v1.14 Backports 2023-09-04 #27917
Merged
v1.14 Backports 2023-09-04 #27917
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jibi
added
kind/backports
jibi
requested review from
brb,
mhofstetter,
tommyp1ckles,
joestringer,
tklauser,
pchaigno and
bimmlerd
jibi
force-pushed
the
pr/v1.14-backport-2023-09-04
branch
3 times, most recently
from
296d85f
to
ec9e19f
Compare
mhofstetter
approved these changes
Sep 4, 2023
|
ci-e2e fails due to:
To fix that we need to bump the CLI version to v0.15.7 |
|
waiting on #27919 then will rebase |
jibi
force-pushed
the
pr/v1.14-backport-2023-09-04
branch
from
ec9e19f
to
14455dc
Compare
[ upstream commit 03ac4b1 ] This refactoring moves the actual logic to extract the maximum sequence number into a dedicated function. That will be useful to allow us to test this logic in a following commit. This commit has no functionnal changes. As a reminder, we can't use netlink.XfrmStatesList here because it doesn't have the sequence numbers. We can't use JSON format because the ip xfrm commands don't support it. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 165db3a ] maxSequenceNumber currently iterates over all XFRM states in the ip xfrm state list output to find the largest sequence number. It however does so while keeping the parsed sequence numbers as hexadecimal strings. Hence, a number like "0xc1" is understood as being larger than e.g. "0x1234". This commit fixes it by parsing the sequence numbers into int64 before comparing them. We also need to adapt the regular expression slightly to avoid considering the "0x" prefix as part of the number, given strconv.ParseInt doesn't support it. Fixes: 2842c49 ("cli: add helper functions for `cilium encrypt`") Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 21d7d0a ] This commit simply adds two small unit tests for the extractMaxSequenceNumber function. The first test covers the bug fixed in the previous commit. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 9d0ffdf ] Currently, the Envoy DaemonSet loglevel is not set correctly if multiple verbose debug groups are passed as helm values. Comma is used as group separator instead of a space. (Got confused because Go Viper flags are separated by a comma.) This commit fixes this by changing the separator. Backporting conflicts: * minor conflict as we don't check the.Values.debug.enabled condition in main Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 5b7b3bb ] Affects: * operator_ipam_available_ips * operator_ipam_used_ips * operator_ipam_needed_ips Which have the label "target_name", previously when a Node was deleted the metric continued to be emitted by the Prometheus exporter, leading to confusing sum() values across a cluster. Fixes changes in #24776 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 042765e ] Previously, parsing the listeners of a Gateway object only worked correctly, if only one listener of a given type (HTTP or TLS) was present, as looping over them was incorrectly handled. Fixes: #27533 Fixes: 677e8b4 ("Implement TLSRoute") Signed-off-by: Patrick Reich <patrick@neodyme.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit b46867c ] The sorting function for DNSZombies was subtly broken, and didn't do what it advertised. Write some tests to confirm the suspicion and fix the function. Reported-by: Jussi Maki <joamaki@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 843afec ] Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 953e83e ] Currently, defining an `Ingress` without an `HTTPIngressRule` (e.g. only Host set) results in a panic in the Cilium Operator. Therefore, this commit changes the ingress ingestion to process the HTTP paths only if the HTTPIngressRule is set on the rule. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 7e64fb6 ] * Expose mutual-auth setting. * Expose devices (to support multi-network tests). * Set cluster name. Required by older versions of Cilium CLI when doing upgrades. * Add misc option to set bpfClockProbe (#26955) and cni.uninstall (for upgrade tests it can result in pods being restarted). Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
…esInit [ upstream commit e0b7e81 ] The default value of an atomic.Bool is already false. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 1f0c4c3 ] Avoid under- or overallocating the map and thus increasing memory pressure. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 926973d ] Currently (*namespaceUpdater).oldLabels is never updated with the namespace's labels after they have been synced to endpoints. This can e.g. lead to updates mistakenly being skipped. This in turn can lead to situations as described in #27626 where namespace derived labels are not removed from CEPs when the corresponding label is removed from the namespace. Fix this by always updating (*namespaceUpdater).oldLabels on successful endpoint label update. Fixes: 83391b4 ("pkg/k8s: ignore namespace events that do not change labels") Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit e7ca5da ] This avoids unnecessarily filtering old labels on successive calls to (*namespaceUpdater).update. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 7fbfd5d ] The demo.proto download directory has been renamed from 'pb' to 'protos' by the commit [1]. Also, update the microservices-demo brance name to 'main'. [1] GoogleCloudPlatform/microservices-demo@76571f5 Signed-off-by: Haiyue Wang <haiyue.wang@intel.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 141ac8b ] Cosmetic changes. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit e4c4a5c ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit c667c54 ] Small optimization. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 814036b ] This will enable secondary NodePort tests [1]. [1]: cilium/cilium-cli#1942 Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 2bd2a36 ] Replaced by the tests in the previous commit. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit bf25136 ] Currently, some workflows use a timeout of 10 minutes when waiting for images to be built and become available on quay. However, when there are lots of open PRs and thus image builds, this timeout is occasionally hit in CI. Thus, consistently bump the timeout to 30 minutes which is already used in some workflows. Backporting conflicts: * minor conflicts in conformance-e2e as the "wait for images" job was in a different position Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit c103882 ] This just makes it easier for editing. No changes. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit a568868 ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 503417a ] This commit adds two missing packet traces for reply traffic to the proxy. Because of those missing traces, we would see a from-container not followed by any to-xxx trace. Backporting conflicts: * replaced SECLABEL_IPV{4,6} with SECLABEL Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> add missing traces
jibi
force-pushed
the
pr/v1.14-backport-2023-09-04
branch
from
14455dc
to
636580a
Compare
|
/test-backport-1.14 |
haiyuewa
approved these changes
Sep 5, 2023
tklauser
approved these changes
Sep 5, 2023
bimmlerd
approved these changes
Sep 5, 2023
tommyp1ckles
approved these changes
Sep 6, 2023
joestringer
approved these changes
Sep 6, 2023
youngnick
approved these changes
Sep 7, 2023
maintainer-s-little-helper
bot
added
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PRs skipped due to conflicts:
#ifndef DISABLE_LOOPBACK_LBblock in lib/conntrack.h missing in v1.14enableIPSecIPv{4,6}don't return an error in v1.14Once this PR is merged, you can update the PR labels via:
or with