diff --git a/.github/workflows/kind.yaml b/.github/workflows/kind.yaml
index 61ee94f085..fffbf0a4be 100644
--- a/.github/workflows/kind.yaml
+++ b/.github/workflows/kind.yaml
@@ -278,6 +278,7 @@ jobs:
 run: |
 cilium upgrade --reuse-values --context $CLUSTER1 \
 --wait=true \
+ --version=${{ env.cilium_version }} \
 --set clustermesh.useAPIServer=true \
 --set clustermesh.apiserver.service.type=NodePort \
 --set clustermesh.apiserver.tls.server.extraDnsNames={"$CLUSTER1.mesh.cilium.io,$CLUSTER2.mesh.cilium.io"}
@@ -294,6 +295,7 @@ jobs:
 run: |
 cilium upgrade --reuse-values --context $CLUSTER2 \
 --wait=true \
+ --version=${{ env.cilium_version }} \
 --set clustermesh.useAPIServer=true \
 --set clustermesh.apiserver.service.type=NodePort \
 --set clustermesh.apiserver.tls.server.extraDnsNames={"$CLUSTER1.mesh.cilium.io,$CLUSTER2.mesh.cilium.io"}
diff --git a/README.md b/README.md
index 7b853e4a92..e8f431688a 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ binary releases.
 | Release | Maintained | Compatible Cilium Versions |
 |------------------------------------------------------------------------|------------|----------------------------|
-| [v0.16.24](https://github.com/cilium/cilium-cli/releases/tag/v0.16.24) | Yes | Cilium 1.15 and newer |
+| [v0.16.25](https://github.com/cilium/cilium-cli/releases/tag/v0.16.25) | Yes | Cilium 1.15 and newer |
 ## Capabilities
diff --git a/RELEASE.md b/RELEASE.md
index 7b1b16ee15..08ed6d076d 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -19,7 +19,7 @@ table](https://github.com/cilium/cilium-cli#releases) for the most recent suppor
 Set `RELEASE` environment variable to the new version. This variable will be used in the commands throughout the documenat to allow copy-pasting.
- export RELEASE=v0.16.25
+ export RELEASE=v0.16.26
 ## Update local checkout
diff --git a/go.mod b/go.mod
index 0d76f59c37..29ee897b12 100644
--- a/go.mod
+++ b/go.mod
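Review bot: In .github/workflows/kind.yaml, both `cilium upgrade` steps (the $CLUSTER1 one and the $CLUSTER2 one) splice `${{ env.cilium_version }}` directly into the `run:` script text, so the value is substituted by the Actions expression engine before the shell ever parses the command. Where `cilium_version` is assigned is not visible in these hunks; if it is ever derived from a workflow input, a ref name or other event data, its content would be read as shell syntax rather than as a single argument. Because `env` entries are also exported into the step's process environment, the flag can take the value at run time and quoted instead: `--version="${cilium_version}" \`. The `run:` blocks and the enclosing job start outside the hunks.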
@@ -4,16 +4,16 @@ module github.com/cilium/cilium-cli
 go 1.23.0
 // Replace directives from github.com/cilium/cilium. Keep in sync when updating Cilium!
-// Copied from https://github.com/cilium/cilium/blob/a50d083bc18f52d676d296ba2ed20ba97d27c13c/go.mod#L318-L320
+// Copied from https://github.com/cilium/cilium/blob/47d3a25180a23beeb205daadd3ff3e67cd6766d4/go.mod#L320-L322
 // Using private fork of controller-tools. See commit msg for more context
 // as to why we are using a private fork.
 replace sigs.k8s.io/controller-tools => github.com/cilium/controller-tools v0.16.5-1
-require github.com/cilium/cilium v1.17.0-pre.3.0.20250129155153-a50d083bc18f
+require github.com/cilium/cilium v1.17.0-pre.3.0.20250218164107-47d3a25180a2
 require (
- cel.dev/expr v0.18.0 // indirect
+ cel.dev/expr v0.19.1 // indirect
 dario.cat/mergo v1.0.1 // indirect
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
@@ -29,15 +29,15 @@ require (
 github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/chai2010/gettext-go v1.0.2 // indirect
- github.com/cilium/charts v0.0.0-20250122005123-9aa3c2db578d // indirect
+ github.com/cilium/charts v0.0.0-20250204154402-8a35f8210901 // indirect
 github.com/cilium/ebpf v0.17.1 // indirect
- github.com/cilium/hive v0.0.0-20250121145729-e67f66eb0375 // indirect
- github.com/cilium/proxy v0.0.0-20241219105110-b2e1bb5839df // indirect
- github.com/cilium/statedb v0.3.5 // indirect
+ github.com/cilium/hive v0.0.0-20250217113459-914947d44393 // indirect
+ github.com/cilium/proxy v0.0.0-20250214115704-3e4b99dc5d1f // indirect
+ github.com/cilium/statedb v0.3.6 // indirect
 github.com/cilium/stream v0.0.0-20241203114243-53c3e5d79744 // indirect
 github.com/cilium/workerpool v1.2.0 // indirect
 github.com/cloudflare/cfssl v1.6.5 // indirect
- github.com/cncf/xds/go v0.0.0-20241213214725-57cfbe6fad57 // indirect
+ github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 // indirect
 github.com/containerd/containerd v1.7.24 // indirect
 github.com/containerd/errdefs v0.3.0 // indirect
 github.com/containerd/log v0.1.0 // indirect
@@ -54,8 +54,8 @@ require (
 github.com/docker/go-connections v0.5.0 // indirect
 github.com/docker/go-metrics v0.0.1 // indirect
 github.com/emicklei/go-restful/v3 v3.12.0 // indirect
- github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
- github.com/evanphx/json-patch v5.9.0+incompatible // indirect
+ github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+ github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 github.com/fatih/color v1.18.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -98,6 +98,7 @@ require (
 github.com/hashicorp/go-hclog v1.6.3 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
 github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
+ github.com/hmarr/codeowners v1.2.1 // indirect
 github.com/huandu/xstrings v1.5.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/jmoiron/sqlx v1.4.0 // indirect
@@ -130,7 +131,7 @@ require (
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.0 // indirect
 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
- github.com/osrg/gobgp/v3 v3.33.0 // indirect
+ github.com/osrg/gobgp/v3 v3.34.0 // indirect
 github.com/pelletier/go-toml v1.9.5 // indirect
 github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
@@ -153,10 +154,10 @@ require (
 github.com/spf13/afero v1.12.0 // indirect
 github.com/spf13/cast v1.7.1 // indirect
 github.com/spf13/cobra v1.8.1 // indirect
- github.com/spf13/pflag v1.0.6-0.20250109003754-5ca813443bd2 // indirect
+ github.com/spf13/pflag v1.0.6 // indirect
 github.com/spf13/viper v1.19.0 // indirect
 github.com/subosito/gotenv v1.6.0 // indirect
- github.com/vishvananda/netlink v1.3.1-0.20250121061148-364253875734 // indirect
+ github.com/vishvananda/netlink v1.3.1-0.20250209162617-655392bc778a // indirect
 github.com/vishvananda/netns v0.0.5 // indirect
 github.com/weppos/publicsuffix-go v0.30.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
@@ -166,49 +167,49 @@ require (
 github.com/xlab/treeprint v1.2.0 // indirect
 github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300 // indirect
 github.com/zmap/zlint/v3 v3.5.0 // indirect
- go.etcd.io/etcd/api/v3 v3.5.17 // indirect
- go.etcd.io/etcd/client/pkg/v3 v3.5.17 // indirect
- go.etcd.io/etcd/client/v3 v3.5.17 // indirect
+ go.etcd.io/etcd/api/v3 v3.5.18 // indirect
+ go.etcd.io/etcd/client/pkg/v3 v3.5.18 // indirect
+ go.etcd.io/etcd/client/v3 v3.5.18 // indirect
 go.mongodb.org/mongo-driver v1.14.0 // indirect
 go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
 go.opentelemetry.io/otel v1.34.0 // indirect
 go.opentelemetry.io/otel/metric v1.34.0 // indirect
 go.opentelemetry.io/otel/trace v1.34.0 // indirect
- go.opentelemetry.io/proto/otlp v1.4.0 // indirect
+ go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 go.uber.org/dig v1.17.1 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.0 // indirect
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
- golang.org/x/crypto v0.32.0 // indirect
+ golang.org/x/crypto v0.33.0 // indirect
 golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect
- golang.org/x/net v0.34.0 // indirect
- golang.org/x/oauth2 v0.25.0 // indirect
- golang.org/x/sync v0.10.0 // indirect
- golang.org/x/sys v0.29.0 // indirect
- golang.org/x/term v0.28.0 // indirect
- golang.org/x/text v0.21.0 // indirect
- golang.org/x/time v0.9.0 // indirect
- golang.org/x/tools v0.29.0 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20241216192217-9240e9c98484 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20250122153221-138b5a5a4fd4 // indirect
- google.golang.org/grpc v1.69.4 // indirect
- google.golang.org/protobuf v1.36.3 // indirect
+ golang.org/x/net v0.35.0 // indirect
+ golang.org/x/oauth2 v0.26.0 // indirect
+ golang.org/x/sync v0.11.0 // indirect
+ golang.org/x/sys v0.30.0 // indirect
+ golang.org/x/term v0.29.0 // indirect
+ golang.org/x/text v0.22.0 // indirect
+ golang.org/x/time v0.10.0 // indirect
+ golang.org/x/tools v0.30.0 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20250207221924-e9438ea467c6 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6 // indirect
+ google.golang.org/grpc v1.70.0 // indirect
+ google.golang.org/protobuf v1.36.5 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 helm.sh/helm/v3 v3.17.0 // indirect
- k8s.io/api v0.32.1 // indirect
- k8s.io/apiextensions-apiserver v0.32.1 // indirect
- k8s.io/apimachinery v0.32.1 // indirect
- k8s.io/apiserver v0.32.1 // indirect
- k8s.io/cli-runtime v0.32.1 // indirect
- k8s.io/client-go v0.32.1 // indirect
- k8s.io/component-base v0.32.1 // indirect
+ k8s.io/api v0.32.2 // indirect
+ k8s.io/apiextensions-apiserver v0.32.2 // indirect
+ k8s.io/apimachinery v0.32.2 // indirect
+ k8s.io/apiserver v0.32.2 // indirect
+ k8s.io/cli-runtime v0.32.2 // indirect
+ k8s.io/client-go v0.32.2 // indirect
+ k8s.io/component-base v0.32.2 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
 k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
- k8s.io/kubectl v0.32.1 // indirect
+ k8s.io/kubectl v0.32.2 // indirect
 k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
 oras.land/oras-go v1.2.5 // indirect
 sigs.k8s.io/controller-runtime v0.20.1 // indirect
@@ -216,7 +217,7 @@ require (
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 sigs.k8s.io/kustomize/api v0.18.0 // indirect
 sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
- sigs.k8s.io/mcs-api v0.1.1-0.20250116162235-62ede9a032dc // indirect
+ sigs.k8s.io/mcs-api v0.1.1-0.20250129110323-a7986579439f // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 sigs.k8s.io/yaml v1.4.0 // indirect
 )
diff --git a/go.sum b/go.sum index 3637569d79..cf0adafa02 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,5 @@ -cel.dev/expr v0.18.0 h1:CJ6drgk+Hf96lkLikr4rFf19WrU0BOWEihyZnI2TAzo= -cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= +cel.dev/expr v0.19.1 h1:NciYrtDRIR0lNCnH1LFJegdjspNx9fI59O7TWcua/W4= +cel.dev/expr v0.19.1/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= 
@@ -54,26 +54,26 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= -github.com/cilium/charts v0.0.0-20250122005123-9aa3c2db578d h1:LHfNg3xAHRnM/lhlG/nqFf7gQOXwaOg4AvsK5wVJi8M= -github.com/cilium/charts v0.0.0-20250122005123-9aa3c2db578d/go.mod h1:M3C9VOlFvRzuV+a01t07Tw4uFLSfkCH3L542IWjf6BU= -github.com/cilium/cilium v1.17.0-pre.3.0.20250129155153-a50d083bc18f h1:NPkFHPlXg7SDNIHl3ZC5x6kQ3dGjFjoehy2V423iQkI= -github.com/cilium/cilium v1.17.0-pre.3.0.20250129155153-a50d083bc18f/go.mod h1:bRqIXIkzYoKPyPNHSe2fEc1yfOhpNqvCtC/kKfseDcE= +github.com/cilium/charts v0.0.0-20250204154402-8a35f8210901 h1:5RH3uJeR2kGU2uOdEHh/dzFgFMaSi5wKQbGolcYUFBc= +github.com/cilium/charts v0.0.0-20250204154402-8a35f8210901/go.mod h1:M3C9VOlFvRzuV+a01t07Tw4uFLSfkCH3L542IWjf6BU= +github.com/cilium/cilium v1.17.0-pre.3.0.20250218164107-47d3a25180a2 h1:BOt1It3Exdl0NxlQezP5+h2caHUSLDunM+uG7bvpzas= +github.com/cilium/cilium v1.17.0-pre.3.0.20250218164107-47d3a25180a2/go.mod h1:U6j/2Tl7I6S57sGhFTy0hs9LXkeOlJsTNAlCyW/gvLw= github.com/cilium/ebpf v0.17.1 h1:G8mzU81R2JA1nE5/8SRubzqvBMmAmri2VL8BIZPWvV0= github.com/cilium/ebpf v0.17.1/go.mod h1:vay2FaYSmIlv3r8dNACd4mW/OCaZLJKJOo+IHBvCIO8= -github.com/cilium/hive v0.0.0-20250121145729-e67f66eb0375 h1:EhoCO0AI3qJavnhfAls4w7VpVVpAr12wIh293sNA0hQ= -github.com/cilium/hive v0.0.0-20250121145729-e67f66eb0375/go.mod h1:pI2GJ1n3SLKIQVFrKF7W6A6gb6BQkZ+3Hp4PAEo5SuI= -github.com/cilium/proxy v0.0.0-20241219105110-b2e1bb5839df h1:wrv1jOKhBnFOhHb9jpE/C6Fm2kaXUDvT0HrdoeETLnQ= -github.com/cilium/proxy v0.0.0-20241219105110-b2e1bb5839df/go.mod h1:BsqJTwrsaSy5DsyH+y5zATYYCsg8/fc/K0qnsNM+43A= -github.com/cilium/statedb v0.3.5 h1:/lN7noYjC+JP6+fII7dhUNRS2FuLrlE0CtNOtuBtI9c= 
-github.com/cilium/statedb v0.3.5/go.mod h1:n2lNVxi8vz5Up1Y1rRD++aQP2izQA932fUwTkedKSV0= +github.com/cilium/hive v0.0.0-20250217113459-914947d44393 h1:x2VYGSK1hnX6N7j2V6rtIDN0E+dO6ozTyYz8iYOugD8= +github.com/cilium/hive v0.0.0-20250217113459-914947d44393/go.mod h1:pI2GJ1n3SLKIQVFrKF7W6A6gb6BQkZ+3Hp4PAEo5SuI= +github.com/cilium/proxy v0.0.0-20250214115704-3e4b99dc5d1f h1:e+c0sFbzPfKjDtsG06uZah+aqpDycdpGF/StqtaUg7Y= +github.com/cilium/proxy v0.0.0-20250214115704-3e4b99dc5d1f/go.mod h1:WcTUEfsCIVY9uvjRLUvl0G+G7RiK5BfOVdg/LknXMpk= +github.com/cilium/statedb v0.3.6 h1:dGwzZTJgVWlnG7io0Wl0XsI7ULsz2TbNqH8Ag+dP6is= +github.com/cilium/statedb v0.3.6/go.mod h1:n2lNVxi8vz5Up1Y1rRD++aQP2izQA932fUwTkedKSV0= github.com/cilium/stream v0.0.0-20241203114243-53c3e5d79744 h1:f+CgYUy2YyZ2EX31QSqf3vwFiJJQSAMIQLn4d3QQYno= github.com/cilium/stream v0.0.0-20241203114243-53c3e5d79744/go.mod h1:/e83AwqvNKpyg4n3C41qmnmj1x2G9DwzI+jb7GkF4lI= github.com/cilium/workerpool v1.2.0 h1:Wc2iOPTvCgWKQXeq4L5tnx4QFEI+z5q1+bSpSS0cnAY= github.com/cilium/workerpool v1.2.0/go.mod h1:GOYJhwlnIjR+jWSDNBb5kw47G1H/XA9X4WOBpgr4pQU= github.com/cloudflare/cfssl v1.6.5 h1:46zpNkm6dlNkMZH/wMW22ejih6gIaJbzL2du6vD7ZeI= github.com/cloudflare/cfssl v1.6.5/go.mod h1:Bk1si7sq8h2+yVEDrFJiz3d7Aw+pfjjJSZVaD+Taky4= -github.com/cncf/xds/go v0.0.0-20241213214725-57cfbe6fad57 h1:put7Je9ZyxbHtwr7IqGrW4LLVUupJQ2gbsDshKISSgU= -github.com/cncf/xds/go v0.0.0-20241213214725-57cfbe6fad57/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 h1:Om6kYQYDUk5wWbT0t0q6pvyM49i9XZAv9dDrkDA7gjk= +github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw= github.com/containerd/containerd v1.7.24 h1:zxszGrGjrra1yYJW/6rhm9cJ1ZQ8rkKBR48brqsa7nA= 
@@ -121,10 +121,10 @@ github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1 h1:ZClxb8laGDf5arX github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE= github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= -github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= -github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= -github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8= +github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU= +github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8= +github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= 
@@ -181,7 +181,6 @@ github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZs github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= @@ -254,6 +253,8 @@ github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+l github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= +github.com/hmarr/codeowners v1.2.1 h1:+9yndrwG0UVP1GkLBEQMSbSUNeLpbrbL924SRthA/9k= +github.com/hmarr/codeowners v1.2.1/go.mod h1:KPlR1p/B4owPjwfNIBueWlOP4CmqlQFX9b6nANG6j40= github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= 
@@ -369,8 +370,8 @@ github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQ github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A= github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mod h1:AC62GU6hc0BrNm+9RK9VSiwa/EUe1bkIeFORAMcHvJU= -github.com/osrg/gobgp/v3 v3.33.0 h1:G8NlY1gzz0DOfiwfiYv2++vWpPLm+CMAKYRVzSmaJow= -github.com/osrg/gobgp/v3 v3.33.0/go.mod h1:8m+kgkdaWrByxg5EWpNUO2r/mopodrNBOUBhMnW/yGQ= +github.com/osrg/gobgp/v3 v3.34.0 h1:DDIWsAIE7j1dwhSV3tGsTKs9OO8MTOS4atErebZxTtA= +github.com/osrg/gobgp/v3 v3.34.0/go.mod h1:l2nPaHaLmIoKbFxMUzKon/h6c9BTzCp5zJI9Dhnrx5c= github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8= github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= 
@@ -443,8 +444,8 @@ github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cA github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/pflag v1.0.6-0.20250109003754-5ca813443bd2 h1:VXx/BSJSJC/DjbDkZMZw8MhF9at8Rxo5I0PrDA5Bui4= -github.com/spf13/pflag v1.0.6-0.20250109003754-5ca813443bd2/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= +github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI= github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -467,8 +468,8 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= -github.com/vishvananda/netlink v1.3.1-0.20250121061148-364253875734 h1:JORba7blBByKVn3heVQNxLZqLl5PZn/5Dzao98bVH7A= -github.com/vishvananda/netlink v1.3.1-0.20250121061148-364253875734/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs= +github.com/vishvananda/netlink v1.3.1-0.20250209162617-655392bc778a h1:P8YrhmisX/O76LxBpE0Bj9jk3WEzO/tYVv+HHRQsrQQ= +github.com/vishvananda/netlink v1.3.1-0.20250209162617-655392bc778a/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs= github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY= github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= 
@@ -508,12 +509,12 @@ github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300/go.mod h1:mOd4yUMgn2f github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8= github.com/zmap/zlint/v3 v3.5.0 h1:Eh2B5t6VKgVH0DFmTwOqE50POvyDhUaU9T2mJOe1vfQ= github.com/zmap/zlint/v3 v3.5.0/go.mod h1:JkNSrsDJ8F4VRtBZcYUQSvnWFL7utcjDIn+FE64mlBI= -go.etcd.io/etcd/api/v3 v3.5.17 h1:cQB8eb8bxwuxOilBpMJAEo8fAONyrdXTHUNcMd8yT1w= -go.etcd.io/etcd/api/v3 v3.5.17/go.mod h1:d1hvkRuXkts6PmaYk2Vrgqbv7H4ADfAKhyJqHNLJCB4= -go.etcd.io/etcd/client/pkg/v3 v3.5.17 h1:XxnDXAWq2pnxqx76ljWwiQ9jylbpC4rvkAeRVOUKKVw= -go.etcd.io/etcd/client/pkg/v3 v3.5.17/go.mod h1:4DqK1TKacp/86nJk4FLQqo6Mn2vvQFBmruW3pP14H/w= -go.etcd.io/etcd/client/v3 v3.5.17 h1:o48sINNeWz5+pjy/Z0+HKpj/xSnBkuVhVvXkjEXbqZY= -go.etcd.io/etcd/client/v3 v3.5.17/go.mod h1:j2d4eXTHWkT2ClBgnnEPm/Wuu7jsqku41v9DZ3OtjQo= +go.etcd.io/etcd/api/v3 v3.5.18 h1:Q4oDAKnmwqTo5lafvB+afbgCDF7E35E4EYV2g+FNGhs= +go.etcd.io/etcd/api/v3 v3.5.18/go.mod h1:uY03Ob2H50077J7Qq0DeehjM/A9S8PhVfbQ1mSaMopU= +go.etcd.io/etcd/client/pkg/v3 v3.5.18 h1:mZPOYw4h8rTk7TeJ5+3udUkfVGBqc+GCjOJYd68QgNM= +go.etcd.io/etcd/client/pkg/v3 v3.5.18/go.mod h1:BxVf2o5wXG9ZJV+/Cu7QNUiJYk4A29sAhoI5tIRsCu4= +go.etcd.io/etcd/client/v3 v3.5.18 h1:nvvYmNHGumkDjZhTHgVU36A9pykGa2K4lAJ0yY7hcXA= +go.etcd.io/etcd/client/v3 v3.5.18/go.mod h1:kmemwOsPU9broExyhYsBxX4spCTDX3yLgPMWtpBXG6E= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= 
@@ -526,14 +527,14 @@ go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY= go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI= go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ= go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE= -go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk= -go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0= -go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc= -go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8= +go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4= +go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU= +go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU= +go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ= go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k= go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE= -go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg= -go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY= +go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4= +go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4= go.uber.org/dig v1.17.1 h1:Tga8Lz8PcYNsWsyHMZ1Vm0OQOUaJNDyvPImgbAu9YSc= go.uber.org/dig v1.17.1/go.mod h1:Us0rSJiThwCv2GteUN0Q7OKvU7n5J4dxZ9JKUXozFdE= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -552,16 +553,16 @@ golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWP golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc= -golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc= +golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus= +golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M= golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI= golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= -golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= +golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM= +golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -576,10 +577,10 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0= -golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k= -golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70= -golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8= +golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk= +golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE= +golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -587,8 +588,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= -golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w= +golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -614,45 +615,45 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU= -golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= +golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg= -golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek= +golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU= +golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.21.0 
h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= -golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= -golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= -golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= +golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= +golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4= +golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE= -golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588= +golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY= +golang.org/x/tools v0.30.0/go.mod h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
-google.golang.org/genproto/googleapis/api v0.0.0-20241216192217-9240e9c98484 h1:ChAdCYNQFDk5fYvFZMywKLIijG7TC2m1C2CMEu11G3o= -google.golang.org/genproto/googleapis/api v0.0.0-20241216192217-9240e9c98484/go.mod h1:KRUmxRI4JmbpAm8gcZM4Jsffi859fo5LQjILwuqj9z8= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250122153221-138b5a5a4fd4 h1:yrTuav+chrF0zF/joFGICKTzYv7mh/gr9AgEXrVU8ao= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250122153221-138b5a5a4fd4/go.mod h1:+2Yz8+CLJbIfL9z73EW45avw8Lmge3xVElCP9zEKi50= -google.golang.org/grpc v1.69.4 h1:MF5TftSMkd8GLw/m0KM6V8CMOCY6NZ1NQDPGFgbTt4A= -google.golang.org/grpc v1.69.4/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4= -google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU= -google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/genproto/googleapis/api v0.0.0-20250207221924-e9438ea467c6 h1:L9JNMl/plZH9wmzQUHleO/ZZDSN+9Gh41wPczNy+5Fk= +google.golang.org/genproto/googleapis/api v0.0.0-20250207221924-e9438ea467c6/go.mod h1:iYONQfRdizDB8JJBybql13nArx91jcUk7zCXEsOofM4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6 h1:2duwAxN2+k0xLNpjnHTXoMUgnv6VPSp5fiqTuwSxjmI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6/go.mod h1:8BS3B93F/U1juMFq9+EDk+qOT5CO1R9IzXxG3PTqiRk= +google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ= +google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw= +google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= +google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -676,26 +677,26 @@ gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY= gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= helm.sh/helm/v3 v3.17.0 h1:DUD4AGdNVn7PSTYfxe1gmQG7s18QeWv/4jI9TubnhT0= helm.sh/helm/v3 v3.17.0/go.mod h1:Mo7eGyKPPHlS0Ml67W8z/lbkox/gD9Xt1XpD6bxvZZA= -k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc= -k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k= -k8s.io/apiextensions-apiserver v0.32.1 h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw= -k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto= -k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs= -k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= -k8s.io/apiserver v0.32.1 h1:oo0OozRos66WFq87Zc5tclUX2r0mymoVHRq8JmR7Aak= -k8s.io/apiserver v0.32.1/go.mod h1:UcB9tWjBY7aryeI5zAgzVJB/6k7E97bkr1RgqDz0jPw= -k8s.io/cli-runtime v0.32.1 h1:19nwZPlYGJPUDbhAxDIS2/oydCikvKMHsxroKNGA2mM= -k8s.io/cli-runtime v0.32.1/go.mod h1:NJPbeadVFnV2E7B7vF+FvU09mpwYlZCu8PqjzfuOnkY= -k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU= -k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg= -k8s.io/component-base v0.32.1 h1:/5IfJ0dHIKBWysGV0yKTFfacZ5yNV1sulPh3ilJjRZk= -k8s.io/component-base v0.32.1/go.mod h1:j1iMMHi/sqAHeG5z+O9BFNCF698a1u0186zkjMZQ28w= +k8s.io/api v0.32.2 h1:bZrMLEkgizC24G9eViHGOPbW+aRo9duEISRIJKfdJuw= +k8s.io/api v0.32.2/go.mod h1:hKlhk4x1sJyYnHENsrdCWw31FEmCijNGPJO5WzHiJ6Y= +k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4= +k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA= +k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ= +k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= +k8s.io/apiserver v0.32.2 
h1:WzyxAu4mvLkQxwD9hGa4ZfExo3yZZaYzoYvvVDlM6vw= +k8s.io/apiserver v0.32.2/go.mod h1:PEwREHiHNU2oFdte7BjzA1ZyjWjuckORLIK/wLV5goM= +k8s.io/cli-runtime v0.32.2 h1:aKQR4foh9qeyckKRkNXUccP9moxzffyndZAvr+IXMks= +k8s.io/cli-runtime v0.32.2/go.mod h1:a/JpeMztz3xDa7GCyyShcwe55p8pbcCVQxvqZnIwXN8= +k8s.io/client-go v0.32.2 h1:4dYCD4Nz+9RApM2b/3BtVvBHw54QjMFUl1OLcJG5yOA= +k8s.io/client-go v0.32.2/go.mod h1:fpZ4oJXclZ3r2nDOv+Ux3XcJutfrwjKTCHz2H3sww94= +k8s.io/component-base v0.32.2 h1:1aUL5Vdmu7qNo4ZsE+569PV5zFatM9hl+lb3dEea2zU= +k8s.io/component-base v0.32.2/go.mod h1:PXJ61Vx9Lg+P5mS8TLd7bCIr+eMJRQTyXe8KvkrvJq0= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y= k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4= -k8s.io/kubectl v0.32.1 h1:/btLtXLQUU1rWx8AEvX9jrb9LaI6yeezt3sFALhB8M8= -k8s.io/kubectl v0.32.1/go.mod h1:sezNuyWi1STk4ZNPVRIFfgjqMI6XMf+oCVLjZen/pFQ= +k8s.io/kubectl v0.32.2 h1:TAkag6+XfSBgkqK9I7ZvwtF0WVtUAvK8ZqTt+5zi1Us= +k8s.io/kubectl v0.32.2/go.mod h1:+h/NQFSPxiDZYX/WZaWw9fwYezGLISP0ud8nQKg+3g8= k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0= k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo= 
@@ -710,8 +711,8 @@ sigs.k8s.io/kustomize/api v0.18.0 h1:hTzp67k+3NEVInwz5BHyzc9rGxIauoXferXyjv5lWPo
 sigs.k8s.io/kustomize/api v0.18.0/go.mod h1:f8isXnX+8b+SGLHQ6yO4JG1rdkZlvhaCf/uZbLVMb0U=
 sigs.k8s.io/kustomize/kyaml v0.18.1 h1:WvBo56Wzw3fjS+7vBjN6TeivvpbW9GmRaWZ9CIVmt4E=
 sigs.k8s.io/kustomize/kyaml v0.18.1/go.mod h1:C3L2BFVU1jgcddNBE1TxuVLgS46TjObMwW5FT9FcjYo=
-sigs.k8s.io/mcs-api v0.1.1-0.20250116162235-62ede9a032dc h1:oQrn1nrTacXiaXEYg+0TozPznSDIHFl2U/KZ5UFiYT8=
-sigs.k8s.io/mcs-api v0.1.1-0.20250116162235-62ede9a032dc/go.mod h1:Uicqc5FnWP4dco2y7+AEg2mzNN20mVX1TDB3aDfmvhc=
+sigs.k8s.io/mcs-api v0.1.1-0.20250129110323-a7986579439f h1:VUD0/ipPthw+Q6eLYtbEPfStDidsKavey7fTKw+U30M=
+sigs.k8s.io/mcs-api v0.1.1-0.20250129110323-a7986579439f/go.mod h1:M1Zjh0Jn/Z5e/2JHsZyEeLMw0qGBBmkJqEOc+OceERY=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
diff --git a/vendor/github.com/cilium/charts/README.md b/vendor/github.com/cilium/charts/README.md
index fb414cf4cc..8521919ba6 100644
--- a/vendor/github.com/cilium/charts/README.md
+++ b/vendor/github.com/cilium/charts/README.md
@@ -1,5 +1,7 @@ This repository holds helm templates for the following Cilium releases: +* [v1.17.0](https://github.com/cilium/cilium/releases/tag/v1.17.0) (_[source](https://github.com/cilium/cilium/tree/v1.17.0/install/kubernetes/cilium)_) +* [v1.17.0-rc.2](https://github.com/cilium/cilium/releases/tag/v1.17.0-rc.2) (_[source](https://github.com/cilium/cilium/tree/v1.17.0-rc.2/install/kubernetes/cilium)_) * [v1.17.0-rc.1](https://github.com/cilium/cilium/releases/tag/v1.17.0-rc.1) (_[source](https://github.com/cilium/cilium/tree/v1.17.0-rc.1/install/kubernetes/cilium)_) * [v1.17.0-rc.0](https://github.com/cilium/cilium/releases/tag/v1.17.0-rc.0) (_[source](https://github.com/cilium/cilium/tree/v1.17.0-rc.0/install/kubernetes/cilium)_) * [v1.17.0-pre.3](https://github.com/cilium/cilium/releases/tag/v1.17.0-pre.3) (_[source](https://github.com/cilium/cilium/tree/v1.17.0-pre.3/install/kubernetes/cilium)_) diff --git a/vendor/github.com/cilium/charts/cilium-1.17.0-rc.2.tgz b/vendor/github.com/cilium/charts/cilium-1.17.0-rc.2.tgz new file mode 100644 index 0000000000..a8352efe1c Binary files /dev/null and b/vendor/github.com/cilium/charts/cilium-1.17.0-rc.2.tgz differ diff --git a/vendor/github.com/cilium/charts/cilium-1.17.0.tgz b/vendor/github.com/cilium/charts/cilium-1.17.0.tgz new file mode 100644 index 0000000000..9bcc105504 Binary files /dev/null and b/vendor/github.com/cilium/charts/cilium-1.17.0.tgz differ diff --git a/vendor/github.com/cilium/charts/index.yaml b/vendor/github.com/cilium/charts/index.yaml index f9aa9b5f38..86c23d64f8 100644 --- a/vendor/github.com/cilium/charts/index.yaml +++ b/vendor/github.com/cilium/charts/index.yaml 
@@ -1,6 +1,218 @@ apiVersion: v1 entries: cilium: + - annotations: + artifacthub.io/crds: "- kind: CiliumNetworkPolicy\n version: v2\n name: ciliumnetworkpolicies.cilium.io\n + \ displayName: Cilium Network Policy\n description: |\n Cilium Network + Policies provide additional functionality beyond what\n is provided by + standard Kubernetes NetworkPolicy such as the ability\n to allow traffic + based on FQDNs, or to filter at Layer 7.\n- kind: CiliumClusterwideNetworkPolicy\n + \ version: v2\n name: ciliumclusterwidenetworkpolicies.cilium.io\n displayName: + Cilium Clusterwide Network Policy\n description: |\n Cilium Clusterwide + Network Policies support configuring network traffic\n policiies across + the entire cluster, including applying node firewalls.\n- kind: CiliumExternalWorkload\n + \ version: v2\n name: ciliumexternalworkloads.cilium.io\n displayName: Cilium + External Workload\n description: |\n Cilium External Workload supports + configuring the ability for external\n non-Kubernetes workloads to join + the cluster.\n- kind: CiliumLocalRedirectPolicy\n version: v2\n name: ciliumlocalredirectpolicies.cilium.io\n + \ displayName: Cilium Local Redirect Policy\n description: |\n Cilium + Local Redirect Policy allows local redirects to be configured\n within + a node to support use cases like Node-Local DNS or KIAM.\n- kind: CiliumNode\n + \ version: v2\n name: ciliumnodes.cilium.io\n displayName: Cilium Node\n + \ description: |\n Cilium Node represents a node managed by Cilium. 
It + contains a\n specification to control various node specific configuration + aspects\n and a status section to represent the status of the node.\n- + kind: CiliumIdentity\n version: v2\n name: ciliumidentities.cilium.io\n + \ displayName: Cilium Identity\n description: |\n Cilium Identity allows + introspection into security identities that\n Cilium allocates which identify + sets of labels that are assigned to\n individual endpoints in the cluster.\n- + kind: CiliumEndpoint\n version: v2\n name: ciliumendpoints.cilium.io\n displayName: + Cilium Endpoint\n description: |\n Cilium Endpoint represents the status + of individual pods or nodes in\n the cluster which are managed by Cilium, + including enforcement status,\n IP addressing and whether the networking + is successfully operational.\n- kind: CiliumEndpointSlice\n version: v2alpha1\n + \ name: ciliumendpointslices.cilium.io\n displayName: Cilium Endpoint Slice\n + \ description: |\n Cilium Endpoint Slice represents the status of groups + of pods or nodes\n in the cluster which are managed by Cilium, including + enforcement status,\n IP addressing and whether the networking is successfully + operational.\n- kind: CiliumEgressGatewayPolicy\n version: v2\n name: ciliumegressgatewaypolicies.cilium.io\n + \ displayName: Cilium Egress Gateway Policy\n description: |\n Cilium + Egress Gateway Policy provides control over the way that traffic\n leaves + the cluster and which source addresses to use for that traffic.\n- kind: CiliumClusterwideEnvoyConfig\n + \ version: v2\n name: ciliumclusterwideenvoyconfigs.cilium.io\n displayName: + Cilium Clusterwide Envoy Config\n description: |\n Cilium Clusterwide + Envoy Config specifies Envoy resources and K8s service mappings\n to be + provisioned into Cilium host proxy instances in cluster context.\n- kind: + CiliumEnvoyConfig\n version: v2\n name: ciliumenvoyconfigs.cilium.io\n displayName: + Cilium Envoy Config\n description: |\n Cilium Envoy Config specifies Envoy + 
resources and K8s service mappings\n to be provisioned into Cilium host + proxy instances in namespace context.\n- kind: CiliumBGPPeeringPolicy\n version: + v2alpha1\n name: ciliumbgppeeringpolicies.cilium.io\n displayName: Cilium + BGP Peering Policy\n description: |\n Cilium BGP Peering Policy instructs + Cilium to create specific BGP peering\n configurations.\n- kind: CiliumBGPClusterConfig\n + \ version: v2alpha1\n name: ciliumbgpclusterconfigs.cilium.io\n displayName: + Cilium BGP Cluster Config\n description: |\n Cilium BGP Cluster Config + instructs Cilium operator to create specific BGP cluster\n configurations.\n- + kind: CiliumBGPPeerConfig\n version: v2alpha1\n name: ciliumbgppeerconfigs.cilium.io\n + \ displayName: Cilium BGP Peer Config\n description: |\n CiliumBGPPeerConfig + is a common set of BGP peer configurations. It can be referenced \n by + multiple peers from CiliumBGPClusterConfig.\n- kind: CiliumBGPAdvertisement\n + \ version: v2alpha1\n name: ciliumbgpadvertisements.cilium.io\n displayName: + Cilium BGP Advertisement\n description: |\n CiliumBGPAdvertisement is + used to define source of BGP advertisement as well as BGP attributes \n to + be advertised with those prefixes.\n- kind: CiliumBGPNodeConfig\n version: + v2alpha1\n name: ciliumbgpnodeconfigs.cilium.io\n displayName: Cilium BGP + Node Config\n description: |\n CiliumBGPNodeConfig is read only node specific + BGP configuration. 
It is constructed by Cilium operator.\n It will also + contain node local BGP state information.\n- kind: CiliumBGPNodeConfigOverride\n + \ version: v2alpha1\n name: ciliumbgpnodeconfigoverrides.cilium.io\n displayName: + Cilium BGP Node Config Override\n description: |\n CiliumBGPNodeConfigOverride + can be used to override node specific BGP configuration.\n- kind: CiliumLoadBalancerIPPool\n + \ version: v2alpha1\n name: ciliumloadbalancerippools.cilium.io\n displayName: + Cilium Load Balancer IP Pool\n description: |\n Defining a Cilium Load + Balancer IP Pool instructs Cilium to assign IPs to LoadBalancer Services.\n- + kind: CiliumNodeConfig\n version: v2alpha1\n name: ciliumnodeconfigs.cilium.io\n + \ displayName: Cilium Node Configuration\n description: |\n CiliumNodeConfig + is a list of configuration key-value pairs. It is applied to\n nodes indicated + by a label selector.\n- kind: CiliumCIDRGroup\n version: v2alpha1\n name: + ciliumcidrgroups.cilium.io\n displayName: Cilium CIDR Group\n description: + |\n CiliumCIDRGroup is a list of CIDRs that can be referenced as a single + entity from CiliumNetworkPolicies.\n- kind: CiliumL2AnnouncementPolicy\n version: + v2alpha1\n name: ciliuml2announcementpolicies.cilium.io\n displayName: Cilium + L2 Announcement Policy\n description: |\n CiliumL2AnnouncementPolicy is + a policy which determines which service IPs will be announced to\n the + local area network, by which nodes, and via which interfaces.\n- kind: CiliumPodIPPool\n + \ version: v2alpha1\n name: ciliumpodippools.cilium.io\n displayName: Cilium + Pod IP Pool\n description: |\n CiliumPodIPPool defines an IP pool that + can be used for pooled IPAM (i.e. 
the multi-pool IPAM mode).\n" + apiVersion: v2 + appVersion: 1.17.0 + created: "2025-02-04T15:44:02.158877648Z" + description: eBPF-based Networking, Security, and Observability + digest: 72a820bf01bb3e02c01856892a0508da92dfc94174f8705c7bcb5dbb15e228fe + home: https://cilium.io/ + icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg + keywords: + - BPF + - eBPF + - Kubernetes + - Networking + - Security + - Observability + - Troubleshooting + kubeVersion: '>= 1.21.0-0' + name: cilium + sources: + - https://github.com/cilium/cilium + urls: + - cilium-1.17.0.tgz + version: 1.17.0 + - annotations: + artifacthub.io/crds: "- kind: CiliumNetworkPolicy\n version: v2\n name: ciliumnetworkpolicies.cilium.io\n + \ displayName: Cilium Network Policy\n description: |\n Cilium Network + Policies provide additional functionality beyond what\n is provided by + standard Kubernetes NetworkPolicy such as the ability\n to allow traffic + based on FQDNs, or to filter at Layer 7.\n- kind: CiliumClusterwideNetworkPolicy\n + \ version: v2\n name: ciliumclusterwidenetworkpolicies.cilium.io\n displayName: + Cilium Clusterwide Network Policy\n description: |\n Cilium Clusterwide + Network Policies support configuring network traffic\n policiies across + the entire cluster, including applying node firewalls.\n- kind: CiliumExternalWorkload\n + \ version: v2\n name: ciliumexternalworkloads.cilium.io\n displayName: Cilium + External Workload\n description: |\n Cilium External Workload supports + configuring the ability for external\n non-Kubernetes workloads to join + the cluster.\n- kind: CiliumLocalRedirectPolicy\n version: v2\n name: ciliumlocalredirectpolicies.cilium.io\n + \ displayName: Cilium Local Redirect Policy\n description: |\n Cilium + Local Redirect Policy allows local redirects to be configured\n within + a node to support use cases like Node-Local DNS or KIAM.\n- kind: CiliumNode\n + \ version: v2\n name: ciliumnodes.cilium.io\n displayName: 
Cilium Node\n + \ description: |\n Cilium Node represents a node managed by Cilium. It + contains a\n specification to control various node specific configuration + aspects\n and a status section to represent the status of the node.\n- + kind: CiliumIdentity\n version: v2\n name: ciliumidentities.cilium.io\n + \ displayName: Cilium Identity\n description: |\n Cilium Identity allows + introspection into security identities that\n Cilium allocates which identify + sets of labels that are assigned to\n individual endpoints in the cluster.\n- + kind: CiliumEndpoint\n version: v2\n name: ciliumendpoints.cilium.io\n displayName: + Cilium Endpoint\n description: |\n Cilium Endpoint represents the status + of individual pods or nodes in\n the cluster which are managed by Cilium, + including enforcement status,\n IP addressing and whether the networking + is successfully operational.\n- kind: CiliumEndpointSlice\n version: v2alpha1\n + \ name: ciliumendpointslices.cilium.io\n displayName: Cilium Endpoint Slice\n + \ description: |\n Cilium Endpoint Slice represents the status of groups + of pods or nodes\n in the cluster which are managed by Cilium, including + enforcement status,\n IP addressing and whether the networking is successfully + operational.\n- kind: CiliumEgressGatewayPolicy\n version: v2\n name: ciliumegressgatewaypolicies.cilium.io\n + \ displayName: Cilium Egress Gateway Policy\n description: |\n Cilium + Egress Gateway Policy provides control over the way that traffic\n leaves + the cluster and which source addresses to use for that traffic.\n- kind: CiliumClusterwideEnvoyConfig\n + \ version: v2\n name: ciliumclusterwideenvoyconfigs.cilium.io\n displayName: + Cilium Clusterwide Envoy Config\n description: |\n Cilium Clusterwide + Envoy Config specifies Envoy resources and K8s service mappings\n to be + provisioned into Cilium host proxy instances in cluster context.\n- kind: + CiliumEnvoyConfig\n version: v2\n name: ciliumenvoyconfigs.cilium.io\n 
displayName: + Cilium Envoy Config\n description: |\n Cilium Envoy Config specifies Envoy + resources and K8s service mappings\n to be provisioned into Cilium host + proxy instances in namespace context.\n- kind: CiliumBGPPeeringPolicy\n version: + v2alpha1\n name: ciliumbgppeeringpolicies.cilium.io\n displayName: Cilium + BGP Peering Policy\n description: |\n Cilium BGP Peering Policy instructs + Cilium to create specific BGP peering\n configurations.\n- kind: CiliumBGPClusterConfig\n + \ version: v2alpha1\n name: ciliumbgpclusterconfigs.cilium.io\n displayName: + Cilium BGP Cluster Config\n description: |\n Cilium BGP Cluster Config + instructs Cilium operator to create specific BGP cluster\n configurations.\n- + kind: CiliumBGPPeerConfig\n version: v2alpha1\n name: ciliumbgppeerconfigs.cilium.io\n + \ displayName: Cilium BGP Peer Config\n description: |\n CiliumBGPPeerConfig + is a common set of BGP peer configurations. It can be referenced \n by + multiple peers from CiliumBGPClusterConfig.\n- kind: CiliumBGPAdvertisement\n + \ version: v2alpha1\n name: ciliumbgpadvertisements.cilium.io\n displayName: + Cilium BGP Advertisement\n description: |\n CiliumBGPAdvertisement is + used to define source of BGP advertisement as well as BGP attributes \n to + be advertised with those prefixes.\n- kind: CiliumBGPNodeConfig\n version: + v2alpha1\n name: ciliumbgpnodeconfigs.cilium.io\n displayName: Cilium BGP + Node Config\n description: |\n CiliumBGPNodeConfig is read only node specific + BGP configuration. 
It is constructed by Cilium operator.\n It will also + contain node local BGP state information.\n- kind: CiliumBGPNodeConfigOverride\n + \ version: v2alpha1\n name: ciliumbgpnodeconfigoverrides.cilium.io\n displayName: + Cilium BGP Node Config Override\n description: |\n CiliumBGPNodeConfigOverride + can be used to override node specific BGP configuration.\n- kind: CiliumLoadBalancerIPPool\n + \ version: v2alpha1\n name: ciliumloadbalancerippools.cilium.io\n displayName: + Cilium Load Balancer IP Pool\n description: |\n Defining a Cilium Load + Balancer IP Pool instructs Cilium to assign IPs to LoadBalancer Services.\n- + kind: CiliumNodeConfig\n version: v2alpha1\n name: ciliumnodeconfigs.cilium.io\n + \ displayName: Cilium Node Configuration\n description: |\n CiliumNodeConfig + is a list of configuration key-value pairs. It is applied to\n nodes indicated + by a label selector.\n- kind: CiliumCIDRGroup\n version: v2alpha1\n name: + ciliumcidrgroups.cilium.io\n displayName: Cilium CIDR Group\n description: + |\n CiliumCIDRGroup is a list of CIDRs that can be referenced as a single + entity from CiliumNetworkPolicies.\n- kind: CiliumL2AnnouncementPolicy\n version: + v2alpha1\n name: ciliuml2announcementpolicies.cilium.io\n displayName: Cilium + L2 Announcement Policy\n description: |\n CiliumL2AnnouncementPolicy is + a policy which determines which service IPs will be announced to\n the + local area network, by which nodes, and via which interfaces.\n- kind: CiliumPodIPPool\n + \ version: v2alpha1\n name: ciliumpodippools.cilium.io\n displayName: Cilium + Pod IP Pool\n description: |\n CiliumPodIPPool defines an IP pool that + can be used for pooled IPAM (i.e. 
the multi-pool IPAM mode).\n" + apiVersion: v2 + appVersion: 1.17.0-rc.2 + created: "2025-01-24T16:21:25.188869058Z" + description: eBPF-based Networking, Security, and Observability + digest: 7fccfe9f3977241a5890f2a429b7ac8e4a778edf56d08fd833773c43b4496dbb + home: https://cilium.io/ + icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg + keywords: + - BPF + - eBPF + - Kubernetes + - Networking + - Security + - Observability + - Troubleshooting + kubeVersion: '>= 1.21.0-0' + name: cilium + sources: + - https://github.com/cilium/cilium + urls: + - cilium-1.17.0-rc.2.tgz + version: 1.17.0-rc.2 - annotations: artifacthub.io/crds: "- kind: CiliumNetworkPolicy\n version: v2\n name: ciliumnetworkpolicies.cilium.io\n \ displayName: Cilium Network Policy\n description: |\n Cilium Network @@ -22069,4 +22281,4 @@ entries: urls: - tetragon-0.8.0.tgz version: 0.8.0 -generated: "2025-01-22T00:49:12.598906696Z" +generated: "2025-02-04T15:44:02.149628206Z" diff --git a/vendor/github.com/cilium/cilium/.authors.aux b/vendor/github.com/cilium/cilium/.authors.aux new file mode 100644 index 0000000000..ece4ffc5ab --- /dev/null +++ b/vendor/github.com/cilium/cilium/.authors.aux @@ -0,0 +1,9 @@ + +The following additional people are mentioned in commit logs as having provided +helpful bug reports, suggestions or have otherwise provided value to the +project: + +Brenden Blanco bblanco@plumgrid.com +Jakub Kicinski jakub.kicinski@netronome.com +Salvatore Orlando salv.orlando@gmail.com +Tomás Senart tsenart@gmail.com diff --git a/vendor/github.com/cilium/cilium/.clang-format b/vendor/github.com/cilium/cilium/.clang-format new file mode 100644 index 0000000000..c41e4c1d98 --- /dev/null +++ b/vendor/github.com/cilium/cilium/.clang-format 
@@ -0,0 +1,180 @@
+# Configuration file for clang-format.
+# Intended for clang-format >= 15.
+#
+# The list and meaning of the options is available at:
+#
+# https://clang.llvm.org/docs/ClangFormatStyleOptions.html
+---
+# BasedOnStyle # No base style in use
+# AccessModifierOffset # We don't use access modifiers
+AlignAfterOpenBracket: Align
+AlignArrayOfStructures: Left
+AlignConsecutiveAssignments: false
+AlignConsecutiveBitFields:
+ Enabled: true
+ AcrossEmptyLines: true
+ AcrossComments: true
+AlignConsecutiveDeclarations: false
+AlignConsecutiveMacros:
+ Enabled: true
+ AcrossEmptyLines: true
+ AcrossComments: true
+AlignEscapedNewlines: Left
+AlignOperands: true
+AlignTrailingComments: true
+AllowAllArgumentsOnNextLine: false
+# AllowAllConstructorInitializersOnNextLine # Deprecated
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortBlocksOnASingleLine: Never
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortEnumsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: None
+AllowShortIfStatementsOnASingleLine: Never
+# AllowShortLambdasOnASingleLine # We don't use lambdas
+AllowShortLoopsOnASingleLine: false
+# AlwaysBreakAfterDefinitionReturnType # Deprecated
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: false
+# AlwaysBreakTemplateDeclarations # We don't use templates
+# AttributeMacros # Unused at this time
+BinPackArguments: true
+BinPackParameters: true
+BitFieldColonSpacing: None
+BraceWrapping:
+ AfterCaseLabel: true
+ # AfterClass # We don't use classes
+ AfterControlStatement: Never
+ AfterEnum: false
+ AfterFunction: true
+ # AfterNamespace # We don't use namespaces
+ # AfterObjCDeclaration # We don't use ObjC
+ AfterStruct: false
+ AfterUnion: false
+ AfterExternBlock: false
+ # BeforeCatch # We don't use try/catch
+ BeforeElse: false
+ # BeforeLambdaBody # We don't use lambdas
+ BeforeWhile: false
+ IndentBraces: false
+ SplitEmptyFunction: true
+ SplitEmptyRecord: true
+ # SplitEmptyNamespace # We don't use namespaces
+# BreakAfterJavaFieldAnnotations # We don't use Java
+BreakBeforeBinaryOperators: None
+BreakBeforeBraces: Custom
+# BreakBeforeConceptDeclarations # We don't use concepts
+BreakBeforeTernaryOperators: false
+# BreakConstructorInitializers # We don't use constructors
+# BreakInheritanceList # We don't use inheritance
+BreakStringLiterals: false
+ColumnLimit: 80
+# CommentPragmas # Unused at this time
+# CompactNamespaces # We don't use namespaces
+# ConstructorInitializerAllOnOneLineOrOnePerLine # Deprecated
+# ConstructorInitializerIndentWidth # We don't use constructors
+ContinuationIndentWidth: 8
+Cpp11BracedListStyle: false
+# DeriveLineEnding # Deprecated
+DerivePointerAlignment: false
+DisableFormat: false
+# EmptyLineAfterAccessModifier # We don't use access modifiers
+# EmptyLineBeforeAccessModifier # We don't use access modifiers
+# ExperimentalAutoDetectBinPacking # Experimental, "Use at your own risk"
+# FixNamespaceComments # We don't use namespaces
+# ForEachMacros # Unused at this time
+# IfMacros # Unused at this time
+IncludeBlocks: Preserve
+# IncludeCategories # Unused at this time
+# IncludeIsMainRegex # Unused at this time
+# IncludeIsMainSourceRegex # Unused at this time
+# IndentAccessModifiers # We don't use access modifiers
+IndentCaseBlocks: false
+IndentCaseLabels: false
+# IndentExternBlock # We don't use extern blocks
+IndentGotoLabels: false
+IndentPPDirectives: AfterHash
+# IndentRequiresClause # We don't use equire clauses
+IndentWidth: 8
+IndentWrappedFunctionNames: false
+InsertBraces: false
+# InsertTrailingCommas # We don't use JavaScript
+# JavaImportGroups # We don't use Java
+# JavaScriptQuotes # We don't use JavaScript
+# JavaScriptWrapImports # We don't use JavaScript
+KeepEmptyLinesAtTheStartOfBlocks: false
+# LambdaBodyIndentation # We don't use lambdas
+Language: Cpp
+# MacroBlockBegin # Unused at this time
+# MacroBlockEnd # Unused at this time
+MaxEmptyLinesToKeep: 1
+# NamespaceIndentation # We don't use namespaces
+# NamespaceMacros # We don't use namespaces
+# ObjCBinPackProtocolList # We don't use ObjC
+# ObjCBlockIndentWidth # We don't use ObjC
+# ObjCBreakBeforeNestedBlockParam # We don't use ObjC
+# ObjCSpaceAfterProperty # We don't use ObjC
+# ObjCSpaceBeforeProtocolList # We don't use ObjC
+PPIndentWidth: 1
+# PackConstructorInitializers # We don't use constructors
+
+# Penalties decide in what order (weighting) things should be done if a line is
+# too long: 100 = try everything else before this.
+# See https://stackoverflow.com/a/46749925
+PenaltyBreakAssignment: 10
+PenaltyBreakBeforeFirstCallParameter: 0
+PenaltyBreakComment: 0
+PenaltyBreakFirstLessLess: 0
+PenaltyBreakOpenParenthesis: 100
+PenaltyBreakString: 10
+# PenaltyBreakTemplateDeclaration # We don't use templates
+PenaltyExcessCharacter: 100
+PenaltyIndentedWhitespace: 100
+PenaltyReturnTypeOnItsOwnLine: 100
+
+PointerAlignment: Right
+QualifierAlignment: Leave
+# QualifierOrder # Unused at this time
+# RawStringFormats # Unused at this time
+# ReferenceAlignment # We don't use references
+ReflowComments: false
+RemoveBracesLLVM: false
+# RequiresClausePosition # We don't use require clauses
+SeparateDefinitionBlocks: Leave
+# ShortNamespaceLines # We don't use namespaces
+SortIncludes: Never
+# SortJavaStaticImport # We don't use Java
+# SortUsingDeclarations # We don't use using declarations
+SpaceAfterCStyleCast: false
+SpaceAfterLogicalNot: false
+# SpaceAfterTemplateKeyword # We don't use templates
+SpaceAroundPointerQualifiers: Default
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCaseColon: false
+# SpaceBeforeCpp11BracedList # We don't use C++11 braced lists to initialize objects
+# SpaceBeforeCtorInitializerColon # We don't use constructors
+# SpaceBeforeInheritanceColon # We don't use inheritance
+SpaceBeforeParens: ControlStatements
+# SpaceBeforeParensOptions # No need for custom SpaceBeforeParens options
+# SpaceBeforeRangeBasedForLoopColon # We don't use range-based for loops
+SpaceBeforeSquareBrackets: false
+SpaceInEmptyBlock: false
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 1
+# SpacesInAngles # We don't use templates
+SpacesInCStyleCastParentheses: false
+SpacesInConditionalStatement: false
+SpacesInContainerLiterals: false
+SpacesInLineCommentPrefix:
+ Minimum: 1
+ Maximum: 1
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+Standard: C++03
+# StatementAttributeLikeMacros # Unused at this time
+# StatementMacros # Unused at this time
+TabWidth: 8
+# TypenameMacros # Unused at this time
+# UseCRLF # Deprecated
+UseTab: Always
+# WhitespaceSensitiveMacros # Unused at this time
+...
diff --git a/vendor/github.com/cilium/cilium/.clomonitor.yml b/vendor/github.com/cilium/cilium/.clomonitor.yml
new file mode 100644
index 0000000000..a5b76a6b13
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/.clomonitor.yml
@@ -0,0 +1,22 @@
+# CLOMonitor metadata file
+
+exemptions:
+ - check: slack_presence
+ reason: "The Cilium slack community can be found at https://slack.cilium.io" # Justification of this exemption
+
+ - check: dangerous_workflow
+ reason: >
+ "It is safe to run code checkout '${{ github.event.pull_request.head.sha }}'
+ and 'github.event.pull_request.head.ref' in .github/workflows/build-images-base.yaml
+ as this workflow is only permitted to be executed after an explicit approval of a
+ subset of committers."
+
+ - check: signed_releases
+ reason: >
+ "All Cilium release images are cryptographically signed during build by cosign.
+ Images are hosted in Quay. OpenSSF Scorecard check is currently limited to repositories
+ hosted on GitHub, and does not support other source hosting repositories."
+
+ - check: token_permissions
+ reason: >
+ "Reason to use every non-read-only token in GitHub workflows is commented in the respective workflow files."
diff --git a/vendor/github.com/cilium/cilium/.gitattributes b/vendor/github.com/cilium/cilium/.gitattributes
new file mode 100644
index 0000000000..f2a9481120
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/.gitattributes
@@ -0,0 +1,18 @@
+/install/kubernetes/cilium/values.yaml.tmpl linguist-language=yml
+/install/kubernetes/cilium/values.yaml linguist-generated
+/install/kubernetes/cilium/README.md linguist-generated
+go.sum linguist-generated
+examples/kubernetes/connectivity-check/connectivity-*.yaml linguist-generated
+pkg/k8s/apis/cilium.io/v2/client/crds/*.yaml linguist-generated
+test/controlplane/**/v1.[0-9][0-9]/*.yaml linguist-generated
+test/controlplane/services/graceful-termination/*.yaml linguist-generated
+Documentation/cmdref/** linguist-generated
+Documentation/crdlist.rst linguist-generated
+Documentation/helm-values.rst linguist-generated
+Documentation/codeowners.rst linguist-generated
+Documentation/_static/* -diff
+*svg -diff
+pkg/k8s/client/clientset/** linguist-generated
+pkg/k8s/client/informers/** linguist-generated
+pkg/k8s/client/listers/** linguist-generated
+*.bt linguist-language=D
diff --git a/vendor/github.com/cilium/cilium/.gitignore b/vendor/github.com/cilium/cilium/.gitignore
new file mode 100644
index 0000000000..184fff7076
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/.gitignore
@@ -0,0 +1,118 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+*.so.*
+*.d
+
+# LLVM IR files
+*.ll
+*.ll-*
+
+# Folders
+_obj
+_test
+_build/
+
+# Architecture specific extensions/prefixes
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+
+*.swn
+*.swp
+.vagrant
+vagrant.kubeconfig
+coverage.out
+coverage-all.out
+coverage-all.html
+coverage-all-tmp.out
+bpf-coverage.html
+bpf-coverage.cover
+
+.DS_Store
+.idea/
+.vscode/*
+!.vscode/launch.json
+!.vscode/extensions.json
+*.plist
+
+*_bash_completion
+*.swo
+outgoing
+
+*cscope.files
+*cscope.out
+*cscope.in.out
+*cscope.po.out
+*tags
+.gdb_history
+compile_commands.json
+
+man/
+
+test/envoy/cilium-files
+test/test_results*
+test/.vagrant
+test/tmp.yaml
+test/*_manifest.yaml
+test/*.xml
+test/*.json
+test/*.log
+test/cilium-[0-9a-f]*.yaml
+test/*tmp
+test/cilium-istioctl
+
+# Testdata, includes generated .o
+!**/testdata/*
+
+# Updates E2E Test
+old-charts/
+
+# generated test files
+test/k8s/manifests/cnp-second-namespaces.yaml
+test/cilium.conf.ginkgo
+
+# Emacs backup files
+*~
+
+# generated from make targets
+*.ok
+*.build_all
+LICENSE.all
+
+# Temporary files that allow build containers/VMs work without git
+# Not to be ignored by docker.
+GIT_VERSION
+
+# The following files get created during image builds
+.buildx
+.buildx_builder
+
+# Local developer config to be executed in the dev VM and CI VMs started locally
+.devvmrc
+
+# Generated dockerignore files
+images/*/Dockerfile.dockerignore
+
+# Local Emacs files
+.dir-locals.el
+
+# Clangd cache for indexed bpf code
+bpf/.cache
+.cache
+
+# Include dummy bpf object necessary for XDP_TX
+!test/l4lb/bpf_xdp_veth_host.o
+
+# Files used for direnv
+.direnv
+.envrc
diff --git a/vendor/github.com/cilium/cilium/.golangci.yaml b/vendor/github.com/cilium/cilium/.golangci.yaml
new file mode 100644
index 0000000000..91b20b440d
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/.golangci.yaml 
@@ -0,0 +1,179 @@
+# options for analysis running
+run:
+ # default concurrency is a available CPU number
+ concurrency: 4
+
+ # timeout for analysis, e.g. 30s, 5m, default is 1m
+ timeout: 20m
+
+ # exit code when at least one issue was found, default is 1
+ issues-exit-code: 1
+
+ # include test files or not, default is true
+ tests: true
+
+ # which dirs to skip: they won't be analyzed;
+ # can use regexp here: generated.*, regexp is applied on full path;
+ # default value is empty list, but next dirs are always skipped independently
+ # from this option's value:
+ # vendor$, third_party$, testdata$, examples$, Godeps$, builtin$
+ # skip-dirs:
+ # - ^test.*
+
+ # by default isn't set. If set we pass it to "go list -mod={option}". From "go help modules":
+ # If invoked with -mod=readonly, the go command is disallowed from the implicit
+ # automatic updating of go.mod described above. Instead, it fails when any changes
+ # to go.mod are needed. This setting is most useful to check that go.mod does
+ # not need updates, such as in a continuous integration and testing system.
+ # If invoked with -mod=vendor, the go command assumes that the vendor
+ # directory holds the correct copies of dependencies and ignores
+ # the dependency descriptions in go.mod.
+ modules-download-mode: readonly
+
+# all available settings of specific linters
+linters-settings:
+ depguard:
+ rules:
+ main:
+ deny:
+ - pkg: "math/rand$"
+ desc: "Use math/rand/v2 instead"
+ exhaustruct:
+ # Ensure that command-line flags are explicitly default-initialized.
+ include:
+ - '.+\.[Cc]onfig'
+ - '.+[Cc]fg'
+ exclude:
+ - '.+cache\.Config' # k8s
+ - '.+fqdn\.Config' # internal API
+ - '.+tls\.Config' # Go TLS
+ - '.+v3\.Config' # etcd
+ - '.+translation\.Config' # internal gateway-api config
+ govet:
+ enable:
+ - nilness
+ goimports:
+ local-prefixes: github.com/cilium/cilium/
+ goheader:
+ values:
+ regexp:
+ PROJECT: 'Cilium|Hubble'
+ template: |-
+ SPDX-License-Identifier: Apache-2.0
+ Copyright Authors of {{ PROJECT }}
+ gosec:
+ includes:
+ - G402
+ gomodguard:
+ blocked:
+ modules:
+ - github.com/miekg/dns:
+ recommendations:
+ - github.com/cilium/dns
+ reason: "use the cilium fork directly to avoid replace directives in go.mod, see https://github.com/cilium/cilium/pull/27582"
+ - gopkg.in/check.v1:
+ recommendations:
+ - testing
+ - github.com/stretchr/testify/assert
+ reason: "gocheck has been deprecated, see https://github.com/cilium/cilium/issues/28596"
+ - github.com/cilium/checkmate:
+ recommendations:
+ - github.com/stretchr/testify/assert
+ - github.com/stretchr/testify/require
+ reason: "cilium/checkmate has been deprecated, see https://github.com/cilium/cilium/issues/28596"
+ - go.uber.org/multierr:
+ recommendations:
+ - errors
+ reason: "Go 1.20+ has support for combining multiple errors, see https://go.dev/doc/go1.20#errors"
+ - golang.org/x/exp/maps:
+ recommendations:
+ - maps
+ - slices
+ reason: "Go 1.23+ has support for maps and slices, see https://go.dev/doc/go1.23#iterators"
+ - golang.org/x/exp/constraints:
+ recommendations:
+ - cmp
+ reason: "Go 1.21+ has support for Ordered constraint, see https://go.dev/doc/go1.21#cmp"
+ - golang.org/x/exp/slices:
+ recommendations:
+ - slices
+ reason: "Go 1.21+ provides many common operations for slices using generic functions, see https://go.dev/doc/go1.21#slices"
+ - k8s.io/utils/pointer:
+ recommendations:
+ - k8s.io/utils/ptr
+ reason: "k8s.io/utils/pointer is deprecated, see https://pkg.go.dev/k8s.io/utils/pointer"
+
+ stylecheck:
+ checks: ["ST1019"]
+
+ testifylint:
+ enable-all: true
+ disable: # TODO: remove each disabled rule and fix it
+ - float-compare
+ - go-require
+ - require-error
+
+issues:
+ exclude-dirs-use-default: true
+
+ # Excluding configuration per-path, per-linter, per-text and per-source
+ exclude-rules:
+ - linters: [staticcheck]
+ text: "SA1019" # this is rule for deprecated method
+ - linters: [staticcheck]
+ text: "SA9003: empty branch"
+ - linters: [staticcheck]
+ text: "SA2001: empty critical section"
+ - linters: [err113]
+ text: "do not define dynamic errors, use wrapped static errors instead" # This rule to avoid opinionated check fmt.Errorf("text")
+ # Skip goimports check on generated files
+ - path: \\.(generated\\.deepcopy|pb)\\.go$
+ linters:
+ - goimports
+ # Skip goheader check in the example files as these are included in the
+ # documentation.
+ - path: "contrib/examples/.+\\.go"
+ linters:
+ - goheader
+ # Skip goheader check on files imported and modified from upstream k8s
+ - path: "pkg/ipam/(cidrset|service)/.+\\.go"
+ linters:
+ - goheader
+ - path: "pkg/hubble/dropeventemitter/fake_recorder.go"
+ linters:
+ - goheader
+
+linters:
+ disable-all: true
+ enable:
+ - depguard
+ - errorlint
+ - err113
+ - exhaustruct
+ - gofmt
+ - goimports
+ - govet
+ - ineffassign
+ - misspell
+ - staticcheck
+ - stylecheck
+ - testifylint
+ - unused
+ - goheader
+ - gosec
+ - gomodguard
+ - gosimple
+
+# To enable later if makes sense
+# - deadcode
+# - errcheck
+# - gocyclo
+# - golint
+# - gosec
+# - gosimple
+# - lll
+# - maligned
+# - misspell
+# - prealloc
+# - structcheck
+# - typecheck
diff --git a/vendor/github.com/cilium/cilium/.mailmap b/vendor/github.com/cilium/cilium/.mailmap
new file mode 100644
index 0000000000..4994e3f9a1
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/.mailmap
@@ -0,0 +1,168 @@
+Àbéjídé Àyodélé
+Adam Korcz
+Adam Bocim
+Alexei Starovoitov
+Alex Waring
+Alkama Hasan
+André Martins
+Andrew Sy Kim
+Andrew Li
+Anthony Rabbito
+Arika Chen
+Arthur Chiao
+Arthur Evstifeev
+Arthur Evstifeev
+Arvind Soni
+Ashwin Paranjpe
+Ashwin Paranjpe
+Augustas Berneckas
+Barun Acharya
+Barun Acharya
+Bingshen Wang
+Bingwu Yang
+Bob Bouteillier
+Bruno Miguel Custódio
+Carlos Andrés Rocha
+Changyu Wang
+Charles-Henri Guérin
+chenyahui
+Chen Kang
+Chen Yaqi
+Chen Yaqi
+Christine Chen
+Christopher Biscardi
+Claudia J. Kang
+Craig Box
+Dan Wendlandt
+Daniel Qian
+Dario Mader <9934402+darox@users.noreply.github.com>
+Dario Mader
+Darren Mackintosh
+Darshan Chaudhary
+David Chen
+David Cheng
+David Chosrova David CHOSROVA
+Dawn
+Devarshi Sathiya
+Divine Odazie
+Divya Mohan
+Dmitriy Zinin
+El-Fadel Bonfoh
+Emin Aktas
+Fankaixi Li
+Felix Färjsjö
+fengshunli <1171313930@qq.com>
+Fernand Galiana
+Florian Koch
+François Joulaud <48206448+joulaud@users.noreply.github.com>
+Gaurav Genani
+Gaurav Yadav
+George Kontridze
+Gray Liang
+Gowtham Sundara
+huangxuesen
+HaoTian Qi
+Hart Hoover
+Hui Kong
+Ian Vernon
+Ifeanyi Ubah
+Ivan Makarychev
+Jarno Rajahalme
+Jarno Rajahalme
+James Bodkin
+James McShane
+Jed Salazar
+Jerry J. Muzsik
+Jim Ntosas
+Jomen Xiao
+Jonathan Davies
+Jones Shi
+Joshua Roppo
+Jun Chen
+Junli Ou
+Kamil Lach
+Kaito Ii
+Karl Heins
+Kevin Holditch <82885135+kevholditch-f3@users.noreply.github.com>
+Bokang Li
+Li Cheng
+Lior Rozen
+Liu Qun
+Livingstone S E
+LongHui Li
+LongHui Li
+Louis DeLosSantos
+Madhu Challa
+Mahadev Panchal
+Mandar U Jog
+Marc Stulz
+Marcel Zięba Marcel Zieba
+Marcel Zięba Marcel Zieba
+Matthew Gumport
+Maxime Visonneau
+Michael Kashin
+Michael Vorburger
+Neela Jacques <68304471+Neelajacques@users.noreply.github.com>
+Oksana Baranova
+Oliver Hofmann <91730056+olinux-dev@users.noreply.github.com>
+Ondrej Blazek
+Parth Patel
+Peiqi Shi
+Pengfei Song
+Philippe Lafoucrière
+Pierre-Yves Aillet
+Pratyush Singhal
+Qifeng Guo
+Quentin Monnet
+Raam
+Raphael Campos
+Rei Shimizu
+renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
+Roman Ptitcyn
+Sachin Maurya
+Sadik Kuzu
+Salvatore Mazzarino
+Sami Yessou
+Sander Timmerman
+Sarah Corleissen
+Sean Winn
+Sebastien Thomas
+Sergey Generalov
+Simon Felding <45149055+simonfelding@users.noreply.github.com>
+Steven Shuang
+Tam Mach
+Thomas Graf
+Tobias Mose
+Tobias Mose
+Tom Hadlaw
+Tomoki Sugiura
+Tomoki Sugiura
+Tony Lu
+Trevor Tao
+Vance Li
+Vance Li vanceli
+Viktor Kurchenko viktor-kurchenko
+Viktor Kurchenko viktor-kurchenko <69600804+viktor-kurchenko@users.noreply.github.com>
+Ville Ojamo <14869000+bluikko@users.noreply.github.com>
+Vlad Ungureanu
+Vipul Singh
+Vipul Singh
+Wang Dong >
+Wayne Haber <41373231+whaber@users.noreply.github.com>
+Wei Yang <31728060+yulng@users.noreply.github.com>
+Weilong Cui
+Weizhou Lan
+Wenhu Wang
+Wongyu Lee
+Will Stewart
+Yiannis Yiakoumis
+Youssef Azrak
+Yoyo Wu
+Yugo Kobayashi
+Yurii Dzobak
+Yurii Komar
+Yves Blusseau
+Xiaoqing
+Xiaoyang Zhu
+Xin Li
+Zhu Yan
diff --git a/vendor/github.com/cilium/cilium/CODEOWNERS b/vendor/github.com/cilium/cilium/CODEOWNERS
new file mode 100644
index 0000000000..c71a3065fb
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/CODEOWNERS 
@@ -0,0 +1,666 @@
+# Code owners are used by the Cilium community to consolidate common knowledge
+# into teams that can provide consistent and actionable feedback to
+# contributors. This section will describe groups of teams and suggestions
+# about the focus areas for review.
+#
+# The primary motivation for these teams is to provide structure around review
+# processes to ensure that contributors know how to reach out to community
+# members to conduct discussions, ensure contributions meet the expectations of
+# the community, and align on the direction of proposed changes. Furthermore,
+# while these teams are primarily drawn upon to provide review on specific pull
+# requests, they are also encouraged to self-organize around how to make
+# improvements to their areas of the Cilium project over time.
+#
+# Any committer may self-nominate to code owner teams. Reach out to the core
+# team on the #committers channel in Slack to coordinate. Committers do not
+# require expert knowledge in an area in order to join a code owner team,
+# only a willingness to engage in discussions and learn about the area.
+#
+# Project-wide
+# ++++++++++++
+#
+# These code owners may provide feedback for Pull Requests submitted to any
+# repository in the Cilium project:
+#
+# - @cilium/api:
+# Ensure the backwards-compatibility of Cilium REST and gRPC APIs, excluding
+# Hubble which is owned by @cilium/sig-hubble-api.
+# - @cilium/build:
+# Provide feedback on languages and scripting used for build and packaging
+# system: Make, Shell, Docker.
+# - @cilium/cli:
+# Provide user experience feedback on changes to Command-Line Interfaces.
+# These owners are a stand-in for the user community to bring a user
+# perspective to the review process. Consider how information is presented,
+# consistency of flags and options.
+# - @cilium/ci-structure:
+# Provide guidance around the best use of Cilium project continuous
+# integration and testing infrastructure, including GitHub actions, VM
+# helpers, testing frameworks, etc.
+# - @cilium/community:
+# Maintain files that refer to Cilium community users such as USERS.md.
+# - @cilium/contributing:
+# Encourage practices that ensure an inclusive contributor community. Review
+# tooling and scripts used by contributors.
+# - @cilium/docs-structure:
+# Ensure the consistency and layout of documentation. General feedback on the
+# use of Sphinx, how to communicate content clearly to the community. This
+# code owner is not expected to validate the technical correctness of
+# submissions. Correctness is typically handled by another code owner group
+# which is also assigned to any given piece of documentation.
+# - @cilium/sig-foundations:
+# Review changes to the core libraries and provide guidance to overall
+# software architecture.
+# - @cilium/github-sec:
+# Responsible for maintaining the security of repositories in the Cilium
+# project by maintaining best practices for workflow usage, for instance
+# preventing malicious use of GitHub actions.
+# - @cilium/helm:
+# Provide input on the way that Helm can be used to configure features. These
+# owners are a stand-in for the user community to bring a user perspective to
+# the review process. Ensure that Helm changes are defined in manners that
+# will be forward-compatible for upgrade and follow best practices for
+# deployment (for example, being GitOps-friendly).
+# - @cilium/sig-hubble-api:
+# Review Hubble API changes related to gRPC endpoints.
+# The team ensures that API changes are backward
+# compatible or that a new API version is created for backward incompatible
+# changes.
+# - @cilium/metrics:
+# Provide recommendations about the types, names and labels for metrics to
+# follow best practices. This includes considering the cardinality impact of
+# metrics being added or extended.
+# - @cilium/release-managers:
+# Review files related to releases like AUTHORS and VERSION.
+# - @cilium/security:
+# Provide feedback on changes that could have security implications for Cilium,
+# and maintain security-related documentation.
+# - @cilium/vendor:
+# Review vendor updates for software dependencies to check for any potential
+# upstream breakages / incompatibilities. Discourage the use of unofficial
+# forks of upstream libraries if they are actively maintained.
+#
+# Repository Owners
+# +++++++++++++++++
+#
+# The following code owners are responsible for a range of general feedback for
+# contributions to specific repositories:
+#
+# - @cilium/sig-hubble:
+# Review all Cilium and Hubble code related to observing system events,
+# exporting those via gRPC protocols outside the node and outside the
+# cluster. those event channels, for example via TLS.
+# - @cilium/hubble-metrics:
+# Review code related to Hubble metrics, ensure changes in exposed metrics are
+# consistent and not breaking without careful consideration.
+# - @cilium/hubble-ui:
+# Maintain the Hubble UI graphical interface.
+# - @cilium/tetragon:
+# Review of all Tetragon code, both for Go and C (for eBPF).
+#
+# The teams above are responsible for reviewing the majority of contributions
+# to the corresponding repositories. Additionally, there are "maintainer" teams
+# listed below which may not be responsible for overall code review for a
+# repository, but they have administrator access to the repositories and so
+# they can assist with configuring GitHub repository settings, secrets, and
+# related processes. For the full codeowners for individual repositories, see
+# the CODEOWNERS file in the corresponding repository.
+#
+# - @cilium/cilium-cli-maintainers
+# - @cilium/cilium-maintainers
+# - @cilium/cilium-packer-ci-build-maintainers
+# - @cilium/ebpf-lib-maintainers
+# - @cilium/hubble-maintainers
+# - @cilium/image-tools-maintainers
+# - @cilium/metallb-maintainers
+# - @cilium/openshift-terraform-maintainers
+# - @cilium/proxy-maintainers
+# - @cilium/tetragon-maintainers
+#
+# Cloud Integrations
+# ++++++++++++++++++
+#
+# The following codeowner groups provide insight into the integrations with
+# specific cloud providers:
+#
+# - @cilium/alibabacloud
+# - @cilium/aws
+# - @cilium/azure
+#
+# Cilium Internals
+# ++++++++++++++++
+#
+# The following codeowner groups cover more specific knowledge about Cilium
+# Agent internals or the way that particular Cilium features interact with
+# external software and protocols:
+#
+# - @cilium/docker:
+# Maintain the deprecated docker-plugin.
+# - @cilium/endpoint:
+# Provide background on how the Cilium Endpoint package fits into the overall
+# agent architecture, relationship with generation of policy / datapath
+# constructs, serialization and restore from disk.
+# - @cilium/envoy:
+# Maintain the L7 proxy integration with Envoy. This includes the
+# configurations for Envoy via xDS protocols as well as the extensible
+# proxylib framework for Go-based layer 7 filters.
+# - @cilium/egress-gateway:
+# Maintain the egress gateway control plane and datapath logic.
+# - @cilium/fqdn:
+# Maintain the L7 DNS proxy integration.
+# - @cilium/ipcache:
+# Provide background on how the userspace IPCache structure fits into the
+# overall agent architecture, ordering constraints with respect to network
+# policies and encryption. Handle the relationship between Kubernetes state
+# and datapath state as it pertains to remote peers.
+# - @cilium/ipsec:
+# Maintain the kernel IPsec configuration and related eBPF logic to ensure
+# traffic is correctly encrypted.
+# - @cilium/kvstore:
+# Review Cilium interactions with key-value stores, particularly etcd.
+# Understand the client libraries used by Cilium for sharing state between
+# nodes and clusters.
+# - @cilium/loader:
+# Maintain the tooling that allows eBPF programs to be loaded into the
+# kernel: LLVM, bpftool, use of cilium/ebpf for loading programs in the
+# agent, ELF templating, etc.
+# - @cilium/operator:
+# Review operations that occur once per cluster via the Cilium Operator
+# component. Take care of the corresponding garbage collection and leader
+# election logic.
+# - @cilium/proxy:
+# Review low-level implementations used to redirect L7 traffic to the actual
+# proxy implementations (FQDN, Envoy, ...).
+# - @cilium/sig-agent:
+# Provide Cilium (agent) general Go review. Internal architecture, core data
+# structures and daemon startup.
+# - @cilium/sig-bgp:
+# Review changes to our BGP integration.
+# - @cilium/sig-clustermesh:
+# Ensure the reliability of state sharing between clusters to ensure that
+# each cluster maintains a separate fault domain.
+# - @cilium/sig-datapath:
+# Provide feedback on all eBPF code changes, use of the kernel APIs for
+# configuring the networking and socket layers. Coordination of kernel
+# subsystems such as xfrm (IPsec), iptables / nftables, tc. Maintain the
+# control plane layers that populate most eBPF maps; account for endianness
+# and system architecture impacts on the datapath code.
+# - @cilium/sig-encryption
+# Review control and data plane logic related with encryption (IPSec and
+# WireGuard).
+# - @cilium/sig-hubble:
+# Review all Cilium and Hubble code related to observing system events,
+# exporting those via gRPC protocols outside the node and outside the
+# cluster. Ensure the security of those event channels, for example via TLS.
+# - @cilium/sig-ipam:
+# Coordinate the implementation between all of the IP Address Management
+# modes, provide awareness/insight into IP resource exhaustion and garbage
+# collection concerns.
+# - @cilium/sig-k8s:
+# Provide input on all interactions with Kubernetes, both for standard
+# resources and CRDs. Ensure best practices are followed for the coordination
+# of clusterwide state in order to minimize memory usage.
+# - @cilium/sig-lb:
+# Maintain the layers necessary to coordinate all load balancing
+# configurations within the agent control plane, including Services,
+# ClusterIP, NodePorts, Maglev, local redirect policies, and
+# NAT46/NAT64.
+# - @cilium/sig-policy:
+# Ensure consistency of semantics for all network policy representations.
+# Responsible for all policy logic from Kubernetes down to eBPF policymap
+# entries, including all intermediate layers such as the Policy Repository,
+# SelectorCache, PolicyCache, CachedSelectorPolicy, EndpointPolicy, etc.
+# - @cilium/sig-scalability:
+# Maintain scalability and performance tests. Provide input on scalability
+# and performance related changes.
+# - @cilium/sig-servicemesh:
+# Provide input on the way that Service Mesh constructs such as Gateway API
+# are converted into lower-level constructs backed by eBPF or Envoy
+# configurations. Maintain the CRDs necessary for Service Mesh functionality.
+# - @cilium/wireguard:
+# Maintain the kernel WireGuard configuration and datapath impacts related to
+# ensuring traffic is encrypted correctly when WireGuard mode is enabled.
+#
+# END_CODEOWNERS_DOCS
+#
+# The following filepaths should be sorted so that more specific paths occur
+# after the less specific paths, otherwise the ownership for the specific paths
+# is not properly picked up in Github.
+/AUTHORS @cilium/release-managers
+/CODE_OF_CONDUCT.md @cilium/contributing
+/CODEOWNERS @cilium/contributing
+/CONTRIBUTING.md @cilium/contributing
+/.authors.aux @cilium/contributing
+/.clomonitor.yml @cilium/contributing
+/.devcontainer @cilium/ci-structure
+/.gitattributes @cilium/contributing
+/.github/ @cilium/contributing
+/.github/ariane-config.yaml @cilium/github-sec @cilium/ci-structure
+/.github/renovate.json5 @cilium/github-sec @cilium/ci-structure
+/.github/actions/ @cilium/github-sec @cilium/ci-structure
+/.github/actions/ipsec* @cilium/ipsec @cilium/github-sec @cilium/ci-structure
+/.github/actions/kvstore/ @cilium/sig-clustermesh @cilium/kvstore @cilium/github-sec @cilium/ci-structure
+/.github/workflows/ @cilium/github-sec @cilium/ci-structure
+/.github/workflows/auto-approve.yaml @cilium/cilium-maintainers
+/.github/workflows/*cilium-cli*.yaml @cilium/cli @cilium/github-sec @cilium/ci-structure
+/.github/workflows/*clustermesh*.yaml @cilium/sig-clustermesh @cilium/github-sec @cilium/ci-structure
+/.github/workflows/*datapath*.yaml @cilium/sig-datapath @cilium/github-sec @cilium/ci-structure
+/.github/workflows/*gateway-api*.yaml @cilium/sig-servicemesh @cilium/github-sec @cilium/ci-structure
+/.github/workflows/*hubble*.yaml @cilium/sig-hubble @cilium/github-sec @cilium/ci-structure
+/.github/workflows/*ipsec*.yaml @cilium/ipsec @cilium/github-sec @cilium/ci-structure
+/.github/workflows/*ingress*.yaml @cilium/sig-servicemesh @cilium/github-sec @cilium/ci-structure
+/.github/actions/cl2-modules/ @cilium/sig-scalability
+/.github/workflows/*scale*.yaml @cilium/sig-scalability @cilium/github-sec @cilium/ci-structure
+/.github/workflows/*perf*.yaml @cilium/sig-scalability @cilium/github-sec @cilium/ci-structure
+/.github/workflows/tests-ces-migrate.yaml @cilium/sig-scalability @cilium/github-sec @cilium/ci-structure
+/.gitignore @cilium/contributing
+/.golangci.yaml @cilium/ci-structure
+/.mailmap @cilium/release-managers
+/.nvim @cilium/contributing
+/.vscode @cilium/contributing
+/api/ @cilium/api
+/api/v1/Makefile @cilium/sig-hubble-api
+/api/v1/Makefile.protoc @cilium/sig-hubble-api
+/api/v1/flow/ @cilium/sig-hubble-api
+/api/v1/health/ @cilium/api @cilium/sig-agent
+/api/v1/observer/ @cilium/sig-hubble-api
+/api/v1/operator/ @cilium/api @cilium/operator
+/api/v1/peer/ @cilium/sig-hubble-api
+/api/v1/recorder/ @cilium/sig-hubble-api
+/api/v1/relay/ @cilium/sig-hubble-api
+/assets.go @cilium/sig-agent
+/bpf/ @cilium/sig-datapath
+/bpf/lib/egress_gateway.h @cilium/egress-gateway
+Makefile* @cilium/build
+/bpf/Makefile* @cilium/loader
+/bpf/custom/Makefile* @cilium/build @cilium/loader
+/bpf/lib/auth.h @cilium/sig-datapath @cilium/sig-servicemesh
+/bpf/lib/encrypt.h @cilium/ipsec
+/bpf/lib/policy.h @cilium/sig-datapath @cilium/sig-policy
+/bpf/lib/wireguard.h @cilium/wireguard @cilium/sig-datapath
+/bpf/bpf_wireguard.c @cilium/wireguard @cilium/sig-datapath
+/bpf/lib/ids.h @cilium/loader
+/bpf/lib/proxy.h @cilium/proxy @cilium/sig-datapath
+/bpf/include/bpf/tailcall.h @cilium/loader
+/bugtool/ @cilium/cli
+/cilium-dbg/ @cilium/cli
+/cilium-dbg/cmd/encrypt* @cilium/ipsec @cilium/cli
+/cilium-dbg/cmd/preflight_k8s_valid_cnp.go @cilium/sig-k8s
+/cilium-cli/ @cilium/cli
+/cilium-cli/bgp/ @cilium/sig-bgp
+/cilium-cli/cmd/ @cilium/cli
+/cilium-cli/clustermesh/ @cilium/sig-clustermesh
+/cilium-cli/connectivity/ @cilium/ci-structure
+/cilium-cli/connectivity/check/frr.go @cilium/sig-bgp
+/cilium-cli/connectivity/check/ipcache.go @cilium/ipcache
+/cilium-cli/connectivity/check/metrics*.go @cilium/metrics
+/cilium-cli/connectivity/check/policy.go @cilium/sig-policy
+/cilium-cli/connectivity/builder/** @cilium/ci-structure
+/cilium-cli/connectivity/builder/all_ingress_deny_from_outside.go @cilium/sig-encryption
+/cilium-cli/connectivity/builder/bgp_control_plane.go @cilium/sig-bgp
+/cilium-cli/connectivity/builder/cluster_entity_multi_cluster.go @cilium/sig-clustermesh
+/cilium-cli/connectivity/builder/dns_only.go @cilium/fqdn
+/cilium-cli/connectivity/builder/echo_ingress.go @cilium/sig-servicemesh
+/cilium-cli/connectivity/builder/echo_ingress_auth_always_fail.go @cilium/sig-servicemesh
+/cilium-cli/connectivity/builder/echo_ingress_from_other_client_deny.go @cilium/sig-servicemesh
+/cilium-cli/connectivity/builder/echo_ingress_from_outside.go @cilium/sig-servicemesh
+/cilium-cli/connectivity/builder/echo_ingress_knp.go @cilium/sig-servicemesh
+/cilium-cli/connectivity/builder/echo_ingress_l7.go @cilium/sig-servicemesh
+/cilium-cli/connectivity/builder/echo_ingress_l7_named_port.go @cilium/sig-servicemesh
+/cilium-cli/connectivity/builder/echo_ingress_mutual_auth_spiffe.go @cilium/sig-servicemesh
+/cilium-cli/connectivity/builder/egress_gateway.go @cilium/egress-gateway
+/cilium-cli/connectivity/builder/egress_gateway_excluded_cidrs.go @cilium/egress-gateway
+/cilium-cli/connectivity/builder/egress_gateway_with_l7_policy.go @cilium/egress-gateway
+/cilium-cli/connectivity/builder/local_redirect_policy.go @cilium/sig-lb
+/cilium-cli/connectivity/builder/no_ipsec_xfrm_errors.go @cilium/sig-encryption
+/cilium-cli/connectivity/builder/node_to_node_encryption.go @cilium/sig-encryption
+/cilium-cli/connectivity/builder/pod_to_pod_encryption.go @cilium/sig-encryption
+/cilium-cli/connectivity/builder/pod_to_pod_encryption_v2.go @cilium/sig-encryption
+/cilium-cli/connectivity/perf/** @cilium/sig-scalability
+/cilium-cli/connectivity/tests/bgp.go @cilium/sig-bgp
+/cilium-cli/connectivity/tests/clustermesh-endpointslice-sync.go @cilium/sig-clustermesh
+/cilium-cli/connectivity/tests/egressgateway.go @cilium/egress-gateway
+/cilium-cli/connectivity/tests/encryption.go @cilium/sig-encryption
+/cilium-cli/connectivity/tests/encryption_v2.go @cilium/sig-encryption
+/cilium-cli/connectivity/tests/errors.go @cilium/sig-agent @cilium/sig-datapath
+/cilium-cli/connectivity/tests/from-cidr.go @cilium/sig-policy
+/cilium-cli/connectivity/tests/health.go @cilium/sig-agent +/cilium-cli/connectivity/tests/host.go @cilium/sig-agent +/cilium-cli/connectivity/tests/ipsec_xfrm.go @cilium/ipsec +/cilium-cli/connectivity/tests/lrp.go @cilium/sig-lb +/cilium-cli/connectivity/tests/pod.go @cilium/sig-agent +/cilium-cli/connectivity/tests/service.go @cilium/sig-lb +/cilium-cli/connectivity/tests/to-cidr.go @cilium/sig-policy +/cilium-cli/connectivity/tests/upgrade.go @cilium/sig-datapath +/cilium-cli/connectivity/tests/world.go @cilium/proxy +/cilium-cli/encrypt/ @cilium/sig-encryption +/cilium-cli/hubble/ @cilium/sig-hubble +/cilium-cli/install/ @cilium/cli @cilium/helm +/cilium-cli/install/azure.go @cilium/azure +/cilium-cli/k8s/ @cilium/sig-k8s +/cilium-health/ @cilium/sig-agent +/cilium-health/cmd/ @cilium/sig-agent @cilium/cli +/clustermesh-apiserver @cilium/sig-clustermesh +/contrib/ @cilium/contributing +/contrib/containerlab/ @cilium/sig-bgp +/contrib/coccinelle/ @cilium/sig-datapath +/contrib/scripts/portgen.py @cilium/sig-datapath +/daemon/ @cilium/sig-agent +/daemon/cmd/datapath.go @cilium/sig-datapath +/daemon/cmd/endpoint* @cilium/endpoint +/daemon/cmd/fqdn* @cilium/fqdn +/daemon/cmd/health* @cilium/sig-agent +/daemon/cmd/ipcache* @cilium/ipcache +/daemon/cmd/kube_proxy* @cilium/sig-datapath +/daemon/cmd/bootstrap_statistics.go @cilium/metrics +/daemon/cmd/policy* @cilium/sig-policy +/daemon/cmd/state.go @cilium/endpoint +/daemon/cmd/cells*.go @cilium/sig-foundations +/Documentation/ @cilium/docs-structure +/Documentation/_static/ @cilium/docs-structure +/Documentation/api.rst @cilium/sig-agent @cilium/docs-structure +/Documentation/beta.rst @cilium/docs-structure +/Documentation/reference-guides/bpf/ @cilium/sig-datapath @cilium/docs-structure +/Documentation/reference-guides/xfrm/ @cilium/ipsec @cilium/docs-structure +/Documentation/check-build.sh @cilium/docs-structure +/Documentation/check-cmdref.sh @cilium/docs-structure +/Documentation/check-crd-compat-table.sh 
@cilium/docs-structure +/Documentation/check-examples.sh @cilium/docs-structure +/Documentation/check-helmvalues.sh @cilium/docs-structure +/Documentation/cmdref/ +/Documentation/community/community.rst @cilium/contributing +/Documentation/community/governance.rst @cilium/contributing +/Documentation/community/roadmap.rst @cilium/contributing @cilium/docs-structure +/Documentation/contributing/ @cilium/contributing @cilium/docs-structure +/Documentation/conf.py @cilium/docs-structure +/Documentation/configuration/index.rst @cilium/docs-structure +/Documentation/contributing/ @cilium/contributing @cilium/docs-structure +/Documentation/contributing/development/reviewers_committers/review_vendor.rst @cilium/vendor +/Documentation/crdlist.rst +/Documentation/Dockerfile @cilium/docs-structure +/Documentation/gettingstarted/demo.rst @cilium/docs-structure +/Documentation/gettingstarted/gettinghelp.rst @cilium/contributing @cilium/docs-structure +/Documentation/glossary.rst @cilium/docs-structure +/Documentation/helm-values.rst +/Documentation/images/re-request-review.png @cilium/contributing @cilium/docs-structure +/Documentation/index.rst @cilium/docs-structure +/Documentation/installation/alibabacloud* @cilium/alibabacloud @cilium/docs-structure +/Documentation/installation/aws* @cilium/aws @cilium/docs-structure +/Documentation/installation/cni-chaining-aws-cni.rst @cilium/aws @cilium/docs-structure +/Documentation/installation/cni-chaining-azure-cni.rst @cilium/azure @cilium/docs-structure +/Documentation/installation/kind-configure.rst @cilium/docs-structure +/Documentation/internals/index.rst @cilium/docs-structure +/Documentation/internals/cilium_operator.rst @cilium/operator @cilium/docs-structure +/Documentation/internals/hubble.rst @cilium/sig-hubble @cilium/docs-structure +/Documentation/images/bpf* @cilium/sig-datapath @cilium/docs-structure +/Documentation/images/hubble_getflows.png @cilium/sig-hubble @cilium/docs-structure +/Documentation/Makefile 
@cilium/docs-structure +/Documentation/network/bgp* @cilium/sig-bgp @cilium/docs-structure +/Documentation/network/clustermesh/ @cilium/sig-clustermesh @cilium/docs-structure +/Documentation/network/concepts/ipam/ @cilium/sig-ipam @cilium/docs-structure +/Documentation/network/concepts/ipam/azure* @cilium/sig-ipam @cilium/azure @cilium/docs-structure +/Documentation/network/concepts/ipam/eni* @cilium/sig-ipam @cilium/aws @cilium/docs-structure +/Documentation/network/concepts/masquerading.rst @cilium/sig-datapath @cilium/docs-structure +/Documentation/network/ebpf/ @cilium/sig-datapath @cilium/docs-structure +/Documentation/network/egress-gateway-toc.rst @cilium/egress-gateway @cilium/docs-structure +/Documentation/network/egress-gateway/ @cilium/egress-gateway @cilium/docs-structure +/Documentation/network/kubernetes/ @cilium/sig-k8s @cilium/docs-structure +/Documentation/network/kubernetes/bandwidth-manager.rst @cilium/sig-datapath @cilium/docs-structure +/Documentation/network/kubernetes/ipam* @cilium/sig-ipam @cilium/docs-structure +/Documentation/network/kubernetes/kubeproxy-free.rst @cilium/sig-lb @cilium/docs-structure +/Documentation/network/kubernetes/local-redirect-policy.rst @cilium/sig-lb @cilium/docs-structure +/Documentation/network/kubernetes/ciliumendpointslice.rst @cilium/sig-scalability @cilium/docs-structure +/Documentation/network/lb-ipam.rst @cilium/sig-lb @cilium/docs-structure +/Documentation/network/multicast.rst @cilium/sig-datapath @cilium/docs-structure +/Documentation/network/servicemesh/ @cilium/sig-servicemesh @cilium/docs-structure +/Documentation/observability/ @cilium/sig-policy @cilium/docs-structure +/Documentation/observability/hubble* @cilium/sig-hubble @cilium/docs-structure +/Documentation/operations/performance/ @cilium/sig-datapath @cilium/docs-structure +/Documentation/operations/system_requirements.rst @cilium/sig-datapath @cilium/docs-structure +/Documentation/operations/troubleshooting_clustermesh.rst 
@cilium/sig-clustermesh @cilium/docs-structure +/Documentation/overview/component-overview.rst @cilium/docs-structure +/Documentation/overview/intro.rst @cilium/docs-structure +/Documentation/requirements.txt @cilium/docs-structure +/Documentation/security/http.rst @cilium/sig-policy @cilium/docs-structure +/Documentation/security/images/cilium_threat_model* @cilium/security @cilium/docs-structure +/Documentation/security/network/encryption-ipsec.rst @cilium/ipsec @cilium/docs-structure +/Documentation/security/network/encryption-wireguard.rst @cilium/wireguard @cilium/docs-structure +/Documentation/security/network/proxy/ @cilium/proxy @cilium/docs-structure +/Documentation/security/policy-creation.rst @cilium/sig-policy @cilium/docs-structure +/Documentation/security/policy/ @cilium/sig-policy @cilium/docs-structure +/Documentation/security/threat-model.rst @cilium/security @cilium/docs-structure +/Documentation/spelling_wordlist.txt @cilium/docs-structure +/Documentation/update-cmdref.sh @cilium/docs-structure +/Documentation/update-spelling_wordlist.sh @cilium/docs-structure +/Documentation/yaml.config @cilium/docs-structure +/examples/ @cilium/docs-structure +/examples/hubble/ @cilium/sig-hubble +/examples/kubernetes/ @cilium/sig-k8s +/examples/kubernetes/clustermesh/ @cilium/sig-clustermesh +/examples/minikube/ @cilium/sig-k8s +/examples/policies/kubernetes/clustermesh/ @cilium/sig-clustermesh +/FURTHER_READINGS.rst @cilium/docs-structure +/hack/ @cilium/contributing +/hubble/ @cilium/sig-hubble +/hubble-relay/ @cilium/sig-hubble +/images @cilium/build +/images/builder/install-protoc.sh @cilium/sig-hubble-api +/images/builder/install-protoplugins.sh @cilium/sig-hubble-api +/images/builder/update-cilium-builder-image.sh @cilium/github-sec +/images/hubble-relay @cilium/sig-hubble +/images/runtime/update-cilium-runtime-image.sh @cilium/github-sec +/install/kubernetes/ @cilium/sig-k8s @cilium/helm +/install/kubernetes/cilium/**/cilium-envoy @cilium/sig-k8s 
@cilium/helm @cilium/envoy @cilium/sig-servicemesh +/install/kubernetes/cilium/**/spire @cilium/sig-k8s @cilium/helm @cilium/sig-servicemesh +/install/kubernetes/cilium/templates/clustermesh* @cilium/sig-k8s @cilium/helm @cilium/sig-clustermesh +/install/kubernetes/cilium/templates/hubble* @cilium/sig-k8s @cilium/helm @cilium/sig-hubble +/LICENSE @cilium/contributing +/MAINTAINERS.md @cilium/contributing +/netlify.toml @cilium/ci-structure +/operator/ @cilium/operator +/operator/doublewrite @cilium/metrics +/operator/pkg/bgpv2 @cilium/sig-bgp +/operator/pkg/ciliumendpointslice @cilium/sig-scalability +/operator/pkg/ciliumenvoyconfig @cilium/sig-servicemesh +/operator/pkg/controller-runtime @cilium/envoy @cilium/sig-servicemesh +/operator/pkg/gateway-api @cilium/sig-servicemesh +/operator/pkg/ingress @cilium/sig-servicemesh +/operator/pkg/lbipam @cilium/sig-lb +/operator/pkg/model @cilium/sig-servicemesh +/operator/pkg/networkpolicy @cilium/sig-policy +/operator/pkg/secretsync @cilium/envoy @cilium/sig-servicemesh +/pkg/act/ @cilium/sig-datapath @cilium/metrics +/pkg/annotation @cilium/sig-k8s +/pkg/alibabacloud/ @cilium/alibabacloud +/pkg/alignchecker/ @cilium/sig-datapath @cilium/loader +/pkg/allocator/ @cilium/kvstore +/pkg/api/ @cilium/api +/pkg/auth/ @cilium/sig-servicemesh +/pkg/aws/ @cilium/aws +/pkg/azure/ @cilium/azure +/pkg/backoff/ @cilium/sig-agent +/pkg/bufuuid/ @cilium/sig-scalability +/pkg/datapath/linux/bandwidth/ @cilium/sig-datapath +/pkg/bgpv1/ @cilium/sig-bgp +/pkg/bpf/ @cilium/loader +/pkg/byteorder/ @cilium/sig-datapath @cilium/api +/pkg/cgroups/ @cilium/sig-datapath +/pkg/cidr/ @cilium/sig-agent +/pkg/ciliumenvoyconfig/ @cilium/envoy @cilium/sig-servicemesh +/pkg/cleanup/ @cilium/sig-agent +/pkg/client @cilium/api +/pkg/clustermesh @cilium/sig-clustermesh +/pkg/cmdref @cilium/cli +/pkg/command/ @cilium/cli +/pkg/common/ @cilium/sig-agent +/pkg/common/ipsec/ @cilium/ipsec +/pkg/comparator/ @cilium/sig-agent +/pkg/completion/ @cilium/proxy 
+/pkg/components/ @cilium/sig-agent +/pkg/container/ @cilium/sig-foundations +/pkg/container/bitlpm/ @cilium/ipcache @cilium/sig-policy +/pkg/container/set/ @cilium/sig-policy +/pkg/controller @cilium/sig-agent +/pkg/counter @cilium/sig-datapath +/pkg/crypto/certificatemanager @cilium/envoy @cilium/sig-servicemesh +/pkg/crypto/certloader @cilium/sig-hubble +/pkg/datapath/ @cilium/sig-datapath +/pkg/datapath/fake/ipsec.go @cilium/ipsec +/pkg/datapath/linux/config/ @cilium/loader +/pkg/datapath/linux/ipsec/ @cilium/ipsec +/pkg/datapath/linux/ipsec/xfrm_collector* @cilium/ipsec @cilium/metrics +/pkg/datapath/linux/ipsec.go @cilium/ipsec +/pkg/datapath/linux/node.go @cilium/sig-datapath +/pkg/datapath/linux/probes/ @cilium/loader +/pkg/datapath/linux/requirements.go @cilium/loader +/pkg/datapath/linux/sysctl/ @cilium/sig-datapath +/pkg/datapath/types/ipsec.go @cilium/ipsec +/pkg/datapath/types/loader.go @cilium/loader +/pkg/datapath/loader/ @cilium/loader +/pkg/datapath/ipcache/ @cilium/ipcache +/pkg/defaults @cilium/sig-agent +/pkg/debug @cilium/sig-agent +/pkg/dial @cilium/sig-agent +/pkg/driftchecker @cilium/sig-foundations +/pkg/dynamicconfig @cilium/sig-foundations +/pkg/ebpf @cilium/sig-datapath +/pkg/egressgateway/ @cilium/egress-gateway +/pkg/endpoint/ @cilium/endpoint +/pkg/endpointcleanup/ @cilium/endpoint +/pkg/endpointmanager/ @cilium/endpoint +/pkg/endpointstate/ @cilium/endpoint +/pkg/envoy/ @cilium/envoy +/pkg/eventqueue/ @cilium/sig-agent +/pkg/dynamiclifecycle/ @cilium/sig-foundations +/pkg/flowdebug/ @cilium/proxy +/pkg/fqdn/ @cilium/fqdn +/pkg/fswatcher/ @cilium/sig-datapath @cilium/sig-hubble +/pkg/gops/ @cilium/sig-agent +/pkg/health/ @cilium/sig-agent +/pkg/hive/ @cilium/sig-foundations +/pkg/hubble/ @cilium/sig-hubble +/pkg/hubble/metrics @cilium/hubble-metrics +/pkg/iana/ @cilium/sig-agent +/pkg/identity @cilium/sig-policy +/pkg/idpool/ @cilium/kvstore +/pkg/ip/ @cilium/sig-agent +/pkg/ipalloc/ @cilium/sig-ipam +/pkg/ipam/ @cilium/sig-ipam 
+/pkg/ipam/allocator/alibabacloud/ @cilium/sig-ipam @cilium/alibabacloud +/pkg/ipam/allocator/aws/ @cilium/sig-ipam @cilium/aws +/pkg/ipam/allocator/azure/ @cilium/sig-ipam @cilium/azure +/pkg/ipam/allocator/clusterpool/ @cilium/sig-ipam @cilium/operator +/pkg/ipcache/ @cilium/ipcache +/pkg/ipmasq @cilium/sig-agent +/pkg/k8s/ @cilium/sig-k8s +/pkg/k8s/apis/cilium.io/client/crds/v2/ @cilium/sig-k8s +/pkg/k8s/apis/cilium.io/client/crds/v2/ciliumegressgatewaypolicies.yaml @cilium/egress-gateway +/pkg/k8s/apis/cilium.io/v2/cegp_types.go @cilium/egress-gateway +/pkg/k8s/apis/cilium.io/v2/ @cilium/api @cilium/sig-k8s +/pkg/kvstore/ @cilium/kvstore +/pkg/kvstore/etcdinit @cilium/sig-clustermesh @cilium/kvstore +/pkg/l2announcer/ @cilium/sig-agent +/pkg/labels @cilium/sig-policy @cilium/api +/pkg/labelsfilter @cilium/sig-policy +/pkg/launcher @cilium/sig-agent +/pkg/loadbalancer @cilium/sig-lb +/pkg/loadinfo/ @cilium/sig-agent +/pkg/lock @cilium/sig-agent +/pkg/logging/ @cilium/cli +/pkg/mac @cilium/sig-datapath +/pkg/maglev @cilium/sig-lb +/pkg/maps/ @cilium/sig-datapath +/pkg/maps/egressmap @cilium/egress-gateway +/pkg/mcastmanager @cilium/sig-datapath +/pkg/metrics @cilium/metrics +/pkg/monitor @cilium/sig-datapath +/pkg/monitor/api @cilium/api @cilium/sig-datapath +/pkg/monitor/datapath_trace.go @cilium/sig-datapath @cilium/sig-hubble +/pkg/monitor/format @cilium/cli @cilium/sig-datapath +/pkg/monitor/payload @cilium/api @cilium/sig-datapath +/pkg/mountinfo @cilium/sig-datapath +/pkg/mtu @cilium/sig-datapath +/pkg/multicast @cilium/sig-datapath +/pkg/murmur3/ @cilium/sig-datapath +/pkg/netns/ @cilium/sig-datapath @cilium/sig-k8s +/pkg/node @cilium/sig-agent +/pkg/nodediscovery/ @cilium/sig-agent +/pkg/option @cilium/sig-agent @cilium/cli +/pkg/pidfile @cilium/sig-agent +/pkg/policy @cilium/sig-policy +/pkg/policy/api/ @cilium/api +/pkg/policy/groups/aws/ @cilium/sig-policy @cilium/aws +/pkg/policy/k8s @cilium/sig-policy +/pkg/pprof @cilium/sig-foundations +/pkg/promise 
@cilium/sig-foundations +/pkg/proxy/ @cilium/proxy +/pkg/proxy/accesslog @cilium/proxy @cilium/api +/pkg/proxy/dns.go @cilium/proxy @cilium/fqdn +/pkg/proxy/envoyproxy.go @cilium/proxy @cilium/envoy +/pkg/rate/ @cilium/sig-agent +/pkg/rate/metrics @cilium/metrics +/pkg/recorder @cilium/sig-datapath +/pkg/redirectpolicy @cilium/sig-lb +/pkg/resiliency @cilium/sig-agent +/pkg/revert/ @cilium/sig-agent +/pkg/safeio @cilium/sig-agent +/pkg/safetime/ @cilium/sig-agent +/pkg/service @cilium/sig-lb +/pkg/shortener @cilium/sig-foundations @cilium/sig-k8s +/pkg/signal @cilium/sig-datapath +/pkg/slices @cilium/sig-foundations +/pkg/socketlb @cilium/loader +/pkg/source @cilium/ipcache +/pkg/spanstat/ @cilium/sig-agent +/pkg/status/ @cilium/sig-agent +/pkg/testutils/ @cilium/ci-structure +/pkg/time @cilium/sig-agent +/pkg/trigger/ @cilium/sig-agent +/pkg/tuple @cilium/sig-datapath +/pkg/types/ @cilium/sig-datapath +/pkg/u8proto/ @cilium/sig-agent +/pkg/wireguard @cilium/wireguard +/pkg/version/ @cilium/sig-agent +/pkg/versioncheck/ @cilium/sig-agent +/pkg/xds/ @cilium/envoy +/plugins/cilium-cni/ @cilium/sig-k8s +/plugins/cilium-docker/ @cilium/docker +/README.rst @cilium/docs-structure +/SECURITY.md @cilium/contributing +/SECURITY-INSIGHTS.yml @cilium/security +/stable.txt @cilium/release-managers +/test/ @cilium/ci-structure +/test/Makefile* @cilium/ci-structure @cilium/build +# Service handling tests +/test/k8s/services.go @cilium/sig-lb @cilium/ci-structure +# Datapath tests +/bpf/tests/bpftest/ @cilium/sig-datapath +/test/k8s/bandwidth.go @cilium/sig-datapath @cilium/ci-structure +/test/k8s/chaos.go @cilium/sig-datapath @cilium/ci-structure +/test/k8s/datapath_configuration.go @cilium/sig-datapath @cilium/ci-structure +/test/runtime/connectivity.go @cilium/sig-datapath @cilium/ci-structure +/test/verifier @cilium/loader @cilium/ci-structure +# Policy tests +/test/k8s/net_policies.go @cilium/sig-policy @cilium/ci-structure +/test/runtime/net_policies.go @cilium/sig-policy 
@cilium/ci-structure +# Hubble/monitoring tests +/test/k8s/hubble.go @cilium/sig-hubble @cilium/ci-structure +/test/runtime/monitor.go @cilium/sig-hubble @cilium/ci-structure +# L7 proxy tests +/test/k8s/fqdn.go @cilium/fqdn @cilium/ci-structure +/test/k8s/kafka_policies.go @cilium/envoy @cilium/ci-structure +/test/runtime/fqdn.go @cilium/fqdn @cilium/ci-structure +# Standalone L4LB tests +/test/l4lb @cilium/sig-lb @cilium/ci-structure +/test/nat46x64 @cilium/sig-lb @cilium/ci-structure +/test/bigtcp @cilium/sig-datapath @cilium/ci-structure +# Misc. tests +/test/runtime/kvstore.go @cilium/kvstore @cilium/ci-structure +/test/runtime/chaos_agent.go @cilium/sig-agent @cilium/ci-structure +/tools/ @cilium/contributing +/USERS.md @cilium/community +/go.sum @cilium/vendor +/go.mod @cilium/vendor +/vendor/ @cilium/vendor +/VERSION @cilium/release-managers +/.clang-format @cilium/contributing diff --git a/vendor/github.com/cilium/cilium/CODE_OF_CONDUCT.md b/vendor/github.com/cilium/cilium/CODE_OF_CONDUCT.md new file mode 100644 index 0000000000..eea0dbd783 --- /dev/null +++ b/vendor/github.com/cilium/cilium/CODE_OF_CONDUCT.md 
@@ -0,0 +1,46 @@
+## Community Code of Conduct v1.0
+
+This is Code of Conduct is based on the [CNCF Code of
+Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
+See the referred document for translated versions into different languages. The
+text below is modified with Cilium community specific contact details.
+
+### Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of fostering
+an open and welcoming community, we pledge to respect all people who contribute
+through reporting issues, posting feature requests, updating documentation,
+submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for
+everyone, regardless of level of experience, gender, gender identity and expression,
+sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
+religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing others' private information, such as physical or electronic addresses,
+ without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are not
+aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
+commit themselves to fairly and consistently applying these principles to every aspect
+of managing this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the code of conduct team via
+[conduct@cilium.io](mailto:conduct@cilium.io).
+
+This Code of Conduct is adapted from the Contributor Covenant
+(http://contributor-covenant.org), version 1.2.0, available at
+http://contributor-covenant.org/version/1/2/0/
diff --git a/vendor/github.com/cilium/cilium/CONTRIBUTING.md b/vendor/github.com/cilium/cilium/CONTRIBUTING.md
new file mode 100644
index 0000000000..3c2e4ce941
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/CONTRIBUTING.md
@@ -0,0 +1,17 @@
+# How to Contribute
+
+## To Cilium/Hubble
+
+See the [Developer / Contributor
+Guide](https://docs.cilium.io/en/stable/contributing/development/contributing_guide/) for detailed information on
+how to contribute, get started and find good first issues.
+
+## To the cilium.io website
+
+Please see the [cilium.io website contributing guide](https://github.com/cilium/cilium.io/blob/main/CONTRIBUTING.md) for detailed
+information on how to add blogs, trainings, and other resources.
+
+## To the Cilium documentation
+
+Please see the [Cilium documentation contributing guide](https://docs.cilium.io/en/stable/contributing/docs/) for detailed
+information on how to contribute to the Cilium documentation.
diff --git a/vendor/github.com/cilium/cilium/FURTHER_READINGS.rst b/vendor/github.com/cilium/cilium/FURTHER_READINGS.rst
new file mode 100644
index 0000000000..b8a8936c6f
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/FURTHER_READINGS.rst
@@ -0,0 +1,87 @@ +Further Reading +=============== + +.. further-reading-begin + +Related Material +---------------- + +* `BPF for security—and chaos—in Kubernetes `_ +* `k8s-snowflake: Configs and scripts for bootstrapping an opinionated + Kubernetes cluster anywhere using Cilium plugin + `_ +* `Using Cilium for NetworkPolicy: Kubernetes documentation on how to use Cilium + to implement NetworkPolicy + `_ + +Presentations +------------- + +* Kubernetes on Edge Day, Europe 2022 - Connecting Klusters on the Edge with Deep Dive into Cilium Cluster Mesh: + `Video `__ +* Cloud Native Telco Day, Europe 2022 - Leveraging Cilium and SRv6 for Telco Networking: + `Video `__ +* KubeCon, Europe 2022 - A Guided Tour of Cilium Service Mesh: + `Video `__ +* eBPF Day, Europe, 2022 - IKEA Private Cloud, eBPF Based Networking, Load Balancing, and Observability with Cilium: + `Video `__ +* KubeCon, North America 2021 - Beyond printf & tcpdump: Debugging Kubernetes Networking with eBPF: + `Video `__ +* eBPF Summit, Virtual 2020 - Our eBPF Journey at Datadog: + `Video `__ +* eBPF Summit, Virtual 2020 - Building a Secure and Maintainable PaaS Leveraging Cilium: + `Video `__ +* eBPF Summit, Virtual 2020 - The Past, Present and Future of Cilium and Hubble at Palantir: + `Video `__ +* KubeCon, Europe 2020 - Hubble - eBPF Based Observability for Kubernetes: + `Video `__ +* Fosdem, Brussels, 2020 - BPF as a revolutionary technology for the container landscape: + `Slides `__, `Video `__ +* KubeCon, North America 2019 - Understanding and Troubleshooting the eBPF Datapath in Cilium: + `Video `__ +* KubeCon, North America 2019 - Liberating Kubernetes from kube-proxy and iptables: + `Slides `__, `Video `__ +* KubeCon, Europe 2019 - Using eBPF to Bring Kubernetes-Aware Security to the Linux Kernel: + `Video `__ +* KubeCon, Europe 2019 - Transparent Chaos Testing with Envoy , Cilium and BPF: + `Slides `__, `Video `__ +* All Systems Go!, Berlin, Sept 2018 - Cilium - Bringing the BPF Revolution to 
Kubernetes Networking and Security + `Slides `__, `Video `__ +* QCon, San Francisco 2018 - How to Make Linux Microservice-Aware with Cilium and eBPF: + `Slides `__, `Video `__ +* KubeCon, North America 2018 - Connecting Kubernetes Clusters Across Cloud Providers: + `Slides `__, `Video `__ +* KubeCon, North America 2018 - Implementing Least Privilege Security and Networking with BPF on Kubernetes: + `Slides `__, `Video `__ +* KubeCon, Europe 2018 - Accelerating Envoy with the Linux Kernel: + `Video `__ +* Open Source Summit, North America - Cilium: Networking and security for containers with BPF and XDP: + `Video `__ +* DockerCon, Austin TX, Apr 2017 - Cilium - Network and Application Security with BPF and XDP: `Slides + `__, `Video `__ +* CNCF/KubeCon Meetup, Berlin, Mar 2017 - Linux Native, HTTP Aware Network Security: + `Slides `__, `Video `__ +* Docker Distributed Systems Summit, Berlin, Oct 2016: + `Slides `__, `Video `__ +* NetDev1.2, Tokyo, Sep 2016 - cls_bpf/eBPF updates since netdev 1.1: + `Slides `__, `Video `__ +* NetDev1.2, Tokyo, Sep 2016 - Advanced programmability and recent updates with tc’s cls_bpf: + `Slides `__, `Video `__ +* ContainerCon NA, Toronto, Aug 2016 - Fast IPv6 container networking with BPF & XDP: + `Slides `__ + +Podcasts +-------- + +* Software Gone Wild by Ivan Pepelnjak, Oct 2016: `Blog `__, `MP3 `__ +* OVS Orbit by Ben Pfaff, May 2016: `Blog `__, `MP3 `__ + +Community blog posts +-------------------- + +* `Cilium for Network and Application Security with BPF and XDP, Apr 2017 + `_ +* `Cilium, BPF and XDP, Google Open Source Blog, Nov 2016 + `_ + +.. further-reading-end diff --git a/vendor/github.com/cilium/cilium/MAINTAINERS.md b/vendor/github.com/cilium/cilium/MAINTAINERS.md new file mode 100644 index 0000000000..dcfa99014b --- /dev/null +++ b/vendor/github.com/cilium/cilium/MAINTAINERS.md 
@@ -0,0 +1,132 @@
+# Maintainers
+
+See [Governance](https://github.com/cilium/community/blob/main/GOVERNANCE.md) for
+governance, commit, and vote guidelines as well as committer responsibilities.
+Everybody listed is a committer as per governance definition. See the
+[Contributor Ladder](https://github.com/cilium/community/blob/main/CONTRIBUTOR-LADDER.md)
+to learn how to level up through the project.
+
+## Cilium Committers
+
+ * [Aditi Ghag] (Isovalent)
+ * [Alexandre Perrin] (Isovalent)
+ * [André Martins] (Isovalent)
+ * [Beatriz Martínez] (Isovalent)
+ * [Bill Mulligan] (Isovalent)
+ * [Bruno M. Custódio] (Isovalent)
+ * [Casey Callendrello] (Isovalent)
+ * [Chance Zibolski] (Isovalent)
+ * [Chris Tarazi] (Isovalent)
+ * [Daniel Borkmann] (Isovalent)
+ * [Dan Wendlandt] (Isovalent)
+ * [Deepesh Pathak]
+ * [Dorde Lapcevic] (Google)
+ * [Dylan Reimerink] (Isovalent)
+ * [Gilberto Bertin] (Isovalent)
+ * [Glib Smaga] (Isovalent)
+ * [Hemanth Malla] (Datadog)
+ * [Ian Vernon]
+ * [Jarno Rajahalme] (Isovalent)
+ * [Joe Stringer] (Isovalent)
+ * [John Fastabend] (Isovalent)
+ * [Julian Wiedmann] (Isovalent)
+ * [Jussi Mäki] (Isovalent)
+ * [Kornilios Kourtis] (Isovalent)
+ * [Laurent Bernaille] (Datadog)
+ * [Liz Rice] (Isovalent)
+ * [Lorenz Bauer] (Isovalent)
+ * [Louis DeLosSantos] (Isovalent)
+ * [Maciej Kwiek] (Isovalent)
+ * [Marco Iorio] (Isovalent)
+ * [Martynas Pumputis] (Isovalent)
+ * [Michal Rostecki] (Deepfence)
+ * [Michi Mutsuzaki] (Isovalent)
+ * [Natália Réka Ivánkó] (Isovalent)
+ * [Nathan Sweet] (Isovalent)
+ * [Nick Young] (Isovalent)
+ * [Nicolas Busseneau] (Isovalent)
+ * [Nirmoy Das] (AMD)
+ * [Paul Chaignon] (Isovalent)
+ * [Quentin Monnet] (Hedgehog)
+ * [Robin Hahling] (Isovalent)
+ * [Sebastian Wicki] (Isovalent)
+ * [Tam Mach] (Isovalent)
+ * [Thomas Graf] (Isovalent)
+ * [Timo Beckers] (Isovalent)
+ * [Tobias Klauser] (Isovalent)
+ * [Tom Hadlaw] (Isovalent)
+ * [Vlad Ungureanu] (Palantir)
+ * [Yutaro Hayakawa] (Isovalent)
+
+## Cilium & Hubble Emeritus Committers
+
+We would like to acknowledge previous committers and their huge contributions to our collective success:
+
+ * [Eloy Coto] (Red Hat)
+ * [Ilya Dmitrichenko] (Docker)
+ * [Ray Bejjani]
+ * [Tom Payne]
+ * [Weilong Cui] (Google)
+ * [Yongkun Gui] (Google)
+ * [Zang Li] (Google)
+
+
+Please see the AUTHORS file for the full list of contributors to the Cilium
+project.
+
+[Aditi Ghag]: https://github.com/aditighag
+[Alexandre Perrin]: https://github.com/kaworu
+[André Martins]: https://github.com/aanm
+[Beatriz Martínez]: https://github.com/b3a-dev
+[Bill Mulligan]: https://github.com/xmulligan
+[Bruno M. Custódio]: https://github.com/bmcustodio
+[Casey Callendrello]: https://github.com/squeed
+[Chance Zibolski]: https://github.com/chancez
+[Chris Tarazi]: https://github.com/christarazi
+[Daniel Borkmann]: https://github.com/borkmann
+[Dan Wendlandt]: https://github.com/danwent
+[Deepesh Pathak]: https://github.com/fristonio
+[Dorde Lapcevic]: https://github.com/dlapcevic
+[Dylan Reimerink]: https://github.com/dylandreimerink
+[Eloy Coto]: https://github.com/eloycoto
+[Gilberto Bertin]: https://github.com/jibi
+[Glib Smaga]: https://github.com/glibsm
+[Hemanth Malla]: https://github.com/hemanthmalla
+[Ian Vernon]: https://github.com/ianvernon
+[Ilya Dmitrichenko]: https://github.com/errordeveloper
+[Jarno Rajahalme]: https://github.com/jrajahalme
+[Joe Stringer]: https://github.com/joestringer
+[John Fastabend]: https://github.com/jrfastab
+[Julian Wiedmann]: https://github.com/julianwiedmann
+[Jussi Mäki]: https://github.com/joamaki
+[Kornilios Kourtis]: https://github.com/kkourt
+[Laurent Bernaille]: https://github.com/lbernail
+[Liz Rice]: https://github.com/lizrice
+[Lorenz Bauer]: https://github.com/lmb
+[Louis DeLosSantos]: https://github.com/ldelossa
+[Maciej Kwiek]: https://github.com/nebril
+[Marco Iorio]: https://github.com/giorio94
+[Martynas Pumputis]: https://github.com/brb
+[Michal Rostecki]: https://github.com/vadorovsky
+[Michi Mutsuzaki]: https://github.com/michi-covalent
+[Natália Réka Ivánkó]: https://github.com/sharlns
+[Nathan Sweet]: https://github.com/nathanjsweet
+[Nick Young]: https://github.com/youngnick
+[Nicolas Busseneau]: https://github.com/nbusseneau
+[Nirmoy Das]: https://github.com/nirmoy
+[Paul Chaignon]: https://github.com/pchaigno
+[Quentin Monnet]: https://github.com/qmonnet
+[Ray Bejjani]: https://github.com/raybejjani
+[Robin Hahling]: https://github.com/rolinh
+[Sebastian Wicki]: https://github.com/gandro
+[Tam Mach]: https://github.com/sayboras
+[Thomas Graf]: https://github.com/tgraf
+[Timo Beckers]: https://github.com/ti-mo
+[Tobias Klauser]: https://github.com/tklauser
+[Tom Hadlaw]: https://github.com/tommyp1ckles
+[Tom Payne]: https://github.com/twpayne
+[Vlad Ungureanu]: https://github.com/ungureanuvladvictor
+[Weilong Cui]: https://github.com/Weil0ng
+[Yongkun Gui]: https://github.com/anfernee
+[Yutaro Hayakawa]: https://github.com/YutaroHayakawa
+[Zang Li]: https://github.com/lzang
diff --git a/vendor/github.com/cilium/cilium/Makefile b/vendor/github.com/cilium/cilium/Makefile
new file mode 100644
index 0000000000..56e55edfe0
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/Makefile
@@ -0,0 +1,537 @@
+# Copyright Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+##@ Default
+all: precheck build postcheck ## Default make target that perform precheck -> build -> postcheck
+ @echo "Build finished."
+
+##@ Build, Install and Test
+debug: export NOOPT=1 ## Builds Cilium by disabling inlining, compiler optimizations and without stripping debug symbols, useful for debugging.
+debug: export NOSTRIP=1
+debug: all
+
+include Makefile.defs
+
+SUBDIRS_CILIUM_CONTAINER := cilium-dbg daemon cilium-health bugtool tools/mount tools/sysctlfix plugins/cilium-cni
+SUBDIR_OPERATOR_CONTAINER := operator
+SUBDIR_RELAY_CONTAINER := hubble-relay
+
+ifdef LIBNETWORK_PLUGIN
+SUBDIRS_CILIUM_CONTAINER += plugins/cilium-docker
+endif
+
+# Add the ability to override variables
+-include Makefile.override
+
+# List of subdirectories used for global "make build", "make clean", etc
+SUBDIRS := $(SUBDIRS_CILIUM_CONTAINER) $(SUBDIR_OPERATOR_CONTAINER) plugins tools $(SUBDIR_RELAY_CONTAINER) bpf clustermesh-apiserver
+
+# Filter out any directories where the parent directory is also present, to avoid
+# building or cleaning a subdirectory twice.
+# For example: The directory "tools" is transformed into a match pattern "tools/%",
+# which is then used to filter out items such as "tools/mount" and "tools/sysctlfx"
+SUBDIRS := $(filter-out $(foreach dir,$(SUBDIRS),$(dir)/%),$(SUBDIRS))
+
+# Space-separated list of Go packages to test, equivalent to 'go test' package patterns.
+# Because is treated as a Go package pattern, the special '...' sequence is supported,
+# meaning 'all subpackages of the given package'.
+TESTPKGS ?= ./...
+UNPARALLELTESTPKGS ?= ./pkg/datapath/linux/ipsec/...
+
+GOTEST_BASE := -timeout 720s
+GOTEST_COVER_OPTS += -coverprofile=coverage.out
+BENCH_EVAL := "."
+BENCH ?= $(BENCH_EVAL)
+BENCHFLAGS_EVAL := -bench=$(BENCH) -run=^$$ -benchtime=10s
+BENCHFLAGS ?= $(BENCHFLAGS_EVAL)
+SKIP_KVSTORES ?= "false"
+SKIP_K8S_CODE_GEN_CHECK ?= "true"
+SKIP_CUSTOMVET_CHECK ?= "false"
+
+JOB_BASE_NAME ?= cilium_test
+
+TEST_LDFLAGS=-ldflags "-X github.com/cilium/cilium/pkg/kvstore.etcdDummyAddress=http://etcd:4002"
+
+TEST_UNITTEST_LDFLAGS=
+
+build: $(SUBDIRS) ## Builds all the components for Cilium by executing make in the respective sub directories.
+
+build-container: ## Builds components required for cilium-agent container.
+ for i in $(SUBDIRS_CILIUM_CONTAINER); do $(MAKE) $(SUBMAKEOPTS) -C $$i all; done
+
+build-container-operator: ## Builds components required for cilium-operator container.
+ $(MAKE) $(SUBMAKEOPTS) -C $(SUBDIR_OPERATOR_CONTAINER) all
+
+build-container-operator-generic: ## Builds components required for a cilium-operator generic variant container.
+ $(MAKE) $(SUBMAKEOPTS) -C $(SUBDIR_OPERATOR_CONTAINER) cilium-operator-generic
+
+build-container-operator-aws: ## Builds components required for a cilium-operator aws variant container.
+ $(MAKE) $(SUBMAKEOPTS) -C $(SUBDIR_OPERATOR_CONTAINER) cilium-operator-aws
+
+build-container-operator-azure: ## Builds components required for a cilium-operator azure variant container.
+ $(MAKE) $(SUBMAKEOPTS) -C $(SUBDIR_OPERATOR_CONTAINER) cilium-operator-azure
+
+build-container-operator-alibabacloud: ## Builds components required for a cilium-operator alibabacloud variant container.
+ $(MAKE) $(SUBMAKEOPTS) -C $(SUBDIR_OPERATOR_CONTAINER) cilium-operator-alibabacloud
+
+build-container-hubble-relay:
+ $(MAKE) $(SUBMAKEOPTS) -C $(SUBDIR_RELAY_CONTAINER) all
+
+$(SUBDIRS): force ## Execute default make target(make all) for the provided subdirectory.
+ @ $(MAKE) $(SUBMAKEOPTS) -C $@ all
+
+tests-privileged: ## Run Go tests including ones that require elevated privileges.
+ @$(ECHO_CHECK) running privileged tests...
+ ## We split tests into two parts: one that can be run in parallel
+ ## and tests that cannot be run in parallel with other packages
+ ## One drawback of this approach is that
+ ## if first set of tests fails, second one is not run
+ { PRIVILEGED_TESTS=true PATH=$(PATH):$(ROOT_DIR)/bpf $(GO_TEST) $(TEST_LDFLAGS) \
+ $(TESTPKGS) $(GOTEST_BASE) $(GOTEST_COVER_OPTS) \
+ && PRIVILEGED_TESTS=true PATH=$(PATH):$(ROOT_DIR)/bpf $(GO_TEST) $(TEST_LDFLAGS) \
+ $(UNPARALLELTESTPKGS) $(GOTEST_BASE) -json -covermode=count -coverprofile=coverage2.out -p 1 --tags=unparallel; } | $(GOTEST_FORMATTER)
+ tail -n+2 coverage2.out >> coverage.out
+ rm coverage2.out
+ $(MAKE) generate-cov
+
+start-kvstores: ## Start running kvstores (etcd container) for integration tests.
+ifeq ($(SKIP_KVSTORES),"false")
+ @echo Starting key-value store container...
+ -$(QUIET)$(CONTAINER_ENGINE) rm -f "cilium-etcd-test-container" 2> /dev/null
+ $(QUIET)$(CONTAINER_ENGINE) run -d \
+ -e ETCD_UNSUPPORTED_ARCH=$(GOARCH) \
+ --name "cilium-etcd-test-container" \
+ -p 4002:4001 \
+ $(ETCD_IMAGE) \
+ etcd -name etcd0 \
+ -advertise-client-urls http://0.0.0.0:4001 \
+ -listen-client-urls http://0.0.0.0:4001 \
+ -listen-peer-urls http://0.0.0.0:2380 \
+ -initial-cluster-token etcd-cluster-1 \
+ -initial-cluster-state new
+endif
+
+stop-kvstores: ## Forcefully removes running kvstore components (etcd container) for integration tests.
+ifeq ($(SKIP_KVSTORES),"false")
+ $(QUIET)$(CONTAINER_ENGINE) rm -f "cilium-etcd-test-container"
+endif
+
+generate-cov: ## Generate HTML coverage report at coverage-all.html.
+ -@# Remove generated code from coverage
+ifneq ($(SKIP_COVERAGE),)
+ @echo "Skipping generate-cov because SKIP_COVERAGE is set."
+else
+ $(QUIET) grep -Ev '(^github.com/cilium/cilium/api/v1)|(generated.deepcopy.go)|(^github.com/cilium/cilium/pkg/k8s/client/)' \
+ coverage.out > coverage.out.tmp
+ $(QUIET)$(GO) tool cover -html=coverage.out.tmp -o=coverage-all.html
+ $(QUIET) rm coverage.out.tmp
+endif
+ @rmdir ./daemon/1 ./daemon/1_backup 2> /dev/null || true
+
+integration-tests: start-kvstores ## Run Go tests including ones that are marked as integration tests.
+ @$(ECHO_CHECK) running integration tests...
+ INTEGRATION_TESTS=true $(GO_TEST) $(TEST_UNITTEST_LDFLAGS) $(TESTPKGS) $(GOTEST_BASE) $(GOTEST_COVER_OPTS) | $(GOTEST_FORMATTER)
+ $(MAKE) generate-cov
+ $(MAKE) stop-kvstores
+
+bench: start-kvstores ## Run benchmarks for Cilium integration-tests in the repository.
+ $(GO_TEST) $(TEST_UNITTEST_LDFLAGS) $(GOTEST_BASE) $(BENCHFLAGS) $(TESTPKGS)
+ $(MAKE) stop-kvstores
+
+bench-privileged: ## Run benchmarks for privileged tests.
+ PRIVILEGED_TESTS=true $(GO_TEST) $(TEST_UNITTEST_LDFLAGS) $(GOTEST_BASE) $(BENCHFLAGS) $(TESTPKGS)
+
+clean-tags: ## Remove all the tags files from the repository.
+ @$(ECHO_CLEAN) tags
+ @-rm -f cscope.out cscope.in.out cscope.po.out cscope.files tags
+
+.PHONY: cscope.files
+cscope.files: ## Generate cscope.files with the list of all files to generate ctags for.
+ @# Argument to -f must be double-quoted since shell removes backslashes that appear
+ @# before newlines. Otherwise, backslashes will appear in the output file.
+ @go list -f "{{ \$$p := .ImportPath }} \
+ {{- range .GoFiles }}{{ printf \"%s/%s\n\" \$$p . }}{{ end }} \
+ {{- range .TestGoFiles }}{{ printf \"%s/%s\n\" \$$p . }}{{ end }}" ./... \
+ | sed 's#github.com/cilium/cilium/##g' | sort | uniq > cscope.files
+
+ @echo "$(BPF_SRCFILES)" | sed 's/ /\n/g' | sort >> cscope.files
+
+tags: cscope.files ## Generate tags for Go and BPF source files.
+ @ctags -L cscope.files
+ cscope -R -b -q
+
+clean-container: ## Perform `make clean` for each component required in cilium-agent container.
+ -$(QUIET) for i in $(SUBDIRS_CILIUM_CONTAINER); do $(MAKE) $(SUBMAKEOPTS) -C $$i clean; done
+
+clean: ## Perform overall cleanup for Cilium.
+ -$(QUIET) for i in $(SUBDIRS); do $(MAKE) $(SUBMAKEOPTS) -C $$i clean; done
+
+veryclean: ## Perform complete cleanup for container engine images(including build cache).
+ -$(QUIET) $(CONTAINER_ENGINE) image prune -af
+ -$(QUIET) $(CONTAINER_ENGINE) builder prune -af
+
+install-bpf: ## Copies over the BPF source files from bpf/ to /var/lib/cilium/bpf/
+ $(QUIET)$(INSTALL) -m 0750 -d $(DESTDIR)$(LOCALSTATEDIR)/lib/cilium
+ -rm -rf $(DESTDIR)$(LOCALSTATEDIR)/lib/cilium/bpf/*
+ $(foreach bpfsrc,$(BPF_SRCFILES), $(INSTALL) -D -m 0644 $(bpfsrc) $(DESTDIR)$(LOCALSTATEDIR)/lib/cilium/$(bpfsrc);)
+
+install: install-bpf ## Performs install for all the Cilium sub components (daemon, operator, relay etc.)
+ $(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+ for i in $(SUBDIRS); do $(MAKE) $(SUBMAKEOPTS) -C $$i install; done
+
+install-container: install-bpf ## Performs install for all components required for cilium-agent container.
+ $(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+ for i in $(SUBDIRS_CILIUM_CONTAINER); do $(MAKE) $(SUBMAKEOPTS) -C $$i install; done
+
+install-container-binary: install-bpf ## Install binaries for all components required for cilium-agent container.
+ $(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+ for i in $(SUBDIRS_CILIUM_CONTAINER); do $(MAKE) $(SUBMAKEOPTS) -C $$i install-binary; done
+
+install-bash-completion: ## Install bash completion for all components required for cilium-agent container.
+ $(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+ for i in $(SUBDIRS_CILIUM_CONTAINER); do $(MAKE) $(SUBMAKEOPTS) -C $$i install-bash-completion; done
+
+install-container-binary-operator: ## Install binaries for all components required for cilium-operator container.
+ $(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+ $(MAKE) $(SUBMAKEOPTS) -C $(SUBDIR_OPERATOR_CONTAINER) install
+
+install-container-binary-operator-generic: ## Install binaries for all components required for cilium-operator generic variant container.
+ $(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+ $(MAKE) $(SUBMAKEOPTS) -C $(SUBDIR_OPERATOR_CONTAINER) install-generic
+
+install-container-binary-operator-aws: ## Install binaries for all components required for cilium-operator aws variant container.
+ $(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+ $(MAKE) $(SUBMAKEOPTS) -C $(SUBDIR_OPERATOR_CONTAINER) install-aws
+
+install-container-binary-operator-azure: ## Install binaries for all components required for cilium-operator azure variant container.
+ $(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+ $(MAKE) $(SUBMAKEOPTS) -C $(SUBDIR_OPERATOR_CONTAINER) install-azure
+
+install-container-binary-operator-alibabacloud: ## Install binaries for all components required for cilium-operator alibabacloud variant container.
+ $(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+ $(MAKE) $(SUBMAKEOPTS) -C $(SUBDIR_OPERATOR_CONTAINER) install-alibabacloud
+
+install-container-binary-hubble-relay:
+ $(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+ $(MAKE) $(SUBMAKEOPTS) -C $(SUBDIR_RELAY_CONTAINER) install-binary
+
+# Workaround for not having git in the build environment
+# Touch the file only if needed
+GIT_VERSION: force
+ @if [ "$(GIT_VERSION)" != "`cat 2>/dev/null GIT_VERSION`" ] ; then echo "$(GIT_VERSION)" >GIT_VERSION; fi
+
+check_deps:
+ @$(CILIUM_CLI) --help > /dev/null 2>&1 || ( echo "ERROR: '$(CILIUM_CLI)' not found. Please install it." && exit 1)
+
+include Makefile.kind
+
+-include Makefile.docker
+
+manifests: ## Generate K8s manifests e.g. CRD, RBAC etc.
+ contrib/scripts/k8s-manifests-gen.sh
+
+.PHONY: generate-apis
+generate-apis: generate-api generate-health-api generate-hubble-api generate-operator-api generate-kvstoremesh-api generate-sdp-api
+
+generate-api: api/v1/openapi.yaml ## Generate cilium-agent client, model and server code from openapi spec.
+ @$(ECHO_GEN)api/v1/openapi.yaml
+ -$(QUIET)$(SWAGGER) generate server -s server -a restapi \
+ -t api/v1 \
+ -f api/v1/openapi.yaml \
+ --default-scheme=unix \
+ -C api/v1/cilium-server.yml \
+ -r hack/spdx-copyright-header.txt
+ -$(QUIET)$(SWAGGER) generate client -a restapi \
+ -t api/v1 \
+ -f api/v1/openapi.yaml \
+ -r hack/spdx-copyright-header.txt
+ @# sort goimports automatically
+ -$(QUIET)$(GO) run golang.org/x/tools/cmd/goimports -w ./api/v1/client ./api/v1/models ./api/v1/server
+
+generate-health-api: api/v1/health/openapi.yaml ## Generate cilium-health client, model and server code from openapi spec.
+ @$(ECHO_GEN)api/v1/health/openapi.yaml
+ -$(QUIET)$(SWAGGER) generate server -s server -a restapi \
+ -t api/v1 \
+ -t api/v1/health/ \
+ -f api/v1/health/openapi.yaml \
+ --default-scheme=unix \
+ -C api/v1/cilium-server.yml \
+ -r hack/spdx-copyright-header.txt
+ -$(QUIET)$(SWAGGER) generate client -a restapi \
+ -t api/v1 \
+ -t api/v1/health/ \
+ -f api/v1/health/openapi.yaml \
+ -r hack/spdx-copyright-header.txt
+ @# sort goimports automatically
+ -$(QUIET)$(GO) run golang.org/x/tools/cmd/goimports -w ./api/v1/health
+
+generate-operator-api: api/v1/operator/openapi.yaml ## Generate cilium-operator client, model and server code from openapi spec.
+ @$(ECHO_GEN)api/v1/operator/openapi.yaml
+ -$(QUIET)$(SWAGGER) generate server -s server -a restapi \
+ -t api/v1 \
+ -t api/v1/operator/ \
+ -f api/v1/operator/openapi.yaml \
+ --default-scheme=http \
+ -C api/v1/cilium-server.yml \
+ -r hack/spdx-copyright-header.txt
+ -$(QUIET)$(SWAGGER) generate client -a restapi \
+ -t api/v1 \
+ -t api/v1/operator/ \
+ -f api/v1/operator/openapi.yaml \
+ -r hack/spdx-copyright-header.txt
+ @# sort goimports automatically
+ -$(QUIET)$(GO) run golang.org/x/tools/cmd/goimports -w ./api/v1/operator
+
+generate-kvstoremesh-api: api/v1/kvstoremesh/openapi.yaml ## Generate kvstoremesh client, model and server code from openapi spec.
+ @$(ECHO_GEN)api/v1/kvstoremesh/openapi.yaml
+ -$(QUIET)$(SWAGGER) generate server -s server -a restapi \
+ -t api/v1 \
+ -t api/v1/kvstoremesh/ \
+ -f api/v1/kvstoremesh/openapi.yaml \
+ --default-scheme=http \
+ -C api/v1/cilium-server.yml \
+ -r hack/spdx-copyright-header.txt
+ -$(QUIET)$(SWAGGER) generate client -a restapi \
+ -t api/v1 \
+ -t api/v1/kvstoremesh/ \
+ -f api/v1/kvstoremesh/openapi.yaml \
+ -r hack/spdx-copyright-header.txt
+ @# sort goimports automatically
+ -$(QUIET)$(GO) run golang.org/x/tools/cmd/goimports -w ./api/v1/kvstoremesh
+
+generate-hubble-api: api/v1/flow/flow.proto api/v1/peer/peer.proto api/v1/observer/observer.proto api/v1/relay/relay.proto ## Generate hubble proto Go sources.
+ $(QUIET) $(MAKE) $(SUBMAKEOPTS) -C api/v1
+
+
+generate-sdp-api: api/v1/standalone-dns-proxy/standalone-dns-proxy.proto
+ $(QUIET) $(MAKE) $(SUBMAKEOPTS) -C api/v1
+
+define generate_k8s_protobuf
+ $(GO) install k8s.io/code-generator/cmd/go-to-protobuf/protoc-gen-gogo && \
+ $(GO) install golang.org/x/tools/cmd/goimports && \
+ $(GO) run k8s.io/code-generator/cmd/go-to-protobuf \
+ --apimachinery-packages='-k8s.io/apimachinery/pkg/util/intstr,$\
+ -k8s.io/apimachinery/pkg/api/resource,$\
+ -k8s.io/apimachinery/pkg/runtime/schema,$\
+ -k8s.io/apimachinery/pkg/runtime,$\
+ -k8s.io/apimachinery/pkg/apis/meta/v1,$\
+ -k8s.io/apimachinery/pkg/apis/meta/v1beta1'\
+ --drop-embedded-fields="github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1.TypeMeta" \
+ --proto-import="$$PWD" \
+ --proto-import="$$PWD/vendor" \
+ --proto-import="$$PWD/tools/protobuf" \
+ --packages=$(subst $(newline),$(comma),$(1)) \
+ --go-header-file "$$PWD/hack/custom-boilerplate.go.txt" \
+ --output-dir=$$GOPATH/src
+endef
+
+define K8S_PROTO_PACKAGES
+github.com/cilium/cilium/pkg/k8s/slim/k8s/api/core/v1
+github.com/cilium/cilium/pkg/k8s/slim/k8s/api/discovery/v1
+github.com/cilium/cilium/pkg/k8s/slim/k8s/api/discovery/v1beta1
+github.com/cilium/cilium/pkg/k8s/slim/k8s/api/networking/v1
+github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/apiextensions/v1
+github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1
+github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1beta1
+github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/util/intstr
+endef
+
+.PHONY: generate-k8s-api-local
+generate-k8s-api-local:
+ $(ASSERT_CILIUM_MODULE)
+
+ $(eval TMPDIR := $(shell mktemp -d -t cilium.tmpXXXXXXXX))
+
+ $(QUIET) $(call generate_k8s_protobuf,${K8S_PROTO_PACKAGES},"$(TMPDIR)")
+ $(QUIET) contrib/scripts/k8s-code-gen.sh "$(TMPDIR)"
+
+ $(QUIET) rm -rf "$(TMPDIR)"
+
+.PHONY: generate-k8s-api
+generate-k8s-api: ## Generate Cilium k8s API client, deepcopy and deepequal Go sources.
+ RUN_AS_NONROOT=1 contrib/scripts/builder.sh \
+ $(MAKE) -C /go/src/github.com/cilium/cilium/ generate-k8s-api-local
+
+check-k8s-clusterrole: ## Ensures there is no diff between preflight's clusterrole and runtime's clusterrole.
+ ./contrib/scripts/check-preflight-clusterrole.sh
+
+##@ Development
+vps: ## List all the running vagrant VMs.
+ VBoxManage list runningvms
+
+reload: ## Reload cilium-agent and cilium-docker systemd service after installing built binaries.
+ sudo systemctl stop cilium cilium-docker
+ sudo $(MAKE) install
+ sudo systemctl start cilium cilium-docker
+ sleep 6
+ cilium status
+
+release: ## Perform a Git release for Cilium.
+ @echo "Visit https://github.com/cilium/release/issues/new/choose to initiate the release process."
+
+gofmt: ## Run gofmt on Go source files in the repository.
+ $(QUIET)$(GO) fmt ./...
+
+govet: ## Run govet on Go source files in the repository.
+ @$(ECHO_CHECK) vetting all packages...
+ $(QUIET) $(GO_VET) ./...
+
+golangci-lint: ## Run golangci-lint
+ifneq (,$(findstring $(GOLANGCILINT_WANT_VERSION:v%=%),$(GOLANGCILINT_VERSION)))
+ @$(ECHO_CHECK) golangci-lint $(GOLANGCI_LINT_ARGS)
+ $(QUIET) golangci-lint run $(GOLANGCI_LINT_ARGS)
+else
+ $(QUIET) $(CONTAINER_ENGINE) run --rm -v `pwd`:/app -w /app docker.io/golangci/golangci-lint:$(GOLANGCILINT_WANT_VERSION)@$(GOLANGCILINT_IMAGE_SHA) golangci-lint run $(GOLANGCI_LINT_ARGS)
+endif
+
+golangci-lint-fix: ## Run golangci-lint to automatically fix warnings
+ $(QUIET)$(MAKE) golangci-lint GOLANGCI_LINT_ARGS="--fix"
+
+lint: golangci-lint
+
+lint-fix: golangci-lint-fix
+
+logging-subsys-field: ## Validate logrus subsystem field for logs in Go source code.
+ @$(ECHO_CHECK) contrib/scripts/check-logging-subsys-field.sh
+ $(QUIET) contrib/scripts/check-logging-subsys-field.sh
+
+check-microk8s: ## Validate if microk8s is ready to install cilium.
+ @$(ECHO_CHECK) microk8s is ready...
+ $(QUIET)microk8s.status >/dev/null \ + || (echo "Error: Microk8s is not running" && exit 1) + +LOCAL_IMAGE_TAG=local +microk8s: export DOCKER_REGISTRY=localhost:32000 +microk8s: export LOCAL_AGENT_IMAGE=$(DOCKER_REGISTRY)/$(DOCKER_DEV_ACCOUNT)/cilium-dev:$(LOCAL_IMAGE_TAG) +microk8s: export LOCAL_OPERATOR_IMAGE=$(DOCKER_REGISTRY)/$(DOCKER_DEV_ACCOUNT)/operator:$(LOCAL_IMAGE_TAG) +microk8s: check-microk8s ## Build cilium-dev docker image and import to microk8s + $(QUIET)$(MAKE) dev-docker-image DOCKER_IMAGE_TAG=$(LOCAL_IMAGE_TAG) + @echo " DEPLOY image to microk8s ($(LOCAL_AGENT_IMAGE))" + $(QUIET)./contrib/scripts/microk8s-import.sh $(LOCAL_AGENT_IMAGE) + $(QUIET)$(MAKE) dev-docker-operator-image DOCKER_IMAGE_TAG=$(LOCAL_IMAGE_TAG) + @echo " DEPLOY image to microk8s ($(LOCAL_OPERATOR_IMAGE))" + $(QUIET)./contrib/scripts/microk8s-import.sh $(LOCAL_OPERATOR_IMAGE) + +precheck: logging-subsys-field ## Peform build precheck for the source code. +ifeq ($(SKIP_K8S_CODE_GEN_CHECK),"false") + @$(ECHO_CHECK) contrib/scripts/check-k8s-code-gen.sh + $(QUIET) contrib/scripts/check-k8s-code-gen.sh +endif + @$(ECHO_CHECK) contrib/scripts/check-fmt.sh + $(QUIET) contrib/scripts/check-fmt.sh + @$(ECHO_CHECK) contrib/scripts/check-log-newlines.sh + $(QUIET) contrib/scripts/check-log-newlines.sh + @$(ECHO_CHECK) contrib/scripts/check-test-tags.sh + $(QUIET) contrib/scripts/check-test-tags.sh + @$(ECHO_CHECK) contrib/scripts/lock-check.sh + $(QUIET) contrib/scripts/lock-check.sh + @$(ECHO_CHECK) contrib/scripts/check-viper.sh + $(QUIET) contrib/scripts/check-viper.sh +ifeq ($(SKIP_CUSTOMVET_CHECK),"false") + @$(ECHO_CHECK) contrib/scripts/custom-vet-check.sh + $(QUIET) contrib/scripts/custom-vet-check.sh +endif + @$(ECHO_CHECK) contrib/scripts/check-time.sh + $(QUIET) contrib/scripts/check-time.sh + @$(ECHO_CHECK) contrib/scripts/check-go-testdata.sh + $(QUIET) contrib/scripts/check-go-testdata.sh + @$(ECHO_CHECK) contrib/scripts/check-source-info.sh + $(QUIET) 
contrib/scripts/check-source-info.sh + @$(ECHO_CHECK) contrib/scripts/check-xfrmstate.sh + $(QUIET) contrib/scripts/check-xfrmstate.sh + @$(ECHO_CHECK) contrib/scripts/check-legacy-header-guard.sh + $(QUIET) contrib/scripts/check-legacy-header-guard.sh + @$(ECHO_CHECK) contrib/scripts/check-logrus.sh + $(QUIET) contrib/scripts/check-logrus.sh + @$(ECHO_CHECK) contrib/scripts/check-safenetlink.sh + $(QUIET) contrib/scripts/check-safenetlink.sh + +pprof-heap: ## Get Go pprof heap profile. + $(QUIET)$(GO) tool pprof http://localhost:6060/debug/pprof/heap + +pprof-profile: ## Get Go pprof profile. + $(QUIET)$(GO) tool pprof http://localhost:6060/debug/pprof/profile + +pprof-block: ## Get Go pprof block profile. + $(QUIET)$(GO) tool pprof http://localhost:6060/debug/pprof/block + +pprof-trace-5s: ## Get Go pprof trace for a duration of 5 seconds. + curl http://localhost:6060/debug/pprof/trace?seconds=5 + +pprof-mutex: ## Get Go pprof mutex profile. + $(QUIET)$(GO) tool pprof http://localhost:6060/debug/pprof/mutex + +update-authors: ## Update AUTHORS file for Cilium repository. + @echo "Updating AUTHORS file..." + @echo "The following people, in alphabetical order, have either authored or signed" > AUTHORS + @echo "off on commits in the Cilium repository:" >> AUTHORS + @echo "" >> AUTHORS + @contrib/scripts/extract_authors.sh >> AUTHORS + @cat .authors.aux >> AUTHORS + +generate-crd-docs: ## Generate CRD List for documentation + $(QUIET)$(GO) run ./tools/crdlistgen + +test-docs: ## Build HTML documentation. + $(MAKE) -C Documentation html + +render-docs: ## Run server with live preview to render documentation. + $(MAKE) -C Documentation live-preview + +manpages: ## Generate manpage for Cilium CLI. + -rm -r man + mkdir -p man + cilium cmdman -d man + +install-manpages: ## Install manpages the Cilium CLI. + cp man/* /usr/local/share/man/man1/ + mandb + +postcheck: build ## Run Cilium build postcheck (update-cmdref, build documentation etc.). 
+ $(QUIET) SKIP_BUILD=true $(MAKE) $(SUBMAKEOPTS) -C Documentation check + +licenses-all: ## Generate file with all the License from dependencies. + @$(GO) run ./tools/licensegen > LICENSE.all || ( rm -f LICENSE.all ; false ) + +dev-doctor: ## Run Cilium dev-doctor to validate local development environment. + $(QUIET)$(GO) version 2>/dev/null || ( echo "go not found, see https://golang.org/doc/install" ; false ) + $(QUIET)$(GO) run ./tools/dev-doctor + +help: ## Display help for the Makefile, from https://www.thapaliya.com/en/writings/well-documented-makefiles/. + $(call print_help_from_makefile) + @# There is also a list of target we have to manually put the information about. + @# These are templated targets. + $(call print_help_line,"docker-cilium-image","Build cilium-agent docker image") + $(call print_help_line,"dev-docker-image","Build cilium-agent development docker image") + $(call print_help_line,"dev-docker-image-debug","Build cilium-agent development docker debug image") + $(call print_help_line,"docker-plugin-image","Build cilium-docker plugin image") + $(call print_help_line,"docker-hubble-relay-image","Build hubble-relay docker image") + $(call print_help_line,"docker-clustermesh-apiserver-image","Build docker image for Cilium clustermesh APIServer") + $(call print_help_line,"docker-operator-image","Build cilium-operator docker image") + $(call print_help_line,"docker-operator-*-image","Build platform specific cilium-operator images(alibabacloud, aws, azure, generic)") + $(call print_help_line,"docker-operator-*-image-debug","Build platform specific cilium-operator debug images(alibabacloud, aws, azure, generic)") + $(call print_help_line,"docker-*-image-unstripped","Build unstripped version of above docker images(cilium, hubble-relay, operator etc.)") + +.PHONY: help clean clean-container dev-doctor force generate-api generate-health-api generate-operator-api generate-kvstoremesh-api generate-hubble-api generate-sdp-api install licenses-all veryclean 
run_bpf_tests run-builder +force :; + +BPF_TEST_FILE ?= "" +BPF_TEST_DUMP_CTX ?= "" +BPF_TEST_VERBOSE ?= 0 + +run_bpf_tests: ## Build and run the BPF unit tests using the cilium-builder container image. + DOCKER_ARGS=--privileged contrib/scripts/builder.sh \ + "make" "-j$(shell nproc)" "-C" "bpf/tests/" "run" "BPF_TEST_FILE=$(BPF_TEST_FILE)" "BPF_TEST_DUMP_CTX=$(BPF_TEST_DUMP_CTX)" "V=$(BPF_TEST_VERBOSE)" + +run-builder: ## Drop into a shell inside a container running the cilium-builder image. + DOCKER_ARGS=-it contrib/scripts/builder.sh bash + +.PHONY: renovate-local +renovate-local: ## Run a local linter for the renovate configuration + $(CONTAINER_ENGINE) run --rm -ti \ + -e LOG_LEVEL=debug \ + -e GITHUB_COM_TOKEN="$(gh auth token)" \ + -v /tmp:/tmp \ + -v $(ROOT_DIR):/usr/src/app \ + docker.io/renovate/renovate:slim \ + renovate --platform=local diff --git a/vendor/github.com/cilium/cilium/Makefile.defs b/vendor/github.com/cilium/cilium/Makefile.defs new file mode 100644 index 0000000000..f81372d2df --- /dev/null +++ b/vendor/github.com/cilium/cilium/Makefile.defs 
@@ -0,0 +1,227 @@
+# Copyright Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+SHELL := /usr/bin/env bash
+.SHELLFLAGS := -eu -o pipefail -c
+
+# define a function replacing spaces with commas in a list
+empty :=
+space := $(empty) $(empty)
+comma := ,
+join-with-comma = $(subst $(space),$(comma),$(strip $1))
+
+define newline
+
+
+endef
+
+ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+RELATIVE_DIR := $(shell echo $(realpath .) | sed "s;$(ROOT_DIR)[/]*;;")
+include $(ROOT_DIR)/Makefile.quiet
+
+PREFIX?=/usr
+BINDIR?=$(PREFIX)/bin
+CNIBINDIR?=/opt/cni/bin
+CNICONFDIR?=/etc/cni/net.d
+LIBDIR?=$(PREFIX)/lib
+LOCALSTATEDIR?=/var
+RUNDIR?=/var/run
+CONFDIR?=/etc
+
+export GO ?= go
+NATIVE_ARCH = $(shell GOARCH= $(GO) env GOARCH)
+export GOARCH ?= $(NATIVE_ARCH)
+
+INSTALL = install
+
+CONTAINER_ENGINE?=docker
+DOCKER_FLAGS?=
+DOCKER_BUILD_FLAGS?=
+
+# use gsed if available, otherwise use sed.
+# gsed is needed for MacOS to make in-place replacement work correctly.
+SED ?= $(if $(shell command -v gsed),gsed,sed)
+
+# Set DOCKER_DEV_ACCOUNT with "cilium" by default
+ifeq ($(DOCKER_DEV_ACCOUNT),)
+ DOCKER_DEV_ACCOUNT=cilium
+endif
+
+ifneq ($(CI_BUILD),)
+ DOCKER_IMAGE_SUFFIX=-ci
+ DOCKER_IMAGE_TAG=$(shell git rev-parse HEAD)
+endif
+
+# Set DOCKER_IMAGE_TAG with "latest" by default
+ifeq ($(DOCKER_IMAGE_TAG),)
+ DOCKER_IMAGE_TAG=latest
+endif
+
+# renovate: datasource=docker depName=gcr.io/etcd-development/etcd
+ETCD_IMAGE_VERSION = v3.5.18
+ETCD_IMAGE_SHA = sha256:9079538aa6e9ff9a57b4d737ca1f03f978e7b9e8fe45bb91b19bd933deb98912
+ETCD_IMAGE=gcr.io/etcd-development/etcd:$(ETCD_IMAGE_VERSION)@$(ETCD_IMAGE_SHA)
+
+CILIUM_BUILDER_IMAGE=$(shell cat $(ROOT_DIR)/images/cilium/Dockerfile | grep "ARG CILIUM_BUILDER_IMAGE=" | cut -d"=" -f2)
+
+export CILIUM_CLI ?= cilium
+export KUBECTL ?= kubectl
+
+# Till the self-hosted renovate PR #30185 is merged, we might need to run the below
+# make generate-api generate-health-api generate-hubble-api generate-operator-api generate-kvstoremesh-api +# renovate: datasource=docker depName=quay.io/goswagger/swagger +SWAGGER_VERSION = 0.31.0 +SWAGGER_IMAGE_SHA = sha256:5f36c14131ea569ad687ac546d6cdd2ccf0feff662eae5f5bf37d9d8a0b51cbc +SWAGGER := $(CONTAINER_ENGINE) run -u $(shell id -u):$(shell id -g) --rm -v $(ROOT_DIR):$(ROOT_DIR) -w $(ROOT_DIR) --entrypoint swagger quay.io/goswagger/swagger:$(SWAGGER_VERSION)@$(SWAGGER_IMAGE_SHA) + +# go build/test/clean flags +# these are declared here so they are treated explicitly +# as non-immediate variables +GO_BUILD_FLAGS ?= +GO_TEST_FLAGS ?= +GO_CLEAN_FLAGS ?= +GO_BUILD_LDFLAGS ?= +# go build/test -tags values +GO_TAGS_FLAGS += osusergo + +# This is declared here as it is needed to change the covermode depending on if +# RACE is specified. +GOTEST_COVER_OPTS = + +# By default, just print go test output immediately to the terminal. If tparse +# is installed, use it to format the output. Use -progress instead of -follow, +# as the latter is too verbose for most of the test suite. +GOTEST_FORMATTER ?= cat +ifneq ($(shell command -v tparse),) + GOTEST_COVER_OPTS += -json + GOTEST_FORMATTER_FLAGS := +ifneq ($(V),0) + GOTEST_FORMATTER_FLAGS += -follow +endif +ifneq ($(LOG_CODEOWNERS),) + GOTEST_FORMATTER = tee >($(GO) run ./tools/testowners) >(tparse $(GOTEST_FORMATTER_FLAGS)) >/dev/null +else + GOTEST_FORMATTER = tparse $(GOTEST_FORMATTER_FLAGS) +endif +endif + +# renovate: datasource=docker depName=golangci/golangci-lint +GOLANGCILINT_WANT_VERSION = v1.64.5 +GOLANGCILINT_IMAGE_SHA = sha256:9faef4dda4304c4790a14c5b8c8cd8c2715a8cb754e13f61d8ceaa358f5a454a +GOLANGCILINT_VERSION = $(shell golangci-lint version --format short 2>/dev/null) + +VERSION = $(shell cat $(dir $(lastword $(MAKEFILE_LIST)))/VERSION) +VERSION_MAJOR = $(shell cat $(dir $(lastword $(MAKEFILE_LIST)))/VERSION | cut -d. 
-f1) +# Use git only if in a Git repo +ifneq ($(wildcard $(dir $(lastword $(MAKEFILE_LIST)))/.git/HEAD),) + GIT_VERSION = $(shell git show -s --format='format:%h %aI') +else + GIT_VERSION = $(shell cat 2>/dev/null $(ROOT_DIR)/GIT_VERSION) +endif +FULL_BUILD_VERSION = $(VERSION) $(GIT_VERSION) +GO_BUILD_LDFLAGS += -X "github.com/cilium/cilium/pkg/version.ciliumVersion=$(FULL_BUILD_VERSION)" + +ifeq ($(NOSTRIP),) + # Note: these options will not remove annotations needed for stack + # traces, so panic backtraces will still be readable. + # + # -w: Omit the DWARF symbol table. + # -s: Omit the symbol table and debug information. + GO_BUILD_LDFLAGS += -s -w +endif + +ifneq ($(wildcard $(dir $(lastword $(MAKEFILE_LIST)))/images/cilium/Dockerfile),) + CILIUM_ENVOY_REF=$(shell sed -E -e 's/^ARG CILIUM_ENVOY_IMAGE=([^ ]*)/\1/p;d' < $(ROOT_DIR)/images/cilium/Dockerfile) + CILIUM_ENVOY_SHA=$(shell echo $(CILIUM_ENVOY_REF) | sed -E -e 's/[^/]*\/[^:]*:(.*-)?([^:@]*).*/\2/p;d') + GO_BUILD_LDFLAGS += -X "github.com/cilium/cilium/pkg/envoy.requiredEnvoyVersionSHA=$(CILIUM_ENVOY_SHA)" +endif + +# Use git only if in a Git repo, otherwise find the files from the file system +BPF_SRCFILES_IGNORE = bpf/.gitignore +ifneq ($(wildcard $(dir $(lastword $(MAKEFILE_LIST)))/.git/HEAD),) + BPF_SRCFILES := $(shell git ls-files $(ROOT_DIR)/bpf/ | LC_ALL=C sort | tr "\n" ' ') +else + # this line has to be in-sync with bpf/.gitignore, please note usage of make patterns like `%.i` + BPF_SRCFILES_IGNORE += bpf/%.i bpf/%.s bpf/.rebuild_all + BPF_SRCFILES := $(shell find $(ROOT_DIR)/bpf/ -type f | LC_ALL=C sort | tr "\n" ' ') +endif + +# ROOT_DIR can be either `../` or absolute path, each of these need to be stripped +BPF_SRCFILES := $(filter-out $(BPF_SRCFILES_IGNORE),$(subst ../,,$(subst $(ROOT_DIR)/,,$(BPF_SRCFILES)))) + +GO_BUILD_FLAGS += -mod=vendor +GO_TEST_FLAGS += -mod=vendor -vet=all +GO_CLEAN_FLAGS += -mod=vendor + +GO_BUILD = CGO_ENABLED=0 $(GO) build + +# Support CGO cross-compiling for 
amd64 and arm64 targets +CGO_CC = +CROSS_ARCH = +ifneq ($(GOARCH),$(NATIVE_ARCH)) + CROSS_ARCH = $(GOARCH) +endif +ifeq ($(CROSS_ARCH),arm64) + CGO_CC = CC=aarch64-linux-gnu-gcc +else ifeq ($(CROSS_ARCH),amd64) + CGO_CC = CC=x86_64-linux-gnu-gcc +endif +GO_BUILD_WITH_CGO = CGO_ENABLED=1 $(CGO_CC) $(GO) build + +ifneq ($(RACE),) + GO_BUILD_FLAGS += -race + GO_TEST_FLAGS += -race + GOTEST_COVER_OPTS += -covermode=atomic + + # GO_BUILD becomes GO_BUILD_WITH_CGO as `-race` requires CGO + GO_BUILD = $(GO_BUILD_WITH_CGO) + ifeq ($(LOCKDEBUG),) + LOCKDEBUG=1 + endif +else + GOTEST_COVER_OPTS += -covermode=count +endif + +ifneq ($(LOCKDEBUG),) + GO_TAGS_FLAGS += lockdebug +endif + +GO_BUILD_FLAGS += -ldflags '$(GO_BUILD_LDFLAGS) $(EXTRA_GO_BUILD_LDFLAGS)' -tags=$(call join-with-comma,$(GO_TAGS_FLAGS)) $(EXTRA_GO_BUILD_FLAGS) +GO_TEST_FLAGS += -tags=$(call join-with-comma,$(GO_TAGS_FLAGS)) + +ifeq ($(NOOPT),1) + GO_BUILD_FLAGS += -gcflags="all=-N -l" +endif + +GO_BUILD += $(GO_BUILD_FLAGS) +GO_BUILD_WITH_CGO += $(GO_BUILD_FLAGS) + +GO_TEST = CGO_ENABLED=0 $(GO) test $(GO_TEST_FLAGS) +GO_CLEAN = $(GO) clean $(GO_CLEAN_FLAGS) + +GO_VET = $(GO) vet +GO_LIST = $(GO) list + +HELM_TOOLBOX_VERSION ?= "v1.1.0" +HELM_TOOLBOX_SHA ?= "961693f182b9b456ed90e5274ac5df81e4af4343104e252666959cdf9570ce9e" +HELM_TOOLBOX_IMAGE ?= "quay.io/cilium/helm-toolbox:$(HELM_TOOLBOX_VERSION)@sha256:$(HELM_TOOLBOX_SHA)" + +YQ_VERSION ?= "4.40.5" +YQ_SHA ?= "32be61dc94d0acc44f513ba69d0fc05f1f92c2e760491f2a27e11fc13cde6327" +YQ_IMAGE ?= "docker.io/mikefarah/yq:$(YQ_VERSION)@sha256:$(YQ_SHA)" + +define print_help_line + @printf " \033[36m%-29s\033[0m %s.\n" $(1) $(2) +endef + +define print_help_from_makefile + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z0-9][a-zA-Z0-9 _-]*:.*?##/ { split($$1, targets, " "); for (i in targets) { printf " \033[36m%-28s\033[0m %s\n", targets[i], $$2 } } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) +endef + +# 
Use to ensure the CWD, or any child of it, belongs to Cilium's go module. +CILIUM_GO_MODULE = github.com/cilium/cilium +CURRENT_GO_MODULE = $(shell go list -m) +define ASSERT_CILIUM_MODULE + $(if $(filter $(CILIUM_GO_MODULE), $(CURRENT_GO_MODULE)) ,, $(error "Could not locate Cilium's go.mod file, are you in Cilium's repository?")) +endef diff --git a/vendor/github.com/cilium/cilium/Makefile.docker b/vendor/github.com/cilium/cilium/Makefile.docker new file mode 100644 index 0000000000..026d516872 --- /dev/null +++ b/vendor/github.com/cilium/cilium/Makefile.docker 
@@ -0,0 +1,153 @@
+# Copyright Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+DOCKER_BUILDER := default
+
+# Export with value expected by docker
+export DOCKER_BUILDKIT=1
+
+# Docker Buildx support. If ARCH is defined, a builder instance 'cross'
+# on the local node is configured for amd64 and arm64 platform targets.
+# Otherwise build on the current (typically default) builder for the host
+# platform only.
+ifdef ARCH
+ # Default to multi-arch builds, always create the builder for all the platforms we support
+ DOCKER_PLATFORMS := linux/arm64,linux/amd64
+ DOCKER_BUILDER := $(shell docker buildx ls | grep -E -e "[a-zA-Z0-9-]+ \*" | cut -d ' ' -f1)
+ ifneq (,$(filter $(DOCKER_BUILDER),default desktop-linux))
+ DOCKER_BUILDKIT_DRIVER :=
+ ifdef DOCKER_BUILDKIT_IMAGE
+ DOCKER_BUILDKIT_DRIVER := --driver docker-container --driver-opt image=$(DOCKER_BUILDKIT_IMAGE)
+ endif
+ BUILDER_SETUP := $(shell docker buildx create --platform $(DOCKER_PLATFORMS) $(DOCKER_BUILDKIT_DRIVER) --use)
+ endif
+ # Override default for a single platform
+ ifneq ($(ARCH),multi)
+ DOCKER_PLATFORMS := linux/$(ARCH)
+ endif
+ DOCKER_FLAGS += --push --platform $(DOCKER_PLATFORMS)
+else
+ ifeq ($(findstring --output,$(DOCKER_FLAGS)),)
+ ifeq ($(findstring --push,$(DOCKER_FLAGS)),)
+ # ARCH, --output, and --push are not specified, build for the host platform without pushing, mimicking regular docker build
+ DOCKER_FLAGS += --load
+ endif
+ endif
+endif
+DOCKER_EXISTS := $(shell command -v docker 2>/dev/null)
+ifdef DOCKER_EXISTS
+DOCKER_BUILDER := $(shell docker buildx ls | grep -E -e "[a-zA-Z0-9-]+ \*" | cut -d ' ' -f1)
+endif
+
+##@ Docker Images
+.PHONY: builder-info
+builder-info: ## Print information about the docker builder that will be used for building images.
+ @echo "Using Docker Buildx builder \"$(DOCKER_BUILDER)\" with build flags \"$(DOCKER_FLAGS)\"."
+
+# Generic rule for augmented .dockerignore files.
+GIT_IGNORE_FILES := $(shell find . 
-not -path "./vendor*" -name .gitignore -print) +.PRECIOUS: %.dockerignore +%.dockerignore: $(GIT_IGNORE_FILES) Makefile.docker + @-mkdir -p $(dir $@) + @echo "/hack" > $@ + @echo ".git" >> $@ + @echo "/Makefile.docker" >> $@ + @echo $(dir $(GIT_IGNORE_FILES)) | tr ' ' '\n' | xargs -P1 -I {DIR} -n1 sed \ + -e '# Remove lines with white space, comments and files that must be passed to docker, "$$" due to make. #' \ + -e '/^[[:space:]]*$$/d' -e '/^#/d' -e '/GIT_VERSION/d' \ + -e '# Apply pattern in all directories if it contains no "/", keep "!" up front. #' \ + -e '/^[^!/][^/]*$$/s<^<**/<' -e '/^![^/]*$$/s<^!> $@ + +DOCKER_REGISTRY ?= quay.io +ifeq ($(findstring /,$(DOCKER_DEV_ACCOUNT)),/) + # DOCKER_DEV_ACCOUNT already contains '/', assume it specifies a registry + IMAGE_REPOSITORY := $(DOCKER_DEV_ACCOUNT) +else + IMAGE_REPOSITORY := $(DOCKER_REGISTRY)/$(DOCKER_DEV_ACCOUNT) +endif + +# +# Template for Docker images. Paramaters are: +# $(1) image target name +# $(2) Dockerfile path +# $(3) image name stem (e.g., cilium, cilium-operator, etc) +# $(4) image tag +# $(5) target +# +define DOCKER_IMAGE_TEMPLATE +.PHONY: $(1) +$(1): GIT_VERSION $(2) $(2).dockerignore GIT_VERSION builder-info + $(ECHO_DOCKER)$(2) $(IMAGE_REPOSITORY)/$(IMAGE_NAME)$${UNSTRIPPED}:$(4) + $(eval IMAGE_NAME := $(subst %,$$$$*,$(3))) +ifeq ($(5),debug) + @export NOSTRIP=1 +endif + $(QUIET) $(CONTAINER_ENGINE) buildx build -f $(subst %,$$*,$(2)) \ + $(DOCKER_BUILD_FLAGS) $(DOCKER_FLAGS) \ + $(if $(BASE_IMAGE),--build-arg BASE_IMAGE=$(BASE_IMAGE),) \ + --build-arg MODIFIERS="NOSTRIP=$${NOSTRIP} NOOPT=${NOOPT} LOCKDEBUG=${LOCKDEBUG} RACE=${RACE} V=${V} LIBNETWORK_PLUGIN=${LIBNETWORK_PLUGIN} ${ADDITIONAL_MODIFIERS}" \ + --build-arg CILIUM_SHA=$(firstword $(GIT_VERSION)) \ + --build-arg OPERATOR_VARIANT=$(IMAGE_NAME) \ + --build-arg DEBUG_HOLD=$(DEBUG_HOLD) \ + --target $(5) \ + -t $(IMAGE_REPOSITORY)/$(IMAGE_NAME)$${UNSTRIPPED}$(DOCKER_IMAGE_SUFFIX):$(4) . 
+ifneq ($(KIND_LOAD),)
+ sleep 1
+ kind load docker-image $(IMAGE_REPOSITORY)/$(IMAGE_NAME)$${UNSTRIPPED}$(DOCKER_IMAGE_SUFFIX):$(4)
+else
+ ifeq ($(findstring --push,$(DOCKER_FLAGS)),)
+ @echo 'Define "DOCKER_FLAGS=--push" to push the build results.'
+ else
+ $(CONTAINER_ENGINE) buildx imagetools inspect $(IMAGE_REPOSITORY)/$(IMAGE_NAME)$${UNSTRIPPED}$(DOCKER_IMAGE_SUFFIX):$(4)
+ @echo '^^^ Images pushed, multi-arch manifest should be above. ^^^'
+ endif
+endif
+
+$(1)-unstripped: NOSTRIP=1
+$(1)-unstripped: UNSTRIPPED=-unstripped
+$(1)-unstripped: $(1)
+ @echo
+endef
+
+# docker-cilium-image
+$(eval $(call DOCKER_IMAGE_TEMPLATE,docker-cilium-image,images/cilium/Dockerfile,cilium,$(DOCKER_IMAGE_TAG),release))
+
+# dev-docker-image
+$(eval $(call DOCKER_IMAGE_TEMPLATE,dev-docker-image,images/cilium/Dockerfile,cilium-dev,$(DOCKER_IMAGE_TAG),release))
+
+# dev-docker-image-debug
+$(eval $(call DOCKER_IMAGE_TEMPLATE,dev-docker-image-debug,images/cilium/Dockerfile,cilium-dev,$(DOCKER_IMAGE_TAG),debug))
+
+# docker-plugin-image
+$(eval $(call DOCKER_IMAGE_TEMPLATE,docker-plugin-image,images/cilium-docker-plugin/Dockerfile,docker-plugin,$(DOCKER_IMAGE_TAG),release))
+
+# docker-hubble-relay-image
+$(eval $(call DOCKER_IMAGE_TEMPLATE,docker-hubble-relay-image,images/hubble-relay/Dockerfile,hubble-relay,$(DOCKER_IMAGE_TAG),release))
+
+# docker-clustermesh-apiserver-image
+$(eval $(call DOCKER_IMAGE_TEMPLATE,docker-clustermesh-apiserver-image,images/clustermesh-apiserver/Dockerfile,clustermesh-apiserver,$(DOCKER_IMAGE_TAG),release))
+
+# docker-operator-images.
+# We eat the ending of "operator" in to the stem ('%') to allow this pattern
+# to build also 'docker-operator-image', where the stem would be empty otherwise.
+$(eval $(call DOCKER_IMAGE_TEMPLATE,docker-opera%-image,images/operator/Dockerfile,opera%,$(DOCKER_IMAGE_TAG),release))
+$(eval $(call DOCKER_IMAGE_TEMPLATE,dev-docker-opera%-image,images/operator/Dockerfile,opera%,$(DOCKER_IMAGE_TAG),release))
+$(eval $(call DOCKER_IMAGE_TEMPLATE,dev-docker-opera%-image-debug,images/operator/Dockerfile,opera%,$(DOCKER_IMAGE_TAG),debug))
+
+#
+# docker-*-all targets are mainly used from the CI
+#
+docker-images-all: docker-cilium-image docker-plugin-image docker-hubble-relay-image docker-clustermesh-apiserver-image docker-operator-images-all ## Build all Cilium related docker images.
+
+docker-images-all-unstripped: docker-cilium-image-unstripped docker-plugin-image-unstripped docker-hubble-relay-image-unstripped docker-clustermesh-apiserver-image-unstripped docker-operator-images-all-unstripped ## Build all Cilium related unstripped docker images.
+
+docker-operator-images-all: docker-operator-image docker-operator-aws-image docker-operator-azure-image docker-operator-alibabacloud-image docker-operator-generic-image ## Build all variants of cilium-operator images.
+
+docker-operator-images-all-unstripped: docker-operator-image-unstripped docker-operator-aws-image-unstripped docker-operator-azure-image-unstripped docker-operator-alibabacloud-image-unstripped docker-operator-generic-image-unstripped ## Build all variants of unstripped cilium-operator images.
diff --git a/vendor/github.com/cilium/cilium/Makefile.kind b/vendor/github.com/cilium/cilium/Makefile.kind
new file mode 100644
index 0000000000..082d768490
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/Makefile.kind
@@ -0,0 +1,492 @@
+# Copyright Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+##@ Development (Kind)
+
+.PHONY: kind
+kind: ## Create a kind cluster for Cilium development.
+ $(QUIET)SED=$(SED) ./contrib/scripts/kind.sh
+
+.PHONY: kind-egressgw
+kind-egressgw: ## Create a kind cluster for egress gateway Cilium development.
+ $(QUIET)SED=$(SED) WORKERS=3 ./contrib/scripts/kind.sh
+ kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]'
+
+.PHONY: kind-down
+kind-down: ## Destroy a kind cluster for Cilium development.
+ $(QUIET)./contrib/scripts/kind-down.sh
+
+.PHONY: kind-clustermesh
+kind-clustermesh: ## Create two kind clusters for clustermesh development.
+ @echo " If you have problems with too many open file, check https://kind.sigs.k8s.io/docs/user/known-issues/#pod-errors-due-to-too-many-open-files"
+ $(QUIET) CLUSTER_NAME=clustermesh1 IPFAMILY=dual PODSUBNET=10.1.0.0/16,fd00:10:1::/48 SERVICESUBNET=172.20.1.0/24,fd00:10:f1::/112 ./contrib/scripts/kind.sh
+ $(QUIET) CLUSTER_NAME=clustermesh2 AGENTPORTPREFIX=236 OPERATORPORTPREFIX=237 IPFAMILY=dual PODSUBNET=10.2.0.0/16,fd00:10:2::/48 SERVICESUBNET=172.20.2.0/24,fd00:10:f2::/112 ./contrib/scripts/kind.sh
+
+.PHONY: kind-clustermesh-down
+kind-clustermesh-down: ## Destroy kind clusters for clustermesh development.
+ $(QUIET)./contrib/scripts/kind-down.sh clustermesh1 clustermesh2
+
+.PHONY: kind-clustermesh-ready
+kind-clustermesh-ready: ## Check if both kind clustermesh clusters exist
+ @$(ECHO_CHECK) clustermesh kind is ready...
+ @kind get clusters 2>&1 | grep "clustermesh1" \ + && exit 0 || exit 1 + @kind get clusters 2>&1 | grep "clustermesh2" \ + && exit 0 || exit 1 + +.PHONY: kind-bgp-v4 +kind-bgp-v4: + $(QUIET) $(MAKE) -C contrib/containerlab/bgp-cplane-dev-v4 deploy + +.PHONY: kind-bgp-v4-down +kind-bgp-v4-down: + $(QUIET) $(MAKE) -C contrib/containerlab/bgp-cplane-dev-v4 destroy + +.PHONY: kind-bgp-v4-apply-policy +kind-bgp-v4-apply-policy: + $(QUIET) $(MAKE) -C contrib/containerlab/bgp-cplane-dev-v4 apply-policy + +.PHONY: kind-bgp-v6 +kind-bgp-v6: + $(QUIET) $(MAKE) -C contrib/containerlab/bgp-cplane-dev-v6 deploy + +.PHONY: kind-bgp-v6-down +kind-bgp-v6-down: + $(QUIET) $(MAKE) -C contrib/containerlab/bgp-cplane-dev-v6 destroy + +.PHONY: kind-bgp-v6-apply-policy +kind-bgp-v6-apply-policy: + $(QUIET) $(MAKE) -C contrib/containerlab/bgp-cplane-dev-v6 apply-policy + +.PHONY: kind-bgp-dual +kind-bgp-dual: + $(QUIET) $(MAKE) -C contrib/containerlab/bgp-cplane-dev-dual deploy + +.PHONY: kind-bgp-dual-down +kind-bgp-dual-down: + $(QUIET) $(MAKE) -C contrib/containerlab/bgp-cplane-dev-dual destroy + +.PHONY: kind-bgp-dual-apply-policy +kind-bgp-dual-apply-policy: + $(QUIET) $(MAKE) -C contrib/containerlab/bgp-cplane-dev-dual apply-policy + +# Template for kind environment for a target. 
Parameters are: +# $(1) Makefile target name +define KIND_ENV +.PHONY: $(1) +$(1): export DOCKER_REGISTRY=localhost:5000 +$(1): export LOCAL_AGENT_IMAGE=$$(DOCKER_REGISTRY)/$$(DOCKER_DEV_ACCOUNT)/cilium-dev:$$(LOCAL_IMAGE_TAG) +$(1): export LOCAL_OPERATOR_IMAGE=$$(DOCKER_REGISTRY)/$$(DOCKER_DEV_ACCOUNT)/operator-generic:$$(LOCAL_IMAGE_TAG) +$(1): export LOCAL_CLUSTERMESH_IMAGE=$$(DOCKER_REGISTRY)/$$(DOCKER_DEV_ACCOUNT)/clustermesh-apiserver:$$(LOCAL_IMAGE_TAG) +endef + +$(eval $(call KIND_ENV,kind-clustermesh-images)) +kind-clustermesh-images: kind-clustermesh-ready kind-build-clustermesh-apiserver kind-build-image-agent kind-build-image-operator ## Builds images and imports them into clustermesh clusters + $(QUIET)kind load docker-image $(LOCAL_CLUSTERMESH_IMAGE) --name clustermesh1 + $(QUIET)kind load docker-image $(LOCAL_CLUSTERMESH_IMAGE) --name clustermesh2 + $(QUIET)kind load docker-image $(LOCAL_AGENT_IMAGE) --name clustermesh1 + $(QUIET)kind load docker-image $(LOCAL_AGENT_IMAGE) --name clustermesh2 + $(QUIET)kind load docker-image $(LOCAL_OPERATOR_IMAGE) --name clustermesh1 + $(QUIET)kind load docker-image $(LOCAL_OPERATOR_IMAGE) --name clustermesh2 + +.PHONY: kind-connect-clustermesh ## Connect the ClusterMesh clusters. +kind-connect-clustermesh: check_deps kind-clustermesh-ready + @echo " CONNECT the two clusters" + $(CILIUM_CLI) clustermesh connect --context kind-clustermesh1 --destination-context kind-clustermesh2 + $(CILIUM_CLI) clustermesh status --context kind-clustermesh1 --wait + $(CILIUM_CLI) clustermesh status --context kind-clustermesh2 --wait + +ENABLE_KVSTOREMESH ?= true +$(eval $(call KIND_ENV,kind-install-cilium-clustermesh)) +kind-install-cilium-clustermesh: check_deps kind-clustermesh-ready ## Install a local Cilium version into the clustermesh clusters and enable clustermesh. 
+ @echo " INSTALL cilium on clustermesh1 cluster" + -$(CILIUM_CLI) --context=kind-clustermesh1 uninstall >/dev/null + $(CILIUM_CLI) --context=kind-clustermesh1 install \ + --chart-directory=$(ROOT_DIR)/install/kubernetes/cilium \ + --values=$(ROOT_DIR)/contrib/testing/kind-clustermesh1.yaml \ + --set=image.override=$(LOCAL_AGENT_IMAGE) \ + --set=operator.image.override=$(LOCAL_OPERATOR_IMAGE) \ + --set=clustermesh.apiserver.image.override=$(LOCAL_CLUSTERMESH_IMAGE) \ + --set=clustermesh.apiserver.kvstoremesh.enabled=$(ENABLE_KVSTOREMESH) + + @echo " INSTALL cilium on clustermesh2 cluster" + -$(CILIUM_CLI) --context=kind-clustermesh2 uninstall >/dev/null + $(KUBECTL) --context=kind-clustermesh1 get secret -n kube-system cilium-ca -o yaml | \ + $(KUBECTL) --context=kind-clustermesh2 replace --force -f - + $(CILIUM_CLI) --context=kind-clustermesh2 install \ + --chart-directory=$(ROOT_DIR)/install/kubernetes/cilium \ + --values=$(ROOT_DIR)/contrib/testing/kind-clustermesh2.yaml \ + --set=image.override=$(LOCAL_AGENT_IMAGE) \ + --set=operator.image.override=$(LOCAL_OPERATOR_IMAGE) \ + --set=clustermesh.apiserver.image.override=$(LOCAL_CLUSTERMESH_IMAGE) \ + --set=clustermesh.apiserver.kvstoremesh.enabled=$(ENABLE_KVSTOREMESH) + + $(MAKE) kind-connect-clustermesh + +.PHONY: kind-install-cilium-clustermesh-fast +kind-install-cilium-clustermesh-fast: check_deps kind-clustermesh-ready ## "Fast" Install a local Cilium version using volume-mounted binaries into the ClusterMesh clusters and enable ClusterMesh. 
+ @echo " INSTALL cilium on clustermesh1 cluster" + docker pull quay.io/cilium/cilium-ci:latest + kind load docker-image --name clustermesh1 quay.io/cilium/cilium-ci:latest + -$(CILIUM_CLI) --context=kind-clustermesh1 uninstall >/dev/null + $(CILIUM_CLI) --context=kind-clustermesh1 install \ + --chart-directory=$(ROOT_DIR)/install/kubernetes/cilium \ + --values=$(ROOT_DIR)/contrib/testing/kind-clustermesh1.yaml \ + --values=$(ROOT_DIR)/contrib/testing/kind-fast.yaml \ + --set=clustermesh.apiserver.kvstoremesh.enabled=$(ENABLE_KVSTOREMESH) + + @echo " INSTALL cilium on clustermesh2 cluster" + kind load docker-image --name clustermesh2 quay.io/cilium/cilium-ci:latest + -$(CILIUM_CLI) --context=kind-clustermesh2 uninstall >/dev/null + $(KUBECTL) --context=kind-clustermesh1 get secret -n kube-system cilium-ca -o yaml | \ + $(KUBECTL) --context=kind-clustermesh2 replace --force -f - + $(CILIUM_CLI) --context=kind-clustermesh2 install \ + --chart-directory=$(ROOT_DIR)/install/kubernetes/cilium \ + --values=$(ROOT_DIR)/contrib/testing/kind-clustermesh2.yaml \ + --values=$(ROOT_DIR)/contrib/testing/kind-fast.yaml \ + --set=clustermesh.apiserver.kvstoremesh.enabled=$(ENABLE_KVSTOREMESH) + + $(MAKE) kind-image-fast + $(MAKE) kind-connect-clustermesh + +KIND_CLUSTER_NAME ?= $(shell kind get clusters -q | head -n1) + +.PHONY: kind-ready +kind-ready: + @$(ECHO_CHECK) kind-ready + @if [ -n "$(shell kind get clusters -q)" ]; then echo "kind is ready"; else echo "kind not ready"; exit 1; fi + +$(eval $(call KIND_ENV,kind-build-image-agent)) +kind-build-image-agent: ## Build cilium-dev docker image + $(QUIET)$(MAKE) dev-docker-image$(DEBUGGER_SUFFIX) DOCKER_IMAGE_TAG=$(LOCAL_IMAGE_TAG) + +$(eval $(call KIND_ENV,kind-image-agent)) +kind-image-agent: .SHELLFLAGS=-c +kind-image-agent: kind-ready kind-build-image-agent ## Build cilium-dev docker image and import it into kind. + $(QUIET)kind load docker-image $(LOCAL_AGENT_IMAGE) -n $(KIND_CLUSTER_NAME); \ + [ $$? 
-eq 0 ] || $(QUIET)kind load docker-image $(LOCAL_AGENT_IMAGE) -n $(KIND_CLUSTER_NAME) + +$(eval $(call KIND_ENV,kind-build-image-operator)) +kind-build-image-operator: ## Build cilium-operator-dev docker image + $(QUIET)$(MAKE) dev-docker-operator-generic-image$(DEBUGGER_SUFFIX) DOCKER_IMAGE_TAG=$(LOCAL_IMAGE_TAG) + +$(eval $(call KIND_ENV,kind-image-operator)) +kind-image-operator: .SHELLFLAGS=-c +kind-image-operator: kind-ready kind-build-image-operator ## Build cilium-operator-dev docker image and import it into kind. + $(QUIET)kind load docker-image $(LOCAL_OPERATOR_IMAGE) -n $(KIND_CLUSTER_NAME); \ + [ $$? -eq 0 ] || $(QUIET)kind load docker-image $(LOCAL_OPERATOR_IMAGE) -n $(KIND_CLUSTER_NAME) + +$(eval $(call KIND_ENV,kind-build-clustermesh-apiserver)) +kind-build-clustermesh-apiserver: ## Build cilium-clustermesh-apiserver docker image + $(QUIET)$(MAKE) docker-clustermesh-apiserver-image DOCKER_IMAGE_TAG=$(LOCAL_IMAGE_TAG) + +.PHONY: kind-image +kind-image: ## Build cilium and operator images and import them into kind. + $(MAKE) kind-image-agent + $(MAKE) kind-image-operator + +define KIND_VALUES_FAST_FILES +--helm-values=$(ROOT_DIR)/contrib/testing/kind-common.yaml \ +--helm-values=$(ROOT_DIR)/contrib/testing/kind-fast.yaml +endef + +ifneq ("$(wildcard $(ROOT_DIR)/contrib/testing/kind-custom.yaml)","") + KIND_VALUES_FAST_FILES := $(KIND_VALUES_FAST_FILES) --helm-values=$(ROOT_DIR)/contrib/testing/kind-custom.yaml +endif + +ifdef ADDITIONAL_KIND_VALUES_FILE + KIND_VALUES_FAST_FILES := $(KIND_VALUES_FAST_FILES) --helm-values=$(ROOT_DIR)/$(ADDITIONAL_KIND_VALUES_FILE) +endif + +.PHONY: kind-install-cilium-fast +kind-install-cilium-fast: .SHELLFLAGS=-c +kind-install-cilium-fast: check_deps kind-ready ## "Fast" Install a local Cilium version using volume-mounted binaries into all clusters. 
+ @echo " INSTALL cilium" + docker pull quay.io/cilium/cilium-ci:latest + for cluster_name in $${KIND_CLUSTERS:-$(shell kind get clusters)}; do \ + kind load docker-image --name $$cluster_name quay.io/cilium/cilium-ci:latest; \ + [ $$? -eq 0 ] || kind load docker-image --name $$cluster_name quay.io/cilium/cilium-ci:latest; \ + $(CILIUM_CLI) --context=kind-$$cluster_name uninstall >/dev/null 2>&1 || true; \ + $(CILIUM_CLI) install --context=kind-$$cluster_name \ + --chart-directory=$(ROOT_DIR)/install/kubernetes/cilium \ + $(KIND_VALUES_FAST_FILES) \ + --version= >/dev/null ; \ + done + +.PHONY: build-cli +build-cli: ## Build cilium cli binary + $(QUIET)$(MAKE) -C cilium-dbg GOOS=linux + +.PHONY: build-agent +build-agent: ## Build cilium daemon binary + $(QUIET)$(MAKE) -C daemon GOOS=linux + +.PHONY: build-operator +build-operator: ## Build cilium operator binary + $(QUIET)$(MAKE) -C operator cilium-operator-generic GOOS=linux + +.PHONY: build-clustermesh-apiserver +build-clustermesh-apiserver: ## Build cilium clustermesh-apiserver binary + $(QUIET)$(MAKE) -C clustermesh-apiserver GOOS=linux + +.PHONY: build-hubble-cli +build-hubble-cli: ## Build hubble cli binary + $(QUIET)$(MAKE) -C hubble GOOS=linux + +.PHONY: build-bugtool +build-bugtool: ## Build bugtool binary + $(QUIET)$(MAKE) -C bugtool GOOS=linux + +.PHONY: kind-image-fast-agent +kind-image-fast-agent: kind-ready build-cli build-agent build-hubble-cli build-bugtool ## Build cilium cli, daemon binaries, and hubble cli. Copy the bins and bpf files to kind nodes. 
+ $(eval dst:=/cilium-binaries) + for cluster_name in $${KIND_CLUSTERS:-$(shell kind get clusters)}; do \ + for node_name in $$(kind get nodes -n "$$cluster_name"); do \ + docker exec $${node_name} mkdir -p "${dst}"; \ + \ + docker exec $${node_name} rm -rf "${dst}/var/lib/cilium"; \ + docker exec $${node_name} mkdir -p "${dst}/var/lib/cilium"; \ + docker cp "./bpf/" $${node_name}:"${dst}/var/lib/cilium/bpf"; \ + docker exec $${node_name} find "${dst}/var/lib/cilium/bpf" -type f -exec chmod 0644 {} + ;\ + \ + docker exec $${node_name} rm -f "${dst}/cilium-dbg"; \ + docker cp "./cilium-dbg/cilium-dbg" $${node_name}:"${dst}"; \ + docker exec $${node_name} chmod +x "${dst}/cilium-dbg"; \ + \ + docker exec $${node_name} rm -f "${dst}/cilium-agent"; \ + docker cp "./daemon/cilium-agent" $${node_name}:"${dst}"; \ + docker exec $${node_name} chmod +x "${dst}/cilium-agent"; \ + \ + docker exec $${node_name} rm -f "${dst}/hubble"; \ + docker cp "./hubble/hubble" $${node_name}:"${dst}"; \ + docker exec $${node_name} chmod +x "${dst}/hubble"; \ + \ + docker exec $${node_name} rm -f "${dst}/cilium-bugtool"; \ + docker cp "./bugtool/cilium-bugtool" $${node_name}:"${dst}"; \ + docker exec $${node_name} chmod +x "${dst}/cilium-bugtool"; \ + done; \ + kubectl --context=kind-$${cluster_name} delete pods -n kube-system -l k8s-app=cilium --force; \ + done + +.PHONY: kind-image-fast-operator +kind-image-fast-operator: kind-ready build-operator ## Build cilium operator binary and copy it to all kind nodes. 
+ $(eval dst:=/cilium-binaries) + for cluster_name in $${KIND_CLUSTERS:-$(shell kind get clusters)}; do \ + for node_name in $$(kind get nodes -n "$$cluster_name"); do \ + docker exec $${node_name} mkdir -p "${dst}"; \ + \ + docker exec $${node_name} rm -f "${dst}/cilium-operator-generic"; \ + docker cp "./operator/cilium-operator-generic" $${node_name}:"${dst}"; \ + docker exec $${node_name} chmod +x "${dst}/cilium-operator-generic"; \ + done; \ + kubectl --context=kind-$${cluster_name} delete pods -n kube-system -l name=cilium-operator --force; \ + done + +.PHONY: kind-image-fast-clustermesh-apiserver +kind-image-fast-clustermesh-apiserver: kind-ready build-clustermesh-apiserver ## Build clustermesh-apiserver binary and copy it to all kind nodes. + $(eval dst:=/cilium-binaries) + for cluster_name in $${KIND_CLUSTERS:-$(shell kind get clusters)}; do \ + for node_name in $$(kind get nodes -n "$$cluster_name"); do \ + docker exec $${node_name} mkdir -p "${dst}"; \ + \ + docker exec $${node_name} rm -f "${dst}/clustermesh-apiserver"; \ + docker cp "./clustermesh-apiserver/clustermesh-apiserver" $${node_name}:"${dst}"; \ + docker exec $${node_name} chmod +x "${dst}/clustermesh-apiserver"; \ + done; \ + kubectl --context=kind-$${cluster_name} delete pods -n kube-system -l k8s-app=clustermesh-apiserver --force; \ + done + +.PHONY: kind-image-fast +kind-image-fast: kind-image-fast-agent kind-image-fast-operator kind-image-fast-clustermesh-apiserver ## Build all binaries and copy them to kind nodes. 
+ +define KIND_VALUES_FILES +--helm-values=$(ROOT_DIR)/contrib/testing/kind-common.yaml \ +--helm-values=$(ROOT_DIR)/contrib/testing/kind-values.yaml +endef + +ifdef ADDITIONAL_KIND_VALUES_FILE + KIND_VALUES_FILES := $(KIND_VALUES_FILES) --helm-values=$(ROOT_DIR)/$(ADDITIONAL_KIND_VALUES_FILE) +endif + +ifneq ("$(wildcard $(ROOT_DIR)/contrib/testing/kind-custom.yaml)","") + KIND_VALUES_FILES := $(KIND_VALUES_FILES) --helm-values=$(ROOT_DIR)/contrib/testing/kind-custom.yaml +endif + +.PHONY: kind-install-cilium +kind-install-cilium: check_deps kind-ready ## Install a local Cilium version into the cluster. + @echo " INSTALL cilium" + # cilium-cli doesn't support idempotent installs, so we uninstall and + # reinstall here. https://github.com/cilium/cilium-cli/issues/205 + -@$(CILIUM_CLI) uninstall >/dev/null 2>&1 || true + + # cilium-cli's --wait flag doesn't work, so we just force it to run + # in the background instead and wait for the resources to be available. + # https://github.com/cilium/cilium-cli/issues/1070 + $(CILIUM_CLI) install \ + --chart-directory=$(ROOT_DIR)/install/kubernetes/cilium \ + $(KIND_VALUES_FILES) \ + --version= \ + >/dev/null 2>&1 & + +GW_VERSION ?= $(shell grep "sigs.k8s.io/gateway-api" go.mod | awk '{print $$2}' | awk -F'-' '{print (NF>2)?$$NF:$$0}') +# Set this to "standard" to use the standard CRDs instead +GW_CHANNEL ?= "experimental" +KIND_NET_CIDR ?= $(shell docker network inspect kind-cilium -f '{{json .IPAM.Config}}' | jq -r '.[] | select(.Subnet | test("^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+")) | .Subnet') +LB_CIDR ?= $(shell echo $(KIND_NET_CIDR) | sed "s@0.0/16@255.200\/28@" | sed -e 's/[\/&]/\\&/g') + +.PHONY: kind-servicemesh-install-cilium +kind-servicemesh-install-cilium: check_deps kind-ready ## Install a local Cilium version into the cluster. + @echo " INSTALL cilium" + # cilium-cli doesn't support idempotent installs, so we uninstall and + # reinstall here. 
https://github.com/cilium/cilium-cli/issues/205 + -@$(CILIUM_CLI) uninstall >/dev/null 2>&1 || true + + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$(GW_VERSION)/config/crd/$(GW_CHANNEL)/gateway.networking.k8s.io_gatewayclasses.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$(GW_VERSION)/config/crd/$(GW_CHANNEL)/gateway.networking.k8s.io_gateways.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$(GW_VERSION)/config/crd/$(GW_CHANNEL)/gateway.networking.k8s.io_httproutes.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$(GW_VERSION)/config/crd/$(GW_CHANNEL)/gateway.networking.k8s.io_referencegrants.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$(GW_VERSION)/config/crd/$(GW_CHANNEL)/gateway.networking.k8s.io_grpcroutes.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$(GW_VERSION)/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml + + $(CILIUM_CLI) install \ + --chart-directory=$(ROOT_DIR)/install/kubernetes/cilium \ + $(KIND_VALUES_FILES) \ + --helm-values=$(ROOT_DIR)/contrib/testing/kind-servicemesh.yaml \ + --version= \ + >/dev/null 2>&1 & + + $(CILIUM_CLI) status --wait --wait-duration 30s + + @echo "KIND_NET_CIDR: $(KIND_NET_CIDR)" + @echo "LB_CIDR: $(LB_CIDR)" + + @echo "Deploying LB-IPAM Pool..." + sed -e "s/LB_CIDR/$(LB_CIDR)/g" $(ROOT_DIR)/contrib/testing/servicemesh/ippool.yaml | kubectl apply -f - + + @echo "Deploying L2-Announcement Policy..." 
+ kubectl apply -f $(ROOT_DIR)/contrib/testing/servicemesh/l2policy.yaml + +.PHONY: kind-servicemesh-prereqs +kind-servicemesh-prereqs: check_deps kind-ready + @echo " SETUP Servicemesh" + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$(GW_VERSION)/config/crd/$(GW_CHANNEL)/gateway.networking.k8s.io_gatewayclasses.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$(GW_VERSION)/config/crd/$(GW_CHANNEL)/gateway.networking.k8s.io_gateways.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$(GW_VERSION)/config/crd/$(GW_CHANNEL)/gateway.networking.k8s.io_httproutes.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$(GW_VERSION)/config/crd/$(GW_CHANNEL)/gateway.networking.k8s.io_referencegrants.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$(GW_VERSION)/config/crd/$(GW_CHANNEL)/gateway.networking.k8s.io_grpcroutes.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$(GW_VERSION)/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml + + $(eval KIND_VALUES_FAST_FILES += --helm-values=$(ROOT_DIR)/contrib/testing/kind-servicemesh.yaml) + + @echo "KIND_VALUES_FILES $(KIND_VALUES_FAST_FILES)" + +.PHONY: kind-servicemesh-install-cilium-fast +kind-servicemesh-install-cilium-fast: | kind-servicemesh-prereqs kind-image-fast kind-install-cilium-fast + $(CILIUM_CLI) status --wait --wait-duration 30s + + @echo "KIND_NET_CIDR: $(KIND_NET_CIDR)" + @echo "LB_CIDR: $(LB_CIDR)" + + @echo "Deploying LB-IPAM Pool..." + sed -e "s/LB_CIDR/$(LB_CIDR)/g" $(ROOT_DIR)/contrib/testing/servicemesh/ippool.yaml | kubectl apply -f - + + @echo "Deploying L2-Announcement Policy..." 
+ kubectl apply -f $(ROOT_DIR)/contrib/testing/servicemesh/l2policy.yaml + +.PHONY: kind-egressgw-install-cilium +kind-egressgw-install-cilium: check_deps kind-ready ## Install a local Cilium version into the cluster. + @echo " INSTALL cilium" + # cilium-cli doesn't support idempotent installs, so we uninstall and + # reinstall here. https://github.com/cilium/cilium-cli/issues/205 + -@$(CILIUM_CLI) uninstall >/dev/null 2>&1 || true + + # cilium-cli's --wait flag doesn't work, so we just force it to run + # in the background instead and wait for the resources to be available. + # https://github.com/cilium/cilium-cli/issues/1070 + $(CILIUM_CLI) install \ + --chart-directory=$(ROOT_DIR)/install/kubernetes/cilium \ + $(KIND_VALUES_FILES) \ + --helm-values=$(ROOT_DIR)/contrib/testing/kind-egressgw-values.yaml \ + --nodes-without-cilium \ + --version= \ + >/dev/null 2>&1 & + +KVSTORE_POD_NAME ?= "kvstore" +KVSTORE_POD_PORT ?= "2378" + +.PHONY: kind-kvstore-install-cilium +kind-kvstore-install-cilium: check_deps kind-ready kind-kvstore-start ## Install a local Cilium version into the cluster, configured in kvstore mode. 
+ $(MAKE) kind-install-cilium KIND_VALUES_FILES="\ + $(KIND_VALUES_FILES) \ + --set etcd.enabled=true \ + --set etcd.endpoints[0]=http://$(shell kubectl --namespace kube-system get pod $(KVSTORE_POD_NAME) -o jsonpath='{.status.hostIP}'):$(KVSTORE_POD_PORT) \ + --set identityAllocationMode=kvstore \ + " + +.PHONY: kind-kvstore-start +kind-kvstore-start: ## Start an etcd pod serving as Cilium's kvstore + kubectl --namespace kube-system get pod $(KVSTORE_POD_NAME) >/dev/null 2>/dev/null || \ + kubectl --namespace kube-system run $(KVSTORE_POD_NAME) --image $(ETCD_IMAGE) \ + --overrides='{ "apiVersion": "v1", "spec": { "hostNetwork": true, "nodeSelector": {"node-role.kubernetes.io/control-plane": ""}, "tolerations": [{ "operator": "Exists" }] }}' \ + -- etcd --listen-client-urls=http://0.0.0.0:$(KVSTORE_POD_PORT) --advertise-client-urls=http://0.0.0.0:$(KVSTORE_POD_PORT) + + kubectl --namespace kube-system wait --for=condition=Ready pod/$(KVSTORE_POD_NAME) + +.PHONY: kind-kvstore-stop +kind-kvstore-stop: ## Stop the etcd pod serving as Cilium's kvstore + kubectl --namespace kube-system delete pod $(KVSTORE_POD_NAME) --ignore-not-found + kubectl --namespace kube-system wait --for=delete pod/$(KVSTORE_POD_NAME) + +.PHONY: kind-uninstall-cilium +kind-uninstall-cilium: check_deps ## Uninstall Cilium from the cluster. + @echo " UNINSTALL cilium" + -$(CILIUM_CLI) uninstall + +.PHONY: kind-check-cilium +kind-check-cilium: check_deps + @echo " CHECK cilium is ready..." + $(CILIUM_CLI) status --wait --wait-duration 1s >/dev/null 2>/dev/null + +# Template for kind debug targets. Parameters are: +# $(1) agent target +define DEBUG_KIND_TEMPLATE +.PHONY: kind-image$(1)-debug +kind-image$(1)-debug: export DEBUGGER_SUFFIX=-debug +kind-image$(1)-debug: export NOSTRIP=1 +kind-image$(1)-debug: export NOOPT=1 +kind-image$(1)-debug: ## Build cilium$(1) docker image with a dlv debugger wrapper and import it into kind. 
+ $(MAKE) kind-image$(1)
+endef
+
+# kind-image-agent-debug
+$(eval $(call DEBUG_KIND_TEMPLATE,-agent))
+
+# kind-image-operator-debug
+$(eval $(call DEBUG_KIND_TEMPLATE,-operator))
+
+$(eval $(call KIND_ENV,kind-debug-agent))
+kind-debug-agent: ## Create a local kind development environment with cilium-agent attached to a debugger.
+ $(QUIET)$(MAKE) kind-ready 2>/dev/null \
+ || $(MAKE) kind
+ $(MAKE) kind-image-agent-debug
+ # Not debugging cilium-operator here; any image is good enough.
+ kind load docker-image $(LOCAL_OPERATOR_IMAGE) \
+ || $(MAKE) kind-image-operator
+ $(MAKE) kind-check-cilium 2>/dev/null \
+ || $(MAKE) kind-install-cilium
+ @echo "Attach delve to localhost on these ports to continue:"
+ @echo " - 23401: cilium-agent (kind-control-plane)"
+ @echo " - 23411: cilium-agent (kind-worker)"
+
+$(eval $(call KIND_ENV,kind-debug))
+kind-debug: ## Create a local kind development environment with cilium-agent & cilium-operator attached to a debugger.
+ $(QUIET)$(MAKE) kind-ready 2>/dev/null \
+ || $(MAKE) kind
+ $(MAKE) kind-image-agent-debug
+ $(MAKE) kind-image-operator-debug
+ $(MAKE) kind-check-cilium 2>/dev/null \
+ || $(MAKE) kind-install-cilium
+ @echo "Attach delve to localhost on these ports to continue:"
+ @echo " - 23401: cilium-agent (kind-control-plane)"
+ @echo " - 23411: cilium-agent (kind-worker)"
+ @echo " - 23511: cilium-operator (kind-worker)"
diff --git a/vendor/github.com/cilium/cilium/Makefile.quiet b/vendor/github.com/cilium/cilium/Makefile.quiet
new file mode 100644
index 0000000000..397661109e
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/Makefile.quiet
@@ -0,0 +1,30 @@
+# Copyright Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+ifeq ($(ROOT_DIR),)
+ ROOT_DIR ?= $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+ RELATIVE_DIR ?= $(shell echo $(realpath .) | sed "s;$(ROOT_DIR)[/]*;;")
+endif
+ifeq ($(V),0)
+ QUIET=@
+ ECHO_CC=echo " CC $(RELATIVE_DIR)/$@"
+ ECHO_CHECK=echo " CHECK $(RELATIVE_DIR)"
+ ECHO_CLEAN=echo " CLEAN $(RELATIVE_DIR)"
+ ECHO_DOCKER=echo " DOCKER $(RELATIVE_DIR) $@"
+ ECHO_GEN=echo " GEN $(RELATIVE_DIR)/"
+ ECHO_GINKGO=echo " GINKGO $(RELATIVE_DIR)"
+ ECHO_GO=echo " GO $(RELATIVE_DIR)/$@"
+ ECHO_TEST=echo " TEST "
+ SUBMAKEOPTS="-s"
+else
+ # The whitespace at below EOLs is required for verbose case!
+ ECHO_CC=:
+ ECHO_CHECK=:
+ ECHO_CLEAN=:
+ ECHO_DOCKER=:
+ ECHO_GEN=:
+ ECHO_GINKGO=:
+ ECHO_GO=:
+ ECHO_TEST=:
+ SUBMAKEOPTS=
+endif
diff --git a/vendor/github.com/cilium/cilium/README.rst b/vendor/github.com/cilium/cilium/README.rst
new file mode 100644
index 0000000000..57d1768595
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/README.rst
@@ -0,0 +1,359 @@ +.. raw:: html + + + + Cilium Logo + + +|cii| |go-report| |clomonitor| |artifacthub| |slack| |go-doc| |rtd| |apache| |bsd| |gpl| |fossa| |gateway-api| |codespaces| + +Cilium is a networking, observability, and security solution with an eBPF-based +dataplane. It provides a simple flat Layer 3 network with the ability to span +multiple clusters in either a native routing or overlay mode. It is L7-protocol +aware and can enforce network policies on L3-L7 using an identity based security +model that is decoupled from network addressing. + +Cilium implements distributed load balancing for traffic between pods and to +external services, and is able to fully replace kube-proxy, using efficient +hash tables in eBPF allowing for almost unlimited scale. It also supports +advanced functionality like integrated ingress and egress gateway, bandwidth +management and service mesh, and provides deep network and security visibility and monitoring. + +A new Linux kernel technology called eBPF_ is at the foundation of Cilium. It +supports dynamic insertion of eBPF bytecode into the Linux kernel at various +integration points such as: network IO, application sockets, and tracepoints to +implement security, networking and visibility logic. eBPF is highly efficient +and flexible. To learn more about eBPF, visit `eBPF.io`_. + +.. image:: Documentation/images/cilium-overview.png + :alt: Overview of Cilium features for networking, observability, service mesh, and runtime security + +.. raw:: html + + + + + CNCF Graduated Project + + + + + + Powered by eBPF + + + +Stable Releases +=============== + +The Cilium community maintains minor stable releases for the last three minor +Cilium versions. Older Cilium stable versions from minor releases prior to that +are considered EOL. + +For upgrades to new minor releases please consult the `Cilium Upgrade Guide`_. 
+ +Listed below are the actively maintained release branches along with their latest +patch release, corresponding image pull tags and their release notes: + ++---------------------------------------------------------+------------+------------------------------------+----------------------------------------------------------------------------+ +| `v1.17 `__ | 2025-02-04 | ``quay.io/cilium/cilium:v1.17.0`` | `Release Notes `__ | ++---------------------------------------------------------+------------+------------------------------------+----------------------------------------------------------------------------+ +| `v1.16 `__ | 2025-01-21 | ``quay.io/cilium/cilium:v1.16.6`` | `Release Notes `__ | ++---------------------------------------------------------+------------+------------------------------------+----------------------------------------------------------------------------+ +| `v1.15 `__ | 2025-01-16 | ``quay.io/cilium/cilium:v1.15.13`` | `Release Notes `__ | ++---------------------------------------------------------+------------+------------------------------------+----------------------------------------------------------------------------+ + +Architectures +------------- + +Cilium images are distributed for AMD64 and AArch64 architectures. + +Software Bill of Materials +-------------------------- + +Starting with Cilium version 1.13.0, all images include a Software Bill of +Materials (SBOM). The SBOM is generated in `SPDX`_ format. More information +on this is available on `Cilium SBOM`_. + +.. _`SPDX`: https://spdx.dev/ +.. _`Cilium SBOM`: https://docs.cilium.io/en/latest/configuration/sbom/ + +Development +=========== + +For development and testing purpose, the Cilium community publishes snapshots, +early release candidates (RC) and CI container images build from the `main +branch `_. These images are +not for use in production. 
+ +For testing upgrades to new development releases please consult the latest +development build of the `Cilium Upgrade Guide`_. + +Listed below are branches for testing along with their snapshots or RC releases, +corresponding image pull tags and their release notes where applicable: + ++----------------------------------------------------------------------------+------------+-----------------------------------------+------------------------------------------------------------------------------------------------+ +| `main `__ | daily | ``quay.io/cilium/cilium-ci:latest`` | N/A | ++----------------------------------------------------------------------------+------------+-----------------------------------------+------------------------------------------------------------------------------------------------+ +| `v1.17.0-rc.2 `__ | 2025-01-24 | ``quay.io/cilium/cilium:v1.17.0-rc.2`` | `Pre Release Candidate Notes `__ | ++----------------------------------------------------------------------------+------------+-----------------------------------------+------------------------------------------------------------------------------------------------+ + +Functionality Overview +====================== + +.. begin-functionality-overview + +Protect and secure APIs transparently +------------------------------------- + +Ability to secure modern application protocols such as REST/HTTP, gRPC and +Kafka. Traditional firewalls operate at Layer 3 and 4. A protocol running on a +particular port is either completely trusted or blocked entirely. Cilium +provides the ability to filter on individual application protocol requests such +as: + +- Allow all HTTP requests with method ``GET`` and path ``/public/.*``. Deny all + other requests. +- Allow ``service1`` to produce on Kafka topic ``topic1`` and ``service2`` to + consume on ``topic1``. Reject all other Kafka messages. +- Require the HTTP header ``X-Token: [0-9]+`` to be present in all REST calls. 
+ +See the section `Layer 7 Policy`_ in our documentation for the latest list of +supported protocols and examples on how to use it. + +Secure service to service communication based on identities +----------------------------------------------------------- + +Modern distributed applications rely on technologies such as application +containers to facilitate agility in deployment and scale out on demand. This +results in a large number of application containers being started in a short +period of time. Typical container firewalls secure workloads by filtering on +source IP addresses and destination ports. This concept requires the firewalls +on all servers to be manipulated whenever a container is started anywhere in +the cluster. + +In order to avoid this situation which limits scale, Cilium assigns a security +identity to groups of application containers which share identical security +policies. The identity is then associated with all network packets emitted by +the application containers, allowing to validate the identity at the receiving +node. Security identity management is performed using a key-value store. + +Secure access to and from external services +------------------------------------------- + +Label based security is the tool of choice for cluster internal access control. +In order to secure access to and from external services, traditional CIDR based +security policies for both ingress and egress are supported. This allows to +limit access to and from application containers to particular IP ranges. + +Simple Networking +----------------- + +A simple flat Layer 3 network with the ability to span multiple clusters +connects all application containers. IP allocation is kept simple by using host +scope allocators. This means that each host can allocate IPs without any +coordination between hosts. + +The following multi node networking models are supported: + +* **Overlay:** Encapsulation-based virtual network spanning all hosts. 
+ Currently, VXLAN and Geneve are baked in but all encapsulation formats + supported by Linux can be enabled. + + When to use this mode: This mode has minimal infrastructure and integration + requirements. It works on almost any network infrastructure as the only + requirement is IP connectivity between hosts which is typically already + given. + +* **Native Routing:** Use of the regular routing table of the Linux host. + The network is required to be capable to route the IP addresses of the + application containers. + + When to use this mode: This mode is for advanced users and requires some + awareness of the underlying networking infrastructure. This mode works well + with: + + - Native IPv6 networks + - In conjunction with cloud network routers + - If you are already running routing daemons + +Load Balancing +-------------- + +Cilium implements distributed load balancing for traffic between application +containers and to external services and is able to fully replace components +such as kube-proxy. The load balancing is implemented in eBPF using efficient +hashtables allowing for almost unlimited scale. + +For north-south type load balancing, Cilium's eBPF implementation is optimized +for maximum performance, can be attached to XDP (eXpress Data Path), and supports +direct server return (DSR) as well as Maglev consistent hashing if the load +balancing operation is not performed on the source host. + +For east-west type load balancing, Cilium performs efficient service-to-backend +translation right in the Linux kernel's socket layer (e.g. at TCP connect time) +such that per-packet NAT operations overhead can be avoided in lower layers. + +Bandwidth Management +-------------------- + +Cilium implements bandwidth management through efficient EDT-based (Earliest Departure +Time) rate-limiting with eBPF for container traffic that is egressing a node. 
This +allows to significantly reduce transmission tail latencies for applications and to +avoid locking under multi-queue NICs compared to traditional approaches such as HTB +(Hierarchy Token Bucket) or TBF (Token Bucket Filter) as used in the bandwidth CNI +plugin, for example. + +Monitoring and Troubleshooting +------------------------------ + +The ability to gain visibility and troubleshoot issues is fundamental to the +operation of any distributed system. While we learned to love tools like +``tcpdump`` and ``ping`` and while they will always find a special place in our +hearts, we strive to provide better tooling for troubleshooting. This includes +tooling to provide: + +- Event monitoring with metadata: When a packet is dropped, the tool doesn't + just report the source and destination IP of the packet, the tool provides + the full label information of both the sender and receiver among a lot of + other information. + +- Metrics export via Prometheus: Key metrics are exported via Prometheus for + integration with your existing dashboards. + +- Hubble_: An observability platform specifically written for Cilium. It + provides service dependency maps, operational monitoring and alerting, + and application and security visibility based on flow logs. + +.. _Hubble: https://github.com/cilium/hubble/ +.. _`Layer 7 Policy`: https://docs.cilium.io/en/stable/security/policy/language/#layer-7-examples + +.. end-functionality-overview + +Getting Started +=============== + +* `Why Cilium?`_ +* `Getting Started`_ +* `Architecture and Concepts`_ +* `Installing Cilium`_ +* `Frequently Asked Questions`_ +* Contributing_ + +Community +========= + +Slack +----- + +Join the Cilium `Slack channel `_ to chat with +Cilium developers and other Cilium users. This is a good place to learn about +Cilium, ask questions, and share your experiences. 
+ +Special Interest Groups (SIG) +----------------------------- + +See `Special Interest groups +`_ for a list of all SIGs and their meeting times. + +Developer meetings +------------------ +The Cilium developer community hangs out on Zoom to chat. Everybody is welcome. + +* Weekly, Wednesday, + 5:00 pm `Europe/Zurich time `__ (CET/CEST), + usually equivalent to 8:00 am PT, or 11:00 am ET. `Meeting Notes and Zoom Info`_ +* Third Wednesday of each month, 9:00 am `Japan time `__ (JST). `APAC Meeting Notes and Zoom Info`_ + +eBPF & Cilium Office Hours livestream +------------------------------------- +We host a weekly community `YouTube livestream called eCHO `_ which (very loosely!) stands for eBPF & Cilium Office Hours. Join us live, catch up with past episodes, or head over to the `eCHO repo `_ and let us know your ideas for topics we should cover. + +Governance +---------- +The Cilium project is governed by a group of `Maintainers and Committers `__. +How they are selected and govern is outlined in our `governance document `__. + +Adopters +-------- +A list of adopters of the Cilium project who are deploying it in production, and of their use cases, +can be found in file `USERS.md `__. + +License +======= + +.. _apache-license: LICENSE +.. _bsd-license: bpf/LICENSE.BSD-2-Clause +.. _gpl-license: bpf/LICENSE.GPL-2.0 + +The Cilium user space components are licensed under the +`Apache License, Version 2.0 `__. +The BPF code templates are dual-licensed under the +`General Public License, Version 2.0 (only) `__ +and the `2-Clause BSD License `__ +(you can use the terms of either license, at your option). + +.. _`Cilium Upgrade Guide`: https://docs.cilium.io/en/stable/operations/upgrade/ +.. _`Why Cilium?`: https://docs.cilium.io/en/stable/overview/intro +.. _`Getting Started`: https://docs.cilium.io/en/stable/#getting-started +.. _`Architecture and Concepts`: https://docs.cilium.io/en/stable/overview/component-overview/ +.. 
_`Installing Cilium`: https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/ +.. _`Frequently Asked Questions`: https://github.com/cilium/cilium/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Akind%2Fquestion+ +.. _Contributing: https://docs.cilium.io/en/stable/contributing/development/ +.. _Prerequisites: https://docs.cilium.io/en/stable/operations/system_requirements/ +.. _`eBPF`: https://ebpf.io +.. _`eBPF.io`: https://ebpf.io +.. _`Meeting Notes and Zoom Info`: https://docs.google.com/document/d/1Y_4chDk4rznD6UgXPlPvn3Dc7l-ZutGajUv1eF0VDwQ/edit# +.. _`APAC Meeting Notes and Zoom Info`: https://docs.google.com/document/d/1egv4qLydr0geP-GjQexYKm4tz3_tHy-LCBjVQcXcT5M/edit# + +.. |go-report| image:: https://goreportcard.com/badge/github.com/cilium/cilium + :alt: Go Report Card + :target: https://goreportcard.com/report/github.com/cilium/cilium + +.. |go-doc| image:: https://godoc.org/github.com/cilium/cilium?status.svg + :alt: GoDoc + :target: https://godoc.org/github.com/cilium/cilium + +.. |rtd| image:: https://readthedocs.org/projects/docs/badge/?version=latest + :alt: Read the Docs + :target: https://docs.cilium.io/ + +.. |apache| image:: https://img.shields.io/badge/license-Apache-blue.svg + :alt: Apache licensed + :target: apache-license_ + +.. |bsd| image:: https://img.shields.io/badge/license-BSD-blue.svg + :alt: BSD licensed + :target: bsd-license_ + +.. |gpl| image:: https://img.shields.io/badge/license-GPL-blue.svg + :alt: GPL licensed + :target: gpl-license_ + +.. |slack| image:: https://img.shields.io/badge/slack-cilium-brightgreen.svg?logo=slack + :alt: Join the Cilium slack channel + :target: https://slack.cilium.io + +.. |cii| image:: https://bestpractices.coreinfrastructure.org/projects/1269/badge + :alt: CII Best Practices + :target: https://bestpractices.coreinfrastructure.org/projects/1269 + +.. 
|clomonitor| image:: https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/cilium/badge + :alt: CLOMonitor + :target: https://clomonitor.io/projects/cncf/cilium + +.. |artifacthub| image:: https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/cilium + :alt: Artifact Hub + :target: https://artifacthub.io/packages/helm/cilium/cilium + +.. |fossa| image:: https://app.fossa.com/api/projects/custom%2B162%2Fgit%40github.com%3Acilium%2Fcilium.git.svg?type=shield + :alt: FOSSA Status + :target: https://app.fossa.com/projects/custom%2B162%2Fgit%40github.com%3Acilium%2Fcilium.git?ref=badge_shield + +.. |gateway-api| image:: https://img.shields.io/badge/Gateway%20API%20Conformance%20v1.2.0-Cilium-green + :alt: Gateway API Status + :target: https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.2.0/cilium-cilium + +.. |codespaces| image:: https://img.shields.io/badge/Open_in_GitHub_Codespaces-gray?logo=github + :alt: Github Codespaces + :target: https://github.com/codespaces/new?hide_repo_select=true&ref=master&repo=48109239&machine=standardLinux32gb&location=WestEurope diff --git a/vendor/github.com/cilium/cilium/SECURITY-INSIGHTS.yml b/vendor/github.com/cilium/cilium/SECURITY-INSIGHTS.yml new file mode 100644 index 0000000000..3074a9d1e2 --- /dev/null +++ b/vendor/github.com/cilium/cilium/SECURITY-INSIGHTS.yml 
@@ -0,0 +1,69 @@
+header:
+ schema-version: '1.0.0'
+ expiration-date: '2025-01-26T01:00:00.000Z'
+ last-updated: '2024-01-26'
+ last-reviewed: '2024-01-26'
+ project-url: https://github.com/cilium/cilium
+ license: https://github.com/cilium/cilium/blob/main/LICENSE
+project-lifecycle:
+ status: active
+ bug-fixes-only: false
+ core-maintainers:
+ - https://github.com/cilium/cilium/blob/main/MAINTAINERS.md
+ roadmap: https://docs.cilium.io/en/stable/community/roadmap
+contribution-policy:
+ accepts-pull-requests: true
+ accepts-automated-pull-requests: true
+dependencies:
+ third-party-packages: true
+ dependencies-lists:
+ - https://github.com/cilium/cilium/blob/main/go.mod
+ sbom:
+ - sbom-format: SPDX
+ sbom-url: https://docs.cilium.io/en/stable/configuration/sbom
+distribution-points:
+ - https://github.com/cilium/cilium
+ - https://hub.docker.com/u/cilium
+ - https://quay.io/organization/cilium
+documentation:
+ - https://docs.cilium.io/en/stable/
+security-assessments:
+ - auditor-name: ADA Logics
+ auditor-url: https://adalogics.com
+ auditor-report: https://github.com/cilium/cilium.io/blob/main/Security-Reports/CiliumSecurityAudit2022.pdf
+ report-year: 2022
+ - auditor-name: ADA Logics
+ auditor-url: https://adalogics.com
+ auditor-report: https://github.com/cilium/cilium.io/blob/main/Security-Reports/CiliumFuzzingAudit2022.pdf
+ report-year: 2022
+security-contacts:
+ - type: email
+ value: security@cilium.io
+security-testing:
+- tool-type: sca
+ tool-name: Mend Renovate
+ tool-url: https://www.mend.io/renovate
+ tool-version: latest
+ integration:
+ ad-hoc: false
+ ci: true
+ before-release: true
+- tool-type: fuzzer
+ tool-name: OSS-Fuzz
+ tool-url: https://github.com/google/oss-fuzz
+ tool-version: latest
+ integration:
+ ad-hoc: false
+ ci: true
+ before-release: true
+- tool-type: sast
+ tool-name: Grype
+ tool-url: https://github.com/anchore/grype
+ tool-version: latest
+ integration:
+ ad-hoc: false
+ ci: true
+ before-release: true
+vulnerability-reporting:
+ accepts-vulnerability-reports: true
+ security-policy: https://github.com/cilium/cilium/security
diff --git a/vendor/github.com/cilium/cilium/SECURITY.md b/vendor/github.com/cilium/cilium/SECURITY.md
new file mode 100644
index 0000000000..87570c3114
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/SECURITY.md
@@ -0,0 +1,29 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|----------| ------------------ |
+| main | :white_check_mark: |
+| 1.17.x | :white_check_mark: |
+| 1.16.x | :white_check_mark: |
+| 1.15.x | :white_check_mark: |
+| < 1.15.0 | :x: |
+
+## Reporting a Vulnerability
+
+We strongly encourage you to report security vulnerabilities to
+our private security mailing list: security@cilium.io - first, before
+disclosing them in any public forums.
+
+A threat model for Cilium and recommendations for running Cilium in production
+environments can be found [here][threat-model]. Please ensure that you have
+taken this threat model into consideration before making a report, including
+considering the feasibility of an attack against a correctly secured
+environment.
+
+This is a private mailing list where members of Cilium's
+[Security Team](https://github.com/cilium/community/blob/main/roles/Security-Team.md)
+are subscribed to, and is treated as top priority.
+
+[threat-model]: https://docs.cilium.io/en/latest/security/threat-model/
diff --git a/vendor/github.com/cilium/cilium/USERS.md b/vendor/github.com/cilium/cilium/USERS.md
new file mode 100644
index 0000000000..71734e2227
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/USERS.md
@@ -0,0 +1,924 @@
+Who is using Cilium?
+====================
+
+Sharing experiences and learning from other users is essential. We are
+frequently asked who is using a particular feature of Cilium so people can get in
+contact with other users to share experiences and best practices. People
+also often want to know if product/platform X has integrated Cilium.
+While the [Cilium Slack community](https://slack.cilium.io) allows
+users to get in touch, it can be challenging to find this information quickly.
+
+The following is a directory of adopters to help identify users of individual
+features. The users themselves directly maintain the list.
+
+Adding yourself as a user
+-------------------------
+
+If you are using Cilium or it is integrated into your product, service, or
+platform, please consider adding yourself as a user with a quick
+description of your use case by opening a pull request to this file and adding
+a section describing your usage of Cilium. If you are open to others contacting
+you about your use of Cilium on Slack, add your Slack nickname as well.
+
+ N: Name of user (company)
+ D: Description
+ U: Usage of features
+ L: Link with further information (optional)
+ Q: Contacts available for questions (optional)
+
+Example entry:
+
+ * N: Cilium Example User Inc.
+ D: Cilium Example User Inc. is using Cilium for scientific purposes
+ U: ENI networking, DNS policies, ClusterMesh
+ Q: @slacknick1, @slacknick2
+
+Requirements to be listed
+-------------------------
+
+ * You must represent the user listed. Do *NOT* add entries on behalf of
+ other users.
+ * There is no minimum deployment size but we request to list permanent
+ production deployments only, i.e., no demo or trial deployments. Commercial
+ use is not required. A well-done home lab setup can be equally
+ interesting as a large-scale commercial deployment.
+ +Users (Alphabetically) +---------------------- + + * N: Ænix + D: Ænix uses Cilium in free PaaS platform [Cozystack](https://cozystack.io) for running containers, virtual machines and Kubernetes-as-a-Service. + U: Networking, NetworkPolicy, kube-proxy replacement, CNI-Chaining (with kube-ovn) + L: https://cozystack.io/ + Q: @kvaps + + * N: AccuKnox + D: AccuKnox uses Cilium for network visibility and network policy enforcement. + U: L3/L4/L7 policy enforcement using Identity, External/VM Workloads, Network Visibility using Hubble + L: https://www.accuknox.com/spifee-identity-for-cilium-presentation-at-kubecon-2021, https://www.accuknox.com/cilium + Q: @nyrahul + + * N: Acoss + D: Acoss is using cilium as their main CNI plugin (self hosted k8s, On-premises) + U: CiliumNetworkPolicy, Hubble, BPF NodePort, Direct routing + L: @JrCs + + * N: Adobe, Inc. + D: Adobe's Project Ethos uses Cilium for multi-tenant, multi-cloud clusters + U: L3/L4/L7 policies + L: https://youtu.be/39FLsSc2P-Y + + * N: AirQo + D: AirQo uses Cilium as the CNI plugin + U: CNI, Networking, NetworkPolicy, Cluster Mesh, Hubble, Kubernetes services + L: @airqo-platform + + * N: Alauda + D: Alauda uses Cilium in the Alauda Container Platform product to provide high performance network,observability and security. 
+ U: Networking, NetworkPolicy, Services, Observability + Q:@oilbeater + + * N: Alibaba Cloud + D: Alibaba Cloud is using Cilium together with Terway CNI as the high-performance ENI dataplane + U: Networking, NetworkPolicy, Services, IPVLAN + L: https://www.alibabacloud.com/blog/how-does-alibaba-cloud-build-high-performance-cloud-native-pod-networks-in-production-environments_596590 + + * N: Amazon Web Services (AWS) + D: AWS uses Cilium as the default CNI for EKS Anywhere + U: Networking, NetworkPolicy, Services + L: https://isovalent.com/blog/post/2021-09-aws-eks-anywhere-chooses-cilium + + * N: APPUiO by VSHN + D: VSHN uses Cilium for multi-tenant networking on APPUiO Cloud and as an add-on to APPUiO Managed, both on Red Hat OpenShift and Cloud Kubernetes. + U: CNI, Networking, NetworkPolicy, Hubble, IPAM, Kubernetes services + L: https://products.docs.vshn.ch/products/appuio/managed/addon_cilium.html and https://www.appuio.cloud + + * N: ArangoDB Oasis + D: ArangoDB Oasis is using Cilium in to separate database deployments in our multi-tenant cloud environment + U: Networking, CiliumNetworkPolicy(cluster & local), Hubble, IPAM + L: https://cloud.arangodb.com + Q: @ewoutp @Robert-Stam + + * N: Archer Aviation + D: Archer Aviation uses Cilium as part of the foundation of the Kubernetes cluster. + U: Networking, Observability, Security + L: https://www.archer.com + Q: @Hongbo Miao + + * N: Ascend.io + D: Ascend.io is using Cilium as a consistent CNI for our Data Automation Platform on GKE, EKS, and AKS. 
+ U: Transparent Encryption, Overlay Networking, Cluster Mesh, Egress Gateway, Network Policy, Hubble + L: https://www.ascend.io/ + Q: @Joe Stevens + + * N: Ayedo + D: Ayedo builds and operates cloud-native container platforms based on Kubernetes + U: Hubble for Visibility, Cilium as Mesh between Services + L: https://www.ayedo.de/ + + * N: Back Market + D: Back Market is using Cilium as CNI in all their clusters and environments (kOps + EKS in AWS) + U: CNI, Network Policies, Transparent Encryption (WG), Hubble + Q: @nitrikx + L: https://www.backmarket.com/ + + * N: Berops + D: Cilium is used as a CNI plug-in in our open-source multi-cloud and hybrid-cloud Kubernetes platform - Claudie + U: CNI, Network Policies, Hubble + Q: @Bernard Halas + L: https://github.com/berops/claudie + + * N: Bitnami + D: Cilium is part of the largest open-source application catalog. + U: CNI, Hubble, BGP, eBPF, CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy + L: https://bitnami.com/stack/cilium + Q: @carrodher + + * N: BMC Software + D: Cilium can be optionally used in BMC Helix Innovaton Suite and BMC IT Operations Management On Premise + U: CNI, Hubble + L: https://www.bmc.com + Q: @ryebridge + + * N: ByteDance + D: ByteDance is using Cilium as CNI plug-in for self-hosted Kubernetes. 
+ U: CNI, Networking + L: @Jiang Wang + + * N: Canonical + D: Canonical's Kubernetes distribution microk8s uses Cilium as CNI plugin + U: Networking, NetworkPolicy, and Kubernetes services + L: https://microk8s.io/ + + * N: Capital One + D: Capital One uses Cilium as its standard CNI for all Kubernetes environments + U: CNI, CiliumClusterWideNetworkpolicy, CiliumNetworkPolicy, Hubble, network visibility + L: https://www.youtube.com/watch?v=hwOpCKBaJ-w + + * N: CENGN - Centre of Excellence in Next Generation Networks + D: CENGN is using Cilium in multiple clusters including production and development clusters (self-hosted k8s, On-premises) + U: L3/L4/L7 network policies, Monitoring via Prometheus metrics & Hubble + L: https://www.youtube.com/watch?v=yXm7yZE2rk4 + Q: @rmaika @mohahmed13 + + * N: Cistec + D: Cistec is a clinical information system provider and uses Cilium as the CNI plugin. + U: Networking and network policy + L: https://www.cistec.com/ + + * N: Civo + D: Civo is offering Cilium as the CNI option for Civo users to choose it for their Civo Kubernetes clusters. 
+ U: Networking and network policy + L: https://www.civo.com/kubernetes + + * N: ClickHouse + D: ClickHouse uses Cilium as CNI for AWS Kubernetes environments + U: CiliumNetworkPolicy, Hubble, ClusterMesh + L: https://clickhouse.com + + * N: Cloutomate + D: Cloutomate uses Cilium as CNI for itself and customer installations + U: Networking Observability and Security, Service Mesh, Cluster Mesh + L: https://cloutomate.de + + * N: Cognite + D: Cognite is an industrial DataOps provider and uses Cilium as the CNI plugin + Q: @Robert Collins + + * N: CONNY + D: CONNY is legaltech platform to improve access to justice for individuals + U: Networking, NetworkPolicy, Services + Q: @ant31 + L: https://conny.de + + * N: Cosmonic + D: Cilium is the CNI for Cosmonic's Nomad based PaaS + U: Networking, NetworkPolicy, Transparent Encryption + L: https://cilium.io/blog/2023/01/18/cosmonic-user-story/ + + * N: Crane + D: Crane uses Cilium as the default CNI + U: Networking, NetworkPolicy, Services + L: https://github.com/slzcc/crane + Q: @slzcc + + * N: Cybozu + D: Cybozu deploys Cilium to on-prem Kubernetes Cluster and uses it with Coil by CNI chaining. + U: CNI Chaining, L4 LoadBalancer, NetworkPolicy, Hubble + L: https://cybozu-global.com/ + + * N: Daimler Truck AG + D: The CSG RuntimeDepartment of DaimlerTruck is maintaining an AKS k8s cluster as a shared resource for DevOps crews and is using Cilium as the default CNI (BYOCNI). 
+ U: Networking, NetworkPolicy and Monitoring + L: https://daimlertruck.com + Q: @brandshaide + + * N: DaoCloud - spiderpool & merbridge + D: spiderpool is using Cilium as their main CNI plugin for overlay and merbridge is using Cilium eBPF library to speed up your Service Mesh + U: CNI, Service load-balancing, cluster mesh + L: https://github.com/spidernet-io/spiderpool, https://github.com/merbridge/merbridge + Q: @weizhoublue, @kebe7jun + + * N: Datadog + D: Datadog is using Cilium in AWS (self-hosted k8s) + U: ENI Networking, Service load-balancing, Encryption, Network Policies, Hubble + Q: @lbernail, @roboll, @mvisonneau + + * N: Dcode.tech + D: We specialize in AWS and Kubernetes, and actively implement Cilium at our clients. + U: CNI, CiliumNetworkPolicy, Hubble UI + L: https://dcode.tech/ + Q: @eliranw, @maordavidov + + * N: Deckhouse + D: Deckhouse Kubernetes Platform is using Cilium as a one of the supported CNIs. + U: Networking, Security, Hubble UI for network visibility + L: https://github.com/deckhouse/deckhouse + + * N: Deezer + D: Deezer is using Cilium as CNI for all our on-prem clusters for its performance and security. We plan to leverage BGP features as well soon + U: CNI, Hubble, kube-proxy replacement, eBPF + L: https://github.com/deezer + + * N: DigitalOcean + D: DigitalOcean is using Cilium as the CNI for Digital Ocean's managed Kubernetes Services (DOKS) + U: Networking and network policy + L: https://github.com/digitalocean/DOKS + + * N: Docaposte + D: Docaposte is the digital trust leader in France. We have selected Cilium as our CNI for Kubernetes deployments in production environments, due to its performance and advanced features. + U: eBPF, CiliumclusterWideNetworkPolicy, CiliumNetworkPolicy, kube-proxy replacement, Hubble + L: https://docaposte.fr + Q: @albundy83 + + * N: ECCO Data and AI + D: ECCO Data and AI is using Cilium as CNI in all their clusters and environments (EKS in AWS). 
+ U: CNI, IPv6 networking, Service Load Balancing and Cluster Mesh + L: https://github.com/SneaksAndData + + * N: Edgeless Systems + D: Edgeless Systems is using Cilium as the CNI for Edgeless System's Confidential Kubernetes Distribution (Constellation) + U: Networking (CNI), Transparent Encryption (WG), + L: https://docs.edgeless.systems/constellation/architecture/networking + Q: @m1ghtym0 + + * N: Eficode + D: As a cloud-native and devops consulting firm, we have implemented Cilium on customer engagements + U: CNI, CiliumNetworkPolicy at L7, Hubble + L: https://eficode.com/ + Q: @Andy Allred + + * N: Elastic Path + D: Elastic Path is using Cilium in their CloudOps for Kubernetes production clusters + U: CNI + L: https://documentation.elasticpath.com/cloudops-kubernetes/docs/index.html + Q: @Neil Seward + + * N: Equinix + D: Equinix Metal is using Cilium for production and non-production environments on bare metal + U: CNI, CiliumClusterWideNetworkpolicy, CiliumNetworkPolicy, BGP advertisements, Hubble, network visibility + L: https://metal.equinix.com/ + Q: @tylerauerbeck, @fishnix, @tenyo, @hegartyk + + * N: Equinix + D: Equinix NL Managed Services is using Cilium with their Managed Kubernetes offering + U: CNI, network policies, visibility + L: https://www.equinix.nl/products/support-services/managed-services/netherlands + Q: @jonkerj + + * N: EvoCloud + D: EvoCloud uses Cilium as a Kubernetes proxy replacement, CNI with Gateway API integration, Cluster mesh with BGP enabled, Network policy and Hubble Observability. 
+ U: L4/L7 Networking, L2 Announcement, Network Policies, Kube-proxy replacement, CNI with Gateway API, Hubble for tracing and observability, ClusterMesh and ServiceMesh + L: https://github.com/evocloud-dev/evocloud-paas + Q: @geanttechnology, @escapevelocity17321 + + * N: Exoscale + D: Exoscale is offering Cilium as a CNI option on its managed Kubernetes service named SKS (Scalable Kubernetes Service) + U: CNI, Networking + L: https://www.exoscale.com/sks/ + Q: @Antoine + + * N: finleap connect + D: finleap connect is using Cilium in their production clusters (self-hosted, bare-metal, private cloud) + U: CNI, NetworkPolicies + Q: @chue + + * N: Form3 + D: Form3 is using Cilium in their production clusters (self-hosted, bare-metal, private cloud) + U: Service load-balancing, Encryption, CNI, NetworkPolicies + Q: @kevholditch-f3, samo-f3, ewilde-form3 + + * N: FRSCA - Factory for Repeatable Secure Creation of Artifacts + D: FRSCA is utilizing tetragon integrated with Tekton to create runtime attestation to attest artifact and builder attributes + U: Runtime observability + L: https://github.com/buildsec/frsca + Q: @Parth Patel + + * N: F5 Inc + D: F5 helps customers with Cilium VXLAN tunnel integration with BIG-IP + U: Networking + L: https://github.com/f5devcentral/f5-ci-docs/blob/master/docs/cilium/cilium-bigip-info.rst + Q: @vincentmli + + * N: Gcore + D: Gcore supports Cilium as CNI provider for Gcore Managed Kubernetes Service + U: CNI, Networking, NetworkPolicy, Kubernetes Services + L: https://gcore.com/news/cilium-cni-support + Q: @rzdebskiy + + * N: Giant Swarm + D: Giant Swarm is using Cilium in their Cluster API based managed Kubernetes service (AWS, Azure, GCP, OpenStack, VMware Cloud Director and VMware vSphere) as CNI + U: Networking + L: https://www.giantswarm.io/ + + * N: GitLab + D: GitLab is using Cilium to implement network policies inside Auto DevOps deployed clusters for customers using k8s + U: Network policies + L: 
https://docs.gitlab.com/ee/user/clusters/applications.html#install-cilium-using-gitlab-ci + Q: @ap4y @whaber + + * N: Google + D: Google is using Cilium in Anthos and Google Kubernetes Engine (GKE) as Dataplane V2 + U: Networking, network policy, and network visibility + L: https://cloud.google.com/blog/products/containers-kubernetes/bringing-ebpf-and-cilium-to-google-kubernetes-engine + + * N: G DATA CyberDefense AG + D: G DATA CyberDefense AG is using Cilium on our managed on premise clusters. + U: Networking, network policy, security, and network visibility + L: https://gdatasoftware.com + Q: @farodin91 + + * N: Guidewire Software, Inc. + D: Guidewire Software, Inc. is using Cilium for the Guidewire Cloud Platform. + U: CNI, network policy, and network visibility + L: https://www.guidewire.com + + * N: IDNIC | Kadabra + D: IDNIC is the National Internet Registry administering IP addresses for INDONESIA, uses Cilium to powered Kadabra project runing services across multi data centers. + U: Networking, Network Policies, kube-proxy Replacement, Service Load Balancing and Cluster Mesh + L: https://ris.idnic.net/ + Q: @ardikabs + + * N: IKEA IT AB + D: IKEA IT AB is using Cilium for production and non-production environments (self-hosted, bare-metal, private cloud) + U: Networking, CiliumclusterWideNetworkPolicy, CiliumNetworkPolicy, kube-proxy replacement, Hubble, Direct routing, egress gateway, hubble-otel, Multi Nic XDP, BGP advertisements, Bandwidth Manager, Service Load Balancing, Cluster Mesh + L: https://www.ingka.com/ + + * N: Immerok + D: Immerok uses Cilium for cross-cluster communication and network isolation; Immerok Cloud is a serverless platform for the full power of [Apache Flink](https://flink.apache.org) at any scale. 
+ U: Networking, network policy, observability, cluster mesh, kube-proxy replacement, security, CNI + L: https://immerok.io + Q: @austince, @dmvk + + * N: Incentive.me + D: Incentive.me use Cilium, Tetragon and Hubble for enterprise networking, observability, and security of all environments. + U: Networking, network policy, observability, cluster mesh, kube-proxy replacement, security, egress gateway, service load balancing, CNI + L: https://incentive.me + Q: @lucasfcnunes + + * N: Infomaniak + D: Infomaniak is using Cilium in their production clusters (self-hosted, bare-metal and openstack) + U: Networking, CiliumNetworkPolicy, BPF NodePort, Direct routing, kube-proxy replacement + L: https://www.infomaniak.com/en + Q: @reneluria + + * N: innoQ Schweiz GmbH + D: As a consulting company we added Cilium to a couple of our customers infrastructure + U: Networking, CiliumNetworkPolicy at L7, kube-proxy replacement, encryption + L: https://www.cloud-migration.ch/ + Q: @fakod + + * N: Intility AS + D: Intility is a managed service provider for enterprises and we use Cilium, Tetragon and Hubble to deliver world class managed Kubernetes clusters to customers from our own private cloud + U: Networking, CiliumNetworkPolicy, CiliumCIDRGroup, security, CNI + L: https://intility.com/container-platform/ + Q: @jonasks, @daniwk, @stianfro + + * N: Isovalent + D: Cilium is the platform that powers Isovalent’s enterprise networking, observability, and security solutions + U: Networking, network policy, observability, cluster mesh, kube-proxy replacement, security, egress gateway, service load balancing, CNI + L: https://isovalent.com/product/ + Q: @BillMulligan + + * N: Jar + D: Cilium is used as Jar's CNI on all prod and pre production environments. 
+ U: Networking, network policy, observability, cluster mesh, kube-proxy replacement, security, egress gateway, service load balancing, CNI + L: https://myjar.app/blog/engineering/ + Q: @rohan-changejar @rohangrge + + + * N: JUMO + D: JUMO is using Cilium as their CNI plugin for all of their AWS-hosted EKS clusters + U: Networking, network policy, network visibility, cluster mesh + Q: @Matthieu ANTOINE, @Carlos Castro, @Joao Coutinho (Slack) + + * N: Kakao + D: Kakao is using Cilium as the CNI for their private cloud's managed Kubernetes service + U: Custom eBPF programs, networking, network policy, kube-proxy replacement + L: https://youtu.be/WRACr5nXl9U + Q: @gyutaeb + + * N: KA-NABELL + D: KA-NABELL harnesses Cilium to deliver Kubernetes networking with robust security and clear observability. + U: CNI/ENI Networking, kube-proxy replacement, Monitoring via Prometheus metrics & Hubble, eBPF, CiliumNetworkPolicy + L: https://speakerdeck.com/andoshin11/envoy-external-authztogrpc-extensionwoli-yong-sita-wan-zhang-ranai-microservicesren-zheng-ren-ke-ji-pan?slide=8 + Q: @kahirokunn + + * N: Keploy + D: Keploy is using the Cilium to capture the network traffic to perform E2E Testing. + U: Networking, network policy, Monitoring, E2E Testing + L: https://keploy.io/ + + * N: Kilo + D: Cilium is a supported CNI for Kilo. When used together, Cilium + Kilo create a full mesh via WireGuard for Kubernetes in edge environments. 
+ U: CNI, Networking, Hubble, kube-proxy replacement, network policy + L: https://kilo.squat.ai/ + Q: @squat, @arpagon + + * N: Koyeb + D: Koyeb hosts microVMs on its own servers and uses Cilium to power a mesh in between those + U: Networking, policies inside a non-Kubernetes environment + L: https://www.koyeb.com/blog/70-faster-deployments-and-high-performance-private-network + Q: @koyeb on Twitter / https://community.koyeb.com/ + + * N: kOps + D: kOps is using Cilium as one of the supported CNIs + U: Networking, Hubble, Encryption, kube-proxy replacement + L: kops.sigs.k8s.io/ + Q: @olemarkus + + * N: Kryptos Logic + D: Kryptos is a cyber security company that is using Kubernetes on-prem in which Cilium is our CNI of choice. + U: Networking, Observability, kube-proxy replacement + + * N: kubeasz + D: kubeasz, a certified kubernetes installer, is using Cilium as a one of the supported CNIs. + U: Networking, network policy, Hubble for network visibility + L: https://github.com/easzlab/kubeasz + + * N: Kube-OVN + D: Kube-OVN uses Cilium to enhance service performance, security and monitoring. + U: CNI-Chaining, Hubble, kube-proxy replacement + L: https://github.com/kubeovn/kube-ovn/blob/master/docs/IntegrateCiliumIntoKubeOVN.md + Q: @oilbeater + + * N: Kube-Hetzner + D: Kube-Hetzner is a open-source Terraform project that uses Cilium as an possible CNI in its cluster deployment on Hetzner Cloud. + U: Networking, Hubble, kube-proxy replacement + L: https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner#cni + Q: @MysticalTech + + * N: Kubermatic + D: Kubermatic Kubernetes Platform is using Cilium as a one of the supported CNIs. + U: Networking, network policy, Hubble for network visibility + L: https://github.com/kubermatic/kubermatic + + * N: KubeSphere - KubeKey + D: KubeKey is an open-source lightweight tool for deploying Kubernetes clusters and addons efficiently. It uses Cilium as one of the supported CNIs. 
+ U: Networking, Security, Hubble UI for network visibility + L: https://github.com/kubesphere/kubekey + Q: @FeynmanZhou + + * N: K8e - Simple Kubernetes Distribution + D: Kubernetes Easy (k8e) is a lightweight, Extensible, Enterprise Kubernetes distribution. It uses Cilium as default CNI network. + U: Networking, network policy, Hubble for network visibility + L: https://github.com/xiaods/k8e + Q: @xds2000 + + * N: LinkPool + D: LinkPool is a professional Web3 infrastructure provider. + U: LinkPool is using Cilium as the CNI for its on-premise production clusters + L: https://linkpool.com + Q: @jleeh + + * N: Liquid Reply + D: Liquid Reply is a professional service provider and utilizes Cilium on suitable projects and implementations. + U: Networking, network policy, Hubble for network visibility, Security + L: http://liquidreply.com + Q: @mkorbi + + * N: Magic Leap + D: Magic Leap is using Hubble plugged to GKE Dataplane v2 clusters + U: Hubble + Q: @romachalm + + * N: Melenion Inc + D: Melenion is using Cilium as the CNI for its on-premise production clusters + U: Service Load Balancing, Hubble + Q: @edude03 + + * N: Meltwater + D: Meltwater is using Cilium in AWS on self-hosted multi-tenant k8s clusters as the CNI plugin + U: ENI Networking, Encryption, Monitoring via Prometheus metrics & Hubble + Q: @recollir, @dezmodue + + * N: Microsoft + D: Microsoft is using Cilium in "Azure CNI powered by Cilium" AKS (Azure Kubernetes Services) clusters + L: https://techcommunity.microsoft.com/t5/azure-networking-blog/azure-cni-powered-by-cilium-for-azure-kubernetes-service-aks/ba-p/3662341 + Q: @tamilmani1989 @chandanAggarwal + + * N: Mobilab + D: Mobilab uses Cilium as the CNI for its internal cloud + U: CNI + L: https://mobilabsolutions.com/2019/01/why-we-switched-to-cilium/ + + * N: MyFitnessPal + D: MyFitnessPal trusts Cilium with high volume user traffic in AWS on self-hosted k8s clusters as the CNI plugin and in GKE with Dataplane V2 + U: Networking (CNI, Maglev, 
kube-proxy replacement, local redirect policy), Observability (Network metrics with Hubble, DNS proxy, service maps, policy troubleshooting) and Security (Network Policy) + L: https://www.myfitnesspal.com + + * N: Mux, Inc. + D: Mux deploys Cilium on self-hosted k8s clusters (Cluster API) in GCP and AWS to run its video streaming/analytics platforms. + U: Pod networking (CNI, IPAM, Host-reachable Services), Hubble, Cluster-mesh. TBD: Network Policy, Transparent Encryption (WG), Host Firewall. + L: https://mux.com + Q: @dilyevsky + + * N: NetBird + D: NetBird uses Cilium to compile BPF to Go for cross-platform DNS management and NAT traversal + U: bpf2go to compile a C source file into eBPF bytecode and then to Go + L: https://netbird.io/knowledge-hub/using-xdp-ebpf-to-share-default-dns-port-between-resolvers + Q: @braginini + + * N: Netcloud AG + D: As a Swiss ICT company we are using Cilium as their CNI for mission critical, on premise k8s clusters. + U: Overlay Networking, CNI, Network Policy, Kube-Proxy Replacement, Service load-balancing + L: https://www.netcloud.ch + + * N: NETWAYS Web Services + D: NETWAYS Web Services offers Cilium to their clients as CNI option for their Managed Kubernetes clusters. 
+ U: Networking (CNI), Observability (Hubble) + L: https://nws.netways.de/managed-kubernetes/ + + * N: New York Times (the) + D: The New York Times is using Cilium on EKS to build multi-region multi-tenant shared clusters + U: Networking (CNI, EKS IPAM, Maglev, kube-proxy replacement, Direct Routing), Observability (Network metrics with Hubble, policy troubleshooting) and Security (Network Policy) + L: https://www.nytimes.com/, https://youtu.be/9FDpMNvPrCw + Q: @abebars + + * N: Nexxiot + D: Nexxiot is an IoT SaaS provider using Cilium as the main CNI plugin on AWS EKS clusters + U: Networking (IPAM, CNI), Security (Network Policies), Visibility (hubble) + L: https://nexxiot.com + + * N: Nine Internet Solutions AG + D: Nine uses Cilium on all Nine Kubernetes Engine clusters + U: CNI, network policy, kube-proxy replacement, host firewall + L: https://www.nine.ch/en/kubernetes + + * N: Northflank + D: Northflank is a PaaS and uses Cilium as the main CNI plugin across GCP, Azure, AWS and bare-metal + U: Networking, network policy, hubble, packet monitoring and network visibility + L: https://northflank.com + Q: @NorthflankWill, @Champgoblem + + * N: Nutanix + D: Nutanix uses Cilium as the default CNI plugin for NKP (Nutanix Kubernetes Platform) when deployed on AHV + U: Networking, NetworkPolicy, Services + L: https://www.nutanix.com/products/kubernetes-management-platform + Q: @tuxtof + + * N: Overstock Inc. + D: Overstock is using Cilium as the main CNI plugin on bare-metal clusters (self hosted k8s). + U: Networking, network policy, hubble, observability + + * N: Palantir Technologies Inc. + D: Palantir is using Cilium as their main CNI plugin in all major cloud providers [AWS/Azure/GCP] (self hosted k8s). 
+ U: ENI networking, L3/L4 policies, FQDN based policy, FQDN filtering, IPSec + Q: ungureanuvladvictor + + * N: Palark GmbH + D: Palark uses Cilium for networking in its Kubernetes platform provided to numerous customers as a part of its DevOps as a Service offering. + U: CNI, Networking, Network policy, Security, Hubble UI + L: https://blog.palark.com/why-cilium-for-kubernetes-networking/ + Q: @shurup + + * N: Parseable + D: Parseable uses Tertragon for collecting and ingesting eBPF logs for Kubernetes clusters. + U: Security, eBPF, Tetragon + L: https://www.parseable.io/blog/ebpf-log-analytics + Q: @nitisht + + * N: Pionative + D: Pionative supplies all its clients across cloud providers with + Kubernetes running Cilium to deliver the best performance out there. + U: CNI, Networking, Security, eBPF + L: https://www.pionative.com + Q: @Pionerd + + * N: Plaid Inc + D: Plaid is using Cilium as their CNI plugin in self-hosted Kubernetes on AWS. + U: CNI, network policies + L: [https://plaid.com](https://plaid.com/contact/) + Q: @diversario @jandersen-plaid + + * N: PlanetScale + D: PlanetScale is using Cilium as the CNI for its serverless database platform. + U: Networking (CNI, IPAM, kube-proxy replacement, native routing), Network Security, Cluster Mesh, Load Balancing + L: https://planetscale.com/ + Q: @dctrwatson + + * N: plusserver Kubernetes Engine (PSKE) + D: PSKE uses Cilium for multiple scenarios, for examples for managed Kubernetes clusters provided with Gardener Project across AWS and OpenStack. + U: CNI , Overlay Network, Network Policies + L: https://www.plusserver.com/en/product/managed-kubernetes/, https://github.com/gardener/gardener-extension-networking-cilium + + * N: Polar Signals + D: Polar Signals uses Cilium as the CNI on its GKE dataplane v2 based clusters. 
+ U: Networking + L: https://polarsignals.com + Q: @polarsignals @brancz + + * N: Polverio + D: Polverio KubeLift is a single-node Kubernetes distribution optimized for Azure, using Cilium as the CNI. + U: CNI, IPAM + L: https://polverio.com + Q: @polverio @stuartpreston + + * N: Poseidon Laboratories + D: Poseidon's Typhoon Kubernetes distro uses Cilium as the default CNI and its used internally + U: Networking, policies, service load balancing + L: https://github.com/poseidon/typhoon/ + Q: @dghubble @typhoon8s + + * N: PostFinance AG + D: PostFinance is using Cilium as their CNI for all mission critical, on premise k8s clusters + U: Networking, network policies, kube-proxy replacement + L: https://github.com/postfinance + + * N: Proton AG + D: Proton is using Cilium as their CNI for all their Kubernetes clusters + U: Networking, network policies, host firewall, kube-proxy replacement, Hubble + L: https://proton.me/ + Q: @j4m3s @MrFreezeex + + * N: Radio France + D: Radio France is using Cilium in their production clusters (self-hosted k8s with kops on AWS) + U: Mainly Service load-balancing + Q: @francoisj + + * N: Qpoint + D: An eBPF-based egress observability platform for your cloud and production applications + U: CNI, bpf2go to compile a C source file into eBPF bytecode and then to Go + L: https://www.qpoint.io/ and https://github.com/qpoint-io + Q: @Marc Barry + + * N: Rancher Labs, now part of SUSE + D: Rancher Labs certified Kubernetes distribution RKE2 can be deployed with Cilium. + U: Networking and network policy + L: https://github.com/rancher/rke and https://github.com/rancher/rke2 + + * N: Rapyuta Robotics. + D: Rapyuta is using cilium as their main CNI plugin. (self hosted k8s) + U: CiliumNetworkPolicy, Hubble, Service Load Balancing. 
+ Q: @Gowtham + + * N: Rafay Systems + D: Rafay's Kubernetes Operations Platform uses Cilium for centralized network visibility and network policy enforcement + U: NetworkPolicy, Visibility via Prometheus metrics & Hubble + L: https://rafay.co/platform/network-policy-manager/ + Q: @cloudnativeboy @mohanatreya + + * N: Robinhood Markets + D: Robinhood uses Cilium for Kubernetes overlay networking in an environment where we run tests for backend services + U: CNI, Overlay networking + Q: @Madhu CS + + * N: Santa Claus & the Elves + D: All our infrastructure to process children's letters and wishes, toy making, and delivery, distributed over multiple clusters around the world, is now powered by Cilium. + U: ClusterMesh, L4LB, XDP acceleration, Bandwidth manager, Encryption, Hubble + L: https://qmonnet.github.io/whirl-offload/2024/01/02/santa-switches-to-cilium/ + + * N: SAP + D: SAP uses Cilium for multiple internal scenarios. For examples for self-hosted Kubernetes scenarios on AWS with SAP Concur and for managed Kubernetes clusters provided with Gardener Project across AWS, Azure, GCP, and OpenStack. + U: CNI , Overlay Network, Network Policies + L: https://www.concur.com, https://gardener.cloud/, https://github.com/gardener/gardener-extension-networking-cilium + Q: @dragan (SAP Concur), @docktofuture & @ScheererJ (Gardener) + + * N: Sapian + D: Sapian uses Cilium as the default CNI in our product DialBox Cloud; DialBox cloud is an Edge Kubernetes cluster using [kilo](https://github.com/squat/kilo) for WireGuard mesh connectivity inter-nodes. Therefore, Cilium is crucial for low latency in real-time communications environments. 
+ U: CNI, Network Policies, Hubble, kube-proxy replacement + L: https://sapian.com.co, https://arpagon.co/blog/k8s-edge + Q: @arpagon + + * N: Schenker AG + D: Land transportation unit of Schenker uses Cilium as default CNI in self-managed kubernetes clusters running in AWS + U: CNI, Monitoring, kube-proxy replacement + L: https://www.dbschenker.com/global + Q: @amirkkn + + * N: Scigility AG + D: We use Cilium as the default CNI across client implementations and also for our internal platform. + U: CNI, Monitoring, kube-proxy replacement, Hubble + L: https://scigility.com/ + Q: @ciil + + * N: Sealos + D: Sealos is using Cilium as a consistent CNI for our Sealos Cloud. + U: Networking, Service, kube-proxy replacement, Network Policy, Hubble + L: https://sealos.io + Q: @fanux, @yangchuansheng + + * N: SeatGeek + D: SeatGeek uses Cilium as the default CNI/service mesh for AWS hosted clusters + U: CNI, ClusterMesh, Network Policy, Hubble, L7 Mesh + L: https://seatgeek.com + Q: @byxorna, @aetimmes + + * N: Seznam.cz + D: Seznam.cz uses Cilium in multiple scenarios in on-prem DCs. At first as L4LB which loadbalances external traffic into k8s+openstack clusters then as CNI in multiple k8s and openstack clusters which are all connected in a clustermesh to enforce NetworkPolicies across pods/VMs. + U: L4LB, L3/4 CNPs+CCNPs, KPR, Hubble, HostPolicy, Direct-routing, IPv4+IPv6, ClusterMesh + Q: @oblazek + + * N: Simple + D: Simple uses cilium as default CNI in Kubernetes clusters (AWS EKS) for both development and production environments. + U: CNI, Network Policies, Hubble + L: https://simple.life + Q: @sergeyshevch + + * N: Scaleway + D: Scaleway uses Cilium as the default CNI for Kubernetes Kapsule + U: Networking, NetworkPolicy, Services + L: @jtherin @remyleone + + * N: Schuberg Philis + D: Schuberg Philis uses Cilium as CNI for mission critical kubernetes clusters we run for our customers. 
+ U: CNI (instead of amazon-vpc-cni-k8s), DefaultDeny(Zero Trust), Hubble, CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy, EKS + L: https://schubergphilis.com/en + Q: @stimmerman @shoekstra @mbaumann + + * N: SDV Services + D: SDV Services uses Cilium to host Wordpress multi-tenant the cloud-native way and also as the CNI for customer Kubernetes clusters. + U: CNI, Networking, NetworkPolicy, Hubble, IPAM, Kubernetes services + L: https://sdvservices.nl + Q: @Sjouke de Vries + + * N: SI Analytics + D: SI Analytics uses Cilium as CNI in self-managed Kubernetes clusters in on-prem DCs. And also use Cilium as CNI in its GKE dataplane v2 based clusters. + U: CNI, Network Policies, Hubble + L: https://si-analytics.ai, https://ovision.ai + Q: @jholee + + * N: SIGHUP + D: SIGHUP integrated Cilium as a supported CNI for KFD (Kubernetes Fury Distribution), our enterprise-grade OSS reference architecture + U: Available supported CNI + L: https://sighup.io, https://github.com/sighupio/fury-kubernetes-networking + Q: @jnardiello @nutellino + + * N: SINAD + D: SINAD uses Cilium and integrates Tetragon (Which is amazing) to their application EzyKube + U: CNI, Networking, Node2Node & Pod2Pod Encryption, Kube-Proxy Replacement, eBPF, security + L: https://sinad.io + + * N: SmileDirectClub + D: SmileDirectClub is using Cilium in manufacturing clusters (self-hosted on vSphere and AWS EC2) + U: CNI + Q: @joey, @onur.gokkocabas + + * N: Snapp + D: Snapp is using Cilium in production for its on premise openshift clusters + U: CNI, Network Policies, Hubble + Q: @m-yosefpor + + * N: Solo.io + D: Cilium is part of Gloo Application Networking platform, with a “batteries included but swappable” manner + U: CNI, Network Policies + Q: @linsun + + * N: S&P Global + D: S&P Global uses Cilium as their multi-cloud CNI + U: CNI + L: https://www.youtube.com/watch?v=6CZ_SSTqb4g + + * N: Spectro Cloud + D: Spectro Cloud uses & promotes Cilium for clusters its K8S management platform (Palette) 
deploys + U: CNI, Overlay network, kube-proxy replacement + Q: @Kevin Reeuwijk + + * N: Spherity + D: Spherity is using Cilium on AWS EKS + U: CNI/ENI Networking, Network policies, Hubble + Q: @solidnerd + + * N: Sportradar + D: Sportradar is using Cilium as their main CNI plugin in AWS (using kops) + U: L3/L4 policies, Hubble, BPF NodePort, CiliumClusterwideNetworkPolicy + Q: @Eric Bailey, @Ole Markus + + * N: Sproutfi + D: Sproutfi uses Cilium as the CNI on its GKE based clusters + U: Service Load Balancing, Hubble, Datadog Integration for Prometheus metrics + Q: @edude03 + + * N: SuperOrbital + D: As a Kubernetes-focused consulting firm, we have implemented Cilium on customer engagements + U: CNI, CiliumNetworkPolicy at L7, Hubble + L: https://superorbital.io/ + Q: @jmcshane + + * N: Syself + D: Syself uses Cilium as the CNI for Syself Autopilot, a managed Kubernetes platform + U: CNI, HostFirewall, Monitoring, CiliumClusterwideNetworkPolicy, Hubble + L: https://syself.com + Q: @sbaete + + * N: Talos + D: Cilium is one of the supported CNI's in Talos + U: Networking, NetworkPolicy, Hubble, BPF NodePort + L: https://github.com/talos-systems/talos + Q: @frezbo, @smira, @Ulexus + + * N: Tencent Cloud + D: Tencent Cloud container team designed the TKE hybrid cloud container network solution with Cilium as the cluster network base + U: Networking, CNI + L: https://segmentfault.com/a/1190000040298428/en + + * N: teuto.net Netzdienste GmbH + D: teuto.net is using cilium for their managed k8s service, t8s + U: CNI, CiliumNetworkPolicy, Hubble, Encryption, ... + L: https://teuto.net/managed-kubernetes + Q: @cwrau + + * N: Trendyol + D: Trendyol.com has recently implemented Cilium as the default CNI for its production Kubernetes clusters starting from version 1.26. 
+ U: Networking, kube-proxy replacement, eBPF, Network Visibility with Hubble and Grafana, Local Redirect Policy + L: https://t.ly/FDCZK + + * N: T-Systems International + D: TSI uses Cilium for it's Open Sovereign Cloud product, including as a CNI for Gardener-based Kubernetes clusters and bare-metal infrastructure managed by OnMetal. + U: CNI, overlay network, NetworkPolicies + Q: @ManuStoessel + + * N: uSwitch + D: uSwitch is using Cilium in AWS for all their production clusters (self hosted k8s) + U: ClusterMesh, CNI-Chaining (with amazon-vpc-cni-k8s) + Q: @jirving + + * N: United Cloud + D: United Cloud is using Cilium for all non-production and production clusters (on-premises) + U: CNI, Hubble, CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy, ClusterMesh, Encryption + L: https://united.cloud + Q: @boris + + * N: Utmost Software, Inc + D: Utmost is using Cilium in all tiers of its Kubernetes ecosystem to implement zero trust + U: CNI, DefaultDeny(Zero Trust), Hubble, CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy + L: https://blog.utmost.co/zero-trust-security-at-utmost + Q: @andrewholt + + * N: Trip.com + D: Trip.com is using Cilium in their production clusters (self-hosted k8s, On-premises and AWS) + U: ENI Networking, Service load-balancing, Direct routing (via Bird) + L: https://ctripcloud.github.io/cilium/network/2020/01/19/trip-first-step-towards-cloud-native-networking.html + Q: @ArthurChiao + + * N: Tailor Brands + D: Tailor Brands is using Cilium in their production, staging, and development clusters (AWS EKS) + U: CNI (instead of amazon-vpc-cni-k8s), Hubble, Datadog Integration for Prometheus metrics + Q: @liorrozen + + * N: Twilio + D: Twilio Segment is using Cilium across their k8s-based compute platform + U: CNI, EKS direct routing, kube-proxy replacement, Hubble, CiliumNetworkPolicies + Q: @msaah + + * N: ungleich + D: ungleich is using Cilium as part of IPv6-only Kubernetes deployments. 
+ U: CNI, IPv6 only networking, BGP, eBPF + Q: @Nico Schottelius, @nico:ungleich.ch (Matrix) + + * N: Veepee + D: Veepee is using Cilium on their on-premise Kubernetes clusters, hosting majority of their applications. + U. CNI, BGP, eBPF, Hubble, DirectRouting (via kube-router) + Q: @nerzhul + + * N: Virtuozzo + D: Cilium CNI is the default network plugin for Kubernetes clusters within Virtuozzo Hybrid Infrastructure. + U: Networking, NetworkPolicy, Services + L: https://docs.virtuozzo.com/virtuozzo_hybrid_infrastructure_6_3_admins_guide/index.html#provisioning-kubernetes.html + Q: egor.ustinov@virtuozzo.com + + * N: VMware by Broadcom + D: VMware offers multi-arch (ARM, AMD) and multi-distro (Ubuntu, RedHat UBI, Debian, PhotonOS) Cilium as part of the Tanzu Application Catalog, enabling customers to deploy it in their Kubernetes infrastructure. + U: CNI, Hubble, BGP, eBPF, CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy + L: https://app-catalog.vmware.com/catalog?gfilter=cilium + Q: @carrodher + + * N: Wildlife Studios + D: Wildlife Studios is using Cilium in AWS for all their game production clusters (self hosted k8s) + U: ClusterMesh, Global Service Load Balancing. + Q: @Oki @luanguimaraesla @rsafonseca + + * N: WSO2 + D: WSO2 is using Cilium to implemented Zero Trust Network Security for their Kubernetes clusters + U: CNI, WireGuard Transparent Encryption, CiliumClusterWideNetworkpolicy, CiliumNetworkPolicy, Hubble, Layer 7 visibility and Service Mesh via Cilium Envoy + L: https://www.cncf.io/case-studies/wso2/ + Q: @lakwarus @isala404 @tharinduwijewardane + + * N: Yahoo! + D: Yahoo is using Cilium for L4 North-South Load Balancing for Kubernetes Services + L: https://www.youtube.com/watch?v=-C86fBMcp5Q + + * N: ZeroHash + D: Zero Hash is using Cilium as CNI for networking, security and monitoring features for Kubernetes clusters + U: CNI/ENI Networking, Network policies, Hubble + Q: @eugenestarchenko 
diff --git a/vendor/github.com/cilium/cilium/VERSION b/vendor/github.com/cilium/cilium/VERSION new file mode 100644 index 0000000000..ee017091ff --- /dev/null +++ b/vendor/github.com/cilium/cilium/VERSION @@ -0,0 +1 @@ +1.18.0-dev diff --git a/vendor/github.com/cilium/cilium/api/v1/flow/README.md b/vendor/github.com/cilium/cilium/api/v1/flow/README.md index aa37e84a0a..9780d188a3 100644 --- a/vendor/github.com/cilium/cilium/api/v1/flow/README.md +++ b/vendor/github.com/cilium/cilium/api/v1/flow/README.md @@ -1164,6 +1164,8 @@ This mirrors enum xlate_point in bpf/lib/trace_sock.h | FROM_OVERLAY | 9 | FROM_OVERLAY indicates network packets were received from the tunnel device. | | FROM_NETWORK | 10 | FROM_NETWORK indicates network packets were received from native devices. | | TO_NETWORK | 11 | TO_NETWORK indicates network packets are transmitted towards native devices. | +| FROM_CRYPTO | 12 | FROM_CRYPTO indicates network packets were received from the crypto process for decryption. | +| TO_CRYPTO | 13 | TO_CRYPTO indicates network packets are transmitted towards the crypto process for encryption. | diff --git a/vendor/github.com/cilium/cilium/api/v1/flow/flow.pb.go b/vendor/github.com/cilium/cilium/api/v1/flow/flow.pb.go index 8038657a7f..3b9beceb95 100644 --- a/vendor/github.com/cilium/cilium/api/v1/flow/flow.pb.go +++ b/vendor/github.com/cilium/cilium/api/v1/flow/flow.pb.go @@ -3,7 +3,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.3 +// protoc-gen-go v1.36.5 // protoc v5.29.3 // source: flow/flow.proto @@ -17,6 +17,7 @@ import ( wrapperspb "google.golang.org/protobuf/types/known/wrapperspb" reflect "reflect" sync "sync" + unsafe "unsafe" ) const ( 
@@ -169,6 +170,12 @@ const ( // TO_NETWORK indicates network packets are transmitted towards native // devices. TraceObservationPoint_TO_NETWORK TraceObservationPoint = 11 + // FROM_CRYPTO indicates network packets were received from the crypto + // process for decryption. + TraceObservationPoint_FROM_CRYPTO TraceObservationPoint = 12 + // TO_CRYPTO indicates network packets are transmitted towards the crypto + // process for encryption. + TraceObservationPoint_TO_CRYPTO TraceObservationPoint = 13 ) // Enum value maps for TraceObservationPoint. @@ -187,6 +194,8 @@ var ( 9: "FROM_OVERLAY", 10: "FROM_NETWORK", 11: "TO_NETWORK", + 12: "FROM_CRYPTO", + 13: "TO_CRYPTO", } TraceObservationPoint_value = map[string]int32{ "UNKNOWN_POINT": 0, @@ -202,6 +211,8 @@ var ( "FROM_OVERLAY": 9, "FROM_NETWORK": 10, "TO_NETWORK": 11, + "FROM_CRYPTO": 12, + "TO_CRYPTO": 13, } ) @@ -4881,7 +4892,7 @@ func (x *FlowFilter_Experimental) GetCelExpression() []string { var File_flow_flow_proto protoreflect.FileDescriptor -var file_flow_flow_proto_rawDesc = []byte{ +var file_flow_flow_proto_rawDesc = string([]byte{ 0x0a, 0x0f, 0x66, 0x6c, 0x6f, 0x77, 0x2f, 0x66, 0x6c, 0x6f, 0x77, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x66, 0x6c, 0x6f, 0x77, 0x1a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72, 0x6f, 
@@ -5439,7 +5450,7 @@ var file_flow_flow_proto_rawDesc = []byte{ 0x68, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0c, 0x0a, 0x08, 0x44, 0x49, 0x53, 0x41, 0x42, 0x4c, 0x45, 0x44, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x53, 0x50, 0x49, 0x52, 0x45, 0x10, 0x01, 0x12, 0x14, 0x0a, 0x10, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x41, 0x4c, 0x57, 0x41, 0x59, 0x53, 0x5f, 0x46, 0x41, - 0x49, 0x4c, 0x10, 0x02, 0x2a, 0xea, 0x01, 0x0a, 0x15, 0x54, 0x72, 0x61, 0x63, 0x65, 0x4f, 0x62, + 0x49, 0x4c, 0x10, 0x02, 0x2a, 0x8a, 0x02, 0x0a, 0x15, 0x54, 0x72, 0x61, 0x63, 0x65, 0x4f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x11, 0x0a, 0x0d, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x5f, 0x50, 0x4f, 0x49, 0x4e, 0x54, 0x10, 0x00, 0x12, 0x0c, 0x0a, 0x08, 0x54, 0x4f, 0x5f, 0x50, 0x52, 0x4f, 0x58, 0x59, 0x10, 0x01, 0x12, @@ -5454,7 +5465,9 @@ var file_flow_flow_proto_rawDesc = []byte{ 0x0c, 0x46, 0x52, 0x4f, 0x4d, 0x5f, 0x4f, 0x56, 0x45, 0x52, 0x4c, 0x41, 0x59, 0x10, 0x09, 0x12, 0x10, 0x0a, 0x0c, 0x46, 0x52, 0x4f, 0x4d, 0x5f, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x10, 0x0a, 0x12, 0x0e, 0x0a, 0x0a, 0x54, 0x4f, 0x5f, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x10, - 0x0b, 0x2a, 0xa0, 0x01, 0x0a, 0x0b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x52, 0x65, 0x61, 0x73, 0x6f, + 0x0b, 0x12, 0x0f, 0x0a, 0x0b, 0x46, 0x52, 0x4f, 0x4d, 0x5f, 0x43, 0x52, 0x59, 0x50, 0x54, 0x4f, + 0x10, 0x0c, 0x12, 0x0d, 0x0a, 0x09, 0x54, 0x4f, 0x5f, 0x43, 0x52, 0x59, 0x50, 0x54, 0x4f, 0x10, + 0x0d, 0x2a, 0xa0, 0x01, 0x0a, 0x0b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x14, 0x54, 0x52, 0x41, 0x43, 0x45, 0x5f, 0x52, 0x45, 0x41, 0x53, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x4e, 0x45, 0x57, 0x10, 0x01, 0x12, 0x0f, 0x0a, 0x0b, 0x45, 0x53, 0x54, 0x41, 0x42, 0x4c, 0x49, 0x53, 
@@ -5793,16 +5806,16 @@ var file_flow_flow_proto_rawDesc = []byte{ 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2f, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x66, 0x6c, 0x6f, 0x77, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} +}) var ( file_flow_flow_proto_rawDescOnce sync.Once - file_flow_flow_proto_rawDescData = file_flow_flow_proto_rawDesc + file_flow_flow_proto_rawDescData []byte ) func file_flow_flow_proto_rawDescGZIP() []byte { file_flow_flow_proto_rawDescOnce.Do(func() { - file_flow_flow_proto_rawDescData = protoimpl.X.CompressGZIP(file_flow_flow_proto_rawDescData) + file_flow_flow_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_flow_flow_proto_rawDesc), len(file_flow_flow_proto_rawDesc))) }) return file_flow_flow_proto_rawDescData } @@ -5984,7 +5997,7 @@ func file_flow_flow_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_flow_flow_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_flow_flow_proto_rawDesc), len(file_flow_flow_proto_rawDesc)), NumEnums: 15, NumMessages: 39, NumExtensions: 0, @@ -5996,7 +6009,6 @@ func file_flow_flow_proto_init() { MessageInfos: file_flow_flow_proto_msgTypes, }.Build() File_flow_flow_proto = out.File - file_flow_flow_proto_rawDesc = nil file_flow_flow_proto_goTypes = nil file_flow_flow_proto_depIdxs = nil } diff --git a/vendor/github.com/cilium/cilium/api/v1/flow/flow.proto b/vendor/github.com/cilium/cilium/api/v1/flow/flow.proto index 910174c46a..ed432f02d5 100644 --- a/vendor/github.com/cilium/cilium/api/v1/flow/flow.proto +++ b/vendor/github.com/cilium/cilium/api/v1/flow/flow.proto 
@@ -193,6 +193,13 @@ enum TraceObservationPoint { // TO_NETWORK indicates network packets are transmitted towards native // devices. TO_NETWORK = 11; + // FROM_CRYPTO indicates network packets were received from the crypto + // process for decryption. + FROM_CRYPTO = 12; + // TO_CRYPTO indicates network packets are transmitted towards the crypto + // process for encryption. + TO_CRYPTO = 13; + } enum TraceReason { diff --git a/vendor/github.com/cilium/cilium/api/v1/health/models/connectivity_status.go b/vendor/github.com/cilium/cilium/api/v1/health/models/connectivity_status.go index 123e3b416f..5e570ce04d 100644 --- a/vendor/github.com/cilium/cilium/api/v1/health/models/connectivity_status.go +++ b/vendor/github.com/cilium/cilium/api/v1/health/models/connectivity_status.go @@ -20,6 +20,9 @@ import ( // swagger:model ConnectivityStatus type ConnectivityStatus struct { + // Timestamp of last probe completion + LastProbed string `json:"lastProbed,omitempty"` + // Round trip time to node in nanoseconds Latency int64 `json:"latency,omitempty"` diff --git a/vendor/github.com/cilium/cilium/api/v1/health/models/health_status_response.go b/vendor/github.com/cilium/cilium/api/v1/health/models/health_status_response.go index 4b189c09cb..82140fe72e 100644 --- a/vendor/github.com/cilium/cilium/api/v1/health/models/health_status_response.go +++ b/vendor/github.com/cilium/cilium/api/v1/health/models/health_status_response.go @@ -28,6 +28,9 @@ type HealthStatusResponse struct { // Connectivity status to each other node Nodes []*NodeStatus `json:"nodes"` + // Interval in seconds between probes + ProbeInterval string `json:"probeInterval,omitempty"` + // timestamp Timestamp string `json:"timestamp,omitempty"` } diff --git a/vendor/github.com/cilium/cilium/api/v1/observer/observer.pb.go b/vendor/github.com/cilium/cilium/api/v1/observer/observer.pb.go index d2bd54a84e..03007e7f95 100644 --- a/vendor/github.com/cilium/cilium/api/v1/observer/observer.pb.go 
+++ b/vendor/github.com/cilium/cilium/api/v1/observer/observer.pb.go @@ -3,7 +3,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.3 +// protoc-gen-go v1.36.5 // protoc v5.29.3 // source: observer/observer.proto @@ -20,6 +20,7 @@ import ( wrapperspb "google.golang.org/protobuf/types/known/wrapperspb" reflect "reflect" sync "sync" + unsafe "unsafe" ) const ( @@ -65,6 +66,8 @@ const TraceObservationPoint_FROM_STACK = flow.TraceObservationPoint_FROM_STACK const TraceObservationPoint_FROM_OVERLAY = flow.TraceObservationPoint_FROM_OVERLAY const TraceObservationPoint_FROM_NETWORK = flow.TraceObservationPoint_FROM_NETWORK const TraceObservationPoint_TO_NETWORK = flow.TraceObservationPoint_TO_NETWORK +const TraceObservationPoint_FROM_CRYPTO = flow.TraceObservationPoint_FROM_CRYPTO +const TraceObservationPoint_TO_CRYPTO = flow.TraceObservationPoint_TO_CRYPTO var TraceObservationPoint_name = flow.TraceObservationPoint_name var TraceObservationPoint_value = flow.TraceObservationPoint_value @@ -1725,7 +1728,7 @@ func (x *GetFlowsRequest_Experimental) GetFieldMask() *fieldmaskpb.FieldMask { var File_observer_observer_proto protoreflect.FileDescriptor -var file_observer_observer_proto_rawDesc = []byte{ +var file_observer_observer_proto_rawDesc = string([]byte{ 0x0a, 0x17, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x08, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x1a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 
@@ -1955,16 +1958,16 @@ var file_observer_observer_proto_rawDesc = []byte{ 0x6d, 0x2f, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2f, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x50, 0x04, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} +}) var ( file_observer_observer_proto_rawDescOnce sync.Once - file_observer_observer_proto_rawDescData = file_observer_observer_proto_rawDesc + file_observer_observer_proto_rawDescData []byte ) func file_observer_observer_proto_rawDescGZIP() []byte { file_observer_observer_proto_rawDescOnce.Do(func() { - file_observer_observer_proto_rawDescData = protoimpl.X.CompressGZIP(file_observer_observer_proto_rawDescData) + file_observer_observer_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_observer_observer_proto_rawDesc), len(file_observer_observer_proto_rawDesc))) }) return file_observer_observer_proto_rawDescData } @@ -2073,7 +2076,7 @@ func file_observer_observer_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_observer_observer_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_observer_observer_proto_rawDesc), len(file_observer_observer_proto_rawDesc)), NumEnums: 0, NumMessages: 17, NumExtensions: 0, @@ -2084,7 +2087,6 @@ func file_observer_observer_proto_init() { MessageInfos: file_observer_observer_proto_msgTypes, }.Build() File_observer_observer_proto = out.File - file_observer_observer_proto_rawDesc = nil file_observer_observer_proto_goTypes = nil file_observer_observer_proto_depIdxs = nil } diff --git a/vendor/github.com/cilium/cilium/api/v1/relay/relay.pb.go b/vendor/github.com/cilium/cilium/api/v1/relay/relay.pb.go index abf656c07b..3af74c961a 100644 --- a/vendor/github.com/cilium/cilium/api/v1/relay/relay.pb.go +++ b/vendor/github.com/cilium/cilium/api/v1/relay/relay.pb.go 
@@ -3,7 +3,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.3 +// protoc-gen-go v1.36.5 // protoc v5.29.3 // source: relay/relay.proto @@ -14,6 +14,7 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" + unsafe "unsafe" ) const ( @@ -157,7 +158,7 @@ func (x *NodeStatusEvent) GetMessage() string { var File_relay_relay_proto protoreflect.FileDescriptor -var file_relay_relay_proto_rawDesc = []byte{ +var file_relay_relay_proto_rawDesc = string([]byte{ 0x0a, 0x11, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x2f, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x05, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x22, 0x7f, 0x0a, 0x0f, 0x4e, 0x6f, 0x64, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x12, 0x33, 0x0a, @@ -178,16 +179,16 @@ var file_relay_relay_proto_rawDesc = []byte{ 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2f, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} +}) var ( file_relay_relay_proto_rawDescOnce sync.Once - file_relay_relay_proto_rawDescData = file_relay_relay_proto_rawDesc + file_relay_relay_proto_rawDescData []byte ) func file_relay_relay_proto_rawDescGZIP() []byte { file_relay_relay_proto_rawDescOnce.Do(func() { - file_relay_relay_proto_rawDescData = protoimpl.X.CompressGZIP(file_relay_relay_proto_rawDescData) + file_relay_relay_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_relay_relay_proto_rawDesc), len(file_relay_relay_proto_rawDesc))) }) return file_relay_relay_proto_rawDescData } 
@@ -216,7 +217,7 @@ func file_relay_relay_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_relay_relay_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_relay_relay_proto_rawDesc), len(file_relay_relay_proto_rawDesc)), NumEnums: 1, NumMessages: 1, NumExtensions: 0, @@ -228,7 +229,6 @@ func file_relay_relay_proto_init() { MessageInfos: file_relay_relay_proto_msgTypes, }.Build() File_relay_relay_proto = out.File - file_relay_relay_proto_rawDesc = nil file_relay_relay_proto_goTypes = nil file_relay_relay_proto_depIdxs = nil } diff --git a/vendor/github.com/cilium/cilium/assets.go b/vendor/github.com/cilium/cilium/assets.go new file mode 100644 index 0000000000..cca1fcf7bf --- /dev/null +++ b/vendor/github.com/cilium/cilium/assets.go @@ -0,0 +1,12 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Cilium + +// Cilium provides access to top-level files in the tree for Cilium development. +package cilium + +import ( + _ "embed" +) + +//go:embed CODEOWNERS +var CodeOwnersRaw string diff --git a/vendor/github.com/cilium/cilium/cilium-cli/cli/clustermesh.go b/vendor/github.com/cilium/cilium/cilium-cli/cli/clustermesh.go index f45e6aae5d..066e4dc901 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/cli/clustermesh.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/cli/clustermesh.go @@ -6,9 +6,7 @@ package cli import ( "context" "fmt" - "io" "os" - "strings" "time" "github.com/spf13/cobra" @@ -16,7 +14,6 @@ import ( "github.com/cilium/cilium/cilium-cli/clustermesh" "github.com/cilium/cilium/cilium-cli/defaults" "github.com/cilium/cilium/cilium-cli/status" - k8sConst "github.com/cilium/cilium/pkg/k8s/apis/cilium.io" ) func newCmdClusterMesh() *cobra.Command { 
@@ -28,7 +25,6 @@ func newCmdClusterMesh() *cobra.Command { cmd.AddCommand( newCmdClusterMeshStatus(), - newCmdClusterMeshExternalWorkload(), newCmdClusterMeshConnectWithHelm(), newCmdClusterMeshDisconnectWithHelm(), newCmdClusterMeshEnableWithHelm(), 
@@ -73,175 +69,6 @@ func newCmdClusterMeshStatus() *cobra.Command { return cmd } -func newCmdClusterMeshExternalWorkload() *cobra.Command { - cmd := &cobra.Command{ - Use: "external-workload", - Aliases: []string{"vm"}, - Short: "External Workload Management", - Long: ``, - } - - cmd.AddCommand( - newCmdExternalWorkloadCreate(), - newCmdExternalWorkloadDelete(), - newCmdExternalWorkloadInstall(), - newCmdExternalWorkloadStatus(), - ) - - return cmd -} - -func parseLabels(labels string) map[string]string { - res := make(map[string]string) - for _, str := range strings.Split(labels, ",") { - str = strings.TrimSpace(str) - i := strings.IndexByte(str, '=') - if i < 0 { - res[str] = "" - } else { - res[str[:i]] = str[i+1:] - } - } - return res -} - -func newCmdExternalWorkloadCreate() *cobra.Command { - var params = clustermesh.Parameters{ - Writer: os.Stderr, - } - var labels string - var namespace string - - cmd := &cobra.Command{ - Use: "create ", - Short: "Create new external workloads", - Long: ``, - RunE: func(_ *cobra.Command, args []string) error { - params.Namespace = namespace - params.ImpersonateAs = impersonateAs - params.ImpersonateGroups = impersonateGroups - - if labels != "" { - params.Labels = parseLabels(labels) - } - if namespace != "" { - if params.Labels == nil { - params.Labels = make(map[string]string) - } - params.Labels[k8sConst.PodNamespaceLabel] = namespace - } - cm := clustermesh.NewK8sClusterMesh(k8sClient, params) - if err := cm.CreateExternalWorkload(context.Background(), args); err != nil { - fatalf("Unable to add external workloads: %s", err) - } - return nil - }, - } - - cmd.Flags().StringVar(&labels, "labels", "", "Comma separated list of labels for the external workload identity") - cmd.Flags().StringVar(¶ms.IPv4AllocCIDR, "ipv4-alloc-cidr", "", "Unique IPv4 CIDR allocated for the external workload") - cmd.Flags().StringVar(¶ms.IPv6AllocCIDR, "ipv6-alloc-cidr", "", "Unique IPv6 CIDR allocated for the external workload") - - return cmd 
-} - -func newCmdExternalWorkloadDelete() *cobra.Command { - var params = clustermesh.Parameters{ - Writer: os.Stderr, - } - - cmd := &cobra.Command{ - Use: "delete ", - Short: "Delete named external workloads", - Long: ``, - RunE: func(_ *cobra.Command, args []string) error { - params.ImpersonateAs = impersonateAs - params.ImpersonateGroups = impersonateGroups - - cm := clustermesh.NewK8sClusterMesh(k8sClient, params) - if err := cm.DeleteExternalWorkload(context.Background(), args); err != nil { - fatalf("Unable to remove external workloads: %s", err) - } - return nil - }, - } - - cmd.Flags().BoolVar(¶ms.All, "all", false, "Delete all resources if none are named") - - return cmd -} - -func newCmdExternalWorkloadInstall() *cobra.Command { - var params = clustermesh.Parameters{ - Writer: os.Stderr, - } - - cmd := &cobra.Command{ - Use: "install [output-file]", - Short: "Creates a shell script to install external workloads", - Long: ``, - RunE: func(_ *cobra.Command, args []string) error { - params.Namespace = namespace - params.ImpersonateAs = impersonateAs - params.ImpersonateGroups = impersonateGroups - - cm := clustermesh.NewK8sClusterMesh(k8sClient, params) - var writer io.Writer - if len(args) > 0 { - file, err := os.Create(args[0]) - if err != nil { - fatalf("Unable to open file %s: %s", args[0], err) - } - defer func() { - file.Chmod(0775) - file.Close() - }() - writer = file - } else { - writer = os.Stdout - } - if err := cm.WriteExternalWorkloadInstallScript(context.Background(), writer); err != nil { - fatalf("Unable to create external workload install script: %s", err) - } - return nil - }, - } - - cmd.Flags().BoolVar(¶ms.Wait, "wait", false, "Wait until status is successful") - cmd.Flags().DurationVar(¶ms.WaitDuration, "wait-duration", 15*time.Minute, "Maximum time to wait") - cmd.Flags().StringSliceVar(¶ms.ConfigOverwrites, "config", []string{}, "Cilium agent config entries (key=value)") - cmd.Flags().IntVar(¶ms.Retries, "retries", 4, "Number of Cilium 
agent start retries") - - return cmd -} - -func newCmdExternalWorkloadStatus() *cobra.Command { - var params = clustermesh.Parameters{ - Writer: os.Stdout, - } - - cmd := &cobra.Command{ - Use: "status [name...]", - Short: "Show status of external workloads", - Long: ``, - RunE: func(_ *cobra.Command, args []string) error { - params.Namespace = namespace - params.ImpersonateAs = impersonateAs - params.ImpersonateGroups = impersonateGroups - - cm := clustermesh.NewK8sClusterMesh(k8sClient, params) - if err := cm.ExternalWorkloadStatus(context.Background(), args); err != nil { - fatalf("Unable to determine status: %s", err) - } - return nil - }, - } - - cmd.Flags().StringVar(&contextName, "context", "", "Kubernetes configuration context") - - return cmd -} - func newCmdClusterMeshEnableWithHelm() *cobra.Command { var params = clustermesh.Parameters{ Writer: os.Stdout, @@ -265,7 +92,6 @@ func newCmdClusterMeshEnableWithHelm() *cobra.Command { }, } - cmd.Flags().BoolVar(¶ms.EnableExternalWorkloads, "enable-external-workloads", false, "Enable support for external workloads, such as VMs") cmd.Flags().BoolVar(¶ms.EnableKVStoreMesh, "enable-kvstoremesh", false, "Enable kvstoremesh, an extension which caches remote cluster information in the local kvstore (Cilium >=1.14 only)") cmd.Flags().StringVar(¶ms.ServiceType, "service-type", "", "Type of Kubernetes service to expose control plane { LoadBalancer | NodePort }") diff --git a/vendor/github.com/cilium/cilium/cilium-cli/cli/connectivity.go b/vendor/github.com/cilium/cilium/cilium-cli/cli/connectivity.go index 25f61d95ae..1710b3aa56 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/cli/connectivity.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/cli/connectivity.go 
@@ -13,9 +13,11 @@ import ( "syscall" "time" + "github.com/hmarr/codeowners" "github.com/spf13/cobra" "github.com/spf13/pflag" + assets "github.com/cilium/cilium" "github.com/cilium/cilium/cilium-cli/api" "github.com/cilium/cilium/cilium-cli/connectivity" "github.com/cilium/cilium/cilium-cli/connectivity/check" @@ -76,8 +78,12 @@ func RunE(hooks api.Hooks) func(cmd *cobra.Command, args []string) error { } logger := check.NewConcurrentLogger(params.Writer, params.TestConcurrency) + owners, err := codeowners.ParseFile(strings.NewReader(assets.CodeOwnersRaw)) + if err != nil { + return fmt.Errorf("🐛 Failed to parse CODEOWNERS. Developer BUG? %w", err) + } - connTests, err := newConnectivityTests(params, hooks, logger) + connTests, err := newConnectivityTests(params, hooks, logger, owners) if err != nil { return err } @@ -171,6 +177,7 @@ func newCmdConnectivityTest(hooks api.Hooks) *cobra.Command { sysdump.InitSysdumpFlags(cmd, ¶ms.SysdumpOptions, "sysdump-", hooks) cmd.Flags().BoolVar(¶ms.IncludeConnDisruptTest, "include-conn-disrupt-test", false, "Include conn disrupt test") + cmd.Flags().BoolVar(¶ms.IncludeConnDisruptTestNSTraffic, "include-conn-disrupt-test-ns-traffic", false, "Include conn disrupt test for NS traffic") cmd.Flags().BoolVar(¶ms.ConnDisruptTestSetup, "conn-disrupt-test-setup", false, "Set up conn disrupt test dependencies") cmd.Flags().StringVar(¶ms.ConnDisruptTestRestartsPath, "conn-disrupt-test-restarts-path", "/tmp/cilium-conn-disrupt-restarts", "Conn disrupt test temporary result file (used internally)") cmd.Flags().StringVar(¶ms.ConnDisruptTestXfrmErrorsPath, "conn-disrupt-test-xfrm-errors-path", "/tmp/cilium-conn-disrupt-xfrm-errors", "Conn disrupt test temporary result file (used internally)") 
@@ -181,6 +188,8 @@ func newCmdConnectivityTest(hooks api.Hooks) *cobra.Command { cmd.Flags().StringSliceVar(¶ms.ExpectedXFRMErrors, "expected-xfrm-errors", defaults.ExpectedXFRMErrors, "List of expected XFRM errors") cmd.Flags().MarkHidden("expected-xfrm-errors") + cmd.Flags().BoolVar(¶ms.LogCodeOwners, "log-code-owners", defaults.LogCodeOwners, "Log code owners for tests that fail") + cmd.Flags().MarkHidden("log-code-owners") cmd.Flags().StringSliceVar(¶ms.LogCheckLevels, "log-check-levels", defaults.LogCheckLevels, "Log levels to check for in log messages") cmd.Flags().MarkHidden("log-check-levels") @@ -246,6 +255,7 @@ func newConnectivityTests( params check.Parameters, hooks api.Hooks, logger *check.ConcurrentLogger, + owners codeowners.Ruleset, ) ([]*check.ConnectivityTest, error) { if params.TestConcurrency < 1 { fmt.Printf("--test-concurrency parameter value is invalid [%d], using 1 instead\n", params.TestConcurrency) @@ -262,7 +272,7 @@ func newConnectivityTests( } params.ExternalDeploymentPort += i params.EchoServerHostPort += i - cc, err := check.NewConnectivityTest(k8sClient, params, hooks, logger) + cc, err := check.NewConnectivityTest(k8sClient, params, hooks, logger, owners) if err != nil { return nil, err } diff --git a/vendor/github.com/cilium/cilium/cilium-cli/cli/status.go b/vendor/github.com/cilium/cilium/cilium-cli/cli/status.go index 834996d666..04fe73c0ca 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/cli/status.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/cli/status.go @@ -68,6 +68,7 @@ func newCmdStatus() *cobra.Command { "The number of workers to use") cmd.Flags().StringVarP(¶ms.Output, "output", "o", status.OutputSummary, "Output format. One of: json, summary") cmd.Flags().BoolVar(¶ms.Interactive, "interactive", true, "Refresh the status summary output after each retry when --wait flag is specified") + cmd.Flags().BoolVar(¶ms.Verbose, "verbose", false, "Print more verbose error / log messages") return cmd } 
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/clustermesh/clustermesh.go b/vendor/github.com/cilium/cilium/cilium-cli/clustermesh/clustermesh.go index 82d643bc63..d6e84b2e38 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/clustermesh/clustermesh.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/clustermesh/clustermesh.go @@ -21,7 +21,6 @@ import ( "strconv" "strings" "sync" - "text/tabwriter" "time" "helm.sh/helm/v3/pkg/release" @@ -75,12 +74,8 @@ type k8sClusterMeshImplementation interface { KVStoreMeshStatus(ctx context.Context, namespace, pod string) ([]*models.RemoteCluster, error) CiliumDbgEndpoints(ctx context.Context, namespace, pod string) ([]*models.Endpoint, error) ClusterName() string - ListCiliumExternalWorkloads(ctx context.Context, opts metav1.ListOptions) (*ciliumv2.CiliumExternalWorkloadList, error) - GetCiliumExternalWorkload(ctx context.Context, name string, opts metav1.GetOptions) (*ciliumv2.CiliumExternalWorkload, error) - CreateCiliumExternalWorkload(ctx context.Context, cew *ciliumv2.CiliumExternalWorkload, opts metav1.CreateOptions) (*ciliumv2.CiliumExternalWorkload, error) - DeleteCiliumExternalWorkload(ctx context.Context, name string, opts metav1.DeleteOptions) error ListCiliumEndpoints(ctx context.Context, namespace string, options metav1.ListOptions) (*ciliumv2.CiliumEndpointList, error) - CiliumLogs(ctx context.Context, namespace, pod string, since time.Time, previous bool) (string, error) + ContainerLogs(ctx context.Context, namespace, pod, containerName string, since time.Time, previous bool) (string, error) } type K8sClusterMesh struct { @@ -114,10 +109,6 @@ type Parameters struct { ImpersonateAs string ImpersonateGroups []string - // EnableExternalWorkloads indicates whether externalWorkloads.enabled Helm value - // should be set to true. For Helm mode only. - EnableExternalWorkloads bool - // EnableKVStoreMesh indicates whether kvstoremesh should be enabled. // For Helm mode only. EnableKVStoreMesh bool 
@@ -175,7 +166,7 @@ func (k *K8sClusterMesh) GetClusterConfig(ctx context.Context) error { k.clusterName = clusterName if clusterID == "0" || clusterName == "default" { - k.Log("⚠️ Cluster not configured for clustermesh, use '--set cluster.id' and '--set cluster.name' with 'cilium install'. External workloads may still be configured.") + k.Log("⚠️ Cluster not configured for clustermesh, use '--set cluster.id' and '--set cluster.name' with 'cilium install'.") } return nil @@ -190,8 +181,6 @@ type accessInformation struct { CA []byte `json:"ca,omitempty"` ClientCert []byte `json:"client_cert,omitempty"` ClientKey []byte `json:"client_key,omitempty"` - ExternalWorkloadCert []byte `json:"external_workload_cert,omitempty"` - ExternalWorkloadKey []byte `json:"external_workload_key,omitempty"` Tunnel string `json:"tunnel,omitempty"` MaxConnectedClusters int `json:"max_connected_clusters,omitempty"` } @@ -209,18 +198,13 @@ func getDeprecatedName(secretName string) string { return defaults.ClusterMeshClientSecretName case defaults.ClusterMeshServerSecretName, defaults.ClusterMeshAdminSecretName, - defaults.ClusterMeshClientSecretName, - defaults.ClusterMeshExternalWorkloadSecretName: + defaults.ClusterMeshClientSecretName: return secretName + "s" default: return "" } } -func getExternalWorkloadCertName() string { - return defaults.ClusterMeshClientSecretName -} - // getDeprecatedSecret attempts to retrieve a secret using one or more deprecated names // There are now multiple "layers" of deprecated secret names, so we call this function recursively if needed func (k *K8sClusterMesh) getDeprecatedSecret(ctx context.Context, client k8sClusterMeshImplementation, secretName string, defaultName string) (*corev1.Secret, error) { 
@@ -278,7 +262,7 @@ func (k *K8sClusterMesh) getCACert(ctx context.Context, client k8sClusterMeshImp return nil, fmt.Errorf("secret %q does not contain the CA certificate", defaults.CASecretName) } -func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8sClusterMeshImplementation, endpoints []string, verbose bool, getExternalWorkLoadSecret bool) (*accessInformation, error) { +func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8sClusterMeshImplementation, endpoints []string, verbose bool) (*accessInformation, error) { cm, err := client.GetConfigMap(ctx, k.params.Namespace, defaults.ConfigMapName, metav1.GetOptions{}) if err != nil { return nil, fmt.Errorf("unable to retrieve ConfigMap %q: %w", defaults.ConfigMapName, err) @@ -334,25 +318,6 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8 } } - // ExternalWorkload secret is created by 'clustermesh enable' command, but it isn't created by Helm. We should try to load this secret only when needed - var externalWorkloadKey, externalWorkloadCert []byte - if getExternalWorkLoadSecret { - externalWorkloadSecret, err := k.getSecret(ctx, client, getExternalWorkloadCertName()) - if err != nil { - return nil, fmt.Errorf("unable to get external workload secret to access clustermesh service") - } - - externalWorkloadKey, ok = externalWorkloadSecret.Data[corev1.TLSPrivateKeyKey] - if !ok { - return nil, fmt.Errorf("secret %q does not contain key %q", externalWorkloadSecret.Namespace, corev1.TLSPrivateKeyKey) - } - - externalWorkloadCert, ok = externalWorkloadSecret.Data[corev1.TLSCertKey] - if !ok { - return nil, fmt.Errorf("secret %q does not contain key %q", externalWorkloadSecret.Namespace, corev1.TLSCertKey) - } - } - tunnelProtocol := "" if cm.Data[configNameRoutingMode] == "tunnel" { // Cilium v1.14 and newer 
@@ -372,8 +337,6 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8 CA: caCert, ClientKey: clientKey, ClientCert: clientCert, - ExternalWorkloadKey: externalWorkloadKey, - ExternalWorkloadCert: externalWorkloadCert, ServiceType: svc.Spec.Type, ServiceIPs: []string{}, Tunnel: tunnelProtocol, @@ -531,7 +494,7 @@ func (k *K8sClusterMesh) shallowExtractAccessInfo(ctx context.Context, c *k8s.Cl func (k *K8sClusterMesh) getAccessInfoForConnect( ctx context.Context, client *k8s.Client, endpoints []string, ) (*accessInformation, error) { - ai, err := k.extractAccessInformation(ctx, client, endpoints, true, false) + ai, err := k.extractAccessInformation(ctx, client, endpoints, true) if err != nil { k.Log("❌ Unable to retrieve access information of cluster %q: %s", client.ClusterName(), err) return nil, err @@ -588,7 +551,7 @@ type Status struct { } `json:"kvstoremesh,omitempty"` } -func (k *K8sClusterMesh) statusAccessInformation(ctx context.Context, log bool, getExternalWorkloadSecret bool) (*accessInformation, error) { +func (k *K8sClusterMesh) statusAccessInformation(ctx context.Context, log bool) (*accessInformation, error) { w := wait.NewObserver(ctx, wait.Parameters{Log: func(err error, wait string) { if log { k.Log("⌛ Waiting (%s) for access information: %s", wait, err) @@ -597,7 +560,7 @@ func (k *K8sClusterMesh) statusAccessInformation(ctx context.Context, log bool, defer w.Cancel() for { - ai, err := k.extractAccessInformation(ctx, k.client, []string{}, false, getExternalWorkloadSecret) + ai, err := k.extractAccessInformation(ctx, k.client, []string{}, false) if err != nil && k.params.Wait { if err := w.Retry(err); err != nil { return nil, err 
@@ -901,7 +864,7 @@ func (k *K8sClusterMesh) Status(ctx context.Context) (*Status, error) { if k.externalKVStore { k.Log("✅ Cilium is configured with an external kvstore") } else { - s.AccessInformation, err = k.statusAccessInformation(ctx, true, false) + s.AccessInformation, err = k.statusAccessInformation(ctx, true) if err != nil { return nil, err } 
@@ -1044,382 +1007,6 @@ func (k *K8sClusterMesh) outputConnectivityStatus(agents, kvstoremesh *Connectiv } } -func (k *K8sClusterMesh) CreateExternalWorkload(ctx context.Context, names []string) error { - count := 0 - for _, name := range names { - cew := &ciliumv2.CiliumExternalWorkload{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Labels: k.params.Labels, - Annotations: map[string]string{}, - }, - Spec: ciliumv2.CiliumExternalWorkloadSpec{ - IPv4AllocCIDR: k.params.IPv4AllocCIDR, - IPv6AllocCIDR: k.params.IPv6AllocCIDR, - }, - } - - _, err := k.client.CreateCiliumExternalWorkload(ctx, cew, metav1.CreateOptions{}) - if err != nil { - return err - } - count++ - } - k.Log("✅ Added %d external workload resources.", count) - return nil -} - -func (k *K8sClusterMesh) DeleteExternalWorkload(ctx context.Context, names []string) error { - var errs []string - count := 0 - - if len(names) == 0 && k.params.All { - cewList, err := k.client.ListCiliumExternalWorkloads(ctx, metav1.ListOptions{}) - if err != nil { - return err - } - for _, cew := range cewList.Items { - names = append(names, cew.Name) - } - } - for _, name := range names { - err := k.client.DeleteCiliumExternalWorkload(ctx, name, metav1.DeleteOptions{}) - if err != nil { - errs = append(errs, err.Error()) - } else { - count++ - } - } - if count > 0 { - k.Log("✅ Removed %d external workload resources.", count) - } else { - k.Log("ℹ️ No external workload resources to remove.") - } - if len(errs) > 0 { - return errors.New(strings.Join(errs, ", ")) - } - return nil -} - -var installScriptFmt = `#!/bin/bash -CILIUM_IMAGE=${1:-%[1]s} -CLUSTER_ADDR=${2:-%[2]s} -CONFIG_OVERWRITES=${3:-%[3]s} - -set -e -shopt -s extglob - -# Run without sudo if not available (e.g., running as root) -SUDO= -if [ ! 
"$(whoami)" = "root" ] ; then - SUDO=sudo -fi - -if [ "$1" = "uninstall" ] ; then - if [ -n "$(${SUDO} docker ps -a -q -f name=cilium)" ]; then - echo "Shutting down running Cilium agent" - ${SUDO} docker rm -f cilium || true - fi - if [ -e /usr/bin/cilium ]; then - echo "Removing /usr/bin/cilium" - ${SUDO} rm /usr/bin/cilium - fi - if [ -e /usr/bin/cilium-dbg ] ; then - echo "Removing /usr/bin/cilium-dbg" - ${SUDO} rm /usr/bin/cilium-dbg - fi - pushd /etc - if [ -f resolv.conf.orig ] ; then - echo "Restoring /etc/resolv.conf" - ${SUDO} mv -f resolv.conf.orig resolv.conf - elif [ -f resolv.conf.link ] && [ -f $(cat resolv.conf.link) ] ; then - echo "Restoring systemd resolved config..." - if [ -f /usr/lib/systemd/resolved.conf.d/cilium-kube-dns.conf ] ; then - ${SUDO} rm /usr/lib/systemd/resolved.conf.d/cilium-kube-dns.conf - fi - ${SUDO} systemctl daemon-reload - ${SUDO} systemctl reenable systemd-resolved.service - ${SUDO} service systemd-resolved restart - ${SUDO} ln -fs $(cat resolv.conf.link) resolv.conf - ${SUDO} rm resolv.conf.link - fi - popd - exit 0 -fi - -if [ -z "$CLUSTER_ADDR" ] ; then - echo "CLUSTER_ADDR must be defined to the IP:PORT at which the clustermesh-apiserver is reachable." 
- exit 1 -fi - -port='@(6553[0-5]|655[0-2][0-9]|65[0-4][0-9][0-9]|6[0-4][0-9][0-9][0-9]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9]|[1-9])' -byte='@(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])' -ipv4="$byte\.$byte\.$byte\.$byte" - -# Default port is for a HostPort service -case "$CLUSTER_ADDR" in - \[+([0-9a-fA-F:])\]:$port) - CLUSTER_PORT=${CLUSTER_ADDR##\[*\]:} - CLUSTER_IP=${CLUSTER_ADDR#\[} - CLUSTER_IP=${CLUSTER_IP%%\]:*} - ;; - $ipv4:$port) - CLUSTER_PORT=${CLUSTER_ADDR##*:} - CLUSTER_IP=${CLUSTER_ADDR%%:*} - ;; - *:*) - echo "Malformed CLUSTER_ADDR: $CLUSTER_ADDR" - exit 1 - ;; - *) - CLUSTER_PORT=2379 - CLUSTER_IP=$CLUSTER_ADDR - ;; -esac - -${SUDO} mkdir -p /var/lib/cilium/etcd -${SUDO} tee /var/lib/cilium/etcd/ca.crt </dev/null -%[4]sEOF -${SUDO} tee /var/lib/cilium/etcd/tls.crt </dev/null -%[5]sEOF -${SUDO} tee /var/lib/cilium/etcd/tls.key </dev/null -%[6]sEOF -${SUDO} tee /var/lib/cilium/etcd/config.yaml </dev/null ---- -trusted-ca-file: /var/lib/cilium/etcd/ca.crt -cert-file: /var/lib/cilium/etcd/tls.crt -key-file: /var/lib/cilium/etcd/tls.key -endpoints: -- https://clustermesh-apiserver.cilium.io:$CLUSTER_PORT -EOF - -CILIUM_OPTS=" --join-cluster %[8]s --enable-endpoint-health-checking=false" -CILIUM_OPTS+=" --cluster-name ${CLUSTER_NAME:-%[9]s} --cluster-id ${CLUSTER_ID:-%[10]s}" -CILIUM_OPTS+=" --kvstore etcd --kvstore-opt etcd.config=/var/lib/cilium/etcd/config.yaml" -if [ -n "$HOST_IP" ] ; then - CILIUM_OPTS+=" --ipv4-node $HOST_IP" -fi -if [ -n "$CONFIG_OVERWRITES" ] ; then - CILIUM_OPTS+=" $CONFIG_OVERWRITES" -fi - -DOCKER_OPTS=" -d --log-driver local --restart always" -DOCKER_OPTS+=" --privileged --network host --cap-add NET_ADMIN --cap-add SYS_MODULE" -# Run cilium agent in the host's cgroup namespace so that -# socket-based load balancing works as expected. -# See https://github.com/cilium/cilium/pull/16259 for more details. 
-DOCKER_OPTS+=" --cgroupns=host" -DOCKER_OPTS+=" --volume /var/lib/cilium/etcd:/var/lib/cilium/etcd" -DOCKER_OPTS+=" --volume /var/run/cilium:/var/run/cilium" -DOCKER_OPTS+=" --volume /boot:/boot" -DOCKER_OPTS+=" --volume /lib/modules:/lib/modules" -DOCKER_OPTS+=" --volume /sys/fs/bpf:/sys/fs/bpf" -DOCKER_OPTS+=" --volume /run/xtables.lock:/run/xtables.lock" -DOCKER_OPTS+=" --add-host clustermesh-apiserver.cilium.io:$CLUSTER_IP" - -cilium_started=false -retries=%[7]s -while [ $cilium_started = false ]; do - if [ -n "$(${SUDO} docker ps -a -q -f name=cilium)" ]; then - echo "Shutting down running Cilium agent" - ${SUDO} docker rm -f cilium || true - fi - - echo "Launching Cilium agent $CILIUM_IMAGE..." - ${SUDO} docker run --name cilium $DOCKER_OPTS $CILIUM_IMAGE cilium-agent $CILIUM_OPTS - - # Copy Cilium CLI - ${SUDO} docker cp -L cilium:/usr/bin/cilium /usr/bin/cilium-dbg - ${SUDO} ln -fs /usr/bin/cilium-dbg /usr/bin/cilium - - # Wait for cilium agent to become available - for ((i = 0 ; i < 12; i++)); do - if ${SUDO} cilium-dbg status --brief > /dev/null 2>&1; then - cilium_started=true - break - fi - sleep 5s - echo "Waiting for Cilium daemon to come up..." - done - - echo "Cilium status:" - ${SUDO} cilium-dbg status || true - - if [ "$cilium_started" = true ] ; then - echo 'Cilium successfully started!' - else - if [ $retries -eq 0 ]; then - >&2 echo 'Timeout waiting for Cilium to start, retries exhausted.' - exit 1 - fi - ((retries--)) - echo "Restarting Cilium..." - fi -done - -# Wait for kube-dns service to become available -kubedns="" -for ((i = 0 ; i < 24; i++)); do - kubedns=$(${SUDO} cilium-dbg service list get -o jsonpath='{[?(@.spec.frontend-address.port==53)].spec.frontend-address.ip}') - if [ -n "$kubedns" ] ; then - break - fi - sleep 5s - echo "Waiting for kube-dns service to come available..." 
-done - -namespace=$(${SUDO} cilium-dbg endpoint get -l reserved:host -o jsonpath='{$[0].status.identity.labels}' | tr -d "[]\"" | tr "," "\n" | grep io.kubernetes.pod.namespace | cut -d= -f2) - -if [ -n "$kubedns" ] ; then - if grep "nameserver $kubedns" /etc/resolv.conf ; then - echo "kube-dns IP $kubedns already in /etc/resolv.conf" - else - linkval=$(readlink /etc/resolv.conf) && echo "$linkval" | ${SUDO} tee /etc/resolv.conf.link || true - if [[ "$linkval" == *"/systemd/"* ]] ; then - echo "updating systemd resolved with kube-dns IP $kubedns" - ${SUDO} mkdir -p /usr/lib/systemd/resolved.conf.d - ${SUDO} tee /usr/lib/systemd/resolved.conf.d/cilium-kube-dns.conf </dev/null -# This file is installed by Cilium to use kube dns server from a non-k8s node. -[Resolve] -DNS=$kubedns -Domains=${namespace}.svc.cluster.local svc.cluster.local cluster.local -EOF - ${SUDO} systemctl daemon-reload - ${SUDO} systemctl reenable systemd-resolved.service - ${SUDO} service systemd-resolved restart - ${SUDO} ln -fs /run/systemd/resolve/resolv.conf /etc/resolv.conf - else - echo "Adding kube-dns IP $kubedns to /etc/resolv.conf" - ${SUDO} cp /etc/resolv.conf /etc/resolv.conf.orig - resolvconf="nameserver $kubedns\n$(cat /etc/resolv.conf)\nsearch ${namespace}.svc.cluster.local svc.cluster.local cluster.local\n" - printf "$resolvconf" | ${SUDO} tee /etc/resolv.conf - fi - fi -else - >&2 echo "kube-dns not found." 
- exit 1 -fi -` - -func (k *K8sClusterMesh) WriteExternalWorkloadInstallScript(ctx context.Context, writer io.Writer) error { - daemonSet, err := k.client.GetDaemonSet(ctx, k.params.Namespace, defaults.AgentDaemonSetName, metav1.GetOptions{}) - if err != nil { - return err - } - if daemonSet == nil { - return fmt.Errorf("DaemonSet %s is not available", defaults.AgentDaemonSetName) - } - k.Log("✅ Using image from Cilium DaemonSet: %s", daemonSet.Spec.Template.Spec.Containers[0].Image) - - ai, err := k.statusAccessInformation(ctx, false, true) - if err != nil { - return err - } - if ai.Tunnel != "" && ai.Tunnel != "vxlan" { - return fmt.Errorf("datapath not using vxlan, please install Cilium with '--set tunnelMode=vxlan'") - } - - clusterAddr := fmt.Sprintf("%s:%d", ai.ServiceIPs[0], ai.ServicePort) - k.Log("✅ Using clustermesh-apiserver service address: %s", clusterAddr) - - configOverwrites := "" - if len(k.params.ConfigOverwrites) > 0 { - for i, opt := range k.params.ConfigOverwrites { - if !strings.HasPrefix(opt, "--") { - k.params.ConfigOverwrites[i] = "--" + opt - } - } - configOverwrites = strings.Join(k.params.ConfigOverwrites, " ") - } - - if k.params.Retries <= 0 { - k.params.Retries = 1 - } - - sockLBOpt := "--bpf-lb-sock" - fmt.Fprintf(writer, installScriptFmt, - daemonSet.Spec.Template.Spec.Containers[0].Image, clusterAddr, - configOverwrites, - string(ai.CA), string(ai.ExternalWorkloadCert), string(ai.ExternalWorkloadKey), - strconv.Itoa(k.params.Retries), sockLBOpt, ai.ClusterName, ai.ClusterID) - return nil -} - -func formatCEW(cew ciliumv2.CiliumExternalWorkload) string { - var items []string - ip := cew.Status.IP - if ip == "" { - ip = "N/A" - } - items = append(items, fmt.Sprintf("IP: %s", ip)) - var labels []string - for key, value := range cew.Labels { - labels = append(labels, fmt.Sprintf("%s=%s", key, value)) - } - items = append(items, fmt.Sprintf("Labels: %s", strings.Join(labels, ","))) - return strings.Join(items, ", ") -} - -func (k 
*K8sClusterMesh) ExternalWorkloadStatus(ctx context.Context, names []string) error { - collector, err := status.NewK8sStatusCollector(k.client, status.K8sStatusParameters{ - Namespace: k.params.Namespace, - }) - if err != nil { - return fmt.Errorf("unable to create client to collect status: %w", err) - } - - k.statusCollector = collector - - ctx, cancel := context.WithTimeout(ctx, k.params.waitTimeout()) - defer cancel() - - ai, err := k.statusAccessInformation(ctx, true, true) - if err != nil { - return err - } - - k.Log("✅ Service %q of type %q found", defaults.ClusterMeshServiceName, ai.ServiceType) - k.Log("✅ Cluster access information is available:") - for _, ip := range ai.ServiceIPs { - k.Log(" - %s:%d", ip, ai.ServicePort) - } - - var cews []ciliumv2.CiliumExternalWorkload - - if len(names) == 0 { - cewList, err := k.client.ListCiliumExternalWorkloads(ctx, metav1.ListOptions{}) - if err != nil { - return err - } - cews = cewList.Items - if len(cews) == 0 { - k.Log("⚠️ No external workloads found.") - return nil - } - } else { - for _, name := range names { - cew, err := k.client.GetCiliumExternalWorkload(ctx, name, metav1.GetOptions{}) - if err != nil { - return err - } - cews = append(cews, *cew) - } - } - - var buf bytes.Buffer - w := tabwriter.NewWriter(&buf, 0, 0, 4, ' ', 0) - - header := "External Workloads" - for _, cew := range cews { - fmt.Fprintf(w, "%s\t%s\t%s\n", header, cew.Name, formatCEW(cew)) - header = "" - } - - w.Flush() - fmt.Println(buf.String()) - return err -} - func log(format string, a ...interface{}) { // TODO (ajs): make logger configurable fmt.Fprintf(os.Stdout, format+"\n", a...) @@ -1430,9 +1017,6 @@ func generateEnableHelmValues(params Parameters, flavor k8s.Flavor) (map[string] "clustermesh": map[string]interface{}{ "useAPIServer": true, }, - "externalWorkloads": map[string]interface{}{ - "enabled": params.EnableExternalWorkloads, - }, } if params.ServiceType == "" { 
@@ -1527,7 +1111,6 @@ func DisableWithHelm(ctx context.Context, k8sClient *k8s.Client, params Paramete helmStrValues := []string{ "clustermesh.useAPIServer=false", "clustermesh.config.enabled=false", - "externalWorkloads.enabled=false", } vals, err := helm.ParseVals(helmStrValues) if err != nil { @@ -1601,7 +1184,7 @@ type ClusterState struct { remoteClusterNamesAi []string // names of remote clusters for remove sections } -func processLocalClient(ctx context.Context, localRelease *release.Release) (*ClusterState, error) { +func processLocalClient(localRelease *release.Release) (*ClusterState, error) { state := &ClusterState{} var err error @@ -1769,7 +1352,7 @@ func (k *K8sClusterMesh) ConnectWithHelm(ctx context.Context) error { return err } - clusterState, err := processLocalClient(ctx, localRelease) + clusterState, err := processLocalClient(localRelease) if err != nil { return err } diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/allow_all_except_world.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/allow_all_except_world.go index 027e780711..3ecdbb7577 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/allow_all_except_world.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/allow_all_except_world.go @@ -29,6 +29,5 @@ func (t allowAllExceptWorld) build(ct *check.ConnectivityTest, _ map[string]stri // tests.PodToRemoteNodePort(), // tests.PodToLocalNodePort(), tests.PodToHost(), - tests.PodToExternalWorkload(), ) } diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/builder.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/builder.go index caeb75dc7c..261fdeff24 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/builder.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/builder.go 
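Review bot: In DisableWithHelm, dropping `"externalWorkloads.enabled=false",` from `helmStrValues` means a release that was earlier enabled with external workloads keeps that value after a clustermesh disable, if the upgrade reuses existing values (not visible in this hunk). The README table in this commit still lists Cilium 1.15 and newer as compatible, and on charts that still read `externalWorkloads.enabled` the clustermesh-apiserver and its certificates may stay deployed and reachable after the operator asked for them to be removed. Consider keeping the override until the oldest supported chart no longer defines the value, or state the decision above the list, e.g. `// externalWorkloads.enabled is intentionally not reset here: <reason>`. The function body continues outside the hunk, and the file header for this hunk is outside the visible part of the diff.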
@@ -72,6 +72,9 @@ var ( //go:embed manifests/client-egress-tls-sni.yaml clientEgressTLSSNIPolicyYAML string + //go:embed manifests/client-egress-tls-sni-other.yaml + clientEgressTLSSNIOtherPolicyYAML string + //go:embed manifests/client-egress-l7-tls-sni.yaml clientEgressL7TLSSNIPolicyYAML string @@ -242,6 +245,7 @@ func concurrentTests(connTests []*check.ConnectivityTest) error { health{}, northSouthLoadbalancing{}, podToPodEncryption{}, + podToPodEncryptionV2{}, nodeToNodeEncryption{}, egressGateway{}, egressGatewayExcludedCidrs{}, @@ -311,6 +315,7 @@ func renderTemplates(clusterName string, param check.Parameters) (map[string]str "clientEgressL7HTTPNamedPortPolicyYAML": clientEgressL7HTTPNamedPortPolicyYAML, "clientEgressToFQDNsPolicyYAML": clientEgressToFQDNsPolicyYAML, "clientEgressTLSSNIPolicyYAML": clientEgressTLSSNIPolicyYAML, + "clientEgressTLSSNIOtherPolicyYAML": clientEgressTLSSNIOtherPolicyYAML, "clientEgressL7TLSSNIPolicyYAML": clientEgressL7TLSSNIPolicyYAML, "clientEgressL7TLSPolicyYAML": clientEgressL7TLSPolicyYAML, "clientEgressL7TLSPolicyPortRangeYAML": clientEgressL7TLSPolicyPortRangeYAML, diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/check_log_errors.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/check_log_errors.go index e1bb745ec3..a0f22123f7 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/check_log_errors.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/check_log_errors.go @@ -17,5 +17,5 @@ func (t checkLogErrors) build(ct *check.ConnectivityTest, _ map[string]string) { return versioncheck.MustCompile(">=1.14.0")(ct.CiliumVersion) || ct.Params().IncludeUnsafeTests }). WithSysdumpPolicy(check.SysdumpPolicyOnce). - WithScenarios(tests.NoErrorsInLogs(ct.CiliumVersion, ct.Params().LogCheckLevels)) + WithScenarios(tests.NoErrorsInLogs(ct.CiliumVersion, ct.Params().LogCheckLevels, ct.Params().ExternalTarget)) } 
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/client_egress_l7_tls_deny_without_headers.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/client_egress_l7_tls_deny_without_headers.go
index 8e183c010a..9c2563ac50 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/client_egress_l7_tls_deny_without_headers.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/client_egress_l7_tls_deny_without_headers.go
@@ -21,7 +21,11 @@ func (t clientEgressL7TlsDenyWithoutHeaders) build(ct *check.ConnectivityTest, t
 WithCertificate("externaltarget-tls", ct.Params().ExternalTarget).
 WithCiliumPolicy(templates["clientEgressL7TLSPolicyYAML"]). // L7 allow policy with TLS interception
 WithCiliumPolicy(templates["clientEgressOnlyDNSPolicyYAML"]). // DNS resolution only
- WithScenarios(tests.PodToWorldWithTLSIntercept()).
+ WithScenarios(tests.PodToWorldWithTLSIntercept(
+ "--retry", "5",
+ "--retry-delay", "0",
+ "--retry-all-errors",
+ )).
 WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
 return check.ResultDropCurlHTTPError, check.ResultNone
 })
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/client_egress_tls_sni.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/client_egress_tls_sni.go
index 2060ad3d39..b5360460e1 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/client_egress_tls_sni.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/client_egress_tls_sni.go
@@ -35,12 +35,13 @@ func clientEgressTlsSniTest(ct *check.ConnectivityTest, templates map[string]str return check.ResultDefaultDenyEgressDrop, check.ResultNone }) + yamlFile = templates["clientEgressTLSSNIOtherPolicyYAML"] newTest(fmt.Sprintf("%s-denied", testName), ct). WithCiliumVersion("!1.14.15 !1.14.16 !1.15.9 !1.15.10 !1.16.2 !1.16.3"). WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). WithCiliumPolicy(yamlFile). // L7 allow policy TLS SNI enforcement for external target WithCiliumPolicy(templates["clientEgressOnlyDNSPolicyYAML"]). // DNS resolution only - WithScenarios(tests.PodToWorld2()). // Another External Target is not allowed + WithScenarios(tests.PodToWorld()). // External Target is not allowed WithExpectations(func(a *check.Action) (egress, ingress check.Result) { if a.Destination().Port() == 443 { // SSL error as another external target (e.g. cilium.io) SNI is not allowed diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/manifests/client-egress-tls-sni-other.yaml b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/manifests/client-egress-tls-sni-other.yaml new file mode 100644 index 0000000000..86119ea70d --- /dev/null +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/manifests/client-egress-tls-sni-other.yaml @@ -0,0 +1,17 @@ +# Same as client-egress-tls-sni.yaml but with external other target server name +apiVersion: "cilium.io/v2" +kind: CiliumNetworkPolicy +metadata: + name: "client-egress-tls-sni-other" +specs: +- description: "TLS SNI policy with ExternalOtherTarget" + endpointSelector: + matchLabels: + kind: client + egress: + - toPorts: + - ports: + - port: "443" + protocol: "TCP" + serverNames: + - "{{trimSuffix .ExternalOtherTarget "."}}" diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/no_policies.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/no_policies.go index 3420cd8c32..9afe822514 100644 
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/no_policies.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/no_policies.go
@@ -20,7 +20,6 @@ func (t noPolicies) build(ct *check.ConnectivityTest, _ map[string]string) {
 tests.PodToWorld(tests.WithRetryAll()),
 tests.PodToHost(),
 tests.HostToPod(),
- tests.PodToExternalWorkload(),
 tests.PodToCIDR(tests.WithRetryAll()),
 )
 }
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/pod_to_pod_encryption.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/pod_to_pod_encryption.go
index 12401ce501..e4ba6b9f61 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/pod_to_pod_encryption.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/pod_to_pod_encryption.go
@@ -22,6 +22,20 @@ func (t podToPodEncryption) build(ct *check.ConnectivityTest, _ map[string]strin
 // unencrypted packets shall, or shall not, be observed based on the feature set.
 newTest("pod-to-pod-encryption", ct).
 WithCondition(func() bool { return !ct.Params().SingleNode }).
+ WithCondition(func() bool {
+
+ // for wireguard, we can run the podToPodEncryptionV2 tests if we
+ // are on a post v1.18 cluster
+ encryptionPod, ok := ct.Feature(features.EncryptionPod)
+ if !ok {
+ return false
+ }
+ if encryptionPod.Mode == "wireguard" && versioncheck.MustCompile(">=1.18.0")(ct.CiliumVersion) {
+ return false
+ }
+
+ return true
+ }).
 WithScenarios(
 tests.PodToPodEncryption(features.RequireEnabled(features.EncryptionPod)),
 )
@@ -29,6 +43,16 @@ func (t podToPodEncryption) build(ct *check.ConnectivityTest, _ map[string]strin newTest("pod-to-pod-with-l7-policy-encryption", ct). WithCondition(func() bool { return !ct.Params().SingleNode }). WithCondition(func() bool { + // for wireguard, we can run the podToPodEncryptionV2 tests if we + // are on a post v1.18 cluster + encryptionPod, ok := ct.Feature(features.EncryptionPod) + if !ok { + return false + } + if encryptionPod.Mode == "wireguard" && versioncheck.MustCompile(">=1.18.0")(ct.CiliumVersion) { + return false + } + if ok, _ := ct.Features.MatchRequirements(features.RequireMode(features.EncryptionPod, "ipsec")); ok { // Introduced in v1.17.0, backported to v1.15.11 and v1.16.4. if !versioncheck.MustCompile(">=1.15.11 <1.16.0 || >=1.16.4")(ct.CiliumVersion) { diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/pod_to_pod_encryption_v2.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/pod_to_pod_encryption_v2.go new file mode 100644 index 0000000000..677f84b899 --- /dev/null +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/builder/pod_to_pod_encryption_v2.go 
@@ -0,0 +1,78 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Cilium + +package builder + +import ( + _ "embed" + + "github.com/cilium/cilium/cilium-cli/connectivity/check" + "github.com/cilium/cilium/cilium-cli/connectivity/tests" + "github.com/cilium/cilium/cilium-cli/utils/features" + "github.com/cilium/cilium/pkg/versioncheck" +) + +type podToPodEncryptionV2 struct{} + +func (t podToPodEncryptionV2) build(ct *check.ConnectivityTest, _ map[string]string) { + // Encryption checks are always executed as a sanity check, asserting whether + // unencrypted packets shall, or shall not, be observed based on the feature set. + newTest("pod-to-pod-encryption-v2", ct). + WithCondition(func() bool { return !ct.Params().SingleNode }). + WithCondition(func() bool { + // this test only runs post v1.18.0 clusters + if !versioncheck.MustCompile(">=1.18.0")(ct.CiliumVersion) { + return false + } + + // we run if no encryption is enabled at all to sanity check our + // tcpdump filters + encryptionPod, ok := ct.Feature(features.EncryptionPod) + if !ok { + return false + } + if !encryptionPod.Enabled { + return true + } + + // we only run for wireguard right now, until IPsec implements VinE + if encryptionPod.Mode == "wireguard" { + return true + } + + return false + }). + WithScenarios( + tests.PodToPodEncryptionV2(), + ) + + newTest("pod-to-pod-with-l7-policy-encryption-v2", ct). + WithCondition(func() bool { return !ct.Params().SingleNode }). + WithCondition(func() bool { + // this test only runs post v1.18.0 clusters + if !versioncheck.MustCompile(">=1.18.0")(ct.CiliumVersion) { + return false + } + + encryptionPod, ok := ct.Feature(features.EncryptionPod) + if !ok { + return false + } + + // we only run for wireguard right now, until IPsec implements VinE + if encryptionPod.Mode == "wireguard" { + return true + } + + return false + }). 
+ WithFeatureRequirements( + features.RequireEnabled(features.L7Proxy), + features.RequireEnabled(features.EncryptionPod), + ). + WithCiliumPolicy(clientsEgressL7HTTPFromAnyPolicyYAML). + WithCiliumPolicy(echoIngressL7HTTPFromAnywherePolicyYAML). + WithScenarios( + tests.PodToPodEncryptionV2(), + ) +} diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/check.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/check.go index cbe03d867b..8b42916f52 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/check.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/check.go @@ -92,15 +92,17 @@ type Parameters struct { ImpersonateGroups []string IPFamilies []string - IncludeConnDisruptTest bool - ConnDisruptTestSetup bool - ConnDisruptTestRestartsPath string - ConnDisruptTestXfrmErrorsPath string - ConnDisruptDispatchInterval time.Duration + IncludeConnDisruptTest bool + IncludeConnDisruptTestNSTraffic bool + ConnDisruptTestSetup bool + ConnDisruptTestRestartsPath string + ConnDisruptTestXfrmErrorsPath string + ConnDisruptDispatchInterval time.Duration ExpectedDropReasons []string ExpectedXFRMErrors []string + LogCodeOwners bool LogCheckLevels []string FlushCT bool diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/context.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/context.go index 053db190ae..73a40b2b30 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/context.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/context.go @@ -17,6 +17,7 @@ import ( "time" "github.com/blang/semver/v4" + "github.com/hmarr/codeowners" "google.golang.org/grpc" "google.golang.org/grpc/credentials/insecure" corev1 "k8s.io/api/core/v1" 
@@ -30,6 +31,7 @@ import ( "github.com/cilium/cilium/cilium-cli/utils/features" ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" "github.com/cilium/cilium/pkg/lock" + "github.com/cilium/cilium/pkg/versioncheck" ) const ( @@ -50,6 +52,8 @@ type ConnectivityTest struct { // Features contains the features enabled on the running Cilium cluster Features features.Set + CodeOwners codeowners.Ruleset + // ClusterName is the identifier of the local cluster. ClusterName string @@ -75,7 +79,6 @@ type ConnectivityTest struct { echoExternalServices map[string]Service ingressService map[string]Service k8sService Service - externalWorkloads map[string]ExternalWorkload lrpClientPods map[string]Pod lrpBackendPods map[string]Pod frrPods []Pod @@ -95,6 +98,8 @@ type ConnectivityTest struct { controlPlaneNodes map[string]*corev1.Node nodesWithoutCilium map[string]struct{} ciliumNodes map[NodeIdentity]*ciliumv2.CiliumNode + + testConnDisruptClientNSTrafficDeploymentNames []string } // NodeIdentity uniquely identifies a Node by Cluster and Name. @@ -204,6 +209,7 @@ func NewConnectivityTest( p Parameters, sysdumpHooks sysdump.Hooks, logger *ConcurrentLogger, + owners codeowners.Ruleset, ) (*ConnectivityTest, error) { if err := p.validate(); err != nil { return nil, err @@ -229,7 +235,6 @@ func NewConnectivityTest( echoServices: make(map[string]Service), echoExternalServices: make(map[string]Service), ingressService: make(map[string]Service), - externalWorkloads: make(map[string]ExternalWorkload), hostNetNSPodsByNode: make(map[string]Pod), secondaryNetworkNodeIPv4: make(map[string]string), secondaryNetworkNodeIPv6: make(map[string]string), @@ -240,6 +245,7 @@ func NewConnectivityTest( testNames: make(map[string]struct{}), lastFlowTimestamps: make(map[string]time.Time), Features: features.Set{}, + CodeOwners: owners, } return k, nil 
@@ -499,12 +505,20 @@ func (ct *ConnectivityTest) report() error { ct.Failf("%d/%d tests failed (%d/%d actions), %d tests skipped, %d scenarios skipped:", nf, nt-nst, fa, na, nst, nss) // List all failed actions by test. + failedActions := 0 for _, t := range failed { ct.Logf("Test [%s]:", t.Name()) for _, a := range t.failedActions() { + failedActions++ ct.Log(" ❌", a) + ct.LogOwners(a.Scenario()) } } + if len(failed) > 0 && failedActions == 0 { + // Test failure was triggered not by a specific action + // failing, but some other infrastructure code. + ct.LogOwners(defaultTestOwners) + } return fmt.Errorf("[%s] %d tests failed", ct.params.TestNamespace, nf) } @@ -920,7 +934,7 @@ func (ct *ConnectivityTest) DetectMinimumCiliumVersion(ctx context.Context) (*se func (ct *ConnectivityTest) CurlCommand(peer TestPeer, ipFam features.IPFamily, opts ...string) []string { cmd := []string{ "curl", - "-w", "%{local_ip}:%{local_port} -> %{remote_ip}:%{remote_port} = %{response_code}", + "-w", "%{local_ip}:%{local_port} -> %{remote_ip}:%{remote_port} = %{response_code}\n", "--silent", "--fail", "--show-error", "--output", "/dev/null", } @@ -935,6 +949,13 @@ func (ct *ConnectivityTest) CurlCommand(peer TestPeer, ipFam features.IPFamily, cmd = append(cmd, "--insecure") } + switch ipFam { + case features.IPFamilyV4: + cmd = append(cmd, "-4") + case features.IPFamilyV6: + cmd = append(cmd, "-6") + } + if host := peer.Address(ipFam); strings.HasSuffix(host, ".") { // Let's explicitly configure the Host header in case the DNS name has a // trailing dot. This allows us to use trailing dots to prevent system @@ -1153,10 +1174,6 @@ func (ct *ConnectivityTest) K8sService() Service { return ct.k8sService } -func (ct *ConnectivityTest) ExternalWorkloads() map[string]ExternalWorkload { - return ct.externalWorkloads -} - func (ct *ConnectivityTest) HubbleClient() observer.ObserverClient { return ct.hubbleClient } 
@@ -1262,3 +1279,39 @@ func (ct *ConnectivityTest) KillMulticastTestSender() []string { cmd := []string{"pkill", "-f", socatMulticastTestMsg} return cmd } + +func (ct *ConnectivityTest) ForEachIPFamily(hasNetworkPolicies bool, do func(features.IPFamily)) { + ipFams := features.GetIPFamilies(ct.Params().IPFamilies) + + // The per-endpoint routes feature is broken with IPv6 on < v1.14 when there + // are any netpols installed (https://github.com/cilium/cilium/issues/23852 + // and https://github.com/cilium/cilium/issues/23910). + if f, ok := ct.Feature(features.EndpointRoutes); ok && + f.Enabled && hasNetworkPolicies && + versioncheck.MustCompile("<1.14.0")(ct.CiliumVersion) { + + ipFams = []features.IPFamily{features.IPFamilyV4} + } + + for _, ipFam := range ipFams { + switch ipFam { + case features.IPFamilyV4: + if f, ok := ct.Features[features.IPv4]; ok && f.Enabled { + do(ipFam) + } + + case features.IPFamilyV6: + if f, ok := ct.Features[features.IPv6]; ok && f.Enabled { + do(ipFam) + } + } + } +} + +func (ct *ConnectivityTest) ShouldRunConnDisruptNSTraffic() bool { + return ct.params.IncludeConnDisruptTestNSTraffic && + ct.Features[features.NodeWithoutCilium].Enabled && + (ct.Params().MultiCluster == "" || ct.Features[features.KPRNodePort].Enabled) && + !ct.Features[features.KPRNodePortAcceleration].Enabled && + (!ct.Features[features.IPsecEnabled].Enabled || !ct.Features[features.KPRNodePort].Enabled) +} diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/deployment.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/deployment.go index afe2e449cf..7d5a5909e6 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/deployment.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/deployment.go @@ -5,12 +5,13 @@ package check import ( "context" + "errors" "fmt" "maps" + "net/netip" "slices" "sort" "strings" - "sync" "time" appsv1 "k8s.io/api/apps/v1" 
@@ -70,11 +71,17 @@ const ( hostNetNSDeploymentNameNonCilium = "host-netns-non-cilium" // runs on non-Cilium test nodes kindHostNetNS = "host-netns" - testConnDisruptClientDeploymentName = "test-conn-disrupt-client" - testConnDisruptServerDeploymentName = "test-conn-disrupt-server" - testConnDisruptServiceName = "test-conn-disrupt" - testConnDisruptCNPName = "test-conn-disrupt" - KindTestConnDisrupt = "test-conn-disrupt" + testConnDisruptClientDeploymentName = "test-conn-disrupt-client" + testConnDisruptClientNSTrafficDeploymentName = "test-conn-disrupt-client" + testConnDisruptServerDeploymentName = "test-conn-disrupt-server" + testConnDisruptServerNSTrafficDeploymentName = "test-conn-disrupt-server-ns-traffic" + testConnDisruptServiceName = "test-conn-disrupt" + testConnDisruptNSTrafficServiceName = "test-conn-disrupt-ns-traffic" + testConnDisruptCNPName = "test-conn-disrupt" + testConnDisruptNSTrafficCNPName = "test-conn-disrupt-ns-traffic" + testConnDisruptServerNSTrafficAppLabel = "test-conn-disrupt-server-ns-traffic" + KindTestConnDisrupt = "test-conn-disrupt" + KindTestConnDisruptNSTraffic = "test-conn-disrupt-ns-traffic" bwPrioAnnotationString = "bandwidth.cilium.io/priority" ) 
@@ -448,6 +455,41 @@ func newConnDisruptCNP(ns string) *ciliumv2.CiliumNetworkPolicy { } } +func newConnDisruptCNPForNSTraffic(ns string) *ciliumv2.CiliumNetworkPolicy { + selector := policyapi.EndpointSelector{ + LabelSelector: &slimmetav1.LabelSelector{ + MatchLabels: map[string]string{"kind": KindTestConnDisruptNSTraffic}, + }, + } + + ports := []policyapi.PortRule{{ + Ports: []policyapi.PortProtocol{{ + Protocol: policyapi.ProtoTCP, + Port: "8000", + }}, + }} + + return &ciliumv2.CiliumNetworkPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: ciliumv2.CNPKindDefinition, + APIVersion: ciliumv2.SchemeGroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{Name: testConnDisruptNSTrafficCNPName, Namespace: ns}, + Spec: &policyapi.Rule{ + EndpointSelector: selector, + Ingress: []policyapi.IngressRule{{ + IngressCommonRule: policyapi.IngressCommonRule{ + FromEntities: policyapi.EntitySlice{ + policyapi.EntityWorld, + policyapi.EntityRemoteNode, + }, + }, + ToPorts: ports, + }}, + }, + } +} + func (ct *ConnectivityTest) ingresses() map[string]string { ingresses := map[string]string{"same-node": echoSameNodeDeploymentName} if !ct.Params().SingleNode || ct.Params().MultiCluster != "" { 
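Review bot: `newConnDisruptCNPForNSTraffic` admits ingress from `EntityWorld` and `EntityRemoteNode`, which is far broader than a pod-to-pod rule, and nothing in the function records why. A doc comment should state the intent. Presumably the clients are host-network pods on nodes without Cilium (the `isExternal` branch of the client deployment helper later in this diff) and are therefore classified as world or remote-node, but that should be confirmed and written down. For example: `// newConnDisruptCNPForNSTraffic allows TCP/8000 from world and remote-node to pods labelled kind=test-conn-disrupt-ns-traffic in ns.` The port string `"8000"` is also repeated in the server command and the service definition, so a shared constant would keep the policy and the listener from drifting apart.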
@@ -520,114 +562,28 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error { // Deploy test-conn-disrupt actors (only in the first // test namespace in case of tests concurrent run) if ct.params.ConnDisruptTestSetup && ct.params.TestNamespaceIndex == 0 { - _, err = ct.clients.src.GetDeployment(ctx, ct.params.TestNamespace, testConnDisruptServerDeploymentName, metav1.GetOptions{}) - if err != nil { - ct.Logf("✨ [%s] Deploying %s deployment...", ct.clients.src.ClusterName(), testConnDisruptServerDeploymentName) - readinessProbe := &corev1.Probe{ - ProbeHandler: corev1.ProbeHandler{ - Exec: &corev1.ExecAction{ - Command: []string{"cat", "/tmp/server-ready"}, - }, - }, - PeriodSeconds: int32(3), - InitialDelaySeconds: int32(1), - FailureThreshold: int32(20), - } - testConnDisruptServerDeployment := newDeployment(deploymentParameters{ - Name: testConnDisruptServerDeploymentName, - Kind: KindTestConnDisrupt, - Image: ct.params.TestConnDisruptImage, - Replicas: 3, - Labels: map[string]string{"app": "test-conn-disrupt-server"}, - Command: []string{"tcd-server", "8000"}, - Port: 8000, - ReadinessProbe: readinessProbe, - Resources: corev1.ResourceRequirements{ - Requests: corev1.ResourceList{corev1.ResourceCPU: *resource.NewMilliQuantity(100, resource.DecimalSI)}, - }, - }) - _, err = ct.clients.src.CreateServiceAccount(ctx, ct.params.TestNamespace, k8s.NewServiceAccount(testConnDisruptServerDeploymentName), metav1.CreateOptions{}) - if err != nil { - return fmt.Errorf("unable to create service account %s: %w", testConnDisruptServerDeploymentName, err) - } - _, err = ct.clients.src.CreateDeployment(ctx, ct.params.TestNamespace, testConnDisruptServerDeployment, metav1.CreateOptions{}) - if err != nil { - return fmt.Errorf("unable to create deployment %s: %w", testConnDisruptServerDeployment, err) - } - } - - // Make sure that the server deployment is ready to spread client connections - err := WaitForDeployment(ctx, ct, ct.clients.src, ct.params.TestNamespace, 
testConnDisruptServerDeploymentName) - if err != nil { - ct.Failf("%s deployment is not ready: %s", testConnDisruptServerDeploymentName, err) + if err := ct.createTestConnDisruptServerDeployAndSvc(ctx, testConnDisruptServerDeploymentName, KindTestConnDisrupt, 3, + testConnDisruptServiceName, "test-conn-disrupt-server", newConnDisruptCNP); err != nil { + return err } - for _, client := range ct.Clients() { - _, err = client.GetService(ctx, ct.params.TestNamespace, testConnDisruptServiceName, metav1.GetOptions{}) - if err != nil { - ct.Logf("✨ [%s] Deploying %s service...", client.ClusterName(), testConnDisruptServiceName) - svc := newService(testConnDisruptServiceName, map[string]string{"app": "test-conn-disrupt-server"}, nil, "http", 8000, ct.Params().ServiceType) - svc.ObjectMeta.Annotations = map[string]string{"service.cilium.io/global": "true"} - _, err = client.CreateService(ctx, ct.params.TestNamespace, svc, metav1.CreateOptions{}) - if err != nil { - return fmt.Errorf("unable to create service %s: %w", testConnDisruptServiceName, err) - } - } - - if enabled, _ := ct.Features.MatchRequirements(features.RequireEnabled(features.CNP)); enabled { - ipsec, _ := ct.Features.MatchRequirements(features.RequireMode(features.EncryptionPod, "ipsec")) - if ipsec && versioncheck.MustCompile(">=1.14.0 <1.16.0")(ct.CiliumVersion) { - // https://github.com/cilium/cilium/issues/36681 - continue - } - for _, client := range ct.Clients() { - ct.Logf("✨ [%s] Deploying %s CiliumNetworkPolicy...", client.ClusterName(), testConnDisruptCNPName) - _, err = client.ApplyGeneric(ctx, newConnDisruptCNP(ct.params.TestNamespace)) - if err != nil { - return fmt.Errorf("unable to create CiliumNetworkPolicy %s: %w", testConnDisruptCNPName, err) - } - } - } + if err := ct.createTestConnDisruptClientDeployment(ctx, testConnDisruptClientDeploymentName, KindTestConnDisrupt, + "test-conn-disrupt-client", fmt.Sprintf("test-conn-disrupt.%s.svc.cluster.local.:8000", ct.params.TestNamespace), + 5, 
false); err != nil { + return err } - _, err = ct.clients.dst.GetDeployment(ctx, ct.params.TestNamespace, testConnDisruptClientDeploymentName, metav1.GetOptions{}) - if err != nil { - ct.Logf("✨ [%s] Deploying %s deployment...", ct.clients.dst.ClusterName(), testConnDisruptClientDeploymentName) - readinessProbe := &corev1.Probe{ - ProbeHandler: corev1.ProbeHandler{ - Exec: &corev1.ExecAction{ - Command: []string{"cat", "/tmp/client-ready"}, - }, - }, - PeriodSeconds: int32(3), - InitialDelaySeconds: int32(1), - FailureThreshold: int32(20), + if ct.ShouldRunConnDisruptNSTraffic() { + if err := ct.createTestConnDisruptServerDeployAndSvc(ctx, testConnDisruptServerNSTrafficDeploymentName, KindTestConnDisruptNSTraffic, 1, + testConnDisruptNSTrafficServiceName, testConnDisruptServerNSTrafficAppLabel, newConnDisruptCNPForNSTraffic); err != nil { + return err } - testConnDisruptClientDeployment := newDeployment(deploymentParameters{ - Name: testConnDisruptClientDeploymentName, - Kind: KindTestConnDisrupt, - Image: ct.params.TestConnDisruptImage, - Replicas: 5, - Labels: map[string]string{"app": "test-conn-disrupt-client"}, - Command: []string{ - "tcd-client", - "--dispatch-interval", ct.params.ConnDisruptDispatchInterval.String(), - fmt.Sprintf("test-conn-disrupt.%s.svc.cluster.local.:8000", ct.params.TestNamespace), - }, - ReadinessProbe: readinessProbe, - Resources: corev1.ResourceRequirements{ - Requests: corev1.ResourceList{corev1.ResourceCPU: *resource.NewMilliQuantity(100, resource.DecimalSI)}, - }, - }) - _, err = ct.clients.dst.CreateServiceAccount(ctx, ct.params.TestNamespace, k8s.NewServiceAccount(testConnDisruptClientDeploymentName), metav1.CreateOptions{}) - if err != nil { - return fmt.Errorf("unable to create service account %s: %w", testConnDisruptClientDeploymentName, err) - } - _, err = ct.clients.dst.CreateDeployment(ctx, ct.params.TestNamespace, testConnDisruptClientDeployment, metav1.CreateOptions{}) - if err != nil { - return fmt.Errorf("unable to 
create deployment %s: %w", testConnDisruptClientDeployment, err) + if err := ct.createTestConnDisruptClientDeploymentForNSTraffic(ctx); err != nil { + return err } + } else { + ct.Info("Skipping conn-disrupt-test for NS traffic") } } 
@@ -1179,6 +1135,251 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error { return nil } +func (ct *ConnectivityTest) createTestConnDisruptServerDeployAndSvc(ctx context.Context, deployName, kind string, replicas int, svcName, appLabel string, + cnpFunc func(ns string) *ciliumv2.CiliumNetworkPolicy) error { + _, err := ct.clients.src.GetDeployment(ctx, ct.params.TestNamespace, deployName, metav1.GetOptions{}) + if err != nil { + ct.Logf("✨ [%s] Deploying %s deployment...", ct.clients.src.ClusterName(), deployName) + readinessProbe := &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + Exec: &corev1.ExecAction{ + Command: []string{"cat", "/tmp/server-ready"}, + }, + }, + PeriodSeconds: int32(3), + InitialDelaySeconds: int32(1), + FailureThreshold: int32(20), + } + testConnDisruptServerDeployment := newDeployment(deploymentParameters{ + Name: deployName, + Kind: kind, + Image: ct.params.TestConnDisruptImage, + Replicas: replicas, + Labels: map[string]string{"app": appLabel}, + Command: []string{"tcd-server", "8000"}, + Port: 8000, + ReadinessProbe: readinessProbe, + Resources: corev1.ResourceRequirements{ + Requests: corev1.ResourceList{corev1.ResourceCPU: *resource.NewMilliQuantity(100, resource.DecimalSI)}, + }, + }) + _, err = ct.clients.src.CreateServiceAccount(ctx, ct.params.TestNamespace, k8s.NewServiceAccount(deployName), metav1.CreateOptions{}) + if err != nil { + return fmt.Errorf("unable to create service account %s: %w", deployName, err) + } + _, err = ct.clients.src.CreateDeployment(ctx, ct.params.TestNamespace, testConnDisruptServerDeployment, metav1.CreateOptions{}) + if err != nil { + return fmt.Errorf("unable to create deployment %s: %w", testConnDisruptServerDeployment, err) + } + } + + // Make sure that the server deployment is ready to spread client connections + err = WaitForDeployment(ctx, ct, ct.clients.src, ct.params.TestNamespace, deployName) + if err != nil { + ct.Failf("%s deployment is not ready: %s", deployName, err) + } + + 
for _, client := range ct.Clients() { + _, err = client.GetService(ctx, ct.params.TestNamespace, svcName, metav1.GetOptions{}) + if err != nil { + ct.Logf("✨ [%s] Deploying %s service...", client.ClusterName(), svcName) + svc := newService(svcName, map[string]string{"app": appLabel}, nil, "http", 8000, ct.Params().ServiceType) + svc.ObjectMeta.Annotations = map[string]string{"service.cilium.io/global": "true"} + _, err = client.CreateService(ctx, ct.params.TestNamespace, svc, metav1.CreateOptions{}) + if err != nil { + return fmt.Errorf("unable to create service %s: %w", svcName, err) + } + } + + if enabled, _ := ct.Features.MatchRequirements(features.RequireEnabled(features.CNP)); enabled { + ipsec, _ := ct.Features.MatchRequirements(features.RequireMode(features.EncryptionPod, "ipsec")) + if ipsec && versioncheck.MustCompile(">=1.14.0 <1.16.0")(ct.CiliumVersion) { + // https://github.com/cilium/cilium/issues/36681 + continue + } + for _, client := range ct.Clients() { + cnp := cnpFunc(ct.params.TestNamespace) + ct.Logf("✨ [%s] Deploying %s CiliumNetworkPolicy...", client.ClusterName(), cnp.Name) + _, err = client.ApplyGeneric(ctx, cnp) + if err != nil { + return fmt.Errorf("unable to create CiliumNetworkPolicy %s: %w", cnp.Name, err) + } + } + } + } + + return err +} + +func (ct *ConnectivityTest) createTestConnDisruptClientDeployment(ctx context.Context, deployName, kind, appLabel, address string, replicas int, isExternal bool) error { + _, err := ct.clients.dst.GetDeployment(ctx, ct.params.TestNamespace, deployName, metav1.GetOptions{}) + if err != nil { + ct.Logf("✨ [%s] Deploying %s deployment...", ct.clients.dst.ClusterName(), deployName) + readinessProbe := &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + Exec: &corev1.ExecAction{ + Command: []string{"cat", "/tmp/client-ready"}, + }, + }, + PeriodSeconds: int32(3), + InitialDelaySeconds: int32(1), + FailureThreshold: int32(20), + } + + param := deploymentParameters{ + Name: deployName, + Kind: kind, + 
Image: ct.params.TestConnDisruptImage, + Replicas: replicas, + Labels: map[string]string{"app": appLabel}, + Command: []string{ + "tcd-client", + "--dispatch-interval", ct.params.ConnDisruptDispatchInterval.String(), + address, + }, + ReadinessProbe: readinessProbe, + Resources: corev1.ResourceRequirements{ + Requests: corev1.ResourceList{corev1.ResourceCPU: *resource.NewMilliQuantity(100, resource.DecimalSI)}, + }, + } + if isExternal { + param.NodeSelector = map[string]string{defaults.CiliumNoScheduleLabel: "true"} + param.HostNetwork = true + param.Tolerations = []corev1.Toleration{ + {Operator: corev1.TolerationOpExists}, + } + } + testConnDisruptClientDeployment := newDeployment(param) + + _, err = ct.clients.dst.CreateServiceAccount(ctx, ct.params.TestNamespace, k8s.NewServiceAccount(deployName), metav1.CreateOptions{}) + if err != nil { + return fmt.Errorf("unable to create service account %s: %w", deployName, err) + } + _, err = ct.clients.dst.CreateDeployment(ctx, ct.params.TestNamespace, testConnDisruptClientDeployment, metav1.CreateOptions{}) + if err != nil { + return fmt.Errorf("unable to create deployment %s: %w", testConnDisruptClientDeployment, err) + } + } + + return err +} + +func (ct *ConnectivityTest) createTestConnDisruptClientDeploymentForNSTraffic(ctx context.Context) error { + nodes, err := ct.getBackendNodeAndNonBackendNode(ctx) + if err != nil { + return err + } + + for _, n := range nodes { + for _, client := range ct.Clients() { + svc, err := client.GetService(ctx, ct.params.TestNamespace, testConnDisruptNSTrafficServiceName, metav1.GetOptions{}) + if err != nil { + return fmt.Errorf("unable to get service %s: %w", testConnDisruptNSTrafficServiceName, err) + } + + var errs error + np := uint16(svc.Spec.Ports[0].NodePort) + addrs := slices.Clone(n.node.Status.Addresses) + hasNetworkPolicies, err := ct.hasNetworkPolicies(ctx) + if err != nil { + return fmt.Errorf("failed to check if any netpol exists: %w", err) + } + 
ct.ForEachIPFamily(hasNetworkPolicies, func(family features.IPFamily) { + for _, addr := range addrs { + if features.GetIPFamily(addr.Address) != family { + continue + } + + // On GKE ExternalIP is not reachable from inside a cluster + if addr.Type == corev1.NodeExternalIP { + if f, ok := ct.Feature(features.Flavor); ok && f.Enabled && f.Mode == "gke" { + continue + } + } + + deployName := fmt.Sprintf("%s-%s-%s-%s", testConnDisruptClientNSTrafficDeploymentName, n.nodeType, family, strings.ToLower(string(addr.Type))) + if err := ct.createTestConnDisruptClientDeployment(ctx, + deployName, + KindTestConnDisruptNSTraffic, + fmt.Sprintf("test-conn-disrupt-client-%s-%s-%s", n.nodeType, family, strings.ToLower(string(addr.Type))), + netip.AddrPortFrom(netip.MustParseAddr(addr.Address), np).String(), + 1, true); err != nil { + errs = errors.Join(errs, err) + } + ct.testConnDisruptClientNSTrafficDeploymentNames = append(ct.testConnDisruptClientNSTrafficDeploymentNames, deployName) + } + }) + if errs != nil { + return errs + } + } + } + + return err +} + +type nodeWithType struct { + nodeType string + node *corev1.Node +} + +func (ct *ConnectivityTest) getBackendNodeAndNonBackendNode(ctx context.Context) ([]nodeWithType, error) { + appLabel := fmt.Sprintf("app=%s", testConnDisruptServerNSTrafficAppLabel) + podList, err := ct.clients.src.ListPods(ctx, ct.params.TestNamespace, metav1.ListOptions{LabelSelector: appLabel}) + if err != nil { + return nil, fmt.Errorf("unable to list pods with lable %s: %w", appLabel, err) + } + + pod := podList.Items[0] + + var nodes []nodeWithType + nodes = append(nodes, nodeWithType{ + nodeType: "backend-node", + node: ct.nodes[pod.Spec.NodeName], + }) + for name, node := range ct.Nodes() { + if name != pod.Spec.NodeName { + nodes = append(nodes, nodeWithType{ + nodeType: "non-backend-node", + node: node, + }) + break + } + } + + return nodes, err +} + +func (ct *ConnectivityTest) hasNetworkPolicies(ctx context.Context) (bool, error) { + for _, 
client := range ct.Clients() { + cnps, err := client.ListCiliumNetworkPolicies(ctx, ct.params.TestNamespace, metav1.ListOptions{Limit: 1}) + if err != nil { + return false, err + } + if len(cnps.Items) > 0 { + return true, nil + } + + ccnps, err := client.ListCiliumClusterwideNetworkPolicies(ctx, metav1.ListOptions{Limit: 1}) + if err != nil { + return false, err + } + if len(ccnps.Items) > 0 { + return true, nil + } + + nps, err := client.ListNetworkPolicies(ctx, metav1.ListOptions{Limit: 1}) + if err != nil { + return false, err + } + if len(nps.Items) > 0 { + return true, nil + } + } + + return false, nil +} + func (ct *ConnectivityTest) createClientPerfDeployment(ctx context.Context, name string, nodeName string, hostNetwork bool) error { ct.Logf("✨ [%s] Deploying %s deployment...", ct.clients.src.ClusterName(), name) gracePeriod := int64(1) @@ -1351,6 +1552,10 @@ func (ct *ConnectivityTest) deploymentList() (srcList []string, dstList []string // not matter much, because the two clients are identical. srcList = append(srcList, testConnDisruptServerDeploymentName) dstList = append(dstList, testConnDisruptClientDeploymentName) + if ct.ShouldRunConnDisruptNSTraffic() { + srcList = append(srcList, testConnDisruptServerNSTrafficDeploymentName) + dstList = append(dstList, ct.testConnDisruptClientNSTrafficDeploymentNames...) + } } if ct.params.MultiCluster != "" || !ct.params.SingleNode { 
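Review bot: `getBackendNodeAndNonBackendNode` indexes `podList.Items[0]` without checking the length and passes `ct.nodes[pod.Spec.NodeName]` on even when the lookup misses. An empty pod list or a pod without a known node therefore panics the CLI instead of returning an error, because the caller dereferences `n.node.Status.Addresses`. `svc.Spec.Ports[0]` in `createTestConnDisruptClientDeploymentForNSTraffic` has the same shape and deserves the same length check before the `uint16` conversion. The sketch below returns errors for both node cases and corrects the `lable` typo in the existing message.

```go
func (ct *ConnectivityTest) getBackendNodeAndNonBackendNode(ctx context.Context) ([]nodeWithType, error) {
	// … unchanged: appLabel and the ListPods call …
	if err != nil {
		return nil, fmt.Errorf("unable to list pods with label %s: %w", appLabel, err)
	}
	if len(podList.Items) == 0 {
		return nil, fmt.Errorf("no pods found with label %s", appLabel)
	}

	pod := podList.Items[0]
	backend, ok := ct.nodes[pod.Spec.NodeName]
	if !ok || backend == nil {
		return nil, fmt.Errorf("pod %s is not scheduled on a known node (%q)", pod.Name, pod.Spec.NodeName)
	}

	nodes := []nodeWithType{{nodeType: "backend-node", node: backend}}
	// … unchanged: loop that picks one non-backend node …
	return nodes, nil
}
```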
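Review bot: `dstList` now takes its NS-traffic entries from `ct.testConnDisruptClientNSTrafficDeploymentNames`, but that slice is appended to inside the per-client loop of `createTestConnDisruptClientDeploymentForNSTraffic`, while the deployment itself is always created through `ct.clients.dst`. With more than one client the same name therefore appears to be appended once per client, and the list returned here would contain duplicates. Guarding the append with `if !slices.Contains(ct.testConnDisruptClientNSTrafficDeploymentNames, deployName) { ... }` keeps the list accurate. The rest of `deploymentList` lies outside this hunk, so how duplicates are treated downstream is not visible.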
@@ -1412,10 +1617,22 @@ func (ct *ConnectivityTest) DeleteConnDisruptTestDeployment(ctx context.Context, ct.Debugf("🔥 [%s] Deleting test-conn-disrupt deployments...", client.ClusterName()) _ = client.DeleteDeployment(ctx, ct.params.TestNamespace, testConnDisruptClientDeploymentName, metav1.DeleteOptions{}) _ = client.DeleteDeployment(ctx, ct.params.TestNamespace, testConnDisruptServerDeploymentName, metav1.DeleteOptions{}) + deployList, err := client.ListDeployment(ctx, ct.params.TestNamespace, metav1.ListOptions{LabelSelector: "kind=" + KindTestConnDisruptNSTraffic}) + if err != nil { + ct.Warnf("failed to list deployments: %s %v", KindTestConnDisruptNSTraffic, err) + } + for _, deploy := range deployList.Items { + _ = client.DeleteDeployment(ctx, ct.params.TestNamespace, deploy.Name, metav1.DeleteOptions{}) + _ = client.DeleteServiceAccount(ctx, ct.params.TestNamespace, deploy.Name, metav1.DeleteOptions{}) + } + _ = client.DeleteDeployment(ctx, ct.params.TestNamespace, testConnDisruptServerNSTrafficDeploymentName, metav1.DeleteOptions{}) _ = client.DeleteServiceAccount(ctx, ct.params.TestNamespace, testConnDisruptClientDeploymentName, metav1.DeleteOptions{}) _ = client.DeleteServiceAccount(ctx, ct.params.TestNamespace, testConnDisruptServerDeploymentName, metav1.DeleteOptions{}) + _ = client.DeleteServiceAccount(ctx, ct.params.TestNamespace, testConnDisruptServerNSTrafficDeploymentName, metav1.DeleteOptions{}) _ = client.DeleteService(ctx, ct.params.TestNamespace, testConnDisruptServiceName, metav1.DeleteOptions{}) + _ = client.DeleteService(ctx, ct.params.TestNamespace, testConnDisruptNSTrafficServiceName, metav1.DeleteOptions{}) _ = client.DeleteCiliumNetworkPolicy(ctx, ct.params.TestNamespace, testConnDisruptCNPName, metav1.DeleteOptions{}) + _ = client.DeleteCiliumNetworkPolicy(ctx, ct.params.TestNamespace, testConnDisruptNSTrafficCNPName, metav1.DeleteOptions{}) return nil } 
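Review bot: When `client.ListDeployment` fails, the code logs a warning and then still ranges over `deployList.Items`. Unless the wrapper guarantees a non-nil list on error, which this hunk does not show, that is a nil-pointer dereference in the middle of cleanup. Put the loop on the success path, for example `if err != nil { ct.Warnf(...) } else { for _, deploy := range deployList.Items { ... } }`. The surrounding deletes ignore their errors on purpose, so skipping the loop preserves the best-effort behaviour. The function begins outside the hunk.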
@@ -1769,24 +1986,6 @@ func (ct *ConnectivityTest) validateDeployment(ctx context.Context) error { } } - var logOnce sync.Once - for _, client := range ct.clients.clients() { - externalWorkloads, err := client.ListCiliumExternalWorkloads(ctx, metav1.ListOptions{}) - if k8sErrors.IsNotFound(err) { - logOnce.Do(func() { - ct.Log("ciliumexternalworkloads.cilium.io is not defined. Disabling external workload tests") - }) - continue - } else if err != nil { - return fmt.Errorf("unable to list external workloads: %w", err) - } - for _, externalWorkload := range externalWorkloads.Items { - ct.externalWorkloads[externalWorkload.Name] = ExternalWorkload{ - workload: externalWorkload.DeepCopy(), - } - } - } - // TODO: unconditionally re-enable the IPCache check once // https://github.com/cilium/cilium-cli/issues/361 is resolved. if ct.params.SkipIPCacheCheck { diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/features.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/features.go index a2a6f54a07..f3d0dec0c4 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/features.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/features.go @@ -165,6 +165,11 @@ func (ct *ConnectivityTest) extractFeaturesFromCiliumStatus(ctx context.Context, } if f.NodePort != nil { result[features.KPRNodePort] = features.Status{Enabled: f.NodePort.Enabled} + acceleration := strings.ToLower(f.NodePort.Acceleration) + result[features.KPRNodePortAcceleration] = features.Status{ + Enabled: mode != "false" && acceleration != "disabled", + Mode: mode, + } } if f.SessionAffinity != nil { result[features.KPRSessionAffinity] = features.Status{Enabled: f.SessionAffinity.Enabled} diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/logging.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/logging.go index dcc84bb03e..c57076472e 100644 
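Review bot: In the `features.go` hunk, `KPRNodePortAcceleration` is stored with `Mode: mode`, where `mode` is defined outside the hunk and looks like the kube-proxy-replacement mode rather than the acceleration value computed on the line above. `Mode: acceleration` seems to be what was meant. Separately, only the literal `disabled` counts as off, so an agent that reports an empty `Acceleration` string is recorded as accelerated, and `ShouldRunConnDisruptNSTraffic` then skips the NS-traffic test. If an empty value is possible, `acceleration != "" && acceleration != "disabled"` avoids that.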
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/logging.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/logging.go @@ -10,9 +10,12 @@ import ( "io" "os" "os/signal" + "regexp" "runtime" "syscall" "time" + + "github.com/hmarr/codeowners" ) const ( 
@@ -78,6 +81,85 @@ func (ct *ConnectivityTest) Log(a ...interface{}) { fmt.Fprintln(ct.params.Writer, a...) } +// ownedScenario represents a piece of logic in the testsuite with a +// corresponding filepath that indicates ownership (via CODEOWNERS). +// It is used to inform developers who they may consult in the event that a +// test fails without a clear indication why. +type ownedScenario interface { + Name() string + FilePath() string +} + +var defaultTestOwners ownedScenario + +func init() { + // Initialize in an init func to ensure that NewScenarioBase() can look + // up a couple of layers of stack to find a test file in order to + // determine default codeowners, in this case falling back to the + // owners of the overall test infrastructure. + // + // This will be used when there is a failure outside of a specific + // scenario provided by a test. + defaultTestOwners = defaultScenario{ + ScenarioBase: NewScenarioBase(), + } +} + +type defaultScenario struct { + ScenarioBase +} + +func (s defaultScenario) Name() string { + return "cli-test-framework" +} + +var ghWorkflowRegexp = regexp.MustCompile("^(?:.+?)/(?:.+?)/(.+?)@.*$") + +func (ct *ConnectivityTest) LogOwners(scenario ownedScenario) { + if !ct.params.LogCodeOwners { + return + } + + rule, err := ct.CodeOwners.Match(scenario.FilePath()) + if err != nil || rule == nil || rule.Owners == nil { + ct.Fatalf("Failed to find CODEOWNERS for test scenario. Developer BUG?"+ + "\n\t\tname=%s path=%s err=%s", scenario.Name(), scenario.FilePath(), err) + return + } + + var workflowOwners []codeowners.Owner + var ghWorkflow string + // Example: cilium/cilium/.github/workflows/conformance-kind-proxy-embedded.yaml@refs/pull/37593/merge + ghWorkflowRef := os.Getenv("GITHUB_WORKFLOW_REF") + matches := ghWorkflowRegexp.FindStringSubmatch(ghWorkflowRef) + // here matches should either be nil (no match) or a slice with two values: + // the full match and the capture. 
+ if len(matches) == 2 { + ghWorkflow = matches[1] + } + if ghWorkflow != "" { + workflowRule, err := ct.CodeOwners.Match(ghWorkflow) + if err != nil || workflowRule == nil || workflowRule.Owners == nil { + ct.Warnf("Failed to find CODEOWNERS for workflow %s: %s", ghWorkflow, err) + } + workflowOwners = workflowRule.Owners + } + + ct.Log(" ⛑️ The following owners are responsible for reliability of this test: ") + for _, o := range rule.Owners { + ct.Log(" - " + o.String() + " (" + scenario.Name() + ")") + } + for _, o := range workflowOwners { + owner := o.String() + switch owner { + case "@cilium/github-sec": + // Skip + default: + ct.Log(" - " + owner + " (" + ghWorkflow + ")") + } + } +} + // Logf logs a formatted message. func (ct *ConnectivityTest) Logf(format string, a ...interface{}) { ct.Timestamp() diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/peer.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/peer.go index b434cc326c..4f3a883488 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/peer.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/peer.go 
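Review bot: In `LogOwners`, the workflow lookup warns when `workflowRule` is nil and then executes `workflowOwners = workflowRule.Owners` anyway, so a workflow path with no CODEOWNERS match panics instead of just logging. Move the assignment to the success path: `} else { workflowOwners = workflowRule.Owners }`. The path comes from the `GITHUB_WORKFLOW_REF` environment variable, so an unexpected value should degrade to the warning rather than abort the run. Both lookups also format `err` with `%s` in a branch that is taken when `err` is nil; `%v` reads better there.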
@@ -300,57 +300,6 @@ func (s NodeportService) Port() uint32 { return uint32(s.Service.Service.Spec.Ports[0].NodePort) } -// ExternalWorkload is an external workload acting as a peer in a -// connectivity test. It implements interface TestPeer. -type ExternalWorkload struct { - // workload is the Kubernetes Cilium external workload resource. - workload *ciliumv2.CiliumExternalWorkload -} - -// Name returns the name of the ExternalWorkload. -func (e ExternalWorkload) Name() string { - return e.workload.Namespace + "/" + e.workload.Name -} - -// Scheme returns an empty string. -func (e ExternalWorkload) Scheme() string { - return "" -} - -// Path returns an empty string. -func (e ExternalWorkload) Path() string { - return "" -} - -// Address returns the network address of the ExternalWorkload. -func (e ExternalWorkload) Address(features.IPFamily) string { - return e.workload.Status.IP -} - -// Port returns 0. -func (e ExternalWorkload) Port() uint32 { - return 0 -} - -// HasLabel checks if given label exists and value matches. -func (e ExternalWorkload) HasLabel(name, value string) bool { - v, ok := e.workload.Labels[name] - return ok && v == value -} - -// Labels returns the copy of labels -func (e ExternalWorkload) Labels() map[string]string { - newMap := make(map[string]string, len(e.workload.Labels)) - for k, v := range e.workload.Labels { - newMap[k] = v - } - return newMap -} - -func (e ExternalWorkload) FlowFilters() []*flow.FlowFilter { - return nil -} - // ICMPEndpoint returns a new ICMP endpoint. func ICMPEndpoint(name, host string) TestPeer { return icmpEndpoint{ diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/policy.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/policy.go index c78ee971a5..caf6518461 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/policy.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/policy.go 
@@ -294,7 +294,7 @@ func (t *Test) applyResources(ctx context.Context) error { // performed if the user cancels during the policy revision wait time. t.finalizers = append(t.finalizers, func(ctx context.Context) error { if err := t.deleteResources(ctx); err != nil { - t.CiliumLogs(ctx) + t.ContainerLogs(ctx) return err } @@ -370,11 +370,11 @@ func (t *Test) deleteResources(ctx context.Context) error { return nil } -// CiliumLogs dumps the logs of all Cilium agents since the start of the Test. +// ContainerLogs dumps the logs of all Cilium agents since the start of the Test. // filter is applied on each line of output. -func (t *Test) CiliumLogs(ctx context.Context) { +func (t *Test) ContainerLogs(ctx context.Context) { for _, pod := range t.Context().ciliumPods { - log, err := pod.K8sClient.CiliumLogs(ctx, pod.Pod.Namespace, pod.Pod.Name, t.startTime, false) + log, err := pod.K8sClient.ContainerLogs(ctx, pod.Pod.Namespace, pod.Pod.Name, defaults.AgentContainerName, t.startTime, false) if err != nil { t.Fatalf("Error reading Cilium logs: %s", err) } diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/scenario.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/scenario.go index a3e111feb5..c487f32093 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/scenario.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/scenario.go @@ -5,6 +5,9 @@ package check import ( "context" + "path/filepath" + "runtime" + "strings" "github.com/cilium/cilium/cilium-cli/utils/features" ) @@ -14,6 +17,9 @@ type Scenario interface { // Name returns the name of the Scenario. Name() string + // Filepath returns the source code filename for the Scenario. + FilePath() string + // Run is invoked by the testing framework to execute the Scenario. Run(ctx context.Context, t *Test) } 
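Review bot: Adding `FilePath()` to the exported `Scenario` interface means every implementation outside this tree stops compiling until it embeds `ScenarioBase`, and the hunk says nothing about that. The method comment should start with the method's name and state the contract, e.g. `// FilePath returns the scenario's source file relative to the repository root; embed ScenarioBase to implement it.` The current comment spells it `Filepath`. The renamed `ContainerLogs` in `policy.go` keeps a doc comment that still mentions a `filter` applied to each line, which the signature shown here does not take.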
@@ -25,3 +31,36 @@ type ConditionalScenario interface { Scenario Requirements() []features.Requirement } + +type ScenarioBase struct { + filepath string +} + +func NewScenarioBase() ScenarioBase { + return ScenarioBase{ + filepath: getSourceFile(), + } +} + +func (s ScenarioBase) FilePath() string { + return s.filepath +} + +// getSourceFile returns the file path for test scenario relative to the root +// of this repository. +func getSourceFile() string { + // 2 steps up go to NewScenarioBase() => actual scenario constructor. + _, path, _, ok := runtime.Caller(2) + if ok { + // 'path' is an absolute path on disk. Trim back to a relative + // path from the root directory of the repository, calculated + // using this filepath's relationship with the root directory. + // If you move this logic, ensure that this calculation directs + // back up to the root of the tree where CODEOWNERS exists! + _, thisPath, _, _ := runtime.Caller(0) + repoDir, _ := filepath.Abs(filepath.Join(thisPath, "..", "..", "..", "..")) + return strings.TrimPrefix(path, repoDir+string(filepath.Separator)) + } + // Fall back to the general owner of connectivity infrastructure. + return "cilium-cli/connectivity/" +} diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/secrets.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/secrets.go index edc8112709..4a2cbba2a7 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/secrets.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/secrets.go @@ -56,7 +56,7 @@ func (t *Test) applySecrets(ctx context.Context) error { // Register a finalizer with the Test immediately to enable cleanup. t.finalizers = append(t.finalizers, func(ctx context.Context) error { if err := t.deleteSecrets(ctx); err != nil { - t.CiliumLogs(ctx) + t.ContainerLogs(ctx) return err } 
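Review bot: `getSourceFile` discards the results of the second `runtime.Caller` and of `filepath.Abs`, and the `Abs` call makes the prefix trim depend on the build recording absolute paths. If the binary is built with `-trimpath` (an assumption, the build flags are not on this page), `path` is module-relative while `repoDir` becomes cwd-prefixed. `TrimPrefix` then changes nothing and the CODEOWNERS match in `LogOwners` fails. Dropping `Abs`, `repoDir := filepath.Join(thisPath, "..", "..", "..", "..")`, gives the same result for absolute paths and still trims relative ones. `ScenarioBase` and `NewScenarioBase` are exported without doc comments; the one on `NewScenarioBase` should say it must be called directly from the scenario constructor, since the caller depth of 2 is hard-coded.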
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/test.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/test.go index 45e796daa3..23aca30ffe 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/test.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/check/test.go @@ -199,13 +199,13 @@ func (t *Test) setup(ctx context.Context) error { // Apply Secrets to the cluster. if err := t.applySecrets(ctx); err != nil { - t.CiliumLogs(ctx) + t.ContainerLogs(ctx) return fmt.Errorf("applying Secrets: %w", err) } // Apply CNPs & KNPs to the cluster. if err := t.applyResources(ctx); err != nil { - t.CiliumLogs(ctx) + t.ContainerLogs(ctx) return fmt.Errorf("applying network policies: %w", err) } @@ -837,31 +837,7 @@ func (t *Test) collectSysdump() { } func (t *Test) ForEachIPFamily(do func(features.IPFamily)) { - ipFams := features.GetIPFamilies(t.ctx.Params().IPFamilies) - - // The per-endpoint routes feature is broken with IPv6 on < v1.14 when there - // are any netpols installed (https://github.com/cilium/cilium/issues/23852 - // and https://github.com/cilium/cilium/issues/23910). - if f, ok := t.Context().Feature(features.EndpointRoutes); ok && - f.Enabled && t.HasNetworkPolicies() && - versioncheck.MustCompile("<1.14.0")(t.Context().CiliumVersion) { - - ipFams = []features.IPFamily{features.IPFamilyV4} - } - - for _, ipFam := range ipFams { - switch ipFam { - case features.IPFamilyV4: - if f, ok := t.ctx.Features[features.IPv4]; ok && f.Enabled { - do(ipFam) - } - - case features.IPFamilyV6: - if f, ok := t.ctx.Features[features.IPv6]; ok && f.Enabled { - do(ipFam) - } - } - } + t.ctx.ForEachIPFamily(t.HasNetworkPolicies(), do) } // CertificateCAs returns the CAs used to sign the certificates within the test. 
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/perf/benchmarks/netperf/bandwidth.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/perf/benchmarks/netperf/bandwidth.go index 0b152fcc0e..9c4532aacc 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/perf/benchmarks/netperf/bandwidth.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/perf/benchmarks/netperf/bandwidth.go @@ -23,11 +23,14 @@ const ( // NetQos : Test Network QoS Enforcement func NetQos(n string) check.Scenario { return &netQos{ - name: n, + name: n, + ScenarioBase: check.NewScenarioBase(), } } type netQos struct { + check.ScenarioBase + lock.Mutex name string } diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/perf/benchmarks/netperf/perfpod.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/perf/benchmarks/netperf/perfpod.go index 89705e5a84..ee84e5d5a9 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/perf/benchmarks/netperf/perfpod.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/perf/benchmarks/netperf/perfpod.go @@ -22,11 +22,14 @@ const ( // Network Performance func Netperf(n string) check.Scenario { return &netPerf{ - name: n, + name: n, + ScenarioBase: check.NewScenarioBase(), } } type netPerf struct { + check.ScenarioBase + name string } diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/bgp.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/bgp.go index d4ff885544..e2455959b7 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/bgp.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/bgp.go @@ -36,10 +36,13 @@ const ( func BGPAdvertisements(bgpAPIVersion uint8) check.Scenario { return &bgpAdvertisements{ bgpAPIVersion: bgpAPIVersion, + ScenarioBase: check.NewScenarioBase(), } } type bgpAdvertisements struct { + check.ScenarioBase + bgpAPIVersion uint8 } 
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/client.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/client.go index 9519172dcb..e7499a6f30 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/client.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/client.go @@ -14,11 +14,15 @@ import ( // ClientToClient sends an ICMP packet from each client Pod // to each client Pod in the test context. func ClientToClient() check.Scenario { - return &clientToClient{} + return &clientToClient{ + ScenarioBase: check.NewScenarioBase(), + } } // clientToClient implements a Scenario. -type clientToClient struct{} +type clientToClient struct { + check.ScenarioBase +} func (s *clientToClient) Name() string { return "client-to-client" diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/clustermesh-endpointslice-sync.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/clustermesh-endpointslice-sync.go index 5bff3d6921..36f02a2e88 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/clustermesh-endpointslice-sync.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/clustermesh-endpointslice-sync.go @@ -12,10 +12,14 @@ import ( ) func ClusterMeshEndpointSliceSync() check.Scenario { - return &clusterMeshEndpointSliceSync{} + return &clusterMeshEndpointSliceSync{ + ScenarioBase: check.NewScenarioBase(), + } } -type clusterMeshEndpointSliceSync struct{} +type clusterMeshEndpointSliceSync struct { + check.ScenarioBase +} func (s *clusterMeshEndpointSliceSync) Name() string { return "clustermesh-endpointslice-sync" diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/dummy.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/dummy.go index 291cd0a286..6e5637bd18 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/dummy.go 
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/dummy.go @@ -13,12 +13,14 @@ import ( // dummy implements a Scenario. type dummy struct { + check.ScenarioBase name string } func Dummy(name string) check.Scenario { return &dummy{ - name: name, + name: name, + ScenarioBase: check.NewScenarioBase(), } } diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/egressgateway.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/egressgateway.go index 8a30d784c1..242f348cb7 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/egressgateway.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/egressgateway.go @@ -150,10 +150,14 @@ func extractClientIPFromResponse(res string) net.IP { // - reply traffic for services // - reply traffic for pods func EgressGateway() check.Scenario { - return &egressGateway{} + return &egressGateway{ + ScenarioBase: check.NewScenarioBase(), + } } -type egressGateway struct{} +type egressGateway struct { + check.ScenarioBase +} func (s *egressGateway) Name() string { return "egress-gateway" @@ -240,7 +244,7 @@ func (s *egressGateway) Run(ctx context.Context, t *check.Test) { clientIP := extractClientIPFromResponse(a.CmdOutput()) if !clientIP.Equal(egressGatewayNodeInternalIP) { - t.Fatal("Request reached external echo service with wrong source IP") + a.Fatal("Request reached external echo service with wrong source IP") } }) i++ @@ -258,7 +262,7 @@ func (s *egressGateway) Run(ctx context.Context, t *check.Test) { clientIP := extractClientIPFromResponse(a.CmdOutput()) if !clientIP.Equal(egressGatewayNodeInternalIP) { - t.Fatal("Request reached external echo service with wrong source IP") + a.Fatal("Request reached external echo service with wrong source IP") } }) i++ 
@@ -311,10 +315,14 @@ func (s *egressGateway) Run(ctx context.Context, t *check.Test) { // // This suite tests the excludedCIDRs property and ensure traffic matching an excluded CIDR does not get masqueraded with the egress IP func EgressGatewayExcludedCIDRs() check.Scenario { - return &egressGatewayExcludedCIDRs{} + return &egressGatewayExcludedCIDRs{ + ScenarioBase: check.NewScenarioBase(), + } } -type egressGatewayExcludedCIDRs struct{} +type egressGatewayExcludedCIDRs struct { + check.ScenarioBase +} func (s *egressGatewayExcludedCIDRs) Name() string { return "egress-gateway-excluded-cidrs" @@ -385,7 +393,7 @@ func (s *egressGatewayExcludedCIDRs) Run(ctx context.Context, t *check.Test) { clientIP := extractClientIPFromResponse(a.CmdOutput()) if !clientIP.Equal(net.ParseIP(client.Pod.Status.HostIP)) { - t.Fatal("Request reached external echo service with wrong source IP") + a.Fatal("Request reached external echo service with wrong source IP") } }) i++ diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/encryption.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/encryption.go index d312ca45d6..1199c738f4 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/encryption.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/encryption.go @@ -213,10 +213,17 @@ func isWgEncap(t *check.Test) bool { // The checks are implemented by curl'ing a server pod from a client pod, and // then inspecting tcpdump captures from the client pod's node. func PodToPodEncryption(reqs ...features.Requirement) check.Scenario { - return &podToPodEncryption{reqs} + return &podToPodEncryption{ + reqs: reqs, + ScenarioBase: check.NewScenarioBase(), + } } -type podToPodEncryption struct{ reqs []features.Requirement } +type podToPodEncryption struct { + check.ScenarioBase + + reqs []features.Requirement +} func (s *podToPodEncryption) Name() string { return "pod-to-pod-encryption" 
@@ -373,10 +380,17 @@ func nodeToNodeEncTestPods(nodes map[check.NodeIdentity]*ciliumv2.CiliumNode, ex } func NodeToNodeEncryption(reqs ...features.Requirement) check.Scenario { - return &nodeToNodeEncryption{reqs} + return &nodeToNodeEncryption{ + reqs: reqs, + ScenarioBase: check.NewScenarioBase(), + } } -type nodeToNodeEncryption struct{ reqs []features.Requirement } +type nodeToNodeEncryption struct { + check.ScenarioBase + + reqs []features.Requirement +} func (s *nodeToNodeEncryption) Name() string { return "node-to-node-encryption" diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/encryption_v2.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/encryption_v2.go new file mode 100644 index 0000000000..e9f9262348 --- /dev/null +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/encryption_v2.go 
@@ -0,0 +1,596 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package tests
+
+import (
+ "context"
+ "fmt"
+ "net/netip"
+ "strings"
+
+ "github.com/cilium/cilium/cilium-cli/connectivity/check"
+ "github.com/cilium/cilium/cilium-cli/connectivity/sniff"
+ "github.com/cilium/cilium/cilium-cli/utils/features"
+)
+
+var _ check.Scenario = (*podToPodEncryptionV2)(nil)
+
+// PodToPodEncryptionV2 is a test which ensures client traffic to a server pod
+// is encrypted and not leaked.
+//
+// This tests runs on clusters post v1.18 which requires both IPsec and Wireguard
+// to utilize encrypted overlay, where encryption occurs just prior to the
+// final egress of a pod-to-pod packet.
+//
+// In tunnel mode this means VXLAN|GENEVE encap happens prior to encryption and the
+// tunnel encap'd packet is further encapsulated into IPsec's ESP tunnel headers.
+//
+// The actual test scenario can focus on the egress device for a pod-to-pod flow.
+// The egress device is the final interface where the encrypted packet is xmitted
+// on to reach the wire and head toward the destination.
+//
+// On this egress device (typically eth0 in the host network namespace) TCPDUMP
+// is used to capture packets.
+//
+// In native routing mode the TCPDUMP filter simply looks for plain text pod
+// to pod traffic for the client and server pods under test.
+//
+// For tunnel mode the TCPDUMP filter looks for UDP packets which match:
+// 1. UDP protocol
+// 2. UDP dst port matching the configured tunnel mode's well known port (e.g. 8472 for VXLAN)
+// 3. Inner IP headers of pod-to-pod traffic.
+// In other words the TCPDUMP filter seeks into the tunnel packet and looks for
+// plain-text pod-to-pod traffic for the client and server pods under test.
+//
+// Leak detection is performed both on the client side and server side, ensuring
+// client->server traffic is encrypted and the return traffic, server->client
+// is encrypted as well.
+//
+// This test should be ran both when encryption is enabled AND disabled.
+//
+// When encryption is enabled the test will check that no packets match the
+// TCPDUMP filter, i.e. there are no plain text leaks
+//
+// When encryption is disabled the test will check that packets DO match the
+// TCPDUMP filter, this is a sanity check to ensure we match plain-text packets
+// appropriately and have confidence that aforementioned leak detection works.
+func PodToPodEncryptionV2() check.Scenario {
+ return &podToPodEncryptionV2{
+ ScenarioBase: check.NewScenarioBase(),
+ }
+}
+
+type podToPodEncryptionV2 struct {
+ check.ScenarioBase
+
+ ct *check.ConnectivityTest
+ // client pod used to generate traffic
+ client *check.Pod
+ // server pod which receives and responds to client traffic
+ server *check.Pod
+ // pod on client's node providing access to host network namespace
+ clientHostNS *check.Pod
+ // pod on server's node providing access to host network namespace
+ serverHostNS *check.Pod
+
+ tunnelMode features.Status
+ encryptMode features.Status
+ ipv4Enabled features.Status
+ ipv6Enabled features.Status
+
+ // the egress device, on the client node, that client->server traffic will
+ // leave on.
+ //
+ // NOTE: this test assumes that if IPv6 is enabled the same egress device
+ // is used to push client traffic toward the server.
+ // this will almost always be the case.
+ clientEgressDev string
+ // the egress device, on the server node, that server->client (return traffic)
+ // will leave on.
+ //
+ // see clientEgressDev NOTE:
+ serverEgressDev string
+
+ // pcap filter used to detect leaks on the client side
+ clientFilter4 string
+ // pcap filter used to detect leaks on the server side
+ serverFilter4 string
+ // tcpdump running on the client
+ clientSniffer4 *sniff.Sniffer
+ // tcpdump running on the server
+ serverSniffer4 *sniff.Sniffer
+
+ // IPv6 variants of the above
+ clientFilter6 string
+ serverFilter6 string
+ clientSniffer6 *sniff.Sniffer
+ serverSniffer6 *sniff.Sniffer
+}
+
+func (s *podToPodEncryptionV2) Name() string {
+ return "pod-to-pod-encryption-v2"
+}
+
+// resolveEgressDevice resolves the egress device used in the provided host
+// network namespace used to send traffic to dst.
+func (s *podToPodEncryptionV2) resolveEgressDevice(ctx context.Context, srcHostNS *check.Pod, dst *check.Pod) (string, error) {
+ // if tunnel encap is used, the packet will be encapsulated before
+ // leaving the host, thus, use the tunnel endpoint IP rather then the
+ // pod IP for route lookup.
+ var dstIP string
+ if s.tunnelMode.Enabled {
+ dstIP = dst.Pod.Status.HostIP
+ } else {
+ dstIP = dst.Pod.Status.PodIP
+ }
+
+ // issue ip route get for destination in provided host network namespace
+ // and extract device.
+ //
+ // example string output:
+ // "172.18.0.2 dev eth0 src 172.18.0.4 uid 0 \n cache \n"
+ out, err := srcHostNS.K8sClient.ExecInPod(ctx,
+ srcHostNS.Pod.Namespace,
+ srcHostNS.Pod.Name,
+ "",
+ []string{"ip", "route", "get", dstIP})
+
+ if err != nil {
+ return "", fmt.Errorf("Failed to resolve egress device for: %w", err)
+ }
+
+ // search for dev key in ip route output, next token will be the device name
+ // itself.
+ var dev string
+ outArray := strings.Split(out.String(), " ")
+ for i, val := range outArray {
+ if val == "dev" {
+ if i+1 > len(outArray)-1 {
+ // should never really happen...
+ return "", fmt.Errorf("Failed to find egress device")
+ }
+ dev = outArray[i+1]
+ break
+ }
+ }
+
+ if dev == "" {
+ return "", fmt.Errorf("Failed to find egress device")
+ }
+
+ return dev, nil
+}
+
+// resolveClientEgressDevice determines the ultimate egress device used to
+// send a client's packet to the link-local network and toward the destination.
+//
+// in native routing mode this will be an "ip route get {dst_pod_ip}" while in
+// tunnel mode this will be "ip route get {dst_node_ip}" as the packet will be
+// tunnel encap'd before departure.
+func (s *podToPodEncryptionV2) resolveClientEgressDevice(ctx context.Context) (string, error) {
+ // we have a context, may as well check it
+ if ctx.Err() != nil {
+ return "", fmt.Errorf("Context already cancelled")
+ }
+
+ return s.resolveEgressDevice(ctx, s.clientHostNS, s.server)
+}
+
+// resolveServerEgressDevice is the similar to resolveClientEgressDevice but
+// finds the egress device for client return traffic from the server.
+func (s *podToPodEncryptionV2) resolveServerEgressDevice(ctx context.Context) (string, error) {
+ // we have a context, may as well check it
+ if ctx.Err() != nil {
+ return "", fmt.Errorf("Context already cancelled")
+ }
+ return s.resolveEgressDevice(ctx, s.serverHostNS, s.client)
+}
+
+// tunnelTCPDumpFilters4 will generate the required TCPDump filters for leak
+// detection when the cluster is in tunnel routing mode.
+//
+// the TCPDump filter will:
+// 1. detect UDP traffic
+// 2. detect that the UDP dst port is the configured tunnel protocol port
+// 3. seek into the VXLAN|GENEVE packet and ensure the IP header does not contain
+// [src: client, dst: server], this would be a leak.
+func (s *podToPodEncryptionV2) tunnelTCPDumpFilters4(ctx context.Context) (clientFilter string, serverFilter string, err error) {
+ if ctx.Err() != nil {
+ return "", "", fmt.Errorf("Context already cancelled")
+ }
+
+ // Start at the UDP header (VXLAN|GENEVE) and index into IPHeader.Src and IPHeader.Dst
+ // UDP(8)+VXLAN|GENEVE(8)+ETHER(14) = udp[30] + Offset to IPHeader.Src = udp[42]
+ // UDP(8)+VXLAN|GENEVE(8)+ETHER(14) = udp[30] + Offset to IPHeader.Dst = udp[46]
+ fmtInnerIPHeaderSrc := "udp[42:4] == %s"
+ fmtInnerIPHeaderDst := "udp[46:4] == %s"
+ fmtFilter := "udp and port %d and ( %s and %s )"
+
+ src, err := netip.ParseAddr(s.client.Address(features.IPFamilyV4))
+ if err != nil {
+ return "", "", fmt.Errorf("Failed to parse client pod IP: %w", err)
+ }
+ dst, err := netip.ParseAddr(s.server.Address(features.IPFamilyV4))
+ if err != nil {
+ return "", "", fmt.Errorf("Failed to parse server pod IP: %w", err)
+ }
+
+ srcBytes := src.As4()
+ srcAsHex := fmt.Sprintf("0x%02x%02x%02x%02x", srcBytes[0], srcBytes[1], srcBytes[2], srcBytes[3])
+
+ dstBytes := dst.As4()
+ dstAsHex := fmt.Sprintf("0x%02x%02x%02x%02x", dstBytes[0], dstBytes[1], dstBytes[2], dstBytes[3])
+
+ port := 8472
+ if s.tunnelMode.Mode == "geneve" {
+ port = 6081
+ }
+
+ // InnerIP.Src(client) -> InnerIP.Dst(server)
+ clientFilter = fmt.Sprintf(fmtFilter, port,
+ fmt.Sprintf(fmtInnerIPHeaderSrc, srcAsHex),
+ fmt.Sprintf(fmtInnerIPHeaderDst, dstAsHex))
+
+ // InnerIP.Src(server) -> InnerIP.Dst(client)
+ serverFilter = fmt.Sprintf(fmtFilter, port,
+ fmt.Sprintf(fmtInnerIPHeaderSrc, dstAsHex),
+ fmt.Sprintf(fmtInnerIPHeaderDst, srcAsHex))
+
+ return clientFilter, serverFilter, nil
+}
+
+func (s *podToPodEncryptionV2) nativeTCPDumpFilters4(ctx context.Context) (clientFilter string, serverFilter string, err error) {
+ if ctx.Err() != nil {
+ return "", "", fmt.Errorf("Context already cancelled")
+ }
+
+ // Native routing filter is much simpler, just check for the plain text
+ // traffic.
+ fmtNativeFilter := "src %s and dst %s"
+
+ src, err := netip.ParseAddr(s.client.Address(features.IPFamilyV4))
+ if err != nil {
+ return "", "", fmt.Errorf("Failed to parse client pod IP: %w", err)
+ }
+ dst, err := netip.ParseAddr(s.server.Address(features.IPFamilyV4))
+ if err != nil {
+ return "", "", fmt.Errorf("Failed to parse server pod IP: %w", err)
+ }
+
+ clientFilter = fmt.Sprintf(fmtNativeFilter, src, dst)
+ serverFilter = fmt.Sprintf(fmtNativeFilter, dst, src)
+ return clientFilter, serverFilter, nil
+}
+
+// resolveTCPDumpFilters4 crafts a TCPDump filter which will be applied to
+// s.clientEgressDev to detect any leaks.
+//
+// subtly, we cannot check for return traffic on each node.
+//
+// this is because in IPsec the return ESP traffic will arrive at
+// s.clientEgressDev where we are TCPDumping.
+//
+// when XFRM decrypts this traffic it re-circulates the packet via the interface it
+// arrived on original (s.clientEgressDev), at which point we will see the plain
+// text packets arrive as they are decrypted and re-circulated by XFRM.
+//
+// to get around this we create filters for client-return-traffic that can be
+// used server side, ensuring the return traffic is encrypted before leaving the
+// host.
+func (s *podToPodEncryptionV2) resolveTCPDumpFilters4(ctx context.Context) (clientFilter string, serverFilter string, err error) {
+ // we have a context, may as well check it
+ if ctx.Err() != nil {
+ return "", "", fmt.Errorf("Context already cancelled")
+ }
+
+ // handle tunneling mode.
+ if s.tunnelMode.Enabled {
+ return s.tunnelTCPDumpFilters4(ctx)
+ }
+
+ return s.nativeTCPDumpFilters4(ctx)
+}
+
+// tunnelTCPDumpFilters6 is equivalent to tunnelTCPDumpFilters4 but for IPv6.
+func (s *podToPodEncryptionV2) tunnelTCPDumpFilters6(ctx context.Context) (clientFilter string, serverFilter string, err error) {
+ if ctx.Err() != nil {
+ return "", "", fmt.Errorf("Context already cancelled")
+ }
+
+ // Start at the UDP header (VXLAN|GENEVE) and index into IP6Header.Src and IP6Header.Dst
+ // UDP(8)+VXLAN|GENEVE(8)+ETHER(14) = udp[30] + Offset to IP6Header.Src = udp[38]
+ // UDP(8)+VXLAN|GENEVE(8)+ETHER(14) = udp[30] + Offset to IP6Header.Dst = udp[54]
+ //
+ // IP6 addresses are 16 bytes large, TCPDump syntax can peek at a maximum of
+ // 4 bytes at a time, therefore we'll create 4 peek directives and slice up
+ // the IPv6 address into groups of 4 byte words: (4peeks x 4bytes = 16byte IPv6 Address).
+ innerIPv6Src := "(udp[38:4] == %s and udp[42:4] == %s and udp[46:4] == %s and udp[50:4] == %s)"
+ innerIPv6Dst := "(udp[54:4] == %s and udp[58:4] == %s and udp[62:4] == %s and udp[66:4] == %s)"
+ fmtFilter := "udp and port %d and %s and %s"
+
+ src, err := netip.ParseAddr(s.client.Address(features.IPFamilyV6))
+ if err != nil {
+ return "", "", fmt.Errorf("Failed to parse client pod IP: %w", err)
+ }
+ dst, err := netip.ParseAddr(s.server.Address(features.IPFamilyV6))
+ if err != nil {
+ return "", "", fmt.Errorf("Failed to parse server pod IP: %w", err)
+ }
+
+ port := 8472
+ if s.tunnelMode.Mode == "geneve" {
+ port = 6081
+ }
+
+ srcBytes := src.As16()
+ srcWord1 := fmt.Sprintf("0x%02x%02x%02x%02x", srcBytes[0], srcBytes[1], srcBytes[2], srcBytes[3])
+ srcWord2 := fmt.Sprintf("0x%02x%02x%02x%02x", srcBytes[4], srcBytes[5], srcBytes[6], srcBytes[7])
+ srcWord3 := fmt.Sprintf("0x%02x%02x%02x%02x", srcBytes[8], srcBytes[9], srcBytes[10], srcBytes[11])
+ srcWord4 := fmt.Sprintf("0x%02x%02x%02x%02x", srcBytes[12], srcBytes[13], srcBytes[14], srcBytes[15])
+
+ dstBytes := dst.As16()
+ dstWord1 := fmt.Sprintf("0x%02x%02x%02x%02x", dstBytes[0], dstBytes[1], dstBytes[2], dstBytes[3])
+ dstWord2 := fmt.Sprintf("0x%02x%02x%02x%02x", dstBytes[4], dstBytes[5], dstBytes[6], dstBytes[7])
+ dstWord3 := fmt.Sprintf("0x%02x%02x%02x%02x", dstBytes[8], dstBytes[9], dstBytes[10], dstBytes[11])
+ dstWord4 := fmt.Sprintf("0x%02x%02x%02x%02x", dstBytes[12], dstBytes[13], dstBytes[14], dstBytes[15])
+
+ clientInnerIPv6Src := fmt.Sprintf(innerIPv6Src, srcWord1, srcWord2, srcWord3, srcWord4)
+ clientInnerIPv6Dst := fmt.Sprintf(innerIPv6Dst, dstWord1, dstWord2, dstWord3, dstWord4)
+
+ serverInnerIPv6Src := fmt.Sprintf(innerIPv6Src, dstWord1, dstWord2, dstWord3, dstWord4)
+ serverInnerIPv6Dst := fmt.Sprintf(innerIPv6Dst, srcWord1, srcWord2, srcWord3, srcWord4)
+
+ clientFilter = fmt.Sprintf(fmtFilter, port, clientInnerIPv6Src, clientInnerIPv6Dst)
+ serverFilter = fmt.Sprintf(fmtFilter, port, serverInnerIPv6Dst, serverInnerIPv6Src)
+ return clientFilter, serverFilter, nil
+}
+
+func (s *podToPodEncryptionV2) nativeTCPDumpFilters6(ctx context.Context) (clientFilter string, serverFilter string, err error) {
+ if ctx.Err() != nil {
+ return "", "", fmt.Errorf("Context already cancelled")
+ }
+
+ fmtNativeFilter := "src %s and dst %s"
+
+ src, err := netip.ParseAddr(s.client.Address(features.IPFamilyV6))
+ if err != nil {
+ return "", "", fmt.Errorf("Failed to parse client pod IP: %w", err)
+ }
+ dst, err := netip.ParseAddr(s.server.Address(features.IPFamilyV6))
+ if err != nil {
+ return "", "", fmt.Errorf("Failed to parse server pod IP: %w", err)
+ }
+
+ clientFilter = fmt.Sprintf(fmtNativeFilter, src, dst)
+ serverFilter = fmt.Sprintf(fmtNativeFilter, dst, src)
+ return clientFilter, serverFilter, nil
+}
+
+// resolveTCPDumpFilters6 is the analog of resolveTCPDumpFilters4 but for IPv6.
+func (s *podToPodEncryptionV2) resolveTCPDumpFilters6(ctx context.Context) (clientFilter string, serverFilter string, err error) {
+ if ctx.Err() != nil {
+ return "", "", fmt.Errorf("Context already cancelled")
+ }
+
+ if s.tunnelMode.Enabled {
+ return s.tunnelTCPDumpFilters6(ctx)
+ }
+
+ return s.nativeTCPDumpFilters6(ctx)
+}
+
+// startSniffers will start TCPdump on both the client and the server pod's host
+// namespaces.
+//
+// if IPv6 is enabled for the cluster IPv6 specific sniffers will be started
+// as well.
+//
+// if encryption is enabled we will put the sniffer into Assert mode where any
+// captured packets indicates a test failure.
+//
+// conversely if encryption is disabled the sniffer is placed into Sanity mode
+// where packets are expected. this is useful, in a rather indirect way,
+// to prove that the generated tcpdump filters are working correctly and
+// capturing the traffic traffic which would be a leak if encryption was enabled.
+func (s *podToPodEncryptionV2) startSniffers(ctx context.Context, t *check.Test) error {
+ if ctx.Err() != nil {
+ return fmt.Errorf("Context already cancelled")
+ }
+
+ mode := sniff.ModeSanity
+ if s.encryptMode.Enabled {
+ t.Debugf("Encryption is enabled: test will fail if plain-text packets are seen.")
+ mode = sniff.ModeAssert
+ } else {
+ t.Info("Encryption is disabled: test will fail if plain-text packets are not seen to validates pcap filters are correct")
+ }
+
+ var err error
+
+ if s.ipv4Enabled.Enabled {
+ s.clientSniffer4, err = sniff.Sniff(ctx, s.Name(), s.clientHostNS, s.clientEgressDev, s.clientFilter4, mode, t)
+ if err != nil {
+ return fmt.Errorf("Failed to start sniffer on client: %w", err)
+ }
+ t.Debugf("started client tcpdump sniffer: [client: %s] [node: %s] [dev: %s] [filter: %s] [mode: %s]",
+ s.client.Pod.Name, s.client.Pod.Spec.NodeName, s.clientEgressDev, s.clientFilter4, mode)
+
+ s.serverSniffer4, err = sniff.Sniff(ctx, s.Name(), s.serverHostNS, s.serverEgressDev, s.serverFilter4, mode, t)
+ if err != nil {
+ return fmt.Errorf("Failed to start sniffer on server: %w", err)
+ }
+ t.Debugf("started server tcpdump sniffer: [server: %s] [node: %s] [dev: %s] [filter: %s] [mode: %s]",
+ s.server.Pod.Name, s.server.Pod.Spec.NodeName, s.serverEgressDev, s.serverFilter4, mode)
+ }
+
+ // if IPv6 is enabled on the cluster start IPv6 specific sniffers.
+ // one may wonder why we have IPv6 specific tcpdump instances and do not create
+ // a single filter which matches for both IPv4 and IPv6 traffic.
+ //
+ // the issue with this resides in the sanity check that is performed when
+ // encryption is disabled.
+ // this sanity check must ensure we see the traffic that **would be** a leak
+ // if encryption was on, ensuring the filters are correct.
+ //
+ // a filter which matches for both IPv4 and IPv6 traffic may see one, or the
+ // other, but not both, and confirm that the sanity check passed,
+ // since **any** plain-text packets were observed.
+ // this maybe a false positive tho, as you may have only seen IPv4 or IPv6,
+ // and not both. therefore, maintain a sniffer-per-filter for the filters we
+ // want to sanity check.
+ if s.ipv6Enabled.Enabled {
+ // subtly, this name is used to create the pcap file later evaluated
+ // in sniff.Validate.
+ //
+ // we need to use a different name or else else both tcpdump instances
+ // write to the same pcap file and this can break validation.
+ name := fmt.Sprintf("%s-ipv6", s.Name())
+
+ s.clientSniffer6, err = sniff.Sniff(ctx, name, s.clientHostNS, s.clientEgressDev, s.clientFilter6, mode, t)
+ if err != nil {
+ return fmt.Errorf("Failed to start sniffer on client for IPv6: %w", err)
+ }
+ t.Debugf("started client tcpdump sniffer for IPv6: [client: %s] [node: %s] [dev: %s] [filter: %s] [mode: %s]",
+ s.client.Pod.Name, s.client.Pod.Spec.NodeName, s.clientEgressDev, s.clientFilter6, mode)
+
+ s.serverSniffer6, err = sniff.Sniff(ctx, name, s.serverHostNS, s.serverEgressDev, s.serverFilter6, mode, t)
+ if err != nil {
+ return fmt.Errorf("Failed to start sniffer on server for IPv6: %w", err)
+ }
+ t.Debugf("started server tcpdump sniffer for IPv6: [server: %s] [node: %s] [dev: %s] [filter: %s] [mode: %s]",
+ s.server.Pod.Name, s.server.Pod.Spec.NodeName, s.serverEgressDev, s.serverFilter6, mode)
+ }
+
+ return nil
+}
+
+// clientToServerTest creates and runs a check.Action which performs a curl
+// from the client to the server pod.
+//
+// the action then checks the client sniffer initialized and ran in s.startSniffers
+// to ensure packets are seen (when encryption is disabled) or leaked packets are
+// not seen (when encryption is enabled).
+func (s *podToPodEncryptionV2) clientToServerTest(ctx context.Context, t *check.Test) error {
+ if ctx.Err() != nil {
+ return fmt.Errorf("Context already cancelled")
+ }
+
+ if s.ipv4Enabled.Enabled {
+ t.Debugf("performing client->server curl: [client: %s] [server: %s] [family: ipv4]", s.client.Pod.Name, s.server.Pod.Name)
+ action := t.NewAction(s, fmt.Sprintf("curl-%s", features.IPFamilyV4), s.client, s.server, features.IPFamilyV4)
+ action.Run(func(a *check.Action) {
+ a.ExecInPod(ctx, t.Context().CurlCommand(s.server, features.IPFamilyV4))
+ s.clientSniffer4.Validate(ctx, a)
+ s.serverSniffer4.Validate(ctx, a)
+ })
+ }
+
+ if s.ipv6Enabled.Enabled {
+ t.Debugf("performing client->server curl: [client: %s] [server: %s] [family: ipv6]", s.client.Pod.Name, s.server.Pod.Name)
+ action := t.NewAction(s, fmt.Sprintf("curl-%s", features.IPFamilyV6), s.client, s.server, features.IPFamilyV6)
+ action.Run(func(a *check.Action) {
+ a.ExecInPod(ctx, t.Context().CurlCommand(s.server, features.IPFamilyV6))
+ s.clientSniffer6.Validate(ctx, a)
+ s.serverSniffer6.Validate(ctx, a)
+ })
+ }
+
+ return nil
+}
+
+func (s *podToPodEncryptionV2) Run(ctx context.Context, t *check.Test) {
+ s.ct = t.Context()
+
+ // grab the features influencing this test
+ var ok bool
+ s.ipv4Enabled, ok = s.ct.Feature(features.IPv4)
+ if !ok {
+ t.Fatalf("Failed to detect IPv4 feature")
+ }
+ s.ipv6Enabled, ok = s.ct.Feature(features.IPv6)
+ if !ok {
+ t.Fatalf("Failed to detect IPv6 feature")
+ }
+ s.tunnelMode, ok = s.ct.Feature(features.Tunnel)
+ if !ok {
+ t.Fatalf("Failed to detect tunnel mode")
+ }
+ s.encryptMode, ok = s.ct.Feature(features.EncryptionPod)
+ if !ok {
+ t.Fatalf("Failed to detect encryption mode")
+ }
+
+ if !s.ipv4Enabled.Enabled && !s.ipv6Enabled.Enabled {
+ t.Fatalf("Test requires at least one IP family to be enabled")
+ }
+
+ // grab client and server pod, server must be on another host
+ s.client = s.ct.RandomClientPod()
+ if s.client == nil {
+ t.Fatalf("Failed to acquire a client pod\n")
+ }
+
+ for _, pod := range s.ct.EchoPods() {
+ if pod.Pod.Status.HostIP != s.client.Pod.Status.HostIP {
+ s.server = &pod
+ break
+ }
+ }
+ if s.server == nil {
+ t.Fatalf("Failed to acquire a server pod\n")
+ }
+
+ // grab host namespace pods for accessing the network namespaces of client
+ // and server pods.
+ if clientHostNS, ok := s.ct.HostNetNSPodsByNode()[s.client.Pod.Spec.NodeName]; !ok {
+ t.Fatalf("Fail to acquire host namespace pod on %s\n (client's node)", s.client.Pod.Spec.NodeName)
+ } else {
+ s.clientHostNS = &clientHostNS
+ }
+
+ if serverHostNS, ok := s.ct.HostNetNSPodsByNode()[s.server.Pod.Spec.NodeName]; !ok {
+ t.Fatalf("Fail to acquire host namespace pod on %s\n (server's node)", s.server.Pod.Spec.NodeName)
+ } else {
+ s.serverHostNS = &serverHostNS
+ }
+
+ // resolve the egress device on the client where traffic toward the server
+ // will leave the host, and the egress device on the server where the return
+ // traffic will leave the host.
+ var err error
+ s.clientEgressDev, err = s.resolveClientEgressDevice(ctx)
+ if err != nil {
+ t.Fatalf("Failed to resolve egress device for client: %v", err)
+ }
+
+ s.serverEgressDev, err = s.resolveServerEgressDevice(ctx)
+ if err != nil {
+ t.Fatalf("Failed to resolve egress device for server: %v", err)
+ }
+
+ // resolve the client and server's pcap filters used for leak detection,
+ if s.ipv4Enabled.Enabled {
+ s.clientFilter4, s.serverFilter4, err = s.resolveTCPDumpFilters4(ctx)
+ if err != nil {
+ t.Fatalf("Failed to resolve pcap filter: %v", err)
+ }
+ }
+ if s.ipv6Enabled.Enabled {
+ s.clientFilter6, s.serverFilter6, err = s.resolveTCPDumpFilters6(ctx)
+ if err != nil {
+ t.Fatalf("Failed to resolve pcap filter for IPv6: %v", err)
+ }
+ }
+
+ // start the client and server side tcpdump sniffers with the filters
+ // resolved by s.resolveTCPDumpFilter4.
+ if err := s.startSniffers(ctx, t); err != nil { + t.Fatalf("Failed to start sniffers: %s", err) + } + + // performs a curl from the client to the server and validate the tcpdump + // sniffers do not detect leaked traffic (or detect plain-text if encryption + // is not enabled) + s.clientToServerTest(ctx, t) +} diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/errors.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/errors.go index 69a66c651f..dc0cfa8827 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/errors.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/errors.go @@ -44,7 +44,7 @@ func (r regexMatcher) IsMatch(log string) bool { // NoErrorsInLogs checks whether there are no error messages in cilium-agent // logs. The error messages are defined in badLogMsgsWithExceptions, which key // is an error message, while values is a list of ignored messages. -func NoErrorsInLogs(ciliumVersion semver.Version, checkLevels []string) check.Scenario { +func NoErrorsInLogs(ciliumVersion semver.Version, checkLevels []string, externalTarget string) check.Scenario { // Exceptions for level=error should only be added as a last resort, if the // error cannot be fixed in Cilium or in the test. errorLogExceptions := []logMatcher{ @@ -54,6 +54,8 @@ func NoErrorsInLogs(ciliumVersion semver.Version, checkLevels []string) check.Sc if ciliumVersion.LT(semver.MustParse("1.14.0")) { errorLogExceptions = append(errorLogExceptions, previouslyUsedCIDR, klogLeaderElectionFail) } + + envoyTLSWarning := regexMatcher{regexp.MustCompile(fmt.Sprintf(envoyTLSWarningTemplate, externalTarget))} warningLogExceptions := []logMatcher{cantEnableJIT, delMissingService, podCIDRUnavailable, unableGetNode, sessionAffinitySocketLB, objectHasBeenModified, noBackendResponse, legacyBGPFeature, etcdTimeout, endpointRestoreFailed, unableRestoreRouterIP, 
@@ -62,7 +64,8 @@ func NoErrorsInLogs(ciliumVersion semver.Version, checkLevels []string) check.Sc hubbleQueueFull, reflectPanic, svcNotFound, unableTranslateCIDRgroups, gobgpWarnings, endpointMapDeleteFailed, etcdReconnection, epRestoreMissingState, mutationDetectorKlog, hubbleFailedCreatePeer, fqdnDpUpdatesTimeout, longNetpolUpdate, failedToGetEpLabels, - failedCreategRPCClient, unableReallocateIngressIP, fqdnMaxIPPerHostname, failedGetMetricsAPI, envoyTLSWarning} + failedCreategRPCClient, unableReallocateIngressIP, fqdnMaxIPPerHostname, failedGetMetricsAPI, envoyTLSWarning, + ciliumNodeConfigDeprecation, hubbleUIEnvVarFallback} // The list is adopted from cilium/cilium/test/helper/utils.go var errorMsgsWithExceptions = map[string][]logMatcher{ panicMessage: nil, @@ -87,10 +90,15 @@ func NoErrorsInLogs(ciliumVersion semver.Version, checkLevels []string) check.Sc if slices.Contains(checkLevels, defaults.LogLevelWarning) && ciliumVersion.GE(semver.MustParse("1.17.0")) { errorMsgsWithExceptions["level=warn"] = warningLogExceptions } - return &noErrorsInLogs{errorMsgsWithExceptions} + return &noErrorsInLogs{ + errorMsgsWithExceptions: errorMsgsWithExceptions, + ScenarioBase: check.NewScenarioBase(), + } } type noErrorsInLogs struct { + check.ScenarioBase + errorMsgsWithExceptions map[string][]logMatcher } @@ -99,8 +107,9 @@ func (n *noErrorsInLogs) Name() string { } type podID struct{ Cluster, Namespace, Name string } +type podContainers map[string]uint // Map container name to restart count type podInfo struct { - containers []string + containers podContainers client *k8s.Client } 
@@ -113,9 +122,26 @@ func (n *noErrorsInLogs) Run(ctx context.Context, t *check.Test) {
 opts := corev1.PodLogOptions{LimitBytes: ptr.To[int64](sysdump.DefaultLogsLimitBytes)}
 for pod, info := range pods {
 client := info.client
- for _, container := range info.containers {
+ for container, restarts := range info.containers {
 id := fmt.Sprintf("%s/%s/%s (%s)", pod.Cluster, pod.Namespace, pod.Name, container)
 t.NewGenericAction(n, id).Run(func(a *check.Action) {
+ // Ignore Cilium operator restarts for the moment, as they can
+ // legitimately happen in case it loses the leader election due
+ // to temporary control plane blips.
+ ignore := container == "cilium-operator"
+
+ // The hubble relay container can currently be restarted by the
+ // startup probe if it fails to connect to Cilium. However, this
+ // can legitimately happen when the certificates are generated
+ // for the first time, as that they then need to be reloaded
+ // by the agents. Given that we cannot configure the settings of
+ // the startup probe, let's just accept one possible restart here.
+ ignore = ignore || (restarts == 1 && container == "hubble-relay")
+
+ if restarts > 0 && !ignore {
+ a.Failf("Non-zero (%d) restart count of %s must be investigated", restarts, id)
+ }
+
 var logs bytes.Buffer
 err := client.GetLogs(ctx, pod.Namespace, pod.Name, container, opts, &logs)
 if err != nil {
@@ -131,10 +157,15 @@ func (n *noErrorsInLogs) Run(ctx context.Context, t *check.Test) {
 // NoUnexpectedPacketDrops checks whether there were no drops due to expected
 // packet drops.
 func NoUnexpectedPacketDrops(expectedDrops []string) check.Scenario {
- return &noUnexpectedPacketDrops{expectedDrops}
+ return &noUnexpectedPacketDrops{
+ expectedDrops: expectedDrops,
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
 type noUnexpectedPacketDrops struct {
+ check.ScenarioBase
+
 expectedDrops []string
 }
@@ -211,13 +242,24 @@ func (n *noErrorsInLogs) allCiliumPods(ctx context.Context, ct *check.Connectivi
 return output, nil
 }
-func (n *noErrorsInLogs) podContainers(pod *corev1.Pod) (containers []string) {
+func (n *noErrorsInLogs) podContainers(pod *corev1.Pod) podContainers {
+ restarts := func(statuses []corev1.ContainerStatus, name string) (restarts uint) {
+ for _, status := range statuses {
+ if status.Name == name {
+ return uint(status.RestartCount)
+ }
+ }
+ return 0
+ }
+
+ containers := make(podContainers, len(pod.Spec.Containers)+len(pod.Spec.InitContainers))
+
 for _, container := range pod.Spec.Containers {
- containers = append(containers, container.Name)
+ containers[container.Name] = restarts(pod.Status.ContainerStatuses, container.Name)
 }
 for _, container := range pod.Spec.InitContainers {
- containers = append(containers, container.Name)
+ containers[container.Name] = restarts(pod.Status.InitContainerStatuses, container.Name)
 }
 return containers
@@ -281,39 +323,41 @@ const (
 klogLeaderElectionFail stringMatcher = "error retrieving resource lock kube-system/cilium-operator-resource-lock:" // from: https://github.com/cilium/cilium/issues/31050
 nilDetailsForService stringMatcher = "retrieved nil details for Service" // from: https://github.com/cilium/cilium/issues/35595
- cantEnableJIT stringMatcher = "bpf_jit_enable: no such file or directory" // Because we run tests in Kind.
- delMissingService stringMatcher = "Deleting no longer present service" // cf. https://github.com/cilium/cilium/issues/29679
- podCIDRUnavailable stringMatcher = " PodCIDR not available" // cf. https://github.com/cilium/cilium/issues/29680
- unableGetNode stringMatcher = "Unable to get node resource" // cf. https://github.com/cilium/cilium/issues/29710
- sessionAffinitySocketLB stringMatcher = "Session affinity for host reachable services needs kernel" // cf. https://github.com/cilium/cilium/issues/29736
- objectHasBeenModified stringMatcher = "the object has been modified; please apply your changes" // cf. https://github.com/cilium/cilium/issues/29712
- noBackendResponse stringMatcher = "The kernel does not support --service-no-backend-response=reject" // cf. https://github.com/cilium/cilium/issues/29733
- legacyBGPFeature stringMatcher = "You are using the legacy BGP feature" // Expected when testing the legacy BGP feature.
- etcdTimeout stringMatcher = "etcd client timeout exceeded" // cf. https://github.com/cilium/cilium/issues/29714
- endpointRestoreFailed stringMatcher = "Unable to restore endpoint, ignoring" // cf. https://github.com/cilium/cilium/issues/29716
- unableRestoreRouterIP stringMatcher = "Unable to restore router IP from filesystem" // cf. https://github.com/cilium/cilium/issues/29715
- routerIPReallocated stringMatcher = "Router IP could not be re-allocated" // cf. https://github.com/cilium/cilium/issues/29715
- cantFindIdentityInCache stringMatcher = "unable to release identity: unable to find key in local cache" // cf. https://github.com/cilium/cilium/issues/29732
- keyAllocFailedFoundMaster stringMatcher = "Found master key after proceeding with new allocation" // cf. https://github.com/cilium/cilium/issues/29738
- cantRecreateMasterKey stringMatcher = "unable to re-create missing master key" // cf. https://github.com/cilium/cilium/issues/29738
- cantUpdateCRDIdentity stringMatcher = "Unable update CRD identity information with a reference for this node" // cf. https://github.com/cilium/cilium/issues/29739
- cantDeleteFromPolicyMap stringMatcher = "cilium_call_policy: delete: key does not exist" // cf. https://github.com/cilium/cilium/issues/29754
- hubbleQueueFull stringMatcher = "hubble events queue is full" // Because we run without monitor aggregation
- reflectPanic stringMatcher = "reflect.Value.SetUint using value obtained using unexported field" // cf. https://github.com/cilium/cilium/issues/33766
- svcNotFound stringMatcher = "service not found" // cf. https://github.com/cilium/cilium/issues/35768
- unableTranslateCIDRgroups stringMatcher = "Unable to translate all CIDR groups to CIDRs" // Can be removed once v1.17 is released.
- gobgpWarnings stringMatcher = "component=gobgp.BgpServerInstance" // cf. https://github.com/cilium/cilium/issues/35799
- etcdReconnection stringMatcher = "Error observed on etcd connection, reconnecting etcd" // cf. https://github.com/cilium/cilium/issues/35865
- epRestoreMissingState stringMatcher = "Couldn't find state, ignoring endpoint" // cf. https://github.com/cilium/cilium/issues/35869
- mutationDetectorKlog stringMatcher = "Mutation detector is enabled, this will result in memory leakage." // cf. https://github.com/cilium/cilium/issues/35929
- hubbleFailedCreatePeer stringMatcher = "Failed to create peer client for peers synchronization" // cf. https://github.com/cilium/cilium/issues/35930
- fqdnDpUpdatesTimeout stringMatcher = "Timed out waiting for datapath updates of FQDN IP information" // cf. https://github.com/cilium/cilium/issues/35931
- longNetpolUpdate stringMatcher = "onConfigUpdate(): Worker threads took longer than" // cf. https://github.com/cilium/cilium/issues/36067
- failedToGetEpLabels stringMatcher = "Failed to get identity labels for endpoint" // cf. https://github.com/cilium/cilium/issues/36068
- failedCreategRPCClient stringMatcher = "Failed to create gRPC client" // cf. https://github.com/cilium/cilium/issues/36070
- unableReallocateIngressIP stringMatcher = "unable to re-allocate ingress IPv6" // cf. https://github.com/cilium/cilium/issues/36072
- fqdnMaxIPPerHostname stringMatcher = "Raise tofqdns-endpoint-max-ip-per-hostname to mitigate this" // cf. https://github.com/cilium/cilium/issues/36073
- failedGetMetricsAPI stringMatcher = "retrieve the complete list of server APIs: metrics.k8s.io/v1beta1" // cf. https://github.com/cilium/cilium/issues/36085
+ cantEnableJIT stringMatcher = "bpf_jit_enable: no such file or directory" // Because we run tests in Kind.
+ delMissingService stringMatcher = "Deleting no longer present service" // cf. https://github.com/cilium/cilium/issues/29679
+ podCIDRUnavailable stringMatcher = " PodCIDR not available" // cf. https://github.com/cilium/cilium/issues/29680
+ unableGetNode stringMatcher = "Unable to get node resource" // cf. https://github.com/cilium/cilium/issues/29710
+ sessionAffinitySocketLB stringMatcher = "Session affinity for host reachable services needs kernel" // cf. https://github.com/cilium/cilium/issues/29736
+ objectHasBeenModified stringMatcher = "the object has been modified; please apply your changes" // cf. https://github.com/cilium/cilium/issues/29712
+ noBackendResponse stringMatcher = "The kernel does not support --service-no-backend-response=reject" // cf. https://github.com/cilium/cilium/issues/29733
+ legacyBGPFeature stringMatcher = "You are using the legacy BGP feature" // Expected when testing the legacy BGP feature.
+ etcdTimeout stringMatcher = "etcd client timeout exceeded" // cf. https://github.com/cilium/cilium/issues/29714
+ endpointRestoreFailed stringMatcher = "Unable to restore endpoint, ignoring" // cf. https://github.com/cilium/cilium/issues/29716
+ unableRestoreRouterIP stringMatcher = "Unable to restore router IP from filesystem" // cf. https://github.com/cilium/cilium/issues/29715
+ routerIPReallocated stringMatcher = "Router IP could not be re-allocated" // cf. https://github.com/cilium/cilium/issues/29715
+ cantFindIdentityInCache stringMatcher = "unable to release identity: unable to find key in local cache" // cf. https://github.com/cilium/cilium/issues/29732
+ keyAllocFailedFoundMaster stringMatcher = "Found master key after proceeding with new allocation" // cf. https://github.com/cilium/cilium/issues/29738
+ cantRecreateMasterKey stringMatcher = "unable to re-create missing master key" // cf. https://github.com/cilium/cilium/issues/29738
+ cantUpdateCRDIdentity stringMatcher = "Unable update CRD identity information with a reference for this node" // cf. https://github.com/cilium/cilium/issues/29739
+ cantDeleteFromPolicyMap stringMatcher = "cilium_call_policy: delete: key does not exist" // cf. https://github.com/cilium/cilium/issues/29754
+ hubbleQueueFull stringMatcher = "hubble events queue is full" // Because we run without monitor aggregation
+ reflectPanic stringMatcher = "reflect.Value.SetUint using value obtained using unexported field" // cf. https://github.com/cilium/cilium/issues/33766
+ svcNotFound stringMatcher = "service not found" // cf. https://github.com/cilium/cilium/issues/35768
+ unableTranslateCIDRgroups stringMatcher = "Unable to translate all CIDR groups to CIDRs" // Can be removed once v1.17 is released.
+ gobgpWarnings stringMatcher = "component=gobgp.BgpServerInstance" // cf. https://github.com/cilium/cilium/issues/35799
+ etcdReconnection stringMatcher = "Error observed on etcd connection, reconnecting etcd" // cf. https://github.com/cilium/cilium/issues/35865
+ epRestoreMissingState stringMatcher = "Couldn't find state, ignoring endpoint" // cf. https://github.com/cilium/cilium/issues/35869
+ mutationDetectorKlog stringMatcher = "Mutation detector is enabled, this will result in memory leakage." // cf. https://github.com/cilium/cilium/issues/35929
+ hubbleFailedCreatePeer stringMatcher = "Failed to create peer client for peers synchronization" // cf. https://github.com/cilium/cilium/issues/35930
+ fqdnDpUpdatesTimeout stringMatcher = "Timed out waiting for datapath updates of FQDN IP information" // cf. https://github.com/cilium/cilium/issues/35931
+ longNetpolUpdate stringMatcher = "onConfigUpdate(): Worker threads took longer than" // cf. https://github.com/cilium/cilium/issues/36067
+ failedToGetEpLabels stringMatcher = "Failed to get identity labels for endpoint" // cf. https://github.com/cilium/cilium/issues/36068
+ failedCreategRPCClient stringMatcher = "Failed to create gRPC client" // cf. https://github.com/cilium/cilium/issues/36070
+ unableReallocateIngressIP stringMatcher = "unable to re-allocate ingress IPv6" // cf. https://github.com/cilium/cilium/issues/36072
+ fqdnMaxIPPerHostname stringMatcher = "Raise tofqdns-endpoint-max-ip-per-hostname to mitigate this" // cf. https://github.com/cilium/cilium/issues/36073
+ failedGetMetricsAPI stringMatcher = "retrieve the complete list of server APIs: metrics.k8s.io/v1beta1" // cf. https://github.com/cilium/cilium/issues/36085
+ ciliumNodeConfigDeprecation stringMatcher = "cilium.io/v2alpha1 CiliumNodeConfig will be deprecated in cilium v1.16" // cf. https://github.com/cilium/cilium/issues/37249
+ hubbleUIEnvVarFallback stringMatcher = "using fallback value for env var" // cf. https://github.com/cilium/hubble-ui/pull/940
 // Logs messages that should not be in the cilium-envoy DS logs
 envoyErrorMessage = "[error]"
@@ -328,6 +372,7 @@ var (
 knownIssueWireguardCollision = regexMatcher{regexp.MustCompile("Cannot forward proxied DNS lookup.*:51871.*bind: address already in use")} // from: https://github.com/cilium/cilium/issues/30901
 // Cf. https://github.com/cilium/cilium/issues/35803
 endpointMapDeleteFailed = regexMatcher{regexp.MustCompile(`Ignoring error while deleting endpoint.*from map cilium_\w+: delete: key does not exist`)}
- // envoyTLSWarning is the legitimate warning log for negative TLS SNI test case
- envoyTLSWarning = regexMatcher{regexp.MustCompile("cilium.tls_wrapper: Could not get server TLS context for pod.*on destination IP.*port 443 sni.*cilium.io.*and raw socket is not allowed")}
+ // envoyTLSWarningTemplate is the legitimate warning log for negative TLS SNI test case
+ // This is a template string as we need to replace %s for external target flag
+ envoyTLSWarningTemplate = "cilium.tls_wrapper: Could not get server TLS context for pod.*on destination IP.*port 443 sni.*%s.*and raw socket is not allowed"
 )
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/externalworkload.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/externalworkload.go
deleted file mode 100644
index d58b68c89f..0000000000
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/externalworkload.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// Copyright Authors of Cilium
-
-package tests
-
-import (
- "context"
- "fmt"
-
- "github.com/cilium/cilium/cilium-cli/connectivity/check"
- "github.com/cilium/cilium/cilium-cli/utils/features"
-)
-
-func PodToExternalWorkload() check.Scenario {
- return &podToExternalWorkload{}
-}
-
-type podToExternalWorkload struct{}
-
-func (s *podToExternalWorkload) Name() string {
- return "pod-to-external-workload"
-}
-
-func (s *podToExternalWorkload) Run(ctx context.Context, t *check.Test) {
- var i int
- ct := t.Context()
-
- for _, pod := range ct.ClientPods() {
- for _, wl := range ct.ExternalWorkloads() {
- t.NewAction(s, fmt.Sprintf("ping-%d", i), &pod, wl, features.IPFamilyV4).Run(func(a *check.Action) {
- a.ExecInPod(ctx, ct.PingCommand(wl, features.IPFamilyV4))
-
- a.ValidateFlows(ctx, pod, a.GetEgressRequirements(check.FlowParameters{
- Protocol: check.ICMP,
- }))
-
- a.ValidateFlows(ctx, wl, a.GetIngressRequirements(check.FlowParameters{
- Protocol: check.ICMP,
- }))
- })
-
- i++
- }
- }
-}
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/from-cidr.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/from-cidr.go
index 10777698a0..c582f235c0 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/from-cidr.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/from-cidr.go
@@ -15,11 +15,15 @@ import (
 // FromCIDRToPod generates HTTP request from each node without Cilium to the
 // echo pods within the Cilium / K8s cluster.
 func FromCIDRToPod() check.Scenario {
- return &fromCIDRToPod{}
+ return &fromCIDRToPod{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
 // fromCIDRToPod implements a Scenario.
-type fromCIDRToPod struct{}
+type fromCIDRToPod struct {
+ check.ScenarioBase
+}
 func (f *fromCIDRToPod) Name() string {
 return "from-cidr-to-pod"
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/health.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/health.go
index 058ed288d4..14b1ed64a0 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/health.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/health.go
@@ -20,10 +20,14 @@ import (
 )
 func CiliumHealth() check.Scenario {
- return &ciliumHealth{}
+ return &ciliumHealth{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
-type ciliumHealth struct{}
+type ciliumHealth struct {
+ check.ScenarioBase
+}
 func (s *ciliumHealth) Name() string {
 return "cilium-health"
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/host.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/host.go
index 79a96cb65a..90e6923a3d 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/host.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/host.go
@@ -16,11 +16,15 @@ import (
 // PodToHost sends an ICMP ping from all client Pods to all nodes
 // in the test context.
 func PodToHost() check.Scenario {
- return &podToHost{}
+ return &podToHost{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
 // podToHost implements a Scenario.
-type podToHost struct{}
+type podToHost struct {
+ check.ScenarioBase
+}
 func (s *podToHost) Name() string {
 return "pod-to-host"
@@ -70,11 +74,15 @@ func (s *podToHost) Run(ctx context.Context, t *check.Test) {
 // PodToControlPlaneHost sends an ICMP ping from the controlPlaneclient Pod to all nodes
 // in the test context.
 func PodToControlPlaneHost() check.Scenario {
- return &podToControlPlaneHost{}
+ return &podToControlPlaneHost{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
 // podToHost implements a Scenario.
-type podToControlPlaneHost struct{}
+type podToControlPlaneHost struct {
+ check.ScenarioBase
+}
 func (s *podToControlPlaneHost) Name() string {
 return "pod-to-controlplane-host"
@@ -110,11 +118,15 @@ func (s *podToControlPlaneHost) Run(ctx context.Context, t *check.Test) {
 // PodToHostPort sends an HTTP request from all client Pods
 // to all echo Services' HostPorts.
 func PodToHostPort() check.Scenario {
- return &podToHostPort{}
+ return &podToHostPort{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
 // podToHostPort implements a ConditionalScenario.
-type podToHostPort struct{}
+type podToHostPort struct {
+ check.ScenarioBase
+}
 func (s *podToHostPort) Name() string {
 return "pod-to-hostport"
@@ -154,10 +166,14 @@ func (s *podToHostPort) Run(ctx context.Context, t *check.Test) {
 // HostToPod generates one HTTP request from each node inside the cluster to
 // each echo (server) pod in the test context.
 func HostToPod() check.Scenario {
- return &hostToPod{}
+ return &hostToPod{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
-type hostToPod struct{}
+type hostToPod struct {
+ check.ScenarioBase
+}
 func (s *hostToPod) Name() string {
 return "host-to-pod"
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/ipsec_xfrm.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/ipsec_xfrm.go
index bbf1ce0b11..e9488e61c5 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/ipsec_xfrm.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/ipsec_xfrm.go
@@ -31,11 +31,14 @@ type ciliumMetricsXfrmError struct {
 func NoIPsecXfrmErrors(expectedErrors []string) check.Scenario {
 return &noIPsecXfrmErrors{
- features.ComputeFailureExceptions(defaults.ExpectedXFRMErrors, expectedErrors),
+ expectedErrors: features.ComputeFailureExceptions(defaults.ExpectedXFRMErrors, expectedErrors),
+ ScenarioBase: check.NewScenarioBase(),
 }
 }
 type noIPsecXfrmErrors struct {
+ check.ScenarioBase
+
 expectedErrors []string
 }
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/k8s.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/k8s.go
index d0828a64bb..b344f99ee7 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/k8s.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/k8s.go
@@ -14,11 +14,15 @@ import (
 // PodToK8sLocal sends a curl from all control plane client Pods
 // to all control-plane nodes.
 func PodToK8sLocal() check.Scenario {
- return &podToK8sLocal{}
+ return &podToK8sLocal{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
 // podToK8sLocal implements a Scenario.
-type podToK8sLocal struct{}
+type podToK8sLocal struct {
+ check.ScenarioBase
+}
 func (s *podToK8sLocal) Name() string {
 return "pod-to-k8s-local"
@@ -27,15 +31,19 @@ func (s *podToK8sLocal) Name() string {
 func (s *podToK8sLocal) Run(ctx context.Context, t *check.Test) {
 ct := t.Context()
 k8sSvc := ct.K8sService()
+ ipFamilies := []features.IPFamily{features.IPFamilyV4, features.IPFamilyV6}
 for _, pod := range ct.ControlPlaneClientPods() {
- t.NewAction(s, fmt.Sprintf("curl-k8s-from-pod-%s", pod.Name()), &pod, k8sSvc, features.IPFamilyAny).Run(func(a *check.Action) {
- a.ExecInPod(ctx, ct.CurlCommand(k8sSvc, features.IPFamilyAny))
- a.ValidateFlows(ctx, pod, a.GetEgressRequirements(check.FlowParameters{
- DNSRequired: true,
- AltDstPort: k8sSvc.Port(),
- }))
-
- a.ValidateMetrics(ctx, pod, a.GetEgressMetricsRequirements())
- })
+ for _, ipFamily := range ipFamilies {
+ actionName := fmt.Sprintf("curl-k8s-from-pod-%s-%s", pod.Name(), ipFamily)
+ t.NewAction(s, actionName, &pod, k8sSvc, ipFamily).Run(func(a *check.Action) {
+ a.ExecInPod(ctx, ct.CurlCommand(k8sSvc, ipFamily))
+ a.ValidateFlows(ctx, pod, a.GetEgressRequirements(check.FlowParameters{
+ DNSRequired: true,
+ AltDstPort: k8sSvc.Port(),
+ }))
+
+ a.ValidateMetrics(ctx, pod, a.GetEgressMetricsRequirements())
+ })
+ }
 }
 }
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/lrp.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/lrp.go
index f73b1c146c..333c41cf22 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/lrp.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/lrp.go
@@ -26,10 +26,14 @@ import (
 // - client pods to LRP frontend
 // - LRP backend pods to LRP frontend
 func LRP(skipRedirectFromBackend bool) check.Scenario {
- return lrp{skipRedirectFromBackend: skipRedirectFromBackend}
+ return lrp{
+ ScenarioBase: check.NewScenarioBase(),
+ skipRedirectFromBackend: skipRedirectFromBackend,
+ }
 }
 type lrp struct {
+ check.ScenarioBase
 skipRedirectFromBackend bool
 }
@@ -191,10 +195,14 @@ func WaitForLocalRedirectBPFEntries(ctx context.Context, t *check.Test, frontend
 // The network policy allows the clients to access node-local-dns
 // and the externalEcho service.
 func LRPWithNodeDNS() check.Scenario {
- return lrpWithNodeDNS{}
+ return lrpWithNodeDNS{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
-type lrpWithNodeDNS struct{}
+type lrpWithNodeDNS struct {
+ check.ScenarioBase
+}
 func (s lrpWithNodeDNS) Name() string {
 return "local-redirect-policy-with-node-dns"
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/multicast.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/multicast.go
index 76a377f2c0..86d61c7b23 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/multicast.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/multicast.go
@@ -38,10 +38,13 @@ var NodeWithoutGroupMu lock.RWMutex
 var NotSubscribePodAddressMu lock.RWMutex
 type socatMulticast struct {
+ check.ScenarioBase
 }
 func SocatMulticast() check.Scenario {
- return &socatMulticast{}
+ return &socatMulticast{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
 func (s *socatMulticast) Name() string {
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/pod.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/pod.go
index 6865acbe98..a3a6f760ad 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/pod.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/pod.go
@@ -30,6 +30,7 @@ func PodToPod(opts ...Option) check.Scenario {
 opt(options)
 }
 return &podToPod{
+ ScenarioBase: check.NewScenarioBase(),
 sourceLabels: options.sourceLabels,
 destinationLabels: options.destinationLabels,
 method: options.method,
@@ -38,6 +39,8 @@ func PodToPod(opts ...Option) check.Scenario {
 // podToPod implements a Scenario.
 type podToPod struct {
+ check.ScenarioBase
+
 sourceLabels map[string]string
 destinationLabels map[string]string
 method string
@@ -91,6 +94,7 @@ func PodToPodWithEndpoints(opts ...Option) check.Scenario {
 opt(rc)
 }
 return &podToPodWithEndpoints{
+ ScenarioBase: check.NewScenarioBase(),
 sourceLabels: options.sourceLabels,
 destinationLabels: options.destinationLabels,
 method: options.method,
@@ -101,6 +105,8 @@ func PodToPodWithEndpoints(opts ...Option) check.Scenario {
 // podToPodWithEndpoints implements a Scenario.
 type podToPodWithEndpoints struct {
+ check.ScenarioBase
+
 sourceLabels map[string]string
 destinationLabels map[string]string
 method string
@@ -189,10 +195,14 @@ func (s *podToPodWithEndpoints) curlEndpoints(ctx context.Context, t *check.Test
 // - For IPv4: $POD_MTU - 20 (IPv4 hdr) - 8 (ICMP Echo hdr)
 // - For IPv6: $POD_MTU - 40 (IPv6 hdr) - 8 (ICMP Echo hdr)
 func PodToPodNoFrag() check.Scenario {
- return &podToPodNoFrag{}
+ return &podToPodNoFrag{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
-type podToPodNoFrag struct{}
+type podToPodNoFrag struct {
+ check.ScenarioBase
+}
 func (s *podToPodNoFrag) Name() string {
 return "pod-to-pod-no-frag"
@@ -270,6 +280,7 @@ func PodToPodMissingIPCache(opts ...Option) check.Scenario {
 opt(options)
 }
 return &podToPodMissingIPCache{
+ ScenarioBase: check.NewScenarioBase(),
 sourceLabels: options.sourceLabels,
 destinationLabels: options.destinationLabels,
 method: options.method,
@@ -277,6 +288,8 @@ func PodToPodMissingIPCache(opts ...Option) check.Scenario {
 }
 type podToPodMissingIPCache struct {
+ check.ScenarioBase
+
 sourceLabels map[string]string
 destinationLabels map[string]string
 method string
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/service.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/service.go
index 9bc3d67b8e..b78ae34294 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/service.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/service.go
@@ -23,6 +23,7 @@ func PodToService(opts ...Option) check.Scenario {
 opt(options)
 }
 return &podToService{
+ ScenarioBase: check.NewScenarioBase(),
 sourceLabels: options.sourceLabels,
 destinationLabels: options.destinationLabels,
 }
@@ -30,6 +31,8 @@ func PodToService(opts ...Option) check.Scenario {
 // podToService implements a Scenario.
 type podToService struct {
+ check.ScenarioBase
+
 sourceLabels map[string]string
 destinationLabels map[string]string
 }
@@ -75,6 +78,7 @@ func PodToIngress(opts ...Option) check.Scenario {
 opt(options)
 }
 return &podToIngress{
+ ScenarioBase: check.NewScenarioBase(),
 sourceLabels: options.sourceLabels,
 destinationLabels: options.destinationLabels,
 }
@@ -82,6 +86,8 @@ func PodToIngress(opts ...Option) check.Scenario {
 // podToIngress implements a Scenario.
 type podToIngress struct {
+ check.ScenarioBase
+
 sourceLabels map[string]string
 destinationLabels map[string]string
 }
@@ -119,11 +125,15 @@ func (s *podToIngress) Run(ctx context.Context, t *check.Test) {
 // PodToRemoteNodePort sends an HTTP request from all client Pods
 // to all echo Services' NodePorts, but only to other nodes.
 func PodToRemoteNodePort() check.Scenario {
- return &podToRemoteNodePort{}
+ return &podToRemoteNodePort{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
 // podToRemoteNodePort implements a Scenario.
-type podToRemoteNodePort struct{}
+type podToRemoteNodePort struct {
+ check.ScenarioBase
+}
 func (s *podToRemoteNodePort) Name() string {
 return "pod-to-remote-nodeport"
@@ -160,11 +170,15 @@ func (s *podToRemoteNodePort) Run(ctx context.Context, t *check.Test) {
 // to all echo Services' NodePorts, but only on the same node as
 // the client Pods.
 func PodToLocalNodePort() check.Scenario {
- return &podToLocalNodePort{}
+ return &podToLocalNodePort{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
 // podToLocalNodePort implements a Scenario.
-type podToLocalNodePort struct{}
+type podToLocalNodePort struct {
+ check.ScenarioBase
+}
 func (s *podToLocalNodePort) Name() string {
 return "pod-to-local-nodeport"
@@ -260,10 +274,14 @@ func curlNodePort(ctx context.Context, s check.Scenario, t *check.Test,
 // OutsideToNodePort sends an HTTP request from client pod running on a node w/o
 // Cilium to NodePort services.
 func OutsideToNodePort() check.Scenario {
- return &outsideToNodePort{}
+ return &outsideToNodePort{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
-type outsideToNodePort struct{}
+type outsideToNodePort struct {
+ check.ScenarioBase
+}
 func (s *outsideToNodePort) Name() string {
 return "outside-to-nodeport"
@@ -290,10 +308,14 @@ func (s *outsideToNodePort) Run(ctx context.Context, t *check.Test) {
 // OutsideToIngressService sends an HTTP request from client pod running on a node w/o
 // Cilium to NodePort services.
 func OutsideToIngressService() check.Scenario {
- return &outsideToIngressService{}
+ return &outsideToIngressService{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
-type outsideToIngressService struct{}
+type outsideToIngressService struct {
+ check.ScenarioBase
+}
 func (s *outsideToIngressService) Name() string {
 return "outside-to-ingress-service"
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/to-cidr.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/to-cidr.go
index f7c2aae2ed..af42cf685a 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/to-cidr.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/to-cidr.go
@@ -20,11 +20,16 @@ func PodToCIDR(opts ...RetryOption) check.Scenario {
 for _, op := range opts {
 op(cond)
 }
- return &podToCIDR{rc: cond}
+ return &podToCIDR{
+ ScenarioBase: check.NewScenarioBase(),
+ rc: cond,
+ }
 }
 // podToCIDR implements a Scenario.
 type podToCIDR struct {
+ check.ScenarioBase
+
 rc *retryCondition
 }
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/upgrade.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/upgrade.go
index 07be99da81..a98404fcac 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/upgrade.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/upgrade.go
@@ -31,10 +31,14 @@ import (
 // counters, and compares them against the previously stored ones. A mismatch
 // indicates that a connection was interrupted.
 func NoInterruptedConnections() check.Scenario {
- return &noInterruptedConnections{}
+ return &noInterruptedConnections{
+ ScenarioBase: check.NewScenarioBase(),
+ }
 }
-type noInterruptedConnections struct{}
+type noInterruptedConnections struct {
+ check.ScenarioBase
+}
 func (n *noInterruptedConnections) Name() string {
 return "no-interrupted-connections"
@@ -56,6 +60,22 @@ func (n *noInterruptedConnections) Run(ctx context.Context, t *check.Test) {
 for _, pod := range pods.Items {
 restartCount[pod.GetObjectMeta().GetName()] = strconv.Itoa(int(pod.Status.ContainerStatuses[0].RestartCount))
 }
+
+ if ct.ShouldRunConnDisruptNSTraffic() {
+ pods, err = client.ListPods(ctx, ct.Params().TestNamespace, metav1.ListOptions{LabelSelector: "kind=" + check.KindTestConnDisruptNSTraffic})
+ if err != nil {
+ t.Fatalf("Unable to list test-conn-disrupt-ns-traffic pods: %s", err)
+ }
+ if len(pods.Items) == 0 {
+ t.Fatal("No test-conn-disrupt-{client,server} for NS traffic pods found")
+ }
+
+ for _, pod := range pods.Items {
+ restartCount[pod.GetObjectMeta().GetName()] = strconv.Itoa(int(pod.Status.ContainerStatuses[0].RestartCount))
+ }
+ } else {
+ ct.Info("Skipping conn-disrupt-test for NS traffic")
+ }
 }
 // Only store restart counters which will be used later when running the same
diff --git a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/world.go b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/world.go
index d886a786e3..a5f2a6188b 100644
--- a/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/world.go
+++ b/vendor/github.com/cilium/cilium/cilium-cli/connectivity/tests/world.go
@@ -30,11 +30,16 @@ func PodToWorld(opts ...RetryOption) check.Scenario { for _, op := range opts { op(cond) } - return &podToWorld{rc: cond} + return &podToWorld{ + ScenarioBase: check.NewScenarioBase(), + rc: cond, + } } // podToWorld implements a Scenario. type podToWorld struct { + check.ScenarioBase + rc *retryCondition } @@ -85,11 +90,15 @@ func (s *podToWorld) Run(ctx context.Context, t *check.Test) { // PodToWorld2 sends an HTTPS request to ExternalOtherTarget from random client // Pods. func PodToWorld2() check.Scenario { - return &podToWorld2{} + return &podToWorld2{ + ScenarioBase: check.NewScenarioBase(), + } } // podToWorld2 implements a Scenario. -type podToWorld2 struct{} +type podToWorld2 struct { + check.ScenarioBase +} func (s *podToWorld2) Name() string { return "pod-to-world-2" @@ -122,7 +131,8 @@ func (s *podToWorld2) Run(ctx context.Context, t *check.Test) { // PodToWorldWithTLSIntercept sends an HTTPS request to one.one.one.one (default value of ExternalTarget) from from random client func PodToWorldWithTLSIntercept(curlOpts ...string) check.Scenario { s := &podToWorldWithTLSIntercept{ - curlOpts: []string{"--cacert", "/tmp/test-ca.crt"}, // skip TLS verification as it will be our internal cert + curlOpts: []string{"--cacert", "/tmp/test-ca.crt"}, // skip TLS verification as it will be our internal cert + ScenarioBase: check.NewScenarioBase(), } s.curlOpts = append(s.curlOpts, curlOpts...) @@ -132,6 +142,8 @@ func PodToWorldWithTLSIntercept(curlOpts ...string) check.Scenario { // podToWorldWithTLSIntercept implements a Scenario. type podToWorldWithTLSIntercept struct { + check.ScenarioBase + curlOpts []string } 
@@ -175,8 +187,9 @@ func (s *podToWorldWithTLSIntercept) Run(ctx context.Context, t *check.Test) { // The goal is to make sure the secret update path is verified. func PodToWorldWithExtraTLSIntercept(caName string, curlOpts ...string) check.Scenario { s := &podToWorldWithExtraTLSIntercept{ - caName: caName, - curlOpts: []string{"--cacert", "/tmp/test-ca.crt"}, // skip TLS verification as it will be our internal cert + caName: caName, + curlOpts: []string{"--cacert", "/tmp/test-ca.crt"}, // skip TLS verification as it will be our internal cert + ScenarioBase: check.NewScenarioBase(), } s.curlOpts = append(s.curlOpts, curlOpts...) @@ -185,6 +198,8 @@ func PodToWorldWithExtraTLSIntercept(caName string, curlOpts ...string) check.Sc } type podToWorldWithExtraTLSIntercept struct { + check.ScenarioBase + caName string curlOpts []string } diff --git a/vendor/github.com/cilium/cilium/cilium-cli/defaults/defaults.go b/vendor/github.com/cilium/cilium/cilium-cli/defaults/defaults.go index b4095700f7..100efc0948 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/defaults/defaults.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/defaults/defaults.go @@ -32,6 +32,7 @@ const ( RelayContainerName = "hubble-relay" RelayDeploymentName = "hubble-relay" RelayConfigMapName = "hubble-relay-config" + RelayPodSelector = "app.kubernetes.io/name=hubble-relay" HubbleUIDeploymentName = "hubble-ui" @@ -53,7 +54,6 @@ const ( ClusterMeshAdminSecretName = "clustermesh-apiserver-admin-cert" ClusterMeshClientSecretName = "clustermesh-apiserver-client-cert" ClusterMeshRemoteSecretName = "clustermesh-apiserver-remote-cert" - ClusterMeshExternalWorkloadSecretName = "clustermesh-apiserver-external-workload-cert" ClusterMeshConnectionModeBidirectional = "bidirectional" ClusterMeshConnectionModeMesh = "mesh" ClusterMeshConnectionModeUnicast = "unicast" 
@@ -78,7 +78,7 @@ const ( // renovate: datasource=docker ConnectivityTestFRRImage = "quay.io/frrouting/frr:10.2.1@sha256:c8543d3e0a1348cc0f2b19154fd8b0300e237773dbec65d9d6d6570c1d088deb" // renovate: datasource=docker - ConnectivityTestSocatImage = "docker.io/alpine/socat:1.8.0.1@sha256:d95d6a210a87164533d444e8d7ebd586231b3387a27ee7c0732ade3d6c3b0f4d" + ConnectivityTestSocatImage = "docker.io/alpine/socat:1.8.0.1@sha256:e899028c84c1a1e65bb14821b0802a683a2cffbff96c9ac02ff1d9cbb03f64e6" ConfigMapName = "cilium-config" @@ -173,6 +173,7 @@ var ( "inbound_state_invalid", // XfrmInStateInvalid } + LogCodeOwners = false LogCheckLevels = []string{ LogLevelError, LogLevelWarning, diff --git a/vendor/github.com/cilium/cilium/cilium-cli/k8s/client.go b/vendor/github.com/cilium/cilium/cilium-cli/k8s/client.go index 191600ba04..0b58d0af9e 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/k8s/client.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/k8s/client.go @@ -43,6 +43,7 @@ import ( _ "k8s.io/client-go/plugin/pkg/client/auth" // Register all auth providers (azure, gcp, oidc, openstack, ..) "k8s.io/client-go/rest" clientcmdapi "k8s.io/client-go/tools/clientcmd/api" + "k8s.io/client-go/tools/portforward" "k8s.io/client-go/transport/spdy" "github.com/cilium/cilium/api/v1/models" @@ -239,6 +240,10 @@ func (c *Client) GetDeployment(ctx context.Context, namespace, name string, opts return c.Clientset.AppsV1().Deployments(namespace).Get(ctx, name, opts) } +func (c *Client) ListDeployment(ctx context.Context, namespace string, options metav1.ListOptions) (*appsv1.DeploymentList, error) { + return c.Clientset.AppsV1().Deployments(namespace).List(ctx, options) +} + func (c *Client) DeleteDeployment(ctx context.Context, namespace, name string, opts metav1.DeleteOptions) error { return c.Clientset.AppsV1().Deployments(namespace).Delete(ctx, name, opts) } 
@@ -323,9 +328,9 @@ func (c *Client) PodLogs(namespace, name string, opts *corev1.PodLogOptions) *re return c.Clientset.CoreV1().Pods(namespace).GetLogs(name, opts) } -func (c *Client) CiliumLogs(ctx context.Context, namespace, pod string, since time.Time, previous bool) (string, error) { +func (c *Client) ContainerLogs(ctx context.Context, namespace, pod, containerName string, since time.Time, previous bool) (string, error) { opts := &corev1.PodLogOptions{ - Container: defaults.AgentContainerName, + Container: containerName, Timestamps: true, SinceTime: &metav1.Time{Time: since}, Previous: previous, @@ -681,22 +686,6 @@ func (c *Client) PatchNode(ctx context.Context, nodeName string, pt types.PatchT return c.Clientset.CoreV1().Nodes().Patch(ctx, nodeName, pt, data, metav1.PatchOptions{}) } -func (c *Client) ListCiliumExternalWorkloads(ctx context.Context, opts metav1.ListOptions) (*ciliumv2.CiliumExternalWorkloadList, error) { - return c.CiliumClientset.CiliumV2().CiliumExternalWorkloads().List(ctx, opts) -} - -func (c *Client) GetCiliumExternalWorkload(ctx context.Context, name string, opts metav1.GetOptions) (*ciliumv2.CiliumExternalWorkload, error) { - return c.CiliumClientset.CiliumV2().CiliumExternalWorkloads().Get(ctx, name, opts) -} - -func (c *Client) CreateCiliumExternalWorkload(ctx context.Context, cew *ciliumv2.CiliumExternalWorkload, opts metav1.CreateOptions) (*ciliumv2.CiliumExternalWorkload, error) { - return c.CiliumClientset.CiliumV2().CiliumExternalWorkloads().Create(ctx, cew, opts) -} - -func (c *Client) DeleteCiliumExternalWorkload(ctx context.Context, name string, opts metav1.DeleteOptions) error { - return c.CiliumClientset.CiliumV2().CiliumExternalWorkloads().Delete(ctx, name, opts) -} - func (c *Client) ListCiliumNetworkPolicies(ctx context.Context, namespace string, opts metav1.ListOptions) (*ciliumv2.CiliumNetworkPolicyList, error) { return c.CiliumClientset.CiliumV2().CiliumNetworkPolicies(namespace).List(ctx, opts) } 
@@ -824,6 +813,39 @@ func (c *Client) ProxyGet(ctx context.Context, namespace, name, url string) (str return string(rawbody), nil } +func (c *Client) createDialer(url *url.URL) (httpstream.Dialer, error) { + var errWebsocket, errSPDY error + + // We cannot control if errors from these constructors are due to lack of server support. + // In the case of such errors, ignore them and later chose which dialer to return. + dialerWebsocket, errWebsocket := portforward.NewSPDYOverWebsocketDialer(url, c.Config) + + transport, upgrader, errSPDY := spdy.RoundTripperFor(c.Config) + dialerSPDY := spdy.NewDialer(upgrader, &http.Client{Transport: transport}, http.MethodPost, url) + + // NewFallBackDialer returns a httpstream.Dialer which attempts a + // connection with a primry dialer and a secondary dialer. However, it + // does this by calling a method on both the primary and secondary + // dialers. This means that both of them must not be nil if we want to + // avoid a crash. Therefore, if either primary or secondary encountered + // an error, return the other one. + if errSPDY != nil && errWebsocket == nil { + return dialerWebsocket, nil + } + if errWebsocket != nil && errSPDY == nil { + return dialerSPDY, nil + } + + if errSPDY != nil && errWebsocket != nil { + return nil, fmt.Errorf("Error while creating k8s dialer: (websocket) %w, (spdy) %w", errWebsocket, errSPDY) + } + + dialerFallback := portforward.NewFallbackDialer(dialerWebsocket, dialerSPDY, func(err error) bool { + return httpstream.IsUpgradeFailure(err) || httpstream.IsHTTPSProxyError(err) + }) + return dialerFallback, nil +} + func (c *Client) ProxyTCP(ctx context.Context, namespace, name string, port uint16, handler func(io.ReadWriteCloser) error) error { request := c.Clientset.CoreV1().RESTClient().Post(). Resource(corev1.ResourcePods.String()). 
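Review bot: The error built in createDialer, `fmt.Errorf("Error while creating k8s dialer: (websocket) %w, (spdy) %w", ...)`, starts with a capital and an "Error" prefix, which reads badly once ProxyTCP returns it unwrapped in place of the old `creating round tripper: %w`. Something like `fmt.Errorf("creating k8s dialer: websocket: %w, spdy: %w", errWebsocket, errSPDY)` chains cleanly. When only one constructor fails its error is dropped without a trace, so a comment or debug log naming the discarded error would help when the fallback transport is chosen unexpectedly. The parameter name `url` also shadows the `net/url` package inside the function; `u` avoids that. The same three points apply to newExecutor in the k8s/exec.go hunk.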
@@ -831,13 +853,11 @@ func (c *Client) ProxyTCP(ctx context.Context, namespace, name string, port uint Name(name). SubResource("portforward") - transport, upgrader, err := spdy.RoundTripperFor(c.Config) + dialer, err := c.createDialer(request.URL()) if err != nil { - return fmt.Errorf("creating round tripper: %w", err) + return err } - dialer := spdy.NewDialer(upgrader, &http.Client{Transport: transport}, http.MethodPost, request.URL()) - const portForwardProtocolV1Name = "portforward.k8s.io" conn, proto, err := dialer.Dial(portForwardProtocolV1Name) if err != nil { diff --git a/vendor/github.com/cilium/cilium/cilium-cli/k8s/exec.go b/vendor/github.com/cilium/cilium/cilium-cli/k8s/exec.go index 7a6d387e72..df9c64304a 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/k8s/exec.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/k8s/exec.go @@ -7,9 +7,12 @@ import ( "context" "fmt" "io" + "net/url" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/util/httpstream" + "k8s.io/client-go/rest" "k8s.io/client-go/tools/remotecommand" "github.com/cilium/cilium/cilium-cli/k8s/internal" 
@@ -23,6 +26,41 @@ type ExecParameters struct { TTY bool // fuses stderr into stdout if 'true', needed for Ctrl-C support } +func newExecutor(config *rest.Config, url *url.URL) (remotecommand.Executor, error) { + var errWebsocket, errSPDY error + + // We cannot control if errors from these constructors are due to lack of server support. + // In the case of such errors, ignore them and later chose which executor to return. + execWebsocket, errWebsocket := remotecommand.NewWebSocketExecutor(config, "GET", url.String()) + execSPDY, errSPDY := remotecommand.NewSPDYExecutor(config, "POST", url) + + // NewFallBackExecutor returns a remotecommand.Executor which attempts + // a connection with a primry executor and a secondary executor. + // However, it does this by calling a method on both the primary and + // secondary executors passed to it. This means that both of them must + // not be nil if we want to avoid a crash. Therefore, if one of them + // encountered an error, return the other one. + if errSPDY != nil && errWebsocket == nil { + return execWebsocket, nil + } + if errWebsocket != nil && errSPDY == nil { + return execSPDY, nil + } + + if errSPDY != nil && errWebsocket != nil { + return nil, fmt.Errorf("Error while creating k8s executor: (websocket) %w, (spdy) %w", errWebsocket, errSPDY) + } + + execFallback, errFallback := remotecommand.NewFallbackExecutor(execWebsocket, execSPDY, func(err error) bool { + return httpstream.IsUpgradeFailure(err) || httpstream.IsHTTPSProxyError(err) + }) + if errFallback != nil { + return nil, fmt.Errorf("Error while creating k8s executor: %w", errFallback) + } + + return execFallback, nil +} + func (c *Client) execInPodWithWriters(connCtx, killCmdCtx context.Context, p ExecParameters, stdout, stderr io.Writer) error { req := c.Clientset.CoreV1().RESTClient().Post().Resource("pods").Name(p.Pod).Namespace(p.Namespace).SubResource("exec") 
@@ -43,9 +81,9 @@ func (c *Client) execInPodWithWriters(connCtx, killCmdCtx context.Context, p Exe } req.VersionedParams(execOpts, parameterCodec) - exec, err := remotecommand.NewSPDYExecutor(c.Config, "POST", req.URL()) + exec, err := newExecutor(c.Config, req.URL()) if err != nil { - return fmt.Errorf("error while creating executor: %w", err) + return err } var stdin io.ReadCloser diff --git a/vendor/github.com/cilium/cilium/cilium-cli/status/k8s.go b/vendor/github.com/cilium/cilium/cilium-cli/status/k8s.go index e1de33cdcf..224646455b 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/status/k8s.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/status/k8s.go @@ -60,6 +60,10 @@ type K8sStatusParameters struct { // Interactive specifies whether the summary output refreshes after each // retry when --wait flag is specified. Interactive bool + + // Verbose increases the verbosity of certain output, such as Cilium + // error logs on failure. + Verbose bool } type K8sStatusCollector struct { @@ -76,7 +80,7 @@ type k8sImplementation interface { GetDeployment(ctx context.Context, namespace, name string, options metav1.GetOptions) (*appsv1.Deployment, error) ListPods(ctx context.Context, namespace string, options metav1.ListOptions) (*corev1.PodList, error) ListCiliumEndpoints(ctx context.Context, namespace string, options metav1.ListOptions) (*ciliumv2.CiliumEndpointList, error) - CiliumLogs(ctx context.Context, namespace, pod string, since time.Time, previous bool) (string, error) + ContainerLogs(ctx context.Context, namespace, pod, container string, since time.Time, previous bool) (string, error) } func NewK8sStatusCollector(client k8sImplementation, params K8sStatusParameters) (*K8sStatusCollector, error) { 
@@ -419,6 +423,101 @@ type statusTask struct { task func(_ context.Context) error } +// logComponentTask returns a task to gather logs from a Cilium component +// other than the cilium-agent (which needs special care as it's a DaemonSet). +func (k *K8sStatusCollector) logComponentTask(status *Status, namespace, deployment, podName, containerName string, containerStatus *corev1.ContainerStatus) statusTask { + return statusTask{ + name: podName, + task: func(ctx context.Context) error { + var err error + + if containerStatus == nil || containerStatus.State.Running == nil { + desc := "is not running" + + // determine CrashLoopBackOff status and get last log line, if available. + if containerStatus != nil { + if containerStatus.State.Waiting != nil && containerStatus.State.Waiting.Reason == "CrashLoopBackOff" { + desc = "is in CrashLoopBackOff" + } + if containerStatus.LastTerminationState.Terminated != nil { + terminated := containerStatus.LastTerminationState.Terminated + desc = fmt.Sprintf("%s, pulling previous Pod logs for further investigation", desc) + + getPrevious := false + if containerStatus.RestartCount > 0 { + getPrevious = true + } + logs, errLogCollection := k.client.ContainerLogs(ctx, namespace, podName, containerName, terminated.FinishedAt.Time.Add(-2*time.Minute), getPrevious) + if errLogCollection != nil { + status.CollectionError(fmt.Errorf("failed to gather logs from %s:%s:%s: %w", namespace, podName, containerName, err)) + } else if logs != "" { + lastLog := k.processLogs(logs) + err = fmt.Errorf("container %s %s:\n%s", containerName, desc, lastLog) + } + } + } + } + + status.mutex.Lock() + defer status.mutex.Unlock() + + if err != nil { + status.AddAggregatedError(deployment, podName, err) + } + + return nil + }, + } +} + +func (k *K8sStatusCollector) processLogs(logs string) string { + logs = strings.TrimSpace(logs) + if k.params.Verbose { + return logs + } + + // If the log is small, just print the whole thing. 
+ context := 5 // lines + lines := strings.Split(logs, "\n") + if len(lines) <= context*2 { + return logs + } + + // There's a few critical things in most logs: + // - A few of the oldest lines from initial startup + // - A few of the newest lines with the final error + // - Anything marked with warning level or higher severity + truncated := false + result := lines[:context] + for i := context; i < len(lines); i++ { + // Always keep the end of the log + if i >= len(lines)-context { + result = append(result, lines[i]) + continue + } + + // Keep serious-looking logs + switch { + case strings.Contains(lines[i], "level=warn"): + result = append(result, lines[i]) + truncated = false + case strings.Contains(lines[i], "level=err"): + result = append(result, lines[i]) + truncated = false + case strings.Contains(lines[i], "level=fatal"): + result = append(result, lines[i]) + truncated = false + default: + if !truncated { + result = append(result, "<...>") + truncated = true + } + } + } + + return strings.Join(result, "\n") +} + func (k *K8sStatusCollector) status(ctx context.Context, cancel context.CancelFunc) *Status { status := newStatus() tasks := []statusTask{ 
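Review bot: In logComponentTask the log-collection failure is wrapped with the wrong variable: `fmt.Errorf("failed to gather logs from %s:%s:%s: %w", namespace, podName, containerName, err)` passes the outer `err`, which is still nil at that point, so the cause held in `errLogCollection` is lost and the message ends in `%!w(<nil>)`. The last argument should be `errLogCollection`. Separately, processLogs starts from `result := lines[:context]` and appends into the same backing array as `lines`; this is safe only because the write index never passes `i`, so a short comment stating that invariant (or starting from a copy of the prefix) would protect it from later edits.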
@@ -655,31 +754,9 @@ func (k *K8sStatusCollector) status(ctx context.Context, cancel context.CancelFu terminated := containerStatus.LastTerminationState.Terminated desc = fmt.Sprintf("%s, exited with code %d", desc, terminated.ExitCode) - // capture final log line, maybe it's useful - // either from container message or a separate logs request - dyingGasp := "" + // capture final log line from container termination message, maybe it's useful if terminated.Message != "" { lastLog = strings.TrimSpace(terminated.Message) - } else { - agentLogsOnce.Do(func() { // in a sync.Once so we don't waste time retrieving lots of logs - var getPrevious bool - if containerStatus.RestartCount > 0 { - getPrevious = true - } - logs, err := k.client.CiliumLogs(ctx, pod.Namespace, pod.Name, terminated.FinishedAt.Time.Add(-2*time.Minute), getPrevious) - if err == nil && logs != "" { - dyingGasp = strings.TrimSpace(logs) - } - }) - } - - // output the last few log lines if available - if dyingGasp != "" { - lines := strings.Split(dyingGasp, "\n") - lastLog = "" - for i := 0; i < min(len(lines), 50); i++ { - lastLog += fmt.Sprintf("\n%s", lines[i]) - } } } } 
@@ -702,6 +779,60 @@ func (k *K8sStatusCollector) status(ctx context.Context, cancel context.CancelFu return nil }, }) + agentLogsOnce.Do(func() { // in a sync.Once so we don't waste time retrieving lots of logs + tasks = append(tasks, k.logComponentTask(status, pod.Namespace, defaults.AgentDaemonSetName, pod.Name, defaults.AgentContainerName, containerStatus)) + }) + } + }) + if err != nil { + status.CollectionError(err) + } + + err = k.podStatus(ctx, status, defaults.OperatorDeploymentName, defaults.OperatorPodSelector, func(_ context.Context, status *Status, name string, pod *corev1.Pod) { + if pod.Status.Phase == corev1.PodRunning { + // extract container status + var containerStatus *corev1.ContainerStatus + for i, cStatus := range pod.Status.ContainerStatuses { + if cStatus.Name == defaults.OperatorContainerName { + containerStatus = &pod.Status.ContainerStatuses[i] + break + } + } + tasks = append(tasks, k.logComponentTask(status, pod.Namespace, defaults.OperatorDeploymentName, pod.Name, defaults.OperatorContainerName, containerStatus)) + } + }) + if err != nil { + status.CollectionError(err) + } + + err = k.podStatus(ctx, status, defaults.RelayDeploymentName, defaults.RelayPodSelector, func(_ context.Context, status *Status, name string, pod *corev1.Pod) { + if pod.Status.Phase == corev1.PodRunning { + // extract container status + var containerStatus *corev1.ContainerStatus + for i, cStatus := range pod.Status.ContainerStatuses { + if cStatus.Name == defaults.RelayContainerName { + containerStatus = &pod.Status.ContainerStatuses[i] + break + } + } + tasks = append(tasks, k.logComponentTask(status, pod.Namespace, defaults.RelayDeploymentName, pod.Name, defaults.RelayContainerName, containerStatus)) + } + }) + if err != nil { + status.CollectionError(err) + } + + err = k.podStatus(ctx, status, defaults.ClusterMeshDeploymentName, defaults.ClusterMeshPodSelector, func(_ context.Context, status *Status, name string, pod *corev1.Pod) { + if pod.Status.Phase == 
corev1.PodRunning { + // extract container status + var containerStatus *corev1.ContainerStatus + for i, cStatus := range pod.Status.ContainerStatuses { + if cStatus.Name == defaults.ClusterMeshContainerName { + containerStatus = &pod.Status.ContainerStatuses[i] + break + } + } + tasks = append(tasks, k.logComponentTask(status, pod.Namespace, defaults.ClusterMeshDeploymentName, pod.Name, defaults.ClusterMeshContainerName, containerStatus)) } }) if err != nil { diff --git a/vendor/github.com/cilium/cilium/cilium-cli/sysdump/client.go b/vendor/github.com/cilium/cilium/cilium-cli/sysdump/client.go index 4c52012f43..72afc68692 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/sysdump/client.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/sysdump/client.go @@ -63,7 +63,6 @@ type KubernetesClient interface { ListCiliumEndpoints(ctx context.Context, namespace string, options metav1.ListOptions) (*ciliumv2.CiliumEndpointList, error) ListCiliumEndpointSlices(ctx context.Context, options metav1.ListOptions) (*ciliumv2alpha1.CiliumEndpointSliceList, error) ListCiliumEnvoyConfigs(ctx context.Context, namespace string, options metav1.ListOptions) (*ciliumv2.CiliumEnvoyConfigList, error) - ListCiliumExternalWorkloads(ctx context.Context, options metav1.ListOptions) (*ciliumv2.CiliumExternalWorkloadList, error) ListCiliumLoadBalancerIPPools(ctx context.Context, opts metav1.ListOptions) (*ciliumv2alpha1.CiliumLoadBalancerIPPoolList, error) ListCiliumLocalRedirectPolicies(ctx context.Context, namespace string, options metav1.ListOptions) (*ciliumv2.CiliumLocalRedirectPolicyList, error) ListCiliumNetworkPolicies(ctx context.Context, namespace string, opts metav1.ListOptions) (*ciliumv2.CiliumNetworkPolicyList, error) diff --git a/vendor/github.com/cilium/cilium/cilium-cli/sysdump/constants.go b/vendor/github.com/cilium/cilium/cilium-cli/sysdump/constants.go index 55935d0347..612891f701 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/sysdump/constants.go 
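Review bot: `agentLogsOnce.Do` now fires for the first agent pod the callback sees, and logComponentTask does nothing when that pod's container is running, so the Once can be spent on a healthy pod while a crashing agent visited later gets no log task. Before this change the Once was only entered on the terminated-without-message path. Guarding the call, e.g. `if containerStatus == nil || containerStatus.State.Running == nil { agentLogsOnce.Do(...) }`, keeps the single log pull for a pod that needs it. The enclosing condition starts outside the hunk, so confirm it is not already limited to failing containers. The added operator, relay and clustermesh callbacks also repeat the same container-status lookup and would read better through one small helper.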
+++ b/vendor/github.com/cilium/cilium/cilium-cli/sysdump/constants.go @@ -62,13 +62,11 @@ const ( ciliumSPIREServerConfigMapFileName = "cilium-spire-server-configmap-.yaml" ciliumSPIREServerEntriesFileName = "cilium-spire-server-entries-%s-.json" ciliumIngressesFileName = "ciliumingresses-.yaml" - ciliumEgressNATPoliciesFileName = "ciliumegressnatpolicies-.yaml" ciliumEgressGatewayPoliciesFileName = "ciliumegressgatewaypolicies-.yaml" ciliumEndpointsFileName = "ciliumendpoints-.yaml" ciliumEndpointSlicesFileName = "ciliumendpointslices-.yaml" ciliumEnvoyConfigsFileName = "ciliumenvoyconfigs-.yaml" ciliumEtcdSecretFileName = "cilium-etcd-secrets-secret-.yaml" - ciliumExternalWorkloadFileName = "ciliumexternalworkload-.yaml" ciliumIdentitiesFileName = "ciliumidentities-.yaml" ciliumCIDRGroupsFileName = "ciliumcidrgroups-.yaml" ciliumLocalRedirectPoliciesFileName = "ciliumlocalredirectpolicies-.yaml" diff --git a/vendor/github.com/cilium/cilium/cilium-cli/sysdump/sysdump.go b/vendor/github.com/cilium/cilium/cilium-cli/sysdump/sysdump.go index 5a39e53c55..b99c29d319 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/sysdump/sysdump.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/sysdump/sysdump.go 
@@ -685,26 +685,6 @@ func (c *Collector) Run() error { return nil }, }, - { - Description: "Collecting Cilium egress NAT policies", - Quick: true, - Task: func(ctx context.Context) error { - gvr := schema.GroupVersionResource{ - Group: "cilium.io", - Version: "v2alpha1", - Resource: "ciliumegressnatpolicies", - } - allNamespace := corev1.NamespaceAll - v, err := c.Client.ListUnstructured(ctx, gvr, &allNamespace, metav1.ListOptions{}) - if err != nil { - return fmt.Errorf("failed to collect Cilium egress NAT policies: %w", err) - } - if err := c.WriteYAML(ciliumEgressNATPoliciesFileName, v); err != nil { - return fmt.Errorf("failed to collect Cilium egress NAT policies: %w", err) - } - return nil - }, - }, { Description: "Collecting Cilium Egress Gateway policies", Quick: true, @@ -1468,21 +1448,6 @@ func (c *Collector) Run() error { return fmt.Errorf("could not find running Cilium Pod") }, }, - { - CreatesSubtasks: true, - Description: "Collecting Cilium external workloads", - Quick: true, - Task: func(ctx context.Context) error { - v, err := c.Client.ListCiliumExternalWorkloads(ctx, metav1.ListOptions{}) - if err != nil { - return fmt.Errorf("failed to collect Cilium external workloads: %w", err) - } - if err := c.WriteYAML(ciliumExternalWorkloadFileName, v); err != nil { - return fmt.Errorf("failed to collect Cilium external workloads: %w", err) - } - return nil - }, - }, } if c.Options.HubbleFlowsCount > 0 { diff --git a/vendor/github.com/cilium/cilium/cilium-cli/utils/features/features.go b/vendor/github.com/cilium/cilium/cilium-cli/utils/features/features.go index 925a7f6c7a..e638869a43 100644 --- a/vendor/github.com/cilium/cilium/cilium-cli/utils/features/features.go +++ b/vendor/github.com/cilium/cilium/cilium-cli/utils/features/features.go 
@@ -26,14 +26,15 @@ const ( Tunnel Feature = "tunnel" EndpointRoutes Feature = "endpoint-routes" - KPRMode Feature = "kpr-mode" - KPRExternalIPs Feature = "kpr-external-ips" - KPRGracefulTermination Feature = "kpr-graceful-termination" - KPRHostPort Feature = "kpr-hostport" - KPRSocketLB Feature = "kpr-socket-lb" - KPRSocketLBHostnsOnly Feature = "kpr-socket-lb-hostns-only" - KPRNodePort Feature = "kpr-nodeport" - KPRSessionAffinity Feature = "kpr-session-affinity" + KPRMode Feature = "kpr-mode" + KPRExternalIPs Feature = "kpr-external-ips" + KPRGracefulTermination Feature = "kpr-graceful-termination" + KPRHostPort Feature = "kpr-hostport" + KPRSocketLB Feature = "kpr-socket-lb" + KPRSocketLBHostnsOnly Feature = "kpr-socket-lb-hostns-only" + KPRNodePort Feature = "kpr-nodeport" + KPRNodePortAcceleration Feature = "kpr-nodeport-acceleration" + KPRSessionAffinity Feature = "kpr-session-affinity" BPFLBExternalClusterIP Feature = "bpf-lb-external-clusterip" @@ -382,6 +383,10 @@ func (fs Set) ExtractFromConfigMap(cm *v1.ConfigMap) { Enabled: cm.Data[string(PolicySecretSync)] == "true", } } + + fs[PolicySecretSync] = Status{ + Enabled: cm.Data[string(PolicySecretSync)] == "true", + } } func (fs Set) ExtractFromNodes(nodesWithoutCilium map[string]struct{}) { diff --git a/vendor/github.com/cilium/cilium/hubble/pkg/printer/color.go b/vendor/github.com/cilium/cilium/hubble/pkg/printer/color.go index 1d4171c62a..8623005751 100644 --- a/vendor/github.com/cilium/cilium/hubble/pkg/printer/color.go +++ b/vendor/github.com/cilium/cilium/hubble/pkg/printer/color.go @@ -4,6 +4,8 @@ package printer import ( + "maps" + "slices" "strings" "github.com/fatih/color" 
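Review bot: The assignment added at the end of ExtractFromConfigMap, `fs[PolicySecretSync] = Status{Enabled: cm.Data[string(PolicySecretSync)] == "true"}`, repeats the one in the context lines directly above it, which sits inside a nested block whose condition is outside the hunk. If the unconditional form is intended, the guarded copy is now dead code and should be removed with its condition; if the guard matters, this addition overrides it and looks like a merge artefact. Either way a one-line comment stating which case applies would prevent the duplicate from being "fixed" in the wrong direction.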
@@ -116,3 +118,19 @@ func (c colorer) authTestAlwaysFail(a interface{}) string { func (c colorer) authIsEnabled(a interface{}) string { return c.green.Sprint(a) } + +// compute the list of unique ANSI escape sequences for this colorer. +func (c *colorer) sequences() []string { + unique := make(map[string]struct{}) + for _, v := range c.colors { + seq := v.Sprint("|") + split := strings.Split(seq, "|") + if len(split) != 2 { + // should never happen + continue + } + unique[split[0]] = struct{}{} + unique[split[1]] = struct{}{} + } + return slices.Collect(maps.Keys(unique)) +} diff --git a/vendor/github.com/cilium/cilium/hubble/pkg/printer/printer.go b/vendor/github.com/cilium/cilium/hubble/pkg/printer/printer.go index d08940b9e9..8302efb754 100644 --- a/vendor/github.com/cilium/cilium/hubble/pkg/printer/printer.go +++ b/vendor/github.com/cilium/cilium/hubble/pkg/printer/printer.go @@ -7,7 +7,6 @@ import ( "encoding/json" "errors" "fmt" - "io" "net" "os" "path" @@ -27,32 +26,24 @@ import ( "github.com/cilium/cilium/pkg/time" ) -// Printer for flows. -type Printer struct { - opts Options - line int - tw *tabwriter.Writer - jsonEncoder *json.Encoder - color *colorer -} +const ( + tab = "\t" + newline = "\n" + space = " " -type errWriter struct { - w io.Writer - err error -} + dictSeparator = "------------" -func (ew *errWriter) write(a ...interface{}) { - if ew.err != nil { - return - } - _, ew.err = fmt.Fprint(ew.w, a...) -} + nodeNamesCutOff = 50 +) -func (ew *errWriter) writef(format string, a ...interface{}) { - if ew.err != nil { - return - } - _, ew.err = fmt.Fprintf(ew.w, format, a...) +// Printer for flows. +type Printer struct { + opts Options + line int + tw *tabwriter.Writer + jsonEncoder *json.Encoder + color *colorer + writerBuilder *terminalEscaperBuilder } // New Printer. 
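Review bot: In sequences() the split halves are stored without checking that they are non-empty, so a colour that emits no escape codes (presumably the case when colouring is disabled) would make `v.Sprint("|")` return just `|` and put an empty string into the result that New hands to newTerminalEscaperBuilder. Whether the builder tolerates an empty sequence is not visible here, so skipping empties, `if split[0] != "" { unique[split[0]] = struct{}{} }` and the same for `split[1]`, is the safer form. The returned order is also random because it comes from map iteration; `slices.Sorted(maps.Keys(unique))` makes it deterministic. The doc comment should start with the function name and say that the list feeds the terminal escaper, and the pointer receiver differs from the value receivers used by the neighbouring colorer methods.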
@@ -84,19 +75,11 @@ func New(fopts ...Option) *Printer { p.jsonEncoder = json.NewEncoder(p.opts.w) } + p.writerBuilder = newTerminalEscaperBuilder(p.color.sequences()) + return p } -const ( - tab = "\t" - newline = "\n" - space = " " - - dictSeparator = "------------" - - nodeNamesCutOff = 50 -) - // Close any outstanding operations going on in the printer. func (p *Printer) Close() error { if p.tw != nil { @@ -106,12 +89,6 @@ func (p *Printer) Close() error { return nil } -// WriteErr returns the given msg into the err writer defined in the printer. -func (p *Printer) WriteErr(msg string) error { - _, err := fmt.Fprintln(p.opts.werr, msg) - return err -} - // GetPorts returns source and destination port of a flow. func (p *Printer) GetPorts(f *flowpb.Flow) (string, string) { l4 := f.GetL4() @@ -299,15 +276,15 @@ func (p *Printer) WriteProtoFlow(res *observerpb.GetFlowsResponse) error { switch p.opts.output { case TabOutput: - ew := &errWriter{w: p.tw} + w := p.createTabWriter() src, dst := p.GetHostNames(f) if p.line == 0 { - ew.write("TIMESTAMP", tab) + w.print("TIMESTAMP", tab) if p.opts.nodeName { - ew.write("NODE", tab) + w.print("NODE", tab) } - ew.write( + w.print( "SOURCE", tab, "DESTINATION", tab, "TYPE", tab, 
@@ -315,46 +292,47 @@ func (p *Printer) WriteProtoFlow(res *observerpb.GetFlowsResponse) error { "SUMMARY", newline, ) } - ew.write(fmtTimestamp(p.opts.timeFormat, f.GetTime()), tab) + w.print(fmtTimestamp(p.opts.timeFormat, f.GetTime()), tab) if p.opts.nodeName { - ew.write(f.GetNodeName(), tab) + w.print(f.GetNodeName(), tab) } - ew.write( + w.print( src, tab, dst, tab, GetFlowType(f), tab, p.getVerdict(f), tab, p.getSummary(f), newline, ) - if ew.err != nil { - return fmt.Errorf("failed to write out packet: %w", ew.err) + if w.err != nil { + return fmt.Errorf("failed to write out packet: %w", w.err) } case DictOutput: - ew := &errWriter{w: p.opts.w} + w := p.createStdoutWriter() src, dst := p.GetHostNames(f) if p.line != 0 { // TODO: line length? - ew.write(dictSeparator, newline) + w.print(dictSeparator, newline) } // this is a little crude, but will do for now. should probably find the // longest header and auto-format the keys - ew.write(" TIMESTAMP: ", fmtTimestamp(p.opts.timeFormat, f.GetTime()), newline) + w.print(" TIMESTAMP: ", fmtTimestamp(p.opts.timeFormat, f.GetTime()), newline) if p.opts.nodeName { - ew.write(" NODE: ", f.GetNodeName(), newline) + w.print(" NODE: ", f.GetNodeName(), newline) } - ew.write( + w.print( " SOURCE: ", src, newline, "DESTINATION: ", dst, newline, " TYPE: ", GetFlowType(f), newline, " VERDICT: ", p.getVerdict(f), newline, - " SUMMARY: ", f.GetSummary(), newline, + " SUMMARY: ", p.getSummary(f), newline, ) - if ew.err != nil { - return fmt.Errorf("failed to write out packet: %w", ew.err) + if w.err != nil { + return fmt.Errorf("failed to write out packet: %w", w.err) } case CompactOutput: + w := p.createStdoutWriter() var node string src, dst := p.GetHostNames(f) srcIdentity, dstIdentity := p.GetSecurityIdentities(f) 
@@ -372,7 +350,7 @@ func (p *Printer) WriteProtoFlow(res *observerpb.GetFlowsResponse) error { srcIdentity, dstIdentity = dstIdentity, srcIdentity arrow = "<-" } - _, err := fmt.Fprintf(p.opts.w, + w.printf( "%s%s: %s %s %s %s %s %s %s (%s)\n", fmtTimestamp(p.opts.timeFormat, f.GetTime()), node, @@ -384,8 +362,8 @@ func (p *Printer) WriteProtoFlow(res *observerpb.GetFlowsResponse) error { GetFlowType(f), p.getVerdict(f), p.getSummary(f)) - if err != nil { - return fmt.Errorf("failed to write out packet: %w", err) + if w.err != nil { + return fmt.Errorf("failed to write out packet: %w", w.err) } case JSONLegacyOutput: return p.jsonEncoder.Encode(f) @@ -421,7 +399,7 @@ func joinWithCutOff(elems []string, sep string, targetLen int) string { return fmt.Sprintf("%s (and %d more)", joined, omitted) } -// WriteProtoNodeStatusEvent writes a node status event into the error stream +// WriteProtoNodeStatusEvent writes a node status event into the error stream. func (p *Printer) WriteProtoNodeStatusEvent(r *observerpb.GetFlowsResponse) error { s := r.GetNodeStatus() if s == nil { @@ -442,14 +420,12 @@ func (p *Printer) WriteProtoNodeStatusEvent(r *observerpb.GetFlowsResponse) erro case JSONPBOutput: return json.NewEncoder(p.opts.werr).Encode(r) case DictOutput: + w := p.createStderrWriter() // this is a bit crude, but in case stdout and stderr are interleaved, // we want to make sure the separators are still printed to clearly // separate flows from node events. if p.line != 0 { - _, err := fmt.Fprintln(p.opts.w, dictSeparator) - if err != nil { - return err - } + w.print(dictSeparator + "\n") } else { p.line++ } 
@@ -458,16 +434,17 @@ func (p *Printer) WriteProtoNodeStatusEvent(r *observerpb.GetFlowsResponse) erro if m := s.GetMessage(); len(m) != 0 { message = strconv.Quote(m) } - _, err := fmt.Fprint(p.opts.werr, + w.print( " TIMESTAMP: ", fmtTimestamp(p.opts.timeFormat, r.GetTime()), newline, " STATE: ", s.GetStateChange().String(), newline, " NODES: ", nodeNames, newline, " MESSAGE: ", message, newline, ) - if err != nil { - return fmt.Errorf("failed to write out node status: %w", err) + if w.err != nil { + return fmt.Errorf("failed to write out node status: %w", w.err) } case TabOutput, CompactOutput: + w := p.createStderrWriter() numNodes := len(s.GetNodeNames()) nodeNames := joinWithCutOff(s.GetNodeNames(), ", ", nodeNamesCutOff) prefix := fmt.Sprintf("%s [%s]", fmtTimestamp(p.opts.timeFormat, r.GetTime()), r.GetNodeName()) @@ -482,8 +459,10 @@ func (p *Printer) WriteProtoNodeStatusEvent(r *observerpb.GetFlowsResponse) erro case relaypb.NodeState_NODE_ERROR: msg = fmt.Sprintf("%s: Error %q on %d nodes: %s", prefix, s.GetMessage(), numNodes, nodeNames) } - - return p.WriteErr(msg) + w.print(msg + "\n") + if w.err != nil { + return fmt.Errorf("failed to write out node status: %w", w.err) + } } return nil 
@@ -594,60 +573,61 @@ func (p *Printer) WriteProtoAgentEvent(r *observerpb.GetAgentEventsResponse) err case JSONPBOutput: return p.jsonEncoder.Encode(r) case DictOutput: - ew := &errWriter{w: p.opts.w} + w := p.createStdoutWriter() if p.line != 0 { - ew.write(dictSeparator) + w.print(dictSeparator) } - ew.write(" TIMESTAMP: ", fmtTimestamp(p.opts.timeFormat, r.GetTime()), newline) + w.print(" TIMESTAMP: ", fmtTimestamp(p.opts.timeFormat, r.GetTime()), newline) if p.opts.nodeName { - ew.write(" NODE: ", r.GetNodeName(), newline) + w.print(" NODE: ", r.GetNodeName(), newline) } - ew.write( + w.print( " TYPE: ", e.GetType(), newline, " DETAILS: ", getAgentEventDetails(e, p.opts.timeFormat), newline, ) - if ew.err != nil { - return fmt.Errorf("failed to write out agent event: %w", ew.err) + if w.err != nil { + return fmt.Errorf("failed to write out agent event: %w", w.err) } case TabOutput: - ew := &errWriter{w: p.tw} + w := p.createTabWriter() if p.line == 0 { - ew.write("TIMESTAMP", tab) + w.print("TIMESTAMP", tab) if p.opts.nodeName { - ew.write("NODE", tab) + w.print("NODE", tab) } - ew.write( + w.print( "TYPE", tab, "DETAILS", newline, ) } - ew.write(fmtTimestamp(p.opts.timeFormat, r.GetTime()), tab) + w.print(fmtTimestamp(p.opts.timeFormat, r.GetTime()), tab) if p.opts.nodeName { - ew.write(r.GetNodeName(), tab) + w.print(r.GetNodeName(), tab) } - ew.write( + w.print( e.GetType(), tab, getAgentEventDetails(e, p.opts.timeFormat), newline, ) - if ew.err != nil { - return fmt.Errorf("failed to write out agent event: %w", ew.err) + if w.err != nil { + return fmt.Errorf("failed to write out agent event: %w", w.err) } case CompactOutput: + w := p.createStdoutWriter() var node string if p.opts.nodeName { node = fmt.Sprintf(" [%s]", r.GetNodeName()) } - _, err := fmt.Fprintf(p.opts.w, - "%s%s: %s (%s)\n", + w.printf("%s%s: %s (%s)\n", fmtTimestamp(p.opts.timeFormat, r.GetTime()), node, e.GetType(), - getAgentEventDetails(e, p.opts.timeFormat)) - if err != nil { - return 
fmt.Errorf("failed to write out agent event: %w", err) + getAgentEventDetails(e, p.opts.timeFormat), + ) + if w.err != nil { + return fmt.Errorf("failed to write out agent event: %w", w.err) } } p.line++ @@ -696,17 +676,17 @@ func (p *Printer) WriteProtoDebugEvent(r *observerpb.GetDebugEventsResponse) err case JSONPBOutput: return p.jsonEncoder.Encode(r) case DictOutput: - ew := &errWriter{w: p.opts.w} + w := p.createStdoutWriter() if p.line != 0 { - ew.write(dictSeparator) + w.print(dictSeparator) } - ew.write(" TIMESTAMP: ", fmtTimestamp(p.opts.timeFormat, r.GetTime()), newline) + w.print(" TIMESTAMP: ", fmtTimestamp(p.opts.timeFormat, r.GetTime()), newline) if p.opts.nodeName { - ew.write(" NODE: ", r.GetNodeName(), newline) + w.print(" NODE: ", r.GetNodeName(), newline) } - ew.write( + w.print( "", " TYPE: ", e.GetType(), newline, " FROM: ", fmtEndpointShort(e.GetSource()), newline, 
@@ -714,43 +694,43 @@ func (p *Printer) WriteProtoDebugEvent(r *observerpb.GetDebugEventsResponse) err " CPU: ", fmtCPU(e.GetCpu()), newline, " MESSAGE: ", e.GetMessage(), newline, ) - if ew.err != nil { - return fmt.Errorf("failed to write out debug event: %w", ew.err) + if w.err != nil { + return fmt.Errorf("failed to write out debug event: %w", w.err) } case TabOutput: - ew := &errWriter{w: p.tw} + w := p.createTabWriter() if p.line == 0 { - ew.write("TIMESTAMP", tab) + w.print("TIMESTAMP", tab) if p.opts.nodeName { - ew.write("NODE", tab) + w.print("NODE", tab) } - ew.write( + w.print( "FROM", tab, tab, "TYPE", tab, "CPU/MARK", tab, "MESSAGE", newline, ) } - ew.write(fmtTimestamp(p.opts.timeFormat, r.GetTime()), tab) + w.print(fmtTimestamp(p.opts.timeFormat, r.GetTime()), tab) if p.opts.nodeName { - ew.write(r.GetNodeName(), tab) + w.print(r.GetNodeName(), tab) } - ew.write( + w.print( fmtEndpointShort(e.GetSource()), tab, tab, e.GetType(), tab, fmtCPU(e.GetCpu()), space, fmtHexUint32(e.GetHash()), tab, e.GetMessage(), newline, ) - if ew.err != nil { - return fmt.Errorf("failed to write out debug event: %w", ew.err) + if w.err != nil { + return fmt.Errorf("failed to write out debug event: %w", w.err) } case CompactOutput: + w := p.createStdoutWriter() var node string if p.opts.nodeName { node = fmt.Sprintf(" [%s]", r.GetNodeName()) } - _, err := fmt.Fprintf(p.opts.w, - "%s%s: %s %s MARK: %s CPU: %s (%s)\n", + w.printf("%s%s: %s %s MARK: %s CPU: %s (%s)\n", fmtTimestamp(p.opts.timeFormat, r.GetTime()), node, fmtEndpointShort(e.GetSource()), @@ -759,8 +739,8 @@ func (p *Printer) WriteProtoDebugEvent(r *observerpb.GetDebugEventsResponse) err fmtCPU(e.GetCpu()), e.GetMessage(), ) - if err != nil { - return fmt.Errorf("failed to write out debug event: %w", err) + if w.err != nil { + return fmt.Errorf("failed to write out debug event: %w", w.err) } } p.line++ 
@@ -806,8 +786,12 @@ func (p *Printer) WriteGetFlowsResponse(res *observerpb.GetFlowsResponse) error return nil default: if p.opts.enableDebug { + w := p.createStderrWriter() msg := fmt.Sprintf("unknown response type: %+v", r) - return p.WriteErr(msg) + w.print(msg + "\n") + if w.err != nil { + return fmt.Errorf("failed to write out flow response: %w", w.err) + } } return nil } @@ -835,8 +819,8 @@ func (p *Printer) WriteServerStatusResponse(res *observerpb.ServerStatusResponse switch p.opts.output { case TabOutput: - ew := &errWriter{w: p.tw} - ew.write( + w := p.createTabWriter() + w.print( "NUM FLOWS", tab, "MAX FLOWS", tab, "SEEN FLOWS", tab, @@ -854,12 +838,12 @@ func (p *Printer) WriteServerStatusResponse(res *observerpb.ServerStatusResponse numUnavailableNodes, tab, res.GetVersion(), newline, ) - if ew.err != nil { - return fmt.Errorf("failed to write out server status: %w", ew.err) + if w.err != nil { + return fmt.Errorf("failed to write out server status: %w", w.err) } case DictOutput: - ew := &errWriter{w: p.opts.w} - ew.write( + w := p.createStdoutWriter() + w.print( " NUM FLOWS: ", uint64Grouping(res.GetNumFlows()), newline, " MAX FLOWS: ", uint64Grouping(res.GetMaxFlows()), newline, " SEEN FLOWS: ", uint64Grouping(res.GetSeenFlows()), newline, 
@@ -869,21 +853,21 @@ func (p *Printer) WriteServerStatusResponse(res *observerpb.ServerStatusResponse " NUM UNAVAIL. NODES: ", numUnavailableNodes, newline, " VERSION: ", res.GetVersion(), newline, ) - if ew.err != nil { - return fmt.Errorf("failed to write out server status: %w", ew.err) + if w.err != nil { + return fmt.Errorf("failed to write out server status: %w", w.err) } case CompactOutput: - ew := &errWriter{w: p.opts.w} + w := p.createStdoutWriter() flowsRatio := "" if res.GetMaxFlows() > 0 { flowsRatio = fmt.Sprintf(" (%.2f%%)", (float64(res.GetNumFlows())/float64(res.GetMaxFlows()))*100) } - ew.writef("Current/Max Flows: %v/%v%s\n", uint64Grouping(res.GetNumFlows()), uint64Grouping(res.GetMaxFlows()), flowsRatio) + w.printf("Current/Max Flows: %v/%v%s\n", uint64Grouping(res.GetNumFlows()), uint64Grouping(res.GetMaxFlows()), flowsRatio) if uptime := time.Duration(res.GetUptimeNs()).Seconds(); flowsPerSec == "N/A" && uptime > 0 { flowsPerSec = fmt.Sprintf("%.2f", float64(res.GetSeenFlows())/uptime) } - ew.writef("Flows/s: %s\n", flowsPerSec) + w.printf("Flows/s: %s\n", flowsPerSec) numConnected := res.GetNumConnectedNodes() numUnavailable := res.GetNumUnavailableNodes() @@ -892,7 +876,7 @@ func (p *Printer) WriteServerStatusResponse(res *observerpb.ServerStatusResponse if numUnavailable != nil { total = fmt.Sprintf("/%d", numUnavailable.GetValue()+numConnected.GetValue()) } - ew.writef("Connected Nodes: %d%s\n", numConnected.GetValue(), total) + w.printf("Connected Nodes: %d%s\n", numConnected.GetValue(), total) } if numUnavailable != nil && numUnavailable.GetValue() > 0 { if unavailable := res.GetUnavailableNodes(); unavailable != nil { 
@@ -900,16 +884,16 @@ func (p *Printer) WriteServerStatusResponse(res *observerpb.ServerStatusResponse if numUnavailable.GetValue() > uint32(len(unavailable)) { unavailable = append(unavailable, fmt.Sprintf("and %d more...", numUnavailable.GetValue()-uint32(len(unavailable)))) } - ew.writef("Unavailable Nodes: %d\n - %s\n", + w.printf("Unavailable Nodes: %d\n - %s\n", numUnavailable.GetValue(), strings.Join(unavailable, "\n - "), ) } else { - ew.writef("Unavailable Nodes: %d\n", numUnavailable.GetValue()) + w.printf("Unavailable Nodes: %d\n", numUnavailable.GetValue()) } } - if ew.err != nil { - return fmt.Errorf("failed to write out server status: %w", ew.err) + if w.err != nil { + return fmt.Errorf("failed to write out server status: %w", w.err) } case JSONPBOutput: return p.jsonEncoder.Encode(res) @@ -923,17 +907,17 @@ func (p *Printer) WriteLostEvent(res *observerpb.GetFlowsResponse) error { switch p.opts.output { case TabOutput: - ew := &errWriter{w: p.tw} + w := p.createTabWriter() src := f.GetSource() numEventsLost := f.GetNumEventsLost() cpu := f.GetCpu() if p.line == 0 { - ew.write("TIMESTAMP", tab) + w.print("TIMESTAMP", tab) if p.opts.nodeName { - ew.write("NODE", tab) + w.print("NODE", tab) } - ew.write( + w.print( "SOURCE", tab, "DESTINATION", tab, "TYPE", tab, 
@@ -941,58 +925,58 @@ func (p *Printer) WriteLostEvent(res *observerpb.GetFlowsResponse) error { "SUMMARY", newline, ) } - ew.write("", tab) + w.print("", tab) if p.opts.nodeName { - ew.write("", tab) + w.print("", tab) } - ew.write( + w.print( src, tab, "", tab, "EVENTS LOST", tab, "", tab, fmt.Sprintf("CPU(%d) - %d", cpu.GetValue(), numEventsLost), newline, ) - if ew.err != nil { - return fmt.Errorf("failed to write out packet: %w", ew.err) + if w.err != nil { + return fmt.Errorf("failed to write out packet: %w", w.err) } case DictOutput: - ew := &errWriter{w: p.opts.w} + w := p.createStdoutWriter() src := f.GetSource() numEventsLost := f.GetNumEventsLost() cpu := f.GetCpu() if p.line != 0 { // TODO: line length? - ew.write(dictSeparator, newline) + w.print(dictSeparator, newline) } // this is a little crude, but will do for now. should probably find the // longest header and auto-format the keys - ew.write(" TIMESTAMP: ", "", newline) + w.print(" TIMESTAMP: ", "", newline) if p.opts.nodeName { - ew.write(" NODE: ", "", newline) + w.print(" NODE: ", "", newline) } - ew.write( + w.print( " SOURCE: ", src, newline, " TYPE: ", "EVENTS LOST", newline, " VERDICT: ", "", newline, " SUMMARY: ", fmt.Sprintf("CPU(%d) - %d", cpu.GetValue(), numEventsLost), newline, ) - if ew.err != nil { - return fmt.Errorf("failed to write out packet: %w", ew.err) + if w.err != nil { + return fmt.Errorf("failed to write out packet: %w", w.err) } case CompactOutput: + w := p.createStdoutWriter() src := f.GetSource() numEventsLost := f.GetNumEventsLost() cpu := f.GetCpu() - _, err := fmt.Fprintf(p.opts.w, - "EVENTS LOST: %s CPU(%d) %d\n", + w.printf("EVENTS LOST: %s CPU(%d) %d\n", src, cpu.GetValue(), numEventsLost, ) - if err != nil { - return fmt.Errorf("failed to write out packet: %w", err) + if w.err != nil { + return fmt.Errorf("failed to write out packet: %w", w.err) } case JSONLegacyOutput: return p.jsonEncoder.Encode(f) 
@@ -1002,3 +986,15 @@ func (p *Printer) WriteLostEvent(res *observerpb.GetFlowsResponse) error { p.line++ return nil } + +func (p *Printer) createStdoutWriter() *terminalEscaperWriter { + return p.writerBuilder.NewWriter(p.opts.w) +} + +func (p *Printer) createStderrWriter() *terminalEscaperWriter { + return p.writerBuilder.NewWriter(p.opts.werr) +} + +func (p *Printer) createTabWriter() *terminalEscaperWriter { + return p.writerBuilder.NewWriter(p.tw) +} diff --git a/vendor/github.com/cilium/cilium/hubble/pkg/printer/terminal.go b/vendor/github.com/cilium/cilium/hubble/pkg/printer/terminal.go new file mode 100644 index 0000000000..7890fda10a --- /dev/null +++ b/vendor/github.com/cilium/cilium/hubble/pkg/printer/terminal.go 
@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Hubble
+
+package printer
+
+import (
+ "fmt"
+ "io"
+ "strings"
+)
+
+type terminalEscaperBuilder struct {
+ replacer *strings.Replacer
+}
+
+// newTerminalEscaperBuilder creates a new terminalEscaperBuilder that allows a subset of control
+// sequences, such as a reserved set of colors and their reset sequences.
+func newTerminalEscaperBuilder(allowed []string) *terminalEscaperBuilder {
+ var oldnew []string
+ for _, a := range allowed {
+ oldnew = append(oldnew, a, a)
+ }
+ oldnew = append(oldnew, "\x1b", "^[", "\r", "\\r")
+ return &terminalEscaperBuilder{replacer: strings.NewReplacer(oldnew...)}
+}
+
+func (teb *terminalEscaperBuilder) NewWriter(w io.Writer) *terminalEscaperWriter {
+ return &terminalEscaperWriter{w: w, replacer: teb.replacer}
+}
+
+// terminalEscaperWriter replaces ANSI escape sequences and other terminal special
+// characters to avoid terminal escape character attacks. It stops on the first error
+// encountered and stores its value. The caller is responsible for checking Err()
+// when done writing.
+type terminalEscaperWriter struct {
+ w io.Writer
+ replacer *strings.Replacer
+ err error
+}
+
+func (tew *terminalEscaperWriter) print(a ...interface{}) {
+ if tew.err != nil {
+ return
+ }
+ _, tew.err = tew.replacer.WriteString(tew.w, fmt.Sprint(a...))
+}
+
+func (tew *terminalEscaperWriter) printf(format string, a ...interface{}) {
+ if tew.err != nil {
+ return
+ }
+ _, tew.err = tew.replacer.WriteString(tew.w, fmt.Sprintf(format, a...))
+}
diff --git a/vendor/github.com/cilium/cilium/netlify.toml b/vendor/github.com/cilium/cilium/netlify.toml
new file mode 100644
index 0000000000..ce6d7f8250
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/netlify.toml
@@ -0,0 +1,4 @@
+[build]
+ base = "Documentation/"
+ publish = "_build/html"
+ command = "make html-netlify"
diff --git a/vendor/github.com/cilium/cilium/pkg/bgpv1/types/bgp.go b/vendor/github.com/cilium/cilium/pkg/bgpv1/types/bgp.go index 1541ccd930..b4ffd8aefe 100644 --- a/vendor/github.com/cilium/cilium/pkg/bgpv1/types/bgp.go +++ b/vendor/github.com/cilium/cilium/pkg/bgpv1/types/bgp.go @@ -11,7 +11,6 @@ import ( "github.com/osrg/gobgp/v3/pkg/packet/bgp" "github.com/cilium/cilium/api/v1/models" - v2alpha1api "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1" ) // BGP metric labels 
@@ -57,18 +56,45 @@ type Path struct { UUID []byte // path identifier in underlying implementation } -// NeighborRequest contains neighbor parameters used when enabling or disabling peer -type NeighborRequest struct { - // Deprecated: field kept for backward compatibility. - // - // Both Neighbor and Peer should not be used at the same time. - // Neighbor field is used in BGPv1 and Peer, PeerConfig fields are used in BGPv2. - Neighbor *v2alpha1api.CiliumBGPNeighbor - - Peer *v2alpha1api.CiliumBGPNodePeer - PeerConfig *v2alpha1api.CiliumBGPPeerConfigSpec - // Password is the "AuthSecret" in the Neighbor, fetched from a secret - Password string +// Neighbor is an object representing a single BGP neighbor. It is an analogue +// of GoBGP's Peer object, but only contains minimal fields required for Cilium +// usecases. +type Neighbor struct { + Address netip.Addr + ASN uint32 + AuthPassword string + EbgpMultihop *NeighborEbgpMultihop + RouteReflector *NeighborRouteReflector + Timers *NeighborTimers + Transport *NeighborTransport + GracefulRestart *NeighborGracefulRestart + AfiSafis []*Family +} + +type NeighborTransport struct { + LocalAddress string + LocalPort uint32 + RemotePort uint32 +} + +type NeighborEbgpMultihop struct { + TTL uint32 +} + +type NeighborTimers struct { + ConnectRetry uint64 + HoldTime uint64 + KeepaliveInterval uint64 +} + +type NeighborGracefulRestart struct { + Enabled bool + RestartTime uint32 +} + +type NeighborRouteReflector struct { + Client bool + ClusterID string } // SoftResetDirection defines the direction in which a BGP soft reset should be performed 
@@ -303,13 +329,13 @@ type Router interface { Stop() // AddNeighbor configures BGP peer - AddNeighbor(ctx context.Context, n NeighborRequest) error + AddNeighbor(ctx context.Context, n *Neighbor) error // UpdateNeighbor updates BGP peer - UpdateNeighbor(ctx context.Context, n NeighborRequest) error + UpdateNeighbor(ctx context.Context, n *Neighbor) error // RemoveNeighbor removes BGP peer - RemoveNeighbor(ctx context.Context, n NeighborRequest) error + RemoveNeighbor(ctx context.Context, n *Neighbor) error // ResetNeighbor resets BGP peering with the provided neighbor address ResetNeighbor(ctx context.Context, r ResetNeighborRequest) error diff --git a/vendor/github.com/cilium/cilium/pkg/bgpv1/types/conversions.go b/vendor/github.com/cilium/cilium/pkg/bgpv1/types/conversions.go index cf0440de74..7f6a48737f 100644 --- a/vendor/github.com/cilium/cilium/pkg/bgpv1/types/conversions.go +++ b/vendor/github.com/cilium/cilium/pkg/bgpv1/types/conversions.go @@ -5,6 +5,7 @@ package types import ( "fmt" + "net/netip" "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1" ) 
@@ -265,3 +266,207 @@ func ToAgentFamily(fam v2alpha1.CiliumBGPFamily) Family { Safi: ParseSafi(fam.Safi), } } + +// ToNeighborV1 converts a CiliumBGPNeighbor to Neighbor which can be used +// with Router API. The caller must ensure that the an is not nil. +func ToNeighborV1(an *v2alpha1.CiliumBGPNeighbor, password string) *Neighbor { + n := &Neighbor{} + + n.Address = toPeerAddressV1(an.PeerAddress) + n.ASN = uint32(an.PeerASN) + n.AuthPassword = password + n.EbgpMultihop = toEbgpMultihopV1(an.EBGPMultihopTTL) + n.Timers = toNeighborTimersV1( + an.ConnectRetryTimeSeconds, + an.HoldTimeSeconds, + an.KeepAliveTimeSeconds, + ) + n.Transport = toNeighborTransportV1(an.PeerPort) + n.GracefulRestart = toNeighborGracefulRestartV1(an.GracefulRestart) + n.AfiSafis = toNeighborAfiSafisV1(an.Families) + + return n +} + +func toPeerAddressV1(apiPeerAddress string) netip.Addr { + // API uses CIDR notation, but gobgp uses IP address notation. + prefix, err := netip.ParsePrefix(apiPeerAddress) + if err != nil { + return netip.Addr{} + } + return prefix.Addr() +} + +func toEbgpMultihopV1(apiTTL *int32) *NeighborEbgpMultihop { + if apiTTL == nil { + return nil + } + return &NeighborEbgpMultihop{ + TTL: uint32(*apiTTL), + } +} + +func toNeighborTimersV1(connectRetry, holdTime, keepaliveInterval *int32) *NeighborTimers { + if connectRetry == nil && holdTime == nil && keepaliveInterval == nil { + return nil + } + + timers := &NeighborTimers{} + + if connectRetry != nil { + timers.ConnectRetry = uint64(*connectRetry) + } + + if holdTime != nil { + timers.HoldTime = uint64(*holdTime) + } + + if keepaliveInterval != nil { + timers.KeepaliveInterval = uint64(*keepaliveInterval) + } + + return timers +} + +func toNeighborTransportV1(apiPeerPort *int32) *NeighborTransport { + if apiPeerPort == nil { + return nil + } + return &NeighborTransport{ + RemotePort: uint32(*apiPeerPort), + } +} + +func toNeighborGracefulRestartV1(apiGracefulRestart *v2alpha1.CiliumBGPNeighborGracefulRestart) 
*NeighborGracefulRestart { + if apiGracefulRestart == nil || apiGracefulRestart.RestartTimeSeconds == nil { + return nil + } + return &NeighborGracefulRestart{ + Enabled: apiGracefulRestart.Enabled, + RestartTime: uint32(*apiGracefulRestart.RestartTimeSeconds), + } +} + +func toNeighborAfiSafisV1(apiFamilies []v2alpha1.CiliumBGPFamily) []*Family { + if len(apiFamilies) == 0 { + return nil + } + + afisafis := make([]*Family, 0, len(apiFamilies)) + + for _, apiFamily := range apiFamilies { + afisafis = append(afisafis, &Family{ + Afi: ParseAfi(apiFamily.Afi), + Safi: ParseSafi(apiFamily.Safi), + }) + } + + return afisafis +} + +// ToNeighborV2 converts a CiliumBGPNodePeer to Neighbor which can be used +// with Router API. The caller must ensure that the np, np.PeerAddress, +// np.PeerASN and pc are not nil. +func ToNeighborV2(np *v2alpha1.CiliumBGPNodePeer, pc *v2alpha1.CiliumBGPPeerConfigSpec, password string) *Neighbor { + neighbor := &Neighbor{} + + neighbor.Address = toPeerAddressV2(*np.PeerAddress) + neighbor.ASN = uint32(*np.PeerASN) + neighbor.AuthPassword = password + neighbor.EbgpMultihop = toNeighborEbgpMultihopV2(pc.EBGPMultihop) + neighbor.Timers = toNeighborTimersV2(pc.Timers) + neighbor.Transport = toNeighborTransportV2(np.LocalAddress, pc.Transport) + neighbor.GracefulRestart = toNeighborGracefulRestartV2(pc.GracefulRestart) + neighbor.AfiSafis = toNeighborAfiSafisV2(pc.Families) + + return neighbor +} + +func toPeerAddressV2(peerAddress string) netip.Addr { + addr, err := netip.ParseAddr(peerAddress) + if err != nil { + return netip.Addr{} + } + return addr +} + +func toNeighborEbgpMultihopV2(ebgpMultihop *int32) *NeighborEbgpMultihop { + if ebgpMultihop == nil || *ebgpMultihop <= 1 { + return nil + } + return &NeighborEbgpMultihop{ + TTL: uint32(*ebgpMultihop), + } +} + +func toNeighborTimersV2(apiTimers *v2alpha1.CiliumBGPTimers) *NeighborTimers { + if apiTimers == nil { + return nil + } + + timers := &NeighborTimers{} + + if 
apiTimers.ConnectRetryTimeSeconds != nil { + timers.ConnectRetry = uint64(*apiTimers.ConnectRetryTimeSeconds) + } + + if apiTimers.HoldTimeSeconds != nil { + timers.HoldTime = uint64(*apiTimers.HoldTimeSeconds) + } + + if apiTimers.KeepAliveTimeSeconds != nil { + timers.KeepaliveInterval = uint64(*apiTimers.KeepAliveTimeSeconds) + } + + return timers +} + +func toNeighborTransportV2(apiLocalAddress *string, apiTransport *v2alpha1.CiliumBGPTransport) *NeighborTransport { + if apiLocalAddress == nil && apiTransport == nil { + return nil + } + + transport := &NeighborTransport{} + + if apiLocalAddress != nil { + transport.LocalAddress = *apiLocalAddress + } + + if apiTransport != nil { + if apiTransport.LocalPort != nil { + transport.LocalPort = uint32(*apiTransport.LocalPort) + } + if apiTransport.PeerPort != nil { + transport.RemotePort = uint32(*apiTransport.PeerPort) + } + } + + return transport +} + +func toNeighborGracefulRestartV2(apiGR *v2alpha1.CiliumBGPNeighborGracefulRestart) *NeighborGracefulRestart { + if apiGR == nil || apiGR.RestartTimeSeconds == nil { + return nil + } + return &NeighborGracefulRestart{ + Enabled: apiGR.Enabled, + RestartTime: uint32(*apiGR.RestartTimeSeconds), + } +} + +func toNeighborAfiSafisV2(families []v2alpha1.CiliumBGPFamilyWithAdverts) []*Family { + if len(families) == 0 { + return nil + } + + afiSafis := []*Family{} + + for _, family := range families { + afiSafis = append(afiSafis, &Family{ + Afi: ParseAfi(family.Afi), + Safi: ParseSafi(family.Safi), + }) + } + + return afiSafis +} diff --git a/vendor/github.com/cilium/cilium/pkg/bgpv1/types/fake_router.go b/vendor/github.com/cilium/cilium/pkg/bgpv1/types/fake_router.go index 3c67c35606..66172d2f46 100644 --- a/vendor/github.com/cilium/cilium/pkg/bgpv1/types/fake_router.go +++ b/vendor/github.com/cilium/cilium/pkg/bgpv1/types/fake_router.go 
@@ -19,15 +19,15 @@ func NewFakeRouter() Router { func (f *FakeRouter) Stop() {} -func (f *FakeRouter) AddNeighbor(ctx context.Context, n NeighborRequest) error { +func (f *FakeRouter) AddNeighbor(ctx context.Context, n *Neighbor) error { return nil } -func (f *FakeRouter) UpdateNeighbor(ctx context.Context, n NeighborRequest) error { +func (f *FakeRouter) UpdateNeighbor(ctx context.Context, n *Neighbor) error { return nil } -func (f *FakeRouter) RemoveNeighbor(ctx context.Context, n NeighborRequest) error { +func (f *FakeRouter) RemoveNeighbor(ctx context.Context, n *Neighbor) error { return nil } diff --git a/vendor/github.com/cilium/cilium/pkg/clustermesh/types/types.go b/vendor/github.com/cilium/cilium/pkg/clustermesh/types/types.go index 930e98335f..96dc907479 100644 --- a/vendor/github.com/cilium/cilium/pkg/clustermesh/types/types.go +++ b/vendor/github.com/cilium/cilium/pkg/clustermesh/types/types.go @@ -8,6 +8,8 @@ import ( "fmt" "regexp" + "github.com/cilium/hive/cell" + "github.com/cilium/cilium/pkg/defaults" ) @@ -77,6 +79,20 @@ func ValidateClusterName(name string) error { return nil } +func RegisterClusterInfoValidator(lc cell.Lifecycle, cinfo ClusterInfo) { + lc.Append(cell.Hook{ + OnStart: func(cell.HookContext) error { + if err := cinfo.InitClusterIDMax(); err != nil { + return err + } + if err := cinfo.ValidateStrict(); err != nil { + return err + } + return nil + }, + }) +} + type CiliumClusterConfig struct { ID uint32 `json:"id,omitempty"` diff --git a/vendor/github.com/cilium/cilium/pkg/datapath/linux/probes/probes.go b/vendor/github.com/cilium/cilium/pkg/datapath/linux/probes/probes.go index 05d91502dd..d56ecea540 100644 --- a/vendor/github.com/cilium/cilium/pkg/datapath/linux/probes/probes.go +++ b/vendor/github.com/cilium/cilium/pkg/datapath/linux/probes/probes.go 
@@ -515,69 +515,6 @@ var HaveNetkit = sync.OnceValue(func() error { }) }) -// HaveOuterSourceIPSupport tests whether the kernel support setting the outer -// source IP address via the bpf_skb_set_tunnel_key BPF helper. We can't rely -// on the verifier to reject a program using the new support because the -// verifier just accepts any argument size for that helper; non-supported -// fields will simply not be used. Instead, we set the outer source IP and -// retrieve it with bpf_skb_get_tunnel_key right after. If the retrieved value -// equals the value set, we have a confirmation the kernel supports it. -func HaveOuterSourceIPSupport() (err error) { - defer func() { - if err != nil && !errors.Is(err, ebpf.ErrNotSupported) { - log.WithError(err).Fatal("failed to probe for outer source IP support") - } - }() - - progSpec := &ebpf.ProgramSpec{ - Name: "set_tunnel_key_probe", - Type: ebpf.SchedACT, - License: "GPL", - } - progSpec.Instructions = asm.Instructions{ - asm.Mov.Reg(asm.R8, asm.R1), - - asm.Mov.Imm(asm.R2, 0), - asm.StoreMem(asm.RFP, -8, asm.R2, asm.DWord), - asm.StoreMem(asm.RFP, -16, asm.R2, asm.DWord), - asm.StoreMem(asm.RFP, -24, asm.R2, asm.DWord), - asm.StoreMem(asm.RFP, -32, asm.R2, asm.DWord), - asm.StoreMem(asm.RFP, -40, asm.R2, asm.DWord), - asm.Mov.Imm(asm.R2, 42), - asm.StoreMem(asm.RFP, -44, asm.R2, asm.Word), - asm.Mov.Reg(asm.R2, asm.RFP), - asm.Add.Imm(asm.R2, -44), - asm.Mov.Imm(asm.R3, 44), // sizeof(struct bpf_tunnel_key) when setting the outer source IP is supported. 
- asm.Mov.Imm(asm.R4, 0), - asm.FnSkbSetTunnelKey.Call(), - - asm.Mov.Reg(asm.R1, asm.R8), - asm.Mov.Reg(asm.R2, asm.RFP), - asm.Add.Imm(asm.R2, -44), - asm.Mov.Imm(asm.R3, 44), - asm.Mov.Imm(asm.R4, 0), - asm.FnSkbGetTunnelKey.Call(), - - asm.LoadMem(asm.R0, asm.RFP, -44, asm.Word), - asm.Return(), - } - prog, err := ebpf.NewProgram(progSpec) - if err != nil { - return err - } - defer prog.Close() - - pkt := []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} - ret, _, err := prog.Test(pkt) - if err != nil { - return err - } - if ret != 42 { - return ebpf.ErrNotSupported - } - return nil -} - // HaveSKBAdjustRoomL2RoomMACSupport tests whether the kernel supports the `bpf_skb_adjust_room` helper // with the `BPF_ADJ_ROOM_MAC` mode. To do so, we create a program that requests the passed in SKB // to be expanded by 20 bytes. The helper checks the `mode` argument and will return -ENOSUPP if diff --git a/vendor/github.com/cilium/cilium/pkg/defaults/defaults.go b/vendor/github.com/cilium/cilium/pkg/defaults/defaults.go index 37b52e9c16..6c922670a6 100644 --- a/vendor/github.com/cilium/cilium/pkg/defaults/defaults.go +++ b/vendor/github.com/cilium/cilium/pkg/defaults/defaults.go @@ -331,10 +331,6 @@ const ( // initial allocator state from kvstore before exiting. AllocatorListTimeout = 3 * time.Minute - // K8sWatcherEndpointSelector specifies the k8s endpoints that Cilium - // should watch for. - K8sWatcherEndpointSelector = "metadata.name!=kube-scheduler,metadata.name!=kube-controller-manager,metadata.name!=etcd-operator,metadata.name!=gcp-controller-manager" - // ConntrackGCMaxLRUInterval is the maximum conntrack GC interval when using LRU maps ConntrackGCMaxLRUInterval = 12 * time.Hour @@ -581,6 +577,9 @@ const ( // WireguardTrackAllIPsFallback forces the WireGuard agent to track all IPs. WireguardTrackAllIPsFallback = false + + // ConnectivityProbeFrequencyRatio is the default connectivity probe frequency + ConnectivityProbeFrequencyRatio = 0.5 ) var ( 
diff --git a/vendor/github.com/cilium/cilium/pkg/fqdn/dns/dns.go b/vendor/github.com/cilium/cilium/pkg/fqdn/dns/dns.go index 1c089a7857..b2c5a7faba 100644 --- a/vendor/github.com/cilium/cilium/pkg/fqdn/dns/dns.go +++ b/vendor/github.com/cilium/cilium/pkg/fqdn/dns/dns.go @@ -15,18 +15,27 @@ import "strings" // isFQDN reports whether the domain name s is fully qualified. func isFQDN(s string) bool { - s2 := strings.TrimSuffix(s, ".") - if s == s2 { + // Check for (and remove) a trailing dot, returning if there isn't one. + if s == "" || s[len(s)-1] != '.' { return false } + s = s[:len(s)-1] - i := strings.LastIndexFunc(s2, func(r rune) bool { + // If we don't have an escape sequence before the final dot, we know it's + // fully qualified and can return here. + if s == "" || s[len(s)-1] != '\\' { + return true + } + + // Otherwise we have to check if the dot is escaped or not by checking if + // there are an odd or even number of escape sequences before the dot. + i := strings.LastIndexFunc(s, func(r rune) bool { return r != '\\' }) // Test whether we have an even number of escape sequences before // the dot or none. - return (len(s2)-i)%2 != 0 + return (len(s)-i)%2 != 0 } // FQDN returns the fully qualified domain name from s. diff --git a/vendor/github.com/cilium/cilium/pkg/health/client/client.go b/vendor/github.com/cilium/cilium/pkg/health/client/client.go index c30e1b25f4..e59c1b959e 100644 --- a/vendor/github.com/cilium/cilium/pkg/health/client/client.go +++ b/vendor/github.com/cilium/cilium/pkg/health/client/client.go 
@@ -193,12 +193,13 @@ func SummarizePathConnectivityStatusType(cps []*models.PathStatus) map[Connectiv func formatConnectivityStatus(w io.Writer, cs *models.ConnectivityStatus, path, indent string) { status := cs.Status + lastProbed := cs.LastProbed switch GetConnectivityStatusType(cs) { case ConnStatusReachable: latency := time.Duration(cs.Latency) status = fmt.Sprintf("OK, RTT=%s", latency) } - fmt.Fprintf(w, "%s%s:\t%s\n", indent, path, status) + fmt.Fprintf(w, "%s%s:\t%s\t(Last probed: %s)\n", indent, path, status, lastProbed) } func formatPathStatus(w io.Writer, name string, cp *models.PathStatus, indent string, verbose bool) { @@ -412,8 +413,8 @@ func FormatHealthStatusResponse(w io.Writer, sr *models.HealthStatusResponse, al } } - fmt.Fprintf(w, "Cluster health:\t%d/%d reachable\t(%s)\n", - healthy, len(sr.Nodes), sr.Timestamp) + fmt.Fprintf(w, "Cluster health:\t%d/%d reachable\t(%s)\t(Probe interval: %s)\n", + healthy, len(sr.Nodes), sr.Timestamp, sr.ProbeInterval) fmt.Fprintf(w, "Name\tIP\tNode\tEndpoints\n") diff --git a/vendor/github.com/cilium/cilium/pkg/hive/hive.go b/vendor/github.com/cilium/cilium/pkg/hive/hive.go index 7afee7d1ea..3f37ec5b27 100644 --- a/vendor/github.com/cilium/cilium/pkg/hive/hive.go +++ b/vendor/github.com/cilium/cilium/pkg/hive/hive.go @@ -73,8 +73,8 @@ func New(cells ...cell.Cell) *Hive { // Scope logging and health by module ID. moduleDecorators := []cell.ModuleDecorator{ - func(log logrus.FieldLogger, mid cell.ModuleID) logrus.FieldLogger { - return log.WithField(logfields.LogSubsys, string(mid)) + func(mid cell.ModuleID) logrus.FieldLogger { + return logging.DefaultLogger.WithField(logfields.LogSubsys, string(mid)) }, func(hp types.Provider, fmid cell.FullModuleID) cell.Health { return hp.ForModule(fmid) diff --git a/vendor/github.com/cilium/cilium/pkg/identity/identity.go b/vendor/github.com/cilium/cilium/pkg/identity/identity.go index 39e0375fd9..a9748549b8 100644 
--- a/vendor/github.com/cilium/cilium/pkg/identity/identity.go +++ b/vendor/github.com/cilium/cilium/pkg/identity/identity.go @@ -141,12 +141,6 @@ func (id *Identity) IsWellKnown() bool { return WellKnown.lookupByNumericIdentity(id.ID) != nil } -// IsWellKnownIdentity returns true if the identity represents a well-known -// identity, false otherwise. -func IsWellKnownIdentity(id NumericIdentity) bool { - return WellKnown.lookupByNumericIdentity(id) != nil -} - // NewIdentityFromLabelArray creates a new identity func NewIdentityFromLabelArray(id NumericIdentity, lblArray labels.LabelArray) *Identity { var lbls labels.Labels diff --git a/vendor/github.com/cilium/cilium/pkg/ipcache/types/types.go b/vendor/github.com/cilium/cilium/pkg/ipcache/types/types.go index 988dcf662a..7ce8084744 100644 --- a/vendor/github.com/cilium/cilium/pkg/ipcache/types/types.go +++ b/vendor/github.com/cilium/cilium/pkg/ipcache/types/types.go 
@@ -122,3 +122,40 @@ func (id RequestedIdentity) IsValid() bool {
 func (id RequestedIdentity) ID() identity.NumericIdentity {
 return identity.NumericIdentity(id)
 }
+
+// EndpointFlags represents various flags that can be attached to endpoints in the IPCache
+// This type implements ipcache.IPMetadata
+type EndpointFlags struct {
+ // isInit gets flipped to true on the first intentional flag set
+ // it is a sentinel to distinguish an uninitialized EndpointFlags
+ // from one with all flags set to false
+ isInit bool
+
+ // flagSkipTunnel can be applied to a remote endpoint to signal that
+ // packets destined for said endpoint shall not be forwarded through
+ // an overlay tunnel, regardless of Cilium's configuration.
+ flagSkipTunnel bool
+}
+
+func (e *EndpointFlags) SetSkipTunnel(skip bool) {
+ e.isInit = true
+ e.flagSkipTunnel = skip
+}
+
+func (e EndpointFlags) IsValid() bool {
+ return e.isInit
+}
+
+// Uint8 encoding MUST mimic the one in pkg/maps/ipcache
+// since it will eventually get recast to it
+const (
+ FlagSkipTunnel uint8 = 1 << iota
+)
+
+func (e EndpointFlags) Uint8() uint8 {
+ var flags uint8 = 0
+ if e.flagSkipTunnel {
+ flags = flags | FlagSkipTunnel
+ }
+ return flags
+}
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/register.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/register.go
index 963cab1e9c..e60c79033d 100644
--- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/register.go
+++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/register.go
@@ -15,5 +15,5 @@ const (
 //
 // Maintainers: Run ./Documentation/check-crd-compat-table.sh for each release
 // Developers: Bump patch for each change in the CRD schema.
- CustomResourceDefinitionSchemaVersion = "1.31.0"
+ CustomResourceDefinitionSchemaVersion = "1.31.1"
 )
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/cew_types.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/cew_types.go
deleted file mode 100644
index 8d6081182e..0000000000
--- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/cew_types.go
+++ /dev/null
@@ -1,84 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// Copyright Authors of Cilium
-
-package v2
-
-import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// +genclient
-// +genclient:nonNamespaced
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:resource:categories={cilium},singular="ciliumexternalworkload",path="ciliumexternalworkloads",scope="Cluster",shortName={cew}
-// +kubebuilder:printcolumn:JSONPath=".status.id",name="Cilium ID",type=integer
-// +kubebuilder:printcolumn:JSONPath=".status.ip",name="IP",type=string
-// +kubebuilder:subresource:status
-
-// CiliumExternalWorkload is a Kubernetes Custom Resource that
-// contains a specification for an external workload that can join the
-// cluster. The name of the CRD is the FQDN of the external workload,
-// and it needs to match the name in the workload registration. The
-// labels on the CRD object are the labels that will be used to
-// allocate a Cilium Identity for the external workload. If
-// 'io.kubernetes.pod.namespace' or 'io.kubernetes.pod.name' labels
-// are not explicitly specified, they will be defaulted to 'default'
-// and , respectively. 'io.cilium.k8s.policy.cluster'
-// will always be defined as the name of the current cluster, which
-// defaults to "default".
-type CiliumExternalWorkload struct {
- // +k8s:openapi-gen=false
- // +deepequal-gen=false
- metav1.TypeMeta `json:",inline"`
- // +k8s:openapi-gen=false
- // +deepequal-gen=false
- metav1.ObjectMeta `json:"metadata"`
-
- // Spec is the desired configuration of the external Cilium workload.
- Spec CiliumExternalWorkloadSpec `json:"spec,omitempty"`
-
- // Status is the most recent status of the external Cilium workload.
- // It is a read-only field.
- //
- // +deepequal-gen=false
- // +kubebuilder:validation:Optional
- Status CiliumExternalWorkloadStatus `json:"status"`
-}
-
-// CiliumExternalWorkloadSpec specifies the configurations for redirecting traffic
-// within a workload.
-type CiliumExternalWorkloadSpec struct {
- // IPv4AllocCIDR is the range of IPv4 addresses in the CIDR format that the external workload can
- // use to allocate IP addresses for the tunnel device and the health endpoint.
- //
- // +kubebuilder:validation:Pattern=`^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$`
- IPv4AllocCIDR string `json:"ipv4-alloc-cidr,omitempty"`
-
- // IPv6AllocCIDR is the range of IPv6 addresses in the CIDR format that the external workload can
- // use to allocate IP addresses for the tunnel device and the health endpoint.
- //
- // +kubebuilder:validation:Pattern=`^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$`
- IPv6AllocCIDR string `json:"ipv6-alloc-cidr,omitempty"`
-}
-
-// CiliumExternalWorkloadStatus is the status of a the external Cilium workload.
-type CiliumExternalWorkloadStatus struct {
- // ID is the numeric identity allocated for the external workload.
- ID uint64 `json:"id,omitempty"`
-
- // IP is the IP address of the workload. Empty if the workload has not registered.
- IP string `json:"ip,omitempty"`
-}
-
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +k8s:openapi-gen=false
-// +deepequal-gen=false
-
-// CiliumExternalWorkloadList is a list of CiliumExternalWorkload objects.
-type CiliumExternalWorkloadList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata"` - - // Items is a list of CiliumExternalWorkload - Items []CiliumExternalWorkload `json:"items"` -} diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/register.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/register.go index bea3596cc5..dcd16711b4 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/register.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/register.go @@ -95,17 +95,6 @@ const ( // CLRPName is the full name of Local Redirect Policy CLRPName = CLRPPluralName + "." + CustomResourceDefinitionGroup - // Cilium External Workload (CEW) - - // CEWPluralName is the plural name of Cilium External Workload - CEWPluralName = "ciliumexternalworkloads" - - // CEWKindDefinition is the kind name for Cilium External Workload - CEWKindDefinition = "CiliumExternalWorkload" - - // CEWName is the full name of Cilium External Workload - CEWName = CEWPluralName + "." + CustomResourceDefinitionGroup - // Cilium Cluster Envoy Config (CCEC) // CCECPluralName is the plural name of Cilium Clusterwide Envoy Config @@ -193,8 +182,6 @@ func addKnownTypes(scheme *runtime.Scheme) error { &CiliumNodeList{}, &CiliumNodeConfig{}, &CiliumNodeConfigList{}, - &CiliumExternalWorkload{}, - &CiliumExternalWorkloadList{}, &CiliumIdentity{}, &CiliumIdentityList{}, &CiliumLocalRedirectPolicy{}, diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/zz_generated.deepcopy.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/zz_generated.deepcopy.go index 7e8f288578..8a7648b811 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/zz_generated.deepcopy.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/zz_generated.deepcopy.go 
@@ -420,99 +420,6 @@ func (in *CiliumEnvoyConfigSpec) DeepCopy() *CiliumEnvoyConfigSpec { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *CiliumExternalWorkload) DeepCopyInto(out *CiliumExternalWorkload) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec - out.Status = in.Status - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumExternalWorkload. -func (in *CiliumExternalWorkload) DeepCopy() *CiliumExternalWorkload { - if in == nil { - return nil - } - out := new(CiliumExternalWorkload) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *CiliumExternalWorkload) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *CiliumExternalWorkloadList) DeepCopyInto(out *CiliumExternalWorkloadList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]CiliumExternalWorkload, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumExternalWorkloadList. -func (in *CiliumExternalWorkloadList) DeepCopy() *CiliumExternalWorkloadList { - if in == nil { - return nil - } - out := new(CiliumExternalWorkloadList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *CiliumExternalWorkloadList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *CiliumExternalWorkloadSpec) DeepCopyInto(out *CiliumExternalWorkloadSpec) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumExternalWorkloadSpec. -func (in *CiliumExternalWorkloadSpec) DeepCopy() *CiliumExternalWorkloadSpec { - if in == nil { - return nil - } - out := new(CiliumExternalWorkloadSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *CiliumExternalWorkloadStatus) DeepCopyInto(out *CiliumExternalWorkloadStatus) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumExternalWorkloadStatus. -func (in *CiliumExternalWorkloadStatus) DeepCopy() *CiliumExternalWorkloadStatus { - if in == nil { - return nil - } - out := new(CiliumExternalWorkloadStatus) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CiliumIdentity) DeepCopyInto(out *CiliumIdentity) { *out = *in diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/zz_generated.deepequal.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/zz_generated.deepequal.go index cd75476234..bc9092b444 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/zz_generated.deepequal.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/zz_generated.deepequal.go 
@@ -288,54 +288,6 @@ func (in *CiliumEnvoyConfigSpec) DeepEqual(other *CiliumEnvoyConfigSpec) bool { return true } -// DeepEqual is an autogenerated deepequal function, deeply comparing the -// receiver with other. in must be non-nil. -func (in *CiliumExternalWorkload) DeepEqual(other *CiliumExternalWorkload) bool { - if other == nil { - return false - } - - if in.Spec != other.Spec { - return false - } - - return true -} - -// DeepEqual is an autogenerated deepequal function, deeply comparing the -// receiver with other. in must be non-nil. -func (in *CiliumExternalWorkloadSpec) DeepEqual(other *CiliumExternalWorkloadSpec) bool { - if other == nil { - return false - } - - if in.IPv4AllocCIDR != other.IPv4AllocCIDR { - return false - } - if in.IPv6AllocCIDR != other.IPv6AllocCIDR { - return false - } - - return true -} - -// DeepEqual is an autogenerated deepequal function, deeply comparing the -// receiver with other. in must be non-nil. -func (in *CiliumExternalWorkloadStatus) DeepEqual(other *CiliumExternalWorkloadStatus) bool { - if other == nil { - return false - } - - if in.ID != other.ID { - return false - } - if in.IP != other.IP { - return false - } - - return true -} - // DeepEqual is an autogenerated deepequal function, deeply comparing the // receiver with other. in must be non-nil. func (in *CiliumIdentity) DeepEqual(other *CiliumIdentity) bool { diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/bgp_cluster_types.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/bgp_cluster_types.go index 781ce5198e..204291f6f9 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/bgp_cluster_types.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/bgp_cluster_types.go 
@@ -82,6 +82,15 @@ type CiliumBGPInstance struct { // +kubebuilder:validation:Maximum=4294967295 LocalASN *int64 `json:"localASN,omitempty"` + // LocalPort is the port on which the BGP daemon listens for incoming connections. + // + // If not specified, BGP instance will not listen for incoming connections. + // + // +kubebuilder:validation:Optional + // +kubebuilder:validation:Minimum=1 + // +kubebuilder:validation:Maximum=65535 + LocalPort *int32 `json:"localPort,omitempty"` + // Peers is a list of neighboring BGP peers for this virtual router // // +kubebuilder:validation:Optional diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/gatewayclassconfig_types.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/gatewayclassconfig_types.go new file mode 100644 index 0000000000..01ddc8a82e --- /dev/null +++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/gatewayclassconfig_types.go 
@@ -0,0 +1,130 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package v2alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ corev1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/api/core/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories={cilium},singular="ciliumgatewayclassconfig",path="ciliumgatewayclassconfigs",scope="Namespaced",shortName={cgcc}
+// +kubebuilder:printcolumn:name="Accepted",type=string,JSONPath=`.status.conditions[?(@.type=="Accepted")].status`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:printcolumn:name="Description",type=string,JSONPath=`.spec.description`,priority=1
+// +kubebuilder:subresource:status
+// +kubebuilder:storageversion
+
+// CiliumGatewayClassConfig is a Kubernetes third-party resource which
+// is used to configure Gateways owned by GatewayClass.
+type CiliumGatewayClassConfig struct {
+ // +deepequal-gen=false
+ metav1.TypeMeta `json:",inline"`
+ // +deepequal-gen=false
+ metav1.ObjectMeta `json:"metadata"`
+
+ // Spec is a human-readable of a GatewayClass configuration.
+ //
+ // +kubebuilder:validation:Optional
+ Spec CiliumGatewayClassConfigSpec `json:"spec,omitempty"`
+
+ // Status is the status of the policy.
+ //
+ // +deepequal-gen=false
+ // +kubebuilder:validation:Optional
+ Status CiliumGatewayClassConfigStatus `json:"status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +k8s:openapi-gen=false
+// +deepequal-gen=false
+
+// CiliumGatewayClassConfigList is a list of
+// CiliumGatewayClassConfig objects.
+type CiliumGatewayClassConfigList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata"`
+
+ // Items is a list of CiliumGatewayClassConfigs.
+ Items []CiliumGatewayClassConfig `json:"items"`
+}
+
+// +deepequal-gen=true
+
+type ServiceConfig struct {
+ // Sets the Service.Spec.Type in generated Service objects to the given value.
+ //
+ // +kubebuilder:default="LoadBalancer"
+ Type corev1.ServiceType `json:"type,omitempty"`
+
+ // Sets the Service.Spec.ExternalTrafficPolicy in generated Service objects to the given value.
+ //
+ // +optional
+ // +kubebuilder:default="Cluster"
+ ExternalTrafficPolicy corev1.ServiceExternalTrafficPolicy `json:"externalTrafficPolicy,omitempty"`
+
+ // Sets the Service.Spec.LoadBalancerClass in generated Service objects to the given value.
+ //
+ // +optional
+ LoadBalancerClass *string `json:"loadBalancerClass,omitempty"`
+
+ // Sets the Service.Spec.IPFamilies in generated Service objects to the given value.
+ //
+ // +listType=atomic
+ // +optional
+ IPFamilies []corev1.IPFamily `json:"ipFamilies,omitempty"`
+
+ // Sets the Service.Spec.IPFamilyPolicy in generated Service objects to the given value.
+ //
+ // +optional
+ IPFamilyPolicy *corev1.IPFamilyPolicy `json:"ipFamilyPolicy,omitempty"`
+
+ // Sets the Service.Spec.AllocateLoadBalancerNodePorts in generated Service objects to the given value.
+ //
+ // +optional
+ AllocateLoadBalancerNodePorts *bool `json:"allocateLoadBalancerNodePorts,omitempty"`
+
+ // Sets the Service.Spec.LoadBalancerSourceRanges in generated Service objects to the given value.
+ //
+ // +optional
+ // +listType=atomic
+ LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty"`
+
+ // Sets the Service.Spec.TrafficDistribution in generated Service objects to the given value.
+ //
+ // +optional
+ TrafficDistribution *string `json:"trafficDistribution,omitempty"`
+}
+
+// CiliumGatewayClassConfigSpec specifies all the configuration options for a
+// Cilium managed GatewayClass.
+type CiliumGatewayClassConfigSpec struct {
+ // Description helps describe a GatewayClass configuration with more details.
+ // + // +kubebuilder:validation:MaxLength=64 + // +kubebuilder:validation:Optional + Description *string `json:"description,omitempty"` + + // Service specifies the configuration for the generated Service. + // Note that not all fields from upstream Service.Spec are supported + // + // +kubebuilder:validation:Optional + Service *ServiceConfig `json:"service,omitempty"` +} + +// +deepequal-gen=false + +// CiliumGatewayClassConfigStatus contains the status of a CiliumGatewayClassConfig. +type CiliumGatewayClassConfigStatus struct { + // Current service state + // +optional + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/register.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/register.go index 8446c629e4..9b695656cb 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/register.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/register.go @@ -110,6 +110,12 @@ const ( CPIPPluralName = "ciliumpodippools" CPIPKindDefinition = "CiliumPodIPPool" CPIPName = CPIPPluralName + "." + CustomResourceDefinitionGroup + + // CiliumGatewayClassConfig (CGCC) + CGCCPluralName = "ciliumgatewayclassconfigs" + CGCCListName = "ciliumgatewayclassconfiglists" + CGCCKindDefinition = "CiliumGatewayClassConfig" + CGCCName = CGCCPluralName + "." + CustomResourceDefinitionGroup ) // SchemeGroupVersion is group version used to register these objects @@ -179,6 +185,10 @@ func addKnownTypes(scheme *runtime.Scheme) error { &CiliumBGPNodeConfigList{}, &CiliumBGPNodeConfigOverride{}, &CiliumBGPNodeConfigOverrideList{}, + + // new Gateway API types + &CiliumGatewayClassConfig{}, + &CiliumGatewayClassConfigList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) 
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/zz_generated.deepcopy.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/zz_generated.deepcopy.go index 6a0a23bd17..7146c8073f 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/zz_generated.deepcopy.go @@ -11,6 +11,7 @@ package v2alpha1 import ( models "github.com/cilium/cilium/api/v1/models" v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" + corev1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/api/core/v1" v1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1" api "github.com/cilium/cilium/pkg/policy/api" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -393,6 +394,11 @@ func (in *CiliumBGPInstance) DeepCopyInto(out *CiliumBGPInstance) { *out = new(int64) **out = **in } + if in.LocalPort != nil { + in, out := &in.LocalPort, &out.LocalPort + *out = new(int32) + **out = **in + } if in.Peers != nil { in, out := &in.Peers, &out.Peers *out = make([]CiliumBGPPeer, len(*in)) 
@@ -1451,6 +1457,116 @@ func (in *CiliumEndpointSliceList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CiliumGatewayClassConfig) DeepCopyInto(out *CiliumGatewayClassConfig) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumGatewayClassConfig. +func (in *CiliumGatewayClassConfig) DeepCopy() *CiliumGatewayClassConfig { + if in == nil { + return nil + } + out := new(CiliumGatewayClassConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CiliumGatewayClassConfig) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CiliumGatewayClassConfigList) DeepCopyInto(out *CiliumGatewayClassConfigList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]CiliumGatewayClassConfig, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumGatewayClassConfigList. +func (in *CiliumGatewayClassConfigList) DeepCopy() *CiliumGatewayClassConfigList { + if in == nil { + return nil + } + out := new(CiliumGatewayClassConfigList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *CiliumGatewayClassConfigList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CiliumGatewayClassConfigSpec) DeepCopyInto(out *CiliumGatewayClassConfigSpec) { + *out = *in + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Service != nil { + in, out := &in.Service, &out.Service + *out = new(ServiceConfig) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumGatewayClassConfigSpec. +func (in *CiliumGatewayClassConfigSpec) DeepCopy() *CiliumGatewayClassConfigSpec { + if in == nil { + return nil + } + out := new(CiliumGatewayClassConfigSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CiliumGatewayClassConfigStatus) DeepCopyInto(out *CiliumGatewayClassConfigStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumGatewayClassConfigStatus. +func (in *CiliumGatewayClassConfigStatus) DeepCopy() *CiliumGatewayClassConfigStatus { + if in == nil { + return nil + } + out := new(CiliumGatewayClassConfigStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CiliumL2AnnouncementPolicy) DeepCopyInto(out *CiliumL2AnnouncementPolicy) { *out = *in 
@@ -1982,3 +2098,49 @@ func (in *PeerConfigReference) DeepCopy() *PeerConfigReference { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceConfig) DeepCopyInto(out *ServiceConfig) { + *out = *in + if in.LoadBalancerClass != nil { + in, out := &in.LoadBalancerClass, &out.LoadBalancerClass + *out = new(string) + **out = **in + } + if in.IPFamilies != nil { + in, out := &in.IPFamilies, &out.IPFamilies + *out = make([]corev1.IPFamily, len(*in)) + copy(*out, *in) + } + if in.IPFamilyPolicy != nil { + in, out := &in.IPFamilyPolicy, &out.IPFamilyPolicy + *out = new(corev1.IPFamilyPolicy) + **out = **in + } + if in.AllocateLoadBalancerNodePorts != nil { + in, out := &in.AllocateLoadBalancerNodePorts, &out.AllocateLoadBalancerNodePorts + *out = new(bool) + **out = **in + } + if in.LoadBalancerSourceRanges != nil { + in, out := &in.LoadBalancerSourceRanges, &out.LoadBalancerSourceRanges + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.TrafficDistribution != nil { + in, out := &in.TrafficDistribution, &out.TrafficDistribution + *out = new(string) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceConfig. +func (in *ServiceConfig) DeepCopy() *ServiceConfig { + if in == nil { + return nil + } + out := new(ServiceConfig) + in.DeepCopyInto(out) + return out +} diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/zz_generated.deepequal.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/zz_generated.deepequal.go index 5e5d0bee96..089277031b 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/zz_generated.deepequal.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1/zz_generated.deepequal.go 
@@ -352,6 +352,14 @@ func (in *CiliumBGPInstance) DeepEqual(other *CiliumBGPInstance) bool { } } + if (in.LocalPort == nil) != (other.LocalPort == nil) { + return false + } else if in.LocalPort != nil { + if *in.LocalPort != *other.LocalPort { + return false + } + } + if ((in.Peers != nil) && (other.Peers != nil)) || ((in.Peers == nil) != (other.Peers == nil)) { in, other := &in.Peers, &other.Peers if other == nil { @@ -1329,6 +1337,46 @@ func (in *CiliumEndpointSlice) DeepEqual(other *CiliumEndpointSlice) bool { return true } +// DeepEqual is an autogenerated deepequal function, deeply comparing the +// receiver with other. in must be non-nil. +func (in *CiliumGatewayClassConfig) DeepEqual(other *CiliumGatewayClassConfig) bool { + if other == nil { + return false + } + + if !in.Spec.DeepEqual(&other.Spec) { + return false + } + + return true +} + +// DeepEqual is an autogenerated deepequal function, deeply comparing the +// receiver with other. in must be non-nil. +func (in *CiliumGatewayClassConfigSpec) DeepEqual(other *CiliumGatewayClassConfigSpec) bool { + if other == nil { + return false + } + + if (in.Description == nil) != (other.Description == nil) { + return false + } else if in.Description != nil { + if *in.Description != *other.Description { + return false + } + } + + if (in.Service == nil) != (other.Service == nil) { + return false + } else if in.Service != nil { + if !in.Service.DeepEqual(other.Service) { + return false + } + } + + return true +} + // DeepEqual is an autogenerated deepequal function, deeply comparing the // receiver with other. in must be non-nil. func (in *CiliumL2AnnouncementPolicy) DeepEqual(other *CiliumL2AnnouncementPolicy) bool { 
@@ -1650,3 +1698,85 @@ func (in *PeerConfigReference) DeepEqual(other *PeerConfigReference) bool { return true } + +// DeepEqual is an autogenerated deepequal function, deeply comparing the +// receiver with other. in must be non-nil. +func (in *ServiceConfig) DeepEqual(other *ServiceConfig) bool { + if other == nil { + return false + } + + if in.Type != other.Type { + return false + } + if in.ExternalTrafficPolicy != other.ExternalTrafficPolicy { + return false + } + if (in.LoadBalancerClass == nil) != (other.LoadBalancerClass == nil) { + return false + } else if in.LoadBalancerClass != nil { + if *in.LoadBalancerClass != *other.LoadBalancerClass { + return false + } + } + + if ((in.IPFamilies != nil) && (other.IPFamilies != nil)) || ((in.IPFamilies == nil) != (other.IPFamilies == nil)) { + in, other := &in.IPFamilies, &other.IPFamilies + if other == nil { + return false + } + + if len(*in) != len(*other) { + return false + } else { + for i, inElement := range *in { + if inElement != (*other)[i] { + return false + } + } + } + } + + if (in.IPFamilyPolicy == nil) != (other.IPFamilyPolicy == nil) { + return false + } else if in.IPFamilyPolicy != nil { + if *in.IPFamilyPolicy != *other.IPFamilyPolicy { + return false + } + } + + if (in.AllocateLoadBalancerNodePorts == nil) != (other.AllocateLoadBalancerNodePorts == nil) { + return false + } else if in.AllocateLoadBalancerNodePorts != nil { + if *in.AllocateLoadBalancerNodePorts != *other.AllocateLoadBalancerNodePorts { + return false + } + } + + if ((in.LoadBalancerSourceRanges != nil) && (other.LoadBalancerSourceRanges != nil)) || ((in.LoadBalancerSourceRanges == nil) != (other.LoadBalancerSourceRanges == nil)) { + in, other := &in.LoadBalancerSourceRanges, &other.LoadBalancerSourceRanges + if other == nil { + return false + } + + if len(*in) != len(*other) { + return false + } else { + for i, inElement := range *in { + if inElement != (*other)[i] { + return false + } + } + } + } + + if (in.TrafficDistribution == 
nil) != (other.TrafficDistribution == nil) { + return false + } else if in.TrafficDistribution != nil { + if *in.TrafficDistribution != *other.TrafficDistribution { + return false + } + } + + return true +} diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/cell.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/cell.go index 629a182c1d..6c9e8b7bae 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/client/cell.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/client/cell.go 
@@ -14,41 +14,30 @@ import (
 "strings"
 "time"
 
- "github.com/cilium/hive"
 "github.com/cilium/hive/cell"
- "github.com/cilium/hive/script"
 "github.com/sirupsen/logrus"
 apiext_clientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
- apiext_fake "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/fake"
 k8sErrors "k8s.io/apimachinery/pkg/api/errors"
- "k8s.io/apimachinery/pkg/api/meta"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 utilnet "k8s.io/apimachinery/pkg/util/net"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 "k8s.io/apimachinery/pkg/util/wait"
 versionapi "k8s.io/apimachinery/pkg/version"
 "k8s.io/client-go/discovery"
- fakediscovery "k8s.io/client-go/discovery/fake"
 "k8s.io/client-go/kubernetes"
- "k8s.io/client-go/kubernetes/fake"
 "k8s.io/client-go/rest"
- k8sTesting "k8s.io/client-go/testing"
 "k8s.io/client-go/tools/clientcmd"
 "k8s.io/client-go/util/connrotation"
 mcsapi_clientset "sigs.k8s.io/mcs-api/pkg/client/clientset/versioned"
- mcsapi_fake "sigs.k8s.io/mcs-api/pkg/client/clientset/versioned/fake"
 
 "github.com/cilium/cilium/pkg/controller"
 cilium_clientset "github.com/cilium/cilium/pkg/k8s/client/clientset/versioned"
- cilium_fake "github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/fake"
 k8smetrics "github.com/cilium/cilium/pkg/k8s/metrics"
 slim_apiextclientsetscheme "github.com/cilium/cilium/pkg/k8s/slim/k8s/apiextensions-client/clientset/versioned/scheme"
 slim_apiext_clientset "github.com/cilium/cilium/pkg/k8s/slim/k8s/apiextensions-clientset"
 slim_metav1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1"
 slim_metav1beta1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1beta1"
 slim_clientset "github.com/cilium/cilium/pkg/k8s/slim/k8s/client/clientset/versioned"
- slim_fake "github.com/cilium/cilium/pkg/k8s/slim/k8s/client/clientset/versioned/fake"
- "github.com/cilium/cilium/pkg/k8s/testutils"
 k8sversion "github.com/cilium/cilium/pkg/k8s/version"
 "github.com/cilium/cilium/pkg/logging/logfields"
 "github.com/cilium/cilium/pkg/version"
@@ -463,111 +452,6 @@ func isConnReady(c kubernetes.Interface) error {
 return err
 }
 
-var FakeClientCell = cell.Module(
- "k8s-fake-client",
- "Fake Kubernetes client",
-
- cell.Provide(
- NewFakeClientset,
- func(fc *FakeClientset) hive.ScriptCmdOut {
- return hive.NewScriptCmd("k8s", FakeClientCommand(fc))
- },
- ),
-)
-
-type (
- MCSAPIFakeClientset = mcsapi_fake.Clientset
- KubernetesFakeClientset = fake.Clientset
- SlimFakeClientset = slim_fake.Clientset
- CiliumFakeClientset = cilium_fake.Clientset
- APIExtFakeClientset = apiext_fake.Clientset
-)
-
-type FakeClientset struct {
- disabled bool
-
- *MCSAPIFakeClientset
- *KubernetesFakeClientset
- *CiliumFakeClientset
- *APIExtFakeClientset
- clientsetGetters
-
- SlimFakeClientset *SlimFakeClientset
-
- trackers map[string]k8sTesting.ObjectTracker
-
- enabled bool
-}
-
-var _ Clientset = &FakeClientset{}
-
-func (c *FakeClientset) Slim() slim_clientset.Interface {
- return c.SlimFakeClientset
-}
-
-func (c *FakeClientset) Discovery() discovery.DiscoveryInterface {
- return c.KubernetesFakeClientset.Discovery()
-}
-
-func (c *FakeClientset) IsEnabled() bool {
- return !c.disabled
-}
-
-func (c *FakeClientset) Disable() {
- c.disabled = true
-}
-
-func (c *FakeClientset) Config() Config {
- //exhaustruct:ignore
- return Config{}
-}
-
-func (c *FakeClientset) RestConfig() *rest.Config {
- //exhaustruct:ignore
- return &rest.Config{}
-}
-
-func NewFakeClientset() (*FakeClientset, Clientset) {
- version := testutils.DefaultVersion
- return NewFakeClientsetWithVersion(version)
-}
-
-func NewFakeClientsetWithVersion(version string) (*FakeClientset, Clientset) {
- if version == "" {
- version = testutils.DefaultVersion
- }
- resources, found := testutils.APIResources[version]
- if !found {
- panic("version " + version + " not found from testutils.APIResources")
- }
-
- client := FakeClientset{
- SlimFakeClientset: slim_fake.NewSimpleClientset(),
- CiliumFakeClientset: cilium_fake.NewSimpleClientset(),
- APIExtFakeClientset: apiext_fake.NewSimpleClientset(),
- MCSAPIFakeClientset: mcsapi_fake.NewSimpleClientset(),
- KubernetesFakeClientset: fake.NewSimpleClientset(),
- enabled: true,
- }
- client.KubernetesFakeClientset.Resources = resources
- client.SlimFakeClientset.Resources = resources
- client.CiliumFakeClientset.Resources = resources
- client.APIExtFakeClientset.Resources = resources
- client.trackers = map[string]k8sTesting.ObjectTracker{
- "slim": client.SlimFakeClientset.Tracker(),
- "cilium": client.CiliumFakeClientset.Tracker(),
- "mcs": client.MCSAPIFakeClientset.Tracker(),
- "kubernetes": client.KubernetesFakeClientset.Tracker(),
- "apiexit": client.APIExtFakeClientset.Tracker(),
- }
-
- fd := client.KubernetesFakeClientset.Discovery().(*fakediscovery.FakeDiscovery)
- fd.FakedServerVersion = toVersionInfo(version)
-
- client.clientsetGetters = clientsetGetters{&client}
- return &client, &client
-}
-
 func toVersionInfo(rawVersion string) *versionapi.Info {
 parts := strings.Split(rawVersion, ".")
 return &versionapi.Info{Major: parts[0], Minor: parts[1]}
@@ -588,88 +472,6 @@ func NewClientBuilder(lc cell.Lifecycle, log logrus.FieldLogger, cfg Config) Cli
 }
 }
 
-var FakeClientBuilderCell = cell.Provide(FakeClientBuilder)
-
-func FakeClientBuilder() ClientBuilderFunc {
- fc, _ := NewFakeClientset()
- return func(_ string) (Clientset, error) {
- return fc, nil
- }
-}
-
-func FakeClientCommand(fc *FakeClientset) script.Cmd {
- return script.Command(
- script.CmdUsage{
- Summary: "interact with fake k8s client",
- Args: " args...",
- },
- func(s *script.State, args ...string) (script.WaitFunc, error) {
- if len(args) < 1 {
- return nil, fmt.Errorf("usage: k8s files...\n is one of add, update or delete.")
- }
-
- action := args[0]
- if len(args) < 2 {
- return nil, fmt.Errorf("usage: k8s %s files...", action)
- }
-
- for _, file := range args[1:] {
- b, err := os.ReadFile(s.Path(file))
- if err != nil {
- // Try relative to current directory, e.g. to allow reading "testdata/foo.yaml"
- b, err = os.ReadFile(file)
- }
- if err != nil {
- return nil, fmt.Errorf("failed to read %s: %w", file, err)
- }
- obj, gvk, err := testutils.DecodeObjectGVK(b)
- if err != nil {
- return nil, fmt.Errorf("decode: %w", err)
- }
- gvr, _ := meta.UnsafeGuessKindToResource(*gvk)
- objMeta, err := meta.Accessor(obj)
- if err != nil {
- return nil, fmt.Errorf("accessor: %w", err)
- }
- name := objMeta.GetName()
- ns := objMeta.GetNamespace()
-
- // Try to add the object to all the trackers. If one of them
- // accepts we're good. We'll add to all since multiple trackers
- // may accept (e.g. slim and kubernetes).
-
- // err will get set to nil if any of the tracker methods succeed.
- // start with a non-nil default error.
- err = fmt.Errorf("none of the trackers of FakeClientset accepted %T", obj)
- for trackerName, tracker := range fc.trackers {
- var trackerErr error
- switch action {
- case "add":
- trackerErr = tracker.Add(obj)
- case "update":
- trackerErr = tracker.Update(gvr, obj, ns)
- case "delete":
- trackerErr = tracker.Delete(gvr, ns, name)
- default:
- return nil, fmt.Errorf("unknown k8s action %q, expected 'add', 'update' or 'delete'", action)
- }
- if err != nil {
- if trackerErr == nil {
- // One of the trackers accepted the object, it's a success!
- err = nil
- } else {
- err = errors.Join(err, fmt.Errorf("%s: %w", trackerName, trackerErr))
- }
- }
- }
- if err != nil {
- return nil, err
- }
- }
- return nil, nil
- })
-}
-
 func init() {
 // Register the metav1.Table and metav1.PartialObjectMetadata for the
 // apiextclientset.
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/cilium.io_client.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/cilium.io_client.go index c079fb85df..2aa34f3e2c 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/cilium.io_client.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/cilium.io_client.go @@ -20,7 +20,6 @@ type CiliumV2Interface interface { CiliumEgressGatewayPoliciesGetter CiliumEndpointsGetter CiliumEnvoyConfigsGetter - CiliumExternalWorkloadsGetter CiliumIdentitiesGetter CiliumLocalRedirectPoliciesGetter CiliumNetworkPoliciesGetter @@ -53,10 +52,6 @@ func (c *CiliumV2Client) CiliumEnvoyConfigs(namespace string) CiliumEnvoyConfigI return newCiliumEnvoyConfigs(c, namespace) } -func (c *CiliumV2Client) CiliumExternalWorkloads() CiliumExternalWorkloadInterface { - return newCiliumExternalWorkloads(c) -} - func (c *CiliumV2Client) CiliumIdentities() CiliumIdentityInterface { return newCiliumIdentities(c) }
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/ciliumexternalworkload.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/ciliumexternalworkload.go deleted file mode 100644 index 57ef50d699..0000000000 --- a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/ciliumexternalworkload.go +++ /dev/null 
@@ -1,57 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright Authors of Cilium - -// Code generated by client-gen. DO NOT EDIT. - -package v2 - -import ( - context "context" - - ciliumiov2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" - scheme "github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/scheme" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - types "k8s.io/apimachinery/pkg/types" - watch "k8s.io/apimachinery/pkg/watch" - gentype "k8s.io/client-go/gentype" -) - -// CiliumExternalWorkloadsGetter has a method to return a CiliumExternalWorkloadInterface. -// A group's client should implement this interface. -type CiliumExternalWorkloadsGetter interface { - CiliumExternalWorkloads() CiliumExternalWorkloadInterface -} - -// CiliumExternalWorkloadInterface has methods to work with CiliumExternalWorkload resources. -type CiliumExternalWorkloadInterface interface { - Create(ctx context.Context, ciliumExternalWorkload *ciliumiov2.CiliumExternalWorkload, opts v1.CreateOptions) (*ciliumiov2.CiliumExternalWorkload, error) - Update(ctx context.Context, ciliumExternalWorkload *ciliumiov2.CiliumExternalWorkload, opts v1.UpdateOptions) (*ciliumiov2.CiliumExternalWorkload, error) - // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
- UpdateStatus(ctx context.Context, ciliumExternalWorkload *ciliumiov2.CiliumExternalWorkload, opts v1.UpdateOptions) (*ciliumiov2.CiliumExternalWorkload, error) - Delete(ctx context.Context, name string, opts v1.DeleteOptions) error - DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error - Get(ctx context.Context, name string, opts v1.GetOptions) (*ciliumiov2.CiliumExternalWorkload, error) - List(ctx context.Context, opts v1.ListOptions) (*ciliumiov2.CiliumExternalWorkloadList, error) - Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) - Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *ciliumiov2.CiliumExternalWorkload, err error) - CiliumExternalWorkloadExpansion -} - -// ciliumExternalWorkloads implements CiliumExternalWorkloadInterface -type ciliumExternalWorkloads struct { - *gentype.ClientWithList[*ciliumiov2.CiliumExternalWorkload, *ciliumiov2.CiliumExternalWorkloadList] -} - -// newCiliumExternalWorkloads returns a CiliumExternalWorkloads -func newCiliumExternalWorkloads(c *CiliumV2Client) *ciliumExternalWorkloads { - return &ciliumExternalWorkloads{ - gentype.NewClientWithList[*ciliumiov2.CiliumExternalWorkload, *ciliumiov2.CiliumExternalWorkloadList]( - "ciliumexternalworkloads", - c.RESTClient(), - scheme.ParameterCodec, - "", - func() *ciliumiov2.CiliumExternalWorkload { return &ciliumiov2.CiliumExternalWorkload{} }, - func() *ciliumiov2.CiliumExternalWorkloadList { return &ciliumiov2.CiliumExternalWorkloadList{} }, - ), - } -} diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/fake/fake_cilium.io_client.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/fake/fake_cilium.io_client.go index 52eb1ac672..c853aaeee9 100644 
--- a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/fake/fake_cilium.io_client.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/fake/fake_cilium.io_client.go @@ -35,10 +35,6 @@ func (c *FakeCiliumV2) CiliumEnvoyConfigs(namespace string) v2.CiliumEnvoyConfig return newFakeCiliumEnvoyConfigs(c, namespace) } -func (c *FakeCiliumV2) CiliumExternalWorkloads() v2.CiliumExternalWorkloadInterface { - return newFakeCiliumExternalWorkloads(c) -} - func (c *FakeCiliumV2) CiliumIdentities() v2.CiliumIdentityInterface { return newFakeCiliumIdentities(c) } diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/fake/fake_ciliumexternalworkload.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/fake/fake_ciliumexternalworkload.go deleted file mode 100644 index 6a3071a601..0000000000 --- a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/fake/fake_ciliumexternalworkload.go +++ /dev/null 
@@ -1,39 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright Authors of Cilium - -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" - ciliumiov2 "github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2" - gentype "k8s.io/client-go/gentype" -) - -// fakeCiliumExternalWorkloads implements CiliumExternalWorkloadInterface -type fakeCiliumExternalWorkloads struct { - *gentype.FakeClientWithList[*v2.CiliumExternalWorkload, *v2.CiliumExternalWorkloadList] - Fake *FakeCiliumV2 -} - -func newFakeCiliumExternalWorkloads(fake *FakeCiliumV2) ciliumiov2.CiliumExternalWorkloadInterface { - return &fakeCiliumExternalWorkloads{ - gentype.NewFakeClientWithList[*v2.CiliumExternalWorkload, *v2.CiliumExternalWorkloadList]( - fake.Fake, - "", - v2.SchemeGroupVersion.WithResource("ciliumexternalworkloads"), - v2.SchemeGroupVersion.WithKind("CiliumExternalWorkload"), - func() *v2.CiliumExternalWorkload { return &v2.CiliumExternalWorkload{} }, - func() *v2.CiliumExternalWorkloadList { return &v2.CiliumExternalWorkloadList{} }, - func(dst, src *v2.CiliumExternalWorkloadList) { dst.ListMeta = src.ListMeta }, - func(list *v2.CiliumExternalWorkloadList) []*v2.CiliumExternalWorkload { - return gentype.ToPointerSlice(list.Items) - }, - func(list *v2.CiliumExternalWorkloadList, items []*v2.CiliumExternalWorkload) { - list.Items = gentype.FromPointerSlice(items) - }, - ), - fake, - } -} diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/generated_expansion.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/generated_expansion.go index fe5700373b..e654e07179 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/generated_expansion.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/generated_expansion.go 
@@ -15,8 +15,6 @@ type CiliumEndpointExpansion interface{} type CiliumEnvoyConfigExpansion interface{} -type CiliumExternalWorkloadExpansion interface{} - type CiliumIdentityExpansion interface{} type CiliumLocalRedirectPolicyExpansion interface{} diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/cilium.io_client.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/cilium.io_client.go index 8e49ea7ff1..eb756f2653 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/cilium.io_client.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/cilium.io_client.go @@ -23,6 +23,7 @@ type CiliumV2alpha1Interface interface { CiliumBGPPeeringPoliciesGetter CiliumCIDRGroupsGetter CiliumEndpointSlicesGetter + CiliumGatewayClassConfigsGetter CiliumL2AnnouncementPoliciesGetter CiliumLoadBalancerIPPoolsGetter CiliumNodeConfigsGetter @@ -66,6 +67,10 @@ func (c *CiliumV2alpha1Client) CiliumEndpointSlices() CiliumEndpointSliceInterfa return newCiliumEndpointSlices(c) } +func (c *CiliumV2alpha1Client) CiliumGatewayClassConfigs() CiliumGatewayClassConfigInterface { + return newCiliumGatewayClassConfigs(c) +} + func (c *CiliumV2alpha1Client) CiliumL2AnnouncementPolicies() CiliumL2AnnouncementPolicyInterface { return newCiliumL2AnnouncementPolicies(c) } diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/ciliumgatewayclassconfig.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/ciliumgatewayclassconfig.go new file mode 100644 index 0000000000..e9734e168f --- /dev/null +++ b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/ciliumgatewayclassconfig.go 
@@ -0,0 +1,59 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Cilium + +// Code generated by client-gen. DO NOT EDIT. + +package v2alpha1 + +import ( + context "context" + + ciliumiov2alpha1 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1" + scheme "github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + gentype "k8s.io/client-go/gentype" +) + +// CiliumGatewayClassConfigsGetter has a method to return a CiliumGatewayClassConfigInterface. +// A group's client should implement this interface. +type CiliumGatewayClassConfigsGetter interface { + CiliumGatewayClassConfigs() CiliumGatewayClassConfigInterface +} + +// CiliumGatewayClassConfigInterface has methods to work with CiliumGatewayClassConfig resources. +type CiliumGatewayClassConfigInterface interface { + Create(ctx context.Context, ciliumGatewayClassConfig *ciliumiov2alpha1.CiliumGatewayClassConfig, opts v1.CreateOptions) (*ciliumiov2alpha1.CiliumGatewayClassConfig, error) + Update(ctx context.Context, ciliumGatewayClassConfig *ciliumiov2alpha1.CiliumGatewayClassConfig, opts v1.UpdateOptions) (*ciliumiov2alpha1.CiliumGatewayClassConfig, error) + // Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+ UpdateStatus(ctx context.Context, ciliumGatewayClassConfig *ciliumiov2alpha1.CiliumGatewayClassConfig, opts v1.UpdateOptions) (*ciliumiov2alpha1.CiliumGatewayClassConfig, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*ciliumiov2alpha1.CiliumGatewayClassConfig, error) + List(ctx context.Context, opts v1.ListOptions) (*ciliumiov2alpha1.CiliumGatewayClassConfigList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *ciliumiov2alpha1.CiliumGatewayClassConfig, err error) + CiliumGatewayClassConfigExpansion +} + +// ciliumGatewayClassConfigs implements CiliumGatewayClassConfigInterface +type ciliumGatewayClassConfigs struct { + *gentype.ClientWithList[*ciliumiov2alpha1.CiliumGatewayClassConfig, *ciliumiov2alpha1.CiliumGatewayClassConfigList] +} + +// newCiliumGatewayClassConfigs returns a CiliumGatewayClassConfigs +func newCiliumGatewayClassConfigs(c *CiliumV2alpha1Client) *ciliumGatewayClassConfigs { + return &ciliumGatewayClassConfigs{ + gentype.NewClientWithList[*ciliumiov2alpha1.CiliumGatewayClassConfig, *ciliumiov2alpha1.CiliumGatewayClassConfigList]( + "ciliumgatewayclassconfigs", + c.RESTClient(), + scheme.ParameterCodec, + "", + func() *ciliumiov2alpha1.CiliumGatewayClassConfig { return &ciliumiov2alpha1.CiliumGatewayClassConfig{} }, + func() *ciliumiov2alpha1.CiliumGatewayClassConfigList { + return &ciliumiov2alpha1.CiliumGatewayClassConfigList{} + }, + ), + } +} 
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/fake/fake_cilium.io_client.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/fake/fake_cilium.io_client.go index 4a657e4b8f..ec3f3631df 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/fake/fake_cilium.io_client.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/fake/fake_cilium.io_client.go @@ -47,6 +47,10 @@ func (c *FakeCiliumV2alpha1) CiliumEndpointSlices() v2alpha1.CiliumEndpointSlice return newFakeCiliumEndpointSlices(c) } +func (c *FakeCiliumV2alpha1) CiliumGatewayClassConfigs() v2alpha1.CiliumGatewayClassConfigInterface { + return newFakeCiliumGatewayClassConfigs(c) +} + func (c *FakeCiliumV2alpha1) CiliumL2AnnouncementPolicies() v2alpha1.CiliumL2AnnouncementPolicyInterface { return newFakeCiliumL2AnnouncementPolicies(c) } diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/fake/fake_ciliumgatewayclassconfig.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/fake/fake_ciliumgatewayclassconfig.go new file mode 100644 index 0000000000..567d0ecce9 --- /dev/null +++ b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/fake/fake_ciliumgatewayclassconfig.go 
@@ -0,0 +1,39 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Cilium + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v2alpha1 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1" + ciliumiov2alpha1 "github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1" + gentype "k8s.io/client-go/gentype" +) + +// fakeCiliumGatewayClassConfigs implements CiliumGatewayClassConfigInterface +type fakeCiliumGatewayClassConfigs struct { + *gentype.FakeClientWithList[*v2alpha1.CiliumGatewayClassConfig, *v2alpha1.CiliumGatewayClassConfigList] + Fake *FakeCiliumV2alpha1 +} + +func newFakeCiliumGatewayClassConfigs(fake *FakeCiliumV2alpha1) ciliumiov2alpha1.CiliumGatewayClassConfigInterface { + return &fakeCiliumGatewayClassConfigs{ + gentype.NewFakeClientWithList[*v2alpha1.CiliumGatewayClassConfig, *v2alpha1.CiliumGatewayClassConfigList]( + fake.Fake, + "", + v2alpha1.SchemeGroupVersion.WithResource("ciliumgatewayclassconfigs"), + v2alpha1.SchemeGroupVersion.WithKind("CiliumGatewayClassConfig"), + func() *v2alpha1.CiliumGatewayClassConfig { return &v2alpha1.CiliumGatewayClassConfig{} }, + func() *v2alpha1.CiliumGatewayClassConfigList { return &v2alpha1.CiliumGatewayClassConfigList{} }, + func(dst, src *v2alpha1.CiliumGatewayClassConfigList) { dst.ListMeta = src.ListMeta }, + func(list *v2alpha1.CiliumGatewayClassConfigList) []*v2alpha1.CiliumGatewayClassConfig { + return gentype.ToPointerSlice(list.Items) + }, + func(list *v2alpha1.CiliumGatewayClassConfigList, items []*v2alpha1.CiliumGatewayClassConfig) { + list.Items = gentype.FromPointerSlice(items) + }, + ), + fake, + } +} diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/generated_expansion.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/generated_expansion.go index 4b25b32bb8..5a1d72f1f9 100644 
--- a/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/generated_expansion.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2alpha1/generated_expansion.go @@ -21,6 +21,8 @@ type CiliumCIDRGroupExpansion interface{} type CiliumEndpointSliceExpansion interface{} +type CiliumGatewayClassConfigExpansion interface{} + type CiliumL2AnnouncementPolicyExpansion interface{} type CiliumLoadBalancerIPPoolExpansion interface{} diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/fake.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/fake.go new file mode 100644 index 0000000000..b6989d1819 --- /dev/null +++ b/vendor/github.com/cilium/cilium/pkg/k8s/client/fake.go 
@@ -0,0 +1,522 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Cilium + +package client + +import ( + "errors" + "fmt" + "log/slog" + "os" + "strings" + "time" + + "github.com/cilium/hive" + "github.com/cilium/hive/cell" + "github.com/cilium/hive/script" + "github.com/spf13/pflag" + apiext_fake "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/fake" + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/client-go/discovery" + fakediscovery "k8s.io/client-go/discovery/fake" + "k8s.io/client-go/kubernetes/fake" + "k8s.io/client-go/rest" + k8sTesting "k8s.io/client-go/testing" + mcsapi_fake "sigs.k8s.io/mcs-api/pkg/client/clientset/versioned/fake" + k8sYaml "sigs.k8s.io/yaml" + + cilium_fake "github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/fake" + slim_clientset "github.com/cilium/cilium/pkg/k8s/slim/k8s/client/clientset/versioned" + slim_fake "github.com/cilium/cilium/pkg/k8s/slim/k8s/client/clientset/versioned/fake" + "github.com/cilium/cilium/pkg/k8s/testutils" + "github.com/cilium/cilium/pkg/lock" +) + +var FakeClientCell = cell.Module( + "k8s-fake-client", + "Fake Kubernetes client", + + cell.Provide( + NewFakeClientset, + func(fc *FakeClientset) hive.ScriptCmdsOut { + return hive.NewScriptCmds(FakeClientCommands(fc)) + }, + ), +) + +type ( + MCSAPIFakeClientset = mcsapi_fake.Clientset + KubernetesFakeClientset = fake.Clientset + SlimFakeClientset = slim_fake.Clientset + CiliumFakeClientset = cilium_fake.Clientset + APIExtFakeClientset = apiext_fake.Clientset +) + +type FakeClientset struct { + disabled bool + + *MCSAPIFakeClientset + *KubernetesFakeClientset + *CiliumFakeClientset + *APIExtFakeClientset + clientsetGetters + + SlimFakeClientset *SlimFakeClientset + + trackers map[string]k8sTesting.ObjectTracker + + watchers lock.Map[string, struct{}] +} + +var _ Clientset = &FakeClientset{} + +func (c *FakeClientset) Slim() slim_clientset.Interface { 
+ return c.SlimFakeClientset +} + +func (c *FakeClientset) Discovery() discovery.DiscoveryInterface { + return c.KubernetesFakeClientset.Discovery() +} + +func (c *FakeClientset) IsEnabled() bool { + return !c.disabled +} + +func (c *FakeClientset) Disable() { + c.disabled = true +} + +func (c *FakeClientset) Config() Config { + //exhaustruct:ignore + return Config{} +} + +func (c *FakeClientset) RestConfig() *rest.Config { + //exhaustruct:ignore + return &rest.Config{} +} + +func NewFakeClientset(log *slog.Logger) (*FakeClientset, Clientset) { + version := testutils.DefaultVersion + return NewFakeClientsetWithVersion(log, version) +} + +// trackerPreference has the trackers in preference order, +// e.g. which tracker to look into first for k8s/get or k8s/list. +// We prefer the slim one over the kubernetes one as that's the one +// likely used in Cilium. +var trackerPreference = []string{ + "slim", + "cilium", + "mcs", + "apiext", + "kubernetes", +} + +func NewFakeClientsetWithVersion(log *slog.Logger, version string) (*FakeClientset, Clientset) { + if version == "" { + version = testutils.DefaultVersion + } + resources, found := testutils.APIResources[version] + if !found { + panic("version " + version + " not found from testutils.APIResources") + } + + client := FakeClientset{ + SlimFakeClientset: slim_fake.NewSimpleClientset(), + CiliumFakeClientset: cilium_fake.NewSimpleClientset(), + APIExtFakeClientset: apiext_fake.NewSimpleClientset(), + MCSAPIFakeClientset: mcsapi_fake.NewSimpleClientset(), + KubernetesFakeClientset: fake.NewSimpleClientset(), + } + client.KubernetesFakeClientset.Resources = resources + client.SlimFakeClientset.Resources = resources + client.CiliumFakeClientset.Resources = resources + client.APIExtFakeClientset.Resources = resources + client.trackers = map[string]k8sTesting.ObjectTracker{ + "slim": augmentTracker(log, client.SlimFakeClientset, &client.watchers), + "cilium": augmentTracker(log, client.CiliumFakeClientset, &client.watchers), 
+ "mcs": augmentTracker(log, client.MCSAPIFakeClientset, &client.watchers), + "kubernetes": augmentTracker(log, client.KubernetesFakeClientset, &client.watchers), + "apiext": augmentTracker(log, client.APIExtFakeClientset, &client.watchers), + } + + fd := client.KubernetesFakeClientset.Discovery().(*fakediscovery.FakeDiscovery) + fd.FakedServerVersion = toVersionInfo(version) + + client.clientsetGetters = clientsetGetters{&client} + return &client, &client +} + +var FakeClientBuilderCell = cell.Provide(FakeClientBuilder) + +func FakeClientBuilder(log *slog.Logger) ClientBuilderFunc { + fc, _ := NewFakeClientset(log) + return func(_ string) (Clientset, error) { + return fc, nil + } +} + +func showGVR(gvr schema.GroupVersionResource) string { + if gvr.Group == "" { + return fmt.Sprintf("%s.%s", gvr.Version, gvr.Resource) + } + return fmt.Sprintf("%s.%s.%s", gvr.Group, gvr.Version, gvr.Resource) +} + +func FakeClientCommands(fc *FakeClientset) map[string]script.Cmd { + seenResources := map[schema.GroupVersionKind]schema.GroupVersionResource{} + + addUpdateOrDelete := func(s *script.State, action string, files []string) error { + for _, file := range files { + b, err := os.ReadFile(s.Path(file)) + if err != nil { + // Try relative to current directory, e.g. to allow reading "testdata/foo.yaml" + b, err = os.ReadFile(file) + } + if err != nil { + return fmt.Errorf("failed to read %s: %w", file, err) + } + obj, gvk, err := testutils.DecodeObjectGVK(b) + if err != nil { + return fmt.Errorf("decode: %w", err) + } + + // Also try decoding using the kubernetes schema instead + // of the slim schema so that we get an object that the "kubernetes" + // tracker accepts. 
+ kobj, _ := testutils.DecodeKubernetesObject(b) + + gvr, _ := meta.UnsafeGuessKindToResource(*gvk) + objMeta, err := meta.Accessor(obj) + if err != nil { + return fmt.Errorf("accessor: %w", err) + } + seenResources[*gvk] = gvr + + name := objMeta.GetName() + ns := objMeta.GetNamespace() + + // Try to add the object to all the trackers. If one of them + // accepts we're good. We'll add to all since multiple trackers + // may accept (e.g. slim and kubernetes). + + // err will get set to nil if any of the tracker methods succeed. + // start with a non-nil default error. + err = fmt.Errorf("none of the trackers of FakeClientset accepted %T", obj) + for trackerName, tracker := range fc.trackers { + var trackerErr error + switch action { + case "add": + trackerErr = tracker.Add(obj) + if trackerErr != nil && kobj != nil { + trackerErr = tracker.Add(kobj) + } + case "update": + trackerErr = tracker.Update(gvr, obj, ns) + if trackerErr != nil && kobj != nil { + trackerErr = tracker.Update(gvr, kobj, ns) + } + case "delete": + trackerErr = tracker.Delete(gvr, ns, name) + } + if err != nil { + if trackerErr == nil { + // One of the trackers accepted the object, it's a success! + err = nil + } else { + err = errors.Join(err, fmt.Errorf("%s: %w", trackerName, trackerErr)) + } + } + } + if err != nil { + return err + } + } + return nil + } + + return map[string]script.Cmd{ + "k8s/add": script.Command( + script.CmdUsage{ + Summary: "Add new K8s object(s) to the object trackers", + Detail: []string{ + "The files should be YAML, e.g. 
in the format produced by", + "'kubectl get -o yaml'", + }, + Args: "files...", + }, + func(s *script.State, args ...string) (script.WaitFunc, error) { + if len(args) == 0 { + return nil, script.ErrUsage + } + return nil, addUpdateOrDelete(s, "add", args) + }, + ), + + "k8s/update": script.Command( + script.CmdUsage{ + Summary: "Update K8s object(s) in the object trackers", + Args: "files...", + }, + func(s *script.State, args ...string) (script.WaitFunc, error) { + if len(args) == 0 { + return nil, script.ErrUsage + } + return nil, addUpdateOrDelete(s, "update", args) + }, + ), + + "k8s/delete": script.Command( + script.CmdUsage{ + Summary: "Delete K8s object(s) from the object trackers", + Args: "files...", + }, + func(s *script.State, args ...string) (script.WaitFunc, error) { + if len(args) == 0 { + return nil, script.ErrUsage + } + return nil, addUpdateOrDelete(s, "delete", args) + }, + ), + + "k8s/get": script.Command( + script.CmdUsage{ + Summary: "Get a K8s object from the object trackers", + Detail: []string{ + "Tries object trackers in order. 
Prefers the slim over kubernetes.", + "For list of resources run 'k8s/resources'", + }, + Args: "resource name", + Flags: func(fs *pflag.FlagSet) { + fs.StringP("out", "o", "", "File to write to instead of stdout") + }, + }, + func(s *script.State, args ...string) (script.WaitFunc, error) { + file, err := s.Flags.GetString("out") + if err != nil { + return nil, err + } + if len(args) != 2 { + return nil, script.ErrUsage + } + + var gvr schema.GroupVersionResource + for _, r := range seenResources { + res := showGVR(r) + if res == args[0] { + gvr = r + break + } else if strings.Contains(res, args[0]) { + s.Logf("Using closest match %q\n", res) + gvr = r + break + } + } + if gvr.Resource == "" { + return nil, fmt.Errorf("%q not a known resource, see 'k8s/resources' for full list", args[0]) + } + + ns, name, found := strings.Cut(args[1], "/") + if !found { + name = ns + ns = "" + } + + return func(s *script.State) (stdout string, stderr string, err error) { + var trackerErr error + for _, trackerName := range trackerPreference { + tracker := fc.trackers[trackerName] + obj, err := tracker.Get(gvr, ns, name) + if err == nil { + bs, err := k8sYaml.Marshal(obj) + if file != "" { + return "", "", os.WriteFile(s.Path(file), bs, 0644) + } + return string(bs), "", err + } + trackerErr = errors.Join(trackerErr, err) + } + return "", "", fmt.Errorf("%w: no tracker recognized %s", trackerErr, gvr) + }, nil + }, + ), + + "k8s/list": script.Command( + script.CmdUsage{ + Summary: "List K8s objects in the object trackers", + Detail: []string{ + "For example to list pods in any namespace: k8s/list v1.pods ''", + "Run 'k8s/resources' for a list of seen resources.", + }, + Args: "resource namespace", + Flags: func(fs *pflag.FlagSet) { + fs.StringP("out", "o", "", "File to write to instead of stdout") + }, + }, + func(s *script.State, args ...string) (script.WaitFunc, error) { + file, err := s.Flags.GetString("out") + if err != nil { + return nil, err + } + if len(args) != 2 { + return 
nil, fmt.Errorf("%w: expected resource and namespace", script.ErrUsage) + } + + var gvr schema.GroupVersionResource + var gvk schema.GroupVersionKind + for k, r := range seenResources { + res := showGVR(r) + if res == args[0] { + gvr = r + gvk = k + break + } else if strings.Contains(res, args[0]) { + s.Logf("Using closest match %q\n", res) + gvr = r + gvk = k + break + } + } + if gvr.Resource == "" { + return nil, fmt.Errorf("%q not a known resource, see 'k8s/resources' for full list", args[0]) + } + + return func(s *script.State) (stdout string, stderr string, err error) { + var trackerErr error + for _, trackerName := range trackerPreference { + tracker := fc.trackers[trackerName] + obj, err := tracker.List(gvr, gvk, args[1]) + if err == nil { + bs, err := k8sYaml.Marshal(obj) + if file != "" { + return "", "", os.WriteFile(s.Path(file), bs, 0644) + } + return string(bs), "", err + } + trackerErr = errors.Join(trackerErr, err) + } + return "", "", fmt.Errorf("%w: no tracker recognized %s", trackerErr, gvr) + }, nil + }, + ), + + "k8s/summary": script.Command( + script.CmdUsage{ + Summary: "Show a summary of object trackers", + Detail: []string{ + "Lists each object tracker and the objects stored within.", + }, + }, + func(s *script.State, args ...string) (script.WaitFunc, error) { + for _, trackerName := range trackerPreference { + tracker := fc.trackers[trackerName] + s.Logf("%s:\n", trackerName) + for gvk, gvr := range seenResources { + objs, err := tracker.List(gvr, gvk, "") + if err == nil { + lst, _ := meta.ExtractList(objs) + s.Logf("- %s: %d\n", showGVR(gvr), len(lst)) + } + } + } + return nil, nil + }, + ), + + "k8s/resources": script.Command( + script.CmdUsage{ + Summary: "List which resources have been seen by the fake client", + }, + func(s *script.State, args ...string) (script.WaitFunc, error) { + return func(s *script.State) (stdout string, stderr string, err error) { + var buf strings.Builder + for _, gvr := range seenResources { + 
fmt.Fprintf(&buf, "%s\n", showGVR(gvr)) + } + stdout = buf.String() + return + }, nil + }, + ), + + "k8s/wait-watchers": script.Command( + script.CmdUsage{ + Summary: "Wait for watchers for given resources to appear", + Detail: []string{ + "Takes a list of resources and waits for a Watch() to appear for it.", + "", + "Useful when working with an informer/reflector that is not backed by", + "a StateDB table and thus cannot use 'db/initialized'.", + }, + Args: "resources...", + }, + func(s *script.State, args ...string) (script.WaitFunc, error) { + resources := map[string]struct{}{} + for _, r := range args { + resources[r] = struct{}{} + } + for s.Context().Err() == nil && len(resources) > 0 { + for r := range resources { + _, ok := fc.watchers.Load(r) + if ok { + delete(resources, r) + } + } + time.Sleep(10 * time.Millisecond) + } + if len(resources) > 0 { + seen := []string{} + fc.watchers.Range(func(key string, value struct{}) bool { + seen = append(seen, key) + return true + }) + return nil, fmt.Errorf("watchers did not appear. saw: %v", seen) + } + return nil, nil + }, + ), + } + +} + +type fakeWithTracker interface { + PrependReactor(verb string, resource string, reaction k8sTesting.ReactionFunc) + PrependWatchReactor(resource string, reaction k8sTesting.WatchReactionFunc) + Tracker() k8sTesting.ObjectTracker +} + +// augmentTracker augments the fake clientset to record watchers. +// The reason we need to do this is the following: The k8s object tracker's implementation +// of Watch is not equivalent to Watch on a real api-server, as it does not respect the +// ResourceVersion from whence to start the watch. As a consequence, when informers (or +// reflectors) call ListAndWatch, they miss events which occur between the end of List and +// the establishment of Watch. 
+func augmentTracker[T fakeWithTracker](log *slog.Logger, f T, watchers *lock.Map[string, struct{}]) k8sTesting.ObjectTracker { + o := f.Tracker() + + f.PrependWatchReactor( + "*", + func(action k8sTesting.Action) (handled bool, ret watch.Interface, err error) { + w := action.(k8sTesting.WatchAction) + gvr := w.GetResource() + ns := w.GetNamespace() + watch, err := o.Watch(gvr, ns) + if err != nil { + return false, nil, err + } + watchName := showGVR(gvr) + if _, ok := watchers.Load(watchName); ok { + log.Warn("Multiple watches for resource intercepted. This highlights a potential cause for flakes", "resource", watchName) + } + + log.Debug("Watch started", "resource", watchName) + watchers.Store(watchName, struct{}{}) + + return true, watch, nil + }) + + return o +} diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/informer/informer.go b/vendor/github.com/cilium/cilium/pkg/k8s/informer/informer.go index b27203a27b..274aa61700 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/informer/informer.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/informer/informer.go @@ -13,6 +13,7 @@ import ( utilRuntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/tools/cache" + "github.com/cilium/cilium/pkg/k8s/watchers/resources" "github.com/cilium/cilium/pkg/logging" "github.com/cilium/cilium/pkg/logging/logfields" "github.com/cilium/cilium/pkg/time" @@ -115,6 +116,9 @@ func NewInformerWithStore( obj = d.Object } + // Deduplicate the strings in the object metadata to reduce memory consumption. + resources.DedupMetadata(obj) + // In CI we detect if the objects were modified and panic // this is a no-op in production environments. cacheMutationDetector.AddObject(obj) diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/resource/resource.go b/vendor/github.com/cilium/cilium/pkg/k8s/resource/resource.go index e5d1a050a7..db75b9be2e 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/resource/resource.go 
+++ b/vendor/github.com/cilium/cilium/pkg/k8s/resource/resource.go @@ -22,7 +22,6 @@ import ( "k8s.io/client-go/util/workqueue" "sigs.k8s.io/controller-runtime/pkg/client/apiutil" - metaCache "github.com/cilium/cilium/pkg/container/cache" k8smetrics "github.com/cilium/cilium/pkg/k8s/metrics" "github.com/cilium/cilium/pkg/k8s/synced" "github.com/cilium/cilium/pkg/k8s/watchers/resources" @@ -407,14 +406,14 @@ func (r *resource[T]) Stop(stopCtx cell.HookContext) error { } type eventsOpts struct { - rateLimiter workqueue.RateLimiter + rateLimiter workqueue.TypedRateLimiter[WorkItem] errorHandler ErrorHandler } type EventsOpt func(*eventsOpts) // WithRateLimiter sets the rate limiting algorithm to be used when requeueing failed events. -func WithRateLimiter(r workqueue.RateLimiter) EventsOpt { +func WithRateLimiter(r workqueue.TypedRateLimiter[WorkItem]) EventsOpt { return func(o *eventsOpts) { o.rateLimiter = r } @@ -453,7 +452,7 @@ func (r *resource[T]) Events(ctx context.Context, opts ...EventsOpt) <-chan Even options := eventsOpts{ errorHandler: AlwaysRetry, // Default error handling is to always retry. - rateLimiter: workqueue.DefaultControllerRateLimiter(), + rateLimiter: workqueue.DefaultTypedControllerRateLimiter[WorkItem](), } for _, apply := range opts { apply(&options) @@ -469,8 +468,8 @@ func (r *resource[T]) Events(ctx context.Context, opts ...EventsOpt) <-chan Even r: r, options: options, debugInfo: debugInfo, - wq: workqueue.NewRateLimitingQueueWithConfig(options.rateLimiter, - workqueue.RateLimitingQueueConfig{Name: r.resourceName()}), + wq: workqueue.NewTypedRateLimitingQueueWithConfig[WorkItem](options.rateLimiter, + workqueue.TypedRateLimitingQueueConfig[WorkItem]{Name: r.resourceName()}), } // Fork a goroutine to process the queued keys and pass them to the subscriber. 
@@ -588,7 +587,7 @@ func (r *resource[T]) resourceName() string { type subscriber[T k8sRuntime.Object] struct { r *resource[T] debugInfo string - wq workqueue.RateLimitingInterface + wq workqueue.TypedRateLimitingInterface[WorkItem] options eventsOpts } @@ -694,13 +693,12 @@ loop: } } -func (s *subscriber[T]) getWorkItem() (e workItem, shutdown bool) { - var raw any - raw, shutdown = s.wq.Get() +func (s *subscriber[T]) getWorkItem() (e WorkItem, shutdown bool) { + raw, shutdown := s.wq.Get() if shutdown { return } - return raw.(workItem), false + return raw, false } func (s *subscriber[T]) enqueueSync() { @@ -711,7 +709,7 @@ func (s *subscriber[T]) enqueueKey(key Key) { s.wq.Add(keyWorkItem{key}) } -func (s *subscriber[T]) eventDone(entry workItem, err error) { +func (s *subscriber[T]) eventDone(entry WorkItem, err error) { // This is based on the example found in k8s.io/client-go/examples/worsueue/main.go. // Mark the object as done being processed. If it was marked dirty @@ -788,13 +786,13 @@ func (l *lastKnownObjects[T]) DeleteByUID(key Key, objToDelete T) { } } -// workItem restricts the set of types we use when type-switching over the +// WorkItem restricts the set of types we use when type-switching over the // queue entries, so that we'll get a compiler error on impossible types. // // The queue entries must be kept comparable and not be pointers as we want // to be able to coalesce multiple keyEntry's into a single element in the // queue. -type workItem interface { +type WorkItem interface { isWorkItem() } 
@@ -852,14 +850,14 @@ func (r *resource[T]) newInformer() (cache.Indexer, cache.Controller) { obj = d.Object } + // Deduplicate the strings in the object metadata to reduce memory consumption. + resources.DedupMetadata(obj) + // In CI we detect if the objects were modified and panic // (e.g. when KUBE_CACHE_MUTATION_DETECTOR is set) // this is a no-op in production environments. cacheMutationDetector.AddObject(obj) - // Deduplicate the strings in the object metadata to reduce memory consumption. - dedupMetadata(obj) - key := NewKey(obj) switch d.Type { @@ -904,18 +902,6 @@ func (r *resource[T]) newInformer() (cache.Indexer, cache.Controller) { } } -// dedupMetadata deduplicates the allocated strings in the metadata using the container/cache package. -func dedupMetadata(obj any) { - meta, err := meta.Accessor(obj) - if err != nil { - return - } - meta.SetName(metaCache.Strings.Get(meta.GetName())) - meta.SetNamespace(metaCache.Strings.Get(meta.GetNamespace())) - meta.SetLabels(metaCache.StringMaps.Get(meta.GetLabels())) - meta.SetAnnotations(metaCache.StringMaps.Get(meta.GetAnnotations())) -} - func getUID(obj k8sRuntime.Object) types.UID { meta, err := meta.Accessor(obj) if err != nil { diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/resource/statedb.go b/vendor/github.com/cilium/cilium/pkg/k8s/resource/statedb.go new file mode 100644 index 0000000000..afd6db370f --- /dev/null +++ b/vendor/github.com/cilium/cilium/pkg/k8s/resource/statedb.go 
@@ -0,0 +1,176 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package resource
+
+import (
+ "context"
+ "fmt"
+ "runtime"
+
+ "github.com/cilium/statedb"
+ "github.com/cilium/stream"
+ k8sRuntime "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/client-go/util/workqueue"
+
+ "github.com/cilium/cilium/pkg/rate"
+ "github.com/cilium/cilium/pkg/time"
+)
+
+// NewTableEventStream constructs a stream of [Event] from a StateDB table of Kubernetes
+// objects. This is meant as a transitionary mechanism for converting from Resource[T] to Table[T]
+// and is not meant as a long term solution. Sub-systems should instead consider either moving to
+// the StateDB reconciler (expressing their desired state in a StateDB table) or using an internal
+// workqueue for processing.
+//
+// This should only be used when the workqueue retry handling is required. If it is not needed
+// you should use [statedb.Observable].
+//
+// Deprecated: This is a transitionary helper. Use only if converting from Resource[T] and need the
+// workqueue retry handling. If retrying is not needed use [statedb.Observable] instead or refactor
+// your code to use [statedb.Table.Changes].
+func NewTableEventStream[T k8sRuntime.Object](db *statedb.DB, table statedb.Table[T], getByKey func(Key) statedb.Query[T]) stream.Observable[Event[T]] {
+ return &tableWorkQueue[T]{
+ db: db,
+ table: table,
+ getByKey: getByKey,
+ }
+}
+
+type tableWorkQueueItem struct {
+ key Key
+ initOccurred bool
+}
+
+type tableWorkQueue[T k8sRuntime.Object] struct {
+ db *statedb.DB
+ table statedb.Table[T]
+ getByKey func(Key) statedb.Query[T]
+}
+
+func (twq *tableWorkQueue[T]) Observe(ctx context.Context, next func(Event[T]), complete func(error)) {
+ var zero T
+ wq := workqueue.NewTypedRateLimitingQueueWithConfig[tableWorkQueueItem](
+ workqueue.DefaultTypedControllerRateLimiter[tableWorkQueueItem](),
+ workqueue.TypedRateLimitingQueueConfig[tableWorkQueueItem]{
+ Name: fmt.Sprintf("%T", zero),
+ },
+ )
+
+ var deletedObjects lastKnownObjects[T]
+
+ wtxn := twq.db.WriteTxn(twq.table)
+ changeIter, err := twq.table.Changes(wtxn)
+ _, initWatch := twq.table.Initialized(wtxn)
+ wtxn.Commit()
+ if err != nil {
+ complete(err)
+ return
+ }
+
+ _, callerFile, callerLine, _ := runtime.Caller(1)
+ debugInfo := fmt.Sprintf("%T.Observe() called from %s:%d", twq, callerFile, callerLine)
+ doneFinalizer := func(done *bool) {
+ // If you get here it is because an Event[T] was handed to a subscriber
+ // that forgot to call Event[T].Done().
+ //
+ // Calling Done() is needed to mark the event as handled. This allows
+ // the next event for the same key to be handled and is used to clear
+ // rate limiting and retry counts of prior failures.
+ panic(fmt.Sprintf(
+ "%s has a broken event handler that did not call Done() "+
+ "before event was garbage collected",
+ debugInfo))
+ }
+
+ // Start a goroutine to feed the workqueue.
+ go func() {
+ defer wq.ShutDown()
+
+ // Limit the read transaction rate to at most 10 per second to reduce
+ // overhead and coalesce changes.
+ limiter := rate.NewLimiter(time.Second/10, 1)
+ defer limiter.Stop()
+
+ for {
+ changes, watch := changeIter.Next(twq.db.ReadTxn())
+ for change := range changes {
+ if ctx.Err() != nil {
+ break
+ }
+ obj := change.Object
+ key := NewKey(obj)
+ wq.Add(tableWorkQueueItem{key: key})
+ if change.Deleted {
+ deletedObjects.Store(key, change.Object)
+ }
+ }
+ select {
+ case <-ctx.Done():
+ return
+ case <-watch:
+ case <-initWatch:
+ initWatch = nil
+ wq.Add(tableWorkQueueItem{
+ initOccurred: true,
+ })
+ }
+ if err := limiter.Wait(ctx); err != nil {
+ return
+ }
+ }
+ }()
+
+ // And a goroutine to emit the events
+ go func() {
+ defer complete(nil)
+
+ for {
+ item, shutdown := wq.Get()
+ if shutdown {
+ return
+ }
+
+ var event Event[T]
+ var eventDoneSentinel = new(bool)
+ event.Done = func(err error) {
+ runtime.SetFinalizer(eventDoneSentinel, nil)
+ defer wq.Done(item)
+ if err == nil {
+ // Clear rate limiting.
+ wq.Forget(item)
+
+ if event.Kind == Delete {
+ // Deletion processed successfully, forget the deleted object.
+ deletedObjects.DeleteByUID(item.key, event.Object)
+ }
+ } else {
+ // Requeue for retry.
+ wq.AddRateLimited(item)
+ }
+ }
+ // Add a finalizer to catch forgotten calls to Done().
+ runtime.SetFinalizer(eventDoneSentinel, doneFinalizer)
+
+ if item.initOccurred {
+ event.Kind = Sync
+ next(event)
+ continue
+ }
+
+ obj, _, found := twq.table.Get(twq.db.ReadTxn(), twq.getByKey(item.key))
+ if found {
+ event.Kind = Upsert
+ event.Object = obj
+ next(event)
+ } else {
+ event.Kind = Delete
+ obj, found := deletedObjects.Load(item.key)
+ if found {
+ event.Object = obj
+ next(event)
+ }
+ }
+ }
+ }()
+}
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/resource_ctors.go b/vendor/github.com/cilium/cilium/pkg/k8s/resource_ctors.go
index ffe6f0c3df..3ac62202ec 100644
--- a/vendor/github.com/cilium/cilium/pkg/k8s/resource_ctors.go
+++ b/vendor/github.com/cilium/cilium/pkg/k8s/resource_ctors.go
@@ -480,17 +480,6 @@ func ciliumEndpointSliceLocalPodIndexFunc(obj any) ([]string, error) { return indices, nil } -func CiliumExternalWorkloads(params CiliumResourceParams, opts ...func(*metav1.ListOptions)) (resource.Resource[*cilium_api_v2.CiliumExternalWorkload], error) { - if !params.ClientSet.IsEnabled() { - return nil, nil - } - lw := utils.ListerWatcherWithModifiers( - utils.ListerWatcherFromTyped[*cilium_api_v2.CiliumExternalWorkloadList](params.ClientSet.CiliumV2().CiliumExternalWorkloads()), - opts..., - ) - return resource.New[*cilium_api_v2.CiliumExternalWorkload](params.Lifecycle, lw, resource.WithMetric("CiliumExternalWorkloads"), resource.WithCRDSync(params.CRDSyncPromise)), nil -} - func CiliumEnvoyConfigResource(params CiliumResourceParams, opts ...func(*metav1.ListOptions)) (resource.Resource[*cilium_api_v2.CiliumEnvoyConfig], error) { if !params.ClientSet.IsEnabled() { return nil, nil diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/synced/crd.go b/vendor/github.com/cilium/cilium/pkg/k8s/synced/crd.go index c4dcbdffae..924fa26aca 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/synced/crd.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/synced/crd.go @@ -18,7 +18,7 @@ import ( "k8s.io/client-go/tools/cache" v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" - v2alpha1 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1" + "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1" "github.com/cilium/cilium/pkg/k8s/client" "github.com/cilium/cilium/pkg/k8s/informer" slim_metav1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1" @@ -103,7 +103,6 @@ func ClusterMeshAPIServerResourceNames() []string { CRDResourceName(v2.CNName), CRDResourceName(v2.CIDName), CRDResourceName(v2.CEPName), - CRDResourceName(v2.CEWName), } } 
@@ -112,9 +111,9 @@ func ClusterMeshAPIServerResourceNames() []string { func AllCiliumCRDResourceNames() []string { return append( AgentCRDResourceNames(), - CRDResourceName(v2.CEWName), CRDResourceName(v2.CNCName), CRDResourceName(v2alpha1.CNCName), // TODO depreciate CNC on v2alpha1 https://github.com/cilium/cilium/issues/31982 + CRDResourceName(v2alpha1.CGCCName), ) } diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/testutils/decoder.go b/vendor/github.com/cilium/cilium/pkg/k8s/testutils/decoder.go index dec8f753cd..8b659a1a71 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/testutils/decoder.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/testutils/decoder.go @@ -10,6 +10,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/serializer" + "k8s.io/client-go/kubernetes/fake" gatewayv1 "sigs.k8s.io/gateway-api/apis/v1" gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1" @@ -21,13 +22,18 @@ import ( ) var ( - // Scheme for object types used in Cilium. + // Scheme for object types used in Cilium. Excludes the core Kubernetes schema + // in favour of the slim one. + // // The scheme can be extended by init() functions since [Decoder] is // lazily constructed. Scheme = runtime.NewScheme() decoderOnce sync.Once decoder runtime.Decoder + + kubernetesDecoderOnce sync.Once + kubernetesDecoder runtime.Decoder ) // Decoder returns an object decoder for Cilium and Slim objects. 
@@ -69,6 +75,16 @@ func DecodeObjectGVK(bytes []byte) (runtime.Object, *schema.GroupVersionKind, er return obj, gvk, err } +func DecodeKubernetesObject(bytes []byte) (runtime.Object, error) { + kubernetesDecoderOnce.Do(func() { + scheme := runtime.NewScheme() + fake.AddToScheme(scheme) + kubernetesDecoder = serializer.NewCodecFactory(scheme).UniversalDeserializer() + }) + obj, _, err := kubernetesDecoder.Decode(bytes, nil, nil) + return obj, err +} + func DecodeFile(path string) (runtime.Object, error) { bs, err := os.ReadFile(path) if err != nil { diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/testutils/resources.go b/vendor/github.com/cilium/cilium/pkg/k8s/testutils/resources.go index 2944a47d7a..4225a73a7a 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/testutils/resources.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/testutils/resources.go @@ -62,7 +62,6 @@ var ( {Name: cilium_v2.CNPPluralName, Namespaced: true, Kind: cilium_v2.CNPKindDefinition}, {Name: cilium_v2.CCNPPluralName, Namespaced: true, Kind: cilium_v2.CCNPKindDefinition}, {Name: cilium_v2.CLRPPluralName, Namespaced: true, Kind: cilium_v2.CLRPKindDefinition}, - {Name: cilium_v2.CEWPluralName, Namespaced: true, Kind: cilium_v2.CEWKindDefinition}, {Name: cilium_v2.CCECPluralName, Namespaced: true, Kind: cilium_v2.CCECKindDefinition}, {Name: cilium_v2.CECPluralName, Namespaced: true, Kind: cilium_v2.CECKindDefinition}, }, diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/watchers/resources/resources.go b/vendor/github.com/cilium/cilium/pkg/k8s/watchers/resources/resources.go index 8fa4272a0e..f2895f8450 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/watchers/resources/resources.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/watchers/resources/resources.go 
@@ -5,6 +5,12 @@ // K8s watchers. package resources +import ( + "k8s.io/apimachinery/pkg/api/meta" + + "github.com/cilium/cilium/pkg/container/cache" +) + const ( // K8sAPIGroupServiceV1Core is the identifier for K8s resources of type core/v1/Service. K8sAPIGroupServiceV1Core = "core/v1::Service" @@ -34,3 +40,15 @@ const ( // MetricDelete the label for watcher metrics related to delete events. MetricDelete = "delete" ) + +// dedupMetadata deduplicates the allocated strings in the metadata using the container/cache package. +func DedupMetadata(obj any) { + meta, err := meta.Accessor(obj) + if err != nil { + return + } + meta.SetName(cache.Strings.Get(meta.GetName())) + meta.SetNamespace(cache.Strings.Get(meta.GetNamespace())) + meta.SetLabels(cache.StringMaps.Get(meta.GetLabels())) + meta.SetAnnotations(cache.StringMaps.Get(meta.GetAnnotations())) +} diff --git a/vendor/github.com/cilium/cilium/pkg/kvstore/store/syncstore.go b/vendor/github.com/cilium/cilium/pkg/kvstore/store/syncstore.go index f8af6aa999..bc2008ace6 100644 --- a/vendor/github.com/cilium/cilium/pkg/kvstore/store/syncstore.go +++ b/vendor/github.com/cilium/cilium/pkg/kvstore/store/syncstore.go @@ -65,8 +65,8 @@ type wqSyncStore struct { workers uint withLease bool - limiter workqueue.RateLimiter - workqueue workqueue.RateLimitingInterface + limiter workqueue.TypedRateLimiter[workqueueKey] + workqueue workqueue.TypedRateLimitingInterface[workqueueKey] state lock.Map[string, []byte] // map[NamedKey.GetKeyName()]Key.Marshal() synced atomic.Bool // Synced() has been triggered 
@@ -80,12 +80,15 @@ type wqSyncStore struct {
 syncedMetric prometheus.Gauge
 }
-type syncCanary struct{ skipCallbacks bool }
+type workqueueKey struct {
+ value string
+ syncCanary *struct{ skipCallbacks bool }
+}
 type WSSOpt func(*wqSyncStore)
 // WSSWithRateLimiter sets the rate limiting algorithm to be used when requeueing failed events.
-func WSSWithRateLimiter(limiter workqueue.RateLimiter) WSSOpt {
+func WSSWithRateLimiter(limiter workqueue.TypedRateLimiter[workqueueKey]) WSSOpt {
 return func(wss *wqSyncStore) {
 wss.limiter = limiter
 }
@@ -123,7 +126,7 @@ func newWorkqueueSyncStore(clusterName string, backend SyncStoreBackend, prefix
 workers: 1,
 withLease: true,
- limiter: workqueue.DefaultControllerRateLimiter(),
+ limiter: workqueue.DefaultTypedControllerRateLimiter[workqueueKey](),
 syncedKey: prefix,
 log: log.WithField(logfields.Prefix, prefix),
@@ -134,7 +137,7 @@ func newWorkqueueSyncStore(clusterName string, backend SyncStoreBackend, prefix
 }
 wss.log = wss.log.WithField(logfields.ClusterName, wss.source)
- wss.workqueue = workqueue.NewRateLimitingQueue(wss.limiter)
+ wss.workqueue = workqueue.NewTypedRateLimitingQueue(wss.limiter)
 wss.queuedMetric = m.KVStoreSyncQueueSize.WithLabelValues(kvstore.GetScopeFromKey(prefix), wss.source)
 wss.errorsMetric = m.KVStoreSyncErrors.WithLabelValues(kvstore.GetScopeFromKey(prefix), wss.source)
 wss.syncedMetric = m.KVStoreInitialSyncCompleted.WithLabelValues(kvstore.GetScopeFromKey(prefix), wss.source, "write")
@@ -190,7 +193,7 @@ func (wss *wqSyncStore) UpsertKey(_ context.Context, k Key) error {
 wss.pendingSync.Store(key, struct{}{})
 }
- wss.workqueue.Add(key)
+ wss.workqueue.Add(workqueueKey{value: key})
 wss.queuedMetric.Set(float64(wss.workqueue.Len()))
 }
@@ -203,7 +206,7 @@ func (wss *wqSyncStore) UpsertKey(_ context.Context, k Key) error {
 func (wss *wqSyncStore) DeleteKey(_ context.Context, k NamedKey) error {
 key := k.GetKeyName()
 if _, loaded := wss.state.LoadAndDelete(key); loaded {
- wss.workqueue.Add(key)
+ wss.workqueue.Add(workqueueKey{value: key})
 wss.queuedMetric.Set(float64(wss.workqueue.Len()))
 } else {
 wss.log.WithField(logfields.Key, key).Debug("ignoring delete request for non-existing key")
@@ -215,7 +218,7 @@ func (wss *wqSyncStore) DeleteKey(_ context.Context, k NamedKey) error {
 func (wss *wqSyncStore) Synced(_ context.Context, callbacks ...func(ctx context.Context)) error {
 if synced := wss.synced.Swap(true); !synced {
 wss.syncedCallbacks = callbacks
- wss.workqueue.Add(syncCanary{})
+ wss.workqueue.Add(workqueueKey{syncCanary: &struct{ skipCallbacks bool }{}})
 }
 return nil
 }
@@ -247,22 +250,21 @@ func (wss *wqSyncStore) processNextItem(ctx context.Context) bool {
 // Since no error occurred, forget this item so it does not get queued again
 // until another change happens.
 wss.workqueue.Forget(key)
- if skey, ok := key.(string); ok {
- wss.pendingSync.Delete(skey)
- }
+ wss.pendingSync.Delete(key.value)
 return true
 }
-func (wss *wqSyncStore) handle(ctx context.Context, key interface{}) error {
- if value, ok := key.(syncCanary); ok {
- return wss.handleSync(ctx, value.skipCallbacks)
+func (wss *wqSyncStore) handle(ctx context.Context, item workqueueKey) error {
+ if item.syncCanary != nil {
+ return wss.handleSync(ctx, item.syncCanary.skipCallbacks)
 }
+ key := item.value
- if value, ok := wss.state.Load(key.(string)); ok {
- return wss.handleUpsert(ctx, key.(string), value)
+ if value, ok := wss.state.Load(key); ok {
+ return wss.handleUpsert(ctx, key, value)
 }
- return wss.handleDelete(ctx, key.(string))
+ return wss.handleDelete(ctx, key)
 }
 func (wss *wqSyncStore) handleUpsert(ctx context.Context, key string, value []byte) error {
@@ -332,7 +334,7 @@ func (wss *wqSyncStore) handleExpiredLease(key string) {
 if key == wss.getSyncedKey() {
 // Re-enqueue the creation of the sync canary, but make sure that
 // the registered callbacks are not executed a second time.
- wss.workqueue.Add(syncCanary{skipCallbacks: true})
+ wss.workqueue.Add(workqueueKey{syncCanary: &struct{ skipCallbacks bool }{true}})
 return
 }
@@ -344,7 +346,7 @@ func (wss *wqSyncStore) handleExpiredLease(key string) {
 wss.pendingSync.Store(key, struct{}{})
 }
- wss.workqueue.Add(key)
+ wss.workqueue.Add(workqueueKey{value: key})
 }
 }
diff --git a/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go b/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go
index 89d2e46382..ebe8b0cb61 100644
--- a/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go
+++ b/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go
@@ -444,6 +444,13 @@ const (
 // with TunnelPeer
 ConflictingTunnelPeer = "conflictingTunnelPeer"
+ // EndpointFlags is the encoded set of flags for an endpoint
+ EndpointFlags = "endpointFlags"
+
+ // ConflictingEndpointFlags is the encoded set of flags that conflicts
+ // with 'EndpointFlags'
+ ConflictingEndpointFlags = "conflictingEndpointFlags"
+
 // Type is the address type
 Type = "type"
diff --git a/vendor/github.com/cilium/cilium/pkg/metrics/metrics.go b/vendor/github.com/cilium/cilium/pkg/metrics/metrics.go
index 08ea50f93d..91a7c75a4d 100644
--- a/vendor/github.com/cilium/cilium/pkg/metrics/metrics.go
+++ b/vendor/github.com/cilium/cilium/pkg/metrics/metrics.go
@@ -274,7 +274,7 @@ var (
 BPFMapPressure = true
 // BootstrapTimes is the durations of cilium-agent bootstrap sequence.
- BootstrapTimes = NoOpObserverVec
+ BootstrapTimes = NoOpGaugeVec
 // APIInteractions is the total time taken to process an API call made
 // to the cilium-agent
@@ -655,7 +655,7 @@ var (
 )
 type LegacyMetrics struct {
- BootstrapTimes metric.Vec[metric.Observer]
+ BootstrapTimes metric.Vec[metric.Gauge]
 APIInteractions metric.Vec[metric.Observer]
 NodeConnectivityStatus metric.DeletableVec[metric.Gauge]
 NodeConnectivityLatency metric.DeletableVec[metric.Gauge]
@@ -739,7 +739,7 @@ type LegacyMetrics struct {
 func NewLegacyMetrics() *LegacyMetrics {
 lm := &LegacyMetrics{
- BootstrapTimes: metric.NewHistogramVec(metric.HistogramOpts{
+ BootstrapTimes: metric.NewGaugeVec(metric.GaugeOpts{
 ConfigName: Namespace + "_" + SubsystemAgent + "_bootstrap_seconds",
 Namespace: Namespace,
 Subsystem: SubsystemAgent,
diff --git a/vendor/github.com/cilium/cilium/pkg/monitor/api/drop.go b/vendor/github.com/cilium/cilium/pkg/monitor/api/drop.go
index d181359530..1c6147622f 100644
--- a/vendor/github.com/cilium/cilium/pkg/monitor/api/drop.go
+++ b/vendor/github.com/cilium/cilium/pkg/monitor/api/drop.go
@@ -26,6 +26,8 @@ var errors = map[uint8]string{
 9: "Fragmented packet",
 10: "Fragmented packet entry update failed",
 11: "Missed tail call to custom program",
+ 12: "Interface Decrypting",
+ 13: "Interface Encrypting",
 130: "Invalid source mac", // Unused
 131: "Invalid destination mac", // Unused
 132: "Invalid source ip",
diff --git a/vendor/github.com/cilium/cilium/pkg/monitor/api/types.go b/vendor/github.com/cilium/cilium/pkg/monitor/api/types.go
index fc15a962a2..8bb2125fc2 100644
--- a/vendor/github.com/cilium/cilium/pkg/monitor/api/types.go
+++ b/vendor/github.com/cilium/cilium/pkg/monitor/api/types.go
@@ -161,6 +161,8 @@ const (
 TraceFromOverlay
 TraceFromNetwork
 TraceToNetwork
+ TraceFromCrypto
+ TraceToCrypto
 )
 // TraceObservationPoints is a map of all supported trace observation points
@@ -171,12 +173,14 @@ var TraceObservationPoints = map[uint8]string{
 TraceToStack: "to-stack",
 TraceToOverlay: "to-overlay",
 TraceToNetwork: "to-network",
+ TraceToCrypto: "to-crypto",
 TraceFromLxc: "from-endpoint",
 TraceFromProxy: "from-proxy",
 TraceFromHost: "from-host",
 TraceFromStack: "from-stack",
 TraceFromOverlay: "from-overlay",
 TraceFromNetwork: "from-network",
+ TraceFromCrypto: "from-crypto",
 }
 // TraceObservationPoint returns the name of a trace observation point
diff --git a/vendor/github.com/cilium/cilium/pkg/option/config.go b/vendor/github.com/cilium/cilium/pkg/option/config.go
index b939fd6429..f6e61433f3 100644
--- a/vendor/github.com/cilium/cilium/pkg/option/config.go
+++ b/vendor/github.com/cilium/cilium/pkg/option/config.go
@@ -192,10 +192,6 @@ const (
 // K8sRequireIPv6PodCIDRName is the name of the K8sRequireIPv6PodCIDR option
 K8sRequireIPv6PodCIDRName = "k8s-require-ipv6-pod-cidr"
- // K8sWatcherEndpointSelector specifies the k8s endpoints that Cilium
- // should watch for.
- K8sWatcherEndpointSelector = "k8s-watcher-endpoint-selector"
-
 // EnableK8s operation of Kubernetes-related services/controllers.
 // Intended for operating cilium with CNI-compatible orchestrators other than Kubernetes. (default is true)
 EnableK8s = "enable-k8s"
@@ -668,9 +664,6 @@ const (
 // AgentNotReadyNodeTaintKey
 AgentNotReadyNodeTaintKeyName = "agent-not-ready-taint-key"
- // JoinClusterName is the name of the JoinCluster Option
- JoinClusterName = "join-cluster"
-
 // EnableIPv4Name is the name of the option to enable IPv4 support
 EnableIPv4Name = "enable-ipv4"
@@ -1149,6 +1142,9 @@ const (
 // EnableEndpointLockdownOnPolicyOverflow enables endpoint lockdown when an endpoint's
 // policy map overflows.
 EnableEndpointLockdownOnPolicyOverflow = "enable-endpoint-lockdown-on-policy-overflow"
+
+ // ConnectivityProbeFrequencyRatio is the name of the option to specify the connectivity probe frequency
+ ConnectivityProbeFrequencyRatio = "connectivity-probe-frequency-ratio"
 )
 // Default string arguments
@@ -1200,9 +1196,6 @@ const (
 // IdentityManagementMode controls whether CiliumIdentities are managed by cilium-agent, cilium-operator, or both.
 IdentityManagementMode = "identity-management-mode"
- // EnableExternalWorkloads enables the support for external workloads.
- EnableExternalWorkloads = "enable-external-workloads"
-
 // EnableSourceIPVerification enables the source ip verification, defaults to true
 EnableSourceIPVerification = "enable-source-ip-verification"
 )
@@ -1528,10 +1521,6 @@ type DaemonConfig struct {
 // pods.
 AgentNotReadyNodeTaintKey string
- // JoinCluster is 'true' if the agent should join a Cilium cluster via kvstore
- // registration
- JoinCluster bool
-
 // EnableIPv4 is true when IPv4 is enabled
 EnableIPv4 bool
@@ -1651,7 +1640,6 @@ type DaemonConfig struct {
 IPv6ServiceRange string
 K8sSyncTimeout time.Duration
 AllocatorListTimeout time.Duration
- K8sWatcherEndpointSelector string
 KVStore string
 KVStoreOpt map[string]string
 LabelPrefixFile string
@@ -2259,6 +2247,9 @@ type DaemonConfig struct {
 // EnableEndpointLockdownOnPolicyOverflow enables endpoint lockdown when an endpoint's
 // policy map overflows.
 EnableEndpointLockdownOnPolicyOverflow bool
+
+ // ConnectivityProbeFrequencyRatio is the ratio of the connectivity probe frequency vs resource consumption
+ ConnectivityProbeFrequencyRatio float64
 }
 var (
@@ -2322,6 +2313,8 @@ var (
 EnableNonDefaultDenyPolicies: defaults.EnableNonDefaultDenyPolicies,
 EnableSourceIPVerification: defaults.EnableSourceIPVerification,
+
+ ConnectivityProbeFrequencyRatio: defaults.ConnectivityProbeFrequencyRatio,
 }
 )
@@ -2905,13 +2898,11 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
 c.IPv6NodeAddr = vp.GetString(IPv6NodeAddr)
 c.IPv6Range = vp.GetString(IPv6Range)
 c.IPv6ServiceRange = vp.GetString(IPv6ServiceRange)
- c.JoinCluster = vp.GetBool(JoinClusterName)
 c.K8sRequireIPv4PodCIDR = vp.GetBool(K8sRequireIPv4PodCIDRName)
 c.K8sRequireIPv6PodCIDR = vp.GetBool(K8sRequireIPv6PodCIDRName)
 c.K8sServiceCacheSize = uint(vp.GetInt(K8sServiceCacheSize))
 c.K8sSyncTimeout = vp.GetDuration(K8sSyncTimeoutName)
 c.AllocatorListTimeout = vp.GetDuration(AllocatorListTimeoutName)
- c.K8sWatcherEndpointSelector = vp.GetString(K8sWatcherEndpointSelector)
 c.KeepConfig = vp.GetBool(KeepConfig)
 c.KVStore = vp.GetString(KVStore)
 c.KVstoreLeaseTTL = vp.GetDuration(KVstoreLeaseTTL)
@@ -3333,6 +3324,15 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
 c.LoadBalancerOnly = vp.GetBool(LoadBalancerOnly)
 c.EnableInternalTrafficPolicy = vp.GetBool(EnableInternalTrafficPolicy)
 c.EnableSourceIPVerification = vp.GetBool(EnableSourceIPVerification)
+
+ // Allow the range [0.0, 1.0].
+ connectivityFreqRatio := vp.GetFloat64(ConnectivityProbeFrequencyRatio)
+ if 0.0 <= connectivityFreqRatio && connectivityFreqRatio <= 1.0 {
+ c.ConnectivityProbeFrequencyRatio = connectivityFreqRatio
+ } else {
+ log.Warningf("specified connectivity probe frequency ratio %f must be in the range [0.0, 1.0], using default", connectivityFreqRatio)
+ c.ConnectivityProbeFrequencyRatio = defaults.ConnectivityProbeFrequencyRatio
+ }
 }
 func (c *DaemonConfig) populateLoadBalancerSettings(vp *viper.Viper) {
diff --git a/vendor/github.com/cilium/cilium/pkg/policy/mapstate.go b/vendor/github.com/cilium/cilium/pkg/policy/mapstate.go
index 5d2b8633d5..f236dcf9b1 100644
--- a/vendor/github.com/cilium/cilium/pkg/policy/mapstate.go
+++ b/vendor/github.com/cilium/cilium/pkg/policy/mapstate.go
@@ -738,8 +738,8 @@ func (ms *mapState) insertWithChanges(newKey Key, newEntry mapStateEntry, featur
 // Delete covered allow entries with lower proxy port priority.
 //
- // This can be skipped if no rules have proxy redirects
- if features.contains(redirectRules) {
+ // This is only needed if the newEntry has a proxy port priority greater than zero.
+ if newEntry.ProxyPortPriority > 0 {
 for k, v := range ms.NarrowerOrEqualKeys(newKey) {
 if !v.IsDeny() && v.ProxyPortPriority < newEntry.ProxyPortPriority {
 ms.deleteKeyWithChanges(k, changes)
diff --git a/vendor/github.com/cilium/cilium/pkg/service/store/logfields.go b/vendor/github.com/cilium/cilium/pkg/service/store/logfields.go
deleted file mode 100644
index 7dc7953d68..0000000000
--- a/vendor/github.com/cilium/cilium/pkg/service/store/logfields.go
+++ /dev/null
@@ -1,11 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// Copyright Authors of Cilium
-
-package store
-
-import (
- "github.com/cilium/cilium/pkg/logging"
- "github.com/cilium/cilium/pkg/logging/logfields"
-)
-
-var log = logging.DefaultLogger.WithField(logfields.LogSubsys, "service")
diff --git a/vendor/github.com/cilium/cilium/pkg/service/store/store.go b/vendor/github.com/cilium/cilium/pkg/service/store/store.go
index 4b4d54e2ee..7b2a041e81 100644
--- a/vendor/github.com/cilium/cilium/pkg/service/store/store.go
+++ b/vendor/github.com/cilium/cilium/pkg/service/store/store.go
@@ -17,7 +17,6 @@ import (
 "github.com/cilium/cilium/pkg/kvstore/store"
 "github.com/cilium/cilium/pkg/loadbalancer"
 "github.com/cilium/cilium/pkg/lock"
- "github.com/cilium/cilium/pkg/logging/logfields"
 "github.com/cilium/cilium/pkg/option"
 )
@@ -241,60 +240,3 @@ func KeyCreator(validators ...clusterServiceValidator) store.KeyCreator {
 return &ValidatingClusterService{validators: validators}
 }
 }
-
-type clusterServiceObserver struct {
- // merger is the interface responsible to merge service and
- // endpoints into an existing cache
- merger ServiceMerger
-
- // swg provides a mechanism to know when the services were synchronized
- // with the datapath.
- swg *lock.StoppableWaitGroup
-}
-
-// OnUpdate is called when a service in a remote cluster is updated
-func (c *clusterServiceObserver) OnUpdate(key store.Key) {
- if svc, ok := key.(*ValidatingClusterService); ok {
- scopedLog := log.WithField(logfields.ServiceName, svc.String())
- scopedLog.Debugf("Update event of cluster service %#v", svc)
-
- c.merger.MergeClusterServiceUpdate(&svc.ClusterService, c.swg)
- } else {
- log.Warningf("Received unexpected cluster service update object %+v", key)
- }
-}
-
-// OnDelete is called when a service in a remote cluster is deleted
-func (c *clusterServiceObserver) OnDelete(key store.NamedKey) {
- if svc, ok := key.(*ValidatingClusterService); ok {
- scopedLog := log.WithField(logfields.ServiceName, svc.String())
- scopedLog.Debugf("Delete event of cluster service %#v", svc)
-
- c.merger.MergeClusterServiceDelete(&svc.ClusterService, c.swg)
- } else {
- log.Warningf("Received unexpected cluster service delete object %+v", key)
- }
-}
-
-// JoinClusterServices starts a controller for syncing services from the kvstore
-func JoinClusterServices(merger ServiceMerger, clusterName string) {
- swg := lock.NewStoppableWaitGroup()
-
- log.Info("Enumerating cluster services")
- // JoinSharedStore performs initial sync of services
- _, err := store.JoinSharedStore(store.Configuration{
- Prefix: path.Join(ServiceStorePrefix, clusterName),
- KeyCreator: KeyCreator(
- ClusterNameValidator(clusterName),
- NamespacedNameValidator(),
- ),
- Observer: &clusterServiceObserver{
- merger: merger,
- swg: swg,
- },
- })
- if err != nil {
- log.WithError(err).Fatal("Enumerating cluster services failed")
- }
- swg.Stop()
-}
diff --git a/vendor/github.com/cilium/cilium/stable.txt b/vendor/github.com/cilium/cilium/stable.txt
new file mode 100644
index 0000000000..07c3efad8d
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/stable.txt
@@ -0,0 +1 @@
+v1.17.0
diff --git a/vendor/github.com/cilium/hive/cell/config.go b/vendor/github.com/cilium/hive/cell/config.go
index 3662da33f3..2e0b9d978f 100644
--- a/vendor/github.com/cilium/hive/cell/config.go
+++ b/vendor/github.com/cilium/hive/cell/config.go
@@ -4,6 +4,7 @@
 package cell
 import (
+ "errors"
 "fmt"
 "reflect"
 "strings"
@@ -14,6 +15,8 @@ import (
 "go.uber.org/dig"
 )
+var ErrDuplicateFlag = errors.New("duplicate flag")
+
 // Config constructs a new config cell.
 //
 // The configuration struct `T` needs to implement the Flags method that
@@ -149,8 +152,16 @@ func (c *config[Cfg]) Apply(cont container, _ rootContainer) error {
 // Register the flags to the global set of all flags.
 err := cont.Invoke(
- func(allFlags *pflag.FlagSet) {
+ func(allFlags *pflag.FlagSet) error {
+ var err error
+ flags.VisitAll(func(flag *pflag.Flag) {
+ if allFlags.Lookup(flag.Name) != nil {
+ err2 := fmt.Errorf("'%s' declared twice: %w", flag.Name, ErrDuplicateFlag)
+ err = errors.Join(err, err2)
+ }
+ })
 allFlags.AddFlagSet(flags)
+ return err
 })
 if err != nil {
 return err
diff --git a/vendor/github.com/cilium/hive/cell/info.go b/vendor/github.com/cilium/hive/cell/info.go
index 7c2075328a..aa534a5949 100644
--- a/vendor/github.com/cilium/hive/cell/info.go
+++ b/vendor/github.com/cilium/hive/cell/info.go
@@ -7,7 +7,6 @@ import (
 "bufio"
 "fmt"
 "io"
- "os"
 "strings"
 "github.com/davecgh/go-spew/spew"
@@ -24,13 +23,20 @@ type InfoPrinter struct {
 width int
 }
-func NewInfoPrinter() *InfoPrinter {
- width, _, err := term.GetSize(int(os.Stdout.Fd()))
- if err != nil {
- width = 120
+type fder interface {
+ Fd() uintptr
+}
+
+func NewInfoPrinter(w io.Writer) *InfoPrinter {
+ width := 120
+ if f, ok := w.(fder); ok {
+ widthFd, _, err := term.GetSize(int(f.Fd()))
+ if err == nil {
+ width = widthFd
+ }
 }
 return &InfoPrinter{
- Writer: os.Stdout,
+ Writer: w,
 width: width,
 }
 }
diff --git a/vendor/github.com/cilium/hive/cell/lifecycle.go b/vendor/github.com/cilium/hive/cell/lifecycle.go
index a41f75ee2c..c6db2693b4 100644
--- a/vendor/github.com/cilium/hive/cell/lifecycle.go
+++ b/vendor/github.com/cilium/hive/cell/lifecycle.go
@@ -7,6 +7,7 @@ import (
 "context"
 "errors"
 "fmt"
+ "io"
 "log/slog"
 "sync"
 "time"
@@ -56,7 +57,7 @@ type Lifecycle interface {
 Start(*slog.Logger, context.Context) error
 Stop(*slog.Logger, context.Context) error
- PrintHooks()
+ PrintHooks(io.Writer)
 }
 // DefaultLifecycle lifecycle implements a simple lifecycle management that conforms
@@ -178,27 +179,27 @@ func (lc *DefaultLifecycle) Stop(log *slog.Logger, ctx context.Context) error {
 return errs
 }
-func (lc *DefaultLifecycle) PrintHooks() {
+func (lc *DefaultLifecycle) PrintHooks(w io.Writer) {
 lc.mu.Lock()
 defer lc.mu.Unlock()
- fmt.Printf("Start hooks:\n\n")
+ fmt.Fprintf(w, "Start hooks:\n\n")
 for _, hook := range lc.hooks {
 fnName, exists := getHookFuncName(hook.HookInterface, true)
 if !exists {
 continue
 }
- fmt.Printf(" • %s (%s)\n", fnName, hook.moduleID)
+ fmt.Fprintf(w, " • %s (%s)\n", fnName, hook.moduleID)
 }
- fmt.Printf("\nStop hooks:\n\n")
+ fmt.Fprintf(w, "\nStop hooks:\n\n")
 for i := len(lc.hooks) - 1; i >= 0; i-- {
 hook := lc.hooks[i]
 fnName, exists := getHookFuncName(hook.HookInterface, false)
 if !exists {
 continue
 }
- fmt.Printf(" • %s (%s)\n", fnName, hook.moduleID)
+ fmt.Fprintf(w, " • %s (%s)\n", fnName, hook.moduleID)
 }
 }
diff --git a/vendor/github.com/cilium/hive/command.go b/vendor/github.com/cilium/hive/command.go
index 62ec26724c..b398e77539 100644
--- a/vendor/github.com/cilium/hive/command.go
+++ b/vendor/github.com/cilium/hive/command.go
@@ -4,6 +4,9 @@
 package hive
 import (
+ "log/slog"
+ "os"
+
 "github.com/spf13/cobra"
 )
@@ -14,7 +17,7 @@ func (h *Hive) Command() *cobra.Command {
 Use: "hive",
 Short: "Inspect the hive",
 Run: func(cmd *cobra.Command, args []string) {
- h.PrintObjects()
+ h.PrintObjects(os.Stdout, slog.Default())
 },
 TraverseChildren: false,
 }
diff --git a/vendor/github.com/cilium/hive/hive.go b/vendor/github.com/cilium/hive/hive.go
index 7760ec8add..760fe08436 100644
--- a/vendor/github.com/cilium/hive/hive.go
+++ b/vendor/github.com/cilium/hive/hive.go
@@ -7,6 +7,7 @@ import (
 "context"
 "errors"
 "fmt"
+ "io"
 "log/slog"
 "os"
 "os/signal"
@@ -339,9 +340,9 @@ func (h *Hive) Start(log *slog.Logger, ctx context.Context) error {
 start := time.Now()
 err := h.lifecycle.Start(log, ctx)
 if err == nil {
- log.Info("Started", "duration", time.Since(start))
+ log.Info("Started hive", "duration", time.Since(start))
 } else {
- log.Error("Start failed", "error", err, "duration", time.Since(start))
+ log.Error("Failed to start hive", "error", err, "duration", time.Since(start))
 }
 return err
 }
@@ -351,7 +352,7 @@ func (h *Hive) Start(log *slog.Logger, ctx context.Context) error {
 // then after 5 more seconds the process will be terminated forcefully.
 func (h *Hive) Stop(log *slog.Logger, ctx context.Context) error {
 defer close(h.fatalOnTimeout(ctx))
- log.Info("Stopping")
+ log.Info("Stopping hive")
 return h.lifecycle.Stop(log, ctx)
 }
@@ -392,18 +393,18 @@ func (h *Hive) Shutdown(opts ...ShutdownOption) {
 }
 }
-func (h *Hive) PrintObjects() {
- if err := h.Populate(slog.Default()); err != nil {
+func (h *Hive) PrintObjects(w io.Writer, log *slog.Logger) {
+ if err := h.Populate(log); err != nil {
 panic(fmt.Sprintf("Failed to populate object graph: %s", err))
 }
- fmt.Printf("Cells:\n\n")
- ip := cell.NewInfoPrinter()
+ fmt.Fprintf(w, "Cells:\n\n")
+ ip := cell.NewInfoPrinter(w)
 for _, c := range h.cells {
 c.Info(h.container).Print(2, ip)
- fmt.Println()
+ fmt.Fprintln(w)
 }
- h.lifecycle.PrintHooks()
+ h.lifecycle.PrintHooks(w)
 }
 func (h *Hive) PrintDotGraph() {
@@ -429,6 +430,8 @@ func (h *Hive) ScriptCommands(log *slog.Logger) (map[string]script.Cmd, error) {
 }
 m := map[string]script.Cmd{}
 m["hive"] = hiveScriptCmd(h, log)
+ m["hive/start"] = hiveStartCmd(h, log)
+ m["hive/stop"] = hiveStopCmd(h, log)
 // Gather the commands from the hive.
 h.container.Invoke(func(sc ScriptCmds) {
diff --git a/vendor/github.com/cilium/hive/script.go b/vendor/github.com/cilium/hive/script.go
index bf3691a271..f4a2a0f211 100644
--- a/vendor/github.com/cilium/hive/script.go
+++ b/vendor/github.com/cilium/hive/script.go
@@ -63,28 +63,54 @@ type ScriptCmdsOut struct {
 ScriptCmds []ScriptCmd `group:"script-commands,flatten"`
 }
+const defaultScriptTimeout = time.Minute
+
 func hiveScriptCmd(h *Hive, log *slog.Logger) script.Cmd {
- const defaultTimeout = time.Minute
 return script.Command(
 script.CmdUsage{
- Summary: "manipulate the hive",
- Args: "cmd args...",
+ Summary: "show the hive",
 },
 func(s *script.State, args ...string) (script.WaitFunc, error) {
- if len(args) < 1 {
- return nil, fmt.Errorf("hive cmd args...\n'cmd' is one of: start, stop, jobs")
- }
- switch args[0] {
- case "start":
- ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)
+ switch {
+ // For backwards compatibility.
+ case len(args) >= 1 && args[0] == "start":
+ ctx, cancel := context.WithTimeout(context.Background(), defaultScriptTimeout)
 defer cancel()
 return nil, h.Start(log, ctx)
- case "stop":
- ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)
+ case len(args) >= 1 && args[0] == "stop":
+ ctx, cancel := context.WithTimeout(context.Background(), defaultScriptTimeout)
 defer cancel()
 return nil, h.Stop(log, ctx)
+ default:
+ h.PrintObjects(s.LogWriter(), log)
+ return nil, nil
 }
- return nil, fmt.Errorf("unknown hive command %q, expected one of: start, stop, jobs", args[0])
+ },
+ )
+}
+
+func hiveStartCmd(h *Hive, log *slog.Logger) script.Cmd {
+ return script.Command(
+ script.CmdUsage{
+ Summary: "start the hive",
+ },
+ func(s *script.State, args ...string) (script.WaitFunc, error) {
+ ctx, cancel := context.WithTimeout(context.Background(), defaultScriptTimeout)
+ defer cancel()
+ return nil, h.Start(log, ctx)
+ },
+ )
+}
+
+func hiveStopCmd(h *Hive, log *slog.Logger) script.Cmd {
+ return script.Command(
+ script.CmdUsage{
+ Summary: "stop the hive",
+ },
+ func(s *script.State, args ...string) (script.WaitFunc, error) {
+ ctx, cancel := context.WithTimeout(context.Background(), defaultScriptTimeout)
+ defer cancel()
+ return nil, h.Stop(log, ctx)
 },
 )
 }
diff --git a/vendor/github.com/cilium/hive/script/cmds.go b/vendor/github.com/cilium/hive/script/cmds.go
index 4182d1b8a5..75fb7fbf35 100644
--- a/vendor/github.com/cilium/hive/script/cmds.go
+++ b/vendor/github.com/cilium/hive/script/cmds.go
@@ -1190,19 +1190,31 @@ func Break() Cmd {
 }
 defer tty.Close()
+ // Flush any pending logs before switching to raw mode.
+ s.FlushLog()
+
+ // Hack: sleep a little bit to allow the log to be written out to stdout
+ // before we switch to raw mode (which might mess up the output)
+ time.Sleep(50 * time.Millisecond)
+
 prev, err := term.MakeRaw(int(tty.Fd()))
 if err != nil {
 return nil, fmt.Errorf("cannot set /dev/tty to raw mode")
 }
 defer term.Restore(int(tty.Fd()), prev)
- // Flush any pending logs
- engine := s.engine
-
+ // Switch the log output to the terminal until we continue
 term := term.NewTerminal(tty, "debug> ")
- s.FlushLog()
+ origLogOut := s.logOut
+ defer func() {
+ s.logOut = origLogOut
+
+ }()
+ s.logOut = term
+
 fmt.Fprintf(term, "\nBreak! Control-d to continue.\n")
+ engine := s.engine
 for {
 line, err := term.ReadLine()
 if err != nil {
diff --git a/vendor/github.com/cilium/hive/script/engine.go b/vendor/github.com/cilium/hive/script/engine.go
index ed4fa6fdf3..b919bb469d 100644
--- a/vendor/github.com/cilium/hive/script/engine.go
+++ b/vendor/github.com/cilium/hive/script/engine.go
@@ -77,21 +77,28 @@ type Engine struct {
 // section when starting a new section.
 Quiet bool
- // RetryInterval for retrying commands marked with '*'. If zero, then
- // the default retry interval is used.
+ // RetryInterval is the minimal interval for retrying commands marked with '*'.
+ // If zero, then the default retry interval is used.
 RetryInterval time.Duration
+
+ // MaxRetryInterval is the maximum time to wait before retrying.
+ MaxRetryInterval time.Duration
 }
 // NewEngine returns an Engine configured with a basic set of commands and conditions.
 func NewEngine() *Engine {
 return &Engine{
- Cmds: DefaultCmds(),
- Conds: DefaultConds(),
- RetryInterval: defaultRetryInterval,
+ Cmds: DefaultCmds(),
+ Conds: DefaultConds(),
+ RetryInterval: defaultRetryInterval,
+ MaxRetryInterval: defaultMaxRetryInterval,
 }
 }
-const defaultRetryInterval = 100 * time.Millisecond
+const (
+ defaultRetryInterval = 100 * time.Millisecond
+ defaultMaxRetryInterval = 500 * time.Millisecond
+)
 // A Cmd is a command that is available to a script.
 type Cmd interface {
@@ -168,6 +175,8 @@ type CondUsage struct {
 Prefix bool
 }
+var ParseError = errors.New("parse error")
+
 // Execute reads and executes script, writing the output to log.
 //
 // Execute stops and returns an error at the first command that does not succeed.
@@ -288,7 +297,7 @@ func (e *Engine) Execute(s *State, file string, script *bufio.Reader, log io.Wri
 s.Logf("> %s\n", line)
 if err != nil {
- return lineErr(err)
+ return lineErr(fmt.Errorf("%w: %w", ParseError, err))
 }
 // Evaluate condition guards.
@@ -329,14 +338,16 @@ func (e *Engine) Execute(s *State, file string, script *bufio.Reader, log io.Wri
 if cmd.want == successRetryOnFailure || cmd.want == failureRetryOnSuccess {
 // Command wants retries. Retry the whole section
 numRetries := 0
+ backoff := exponentialBackoff{max: e.MaxRetryInterval, interval: e.RetryInterval}
 for err != nil {
 s.FlushLog()
+ retryDuration := backoff.get()
+ s.Logf("(command %q failed, retrying in %s...)\n", line, retryDuration)
 select {
 case <-s.Context().Done():
 return lineErr(s.Context().Err())
- case <-time.After(retryInterval):
+ case <-time.After(retryDuration):
 }
- s.Logf("(command %q failed, retrying...)\n", line)
 numRetries++
 for _, cmd := range sectionCmds {
 impl := e.Cmds[cmd.name]
@@ -995,3 +1006,14 @@ func (e *Engine) ListConds(w io.Writer, s *State, tags ...string) error {
 return nil
 }
+
+type exponentialBackoff struct {
+ max time.Duration
+ interval time.Duration
+}
+
+func (eb *exponentialBackoff) get() time.Duration {
+ d := eb.interval
+ eb.interval = min(eb.interval*2, eb.max)
+ return d
+}
diff --git a/vendor/github.com/cilium/hive/script/state.go b/vendor/github.com/cilium/hive/script/state.go
index 29c3287f95..44c80cdd56 100644
--- a/vendor/github.com/cilium/hive/script/state.go
+++ b/vendor/github.com/cilium/hive/script/state.go
@@ -41,6 +41,8 @@ type State struct {
 DoUpdate bool
 FileUpdates map[string]string
+ BreakOnError bool
+
 background []backgroundCmd
 }
@@ -198,9 +200,16 @@ func (s *State) LogWriter() io.Writer {
 return &s.log
 }
+type flusher interface {
+ Flush() error
+}
+
 // FlushLog writes out the contents of the script's log and clears the buffer.
 func (s *State) FlushLog() error {
 _, err := s.logOut.Write(s.log.Bytes())
+ if flusher, ok := s.logOut.(flusher); ok {
+ flusher.Flush()
+ }
 s.log.Reset()
 return err
 }
diff --git a/vendor/github.com/cilium/proxy/go/cilium/api/bpf_metadata.pb.go b/vendor/github.com/cilium/proxy/go/cilium/api/bpf_metadata.pb.go
index 2666dd7edb..9bcd3dc9f2 100644
--- a/vendor/github.com/cilium/proxy/go/cilium/api/bpf_metadata.pb.go +++ b/vendor/github.com/cilium/proxy/go/cilium/api/bpf_metadata.pb.go @@ -66,6 +66,7 @@ type BpfMetadata struct { ProxyId uint32 `protobuf:"varint,8,opt,name=proxy_id,json=proxyId,proto3" json:"proxy_id,omitempty"` // policy_update_warning_limit is the time in milliseconds after which a warning is logged if // network policy update took longer + // Deprecated, has no effect. PolicyUpdateWarningLimit *durationpb.Duration `protobuf:"bytes,9,opt,name=policy_update_warning_limit,json=policyUpdateWarningLimit,proto3" json:"policy_update_warning_limit,omitempty"` } diff --git a/vendor/github.com/cilium/statedb/any_table.go b/vendor/github.com/cilium/statedb/any_table.go index ebea155734..36b40a30a3 100644 --- a/vendor/github.com/cilium/statedb/any_table.go +++ b/vendor/github.com/cilium/statedb/any_table.go @@ -15,6 +15,11 @@ type AnyTable struct { Meta TableMeta } +func (t AnyTable) NumObjects(txn ReadTxn) int { + indexTxn := txn.getTxn().mustIndexReadTxn(t.Meta, PrimaryIndexPos) + return indexTxn.Len() +} + func (t AnyTable) All(txn ReadTxn) iter.Seq2[any, Revision] { all, _ := t.AllWatch(txn) return all @@ -31,7 +36,7 @@ func (t AnyTable) UnmarshalYAML(data []byte) (any, error) { func (t AnyTable) Insert(txn WriteTxn, obj any) (old any, hadOld bool, err error) { var iobj object - iobj, hadOld, err = txn.getTxn().insert(t.Meta, Revision(0), obj) + iobj, hadOld, _, err = txn.getTxn().insert(t.Meta, Revision(0), obj) if hadOld { old = iobj.data } diff --git a/vendor/github.com/cilium/statedb/part/txn.go b/vendor/github.com/cilium/statedb/part/txn.go index 943ab23aa5..cc417cd232 100644 --- a/vendor/github.com/cilium/statedb/part/txn.go +++ b/vendor/github.com/cilium/statedb/part/txn.go 
@@ -49,7 +49,15 @@ func (txn *Txn[T]) Clone() *Txn[T] {
 // Insert or update the tree with the given key and value.
 // Returns the old value if it exists.
 func (txn *Txn[T]) Insert(key []byte, value T) (old T, hadOld bool) {
- old, hadOld, txn.root = txn.insert(txn.root, key, value)
+ old, hadOld, _ = txn.InsertWatch(key, value)
+ return
+}
+
+// Insert or update the tree with the given key and value.
+// Returns the old value if it exists and a watch channel that closes when the
+// key changes again.
+func (txn *Txn[T]) InsertWatch(key []byte, value T) (old T, hadOld bool, watch <-chan struct{}) {
+ old, hadOld, watch, txn.root = txn.insert(txn.root, key, value)
 if !hadOld {
 txn.size++
 }
@@ -61,7 +69,17 @@ func (txn *Txn[T]) Insert(key []byte, value T) (old T, hadOld bool) {
 // caller to not mutate the value in-place and to return a clone.
 // Returns the old value if it exists.
 func (txn *Txn[T]) Modify(key []byte, mod func(T) T) (old T, hadOld bool) {
- old, hadOld, txn.root = txn.modify(txn.root, key, mod)
+ old, hadOld, _ = txn.ModifyWatch(key, mod)
+ return
+}
+
+// Modify a value in the tree. If the key does not exist the modify
+// function is called with the zero value for T. It is up to the
+// caller to not mutate the value in-place and to return a clone.
+// Returns the old value if it exists and a watch channel that closes
+// when the key changes again.
+func (txn *Txn[T]) ModifyWatch(key []byte, mod func(T) T) (old T, hadOld bool, watch <-chan struct{}) {
+ old, hadOld, watch, txn.root = txn.modify(txn.root, key, mod)
 if !hadOld {
 txn.size++
 }
@@ -166,11 +184,11 @@ func (txn *Txn[T]) cloneNode(n *header[T]) *header[T] { return n } -func (txn *Txn[T]) insert(root *header[T], key []byte, value T) (oldValue T, hadOld bool, newRoot *header[T]) { +func (txn *Txn[T]) insert(root *header[T], key []byte, value T) (oldValue T, hadOld bool, watch <-chan struct{}, newRoot *header[T]) { return txn.modify(root, key, func(_ T) T { return value }) } -func (txn *Txn[T]) modify(root *header[T], key []byte, mod func(T) T) (oldValue T, hadOld bool, newRoot *header[T]) { +func (txn *Txn[T]) modify(root *header[T], key []byte, mod func(T) T) (oldValue T, hadOld bool, watch <-chan struct{}, newRoot *header[T]) { fullKey := key this := root @@ -212,8 +230,10 @@ func (txn *Txn[T]) modify(root *header[T], key []byte, mod func(T) T) (oldValue this = txn.cloneNode(this) } var zero T - this.insert(idx, newLeaf(txn.opts, key, fullKey, mod(zero)).self()) + leaf := newLeaf(txn.opts, key, fullKey, mod(zero)) + this.insert(idx, leaf.self()) *thisp = this + watch = leaf.watch return } @@ -237,7 +257,9 @@ func (txn *Txn[T]) modify(root *header[T], key []byte, mod func(T) T) (oldValue hadOld = true this = txn.cloneNode(this) *thisp = this - this.getLeaf().value = mod(oldValue) + leaf := this.getLeaf() + leaf.value = mod(oldValue) + watch = leaf.watch } else { // Partially matching prefix. newNode := &node4[T]{ @@ -253,6 +275,7 @@ func (txn *Txn[T]) modify(root *header[T], key []byte, mod func(T) T) (oldValue key = key[len(common):] var zero T newLeaf := newLeaf(txn.opts, key, fullKey, mod(zero)) + watch = newLeaf.watch // Insert the two leaves into the node we created. If one has // a key that is a subset of the other, then we can insert them 
@@ -298,11 +321,14 @@ func (txn *Txn[T]) modify(root *header[T], key []byte, mod func(T) T) (oldValue hadOld = true leaf = txn.cloneNode(leaf.self()).getLeaf() leaf.value = mod(oldValue) + watch = leaf.watch this.setLeaf(leaf) } else { // Set the leaf var zero T - this.setLeaf(newLeaf(txn.opts, this.prefix, fullKey, mod(zero))) + leaf := newLeaf(txn.opts, this.prefix, fullKey, mod(zero)) + watch = leaf.watch + this.setLeaf(leaf) } default: @@ -316,6 +342,7 @@ func (txn *Txn[T]) modify(root *header[T], key []byte, mod func(T) T) (oldValue var zero T newLeaf := newLeaf(txn.opts, key, fullKey, mod(zero)) + watch = newLeaf.watch newNode := &node4[T]{ header: header[T]{prefix: common}, } diff --git a/vendor/github.com/cilium/statedb/script.go b/vendor/github.com/cilium/statedb/script.go index c0e805f967..2474e3c77c 100644 --- a/vendor/github.com/cilium/statedb/script.go +++ b/vendor/github.com/cilium/statedb/script.go @@ -28,6 +28,7 @@ func ScriptCommands(db *DB) hive.ScriptCmdsOut { "db": DBCmd(db), "db/show": ShowCmd(db), "db/cmp": CompareCmd(db), + "db/empty": EmptyCmd(db), "db/insert": InsertCmd(db), "db/delete": DeleteCmd(db), "db/get": GetCmd(db), @@ -168,8 +169,6 @@ func ShowCmd(db *DB) script.Cmd { fs.StringP("format", "f", "table", "Format to write in (table, yaml or json)") }, Detail: []string{ - "Show the contents of a table.", - "", "The contents are written to stdout, but can be written to", "a file instead with the -o flag.", "", 
@@ -354,6 +353,28 @@ func CompareCmd(db *DB) script.Cmd { }) } +func EmptyCmd(db *DB) script.Cmd { + return script.Command( + script.CmdUsage{ + Summary: "Assert that given table(s) are empty", + Args: "table", + }, + func(s *script.State, args ...string) (script.WaitFunc, error) { + txn := db.ReadTxn() + for _, tableName := range args { + meta := db.GetTable(txn, tableName) + if meta == nil { + return nil, fmt.Errorf("table %q not found", tableName) + } + tbl := AnyTable{Meta: meta} + if n := tbl.NumObjects(txn); n != 0 { + return nil, fmt.Errorf("table %q not empty, found %d obects", tableName, n) + } + } + return nil, nil + }) +} + func InsertCmd(db *DB) script.Cmd { return script.Command( script.CmdUsage{ diff --git a/vendor/github.com/cilium/statedb/table.go b/vendor/github.com/cilium/statedb/table.go index 1d75f07241..c7d41fb1f6 100644 --- a/vendor/github.com/cilium/statedb/table.go +++ b/vendor/github.com/cilium/statedb/table.go @@ -404,8 +404,13 @@ func (t *genTable[Obj]) ListWatch(txn ReadTxn, q Query[Obj]) (iter.Seq2[Obj, Rev } func (t *genTable[Obj]) Insert(txn WriteTxn, obj Obj) (oldObj Obj, hadOld bool, err error) { + oldObj, hadOld, _, err = t.InsertWatch(txn, obj) + return +} + +func (t *genTable[Obj]) InsertWatch(txn WriteTxn, obj Obj) (oldObj Obj, hadOld bool, watch <-chan struct{}, err error) { var old object - old, hadOld, err = txn.getTxn().insert(t, Revision(0), obj) + old, hadOld, watch, err = txn.getTxn().insert(t, Revision(0), obj) if hadOld { oldObj = old.data.(Obj) } @@ -414,7 +419,7 @@ func (t *genTable[Obj]) Insert(txn WriteTxn, obj Obj) (oldObj Obj, hadOld bool, func (t *genTable[Obj]) Modify(txn WriteTxn, obj Obj, merge func(old, new Obj) Obj) (oldObj Obj, hadOld bool, err error) { var old object - old, hadOld, err = txn.getTxn().modify(t, Revision(0), obj, + old, hadOld, _, err = txn.getTxn().modify(t, Revision(0), obj, func(old any) any { return merge(old.(Obj), obj) }) 
@@ -426,7 +431,7 @@ func (t *genTable[Obj]) Modify(txn WriteTxn, obj Obj, merge func(old, new Obj) O func (t *genTable[Obj]) CompareAndSwap(txn WriteTxn, rev Revision, obj Obj) (oldObj Obj, hadOld bool, err error) { var old object - old, hadOld, err = txn.getTxn().insert(t, rev, obj) + old, hadOld, _, err = txn.getTxn().insert(t, rev, obj) if hadOld { oldObj = old.data.(Obj) } diff --git a/vendor/github.com/cilium/statedb/txn.go b/vendor/github.com/cilium/statedb/txn.go index 4a7bc1c767..6c75c88232 100644 --- a/vendor/github.com/cilium/statedb/txn.go +++ b/vendor/github.com/cilium/statedb/txn.go @@ -145,20 +145,20 @@ func (txn *txn) mustIndexWriteTxn(meta TableMeta, indexPos int) indexTxn { return indexTxn } -func (txn *txn) insert(meta TableMeta, guardRevision Revision, data any) (object, bool, error) { +func (txn *txn) insert(meta TableMeta, guardRevision Revision, data any) (object, bool, <-chan struct{}, error) { return txn.modify(meta, guardRevision, data, func(_ any) any { return data }) } -func (txn *txn) modify(meta TableMeta, guardRevision Revision, newData any, merge func(any) any) (object, bool, error) { +func (txn *txn) modify(meta TableMeta, guardRevision Revision, newData any, merge func(any) any) (object, bool, <-chan struct{}, error) { if txn.modifiedTables == nil { - return object{}, false, ErrTransactionClosed + return object{}, false, nil, ErrTransactionClosed } // Look up table and allocate a new revision. tableName := meta.Name() table := txn.modifiedTables[meta.tablePos()] if table == nil { - return object{}, false, tableError(tableName, ErrTableNotLockedForWriting) + return object{}, false, nil, tableError(tableName, ErrTableNotLockedForWriting) } oldRevision := table.revision table.revision++ 
@@ -169,7 +169,7 @@ func (txn *txn) modify(meta TableMeta, guardRevision Revision, newData any, merg idIndexTxn := txn.mustIndexWriteTxn(meta, PrimaryIndexPos) var obj object - oldObj, oldExists := idIndexTxn.Modify(idKey, + oldObj, oldExists, watch := idIndexTxn.ModifyWatch(idKey, func(old object) object { obj = object{ revision: revision, @@ -204,7 +204,7 @@ func (txn *txn) modify(meta TableMeta, guardRevision Revision, newData any, merg // the insert. idIndexTxn.Delete(idKey) table.revision = oldRevision - return object{}, false, ErrObjectNotFound + return object{}, false, watch, ErrObjectNotFound } if oldObj.revision != guardRevision { // Revert the change. We're assuming here that it's rarer for CompareAndSwap() to @@ -212,7 +212,7 @@ func (txn *txn) modify(meta TableMeta, guardRevision Revision, newData any, merg // (versus doing a Get() and then Insert()). idIndexTxn.Insert(idKey, oldObj) table.revision = oldRevision - return oldObj, true, ErrRevisionNotEqual + return oldObj, true, watch, ErrRevisionNotEqual } } @@ -266,7 +266,7 @@ func (txn *txn) modify(meta TableMeta, guardRevision Revision, newData any, merg }) } - return oldObj, oldExists, nil + return oldObj, oldExists, watch, nil } func (txn *txn) hasDeleteTrackers(meta TableMeta) bool { 
@@ -570,29 +570,48 @@ func (txn *txn) Commit() ReadTxn { return txn } -func writeTableAsJSON(buf *bufio.Writer, txn *txn, table *tableEntry) error { +func marshalJSON(data any) (out []byte) { + // Catch panics from JSON marshalling to ensure we have some output for debugging + // purposes even if the object has panicing JSON marshalling. + defer func() { + if r := recover(); r != nil { + out = []byte(fmt.Sprintf("\"panic marshalling JSON: %.32s\"", r)) + } + }() + bs, err := json.Marshal(data) + if err != nil { + return []byte("\"marshalling error: " + err.Error() + "\"") + } + return bs +} + +func writeTableAsJSON(buf *bufio.Writer, txn *txn, table *tableEntry) (err error) { indexTxn := txn.mustIndexReadTxn(table.meta, PrimaryIndexPos) iter := indexTxn.Iterator() - buf.WriteString(" \"" + table.meta.Name() + "\": [\n") + writeString := func(s string) { + if err != nil { + return + } + _, err = buf.WriteString(s) + } + writeString(" \"" + table.meta.Name() + "\": [\n") _, obj, ok := iter.Next() for ok { - buf.WriteString(" ") - bs, err := json.Marshal(obj.data) - if err != nil { + writeString(" ") + if _, err := buf.Write(marshalJSON(obj.data)); err != nil { return err } - buf.Write(bs) _, obj, ok = iter.Next() if ok { - buf.WriteString(",\n") + writeString(",\n") } else { - buf.WriteByte('\n') + writeString("\n") } } - buf.WriteString(" ]") - return nil + writeString(" ]") + return } // WriteJSON marshals out the database as JSON into the given writer. @@ -613,8 +632,7 @@ func (txn *txn) WriteJSON(w io.Writer, tables ...string) error { first = false } - err := writeTableAsJSON(buf, txn, &table) - if err != nil { + if err := writeTableAsJSON(buf, txn, &table); err != nil { return err } } diff --git a/vendor/github.com/cilium/statedb/types.go b/vendor/github.com/cilium/statedb/types.go index 5492e64f1d..418e597322 100644 --- a/vendor/github.com/cilium/statedb/types.go +++ b/vendor/github.com/cilium/statedb/types.go 
@@ -143,6 +143,18 @@ type RWTable[Obj any] interface { // revision. Insert(WriteTxn, Obj) (oldObj Obj, hadOld bool, err error) + // InsertWatch an object into the table. Returns the object that was + // replaced if there was one and a watch channel that closes when the + // object is modified again. + // + // Possible errors: + // - ErrTableNotLockedForWriting: table was not locked for writing + // - ErrTransactionClosed: the write transaction already committed or aborted + // + // Each inserted or updated object will be assigned a new unique + // revision. + InsertWatch(WriteTxn, Obj) (oldObj Obj, hadOld bool, watch <-chan struct{}, err error) + // Modify an existing object or insert a new object into the table. If an old object // exists the [merge] function is called with the old and new objects. // diff --git a/vendor/github.com/cilium/statedb/watchset.go b/vendor/github.com/cilium/statedb/watchset.go new file mode 100644 index 0000000000..daa7624791 --- /dev/null +++ b/vendor/github.com/cilium/statedb/watchset.go 
@@ -0,0 +1,199 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Cilium + +package statedb + +import ( + "context" + "maps" + "slices" + "sync" + "time" +) + +const watchSetChunkSize = 16 + +type channelSet = map[<-chan struct{}]struct{} + +// WatchSet is a set of watch channels that can be waited on. +type WatchSet struct { + mu sync.Mutex + chans channelSet +} + +func NewWatchSet() *WatchSet { + return &WatchSet{ + chans: channelSet{}, + } +} + +// Add channel(s) to the watch set +func (ws *WatchSet) Add(chans ...<-chan struct{}) { + ws.mu.Lock() + for _, ch := range chans { + ws.chans[ch] = struct{}{} + } + ws.mu.Unlock() +} + +// Clear the channels from the WatchSet +func (ws *WatchSet) Clear() { + ws.mu.Lock() + clear(ws.chans) + ws.mu.Unlock() +} + +// Has returns true if the WatchSet has the channel +func (ws *WatchSet) Has(ch <-chan struct{}) bool { + ws.mu.Lock() + _, found := ws.chans[ch] + ws.mu.Unlock() + return found +} + +// HasAny returns true if the WatchSet has any of the given channels +func (ws *WatchSet) HasAny(chans []<-chan struct{}) bool { + ws.mu.Lock() + defer ws.mu.Unlock() + for _, ch := range chans { + if _, found := ws.chans[ch]; found { + return true + } + } + return false +} + +// Merge channels from another WatchSet +func (ws *WatchSet) Merge(other *WatchSet) { + other.mu.Lock() + defer other.mu.Unlock() + ws.mu.Lock() + defer ws.mu.Unlock() + for ch := range other.chans { + ws.chans[ch] = struct{}{} + } +} + +// Wait for channels in the watch set to close or the context is cancelled. +// After the first closed channel is seen Wait will wait [settleTime] for +// more closed channels. +// Returns the closed channels and removes them from the set. 
+func (ws *WatchSet) Wait(ctx context.Context, settleTime time.Duration) ([]<-chan struct{}, error) { + innerCtx, cancel := context.WithCancel(ctx) + defer cancel() + + ws.mu.Lock() + defer ws.mu.Unlock() + + closedChannels := &closedChannelsSlice{} + + // No channels to watch? Just watch the context. + if len(ws.chans) == 0 { + <-ctx.Done() + return nil, ctx.Err() + } + + // Collect the channels into a slice. The slice length is rounded to a full + // chunk size. + chans := slices.Collect(maps.Keys(ws.chans)) + chunkSize := 16 + roundedSize := len(chans) + (chunkSize - len(chans)%chunkSize) + chans = slices.Grow(chans, roundedSize)[:roundedSize] + haveResult := make(chan struct{}, 1) + + var wg sync.WaitGroup + chunks := slices.Chunk(chans, chunkSize) + for chunk := range chunks { + wg.Add(1) + go func() { + defer wg.Done() + watch16(haveResult, closedChannels, innerCtx.Done(), chunk) + }() + } + + // Wait for the first closed channel to be seen. If [settleTime] is set, + // then wait a bit longer for more. + select { + case <-haveResult: + if settleTime > 0 { + select { + case <-time.After(settleTime): + case <-ctx.Done(): + } + } + case <-ctx.Done(): + } + + // Stop waiting for more channels to close + cancel() + wg.Wait() + + // Remove the closed channels from the watch set. 
+ for _, ch := range closedChannels.chans { + delete(ws.chans, ch) + } + + return closedChannels.chans, ctx.Err() +} + +func watch16(haveClosed chan struct{}, closedChannels *closedChannelsSlice, stop <-chan struct{}, chans []<-chan struct{}) { + for { + closedIndex := -1 + select { + case <-stop: + return + case <-chans[0]: + closedIndex = 0 + case <-chans[1]: + closedIndex = 1 + case <-chans[2]: + closedIndex = 2 + case <-chans[3]: + closedIndex = 3 + case <-chans[4]: + closedIndex = 4 + case <-chans[5]: + closedIndex = 5 + case <-chans[6]: + closedIndex = 6 + case <-chans[7]: + closedIndex = 7 + case <-chans[8]: + closedIndex = 8 + case <-chans[9]: + closedIndex = 9 + case <-chans[10]: + closedIndex = 10 + case <-chans[11]: + closedIndex = 11 + case <-chans[12]: + closedIndex = 12 + case <-chans[13]: + closedIndex = 13 + case <-chans[14]: + closedIndex = 14 + case <-chans[15]: + closedIndex = 15 + } + closedChannels.append(chans[closedIndex]) + chans[closedIndex] = nil + if haveClosed != nil { + select { + case haveClosed <- struct{}{}: + haveClosed = nil + default: + } + } + } +} + +type closedChannelsSlice struct { + mu sync.Mutex + chans []<-chan struct{} +} + +func (ccs *closedChannelsSlice) append(ch <-chan struct{}) { + ccs.mu.Lock() + ccs.chans = append(ccs.chans, ch) + ccs.mu.Unlock() +} diff --git a/vendor/github.com/cncf/xds/go/udpa/annotations/migrate.pb.go b/vendor/github.com/cncf/xds/go/udpa/annotations/migrate.pb.go index 0281b3ee58..3c751b6ca9 100644 --- a/vendor/github.com/cncf/xds/go/udpa/annotations/migrate.pb.go +++ b/vendor/github.com/cncf/xds/go/udpa/annotations/migrate.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: udpa/annotations/migrate.proto package annotations 
diff --git a/vendor/github.com/cncf/xds/go/udpa/annotations/security.pb.go b/vendor/github.com/cncf/xds/go/udpa/annotations/security.pb.go index cf858bd977..7c83399198 100644 --- a/vendor/github.com/cncf/xds/go/udpa/annotations/security.pb.go +++ b/vendor/github.com/cncf/xds/go/udpa/annotations/security.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: udpa/annotations/security.proto package annotations diff --git a/vendor/github.com/cncf/xds/go/udpa/annotations/sensitive.pb.go b/vendor/github.com/cncf/xds/go/udpa/annotations/sensitive.pb.go index 2d5c78dc29..e2b1a59cb6 100644 --- a/vendor/github.com/cncf/xds/go/udpa/annotations/sensitive.pb.go +++ b/vendor/github.com/cncf/xds/go/udpa/annotations/sensitive.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: udpa/annotations/sensitive.proto package annotations diff --git a/vendor/github.com/cncf/xds/go/udpa/annotations/status.pb.go b/vendor/github.com/cncf/xds/go/udpa/annotations/status.pb.go index c96818b17c..cf629f7517 100644 --- a/vendor/github.com/cncf/xds/go/udpa/annotations/status.pb.go +++ b/vendor/github.com/cncf/xds/go/udpa/annotations/status.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: udpa/annotations/status.proto package annotations diff --git a/vendor/github.com/cncf/xds/go/udpa/annotations/versioning.pb.go b/vendor/github.com/cncf/xds/go/udpa/annotations/versioning.pb.go index b3ab9e346b..8bd950f6ba 100644 --- a/vendor/github.com/cncf/xds/go/udpa/annotations/versioning.pb.go +++ b/vendor/github.com/cncf/xds/go/udpa/annotations/versioning.pb.go 
@@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: udpa/annotations/versioning.proto package annotations diff --git a/vendor/github.com/cncf/xds/go/xds/annotations/v3/migrate.pb.go b/vendor/github.com/cncf/xds/go/xds/annotations/v3/migrate.pb.go index 705a71e887..5211b83c73 100644 --- a/vendor/github.com/cncf/xds/go/xds/annotations/v3/migrate.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/annotations/v3/migrate.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/annotations/v3/migrate.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/annotations/v3/security.pb.go b/vendor/github.com/cncf/xds/go/xds/annotations/v3/security.pb.go index 0278e51658..14df890c13 100644 --- a/vendor/github.com/cncf/xds/go/xds/annotations/v3/security.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/annotations/v3/security.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/annotations/v3/security.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/annotations/v3/sensitive.pb.go b/vendor/github.com/cncf/xds/go/xds/annotations/v3/sensitive.pb.go index 57161aab47..042b66bff4 100644 --- a/vendor/github.com/cncf/xds/go/xds/annotations/v3/sensitive.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/annotations/v3/sensitive.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/annotations/v3/sensitive.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/annotations/v3/status.pb.go b/vendor/github.com/cncf/xds/go/xds/annotations/v3/status.pb.go index 255d109fc5..5d5975ffbd 100644 
--- a/vendor/github.com/cncf/xds/go/xds/annotations/v3/status.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/annotations/v3/status.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/annotations/v3/status.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/annotations/v3/versioning.pb.go b/vendor/github.com/cncf/xds/go/xds/annotations/v3/versioning.pb.go index 2de032f159..97edd7690d 100644 --- a/vendor/github.com/cncf/xds/go/xds/annotations/v3/versioning.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/annotations/v3/versioning.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/annotations/v3/versioning.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/core/v3/authority.pb.go b/vendor/github.com/cncf/xds/go/xds/core/v3/authority.pb.go index 3058286d57..035b8c0101 100644 --- a/vendor/github.com/cncf/xds/go/xds/core/v3/authority.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/core/v3/authority.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/core/v3/authority.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/core/v3/cidr.pb.go b/vendor/github.com/cncf/xds/go/xds/core/v3/cidr.pb.go index 0e339b5899..58c27d7d31 100644 --- a/vendor/github.com/cncf/xds/go/xds/core/v3/cidr.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/core/v3/cidr.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/core/v3/cidr.proto package v3 
diff --git a/vendor/github.com/cncf/xds/go/xds/core/v3/collection_entry.pb.go b/vendor/github.com/cncf/xds/go/xds/core/v3/collection_entry.pb.go index 0d45b961bf..f0b4c12f2d 100644 --- a/vendor/github.com/cncf/xds/go/xds/core/v3/collection_entry.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/core/v3/collection_entry.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/core/v3/collection_entry.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/core/v3/context_params.pb.go b/vendor/github.com/cncf/xds/go/xds/core/v3/context_params.pb.go index 714ab43673..3e75637ea2 100644 --- a/vendor/github.com/cncf/xds/go/xds/core/v3/context_params.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/core/v3/context_params.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/core/v3/context_params.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/core/v3/extension.pb.go b/vendor/github.com/cncf/xds/go/xds/core/v3/extension.pb.go index be4ea10c6b..7183e11433 100644 --- a/vendor/github.com/cncf/xds/go/xds/core/v3/extension.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/core/v3/extension.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/core/v3/extension.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/core/v3/resource.pb.go b/vendor/github.com/cncf/xds/go/xds/core/v3/resource.pb.go index 641e3411ac..ced3bc3f40 100644 --- a/vendor/github.com/cncf/xds/go/xds/core/v3/resource.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/core/v3/resource.pb.go 
@@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/core/v3/resource.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/core/v3/resource_locator.pb.go b/vendor/github.com/cncf/xds/go/xds/core/v3/resource_locator.pb.go index 3f99d4beec..f469c18cf9 100644 --- a/vendor/github.com/cncf/xds/go/xds/core/v3/resource_locator.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/core/v3/resource_locator.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/core/v3/resource_locator.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/core/v3/resource_name.pb.go b/vendor/github.com/cncf/xds/go/xds/core/v3/resource_name.pb.go index 3d42818b7a..65f65fdbdc 100644 --- a/vendor/github.com/cncf/xds/go/xds/core/v3/resource_name.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/core/v3/resource_name.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/core/v3/resource_name.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/cel.pb.go b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/cel.pb.go index 7299227a3d..1bd4aaf60a 100644 --- a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/cel.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/cel.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/type/matcher/v3/cel.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/domain.pb.go b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/domain.pb.go index 5f72c8d110..3053b35f9d 100644 --- a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/domain.pb.go 
+++ b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/domain.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/type/matcher/v3/domain.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/http_inputs.pb.go b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/http_inputs.pb.go index 4393bb7e29..eedcacec6b 100644 --- a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/http_inputs.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/http_inputs.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/type/matcher/v3/http_inputs.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/ip.pb.go b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/ip.pb.go index fdb6599461..6facd7aeb9 100644 --- a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/ip.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/ip.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/type/matcher/v3/ip.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/matcher.pb.go b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/matcher.pb.go index d94b03b559..ac8dd4f19e 100644 --- a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/matcher.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/matcher.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/type/matcher/v3/matcher.proto package v3 
diff --git a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/range.pb.go b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/range.pb.go index 2861768daa..bc811ecb28 100644 --- a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/range.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/range.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/type/matcher/v3/range.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/regex.pb.go b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/regex.pb.go index 3dcf303ac2..c02ec2a916 100644 --- a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/regex.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/regex.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/type/matcher/v3/regex.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/string.pb.go b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/string.pb.go index f9067918c7..79b70bcb7a 100644 --- a/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/string.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/type/matcher/v3/string.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/type/matcher/v3/string.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/type/v3/cel.pb.go b/vendor/github.com/cncf/xds/go/xds/type/v3/cel.pb.go index c7d42d4a94..e298ffb099 100644 --- a/vendor/github.com/cncf/xds/go/xds/type/v3/cel.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/type/v3/cel.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/type/v3/cel.proto package v3 
diff --git a/vendor/github.com/cncf/xds/go/xds/type/v3/range.pb.go b/vendor/github.com/cncf/xds/go/xds/type/v3/range.pb.go index ca9d3e1b7f..c6f8bb9ba4 100644 --- a/vendor/github.com/cncf/xds/go/xds/type/v3/range.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/type/v3/range.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/type/v3/range.proto package v3 diff --git a/vendor/github.com/cncf/xds/go/xds/type/v3/typed_struct.pb.go b/vendor/github.com/cncf/xds/go/xds/type/v3/typed_struct.pb.go index 72ec85ed60..ba42cb0e81 100644 --- a/vendor/github.com/cncf/xds/go/xds/type/v3/typed_struct.pb.go +++ b/vendor/github.com/cncf/xds/go/xds/type/v3/typed_struct.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.33.0 -// protoc v5.27.0--rc2 +// protoc v5.29.1 // source: xds/type/v3/typed_struct.proto package v3 diff --git a/vendor/github.com/envoyproxy/protoc-gen-validate/validate/BUILD b/vendor/github.com/envoyproxy/protoc-gen-validate/validate/BUILD index a9d38c51b9..ef634dd812 100644 --- a/vendor/github.com/envoyproxy/protoc-gen-validate/validate/BUILD +++ b/vendor/github.com/envoyproxy/protoc-gen-validate/validate/BUILD @@ -1,9 +1,10 @@ -load("@com_google_protobuf//:protobuf.bzl", "py_proto_library") +load("@com_google_protobuf//bazel:cc_proto_library.bzl", "cc_proto_library") +load("@io_bazel_rules_go//go:def.bzl", "go_library") load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library") -load("@rules_cc//cc:defs.bzl", "cc_library", "cc_proto_library") +load("@rules_cc//cc:defs.bzl", "cc_library") load("@rules_java//java:defs.bzl", "java_proto_library") load("@rules_proto//proto:defs.bzl", "proto_library") -load("@io_bazel_rules_go//go:def.bzl", "go_library") +load("@rules_python//python:proto.bzl", "py_proto_library") package( default_visibility = 
@@ -27,8 +28,7 @@ cc_proto_library( py_proto_library( name = "validate_py", - srcs = ["validate.proto"], - deps = ["@com_google_protobuf//:protobuf_python"], + deps = [":validate_proto"], ) go_proto_library( diff --git a/vendor/github.com/evanphx/json-patch/README.md b/vendor/github.com/evanphx/json-patch/README.md index 97e319b21b..86fefd5bf7 100644 --- a/vendor/github.com/evanphx/json-patch/README.md +++ b/vendor/github.com/evanphx/json-patch/README.md @@ -14,9 +14,7 @@ well as for calculating & applying [RFC7396 JSON merge patches](https://tools.ie go get -u github.com/evanphx/json-patch/v5 ``` -**Stable Versions**: -* Version 5: `go get -u gopkg.in/evanphx/json-patch.v5` -* Version 4: `go get -u gopkg.in/evanphx/json-patch.v4` +If you need version 4, use `go get -u gopkg.in/evanphx/json-patch.v4` (previous versions below `v3` are unavailable) diff --git a/vendor/github.com/evanphx/json-patch/patch.go b/vendor/github.com/evanphx/json-patch/patch.go index cd0274e1e4..95136681ba 100644 --- a/vendor/github.com/evanphx/json-patch/patch.go +++ b/vendor/github.com/evanphx/json-patch/patch.go @@ -3,11 +3,10 @@ package jsonpatch import ( "bytes" "encoding/json" + "errors" "fmt" "strconv" "strings" - - "github.com/pkg/errors" ) const ( @@ -277,7 +276,7 @@ func (o Operation) Path() (string, error) { return op, nil } - return "unknown", errors.Wrapf(ErrMissing, "operation missing path field") + return "unknown", fmt.Errorf("operation missing path field: %w", ErrMissing) } // From reads the "from" field of the Operation. @@ -294,7 +293,7 @@ func (o Operation) From() (string, error) { return op, nil } - return "unknown", errors.Wrapf(ErrMissing, "operation, missing from field") + return "unknown", fmt.Errorf("operation, missing from field: %w", ErrMissing) } func (o Operation) value() *lazyNode { 
@@ -319,7 +318,7 @@ func (o Operation) ValueInterface() (interface{}, error) { return v, nil } - return nil, errors.Wrapf(ErrMissing, "operation, missing value field") + return nil, fmt.Errorf("operation, missing value field: %w", ErrMissing) } func isArray(buf []byte) bool { @@ -398,7 +397,7 @@ func (d *partialDoc) get(key string) (*lazyNode, error) { func (d *partialDoc) remove(key string) error { _, ok := (*d)[key] if !ok { - return errors.Wrapf(ErrMissing, "Unable to remove nonexistent key: %s", key) + return fmt.Errorf("Unable to remove nonexistent key: %s: %w", key, ErrMissing) } delete(*d, key) @@ -415,10 +414,10 @@ func (d *partialArray) set(key string, val *lazyNode) error { if idx < 0 { if !SupportNegativeIndices { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } if idx < -len(*d) { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } idx += len(*d) } @@ -435,7 +434,7 @@ func (d *partialArray) add(key string, val *lazyNode) error { idx, err := strconv.Atoi(key) if err != nil { - return errors.Wrapf(err, "value was not a proper array index: '%s'", key) + return fmt.Errorf("value was not a proper array index: '%s': %w", key, err) } sz := len(*d) + 1 
@@ -445,15 +444,15 @@ func (d *partialArray) add(key string, val *lazyNode) error { cur := *d if idx >= len(ary) { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } if idx < 0 { if !SupportNegativeIndices { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } if idx < -len(ary) { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } idx += len(ary) } @@ -475,16 +474,16 @@ func (d *partialArray) get(key string) (*lazyNode, error) { if idx < 0 { if !SupportNegativeIndices { - return nil, errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } if idx < -len(*d) { - return nil, errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } idx += len(*d) } if idx >= len(*d) { - return nil, errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } return (*d)[idx], nil 
@@ -499,15 +498,15 @@ func (d *partialArray) remove(key string) error { cur := *d if idx >= len(cur) { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } if idx < 0 { if !SupportNegativeIndices { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } if idx < -len(cur) { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } idx += len(cur) } @@ -525,18 +524,18 @@ func (d *partialArray) remove(key string) error { func (p Patch) add(doc *container, op Operation) error { path, err := op.Path() if err != nil { - return errors.Wrapf(ErrMissing, "add operation failed to decode path") + return fmt.Errorf("add operation failed to decode path: %w", ErrMissing) } con, key := findObject(doc, path) if con == nil { - return errors.Wrapf(ErrMissing, "add operation does not apply: doc is missing path: \"%s\"", path) + return fmt.Errorf("add operation does not apply: doc is missing path: \"%s\": %w", path, ErrMissing) } err = con.add(key, op.value()) if err != nil { - return errors.Wrapf(err, "error in add for path: '%s'", path) + return fmt.Errorf("error in add for path: '%s': %w", path, err) } return nil 
@@ -545,18 +544,18 @@ func (p Patch) add(doc *container, op Operation) error { func (p Patch) remove(doc *container, op Operation) error { path, err := op.Path() if err != nil { - return errors.Wrapf(ErrMissing, "remove operation failed to decode path") + return fmt.Errorf("remove operation failed to decode path: %w", ErrMissing) } con, key := findObject(doc, path) if con == nil { - return errors.Wrapf(ErrMissing, "remove operation does not apply: doc is missing path: \"%s\"", path) + return fmt.Errorf("remove operation does not apply: doc is missing path: \"%s\": %w", path, ErrMissing) } err = con.remove(key) if err != nil { - return errors.Wrapf(err, "error in remove for path: '%s'", path) + return fmt.Errorf("error in remove for path: '%s': %w", path, err) } return nil @@ -565,7 +564,7 @@ func (p Patch) remove(doc *container, op Operation) error { func (p Patch) replace(doc *container, op Operation) error { path, err := op.Path() if err != nil { - return errors.Wrapf(err, "replace operation failed to decode path") + return fmt.Errorf("replace operation failed to decode path: %w", err) } if path == "" { @@ -574,7 +573,7 @@ func (p Patch) replace(doc *container, op Operation) error { if val.which == eRaw { if !val.tryDoc() { if !val.tryAry() { - return errors.Wrapf(err, "replace operation value must be object or array") + return fmt.Errorf("replace operation value must be object or array: %w", err) } } } @@ -585,7 +584,7 @@ func (p Patch) replace(doc *container, op Operation) error { case eDoc: *doc = &val.doc case eRaw: - return errors.Wrapf(err, "replace operation hit impossible case") + return fmt.Errorf("replace operation hit impossible case: %w", err) } return nil 
@@ -594,17 +593,17 @@ func (p Patch) replace(doc *container, op Operation) error { con, key := findObject(doc, path) if con == nil { - return errors.Wrapf(ErrMissing, "replace operation does not apply: doc is missing path: %s", path) + return fmt.Errorf("replace operation does not apply: doc is missing path: %s: %w", path, ErrMissing) } _, ok := con.get(key) if ok != nil { - return errors.Wrapf(ErrMissing, "replace operation does not apply: doc is missing key: %s", path) + return fmt.Errorf("replace operation does not apply: doc is missing key: %s: %w", path, ErrMissing) } err = con.set(key, op.value()) if err != nil { - return errors.Wrapf(err, "error in remove for path: '%s'", path) + return fmt.Errorf("error in remove for path: '%s': %w", path, err) } return nil 
@@ -613,39 +612,39 @@ func (p Patch) replace(doc *container, op Operation) error { func (p Patch) move(doc *container, op Operation) error { from, err := op.From() if err != nil { - return errors.Wrapf(err, "move operation failed to decode from") + return fmt.Errorf("move operation failed to decode from: %w", err) } con, key := findObject(doc, from) if con == nil { - return errors.Wrapf(ErrMissing, "move operation does not apply: doc is missing from path: %s", from) + return fmt.Errorf("move operation does not apply: doc is missing from path: %s: %w", from, ErrMissing) } val, err := con.get(key) if err != nil { - return errors.Wrapf(err, "error in move for path: '%s'", key) + return fmt.Errorf("error in move for path: '%s': %w", key, err) } err = con.remove(key) if err != nil { - return errors.Wrapf(err, "error in move for path: '%s'", key) + return fmt.Errorf("error in move for path: '%s': %w", key, err) } path, err := op.Path() if err != nil { - return errors.Wrapf(err, "move operation failed to decode path") + return fmt.Errorf("move operation failed to decode path: %w", err) } con, key = findObject(doc, path) if con == nil { - return errors.Wrapf(ErrMissing, "move operation does not apply: doc is missing destination path: %s", path) + return fmt.Errorf("move operation does not apply: doc is missing destination path: %s: %w", path, ErrMissing) } err = con.add(key, val) if err != nil { - return errors.Wrapf(err, "error in move for path: '%s'", path) + return fmt.Errorf("error in move for path: '%s': %w", path, err) } return nil @@ -654,7 +653,7 @@ func (p Patch) move(doc *container, op Operation) error { func (p Patch) test(doc *container, op Operation) error { path, err := op.Path() if err != nil { - return errors.Wrapf(err, "test operation failed to decode path") + return fmt.Errorf("test operation failed to decode path: %w", err) } if path == "" { 
@@ -673,67 +672,67 @@ func (p Patch) test(doc *container, op Operation) error { return nil } - return errors.Wrapf(ErrTestFailed, "testing value %s failed", path) + return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed) } con, key := findObject(doc, path) if con == nil { - return errors.Wrapf(ErrMissing, "test operation does not apply: is missing path: %s", path) + return fmt.Errorf("test operation does not apply: is missing path: %s: %w", path, ErrMissing) } val, err := con.get(key) if err != nil { - return errors.Wrapf(err, "error in test for path: '%s'", path) + return fmt.Errorf("error in test for path: '%s': %w", path, err) } if val == nil { if op.value() == nil || op.value().raw == nil { return nil } - return errors.Wrapf(ErrTestFailed, "testing value %s failed", path) + return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed) } else if op.value() == nil { - return errors.Wrapf(ErrTestFailed, "testing value %s failed", path) + return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed) } if val.equal(op.value()) { return nil } - return errors.Wrapf(ErrTestFailed, "testing value %s failed", path) + return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed) } func (p Patch) copy(doc *container, op Operation, accumulatedCopySize *int64) error { from, err := op.From() if err != nil { - return errors.Wrapf(err, "copy operation failed to decode from") + return fmt.Errorf("copy operation failed to decode from: %w", err) } con, key := findObject(doc, from) if con == nil { - return errors.Wrapf(ErrMissing, "copy operation does not apply: doc is missing from path: %s", from) + return fmt.Errorf("copy operation does not apply: doc is missing from path: %s: %w", from, ErrMissing) } val, err := con.get(key) if err != nil { - return errors.Wrapf(err, "error in copy for from: '%s'", from) + return fmt.Errorf("error in copy for from: '%s': %w", from, err) } path, err := op.Path() if err != nil { - return 
errors.Wrapf(ErrMissing, "copy operation failed to decode path") + return fmt.Errorf("copy operation failed to decode path: %w", ErrMissing) } con, key = findObject(doc, path) if con == nil { - return errors.Wrapf(ErrMissing, "copy operation does not apply: doc is missing destination path: %s", path) + return fmt.Errorf("copy operation does not apply: doc is missing destination path: %s: %w", path, ErrMissing) } valCopy, sz, err := deepCopy(val) if err != nil { - return errors.Wrapf(err, "error while performing deep copy") + return fmt.Errorf("error while performing deep copy: %w", err) } (*accumulatedCopySize) += int64(sz) @@ -743,7 +742,7 @@ func (p Patch) copy(doc *container, op Operation, accumulatedCopySize *int64) er err = con.add(key, valCopy) if err != nil { - return errors.Wrapf(err, "error while adding value during copy") + return fmt.Errorf("error while adding value during copy: %w", err) } return nil diff --git a/vendor/github.com/hmarr/codeowners/.gitignore b/vendor/github.com/hmarr/codeowners/.gitignore new file mode 100644 index 0000000000..0b67144c82 --- /dev/null +++ b/vendor/github.com/hmarr/codeowners/.gitignore @@ -0,0 +1 @@ +/codeowners diff --git a/vendor/github.com/hmarr/codeowners/.goreleaser.yml b/vendor/github.com/hmarr/codeowners/.goreleaser.yml new file mode 100644 index 0000000000..199cf8579f --- /dev/null +++ b/vendor/github.com/hmarr/codeowners/.goreleaser.yml 
@@ -0,0 +1,47 @@
+version: 2
+
+before:
+ hooks:
+ - go mod download
+
+builds:
+ - main: ./cmd/codeowners
+ env:
+ - CGO_ENABLED=0
+ goos:
+ - linux
+ - darwin
+ goarch:
+ - amd64
+ - arm64
+
+brews:
+ - homepage: "https://github.com/hmarr/codeowners"
+ description: "Determine who owns what according CODEOWNERS files"
+
+ repository:
+ owner: hmarr
+ name: homebrew-tap
+ token: "{{ .Env.HOMEBREW_TAP_RELEASE_TOKEN }}"
+
+ commit_author:
+ name: release-bot
+ email: release-bot@hmarr.com
+
+ directory: Formula
+
+checksum:
+ name_template: 'checksums.txt'
+
+snapshot:
+ name_template: "{{ .Tag }}-next"
+
+changelog:
+ sort: asc
+ filters:
+ exclude:
+ - '^docs:'
+ - '^test:'
+ - '^build:'
+ - '^deps:'
+ - '(?i)typo'
diff --git a/vendor/github.com/hmarr/codeowners/LICENSE b/vendor/github.com/hmarr/codeowners/LICENSE
new file mode 100644
index 0000000000..135bee7300
--- /dev/null
+++ b/vendor/github.com/hmarr/codeowners/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Harry Marr
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/vendor/github.com/hmarr/codeowners/Makefile b/vendor/github.com/hmarr/codeowners/Makefile
new file mode 100644
index 0000000000..1eeed0700d
--- /dev/null
+++ b/vendor/github.com/hmarr/codeowners/Makefile
@@ -0,0 +1,3 @@
+.PHONY: build
+build:
+ go build ./cmd/codeowners
diff --git a/vendor/github.com/hmarr/codeowners/README.md b/vendor/github.com/hmarr/codeowners/README.md
new file mode 100644
index 0000000000..895052243d
--- /dev/null
+++ b/vendor/github.com/hmarr/codeowners/README.md
@@ -0,0 +1,123 @@
+# codeowners
+
+![build](https://github.com/hmarr/codeowners/workflows/build/badge.svg)
+[![PkgGoDev](https://pkg.go.dev/badge/github.com/hmarr/codeowners)](https://pkg.go.dev/github.com/hmarr/codeowners)
+
+A CLI and Go library for GitHub's [CODEOWNERS file](https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners#codeowners-syntax).
+
+## Command line tool
+
+The `codeowners` CLI identifies the owners for files in a local repository or directory.
+
+### Installation
+
+If you're on macOS, you can install the CLI from the [homebrew tap](https://github.com/hmarr/homebrew-tap#codeowners).
+
+```console
+$ brew tap hmarr/tap
+$ brew install codeowners
+```
+
+Otherwise, grab a binary from the [releases page](https://github.com/hmarr/codeowners/releases) or install from source with `go install`:
+
+```console
+$ go install github.com/hmarr/codeowners/cmd/codeowners@latest
+```
+
+### Usage
+
+By default, the command line tool will walk the directory tree, printing the code owners of any files that are found.
+
+```console
+$ codeowners --help
+usage: codeowners ...
+ -f, --file string CODEOWNERS file path
+ -h, --help show this help message
+ -o, --owner strings filter results by owner
+ -u, --unowned only show unowned files (can be combined with -o)
+
+$ ls
+CODEOWNERS DOCUMENTATION.md README.md example.go example_test.go
+
+$ cat CODEOWNERS
+*.go @example/go-engineers
+*.md @example/docs-writers
+README.md product-manager@example.com
+
+$ codeowners
+CODEOWNERS (unowned)
+README.md product-manager@example.com
+example_test.go @example/go-engineers
+example.go @example/go-engineers
+DOCUMENTATION.md @example/docs-writers
+```
+
+To limit the files the tool looks at, provide one or more paths as arguments.
+
+```console
+$ codeowners *.md
+README.md product-manager@example.com
+DOCUMENTATION.md @example/docs-writers
+```
+
+Pass the `--owner` flag to filter results by a specific owner.
+
+```console
+$ codeowners -o @example/go-engineers
+example_test.go @example/go-engineers
+example.go @example/go-engineers
+```
+
+Pass the `--unowned` flag to only show unowned files.
+
+```console
+$ codeowners -u
+CODEOWNERS (unowned)
+```
+
+## Go library
+
+A package for parsing CODEOWNERS files and matching files to owners.
+
+### Installation
+
+```console
+$ go get github.com/hmarr/codeowners
+```
+
+### Usage
+
+Full documentation is available at [pkg.go.dev](https://pkg.go.dev/github.com/hmarr/codeowners).
+
+Here's a quick example to get you started:
+
+```go
+package main
+
+import (
+ "fmt"
+ "log"
+ "os"
+
+ "github.com/hmarr/codeowners"
+)
+
+func main() {
+ file, err := os.Open("CODEOWNERS")
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ ruleset, err := codeowners.ParseFile(file)
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ rule, err := ruleset.Match("path/to/file")
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ fmt.Printf("Owners: %v\n", rule.Owners)
+}
+```
diff --git a/vendor/github.com/hmarr/codeowners/codeowners.go b/vendor/github.com/hmarr/codeowners/codeowners.go
new file mode 100644
index 0000000000..5aef80ba4c
--- /dev/null
+++ b/vendor/github.com/hmarr/codeowners/codeowners.go
@@ -0,0 +1,160 @@
+// Package codeowners is a library for working with CODEOWNERS files.
+//
+// CODEOWNERS files map gitignore-style path patterns to sets of owners, which
+// may be GitHub users, GitHub teams, or email addresses. This library parses
+// the CODEOWNERS file format into rulesets, which may then be used to determine
+// the ownership of files.
+//
+// Usage
+//
+// To find the owner of a given file, parse a CODEOWNERS file and call Match()
+// on the resulting ruleset.
+// ruleset, err := codeowners.ParseFile(file)
+// if err != nil {
+// log.Fatal(err)
+// }
+//
+// rule, err := ruleset.Match("path/to/file")
+// if err != nil {
+// log.Fatal(err)
+// }
+//
+// Command line interface
+//
+// A command line interface is also available in the cmd/codeowners package.
+// When run, it will walk the directory tree showing the code owners for each
+// file encountered. The help flag lists available options.
+//
+// $ codeowners --help
+package codeowners
+
+import (
+ "fmt"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "strings"
+)
+
+// LoadFileFromStandardLocation loads and parses a CODEOWNERS file at one of the
+// standard locations for CODEOWNERS files (./, .github/, docs/). If run from a
+// git repository, all paths are relative to the repository root.
+func LoadFileFromStandardLocation() (Ruleset, error) {
+ path := findFileAtStandardLocation()
+ if path == "" {
+ return nil, fmt.Errorf("could not find CODEOWNERS file at any of the standard locations")
+ }
+ return LoadFile(path)
+}
+
+// LoadFile loads and parses a CODEOWNERS file at the path specified.
+func LoadFile(path string) (Ruleset, error) {
+ f, err := os.Open(path)
+ if err != nil {
+ return nil, err
+ }
+ return ParseFile(f)
+}
+
+// findFileAtStandardLocation loops through the standard locations for
+// CODEOWNERS files (./, .github/, docs/), and returns the first place a
+// CODEOWNERS file is found. If run from a git repository, all paths are
+// relative to the repository root.
+func findFileAtStandardLocation() string {
+ pathPrefix := ""
+ repoRoot, inRepo := findRepositoryRoot()
+ if inRepo {
+ pathPrefix = repoRoot
+ }
+
+ for _, path := range []string{"CODEOWNERS", ".github/CODEOWNERS", ".gitlab/CODEOWNERS", "docs/CODEOWNERS"} {
+ fullPath := filepath.Join(pathPrefix, path)
+ if fileExists(fullPath) {
+ return fullPath
+ }
+ }
+ return ""
+}
+
+// fileExist checks if a normal file exists at the path specified.
+func fileExists(path string) bool {
+ info, err := os.Stat(path)
+ if os.IsNotExist(err) {
+ return false
+ }
+ return !info.IsDir()
+}
+
+// findRepositoryRoot returns the path to the root of the git repository, if
+// we're currently in one. If we're not in a git repository, the boolean return
+// value is false.
+func findRepositoryRoot() (string, bool) {
+ output, err := exec.Command("git", "rev-parse", "--show-toplevel").Output()
+ if err != nil {
+ return "", false
+ }
+ return strings.TrimSpace(string(output)), true
+}
+
+// Ruleset is a collection of CODEOWNERS rules.
+type Ruleset []Rule
+
+// Match finds the last rule in the ruleset that matches the path provided. When
+// determining the ownership of a file using CODEOWNERS, order matters, and the
+// last matching rule takes precedence.
+func (r Ruleset) Match(path string) (*Rule, error) {
+ for i := len(r) - 1; i >= 0; i-- {
+ rule := &r[i]
+ match, err := rule.Match(path)
+ if match || err != nil {
+ return rule, err
+ }
+ }
+ return nil, nil
+}
+
+// Rule is a CODEOWNERS rule that maps a gitignore-style path pattern to a set
+// of owners.
+type Rule struct {
+ Owners []Owner
+ Comment string
+ LineNumber int
+ pattern pattern
+}
+
+// RawPattern returns the rule's gitignore-style path pattern.
+func (r Rule) RawPattern() string {
+ return r.pattern.pattern
+}
+
+// Match tests whether the provided matches the rule's pattern.
+func (r Rule) Match(path string) (bool, error) {
+ return r.pattern.match(path)
+}
+
+const (
+ // EmailOwner is the owner type for email addresses.
+ EmailOwner string = "email"
+ // TeamOwner is the owner type for GitHub teams.
+ TeamOwner string = "team"
+ // UsernameOwner is the owner type for GitHub usernames.
+ UsernameOwner string = "username"
+)
+
+// Owner represents an owner found in a rule.
+type Owner struct {
+ // Value is the name of the owner: the email addres, team name, or username.
+ Value string
+ // Type will be one of 'email', 'team', or 'username'.
+ Type string
+}
+
+// String returns a string representation of the owner. For email owners, it
+// simply returns the email address. For user and team owners it prepends an '@'
+// to the owner.
+func (o Owner) String() string {
+ if o.Type == EmailOwner {
+ return o.Value
+ }
+ return "@" + o.Value
+}
diff --git a/vendor/github.com/hmarr/codeowners/match.go b/vendor/github.com/hmarr/codeowners/match.go
new file mode 100644
index 0000000000..4c34638e19
--- /dev/null
+++ b/vendor/github.com/hmarr/codeowners/match.go
@@ -0,0 +1,177 @@
+package codeowners
+
+import (
+ "fmt"
+ "path/filepath"
+ "regexp"
+ "strings"
+)
+
+type pattern struct {
+ pattern string
+ regex *regexp.Regexp
+ leftAnchoredLiteral bool
+}
+
+// newPattern creates a new pattern struct from a gitignore-style pattern string
+func newPattern(patternStr string) (pattern, error) {
+ pat := pattern{pattern: patternStr}
+
+ if !strings.ContainsAny(patternStr, "*?\\") && patternStr[0] == '/' {
+ pat.leftAnchoredLiteral = true
+ } else {
+ patternRegex, err := buildPatternRegex(patternStr)
+ if err != nil {
+ return pattern{}, err
+ }
+ pat.regex = patternRegex
+ }
+
+ return pat, nil
+}
+
+// match tests if the path provided matches the pattern
+func (p pattern) match(testPath string) (bool, error) {
+ // Normalize Windows-style path separators to forward slashes
+ testPath = filepath.ToSlash(testPath)
+
+ if p.leftAnchoredLiteral {
+ prefix := p.pattern
+
+ // Strip the leading slash as we're anchored to the root already
+ if prefix[0] == '/' {
+ prefix = prefix[1:]
+ }
+
+ // If the pattern ends with a slash we can do a simple prefix match
+ if prefix[len(prefix)-1] == '/' {
+ return strings.HasPrefix(testPath, prefix), nil
+ }
+
+ // If the strings are the same length, check for an exact match
+ if len(testPath) == len(prefix) {
+ return testPath == prefix, nil
+ }
+
+ // Otherwise check if the test path is a subdirectory of the pattern
+ if len(testPath) > len(prefix) && testPath[len(prefix)] == '/' {
+ return testPath[:len(prefix)] == prefix, nil
+ }
+
+ // Otherwise the test path must be shorter than the pattern, so it can't match
+ return false, nil
+ }
+
+ return p.regex.MatchString(testPath), nil
+}
+
+// buildPatternRegex compiles a new regexp object from a gitignore-style pattern string
+func buildPatternRegex(pattern string) (*regexp.Regexp, error) {
+ // Handle specific edge cases first
+ switch {
+ case strings.Contains(pattern, "***"):
+ return nil, fmt.Errorf("pattern cannot contain three consecutive asterisks")
+ case pattern == "":
+ return nil, fmt.Errorf("empty pattern")
+ case pattern == "/":
+ // "/" doesn't match anything
+ return regexp.Compile(`\A\z`)
+ }
+
+ segs := strings.Split(pattern, "/")
+
+ if segs[0] == "" {
+ // Leading slash: match is relative to root
+ segs = segs[1:]
+ } else {
+ // No leading slash - check for a single segment pattern, which matches
+ // relative to any descendent path (equivalent to a leading **/)
+ if len(segs) == 1 || (len(segs) == 2 && segs[1] == "") {
+ if segs[0] != "**" {
+ segs = append([]string{"**"}, segs...)
+ }
+ }
+ }
+
+ if len(segs) > 1 && segs[len(segs)-1] == "" {
+ // Trailing slash is equivalent to "/**"
+ segs[len(segs)-1] = "**"
+ }
+
+ sep := "/"
+
+ lastSegIndex := len(segs) - 1
+ needSlash := false
+ var re strings.Builder
+ re.WriteString(`\A`)
+ for i, seg := range segs {
+ switch seg {
+ case "**":
+ switch {
+ case i == 0 && i == lastSegIndex:
+ // If the pattern is just "**" we match everything
+ re.WriteString(`.+`)
+ case i == 0:
+ // If the pattern starts with "**" we match any leading path segment
+ re.WriteString(`(?:.+` + sep + `)?`)
+ needSlash = false
+ case i == lastSegIndex:
+ // If the pattern ends with "**" we match any trailing path segment
+ re.WriteString(sep + `.*`)
+ default:
+ // If the pattern contains "**" we match zero or more path segments
+ re.WriteString(`(?:` + sep + `.+)?`)
+ needSlash = true
+ }
+
+ case "*":
+ if needSlash {
+ re.WriteString(sep)
+ }
+
+ // Regular wildcard - match any characters except the separator
+ re.WriteString(`[^` + sep + `]+`)
+ needSlash = true
+
+ default:
+ if needSlash {
+ re.WriteString(sep)
+ }
+
+ escape := false
+ for _, ch := range seg {
+ if escape {
+ escape = false
+ re.WriteString(regexp.QuoteMeta(string(ch)))
+ continue
+ }
+
+ // Other pathspec implementations handle character classes here (e.g.
+ // [AaBb]), but CODEOWNERS doesn't support that so we don't need to
+ switch ch {
+ case '\\':
+ escape = true
+ case '*':
+ // Multi-character wildcard
+ re.WriteString(`[^` + sep + `]*`)
+ case '?':
+ // Single-character wildcard
+ re.WriteString(`[^` + sep + `]`)
+ default:
+ // Regular character
+ re.WriteString(regexp.QuoteMeta(string(ch)))
+ }
+ }
+
+ if i == lastSegIndex {
+ // As there's no trailing slash (that'd hit the '**' case), we
+ // need to match descendent paths
+ re.WriteString(`(?:` + sep + `.*)?`)
+ }
+
+ needSlash = true
+ }
+ }
+ re.WriteString(`\z`)
+ return regexp.Compile(re.String())
+}
diff --git a/vendor/github.com/hmarr/codeowners/parse.go b/vendor/github.com/hmarr/codeowners/parse.go
new file mode 100644
index 0000000000..4a930a4ab8
--- /dev/null
+++ b/vendor/github.com/hmarr/codeowners/parse.go
@@ -0,0 +1,273 @@ +package codeowners + +import ( + "bufio" + "bytes" + "errors" + "fmt" + "io" + "regexp" + "strings" +) + +type parseOption func(*parseOptions) + +type parseOptions struct { + ownerMatchers []OwnerMatcher +} + +func WithOwnerMatchers(mm []OwnerMatcher) parseOption { + return func(opts *parseOptions) { + opts.ownerMatchers = mm + } +} + +type OwnerMatcher interface { + // Matches give string agains a pattern e.g. a regexp. + // Should return ErrNoMatch if the pattern doesn't match. + Match(s string) (Owner, error) +} + +type ErrInvalidOwnerFormat struct { + Owner string +} + +func (err ErrInvalidOwnerFormat) Error() string { + return fmt.Sprintf("invalid owner format '%s'", err.Owner) +} + +var ErrNoMatch = errors.New("no match") + +var ( + emailRegexp = regexp.MustCompile(`\A[A-Z0-9a-z\._%\+\-]+@[A-Za-z0-9\.\-]+\.[A-Za-z]{2,6}\z`) + teamRegexp = regexp.MustCompile(`\A@([a-zA-Z0-9\-]+\/[a-zA-Z0-9_\-]+)\z`) + usernameRegexp = regexp.MustCompile(`\A@([a-zA-Z0-9\-_]+)\z`) +) + +// DefaultOwnerMatchers is the default set of owner matchers, which includes the +// GitHub-flavored email, team, and username matchers. +var DefaultOwnerMatchers = []OwnerMatcher{ + OwnerMatchFunc(MatchEmailOwner), + OwnerMatchFunc(MatchTeamOwner), + OwnerMatchFunc(MatchUsernameOwner), +} + +// OwnerMatchFunc is a function that matches a string against a pattern and +// returns an Owner, or ErrNoMatch if no match was found. It implements the +// OwnerMatcher interface and may be provided to WithOwnerMatchers to customize +// owner matching behavior (e.g. to support GitLab-style team names). +type OwnerMatchFunc func(s string) (Owner, error) + +func (f OwnerMatchFunc) Match(s string) (Owner, error) { + return f(s) +} + +// MatchEmailOwner matches an email address owner. May be provided to +// WithOwnerMatchers. 
+func MatchEmailOwner(s string) (Owner, error) { + match := emailRegexp.FindStringSubmatch(s) + if match == nil { + return Owner{}, ErrNoMatch + } + + return Owner{Value: match[0], Type: EmailOwner}, nil +} + +// MatchTeamOwner matches a GitHub team owner. May be provided to +// WithOwnerMatchers. +func MatchTeamOwner(s string) (Owner, error) { + match := teamRegexp.FindStringSubmatch(s) + if match == nil { + return Owner{}, ErrNoMatch + } + + return Owner{Value: match[1], Type: TeamOwner}, nil +} + +// MatchUsernameOwner matches a GitHub username owner. May be provided to +// WithOwnerMatchers. +func MatchUsernameOwner(s string) (Owner, error) { + match := usernameRegexp.FindStringSubmatch(s) + if match == nil { + return Owner{}, ErrNoMatch + } + + return Owner{Value: match[1], Type: UsernameOwner}, nil +} + +// ParseFile parses a CODEOWNERS file, returning a set of rules. +// To override the default owner matchers, pass WithOwnerMatchers() as an option. +func ParseFile(f io.Reader, options ...parseOption) (Ruleset, error) { + opts := parseOptions{ownerMatchers: DefaultOwnerMatchers} + for _, opt := range options { + opt(&opts) + } + + rules := Ruleset{} + scanner := bufio.NewScanner(f) + lineNo := 0 + for scanner.Scan() { + lineNo++ + line := strings.TrimSpace(scanner.Text()) + + // Ignore blank lines and comments + if len(line) == 0 || line[0] == '#' { + continue + } + + rule, err := parseRule(line, opts) + if err != nil { + return nil, fmt.Errorf("line %d: %w", lineNo, err) + } + rule.LineNumber = lineNo + rules = append(rules, rule) + } + return rules, nil +} + +const ( + statePattern = iota + 1 + stateOwners +) + +// parseRule parses a single line of a CODEOWNERS file, returning a Rule struct +func parseRule(ruleStr string, opts parseOptions) (Rule, error) { + r := Rule{} + + state := statePattern + escaped := false + buf := bytes.Buffer{} + for i, ch := range strings.TrimSpace(ruleStr) { + // Comments consume the rest of the line and stop further parsing + 
if ch == '#' { + r.Comment = strings.TrimSpace(ruleStr[i+1:]) + break + } + + switch state { + case statePattern: + switch { + case ch == '\\': + // Escape the next character (important for whitespace while parsing), but + // don't lose the backslash as it's part of the pattern + escaped = true + buf.WriteRune(ch) + continue + + case isWhitespace(ch) && !escaped: + // Unescaped whitespace means this is the end of the pattern + pattern, err := newPattern(buf.String()) + if err != nil { + return r, err + } + r.pattern = pattern + buf.Reset() + state = stateOwners + + case isPatternChar(ch) || (isWhitespace(ch) && escaped): + // Keep any valid pattern characters and escaped whitespace + buf.WriteRune(ch) + + default: + return r, fmt.Errorf("unexpected character '%c' at position %d", ch, i+1) + } + // Escaping only applies to one character + escaped = false + + case stateOwners: + switch { + case isWhitespace(ch): + // Whitespace means we've reached the end of the owner or we're just chomping + // through whitespace before or after owner declarations + if buf.Len() > 0 { + ownerStr := buf.String() + owner, err := newOwner(ownerStr, opts.ownerMatchers) + if err != nil { + return r, fmt.Errorf("%w at position %d", err, i+1-len(ownerStr)) + } + r.Owners = append(r.Owners, owner) + buf.Reset() + } + + case isOwnersChar(ch): + // Write valid owner characters to the buffer + buf.WriteRune(ch) + + default: + return r, fmt.Errorf("unexpected character '%c' at position %d", ch, i+1) + } + } + } + + // We've finished consuming the line, but we might still have content in the buffer + // if the line didn't end with a separator (whitespace) + switch state { + case statePattern: + if buf.Len() == 0 { // We should have non-empty pattern + return r, fmt.Errorf("unexpected end of rule") + } + + pattern, err := newPattern(buf.String()) + if err != nil { + return r, err + } + r.pattern = pattern + + case stateOwners: + // If there's an owner left in the buffer, don't leave it behind + 
if buf.Len() > 0 { + ownerStr := buf.String() + owner, err := newOwner(ownerStr, opts.ownerMatchers) + if err != nil { + return r, fmt.Errorf("%s at position %d", err.Error(), len(ruleStr)+1-len(ownerStr)) + } + r.Owners = append(r.Owners, owner) + } + } + + return r, nil +} + +// newOwner figures out which kind of owner this is and returns an Owner struct +func newOwner(s string, mm []OwnerMatcher) (Owner, error) { + for _, m := range mm { + o, err := m.Match(s) + if errors.Is(err, ErrNoMatch) { + continue + } else if err != nil { + return Owner{}, err + } + + return o, nil + } + + return Owner{}, ErrInvalidOwnerFormat{ + Owner: s, + } +} + +func isWhitespace(ch rune) bool { + return ch == ' ' || ch == '\t' || ch == '\n' +} + +func isAlphanumeric(ch rune) bool { + return (ch >= 'A' && ch <= 'Z') || (ch >= 'a' && ch <= 'z') || (ch >= '0' && ch <= '9') +} + +// isPatternChar matches characters that are allowed in patterns +func isPatternChar(ch rune) bool { + switch ch { + case '*', '?', '.', '/', '@', '_', '+', '-', '\\', '(', ')': + return true + } + return isAlphanumeric(ch) +} + +// isOwnersChar matches characters that are allowed in owner definitions +func isOwnersChar(ch rune) bool { + switch ch { + case '.', '@', '/', '_', '%', '+', '-': + return true + } + return isAlphanumeric(ch) +} diff --git a/vendor/github.com/vishvananda/netlink/conntrack_linux.go b/vendor/github.com/vishvananda/netlink/conntrack_linux.go index c566b2a4a6..b3d354d75e 100644 --- a/vendor/github.com/vishvananda/netlink/conntrack_linux.go +++ b/vendor/github.com/vishvananda/netlink/conntrack_linux.go @@ -5,8 +5,8 @@ import ( "encoding/binary" "errors" "fmt" + "io/fs" "net" - "strings" "time" "github.com/vishvananda/netlink/nl" 
@@ -159,7 +159,7 @@ func (h *Handle) ConntrackDeleteFilter(table ConntrackTableType, family InetFami // ConntrackDeleteFilters deletes entries on the specified table matching any of the specified filters using the netlink handle passed // conntrack -D [table] parameters Delete conntrack or expectation func (h *Handle) ConntrackDeleteFilters(table ConntrackTableType, family InetFamily, filters ...CustomConntrackFilter) (uint, error) { - var errMsgs []string + var finalErr error res, err := h.dumpConntrackTable(table, family) if err != nil { if !errors.Is(err, ErrDumpInterrupted) { @@ -167,9 +167,10 @@ func (h *Handle) ConntrackDeleteFilters(table ConntrackTableType, family InetFam } // This allows us to at least do a best effort to try to clean the // entries matching the filter. - errMsgs = append(errMsgs, err.Error()) + finalErr = err } + var totalFilterErrors int var matched uint for _, dataRaw := range res { flow := parseRawData(dataRaw) 
@@ -178,19 +179,20 @@ func (h *Handle) ConntrackDeleteFilters(table ConntrackTableType, family InetFam req2 := h.newConntrackRequest(table, family, nl.IPCTNL_MSG_CT_DELETE, unix.NLM_F_ACK) // skip the first 4 byte that are the netfilter header, the newConntrackRequest is adding it already req2.AddRawData(dataRaw[4:]) - if _, err = req2.Execute(unix.NETLINK_NETFILTER, 0); err == nil { + if _, err = req2.Execute(unix.NETLINK_NETFILTER, 0); err == nil || errors.Is(err, fs.ErrNotExist) { matched++ // flow is already deleted, no need to match on other filters and continue to the next flow. break + } else { + totalFilterErrors++ } - errMsgs = append(errMsgs, fmt.Sprintf("failed to delete conntrack flow '%s': %s", flow.String(), err.Error())) } } } - if len(errMsgs) > 0 { - return matched, fmt.Errorf(strings.Join(errMsgs, "; ")) + if totalFilterErrors > 0 { + finalErr = errors.Join(finalErr, fmt.Errorf("failed to delete %d conntrack flows with %d filters", totalFilterErrors, len(filters))) } - return matched, nil + return matched, finalErr } func (h *Handle) newConntrackRequest(table ConntrackTableType, family InetFamily, operation, flags int) *nl.NetlinkRequest { diff --git a/vendor/github.com/vishvananda/netlink/link.go b/vendor/github.com/vishvananda/netlink/link.go index e09a6cfe54..cccf5d792a 100644 --- a/vendor/github.com/vishvananda/netlink/link.go +++ b/vendor/github.com/vishvananda/netlink/link.go @@ -56,6 +56,8 @@ type LinkAttrs struct { Vfs []VfInfo // virtual functions available on link Group uint32 PermHWAddr net.HardwareAddr + ParentDev string + ParentDevBus string Slave LinkSlave } diff --git a/vendor/github.com/vishvananda/netlink/link_linux.go b/vendor/github.com/vishvananda/netlink/link_linux.go index 88bbc6db5c..d6bffded31 100644 --- a/vendor/github.com/vishvananda/netlink/link_linux.go +++ b/vendor/github.com/vishvananda/netlink/link_linux.go 
@@ -2263,6 +2263,10 @@ func LinkDeserialize(hdr *unix.NlMsghdr, m []byte) (Link, error) { break } } + case unix.IFLA_PARENT_DEV_NAME: + base.ParentDev = string(attr.Value[:len(attr.Value)-1]) + case unix.IFLA_PARENT_DEV_BUS_NAME: + base.ParentDevBus = string(attr.Value[:len(attr.Value)-1]) } } diff --git a/vendor/github.com/vishvananda/netlink/nl/parse_attr_linux.go b/vendor/github.com/vishvananda/netlink/nl/parse_attr_linux.go index 7f49125cff..8ee0428db8 100644 --- a/vendor/github.com/vishvananda/netlink/nl/parse_attr_linux.go +++ b/vendor/github.com/vishvananda/netlink/nl/parse_attr_linux.go @@ -17,7 +17,7 @@ func ParseAttributes(data []byte) <-chan Attribute { go func() { i := 0 - for i+4 < len(data) { + for i+4 <= len(data) { length := int(native.Uint16(data[i : i+2])) attrType := native.Uint16(data[i+2 : i+4]) diff --git a/vendor/go.etcd.io/etcd/api/v3/version/version.go b/vendor/go.etcd.io/etcd/api/v3/version/version.go index ca6efc5136..15c99a2c28 100644 --- a/vendor/go.etcd.io/etcd/api/v3/version/version.go +++ b/vendor/go.etcd.io/etcd/api/v3/version/version.go @@ -26,7 +26,7 @@ import ( var ( // MinClusterVersion is the min cluster version this etcd binary is compatible with. MinClusterVersion = "3.0.0" - Version = "3.5.17" + Version = "3.5.18" APIVersion = "unknown" // Git SHA Value will be set during build diff --git a/vendor/go.etcd.io/etcd/client/v3/lease.go b/vendor/go.etcd.io/etcd/client/v3/lease.go index 4e7d1caf83..4877ee9496 100644 --- a/vendor/go.etcd.io/etcd/client/v3/lease.go +++ b/vendor/go.etcd.io/etcd/client/v3/lease.go 
@@ -263,6 +263,12 @@ func (l *lessor) Leases(ctx context.Context) (*LeaseLeasesResponse, error) { return nil, ContextError(ctx, err) } +// To identify the context passed to `KeepAlive`, a key/value pair is +// attached to the context. The key is a `keepAliveCtxKey` object, and +// the value is the pointer to the context object itself, ensuring +// uniqueness as each context has a unique memory address. +type keepAliveCtxKey struct{} + func (l *lessor) KeepAlive(ctx context.Context, id LeaseID) (<-chan *LeaseKeepAliveResponse, error) { ch := make(chan *LeaseKeepAliveResponse, LeaseResponseChSize) @@ -277,6 +283,10 @@ func (l *lessor) KeepAlive(ctx context.Context, id LeaseID) (<-chan *LeaseKeepAl default: } ka, ok := l.keepAlives[id] + + if ctx.Done() != nil { + ctx = context.WithValue(ctx, keepAliveCtxKey{}, &ctx) + } if !ok { // create fresh keep alive ka = &keepAlive{ @@ -347,7 +357,7 @@ func (l *lessor) keepAliveCtxCloser(ctx context.Context, id LeaseID, donec <-cha // close channel and remove context if still associated with keep alive for i, c := range ka.ctxs { - if c == ctx { + if c.Value(keepAliveCtxKey{}) == ctx.Value(keepAliveCtxKey{}) { close(ka.chs[i]) ka.ctxs = append(ka.ctxs[:i], ka.ctxs[i+1:]...) ka.chs = append(ka.chs[:i], ka.chs[i+1:]...) diff --git a/vendor/golang.org/x/net/http2/http2.go b/vendor/golang.org/x/net/http2/http2.go index c7601c909f..6c18ea230b 100644 --- a/vendor/golang.org/x/net/http2/http2.go +++ b/vendor/golang.org/x/net/http2/http2.go 
@@ -34,11 +34,19 @@ import ( ) var ( - VerboseLogs bool - logFrameWrites bool - logFrameReads bool - inTests bool - disableExtendedConnectProtocol bool + VerboseLogs bool + logFrameWrites bool + logFrameReads bool + inTests bool + + // Enabling extended CONNECT by causes browsers to attempt to use + // WebSockets-over-HTTP/2. This results in problems when the server's websocket + // package doesn't support extended CONNECT. + // + // Disable extended CONNECT by default for now. + // + // Issue #71128. + disableExtendedConnectProtocol = true ) func init() { @@ -51,8 +59,8 @@ func init() { logFrameWrites = true logFrameReads = true } - if strings.Contains(e, "http2xconnect=0") { - disableExtendedConnectProtocol = true + if strings.Contains(e, "http2xconnect=1") { + disableExtendedConnectProtocol = false } } @@ -407,23 +415,6 @@ func (s *sorter) SortStrings(ss []string) { s.v = save } -// validPseudoPath reports whether v is a valid :path pseudo-header -// value. It must be either: -// -// - a non-empty string starting with '/' -// - the string '*', for OPTIONS requests. -// -// For now this is only used a quick check for deciding when to clean -// up Opaque URLs before sending requests from the Transport. -// See golang.org/issue/16847 -// -// We used to enforce that the path also didn't start with "//", but -// Google's GFE accepts such paths and Chrome sends them, so ignore -// that part of the spec. See golang.org/issue/19103. -func validPseudoPath(v string) bool { - return (len(v) > 0 && v[0] == '/') || v == "*" -} - // incomparable is a zero-width, non-comparable type. Adding it to a struct // makes that struct also non-comparable, and generally doesn't add // any size (as long as it's first). diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go index b55547aec6..7434b87843 100644 --- a/vendor/golang.org/x/net/http2/server.go +++ b/vendor/golang.org/x/net/http2/server.go 
@@ -50,6 +50,7 @@ import ( "golang.org/x/net/http/httpguts" "golang.org/x/net/http2/hpack" + "golang.org/x/net/internal/httpcommon" ) const ( @@ -812,8 +813,7 @@ const maxCachedCanonicalHeadersKeysSize = 2048 func (sc *serverConn) canonicalHeader(v string) string { sc.serveG.check() - buildCommonHeaderMapsOnce() - cv, ok := commonCanonHeader[v] + cv, ok := httpcommon.CachedCanonicalHeader(v) if ok { return cv } diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go index b2e2ed3373..f2c166b615 100644 --- a/vendor/golang.org/x/net/http2/transport.go +++ b/vendor/golang.org/x/net/http2/transport.go @@ -25,7 +25,6 @@ import ( "net/http" "net/http/httptrace" "net/textproto" - "sort" "strconv" "strings" "sync" @@ -35,6 +34,7 @@ import ( "golang.org/x/net/http/httpguts" "golang.org/x/net/http2/hpack" "golang.org/x/net/idna" + "golang.org/x/net/internal/httpcommon" ) const ( @@ -1275,23 +1275,6 @@ func (cc *ClientConn) closeForLostPing() { // exported. At least they'll be DeepEqual for h1-vs-h2 comparisons tests. var errRequestCanceled = errors.New("net/http: request canceled") -func commaSeparatedTrailers(req *http.Request) (string, error) { - keys := make([]string, 0, len(req.Trailer)) - for k := range req.Trailer { - k = canonicalHeader(k) - switch k { - case "Transfer-Encoding", "Trailer", "Content-Length": - return "", fmt.Errorf("invalid Trailer key %q", k) - } - keys = append(keys, k) - } - if len(keys) > 0 { - sort.Strings(keys) - return strings.Join(keys, ","), nil - } - return "", nil -} - func (cc *ClientConn) responseHeaderTimeout() time.Duration { if cc.t.t1 != nil { return cc.t.t1.ResponseHeaderTimeout 
@@ -1303,35 +1286,6 @@ func (cc *ClientConn) responseHeaderTimeout() time.Duration { return 0 } -// checkConnHeaders checks whether req has any invalid connection-level headers. -// per RFC 7540 section 8.1.2.2: Connection-Specific Header Fields. -// Certain headers are special-cased as okay but not transmitted later. -func checkConnHeaders(req *http.Request) error { - if v := req.Header.Get("Upgrade"); v != "" { - return fmt.Errorf("http2: invalid Upgrade request header: %q", req.Header["Upgrade"]) - } - if vv := req.Header["Transfer-Encoding"]; len(vv) > 0 && (len(vv) > 1 || vv[0] != "" && vv[0] != "chunked") { - return fmt.Errorf("http2: invalid Transfer-Encoding request header: %q", vv) - } - if vv := req.Header["Connection"]; len(vv) > 0 && (len(vv) > 1 || vv[0] != "" && !asciiEqualFold(vv[0], "close") && !asciiEqualFold(vv[0], "keep-alive")) { - return fmt.Errorf("http2: invalid Connection request header: %q", vv) - } - return nil -} - -// actualContentLength returns a sanitized version of -// req.ContentLength, where 0 actually means zero (not unknown) and -1 -// means unknown. -func actualContentLength(req *http.Request) int64 { - if req.Body == nil || req.Body == http.NoBody { - return 0 - } - if req.ContentLength != 0 { - return req.ContentLength - } - return -1 -} - func (cc *ClientConn) decrStreamReservations() { cc.mu.Lock() defer cc.mu.Unlock() @@ -1356,7 +1310,7 @@ func (cc *ClientConn) roundTrip(req *http.Request, streamf func(*clientStream)) reqCancel: req.Cancel, isHead: req.Method == "HEAD", reqBody: req.Body, - reqBodyContentLength: actualContentLength(req), + reqBodyContentLength: httpcommon.ActualContentLength(req), trace: httptrace.ContextClientTrace(ctx), peerClosed: make(chan struct{}), abort: make(chan struct{}), 
@@ -1364,25 +1318,7 @@ func (cc *ClientConn) roundTrip(req *http.Request, streamf func(*clientStream)) donec: make(chan struct{}), } - // TODO(bradfitz): this is a copy of the logic in net/http. Unify somewhere? - if !cc.t.disableCompression() && - req.Header.Get("Accept-Encoding") == "" && - req.Header.Get("Range") == "" && - !cs.isHead { - // Request gzip only, not deflate. Deflate is ambiguous and - // not as universally supported anyway. - // See: https://zlib.net/zlib_faq.html#faq39 - // - // Note that we don't request this for HEAD requests, - // due to a bug in nginx: - // http://trac.nginx.org/nginx/ticket/358 - // https://golang.org/issue/5522 - // - // We don't request gzip if the request is for a range, since - // auto-decoding a portion of a gzipped document will just fail - // anyway. See https://golang.org/issue/8923 - cs.requestedGzip = true - } + cs.requestedGzip = httpcommon.IsRequestGzip(req, cc.t.disableCompression()) go cs.doRequest(req, streamf) @@ -1413,7 +1349,7 @@ func (cc *ClientConn) roundTrip(req *http.Request, streamf func(*clientStream)) } res.Request = req res.TLS = cc.tlsState - if res.Body == noBody && actualContentLength(req) == 0 { + if res.Body == noBody && httpcommon.ActualContentLength(req) == 0 { // If there isn't a request or response body still being // written, then wait for the stream to be closed before // RoundTrip returns. @@ -1496,10 +1432,6 @@ func (cs *clientStream) writeRequest(req *http.Request, streamf func(*clientStre cc := cs.cc ctx := cs.ctx - if err := checkConnHeaders(req); err != nil { - return err - } - // wait for setting frames to be received, a server can change this value later, // but we just wait for the first settings frame var isExtendedConnect bool 
@@ -1663,20 +1595,22 @@ func (cs *clientStream) encodeAndWriteHeaders(req *http.Request) error { // we send: HEADERS{1}, CONTINUATION{0,} + DATA{0,} (DATA is // sent by writeRequestBody below, along with any Trailers, // again in form HEADERS{1}, CONTINUATION{0,}) - trailers, err := commaSeparatedTrailers(req) - if err != nil { - return err - } - hasTrailers := trailers != "" - contentLen := actualContentLength(req) - hasBody := contentLen != 0 - hdrs, err := cc.encodeHeaders(req, cs.requestedGzip, trailers, contentLen) + cc.hbuf.Reset() + res, err := httpcommon.EncodeHeaders(httpcommon.EncodeHeadersParam{ + Request: req, + AddGzipHeader: cs.requestedGzip, + PeerMaxHeaderListSize: cc.peerMaxHeaderListSize, + DefaultUserAgent: defaultUserAgent, + }, func(name, value string) { + cc.writeHeader(name, value) + }) if err != nil { - return err + return fmt.Errorf("http2: %w", err) } + hdrs := cc.hbuf.Bytes() // Write the request. - endStream := !hasBody && !hasTrailers + endStream := !res.HasBody && !res.HasTrailers cs.sentHeaders = true err = cc.writeHeaders(cs.ID, endStream, int(cc.maxFrameSize), hdrs) traceWroteHeaders(cs.trace) 
@@ -2070,218 +2004,6 @@ func (cs *clientStream) awaitFlowControl(maxBytes int) (taken int32, err error) } } -func validateHeaders(hdrs http.Header) string { - for k, vv := range hdrs { - if !httpguts.ValidHeaderFieldName(k) && k != ":protocol" { - return fmt.Sprintf("name %q", k) - } - for _, v := range vv { - if !httpguts.ValidHeaderFieldValue(v) { - // Don't include the value in the error, - // because it may be sensitive. - return fmt.Sprintf("value for header %q", k) - } - } - } - return "" -} - -var errNilRequestURL = errors.New("http2: Request.URI is nil") - -func isNormalConnect(req *http.Request) bool { - return req.Method == "CONNECT" && req.Header.Get(":protocol") == "" -} - -// requires cc.wmu be held. -func (cc *ClientConn) encodeHeaders(req *http.Request, addGzipHeader bool, trailers string, contentLength int64) ([]byte, error) { - cc.hbuf.Reset() - if req.URL == nil { - return nil, errNilRequestURL - } - - host := req.Host - if host == "" { - host = req.URL.Host - } - host, err := httpguts.PunycodeHostPort(host) - if err != nil { - return nil, err - } - if !httpguts.ValidHostHeader(host) { - return nil, errors.New("http2: invalid Host header") - } - - var path string - if !isNormalConnect(req) { - path = req.URL.RequestURI() - if !validPseudoPath(path) { - orig := path - path = strings.TrimPrefix(path, req.URL.Scheme+"://"+host) - if !validPseudoPath(path) { - if req.URL.Opaque != "" { - return nil, fmt.Errorf("invalid request :path %q from URL.Opaque = %q", orig, req.URL.Opaque) - } else { - return nil, fmt.Errorf("invalid request :path %q", orig) - } - } - } - } - - // Check for any invalid headers+trailers and return an error before we - // potentially pollute our hpack state. 
(We want to be able to - // continue to reuse the hpack encoder for future requests) - if err := validateHeaders(req.Header); err != "" { - return nil, fmt.Errorf("invalid HTTP header %s", err) - } - if err := validateHeaders(req.Trailer); err != "" { - return nil, fmt.Errorf("invalid HTTP trailer %s", err) - } - - enumerateHeaders := func(f func(name, value string)) { - // 8.1.2.3 Request Pseudo-Header Fields - // The :path pseudo-header field includes the path and query parts of the - // target URI (the path-absolute production and optionally a '?' character - // followed by the query production, see Sections 3.3 and 3.4 of - // [RFC3986]). - f(":authority", host) - m := req.Method - if m == "" { - m = http.MethodGet - } - f(":method", m) - if !isNormalConnect(req) { - f(":path", path) - f(":scheme", req.URL.Scheme) - } - if trailers != "" { - f("trailer", trailers) - } - - var didUA bool - for k, vv := range req.Header { - if asciiEqualFold(k, "host") || asciiEqualFold(k, "content-length") { - // Host is :authority, already sent. - // Content-Length is automatic, set below. - continue - } else if asciiEqualFold(k, "connection") || - asciiEqualFold(k, "proxy-connection") || - asciiEqualFold(k, "transfer-encoding") || - asciiEqualFold(k, "upgrade") || - asciiEqualFold(k, "keep-alive") { - // Per 8.1.2.2 Connection-Specific Header - // Fields, don't send connection-specific - // fields. We have already checked if any - // are error-worthy so just ignore the rest. - continue - } else if asciiEqualFold(k, "user-agent") { - // Match Go's http1 behavior: at most one - // User-Agent. If set to nil or empty string, - // then omit it. Otherwise if not mentioned, - // include the default (below). 
- didUA = true - if len(vv) < 1 { - continue - } - vv = vv[:1] - if vv[0] == "" { - continue - } - } else if asciiEqualFold(k, "cookie") { - // Per 8.1.2.5 To allow for better compression efficiency, the - // Cookie header field MAY be split into separate header fields, - // each with one or more cookie-pairs. - for _, v := range vv { - for { - p := strings.IndexByte(v, ';') - if p < 0 { - break - } - f("cookie", v[:p]) - p++ - // strip space after semicolon if any. - for p+1 <= len(v) && v[p] == ' ' { - p++ - } - v = v[p:] - } - if len(v) > 0 { - f("cookie", v) - } - } - continue - } - - for _, v := range vv { - f(k, v) - } - } - if shouldSendReqContentLength(req.Method, contentLength) { - f("content-length", strconv.FormatInt(contentLength, 10)) - } - if addGzipHeader { - f("accept-encoding", "gzip") - } - if !didUA { - f("user-agent", defaultUserAgent) - } - } - - // Do a first pass over the headers counting bytes to ensure - // we don't exceed cc.peerMaxHeaderListSize. This is done as a - // separate pass before encoding the headers to prevent - // modifying the hpack state. - hlSize := uint64(0) - enumerateHeaders(func(name, value string) { - hf := hpack.HeaderField{Name: name, Value: value} - hlSize += uint64(hf.Size()) - }) - - if hlSize > cc.peerMaxHeaderListSize { - return nil, errRequestHeaderListSize - } - - trace := httptrace.ContextClientTrace(req.Context()) - traceHeaders := traceHasWroteHeaderField(trace) - - // Header list size is ok. Write the headers. - enumerateHeaders(func(name, value string) { - name, ascii := lowerHeader(name) - if !ascii { - // Skip writing invalid headers. Per RFC 7540, Section 8.1.2, header - // field names have to be ASCII characters (just as in HTTP/1.x). - return - } - cc.writeHeader(name, value) - if traceHeaders { - traceWroteHeaderField(trace, name, value) - } - }) - - return cc.hbuf.Bytes(), nil -} - -// shouldSendReqContentLength reports whether the http2.Transport should send -// a "content-length" request header. 
This logic is basically a copy of the net/http -// transferWriter.shouldSendContentLength. -// The contentLength is the corrected contentLength (so 0 means actually 0, not unknown). -// -1 means unknown. -func shouldSendReqContentLength(method string, contentLength int64) bool { - if contentLength > 0 { - return true - } - if contentLength < 0 { - return false - } - // For zero bodies, whether we send a content-length depends on the method. - // It also kinda doesn't matter for http2 either way, with END_STREAM. - switch method { - case "POST", "PUT", "PATCH": - return true - default: - return false - } -} - // requires cc.wmu be held. func (cc *ClientConn) encodeTrailers(trailer http.Header) ([]byte, error) { cc.hbuf.Reset() @@ -2298,7 +2020,7 @@ func (cc *ClientConn) encodeTrailers(trailer http.Header) ([]byte, error) { } for k, vv := range trailer { - lowKey, ascii := lowerHeader(k) + lowKey, ascii := httpcommon.LowerHeader(k) if !ascii { // Skip writing invalid headers. Per RFC 7540, Section 8.1.2, header // field names have to be ASCII characters (just as in HTTP/1.x). @@ -2653,7 +2375,7 @@ func (rl *clientConnReadLoop) handleResponse(cs *clientStream, f *MetaHeadersFra Status: status + " " + http.StatusText(statusCode), } for _, hf := range regularFields { - key := canonicalHeader(hf.Name) + key := httpcommon.CanonicalHeader(hf.Name) if key == "Trailer" { t := res.Trailer if t == nil { @@ -2661,7 +2383,7 @@ func (rl *clientConnReadLoop) handleResponse(cs *clientStream, f *MetaHeadersFra res.Trailer = t } foreachHeaderElement(hf.Value, func(v string) { - t[canonicalHeader(v)] = nil + t[httpcommon.CanonicalHeader(v)] = nil }) } else { vv := header[key] 
@@ -2785,7 +2507,7 @@ func (rl *clientConnReadLoop) processTrailers(cs *clientStream, f *MetaHeadersFr trailer := make(http.Header) for _, hf := range f.RegularFields() { - key := canonicalHeader(hf.Name) + key := httpcommon.CanonicalHeader(hf.Name) trailer[key] = append(trailer[key], hf.Value) } cs.trailer = trailer @@ -3331,7 +3053,7 @@ func (cc *ClientConn) writeStreamReset(streamID uint32, code ErrCode, ping bool, var ( errResponseHeaderListSize = errors.New("http2: response header list larger than advertised limit") - errRequestHeaderListSize = errors.New("http2: request header list larger than peer's advertised limit") + errRequestHeaderListSize = httpcommon.ErrRequestHeaderListSize ) func (cc *ClientConn) logf(format string, args ...interface{}) { @@ -3515,16 +3237,6 @@ func traceFirstResponseByte(trace *httptrace.ClientTrace) { } } -func traceHasWroteHeaderField(trace *httptrace.ClientTrace) bool { - return trace != nil && trace.WroteHeaderField != nil -} - -func traceWroteHeaderField(trace *httptrace.ClientTrace, k, v string) { - if trace != nil && trace.WroteHeaderField != nil { - trace.WroteHeaderField(k, []string{v}) - } -} - func traceGot1xxResponseFunc(trace *httptrace.ClientTrace) func(int, textproto.MIMEHeader) error { if trace != nil { return trace.Got1xxResponse diff --git a/vendor/golang.org/x/net/http2/write.go b/vendor/golang.org/x/net/http2/write.go index 6ff6bee7e9..fdb35b9477 100644 --- a/vendor/golang.org/x/net/http2/write.go +++ b/vendor/golang.org/x/net/http2/write.go @@ -13,6 +13,7 @@ import ( "golang.org/x/net/http/httpguts" "golang.org/x/net/http2/hpack" + "golang.org/x/net/internal/httpcommon" ) // writeFramer is implemented by any type that is used to write frames. 
@@ -351,7 +352,7 @@ func encodeHeaders(enc *hpack.Encoder, h http.Header, keys []string) { } for _, k := range keys { vv := h[k] - k, ascii := lowerHeader(k) + k, ascii := httpcommon.LowerHeader(k) if !ascii { // Skip writing invalid headers. Per RFC 7540, Section 8.1.2, header // field names have to be ASCII characters (just as in HTTP/1.x). diff --git a/vendor/golang.org/x/net/internal/httpcommon/ascii.go b/vendor/golang.org/x/net/internal/httpcommon/ascii.go new file mode 100644 index 0000000000..ed14da5afc --- /dev/null +++ b/vendor/golang.org/x/net/internal/httpcommon/ascii.go 
@@ -0,0 +1,53 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package httpcommon
+
+import "strings"
+
+// The HTTP protocols are defined in terms of ASCII, not Unicode. This file
+// contains helper functions which may use Unicode-aware functions which would
+// otherwise be unsafe and could introduce vulnerabilities if used improperly.
+
+// asciiEqualFold is strings.EqualFold, ASCII only. It reports whether s and t
+// are equal, ASCII-case-insensitively.
+func asciiEqualFold(s, t string) bool {
+ if len(s) != len(t) {
+ return false
+ }
+ for i := 0; i < len(s); i++ {
+ if lower(s[i]) != lower(t[i]) {
+ return false
+ }
+ }
+ return true
+}
+
+// lower returns the ASCII lowercase version of b.
+func lower(b byte) byte {
+ if 'A' <= b && b <= 'Z' {
+ return b + ('a' - 'A')
+ }
+ return b
+}
+
+// isASCIIPrint returns whether s is ASCII and printable according to
+// https://tools.ietf.org/html/rfc20#section-4.2.
+func isASCIIPrint(s string) bool {
+ for i := 0; i < len(s); i++ {
+ if s[i] < ' ' || s[i] > '~' {
+ return false
+ }
+ }
+ return true
+}
+
+// asciiToLower returns the lowercase version of s if s is ASCII and printable,
+// and whether or not it was.
+func asciiToLower(s string) (lower string, ok bool) {
+ if !isASCIIPrint(s) {
+ return "", false
+ }
+ return strings.ToLower(s), true
+}
diff --git a/vendor/golang.org/x/net/http2/headermap.go b/vendor/golang.org/x/net/internal/httpcommon/headermap.go
similarity index 77%
rename from vendor/golang.org/x/net/http2/headermap.go
rename to vendor/golang.org/x/net/internal/httpcommon/headermap.go
index 149b3dd20e..ad3fbacd60 100644
--- a/vendor/golang.org/x/net/http2/headermap.go
+++ b/vendor/golang.org/x/net/internal/httpcommon/headermap.go
@@ -1,8 +1,8 @@
-// Copyright 2014 The Go Authors. All rights reserved.
+// Copyright 2025 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-package http2
+package httpcommon
 import (
 "net/http"
@@ -88,7 +88,9 @@ func buildCommonHeaderMaps() {
 }
 }
-func lowerHeader(v string) (lower string, ascii bool) {
+// LowerHeader returns the lowercase form of a header name,
+// used on the wire for HTTP/2 and HTTP/3 requests.
+func LowerHeader(v string) (lower string, ascii bool) {
 buildCommonHeaderMapsOnce()
 if s, ok := commonLowerHeader[v]; ok {
 return s, true
@@ -96,10 +98,18 @@ func lowerHeader(v string) (lower string, ascii bool) {
 return asciiToLower(v)
 }
-func canonicalHeader(v string) string {
+// CanonicalHeader canonicalizes a header name. (For example, "host" becomes "Host".)
+func CanonicalHeader(v string) string {
 buildCommonHeaderMapsOnce()
 if s, ok := commonCanonHeader[v]; ok {
 return s
 }
 return http.CanonicalHeaderKey(v)
 }
+
+// CachedCanonicalHeader returns the canonical form of a well-known header name.
+func CachedCanonicalHeader(v string) (string, bool) {
+ buildCommonHeaderMapsOnce()
+ s, ok := commonCanonHeader[v]
+ return s, ok
+}
diff --git a/vendor/golang.org/x/net/internal/httpcommon/request.go b/vendor/golang.org/x/net/internal/httpcommon/request.go
new file mode 100644
index 0000000000..3439147738
--- /dev/null
+++ b/vendor/golang.org/x/net/internal/httpcommon/request.go
@@ -0,0 +1,379 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package httpcommon
+
+import (
+ "errors"
+ "fmt"
+ "net/http"
+ "net/http/httptrace"
+ "sort"
+ "strconv"
+ "strings"
+
+ "golang.org/x/net/http/httpguts"
+ "golang.org/x/net/http2/hpack"
+)
+
+var (
+ ErrRequestHeaderListSize = errors.New("request header list larger than peer's advertised limit")
+)
+
+// EncodeHeadersParam is parameters to EncodeHeaders.
+type EncodeHeadersParam struct {
+ Request *http.Request
+
+ // AddGzipHeader indicates that an "accept-encoding: gzip" header should be
+ // added to the request.
+ AddGzipHeader bool
+
+ // PeerMaxHeaderListSize, when non-zero, is the peer's MAX_HEADER_LIST_SIZE setting.
+ PeerMaxHeaderListSize uint64
+
+ // DefaultUserAgent is the User-Agent header to send when the request
+ // neither contains a User-Agent nor disables it.
+ DefaultUserAgent string
+}
+
+// EncodeHeadersParam is the result of EncodeHeaders.
+type EncodeHeadersResult struct {
+ HasBody bool
+ HasTrailers bool
+}
+
+// EncodeHeaders constructs request headers common to HTTP/2 and HTTP/3.
+// It validates a request and calls headerf with each pseudo-header and header
+// for the request.
+// The headerf function is called with the validated, canonicalized header name.
+func EncodeHeaders(param EncodeHeadersParam, headerf func(name, value string)) (res EncodeHeadersResult, _ error) {
+ req := param.Request
+
+ // Check for invalid connection-level headers.
+ if err := checkConnHeaders(req); err != nil {
+ return res, err
+ }
+
+ if req.URL == nil {
+ return res, errors.New("Request.URL is nil")
+ }
+
+ host := req.Host
+ if host == "" {
+ host = req.URL.Host
+ }
+ host, err := httpguts.PunycodeHostPort(host)
+ if err != nil {
+ return res, err
+ }
+ if !httpguts.ValidHostHeader(host) {
+ return res, errors.New("invalid Host header")
+ }
+
+ // isNormalConnect is true if this is a non-extended CONNECT request.
+ isNormalConnect := false
+ protocol := req.Header.Get(":protocol")
+ if req.Method == "CONNECT" && protocol == "" {
+ isNormalConnect = true
+ } else if protocol != "" && req.Method != "CONNECT" {
+ return res, errors.New("invalid :protocol header in non-CONNECT request")
+ }
+
+ // Validate the path, except for non-extended CONNECT requests which have no path.
+ var path string
+ if !isNormalConnect {
+ path = req.URL.RequestURI()
+ if !validPseudoPath(path) {
+ orig := path
+ path = strings.TrimPrefix(path, req.URL.Scheme+"://"+host)
+ if !validPseudoPath(path) {
+ if req.URL.Opaque != "" {
+ return res, fmt.Errorf("invalid request :path %q from URL.Opaque = %q", orig, req.URL.Opaque)
+ } else {
+ return res, fmt.Errorf("invalid request :path %q", orig)
+ }
+ }
+ }
+ }
+
+ // Check for any invalid headers+trailers and return an error before we
+ // potentially pollute our hpack state. (We want to be able to
+ // continue to reuse the hpack encoder for future requests)
+ if err := validateHeaders(req.Header); err != "" {
+ return res, fmt.Errorf("invalid HTTP header %s", err)
+ }
+ if err := validateHeaders(req.Trailer); err != "" {
+ return res, fmt.Errorf("invalid HTTP trailer %s", err)
+ }
+
+ contentLength := ActualContentLength(req)
+
+ trailers, err := commaSeparatedTrailers(req)
+ if err != nil {
+ return res, err
+ }
+
+ enumerateHeaders := func(f func(name, value string)) {
+ // 8.1.2.3 Request Pseudo-Header Fields
+ // The :path pseudo-header field includes the path and query parts of the
+ // target URI (the path-absolute production and optionally a '?' character
+ // followed by the query production, see Sections 3.3 and 3.4 of
+ // [RFC3986]).
+ f(":authority", host)
+ m := req.Method
+ if m == "" {
+ m = http.MethodGet
+ }
+ f(":method", m)
+ if !isNormalConnect {
+ f(":path", path)
+ f(":scheme", req.URL.Scheme)
+ }
+ if protocol != "" {
+ f(":protocol", protocol)
+ }
+ if trailers != "" {
+ f("trailer", trailers)
+ }
+
+ var didUA bool
+ for k, vv := range req.Header {
+ if asciiEqualFold(k, "host") || asciiEqualFold(k, "content-length") {
+ // Host is :authority, already sent.
+ // Content-Length is automatic, set below.
+ continue
+ } else if asciiEqualFold(k, "connection") ||
+ asciiEqualFold(k, "proxy-connection") ||
+ asciiEqualFold(k, "transfer-encoding") ||
+ asciiEqualFold(k, "upgrade") ||
+ asciiEqualFold(k, "keep-alive") {
+ // Per 8.1.2.2 Connection-Specific Header
+ // Fields, don't send connection-specific
+ // fields. We have already checked if any
+ // are error-worthy so just ignore the rest.
+ continue
+ } else if asciiEqualFold(k, "user-agent") {
+ // Match Go's http1 behavior: at most one
+ // User-Agent. If set to nil or empty string,
+ // then omit it. Otherwise if not mentioned,
+ // include the default (below).
+ didUA = true
+ if len(vv) < 1 {
+ continue
+ }
+ vv = vv[:1]
+ if vv[0] == "" {
+ continue
+ }
+ } else if asciiEqualFold(k, "cookie") {
+ // Per 8.1.2.5 To allow for better compression efficiency, the
+ // Cookie header field MAY be split into separate header fields,
+ // each with one or more cookie-pairs.
+ for _, v := range vv {
+ for {
+ p := strings.IndexByte(v, ';')
+ if p < 0 {
+ break
+ }
+ f("cookie", v[:p])
+ p++
+ // strip space after semicolon if any.
+ for p+1 <= len(v) && v[p] == ' ' {
+ p++
+ }
+ v = v[p:]
+ }
+ if len(v) > 0 {
+ f("cookie", v)
+ }
+ }
+ continue
+ } else if k == ":protocol" {
+ // :protocol pseudo-header was already sent above.
+ continue
+ }
+
+ for _, v := range vv {
+ f(k, v)
+ }
+ }
+ if shouldSendReqContentLength(req.Method, contentLength) {
+ f("content-length", strconv.FormatInt(contentLength, 10))
+ }
+ if param.AddGzipHeader {
+ f("accept-encoding", "gzip")
+ }
+ if !didUA {
+ f("user-agent", param.DefaultUserAgent)
+ }
+ }
+
+ // Do a first pass over the headers counting bytes to ensure
+ // we don't exceed cc.peerMaxHeaderListSize. This is done as a
+ // separate pass before encoding the headers to prevent
+ // modifying the hpack state.
+ if param.PeerMaxHeaderListSize > 0 {
+ hlSize := uint64(0)
+ enumerateHeaders(func(name, value string) {
+ hf := hpack.HeaderField{Name: name, Value: value}
+ hlSize += uint64(hf.Size())
+ })
+
+ if hlSize > param.PeerMaxHeaderListSize {
+ return res, ErrRequestHeaderListSize
+ }
+ }
+
+ trace := httptrace.ContextClientTrace(req.Context())
+
+ // Header list size is ok. Write the headers.
+ enumerateHeaders(func(name, value string) {
+ name, ascii := LowerHeader(name)
+ if !ascii {
+ // Skip writing invalid headers. Per RFC 7540, Section 8.1.2, header
+ // field names have to be ASCII characters (just as in HTTP/1.x).
+ return
+ }
+
+ headerf(name, value)
+
+ if trace != nil && trace.WroteHeaderField != nil {
+ trace.WroteHeaderField(name, []string{value})
+ }
+ })
+
+ res.HasBody = contentLength != 0
+ res.HasTrailers = trailers != ""
+ return res, nil
+}
+
+// IsRequestGzip reports whether we should add an Accept-Encoding: gzip header
+// for a request.
+func IsRequestGzip(req *http.Request, disableCompression bool) bool {
+ // TODO(bradfitz): this is a copy of the logic in net/http. Unify somewhere?
+ if !disableCompression &&
+ req.Header.Get("Accept-Encoding") == "" &&
+ req.Header.Get("Range") == "" &&
+ req.Method != "HEAD" {
+ // Request gzip only, not deflate. Deflate is ambiguous and
+ // not as universally supported anyway.
+ // See: https://zlib.net/zlib_faq.html#faq39
+ //
+ // Note that we don't request this for HEAD requests,
+ // due to a bug in nginx:
+ // http://trac.nginx.org/nginx/ticket/358
+ // https://golang.org/issue/5522
+ //
+ // We don't request gzip if the request is for a range, since
+ // auto-decoding a portion of a gzipped document will just fail
+ // anyway. See https://golang.org/issue/8923
+ return true
+ }
+ return false
+}
+
+// checkConnHeaders checks whether req has any invalid connection-level headers.
+//
+// https://www.rfc-editor.org/rfc/rfc9114.html#section-4.2-3
+// https://www.rfc-editor.org/rfc/rfc9113.html#section-8.2.2-1
+//
+// Certain headers are special-cased as okay but not transmitted later.
+// For example, we allow "Transfer-Encoding: chunked", but drop the header when encoding.
+func checkConnHeaders(req *http.Request) error {
+ if v := req.Header.Get("Upgrade"); v != "" {
+ return fmt.Errorf("invalid Upgrade request header: %q", req.Header["Upgrade"])
+ }
+ if vv := req.Header["Transfer-Encoding"]; len(vv) > 0 && (len(vv) > 1 || vv[0] != "" && vv[0] != "chunked") {
+ return fmt.Errorf("invalid Transfer-Encoding request header: %q", vv)
+ }
+ if vv := req.Header["Connection"]; len(vv) > 0 && (len(vv) > 1 || vv[0] != "" && !asciiEqualFold(vv[0], "close") && !asciiEqualFold(vv[0], "keep-alive")) {
+ return fmt.Errorf("invalid Connection request header: %q", vv)
+ }
+ return nil
+}
+
+func commaSeparatedTrailers(req *http.Request) (string, error) {
+ keys := make([]string, 0, len(req.Trailer))
+ for k := range req.Trailer {
+ k = CanonicalHeader(k)
+ switch k {
+ case "Transfer-Encoding", "Trailer", "Content-Length":
+ return "", fmt.Errorf("invalid Trailer key %q", k)
+ }
+ keys = append(keys, k)
+ }
+ if len(keys) > 0 {
+ sort.Strings(keys)
+ return strings.Join(keys, ","), nil
+ }
+ return "", nil
+}
+
+// ActualContentLength returns a sanitized version of
+// req.ContentLength, where 0 actually means zero (not unknown) and -1
+// means unknown.
+func ActualContentLength(req *http.Request) int64 {
+ if req.Body == nil || req.Body == http.NoBody {
+ return 0
+ }
+ if req.ContentLength != 0 {
+ return req.ContentLength
+ }
+ return -1
+}
+
+// validPseudoPath reports whether v is a valid :path pseudo-header
+// value. It must be either:
+//
+// - a non-empty string starting with '/'
+// - the string '*', for OPTIONS requests.
+//
+// For now this is only used a quick check for deciding when to clean
+// up Opaque URLs before sending requests from the Transport.
+// See golang.org/issue/16847
+//
+// We used to enforce that the path also didn't start with "//", but
+// Google's GFE accepts such paths and Chrome sends them, so ignore
+// that part of the spec. See golang.org/issue/19103.
+func validPseudoPath(v string) bool {
+ return (len(v) > 0 && v[0] == '/') || v == "*"
+}
+
+func validateHeaders(hdrs http.Header) string {
+ for k, vv := range hdrs {
+ if !httpguts.ValidHeaderFieldName(k) && k != ":protocol" {
+ return fmt.Sprintf("name %q", k)
+ }
+ for _, v := range vv {
+ if !httpguts.ValidHeaderFieldValue(v) {
+ // Don't include the value in the error,
+ // because it may be sensitive.
+ return fmt.Sprintf("value for header %q", k)
+ }
+ }
+ }
+ return ""
+}
+
+// shouldSendReqContentLength reports whether we should send
+// a "content-length" request header. This logic is basically a copy of the net/http
+// transferWriter.shouldSendContentLength.
+// The contentLength is the corrected contentLength (so 0 means actually 0, not unknown).
+// -1 means unknown.
+func shouldSendReqContentLength(method string, contentLength int64) bool {
+ if contentLength > 0 {
+ return true
+ }
+ if contentLength < 0 {
+ return false
+ }
+ // For zero bodies, whether we send a content-length depends on the method.
+ // It also kinda doesn't matter for http2 either way, with END_STREAM.
+ switch method {
+ case "POST", "PUT", "PATCH":
+ return true
+ default:
+ return false
+ }
+}
diff --git a/vendor/golang.org/x/sync/errgroup/errgroup.go b/vendor/golang.org/x/sync/errgroup/errgroup.go
index 948a3ee63d..b8322598ae 100644
--- a/vendor/golang.org/x/sync/errgroup/errgroup.go
+++ b/vendor/golang.org/x/sync/errgroup/errgroup.go
@@ -118,6 +118,7 @@ func (g *Group) TryGo(f func() error) bool { // SetLimit limits the number of active goroutines in this group to at most n. // A negative value indicates no limit. +// A limit of zero will prevent any new goroutines from being added. // // Any subsequent call to the Go method will block until it can add an active // goroutine without exceeding the configured limit.
diff --git a/vendor/golang.org/x/sys/unix/auxv.go b/vendor/golang.org/x/sys/unix/auxv.go
new file mode 100644
index 0000000000..37a82528f5
--- /dev/null
+++ b/vendor/golang.org/x/sys/unix/auxv.go
@@ -0,0 +1,36 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.21 && (aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris || zos)
+
+package unix
+
+import (
+ "syscall"
+ "unsafe"
+)
+
+//go:linkname runtime_getAuxv runtime.getAuxv
+func runtime_getAuxv() []uintptr
+
+// Auxv returns the ELF auxiliary vector as a sequence of key/value pairs.
+// The returned slice is always a fresh copy, owned by the caller.
+// It returns an error on non-ELF platforms, or if the auxiliary vector cannot be accessed,
+// which happens in some locked-down environments and build modes.
+func Auxv() ([][2]uintptr, error) {
+ vec := runtime_getAuxv()
+ vecLen := len(vec)
+
+ if vecLen == 0 {
+ return nil, syscall.ENOENT
+ }
+
+ if vecLen%2 != 0 {
+ return nil, syscall.EINVAL
+ }
+
+ result := make([]uintptr, vecLen)
+ copy(result, vec)
+ return unsafe.Slice((*[2]uintptr)(unsafe.Pointer(&result[0])), vecLen/2), nil
+}
diff --git a/vendor/golang.org/x/sys/unix/auxv_unsupported.go b/vendor/golang.org/x/sys/unix/auxv_unsupported.go
new file mode 100644
index 0000000000..1200487f2e
--- /dev/null
+++ b/vendor/golang.org/x/sys/unix/auxv_unsupported.go
@@ -0,0 +1,13 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.21 && (aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris || zos)
+
+package unix
+
+import "syscall"
+
+func Auxv() ([][2]uintptr, error) {
+ return nil, syscall.ENOTSUP
+}
diff --git a/vendor/golang.org/x/sys/unix/syscall_solaris.go b/vendor/golang.org/x/sys/unix/syscall_solaris.go
index 21974af064..abc3955477 100644
--- a/vendor/golang.org/x/sys/unix/syscall_solaris.go
+++ b/vendor/golang.org/x/sys/unix/syscall_solaris.go 
@@ -1102,3 +1102,90 @@ func (s *Strioctl) SetInt(i int) {
 func IoctlSetStrioctlRetInt(fd int, req int, s *Strioctl) (int, error) {
 return ioctlPtrRet(fd, req, unsafe.Pointer(s))
 }
+
+// Ucred Helpers
+// See ucred(3c) and getpeerucred(3c)
+
+//sys getpeerucred(fd uintptr, ucred *uintptr) (err error)
+//sys ucredFree(ucred uintptr) = ucred_free
+//sys ucredGet(pid int) (ucred uintptr, err error) = ucred_get
+//sys ucredGeteuid(ucred uintptr) (uid int) = ucred_geteuid
+//sys ucredGetegid(ucred uintptr) (gid int) = ucred_getegid
+//sys ucredGetruid(ucred uintptr) (uid int) = ucred_getruid
+//sys ucredGetrgid(ucred uintptr) (gid int) = ucred_getrgid
+//sys ucredGetsuid(ucred uintptr) (uid int) = ucred_getsuid
+//sys ucredGetsgid(ucred uintptr) (gid int) = ucred_getsgid
+//sys ucredGetpid(ucred uintptr) (pid int) = ucred_getpid
+
+// Ucred is an opaque struct that holds user credentials.
+type Ucred struct {
+ ucred uintptr
+}
+
+// We need to ensure that ucredFree is called on the underlying ucred
+// when the Ucred is garbage collected.
+func ucredFinalizer(u *Ucred) {
+ ucredFree(u.ucred)
+}
+
+func GetPeerUcred(fd uintptr) (*Ucred, error) {
+ var ucred uintptr
+ err := getpeerucred(fd, &ucred)
+ if err != nil {
+ return nil, err
+ }
+ result := &Ucred{
+ ucred: ucred,
+ }
+ // set the finalizer on the result so that the ucred will be freed
+ runtime.SetFinalizer(result, ucredFinalizer)
+ return result, nil
+}
+
+func UcredGet(pid int) (*Ucred, error) {
+ ucred, err := ucredGet(pid)
+ if err != nil {
+ return nil, err
+ }
+ result := &Ucred{
+ ucred: ucred,
+ }
+ // set the finalizer on the result so that the ucred will be freed
+ runtime.SetFinalizer(result, ucredFinalizer)
+ return result, nil
+}
+
+func (u *Ucred) Geteuid() int {
+ defer runtime.KeepAlive(u)
+ return ucredGeteuid(u.ucred)
+}
+
+func (u *Ucred) Getruid() int {
+ defer runtime.KeepAlive(u)
+ return ucredGetruid(u.ucred)
+}
+
+func (u *Ucred) Getsuid() int {
+ defer runtime.KeepAlive(u)
+ return ucredGetsuid(u.ucred)
+}
+
+func (u *Ucred) Getegid() int {
+ defer runtime.KeepAlive(u)
+ return ucredGetegid(u.ucred)
+}
+
+func (u *Ucred) Getrgid() int {
+ defer runtime.KeepAlive(u)
+ return ucredGetrgid(u.ucred)
+}
+
+func (u *Ucred) Getsgid() int {
+ defer runtime.KeepAlive(u)
+ return ucredGetsgid(u.ucred)
+}
+
+func (u *Ucred) Getpid() int {
+ defer runtime.KeepAlive(u)
+ return ucredGetpid(u.ucred)
+}
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux.go b/vendor/golang.org/x/sys/unix/zerrors_linux.go
index 6ebc48b3fe..4f432bfe8f 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux.go
@@ -1245,6 +1245,7 @@ const ( FAN_REPORT_DFID_NAME = 0xc00 FAN_REPORT_DFID_NAME_TARGET = 0x1e00 FAN_REPORT_DIR_FID = 0x400 + FAN_REPORT_FD_ERROR = 0x2000 FAN_REPORT_FID = 0x200 FAN_REPORT_NAME = 0x800 FAN_REPORT_PIDFD = 0x80
@@ -1330,8 +1331,10 @@ const ( FUSE_SUPER_MAGIC = 0x65735546 FUTEXFS_SUPER_MAGIC = 0xbad1dea F_ADD_SEALS = 0x409 + F_CREATED_QUERY = 0x404 F_DUPFD = 0x0 F_DUPFD_CLOEXEC = 0x406 + F_DUPFD_QUERY = 0x403 F_EXLCK = 0x4 F_GETFD = 0x1 F_GETFL = 0x3 @@ -1551,6 +1554,7 @@ const ( IPPROTO_ROUTING = 0x2b IPPROTO_RSVP = 0x2e IPPROTO_SCTP = 0x84 + IPPROTO_SMC = 0x100 IPPROTO_TCP = 0x6 IPPROTO_TP = 0x1d IPPROTO_UDP = 0x11 @@ -1623,6 +1627,8 @@ const ( IPV6_UNICAST_IF = 0x4c IPV6_USER_FLOW = 0xe IPV6_V6ONLY = 0x1a + IPV6_VERSION = 0x60 + IPV6_VERSION_MASK = 0xf0 IPV6_XFRM_POLICY = 0x23 IP_ADD_MEMBERSHIP = 0x23 IP_ADD_SOURCE_MEMBERSHIP = 0x27 @@ -1867,6 +1873,7 @@ const ( MADV_UNMERGEABLE = 0xd MADV_WILLNEED = 0x3 MADV_WIPEONFORK = 0x12 + MAP_DROPPABLE = 0x8 MAP_FILE = 0x0 MAP_FIXED = 0x10 MAP_FIXED_NOREPLACE = 0x100000 @@ -1967,6 +1974,7 @@ const ( MSG_PEEK = 0x2 MSG_PROXY = 0x10 MSG_RST = 0x1000 + MSG_SOCK_DEVMEM = 0x2000000 MSG_SYN = 0x400 MSG_TRUNC = 0x20 MSG_TRYHARD = 0x4 @@ -2083,6 +2091,7 @@ const ( NFC_ATR_REQ_MAXSIZE = 0x40 NFC_ATR_RES_GB_MAXSIZE = 0x2f NFC_ATR_RES_MAXSIZE = 0x40 + NFC_ATS_MAXSIZE = 0x14 NFC_COMM_ACTIVE = 0x0 NFC_COMM_PASSIVE = 0x1 NFC_DEVICE_NAME_MAXSIZE = 0x8 @@ -2163,6 +2172,7 @@ const ( NFNL_SUBSYS_QUEUE = 0x3 NFNL_SUBSYS_ULOG = 0x4 NFS_SUPER_MAGIC = 0x6969 + NFT_BITWISE_BOOL = 0x0 NFT_CHAIN_FLAGS = 0x7 NFT_CHAIN_MAXNAMELEN = 0x100 NFT_CT_MAX = 0x17 @@ -2491,6 +2501,7 @@ const ( PR_GET_PDEATHSIG = 0x2 PR_GET_SECCOMP = 0x15 PR_GET_SECUREBITS = 0x1b + PR_GET_SHADOW_STACK_STATUS = 0x4a PR_GET_SPECULATION_CTRL = 0x34 PR_GET_TAGGED_ADDR_CTRL = 0x38 PR_GET_THP_DISABLE = 0x2a @@ -2499,6 +2510,7 @@ const ( PR_GET_TIMING = 0xd PR_GET_TSC = 0x19 PR_GET_UNALIGN = 0x5 + PR_LOCK_SHADOW_STACK_STATUS = 0x4c PR_MCE_KILL = 0x21 PR_MCE_KILL_CLEAR = 0x0 PR_MCE_KILL_DEFAULT = 0x2 
@@ -2525,6 +2537,8 @@ const ( PR_PAC_GET_ENABLED_KEYS = 0x3d PR_PAC_RESET_KEYS = 0x36 PR_PAC_SET_ENABLED_KEYS = 0x3c + PR_PMLEN_MASK = 0x7f000000 + PR_PMLEN_SHIFT = 0x18 PR_PPC_DEXCR_CTRL_CLEAR = 0x4 PR_PPC_DEXCR_CTRL_CLEAR_ONEXEC = 0x10 PR_PPC_DEXCR_CTRL_EDITABLE = 0x1 @@ -2592,6 +2606,7 @@ const ( PR_SET_PTRACER = 0x59616d61 PR_SET_SECCOMP = 0x16 PR_SET_SECUREBITS = 0x1c + PR_SET_SHADOW_STACK_STATUS = 0x4b PR_SET_SPECULATION_CTRL = 0x35 PR_SET_SYSCALL_USER_DISPATCH = 0x3b PR_SET_TAGGED_ADDR_CTRL = 0x37 @@ -2602,6 +2617,9 @@ const ( PR_SET_UNALIGN = 0x6 PR_SET_VMA = 0x53564d41 PR_SET_VMA_ANON_NAME = 0x0 + PR_SHADOW_STACK_ENABLE = 0x1 + PR_SHADOW_STACK_PUSH = 0x4 + PR_SHADOW_STACK_WRITE = 0x2 PR_SME_GET_VL = 0x40 PR_SME_SET_VL = 0x3f PR_SME_SET_VL_ONEXEC = 0x40000 @@ -2911,7 +2929,6 @@ const ( RTM_NEWNEXTHOP = 0x68 RTM_NEWNEXTHOPBUCKET = 0x74 RTM_NEWNSID = 0x58 - RTM_NEWNVLAN = 0x70 RTM_NEWPREFIX = 0x34 RTM_NEWQDISC = 0x24 RTM_NEWROUTE = 0x18 @@ -2920,6 +2937,7 @@ const ( RTM_NEWTCLASS = 0x28 RTM_NEWTFILTER = 0x2c RTM_NEWTUNNEL = 0x78 + RTM_NEWVLAN = 0x70 RTM_NR_FAMILIES = 0x1b RTM_NR_MSGTYPES = 0x6c RTM_SETDCB = 0x4f diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go index c0d45e3205..75207613c7 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go @@ -116,6 +116,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x800 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x7b9 + IPV6_FLOWINFO_MASK = 0xffffff0f + IPV6_FLOWLABEL_MASK = 0xffff0f00 ISIG = 0x1 IUCLC = 0x200 IXOFF = 0x1000 @@ -304,6 +306,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go index c731d24f02..c68acda535 100644 
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go @@ -116,6 +116,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x800 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x7b9 + IPV6_FLOWINFO_MASK = 0xffffff0f + IPV6_FLOWLABEL_MASK = 0xffff0f00 ISIG = 0x1 IUCLC = 0x200 IXOFF = 0x1000 @@ -305,6 +307,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go index 680018a4a7..a8c607ab86 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go @@ -115,6 +115,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x800 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x7b9 + IPV6_FLOWINFO_MASK = 0xffffff0f + IPV6_FLOWLABEL_MASK = 0xffff0f00 ISIG = 0x1 IUCLC = 0x200 IXOFF = 0x1000 @@ -310,6 +312,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go index a63909f308..18563dd8d3 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go @@ -109,6 +109,7 @@ const ( F_SETOWN = 0x8 F_UNLCK = 0x2 F_WRLCK = 0x1 + GCS_MAGIC = 0x47435300 HIDIOCGRAWINFO = 0x80084803 HIDIOCGRDESC = 0x90044802 HIDIOCGRDESCSIZE = 0x80044801 @@ -119,6 +120,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x800 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x7b9 + IPV6_FLOWINFO_MASK = 0xffffff0f + IPV6_FLOWLABEL_MASK = 0xffff0f00 ISIG = 0x1 IUCLC = 0x200 IXOFF = 0x1000 
@@ -302,6 +305,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go index 9b0a2573fe..22912cdaa9 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go @@ -116,6 +116,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x800 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x7b9 + IPV6_FLOWINFO_MASK = 0xffffff0f + IPV6_FLOWLABEL_MASK = 0xffff0f00 ISIG = 0x1 IUCLC = 0x200 IXOFF = 0x1000 @@ -297,6 +299,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go index 958e6e0645..29344eb37a 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go @@ -115,6 +115,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x80 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x200007b9 + IPV6_FLOWINFO_MASK = 0xfffffff + IPV6_FLOWLABEL_MASK = 0xfffff ISIG = 0x1 IUCLC = 0x200 IXOFF = 0x1000 @@ -303,6 +305,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go index 50c7f25bd1..20d51fb96a 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go 
@@ -115,6 +115,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x80 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x200007b9 + IPV6_FLOWINFO_MASK = 0xfffffff + IPV6_FLOWLABEL_MASK = 0xfffff ISIG = 0x1 IUCLC = 0x200 IXOFF = 0x1000 @@ -303,6 +305,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go index ced21d66d9..321b60902a 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go @@ -115,6 +115,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x80 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x200007b9 + IPV6_FLOWINFO_MASK = 0xffffff0f + IPV6_FLOWLABEL_MASK = 0xffff0f00 ISIG = 0x1 IUCLC = 0x200 IXOFF = 0x1000 @@ -303,6 +305,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go index 226c044190..9bacdf1e27 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go @@ -115,6 +115,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x80 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x200007b9 + IPV6_FLOWINFO_MASK = 0xffffff0f + IPV6_FLOWLABEL_MASK = 0xffff0f00 ISIG = 0x1 IUCLC = 0x200 IXOFF = 0x1000 @@ -303,6 +305,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go index 3122737cd4..c224272615 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go @@ -115,6 +115,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x800 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x200007b9 + IPV6_FLOWINFO_MASK = 0xfffffff + IPV6_FLOWLABEL_MASK = 0xfffff ISIG = 0x80 IUCLC = 0x1000 IXOFF = 0x400 @@ -358,6 +360,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go index eb5d3467ed..6270c8ee13 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go @@ -115,6 +115,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x800 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x200007b9 + IPV6_FLOWINFO_MASK = 0xfffffff + IPV6_FLOWLABEL_MASK = 0xfffff ISIG = 0x80 IUCLC = 0x1000 IXOFF = 0x400 @@ -362,6 +364,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go index e921ebc60b..9966c1941f 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go @@ -115,6 +115,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x800 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x200007b9 + IPV6_FLOWINFO_MASK = 0xffffff0f + IPV6_FLOWLABEL_MASK = 0xffff0f00 ISIG = 0x80 IUCLC = 0x1000 IXOFF = 0x400 
@@ -362,6 +364,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go index 38ba81c55c..848e5fcc42 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go @@ -115,6 +115,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x800 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x7b9 + IPV6_FLOWINFO_MASK = 0xffffff0f + IPV6_FLOWLABEL_MASK = 0xffff0f00 ISIG = 0x1 IUCLC = 0x200 IXOFF = 0x1000 @@ -294,6 +296,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go index 71f0400977..669b2adb80 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go @@ -115,6 +115,8 @@ const ( IN_CLOEXEC = 0x80000 IN_NONBLOCK = 0x800 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x7b9 + IPV6_FLOWINFO_MASK = 0xfffffff + IPV6_FLOWLABEL_MASK = 0xfffff ISIG = 0x1 IUCLC = 0x200 IXOFF = 0x1000 @@ -366,6 +368,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x36 SCM_TIMESTAMPING_PKTINFO = 0x3a SCM_TIMESTAMPNS = 0x23 + SCM_TS_OPT_ID = 0x51 SCM_TXTIME = 0x3d SCM_WIFI_STATUS = 0x29 SECCOMP_IOCTL_NOTIF_ADDFD = 0x40182103 diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go index c44a313322..4834e57514 100644 --- a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go +++ b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go 
@@ -119,6 +119,8 @@ const ( IN_CLOEXEC = 0x400000 IN_NONBLOCK = 0x4000 IOCTL_VM_SOCKETS_GET_LOCAL_CID = 0x200007b9 + IPV6_FLOWINFO_MASK = 0xfffffff + IPV6_FLOWLABEL_MASK = 0xfffff ISIG = 0x1 IUCLC = 0x200 IXOFF = 0x1000 @@ -357,6 +359,7 @@ const ( SCM_TIMESTAMPING_OPT_STATS = 0x38 SCM_TIMESTAMPING_PKTINFO = 0x3c SCM_TIMESTAMPNS = 0x21 + SCM_TS_OPT_ID = 0x5a SCM_TXTIME = 0x3f SCM_WIFI_STATUS = 0x25 SECCOMP_IOCTL_NOTIF_ADDFD = 0x80182103 diff --git a/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go b/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go index 829b87feb8..c6545413c4 100644 --- a/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go +++ b/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go @@ -141,6 +141,16 @@ import ( //go:cgo_import_dynamic libc_getpeername getpeername "libsocket.so" //go:cgo_import_dynamic libc_setsockopt setsockopt "libsocket.so" //go:cgo_import_dynamic libc_recvfrom recvfrom "libsocket.so" +//go:cgo_import_dynamic libc_getpeerucred getpeerucred "libc.so" +//go:cgo_import_dynamic libc_ucred_get ucred_get "libc.so" +//go:cgo_import_dynamic libc_ucred_geteuid ucred_geteuid "libc.so" +//go:cgo_import_dynamic libc_ucred_getegid ucred_getegid "libc.so" +//go:cgo_import_dynamic libc_ucred_getruid ucred_getruid "libc.so" +//go:cgo_import_dynamic libc_ucred_getrgid ucred_getrgid "libc.so" +//go:cgo_import_dynamic libc_ucred_getsuid ucred_getsuid "libc.so" +//go:cgo_import_dynamic libc_ucred_getsgid ucred_getsgid "libc.so" +//go:cgo_import_dynamic libc_ucred_getpid ucred_getpid "libc.so" +//go:cgo_import_dynamic libc_ucred_free ucred_free "libc.so" //go:cgo_import_dynamic libc_port_create port_create "libc.so" //go:cgo_import_dynamic libc_port_associate port_associate "libc.so" //go:cgo_import_dynamic libc_port_dissociate port_dissociate "libc.so" 
@@ -280,6 +290,16 @@ import ( //go:linkname procgetpeername libc_getpeername //go:linkname procsetsockopt libc_setsockopt //go:linkname procrecvfrom libc_recvfrom +//go:linkname procgetpeerucred libc_getpeerucred +//go:linkname procucred_get libc_ucred_get +//go:linkname procucred_geteuid libc_ucred_geteuid +//go:linkname procucred_getegid libc_ucred_getegid +//go:linkname procucred_getruid libc_ucred_getruid +//go:linkname procucred_getrgid libc_ucred_getrgid +//go:linkname procucred_getsuid libc_ucred_getsuid +//go:linkname procucred_getsgid libc_ucred_getsgid +//go:linkname procucred_getpid libc_ucred_getpid +//go:linkname procucred_free libc_ucred_free //go:linkname procport_create libc_port_create //go:linkname procport_associate libc_port_associate //go:linkname procport_dissociate libc_port_dissociate @@ -420,6 +440,16 @@ var ( procgetpeername, procsetsockopt, procrecvfrom, + procgetpeerucred, + procucred_get, + procucred_geteuid, + procucred_getegid, + procucred_getruid, + procucred_getrgid, + procucred_getsuid, + procucred_getsgid, + procucred_getpid, + procucred_free, procport_create, procport_associate, procport_dissociate, 
@@ -2029,6 +2059,90 @@ func recvfrom(fd int, p []byte, flags int, from *RawSockaddrAny, fromlen *_Sockl // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT +func getpeerucred(fd uintptr, ucred *uintptr) (err error) { + _, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procgetpeerucred)), 2, uintptr(fd), uintptr(unsafe.Pointer(ucred)), 0, 0, 0, 0) + if e1 != 0 { + err = errnoErr(e1) + } + return +} + +// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT + +func ucredGet(pid int) (ucred uintptr, err error) { + r0, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procucred_get)), 1, uintptr(pid), 0, 0, 0, 0, 0) + ucred = uintptr(r0) + if e1 != 0 { + err = errnoErr(e1) + } + return +} + +// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT + +func ucredGeteuid(ucred uintptr) (uid int) { + r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_geteuid)), 1, uintptr(ucred), 0, 0, 0, 0, 0) + uid = int(r0) + return +} + +// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT + +func ucredGetegid(ucred uintptr) (gid int) { + r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_getegid)), 1, uintptr(ucred), 0, 0, 0, 0, 0) + gid = int(r0) + return +} + +// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT + +func ucredGetruid(ucred uintptr) (uid int) { + r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_getruid)), 1, uintptr(ucred), 0, 0, 0, 0, 0) + uid = int(r0) + return +} + +// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT + +func ucredGetrgid(ucred uintptr) (gid int) { + r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_getrgid)), 1, uintptr(ucred), 0, 0, 0, 0, 0) + gid = int(r0) + return +} + +// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT + +func ucredGetsuid(ucred uintptr) (uid int) { + r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_getsuid)), 1, uintptr(ucred), 0, 0, 0, 0, 0) + uid = int(r0) + return +} + +// THIS FILE IS GENERATED BY THE COMMAND AT THE 
TOP; DO NOT EDIT + +func ucredGetsgid(ucred uintptr) (gid int) { + r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_getsgid)), 1, uintptr(ucred), 0, 0, 0, 0, 0) + gid = int(r0) + return +} + +// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT + +func ucredGetpid(ucred uintptr) (pid int) { + r0, _, _ := sysvicall6(uintptr(unsafe.Pointer(&procucred_getpid)), 1, uintptr(ucred), 0, 0, 0, 0, 0) + pid = int(r0) + return +} + +// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT + +func ucredFree(ucred uintptr) { + sysvicall6(uintptr(unsafe.Pointer(&procucred_free)), 1, uintptr(ucred), 0, 0, 0, 0, 0) + return +} + +// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT + func port_create() (n int, err error) { r0, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procport_create)), 0, 0, 0, 0, 0, 0, 0) n = int(r0) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go index 524b0820cb..c79aaff306 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go @@ -458,4 +458,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 460 SYS_LSM_LIST_MODULES = 461 SYS_MSEAL = 462 + SYS_SETXATTRAT = 463 + SYS_GETXATTRAT = 464 + SYS_LISTXATTRAT = 465 + SYS_REMOVEXATTRAT = 466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go index f485dbf456..5eb450695e 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go @@ -381,4 +381,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 460 SYS_LSM_LIST_MODULES = 461 SYS_MSEAL = 462 + SYS_SETXATTRAT = 463 + SYS_GETXATTRAT = 464 + SYS_LISTXATTRAT = 465 + SYS_REMOVEXATTRAT = 466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go index 70b35bf3b0..05e5029744 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go 
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go @@ -422,4 +422,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 460 SYS_LSM_LIST_MODULES = 461 SYS_MSEAL = 462 + SYS_SETXATTRAT = 463 + SYS_GETXATTRAT = 464 + SYS_LISTXATTRAT = 465 + SYS_REMOVEXATTRAT = 466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go index 1893e2fe88..38c53ec51b 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go @@ -325,4 +325,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 460 SYS_LSM_LIST_MODULES = 461 SYS_MSEAL = 462 + SYS_SETXATTRAT = 463 + SYS_GETXATTRAT = 464 + SYS_LISTXATTRAT = 465 + SYS_REMOVEXATTRAT = 466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go index 16a4017da0..31d2e71a18 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go @@ -321,4 +321,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 460 SYS_LSM_LIST_MODULES = 461 SYS_MSEAL = 462 + SYS_SETXATTRAT = 463 + SYS_GETXATTRAT = 464 + SYS_LISTXATTRAT = 465 + SYS_REMOVEXATTRAT = 466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go index 7e567f1eff..f4184a336b 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go @@ -442,4 +442,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 4460 SYS_LSM_LIST_MODULES = 4461 SYS_MSEAL = 4462 + SYS_SETXATTRAT = 4463 + SYS_GETXATTRAT = 4464 + SYS_LISTXATTRAT = 4465 + SYS_REMOVEXATTRAT = 4466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go index 38ae55e5ef..05b9962278 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go 
@@ -372,4 +372,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 5460 SYS_LSM_LIST_MODULES = 5461 SYS_MSEAL = 5462 + SYS_SETXATTRAT = 5463 + SYS_GETXATTRAT = 5464 + SYS_LISTXATTRAT = 5465 + SYS_REMOVEXATTRAT = 5466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go index 55e92e60a8..43a256e9e6 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go @@ -372,4 +372,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 5460 SYS_LSM_LIST_MODULES = 5461 SYS_MSEAL = 5462 + SYS_SETXATTRAT = 5463 + SYS_GETXATTRAT = 5464 + SYS_LISTXATTRAT = 5465 + SYS_REMOVEXATTRAT = 5466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go index 60658d6a02..eea5ddfc22 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go @@ -442,4 +442,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 4460 SYS_LSM_LIST_MODULES = 4461 SYS_MSEAL = 4462 + SYS_SETXATTRAT = 4463 + SYS_GETXATTRAT = 4464 + SYS_LISTXATTRAT = 4465 + SYS_REMOVEXATTRAT = 4466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go index e203e8a7ed..0d777bfbb1 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go @@ -449,4 +449,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 460 SYS_LSM_LIST_MODULES = 461 SYS_MSEAL = 462 + SYS_SETXATTRAT = 463 + SYS_GETXATTRAT = 464 + SYS_LISTXATTRAT = 465 + SYS_REMOVEXATTRAT = 466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go index 5944b97d54..b446365025 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go 
@@ -421,4 +421,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 460 SYS_LSM_LIST_MODULES = 461 SYS_MSEAL = 462 + SYS_SETXATTRAT = 463 + SYS_GETXATTRAT = 464 + SYS_LISTXATTRAT = 465 + SYS_REMOVEXATTRAT = 466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go index c66d416dad..0c7d21c188 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go @@ -421,4 +421,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 460 SYS_LSM_LIST_MODULES = 461 SYS_MSEAL = 462 + SYS_SETXATTRAT = 463 + SYS_GETXATTRAT = 464 + SYS_LISTXATTRAT = 465 + SYS_REMOVEXATTRAT = 466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go index a5459e766f..8405391698 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go @@ -326,4 +326,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 460 SYS_LSM_LIST_MODULES = 461 SYS_MSEAL = 462 + SYS_SETXATTRAT = 463 + SYS_GETXATTRAT = 464 + SYS_LISTXATTRAT = 465 + SYS_REMOVEXATTRAT = 466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go index 01d86825bb..fcf1b790d6 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go @@ -387,4 +387,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 460 SYS_LSM_LIST_MODULES = 461 SYS_MSEAL = 462 + SYS_SETXATTRAT = 463 + SYS_GETXATTRAT = 464 + SYS_LISTXATTRAT = 465 + SYS_REMOVEXATTRAT = 466 ) diff --git a/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go b/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go index 7b703e77cd..52d15b5f9d 100644 --- a/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go +++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go 
@@ -400,4 +400,8 @@ const ( SYS_LSM_SET_SELF_ATTR = 460 SYS_LSM_LIST_MODULES = 461 SYS_MSEAL = 462 + SYS_SETXATTRAT = 463 + SYS_GETXATTRAT = 464 + SYS_LISTXATTRAT = 465 + SYS_REMOVEXATTRAT = 466 ) diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux.go b/vendor/golang.org/x/sys/unix/ztypes_linux.go index 5537148dcb..a46abe6472 100644 --- a/vendor/golang.org/x/sys/unix/ztypes_linux.go +++ b/vendor/golang.org/x/sys/unix/ztypes_linux.go @@ -4747,7 +4747,7 @@ const ( NL80211_ATTR_MAC_HINT = 0xc8 NL80211_ATTR_MAC_MASK = 0xd7 NL80211_ATTR_MAX_AP_ASSOC_STA = 0xca - NL80211_ATTR_MAX = 0x14c + NL80211_ATTR_MAX = 0x14d NL80211_ATTR_MAX_CRIT_PROT_DURATION = 0xb4 NL80211_ATTR_MAX_CSA_COUNTERS = 0xce NL80211_ATTR_MAX_MATCH_SETS = 0x85 @@ -5519,7 +5519,7 @@ const ( NL80211_MNTR_FLAG_CONTROL = 0x3 NL80211_MNTR_FLAG_COOK_FRAMES = 0x5 NL80211_MNTR_FLAG_FCSFAIL = 0x1 - NL80211_MNTR_FLAG_MAX = 0x6 + NL80211_MNTR_FLAG_MAX = 0x7 NL80211_MNTR_FLAG_OTHER_BSS = 0x4 NL80211_MNTR_FLAG_PLCPFAIL = 0x2 NL80211_MPATH_FLAG_ACTIVE = 0x1 @@ -6174,3 +6174,5 @@ type SockDiagReq struct { Family uint8 Protocol uint8 } + +const RTM_NEWNVLAN = 0x70
diff --git a/vendor/golang.org/x/time/rate/rate.go b/vendor/golang.org/x/time/rate/rate.go
index 93a798ab63..ec5f0cdd0c 100644
--- a/vendor/golang.org/x/time/rate/rate.go
+++ b/vendor/golang.org/x/time/rate/rate.go
@@ -405,8 +405,15 @@ func (limit Limit) durationFromTokens(tokens float64) time.Duration {
 if limit <= 0 {
 return InfDuration
 }
- seconds := tokens / float64(limit)
- return time.Duration(float64(time.Second) * seconds)
+
+ duration := (tokens / float64(limit)) * float64(time.Second)
+
+ // Cap the duration to the maximum representable int64 value, to avoid overflow.
+ if duration > float64(math.MaxInt64) {
+ return InfDuration
+ }
+
+ return time.Duration(duration)
 }
 
 // tokensFromDuration is a unit conversion function from a time duration to the number of tokens
diff --git a/vendor/google.golang.org/genproto/googleapis/api/annotations/client.pb.go b/vendor/google.golang.org/genproto/googleapis/api/annotations/client.pb.go index 4a9fce53c4..db7806cb99 100644 --- a/vendor/google.golang.org/genproto/googleapis/api/annotations/client.pb.go +++ b/vendor/google.golang.org/genproto/googleapis/api/annotations/client.pb.go @@ -1159,6 +1159,13 @@ type SelectiveGapicGeneration struct { // An allowlist of the fully qualified names of RPCs that should be included // on public client surfaces. Methods []string `protobuf:"bytes,1,rep,name=methods,proto3" json:"methods,omitempty"` + // Setting this to true indicates to the client generators that methods + // that would be excluded from the generation should instead be generated + // in a way that indicates these methods should not be consumed by + // end users. How this is expressed is up to individual language + // implementations to decide. Some examples may be: added annotations, + // obfuscated identifiers, or other language idiomatic patterns. + GenerateOmittedAsInternal bool `protobuf:"varint,2,opt,name=generate_omitted_as_internal,json=generateOmittedAsInternal,proto3" json:"generate_omitted_as_internal,omitempty"` } func (x *SelectiveGapicGeneration) Reset() { @@ -1200,6 +1207,13 @@ func (x *SelectiveGapicGeneration) GetMethods() []string { return nil } +func (x *SelectiveGapicGeneration) GetGenerateOmittedAsInternal() bool { + if x != nil { + return x.GenerateOmittedAsInternal + } + return false +} + // Experimental features to be included during client library generation. // These fields will be deprecated once the feature graduates and is enabled // by default. 
@@ -1218,6 +1232,11 @@ type PythonSettings_ExperimentalFeatures struct { // enabled by default 1 month after launching the feature in preview // packages. ProtobufPythonicTypesEnabled bool `protobuf:"varint,2,opt,name=protobuf_pythonic_types_enabled,json=protobufPythonicTypesEnabled,proto3" json:"protobuf_pythonic_types_enabled,omitempty"` + // Disables generation of an unversioned Python package for this client + // library. This means that the module names will need to be versioned in + // import statements. For example `import google.cloud.library_v2` instead + // of `import google.cloud.library`. + UnversionedPackageDisabled bool `protobuf:"varint,3,opt,name=unversioned_package_disabled,json=unversionedPackageDisabled,proto3" json:"unversioned_package_disabled,omitempty"` } func (x *PythonSettings_ExperimentalFeatures) Reset() { @@ -1266,6 +1285,13 @@ func (x *PythonSettings_ExperimentalFeatures) GetProtobufPythonicTypesEnabled() return false } +func (x *PythonSettings_ExperimentalFeatures) GetUnversionedPackageDisabled() bool { + if x != nil { + return x.UnversionedPackageDisabled + } + return false +} + // Describes settings to use when generating API methods that use the // long-running operation pattern. // All default values below are from those used in the client library 
@@ -1619,7 +1645,7 @@ var file_google_api_client_proto_rawDesc = []byte{ 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4c, 0x61, 0x6e, 0x67, 0x75, 0x61, 0x67, 0x65, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x06, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x22, 0xc5, 0x02, 0x0a, 0x0e, 0x50, 0x79, 0x74, 0x68, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x74, + 0x6e, 0x22, 0x87, 0x03, 0x0a, 0x0e, 0x50, 0x79, 0x74, 0x68, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x3a, 0x0a, 0x06, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4c, 0x61, 0x6e, 0x67, 0x75, 0x61, 0x67, 0x65, @@ -1630,7 +1656,7 @@ var file_google_api_client_proto_rawDesc = []byte{ 0x68, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x45, 0x78, 0x70, 0x65, 0x72, 0x69, 0x6d, 0x65, 0x6e, 0x74, 0x61, 0x6c, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x52, 0x14, 0x65, 0x78, 0x70, 0x65, 0x72, 0x69, 0x6d, 0x65, 0x6e, 0x74, 0x61, 0x6c, 0x46, 0x65, - 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x1a, 0x90, 0x01, 0x0a, 0x14, 0x45, 0x78, 0x70, 0x65, 0x72, + 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x1a, 0xd2, 0x01, 0x0a, 0x14, 0x45, 0x78, 0x70, 0x65, 0x72, 0x69, 0x6d, 0x65, 0x6e, 0x74, 0x61, 0x6c, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x12, 0x31, 0x0a, 0x15, 0x72, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x73, 0x79, 0x6e, 0x63, 0x5f, 0x69, 0x6f, 0x5f, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12, 
@@ -1639,140 +1665,148 @@ var file_google_api_client_proto_rawDesc = []byte{ 0x79, 0x74, 0x68, 0x6f, 0x6e, 0x69, 0x63, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x5f, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x1c, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x50, 0x79, 0x74, 0x68, 0x6f, 0x6e, 0x69, 0x63, 0x54, 0x79, 0x70, - 0x65, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x4a, 0x0a, 0x0c, 0x4e, 0x6f, 0x64, - 0x65, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x3a, 0x0a, 0x06, 0x63, 0x6f, 0x6d, - 0x6d, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4c, 0x61, 0x6e, - 0x67, 0x75, 0x61, 0x67, 0x65, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x06, 0x63, - 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x22, 0xae, 0x04, 0x0a, 0x0e, 0x44, 0x6f, 0x74, 0x6e, 0x65, 0x74, + 0x65, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x40, 0x0a, 0x1c, 0x75, 0x6e, 0x76, + 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x65, 0x64, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, + 0x5f, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, + 0x1a, 0x75, 0x6e, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x65, 0x64, 0x50, 0x61, 0x63, 0x6b, + 0x61, 0x67, 0x65, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x4a, 0x0a, 0x0c, 0x4e, + 0x6f, 0x64, 0x65, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x3a, 0x0a, 0x06, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x67, 0x6f, + 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4c, + 0x61, 0x6e, 0x67, 0x75, 0x61, 0x67, 0x65, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x52, + 0x06, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x22, 0xae, 0x04, 0x0a, 0x0e, 0x44, 0x6f, 0x74, 0x6e, + 0x65, 0x74, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 
0x12, 0x3a, 0x0a, 0x06, 0x63, 0x6f, + 0x6d, 0x6d, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x67, 0x6f, 0x6f, + 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4c, 0x61, + 0x6e, 0x67, 0x75, 0x61, 0x67, 0x65, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x06, + 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x12, 0x5a, 0x0a, 0x10, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, + 0x64, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x2f, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x44, 0x6f, + 0x74, 0x6e, 0x65, 0x74, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x52, 0x65, 0x6e, + 0x61, 0x6d, 0x65, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, + 0x79, 0x52, 0x0f, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x73, 0x12, 0x5d, 0x0a, 0x11, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x5f, 0x72, 0x65, + 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x30, 0x2e, + 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x44, 0x6f, 0x74, 0x6e, 0x65, + 0x74, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, + 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, + 0x10, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x73, 0x12, 0x2b, 0x0a, 0x11, 0x69, 0x67, 0x6e, 0x6f, 0x72, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x73, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x69, 0x67, + 0x6e, 0x6f, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x38, + 0x0a, 0x18, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, + 0x63, 0x65, 0x5f, 0x61, 0x6c, 0x69, 0x61, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, + 
0x52, 0x16, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, + 0x65, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x65, 0x73, 0x12, 0x35, 0x0a, 0x16, 0x68, 0x61, 0x6e, 0x64, + 0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, + 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x68, 0x61, 0x6e, 0x64, 0x77, 0x72, + 0x69, 0x74, 0x74, 0x65, 0x6e, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x1a, + 0x42, 0x0a, 0x14, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, + 0x02, 0x38, 0x01, 0x1a, 0x43, 0x0a, 0x15, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x52, 0x65, + 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, + 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, + 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x4a, 0x0a, 0x0c, 0x52, 0x75, 0x62, 0x79, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x3a, 0x0a, 0x06, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4c, 0x61, 0x6e, 0x67, 0x75, 0x61, 0x67, 0x65, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x06, 0x63, 0x6f, - 0x6d, 0x6d, 0x6f, 0x6e, 0x12, 0x5a, 0x0a, 0x10, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x5f, - 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f, - 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 
0x61, 0x70, 0x69, 0x2e, 0x44, 0x6f, 0x74, 0x6e, - 0x65, 0x74, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, - 0x65, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, - 0x0f, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, - 0x12, 0x5d, 0x0a, 0x11, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x6f, - 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x44, 0x6f, 0x74, 0x6e, 0x65, 0x74, 0x53, - 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x52, - 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x10, 0x72, - 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, - 0x2b, 0x0a, 0x11, 0x69, 0x67, 0x6e, 0x6f, 0x72, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, - 0x72, 0x63, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x69, 0x67, 0x6e, 0x6f, - 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x38, 0x0a, 0x18, - 0x66, 0x6f, 0x72, 0x63, 0x65, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, - 0x5f, 0x61, 0x6c, 0x69, 0x61, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x16, - 0x66, 0x6f, 0x72, 0x63, 0x65, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x41, - 0x6c, 0x69, 0x61, 0x73, 0x65, 0x73, 0x12, 0x35, 0x0a, 0x16, 0x68, 0x61, 0x6e, 0x64, 0x77, 0x72, - 0x69, 0x74, 0x74, 0x65, 0x6e, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, - 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x68, 0x61, 0x6e, 0x64, 0x77, 0x72, 0x69, 0x74, - 0x74, 0x65, 0x6e, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x1a, 0x42, 0x0a, - 0x14, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 
0x65, 0x73, - 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, - 0x01, 0x1a, 0x43, 0x0a, 0x15, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, - 0x75, 0x72, 0x63, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, - 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x4a, 0x0a, 0x0c, 0x52, 0x75, 0x62, 0x79, 0x53, 0x65, - 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x3a, 0x0a, 0x06, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, - 0x61, 0x70, 0x69, 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4c, 0x61, 0x6e, 0x67, 0x75, 0x61, - 0x67, 0x65, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x06, 0x63, 0x6f, 0x6d, 0x6d, - 0x6f, 0x6e, 0x22, 0xe4, 0x01, 0x0a, 0x0a, 0x47, 0x6f, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, - 0x73, 0x12, 0x3a, 0x0a, 0x06, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x22, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x43, - 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4c, 0x61, 0x6e, 0x67, 0x75, 0x61, 0x67, 0x65, 0x53, 0x65, 0x74, - 0x74, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x06, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x12, 0x56, 0x0a, - 0x10, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, - 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x6f, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, - 0x52, 0x65, 0x6e, 0x61, 
0x6d, 0x65, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x45, - 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0f, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x53, 0x65, 0x72, - 0x76, 0x69, 0x63, 0x65, 0x73, 0x1a, 0x42, 0x0a, 0x14, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, - 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, - 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, - 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xc2, 0x03, 0x0a, 0x0e, 0x4d, 0x65, - 0x74, 0x68, 0x6f, 0x64, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x1a, 0x0a, 0x08, - 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, - 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x49, 0x0a, 0x0c, 0x6c, 0x6f, 0x6e, 0x67, - 0x5f, 0x72, 0x75, 0x6e, 0x6e, 0x69, 0x6e, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, - 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x4d, 0x65, 0x74, 0x68, - 0x6f, 0x64, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x4c, 0x6f, 0x6e, 0x67, 0x52, - 0x75, 0x6e, 0x6e, 0x69, 0x6e, 0x67, 0x52, 0x0b, 0x6c, 0x6f, 0x6e, 0x67, 0x52, 0x75, 0x6e, 0x6e, - 0x69, 0x6e, 0x67, 0x12, 0x32, 0x0a, 0x15, 0x61, 0x75, 0x74, 0x6f, 0x5f, 0x70, 0x6f, 0x70, 0x75, - 0x6c, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x73, 0x18, 0x03, 0x20, 0x03, - 0x28, 0x09, 0x52, 0x13, 0x61, 0x75, 0x74, 0x6f, 0x50, 0x6f, 0x70, 0x75, 0x6c, 0x61, 0x74, 0x65, - 0x64, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x73, 0x1a, 0x94, 0x02, 0x0a, 0x0b, 0x4c, 0x6f, 0x6e, 0x67, - 0x52, 0x75, 0x6e, 0x6e, 0x69, 0x6e, 0x67, 0x12, 0x47, 0x0a, 0x12, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x61, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x6c, 0x5f, 0x64, 0x65, 0x6c, 0x61, 0x79, 0x18, 0x01, 0x20, + 0x6d, 0x6d, 0x6f, 0x6e, 0x22, 0xe4, 0x01, 0x0a, 0x0a, 0x47, 
0x6f, 0x53, 0x65, 0x74, 0x74, 0x69, + 0x6e, 0x67, 0x73, 0x12, 0x3a, 0x0a, 0x06, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, + 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4c, 0x61, 0x6e, 0x67, 0x75, 0x61, 0x67, 0x65, 0x53, + 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x06, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x12, + 0x56, 0x0a, 0x10, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x6f, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, + 0x73, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0f, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x53, + 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x1a, 0x42, 0x0a, 0x14, 0x52, 0x65, 0x6e, 0x61, 0x6d, + 0x65, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, + 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, + 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xc2, 0x03, 0x0a, 0x0e, + 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x1a, + 0x0a, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x49, 0x0a, 0x0c, 0x6c, 0x6f, + 0x6e, 0x67, 0x5f, 0x72, 0x75, 0x6e, 0x6e, 0x69, 0x6e, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x26, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x4d, 0x65, + 0x74, 0x68, 0x6f, 0x64, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x4c, 0x6f, 0x6e, + 
0x67, 0x52, 0x75, 0x6e, 0x6e, 0x69, 0x6e, 0x67, 0x52, 0x0b, 0x6c, 0x6f, 0x6e, 0x67, 0x52, 0x75, + 0x6e, 0x6e, 0x69, 0x6e, 0x67, 0x12, 0x32, 0x0a, 0x15, 0x61, 0x75, 0x74, 0x6f, 0x5f, 0x70, 0x6f, + 0x70, 0x75, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x73, 0x18, 0x03, + 0x20, 0x03, 0x28, 0x09, 0x52, 0x13, 0x61, 0x75, 0x74, 0x6f, 0x50, 0x6f, 0x70, 0x75, 0x6c, 0x61, + 0x74, 0x65, 0x64, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x73, 0x1a, 0x94, 0x02, 0x0a, 0x0b, 0x4c, 0x6f, + 0x6e, 0x67, 0x52, 0x75, 0x6e, 0x6e, 0x69, 0x6e, 0x67, 0x12, 0x47, 0x0a, 0x12, 0x69, 0x6e, 0x69, + 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x6c, 0x5f, 0x64, 0x65, 0x6c, 0x61, 0x79, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x52, 0x10, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x50, 0x6f, 0x6c, 0x6c, 0x44, 0x65, 0x6c, + 0x61, 0x79, 0x12, 0x32, 0x0a, 0x15, 0x70, 0x6f, 0x6c, 0x6c, 0x5f, 0x64, 0x65, 0x6c, 0x61, 0x79, + 0x5f, 0x6d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x69, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x02, 0x52, 0x13, 0x70, 0x6f, 0x6c, 0x6c, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x4d, 0x75, 0x6c, 0x74, + 0x69, 0x70, 0x6c, 0x69, 0x65, 0x72, 0x12, 0x3f, 0x0a, 0x0e, 0x6d, 0x61, 0x78, 0x5f, 0x70, 0x6f, + 0x6c, 0x6c, 0x5f, 0x64, 0x65, 0x6c, 0x61, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, + 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0c, 0x6d, 0x61, 0x78, 0x50, 0x6f, + 0x6c, 0x6c, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x12, 0x47, 0x0a, 0x12, 0x74, 0x6f, 0x74, 0x61, 0x6c, + 0x5f, 0x70, 0x6f, 0x6c, 0x6c, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 
0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x10, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x50, 0x6f, 0x6c, 0x6c, 0x44, 0x65, 0x6c, 0x61, 0x79, - 0x12, 0x32, 0x0a, 0x15, 0x70, 0x6f, 0x6c, 0x6c, 0x5f, 0x64, 0x65, 0x6c, 0x61, 0x79, 0x5f, 0x6d, - 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x69, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x02, 0x52, - 0x13, 0x70, 0x6f, 0x6c, 0x6c, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, - 0x6c, 0x69, 0x65, 0x72, 0x12, 0x3f, 0x0a, 0x0e, 0x6d, 0x61, 0x78, 0x5f, 0x70, 0x6f, 0x6c, 0x6c, - 0x5f, 0x64, 0x65, 0x6c, 0x61, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, - 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, - 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0c, 0x6d, 0x61, 0x78, 0x50, 0x6f, 0x6c, 0x6c, - 0x44, 0x65, 0x6c, 0x61, 0x79, 0x12, 0x47, 0x0a, 0x12, 0x74, 0x6f, 0x74, 0x61, 0x6c, 0x5f, 0x70, - 0x6f, 0x6c, 0x6c, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x10, 0x74, 0x6f, - 0x74, 0x61, 0x6c, 0x50, 0x6f, 0x6c, 0x6c, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x22, 0x34, - 0x0a, 0x18, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x76, 0x65, 0x47, 0x61, 0x70, 0x69, 0x63, - 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, - 0x74, 0x68, 0x6f, 0x64, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x74, - 0x68, 0x6f, 0x64, 0x73, 0x2a, 0xa3, 0x01, 0x0a, 0x19, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x4c, - 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x12, 0x2b, 0x0a, 0x27, 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54, 0x5f, 0x4c, 0x49, 0x42, - 0x52, 0x41, 0x52, 0x59, 0x5f, 0x4f, 0x52, 0x47, 0x41, 0x4e, 0x49, 0x5a, 0x41, 
0x54, 0x49, 0x4f, - 0x4e, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, - 0x09, 0x0a, 0x05, 0x43, 0x4c, 0x4f, 0x55, 0x44, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x44, - 0x53, 0x10, 0x02, 0x12, 0x0a, 0x0a, 0x06, 0x50, 0x48, 0x4f, 0x54, 0x4f, 0x53, 0x10, 0x03, 0x12, - 0x0f, 0x0a, 0x0b, 0x53, 0x54, 0x52, 0x45, 0x45, 0x54, 0x5f, 0x56, 0x49, 0x45, 0x57, 0x10, 0x04, - 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x4f, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x10, 0x05, 0x12, 0x07, - 0x0a, 0x03, 0x47, 0x45, 0x4f, 0x10, 0x06, 0x12, 0x11, 0x0a, 0x0d, 0x47, 0x45, 0x4e, 0x45, 0x52, - 0x41, 0x54, 0x49, 0x56, 0x45, 0x5f, 0x41, 0x49, 0x10, 0x07, 0x2a, 0x67, 0x0a, 0x18, 0x43, 0x6c, - 0x69, 0x65, 0x6e, 0x74, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x44, 0x65, 0x73, 0x74, 0x69, - 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2a, 0x0a, 0x26, 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54, - 0x5f, 0x4c, 0x49, 0x42, 0x52, 0x41, 0x52, 0x59, 0x5f, 0x44, 0x45, 0x53, 0x54, 0x49, 0x4e, 0x41, + 0x74, 0x6f, 0x74, 0x61, 0x6c, 0x50, 0x6f, 0x6c, 0x6c, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, + 0x22, 0x75, 0x0a, 0x18, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x76, 0x65, 0x47, 0x61, 0x70, + 0x69, 0x63, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, + 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x6d, + 0x65, 0x74, 0x68, 0x6f, 0x64, 0x73, 0x12, 0x3f, 0x0a, 0x1c, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, + 0x74, 0x65, 0x5f, 0x6f, 0x6d, 0x69, 0x74, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x73, 0x5f, 0x69, 0x6e, + 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x19, 0x67, 0x65, + 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x4f, 0x6d, 0x69, 0x74, 0x74, 0x65, 0x64, 0x41, 0x73, 0x49, + 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2a, 0xa3, 0x01, 0x0a, 0x19, 0x43, 0x6c, 0x69, 0x65, + 0x6e, 0x74, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, + 0x61, 0x74, 0x69, 
0x6f, 0x6e, 0x12, 0x2b, 0x0a, 0x27, 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54, 0x5f, + 0x4c, 0x49, 0x42, 0x52, 0x41, 0x52, 0x59, 0x5f, 0x4f, 0x52, 0x47, 0x41, 0x4e, 0x49, 0x5a, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, - 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x47, 0x49, 0x54, 0x48, 0x55, 0x42, 0x10, 0x0a, 0x12, 0x13, - 0x0a, 0x0f, 0x50, 0x41, 0x43, 0x4b, 0x41, 0x47, 0x45, 0x5f, 0x4d, 0x41, 0x4e, 0x41, 0x47, 0x45, - 0x52, 0x10, 0x14, 0x3a, 0x4a, 0x0a, 0x10, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x5f, 0x73, 0x69, - 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x12, 0x1e, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, - 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x9b, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, - 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x3a, - 0x43, 0x0a, 0x0c, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x68, 0x6f, 0x73, 0x74, 0x12, - 0x1f, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, - 0x18, 0x99, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, - 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x43, 0x0a, 0x0c, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x73, 0x63, - 0x6f, 0x70, 0x65, 0x73, 0x12, 0x1f, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4f, 0x70, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x9a, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x6f, 0x61, - 0x75, 0x74, 0x68, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x73, 0x3a, 0x44, 0x0a, 0x0b, 0x61, 0x70, 0x69, - 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 
0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, - 0x63, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0xc1, 0xba, 0xab, 0xfa, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x70, 0x69, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x42, - 0x69, 0x0a, 0x0e, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, - 0x69, 0x42, 0x0b, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, - 0x5a, 0x41, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, - 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, - 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x3b, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x73, 0xa2, 0x02, 0x04, 0x47, 0x41, 0x50, 0x49, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, + 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x43, 0x4c, 0x4f, 0x55, 0x44, 0x10, 0x01, 0x12, 0x07, 0x0a, + 0x03, 0x41, 0x44, 0x53, 0x10, 0x02, 0x12, 0x0a, 0x0a, 0x06, 0x50, 0x48, 0x4f, 0x54, 0x4f, 0x53, + 0x10, 0x03, 0x12, 0x0f, 0x0a, 0x0b, 0x53, 0x54, 0x52, 0x45, 0x45, 0x54, 0x5f, 0x56, 0x49, 0x45, + 0x57, 0x10, 0x04, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x4f, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x10, + 0x05, 0x12, 0x07, 0x0a, 0x03, 0x47, 0x45, 0x4f, 0x10, 0x06, 0x12, 0x11, 0x0a, 0x0d, 0x47, 0x45, + 0x4e, 0x45, 0x52, 0x41, 0x54, 0x49, 0x56, 0x45, 0x5f, 0x41, 0x49, 0x10, 0x07, 0x2a, 0x67, 0x0a, + 0x18, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x44, 0x65, + 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2a, 0x0a, 0x26, 0x43, 0x4c, 0x49, + 0x45, 0x4e, 0x54, 0x5f, 0x4c, 0x49, 0x42, 0x52, 0x41, 0x52, 0x59, 0x5f, 0x44, 0x45, 0x53, 0x54, + 0x49, 0x4e, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, + 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x47, 0x49, 0x54, 0x48, 0x55, 
0x42, 0x10, + 0x0a, 0x12, 0x13, 0x0a, 0x0f, 0x50, 0x41, 0x43, 0x4b, 0x41, 0x47, 0x45, 0x5f, 0x4d, 0x41, 0x4e, + 0x41, 0x47, 0x45, 0x52, 0x10, 0x14, 0x3a, 0x4a, 0x0a, 0x10, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, + 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x12, 0x1e, 0x2e, 0x67, 0x6f, 0x6f, + 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4d, 0x65, 0x74, + 0x68, 0x6f, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x9b, 0x08, 0x20, 0x03, 0x28, + 0x09, 0x52, 0x0f, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, + 0x72, 0x65, 0x3a, 0x43, 0x0a, 0x0c, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x68, 0x6f, + 0x73, 0x74, 0x12, 0x1f, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4f, 0x70, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x18, 0x99, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x66, 0x61, + 0x75, 0x6c, 0x74, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x43, 0x0a, 0x0c, 0x6f, 0x61, 0x75, 0x74, 0x68, + 0x5f, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x73, 0x12, 0x1f, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x9a, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x0b, 0x6f, 0x61, 0x75, 0x74, 0x68, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x73, 0x3a, 0x44, 0x0a, 0x0b, + 0x61, 0x70, 0x69, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x2e, 0x67, 0x6f, + 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0xc1, 0xba, 0xab, + 0xfa, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x70, 0x69, 0x56, 0x65, 0x72, 0x73, 0x69, + 0x6f, 0x6e, 0x42, 0x69, 0x0a, 0x0e, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, + 0x2e, 0x61, 0x70, 0x69, 
0x42, 0x0b, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x50, 0x72, 0x6f, 0x74, + 0x6f, 0x50, 0x01, 0x5a, 0x41, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, + 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, + 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, + 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x3b, 0x61, 0x6e, 0x6e, 0x6f, 0x74, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0xa2, 0x02, 0x04, 0x47, 0x41, 0x50, 0x49, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/vendor/google.golang.org/genproto/googleapis/api/annotations/http.pb.go b/vendor/google.golang.org/genproto/googleapis/api/annotations/http.pb.go index ffb5838cb1..c93b4f5248 100644 --- a/vendor/google.golang.org/genproto/googleapis/api/annotations/http.pb.go +++ b/vendor/google.golang.org/genproto/googleapis/api/annotations/http.pb.go 
@@ -663,14 +663,14 @@ var file_google_api_http_proto_rawDesc = []byte{ 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x48, 0x74, 0x74, 0x70, 0x50, 0x61, 0x74, 0x74, 0x65, 0x72, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x42, 0x6a, 0x0a, 0x0e, 0x63, 0x6f, 0x6d, 0x2e, + 0x28, 0x09, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x42, 0x67, 0x0a, 0x0e, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x42, 0x09, 0x48, 0x74, 0x74, 0x70, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x41, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x3b, 0x61, - 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0xf8, 0x01, 0x01, 0xa2, 0x02, 0x04, - 0x47, 0x41, 0x50, 0x49, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0xa2, 0x02, 0x04, 0x47, 0x41, 0x50, + 0x49, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/vendor/google.golang.org/genproto/googleapis/api/annotations/resource.pb.go b/vendor/google.golang.org/genproto/googleapis/api/annotations/resource.pb.go index b5db279aeb..a1c543a948 100644 --- a/vendor/google.golang.org/genproto/googleapis/api/annotations/resource.pb.go +++ b/vendor/google.golang.org/genproto/googleapis/api/annotations/resource.pb.go 
@@ -556,15 +556,14 @@ var file_google_api_resource_proto_rawDesc = []byte{ 0x67, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x9d, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, - 0x52, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x42, 0x6e, 0x0a, 0x0e, 0x63, 0x6f, + 0x52, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x42, 0x6b, 0x0a, 0x0e, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x42, 0x0d, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x41, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x3b, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, - 0xf8, 0x01, 0x01, 0xa2, 0x02, 0x04, 0x47, 0x41, 0x50, 0x49, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, + 0xa2, 0x02, 0x04, 0x47, 0x41, 0x50, 0x49, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/vendor/google.golang.org/genproto/googleapis/api/annotations/routing.pb.go b/vendor/google.golang.org/genproto/googleapis/api/annotations/routing.pb.go index 1d8397b02b..2b54db3045 100644 --- a/vendor/google.golang.org/genproto/googleapis/api/annotations/routing.pb.go +++ b/vendor/google.golang.org/genproto/googleapis/api/annotations/routing.pb.go 
@@ -69,7 +69,7 @@ const ( // The routing header consists of one or multiple key-value pairs. Every key // and value must be percent-encoded, and joined together in the format of // `key1=value1&key2=value2`. -// In the examples below I am skipping the percent-encoding for readablity. +// The examples below skip the percent-encoding for readability. // // # Example 1 // diff --git a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go index 2fc0a71f94..76fa5fea95 100644 --- a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go +++ b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go @@ -54,9 +54,18 @@ func init() { balancer.Register(pickfirstBuilder{}) } -// enableHealthListenerKeyType is a unique key type used in resolver attributes -// to indicate whether the health listener usage is enabled. -type enableHealthListenerKeyType struct{} +type ( + // enableHealthListenerKeyType is a unique key type used in resolver + // attributes to indicate whether the health listener usage is enabled. + enableHealthListenerKeyType struct{} + // managedByPickfirstKeyType is an attribute key type to inform Outlier + // Detection that the generic health listener is being used. + // TODO: https://github.com/grpc/grpc-go/issues/7915 - Remove this when + // implementing the dualstack design. This is a hack. Once Dualstack is + // completed, outlier detection will stop sending ejection updates through + // the connectivity listener. + managedByPickfirstKeyType struct{} +) var ( logger = grpclog.Component("pick-first-leaf-lb") 
@@ -140,6 +149,17 @@ func EnableHealthListener(state resolver.State) resolver.State {
 return state
 }
 
+// IsManagedByPickfirst returns whether an address belongs to a SubConn
+// managed by the pickfirst LB policy.
+// TODO: https://github.com/grpc/grpc-go/issues/7915 - This is a hack to disable
+// outlier_detection via the with connectivity listener when using pick_first.
+// Once Dualstack changes are complete, all SubConns will be created by
+// pick_first and outlier detection will only use the health listener for
+// ejection. This hack can then be removed.
+func IsManagedByPickfirst(addr resolver.Address) bool {
+ return addr.BalancerAttributes.Value(managedByPickfirstKeyType{}) != nil
+}
+
 type pfConfig struct {
 serviceconfig.LoadBalancingConfig `json:"-"`
 
@@ -166,6 +186,7 @@ type scData struct {
 }
 
 func (b *pickfirstBalancer) newSCData(addr resolver.Address) (*scData, error) {
+ addr.BalancerAttributes = addr.BalancerAttributes.WithValue(managedByPickfirstKeyType{}, true)
 sd := &scData{
 rawConnectivityState: connectivity.Idle,
 effectiveState: connectivity.Idle,
diff --git a/vendor/google.golang.org/grpc/balancer_wrapper.go b/vendor/google.golang.org/grpc/balancer_wrapper.go
index 905817b5fc..c2688376ae 100644
--- a/vendor/google.golang.org/grpc/balancer_wrapper.go
+++ b/vendor/google.golang.org/grpc/balancer_wrapper.go
@@ -34,7 +34,15 @@ import (
 "google.golang.org/grpc/status"
 )
 
-var setConnectedAddress = internal.SetConnectedAddress.(func(*balancer.SubConnState, resolver.Address))
+var (
+ setConnectedAddress = internal.SetConnectedAddress.(func(*balancer.SubConnState, resolver.Address))
+ // noOpRegisterHealthListenerFn is used when client side health checking is
+ // disabled. It sends a single READY update on the registered listener.
+ noOpRegisterHealthListenerFn = func(_ context.Context, listener func(balancer.SubConnState)) func() {
+ listener(balancer.SubConnState{ConnectivityState: connectivity.Ready})
+ return func() {}
+ }
+)
 
 // ccBalancerWrapper sits between the ClientConn and the Balancer.
 //
@@ -277,10 +285,17 @@ type healthData struct {
 // to the LB policy. This is stored to avoid sending updates when the
 // SubConn has already exited connectivity state READY.
 connectivityState connectivity.State
+ // closeHealthProducer stores function to close the ref counted health
+ // producer. The health producer is automatically closed when the SubConn
+ // state changes.
+ closeHealthProducer func()
 }
 
 func newHealthData(s connectivity.State) *healthData {
- return &healthData{connectivityState: s}
+ return &healthData{
+ connectivityState: s,
+ closeHealthProducer: func() {},
+ }
 }
 
 // updateState is invoked by grpc to push a subConn state update to the
@@ -413,6 +428,37 @@ func (acbw *acBalancerWrapper) closeProducers() {
 }
 }
 
+// healthProducerRegisterFn is a type alias for the health producer's function
+// for registering listeners.
+type healthProducerRegisterFn = func(context.Context, balancer.SubConn, string, func(balancer.SubConnState)) func()
+
+// healthListenerRegFn returns a function to register a listener for health
+// updates. If client side health checks are disabled, the registered listener
+// will get a single READY (raw connectivity state) update.
+//
+// Client side health checking is enabled when all the following
+// conditions are satisfied:
+// 1. Health checking is not disabled using the dial option.
+// 2. The health package is imported.
+// 3. The health check config is present in the service config.
+func (acbw *acBalancerWrapper) healthListenerRegFn() func(context.Context, func(balancer.SubConnState)) func() {
+ if acbw.ccb.cc.dopts.disableHealthCheck {
+ return noOpRegisterHealthListenerFn
+ }
+ regHealthLisFn := internal.RegisterClientHealthCheckListener
+ if regHealthLisFn == nil {
+ // The health package is not imported.
+ return noOpRegisterHealthListenerFn
+ }
+ cfg := acbw.ac.cc.healthCheckConfig()
+ if cfg == nil {
+ return noOpRegisterHealthListenerFn
+ }
+ return func(ctx context.Context, listener func(balancer.SubConnState)) func() {
+ return regHealthLisFn.(healthProducerRegisterFn)(ctx, acbw, cfg.ServiceName, listener)
+ }
+}
+
 // RegisterHealthListener accepts a health listener from the LB policy. It sends
 // updates to the health listener as long as the SubConn's connectivity state
 // doesn't change and a new health listener is not registered. To invalidate
@@ -421,6 +467,7 @@ func (acbw *acBalancerWrapper) closeProducers() {
 func (acbw *acBalancerWrapper) RegisterHealthListener(listener func(balancer.SubConnState)) {
 acbw.healthMu.Lock()
 defer acbw.healthMu.Unlock()
+ acbw.healthData.closeHealthProducer()
 // listeners should not be registered when the connectivity state
 // isn't Ready. This may happen when the balancer registers a listener
 // after the connectivityState is updated, but before it is notified
@@ -436,6 +483,7 @@ func (acbw *acBalancerWrapper) RegisterHealthListener(listener func(balancer.Sub
 return
 }
 
+ registerFn := acbw.healthListenerRegFn()
 acbw.ccb.serializer.TrySchedule(func(ctx context.Context) {
 if ctx.Err() != nil || acbw.ccb.balancer == nil {
 return
@@ -443,10 +491,25 @@ func (acbw *acBalancerWrapper) RegisterHealthListener(listener func(balancer.Sub
 // Don't send updates if a new listener is registered.
 acbw.healthMu.Lock()
 defer acbw.healthMu.Unlock()
- curHD := acbw.healthData
- if curHD != hd {
+ if acbw.healthData != hd {
 return
 }
- listener(balancer.SubConnState{ConnectivityState: connectivity.Ready})
+ // Serialize the health updates from the health producer with
+ // other calls into the LB policy.
+ listenerWrapper := func(scs balancer.SubConnState) {
+ acbw.ccb.serializer.TrySchedule(func(ctx context.Context) {
+ if ctx.Err() != nil || acbw.ccb.balancer == nil {
+ return
+ }
+ acbw.healthMu.Lock()
+ defer acbw.healthMu.Unlock()
+ if acbw.healthData != hd {
+ return
+ }
+ listener(scs)
+ })
+ }
+
+ hd.closeHealthProducer = registerFn(ctx, listenerWrapper)
 })
 }
diff --git a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
index 9e9d080699..21dd72969a 100644
--- a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
+++ b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
@@ -18,7 +18,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.35.1 +// protoc-gen-go v1.35.2 // protoc v5.27.1 // source: grpc/binlog/v1/binarylog.proto diff --git a/vendor/google.golang.org/grpc/credentials/tls.go b/vendor/google.golang.org/grpc/credentials/tls.go index e163a473df..bd5fe22b6a 100644 --- a/vendor/google.golang.org/grpc/credentials/tls.go +++ b/vendor/google.golang.org/grpc/credentials/tls.go @@ -32,6 +32,8 @@ import ( "google.golang.org/grpc/internal/envconfig" ) +const alpnFailureHelpMessage = "If you upgraded from a grpc-go version earlier than 1.67, your TLS connections may have stopped working due to ALPN enforcement. For more details, see: https://github.com/grpc/grpc-go/issues/434" + var logger = grpclog.Component("credentials") // TLSInfo contains the auth information for a TLS authenticated connection. @@ -128,7 +130,7 @@ func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawCon if np == "" { if envconfig.EnforceALPNEnabled { conn.Close() - return nil, nil, fmt.Errorf("credentials: cannot check peer: missing selected ALPN property") + return nil, nil, fmt.Errorf("credentials: cannot check peer: missing selected ALPN property. %s", alpnFailureHelpMessage) } logger.Warningf("Allowing TLS connection to server %q with ALPN disabled. TLS connections to servers with ALPN disabled will be disallowed in future grpc-go releases", cfg.ServerName) } 
@@ -158,7 +160,7 @@ func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error)
 if cs.NegotiatedProtocol == "" {
 if envconfig.EnforceALPNEnabled {
 conn.Close()
- return nil, nil, fmt.Errorf("credentials: cannot check peer: missing selected ALPN property")
+ return nil, nil, fmt.Errorf("credentials: cannot check peer: missing selected ALPN property. %s", alpnFailureHelpMessage)
 } else if logger.V(2) {
 logger.Info("Allowing TLS connection from client with ALPN disabled. TLS connections with ALPN disabled will be disallowed in future grpc-go releases")
 }
diff --git a/vendor/google.golang.org/grpc/dialoptions.go b/vendor/google.golang.org/grpc/dialoptions.go
index 7494ae591f..f3a045296a 100644
--- a/vendor/google.golang.org/grpc/dialoptions.go
+++ b/vendor/google.golang.org/grpc/dialoptions.go
@@ -428,6 +428,11 @@ func WithTimeout(d time.Duration) DialOption {
 // returned by f, gRPC checks the error's Temporary() method to decide if it
 // should try to reconnect to the network address.
 //
+// Note that gRPC by default performs name resolution on the target passed to
+// NewClient. To bypass name resolution and cause the target string to be
+// passed directly to the dialer here instead, use the "passthrough" resolver
+// by specifying it in the target string, e.g. "passthrough:target".
+//
 // Note: All supported releases of Go (as of December 2023) override the OS
 // defaults for TCP keepalive time and interval to 15s. To enable TCP keepalive
 // with OS defaults for keepalive time and interval, use a net.Dialer that sets
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
index 6e7dd6b772..1e42b6fdc8 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
@@ -49,7 +49,7 @@ var (
 // XDSFallbackSupport is the env variable that controls whether support for
 // xDS fallback is turned on. If this is unset or is false, only the first
 // xDS server in the list of server configs will be used.
- XDSFallbackSupport = boolFromEnv("GRPC_EXPERIMENTAL_XDS_FALLBACK", false)
+ XDSFallbackSupport = boolFromEnv("GRPC_EXPERIMENTAL_XDS_FALLBACK", true)
 // NewPickFirstEnabled is set if the new pickfirst leaf policy is to be used
 // instead of the exiting pickfirst implementation. This can be enabled by
 // setting the environment variable "GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST"
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/xds.go b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
index 29f234acb1..9afeb444d4 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/xds.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
@@ -53,4 +53,10 @@ var (
 
 // C2PResolverTestOnlyTrafficDirectorURI is the TD URI for testing.
 C2PResolverTestOnlyTrafficDirectorURI = os.Getenv("GRPC_TEST_ONLY_GOOGLE_C2P_RESOLVER_TRAFFIC_DIRECTOR_URI")
+
+ // XDSDualstackEndpointsEnabled is true if gRPC should read the
+ // "additional addresses" in the xDS endpoint resource.
+ // TODO: https://github.com/grpc/grpc-go/issues/7866 - Control this using
+ // an env variable when all LB policies handle endpoints.
+ XDSDualstackEndpointsEnabled = false
 )
diff --git a/vendor/google.golang.org/grpc/internal/internal.go b/vendor/google.golang.org/grpc/internal/internal.go
index 3afc181344..c17b98194b 100644
--- a/vendor/google.golang.org/grpc/internal/internal.go
+++ b/vendor/google.golang.org/grpc/internal/internal.go
@@ -31,6 +31,10 @@ import (
 var (
 // HealthCheckFunc is used to provide client-side LB channel health checking
 HealthCheckFunc HealthChecker
+ // RegisterClientHealthCheckListener is used to provide a listener for
+ // updates from the client-side health checking service. It returns a
+ // function that can be called to stop the health producer.
+ RegisterClientHealthCheckListener any // func(ctx context.Context, sc balancer.SubConn, serviceName string, listener func(balancer.SubConnState)) func()
 // BalancerUnregister is exported by package balancer to unregister a balancer.
 BalancerUnregister func(name string)
 // KeepaliveMinPingTime is the minimum ping interval. This must be 10s by
diff --git a/vendor/google.golang.org/grpc/internal/transport/handler_server.go b/vendor/google.golang.org/grpc/internal/transport/handler_server.go
index d9305a65d8..3dea235735 100644
--- a/vendor/google.golang.org/grpc/internal/transport/handler_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/handler_server.go
@@ -498,5 +498,5 @@ func mapRecvMsgError(err error) error {
 if strings.Contains(err.Error(), "body closed by handler") {
 return status.Error(codes.Canceled, err.Error())
 }
- return connectionErrorf(true, err, err.Error())
+ return connectionErrorf(true, err, "%s", err.Error())
 }
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
index 0055fddd7e..997b0a59b5 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
@@ -564,7 +564,7 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
 t.logger.Infof("Aborting the stream early: %v", errMsg)
 }
 t.controlBuf.put(&earlyAbortStream{
- httpStatus: 405,
+ httpStatus: http.StatusMethodNotAllowed,
 streamID: streamID,
 contentSubtype: s.contentSubtype,
 status: status.New(codes.Internal, errMsg),
@@ -585,7 +585,7 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
 stat = status.New(codes.PermissionDenied, err.Error())
 }
 t.controlBuf.put(&earlyAbortStream{
- httpStatus: 200,
+ httpStatus: http.StatusOK,
 streamID: s.id,
 contentSubtype: s.contentSubtype,
 status: stat,
diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
index 16065a027a..9d5b2884d1 100644
--- a/vendor/google.golang.org/grpc/server.go
+++ b/vendor/google.golang.org/grpc/server.go
@@ -1360,8 +1360,16 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
 }
 return err
 }
- defer d.Free()
+ freed := false
+ dataFree := func() {
+ if !freed {
+ d.Free()
+ freed = true
+ }
+ }
+ defer dataFree()
 df := func(v any) error {
+ defer dataFree()
 if err := s.getCodec(stream.ContentSubtype()).Unmarshal(d, v); err != nil {
 return status.Errorf(codes.Internal, "grpc: error unmarshalling request: %v", err)
 }
diff --git a/vendor/google.golang.org/grpc/service_config.go b/vendor/google.golang.org/grpc/service_config.go
index 7e83027d19..8d451e07c7 100644
--- a/vendor/google.golang.org/grpc/service_config.go
+++ b/vendor/google.golang.org/grpc/service_config.go
@@ -268,18 +268,21 @@ func parseServiceConfig(js string, maxAttempts int) *serviceconfig.ParseResult {
 return &serviceconfig.ParseResult{Config: &sc}
 }
 
+func isValidRetryPolicy(jrp *jsonRetryPolicy) bool {
+ return jrp.MaxAttempts > 1 &&
+ jrp.InitialBackoff > 0 &&
+ jrp.MaxBackoff > 0 &&
+ jrp.BackoffMultiplier > 0 &&
+ len(jrp.RetryableStatusCodes) > 0
+}
+
 func convertRetryPolicy(jrp *jsonRetryPolicy, maxAttempts int) (p *internalserviceconfig.RetryPolicy, err error) {
 if jrp == nil {
 return nil, nil
 }
 
- if jrp.MaxAttempts <= 1 ||
- jrp.InitialBackoff <= 0 ||
- jrp.MaxBackoff <= 0 ||
- jrp.BackoffMultiplier <= 0 ||
- len(jrp.RetryableStatusCodes) == 0 {
- logger.Warningf("grpc: ignoring retry policy %v due to illegal configuration", jrp)
- return nil, nil
+ if !isValidRetryPolicy(jrp) {
+ return nil, fmt.Errorf("invalid retry policy (%+v): ", jrp)
 }
 
 if jrp.MaxAttempts < maxAttempts {
diff --git a/vendor/google.golang.org/grpc/stream.go b/vendor/google.golang.org/grpc/stream.go
index 17e2267b33..54adbbced7 100644
--- a/vendor/google.golang.org/grpc/stream.go
+++ b/vendor/google.golang.org/grpc/stream.go
@@ -1766,7 +1766,7 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
 return err
 }
 if err == io.ErrUnexpectedEOF {
- err = status.Errorf(codes.Internal, io.ErrUnexpectedEOF.Error())
+ err = status.Error(codes.Internal, io.ErrUnexpectedEOF.Error())
 }
 return toRPCErr(err)
 }
diff --git a/vendor/google.golang.org/grpc/version.go b/vendor/google.golang.org/grpc/version.go
index d2bba7f3d9..0e03fa4d4f 100644
--- a/vendor/google.golang.org/grpc/version.go
+++ b/vendor/google.golang.org/grpc/version.go
@@ -19,4 +19,4 @@
 package grpc
 
 // Version is the current grpc version.
-const Version = "1.69.4"
+const Version = "1.70.0"
diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
index cffdfda961..737d6876d5 100644
--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
+++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go @@ -192,11 +192,6 @@ func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) erro fd = fieldDescs.ByTextName(name) } } - if flags.ProtoLegacyWeak { - if fd != nil && fd.IsWeak() && fd.Message().IsPlaceholder() { - fd = nil // reset since the weak reference is not linked in - } - } if fd == nil { // Field is unknown. diff --git a/vendor/google.golang.org/protobuf/encoding/prototext/decode.go b/vendor/google.golang.org/protobuf/encoding/prototext/decode.go index d972a3d98e..b53805056a 100644 --- a/vendor/google.golang.org/protobuf/encoding/prototext/decode.go +++ b/vendor/google.golang.org/protobuf/encoding/prototext/decode.go @@ -185,11 +185,6 @@ func (d decoder) unmarshalMessage(m protoreflect.Message, checkDelims bool) erro } else if xtErr != nil && xtErr != protoregistry.NotFound { return d.newError(tok.Pos(), "unable to resolve [%s]: %v", tok.RawString(), xtErr) } - if flags.ProtoLegacyWeak { - if fd != nil && fd.IsWeak() && fd.Message().IsPlaceholder() { - fd = nil // reset since the weak reference is not linked in - } - } // Handle unknown fields. if fd == nil { diff --git a/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go b/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go index 7e87c76044..669133d04d 100644 --- a/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go +++ b/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go 
@@ -26,7 +26,7 @@ var byteType = reflect.TypeOf(byte(0)) // The type is the underlying field type (e.g., a repeated field may be // represented by []T, but the Go type passed in is just T). // A list of enum value descriptors must be provided for enum fields. -// This does not populate the Enum or Message (except for weak message). +// This does not populate the Enum or Message. // // This function is a best effort attempt; parsing errors are ignored. func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescriptors) protoreflect.FieldDescriptor { @@ -109,9 +109,6 @@ func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescri } case s == "packed": f.L1.EditionFeatures.IsPacked = true - case strings.HasPrefix(s, "weak="): - f.L1.IsWeak = true - f.L1.Message = filedesc.PlaceholderMessage(protoreflect.FullName(s[len("weak="):])) case strings.HasPrefix(s, "def="): // The default tag is special in that everything afterwards is the // default regardless of the presence of commas. @@ -183,9 +180,6 @@ func Marshal(fd protoreflect.FieldDescriptor, enumName string) string { // the exact same semantics from the previous generator. tag = append(tag, "json="+jsonName) } - if fd.IsWeak() { - tag = append(tag, "weak="+string(fd.Message().FullName())) - } // The previous implementation does not tag extension fields as proto3, // even when the field is defined in a proto3 file. Match that behavior // for consistency. diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc.go index 378b826faa..688aabe434 100644 --- a/vendor/google.golang.org/protobuf/internal/filedesc/desc.go +++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc.go 
@@ -19,7 +19,6 @@ import ( "google.golang.org/protobuf/internal/pragma" "google.golang.org/protobuf/internal/strs" "google.golang.org/protobuf/reflect/protoreflect" - "google.golang.org/protobuf/reflect/protoregistry" ) // Edition is an Enum for proto2.Edition @@ -275,7 +274,6 @@ type ( Kind protoreflect.Kind StringName stringName IsProto3Optional bool // promoted from google.protobuf.FieldDescriptorProto - IsWeak bool // promoted from google.protobuf.FieldOptions IsLazy bool // promoted from google.protobuf.FieldOptions Default defaultValue ContainingOneof protoreflect.OneofDescriptor // must be consistent with Message.Oneofs.Fields @@ -369,7 +367,7 @@ func (fd *Field) IsPacked() bool { return fd.L1.EditionFeatures.IsPacked } func (fd *Field) IsExtension() bool { return false } -func (fd *Field) IsWeak() bool { return fd.L1.IsWeak } +func (fd *Field) IsWeak() bool { return false } func (fd *Field) IsLazy() bool { return fd.L1.IsLazy } func (fd *Field) IsList() bool { return fd.Cardinality() == protoreflect.Repeated && !fd.IsMap() } func (fd *Field) IsMap() bool { return fd.Message() != nil && fd.Message().IsMapEntry() } @@ -396,11 +394,6 @@ func (fd *Field) Enum() protoreflect.EnumDescriptor { return fd.L1.Enum } func (fd *Field) Message() protoreflect.MessageDescriptor { - if fd.L1.IsWeak { - if d, _ := protoregistry.GlobalFiles.FindDescriptorByName(fd.L1.Message.FullName()); d != nil { - return d.(protoreflect.MessageDescriptor) - } - } return fd.L1.Message } func (fd *Field) IsMapEntry() bool { diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go index 67a51b327c..d4c94458bd 100644 --- a/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go +++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go 
@@ -32,11 +32,6 @@ func (file *File) resolveMessages() { for j := range md.L2.Fields.List { fd := &md.L2.Fields.List[j] - // Weak fields are resolved upon actual use. - if fd.L1.IsWeak { - continue - } - // Resolve message field dependency. switch fd.L1.Kind { case protoreflect.EnumKind: @@ -150,8 +145,6 @@ func (fd *File) unmarshalFull(b []byte) { switch num { case genid.FileDescriptorProto_PublicDependency_field_number: fd.L2.Imports[v].IsPublic = true - case genid.FileDescriptorProto_WeakDependency_field_number: - fd.L2.Imports[v].IsWeak = true } case protowire.BytesType: v, m := protowire.ConsumeBytes(b) @@ -502,8 +495,6 @@ func (fd *Field) unmarshalOptions(b []byte) { switch num { case genid.FieldOptions_Packed_field_number: fd.L1.EditionFeatures.IsPacked = protowire.DecodeBool(v) - case genid.FieldOptions_Weak_field_number: - fd.L1.IsWeak = protowire.DecodeBool(v) case genid.FieldOptions_Lazy_field_number: fd.L1.IsLazy = protowire.DecodeBool(v) case FieldOptions_EnforceUTF8: diff --git a/vendor/google.golang.org/protobuf/internal/filetype/build.go b/vendor/google.golang.org/protobuf/internal/filetype/build.go index ba83fea44c..e1b4130bd2 100644 --- a/vendor/google.golang.org/protobuf/internal/filetype/build.go +++ b/vendor/google.golang.org/protobuf/internal/filetype/build.go @@ -63,7 +63,7 @@ type Builder struct { // message declarations in "flattened ordering". // // Dependencies are Go types for enums or messages referenced by - // message fields (excluding weak fields), for parent extended messages of + // message fields, for parent extended messages of // extension fields, for enums or messages referenced by extension fields, // and for input and output messages referenced by service methods. // Dependencies must come after declarations, but the ordering of diff --git a/vendor/google.golang.org/protobuf/internal/flags/flags.go b/vendor/google.golang.org/protobuf/internal/flags/flags.go index 5cb3ee70f9..a06ccabc2f 100644 
--- a/vendor/google.golang.org/protobuf/internal/flags/flags.go +++ b/vendor/google.golang.org/protobuf/internal/flags/flags.go @@ -6,7 +6,7 @@ package flags // ProtoLegacy specifies whether to enable support for legacy functionality -// such as MessageSets, weak fields, and various other obscure behavior +// such as MessageSets, and various other obscure behavior // that is necessary to maintain backwards compatibility with proto1 or // the pre-release variants of proto2 and proto3. // @@ -22,8 +22,3 @@ const ProtoLegacy = protoLegacy // extension fields at unmarshal time, but defers creating the message // structure until the extension is first accessed. const LazyUnmarshalExtensions = ProtoLegacy - -// ProtoLegacyWeak specifies whether to enable support for weak fields. -// This flag was split out of ProtoLegacy in preparation for removing -// support for weak fields (independent of the other protolegacy features). -const ProtoLegacyWeak = ProtoLegacy diff --git a/vendor/google.golang.org/protobuf/internal/genid/goname.go b/vendor/google.golang.org/protobuf/internal/genid/goname.go index 693d2e9e1f..99bb95bafd 100644 --- a/vendor/google.golang.org/protobuf/internal/genid/goname.go +++ b/vendor/google.golang.org/protobuf/internal/genid/goname.go @@ -11,15 +11,10 @@ const ( SizeCache_goname = "sizeCache" SizeCacheA_goname = "XXX_sizecache" - WeakFields_goname = "weakFields" - WeakFieldsA_goname = "XXX_weak" - UnknownFields_goname = "unknownFields" UnknownFieldsA_goname = "XXX_unrecognized" ExtensionFields_goname = "extensionFields" ExtensionFieldsA_goname = "XXX_InternalExtensions" ExtensionFieldsB_goname = "XXX_extensions" - - WeakFieldPrefix_goname = "XXX_weak_" ) diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_field.go b/vendor/google.golang.org/protobuf/internal/impl/codec_field.go index 7c1f66c8c1..d14d7d93cc 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/codec_field.go 
+++ b/vendor/google.golang.org/protobuf/internal/impl/codec_field.go @@ -5,15 +5,12 @@ package impl import ( - "fmt" "reflect" - "sync" "google.golang.org/protobuf/encoding/protowire" "google.golang.org/protobuf/internal/errors" "google.golang.org/protobuf/proto" "google.golang.org/protobuf/reflect/protoreflect" - "google.golang.org/protobuf/reflect/protoregistry" "google.golang.org/protobuf/runtime/protoiface" ) 
@@ -121,78 +118,6 @@ func (mi *MessageInfo) initOneofFieldCoders(od protoreflect.OneofDescriptor, si } } -func makeWeakMessageFieldCoder(fd protoreflect.FieldDescriptor) pointerCoderFuncs { - var once sync.Once - var messageType protoreflect.MessageType - lazyInit := func() { - once.Do(func() { - messageName := fd.Message().FullName() - messageType, _ = protoregistry.GlobalTypes.FindMessageByName(messageName) - }) - } - - return pointerCoderFuncs{ - size: func(p pointer, f *coderFieldInfo, opts marshalOptions) int { - m, ok := p.WeakFields().get(f.num) - if !ok { - return 0 - } - lazyInit() - if messageType == nil { - panic(fmt.Sprintf("weak message %v is not linked in", fd.Message().FullName())) - } - return sizeMessage(m, f.tagsize, opts) - }, - marshal: func(b []byte, p pointer, f *coderFieldInfo, opts marshalOptions) ([]byte, error) { - m, ok := p.WeakFields().get(f.num) - if !ok { - return b, nil - } - lazyInit() - if messageType == nil { - panic(fmt.Sprintf("weak message %v is not linked in", fd.Message().FullName())) - } - return appendMessage(b, m, f.wiretag, opts) - }, - unmarshal: func(b []byte, p pointer, wtyp protowire.Type, f *coderFieldInfo, opts unmarshalOptions) (unmarshalOutput, error) { - fs := p.WeakFields() - m, ok := fs.get(f.num) - if !ok { - lazyInit() - if messageType == nil { - return unmarshalOutput{}, errUnknown - } - m = messageType.New().Interface() - fs.set(f.num, m) - } - return consumeMessage(b, m, wtyp, opts) - }, - isInit: func(p pointer, f *coderFieldInfo) error { - m, ok := p.WeakFields().get(f.num) - if !ok { - return nil - } - return proto.CheckInitialized(m) - }, - merge: func(dst, src pointer, f *coderFieldInfo, opts mergeOptions) { - sm, ok := src.WeakFields().get(f.num) - if !ok { - return - } - dm, ok := dst.WeakFields().get(f.num) - if !ok { - lazyInit() - if messageType == nil { - panic(fmt.Sprintf("weak message %v is not linked in", fd.Message().FullName())) - } - dm = messageType.New().Interface() - 
dst.WeakFields().set(f.num, dm) - } - opts.Merge(dm, sm) - }, - } -} - func makeMessageFieldCoder(fd protoreflect.FieldDescriptor, ft reflect.Type) pointerCoderFuncs { if mi := getMessageInfo(ft); mi != nil { funcs := pointerCoderFuncs{ diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_message.go b/vendor/google.golang.org/protobuf/internal/impl/codec_message.go index 111d95833d..f78b57b046 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/codec_message.go +++ b/vendor/google.golang.org/protobuf/internal/impl/codec_message.go @@ -119,9 +119,6 @@ func (mi *MessageInfo) makeCoderMethods(t reflect.Type, si structInfo) { } case isOneof: fieldOffset = offsetOf(fs) - case fd.IsWeak(): - fieldOffset = si.weakOffset - funcs = makeWeakMessageFieldCoder(fd) default: fieldOffset = offsetOf(fs) childMessage, funcs = fieldCoder(fd, ft) diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go b/vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go index f81d7d0db9..41c1f74ef8 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go +++ b/vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go @@ -46,9 +46,6 @@ func (mi *MessageInfo) makeOpaqueCoderMethods(t reflect.Type, si opaqueStructInf switch { case fd.ContainingOneof() != nil && !fd.ContainingOneof().IsSynthetic(): fieldOffset = offsetOf(fs) - case fd.IsWeak(): - fieldOffset = si.weakOffset - funcs = makeWeakMessageFieldCoder(fd) case fd.Message() != nil && !fd.IsMap(): fieldOffset = offsetOf(fs) if fd.IsList() { diff --git a/vendor/google.golang.org/protobuf/internal/impl/lazy.go b/vendor/google.golang.org/protobuf/internal/impl/lazy.go index e8fb6c35b4..c7de31e243 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/lazy.go +++ b/vendor/google.golang.org/protobuf/internal/impl/lazy.go 
@@ -131,7 +131,7 @@ func (mi *MessageInfo) skipField(b []byte, f *coderFieldInfo, wtyp protowire.Typ fmi := f.validation.mi if fmi == nil { fd := mi.Desc.Fields().ByNumber(f.num) - if fd == nil || !fd.IsWeak() { + if fd == nil { return out, ValidationUnknown } messageName := fd.Message().FullName() diff --git a/vendor/google.golang.org/protobuf/internal/impl/legacy_message.go b/vendor/google.golang.org/protobuf/internal/impl/legacy_message.go index bf0b6049b4..a51dffbe29 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/legacy_message.go +++ b/vendor/google.golang.org/protobuf/internal/impl/legacy_message.go @@ -310,12 +310,9 @@ func aberrantAppendField(md *filedesc.Message, goType reflect.Type, tag, tagKey, fd.L0.Parent = md fd.L0.Index = n - if fd.L1.IsWeak || fd.L1.EditionFeatures.IsPacked { + if fd.L1.EditionFeatures.IsPacked { fd.L1.Options = func() protoreflect.ProtoMessage { opts := descopts.Field.ProtoReflect().New() - if fd.L1.IsWeak { - opts.Set(opts.Descriptor().Fields().ByName("weak"), protoreflect.ValueOfBool(true)) - } if fd.L1.EditionFeatures.IsPacked { opts.Set(opts.Descriptor().Fields().ByName("packed"), protoreflect.ValueOfBool(fd.L1.EditionFeatures.IsPacked)) } diff --git a/vendor/google.golang.org/protobuf/internal/impl/message.go b/vendor/google.golang.org/protobuf/internal/impl/message.go index d1f79b4224..d50423dcb7 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/message.go +++ b/vendor/google.golang.org/protobuf/internal/impl/message.go @@ -14,7 +14,6 @@ import ( "google.golang.org/protobuf/internal/genid" "google.golang.org/protobuf/reflect/protoreflect" - "google.golang.org/protobuf/reflect/protoregistry" ) // MessageInfo provides protobuf related functionality for a given Go type 
@@ -120,7 +119,6 @@ type ( var ( sizecacheType = reflect.TypeOf(SizeCache(0)) - weakFieldsType = reflect.TypeOf(WeakFields(nil)) unknownFieldsAType = reflect.TypeOf(unknownFieldsA(nil)) unknownFieldsBType = reflect.TypeOf(unknownFieldsB(nil)) extensionFieldsType = reflect.TypeOf(ExtensionFields(nil)) @@ -129,8 +127,6 @@ var ( type structInfo struct { sizecacheOffset offset sizecacheType reflect.Type - weakOffset offset - weakType reflect.Type unknownOffset offset unknownType reflect.Type extensionOffset offset @@ -148,7 +144,6 @@ type structInfo struct { func (mi *MessageInfo) makeStructInfo(t reflect.Type) structInfo { si := structInfo{ sizecacheOffset: invalidOffset, - weakOffset: invalidOffset, unknownOffset: invalidOffset, extensionOffset: invalidOffset, lazyOffset: invalidOffset, @@ -168,11 +163,6 @@ fieldLoop: si.sizecacheOffset = offsetOf(f) si.sizecacheType = f.Type } - case genid.WeakFields_goname, genid.WeakFieldsA_goname: - if f.Type == weakFieldsType { - si.weakOffset = offsetOf(f) - si.weakType = f.Type - } case genid.UnknownFields_goname, genid.UnknownFieldsA_goname: if f.Type == unknownFieldsAType || f.Type == unknownFieldsBType { si.unknownOffset = offsetOf(f) @@ -256,9 +246,6 @@ func (mi *MessageInfo) Message(i int) protoreflect.MessageType { mi.init() fd := mi.Desc.Fields().Get(i) switch { - case fd.IsWeak(): - mt, _ := protoregistry.GlobalTypes.FindMessageByName(fd.Message().FullName()) - return mt case fd.IsMap(): return mapEntryType{fd.Message(), mi.fieldTypes[fd.Number()]} default: diff --git a/vendor/google.golang.org/protobuf/internal/impl/message_opaque.go b/vendor/google.golang.org/protobuf/internal/impl/message_opaque.go index d8dcd78863..dd55e8e009 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/message_opaque.go +++ b/vendor/google.golang.org/protobuf/internal/impl/message_opaque.go 
@@ -56,9 +56,6 @@ func opaqueInitHook(mi *MessageInfo) bool { usePresence, _ := usePresenceForField(si, fd) switch { - case fd.IsWeak(): - // Weak fields are no different for opaque. - fi = fieldInfoForWeakMessage(fd, si.weakOffset) case fd.ContainingOneof() != nil && !fd.ContainingOneof().IsSynthetic(): // Oneofs are no different for opaque. fi = fieldInfoForOneof(fd, si.oneofsByName[fd.ContainingOneof().Name()], mi.Exporter, si.oneofWrappersByNumber[fd.Number()]) @@ -620,8 +617,6 @@ func usePresenceForField(si opaqueStructInfo, fd protoreflect.FieldDescriptor) ( switch { case fd.ContainingOneof() != nil && !fd.ContainingOneof().IsSynthetic(): return false, false - case fd.IsWeak(): - return false, false case fd.IsMap(): return false, false case fd.Kind() == protoreflect.MessageKind || fd.Kind() == protoreflect.GroupKind: diff --git a/vendor/google.golang.org/protobuf/internal/impl/message_reflect.go b/vendor/google.golang.org/protobuf/internal/impl/message_reflect.go index 31c19b54f8..0d20132fa2 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/message_reflect.go +++ b/vendor/google.golang.org/protobuf/internal/impl/message_reflect.go @@ -72,8 +72,6 @@ func (mi *MessageInfo) makeKnownFieldsFunc(si structInfo) { fi = fieldInfoForMap(fd, fs, mi.Exporter) case fd.IsList(): fi = fieldInfoForList(fd, fs, mi.Exporter) - case fd.IsWeak(): - fi = fieldInfoForWeakMessage(fd, si.weakOffset) case fd.Message() != nil: fi = fieldInfoForMessage(fd, fs, mi.Exporter) default: @@ -219,9 +217,6 @@ func (mi *MessageInfo) makeFieldTypes(si structInfo) { } case fd.Message() != nil: ft = fs.Type - if fd.IsWeak() { - ft = nil - } isMessage = true } if isMessage && ft != nil && ft.Kind() != reflect.Ptr { diff --git a/vendor/google.golang.org/protobuf/internal/impl/message_reflect_field.go b/vendor/google.golang.org/protobuf/internal/impl/message_reflect_field.go index 3cd1fbc21f..68d4ae32ec 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/message_reflect_field.go 
+++ b/vendor/google.golang.org/protobuf/internal/impl/message_reflect_field.go @@ -8,11 +8,8 @@ import ( "fmt" "math" "reflect" - "sync" - "google.golang.org/protobuf/internal/flags" "google.golang.org/protobuf/reflect/protoreflect" - "google.golang.org/protobuf/reflect/protoregistry" ) type fieldInfo struct { 
@@ -332,79 +329,6 @@ func fieldInfoForScalar(fd protoreflect.FieldDescriptor, fs reflect.StructField, } } -func fieldInfoForWeakMessage(fd protoreflect.FieldDescriptor, weakOffset offset) fieldInfo { - if !flags.ProtoLegacyWeak { - panic("no support for proto1 weak fields") - } - - var once sync.Once - var messageType protoreflect.MessageType - lazyInit := func() { - once.Do(func() { - messageName := fd.Message().FullName() - messageType, _ = protoregistry.GlobalTypes.FindMessageByName(messageName) - if messageType == nil { - panic(fmt.Sprintf("weak message %v for field %v is not linked in", messageName, fd.FullName())) - } - }) - } - - num := fd.Number() - return fieldInfo{ - fieldDesc: fd, - has: func(p pointer) bool { - if p.IsNil() { - return false - } - _, ok := p.Apply(weakOffset).WeakFields().get(num) - return ok - }, - clear: func(p pointer) { - p.Apply(weakOffset).WeakFields().clear(num) - }, - get: func(p pointer) protoreflect.Value { - lazyInit() - if p.IsNil() { - return protoreflect.ValueOfMessage(messageType.Zero()) - } - m, ok := p.Apply(weakOffset).WeakFields().get(num) - if !ok { - return protoreflect.ValueOfMessage(messageType.Zero()) - } - return protoreflect.ValueOfMessage(m.ProtoReflect()) - }, - set: func(p pointer, v protoreflect.Value) { - lazyInit() - m := v.Message() - if m.Descriptor() != messageType.Descriptor() { - if got, want := m.Descriptor().FullName(), messageType.Descriptor().FullName(); got != want { - panic(fmt.Sprintf("field %v has mismatching message descriptor: got %v, want %v", fd.FullName(), got, want)) - } - panic(fmt.Sprintf("field %v has mismatching message descriptor: %v", fd.FullName(), m.Descriptor().FullName())) - } - p.Apply(weakOffset).WeakFields().set(num, m.Interface()) - }, - mutable: func(p pointer) protoreflect.Value { - lazyInit() - fs := p.Apply(weakOffset).WeakFields() - m, ok := fs.get(num) - if !ok { - m = messageType.New().Interface() - fs.set(num, m) - } - return 
protoreflect.ValueOfMessage(m.ProtoReflect()) - }, - newMessage: func() protoreflect.Message { - lazyInit() - return messageType.New() - }, - newField: func() protoreflect.Value { - lazyInit() - return protoreflect.ValueOfMessage(messageType.New()) - }, - } -} - func fieldInfoForMessage(fd protoreflect.FieldDescriptor, fs reflect.StructField, x exporter) fieldInfo { ft := fs.Type conv := NewConverter(ft, fd) diff --git a/vendor/google.golang.org/protobuf/internal/impl/pointer_unsafe.go b/vendor/google.golang.org/protobuf/internal/impl/pointer_unsafe.go index 6bed45e35c..62f8bf663e 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/pointer_unsafe.go +++ b/vendor/google.golang.org/protobuf/internal/impl/pointer_unsafe.go @@ -111,7 +111,6 @@ func (p pointer) StringSlice() *[]string { return (*[]string)(p.p func (p pointer) Bytes() *[]byte { return (*[]byte)(p.p) } func (p pointer) BytesPtr() **[]byte { return (**[]byte)(p.p) } func (p pointer) BytesSlice() *[][]byte { return (*[][]byte)(p.p) } -func (p pointer) WeakFields() *weakFields { return (*weakFields)(p.p) } func (p pointer) Extensions() *map[int32]ExtensionField { return (*map[int32]ExtensionField)(p.p) } func (p pointer) LazyInfoPtr() **protolazy.XXX_lazyUnmarshalInfo { return (**protolazy.XXX_lazyUnmarshalInfo)(p.p) diff --git a/vendor/google.golang.org/protobuf/internal/impl/validate.go b/vendor/google.golang.org/protobuf/internal/impl/validate.go index b534a3d6db..7b2995dde5 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/validate.go +++ b/vendor/google.golang.org/protobuf/internal/impl/validate.go @@ -211,9 +211,7 @@ func newValidationInfo(fd protoreflect.FieldDescriptor, ft reflect.Type) validat switch fd.Kind() { case protoreflect.MessageKind: vi.typ = validationTypeMessage - if !fd.IsWeak() { - vi.mi = getMessageInfo(ft) - } + vi.mi = getMessageInfo(ft) case protoreflect.GroupKind: vi.typ = validationTypeGroup vi.mi = getMessageInfo(ft) 
@@ -320,26 +318,6 @@ State: } if f != nil { vi = f.validation - if vi.typ == validationTypeMessage && vi.mi == nil { - // Probable weak field. - // - // TODO: Consider storing the results of this lookup somewhere - // rather than recomputing it on every validation. - fd := st.mi.Desc.Fields().ByNumber(num) - if fd == nil || !fd.IsWeak() { - break - } - messageName := fd.Message().FullName() - messageType, err := protoregistry.GlobalTypes.FindMessageByName(messageName) - switch err { - case nil: - vi.mi, _ = messageType.(*MessageInfo) - case protoregistry.NotFound: - vi.typ = validationTypeBytes - default: - return out, ValidationUnknown - } - } break } // Possible extension field. diff --git a/vendor/google.golang.org/protobuf/internal/impl/weak.go b/vendor/google.golang.org/protobuf/internal/impl/weak.go deleted file mode 100644 index eb79a7ba94..0000000000 --- a/vendor/google.golang.org/protobuf/internal/impl/weak.go +++ /dev/null 
@@ -1,74 +0,0 @@ -// Copyright 2019 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package impl - -import ( - "fmt" - - "google.golang.org/protobuf/reflect/protoreflect" - "google.golang.org/protobuf/reflect/protoregistry" -) - -// weakFields adds methods to the exported WeakFields type for internal use. -// -// The exported type is an alias to an unnamed type, so methods can't be -// defined directly on it. -type weakFields WeakFields - -func (w weakFields) get(num protoreflect.FieldNumber) (protoreflect.ProtoMessage, bool) { - m, ok := w[int32(num)] - return m, ok -} - -func (w *weakFields) set(num protoreflect.FieldNumber, m protoreflect.ProtoMessage) { - if *w == nil { - *w = make(weakFields) - } - (*w)[int32(num)] = m -} - -func (w *weakFields) clear(num protoreflect.FieldNumber) { - delete(*w, int32(num)) -} - -func (Export) HasWeak(w WeakFields, num protoreflect.FieldNumber) bool { - _, ok := w[int32(num)] - return ok -} - -func (Export) ClearWeak(w *WeakFields, num protoreflect.FieldNumber) { - delete(*w, int32(num)) -} - -func (Export) GetWeak(w WeakFields, num protoreflect.FieldNumber, name protoreflect.FullName) protoreflect.ProtoMessage { - if m, ok := w[int32(num)]; ok { - return m - } - mt, _ := protoregistry.GlobalTypes.FindMessageByName(name) - if mt == nil { - panic(fmt.Sprintf("message %v for weak field is not linked in", name)) - } - return mt.Zero().Interface() -} - -func (Export) SetWeak(w *WeakFields, num protoreflect.FieldNumber, name protoreflect.FullName, m protoreflect.ProtoMessage) { - if m != nil { - mt, _ := protoregistry.GlobalTypes.FindMessageByName(name) - if mt == nil { - panic(fmt.Sprintf("message %v for weak field is not linked in", name)) - } - if mt != m.ProtoReflect().Type() { - panic(fmt.Sprintf("invalid message type for weak field: got %T, want %T", m, mt.Zero().Interface())) - } - } - if m == nil || !m.ProtoReflect().IsValid() 
{ - delete(*w, int32(num)) - return - } - if *w == nil { - *w = make(weakFields) - } - (*w)[int32(num)] = m -} diff --git a/vendor/google.golang.org/protobuf/internal/version/version.go b/vendor/google.golang.org/protobuf/internal/version/version.go index f5c06280fe..01efc33030 100644 --- a/vendor/google.golang.org/protobuf/internal/version/version.go +++ b/vendor/google.golang.org/protobuf/internal/version/version.go @@ -52,7 +52,7 @@ import ( const ( Major = 1 Minor = 36 - Patch = 3 + Patch = 5 PreRelease = "" ) diff --git a/vendor/google.golang.org/protobuf/proto/decode.go b/vendor/google.golang.org/protobuf/proto/decode.go index e28d7acb37..4cbf1aeaf7 100644 --- a/vendor/google.golang.org/protobuf/proto/decode.go +++ b/vendor/google.golang.org/protobuf/proto/decode.go @@ -8,7 +8,6 @@ import ( "google.golang.org/protobuf/encoding/protowire" "google.golang.org/protobuf/internal/encoding/messageset" "google.golang.org/protobuf/internal/errors" - "google.golang.org/protobuf/internal/flags" "google.golang.org/protobuf/internal/genid" "google.golang.org/protobuf/internal/pragma" "google.golang.org/protobuf/reflect/protoreflect" @@ -172,10 +171,6 @@ func (o UnmarshalOptions) unmarshalMessageSlow(b []byte, m protoreflect.Message) var err error if fd == nil { err = errUnknown - } else if flags.ProtoLegacyWeak { - if fd.IsWeak() && fd.Message().IsPlaceholder() { - err = errUnknown // weak referent is not linked in - } } // Parse the field value. diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go index 69a0505091..823dbf3ba6 100644 --- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go +++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go 
@@ -132,17 +132,11 @@ func (o FileOptions) New(fd *descriptorpb.FileDescriptorProto, r Resolver) (prot } f.L2.Imports[i].IsPublic = true } - for _, i := range fd.GetWeakDependency() { - if !(0 <= i && int(i) < len(f.L2.Imports)) || f.L2.Imports[i].IsWeak { - return nil, errors.New("invalid or duplicate weak import index: %d", i) - } - f.L2.Imports[i].IsWeak = true - } imps := importSet{f.Path(): true} for i, path := range fd.GetDependency() { imp := &f.L2.Imports[i] f, err := r.FindFileByPath(path) - if err == protoregistry.NotFound && (o.AllowUnresolvable || imp.IsWeak) { + if err == protoregistry.NotFound && o.AllowUnresolvable { f = filedesc.PlaceholderFile(path) } else if err != nil { return nil, errors.New("could not resolve import %q: %v", path, err) diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go index ebcb4a8ab1..9da34998b1 100644 --- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go +++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go @@ -149,7 +149,6 @@ func (r descsByName) initFieldsFromDescriptorProto(fds []*descriptorpb.FieldDesc if opts := fd.GetOptions(); opts != nil { opts = proto.Clone(opts).(*descriptorpb.FieldOptions) f.L1.Options = func() protoreflect.ProtoMessage { return opts } - f.L1.IsWeak = opts.GetWeak() f.L1.IsLazy = opts.GetLazy() if opts.Packed != nil { f.L1.EditionFeatures.IsPacked = opts.GetPacked() diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_resolve.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_resolve.go index f3cebab29c..ff692436e9 100644 --- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_resolve.go +++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_resolve.go 
@@ -43,7 +43,7 @@ func (r *resolver) resolveMessageDependencies(ms []filedesc.Message, mds []*desc o.L1.Fields.List = append(o.L1.Fields.List, f) } - if f.L1.Kind, f.L1.Enum, f.L1.Message, err = r.findTarget(f.Kind(), f.Parent().FullName(), partialName(fd.GetTypeName()), f.IsWeak()); err != nil { + if f.L1.Kind, f.L1.Enum, f.L1.Message, err = r.findTarget(f.Kind(), f.Parent().FullName(), partialName(fd.GetTypeName())); err != nil { return errors.New("message field %q cannot resolve type: %v", f.FullName(), err) } if f.L1.Kind == protoreflect.GroupKind && (f.IsMap() || f.IsMapEntry()) { @@ -73,10 +73,10 @@ func (r *resolver) resolveMessageDependencies(ms []filedesc.Message, mds []*desc func (r *resolver) resolveExtensionDependencies(xs []filedesc.Extension, xds []*descriptorpb.FieldDescriptorProto) (err error) { for i, xd := range xds { x := &xs[i] - if x.L1.Extendee, err = r.findMessageDescriptor(x.Parent().FullName(), partialName(xd.GetExtendee()), false); err != nil { + if x.L1.Extendee, err = r.findMessageDescriptor(x.Parent().FullName(), partialName(xd.GetExtendee())); err != nil { return errors.New("extension field %q cannot resolve extendee: %v", x.FullName(), err) } - if x.L1.Kind, x.L2.Enum, x.L2.Message, err = r.findTarget(x.Kind(), x.Parent().FullName(), partialName(xd.GetTypeName()), false); err != nil { + if x.L1.Kind, x.L2.Enum, x.L2.Message, err = r.findTarget(x.Kind(), x.Parent().FullName(), partialName(xd.GetTypeName())); err != nil { return errors.New("extension field %q cannot resolve type: %v", x.FullName(), err) } if xd.DefaultValue != nil { 
@@ -95,11 +95,11 @@ func (r *resolver) resolveServiceDependencies(ss []filedesc.Service, sds []*desc s := &ss[i] for j, md := range sd.GetMethod() { m := &s.L2.Methods.List[j] - m.L1.Input, err = r.findMessageDescriptor(m.Parent().FullName(), partialName(md.GetInputType()), false) + m.L1.Input, err = r.findMessageDescriptor(m.Parent().FullName(), partialName(md.GetInputType())) if err != nil { return errors.New("service method %q cannot resolve input: %v", m.FullName(), err) } - m.L1.Output, err = r.findMessageDescriptor(s.FullName(), partialName(md.GetOutputType()), false) + m.L1.Output, err = r.findMessageDescriptor(s.FullName(), partialName(md.GetOutputType())) if err != nil { return errors.New("service method %q cannot resolve output: %v", m.FullName(), err) } @@ -111,16 +111,16 @@ func (r *resolver) resolveServiceDependencies(ss []filedesc.Service, sds []*desc // findTarget finds an enum or message descriptor if k is an enum, message, // group, or unknown. If unknown, and the name could be resolved, the kind // returned kind is set based on the type of the resolved descriptor. -func (r *resolver) findTarget(k protoreflect.Kind, scope protoreflect.FullName, ref partialName, isWeak bool) (protoreflect.Kind, protoreflect.EnumDescriptor, protoreflect.MessageDescriptor, error) { +func (r *resolver) findTarget(k protoreflect.Kind, scope protoreflect.FullName, ref partialName) (protoreflect.Kind, protoreflect.EnumDescriptor, protoreflect.MessageDescriptor, error) { switch k { case protoreflect.EnumKind: - ed, err := r.findEnumDescriptor(scope, ref, isWeak) + ed, err := r.findEnumDescriptor(scope, ref) if err != nil { return 0, nil, nil, err } return k, ed, nil, nil case protoreflect.MessageKind, protoreflect.GroupKind: - md, err := r.findMessageDescriptor(scope, ref, isWeak) + md, err := r.findMessageDescriptor(scope, ref) if err != nil { return 0, nil, nil, err } 
@@ -129,7 +129,7 @@ func (r *resolver) findTarget(k protoreflect.Kind, scope protoreflect.FullName, // Handle unspecified kinds (possible with parsers that operate // on a per-file basis without knowledge of dependencies). d, err := r.findDescriptor(scope, ref) - if err == protoregistry.NotFound && (r.allowUnresolvable || isWeak) { + if err == protoregistry.NotFound && r.allowUnresolvable { return k, filedesc.PlaceholderEnum(ref.FullName()), filedesc.PlaceholderMessage(ref.FullName()), nil } else if err == protoregistry.NotFound { return 0, nil, nil, errors.New("%q not found", ref.FullName()) @@ -206,9 +206,9 @@ func (r *resolver) findDescriptor(scope protoreflect.FullName, ref partialName) } } -func (r *resolver) findEnumDescriptor(scope protoreflect.FullName, ref partialName, isWeak bool) (protoreflect.EnumDescriptor, error) { +func (r *resolver) findEnumDescriptor(scope protoreflect.FullName, ref partialName) (protoreflect.EnumDescriptor, error) { d, err := r.findDescriptor(scope, ref) - if err == protoregistry.NotFound && (r.allowUnresolvable || isWeak) { + if err == protoregistry.NotFound && r.allowUnresolvable { return filedesc.PlaceholderEnum(ref.FullName()), nil } else if err == protoregistry.NotFound { return nil, errors.New("%q not found", ref.FullName()) 
@@ -222,9 +222,9 @@ func (r *resolver) findEnumDescriptor(scope protoreflect.FullName, ref partialNa return ed, nil } -func (r *resolver) findMessageDescriptor(scope protoreflect.FullName, ref partialName, isWeak bool) (protoreflect.MessageDescriptor, error) { +func (r *resolver) findMessageDescriptor(scope protoreflect.FullName, ref partialName) (protoreflect.MessageDescriptor, error) { d, err := r.findDescriptor(scope, ref) - if err == protoregistry.NotFound && (r.allowUnresolvable || isWeak) { + if err == protoregistry.NotFound && r.allowUnresolvable { return filedesc.PlaceholderMessage(ref.FullName()), nil } else if err == protoregistry.NotFound { return nil, errors.New("%q not found", ref.FullName()) diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_validate.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_validate.go index 5eaf652176..c343d9227b 100644 --- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_validate.go +++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_validate.go @@ -149,12 +149,6 @@ func validateMessageDeclarations(file *filedesc.File, ms []filedesc.Message, mds return errors.New("message field %q under proto3 optional semantics must be within a single element oneof", f.FullName()) } } - if f.IsWeak() && !flags.ProtoLegacyWeak { - return errors.New("message field %q is a weak field, which is a legacy proto1 feature that is no longer supported", f.FullName()) - } - if f.IsWeak() && (!f.HasPresence() || !isOptionalMessage(f) || f.ContainingOneof() != nil) { - return errors.New("message field %q may only be weak for an optional message", f.FullName()) - } if f.IsPacked() && !isPackable(f) { return errors.New("message field %q is not packable", f.FullName()) } 
@@ -199,9 +193,6 @@ func validateMessageDeclarations(file *filedesc.File, ms []filedesc.Message, mds if f.Cardinality() != protoreflect.Optional { return errors.New("message field %q belongs in a oneof and must be optional", f.FullName()) } - if f.IsWeak() { - return errors.New("message field %q belongs in a oneof and must not be a weak reference", f.FullName()) - } } } @@ -254,9 +245,6 @@ func validateExtensionDeclarations(f *filedesc.File, xs []filedesc.Extension, xd return errors.New("extension field %q has an invalid number: %d", x.FullName(), x.Number()) } } - if xd.GetOptions().GetWeak() { - return errors.New("extension field %q cannot be a weak reference", x.FullName()) - } if x.IsPacked() && !isPackable(x) { return errors.New("extension field %q is not packable", x.FullName()) } diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go b/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go index f55b036959..697a61b290 100644 --- a/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go +++ b/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go @@ -11,6 +11,7 @@ import ( "google.golang.org/protobuf/internal/editiondefaults" "google.golang.org/protobuf/internal/filedesc" + "google.golang.org/protobuf/internal/genid" "google.golang.org/protobuf/proto" "google.golang.org/protobuf/reflect/protoreflect" "google.golang.org/protobuf/types/descriptorpb" 
@@ -128,23 +129,39 @@ func mergeEditionFeatures(parentDesc protoreflect.Descriptor, child *descriptorp
 // We must not use proto.GetExtension(child, gofeaturespb.E_Go)
 // because that only works for messages we generated, but not for
 // dynamicpb messages. See golang/protobuf#1669.
+ //
+ // Further, we harden this code against adversarial inputs: a
+ // service which accepts descriptors from a possibly malicious
+ // source shouldn't crash.
 goFeatures := child.ProtoReflect().Get(gofeaturespb.E_Go.TypeDescriptor())
 if !goFeatures.IsValid() {
 return parentFS
 }
+ gf, ok := goFeatures.Interface().(protoreflect.Message)
+ if !ok {
+ return parentFS
+ }
 // gf.Interface() could be *dynamicpb.Message or *gofeaturespb.GoFeatures.
- gf := goFeatures.Message()
 fields := gf.Descriptor().Fields()
- if fd := fields.ByName("legacy_unmarshal_json_enum"); gf.Has(fd) {
+ if fd := fields.ByNumber(genid.GoFeatures_LegacyUnmarshalJsonEnum_field_number); fd != nil &&
+ !fd.IsList() &&
+ fd.Kind() == protoreflect.BoolKind &&
+ gf.Has(fd) {
 parentFS.GenerateLegacyUnmarshalJSON = gf.Get(fd).Bool()
 }
- if fd := fields.ByName("strip_enum_prefix"); gf.Has(fd) {
+ if fd := fields.ByNumber(genid.GoFeatures_StripEnumPrefix_field_number); fd != nil &&
+ !fd.IsList() &&
+ fd.Kind() == protoreflect.EnumKind &&
+ gf.Has(fd) {
 parentFS.StripEnumPrefix = int(gf.Get(fd).Enum())
 }
- if fd := fields.ByName("api_level"); gf.Has(fd) {
+ if fd := fields.ByNumber(genid.GoFeatures_ApiLevel_field_number); fd != nil &&
+ !fd.IsList() &&
+ fd.Kind() == protoreflect.EnumKind &&
+ gf.Has(fd) {
 parentFS.APILevel = int(gf.Get(fd).Enum())
 }
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go b/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
index a5de8d4001..9b880aa8c9 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
@@ -32,9 +32,6 @@ func ToFileDescriptorProto(file protoreflect.FileDescriptor) *descriptorpb.FileD
 if imp.IsPublic {
 p.PublicDependency = append(p.PublicDependency, int32(i))
 }
- if imp.IsWeak {
- p.WeakDependency = append(p.WeakDependency, int32(i))
- }
 }
 for i, locs := 0, file.SourceLocations(); i < locs.Len(); i++ {
 loc := locs.Get(i)
diff --git a/vendor/google.golang.org/protobuf/reflect/protoreflect/type.go b/vendor/google.golang.org/protobuf/reflect/protoreflect/type.go
index cd8fadbaf8..cd7fbc87a4 100644
--- a/vendor/google.golang.org/protobuf/reflect/protoreflect/type.go
+++ b/vendor/google.golang.org/protobuf/reflect/protoreflect/type.go
@@ -68,7 +68,7 @@ type Descriptor interface {
 // dependency is not resolved, in which case only name information is known.
 //
 // Placeholder types may only be returned by the following accessors
- // as a result of unresolved dependencies or weak imports:
+ // as a result of unresolved dependencies:
 //
 // ╔═══════════════════════════════════╤═════════════════════╗
 // ║ Accessor │ Descriptor ║
@@ -168,11 +168,7 @@ type FileImport struct {
 // The current file and the imported file must be within proto package.
 IsPublic bool
- // IsWeak reports whether this is a weak import, which does not impose
- // a direct dependency on the target file.
- //
- // Weak imports are a legacy proto1 feature. Equivalent behavior is
- // achieved using proto2 extension fields or proto3 Any messages.
+ // Deprecated: support for weak fields has been removed.
 IsWeak bool
 }
@@ -325,9 +321,7 @@ type FieldDescriptor interface {
 // specified in the source .proto file.
 HasOptionalKeyword() bool
- // IsWeak reports whether this is a weak field, which does not impose a
- // direct dependency on the target type.
- // If true, then Message returns a placeholder type.
+ // Deprecated: support for weak fields has been removed.
 IsWeak() bool
 // IsPacked reports whether repeated primitive numeric kinds should be
diff --git a/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go b/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go index a551e7ae94..a516337674 100644 --- a/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go +++ b/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go @@ -46,6 +46,7 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" + unsafe "unsafe" ) // The full set of known editions. @@ -4360,7 +4361,7 @@ func (x *GeneratedCodeInfo_Annotation) GetSemantic() GeneratedCodeInfo_Annotatio var File_google_protobuf_descriptor_proto protoreflect.FileDescriptor -var file_google_protobuf_descriptor_proto_rawDesc = []byte{ +var file_google_protobuf_descriptor_proto_rawDesc = string([]byte{ 0x0a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 
@@ -5130,16 +5131,16 @@ var file_google_protobuf_descriptor_proto_rawDesc = []byte{ 0x70, 0x62, 0xf8, 0x01, 0x01, 0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1a, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x52, 0x65, 0x66, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, -} +}) var ( file_google_protobuf_descriptor_proto_rawDescOnce sync.Once - file_google_protobuf_descriptor_proto_rawDescData = file_google_protobuf_descriptor_proto_rawDesc + file_google_protobuf_descriptor_proto_rawDescData []byte ) func file_google_protobuf_descriptor_proto_rawDescGZIP() []byte { file_google_protobuf_descriptor_proto_rawDescOnce.Do(func() { - file_google_protobuf_descriptor_proto_rawDescData = protoimpl.X.CompressGZIP(file_google_protobuf_descriptor_proto_rawDescData) + file_google_protobuf_descriptor_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_google_protobuf_descriptor_proto_rawDesc), len(file_google_protobuf_descriptor_proto_rawDesc))) }) return file_google_protobuf_descriptor_proto_rawDescData } @@ -5292,7 +5293,7 @@ func file_google_protobuf_descriptor_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_google_protobuf_descriptor_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_google_protobuf_descriptor_proto_rawDesc), len(file_google_protobuf_descriptor_proto_rawDesc)), NumEnums: 17, NumMessages: 33, NumExtensions: 0, @@ -5304,7 +5305,6 @@ func file_google_protobuf_descriptor_proto_init() { MessageInfos: file_google_protobuf_descriptor_proto_msgTypes, }.Build() File_google_protobuf_descriptor_proto = out.File - file_google_protobuf_descriptor_proto_rawDesc = nil file_google_protobuf_descriptor_proto_goTypes = nil file_google_protobuf_descriptor_proto_depIdxs = nil } 
diff --git a/vendor/google.golang.org/protobuf/types/gofeaturespb/go_features.pb.go b/vendor/google.golang.org/protobuf/types/gofeaturespb/go_features.pb.go index e0b72eaf92..28d24bad79 100644 --- a/vendor/google.golang.org/protobuf/types/gofeaturespb/go_features.pb.go +++ b/vendor/google.golang.org/protobuf/types/gofeaturespb/go_features.pb.go @@ -16,6 +16,7 @@ import ( descriptorpb "google.golang.org/protobuf/types/descriptorpb" reflect "reflect" sync "sync" + unsafe "unsafe" ) type GoFeatures_APILevel int32 @@ -227,7 +228,7 @@ var ( var File_google_protobuf_go_features_proto protoreflect.FileDescriptor -var file_google_protobuf_go_features_proto_rawDesc = []byte{ +var file_google_protobuf_go_features_proto_rawDesc = string([]byte{ 0x0a, 0x21, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x67, 0x6f, 0x5f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x02, 0x70, 0x62, 0x1a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 
@@ -283,16 +284,16 @@ var file_google_protobuf_go_features_proto_rawDesc = []byte{ 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x67, 0x6f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x70, 0x62, -} +}) var ( file_google_protobuf_go_features_proto_rawDescOnce sync.Once - file_google_protobuf_go_features_proto_rawDescData = file_google_protobuf_go_features_proto_rawDesc + file_google_protobuf_go_features_proto_rawDescData []byte ) func file_google_protobuf_go_features_proto_rawDescGZIP() []byte { file_google_protobuf_go_features_proto_rawDescOnce.Do(func() { - file_google_protobuf_go_features_proto_rawDescData = protoimpl.X.CompressGZIP(file_google_protobuf_go_features_proto_rawDescData) + file_google_protobuf_go_features_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_google_protobuf_go_features_proto_rawDesc), len(file_google_protobuf_go_features_proto_rawDesc))) }) return file_google_protobuf_go_features_proto_rawDescData } @@ -326,7 +327,7 @@ func file_google_protobuf_go_features_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_google_protobuf_go_features_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_google_protobuf_go_features_proto_rawDesc), len(file_google_protobuf_go_features_proto_rawDesc)), NumEnums: 2, NumMessages: 1, NumExtensions: 1, @@ -339,7 +340,6 @@ func file_google_protobuf_go_features_proto_init() { ExtensionInfos: file_google_protobuf_go_features_proto_extTypes, }.Build() File_google_protobuf_go_features_proto = out.File - file_google_protobuf_go_features_proto_rawDesc = nil file_google_protobuf_go_features_proto_goTypes = nil file_google_protobuf_go_features_proto_depIdxs = nil } 
diff --git a/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go b/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go index 191552cce0..497da66e91 100644 --- a/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go +++ b/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go @@ -122,6 +122,7 @@ import ( reflect "reflect" strings "strings" sync "sync" + unsafe "unsafe" ) // `Any` contains an arbitrary serialized protocol buffer message along with a @@ -411,7 +412,7 @@ func (x *Any) GetValue() []byte { var File_google_protobuf_any_proto protoreflect.FileDescriptor -var file_google_protobuf_any_proto_rawDesc = []byte{ +var file_google_protobuf_any_proto_rawDesc = string([]byte{ 0x0a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x22, 0x36, 0x0a, 0x03, @@ -427,16 +428,16 @@ var file_google_protobuf_any_proto_rawDesc = []byte{ 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} +}) var ( file_google_protobuf_any_proto_rawDescOnce sync.Once - file_google_protobuf_any_proto_rawDescData = file_google_protobuf_any_proto_rawDesc + file_google_protobuf_any_proto_rawDescData []byte ) func file_google_protobuf_any_proto_rawDescGZIP() []byte { file_google_protobuf_any_proto_rawDescOnce.Do(func() { - file_google_protobuf_any_proto_rawDescData = protoimpl.X.CompressGZIP(file_google_protobuf_any_proto_rawDescData) + file_google_protobuf_any_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_google_protobuf_any_proto_rawDesc), len(file_google_protobuf_any_proto_rawDesc))) }) return file_google_protobuf_any_proto_rawDescData } 
@@ -462,7 +463,7 @@ func file_google_protobuf_any_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_google_protobuf_any_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_google_protobuf_any_proto_rawDesc), len(file_google_protobuf_any_proto_rawDesc)), NumEnums: 0, NumMessages: 1, NumExtensions: 0, @@ -473,7 +474,6 @@ func file_google_protobuf_any_proto_init() { MessageInfos: file_google_protobuf_any_proto_msgTypes, }.Build() File_google_protobuf_any_proto = out.File - file_google_protobuf_any_proto_rawDesc = nil file_google_protobuf_any_proto_goTypes = nil file_google_protobuf_any_proto_depIdxs = nil } diff --git a/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go b/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go index 34d76e6cd9..193880d181 100644 --- a/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go +++ b/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go @@ -80,6 +80,7 @@ import ( reflect "reflect" sync "sync" time "time" + unsafe "unsafe" ) // A Duration represents a signed, fixed-length span of time represented @@ -288,7 +289,7 @@ func (x *Duration) GetNanos() int32 { var File_google_protobuf_duration_proto protoreflect.FileDescriptor -var file_google_protobuf_duration_proto_rawDesc = []byte{ +var file_google_protobuf_duration_proto_rawDesc = string([]byte{ 0x0a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 
@@ -305,16 +306,16 @@ var file_google_protobuf_duration_proto_rawDesc = []byte{ 0x50, 0x42, 0xaa, 0x02, 0x1e, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} +}) var ( file_google_protobuf_duration_proto_rawDescOnce sync.Once - file_google_protobuf_duration_proto_rawDescData = file_google_protobuf_duration_proto_rawDesc + file_google_protobuf_duration_proto_rawDescData []byte ) func file_google_protobuf_duration_proto_rawDescGZIP() []byte { file_google_protobuf_duration_proto_rawDescOnce.Do(func() { - file_google_protobuf_duration_proto_rawDescData = protoimpl.X.CompressGZIP(file_google_protobuf_duration_proto_rawDescData) + file_google_protobuf_duration_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_google_protobuf_duration_proto_rawDesc), len(file_google_protobuf_duration_proto_rawDesc))) }) return file_google_protobuf_duration_proto_rawDescData } @@ -340,7 +341,7 @@ func file_google_protobuf_duration_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_google_protobuf_duration_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_google_protobuf_duration_proto_rawDesc), len(file_google_protobuf_duration_proto_rawDesc)), NumEnums: 0, NumMessages: 1, NumExtensions: 0, @@ -351,7 +352,6 @@ func file_google_protobuf_duration_proto_init() { MessageInfos: file_google_protobuf_duration_proto_msgTypes, }.Build() File_google_protobuf_duration_proto = out.File - file_google_protobuf_duration_proto_rawDesc = nil file_google_protobuf_duration_proto_goTypes = nil file_google_protobuf_duration_proto_depIdxs = nil } 
diff --git a/vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go b/vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go index 7fcdd382cc..a5b8657c4b 100644 --- a/vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go +++ b/vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go @@ -38,6 +38,7 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" + unsafe "unsafe" ) // A generic empty message that you can re-use to avoid defining duplicated @@ -85,7 +86,7 @@ func (*Empty) Descriptor() ([]byte, []int) { var File_google_protobuf_empty_proto protoreflect.FileDescriptor -var file_google_protobuf_empty_proto_rawDesc = []byte{ +var file_google_protobuf_empty_proto_rawDesc = string([]byte{ 0x0a, 0x1b, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x22, 0x07, 
@@ -98,16 +99,16 @@ var file_google_protobuf_empty_proto_rawDesc = []byte{ 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} +}) var ( file_google_protobuf_empty_proto_rawDescOnce sync.Once - file_google_protobuf_empty_proto_rawDescData = file_google_protobuf_empty_proto_rawDesc + file_google_protobuf_empty_proto_rawDescData []byte ) func file_google_protobuf_empty_proto_rawDescGZIP() []byte { file_google_protobuf_empty_proto_rawDescOnce.Do(func() { - file_google_protobuf_empty_proto_rawDescData = protoimpl.X.CompressGZIP(file_google_protobuf_empty_proto_rawDescData) + file_google_protobuf_empty_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_google_protobuf_empty_proto_rawDesc), len(file_google_protobuf_empty_proto_rawDesc))) }) return file_google_protobuf_empty_proto_rawDescData } @@ -133,7 +134,7 @@ func file_google_protobuf_empty_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_google_protobuf_empty_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_google_protobuf_empty_proto_rawDesc), len(file_google_protobuf_empty_proto_rawDesc)), NumEnums: 0, NumMessages: 1, NumExtensions: 0, @@ -144,7 +145,6 @@ func file_google_protobuf_empty_proto_init() { MessageInfos: file_google_protobuf_empty_proto_msgTypes, }.Build() File_google_protobuf_empty_proto = out.File - file_google_protobuf_empty_proto_rawDesc = nil file_google_protobuf_empty_proto_goTypes = nil file_google_protobuf_empty_proto_depIdxs = nil } diff --git a/vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go b/vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go index e5d7da38c2..041feb0f3e 100644 
--- a/vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go +++ b/vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go @@ -83,6 +83,7 @@ import ( sort "sort" strings "strings" sync "sync" + unsafe "unsafe" ) // `FieldMask` represents a set of symbolic field paths, for example: @@ -503,7 +504,7 @@ func (x *FieldMask) GetPaths() []string { var File_google_protobuf_field_mask_proto protoreflect.FileDescriptor -var file_google_protobuf_field_mask_proto_rawDesc = []byte{ +var file_google_protobuf_field_mask_proto_rawDesc = string([]byte{ 0x0a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x6d, 0x61, 0x73, 0x6b, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, @@ -519,16 +520,16 @@ var file_google_protobuf_field_mask_proto_rawDesc = []byte{ 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} +}) var ( file_google_protobuf_field_mask_proto_rawDescOnce sync.Once - file_google_protobuf_field_mask_proto_rawDescData = file_google_protobuf_field_mask_proto_rawDesc + file_google_protobuf_field_mask_proto_rawDescData []byte ) func file_google_protobuf_field_mask_proto_rawDescGZIP() []byte { file_google_protobuf_field_mask_proto_rawDescOnce.Do(func() { - file_google_protobuf_field_mask_proto_rawDescData = protoimpl.X.CompressGZIP(file_google_protobuf_field_mask_proto_rawDescData) + file_google_protobuf_field_mask_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_google_protobuf_field_mask_proto_rawDesc), len(file_google_protobuf_field_mask_proto_rawDesc))) }) return file_google_protobuf_field_mask_proto_rawDescData } 
@@ -554,7 +555,7 @@ func file_google_protobuf_field_mask_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_google_protobuf_field_mask_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_google_protobuf_field_mask_proto_rawDesc), len(file_google_protobuf_field_mask_proto_rawDesc)), NumEnums: 0, NumMessages: 1, NumExtensions: 0, @@ -565,7 +566,6 @@ func file_google_protobuf_field_mask_proto_init() { MessageInfos: file_google_protobuf_field_mask_proto_msgTypes, }.Build() File_google_protobuf_field_mask_proto = out.File - file_google_protobuf_field_mask_proto_rawDesc = nil file_google_protobuf_field_mask_proto_goTypes = nil file_google_protobuf_field_mask_proto_depIdxs = nil } diff --git a/vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go b/vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go index f2c53ea337..ecdd31ab53 100644 --- a/vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go +++ b/vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go @@ -128,6 +128,7 @@ import ( reflect "reflect" sync "sync" utf8 "unicode/utf8" + unsafe "unsafe" ) // `NullValue` is a singleton enumeration to represent the null value for the @@ -671,7 +672,7 @@ func (x *ListValue) GetValues() []*Value { var File_google_protobuf_struct_proto protoreflect.FileDescriptor -var file_google_protobuf_struct_proto_rawDesc = []byte{ +var file_google_protobuf_struct_proto_rawDesc = string([]byte{ 0x0a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x22, 
@@ -719,16 +720,16 @@ var file_google_protobuf_struct_proto_rawDesc = []byte{ 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} +}) var ( file_google_protobuf_struct_proto_rawDescOnce sync.Once - file_google_protobuf_struct_proto_rawDescData = file_google_protobuf_struct_proto_rawDesc + file_google_protobuf_struct_proto_rawDescData []byte ) func file_google_protobuf_struct_proto_rawDescGZIP() []byte { file_google_protobuf_struct_proto_rawDescOnce.Do(func() { - file_google_protobuf_struct_proto_rawDescData = protoimpl.X.CompressGZIP(file_google_protobuf_struct_proto_rawDescData) + file_google_protobuf_struct_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_google_protobuf_struct_proto_rawDesc), len(file_google_protobuf_struct_proto_rawDesc))) }) return file_google_protobuf_struct_proto_rawDescData } @@ -773,7 +774,7 @@ func file_google_protobuf_struct_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_google_protobuf_struct_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_google_protobuf_struct_proto_rawDesc), len(file_google_protobuf_struct_proto_rawDesc)), NumEnums: 1, NumMessages: 4, NumExtensions: 0, @@ -785,7 +786,6 @@ func file_google_protobuf_struct_proto_init() { MessageInfos: file_google_protobuf_struct_proto_msgTypes, }.Build() File_google_protobuf_struct_proto = out.File - file_google_protobuf_struct_proto_rawDesc = nil file_google_protobuf_struct_proto_goTypes = nil file_google_protobuf_struct_proto_depIdxs = nil } diff --git a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go index 9550109aa3..00ac835c0b 100644 
--- a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go +++ b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go @@ -78,6 +78,7 @@ import ( reflect "reflect" sync "sync" time "time" + unsafe "unsafe" ) // A Timestamp represents a point in time independent of any time zone or local @@ -297,7 +298,7 @@ func (x *Timestamp) GetNanos() int32 { var File_google_protobuf_timestamp_proto protoreflect.FileDescriptor -var file_google_protobuf_timestamp_proto_rawDesc = []byte{ +var file_google_protobuf_timestamp_proto_rawDesc = string([]byte{ 0x0a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, @@ -314,16 +315,16 @@ var file_google_protobuf_timestamp_proto_rawDesc = []byte{ 0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} +}) var ( file_google_protobuf_timestamp_proto_rawDescOnce sync.Once - file_google_protobuf_timestamp_proto_rawDescData = file_google_protobuf_timestamp_proto_rawDesc + file_google_protobuf_timestamp_proto_rawDescData []byte ) func file_google_protobuf_timestamp_proto_rawDescGZIP() []byte { file_google_protobuf_timestamp_proto_rawDescOnce.Do(func() { - file_google_protobuf_timestamp_proto_rawDescData = protoimpl.X.CompressGZIP(file_google_protobuf_timestamp_proto_rawDescData) + file_google_protobuf_timestamp_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_google_protobuf_timestamp_proto_rawDesc), len(file_google_protobuf_timestamp_proto_rawDesc))) }) return file_google_protobuf_timestamp_proto_rawDescData } 
@@ -349,7 +350,7 @@ func file_google_protobuf_timestamp_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_google_protobuf_timestamp_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_google_protobuf_timestamp_proto_rawDesc), len(file_google_protobuf_timestamp_proto_rawDesc)), NumEnums: 0, NumMessages: 1, NumExtensions: 0, @@ -360,7 +361,6 @@ func file_google_protobuf_timestamp_proto_init() { MessageInfos: file_google_protobuf_timestamp_proto_msgTypes, }.Build() File_google_protobuf_timestamp_proto = out.File - file_google_protobuf_timestamp_proto_rawDesc = nil file_google_protobuf_timestamp_proto_goTypes = nil file_google_protobuf_timestamp_proto_depIdxs = nil } diff --git a/vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go b/vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go index 15b424ec12..5de5301063 100644 --- a/vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go +++ b/vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go @@ -48,6 +48,7 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" + unsafe "unsafe" ) // Wrapper message for `double`. @@ -529,7 +530,7 @@ func (x *BytesValue) GetValue() []byte { var File_google_protobuf_wrappers_proto protoreflect.FileDescriptor -var file_google_protobuf_wrappers_proto_rawDesc = []byte{ +var file_google_protobuf_wrappers_proto_rawDesc = string([]byte{ 0x0a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 
@@ -563,16 +564,16 @@ var file_google_protobuf_wrappers_proto_rawDesc = []byte{ 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} +}) var ( file_google_protobuf_wrappers_proto_rawDescOnce sync.Once - file_google_protobuf_wrappers_proto_rawDescData = file_google_protobuf_wrappers_proto_rawDesc + file_google_protobuf_wrappers_proto_rawDescData []byte ) func file_google_protobuf_wrappers_proto_rawDescGZIP() []byte { file_google_protobuf_wrappers_proto_rawDescOnce.Do(func() { - file_google_protobuf_wrappers_proto_rawDescData = protoimpl.X.CompressGZIP(file_google_protobuf_wrappers_proto_rawDescData) + file_google_protobuf_wrappers_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_google_protobuf_wrappers_proto_rawDesc), len(file_google_protobuf_wrappers_proto_rawDesc))) }) return file_google_protobuf_wrappers_proto_rawDescData } @@ -606,7 +607,7 @@ func file_google_protobuf_wrappers_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_google_protobuf_wrappers_proto_rawDesc, + RawDescriptor: unsafe.Slice(unsafe.StringData(file_google_protobuf_wrappers_proto_rawDesc), len(file_google_protobuf_wrappers_proto_rawDesc)), NumEnums: 0, NumMessages: 9, NumExtensions: 0, @@ -617,7 +618,6 @@ func file_google_protobuf_wrappers_proto_init() { MessageInfos: file_google_protobuf_wrappers_proto_msgTypes, }.Build() File_google_protobuf_wrappers_proto = out.File - file_google_protobuf_wrappers_proto_rawDesc = nil file_google_protobuf_wrappers_proto_goTypes = nil file_google_protobuf_wrappers_proto_depIdxs = nil } diff --git a/vendor/modules.txt b/vendor/modules.txt index 4303080860..e424e8a57b 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -1,4 +1,4 @@ -# cel.dev/expr v0.18.0 +# cel.dev/expr v0.19.1 ## explicit; go 1.21.1 cel.dev/expr # dario.cat/mergo v1.0.1 @@ -52,11 +52,12 @@ github.com/chai2010/gettext-go github.com/chai2010/gettext-go/mo github.com/chai2010/gettext-go/plural github.com/chai2010/gettext-go/po -# github.com/cilium/charts v0.0.0-20250122005123-9aa3c2db578d +# github.com/cilium/charts v0.0.0-20250204154402-8a35f8210901 ## explicit; go 1.17 github.com/cilium/charts -# github.com/cilium/cilium v1.17.0-pre.3.0.20250129155153-a50d083bc18f +# github.com/cilium/cilium v1.17.0-pre.3.0.20250218164107-47d3a25180a2 ## explicit; go 1.23.0 +github.com/cilium/cilium github.com/cilium/cilium/api/v1/client github.com/cilium/cilium/api/v1/client/bgp github.com/cilium/cilium/api/v1/client/daemon @@ -263,7 +264,7 @@ github.com/cilium/ebpf/internal/testutils/fdtrace github.com/cilium/ebpf/internal/tracefs github.com/cilium/ebpf/internal/unix github.com/cilium/ebpf/link -# github.com/cilium/hive v0.0.0-20250121145729-e67f66eb0375 +# github.com/cilium/hive v0.0.0-20250217113459-914947d44393 ## explicit; go 1.21.3 github.com/cilium/hive github.com/cilium/hive/cell @@ -271,7 +272,7 @@ github.com/cilium/hive/internal github.com/cilium/hive/job github.com/cilium/hive/script github.com/cilium/hive/script/internal/diff -# github.com/cilium/proxy v0.0.0-20241219105110-b2e1bb5839df +# github.com/cilium/proxy v0.0.0-20250214115704-3e4b99dc5d1f ## explicit; go 1.23 github.com/cilium/proxy/go/cilium/api github.com/cilium/proxy/go/envoy/admin/v3 @@ -552,7 +553,7 @@ github.com/cilium/proxy/go/envoy/type/tracing/v3 github.com/cilium/proxy/go/envoy/type/v3 github.com/cilium/proxy/go/envoy/watchdog/v3 github.com/cilium/proxy/pkg/policy/api/kafka -# github.com/cilium/statedb v0.3.5 +# github.com/cilium/statedb v0.3.6 ## explicit; go 1.23 github.com/cilium/statedb github.com/cilium/statedb/index 
@@ -587,7 +588,7 @@ github.com/cloudflare/cfssl/signer github.com/cloudflare/cfssl/signer/local github.com/cloudflare/cfssl/signer/remote github.com/cloudflare/cfssl/signer/universal -# github.com/cncf/xds/go v0.0.0-20241213214725-57cfbe6fad57 +# github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 ## explicit; go 1.19 github.com/cncf/xds/go/udpa/annotations github.com/cncf/xds/go/xds/annotations/v3 @@ -678,10 +679,10 @@ github.com/docker/go-metrics ## explicit; go 1.13 github.com/emicklei/go-restful/v3 github.com/emicklei/go-restful/v3/log -# github.com/envoyproxy/protoc-gen-validate v1.1.0 -## explicit; go 1.19 +# github.com/envoyproxy/protoc-gen-validate v1.2.1 +## explicit; go 1.21.1 github.com/envoyproxy/protoc-gen-validate/validate -# github.com/evanphx/json-patch v5.9.0+incompatible +# github.com/evanphx/json-patch v5.9.11+incompatible ## explicit github.com/evanphx/json-patch # github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f @@ -870,6 +871,9 @@ github.com/hashicorp/hcl/hcl/token github.com/hashicorp/hcl/json/parser github.com/hashicorp/hcl/json/scanner github.com/hashicorp/hcl/json/token +# github.com/hmarr/codeowners v1.2.1 +## explicit; go 1.18 +github.com/hmarr/codeowners # github.com/huandu/xstrings v1.5.0 ## explicit; go 1.12 github.com/huandu/xstrings @@ -983,7 +987,7 @@ github.com/opencontainers/image-spec/specs-go/v1 github.com/opentracing/opentracing-go github.com/opentracing/opentracing-go/ext github.com/opentracing/opentracing-go/log -# github.com/osrg/gobgp/v3 v3.33.0 +# github.com/osrg/gobgp/v3 v3.34.0 ## explicit; go 1.22.7 github.com/osrg/gobgp/v3/pkg/packet/bgp # github.com/pelletier/go-toml v1.9.5 @@ -1071,7 +1075,7 @@ github.com/spf13/cast # github.com/spf13/cobra v1.8.1 ## explicit; go 1.15 github.com/spf13/cobra -# github.com/spf13/pflag v1.0.6-0.20250109003754-5ca813443bd2 +# github.com/spf13/pflag v1.0.6 ## explicit; go 1.12 github.com/spf13/pflag # github.com/spf13/viper v1.19.0 
@@ -1089,7 +1093,7 @@ github.com/spf13/viper/internal/features # github.com/subosito/gotenv v1.6.0 ## explicit; go 1.18 github.com/subosito/gotenv -# github.com/vishvananda/netlink v1.3.1-0.20250121061148-364253875734 +# github.com/vishvananda/netlink v1.3.1-0.20250209162617-655392bc778a ## explicit; go 1.12 github.com/vishvananda/netlink github.com/vishvananda/netlink/nl @@ -1138,7 +1142,7 @@ github.com/zmap/zlint/v3/lints/etsi github.com/zmap/zlint/v3/lints/mozilla github.com/zmap/zlint/v3/lints/rfc github.com/zmap/zlint/v3/util -# go.etcd.io/etcd/api/v3 v3.5.17 +# go.etcd.io/etcd/api/v3 v3.5.18 ## explicit; go 1.22 go.etcd.io/etcd/api/v3/authpb go.etcd.io/etcd/api/v3/etcdserverpb @@ -1146,13 +1150,13 @@ go.etcd.io/etcd/api/v3/membershippb go.etcd.io/etcd/api/v3/mvccpb go.etcd.io/etcd/api/v3/v3rpc/rpctypes go.etcd.io/etcd/api/v3/version -# go.etcd.io/etcd/client/pkg/v3 v3.5.17 +# go.etcd.io/etcd/client/pkg/v3 v3.5.18 ## explicit; go 1.22 go.etcd.io/etcd/client/pkg/v3/logutil go.etcd.io/etcd/client/pkg/v3/systemd go.etcd.io/etcd/client/pkg/v3/tlsutil go.etcd.io/etcd/client/pkg/v3/types -# go.etcd.io/etcd/client/v3 v3.5.17 +# go.etcd.io/etcd/client/v3 v3.5.18 ## explicit; go 1.22 go.etcd.io/etcd/client/v3 go.etcd.io/etcd/client/v3/concurrency @@ -1206,8 +1210,8 @@ go.opentelemetry.io/otel/metric/noop go.opentelemetry.io/otel/trace go.opentelemetry.io/otel/trace/embedded go.opentelemetry.io/otel/trace/noop -# go.opentelemetry.io/proto/otlp v1.4.0 -## explicit; go 1.22.7 +# go.opentelemetry.io/proto/otlp v1.5.0 +## explicit; go 1.22.0 go.opentelemetry.io/proto/otlp/common/v1 # go.uber.org/dig v1.17.1 ## explicit; go 1.20 @@ -1234,7 +1238,7 @@ go.uber.org/zap/zapgrpc # go4.org/netipx v0.0.0-20231129151722-fdeea329fbba ## explicit; go 1.18 go4.org/netipx -# golang.org/x/crypto v0.32.0 +# golang.org/x/crypto v0.33.0 ## explicit; go 1.20 golang.org/x/crypto/bcrypt golang.org/x/crypto/blowfish 
@@ -1261,7 +1265,7 @@ golang.org/x/exp/slices golang.org/x/exp/slog golang.org/x/exp/slog/internal golang.org/x/exp/slog/internal/buffer -# golang.org/x/net v0.34.0 +# golang.org/x/net v0.35.0 ## explicit; go 1.18 golang.org/x/net/context/ctxhttp golang.org/x/net/html @@ -1270,30 +1274,31 @@ golang.org/x/net/http/httpguts golang.org/x/net/http2 golang.org/x/net/http2/hpack golang.org/x/net/idna +golang.org/x/net/internal/httpcommon golang.org/x/net/internal/socks golang.org/x/net/internal/timeseries golang.org/x/net/proxy golang.org/x/net/trace golang.org/x/net/websocket -# golang.org/x/oauth2 v0.25.0 +# golang.org/x/oauth2 v0.26.0 ## explicit; go 1.18 golang.org/x/oauth2 golang.org/x/oauth2/internal -# golang.org/x/sync v0.10.0 +# golang.org/x/sync v0.11.0 ## explicit; go 1.18 golang.org/x/sync/errgroup golang.org/x/sync/semaphore golang.org/x/sync/singleflight -# golang.org/x/sys v0.29.0 +# golang.org/x/sys v0.30.0 ## explicit; go 1.18 golang.org/x/sys/execabs golang.org/x/sys/plan9 golang.org/x/sys/unix golang.org/x/sys/windows -# golang.org/x/term v0.28.0 +# golang.org/x/term v0.29.0 ## explicit; go 1.18 golang.org/x/term -# golang.org/x/text v0.21.0 +# golang.org/x/text v0.22.0 ## explicit; go 1.18 golang.org/x/text/encoding golang.org/x/text/encoding/internal 
@@ -1305,21 +1310,21 @@ golang.org/x/text/secure/bidirule golang.org/x/text/transform golang.org/x/text/unicode/bidi golang.org/x/text/unicode/norm -# golang.org/x/time v0.9.0 +# golang.org/x/time v0.10.0 ## explicit; go 1.18 golang.org/x/time/rate -# golang.org/x/tools v0.29.0 +# golang.org/x/tools v0.30.0 ## explicit; go 1.22.0 golang.org/x/tools/txtar -# google.golang.org/genproto/googleapis/api v0.0.0-20241216192217-9240e9c98484 -## explicit; go 1.21 +# google.golang.org/genproto/googleapis/api v0.0.0-20250207221924-e9438ea467c6 +## explicit; go 1.22 google.golang.org/genproto/googleapis/api google.golang.org/genproto/googleapis/api/annotations google.golang.org/genproto/googleapis/api/expr/v1alpha1 -# google.golang.org/genproto/googleapis/rpc v0.0.0-20250122153221-138b5a5a4fd4 +# google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6 ## explicit; go 1.22 google.golang.org/genproto/googleapis/rpc/status -# google.golang.org/grpc v1.69.4 +# google.golang.org/grpc v1.70.0 ## explicit; go 1.22 google.golang.org/grpc google.golang.org/grpc/attributes @@ -1379,7 +1384,7 @@ google.golang.org/grpc/serviceconfig google.golang.org/grpc/stats google.golang.org/grpc/status google.golang.org/grpc/tap -# google.golang.org/protobuf v1.36.3 +# google.golang.org/protobuf v1.36.5 ## explicit; go 1.21 google.golang.org/protobuf/encoding/protodelim google.golang.org/protobuf/encoding/protojson @@ -1477,7 +1482,7 @@ helm.sh/helm/v3/pkg/strvals helm.sh/helm/v3/pkg/time helm.sh/helm/v3/pkg/time/ctime helm.sh/helm/v3/pkg/uploader -# k8s.io/api v0.32.1 +# k8s.io/api v0.32.2 ## explicit; go 1.23.0 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 
@@ -1538,7 +1543,7 @@ k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 k8s.io/api/storagemigration/v1alpha1 -# k8s.io/apiextensions-apiserver v0.32.1 +# k8s.io/apiextensions-apiserver v0.32.2 ## explicit; go 1.23.0 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 @@ -1554,7 +1559,7 @@ k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextension k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1/fake k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1 k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1/fake -# k8s.io/apimachinery v0.32.1 +# k8s.io/apimachinery v0.32.2 ## explicit; go 1.23.0 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors @@ -1619,16 +1624,16 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v0.32.1 +# k8s.io/apiserver v0.32.2 ## explicit; go 1.23.0 k8s.io/apiserver/pkg/endpoints/deprecation -# k8s.io/cli-runtime v0.32.1 +# k8s.io/cli-runtime v0.32.2 ## explicit; go 1.23.0 k8s.io/cli-runtime/pkg/genericclioptions k8s.io/cli-runtime/pkg/genericiooptions k8s.io/cli-runtime/pkg/printers k8s.io/cli-runtime/pkg/resource -# k8s.io/client-go v0.32.1 +# k8s.io/client-go v0.32.2 ## explicit; go 1.23.0 k8s.io/client-go/applyconfigurations k8s.io/client-go/applyconfigurations/admissionregistration/v1 @@ -1856,7 +1861,7 @@ k8s.io/client-go/util/keyutil k8s.io/client-go/util/retry k8s.io/client-go/util/watchlist k8s.io/client-go/util/workqueue -# k8s.io/component-base v0.32.1 +# k8s.io/component-base v0.32.2 ## explicit; go 1.23.0 k8s.io/component-base/version # k8s.io/klog/v2 v2.130.1 
@@ -1880,7 +1885,7 @@ k8s.io/kube-openapi/pkg/spec3 k8s.io/kube-openapi/pkg/util/proto k8s.io/kube-openapi/pkg/util/proto/validation k8s.io/kube-openapi/pkg/validation/spec -# k8s.io/kubectl v0.32.1 +# k8s.io/kubectl v0.32.2 ## explicit; go 1.23.0 k8s.io/kubectl/pkg/cmd/util k8s.io/kubectl/pkg/scheme @@ -2007,7 +2012,7 @@ sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field sigs.k8s.io/kustomize/kyaml/yaml/merge2 sigs.k8s.io/kustomize/kyaml/yaml/schema sigs.k8s.io/kustomize/kyaml/yaml/walk -# sigs.k8s.io/mcs-api v0.1.1-0.20250116162235-62ede9a032dc +# sigs.k8s.io/mcs-api v0.1.1-0.20250129110323-a7986579439f ## explicit; go 1.23.0 sigs.k8s.io/mcs-api/pkg/apis/v1alpha1 sigs.k8s.io/mcs-api/pkg/client/clientset/versioned