aanm · aanm · Dec 6, 2023 · Feb 15, 2024 · Nov 14, 2023 · Oct 23, 2023
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,6 +1,6 @@
 {
   "name": "Cilium",
-  "image": "quay.io/cilium/cilium-builder:660f4e44fb79bc0856934f8466241eb7d394d270@sha256:765d44fe9fc65d11d477d0a2177daf86a343500a00901d3d8fb2ecb95e266f06",
+  "image": "quay.io/cilium/cilium-builder:f2d25e741d2e754e25fda8ebb0f65d099d6a7a49@sha256:020ddc0f54cd797f0b3e7f8b3dba0b3aedc76911d40076aa042b14fda4e3bee0",
   "workspaceFolder": "/go/src/github.com/cilium/cilium",
   "workspaceMount": "source=${localWorkspaceFolder},target=/go/src/github.com/cilium/cilium,type=bind",
   "features": {

diff --git a/.github/actions/aws/k8s-versions-schema.yaml b/.github/actions/aws/k8s-versions-schema.yaml
@@ -4,3 +4,4 @@ includeItem:
   version: str()
   region: str()
   default: bool(required=False)
+  ipsec: bool(required=False)
diff --git a/.github/actions/aws/k8s-versions.yaml b/.github/actions/aws/k8s-versions.yaml
@@ -1,14 +1,13 @@
 # List of k8s version for EKS tests
 ---
 include:
-  - version: "1.23"
-    region: ca-west-1
   - version: "1.24"
-    region: us-west-1
+    region: ca-central-1
   - version: "1.25"
-    region: us-east-2
+    region: us-west-2
   - version: "1.26"
-    region: ca-central-1
+    region: us-west-1
   - version: "1.27"
-    region: us-east-1
+    region: us-east-2
     default: true
+    ipsec: true
diff --git a/.github/actions/azure/k8s-versions.yaml b/.github/actions/azure/k8s-versions.yaml
@@ -1,13 +1,10 @@
 # List of k8s version for AKS tests
 ---
 include:
-  - version: "1.25"
-    location: westus3
-    index: 1
   - version: "1.26"
     location: westus2
-    index: 2
+    index: 1
   - version: "1.27"
     location: eastus2
-    index: 3
+    index: 2
     default: true
diff --git a/.github/actions/cilium-config/action.yml b/.github/actions/cilium-config/action.yml
@@ -40,6 +40,9 @@ inputs:
   mutual-auth:
     description: 'Enable mTLS-based Mutual Authentication'
     default: true
+  ingress-controller:
+    description: 'Enable ingress controller, required kubeProxyReplacement'
+    default: false
   devices:
     description: 'List of native devices to attach datapath programs'
     default: ''
@@ -64,7 +67,7 @@ runs:
             --helm-set=bpf.monitorAggregation=none \
             --helm-set=cluster.name=default \
             --helm-set=authentication.mutual.spire.enabled=${{ inputs.mutual-auth }} \
-            --nodes-without-cilium=kind-worker3 \
+            --nodes-without-cilium \
             --helm-set-string=kubeProxyReplacement=${{ inputs.kpr }} \
             --set='${{ inputs.misc }}'"
 
@@ -141,5 +144,12 @@ runs:
             HOST_FW="--helm-set=hostFirewall.enabled=true"
           fi
 
-          CONFIG="${DEFAULTS} ${IMAGE} ${TUNNEL} ${DEVICES} ${LB_MODE} ${ENDPOINT_ROUTES} ${IPV6} ${MASQ} ${EGRESS_GATEWAY} ${ENCRYPT} ${HOST_FW} ${LB_ACCELERATION}"
+          if [ "${{ inputs.kpr }}" == "true" ]; then
+            if [ "${{ inputs.ingress-controller }}" == "true" ]; then
+              INGRESS_CONTROLLER="--helm-set=ingressController.enabled=true"
+              INGRESS_CONTROLLER+=" --helm-set=ingressController.service.type=NodePort"
+            fi
+          fi
+
+          CONFIG="${DEFAULTS} ${IMAGE} ${TUNNEL} ${DEVICES} ${LB_MODE} ${ENDPOINT_ROUTES} ${IPV6} ${MASQ} ${EGRESS_GATEWAY} ${ENCRYPT} ${HOST_FW} ${LB_ACCELERATION} ${INGRESS_CONTROLLER}"
           echo "config=${CONFIG}" >> $GITHUB_OUTPUT
diff --git a/.github/actions/conn-disrupt-test/action.yaml b/.github/actions/conn-disrupt-test/action.yaml
@@ -22,7 +22,8 @@ runs:
         # subsequent connectivity tests with --include-conn-disrupt-test to catch any
         # interruption in such flows.
         ./cilium-cli connectivity test --include-conn-disrupt-test --conn-disrupt-test-setup \
-          --conn-disrupt-dispatch-interval 0ms
+          --conn-disrupt-dispatch-interval 0ms \
+          --expected-xfrm-errors "+inbound_no_state"
 
     - name: Operate Cilium
       shell: bash
@@ -39,4 +40,5 @@ runs:
           --sysdump-output-filename "cilium-sysdump-${{ inputs.job-name }}-<ts>" \
           --junit-file "cilium-junits/${{ inputs.job-name }}.xml" \
           ${{ inputs.extra-connectivity-test-flags }} \
-          --junit-property github_job_step="Run conn disrupt tests (${{ inputs.job-name }})"
+          --junit-property github_job_step="Run conn disrupt tests (${{ inputs.job-name }})" \
+          --expected-xfrm-errors "+inbound_no_state"
diff --git a/.github/actions/ginkgo/main-k8s-versions.yaml b/.github/actions/ginkgo/main-k8s-versions.yaml
@@ -4,62 +4,62 @@ include:
   - k8s-version: "1.27"
     ip-family: "dual"
     # renovate: datasource=docker
-    kube-image: "kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72"
+    kube-image: "kindest/node:v1.27.11@sha256:681253009e68069b8e01aad36a1e0fa8cf18bb0ab3e5c4069b2e65cafdd70843"
     # renovate: datasource=docker depName=quay.io/lvh-images/kind
-    kernel: "6.6-20240208.105738@sha256:2ae01ae28d314dfc527ca97ea16afaa1ac98c21954139f55652b5d5383ad7910"
+    kernel: "6.6-20240327.122820@sha256:dee6e22e4faa0fb0fbba1a258f3296c593b4c7d9aa274f72f5d045baf661910b"
 
   - k8s-version: "1.26"
     ip-family: "dual"
     # renovate: datasource=docker
-    kube-image: "kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb"
+    kube-image: "kindest/node:v1.26.14@sha256:5d548739ddef37b9318c70cb977f57bf3e5015e4552be4e27e57280a8cbb8e4f"
     # renovate: datasource=docker depName=quay.io/lvh-images/kind
-    kernel: "4.19-20240208.105738@sha256:f497849be92d3e808b72c9e6c87c0d6433ebaae85ff663bcccfaa0d21f668336"
+    kernel: "4.19-20240327.122820@sha256:5d40a6d8cb66c8ec7ac8873ec7039af4c449f0b50c59431179be6a0c804ebd5b"
 
   - k8s-version: "1.25"
     ip-family: "dual"
     # renovate: datasource=docker
-    kube-image: "kindest/node:v1.25.11@sha256:227fa11ce74ea76a0474eeefb84cb75d8dad1b08638371ecf0e86259b35be0c8"
+    kube-image: "kindest/node:v1.25.16@sha256:e8b50f8e06b44bb65a93678a65a26248fae585b3d3c2a669e5ca6c90c69dc519"
     # renovate: datasource=docker depName=quay.io/lvh-images/kind
-    kernel: "5.4-20240208.105738@sha256:80c6843f90875ad14b241fe5984ab5db4966d6900c2370e655c578cb2ac38816"
+    kernel: "5.4-20240327.122820@sha256:3b692b5a3094a21e4722622da0e209adc0627a23e98546bcfe72731e99f99bb7"
 
   - k8s-version: "1.24"
     ip-family: "dual"
     # renovate: datasource=docker
-    kube-image: "kindest/node:v1.24.15@sha256:7db4f8bea3e14b82d12e044e25e34bd53754b7f2b0e9d56df21774e6f66a70ab"
+    kube-image: "kindest/node:v1.24.17@sha256:bad10f9b98d54586cba05a7eaa1b61c6b90bfc4ee174fdc43a7b75ca75c95e51"
     # renovate: datasource=docker depName=quay.io/lvh-images/kind
-    kernel: "4.19-20240208.105738@sha256:f497849be92d3e808b72c9e6c87c0d6433ebaae85ff663bcccfaa0d21f668336"
+    kernel: "4.19-20240327.122820@sha256:5d40a6d8cb66c8ec7ac8873ec7039af4c449f0b50c59431179be6a0c804ebd5b"
 
   - k8s-version: "1.23"
     ip-family: "dual"
     # renovate: datasource=docker
-    kube-image: "kindest/node:v1.23.17@sha256:59c989ff8a517a93127d4a536e7014d28e235fb3529d9fba91b3951d461edfdb"
+    kube-image: "kindest/node:v1.23.17@sha256:14d0a9a892b943866d7e6be119a06871291c517d279aedb816a4b4bc0ec0a5b3"
     # renovate: datasource=docker depName=quay.io/lvh-images/kind
-    kernel: "4.19-20240208.105738@sha256:f497849be92d3e808b72c9e6c87c0d6433ebaae85ff663bcccfaa0d21f668336"
+    kernel: "4.19-20240327.122820@sha256:5d40a6d8cb66c8ec7ac8873ec7039af4c449f0b50c59431179be6a0c804ebd5b"
 
   - k8s-version: "1.22"
     ip-family: "dual"
     # renovate: datasource=docker
     kube-image: "kindest/node:v1.22.17@sha256:f5b2e5698c6c9d6d0adc419c0deae21a425c07d81bbf3b6a6834042f25d4fba2"
     # renovate: datasource=docker depName=quay.io/lvh-images/kind
-    kernel: "4.19-20240208.105738@sha256:f497849be92d3e808b72c9e6c87c0d6433ebaae85ff663bcccfaa0d21f668336"
+    kernel: "4.19-20240327.122820@sha256:5d40a6d8cb66c8ec7ac8873ec7039af4c449f0b50c59431179be6a0c804ebd5b"
 
   - k8s-version: "1.21"
     ip-family: "dual"
     # renovate: datasource=docker
     kube-image: "kindest/node:v1.21.14@sha256:8a4e9bb3f415d2bb81629ce33ef9c76ba514c14d707f9797a01e3216376ba093"
     # renovate: datasource=docker depName=quay.io/lvh-images/kind
-    kernel: "4.19-20240208.105738@sha256:f497849be92d3e808b72c9e6c87c0d6433ebaae85ff663bcccfaa0d21f668336"
+    kernel: "4.19-20240327.122820@sha256:5d40a6d8cb66c8ec7ac8873ec7039af4c449f0b50c59431179be6a0c804ebd5b"
 
   - k8s-version: "1.20"
     ip-family: "dual"
     # renovate: datasource=docker
     kube-image: "kindest/node:v1.20.15@sha256:a32bf55309294120616886b5338f95dd98a2f7231519c7dedcec32ba29699394"
     # renovate: datasource=docker depName=quay.io/lvh-images/kind
-    kernel: "4.19-20240208.105738@sha256:f497849be92d3e808b72c9e6c87c0d6433ebaae85ff663bcccfaa0d21f668336"
+    kernel: "4.19-20240327.122820@sha256:5d40a6d8cb66c8ec7ac8873ec7039af4c449f0b50c59431179be6a0c804ebd5b"
 
   - k8s-version: "1.19"
     ip-family: "ipv4"
     # renovate: datasource=docker
     kube-image: "kindest/node:v1.19.16@sha256:476cb3269232888437b61deca013832fee41f9f074f9bed79f57e4280f7c48b7"
     # renovate: datasource=docker depName=quay.io/lvh-images/kind
-    kernel: "4.19-20240208.105738@sha256:f497849be92d3e808b72c9e6c87c0d6433ebaae85ff663bcccfaa0d21f668336"
+    kernel: "4.19-20240327.122820@sha256:5d40a6d8cb66c8ec7ac8873ec7039af4c449f0b50c59431179be6a0c804ebd5b"
diff --git a/.github/actions/gke/k8s-versions.yaml b/.github/actions/gke/k8s-versions.yaml
@@ -1,16 +1,10 @@
 # List of k8s version for GKE tests
 ---
 k8s:
-  - version: "1.24"
-    zone: us-west2-a
+  - version: "1.26"
+    zone: us-west2-c
     vmIndex: 1
-  - version: "1.25"
+  - version: "1.27"
     zone: us-west3-a
     vmIndex: 2
-  - version: "1.26"
-    zone: us-east4-b
-    vmIndex: 3
-  - version: "1.27"
-    zone: us-east5-a
-    vmIndex: 4
     default: true
diff --git a/.github/actions/ipsec-key-rotate/action.yaml b/.github/actions/ipsec-key-rotate/action.yaml
@@ -0,0 +1,80 @@
+name: IPsec key rotation test
+description: Rotates keys and checks that established connections are not interrupted
+inputs:
+  key-algo:
+    required: true
+    type: string
+    description: "gcm(aes) or cbc(aes)"
+  key-type-one:
+    required: true
+    type: string
+    description: "'+' if we started with the per-tunnel key system"
+  key-type-two:
+    required: true
+    type: string
+    description: "'+' to rotate to the per-tunnel key system"
+  extra-connectivity-test-flags:
+    required: false
+    type: string
+runs:
+  using: composite
+  steps:
+    - name: Rotate IPsec Key & Test
+      uses: ./.github/actions/conn-disrupt-test
+      with:
+        job-name: conformance-ipsec-e2e-key-rotation
+        extra-connectivity-test-flags: ${{ inputs.extra-connectivity-test-flags }}
+        operation-cmd: |
+          KEYID=$(kubectl get secret -n kube-system cilium-ipsec-keys -o go-template --template={{.data.keys}} | base64 -d | grep -oP "^\d+")
+          if [[ $KEYID -ge 15 ]]; then KEYID=0; fi
+
+          if [[ "${{ inputs.key-algo }}" == "gcm(aes)" ]]; then
+            key="rfc4106(gcm(aes)) $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64) 128"
+          elif [[ "${{ inputs.key-algo }}" == "cbc(aes)" ]]; then
+            key="hmac(sha256) $(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64) cbc(aes) $(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64)"
+          else
+            echo "Invalid key type"; exit 1
+          fi
+          data="{\"stringData\":{\"keys\":\"$((($KEYID+1)))${{ inputs.key-type-two }} ${key}\"}}"
+
+          echo "Updating IPsec secret with $data"
+          kubectl patch secret -n kube-system cilium-ipsec-keys -p="$data" -v=1
+
+          # Compute number of expected keys during key rotation depending on
+          # whether we use the single-key system (1 key) or the per-tunnel
+          # keys system (4 keys).
+          exp_nb_keys=2
+          if [[ "${{ inputs.key-type-one }}" == "+" ]]; then
+            ((exp_nb_keys+=7))
+          fi
+          if [[ "${{ inputs.key-type-two }}" == "+" ]]; then
+            ((exp_nb_keys+=7))
+          fi
+
+          # Wait until key rotation starts
+          # We expect the amount of keys in use to grow during rotation.
+          while true; do
+            keys_in_use=$(kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium encrypt status | awk '/Keys in use/ {print $NF}')
+            if [[ $keys_in_use == $exp_nb_keys ]]; then
+              break
+            fi
+            echo "Waiting until key rotation starts (seeing $keys_in_use keys, expected $exp_nb_keys)"
+            sleep 30s
+          done
+
+          exp_nb_keys=1
+          if [[ "${{ inputs.key-type-two }}" == "+" ]]; then
+            exp_nb_keys=8
+          fi
+
+          # Wait until key rotation completes
+          # By default the key rotation cleanup delay is 5min, let's sleep 4min before actively polling
+          sleep $((4*60))
+          while true; do
+            keys_in_use=$(kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium encrypt status | awk '/Keys in use/ {print $NF}')
+            if [[ $keys_in_use == $exp_nb_keys ]]; then
+              break
+            fi
+            echo "Waiting until key rotation completes (seeing $keys_in_use keys, expected $exp_nb_keys)"
+            sleep 30s
+          done
diff --git a/.github/actions/kvstore/action.yaml b/.github/actions/kvstore/action.yaml
@@ -7,7 +7,7 @@ inputs:
     default: "1"
   etcd-image:
     description: "etcd docker image"
-    default: gcr.io/etcd-development/etcd:v3.5.11@sha256:8eff25cf636711fb48426005b55fc9f4d6ffa4f38f483fa87c8cc82976347bbb
+    default: gcr.io/etcd-development/etcd:v3.5.13@sha256:f435f2be55ca8fbaa56126419f3d0d3a43695a856ffcb7e51a3b82dcab784c14
   name:
     description: "Base name of the etcd containers (to which the index is appended)"
     default: kvstore

diff --git a/.github/actions/lvh-kind/action.yaml b/.github/actions/lvh-kind/action.yaml
@@ -8,7 +8,8 @@ inputs:
   kind-params:
     required: true
     type: string
-  kind-image-vsn:
+  kind-image:
+    required: true
     type: string
   test-name:
     required: true
@@ -18,7 +19,7 @@ runs:
   using: composite
   steps:
     - name: Provision LVH VMs
-      uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
+      uses: cilium/little-vm-helper@a4311c6d054de3008bdf9195b0fabf6ee60d8bdd # v0.0.17
       with:
         test-name: ${{ inputs.test-name }}
         image-version: ${{ inputs.kernel }}
@@ -27,18 +28,18 @@ runs:
         mem: 12G
         install-dependencies: 'true'
         port-forward: '6443:6443'
+        ssh-startup-wait-retries: 600
         cmd: |
           git config --global --add safe.directory /host
 
     - name: Create K8s cluster
-      uses: cilium/little-vm-helper@9d758b756305e83718a51b792a5aeabd022a39ec # v0.0.16
+      uses: cilium/little-vm-helper@a4311c6d054de3008bdf9195b0fabf6ee60d8bdd # v0.0.17
       with:
         provision: 'false'
         cmd: |
           cd /host
-          if [ "${{ inputs.kind-image-vsn }}" != "" ]; then
-            export IMAGE=quay.io/cilium/kindest-node:${{ inputs.kind-image-vsn }}
-          fi
+
+          export IMAGE=${{ inputs.kind-image }}
           ./contrib/scripts/kind.sh ${{ inputs.kind-params }} 0.0.0.0 6443
 
     - name: Copy kubeconfig

diff --git a/.github/actions/set-env-variables/action.yml b/.github/actions/set-env-variables/action.yml
@@ -10,6 +10,16 @@ runs:
         # no prod yet
         echo "QUAY_CHARTS_ORGANIZATION_DEV=cilium-charts-dev" >> $GITHUB_ENV
         # renovate: datasource=github-releases depName=cilium/cilium-cli
-        CILIUM_CLI_VERSION="v0.15.21"
+        CILIUM_CLI_VERSION="v0.16.4"
         echo "CILIUM_CLI_VERSION=$CILIUM_CLI_VERSION" >> $GITHUB_ENV
         echo "GCP_PERF_RESULTS_BUCKET=gs://cilium-scale-results" >> $GITHUB_ENV
+
+        # renovate: datasource=github-releases depName=kubernetes-sigs/kind
+        KIND_VERSION="v0.22.0"
+        # renovate: datasource=docker
+        KIND_K8S_IMAGE="kindest/node:v1.27.11@sha256:681253009e68069b8e01aad36a1e0fa8cf18bb0ab3e5c4069b2e65cafdd70843"
+        KIND_K8S_VERSION=$(echo "$KIND_K8S_IMAGE" | sed -r 's|.+:(v[0-9a-z.-]+)(@.+)?|\1|')
+
+        echo "KIND_VERSION=$KIND_VERSION" >> $GITHUB_ENV
+        echo "KIND_K8S_IMAGE=$KIND_K8S_IMAGE" >> $GITHUB_ENV
+        echo "KIND_K8S_VERSION=$KIND_K8S_VERSION" >> $GITHUB_ENV
diff --git a/.travis/build.sh → .github/actions/unit-tests/build.sh b/.travis/build.sh → .github/actions/unit-tests/build.sh
diff --git a/.travis/prepare.sh → .github/actions/unit-tests/prepare.sh b/.travis/prepare.sh → .github/actions/unit-tests/prepare.sh
@@ -45,5 +45,4 @@ install_clang
 
 export PATH="/usr/local/clang/bin:$PATH"
 
-go install github.com/mattn/goveralls@a36c7ef8f23b2952fa6e39663f52107dfc8ad69d # v0.0.11
 go install github.com/mfridman/tparse@28967170dce4f9f13de77ec857f7aed4c4294a5f # v0.12.3 (main) with -progress
diff --git a/.github/ariane-config.yaml b/.github/ariane-config.yaml
@@ -1,3 +1,6 @@
+allowed-teams:
+  - organization-members
+
 triggers:
   /test-backport-1.14:
     workflows:

diff --git a/.github/kind-config-ipv6.yaml b/.github/kind-config-ipv6.yaml
@@ -2,7 +2,6 @@ kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
   - role: control-plane
-    image: kindest/node:v1.27.0
     kubeadmConfigPatches:
       # To make sure that there is no taint for master node.
       # Otherwise additional worker node might be required for conformance testing.
@@ -12,7 +11,6 @@ nodes:
         nodeRegistration:
           taints: []
   - role: worker
-    image: kindest/node:v1.27.0
 networking:
   ipFamily: ipv6
   disableDefaultCNI: true

diff --git a/.github/kind-config.yaml b/.github/kind-config.yaml
@@ -2,7 +2,6 @@ kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
   - role: control-plane
-    image: kindest/node:v1.27.0
     kubeadmConfigPatches:
       # To make sure that there is no taint for master node.
       # Otherwise additional worker node might be required for conformance testing.
@@ -12,7 +11,6 @@ nodes:
         nodeRegistration:
           taints: []
   - role: worker
-    image: kindest/node:v1.27.0
 networking:
   disableDefaultCNI: true
   podSubnet: "10.244.0.0/16"