Merge pull request #455 from l1b0k/update_12

policy: update cilium to 1.12.4

Author: BSWANG

Dockerfile

@@ -1,4 +1,4 @@
-ARG TERWAY_POLICY_IMAGE=registry.cn-hongkong.aliyuncs.com/acs/terway:policy-20221118-d172822@sha256:903a69c6cd344017b009b34d59ef4ef7499614298034cbed939a6cf7303dc1f2
+ARG TERWAY_POLICY_IMAGE=registry.cn-hongkong.aliyuncs.com/acs/terway:policy-20221222-2ecf844@sha256:271c05807fdfe444eb803f3f82b173aec99ac459fc53aff0de160708e6d8a4a9
 ARG CILIUM_LLVM_IMAGE=quay.io/cilium/cilium-llvm:547db7ec9a750b8f888a506709adb41f135b952e@sha256:4d6fa0aede3556c5fb5a9c71bc6b9585475ac9b1064f516d4c45c8fb691c9d9e
 ARG CILIUM_BPFTOOL_IMAGE=quay.io/cilium/cilium-bpftool:78448c1a37ff2b790d5e25c3d8b8ec3e96e6405f@sha256:99a9453a921a8de99899ef82e0822f0c03f65d97005c064e231c06247ad8597d
 ARG CILIUM_IPROUTE2_IMAGE=quay.io/cilium/cilium-iproute2:3570d58349efb2d6b0342369a836998c93afd291@sha256:1abcd7a5d2117190ab2690a163ee9cd135bc9e4cf8a4df662a8f993044c79342

Dockerfile.policy

@@ -18,16 +18,16 @@ RUN cd /go/src/github.com/projectcalico/felix && \
     ( ! $(readelf -d bin/calico-felix | grep -q NEEDED) || ( echo "Error: bin/calico-felix was not statically linked"; false )) \
     && chmod +x /go/src/github.com/projectcalico/felix/bin/calico-felix
 
-FROM --platform=$TARGETPLATFORM quay.io/cilium/cilium-builder:203448b6efdbcff0fa9c00a082ae1b802047c6f9@sha256:32dda3d71a1f9259a69f72e46d689eb6b3d27a5cf4858f7a10be632ceb51fbdd as cilium-builder
+FROM --platform=$TARGETPLATFORM quay.io/cilium/cilium-builder:f3ff491f1fb923136b8b5276fafd9d2ee460a265@sha256:764cc4a2ee14cdf57be3d4dbce132baa0fd7e62379ef6f6c05f3db4a7ccd64ba   as cilium-builder
 ARG GOPROXY
 ENV GOPROXY $GOPROXY
 ARG CILIUM_SHA=""
 LABEL cilium-sha=${CILIUM_SHA}
 LABEL maintainer="maintainer@cilium.io"
 WORKDIR /go/src/github.com/cilium
 RUN rm -rf cilium
-ENV GIT_TAG=v1.12.1
-ENV GIT_COMMIT=4c9a6302c9423e821c00930ca00f8eb6a34e9313
+ENV GIT_TAG=v1.12.4
+ENV GIT_COMMIT=6eaecaf87e165f7551fcf560f2ff8968e5056fe2
 RUN git clone -b $GIT_TAG --depth 1 https://github.com/cilium/cilium.git && \
     cd cilium && \
     [ "`git rev-parse HEAD`" = "${GIT_COMMIT}" ]

policy/cilium/0001-cilium-terway-datapath.patch

@@ -20,10 +20,10 @@ Signed-off-by: l1b0k <libokang.dev@gmail.com>
  create mode 100644 plugins/cilium-cni/chaining/terway/terway.go
 
 diff --git a/daemon/cmd/endpoint.go b/daemon/cmd/endpoint.go
-index af6fb5f52f..7fce43739a 100644
+index 9605f8ad3f..02137811e4 100644
 --- a/daemon/cmd/endpoint.go
 +++ b/daemon/cmd/endpoint.go
-@@ -440,6 +440,12 @@ func (d *Daemon) createEndpoint(ctx context.Context, owner regeneration.Owner, e
+@@ -442,6 +442,12 @@ func (d *Daemon) createEndpoint(ctx context.Context, owner regeneration.Owner, e
  		return d.errorDuringCreation(ep, fmt.Errorf("unable to insert endpoint into manager: %s", err))
  	}
 
@@ -261,7 +261,7 @@ index f39d064078..0865a8451d 100644
  func (ep *epInfoCache) IPv4Address() addressing.CiliumIPv4 {
  	return ep.ipv4
 diff --git a/pkg/endpoint/endpoint.go b/pkg/endpoint/endpoint.go
-index f8314e71a5..e878937435 100644
+index 605d178beb..916c3f72b7 100644
 --- a/pkg/endpoint/endpoint.go
 +++ b/pkg/endpoint/endpoint.go
 @@ -19,6 +19,7 @@ import (
@@ -325,7 +325,7 @@ index f8314e71a5..e878937435 100644
  	return e.ifName
  }
 
-@@ -2099,6 +2118,32 @@ func (e *Endpoint) IsDisconnecting() bool {
+@@ -2100,6 +2119,32 @@ func (e *Endpoint) IsDisconnecting() bool {
  	return e.state == StateDisconnected || e.state == StateDisconnecting
  }
 
@@ -359,18 +359,18 @@ index f8314e71a5..e878937435 100644
  	e.buildMutex.Lock()
  	defer e.buildMutex.Unlock()
 diff --git a/pkg/endpoint/restore.go b/pkg/endpoint/restore.go
-index d70bf02375..c26f366e9e 100644
+index 97f2b1a910..ba905543f0 100644
 --- a/pkg/endpoint/restore.go
 +++ b/pkg/endpoint/restore.go
-@@ -381,6 +381,7 @@ func (e *Endpoint) toSerializedEndpoint() *serializableEndpoint {
+@@ -383,6 +383,7 @@ func (e *Endpoint) toSerializedEndpoint() *serializableEndpoint {
  		ContainerID:           e.containerID,
  		DockerNetworkID:       e.dockerNetworkID,
  		DockerEndpointID:      e.dockerEndpointID,
 +		DatapathMapID:         e.datapathMapID,
  		IfName:                e.ifName,
  		IfIndex:               e.ifIndex,
  		OpLabels:              e.OpLabels,
-@@ -429,6 +430,9 @@ type serializableEndpoint struct {
+@@ -431,6 +432,9 @@ type serializableEndpoint struct {
  	// libnetwork
  	DockerEndpointID string
 
@@ -380,7 +380,7 @@ index d70bf02375..c26f366e9e 100644
  	// ifName is the name of the host facing interface (veth pair) which
  	// connects into the endpoint
  	IfName string
-@@ -516,6 +520,7 @@ func (ep *Endpoint) fromSerializedEndpoint(r *serializableEndpoint) {
+@@ -518,6 +522,7 @@ func (ep *Endpoint) fromSerializedEndpoint(r *serializableEndpoint) {
  	ep.containerID = r.ContainerID
  	ep.dockerNetworkID = r.DockerNetworkID
  	ep.dockerEndpointID = r.DockerEndpointID
@@ -730,5 +730,5 @@ index 5eca17daeb..1ee2227373 100644
  )
 
 -- 
-2.37.3
+2.39.0
 

policy/cilium/0002-overwrite-endpoint-when-conflicting.patch

@@ -9,10 +9,10 @@ Signed-off-by: l1b0k <libokang.dev@gmail.com>
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/daemon/cmd/endpoint.go b/daemon/cmd/endpoint.go
-index 7fce43739a..57776f0f1d 100644
+index 02137811e4..6399bb770f 100644
 --- a/daemon/cmd/endpoint.go
 +++ b/daemon/cmd/endpoint.go
-@@ -355,7 +355,9 @@ func (d *Daemon) createEndpoint(ctx context.Context, owner regeneration.Owner, e
+@@ -357,7 +357,9 @@ func (d *Daemon) createEndpoint(ctx context.Context, owner regeneration.Owner, e
  		if err != nil {
  			return invalidDataError(ep, err)
  		} else if oldEp != nil {
@@ -24,5 +24,5 @@ index 7fce43739a..57776f0f1d 100644
  	}
 
 -- 
-2.37.3
+2.39.0
 

policy/cilium/0003-run-operator.patch

@@ -5,13 +5,13 @@ Subject: [PATCH] run operator
 
 Signed-off-by: l1b0k <libokang.dev@gmail.com>
 ---
- daemon/cmd/daemon_main.go |  22 ++--
+ daemon/cmd/daemon_main.go |  25 +++--
  operator/Makefile         |   2 +-
- operator/main.go          | 218 --------------------------------------
- 3 files changed, 16 insertions(+), 226 deletions(-)
+ operator/main.go          | 219 --------------------------------------
+ 3 files changed, 19 insertions(+), 227 deletions(-)
 
 diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
-index 14daa753ef..3880abdd9c 100644
+index 8948ece323..7ca1c4af6e 100644
 --- a/daemon/cmd/daemon_main.go
 +++ b/daemon/cmd/daemon_main.go
 @@ -14,13 +14,6 @@ import (
@@ -49,11 +49,14 @@ index 14daa753ef..3880abdd9c 100644
  )
 
  const (
-@@ -1613,6 +1613,14 @@ func (d *Daemon) initKVStore() {
+@@ -1617,6 +1617,17 @@ func (d *Daemon) initKVStore() {
  }
 
  func runDaemon() {
 +	go func() {
++		if os.Getenv("DISABLE_CILIUM_OPERATOR") == "true" {
++			return
++		}
 +		cmd := exec.CommandContext(server.ServerCtx, "cilium-operator-generic", "--skip-crd-creation", "--k8s-namespace", os.Getenv("CILIUM_K8S_NAMESPACE"), "--identity-gc-interval", "10m", "--identity-heartbeat-timeout", "20m")
 +		cmd.Stdout = os.Stdout
 +		cmd.Stderr = os.Stderr
@@ -78,7 +81,7 @@ index ebd1285e3d..1710880c84 100644
  cilium-operator-aws: GO_TAGS_FLAGS+=ipam_provider_aws
  cilium-operator-azure: GO_TAGS_FLAGS+=ipam_provider_azure
 diff --git a/operator/main.go b/operator/main.go
-index 803a95322a..9d6c2522a2 100644
+index ac0ad59924..9d6c2522a2 100644
 --- a/operator/main.go
 +++ b/operator/main.go
 @@ -15,29 +15,22 @@ import (
@@ -311,7 +314,7 @@ index 803a95322a..9d6c2522a2 100644
 -		// Once the CiliumNodes are synchronized with the operator we will
 -		// be able to watch for K8s Node events which they will be used
 -		// to create the remaining CiliumNodes.
--		<-k8sCiliumNodesCacheSynced
+-		<-ciliumNodeManagerQueueSynced
 -
 -		// We don't want CiliumNodes that don't have podCIDRs to be
 -		// allocated with a podCIDR already being used by another node.
@@ -326,7 +329,7 @@ index 803a95322a..9d6c2522a2 100644
  	if operatorOption.Config.IdentityGCInterval != 0 {
  		identityRateLimiter = rate.NewLimiter(
  			operatorOption.Config.IdentityGCRateInterval,
-@@ -566,30 +372,6 @@ func onOperatorStartLeading(ctx context.Context) {
+@@ -566,31 +372,6 @@ func onOperatorStartLeading(ctx context.Context) {
  		enableCiliumEndpointSyncGC(true)
  	}
 
@@ -346,7 +349,8 @@ index 803a95322a..9d6c2522a2 100644
 -		ingressController, err := ingress.NewIngressController(
 -			ingress.WithHTTPSEnforced(operatorOption.Config.EnforceIngressHTTPS),
 -			ingress.WithSecretsSyncEnabled(operatorOption.Config.EnableIngressSecretsSync),
--			ingress.WithSecretsNamespace(operatorOption.Config.IngressSecretsNamespace))
+-			ingress.WithSecretsNamespace(operatorOption.Config.IngressSecretsNamespace),
+-			ingress.WithLBAnnotationPrefixes(operatorOption.Config.IngressLBAnnotationPrefixes))
 -		if err != nil {
 -			log.WithError(err).WithField(logfields.LogSubsys, ingress.Subsys).Fatal(
 -				"Failed to start ingress controller")
@@ -358,5 +362,5 @@ index 803a95322a..9d6c2522a2 100644
 
  	<-shutdownSignal
 -- 
-2.37.3
+2.39.0
 

policy/cilium/0004-adapt-1.10-for-terway.patch

@@ -9,10 +9,10 @@ Signed-off-by: l1b0k <libokang.dev@gmail.com>
  1 file changed, 10 insertions(+), 10 deletions(-)
 
 diff --git a/pkg/option/config.go b/pkg/option/config.go
-index e18af26c48..ca69edd2a5 100644
+index 23c8c8b84c..4fd430f1d1 100644
 --- a/pkg/option/config.go
 +++ b/pkg/option/config.go
-@@ -3155,16 +3155,16 @@ func (c *DaemonConfig) Populate() {
+@@ -3170,16 +3170,16 @@ func (c *DaemonConfig) Populate() {
  		}
  	}
 
@@ -40,5 +40,5 @@ index e18af26c48..ca69edd2a5 100644
  	c.KubeProxyReplacementHealthzBindAddr = viper.GetString(KubeProxyReplacementHealthzBindAddr)
 
 -- 
-2.37.3
+2.39.0
 

policy/cilium/0005-add-flag-to-control-in-cluster-loadBalance.patch

@@ -11,10 +11,10 @@ Signed-off-by: l1b0k <libokang.dev@gmail.com>
  3 files changed, 11 insertions(+), 1 deletion(-)
 
 diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
-index 3880abdd9c..1c979ecb62 100644
+index 7ca1c4af6e..b68980bdae 100644
 --- a/daemon/cmd/daemon_main.go
 +++ b/daemon/cmd/daemon_main.go
-@@ -389,6 +389,9 @@ func initializeFlags() {
+@@ -390,6 +390,9 @@ func initializeFlags() {
  	flags.Bool(option.EnableExternalIPs, defaults.EnableExternalIPs, fmt.Sprintf("Enable k8s service externalIPs feature (requires enabling %s)", option.EnableNodePort))
  	option.BindEnv(option.EnableExternalIPs)
 
@@ -38,7 +38,7 @@ index bbd35f3365..a055344850 100644
  		k8sLoadBalancerIPs = parseIPs(loadBalancerIPs)
  	} else if option.Config.BGPAnnounceLBIP {
 diff --git a/pkg/option/config.go b/pkg/option/config.go
-index ca69edd2a5..0df3422dac 100644
+index 4fd430f1d1..93340bb1c8 100644
 --- a/pkg/option/config.go
 +++ b/pkg/option/config.go
 @@ -244,6 +244,9 @@ const (
@@ -51,7 +51,7 @@ index ca69edd2a5..0df3422dac 100644
  	// EnableSVCSourceRangeCheck enables check of service source range checks
  	EnableSVCSourceRangeCheck = "enable-svc-source-range-check"
 
-@@ -1823,6 +1826,9 @@ type DaemonConfig struct {
+@@ -1826,6 +1829,9 @@ type DaemonConfig struct {
  	// EnableNodePort enables k8s NodePort service implementation in BPF
  	EnableNodePort bool
 
@@ -61,7 +61,7 @@ index ca69edd2a5..0df3422dac 100644
  	// EnableSVCSourceRangeCheck enables check of loadBalancerSourceRanges
  	EnableSVCSourceRangeCheck bool
 
-@@ -2796,6 +2802,7 @@ func (c *DaemonConfig) Populate() {
+@@ -2808,6 +2814,7 @@ func (c *DaemonConfig) Populate() {
  	c.EnableTracing = viper.GetBool(EnableTracing)
  	c.EnableUnreachableRoutes = viper.GetBool(EnableUnreachableRoutes)
  	c.EnableNodePort = viper.GetBool(EnableNodePort)
@@ -70,5 +70,5 @@ index ca69edd2a5..0df3422dac 100644
  	c.EnableHostPort = viper.GetBool(EnableHostPort)
  	c.EnableHostLegacyRouting = viper.GetBool(EnableHostLegacyRouting)
 -- 
-2.37.3
+2.39.0
 

policy/cilium/0006-terway-support-kubelet-health-check.patch

@@ -11,10 +11,10 @@ Signed-off-by: l1b0k <libokang.dev@gmail.com>
  1 file changed, 2 insertions(+), 4 deletions(-)
 
 diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
-index ce5a9f65f5..1bca01a43f 100644
+index 63202a77c3..9a535a4c27 100644
 --- a/bpf/bpf_lxc.c
 +++ b/bpf/bpf_lxc.c
-@@ -1626,8 +1626,7 @@ int tail_ipv6_to_endpoint(struct __ctx_buff *ctx)
+@@ -1628,8 +1628,7 @@ int tail_ipv6_to_endpoint(struct __ctx_buff *ctx)
  				 * as the host. So we can ignore the ipcache
  				 * if it reports the source as HOST_ID.
  				 */
@@ -24,7 +24,7 @@ index ce5a9f65f5..1bca01a43f 100644
  			}
  		}
  		cilium_dbg(ctx, info ? DBG_IP_ID_MAP_SUCCEED6 : DBG_IP_ID_MAP_FAILED6,
-@@ -1968,8 +1967,7 @@ int tail_ipv4_to_endpoint(struct __ctx_buff *ctx)
+@@ -1970,8 +1969,7 @@ int tail_ipv4_to_endpoint(struct __ctx_buff *ctx)
  				 * as the host. So we can ignore the ipcache
  				 * if it reports the source as HOST_ID.
  				 */
@@ -35,5 +35,5 @@ index ce5a9f65f5..1bca01a43f 100644
  		}
  		cilium_dbg(ctx, info ? DBG_IP_ID_MAP_SUCCEED4 : DBG_IP_ID_MAP_FAILED4,
 -- 
-2.37.3
+2.39.0
 

policy/cilium/0007-add-bandwidth-for-terway-ipvlan.patch

@@ -6,14 +6,15 @@ Subject: [PATCH] add bandwidth for terway ipvlan
 Signed-off-by: l1b0k <libokang.dev@gmail.com>
 ---
  bpf/bpf_lxc.c                       | 15 +++++++++++++--
+ pkg/bandwidth/bandwidth.go          | 12 ++++++------
  pkg/datapath/linux/config/config.go |  6 ++++++
- 2 files changed, 19 insertions(+), 2 deletions(-)
+ 3 files changed, 25 insertions(+), 8 deletions(-)
 
 diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
-index 1bca01a43f..9e554506d6 100644
+index 9a535a4c27..b0b2193452 100644
 --- a/bpf/bpf_lxc.c
 +++ b/bpf/bpf_lxc.c
-@@ -1333,17 +1333,28 @@ int handle_xgress(struct __ctx_buff *ctx)
+@@ -1335,17 +1335,28 @@ int handle_xgress(struct __ctx_buff *ctx)
  		goto out;
  	}
 
@@ -44,6 +45,36 @@ index 1bca01a43f..9e554506d6 100644
  		ep_tail_call(ctx, CILIUM_CALL_IPV4_FROM_LXC);
  		ret = DROP_MISSED_TAIL_CALL;
  		break;
+diff --git a/pkg/bandwidth/bandwidth.go b/pkg/bandwidth/bandwidth.go
+index ef652dfce7..b01c94930e 100644
+--- a/pkg/bandwidth/bandwidth.go
++++ b/pkg/bandwidth/bandwidth.go
+@@ -87,11 +87,11 @@ func InitBandwidthManager() {
+ 		return
+ 	}
+ 
+-	if len(option.Config.GetDevices()) == 0 {
+-		log.Warn("BPF bandwidth manager could not detect host devices. Disabling the feature.")
+-		option.Config.EnableBandwidthManager = false
+-		return
+-	}
++	//if len(option.Config.GetDevices()) == 0 {
++	//	log.Warn("BPF bandwidth manager could not detect host devices. Disabling the feature.")
++	//	option.Config.EnableBandwidthManager = false
++	//	return
++	//}
+ 	// Going via host stack will orphan skb->sk, so we do need BPF host
+ 	// routing for it to work properly.
+ 	if option.Config.EnableBBR && option.Config.EnableHostLegacyRouting {
+@@ -130,7 +130,7 @@ func InitBandwidthManager() {
+ 			}).Fatal("Failed to set sysctl needed by BPF bandwidth manager.")
+ 		}
+ 	}
+-
++	return
+ 	for _, device := range option.Config.GetDevices() {
+ 		link, err := netlink.LinkByName(device)
+ 		if err != nil {
 diff --git a/pkg/datapath/linux/config/config.go b/pkg/datapath/linux/config/config.go
 index ea542dd527..0f078ad502 100644
 --- a/pkg/datapath/linux/config/config.go
@@ -62,5 +93,5 @@ index ea542dd527..0f078ad502 100644
  		ctmap.WriteBPFMacros(fw, e)
  	} else {
 -- 
-2.37.3
+2.39.0
 

policy/cilium/0008-adapt-1.12.patch

@@ -61,5 +61,5 @@ index 3783cbcb5a..562b76a79b 100644
  	}
 
 -- 
-2.37.3
+2.39.0