Merge pull request #864 from l1b0k/feat/policy

feature: update cilium

Author: BSWANG

deploy/images/policy/Dockerfile

@@ -22,7 +22,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     ( ! $(readelf -d bin/calico-felix | grep -q NEEDED) || ( echo "Error: bin/calico-felix was not statically linked"; false )) \
     && chmod +x /go/src/github.com/projectcalico/calico/bin/calico-felix
 
-FROM --platform=$TARGETPLATFORM quay.io/cilium/cilium-builder:86e436425fc11708b65423805e3b9939071e55e9@sha256:a440f8ca734205b5d61a483f0ac99aaf758ba89f1d2a8892219b6c0f8c475695 as cilium-builder
+FROM --platform=$TARGETPLATFORM quay.io/cilium/cilium-builder:0aa9ec56fe2df313baa592994c1e4dd2a6a38f96@sha256:d5df105dbf3362be00cb88ba8f517d54b3a272e71f7b3e9be38690b48e23149e as cilium-builder
 ARG GOPROXY
 ENV GOPROXY=$GOPROXY
 ARG CILIUM_SHA=""
@@ -31,8 +31,8 @@ LABEL cilium-sha=${CILIUM_SHA}
 LABEL maintainer="maintainer@cilium.io"
 WORKDIR /go/src/github.com/cilium
 RUN rm -rf cilium
-ENV GIT_TAG=v1.16.8
-ENV GIT_COMMIT=dc65ba9bb5f8201e0f51babfb6e7a02de2527460
+ENV GIT_TAG=v1.16.12
+ENV GIT_COMMIT=a66093957f9614320e5d7364615235209b757c55
 RUN git clone -b $GIT_TAG --depth 1 https://github.com/cilium/cilium.git && \
     cd cilium && git config --global user.email terway && git config --global user.name terway && \
     [ "`git rev-parse HEAD`" = "${GIT_COMMIT}" ]

deploy/images/terway-controlplane/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1-labs
-ARG TERWAY_POLICY_IMAGE=registry-cn-zhangjiakou.ack.aliyuncs.com/acs/terway:policy-9715d7d1@sha256:638ae096605ebd9f6a8a75b535aa9eab8cbdf6e3c9a1ad7420c70621c9890062
+ARG TERWAY_POLICY_IMAGE=registry-cn-zhangjiakou.ack.aliyuncs.com/acs/terway:policy-ce3481dc@sha256:b94ada7d627f9bba4a0d8638d05f630a9f6a9a04c47a6a9953c2abfa674ccaeb
 
 FROM --platform=$TARGETPLATFORM ${TERWAY_POLICY_IMAGE} AS policy-dist
 

deploy/images/terway/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1-labs
-ARG TERWAY_POLICY_IMAGE=registry-cn-zhangjiakou.ack.aliyuncs.com/acs/terway:policy-9715d7d1@sha256:638ae096605ebd9f6a8a75b535aa9eab8cbdf6e3c9a1ad7420c70621c9890062
+ARG TERWAY_POLICY_IMAGE=registry-cn-zhangjiakou.ack.aliyuncs.com/acs/terway:policy-ce3481dc@sha256:b94ada7d627f9bba4a0d8638d05f630a9f6a9a04c47a6a9953c2abfa674ccaeb
 ARG UBUNTU_IMAGE=registry.cn-hangzhou.aliyuncs.com/acs/ubuntu:22.04-update
 ARG CILIUM_IPROUTE2_IMAGE=quay.io/cilium/cilium-iproute2:3570d58349efb2d6b0342369a836998c93afd291@sha256:1abcd7a5d2117190ab2690a163ee9cd135bc9e4cf8a4df662a8f993044c79342
 ARG CILIUM_LLVM_IMAGE=quay.io/cilium/cilium-llvm:9f1bfe736009afb1fbb562718bbc42ea07d37d8e@sha256:a666a7a01a2dc610c3ab6e32f25ca5e294201f3cbbc01f233320c527955deee3

policy/cilium/0001-cni-add-terway-cni.patch

@@ -40,7 +40,7 @@ Signed-off-by: l1b0k <libokang.dev@gmail.com>
  create mode 100644 plugins/cilium-cni/chaining/terway/terway.go
 
 diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c
-index 0b5ea843a3..27de726b02 100644
+index a32930a316..e22aacfe91 100644
 --- a/bpf/bpf_host.c
 +++ b/bpf/bpf_host.c
 @@ -1365,7 +1365,7 @@ int cil_to_netdev(struct __ctx_buff *ctx __maybe_unused)
@@ -52,7 +52,7 @@ index 0b5ea843a3..27de726b02 100644
  	__s8 ext_err = 0;
 
  	bpf_clear_meta(ctx);
-@@ -1613,6 +1613,10 @@ exit:
+@@ -1615,6 +1615,10 @@ exit:
  			  TRACE_EP_ID_UNKNOWN,
  			  NATIVE_DEV_IFINDEX, trace.reason, trace.monitor);
 
@@ -64,7 +64,7 @@ index 0b5ea843a3..27de726b02 100644
 
  drop_err:
 diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
-index 36ecfde895..fd46558a86 100644
+index 5356061a23..d8871026d5 100644
 --- a/bpf/bpf_lxc.c
 +++ b/bpf/bpf_lxc.c
 @@ -688,9 +688,18 @@ ct_recreate6:
@@ -88,7 +88,7 @@ index 36ecfde895..fd46558a86 100644
  		if (fib_ok(ret))
  			send_trace_notify(ctx, TRACE_TO_NETWORK, SECLABEL_IPV6,
  					  *dst_sec_identity, TRACE_EP_ID_UNKNOWN, oif,
-@@ -1251,9 +1260,18 @@ skip_vtep:
+@@ -1255,9 +1264,18 @@ skip_vtep:
 
  maybe_pass_to_stack: __maybe_unused;
  	if (is_defined(ENABLE_HOST_ROUTING)) {
@@ -109,7 +109,7 @@ index 36ecfde895..fd46558a86 100644
  		if (fib_ok(ret))
  			send_trace_notify(ctx, TRACE_TO_NETWORK, SECLABEL_IPV4,
  					  *dst_sec_identity, TRACE_EP_ID_UNKNOWN, oif,
-@@ -1460,17 +1478,32 @@ int cil_from_container(struct __ctx_buff *ctx)
+@@ -1468,17 +1486,32 @@ int cil_from_container(struct __ctx_buff *ctx)
  		goto out;
  	}
 
@@ -794,7 +794,7 @@ index 0000000000..16d42d2e7b
 +	return ep.eniIndex
 +}
 diff --git a/pkg/option/config.go b/pkg/option/config.go
-index 29683dbd5a..2e9be9f766 100644
+index 0fbbdeb7f0..e38fd79cdb 100644
 --- a/pkg/option/config.go
 +++ b/pkg/option/config.go
 @@ -40,6 +40,7 @@ import (

policy/cilium/0002-bypass-the-node-local-dns-ip.patch

@@ -9,7 +9,7 @@ Signed-off-by: l1b0k <libokang.dev@gmail.com>
  1 file changed, 5 insertions(+)
 
 diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
-index fd46558a86..0701bddf5e 100644
+index d8871026d5..f7b44be648 100644
 --- a/bpf/bpf_lxc.c
 +++ b/bpf/bpf_lxc.c
 @@ -14,6 +14,7 @@
@@ -20,7 +20,7 @@ index fd46558a86..0701bddf5e 100644
 
  #include "lib/auth.h"
  #include "lib/tailcall.h"
-@@ -1265,6 +1266,10 @@ maybe_pass_to_stack: __maybe_unused;
+@@ -1269,6 +1270,10 @@ maybe_pass_to_stack: __maybe_unused;
  #else
  		int oif = 0;
  #endif

policy/cilium/0003-cep-optimize-cep-watch.patch

@@ -72,10 +72,10 @@ index 495cd217e6..33cb1e6021 100644
  							Status: *mdl,
  						}
 diff --git a/pkg/k8s/resource_ctors.go b/pkg/k8s/resource_ctors.go
-index 809d13a776..49a7633460 100644
+index f4e63e5736..e835b21447 100644
 --- a/pkg/k8s/resource_ctors.go
 +++ b/pkg/k8s/resource_ctors.go
-@@ -9,10 +9,13 @@ import (
+@@ -10,10 +10,13 @@ import (
 
  	"github.com/cilium/cilium/pkg/allocator"
  	"github.com/cilium/cilium/pkg/identity/key"
@@ -89,7 +89,7 @@ index 809d13a776..49a7633460 100644
  	k8sRuntime "k8s.io/apimachinery/pkg/runtime"
  	"k8s.io/apimachinery/pkg/watch"
  	"k8s.io/client-go/tools/cache"
-@@ -397,14 +400,24 @@ func transformEndpoint(obj any) (any, error) {
+@@ -401,14 +404,24 @@ func transformEndpoint(obj any) (any, error) {
  // to initialize it before the first access.
  // To reflect this, the node.LocalNodeStore dependency is explicitly requested in the function
  // signature.

policy/cilium/0004-lb-enable-in-cluster-load-balancer.patch

@@ -12,7 +12,7 @@ Signed-off-by: l1b0k <libokang.dev@gmail.com>
  4 files changed, 13 insertions(+), 3 deletions(-)
 
 diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
-index 0701bddf5e..c35ed9dc60 100644
+index f7b44be648..f592d55336 100644
 --- a/bpf/bpf_lxc.c
 +++ b/bpf/bpf_lxc.c
 @@ -98,7 +98,7 @@ static __always_inline int __per_packet_lb_svc_xlate_4(void *ctx, struct iphdr *
@@ -61,7 +61,7 @@ index 486d4669c6..9e453da546 100644
  		k8sLoadBalancerIPs = parseIPs(loadBalancerIPs)
  	} else if option.Config.BGPAnnounceLBIP {
 diff --git a/pkg/option/config.go b/pkg/option/config.go
-index 2e9be9f766..4abd5c38ff 100644
+index e38fd79cdb..854fd4abc5 100644
 --- a/pkg/option/config.go
 +++ b/pkg/option/config.go
 @@ -245,6 +245,9 @@ const (

policy/cilium/0005-deprecated-disable-per-package-lb.patch

@@ -11,7 +11,7 @@ Signed-off-by: l1b0k <libokang.dev@gmail.com>
  3 files changed, 14 insertions(+), 2 deletions(-)
 
 diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
-index c35ed9dc60..b6c5359ddb 100644
+index f592d55336..dab62a1026 100644
 --- a/bpf/bpf_lxc.c
 +++ b/bpf/bpf_lxc.c
 @@ -62,11 +62,12 @@
@@ -53,7 +53,7 @@ index 0db9f8a1fa..28ff4c121f 100644
  	cDefinesMap["HOST_ID"] = fmt.Sprintf("%d", identity.GetReservedID(labels.IDNameHost))
  	cDefinesMap["WORLD_ID"] = fmt.Sprintf("%d", identity.GetReservedID(labels.IDNameWorld))
 diff --git a/pkg/option/config.go b/pkg/option/config.go
-index 4abd5c38ff..87f4fe20dd 100644
+index 854fd4abc5..33d18ab335 100644
 --- a/pkg/option/config.go
 +++ b/pkg/option/config.go
 @@ -1233,6 +1233,8 @@ const (

policy/cilium/0009-bandwidth-support-ingress-QoS-using-eBPF-token-bucke.patch

@@ -75,7 +75,7 @@ index 4916cc7668..abafd6b01e 100644
  add_type(struct egress_gw_policy_entry);
  add_type(struct vtep_key);
 diff --git a/bpf/lib/common.h b/bpf/lib/common.h
-index 3e93b47cc2..7b32f32756 100644
+index b5647166db..e16e3f52cf 100644
 --- a/bpf/lib/common.h
 +++ b/bpf/lib/common.h
 @@ -352,6 +352,17 @@ struct edt_info {

policy/cilium/0011-fix-viper-flag.patch

@@ -9,7 +9,7 @@ Signed-off-by: l1b0k <libokang.dev@gmail.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/pkg/option/config.go b/pkg/option/config.go
-index 87f4fe20dd..8107f94de4 100644
+index 33d18ab335..120d749348 100644
 --- a/pkg/option/config.go
 +++ b/pkg/option/config.go
 @@ -3063,7 +3063,7 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {