v1.13 Backports 2023-06-22 #26421
[ upstream commit 81bd556 ] Fixes cilium#22917 Signed-off-by: vipul-21 <vipul21sept@gmail.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit e772ba8 ] Currently, the support for external workloads is always enabled in the clustermesh-apiserver. Yet, this feature requires the synchronization of all the services present in the cluster to the kvstore, including the corresponding backends (plain clustermesh instead only requires the synchronization of shared services and associated backends). Given that full synchronization is quite onerous in large clusters, let's make it configurable through a dedicated flag. By default, it is enabled, in order not to modify the current behavior when unspecified (e.g., by the legacy Cilium CLI). When installing cilium through Helm, instead, it is configured according to the pre-existing externalWorkloads.enabled configuration entry. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 13f146e ] New Docker desktop may have a default builder with name "desktop-linux" that is not buildx capable. Detect that name as well as the old "default" for the need to create a new buildx builder. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit a571731 ] When the NAT path in to-overlay/to-netdev is included as tail_handle_nat_fwd_ipv6(), skip the hop through handle_nat_fwd_ipv6() and call the actual RevDNAT implementation straight away. This allows us to pass through a trace_ctx struct, so that the RevDNAT can return precise trace information from its CT lookup. The IPv4 path already does this, so we must have missed the boat at some point. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 458479b ] b2de07a ("bpf: Fix missing drop notifications on ct lookup failures") took care of most paths. But we also need to throw a drop notification when ipv6_hdrlen() returns an error. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit a808972 ] Signed-off-by: Pat Riehecky <riehecky@fnal.gov> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 7f7a285 ] as the egress gateway feature would not be supported Signed-off-by: Gilberto Bertin <jibi@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 5ddc2d9 ] Parsed Envoy Listeners have qualified names, so explicit listener references must also be qualified for name comparison to work. Usually the listener reference is implicit (== first listener in the CiliumEnvoyConfig) so this bug was not hit in practice. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 98f41d8 ] Make ResourceQualifiedName gracefully return the given resource name, if it is already qualified, or if it is empty. Optionally also qualify resource names with a different namespace as a prefix to force namespacing where applicable. Passing through empty resource names without qualifying them is important so that a potentially invalid envoy config, where a required name is missing, remains invalid also after qualifying resource names. Currently, a CiliumEnvoyConfig may use backendServices in a different namespace, so resource namespacing can not be enforced on the referred backend services. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit a18cd16 ] Qualify cluster names that are not already qualified. This helps avoid accidental resource name collision when multiple CiliumEnvoyConfigs are defined. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 6618e5d ] Validate also Listener resources after parsing them from CiliumEnvoyConfig. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 8ce6f3b ] Qualify Envoy Secret resource names and references with the namespace and CEC name when not already namespaced. This helps prevent accidental Secret resource name collisions between different CEC/CCEC resources when they use the same (unqualified) name locally. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
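The three Envoy-resource commits above (98f41d8, a18cd16 and 8ce6f3b) share one rule: a cluster or secret name local to a CiliumEnvoyConfig is prefixed with the CEC's namespace and name, while empty and already-qualified names pass through untouched. The Go below is an added illustration of that rule, not Cilium's own ResourceQualifiedName; it assumes a hypothetical `qualifyResourceName` helper and the qualified form `namespace/cecName/resource`, and omits the optional force-namespacing variant.

```go
package main

import (
	"fmt"
	"strings"
)

// qualifyResourceName is a hypothetical stand-in for the behaviour the
// backported commits describe (not Cilium's own function). A local Envoy
// resource name is prefixed with the owning CEC's namespace and name so
// that two CECs that both declare, say, a cluster "backend" cannot collide
// in Envoy's flat resource namespace.
//
// Two inputs are returned unchanged:
//   - an empty name, so that an Envoy config that is already invalid
//     (a required name missing) stays invalid after qualification;
//   - a name containing "/", which is treated as already qualified.
func qualifyResourceName(namespace, cecName, resource string) string {
	if resource == "" || strings.Contains(resource, "/") {
		return resource
	}
	return namespace + "/" + cecName + "/" + resource
}

// qualifyAll qualifies every name declared by one CEC and reports whether
// the result is duplicate-free: qualification separates CECs from each
// other, but must not mask two identical names inside the same CEC.
func qualifyAll(namespace, cecName string, names []string) ([]string, bool) {
	out := make([]string, 0, len(names))
	seen := make(map[string]struct{}, len(names))
	unique := true
	for _, n := range names {
		q := qualifyResourceName(namespace, cecName, n)
		if _, dup := seen[q]; dup {
			unique = false
		}
		seen[q] = struct{}{}
		out = append(out, q)
	}
	return out, unique
}

func main() {
	// Constructed sample: two CECs in different namespaces both declare a
	// cluster named "backend"; after qualification the names differ.
	a := qualifyResourceName("team-a", "ingress", "backend")
	b := qualifyResourceName("team-b", "ingress", "backend")
	fmt.Println(a, b, a != b)
	names, unique := qualifyAll("team-a", "ingress", []string{"backend", "", "other/x"})
	fmt.Println(names, unique)
}
```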
[ upstream commit 87ac446 ] 'SetNodeOnFirstMessageOnly: true' was missing from the XDS reference used for secrets, which causes larger than necessary XDS messages. Let Cilium agent fill in the XDS reference instead. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 0cbe507 ] Signed-off-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit f68f0d4 ] Signed-off-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 231e65a ] Add envoyConfig value to be able to enable CiliumEnvoyConfig with access to a secrets namespace in cases where Cilium Ingress nor GatewayAPI is enabled, or a different secrets namespace is needed. envoyConfig.secretsNamespace.name defines the namespace to which Cilium Agent is given read access to. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit ba0b957 ] Prevent falling through from IPv6 to IPIP when creating SRV6 state entries based on the encapsulated header protocol. Caught by compiling with -Wimplicit-fallthrough. Fixes: bfba740 ("bpf: Handle reply SRv6 traffic") Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 93cc419 ] Signed-off-by: amitmavgupta <115551423+amitmavgupta@users.noreply.github.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 68bff35 ] Fixing incorrect description of the GET /public policy in the L7 section. Signed-off-by: Peter Jausovec <peter.jausovec@solo.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit e0931df ] Add a note to the L3 policy documentation clarifying that L3 DNS policies require the L7 proxy enabled and an L7 policy for DNS traffic so Cilium can intercept DNS responses. Previously, the documentation linked to other sections describing the DNS Proxy, but I know at least a few people who were surprised that a policy under "L3 Examples" would require an L7 proxy. Hopefully adding a note near the beginning of the section will make this requirement more obvious. Signed-off-by: Will Daly <widaly@microsoft.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 18f85a0 ] To help to detect when IPcache is out of sync with locally stored Node IDs. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit e956bb1 ] The Node ID is used in the SKB mark used by XFRM policies. The latter print it in hex. So, let's reduce the mental strain a bit when debugging IPsec issues. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit f4f3656 ] We expect deprioritizeOldOutPolicy() to be executed for IPv4 and IPv6, but removeStaleXFRMOnce prevents the second call. If both IPv4 and IPv6 are enabled, v6 xfrm policy won't be deprioritized due to this issue. This commit fixes it by splitting removeStaleXFRMOnce into removeStaleIPv4XFRMOnce and removeStaleIPv6XFRMOnce. Fixes: cilium@688dc9a Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
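The defect in commit f4f3656 is a single `sync.Once` shared by two callers, so whichever address family runs first consumes it and the other is silently skipped. The Go below is an added reproduction of that shape and its per-family fix, not Cilium's code; the type and method names are hypothetical and the "deprioritise" work is modelled as recording which family ran.

```go
package main

import (
	"fmt"
	"sync"
)

type family string

const (
	ipv4 family = "IPv4"
	ipv6 family = "IPv6"
)

// sharedOnce mirrors the buggy layout: one Once guards the stale-XFRM
// deprioritisation for both families. The second family's call is a no-op.
type sharedOnce struct {
	once sync.Once
	done []family // families whose stale policy was actually handled
}

func (s *sharedOnce) deprioritize(f family) {
	s.once.Do(func() { s.done = append(s.done, f) })
}

// perFamilyOnce mirrors the fix: a separate Once per family, so IPv4 and
// IPv6 are each handled exactly once, regardless of call order or repeats.
type perFamilyOnce struct {
	once map[family]*sync.Once
	done []family
}

func newPerFamilyOnce() *perFamilyOnce {
	return &perFamilyOnce{once: map[family]*sync.Once{ipv4: new(sync.Once), ipv6: new(sync.Once)}}
}

func (p *perFamilyOnce) deprioritize(f family) {
	p.once[f].Do(func() { p.done = append(p.done, f) })
}

// run drives both variants through the dual-stack sequence (IPv4, then IPv6,
// then a repeated IPv4) and returns which families each one handled.
func run() (shared, perFamily []family) {
	s := &sharedOnce{}
	p := newPerFamilyOnce()
	for _, f := range []family{ipv4, ipv6, ipv4} {
		s.deprioritize(f)
		p.deprioritize(f)
	}
	return s.done, p.done
}

func main() {
	shared, perFamily := run()
	fmt.Println("shared Once handled:", shared, "per-family Once handled:", perFamily)
}
```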
[ upstream commit 1198055 ] Signed-off-by: amitmavgupta <115551423+amitmavgupta@users.noreply.github.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 390b4dc ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 104dafd ] Observed a panic: runtime.boundsError{x:0, y:0, signed:true, code:0x0} (runtime error: index out of range [0] with length 0) github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).deallocateIDForNode(0xc003e871f0?, 0xc003e87108?) /go/src/github.com/cilium/cilium/pkg/datapath/linux/node_ids.go:110 +0x335 Signed-off-by: qifeng guo <qifeng.guo@daocloud.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
/test-backport-1.13
Thanks!
My commit looks good. Thanks!
Looks all in order, thanks!
1.22 / 4.19 https://jenkins.cilium.io/job/Cilium-PR-K8s-1.22-kernel-4.19/80/ has hit our old friend #25467.
/test-1.22-4.19
Looks good for my PRs :)
CI passed and most reviews are in (most importantly those for commits with conflicts), marking ready to merge.
PRs skipped due to conflicts:
Once this PR is merged, you can update the PR labels via:
or with