v1.12 backports 2023-01-24 #23301
Docs failure looks legit: https://github.com/cilium/cilium/actions/runs/3998896373/jobs/6862118816
093ceee to 3c04fcf
/test-backport-1.12

Job 'Cilium-PR-K8s-1.20-kernel-4.9' failed.

If it is a flake and a GitHub issue doesn't already exist to track it, comment
My 3 PRs look good. Thanks!
/test-1.20-4.9
Apart from below points, the rest looks good to me, thanks a lot 💯
Some changes needed for conflict resolutions.
3c04fcf to 9951d93
@julianwiedmann fixed your issues, please check again.
LGTM after we remove the unneeded changes, as said by @sayboras :)
9951d93 to 282946c
dropped #23099 ✅
[ upstream commit 10738e7 ]

Handle any error returned by ipv6_store_daddr().

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 9ccaaf8 ]

If XDS listener configuration validation failed, addListener() would not unlock the XDSServer.mutex, leading to the lock being locked forever. Fix it by using a standard defer() approach.

CC: Jarno Rajahalme <jarno@isovalent.com>
Fixes: 1042b81 ("envoy: Add xDS resource validation")
Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit a65ffa2 ]

We anticipate fixing this soon, but we will likely not backport the fix to all branches. For older releases, update the documentation to highlight the details of the issue and how to track ongoing progress / which releases will address it.

Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 71eb25e ]

Several of the IPsec troubleshooting tips are outdated or misleading. For example, they show an output that can differ a lot between IPAM providers (e.g., GKE vs. EKS) and may lead users to think that this is cause for concern.

Reported-by: Liz Rice <liz@lizrice.com>
Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 5f0894a ]

To troubleshoot IPsec issues, we can now rely on the cilium encrypt status CLI command, which should expose the required information without needing to dig into Linux XFRM state.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 4db75c9 ]

In the IPsec guide, we use tcpdump to check that traffic is indeed encrypted. tcpdump can however buffer the output which can lead to users thinking that the traffic is not encrypted when the output is actually just delayed a bit. We can avoid that with the -l flag which makes the stdout line buffered.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 95e7b0c ]

The interface shown in the output of the tcpdump command doesn't match the interface passed as an argument. This commit fixes it.

Reported-by: Liz Rice <liz@lizrice.com>
Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 0a9fa2f ]

Signed-off-by: fsl <1171313930@qq.com>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 58449da ]

These messages are reported to be very noisy in some environments, where hubble can't keep up with the load (e.g. frequent traffic bursts). There are also equally noisy "hubble events queue is processing messages again" messages. We consider the queue "back to normal" after only one event is received, but then it's full again and another line is logged.

This patch mitigates the issue by:
* simply rate limiting the "queue is full" logs
* reducing the level of "N messages were lost" logs from warning to info

Fixes cilium#19202

Signed-off-by: Anna Kapuscinska <anna@isovalent.com>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit cea9e65 ]

Signed-off-by: Bill Mulligan <billmulligan516@gmail.com>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 21efbd2 ]

This is just to use check box so that individual reviewer can just tick after review. IMO, this is helpful for a few cases:
- Backport with long list of commits, e.g. cilium#23001. Tophat can quickly check which one is pending.
- Backport with commits from external contributor. Tophat can easily and quickly focus on these commits and review again if required.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 6bb084a ]

ipSecReplaceStateIn was called with the local IP first and the remote IP second but its prototype indicates that the first argument is the remoteIP and the second is the localIP (inverted). This all worked fine because the function would then set the XFRM IN state source to the `localIP` (actually the remote IP). That doesn't make any sense given that the XFRM IN state is for decryption so the source of the packet is the remote IP. This commit fixes it such that the state source is set to the `remoteIP` variable as one would expect. This commit doesn't have any functional changes.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 6345321 ]

This is simply for consistency with ipSecReplaceStateIn

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 974232c ]

Since the page https://github.com/cilium/cilium-olm/archive/ does not exist anymore, for fetching the cilium manifests a git clone is performed instead of the curl to the non-existing site.

Signed-off-by: Zisis Lianas <zl@consol.de>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit ef73a50 ]

The label used to identify the gateway node isn't the same in the guide and in the example policy, leading to an unapplied egress policy. This commit fixes it.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit bc2ed14 ]

Because the helm chart generates cert manager issuers and attaches them to certificates, we have to remove validations which fail if we don't specify certManagerIssuerRef.

Fixes: cilium#22784
Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit c5996e9 ]

Make it easier to find users of the TCP flags, and hide the gory details.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 9f35b12 ]

For DSR on TCP connections, we only want to insert the DSR information into the SYN packet. This is an obvious optimization, and allows us to avoid any risk of exceeding the MTU. The support for this functionality currently only exists in the IPv4 path. Also add it to the IPv6 path.

Fixes: cilium#21991
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

[ upstream commit 1d5b321 ]

Add some minimal coverage for the IPv6 path. Also fix up a simple copy&paste error in an error message, and slightly improve the log output for testCurlFromOutsideWithLocalPort().

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
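
The lock leak described in upstream commit 9ccaaf8 above, shown as an added Go example that is not Cilium's code: the `server` type, both `addListener*` variants and the empty-name validation rule are hypothetical stand-ins. `lockLeaked` feeds an invalid listener to each variant and checks whether the mutex is still held afterwards.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// server is a hypothetical stand-in for a type that guards listener state with a mutex.
type server struct {
	mutex     sync.Mutex
	listeners map[string]bool
}

// addListenerLeaky unlocks only on the success path.
func (s *server) addListenerLeaky(name string) error {
	s.mutex.Lock()
	if name == "" { // constructed validation rule for this example
		return errors.New("listener validation failed") // early return: mutex stays locked
	}
	s.listeners[name] = true
	s.mutex.Unlock()
	return nil
}

// addListenerFixed releases the lock on every return path via defer.
func (s *server) addListenerFixed(name string) error {
	s.mutex.Lock()
	defer s.mutex.Unlock()
	if name == "" {
		return errors.New("listener validation failed")
	}
	s.listeners[name] = true
	return nil
}

// lockLeaked submits an invalid listener and reports whether the mutex is still held.
func lockLeaked(add func(*server, string) error) bool {
	s := &server{listeners: map[string]bool{}}
	_ = add(s, "")
	return !s.mutex.TryLock() // TryLock fails only if the lock was left held
}

func main() {
	fmt.Println("leaky:", lockLeaked((*server).addListenerLeaky))
	fmt.Println("fixed:", lockLeaked((*server).addListenerFixed))
}
```

With the leaky variant, one rejected configuration is enough to block every later caller that needs the same mutex, which is why an unlock skipped on an error path shows up as a hang rather than as an error.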
282946c to e3d6f9a
/test-backport-1.12

Job 'Cilium-PR-K8s-1.22-kernel-4.9' failed.

If it is a flake and a GitHub issue doesn't already exist to track it, comment
/mlh new-flake Cilium-PR-K8s-1.22-kernel-4.9 👍 created #23368

/test-1.22-4.9
#23158 -- IPsec: Refactor ipSecReplaceState{In,Out} functions (@pchaigno)

Dropped PRs:

Once this PR is merged, you can update the PR labels via: