v1.14 Backports 2023-07-26 #27097
[ upstream commit ebbe02b ]

The nexthop and default IP routes don't require any endpoint-specific information. So instead of re-inserting the identical routes for every processed endpoint, do it just once per active EgressGW policy that uses the local node as gateway.

Also remove the `gwc.localNodeConfiguredAsGateway` condition from the per-EP helper, we now already check this in the caller.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>

[ upstream commit 9b9e7c2 ]

To delete stale EgressGW-specific IP routes, we currently iterate over all interfaces on the node. If an interface is not in active use by the EgressGW, we fetch any old EgressGW routes and delete them.

But under the covers, the netlink.RouteListFiltered() will *fetch* all routes and only then apply the filter. Considering the potential number of links on a worker node with many pods, this can add up to quite a bit of overhead.

Take a different approach instead - fetch all routes just *once*, and then simply delete all those EgressGW-associated routes that don't point to an active EgressGW interface.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>

[ upstream commit fabbc5d ]

route.ReplaceRule() internally fetches the whole set of IP rules in the system. So calling addEgressIpRule() for every EgressGW-eligible endpoint causes quite a bit of churn.

Instead fetch the rules just once per EgressGW policy (filtered for the policy's routing table). Then check for each of the policy's endpoints whether its IP rule already exists, and insert any rule that is missing.

Note that there is further potential for improvement here - ideally we would fetch the whole rule set just once, dynamically filter it down to each policy's routing table, and only match the policy's endpoints against those specific rules.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>

[ upstream commit c40d2db ]

The current message looks copy&pasted from the previous error case. Adjust the text to describe what operation actually failed.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>

[ upstream commit f979bd8 ]

Without specifying a filter, we're only getting the routes from the default table. So explicitly get the routes from all tables for the reconciliation of stale EgressGW IP routes.

Fixes: 9b9e7c2 ("egressgw: improve removal of IP routes")
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>

[ upstream commit 944dddf ]

To generate the gRPC API reference, we copy the "api" repository at the root of the repository to "Documentation/_api". This step is required everywhere we need to build the docs:

- Locally, we run it through the "copy-api" target in Documentation/Makefile, before generating the HTML.
- Same thing for the Netlify preview, where "copy-api" is a dependency for the "html-netlify" target.
- However, on ReadTheDocs, where we generate and host the online documentation, we do not perform this step; nor do we use the Makefile at all.

As a workaround, let's simplify the way we access the API reference. Instead of copying the docs, just symlink them from the Documentation directory.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>

[ upstream commit 4772468 ]

- Use `kubeProxyReplacement=true` as `partial` and `strict` settings have been deprecated in v1.14.
- Specify the same Helm values for Helm and Cilium-CLI instructions.
- Move the Cilium CLI installation instructions out of the tabs. It's required for both Helm and Cilium-CLI instructions.

Fixes: #27060
Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>

/test-backport-1.14
Note for maintainers: After merge, the following checks will need to be unmarked as required on
And the following checks will need to be marked as required instead:
I guess we need to update branch protection rules for v1.14 once this PR gets merged? cc @joestringer
Ah, I missed your comment. You are way ahead of me 🥰
Merged and applied the new branch protection settings. Thanks!
Once this PR is merged, you can update the PR labels via:
or with