v1.13 Backports 2023-09-04 #27925

Merged
merged 17 commits into from
Sep 7, 2023

Commits on Sep 4, 2023

  1. cmd: Refactor maxSequenceNumber

    [ upstream commit 03ac4b1 ]
    
    This refactoring moves the actual logic to extract the maximum sequence
    number into a dedicated function. That will be useful to allow us to
    test this logic in a following commit.
    
    This commit has no functional changes.
    
    As a reminder, we can't use netlink.XfrmStatesList here because it
    doesn't have the sequence numbers. We can't use JSON format because the
    ip xfrm commands don't support it.
    
    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    pchaigno authored and jibi committed Sep 4, 2023
    Commit: a434e1d
  2. cmd: Fix the computed IPsec max. sequence number

    [ upstream commit 165db3a ]
    
    maxSequenceNumber currently iterates over all XFRM states in the ip xfrm
    state list output to find the largest sequence number. It however does
    so while keeping the parsed sequence numbers as hexadecimal strings.
    Hence, a number like "0xc1" is understood as being larger than e.g.
    "0x1234".
    
    This commit fixes it by parsing the sequence numbers into int64 before
    comparing them.
    
    We also need to adapt the regular expression slightly to avoid
    considering the "0x" prefix as part of the number, given
    strconv.ParseInt doesn't support it.
    
    Fixes: 2842c49 ("cli: add helper functions for `cilium encrypt`")
    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    pchaigno authored and jibi committed Sep 4, 2023
    Commit: 952fe28
  3. cmd: Unit tests for extractMaxSequenceNumber

    [ upstream commit 21d7d0a ]
    
    This commit simply adds two small unit tests for the
    extractMaxSequenceNumber function. The first test covers the bug fixed
    in the previous commit.
    
    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    pchaigno authored and jibi committed Sep 4, 2023
    Commit: adcbc86
  4. fqdn: fix broken sorting algorithm for DNSZombies

    [ upstream commit b46867c ]
    
    The sorting function for DNSZombies was subtly broken, and didn't do
    what it advertised. Write some tests to confirm the suspicion and fix
    the function.
    
    Reported-by: Jussi Maki <joamaki@isovalent.com>
    Signed-off-by: David Bimmler <david.bimmler@isovalent.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    bimmlerd authored and jibi committed Sep 4, 2023
    Commit: d9aff9a
  5. docs: Rename Labels-based endpoint policies

    [ upstream commit ca5de0f ]
    
    A user pointed out that what we call "Labels-based" policies are
    actually matching the labels on Endpoints, but also explicitly *not*
    matching labels on Services. To make this more clear, change the name
    in the docs to Endpoints based policies.
    
    Co-authored-by: Nathan Sweet <nathanjsweet@users.noreply.github.com>
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    2 people authored and jibi committed Sep 4, 2023
    Commit: a166097
  6. docs: Move services note about applicability higher

    [ upstream commit 38b4a32 ]
    
    A user pointed out that the position of this callout made it seem like
    the callout only applies to the first example rather than applying to
    all Services based policies. Move the callout to the top of the section
    to make the relationship clearer.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    joestringer authored and jibi committed Sep 4, 2023
    Commit: 7c35436
  7. ingress: handle ingress rule without HTTPIngressRule

    [ upstream commit 953e83e ]
    
    Currently, defining an `Ingress` without an `HTTPIngressRule`
    (e.g. only Host set) results in a panic in the Cilium Operator.
    
    Therefore, this commit changes the ingress ingestion to process
    the HTTP paths only if the HTTPIngressRule is set on the rule.
    
    Backporting conflicts:
    * minor conflict in operator/pkg/model/ingestion/ingress_test.go
    
    Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    mhofstetter authored and jibi committed Sep 4, 2023
    Commit: a02107f

Commits on Sep 7, 2023

  1. gh/actions: Customize cilium-config

    [ upstream commit 7e64fb6 ]
    
    * Expose devices (to support multi-network tests).
    * Set cluster name. Required by older versions of Cilium CLI when doing
      upgrades.
    * Add misc option to set bpfClockProbe
      (#26955) and cni.uninstall (for
      upgrade tests it can result in pods being restarted).
    
    Backporting conflicts:
    * minor conflict in .github/actions/cilium-config/action.yml due to L7
      config not being defined in main
    * removed mutual-auth setting as v1.13 doesn't support that
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    brb authored and jibi committed Sep 7, 2023
    Commit: 10bfde4
  2. docs: Update the microservices-demo link

    [ upstream commit 7fbfd5d ]
    
    The demo.proto download directory has been renamed from 'pb' to 'protos'
    by the commit [1].
    
    Also, update the microservices-demo branch name to 'main'.
    
    [1]
    GoogleCloudPlatform/microservices-demo@76571f5
    
    Signed-off-by: Haiyue Wang <haiyue.wang@intel.com>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    haiyuewa authored and jibi committed Sep 7, 2023
    Commit: 47da255
  3. gh/worklows: Delete noop in ci-ipsec-upgrade

    [ upstream commit 141ac8b ]
    
    Cosmetic changes.
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    brb authored and jibi committed Sep 7, 2023
    Commit: 172e60a
  4. gh/workflows: Use cilium-config action in ci-ipsec-upgrade

    [ upstream commit e4c4a5c ]
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    brb authored and jibi committed Sep 7, 2023
    Commit: 0029256
  5. gh/workflows: Create K8s before waiting for img in ci-ipsec-upgrade

    [ upstream commit c667c54 ]
    
    Small optimization.
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    brb authored and jibi committed Sep 7, 2023
    Commit: 576545a
  6. ci-ipsec-upgrade: Disable some settings

    [ upstream commit 836598a ]
    
    * cni.uninstall - to prevent pods from being rescheduled during the
      upgrade.
    * bpfClockProbe - #26955.
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    brb authored and jibi committed Sep 7, 2023
    Commit: a54317e
  7. .github/workflows: unify time to wait for images to become available

    [ upstream commit bf25136 ]
    
    Currently, some workflows use a timeout of 10 minutes when waiting for
    images to be built and become available on quay. However, when there are
    lots of open PRs and thus image builds, this timeout is occasionally
    hit in CI. Thus, consistently bump the timeout to 30 minutes which is
    already used in some workflows.
    
    Backporting conflicts:
    * minor conflict in conformance-e2e, and tests-l4lb has been updated as
      well
    
    Signed-off-by: Tobias Klauser <tobias@cilium.io>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    tklauser authored and jibi committed Sep 7, 2023
    Commit: 4c54664
  8. docs: Word-wrap firewall section

    [ upstream commit c103882 ]
    
    This just makes it easier for editing. No changes.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    joestringer authored and jibi committed Sep 7, 2023
    Commit: 8abc79c
  9. docs: Add WireGuard into the firewall rules

    [ upstream commit a568868 ]
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    joestringer authored and jibi committed Sep 7, 2023
    Commit: d314516
  10. ginkgo: Remove K8sDatapathCustomCalls

    [ upstream commit 0da3f7e ]
    
    Currently, the feature is not used, and its test is blocking the LVH
    upgrade [1][2]. Let's remove the test case. Once it is in use, we should
    rethink the testing approach (either implement as a BPF unit test, or
    an advanced CLI connectivity test).
    
    [1]: #27599
    [2]: #27688
    
    Backporting conflicts:
    * .github/actions/ginkgo/main-focus.yaml doesn't exist in v1.13
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    brb authored and jibi committed Sep 7, 2023
    Commit: 9941790