widaly@microsoft.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 18f85a0 ]

To help to detect when IPcache is out of sync with locally stored Node
IDs.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit e956bb1 ]

The Node ID is used in the SKB mark used by XFRM policies. The latter print
it in hex. So, let's reduce mental strain a bit when debugging
IPsec issues.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit f4f3656 ]

We expect deprioritizeOldOutPolicy() to be executed for IPv4 and IPv6,
but removeStaleXFRMOnce prevents the second call. If both IPv4 and IPv6
are enabled, v6 xfrm policy won't be deprioritized due to this issue.

This commit fixes it by splitting removeStaleXFRMOnce into
removeStaleIPv4XFRMOnce and removeStaleIPv6XFRMOnce.

Fixes: cilium@688dc9a

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
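The bug in the commit above is a general sync.Once pitfall: Once guards a value, not an argument, so a single Once wrapping a per-family operation runs it for whichever family calls first and silently skips the other. The following is an added example written for this page, not Cilium's linuxNodeHandler or its XFRM code: `xfrmCleaner`, `runDualStack`, the priority constants and the fake per-family priority map are all hypothetical stand-ins so the effect can be checked offline without touching the kernel.

```go
package main

import (
	"fmt"
	"sync"
)

// family names an IP address family; a dual-stack node runs the same XFRM
// cleanup once for each enabled family.
type family string

const (
	ipv4 family = "IPv4"
	ipv6 family = "IPv6"
)

// Hypothetical priorities standing in for real XFRM policy priorities. The
// kernel matches lower numbers first, so "deprioritizing" a stale policy means
// giving it a larger value (assumed values; not taken from Cilium).
const (
	stalePriority   = 10
	demotedPriority = 100
)

// xfrmCleaner is an added illustration, not Cilium's node handler. It keeps one
// fake out-policy priority per family and carries both the shared Once the bug
// relied on and the per-family Onces the fix introduces.
type xfrmCleaner struct {
	priority map[family]int

	removeStaleXFRMOnce sync.Once // before the fix: shared by both families

	removeStaleIPv4XFRMOnce sync.Once // after the fix: one Once per family
	removeStaleIPv6XFRMOnce sync.Once
}

func newXFRMCleaner() *xfrmCleaner {
	return &xfrmCleaner{priority: map[family]int{ipv4: stalePriority, ipv6: stalePriority}}
}

// deprioritize is the actual work: demote the stale out-policy of one family.
func (c *xfrmCleaner) deprioritize(f family) {
	c.priority[f] = demotedPriority
}

// deprioritizeOldOutPolicyBuggy shows the pre-fix shape. sync.Once runs the
// closure at most once per Once value, not once per argument, so whichever
// family calls first wins and the other family is skipped silently.
func (c *xfrmCleaner) deprioritizeOldOutPolicyBuggy(f family) {
	c.removeStaleXFRMOnce.Do(func() { c.deprioritize(f) })
}

// deprioritizeOldOutPolicyFixed dispatches to a Once dedicated to the family,
// so IPv4 and IPv6 are each demoted exactly once.
func (c *xfrmCleaner) deprioritizeOldOutPolicyFixed(f family) {
	switch f {
	case ipv4:
		c.removeStaleIPv4XFRMOnce.Do(func() { c.deprioritize(ipv4) })
	case ipv6:
		c.removeStaleIPv6XFRMOnce.Do(func() { c.deprioritize(ipv6) })
	}
}

// runDualStack simulates a dual-stack node: the cleanup is invoked for both
// families (twice each, as repeated node updates would), and the resulting
// priorities are returned so the outcome can be checked.
func runDualStack(fixed bool) map[family]int {
	c := newXFRMCleaner()
	for i := 0; i < 2; i++ {
		for _, f := range []family{ipv4, ipv6} {
			if fixed {
				c.deprioritizeOldOutPolicyFixed(f)
			} else {
				c.deprioritizeOldOutPolicyBuggy(f)
			}
		}
	}
	out := make(map[family]int, len(c.priority))
	for f, p := range c.priority {
		out[f] = p
	}
	return out
}

func main() {
	fmt.Println("shared Once:    ", runDualStack(false)) // IPv6 is left at the stale priority
	fmt.Println("Once per family:", runDualStack(true))
}
```

When a Once wraps something that takes a parameter, the first question to ask is whether "once" means once overall or once per parameter value; if it is the latter, the Once has to be keyed by that value, as the per-family split here does.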
[ upstream commit 1198055 ]

Signed-off-by: amitmavgupta <115551423+amitmavgupta@users.noreply.github.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 390b4dc ]

Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 104dafd ]

Observed a panic: runtime.boundsError{x:0, y:0, signed:true, code:0x0} (runtime error: index out of range [0] with length 0)

github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).deallocateIDForNode(0xc003e871f0?, 0xc003e87108?)
	/go/src/github.com/cilium/cilium/pkg/datapath/linux/node_ids.go:110 +0x335

Signed-off-by: qifeng guo <qifeng.guo@daocloud.io>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
@nbusseneau nbusseneau added kind/backports This PR provides functionality previously merged into master. backport/1.13 This PR represents a backport for Cilium 1.13.x of a PR that was merged to main. labels Jun 22, 2023
@nbusseneau (Member Author)

/test-backport-1.13

@brb (Member) left a comment


Thanks!

@giorio94 (Member) left a comment


My commit looks good. Thanks!

@qmonnet (Member)

qmonnet commented Jun 23, 2023

@nbusseneau nbusseneau marked this pull request as ready for review June 26, 2023 15:07
@nbusseneau nbusseneau requested review from a team as code owners June 26, 2023 15:07
@nbusseneau (Member Author)

1.22 / 4.19 https://jenkins.cilium.io/job/Cilium-PR-K8s-1.22-kernel-4.19/80/ has hit our old friend #25467.

@nbusseneau nbusseneau removed the request for review from aanm June 27, 2023 13:21
@nbusseneau (Member Author)

/test-1.22-4.19

@jrajahalme (Member) left a comment


Looks good for my PRs :)

@nbusseneau nbusseneau added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 28, 2023
@nbusseneau (Member Author)

CI passed and most reviews are in (most importantly those for commits with conflicts), marking ready to merge.

@maintainer-s-little-helper maintainer-s-little-helper bot removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 28, 2023
@nbusseneau nbusseneau added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 28, 2023
@borkmann borkmann merged commit ea68838 into cilium:v1.13 Jun 29, 2023
62 checks passed