Merge branch 'main' into main

cilium · Dec 4, 2023 · 0103bf3 · 0103bf3
2 parents e88f1d6 + 5ef0f10
commit 0103bf3
Show file tree

Hide file tree

Showing 957 changed files with 43,903 additions and 36,145 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,6 +1,6 @@
 {
   "name": "Cilium",
-  "image": "quay.io/cilium/cilium-builder:c43357ef8317d6dc42f71a046c9adfc756e98b35@sha256:914163868d208197babf623174b13e767cfee67f00036804fb5f9550e34a0a6c",
+  "image": "quay.io/cilium/cilium-builder:de8b7345efb5af7c6c370e95a33f24048af89cdb@sha256:ab7ef53e12551597e2f54eae46dfc446c016de63ae9501d2ef391438e2ef4a07",
   "workspaceFolder": "/go/src/github.com/cilium/cilium",
   "workspaceMount": "source=${localWorkspaceFolder},target=/go/src/github.com/cilium/cilium,type=bind",
   "features": {

diff --git a/.github/actions/aws/k8s-versions.yaml b/.github/actions/aws/k8s-versions.yaml
@@ -4,11 +4,13 @@ include:
   - version: "1.23"
     region: eu-central-1
   - version: "1.24"
-    region: ap-northeast-1
+    region: eu-west-1
   - version: "1.25"
-    region: us-east-2
+    region: ap-northeast-1
   - version: "1.26"
-    region: ca-central-1
+    region: us-east-2
   - version: "1.27"
+    region: ca-central-1
+  - version: "1.28"
     region: eu-north-1
     default: true
diff --git a/.github/actions/azure/k8s-versions.yaml b/.github/actions/azure/k8s-versions.yaml
@@ -10,4 +10,7 @@ include:
   - version: "1.27"
     location: eastasia
     index: 3
+  - version: "1.28"
+    location: eastus
+    index: 4
     default: true
diff --git a/.github/actions/ginkgo/main-focus.yaml b/.github/actions/ginkgo/main-focus.yaml
@@ -79,7 +79,6 @@ include:
     cliFocus: "K8sAgentPolicyTest Multi-node policy test validates ingress"
 
   ###
-  # K8sAgentPolicyTest Basic Test Invalid Policy report status correctly
   # K8sAgentPolicyTest Basic Test Traffic redirections to proxy Tests DNS proxy visibility without policy
   # K8sAgentPolicyTest Basic Test Traffic redirections to proxy Tests HTTP proxy visibility without policy
   # K8sAgentPolicyTest Basic Test Traffic redirections to proxy Tests proxy visibility interactions with policy lifecycle operations
@@ -216,19 +215,37 @@ include:
 exclude:
   # The bandwidth test is disabled and hubble tests are not meant
   # to run on net-next.
-  - k8s-version: "1.28"
+  - k8s-version: "1.29"
     focus: "f10-agent-hubble-bandwidth"
 
   # These tests are meant to run with kube-proxy which is not available
   # with net-next
-  - k8s-version: "1.28"
+  - k8s-version: "1.29"
     focus: "f16-datapath-service-ew-2"
 
   # These tests are meant to run with kube-proxy which is not available
   # with net-next
-  - k8s-version: "1.28"
+  - k8s-version: "1.29"
     focus: "f17-datapath-service-ew-kube-proxy"
 
+  # These tests require an external node which is only available on 1.28
+  # / net-next so there's no point on running them
+  - k8s-version: "1.28"
+    focus: "f05-agent-policy-multi-node-2"
+
+  # These tests require kernel net-next so there's no point on running them
+  - k8s-version: "1.28"
+    focus: "f11-datapath-service-ns-tc"
+
+  - k8s-version: "1.28"
+    focus: "f12-datapath-service-ns-misc"
+
+  - k8s-version: "1.28"
+    focus: "f13-datapath-service-ns-xdp-1"
+
+  - k8s-version: "1.28"
+    focus: "f14-datapath-service-ns-xdp-2"
+
   # These tests require an external node which is only available on 1.28
   # / net-next so there's no point on running them
   - k8s-version: "1.27"

diff --git a/.github/actions/ginkgo/main-k8s-versions.yaml b/.github/actions/ginkgo/main-k8s-versions.yaml
@@ -1,23 +1,30 @@
 # This file contains which kernel versions should be run with which k8s versions
 ---
 include:
+  - k8s-version: "1.29"
+    ip-family: "dual"
+    # renovate: datasource=docker
+    kube-image: "quay.io/cilium/kindest-node:v1.29.0-rc.1@sha256:6631d58da3569930cf21697c2113feb9c76bc044c1c13d98808a3695dd91d8b0"
+    # renovate: datasource=docker depName=quay.io/lvh-images/kind
+    kernel: "bpf-next-20231128.012937@sha256:bd63100dd6b77cce9566a093ce7bad4c3936edbf40862cc491f30de875bc68e7"
+
   - k8s-version: "1.28"
     ip-family: "dual"
     # renovate: datasource=docker
     kube-image: "kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31"
     # renovate: datasource=docker depName=quay.io/lvh-images/kind
-    kernel: "bpf-next-20231123.012848@sha256:d086bbc65808e0ab471e69dd99b11e79c58f518ef58502ceb2596c1e553e1b10"
+    kernel: "4.19-20231124.100406@sha256:66bb0396f461b845c62de678cc9b9598f08c0fb0080139a9830dc9e7992952d6"
 
   - k8s-version: "1.27"
     ip-family: "dual"
     # renovate: datasource=docker
     kube-image: "kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72"
     # renovate: datasource=docker depName=quay.io/lvh-images/kind
-    kernel: "4.19-20231026.065108@sha256:a70d8180e9e6c1b1b6f7b049f802aa0dd829c64a9284604779c3dc9a9bec9ae8"
+    kernel: "4.19-20231124.100406@sha256:66bb0396f461b845c62de678cc9b9598f08c0fb0080139a9830dc9e7992952d6"
 
   - k8s-version: "1.26"
     ip-family: "dual"
     # renovate: datasource=docker
     kube-image: "kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb"
     # renovate: datasource=docker depName=quay.io/lvh-images/kind
-    kernel: "5.4-20231026.065108@sha256:09bb2ddc1073cd361bd89e34de99c12375f1f5d90dce954776a3aa67ec64570e"
+    kernel: "5.4-20231124.100406@sha256:cf42860d2918e033c51d2885e385e84ed67e96312a775c9677cc3b26c67a3cb8"
diff --git a/.github/actions/ginkgo/main-prs.yaml b/.github/actions/ginkgo/main-prs.yaml
@@ -1,6 +1,6 @@
 # This file contain which k8s-versions should be executed for each PR
 ---
 k8s-version:
-  - "1.28"
+  - "1.29"
   - "1.27"
   - "1.26"
diff --git a/.github/actions/ginkgo/main-scheduled.yaml b/.github/actions/ginkgo/main-scheduled.yaml
@@ -1,6 +1,7 @@
 # This file contain which k8s-versions should be executed for on a regular basis
 ---
 k8s-version:
+  - "1.29"
   - "1.28"
   - "1.27"
   - "1.26"
diff --git a/.github/actions/gke/k8s-versions.yaml b/.github/actions/gke/k8s-versions.yaml
@@ -2,15 +2,18 @@
 ---
 k8s:
   - version: "1.24"
-    zone: us-west2-a
+    zone: europe-west6-b
     vmIndex: 1
   - version: "1.25"
-    zone: asia-northeast1-c
+    zone: us-west2-a
     vmIndex: 2
   - version: "1.26"
-    zone: europe-north1-b
+    zone: asia-northeast1-c
     vmIndex: 3
   - version: "1.27"
-    zone: us-east5-a
+    zone: europe-north1-b
     vmIndex: 4
+  - version: "1.28"
+    zone: us-east5-a
+    vmIndex: 5
     default: true
diff --git a/.github/actions/lvh-kind/action.yaml b/.github/actions/lvh-kind/action.yaml
@@ -0,0 +1,43 @@
+name: K8s on LVH
+description: Creates K8s cluster inside LVH VM, and then exposes K8s cluster to GHA runner.
+
+inputs:
+  kernel:
+    required: true
+    type: string
+  kind-params:
+    required: true
+    type: string
+  test-name:
+    required: true
+    type: string
+
+runs:
+  using: composite
+  steps:
+    - name: Provision LVH VMs
+      uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13
+      with:
+        test-name: ${{ inputs.test-name }}
+        image-version: ${{ inputs.kernel }}
+        host-mount: ./
+        cpu: 4
+        mem: 12G
+        install-dependencies: 'true'
+        port-forward: '6443:6443'
+        cmd: |
+          git config --global --add safe.directory /host
+
+    - name: Create K8s cluster
+      uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13
+      with:
+        provision: 'false'
+        cmd: |
+          cd /host
+          ./contrib/scripts/kind.sh ${{ inputs.kind-params }} 0.0.0.0 6443
+
+    - name: Copy kubeconfig
+      shell: bash
+      run: |
+        mkdir ~/.kube
+        scp -o StrictHostKeyChecking=no -P 2222 root@localhost:/root/.kube/config ~/.kube/config
diff --git a/.github/actions/set-env-variables/action.yml b/.github/actions/set-env-variables/action.yml
@@ -12,5 +12,5 @@ runs:
         echo "EGRESS_GATEWAY_HELM_VALUES=--helm-set=egressGateway.enabled=true" >> $GITHUB_ENV
         echo "CILIUM_CLI_RELEASE_REPO=cilium/cilium-cli" >> $GITHUB_ENV
         # renovate: datasource=github-releases depName=cilium/cilium-cli
-        CILIUM_CLI_VERSION="v0.15.14"
+        CILIUM_CLI_VERSION="v0.15.16"
         echo "CILIUM_CLI_VERSION=$CILIUM_CLI_VERSION" >> $GITHUB_ENV
diff --git a/.github/actions/setup-eks-cluster/action.yml b/.github/actions/setup-eks-cluster/action.yml
@@ -14,6 +14,10 @@ inputs:
     description: ''
     required: false
     default: ''
+  spot:
+    description: ''
+    required: false
+    default: 'true'
 runs:
   using: composite
   steps:
@@ -37,7 +41,7 @@ runs:
           instanceTypes:
            - t3.medium
           desiredCapacity: 1
-          spot: true
+          spot: ${{ inputs.spot }}
           privateNetworking: true
           volumeType: "gp3"
           volumeSize: 10
@@ -49,7 +53,7 @@ runs:
           instanceTypes:
            - t4g.medium
           desiredCapacity: 1
-          spot: true
+          spot: ${{ inputs.spot }}
           privateNetworking: true
           volumeType: "gp3"
           volumeSize: 10

diff --git a/.github/ariane-config.yaml b/.github/ariane-config.yaml
@@ -32,6 +32,9 @@ triggers:
   /ci-e2e:
     workflows:
     - conformance-e2e.yaml
+  /ci-e2e-upgrade:
+    workflows:
+    - tests-e2e-upgrade.yaml
   /ci-ipsec-upgrade:
     workflows:
     - tests-ipsec-upgrade.yaml
@@ -107,5 +110,7 @@ workflows:
     paths-regex: (bpf|test/verifier|vendor)/
   tests-l4lb.yaml:
     paths-regex: (bpf|daemon|images|pkg|test/l4lb|vendor)/
+  tests-e2e-upgrade.yaml:
+    paths-ignore-regex: (test|Documentation)/
   tests-ipsec-upgrade.yaml:
     paths-ignore-regex: (test|Documentation)/
diff --git a/.github/kind-config-ipv6.yaml b/.github/kind-config-ipv6.yaml
@@ -2,7 +2,7 @@ kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
   - role: control-plane
-    image: kindest/node:v1.28.0
+    image: quay.io/cilium/kindest-node:v1.29.0-rc.1
     kubeadmConfigPatches:
       # To make sure that there is no taint for master node.
       # Otherwise additional worker node might be required for conformance testing.
@@ -12,7 +12,7 @@ nodes:
         nodeRegistration:
           taints: []
   - role: worker
-    image: kindest/node:v1.28.0
+    image: quay.io/cilium/kindest-node:v1.29.0-rc.1
 networking:
   ipFamily: ipv6
   disableDefaultCNI: true

diff --git a/.github/kind-config.yaml b/.github/kind-config.yaml
@@ -2,7 +2,7 @@ kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
   - role: control-plane
-    image: kindest/node:v1.28.0
+    image: quay.io/cilium/kindest-node:v1.29.0-rc.1
     kubeadmConfigPatches:
       # To make sure that there is no taint for master node.
       # Otherwise additional worker node might be required for conformance testing.
@@ -12,7 +12,7 @@ nodes:
         nodeRegistration:
           taints: []
   - role: worker
-    image: kindest/node:v1.28.0
+    image: quay.io/cilium/kindest-node:v1.29.0-rc.1
 networking:
   disableDefaultCNI: true
   podSubnet: "10.244.0.0/16"

diff --git a/.github/workflows/build-images-ci.yaml b/.github/workflows/build-images-ci.yaml
@@ -187,7 +187,7 @@ jobs:
             quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
           target: release
           build-args: |
-            BASE_IMAGE=quay.io/cilium/cilium-runtime:f15b7a816a75363f8f3130aaaafb570f3bc88f77@sha256:c18977fde2465ffd381efc76357bb87d6f7a1d027af37a38b90862ca6432ab86
+            BASE_IMAGE=quay.io/cilium/cilium-runtime:11e4ea8be7c51848675d7b9778870a5bedd2b8aa@sha256:b720f3dbe2f2856134c6841014e99e8f4f2fe5d60fa1144c234dd6c431a9d289
             LOCKDEBUG=1
             RACE=1
             OPERATOR_VARIANT=${{ matrix.name }}
@@ -321,7 +321,7 @@ jobs:
             quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race
           target: release
           build-args: |
-            BASE_IMAGE=quay.io/cilium/cilium-runtime:f15b7a816a75363f8f3130aaaafb570f3bc88f77@sha256:c18977fde2465ffd381efc76357bb87d6f7a1d027af37a38b90862ca6432ab86
+            BASE_IMAGE=quay.io/cilium/cilium-runtime:11e4ea8be7c51848675d7b9778870a5bedd2b8aa@sha256:b720f3dbe2f2856134c6841014e99e8f4f2fe5d60fa1144c234dd6c431a9d289
             LOCKDEBUG=1
             RACE=1
             OPERATOR_VARIANT=${{ matrix.name }}

diff --git a/.github/workflows/conformance-aks.yaml b/.github/workflows/conformance-aks.yaml
@@ -160,14 +160,14 @@ jobs:
           echo owner=${OWNER} >> $GITHUB_OUTPUT
 
       - name: Install Cilium CLI
-        uses: cilium/cilium-cli@446392499db483906bcc3ade85f023912a79e5ee # v0.15.14
+        uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16
         with:
           repository: ${{ env.CILIUM_CLI_RELEASE_REPO }}
           release-version: ${{ env.CILIUM_CLI_VERSION }}
           ci-version: ${{ env.cilium_cli_ci_version }}
 
       - name: Login to Azure
-        uses: azure/login@4c88f01b0e3a5600e08a37889921afd060f75cf0 # v1.5.0
+        uses: azure/login@de95379fe4dadc2defb305917eaa7e5dde727294 # v1.5.1
         with:
           creds: ${{ secrets.AZURE_PR_SP_CREDS }}
 
@@ -229,7 +229,7 @@ jobs:
 
       - name: Wait for Cilium status to be ready
         run: |
-          cilium status --wait
+          cilium status --wait --wait-duration=10m
 
       - name: Port forward Relay
         run: |
@@ -268,7 +268,7 @@ jobs:
 
       - name: Wait for Cilium status to be ready
         run: |
-          cilium status --wait
+          cilium status --wait --wait-duration=10m
 
       - name: Port forward Relay
         run: |