v1.14 Backports 2023-07-14

.github/workflows/conformance-e2e.yaml

@@ -67,6 +67,7 @@ jobs:
 
   setup-and-test:
     runs-on: ubuntu-latest-4cores-16gb
+    name: 'Setup & Test'
     env:
       job_name: 'Setup & Test'
     strategy:

Documentation/Makefile

@@ -113,6 +113,7 @@ $(HELM_VALUES): FORCE
 	$(QUIET)$(HELM_DOCS) -d -c $(HELM_DOCS_CHARTS_DIR) -t $(HELM_DOCS_OUTPUT_DIR)/$(TMP_FILE_1).tmpl > $(TMP_FILE_1)
 	$(QUIET)awk -F'|' '{print "|"$$2"|"$$5"|"$$3"|"$$4"|"}' $(TMP_FILE_1) > $(TMP_FILE_2)
 	$(QUIET)$(M2R) --overwrite $(TMP_FILE_2)
+	$(QUIET)sed -i 's/^\(   \* - \)\([[:print:]]\+\)$$/\1:spelling:ignore:`\2`/' $@
 	$(QUIET)printf '..\n  %s\n\n%s\n' "AUTO-GENERATED. Please DO NOT edit manually." "$$(cat $@)" > $@
 	$(QUIET)$(RM) -- $(TMP_FILE_1) $(TMP_FILE_2)
 

Documentation/check-build.sh

@@ -112,7 +112,7 @@ run_linter() {
         --ignore-languages "bash,c" \
         --ignore-messages "${ignored_messages}" \
         --ignore-directives "tabs,openapi" \
-        --ignore-roles "${CONF_PY_ROLES}" \
+        --ignore-roles "${CONF_PY_ROLES},spelling:ignore" \
         --ignore-substitutions "${CONF_PY_SUBSTITUTIONS}" \
        -r . ../README.rst 2>&1 | \
        grep -v 'CRITICAL:rstcheck_core.checker:An `AttributeError` error occured. This is most propably due to a code block directive (code/code-block/sourcecode) without a specified language.'

Documentation/security/network/encryption-ipsec.rst

@@ -220,4 +220,5 @@ Limitations
       top of other CNI plugins. For more information, see :gh-issue:`15596`.
     * :ref:`HostPolicies` are not currently supported with IPsec encryption.
     * IPsec encryption is not currently supported in combination with IPv6-only clusters.
-    * IPsec encryption is not supported on clusters with more than 65535 nodes.
+    * IPsec encryption is not supported on clusters or clustermeshes with more
+      than 65535 nodes.

Documentation/spelling_wordlist.txt

@@ -175,9 +175,9 @@ agentNotReadyTaintKey
 agentSocketPath
 aksbyocni
 alibabacloud
-allocateLoadBalancerNodePorts
 allocator
 allocators
+allowRemoteNodeIdentities
 allowedConfigOverrides
 amd
 analytics
@@ -302,6 +302,7 @@ clusterPoolIPv
 clusterSize
 clustermesh
 clustermeshcertgen
+clustermeshes
 clusterwide
 cmdref
 cni
@@ -916,7 +917,6 @@ rebase
 rebased
 rebasing
 recompiles
-reconciliationTriggerInterval
 recv
 recvmsg
 refactoring

install/kubernetes/cilium/templates/cilium-configmap.yaml

@@ -442,6 +442,10 @@ data:
 {{- else if eq .Values.tunnel "geneve" }}
   routing-mode: "tunnel"
   tunnel-protocol: "geneve"
+{{- else if not (or .Values.gke.enabled .Values.aksbyocni.enabled) }}
+  # Default case
+  routing-mode: "tunnel"
+  tunnel-protocol: "vxlan"
 {{- end }}
 
 {{- if .Values.routingMode }}

pkg/bpf/map_linux.go

@@ -672,6 +672,11 @@ func (m *Map) DumpReliablyWithCallback(cb DumpCallback, stats *DumpStats) error
 				// map, nextKey may be the actual key element after the deleted
 				// one, or the first element in the map.
 				currentKey = nextKey
+				// To avoid having nextKey and currentKey pointing at the same memory
+				// we allocate a new key for nextKey. Without this currentKey and nextKey
+				// would be the same pointer value and would get double iterated on the next
+				// iterations m.NextKey(...) call.
+				nextKey = m.key.New()
 				stats.Interrupted++
 			}
 			continue

pkg/bpf/map_linux_test.go

@@ -4,6 +4,7 @@
 package bpf
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -501,6 +502,99 @@ func (s *BPFPrivilegedTestSuite) TestDump(c *C) {
 	})
 }
 
+// TestDumpReliablyWithCallbackOveralapping attempts to test that DumpReliablyWithCallback
+// will reliably iterate all keys that are known to be in a map, even if keys that are ahead
+// of the current iteration can be deleted or updated concurrently.
+// This test is not deterministic, it establishes a condition where we have keys that are known
+// to be in the map and other keys which are volatile.  The test passes if the dump can reliably
+// iterate all keys that are not volatile.
+func (s *BPFPrivilegedTestSuite) TestDumpReliablyWithCallbackOveralapping(c *C) {
+	iterations := 10000
+	maxEntries := uint32(128)
+	m := NewMap("cilium_dump_test2",
+		ebpf.Hash,
+		&TestKey{},
+		&TestValue{},
+		int(maxEntries),
+		BPF_F_NO_PREALLOC).WithCache()
+	err := m.OpenOrCreate()
+	c.Assert(err, IsNil)
+	defer func() {
+		path, _ := m.Path()
+		os.Remove(path)
+	}()
+	defer m.Close()
+
+	// Prepopulate the map.
+	for i := uint32(0); i < maxEntries; i++ {
+		err := m.Update(&TestKey{Key: i}, &TestValue{Value: i + 200})
+		c.Check(err, IsNil)
+	}
+
+	// used to block the update/delete goroutine so that both start at aprox the same time.
+	start := make(chan struct{})
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	wg := sync.WaitGroup{}
+	wg.Add(1)
+	// This goroutine will continuously delete and reinsert even keys.
+	// Thus, when this is running in parallel with DumpReliablyWithCallback
+	// it is unclear whether any even key will be iterated.
+	go func() {
+		defer wg.Done()
+		<-start
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			default:
+			}
+
+			for i := uint32(0); i < maxEntries; i += 2 {
+				m.Delete(&TestKey{Key: i})
+				err := m.Update(&TestKey{Key: i}, &TestValue{Value: i + 200})
+				c.Check(err, IsNil)
+			}
+		}
+	}()
+
+	// We expect that DumpReliablyWithCallback will iterate all odd key/value pairs
+	// even if the even keys are being deleted and reinserted.
+	expect := map[string]string{}
+	for i := uint32(0); i < maxEntries; i++ {
+		if i%2 != 0 {
+			expect[fmt.Sprintf("key=%d", i)] = fmt.Sprintf("value=%d", i+200)
+		}
+	}
+	close(start) // start testing.
+	for i := 0; i < iterations; i++ {
+		dump := map[string]string{}
+		ds := NewDumpStats(m)
+		err := m.DumpReliablyWithCallback(func(key MapKey, value MapValue) {
+			k := key.(*TestKey).Key
+			if k%2 != 0 {
+				k := key.(*TestKey).Key
+				ks := dump[fmt.Sprintf("key=%d", k)]
+				if _, ok := dump[ks]; ok {
+					c.FailNow()
+				}
+				dump[fmt.Sprintf("key=%d", key.(*TestKey).Key)] = fmt.Sprintf("value=%d", value.(*TestValue).Value)
+			}
+		}, ds)
+		if err == nil {
+			c.Check(dump, checker.DeepEquals, expect)
+		} else {
+			c.Check(err, Equals, ErrMaxLookup)
+		}
+	}
+	cancel()
+	wg.Wait()
+}
+
+// TestDumpReliablyWithCallback tests that DumpReliablyWithCallback by concurrently
+// upserting/removing keys in range [0, 4) in the map and then continuously dumping
+// the map.
+// The test validates that all keys that are not being removed/added are contained in the dump.
 func (s *BPFPrivilegedTestSuite) TestDumpReliablyWithCallback(c *C) {
 	maxEntries := uint32(256)
 	m := NewMap("cilium_dump_test",

pkg/client/client.go

@@ -120,6 +120,8 @@ func NewRuntime(host string) (*runtime_client.Runtime, error) {
 		return nil, fmt.Errorf("invalid host format '%s'", host)
 	}
 
+	hostHeader := tmp[1]
+
 	switch tmp[0] {
 	case "tcp":
 		if _, err := url.Parse("tcp://" + tmp[1]); err != nil {
@@ -128,11 +130,15 @@ func NewRuntime(host string) (*runtime_client.Runtime, error) {
 		host = "http://" + tmp[1]
 	case "unix":
 		host = tmp[1]
+		// For local communication (unix domain sockets), the hostname is not used. Leave
+		// Host header empty because otherwise it would be rejected by net/http client-side
+		// sanitization, see https://go.dev/issue/60374.
+		hostHeader = "localhost"
 	}
 
 	transport := configureTransport(nil, tmp[0], host)
 	httpClient := &http.Client{Transport: transport}
-	clientTrans := runtime_client.NewWithClient(tmp[1], clientapi.DefaultBasePath,
+	clientTrans := runtime_client.NewWithClient(hostHeader, clientapi.DefaultBasePath,
 		clientapi.DefaultSchemes, httpClient)
 	return clientTrans, nil
 }

pkg/health/client/client.go

@@ -88,6 +88,8 @@ func NewClient(host string) (*Client, error) {
 		return nil, fmt.Errorf("invalid host format '%s'", host)
 	}
 
+	hostHeader := tmp[1]
+
 	switch tmp[0] {
 	case "tcp":
 		if _, err := url.Parse("tcp://" + tmp[1]); err != nil {
@@ -96,11 +98,15 @@ func NewClient(host string) (*Client, error) {
 		host = "http://" + tmp[1]
 	case "unix":
 		host = tmp[1]
+		// For local communication (unix domain sockets), the hostname is not used. Leave
+		// Host header empty because otherwise it would be rejected by net/http client-side
+		// sanitization, see https://go.dev/issue/60374.
+		hostHeader = "localhost"
 	}
 
 	transport := configureTransport(nil, tmp[0], host)
 	httpClient := &http.Client{Transport: transport}
-	clientTrans := runtime_client.NewWithClient(tmp[1], clientapi.DefaultBasePath,
+	clientTrans := runtime_client.NewWithClient(hostHeader, clientapi.DefaultBasePath,
 		clientapi.DefaultSchemes, httpClient)
 	return &Client{*clientapi.New(clientTrans, strfmt.Default)}, nil
 }