New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v1.14 Backports 2023-09-04 #27917
v1.14 Backports 2023-09-04 #27917
Conversation
296d85f
to
ec9e19f
Compare
ci-e2e fails due to:
To fix that we need to bump the CLI version to v0.15.7 |
waiting on #27919 then will rebase |
ec9e19f
to
14455dc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
[ upstream commit 03ac4b1 ] This refactoring moves the actual logic to extract the maximum sequence number into a dedicated function. That will be useful to allow us to test this logic in a following commit. This commit has no functionnal changes. As a reminder, we can't use netlink.XfrmStatesList here because it doesn't have the sequence numbers. We can't use JSON format because the ip xfrm commands don't support it. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 165db3a ] maxSequenceNumber currently iterates over all XFRM states in the ip xfrm state list output to find the largest sequence number. It however does so while keeping the parsed sequence numbers as hexadecimal strings. Hence, a number like "0xc1" is understood as being larger than e.g. "0x1234". This commit fixes it by parsing the sequence numbers into int64 before comparing them. We also need to adapt the regular expression slightly to avoid considering the "0x" prefix as part of the number, given strconv.ParseInt doesn't support it. Fixes: 2842c49 ("cli: add helper functions for `cilium encrypt`") Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 21d7d0a ] This commit simply adds two small unit tests for the extractMaxSequenceNumber function. The first test covers the bug fixed in the previous commit. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 9d0ffdf ] Currently, the Envoy DaemonSet loglevel is not set correctly if multiple verbose debug groups are passed as helm values. Comma is used as group separator instead of a space. (Got confused because Go Viper flags are separated by a comma.) This commit fixes this by changing the separator. Backporting conflicts: * minor conflict as we don't check the.Values.debug.enabled condition in main Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 5b7b3bb ] Affects: * operator_ipam_available_ips * operator_ipam_used_ips * operator_ipam_needed_ips Which have the label "target_name", previously when a Node was deleted the metric continued to be emitted by the Prometheus exporter, leading to confusing sum() values across a cluster. Fixes changes in #24776 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 042765e ] Previously, parsing the listeners of a Gateway object only worked correctly, if only one listener of a given type (HTTP or TLS) was present, as looping over them was incorrectly handled. Fixes: #27533 Fixes: 677e8b4 ("Implement TLSRoute") Signed-off-by: Patrick Reich <patrick@neodyme.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit b46867c ] The sorting function for DNSZombies was subtly broken, and didn't do what it advertised. Write some tests to confirm the suspicion and fix the function. Reported-by: Jussi Maki <joamaki@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 843afec ] Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 953e83e ] Currently, defining an `Ingress` without an `HTTPIngressRule` (e.g. only Host set) results in a panic in the Cilium Operator. Therefore, this commit changes the ingress ingestion to process the HTTP paths only if the HTTPIngressRule is set on the rule. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 7e64fb6 ] * Expose mutual-auth setting. * Expose devices (to support multi-network tests). * Set cluster name. Required by older versions of Cilium CLI when doing upgrades. * Add misc option to set bpfClockProbe (#26955) and cni.uninstall (for upgrade tests it can result in pods being restarted). Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
…esInit [ upstream commit e0b7e81 ] The default value of an atomic.Bool is already false. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 1f0c4c3 ] Avoid under- or overallocating the map and thus increasing memory pressure. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 926973d ] Currently (*namespaceUpdater).oldLabels is never updated with the namespace's labels after they have been synced to endpoints. This can e.g. lead to updates mistakenly being skipped. This in turn can lead to situations as described in #27626 where namespace derived labels are not removed from CEPs when the corresponding label is removed from the namespace. Fix this by always updating (*namespaceUpdater).oldLabels on successful endpoint label update. Fixes: 83391b4 ("pkg/k8s: ignore namespace events that do not change labels") Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit e7ca5da ] This avoids unnecessarily filtering old labels on successive calls to (*namespaceUpdater).update. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 7fbfd5d ] The demo.proto download directory has been renamed from 'pb' to 'protos' by the commit [1]. Also, update the microservices-demo brance name to 'main'. [1] GoogleCloudPlatform/microservices-demo@76571f5 Signed-off-by: Haiyue Wang <haiyue.wang@intel.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 141ac8b ] Cosmetic changes. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit e4c4a5c ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit c667c54 ] Small optimization. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 814036b ] This will enable secondary NodePort tests [1]. [1]: cilium/cilium-cli#1942 Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 2bd2a36 ] Replaced by the tests in the previous commit. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit bf25136 ] Currently, some workflows use a timeout of 10 minutes when waiting for images to be built and become available on quay. However, when there are lots of open PRs and thus image builds, this timeout is occasionally hit in CI. Thus, consistently bump the timeout to 30 minutes which is already used in some workflows. Backporting conflicts: * minor conflicts in conformance-e2e as the "wait for images" job was in a different position Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit c103882 ] This just makes it easier for editing. No changes. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit a568868 ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 503417a ] This commit adds two missing packet traces for reply traffic to the proxy. Because of those missing traces, we would see a from-container not followed by any to-xxx trace. Backporting conflicts: * replaced SECLABEL_IPV{4,6} with SECLABEL Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> add missing traces
14455dc
to
636580a
Compare
/test-backport-1.14 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My changes look good. Thanks for fixing up the conflicts and documenting the resolution in the commit messages!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#27572 LGTM, thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My PRs look good. Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, I checked the Gateway API PR as well.
PRs skipped due to conflicts:
#ifndef DISABLE_LOOPBACK_LB
block in lib/conntrack.h missing in v1.14enableIPSecIPv{4,6}
don't return an error in v1.14Once this PR is merged, you can update the PR labels via:
or with