v1.14 Backports 2023-12-13 #29863
[ upstream commit 28975e3 ]

[ backporter's notes: introduced a simplified version of the 'identity.IsWorld()' method, which was not present in v1.14, as added in a94fa56 ("Fix CIDR to World Entity Conversion Bug"). ]

In Hubble, ignore certain cases where the datapath security ID does not match the userspace security ID.

Signed-off-by: Lucas Leblow <lucasleblow@mailbox.org>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 1c10df2 ]

With the removal of setting a nameserver via the little-vm-helper GitHub action, conformance-runtime tests are failing quite often with the following error.

```
dial tcp: lookup quay.io on 127.0.0.53:53: read udp 127.0.0.1:40553->127.0.0.53:53: read: connection refused
```

The assumption is that the local DNS resolver isn't ready at that time when pulling the image. Therefore, this way temporarily re-adds the nameserver `1.1.1.1` manually.

See: cilium/little-vm-helper#118

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit a2694fc ]

[ backporter's notes: skipped changes in tests-e2e-upgrade.yaml, as not present in v1.14. ]

The property dns-resolver has been removed from the little-vm-helper GitHub action. Therefore, this commit removes the usage of it in the cilium repository.

See: cilium/little-vm-helper#118

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
ecc880d to 3b9e28e
/test-backport-1.14
3b9e28e to 2ea8d6c
Ah, I see
My commits look good. Thanks @giorio94
Let's 🙏 that the tests succeed :)
[ upstream commit 1f1c384 ]

Cloud provider related workflows use the full configuration as matrix when being executed on a scheduled basis on stable branches, whereas only the default configuration is used on PR workflows.

Currently, this decision checks whether the workflow is triggered via `event_name == schedule`. This is working fine on `main`, but not on all other stable branches where the workflows are triggered via workflow_dispatch event (called by a scheduled workflow (ariane-scheduled.yaml) on main).

Therefore, this commit extends the decision to check for the input `PR-number` starting with a "v". This is the case for Ariane triggered runs - as they pass the branch name as PR-number (PR runs pass the actual numeric PR number).

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 7e13f1a ]

[ backporter's notes: dropped the Registry parameter from the new invoke function in pkg/metrics/cell.go, as it is not provided. ]

Because legacy metrics are now initialized in Hive, the logging hook was being set to the NoOpCounterVec instance. This moves initializing the errors/warnings metric out of the NewLegacyMetrics function and provides a manual way to init metrics that must be initialized prior to Hive.

Fixes: #29525

Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 83b87c4 ]

This comment is over 5 years old and no longer seems relevant.

Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 854ea3d ]

The poststart-eni.sh script got recently modified to delete both AWS-SNAT and AWS-CONNMARK related chains. Yet, the filter is now a regular expression, and does not return any match with plain grep. Let's fix this by setting the `-E` (--extended-regexp) flag.

Fixes: b836cb1 ("helm: Add missing type to poststart iptables regex")
Fixes: 8c86d07 ("install: Remove AWS-CONNMARK-CHAIN iptables")

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
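The failure mode described in commit 854ea3d, as an added example that is not taken from poststart-eni.sh: an alternation pattern matches nothing under plain `grep` (basic regular expressions treat `(`, `|` and `)` as literals), so a cleanup step built on it silently does nothing. The pattern and the sample ruleset lines below are constructed for illustration.

```shell
#!/bin/sh
# Constructed, iptables-save style sample; chain names are illustrative only.
sample_rules() {
cat <<'EOF'
:AWS-SNAT-CHAIN-0 - [0:0]
:AWS-CONNMARK-CHAIN-0 - [0:0]
:EXAMPLE-CHAIN - [0:0]
-A POSTROUTING -j AWS-SNAT-CHAIN-0
-A PREROUTING -j AWS-CONNMARK-CHAIN-0
-A POSTROUTING -j EXAMPLE-CHAIN
EOF
}

# Hypothetical filter using alternation (assumption: not the script's real regex).
PATTERN='AWS-(SNAT|CONNMARK)-CHAIN'

# Plain grep: basic regex, so the parentheses and the bar are literal characters.
# grep -c exits non-zero on zero matches, hence the "|| true".
count_basic() {
    sample_rules | grep -c "$PATTERN" || true
}

# grep -E: extended regex, so the alternation is honoured.
count_extended() {
    sample_rules | grep -E -c "$PATTERN" || true
}

# A guard a cleanup script can run first: fail loudly if the filter selects
# nothing from a ruleset that is known to contain the stale chains.
filter_is_effective() {
    [ "$(count_extended)" -gt 0 ]
}

echo "matches with plain grep: $(count_basic)"
echo "matches with grep -E:    $(count_extended)"
```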
[ upstream commit dbe56dd ]

Now that known issues causing connection disruption (which appeared to mostly affect dual stack clusters) have been fixed, let's enable IPv6 again in the clustermesh upgrade/downgrade workflow.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit 5107391 ]

Recently, a regression of the poststart-eni.sh script went unnoticed, as we are not explicitly testing it as part of the E2E pipelines. Let's add a step to the Conformance EKS and Conformance AWS-CNI workflows to assert that, in the former case, the stale AWS iptables chains are removed, and in the latter they are not modified.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit c947484 ]

It turns out that the following find command is subtle:

    find . -name foo -o -name bar -exec ...

This means: execute the command for bar. It doesn't execute the command for foo. For this reason verifier logs are currently not being copied correctly into GH artifacts.

Fixes: 735807f ("test/verifier: fix complexity tests not being recompiled")

Signed-off-by: Lorenz Bauer <lmb@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
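The `find` precedence issue from commit c947484, reproduced as an added example (not the project's workflow code): the implicit AND binds tighter than `-o`, so `-exec` attaches only to the last `-name` test. Grouping the tests with escaped parentheses is shown as one way to apply the action to both names; the file names and directory layout are constructed.

```shell
#!/bin/sh
# Build a scratch tree with one file named foo and one named bar, run the
# chosen find expression to copy matches into out/, and print what was copied.
copied_names() {
    mode=$1                                  # "buggy" or "grouped"
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/a" "$work/src/b" "$work/out"
    : > "$work/src/a/foo"
    : > "$work/src/b/bar"

    if [ "$mode" = buggy ]; then
        # Parsed as: -name foo  -o  ( -name bar -a -exec ... )
        # A file named foo satisfies the left side, so the right side,
        # including -exec, is never evaluated for it.
        find "$work/src" -name foo -o -name bar -exec cp {} "$work/out/" \;
    else
        # Explicit grouping: the action runs for either name.
        find "$work/src" \( -name foo -o -name bar \) -exec cp {} "$work/out/" \;
    fi

    names=$(ls "$work/out" | tr '\n' ' ')    # ls output is sorted
    rm -rf "$work"
    echo "${names% }"                        # drop the trailing space
}

echo "buggy expression copied:   $(copied_names buggy)"
echo "grouped expression copied: $(copied_names grouped)"
```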
[ upstream commit 83425f2 ]

It seems that even though we're setting the nameserver at the top of `/etc/resolv.conf`, in some cases docker still uses 127.0.0.53 to resolve names while pulling the cilium docker plugin in the ci-runtime test.

It seems as if docker tries to use nameserver information from `systemd-resolved`.

Therefore, this commit tries to force docker to use the nameserver 1.1.1.1, by removing the resolv.conf symlink, deleting the resolv.conf from systemd-resolved and restarting the docker service after applying the changes.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
39a3aab to 66ea795
Dropped, thanks for confirming.
/test-backport-1.14
I tried removing myself from the reviewer list after my PR was dropped but that seems to cause my requested changes to block the PR again. Approving to unblock this PR.
Both Conformance E2E and Conformance Cluster Mesh failures appear to be due to slow image retrieval from quay.
Thank you, approving #27894
The same happened for one of the Conformance IPsec E2E matrix entries. Currently rerunning
CI is green. Marking ready to merge as it only misses the final approval from @cilium/tophat, who will be merging the PR.
fqdn: avoid converting from netip.Addr to net.IP and back #29625 (@tklauser)

Once this PR is merged, a GitHub action will update the labels of these PRs: