cilium · sayboras · Apr 11, 2024 · Mar 20, 2024 · Mar 6, 2024 · Mar 7, 2024
@@ -1,17 +1,16 @@
 # List of k8s version for AKS tests
 ---
 include:
-  - version: "1.25"
+  - version: "1.26"
     location: westus3
     index: 1
-    disabled: true
-  - version: "1.26"
+  - version: "1.27"
     location: westus2
     index: 2
-  - version: "1.27"
+  - version: "1.28"
     location: eastus2
     index: 3
     default: true
-  - version: "1.28"
+  - version: "1.29"
     location: eastus
     index: 4
@@ -9,7 +9,4 @@
 Governance
 ----------
 
-.. toctree::
-   :maxdepth: 3
-
-   commit_access
+Governance documentation can be found in the `Cilium Community repository <https://github.com/cilium/community/blob/main/GOVERNANCE.md>`__.
@@ -145,7 +145,6 @@ Hubble provides visibility into network flows through the :ref:`Hubble CLI<hubbl
 and :ref:`UI<hubble_ui>` (beta), with support for Prometheus and OpenTelemetry metrics. Areas of
 focus currently include:
 
-* Graduating the `Hubble OpenTelemetry collector`_ to stable
 * Hubble UI additional features
 
 CI Test Improvements
@@ -226,7 +225,6 @@ anything other than trivial fixes.
 .. _point releases: https://cilium.io/blog/categories/release/
 .. _Get Involved: https://cilium.io/get-involved
 .. _CNCF Graduation: https://github.com/cncf/toc/pull/952
-.. _Hubble OpenTelemetry collector: https://github.com/cilium/hubble-otel
 .. _CI improvements: https://github.com/cilium/cilium/issues?q=is%3Aopen+is%3Aissue+label%3Aarea%2FCI-improvement
 .. _good-first-issue: https://github.com/cilium/cilium/labels/good-first-issue
 .. _enterprise: https://cilium.io/enterprise

@@ -132,17 +132,17 @@ Metrics
 
 All API calls subject to rate limiting will expose :ref:`metrics_api_rate_limiting`. Example::
 
-    cilium_api_limiter_adjustment_factor                  api_call="endpoint-create"                               0.695787
-    cilium_api_limiter_processed_requests_total           api_call="endpoint-create" outcome="success"             7.000000
-    cilium_api_limiter_processing_duration_seconds        api_call="endpoint-create" value="estimated"             2.000000
-    cilium_api_limiter_processing_duration_seconds        api_call="endpoint-create" value="mean"                  2.874443
-    cilium_api_limiter_rate_limit                         api_call="endpoint-create" value="burst"                 4.000000
-    cilium_api_limiter_rate_limit                         api_call="endpoint-create" value="limit"                 0.347894
-    cilium_api_limiter_requests_in_flight                 api_call="endpoint-create" value="in-flight"             0.000000
-    cilium_api_limiter_requests_in_flight                 api_call="endpoint-create" value="limit"                 0.000000
-    cilium_api_limiter_wait_duration_seconds              api_call="endpoint-create" value="max"                  15.000000
-    cilium_api_limiter_wait_duration_seconds              api_call="endpoint-create" value="mean"                  0.000000
-    cilium_api_limiter_wait_duration_seconds              api_call="endpoint-create" value="min"                   0.000000
+    cilium_api_limiter_adjustment_factor                  api_call="endpoint-create"                                                0.695787
+    cilium_api_limiter_processed_requests_total           api_call="endpoint-create" outcome="success" return_code="200"            7.000000
+    cilium_api_limiter_processing_duration_seconds        api_call="endpoint-create" value="estimated"                              2.000000
+    cilium_api_limiter_processing_duration_seconds        api_call="endpoint-create" value="mean"                                   2.874443
+    cilium_api_limiter_rate_limit                         api_call="endpoint-create" value="burst"                                  4.000000
+    cilium_api_limiter_rate_limit                         api_call="endpoint-create" value="limit"                                  0.347894
+    cilium_api_limiter_requests_in_flight                 api_call="endpoint-create" value="in-flight"                              0.000000
+    cilium_api_limiter_requests_in_flight                 api_call="endpoint-create" value="limit"                                  0.000000
+    cilium_api_limiter_wait_duration_seconds              api_call="endpoint-create" value="max"                                    15.000000
+    cilium_api_limiter_wait_duration_seconds              api_call="endpoint-create" value="mean"                                   0.000000
+    cilium_api_limiter_wait_duration_seconds              api_call="endpoint-create" value="min"                                    0.000000
 
 Understanding the log output
 ============================

@@ -119,7 +119,7 @@ get started and experiment with Cilium.
    :maxdepth: 2
    :caption: Community
 
-   community/governance/index
+   community/governance
    community/community
    community/roadmap
 

@@ -573,17 +573,17 @@ Name                                                Labels                Defaul
 API Rate Limiting
 ~~~~~~~~~~~~~~~~~
 
-============================================== ================================ ========== ========================================================
-Name                                           Labels                           Default    Description
-============================================== ================================ ========== ========================================================
-``api_limiter_adjustment_factor``              ``api_call``                     Enabled    Most recent adjustment factor for automatic adjustment
-``api_limiter_processed_requests_total``       ``api_call``, ``outcome``        Enabled    Total number of API requests processed
-``api_limiter_processing_duration_seconds``    ``api_call``, ``value``          Enabled    Mean and estimated processing duration in seconds
-``api_limiter_rate_limit``                     ``api_call``, ``value``          Enabled    Current rate limiting configuration (limit and burst)
-``api_limiter_requests_in_flight``             ``api_call``  ``value``          Enabled    Current and maximum allowed number of requests in flight
-``api_limiter_wait_duration_seconds``          ``api_call``, ``value``          Enabled    Mean, min, and max wait duration
-``api_limiter_wait_history_duration_seconds``  ``api_call``                     Disabled   Histogram of wait duration per API call processed
-============================================== ================================ ========== ========================================================
+============================================== ========================================== ========== ========================================================
+Name                                           Labels                                     Default    Description
+============================================== ========================================== ========== ========================================================
+``api_limiter_adjustment_factor``              ``api_call``                               Enabled    Most recent adjustment factor for automatic adjustment
+``api_limiter_processed_requests_total``       ``api_call``, ``outcome``, ``return_code`` Enabled    Total number of API requests processed
+``api_limiter_processing_duration_seconds``    ``api_call``, ``value``                    Enabled    Mean and estimated processing duration in seconds
+``api_limiter_rate_limit``                     ``api_call``, ``value``                    Enabled    Current rate limiting configuration (limit and burst)
+``api_limiter_requests_in_flight``             ``api_call``  ``value``                    Enabled    Current and maximum allowed number of requests in flight
+``api_limiter_wait_duration_seconds``          ``api_call``, ``value``                    Enabled    Mean, min, and max wait duration
+``api_limiter_wait_history_duration_seconds``  ``api_call``                               Disabled   Histogram of wait duration per API call processed
+============================================== ========================================== ========== ========================================================
 
 cilium-operator
 ---------------
@@ -1120,15 +1120,15 @@ Name                                     Labels
 API Rate Limiting
 ~~~~~~~~~~~~~~~~~
 
-============================================== ================================ ========================================================
-Name                                           Labels                           Description
-============================================== ================================ ========================================================
-``api_limiter_processed_requests_total``       ``api_call``, ``outcome``        Total number of API requests processed
-``api_limiter_processing_duration_seconds``    ``api_call``, ``value``          Mean and estimated processing duration in seconds
-``api_limiter_rate_limit``                     ``api_call``, ``value``          Current rate limiting configuration (limit and burst)
-``api_limiter_requests_in_flight``             ``api_call``  ``value``          Current and maximum allowed number of requests in flight
-``api_limiter_wait_duration_seconds``          ``api_call``, ``value``          Mean, min, and max wait duration
-============================================== ================================ ========================================================
+============================================== ========================================== ========================================================
+Name                                           Labels                                     Description
+============================================== ========================================== ========================================================
+``api_limiter_processed_requests_total``       ``api_call``, ``outcome``, ``return_code`` Total number of API requests processed
+``api_limiter_processing_duration_seconds``    ``api_call``, ``value``                    Mean and estimated processing duration in seconds
+``api_limiter_rate_limit``                     ``api_call``, ``value``                    Current rate limiting configuration (limit and burst)
+``api_limiter_requests_in_flight``             ``api_call``  ``value``                    Current and maximum allowed number of requests in flight
+``api_limiter_wait_duration_seconds``          ``api_call``, ``value``                     Mean, min, and max wait duration
+============================================== ========================================== ========================================================
 
 Controllers
 ~~~~~~~~~~~
@@ -1195,15 +1195,15 @@ Name                                     Labels
 API Rate Limiting
 ~~~~~~~~~~~~~~~~~
 
-============================================== ================================ ========================================================
-Name                                           Labels                           Description
-============================================== ================================ ========================================================
-``api_limiter_processed_requests_total``       ``api_call``, ``outcome``        Total number of API requests processed
-``api_limiter_processing_duration_seconds``    ``api_call``, ``value``          Mean and estimated processing duration in seconds
-``api_limiter_rate_limit``                     ``api_call``, ``value``          Current rate limiting configuration (limit and burst)
-``api_limiter_requests_in_flight``             ``api_call``  ``value``          Current and maximum allowed number of requests in flight
-``api_limiter_wait_duration_seconds``          ``api_call``, ``value``          Mean, min, and max wait duration
-============================================== ================================ ========================================================
+============================================== ========================================== ========================================================
+Name                                           Labels                                     Description
+============================================== ========================================== ========================================================
+``api_limiter_processed_requests_total``       ``api_call``, ``outcome``, ``return_code`` Total number of API requests processed
+``api_limiter_processing_duration_seconds``    ``api_call``, ``value``                    Mean and estimated processing duration in seconds
+``api_limiter_rate_limit``                     ``api_call``, ``value``                    Current rate limiting configuration (limit and burst)
+``api_limiter_requests_in_flight``             ``api_call``  ``value``                    Current and maximum allowed number of requests in flight
+``api_limiter_wait_duration_seconds``          ``api_call``, ``value``                    Mean, min, and max wait duration
+============================================== ========================================== ========================================================
 
 Controllers
 ~~~~~~~~~~~

@@ -446,6 +446,7 @@ Changed Metrics
 * The ``cilium_cidrgroup_policies`` metric has been renamed to
   ``cilium_cidrgroups_referenced`` for better clarity.
 * The ``cilium_cidrgroup_translation_time_stats_seconds`` metric has been disabled by default.
+* The ``cilium_api_limiter_processed_requests_total`` has now label ``return_code`` to specify the http code of the request.
 
 .. _earlier_upgrade_notes:
 

@@ -537,7 +537,7 @@ DNS policies are used to define Layer 3 policies to endpoints that are not
 managed by Cilium, but have DNS queryable domain names. The IP addresses
 provided in DNS responses are allowed by Cilium in a similar manner to IPs in
 `CIDR based`_ policies. They are an alternative when the remote IPs may change
-or are not know a priori, or when DNS is more convenient. To enforce policy on
+or are not know prior, or when DNS is more convenient. To enforce policy on
 DNS requests themselves, see `Layer 7 Examples`_.
 
 .. note::

@@ -1,6 +1,6 @@
 # Maintainers
 
-See [Governance](Documentation/community/governance/commit_access.rst) for
+See [Governance](https://github.com/cilium/community/blob/main/GOVERNANCE.md) for
 governance, commit, and vote guidelines as well as committer responsibilities.
 Everybody listed is a committer as per governance definition. See the 
 [Contributor Ladder](https://github.com/cilium/community/blob/main/CONTRIBUTOR-LADDER.md)

@@ -303,7 +303,7 @@ We host a weekly community `YouTube livestream called eCHO <https://www.youtube.
 Governance
 ----------
 The Cilium project is governed by a group of `Maintainers and Committers <https://raw.githubusercontent.com/cilium/cilium/main/MAINTAINERS.md>`__.
-How they are selected and govern is outlined in our `governance document <https://docs.cilium.io/en/latest/community/governance/commit_access/>`__.
+How they are selected and govern is outlined in our `governance document <https://github.com/cilium/community/blob/main/GOVERNANCE.md>`__.
 
 Adopters
 --------

@@ -546,14 +546,21 @@ snat_v4_needs_masquerade(struct __ctx_buff *ctx __maybe_unused,
 		target->from_local_endpoint = true;
 
 		err = ct_extract_ports4(ctx, ip4, l4_off, CT_EGRESS, tuple, NULL);
-		if (err < 0)
-			return err;
+		switch (err) {
+		case 0:
+			is_reply = ct_is_reply4(get_ct_map4(tuple), tuple);
 
-		is_reply = ct_is_reply4(get_ct_map4(tuple), tuple);
+			/* SNAT code has its own port extraction logic: */
+			tuple->dport = 0;
+			tuple->sport = 0;
 
-		/* SNAT code has its own port extraction logic: */
-		tuple->dport = 0;
-		tuple->sport = 0;
+			break;
+		case DROP_CT_UNKNOWN_PROTO:
+			/* tolerate L4 protocols not supported by CT: */
+			break;
+		default:
+			return err;
+		}
 	}
 
 /* Check if the packet matches an egress NAT policy and so needs to be SNAT'ed.
@@ -1327,14 +1334,21 @@ snat_v6_needs_masquerade(struct __ctx_buff *ctx __maybe_unused,
 		target->from_local_endpoint = true;
 
 		err = ct_extract_ports6(ctx, l4_off, tuple);
-		if (err < 0)
-			return err;
+		switch (err) {
+		case 0:
+			is_reply = ct_is_reply6(get_ct_map6(tuple), tuple);
 
-		is_reply = ct_is_reply6(get_ct_map6(tuple), tuple);
+			/* SNAT code has its own port extraction logic: */
+			tuple->dport = 0;
+			tuple->sport = 0;
 
-		/* SNAT code has its own port extraction logic: */
-		tuple->dport = 0;
-		tuple->sport = 0;
+			break;
+		case DROP_CT_UNKNOWN_PROTO:
+			/* tolerate L4 protocols not supported by CT: */
+			break;
+		default:
+			return err;
+		}
 	}
 
 # ifdef IPV6_SNAT_EXCLUSION_DST_CIDR

@@ -81,6 +81,8 @@ var (
 	parallelWorkers          int
 	ciliumAgentContainerName string
 	excludeObjectFiles       bool
+	hubbleMetrics            bool
+	hubbleMetricsPort        int
 )
 
 func init() {
@@ -111,6 +113,8 @@ func init() {
 	BugtoolRootCmd.Flags().IntVar(&parallelWorkers, "parallel-workers", 0, "Maximum number of parallel worker tasks, use 0 for number of CPUs")
 	BugtoolRootCmd.Flags().StringVarP(&ciliumAgentContainerName, "cilium-agent-container-name", "", "cilium-agent", "Name of the Cilium Agent main container (when k8s-mode is true)")
 	BugtoolRootCmd.Flags().BoolVar(&excludeObjectFiles, "exclude-object-files", false, "Exclude per-endpoint object files. Template object files will be kept")
+	BugtoolRootCmd.Flags().BoolVar(&hubbleMetrics, "hubble-metrics", true, "When set, hubble prometheus metrics")
+	BugtoolRootCmd.Flags().IntVar(&hubbleMetricsPort, "hubble-metrics-port", 9965, "Port to query for hubble metrics")
 }
 
 func getVerifyCiliumPods() (k8sPods []string) {
@@ -221,6 +225,12 @@ func runTool() {
 			}
 		}
 
+		if hubbleMetrics {
+			if err := dumpHubbleMetrics(cmdDir); err != nil {
+				fmt.Fprintf(os.Stderr, "Unable to retrieve hubble prometheus metrics: %s\n", err)
+			}
+		}
+
 		// Check if there is a user supplied configuration
 		if config, _ := loadConfigFile(configPath); config != nil {
 			// All of of the commands run are from the configuration file
@@ -498,6 +508,12 @@ func getCiliumPods(namespace, label string) ([]string, error) {
 	return ciliumPods, nil
 }
 
+func dumpHubbleMetrics(rootDir string) error {
+	httpClient := http.DefaultClient
+	url := fmt.Sprintf("http://localhost:%d/metrics", hubbleMetricsPort)
+	return downloadToFile(httpClient, url, filepath.Join(rootDir, "hubble-metrics.txt"))
+}
+
 func dumpEnvoy(rootDir string, resource string, fileName string) error {
 	// curl --unix-socket /var/run/cilium/envoy/sockets/admin.sock http:/admin/config_dump\?include_eds > dump.json
 	c := &http.Client{

@@ -456,9 +456,11 @@ func writeMarkdown(data []byte, path string) {
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Could not create file %s", path)
+		os.Exit(1)
 	}
 	w := tabwriter.NewWriter(f, 5, 0, 3, ' ', 0)
 	w.Write(data)
+	f.Close()
 }
 
 func writeFile(data []byte, path string) {
@@ -468,6 +470,7 @@ func writeFile(data []byte, path string) {
 		os.Exit(1)
 	}
 	f.Write(data)
+	f.Close()
 }
 
 func writeJSON(data []byte, path string) {
@@ -477,6 +480,8 @@ func writeJSON(data []byte, path string) {
 		os.Exit(1)
 	}
 
+	defer f.Close()
+
 	db := &models.DebugInfo{}
 
 	// Unmarshal the binary so we can indent the JSON appropriately when we