v1.14 Backports 2023-07-26 #27097
Merged
v1.14 Backports 2023-07-26 #27097
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ upstream commit ebbe02b ] The nexthop and default IP routes don't require any endpoint-specific information. So instead of re-inserting the identical routes for every processed endpoint, do it just once per active EgressGW policy that uses the local node as gateway. Also remove the `gwc.localNodeConfiguredAsGateway` condition from the per-EP helper, we now already check this in the caller. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 9b9e7c2 ] To delete stale EgressGW-specific IP routes, we currently iterate over all interfaces on the node. If an interface is not in active use by the EgressGW, we fetch any old EgressGW routes and delete them. But under the covers, the netlink.RouteListFiltered() will *fetch* all routes and only then apply the filter. Considering the potential number of links on a worker node with many pods, this can add up to quite a bit of overhead. Take a different approach instead - fetch all routes just *once*, and then simply delete all those EgressGW-associated routes that don't point to an active EgressGW interface. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit fabbc5d ] route.ReplaceRule() internally fetches the whole set of IP rules in the system. So calling addEgressIpRule() for every EgressGW-eligible endpoint causes quite a bit of churn. Instead fetch the rules just once per EgressGW policy (filtered for the policy's routing table). Then check for each of the policy's endpoints whether its IP rule already exists, and insert any rule that is missing. Note that there is further potential for improvement here - ideally we would fetch the whole rule set just once, dynamically filter it down to each policy's routing table, and only match the policy's endpoints against those specific rules. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit c40d2db ] The current message looks copy&pasted from the previous error case. Adjust the text to describe what operation actually failed. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit f979bd8 ] Without specifying a filter, we're only getting the routes from the default table. So explicitly get the routes from all tables for the reconciliation of stale EgressGW IP routes. Fixes: 9b9e7c2 ("egressgw: improve removal of IP routes") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 944dddf ] To generate the gRPC API reference, we copy the "api" repository at the root of the repository to "Documentation/_api". This step is required everywhere we need to build the docs: - Locally, we run it through the "copy-api" target in Documentation/Makefile, before generating the HTML. - Same thing for the Netlify preview, where "copy-api" is a dependency for the "html-netlify" target. - However, on ReadTheDocs, where we generate and host the online documentation, we do not perform this step; nor do we use the Makefile at all. As a workaround, let's simplify the way we access the API reference. Instead of copying the docs, just symlink them from the Documentation directory. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 4772468 ] - Use `kubeProxyReplacement=true` as `partial` and `strict` settings have been deprecated in v1.14. - Specify the same Helm values for Helm and Cilium-CLI instructions. - Move the Cilium CLI installation instructions out of the tabs. It's required for both Helm and Cilium-CLI instructions. Fixes: #27060 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
nbusseneau
added
kind/backports
|
/test-backport-1.14 |
|
Note for maintainers: After merge, the following checks will need to be unmarked as required on
And the following checks will need to be marked as required instead:
|
qmonnet
approved these changes
Jul 26, 2023
julianwiedmann
approved these changes
Jul 26, 2023
michi-covalent
approved these changes
Jul 26, 2023
There was a problem hiding this comment.
i guess we need to update branch protection rules for v1.14 once this PR gets merged? cc @joestringer
|
ah i missed your comment. you are way ahead of me 🥰 |
joestringer
approved these changes
Jul 26, 2023
joestringer
added
dont-merge/wait-until-release
|
Merged and applied the new branch protection settings. Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Once this PR is merged, you can update the PR labels via:
or with