v1.10 backports 2021-10-20 #17659

Closed


@kkourt kkourt commented Oct 21, 2021

[Draft for now, until we figure out if we can use the existing #17652 or not]

Once this PR is merged, you can update the PR labels via:

$ for pr in 16507 17511 17157 17470; do contrib/backporting/set-labels.py $pr done 1.10; done

or with

$ make add-label branch=v1.10 issues=16507,17511,17157,17470

pchaigno and others added 6 commits October 20, 2021 16:03
[ upstream commit 785bd5d ]

For pull requests, paths-filter retrieves the list of changed files via
the GitHub API, but for pushes it needs access to the code. When a
workflow is triggered by a push to master, we therefore need to checkout
the source code before using paths-filter.

This change fixes the errors:

    Run dorny/paths-filter@78ab00f
    Get current git ref
      /usr/bin/git branch --show-current
      fatal: not a git repository (or any of the parent directories): .git
    Error: The process '/usr/bin/git' failed with exit code 128

Reported-by: André Martins <andre@cilium.io>
Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Jussi Maki <jussi@isovalent.com>
[ upstream commit 54fdf6e ]

This new method will be used in the following commit to check if
tunneling is enabled from the node package.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Jussi Maki <jussi@isovalent.com>
[ upstream commit 7d58110 ]

Before this commit, if IPsec is enabled, we add all remote node IP
addresses to the ipcache of all nodes, regardless of whether
enable-remote-node-identity is true or false.

This commit reverts that behavior to only add those IP addresses if
remote-node identities, node encryption, or encryption+tunneling are
enabled. If encryption+native routing is enabled, we don't need to
expose the remote node IP addresses via the ipcache.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Jussi Maki <jussi@isovalent.com>
[ upstream commit 2cea16f ]

Wrap all the package dependencies in the Dockerfile.

Signed-off-by: Aditi Ghag <aditi@cilium.io>
Signed-off-by: Jussi Maki <jussi@isovalent.com>
[ upstream commit 6bd608a ]

Until now, K8sVerifier relied only on bpf/Makefile to compile BPF
programs for verifier tests. The Makefile would define, for each BPF
program, the set of configs to enable to maximize program size and
complexity. All BPF programs would then be compiled at once and loaded
with a single call to verifier-test.sh.

This commit rewrites most of K8sVerifier to support testing more than
one datapath config per BPF program. The list of datapath configs to
test for each program is defined in a file at
bpf/complexity-tests/[kernel]/[program].txt. For each BPF program and
for each config in the file, K8sVerifier then compiles and loads the
program.

This change will allow us to significantly increase our complexity
coverage by testing more configurations.

Backport note:
040d264 removed some macros, so we need
to add them back. Used:
s/-DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1/-DENABLE_NODEPORT=1 -DENABLE_EXTERNAL_IP=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_HOSTPORT=1 -DENABLE_LOADBALANCER -DENABLE_DSR_HYBRID=1/
as suggested by Paul.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Jussi Maki <jussi@isovalent.com>
Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
[ upstream commit 9acd9d3 ]

In bpf_host and bpf_lxc, we split some BPF programs into tail calls
conditionally depending on whether both IPv4 and IPv6 are enabled or
only one of the two. These two options can therefore have an impact on
whether we reach the complexity limit.

This commit duplicates the existing tested datapath configurations of
bpf_host and bpf_lxc, but with only one of IPv4 or IPv6 enabled. We are
now testing 3 datapath configurations per kernel instead of 1.

Backport note:
040d264 removed some macros, so we need
to add them back. Used:
s/-DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1/-DENABLE_NODEPORT=1 -DENABLE_EXTERNAL_IP=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_HOSTPORT=1 -DENABLE_LOADBALANCER -DENABLE_DSR_HYBRID=1/
as suggested by Paul.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Jussi Maki <jussi@isovalent.com>
Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
@maintainer-s-little-helper bot added the dont-merge/needs-release-note-label label ("The author needs to describe the release impact of these changes.") Oct 21, 2021
@kkourt changed the base branch from master to v1.10 October 21, 2021 08:28

kkourt commented Oct 21, 2021

TIL: you can push into other people's repositories, if they make a PR on your repo.

@kkourt kkourt closed this Oct 21, 2021