v1.15 Backports 2024-03-05 #31154

Merged
merged 16 commits into from Mar 11, 2024

learnitall and others added 16 commits March 5, 2024 11:14
[ upstream commit dceb890 ]

This commit adds the 'failed to list CRDs' log - "the server could not
find the requested resource" - to the list of accepted warning logs.
This message is already in the list of ignored error logs, however this
message can also appear as a warning log from klog.

Fixes: cilium#30776
Related: cilium#26591

Signed-off-by: Ryan Drew <ryan.drew@isovalent.com>
[ upstream commit 5d3c7c3 ]

Commit a94fa56 ("Fix CIDR to World Entity Conversion Bug") seems to
have inadvertently swapped a check for "is not world" to a check for "is
world" in order to drop. This has likely broken the VTEP feature. Fix
it.

Fixes: a94fa56 ("Fix CIDR to World Entity Conversion Bug")
Reported-by: Jan Hugo Prins <jhp@jhprins.org>
Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit cd53c4f ]

The null check for Method should be before the check for Method.Service
to avoid NPE.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 77053ae ]

CNI chaining mode option has been moved to the CNI cell in commit
1254bf4.

Since it is not a global config option anymore, iptables manager will
not see any change to that value, and its field `CNIChainingMode` will
always be an empty string.
Thus, with the following config option values:

- "enable-endpoint-routes": true
- "cni-chaining-mode": "aws-cni"

the delivery interface referenced in the rules installed by the manager
is "lxc+" instead of "eni+".

This commit fixes this by adding a CNI config manager reference to the
iptables manager parameters, in order to read the current setting for
the chaining mode during rules installation.

Fixes: 1254bf4 ("daemon / cni: move to Cell, watch for changes")

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit d7dba5e ]

For external envoy, the xds server and envoy have different life
cycles, i.e. each is running in its own pod, and can be deployed or
restarted independently. This commit is to handle the case that xds in
cilium agent got restarted, and nonce value is always 0.

Sample error
```
2024-02-05T12:49:51.771714518Z level=warning msg="Regeneration of endpoint failed" bpfCompilation=0s bpfLoadProg=105.68356ms bpfWaitForELF="24.396µs" bpfWriteELF=1.802221ms ciliumEndpointName=cilium-test/client-56f8968958-fqdl4 containerID=245b2aaac2 containerInterface=eth0 datapathPolicyRevision=5 desiredPolicyRevision=6 endpointID=134 error="Error while configuring proxy redirects: proxy state changes failed: context canceled" identity=1713 ipv4=10.244.1.1 ipv6="fd00:10:244:1::9544" k8sPodName=cilium-test/client-56f8968958-fqdl4 mapSync=2.476505ms policyCalculation=1.240346ms prepareBuild="437.049µs" proxyConfiguration="837.119µs" proxyPolicyCalculation="234.369µs" proxyWaitForAck=2m34.697546384s reason="policy rules added" subsys=endpoint total=2m34.818201428s waitingForCTClean=270ns waitingForLock="2.605µs"
```

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 6b63ea2 ]

Reduce code repetition by defining a 'traverse' function that is shared
between multiple functions.

Clarify comments.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 6b98a0b ]

Avoid any odd surprises when this macro ends up being used by shared
nodeport.h code.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit f604ce2 ]

cilium#29000 changed how we mix WireGuard
with VXLAN / Geneve tunneling. Reflect this in the docs.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 4293d2b ]

When GetInterval calculates the new GC interval, it uses the result of
the previous calculation as a pivot point. However, if GC was triggered
by a signal, a smaller time interval has passed, therefore, expectations
on the delete ratio should be lower. Adjust the delete ratio
proportionally to avoid increasing the interval uncontrollably when
multiple signals arrive over a short period of time.

Ref: cilium#27405
Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 7a5a429 ]

Fixed `kubectl exec` syntax

Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 5a96a95 ]

Lookup currently returns the default value of
the bitlpm.Trie when it fails to find a match.
There are cases where comparing the default
value to the return value is logically expensive
(i.e. code needs to be written to do the comparison).
Lookup can easily return a boolean value to indicate
whether it failed.

Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
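
The ambiguity the commit message above describes, as an added example that is not Cilium's bitlpm code: a minimal longest-prefix-match trie whose `Lookup` returns a boolean, so a stored zero value can be told apart from a miss. The `node` and `Trie` types, the 32-bit keys and the sample prefixes are assumptions made for illustration.

```go
package main

import "fmt"

// node is one bit position in the trie (hypothetical type for this example).
type node[T any] struct {
	child [2]*node[T]
	val   T
	set   bool // distinguishes "stored zero value" from "nothing stored"
}

// Trie is a minimal bitwise longest-prefix-match trie over 32-bit keys.
type Trie[T any] struct{ root node[T] }

// Upsert stores v under the first prefixLen bits of key (prefixLen <= 32).
func (t *Trie[T]) Upsert(key uint32, prefixLen uint, v T) {
	n := &t.root
	for i := uint(0); i < prefixLen; i++ {
		b := (key >> (31 - i)) & 1
		if n.child[b] == nil {
			n.child[b] = &node[T]{}
		}
		n = n.child[b]
	}
	n.val, n.set = v, true
}

// Lookup returns the value of the longest matching prefix and whether any
// prefix matched, so callers never compare the result against T's zero value.
func (t *Trie[T]) Lookup(key uint32) (v T, ok bool) {
	n := &t.root
	for i := uint(0); n != nil; i++ {
		if n.set {
			v, ok = n.val, true
		}
		if i == 32 {
			break
		}
		n = n.child[(key>>(31-i))&1]
	}
	return v, ok
}

func main() {
	var t Trie[int]
	t.Upsert(0x0A000000, 8, 0)        // constructed: 10.0.0.0/8 maps to the zero value
	fmt.Println(t.Lookup(0x0A010203)) // 0 true
	fmt.Println(t.Lookup(0xC0A80001)) // 0 false
}
```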
…e redact test functions

[ upstream commit 82006e0 ]

Signed-off-by: Alexandre Perrin <alex@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit fe76af5 ]

Signed-off-by: Alexandre Perrin <alex@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit f7142c8 ]

Before this patch, Hubble could cause a Cilium agent panic when
attempting to decode invalid URLs.

See cilium#31071

Signed-off-by: Alexandre Perrin <alex@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 0bd59b2 ]

Before this patch, Hubble would panic when attempting to parse an
accesslog.LogRecordHTTP with a nil URL. While filterURL was handling the
nil case, the following caller codepath would unconditionally call
String() on the URL, potentially causing a panic.

This patch improves Hubble robustness and clarifies the role of
filterURL (renamed filteredURL) to always return a URL such that calling
String() on it is safe.

Signed-off-by: Alexandre Perrin <alex@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
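
The failure mode from the two Hubble commit messages above, as an added example that is not Hubble's code: a record whose URL failed to parse carries a nil `*url.URL`, and calling `String()` on it panics unless the filter always returns a usable value. The `LogRecordHTTP` stand-in, the helper names other than `filteredURL`, and the choice to strip user info are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
)

// LogRecordHTTP is a hypothetical stand-in for an HTTP access log record.
type LogRecordHTTP struct {
	Method string
	URL    *url.URL // nil when the request URL could not be parsed
}

// recordFromRaw builds a record; url.Parse returns a nil *url.URL on error.
func recordFromRaw(method, raw string) LogRecordHTTP {
	u, _ := url.Parse(raw)
	return LogRecordHTTP{Method: method, URL: u}
}

// filteredURL never returns nil, so String() on the result is always safe.
func filteredURL(u *url.URL) *url.URL {
	if u == nil {
		return &url.URL{}
	}
	c := *u      // copy so the original record is left untouched
	c.User = nil // assumption: credentials are what gets filtered
	return &c
}

// unsafeSummary calls String() on the URL unconditionally.
func unsafeSummary(r LogRecordHTTP) string {
	return r.Method + " " + r.URL.String()
}

// safeSummary goes through filteredURL first.
func safeSummary(r LogRecordHTTP) string {
	return r.Method + " " + filteredURL(r.URL).String()
}

// panics reports whether f panics.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	bad := recordFromRaw("GET", "http://[::1") // constructed invalid URL
	fmt.Println(panics(func() { unsafeSummary(bad) }), safeSummary(bad))
}
```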
[ upstream commit 1c3a17f ]

This information can be useful to understand why memory allocation in
the kernel may fail (ex. for maps or for XFRM). I've checked that these
two files are accessible from a typical cilium-agent deployment (on
GKE).

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84 added the kind/backports and backport/1.15 labels Mar 5, 2024
Member

@sayboras sayboras left a comment

Thanks and looks good for my commits.

@pippolo84 pippolo84 marked this pull request as ready for review March 5, 2024 10:43
@pippolo84 pippolo84 requested a review from a team as a code owner March 5, 2024 10:43
Member

@pchaigno pchaigno left a comment

My PR looks good. Thanks!

@pippolo84
Member Author

/test-backport-1.15

Member

@nathanjsweet nathanjsweet left a comment

My changes LGTM.

Member

@joestringer joestringer left a comment

👍 for the VTEP fix

Member

@kaworu kaworu left a comment

Hubble commits LGTM 👍

Contributor

@learnitall learnitall left a comment

Thank you!

@maintainer-s-little-helper (bot) added the ready-to-merge label Mar 11, 2024
@jrajahalme merged commit 70444d5 into cilium:v1.15 Mar 11, 2024
61 checks passed