Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v1.14 Backports 2023-07-18 #26887

Merged
merged 10 commits into from
Jul 19, 2023
Merged

v1.14 Backports 2023-07-18 #26887

merged 10 commits into from
Jul 19, 2023

Commits on Jul 18, 2023

  1. envoy: Bump envoy to v1.25.8

    [ upstream commit 1543c46 ]
    
    This is to include the fix for the below CVE.
    
    CVE: GHSA-jfxv-29pc-x22r
    GHA build: https://github.com/cilium/proxy/actions/runs/5548261876/jobs/10131017073
    
    Signed-off-by: Tam Mach <tam.mach@cilium.io>
    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
    sayboras authored and gandro committed Jul 18, 2023
    Configuration menu
    Copy the full SHA
    30d23fa View commit details
    Browse the repository at this point in the history
  2. docs: Remove jenkins CI references

    [ upstream commit 1c18f5c ]
    
    We recently dropped usage of Jenkins for the main CI workloads in the
    Cilium repository in favour of running the same ginkgo jobs directly in
    GitHub Actions workflows. Remove the documentation for the older Jenkins
    systems.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
    joestringer authored and gandro committed Jul 18, 2023
    Configuration menu
    Copy the full SHA
    d12e9c1 View commit details
    Browse the repository at this point in the history
  3. docs: Improve CI introductory content

    [ upstream commit 5f3e24c ]
    
    Add an initial breakdown of the types of tests and how they are
    triggered so that newer contributors can more easily understand what's
    going on in CI and how to interact with it.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
    joestringer authored and gandro committed Jul 18, 2023
    Configuration menu
    Copy the full SHA
    59a1c1a View commit details
    Browse the repository at this point in the history
  4. docs: Remove custom entities note

    [ upstream commit cfaa674 ]
    
    This was functionally mostly provided by CiliumCIDRSet in v1.14.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
    joestringer authored and gandro committed Jul 18, 2023
    Configuration menu
    Copy the full SHA
    2dc06ad View commit details
    Browse the repository at this point in the history
  5. docs/testing/e2e: correct cilium-cli usage for helm mode

    [ upstream commit 87cda2d ]
    
    When using CILIUM_CLI_MODE=helm (which is the default as of cilium-cli
    v0.15.0), the --rollback option is no longer available. Omit it from
    commands.
    
    Also include the already existing cilium-cli download and installation
    instructions.
    
    Signed-off-by: Tobias Klauser <tobias@cilium.io>
    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
    tklauser authored and gandro committed Jul 18, 2023
    Configuration menu
    Copy the full SHA
    1f59c78 View commit details
    Browse the repository at this point in the history
  6. Fix "make -C Documentation builder-image"

    [ upstream commit 04d48fe ]
    
    Use this workaround until the issue gets fixed:
    
    yaml/pyyaml#601 (comment)
    
    Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
    michi-covalent authored and gandro committed Jul 18, 2023
    Configuration menu
    Copy the full SHA
    8e1d9c7 View commit details
    Browse the repository at this point in the history
  7. docs: add mutual-tls authentication

    [ upstream commit 0a9b289 ]
    
    Signed-off-by: Nico Vibert <nicolas.vibert@isovalent.com>
    Signed-off-by: André Martins <andre@cilium.io>
    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
    nvibert authored and gandro committed Jul 18, 2023
    Configuration menu
    Copy the full SHA
    b221886 View commit details
    Browse the repository at this point in the history
  8. ci/github: Set useDigest=false for Hubble Relay

    [ upstream commit 98003d5 ]
    
    As with all other `*-ci` images, we should not use check the digest when
    pulling the image, as it is different for CI builds. On `main` this has
    not been an issue, because `useDigest` already defaults to `false`, but
    on release branches (such as `v1.14`), we do check the digest by
    default. This caused failing workflows on the v1.14 branch which should
    be fixed by this commit.
    
    Reported-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
    gandro committed Jul 18, 2023
    Configuration menu
    Copy the full SHA
    d8d4f9e View commit details
    Browse the repository at this point in the history
  9. certloader: Correctly support RequestClientCert in WatchedClientConfig

    [ upstream commit 0bf7cc5 ]
    
    Only configure GetClientCertificate if client keypair is configured,
    allowing servers to Request ClientCertificates without requiring them.
    
    In docs for `GetClientCertificate` it specifies:
    
    >  GetClientCertificate must return a non-nil Certificate. If
    >  Certificate.Certificate is empty then no certificate will be sent to the
    >  server.
    
    If a nil certificate is sent when the server requests a client
    certificate, the client will return an error. Instead, only configure
    GetClientCertificate if certificates are provided and the server may
    choose to how to handle the lack of a client certificate.
    
    This is needed primarily for when the server is using RequestClientCert,
    which requests a certificate, but does not require the client to send
    one.
    
    Previously, you would see this log message:
    
    ```
    transport: authentication handshake failed: mTLS client certificate requested, but not provided
    ```
    
    Now, if a server requires a client certificate it should reject the TLS
    connection and the client will receive the error from the server.
    
    Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com>
    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
    chancez authored and gandro committed Jul 18, 2023
    Configuration menu
    Copy the full SHA
    f450306 View commit details
    Browse the repository at this point in the history
  10. docs: Pick up PyYAML 6.0.1

    [ upstream commit e06e70e ]
    
    Revert commit 04d48fe, and pick up PyYAML 6.0.1.
    
    Fixes: #26873
    
    Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
    michi-covalent authored and gandro committed Jul 18, 2023
    Configuration menu
    Copy the full SHA
    387a44a View commit details
    Browse the repository at this point in the history