v1.12 backports 2023-01-24 #23301
Merged
v1.12 backports 2023-01-24 #23301
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ldelossa
added
backport/1.12
ldelossa
requested review from
chancez,
jibi,
joestringer,
julianwiedmann,
lambdanis,
pchaigno,
sayboras and
xmulligan
github-actions
bot
added
the
kind/community-contribution
|
Docs failure looks legit: https://github.com/cilium/cilium/actions/runs/3998896373/jobs/6862118816 |
michi-covalent
force-pushed
the
pr/v1.12-backport-2023-01-24
branch
from
093ceee
to
3c04fcf
Compare
michi-covalent
approved these changes
Jan 24, 2023
|
/test-backport-1.12 Job 'Cilium-PR-K8s-1.20-kernel-4.9' failed: Click to show.Test NameFailure OutputIf it is a flake and a GitHub issue doesn't already exist to track it, comment |
This was referenced Jan 24, 2023
|
/test-1.20-4.9 |
sayboras
approved these changes
Jan 24, 2023
michi-covalent
added
the
release-blocker/1.12
julianwiedmann
requested changes
Jan 25, 2023
ldelossa
force-pushed
the
pr/v1.12-backport-2023-01-24
branch
from
3c04fcf
to
9951d93
Compare
|
@julianwiedmann fixed your issues, please check again. |
nbusseneau
approved these changes
Jan 25, 2023
There was a problem hiding this comment.
LGTM after we remove the unneeded changes, as said by @sayboras :)
michi-covalent
force-pushed
the
pr/v1.12-backport-2023-01-24
branch
from
9951d93
to
282946c
Compare
|
dropped #23099 ✅ |
[ upstream commit 10738e7 ] Handle any error returned by ipv6_store_daddr(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 9ccaaf8 ] If XDS listener configuration validation failed, addListener() would not unlock the XDSServer.mutex, leading to the lock being locked forever. Fix it by using a standard defer() approach. CC: Jarno Rajahalme <jarno@isovalent.com> Fixes: 1042b81 ("envoy: Add xDS resource validation") Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit a65ffa2 ] We anticipate fixing this soon, but we will likely not backport the fix to all branches. For older releases, update the documentation to highlight the details of the issue and how to track ongoing progress / which releases will address it. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 71eb25e ] Several of the IPsec troubleshooting tips are outdated or misleading. For example, they show an output that can differ a lot between IPAM providers (e.g., GKE vs. EKS) and may lead users to think that this is cause for concern. Reported-by: Liz Rice <liz@lizrice.com> Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 5f0894a ] To troubleshoot IPsec issues, we can now rely on the cilium encrypt status CLI command, which should expose the required information without needing to dig into Linux XFRM state. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 4db75c9 ] In the IPsec guide, we use tcpdump to check that traffic is indeed encrypted. tcpdump can however buffer the output which can lead to users thinking that the traffic is not encrypted when the output is actually just delayed a bit. We can avoid that with the -l flag which makes the stdout line buffered. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 95e7b0c ] The interface shown in the output of the tcpdump command doesn't match the interface passed as an argument. This commit fixes it. Reported-by: Liz Rice <liz@lizrice.com> Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 0a9fa2f ] Signed-off-by: fsl <1171313930@qq.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 58449da ] These messages are reported to be very noisy in some environments, where hubble can't keep up with the load (e.g. frequent traffic bursts). There are also equally noisy "hubble events queue is processing messages again" messages. We consider the queue "back to normal" after only one event is received, but then it's full again and another line is logged. This patch mitigates the issue by: * simply rate limiting the "queue is full" logs * reducing the level of "N messages were lost" logs from warning to info Fixes cilium#19202 Signed-off-by: Anna Kapuscinska <anna@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit cea9e65 ] Signed-off-by: Bill Mulligan <billmulligan516@gmail.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 21efbd2 ] This is just to use check box so that individual reviewer can just tick after review. IMO, this is helpful for a few cases: - Backport with long list of commits, e.g. cilium#23001. Tophat can quickly check which one is pending. - Backport with commits from external contributor. Tophat can easily and quickly focus on these commits and review again if required. Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 6bb084a ] ipSecReplaceStateIn was called with the local IP first and the remote IP second but its prototype indicates that the first argument is the remoteIP and the second is the localIP (inverted). This all worked fine because the function would then set the XFRM IN state source to the `localIP` (actually the remote IP). That doesn't make any sense given that the XFRM IN state is for decryption so the source of the packet is the remote IP. This commit fixes it such that the state source is set to the `remoteIP` variable as one would expect. This commit doesn't have any functional changes. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 6345321 ] This is simply for consistency with ipSecReplaceStateIn Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 974232c ] Since the page https://github.com/cilium/cilium-olm/archive/ does not exist anymore, for fetching the cilium manifests a git clone is performed instead of the curl to the non-existing site. Signed-off-by: Zisis Lianas <zl@consol.de> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit ef73a50 ] The label used to identify the gateway node isn't the same in the guide and in the example policy, leading to an unapplied egress policy. This commit fixes it. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit bc2ed14 ] Because the helm chart generates cert manager issuers and attaches them to certificates, we have to remove validations which fail if we don't specify certManagerIssuerRef. Fixes: cilium#22784 Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit c5996e9 ] Make it easier to find users of the TCP flags, and hide the gory details. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 9f35b12 ] For DSR on TCP connections, we only want to insert the DSR information into the SYN packet. This is an obvious optimization, and allows us to avoid any risk of exceeding the MTU. The support for this functionality currently only exists in the IPv4 path. Also add it to the IPv6 path. Fixes: cilium#21991 Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
[ upstream commit 1d5b321 ] Add some minimal coverage for the IPv6 path. Also fix up a simple copy&paste error in an error message, and slightly improve the log output for testCurlFromOutsideWithLocalPort(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
michi-covalent
force-pushed
the
pr/v1.12-backport-2023-01-24
branch
from
282946c
to
e3d6f9a
Compare
|
/test-backport-1.12 Job 'Cilium-PR-K8s-1.22-kernel-4.9' failed: Click to show.Test NameFailure OutputIf it is a flake and a GitHub issue doesn't already exist to track it, comment |
|
/mlh new-flake Cilium-PR-K8s-1.22-kernel-4.9 👍 created #23368 |
|
/test-1.22-4.9 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ipSecReplaceState{In,Out}functions #23158 -- IPsec: RefactoripSecReplaceState{In,Out}functions (@pchaigno)Dropped PRs:
Once this PR is merged, you can update the PR labels via: