v1.11 backports 2022-05-26 #19966
f04780a to d6159e5
#16647 -- ipsec: Fix off-by-one error on max keyID (@pchaigno)
This PR is so old that it's actually already part of v1.11. Sorry about that, I didn't notice when adding the labels. The commit can be removed.
#19893 -- docs: Fix max SPI value for IPsec key rotations (@pchaigno)
#19930 -- docs: Fix incorrect FQDN flag (@pchaigno)
Those look good to me.
[ upstream commit 70676ec ]
With "make render-docs-live-preview", we use the cilium/docs-builder image to build a preview of the documentation, to serve it locally, and to watch the source files for changes to update automatically the preview. When the Docker image is present locally, the command uses it. When this is not the case, it pulls it from Docker, in its ":latest" version by default.
This can be an issue due to commit 0da7224 ("ci: pin down image for documentation workflow"), where we pinned down the docs-builder image to use in the CI. Since this commit, the reference image is no longer ":latest", but the tag in use in the CI files. As a consequence, the live preview may attempt to use an outdated version of the image. This is currently the case: running the command with no local image raises an error about a missing "myst_parser" extension, which is not present on the version tagged with ":latest".
To fix this, we mark builder-image as a dependency for the render-docs-live-preview target, so that the image gets built locally.
Reported-by: Yoyo Wu <yoyo19980720@163.com>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit f17a17a ]
The first step for building the cilium/docs-builder image, used for building Cilium's documentation, consists in pre-pulling the image with Docker (to avoid failures from buildkit). The relevant command is formed by parsing the name of the Alpine image from the Dockerfile.
On some setups, for example on Ubuntu running in Windows WSL with the Cilium repository mounted from a Windows partition, the Dockerfile may contain DOS-style line breaks (CR-LF). The result from "grep" being piped to xargs and passed to "docker pull", we get an error because Docker cannot recognise a valid reference with this '\r' character at the end of the string.
Let's remove any carriage return characters before feeding the line to xargs.
Reported-by: Yoyo Wu <yoyo19980720@163.com>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
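An added example, not code from the Cilium repository, showing the failure described in the commit above: a CR-LF Dockerfile leaves a trailing '\r' on the parsed image reference, and stripping carriage returns first yields a usable one. The Dockerfile content, the image tag and the helper names (extract_ref, is_clean_ref) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a Dockerfile saved with DOS (CR-LF) line endings.
# The image name and tag are placeholders, not the project's pinned image.
sample_dockerfile() {
    printf 'FROM alpine:3.15\r\nRUN apk add --no-cache make\r\n'
}

# Hypothetical helper: read a Dockerfile on stdin and print the image
# reference from its first FROM line.
extract_ref() {
    grep '^FROM ' | head -n 1 | cut -d ' ' -f 2
}

# Accept a reference only if it is non-empty and free of control characters
# and whitespace, so a stray '\r' is caught before it reaches "docker pull".
is_clean_ref() {
    [ -n "$1" ] || return 1
    if printf '%s' "$1" | LC_ALL=C grep -q '[[:cntrl:][:space:]]'; then
        return 1
    fi
    return 0
}

# Without the fix: the carriage return stays glued to the tag.
raw_ref() { sample_dockerfile | extract_ref; }

# With the fix: strip carriage returns before the value is used.
fixed_ref() { sample_dockerfile | tr -d '\r' | extract_ref; }

for name in raw_ref fixed_ref; do
    ref=$($name)
    if is_clean_ref "$ref"; then verdict="ok to pull"; else verdict="rejected"; fi
    # od -c makes the otherwise invisible \r visible in the output.
    printf '%s: %s -> ' "$name" "$verdict"
    printf '%s' "$ref" | od -c | head -n 1
done
```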
[ upstream commit 0b58178 ]
Configure the peerService to access hubble on the hubble.peerService.targetPort rather than determining the port from hubble.listenAddress which may be empty when using a sidecar to proxy to hubble.
Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit b13dc89 ]
The tc command prints out information not shown by bpftool. As well, it is possible that we may need information about tc entities that are not managed by Cilium when debugging Cilium issues.
This adds extra bugtool commands to be run with cilium-bugtool. Including listing tc qdisc and getting filter/class/chain info for all network interfaces.
Fixes: #17468
Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 80092ce ]
Since commit 67f74ff ("images/cilium: remove cilium group from Dockerfile") the cilium group is no longer created in the image running the agent, resulting in the following log message on cilium-agent start:
    level=info msg="Group not found" error="group: unknown group cilium" file-path=/var/run/cilium/cilium.sock group=cilium subsys=api
Change the log message to debug level to avoid confusion.
Suggested-by: André Martins <andre@cilium.io>
Signed-off-by: Tobias Klauser <tobias@cilium.io>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 54d708e ]
The SPI value is expected to take 4 bits at most so its maximum value should be 15 not 16. Let's fix that in the key rotation documentation. The agent also rejects value 0, so allowed values are [1;15].
Reported-by: Odin Ugedal via Slack
Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
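An added example, not taken from the Cilium documentation or agent: a key-rotation helper that enforces the [1;15] range stated in the commit above and wraps from 15 back to 1. The key-line layout, the sample key, the 20-byte key length and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample key line, assumed layout:
#   "<key-id> <algorithm> <hex-key> <key-size>"
# The hex string is a placeholder, not a real key.
SAMPLE_KEY_LINE='15 rfc4106(gcm(aes)) 0000000000000000000000000000000000000000 128'

# Key ID = first space-separated field of the key line.
key_id_of() { printf '%s\n' "$1" | cut -d ' ' -f 1; }

# Valid key IDs (SPIs) are 1..15: the value must fit in 4 bits and the
# agent rejects 0. Non-numeric input and leading zeros are refused too.
valid_key_id() {
    case "$1" in
        ''|*[!0-9]*|0*|???*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 15 ]
}

# Next key ID for a rotation: increment, wrapping from 15 back to 1.
next_key_id() {
    valid_key_id "$1" || { echo "invalid key ID: $1" >&2; return 1; }
    echo $(( $1 % 15 + 1 ))
}

# What a 4-bit field would hold for a given value: 16 collapses to 0.
low_4_bits() { echo $(( $1 & 15 )); }

# Build the rotated key line: next key ID, same algorithm and size, and
# 20 fresh random bytes (assumed: 16 key bytes + 4 salt bytes) as hex.
rotate_key_line() {
    id=$(key_id_of "$1")
    next=$(next_key_id "$id") || return 1
    algo=$(printf '%s\n' "$1" | cut -d ' ' -f 2)
    size=$(printf '%s\n' "$1" | cut -d ' ' -f 4)
    key=$(od -An -tx1 -N20 /dev/urandom | tr -d ' \n')
    printf '%s %s %s %s\n' "$next" "$algo" "$key" "$size"
}

echo "next after 14: $(next_key_id 14)"
echo "next after 15: $(next_key_id 15)"
next_key_id 16 2>/dev/null || echo "16 rejected (low 4 bits: $(low_4_bits 16))"
# Print the rotated line without the key material.
rotate_key_line "$SAMPLE_KEY_LINE" | cut -d ' ' -f 1,2,4
```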
[ upstream commit 6260073 ]
The general idea is to remove the need for our permanent pool of GKE clusters + management cluster (that manages the pool via Config Connector).
Instead, we switch to ad-hoc clusters as we do on CI 3.0. This should:
- Remove the upper limit on the number of concurrent Jenkins GKE jobs.
- Remove the need for permanent clusters (reduce CI costs).
- Have no effect on the setup time required before the tests actually start running on GKE clusters.
- Improve control over GKE features (e.g. `DenyServiceExternalIPs` admission controller) that cannot be controlled via CNRM / Config Connector.
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit b42e5a0 ]
New GKE clusters have the automatic labelling feature gate enabled by default, so the labels used in the `Identity CLI testing` `K8sCLI` test need to be updated with the additional `k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name` automatic label.
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
d6159e5 to 6a53fc2
/test-backport-1.11
Job 'Cilium-PR-K8s-GKE' failed:
If it is a flake and a GitHub issue doesn't already exist to track it, comment
/test-gke
My commits LGTM.
some conflicts: resize_cluster.sh does not exist in 1.11
What do you mean by this? I'm confused because the file is there and properly removed by the backported commit 🤔
Sorry, I probably just misread the conflict (so file was there but was different than the one in master, and so git complained about deleting it)
My changes LGTM, thanks.
peerService chart updates LGTM
My change looks good, thanks Gilberto!
builder-image command was slightly different
make -C install/kubernetes && make -C Documentation update-helm-values
resize_cluster.sh does not exist in 1.11 and the cli test is under k8sT/Cli.go
ipc -> IPIdentityCache
Once this PR is merged, you can update the PR labels via:
or with