v1.14 Backports 2023-12-13 #29863
Merged
v1.14 Backports 2023-12-13 #29863
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
giorio94
added
kind/backports
[ upstream commit 28975e3 ] [ backporter's notes: introduced a simplified version of the 'identity.IsWorld()' method, which was not present in v1.14, as added in a94fa56 ("Fix CIDR to World Entity Conversion Bug"). ] In Hubble, ignore certain cases where the datapath security ID does not match the userspace security ID. Signed-off-by: Lucas Leblow <lucasleblow@mailbox.org> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 1c10df2 ] With the removal of setting a nameserver via the little-vm-helper GitHub action, conformance-runtime tests are failing quite often with the following error. ``` dial tcp: lookup quay.io on 127.0.0.53:53: read udp 127.0.0.1:40553->127.0.0.53:53: read: connection refused ``` The assumption is that the local DNS resolver isn't ready at that time when pulling the image. Therefore, this way temporarily re-adds the nameserver `1.1.1.1` manually. See: cilium/little-vm-helper#118 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit a2694fc ] [ backporter's notes: skipped changes in tests-e2e-upgrade.yaml, as not present in v1.14. ] The property dns-resolver has been removed from the little-vm-helper GitHub action. Therefore, this commit removes the usage of it in the cilium repository. See: cilium/little-vm-helper#118 Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94
force-pushed
the
pr/v1.14-backport-2023-12-13
branch
from
ecc880d
to
3b9e28e
Compare
|
/test-backport-1.14 |
tklauser
requested changes
Dec 13, 2023
giorio94
force-pushed
the
pr/v1.14-backport-2023-12-13
branch
from
3b9e28e
to
2ea8d6c
Compare
Ah, I see |
mhofstetter
approved these changes
Dec 13, 2023
There was a problem hiding this comment.
My commits look good. Thanks @giorio94
Let's 🙏 that the tests succeed :)
[ upstream commit 1f1c384 ] Cloud provider related workflows use the full configuration as matrix when being executed on a scheduled basis on stable branches, whereas only the default configuration is used on PR workflows. Currently, this decision checks whether the workflow is triggered via `event_name == schedule`. This is working fine on `main`, but not on all other stable branches where the workflows are triggered via workflow_dispatch event (called by a scheduled workflow (ariane-scheduled.yaml) on main). Therefore, this commit extends the decision to check for the input `PR-number` starting with a "v". This is the case for Ariane triggered runs - as they pass the branch name as PR-number (PR runs pass the actual numeric PR number). Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 7e13f1a ] [ backporter's notes: dropped the Registry parameter from the new invoke function in pkg/metrics/cell.go, as it is not provided. ] Because legacy metrics are now initialized in Hive, the logging hook was being set to the NoOpCounterVec instance. This moves initializing the errors/warnings metric out of the NewLegacyMetrics function and provides a manual way to init metrics that must be initialized prior to Hive. Fixes: #29525 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 83b87c4 ] This comment is over 5 years old and no longer seems relevant. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 854ea3d ] The poststart-eni.sh script got recently modified to delete both AWS-SNAT and AWS-CONNMARK related chains. Yet, the filter is now a regular expression, and does not return any match with plain grep. Let's fix this by setting the `-E` (--extended-regexp) flag. Fixes: b836cb1 ("helm: Add missing type to poststart iptables regex") Fixes: 8c86d07 ("install: Remove AWS-CONNMARK-CHAIN iptables") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit dbe56dd ] Now that known issues causing connection disruption (which appeared to mostly affect dual stack clusters) have been fixed, let's enable IPv6 again in the clustermesh upgrade/downgrade workflow. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 5107391 ] Recently, a regression of the poststart-eni.sh script got unnoticed, as we are not explicitly testing it as part of the E2E pipelines. Let's add a step to the Conformance EKS and Conformance AWS-CNI workflows to assert that, in the former case, the stale AWS iptables chains are removed, and in the latter they are not modified. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit c947484 ] It turns out that the following find command is subtle: find . -name foo -o -name bar -exec ... This means: execute the command for bar. It doesn't execute the command for foo. For this reason verifier logs are currently not being copied correctly into GH artifacts. Fixes: 735807f ("test/verifier: fix complexity tests not being recompiled") Signed-off-by: Lorenz Bauer <lmb@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 83425f2 ] It seems that even though we're setting the nameserver at the top of `/etc/resolv.conf`, in some cases docker still uses 127.0.0.53 to resolve names while pulling the cilium docker plugin in the ci-runtime test. It seems as docker tries to use nameserver information from `systemd-resolved`. Therefore, this commit tries to force docker to use the nameserver 1.1.1.1, by removing the resolv.conf symlink, deleting the resolv.conf from systemd-resolved and restarting the docker service after applying the changes. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94
force-pushed
the
pr/v1.14-backport-2023-12-13
branch
from
39a3aab
to
66ea795
Compare
Dropped, thanks for confirming. |
|
/test-backport-1.14 |
tklauser
approved these changes
Dec 13, 2023
There was a problem hiding this comment.
I tried removing myself from the reviewer list after my PR was dropped but that seems to cause my requested changes to block the PR again. Approving to unblock this PR.
lmb
approved these changes
Dec 13, 2023
|
Both Conformance E2E and Conformance Cluster Mesh failures appear to be due to slow image retrieval from quay. |
gandro
approved these changes
Dec 13, 2023
viktor-kurchenko
approved these changes
Dec 13, 2023
tommyp1ckles
approved these changes
Dec 13, 2023
The same happened for one of the Conformance IPsec E2E matrix entries. Currently rerunning |
|
CI is green. Marking ready to merge as it only misses the final approval from @cilium/tophat, who will be merging the PR. |
giorio94
added
the
ready-to-merge
maintainer-s-little-helper
bot
removed
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
identity.IsWorld()method, which was not present in v1.14, as added in a94fa56 ("Fix CIDR to World Entity Conversion Bug")fqdn: avoid converting fromnetip.Addrtonet.IPand back #29625 (@tklauser)pkg/metrics/cell.go, as it is not provided.Once this PR is merged, a GitHub action will update the labels of these PRs: