diff --git a/go.mod b/go.mod index 17d20bbcdd9..58fba52a340 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.22.0 require ( github.com/bombsimon/logrusr/v4 v4.1.0 - github.com/cilium/cilium v1.15.4 + github.com/cilium/cilium v1.15.5 github.com/cilium/ebpf v0.15.0 github.com/cilium/little-vm-helper v0.0.17 github.com/cilium/lumberjack/v2 v2.3.0 @@ -71,7 +71,7 @@ require ( github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/cilium/dns v1.1.51-0.20231120140355-729345173dc3 // indirect + github.com/cilium/dns v1.1.51-0.20240416134107-d47d0dd702a1 // indirect github.com/cilium/proxy v0.0.0-20231031145409-f19708f3d018 // indirect github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect github.com/containerd/log v0.1.0 // indirect diff --git a/go.sum b/go.sum index f244a57fbfb..75286ff03af 100644 --- a/go.sum +++ b/go.sum 
@@ -51,12 +51,12 @@ github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cilium/checkmate v1.0.3 h1:CQC5eOmlAZeEjPrVZY3ZwEBH64lHlx9mXYdUehEwI5w= github.com/cilium/checkmate v1.0.3/go.mod h1:KiBTasf39/F2hf2yAmHw21YFl3hcEyP4Yk6filxc12A= -github.com/cilium/cilium v1.15.4 h1:6UWB7y/vWgXEOVmCgLk8rKYodC/odU1IngH1fdKH0nE= -github.com/cilium/cilium v1.15.4/go.mod h1:ojlr/BoauoO2o2884BGO2ukxK953ieha3eSOhhfrmlQ= +github.com/cilium/cilium v1.15.5 h1:AFhWniiqVyQXYfpaPZTRfKdS0pLx+8lCDPp7JpAZqfo= +github.com/cilium/cilium v1.15.5/go.mod h1:hsruyj1KCncND7AyIlbKgHUlk7V+ONxTn3EbrOu39dI= github.com/cilium/controller-tools v0.8.0-1 h1:D5xhwSUZZceaKAacHOyfcpUMgLbs2TGeJEijNHlAQlc= github.com/cilium/controller-tools v0.8.0-1/go.mod h1:qE2DXhVOiEq5ijmINcFbqi9GZrrUjzB1TuJU0xa6eoY= -github.com/cilium/dns v1.1.51-0.20231120140355-729345173dc3 h1:3PErIjIq4DlOwNsQNPcILFzbGnxPuKuqJsHEFpiwstM= -github.com/cilium/dns v1.1.51-0.20231120140355-729345173dc3/go.mod h1:/7LC2GOgyXJ7maupZlaVIumYQiGPIgllSf6mA9sg6RU= +github.com/cilium/dns v1.1.51-0.20240416134107-d47d0dd702a1 h1:IR2iQhLyEVDJ52rPpqYAdRZMwlOSDl1XJqkD5PQJAfs= +github.com/cilium/dns v1.1.51-0.20240416134107-d47d0dd702a1/go.mod h1:/7LC2GOgyXJ7maupZlaVIumYQiGPIgllSf6mA9sg6RU= github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk= github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso= github.com/cilium/little-vm-helper v0.0.17 h1:uKS/wQSPeFqgZk6fFRhnreGvhuQCnWsZvqhkF/PS/OM= diff --git a/pkg/k8s/go.mod b/pkg/k8s/go.mod index b0213d54585..dfd02a17c59 100644 --- a/pkg/k8s/go.mod +++ b/pkg/k8s/go.mod @@ -5,7 +5,7 @@ go 1.22.0 require ( github.com/blang/semver/v4 v4.0.0 - github.com/cilium/cilium v1.15.4 + github.com/cilium/cilium v1.15.5 github.com/sirupsen/logrus v1.9.3 golang.org/x/sync v0.7.0 k8s.io/apiextensions-apiserver v0.29.5 
diff --git a/pkg/k8s/go.sum b/pkg/k8s/go.sum
index fb3464f4246..b4634ccdb14 100644
--- a/pkg/k8s/go.sum
+++ b/pkg/k8s/go.sum
@@ -2,8 +2,8 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/cilium/checkmate v1.0.3 h1:CQC5eOmlAZeEjPrVZY3ZwEBH64lHlx9mXYdUehEwI5w=
 github.com/cilium/checkmate v1.0.3/go.mod h1:KiBTasf39/F2hf2yAmHw21YFl3hcEyP4Yk6filxc12A=
-github.com/cilium/cilium v1.15.4 h1:6UWB7y/vWgXEOVmCgLk8rKYodC/odU1IngH1fdKH0nE=
-github.com/cilium/cilium v1.15.4/go.mod h1:ojlr/BoauoO2o2884BGO2ukxK953ieha3eSOhhfrmlQ=
+github.com/cilium/cilium v1.15.5 h1:AFhWniiqVyQXYfpaPZTRfKdS0pLx+8lCDPp7JpAZqfo=
+github.com/cilium/cilium v1.15.5/go.mod h1:hsruyj1KCncND7AyIlbKgHUlk7V+ONxTn3EbrOu39dI=
 github.com/cilium/controller-tools v0.8.0-1 h1:D5xhwSUZZceaKAacHOyfcpUMgLbs2TGeJEijNHlAQlc=
 github.com/cilium/controller-tools v0.8.0-1/go.mod h1:qE2DXhVOiEq5ijmINcFbqi9GZrrUjzB1TuJU0xa6eoY=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
diff --git a/pkg/k8s/vendor/github.com/cilium/cilium/AUTHORS b/pkg/k8s/vendor/github.com/cilium/cilium/AUTHORS
index 0239f7860d9..f7026e289f7 100644
--- a/pkg/k8s/vendor/github.com/cilium/cilium/AUTHORS
+++ b/pkg/k8s/vendor/github.com/cilium/cilium/AUTHORS
@@ -316,6 +316,8 @@ Jan-Erik Rediger janerik@fnordig.de
 Jan Jansen jan.jansen@gdata.de
 Jan Mraz strudelpi@pm.me
 Jarno Rajahalme jarno@isovalent.com
+Jason Aliyetti jaliyetti@gmail.com
+JBodkin-Amphora james.bodkin@amphora.net
 Jean Raby jean@raby.sh
 Jed Salazar jedsalazar@gmail.com
 Jef Spaleta jspaleta@gmail.com
@@ -492,6 +494,7 @@ Mohit Marathe mohitmarathe23@gmail.com Moritz Eckert m1gh7ym0@gmail.com Moritz Johner beller.moritz@googlemail.com Moshe Immerman moshe.immerman@vitalitygroup.com +Natalia Reka Ivanko natalia@isovalent.com Nate Sweet nathanjsweet@pm.me Nate Taylor ntaylor1781@gmail.com Nathan Bird njbird@infiniteenergy.com diff --git a/pkg/k8s/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels/selector.go b/pkg/k8s/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels/selector.go index 0eac5f4be0e..ade6fc43498 100644 --- a/pkg/k8s/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels/selector.go +++ b/pkg/k8s/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels/selector.go @@ -651,7 +651,7 @@ func (p *Parser) parse() (internalSelector, error) { case IdentifierToken, DoesNotExistToken: r, err := p.parseRequirement() if err != nil { - return nil, fmt.Errorf("unable to parse requirement: %v", err) + return nil, fmt.Errorf("unable to parse requirement: %w", err) } requirements = append(requirements, *r) t, l := p.consume(Values) diff --git a/pkg/k8s/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go b/pkg/k8s/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go index f4810989be3..570d2260d7b 100644 --- a/pkg/k8s/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go +++ b/pkg/k8s/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go @@ -736,4 +736,7 @@ const ( // State is the state of an individual component (apiserver, kvstore etc) State = "state" + + // EtcdClusterID is the ID of the etcd cluster + EtcdClusterID = "etcdClusterID" ) diff --git a/pkg/k8s/vendor/github.com/cilium/cilium/pkg/versioncheck/check.go b/pkg/k8s/vendor/github.com/cilium/cilium/pkg/versioncheck/check.go index 6b5e34534f1..88474cfa7ec 100644 --- a/pkg/k8s/vendor/github.com/cilium/cilium/pkg/versioncheck/check.go +++ b/pkg/k8s/vendor/github.com/cilium/cilium/pkg/versioncheck/check.go 
@@ -20,7 +20,7 @@ import (
 func MustCompile(constraint string) semver.Range {
 verCheck, err := Compile(constraint)
 if err != nil {
- panic(fmt.Errorf("cannot compile go-version constraint '%s' %s", constraint, err))
+ panic(fmt.Errorf("cannot compile go-version constraint '%s': %w", constraint, err))
 }
 return verCheck
 }
@@ -36,7 +36,7 @@ func Compile(constraint string) (semver.Range, error) {
 func MustVersion(version string) semver.Version {
 ver, err := Version(version)
 if err != nil {
- panic(fmt.Errorf("cannot compile go-version version '%s' %s", version, err))
+ panic(fmt.Errorf("cannot compile go-version version '%s': %w", version, err))
 }
 return ver
 }
diff --git a/pkg/k8s/vendor/modules.txt b/pkg/k8s/vendor/modules.txt
index 1560f4a7543..2791795e0f7 100644
--- a/pkg/k8s/vendor/modules.txt
+++ b/pkg/k8s/vendor/modules.txt
@@ -1,7 +1,7 @@
 # github.com/blang/semver/v4 v4.0.0
 ## explicit; go 1.14
 github.com/blang/semver/v4
-# github.com/cilium/cilium v1.15.4
+# github.com/cilium/cilium v1.15.5
 ## explicit; go 1.21.0
 github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels
 github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1
diff --git a/vendor/github.com/cilium/cilium/AUTHORS b/vendor/github.com/cilium/cilium/AUTHORS
index 0239f7860d9..f7026e289f7 100644
--- a/vendor/github.com/cilium/cilium/AUTHORS
+++ b/vendor/github.com/cilium/cilium/AUTHORS
@@ -316,6 +316,8 @@ Jan-Erik Rediger janerik@fnordig.de
 Jan Jansen jan.jansen@gdata.de
 Jan Mraz strudelpi@pm.me
 Jarno Rajahalme jarno@isovalent.com
+Jason Aliyetti jaliyetti@gmail.com
+JBodkin-Amphora james.bodkin@amphora.net
 Jean Raby jean@raby.sh
 Jed Salazar jedsalazar@gmail.com
 Jef Spaleta jspaleta@gmail.com
@@ -492,6 +494,7 @@ Mohit Marathe mohitmarathe23@gmail.com Moritz Eckert m1gh7ym0@gmail.com Moritz Johner beller.moritz@googlemail.com Moshe Immerman moshe.immerman@vitalitygroup.com +Natalia Reka Ivanko natalia@isovalent.com Nate Sweet nathanjsweet@pm.me Nate Taylor ntaylor1781@gmail.com Nathan Bird njbird@infiniteenergy.com diff --git a/vendor/github.com/cilium/cilium/api/v1/models/daemon_configuration_status.go b/vendor/github.com/cilium/cilium/api/v1/models/daemon_configuration_status.go index f55612181d7..64daed2b0f4 100644 --- a/vendor/github.com/cilium/cilium/api/v1/models/daemon_configuration_status.go +++ b/vendor/github.com/cilium/cilium/api/v1/models/daemon_configuration_status.go @@ -53,6 +53,9 @@ type DaemonConfigurationStatus struct { // Immutable configuration (read-only) Immutable ConfigurationMap `json:"immutable,omitempty"` + // Comma-separated list of IP ports should be reserved in the workload network namespace + IPLocalReservedPorts string `json:"ipLocalReservedPorts,omitempty"` + // Configured IPAM mode IpamMode string `json:"ipam-mode,omitempty"` diff --git a/vendor/github.com/cilium/cilium/api/v1/models/endpoint_change_request.go b/vendor/github.com/cilium/cilium/api/v1/models/endpoint_change_request.go index e1be73caae7..d59e7f3a164 100644 --- a/vendor/github.com/cilium/cilium/api/v1/models/endpoint_change_request.go +++ b/vendor/github.com/cilium/cilium/api/v1/models/endpoint_change_request.go @@ -67,6 +67,9 @@ type EndpointChangeRequest struct { // Kubernetes pod name K8sPodName string `json:"k8s-pod-name,omitempty"` + // Kubernetes pod UID + K8sUID string `json:"k8s-uid,omitempty"` + // Labels describing the identity Labels Labels `json:"labels,omitempty"` diff --git a/vendor/github.com/cilium/cilium/pkg/alignchecker/alignchecker.go b/vendor/github.com/cilium/cilium/pkg/alignchecker/alignchecker.go index f3999cc2486..8be3e3d62bc 100644 --- a/vendor/github.com/cilium/cilium/pkg/alignchecker/alignchecker.go 
+++ b/vendor/github.com/cilium/cilium/pkg/alignchecker/alignchecker.go @@ -24,12 +24,12 @@ import ( func CheckStructAlignments(pathToObj string, toCheck map[string][]any, checkOffsets bool) error { spec, err := btf.LoadSpec(pathToObj) if err != nil { - return fmt.Errorf("cannot parse BTF debug info %s: %s", pathToObj, err) + return fmt.Errorf("cannot parse BTF debug info %s: %w", pathToObj, err) } structInfo, err := getStructInfosFromBTF(spec, toCheck) if err != nil { - return fmt.Errorf("cannot extract struct info from BTF %s: %s", pathToObj, err) + return fmt.Errorf("cannot extract struct info from BTF %s: %w", pathToObj, err) } for cName, goStructs := range toCheck { diff --git a/vendor/github.com/cilium/cilium/pkg/allocator/allocator.go b/vendor/github.com/cilium/cilium/pkg/allocator/allocator.go index 56b40c900ae..2792a310867 100644 --- a/vendor/github.com/cilium/cilium/pkg/allocator/allocator.go +++ b/vendor/github.com/cilium/cilium/pkg/allocator/allocator.go @@ -418,7 +418,7 @@ func (a *Allocator) WaitForInitialSync(ctx context.Context) error { select { case <-a.initialListDone: case <-ctx.Done(): - return fmt.Errorf("identity sync was cancelled: %s", ctx.Err()) + return fmt.Errorf("identity sync was cancelled: %w", ctx.Err()) } return nil 
@@ -524,13 +524,13 @@ func (a *Allocator) lockedAllocate(ctx context.Context, key AllocatorKey) (idpoo if value != 0 { // re-create master key if err := a.backend.UpdateKeyIfLocked(ctx, value, key, true, lock); err != nil { - return 0, false, false, fmt.Errorf("unable to re-create missing master key '%s': %s while allocating ID: %s", key, value, err) + return 0, false, false, fmt.Errorf("unable to re-create missing master key '%s': %s while allocating ID: %w", key, value, err) } } } else { _, firstUse, err = a.localKeys.allocate(k, key, value) if err != nil { - return 0, false, false, fmt.Errorf("unable to reserve local key '%s': %s", k, err) + return 0, false, false, fmt.Errorf("unable to reserve local key '%s': %w", k, err) } if firstUse { @@ -545,7 +545,7 @@ func (a *Allocator) lockedAllocate(ctx context.Context, key AllocatorKey) (idpoo if err = a.backend.AcquireReference(ctx, value, key, lock); err != nil { a.localKeys.release(k) - return 0, false, false, fmt.Errorf("unable to create secondary key '%s': %s", k, err) + return 0, false, false, fmt.Errorf("unable to create secondary key '%s': %w", k, err) } // mark the key as verified in the local cache @@ -572,7 +572,7 @@ func (a *Allocator) lockedAllocate(ctx context.Context, key AllocatorKey) (idpoo oldID, firstUse, err := a.localKeys.allocate(k, key, id) if err != nil { a.idPool.Release(unmaskedID) - return 0, false, false, fmt.Errorf("unable to reserve local key '%s': %s", k, err) + return 0, false, false, fmt.Errorf("unable to reserve local key '%s': %w", k, err) } // Another local writer beat us to allocating an ID for the same key, 
@@ -602,7 +602,7 @@ func (a *Allocator) lockedAllocate(ctx context.Context, key AllocatorKey) (idpoo // Creation failed. Another agent most likely beat us to allocting this // ID, retry. releaseKeyAndID() - return 0, false, false, fmt.Errorf("unable to allocate ID %s for key %s: %s", strID, key2, err) + return 0, false, false, fmt.Errorf("unable to allocate ID %s for key %s: %w", strID, key2, err) } // Notify pool that leased ID is now in-use. @@ -613,7 +613,7 @@ func (a *Allocator) lockedAllocate(ctx context.Context, key AllocatorKey) (idpoo // exposed and may be in use by other nodes. The garbage // collector will release it again. releaseKeyAndID() - return 0, false, false, fmt.Errorf("secondary key creation failed '%s': %s", k, err) + return 0, false, false, fmt.Errorf("secondary key creation failed '%s': %w", k, err) } // mark the key as verified in the local cache @@ -651,7 +651,7 @@ func (a *Allocator) Allocate(ctx context.Context, key AllocatorKey) (idpool.ID, select { case <-a.initialListDone: case <-ctx.Done(): - return 0, false, false, fmt.Errorf("allocation was cancelled while waiting for initial key list to be received: %s", ctx.Err()) + return 0, false, false, fmt.Errorf("allocation was cancelled while waiting for initial key list to be received: %w", ctx.Err()) } kvstore.Trace("Allocating from kvstore", nil, logrus.Fields{fieldKey: key}) @@ -690,7 +690,7 @@ func (a *Allocator) Allocate(ctx context.Context, key AllocatorKey) (idpool.ID, select { case <-ctx.Done(): scopedLog.WithError(ctx.Err()).Warning("Ongoing key allocation has been cancelled") - return 0, false, false, fmt.Errorf("key allocation cancelled: %s", ctx.Err()) + return 0, false, false, fmt.Errorf("key allocation cancelled: %w", ctx.Err()) default: scopedLog.WithError(err).Warning("Key allocation attempt failed") } 
@@ -813,7 +813,7 @@ func (a *Allocator) Release(ctx context.Context, key AllocatorKey) (lastUse bool select { case <-a.initialListDone: case <-ctx.Done(): - return false, fmt.Errorf("release was cancelled while waiting for initial key list to be received: %s", ctx.Err()) + return false, fmt.Errorf("release was cancelled while waiting for initial key list to be received: %w", ctx.Err()) } k := a.encodeKey(key) diff --git a/vendor/github.com/cilium/cilium/pkg/backoff/backoff.go b/vendor/github.com/cilium/cilium/pkg/backoff/backoff.go index 2cfbde3dcad..3ddada53096 100644 --- a/vendor/github.com/cilium/cilium/pkg/backoff/backoff.go +++ b/vendor/github.com/cilium/cilium/pkg/backoff/backoff.go @@ -166,7 +166,7 @@ func (b *Exponential) Wait(ctx context.Context) error { select { case <-ctx.Done(): - return fmt.Errorf("exponential backoff cancelled via context: %s", ctx.Err()) + return fmt.Errorf("exponential backoff cancelled via context: %w", ctx.Err()) case <-time.After(t): } diff --git a/vendor/github.com/cilium/cilium/pkg/bpf/bpf_linux.go b/vendor/github.com/cilium/cilium/pkg/bpf/bpf_linux.go index 1a8972bafca..bc689ecdf4f 100644 --- a/vendor/github.com/cilium/cilium/pkg/bpf/bpf_linux.go +++ b/vendor/github.com/cilium/cilium/pkg/bpf/bpf_linux.go @@ -161,7 +161,7 @@ func GetMtime() (uint64, error) { err := unix.ClockGettime(unix.CLOCK_MONOTONIC, &ts) if err != nil { - return 0, fmt.Errorf("Unable get time: %s", err) + return 0, fmt.Errorf("Unable get time: %w", err) } return uint64(unix.TimespecToNsec(ts)), nil diff --git a/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_linux.go b/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_linux.go index 8a22cc6942d..1a94dde4199 100644 --- a/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_linux.go +++ b/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_linux.go 
@@ -133,10 +133,10 @@ func mountFS(printWarning bool) error { if err != nil { if os.IsNotExist(err) { if err := MkdirBPF(bpffsRoot); err != nil { - return fmt.Errorf("unable to create bpf mount directory: %s", err) + return fmt.Errorf("unable to create bpf mount directory: %w", err) } } else { - return fmt.Errorf("failed to stat the mount path %s: %s", bpffsRoot, err) + return fmt.Errorf("failed to stat the mount path %s: %w", bpffsRoot, err) } } else if !mapRootStat.IsDir() { @@ -144,7 +144,7 @@ func mountFS(printWarning bool) error { } if err := unix.Mount(bpffsRoot, bpffsRoot, "bpf", 0, ""); err != nil { - return fmt.Errorf("failed to mount %s: %s", bpffsRoot, err) + return fmt.Errorf("failed to mount %s: %w", bpffsRoot, err) } return nil } diff --git a/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_migrate.go b/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_migrate.go index d0a61be998a..99a8e49c042 100644 --- a/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_migrate.go +++ b/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_migrate.go @@ -90,7 +90,7 @@ func RepinMap(bpffsPath string, name string, spec *ebpf.MapSpec) error { } if err != nil { - return fmt.Errorf("map not found at path %s: %v", name, err) + return fmt.Errorf("map not found at path %s: %w", name, err) } defer pinned.Close() @@ -148,7 +148,7 @@ func FinalizeMap(bpffsPath, name string, revert bool) error { } if err != nil { - return fmt.Errorf("unable to open pinned map at path %s: %v", name, err) + return fmt.Errorf("unable to open pinned map at path %s: %w", name, err) } // Pending Map was found on bpffs and needs to be reverted. diff --git a/vendor/github.com/cilium/cilium/pkg/cgroups/cgroups_linux.go b/vendor/github.com/cilium/cilium/pkg/cgroups/cgroups_linux.go index a8ed26469b8..0c882558a90 100644 --- a/vendor/github.com/cilium/cilium/pkg/cgroups/cgroups_linux.go +++ b/vendor/github.com/cilium/cilium/pkg/cgroups/cgroups_linux.go 
@@ -20,17 +20,17 @@ func mountCgroup() error { if err != nil { if os.IsNotExist(err) { if err := os.MkdirAll(cgroupRoot, 0755); err != nil { - return fmt.Errorf("Unable to create cgroup mount directory: %s", err) + return fmt.Errorf("Unable to create cgroup mount directory: %w", err) } } else { - return fmt.Errorf("Failed to stat the mount path %s: %s", cgroupRoot, err) + return fmt.Errorf("Failed to stat the mount path %s: %w", cgroupRoot, err) } } else if !cgroupRootStat.IsDir() { return fmt.Errorf("%s is a file which is not a directory", cgroupRoot) } if err := unix.Mount("none", cgroupRoot, "cgroup2", 0, ""); err != nil { - return fmt.Errorf("failed to mount %s: %s", cgroupRoot, err) + return fmt.Errorf("failed to mount %s: %w", cgroupRoot, err) } return nil diff --git a/vendor/github.com/cilium/cilium/pkg/cgroups/manager/provider.go b/vendor/github.com/cilium/cilium/pkg/cgroups/manager/provider.go index 2dae690c605..792bc08c02d 100644 --- a/vendor/github.com/cilium/cilium/pkg/cgroups/manager/provider.go +++ b/vendor/github.com/cilium/cilium/pkg/cgroups/manager/provider.go @@ -141,12 +141,12 @@ func getSystemdContainerPathCommon(subPaths []string, podId string, containerId podIdStr := fmt.Sprintf("pod%s", podId) if qos == v1.PodQOSGuaranteed { if path, err = toSystemd(append(subPaths, podIdStr)); err != nil { - return "", fmt.Errorf("unable to construct cgroup path %w", err) + return "", fmt.Errorf("unable to construct cgroup path: %w", err) } } else { qosStr := strings.ToLower(string(qos)) if path, err = toSystemd(append(subPaths, qosStr, podIdStr)); err != nil { - return "", fmt.Errorf("unable to construct cgroup path %w", err) + return "", fmt.Errorf("unable to construct cgroup path: %w", err) } } // construct and append container sub path with container id 
@@ -211,7 +211,7 @@ func toSystemd(cgroupName []string) (string, error) { result, err := expandSlice(strings.Join(newparts, "-") + systemdSuffix) if err != nil { - return "", fmt.Errorf("error converting cgroup name [%v] to systemd format: %v", cgroupName, err) + return "", fmt.Errorf("error converting cgroup name [%v] to systemd format: %w", cgroupName, err) } return result, nil } diff --git a/vendor/github.com/cilium/cilium/pkg/client/client.go b/vendor/github.com/cilium/cilium/pkg/client/client.go index f0f26333d75..87c38bb845d 100644 --- a/vendor/github.com/cilium/cilium/pkg/client/client.go +++ b/vendor/github.com/cilium/cilium/pkg/client/client.go @@ -75,7 +75,7 @@ func NewDefaultClientWithTimeout(timeout time.Duration) (*Client, error) { for { select { case <-timeoutAfter: - return nil, fmt.Errorf("failed to create cilium agent client after %f seconds timeout: %s", timeout.Seconds(), err) + return nil, fmt.Errorf("failed to create cilium agent client after %f seconds timeout: %w", timeout.Seconds(), err) default: } @@ -88,7 +88,7 @@ func NewDefaultClientWithTimeout(timeout time.Duration) (*Client, error) { for { select { case <-timeoutAfter: - return nil, fmt.Errorf("failed to create cilium agent client after %f seconds timeout: %s", timeout.Seconds(), err) + return nil, fmt.Errorf("failed to create cilium agent client after %f seconds timeout: %w", timeout.Seconds(), err) default: } // This is an API call that we do to the cilium-agent to check diff --git a/vendor/github.com/cilium/cilium/pkg/command/output.go b/vendor/github.com/cilium/cilium/pkg/command/output.go index a3d0490df57..f6196048c5f 100644 --- a/vendor/github.com/cilium/cilium/pkg/command/output.go +++ b/vendor/github.com/cilium/cilium/pkg/command/output.go 
@@ -58,7 +58,7 @@ func PrintOutput(data interface{}) error { func PrintOutputWithPatch(data interface{}, patch interface{}) error { mergedInterface, err := mergeInterfaces(data, patch) if err != nil { - return fmt.Errorf("Unable to merge Interfaces:%v", err) + return fmt.Errorf("Unable to merge Interfaces: %w", err) } return PrintOutputWithType(mergedInterface, outputOpt) } diff --git a/vendor/github.com/cilium/cilium/pkg/controller/controller.go b/vendor/github.com/cilium/cilium/pkg/controller/controller.go index f35bded20df..821020c7df2 100644 --- a/vendor/github.com/cilium/cilium/pkg/controller/controller.go +++ b/vendor/github.com/cilium/cilium/pkg/controller/controller.go @@ -265,11 +265,11 @@ func (c *controller) runController(params ControllerParams) { err = NewExitReason("controller context canceled") } - switch err := err.(type) { - case ExitReason: + var exitReason ExitReason + if errors.As(err, &exitReason) { // This is actually not an error case, but it causes an exit c.recordSuccess(params.HealthReporter) - c.lastError = err // This will be shown in the controller status + c.lastError = exitReason // This will be shown in the controller status // Don't exit the goroutine, since that only happens when the // controller is explicitly stopped. Instead, just wait for @@ -277,7 +277,7 @@ func (c *controller) runController(params ControllerParams) { c.getLogger().Debug("Controller run succeeded; waiting for next controller update or stop") interval = time.Duration(math.MaxInt64) - default: + } else { c.getLogger().WithField(fieldConsecutiveErrors, errorRetries). WithError(err).Debug("Controller run failed") c.recordError(err, params.HealthReporter) diff --git a/vendor/github.com/cilium/cilium/pkg/counter/prefixes.go b/vendor/github.com/cilium/cilium/pkg/counter/prefixes.go index 6c883c6bb50..fad776b674b 100644 --- a/vendor/github.com/cilium/cilium/pkg/counter/prefixes.go +++ b/vendor/github.com/cilium/cilium/pkg/counter/prefixes.go 
@@ -67,7 +67,7 @@ func DefaultPrefixLengthCounter() *PrefixLengthCounter { createIPNet(net.IPv6len*8, net.IPv6len*8), // hosts } if _, err := counter.Add(defaultPrefixes); err != nil { - panic(fmt.Errorf("Failed to create default prefix lengths: %s", err)) + panic(fmt.Errorf("Failed to create default prefix lengths: %w", err)) } return counter diff --git a/vendor/github.com/cilium/cilium/pkg/datapath/linux/bandwidth/bandwidth.go b/vendor/github.com/cilium/cilium/pkg/datapath/linux/bandwidth/bandwidth.go index c91130e6342..8afcc2b1bbc 100644 --- a/vendor/github.com/cilium/cilium/pkg/datapath/linux/bandwidth/bandwidth.go +++ b/vendor/github.com/cilium/cilium/pkg/datapath/linux/bandwidth/bandwidth.go @@ -237,7 +237,7 @@ func setBaselineSysctls(p bandwidthManagerParams) error { for name, value := range baseIntSettings { currentValue, err := sysctl.ReadInt(name) if err != nil { - return fmt.Errorf("read sysctl %s failed: %s", name, err) + return fmt.Errorf("read sysctl %s failed: %w", name, err) } scopedLog := p.Log.WithFields(logrus.Fields{ @@ -253,7 +253,7 @@ func setBaselineSysctls(p bandwidthManagerParams) error { scopedLog.Info("Setting sysctl to baseline for BPF bandwidth manager") if err := sysctl.WriteInt(name, value); err != nil { - return fmt.Errorf("set sysctl %s=%d failed: %s", name, value, err) + return fmt.Errorf("set sysctl %s=%d failed: %w", name, value, err) } } @@ -275,7 +275,7 @@ func setBaselineSysctls(p bandwidthManagerParams) error { }).Info("Setting sysctl to baseline for BPF bandwidth manager") if err := sysctl.Write(name, value); err != nil { - return fmt.Errorf("set sysctl %s=%s failed: %s", name, value, err) + return fmt.Errorf("set sysctl %s=%s failed: %w", name, value, err) } } 
@@ -294,7 +294,7 @@ func setBaselineSysctls(p bandwidthManagerParams) error { }).Info("Setting sysctl to baseline for BPF bandwidth manager") if err := sysctl.WriteInt(name, value); err != nil { - return fmt.Errorf("set sysctl %s=%d failed: %s", name, value, err) + return fmt.Errorf("set sysctl %s=%d failed: %w", name, value, err) } } } diff --git a/vendor/github.com/cilium/cilium/pkg/datapath/linux/probes/managed_neighbors.go b/vendor/github.com/cilium/cilium/pkg/datapath/linux/probes/managed_neighbors.go index f260c1e2ffb..2d8196d5352 100644 --- a/vendor/github.com/cilium/cilium/pkg/datapath/linux/probes/managed_neighbors.go +++ b/vendor/github.com/cilium/cilium/pkg/datapath/linux/probes/managed_neighbors.go @@ -62,7 +62,7 @@ func haveManagedNeighbors() (outer error) { // The current goroutine is locked to an OS thread and we've failed // to undo state modifications to the thread. Returning without unlocking // the goroutine will make sure the underlying OS thread dies. - outer = fmt.Errorf("error setting thread back to its original netns: %w (original error: %s)", nerr, outer) + outer = fmt.Errorf("error setting thread back to its original netns: %w (original error: %w)", nerr, outer) return } // only now that we have successfully changed the thread back to its diff --git a/vendor/github.com/cilium/cilium/pkg/defaults/defaults.go b/vendor/github.com/cilium/cilium/pkg/defaults/defaults.go index a17bf474daa..fe34caa624a 100644 --- a/vendor/github.com/cilium/cilium/pkg/defaults/defaults.go +++ b/vendor/github.com/cilium/cilium/pkg/defaults/defaults.go 
@@ -507,11 +507,9 @@ const ( // InstallNoConntrackRules instructs Cilium to install Iptables rules to skip netfilter connection tracking on all pod traffic. InstallNoConntrackIptRules = false - // WireguardSubnetV4 is a default WireGuard tunnel subnet - WireguardSubnetV4 = "172.16.43.0/24" - - // WireguardSubnetV6 is a default WireGuard tunnel subnet - WireguardSubnetV6 = "fdc9:281f:04d7:9ee9::1/64" + // ContainerIPLocalReservedPortsAuto instructs the Cilium CNI plugin to reserve + // an auto-generated list of ports in the container network namespace + ContainerIPLocalReservedPortsAuto = "auto" // ExternalClusterIP enables cluster external access to ClusterIP services. // Defaults to false to retain prior behaviour of not routing external packets to ClusterIPs. diff --git a/vendor/github.com/cilium/cilium/pkg/endpoint/id/id.go b/vendor/github.com/cilium/cilium/pkg/endpoint/id/id.go index a785e2d0f01..96b8d7b1025 100644 --- a/vendor/github.com/cilium/cilium/pkg/endpoint/id/id.go +++ b/vendor/github.com/cilium/cilium/pkg/endpoint/id/id.go @@ -129,7 +129,7 @@ func ParseCiliumID(id string) (int64, error) { } n, err := strconv.ParseInt(id, 0, 64) if err != nil || n < 0 { - return 0, fmt.Errorf("invalid numeric cilium id: %s", err) + return 0, fmt.Errorf("invalid numeric cilium id: %w", err) } if n > MaxEndpointID { return 0, fmt.Errorf("endpoint id too large: %d", n) diff --git a/vendor/github.com/cilium/cilium/pkg/health/client/modules.go b/vendor/github.com/cilium/cilium/pkg/health/client/modules.go index 52d65037912..470da8ed15b 100644 --- a/vendor/github.com/cilium/cilium/pkg/health/client/modules.go +++ b/vendor/github.com/cilium/cilium/pkg/health/client/modules.go 
@@ -62,15 +62,13 @@ func GetAndFormatModulesHealth(w io.Writer, clt ModulesHealth, verbose bool) { for _, m := range resp.Payload.Modules { tally[cell.Level(m.Level)] += 1 } - fmt.Fprintf(w, "\t%s(%d) %s(%d) %s(%d) %s(%d)\n", + fmt.Fprintf(w, "\t%s(%d) %s(%d) %s(%d)\n", cell.StatusStopped, tally[cell.StatusStopped], cell.StatusDegraded, tally[cell.StatusDegraded], cell.StatusOK, tally[cell.StatusOK], - cell.StatusUnknown, - tally[cell.StatusUnknown], ) } diff --git a/vendor/github.com/cilium/cilium/pkg/identity/cache/allocator.go b/vendor/github.com/cilium/cilium/pkg/identity/cache/allocator.go index c637cea34ac..d5134ec77b9 100644 --- a/vendor/github.com/cilium/cilium/pkg/identity/cache/allocator.go +++ b/vendor/github.com/cilium/cilium/pkg/identity/cache/allocator.go @@ -283,7 +283,7 @@ func (m *CachingIdentityAllocator) WaitForInitialGlobalIdentities(ctx context.Co select { case <-m.globalIdentityAllocatorInitialized: case <-ctx.Done(): - return fmt.Errorf("initial global identity sync was cancelled: %s", ctx.Err()) + return fmt.Errorf("initial global identity sync was cancelled: %w", ctx.Err()) } return m.IdentityAllocator.WaitForInitialSync(ctx) 
@@ -493,13 +493,13 @@ func (m *CachingIdentityAllocator) WatchRemoteIdentities(remoteName string, back
 remoteAllocatorBackend, err := kvstoreallocator.NewKVStoreBackend(prefix, m.owner.GetNodeSuffix(), &key.GlobalIdentity{}, backend)
 if err != nil {
- return nil, fmt.Errorf("error setting up remote allocator backend: %s", err)
+ return nil, fmt.Errorf("error setting up remote allocator backend: %w", err)
 }
 remoteAlloc, err := allocator.NewAllocator(&key.GlobalIdentity{}, remoteAllocatorBackend, allocator.WithEvents(m.IdentityAllocator.GetEvents()), allocator.WithoutGC(), allocator.WithoutAutostart())
 if err != nil {
- return nil, fmt.Errorf("unable to initialize remote Identity Allocator: %s", err)
+ return nil, fmt.Errorf("unable to initialize remote Identity Allocator: %w", err)
 }
 return m.IdentityAllocator.NewRemoteCache(remoteName, remoteAlloc), nil
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/const.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/const.go
index bbdb5c510c9..4aa8ac51695 100644
--- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/const.go
+++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/const.go
@@ -80,6 +80,10 @@ const (
 // to sync the CNP with kube-apiserver.
 CtrlPrefixPolicyStatus = "sync-cnp-policy-status"
+ // BatchJobControllerUID is one of the labels that is available on a Job
+ // https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-labels
+ BatchJobControllerUID = "batch.kubernetes.io/controller-uid"
+
 // CiliumIdentityAnnotationDeprecated is the previous annotation key used to map to an endpoint's security identity.
 CiliumIdentityAnnotationDeprecated = "cilium-identity"
 )
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/clrp_types.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/clrp_types.go
index ca665284350..63bb1b5e1fd 100644
--- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/clrp_types.go
+++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/clrp_types.go
@@ -204,7 +204,7 @@ func (pInfo *PortInfo) SanitizePortInfo(checkNamedPort bool) (uint16, string, lb
 } else {
 p, err := strconv.ParseUint(pInfo.Port, 0, 16)
 if err != nil {
- return pInt, pName, protocol, fmt.Errorf("unable to parse port: %v", err)
+ return pInt, pName, protocol, fmt.Errorf("unable to parse port: %w", err)
 }
 if p == 0 {
 return pInt, pName, protocol, fmt.Errorf("port cannot be 0")
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/cell.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/cell.go
index 1dac2c6ec33..fe3d7970aec 100644
--- a/vendor/github.com/cilium/cilium/pkg/k8s/client/cell.go
+++ b/vendor/github.com/cilium/cilium/pkg/k8s/client/cell.go
@@ -5,6 +5,7 @@ package client
 import (
 "context"
+ "errors"
 "fmt"
 "net"
 "net/http"
@@ -16,7 +17,7 @@ import (
 "github.com/sirupsen/logrus"
 apiext_clientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 apiext_fake "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/fake"
- "k8s.io/apimachinery/pkg/api/errors"
+ k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 utilnet "k8s.io/apimachinery/pkg/util/net"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -391,13 +392,12 @@ func runHeartbeat(log logrus.FieldLogger, heartBeat func(context.Context) error,
 // which means the server is overloaded and only for this reason we
 // will not close all connections.
 err := heartBeat(ctx)
- switch t := err.(type) {
- case *errors.StatusError:
- if t.ErrStatus.Code != http.StatusTooManyRequests {
+ if err != nil {
+ statusError := &k8sErrors.StatusError{}
+ if !errors.As(err, &statusError) ||
+ statusError.ErrStatus.Code != http.StatusTooManyRequests {
 done <- err
 }
- default:
- done <- err
 }
 close(done)
 }()
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/identitybackend/identity.go b/vendor/github.com/cilium/cilium/pkg/k8s/identitybackend/identity.go
index 9386a68eb6c..d3a867d557b 100644
--- a/vendor/github.com/cilium/cilium/pkg/k8s/identitybackend/identity.go
+++ b/vendor/github.com/cilium/cilium/pkg/k8s/identitybackend/identity.go
@@ -194,7 +194,7 @@ func (c *crdBackend) UpdateKey(ctx context.Context, id idpool.ID, key allocator.
 if reliablyMissing {
 // Recreate a missing master key
 if _, err = c.AllocateID(ctx, id, key); err != nil {
- return fmt.Errorf("Unable recreate missing CRD identity %q->%q: %s", key, id, err)
+ return fmt.Errorf("Unable recreate missing CRD identity %q->%q: %w", key, id, err)
 }
 return nil
@@ -278,7 +278,7 @@ func (c *crdBackend) Get(ctx context.Context, key allocator.AllocatorKey) (idpoo
 id, err := strconv.ParseUint(identity.Name, 10, 64)
 if err != nil {
- return idpool.NoID, fmt.Errorf("unable to parse value '%s': %s", identity.Name, err)
+ return idpool.NoID, fmt.Errorf("unable to parse value '%s': %w", identity.Name, err)
 }
 return idpool.ID(id), nil
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels/selector.go b/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels/selector.go
index 0eac5f4be0e..ade6fc43498 100644
--- a/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels/selector.go
+++ b/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels/selector.go
@@ -651,7 +651,7 @@ func (p *Parser) parse() (internalSelector, error) {
 case IdentifierToken, DoesNotExistToken:
 r, err := p.parseRequirement()
 if err != nil {
- return nil, fmt.Errorf("unable to parse requirement: %v", err)
+ return nil, fmt.Errorf("unable to parse requirement: %w", err)
 }
 requirements = append(requirements, *r)
 t, l := p.consume(Values)
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/util/intstr/intstr.go b/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/util/intstr/intstr.go
index ca2f03b6d1d..2f76aa37776 100644
--- a/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/util/intstr/intstr.go
+++ b/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/util/intstr/intstr.go
@@ -147,7 +147,7 @@ func GetScaledValueFromIntOrPercent(intOrPercent *IntOrString, total int, roundU
 }
 value, isPercent, err := getIntOrPercentValueSafely(intOrPercent)
 if err != nil {
- return 0, fmt.Errorf("invalid value for IntOrString: %v", err)
+ return 0, fmt.Errorf("invalid value for IntOrString: %w", err)
 }
 if isPercent {
 if roundUp {
@@ -169,7 +169,7 @@ func GetValueFromIntOrPercent(intOrPercent *IntOrString, total int, roundUp bool
 }
 value, isPercent, err := getIntOrPercentValue(intOrPercent)
 if err != nil {
- return 0, fmt.Errorf("invalid value for IntOrString: %v", err)
+ return 0, fmt.Errorf("invalid value for IntOrString: %w", err)
 }
 if isPercent {
 if roundUp {
@@ -191,7 +191,7 @@ func getIntOrPercentValue(intOrStr *IntOrString) (int, bool, error) {
 s := strings.Replace(intOrStr.StrVal, "%", "", -1)
 v, err := strconv.Atoi(s)
 if err != nil {
- return 0, false, fmt.Errorf("invalid value %q: %v", intOrStr.StrVal, err)
+ return 0, false, fmt.Errorf("invalid value %q: %w", intOrStr.StrVal, err)
 }
 return int(v), true, nil
 }
@@ -213,7 +213,7 @@ func getIntOrPercentValueSafely(intOrStr *IntOrString) (int, bool, error) {
 }
 v, err := strconv.Atoi(s)
 if err != nil {
- return 0, false, fmt.Errorf("invalid value %q: %v", intOrStr.StrVal, err)
+ return 0, false, fmt.Errorf("invalid value %q: %w", intOrStr.StrVal, err)
 }
 return int(v), isPercent, nil
 }
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/version/version.go b/vendor/github.com/cilium/cilium/pkg/k8s/version/version.go
index 8d0e13cf828..db2bab99517 100644
--- a/vendor/github.com/cilium/cilium/pkg/k8s/version/version.go
+++ b/vendor/github.com/cilium/cilium/pkg/k8s/version/version.go
@@ -196,7 +196,7 @@ func endpointSlicesFallbackDiscovery(client kubernetes.Interface) error {
 // Unknown error, we can't derive whether to enable or disable
 // EndpointSlices and need to error out.
- return fmt.Errorf("unable to validate EndpointSlices support: %s", err)
+ return fmt.Errorf("unable to validate EndpointSlices support: %w", err)
 }
 func leasesFallbackDiscovery(client kubernetes.Interface, apiDiscoveryEnabled bool) error {
@@ -229,7 +229,7 @@ func leasesFallbackDiscovery(client kubernetes.Interface, apiDiscoveryEnabled bo
 // Unknown error, we can't derive whether to enable or disable
 // LeasesResourceLock and need to error out
- return fmt.Errorf("unable to validate LeasesResourceLock support: %s", err)
+ return fmt.Errorf("unable to validate LeasesResourceLock support: %w", err)
 }
 func updateK8sServerVersion(client kubernetes.Interface) error {
@@ -258,7 +258,7 @@ func updateK8sServerVersion(client kubernetes.Interface) error {
 }
 }
- return fmt.Errorf("cannot parse k8s server version from %+v: %s", sv, err)
+ return fmt.Errorf("cannot parse k8s server version from %+v: %w", sv, err)
 }
 // Update retrieves the version of the Kubernetes apiserver and derives the
diff --git a/vendor/github.com/cilium/cilium/pkg/kvstore/allocator/allocator.go b/vendor/github.com/cilium/cilium/pkg/kvstore/allocator/allocator.go
index 4345273bf2b..c9141031d78 100644
--- a/vendor/github.com/cilium/cilium/pkg/kvstore/allocator/allocator.go
+++ b/vendor/github.com/cilium/cilium/pkg/kvstore/allocator/allocator.go
@@ -129,7 +129,7 @@ func (k *kvstoreBackend) AllocateID(ctx context.Context, id idpool.ID, key alloc
 keyEncoded := []byte(k.backend.Encode([]byte(key.GetKey())))
 success, err := k.backend.CreateOnly(ctx, keyPath, keyEncoded, false)
 if err != nil || !success {
- return nil, fmt.Errorf("unable to create master key '%s': %s", keyPath, err)
+ return nil, fmt.Errorf("unable to create master key '%s': %w", keyPath, err)
 }
 return key, nil
@@ -142,7 +142,7 @@ func (k *kvstoreBackend) AllocateIDIfLocked(ctx context.Context, id idpool.ID, k
 keyEncoded := []byte(k.backend.Encode([]byte(key.GetKey())))
 success, err := k.backend.CreateOnlyIfLocked(ctx, keyPath, keyEncoded, false, lock)
 if err != nil || !success {
- return nil, fmt.Errorf("unable to create master key '%s': %s", keyPath, err)
+ return nil, fmt.Errorf("unable to create master key '%s': %w", keyPath, err)
 }
 return key, nil
@@ -152,7 +152,7 @@ func (k *kvstoreBackend) AllocateIDIfLocked(ctx context.Context, id idpool.ID, k
 func (k *kvstoreBackend) AcquireReference(ctx context.Context, id idpool.ID, key allocator.AllocatorKey, lock kvstore.KVLocker) error {
 keyString := k.backend.Encode([]byte(key.GetKey()))
 if err := k.createValueNodeKey(ctx, keyString, id, lock); err != nil {
- return fmt.Errorf("unable to create slave key '%s': %s", keyString, err)
+ return fmt.Errorf("unable to create slave key '%s': %w", keyString, err)
 }
 return nil
 }
@@ -163,7 +163,7 @@ func (k *kvstoreBackend) createValueNodeKey(ctx context.Context, key string, new
 // The key is protected with a TTL/lease and will expire after LeaseTTL
 valueKey := path.Join(k.valuePrefix, key, k.suffix)
 if _, err := k.backend.UpdateIfDifferentIfLocked(ctx, valueKey, []byte(newID.String()), true, lock); err != nil {
- return fmt.Errorf("unable to create value-node key '%s': %s", valueKey, err)
+ return fmt.Errorf("unable to create value-node key '%s': %w", valueKey, err)
 }
 return nil
@@ -290,7 +290,7 @@ func (k *kvstoreBackend) UpdateKey(ctx context.Context, id idpool.ID, key alloca
 success, err := k.backend.CreateOnly(ctx, keyPath, keyEncoded, false)
 switch {
 case err != nil:
- return fmt.Errorf("Unable to re-create missing master key \"%s\" -> \"%s\": %s", fieldKey, valueKey, err)
+ return fmt.Errorf("Unable to re-create missing master key \"%s\" -> \"%s\": %w", fieldKey, valueKey, err)
 case success:
 log.WithField(fieldKey, keyPath).Warning("Re-created missing master key")
 }
@@ -305,7 +305,7 @@ func (k *kvstoreBackend) UpdateKey(ctx context.Context, id idpool.ID, key alloca
 }
 switch {
 case err != nil:
- return fmt.Errorf("Unable to re-create missing slave key \"%s\" -> \"%s\": %s", fieldKey, valueKey, err)
+ return fmt.Errorf("Unable to re-create missing slave key \"%s\" -> \"%s\": %w", fieldKey, valueKey, err)
 case recreated:
 log.WithField(fieldKey, valueKey).Warning("Re-created missing slave key")
 }
@@ -330,7 +330,7 @@ func (k *kvstoreBackend) UpdateKeyIfLocked(ctx context.Context, id idpool.ID, ke
 success, err := k.backend.CreateOnlyIfLocked(ctx, keyPath, keyEncoded, false, lock)
 switch {
 case err != nil:
- return fmt.Errorf("Unable to re-create missing master key \"%s\" -> \"%s\": %s", fieldKey, valueKey, err)
+ return fmt.Errorf("Unable to re-create missing master key \"%s\" -> \"%s\": %w", fieldKey, valueKey, err)
 case success:
 log.WithField(fieldKey, keyPath).Warning("Re-created missing master key")
 }
@@ -346,7 +346,7 @@ func (k *kvstoreBackend) UpdateKeyIfLocked(ctx context.Context, id idpool.ID, ke
 }
 switch {
 case err != nil:
- return fmt.Errorf("Unable to re-create missing slave key \"%s\" -> \"%s\": %s", fieldKey, valueKey, err)
+ return fmt.Errorf("Unable to re-create missing slave key \"%s\" -> \"%s\": %w", fieldKey, valueKey, err)
 case recreated:
 log.WithField(fieldKey, valueKey).Warning("Re-created missing slave key")
 }
@@ -384,7 +384,7 @@ func (k *kvstoreBackend) RunLocksGC(ctx context.Context, staleKeysPrevRound map[
 // fetch list of all /../locks keys
 allocated, err := k.backend.ListPrefix(ctx, k.lockPrefix)
 if err != nil {
- return nil, fmt.Errorf("list failed: %s", err)
+ return nil, fmt.Errorf("list failed: %w", err)
 }
 staleKeys := map[string]kvstore.Value{}
@@ -433,7 +433,7 @@ func (k *kvstoreBackend) RunGC(
 // fetch list of all /id/ keys
 allocated, err := k.backend.ListPrefix(ctx, k.idPrefix)
 if err != nil {
- return nil, nil, fmt.Errorf("list failed: %s", err)
+ return nil, nil, fmt.Errorf("list failed: %w", err)
 }
 totalEntries := len(allocated)
diff --git a/vendor/github.com/cilium/cilium/pkg/kvstore/consul.go b/vendor/github.com/cilium/cilium/pkg/kvstore/consul.go
index d4fb8bfbe33..287ec5f7d16 100644
--- a/vendor/github.com/cilium/cilium/pkg/kvstore/consul.go
+++ b/vendor/github.com/cilium/cilium/pkg/kvstore/consul.go
@@ -150,12 +150,12 @@ func (c *consulModule) connectConsulClient(ctx context.Context, opts *ExtraOptio
 if configPathOptSet && configPathOpt.value != "" {
 b, err := os.ReadFile(configPathOpt.value)
 if err != nil {
- return nil, fmt.Errorf("unable to read consul tls configuration file %s: %s", configPathOpt.value, err)
+ return nil, fmt.Errorf("unable to read consul tls configuration file %s: %w", configPathOpt.value, err)
 }
 yc := consulAPI.TLSConfig{}
 err = yaml.Unmarshal(b, &yc)
 if err != nil {
- return nil, fmt.Errorf("invalid consul tls configuration in %s: %s", configPathOpt.value, err)
+ return nil, fmt.Errorf("invalid consul tls configuration in %s: %w", configPathOpt.value, err)
 }
 c.config.TLSConfig = yc
 }
@@ -229,7 +229,7 @@ func newConsulClient(ctx context.Context, config *consulAPI.Config, opts *ExtraO
 wo := &consulAPI.WriteOptions{}
 lease, _, err := c.Session().Create(entry, wo.WithContext(ctx))
 if err != nil {
- return nil, fmt.Errorf("unable to create default lease: %s", err)
+ return nil, fmt.Errorf("unable to create default lease: %w", err)
 }
 client := &consulClient{
@@ -295,7 +295,7 @@ func (c *consulClient) LockPath(ctx context.Context, path string) (KVLocker, err
 select {
 case <-ctx.Done():
- return nil, fmt.Errorf("lock cancelled via context: %s", ctx.Err())
+ return nil, fmt.Errorf("lock cancelled via context: %w", ctx.Err())
 default:
 }
 }
@@ -651,7 +651,7 @@ func (c *consulClient) createOnly(ctx context.Context, key string, value []byte,
 success, _, err := c.KV().CAS(k, opts.WithContext(ctx))
 increaseMetric(key, metricSet, "CreateOnly", duration.EndError(err).Total(), err)
 if err != nil {
- return false, fmt.Errorf("unable to compare-and-swap: %s", err)
+ return false, fmt.Errorf("unable to compare-and-swap: %w", err)
 }
 return success, nil
 }
@@ -666,7 +666,7 @@ func (c *consulClient) createIfExists(ctx context.Context, condKey, key string,
 l, err := LockPath(ctx, c, condKey)
 if err != nil {
- return fmt.Errorf("unable to lock condKey for CreateIfExists: %s", err)
+ return fmt.Errorf("unable to lock condKey for CreateIfExists: %w", err)
 }
 defer l.Unlock(context.Background())
diff --git a/vendor/github.com/cilium/cilium/pkg/kvstore/etcd.go b/vendor/github.com/cilium/cilium/pkg/kvstore/etcd.go
index a3dbb92019a..ece4e47b336 100644
--- a/vendor/github.com/cilium/cilium/pkg/kvstore/etcd.go
+++ b/vendor/github.com/cilium/cilium/pkg/kvstore/etcd.go
@@ -321,12 +321,10 @@ func etcdClientDebugLevel() zapcore.Level {
 // Hint tries to improve the error message displayed to te user.
 func Hint(err error) error {
- switch err {
- case context.DeadlineExceeded:
+ if errors.Is(err, context.DeadlineExceeded) {
 return fmt.Errorf("etcd client timeout exceeded")
- default:
- return err
 }
+ return err
 }
 type etcdClient struct {
@@ -1039,7 +1037,7 @@ func (e *etcdClient) statusChecker() {
 switch {
 case consecutiveQuorumErrors > option.Config.KVstoreMaxConsecutiveQuorumErrors:
- e.latestErrorStatus = fmt.Errorf("quorum check failed %d times in a row: %s",
+ e.latestErrorStatus = fmt.Errorf("quorum check failed %d times in a row: %w",
 consecutiveQuorumErrors, quorumError)
 e.latestStatusSnapshot = e.latestErrorStatus.Error()
 case len(endpoints) > 0 && ok == 0:
diff --git a/vendor/github.com/cilium/cilium/pkg/kvstore/lock.go b/vendor/github.com/cilium/cilium/pkg/kvstore/lock.go
index 5e72ba597e4..c70ee81046b 100644
--- a/vendor/github.com/cilium/cilium/pkg/kvstore/lock.go
+++ b/vendor/github.com/cilium/cilium/pkg/kvstore/lock.go
@@ -97,7 +97,7 @@ func (pl *pathLocks) lock(ctx context.Context, path string) (id uuid.UUID, err e
 select {
 case <-lockTimer.After(time.Duration(10) * time.Millisecond):
 case <-ctx.Done():
- err = fmt.Errorf("lock was cancelled: %s", ctx.Err())
+ err = fmt.Errorf("lock was cancelled: %w", ctx.Err())
 return
 }
 }
@@ -133,7 +133,7 @@ func LockPath(ctx context.Context, backend BackendOperations, path string) (l *L
 if err != nil {
 kvstoreLocks.unlock(path, id)
 Trace("Failed to lock", err, logrus.Fields{fieldKey: path})
- err = fmt.Errorf("error while locking path %s: %s", path, err)
+ err = fmt.Errorf("error while locking path %s: %w", path, err)
 return nil, err
 }
diff --git a/vendor/github.com/cilium/cilium/pkg/labels/labels.go b/vendor/github.com/cilium/cilium/pkg/labels/labels.go
index 64d3747aeb0..74a7afd32c8 100644
--- a/vendor/github.com/cilium/cilium/pkg/labels/labels.go
+++ b/vendor/github.com/cilium/cilium/pkg/labels/labels.go
@@ -293,7 +293,7 @@ func (l *Label) UnmarshalJSON(data []byte) error {
 var aux string
 if err := json.Unmarshal(data, &aux); err != nil {
- return fmt.Errorf("decode of Label as string failed: %+v", err)
+ return fmt.Errorf("decode of Label as string failed: %w", err)
 }
 if aux == "" {
diff --git a/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go b/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go
index f4810989be3..570d2260d7b 100644
--- a/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go
+++ b/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go
@@ -736,4 +736,7 @@ const (
 // State is the state of an individual component (apiserver, kvstore etc)
 State = "state"
+
+ // EtcdClusterID is the ID of the etcd cluster
+ EtcdClusterID = "etcdClusterID"
 )
diff --git a/vendor/github.com/cilium/cilium/pkg/mac/mac.go b/vendor/github.com/cilium/cilium/pkg/mac/mac.go
index f846edb4fec..1938964d720 100644
--- a/vendor/github.com/cilium/cilium/pkg/mac/mac.go
+++ b/vendor/github.com/cilium/cilium/pkg/mac/mac.go
@@ -107,7 +107,7 @@ func (m *MAC) UnmarshalJSON(data []byte) error {
 func GenerateRandMAC() (MAC, error) {
 buf := make([]byte, 6)
 if _, err := rand.Read(buf); err != nil {
- return nil, fmt.Errorf("Unable to retrieve 6 rnd bytes: %s", err)
+ return nil, fmt.Errorf("Unable to retrieve 6 rnd bytes: %w", err)
 }
 // Set locally administered addresses bit and reset multicast bit
diff --git a/vendor/github.com/cilium/cilium/pkg/maps/lxcmap/lxcmap.go b/vendor/github.com/cilium/cilium/pkg/maps/lxcmap/lxcmap.go
index cd20a752555..51261df078a 100644
--- a/vendor/github.com/cilium/cilium/pkg/maps/lxcmap/lxcmap.go
+++ b/vendor/github.com/cilium/cilium/pkg/maps/lxcmap/lxcmap.go
@@ -85,12 +85,12 @@ func GetBPFKeys(e EndpointFrontend) []*EndpointKey {
 func GetBPFValue(e EndpointFrontend) (*EndpointInfo, error) {
 mac, err := e.LXCMac().Uint64()
 if err != nil {
- return nil, fmt.Errorf("invalid LXC MAC: %v", err)
+ return nil, fmt.Errorf("invalid LXC MAC: %w", err)
 }
 nodeMAC, err := e.GetNodeMAC().Uint64()
 if err != nil {
- return nil, fmt.Errorf("invalid node MAC: %v", err)
+ return nil, fmt.Errorf("invalid node MAC: %w", err)
 }
 info := &EndpointInfo{
@@ -213,7 +213,7 @@ func DeleteElement(f EndpointFrontend) []error {
 var errors []error
 for _, k := range GetBPFKeys(f) {
 if err := LXCMap().Delete(k); err != nil {
- errors = append(errors, fmt.Errorf("Unable to delete key %v from %s: %s", k, bpf.MapPath(MapName), err))
+ errors = append(errors, fmt.Errorf("Unable to delete key %v from %s: %w", k, bpf.MapPath(MapName), err))
 }
 }
@@ -232,7 +232,7 @@ func DumpToMap() (map[string]EndpointInfo, error) {
 }
 if err := LXCMap().DumpWithCallback(callback); err != nil {
- return nil, fmt.Errorf("unable to read BPF endpoint list: %s", err)
+ return nil, fmt.Errorf("unable to read BPF endpoint list: %w", err)
 }
 return m, nil
diff --git a/vendor/github.com/cilium/cilium/pkg/mountinfo/mountinfo.go b/vendor/github.com/cilium/cilium/pkg/mountinfo/mountinfo.go
index 62711a97ce3..54f509054c2 100644
--- a/vendor/github.com/cilium/cilium/pkg/mountinfo/mountinfo.go
+++ b/vendor/github.com/cilium/cilium/pkg/mountinfo/mountinfo.go
@@ -107,7 +107,7 @@ func parseMountInfoFile(r io.Reader) ([]*MountInfo, error) {
 func GetMountInfo() ([]*MountInfo, error) {
 fMounts, err := os.Open(mountInfoFilepath)
 if err != nil {
- return nil, fmt.Errorf("failed to open mount information at %s: %s", mountInfoFilepath, err)
+ return nil, fmt.Errorf("failed to open mount information at %s: %w", mountInfoFilepath, err)
 }
 defer fMounts.Close()
diff --git a/vendor/github.com/cilium/cilium/pkg/option/config.go b/vendor/github.com/cilium/cilium/pkg/option/config.go
index 758ce9d96a5..27c697d9e31 100644
--- a/vendor/github.com/cilium/cilium/pkg/option/config.go
+++ b/vendor/github.com/cilium/cilium/pkg/option/config.go
@@ -14,6 +14,7 @@ import (
 "net/netip"
 "os"
 "path/filepath"
+ "regexp"
 "runtime"
 "sort"
 "strconv"
@@ -388,6 +389,10 @@ const (
 // to skip netfilter connection tracking on all pod traffic.
 InstallNoConntrackIptRules = "install-no-conntrack-iptables-rules"
+ // ContainerIPLocalReservedPorts instructs the Cilium CNI plugin to reserve
+ // the provided comma-separated list of ports in the container network namespace
+ ContainerIPLocalReservedPorts = "container-ip-local-reserved-ports"
+
 // IPv6NodeAddr is the IPv6 address of node
 IPv6NodeAddr = "ipv6-node"
@@ -1247,6 +1252,12 @@ const (
 // is considered timed out
 ProxyConnectTimeout = "proxy-connect-timeout"
+ // ProxyXffNumTrustedHopsIngress specifies the number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners.
+ ProxyXffNumTrustedHopsIngress = "proxy-xff-num-trusted-hops-ingress"
+
+ // ProxyXffNumTrustedHopsEgress specifies the number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
+ ProxyXffNumTrustedHopsEgress = "proxy-xff-num-trusted-hops-egress"
+
 // ProxyGID specifies the group ID that has access to unix domain sockets opened by Cilium
 // agent for proxy configuration and access logging.
 ProxyGID = "proxy-gid"
@@ -1613,6 +1624,12 @@ type DaemonConfig struct {
 // connection attempt to have timed out.
 ProxyConnectTimeout int
+ // ProxyXffNumTrustedHopsIngress defines the number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners.
+ ProxyXffNumTrustedHopsIngress uint32
+
+ // ProxyXffNumTrustedHopsEgress defines the number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
+ ProxyXffNumTrustedHopsEgress uint32
+
 // ProxyGID specifies the group ID that has access to unix domain sockets opened by Cilium
 // agent for proxy configuration and access logging.
 ProxyGID int
@@ -2319,6 +2336,10 @@ type DaemonConfig struct {
 // InstallNoConntrackIptRules instructs Cilium to install Iptables rules to skip netfilter connection tracking on all pod traffic.
 InstallNoConntrackIptRules bool
+ // ContainerIPLocalReservedPorts instructs the Cilium CNI plugin to reserve
+ // the provided comma-separated list of ports in the container network namespace
+ ContainerIPLocalReservedPorts string
+
 // EnableCustomCalls enables tail call hooks for user-defined custom
 // eBPF programs, typically used to collect custom per-endpoint
 // metrics.
@@ -2795,15 +2816,27 @@ func (c *DaemonConfig) validateHubbleRedact() error {
 return nil
 }
+func (c *DaemonConfig) validateContainerIPLocalReservedPorts() error {
+ if c.ContainerIPLocalReservedPorts == "" || c.ContainerIPLocalReservedPorts == defaults.ContainerIPLocalReservedPortsAuto {
+ return nil
+ }
+
+ if regexp.MustCompile(`^(\d+(-\d+)?)(,\d+(-\d+)?)*$`).MatchString(c.ContainerIPLocalReservedPorts) {
+ return nil
+ }
+
+ return fmt.Errorf("Invalid comma separated list of of ranges for %s option", ContainerIPLocalReservedPorts)
+}
+
 // Validate validates the daemon configuration
 func (c *DaemonConfig) Validate(vp *viper.Viper) error {
 if err := c.validateIPv6ClusterAllocCIDR(); err != nil {
- return fmt.Errorf("unable to parse CIDR value '%s' of option --%s: %s",
+ return fmt.Errorf("unable to parse CIDR value '%s' of option --%s: %w",
 c.IPv6ClusterAllocCIDR, IPv6ClusterAllocCIDRName, err)
 }
 if err := c.validateIPv6NAT46x64CIDR(); err != nil {
- return fmt.Errorf("unable to parse internal CIDR value '%s': %s",
+ return fmt.Errorf("unable to parse internal CIDR value '%s': %w",
 c.IPv6NAT46x64CIDR, err)
 }
@@ -2892,6 +2925,10 @@ func (c *DaemonConfig) Validate(vp *viper.Viper) error {
 return err
 }
+ if err := c.validateContainerIPLocalReservedPorts(); err != nil {
+ return err
+ }
+
 return nil
 }
@@ -2901,7 +2938,7 @@ func ReadDirConfig(dirName string) (map[string]interface{}, error) {
 m := map[string]interface{}{}
 files, err := os.ReadDir(dirName)
 if err != nil && !os.IsNotExist(err) {
- return nil, fmt.Errorf("unable to read configuration directory: %s", err)
+ return nil, fmt.Errorf("unable to read configuration directory: %w", err)
 }
 for _, f := range files {
 if f.IsDir() {
@@ -2942,7 +2979,7 @@ func ReadDirConfig(dirName string) (map[string]interface{}, error) {
 func MergeConfig(vp *viper.Viper, m map[string]interface{}) error {
 err := vp.MergeConfigMap(m)
 if err != nil {
- return fmt.Errorf("unable to read merge directory configuration: %s", err)
+ return fmt.Errorf("unable to read merge directory configuration: %w", err)
 }
 return nil
 }
@@ -2974,7 +3011,7 @@ func (c *DaemonConfig) parseExcludedLocalAddresses(s []string) error {
 for _, ipString := range s {
 _, ipnet, err := net.ParseCIDR(ipString)
 if err != nil {
- return fmt.Errorf("unable to parse excluded local address %s: %s", ipString, err)
+ return fmt.Errorf("unable to parse excluded local address %s: %w", ipString, err)
 }
 c.ExcludeLocalAddresses = append(c.ExcludeLocalAddresses, ipnet)
@@ -3122,6 +3159,8 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
 c.PreAllocateMaps = vp.GetBool(PreAllocateMapsName)
 c.ProcFs = vp.GetString(ProcFs)
 c.ProxyConnectTimeout = vp.GetInt(ProxyConnectTimeout)
+ c.ProxyXffNumTrustedHopsIngress = vp.GetUint32(ProxyXffNumTrustedHopsIngress)
+ c.ProxyXffNumTrustedHopsEgress = vp.GetUint32(ProxyXffNumTrustedHopsEgress)
 c.ProxyGID = vp.GetInt(ProxyGID)
 c.ProxyPrometheusPort = vp.GetInt(ProxyPrometheusPort)
 c.ProxyMaxRequestsPerConnection = vp.GetInt(ProxyMaxRequestsPerConnection)
@@ -3152,6 +3191,7 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
 c.LoadBalancerRSSv4CIDR = vp.GetString(LoadBalancerRSSv4CIDR)
 c.LoadBalancerRSSv6CIDR = vp.GetString(LoadBalancerRSSv6CIDR)
 c.InstallNoConntrackIptRules = vp.GetBool(InstallNoConntrackIptRules)
+ c.ContainerIPLocalReservedPorts = vp.GetString(ContainerIPLocalReservedPorts)
 c.EnableCustomCalls = vp.GetBool(EnableCustomCallsName)
 c.BGPAnnounceLBIP = vp.GetBool(BGPAnnounceLBIP)
 c.BGPAnnouncePodCIDR = vp.GetBool(BGPAnnouncePodCIDR)
@@ -3468,7 +3508,7 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
 dec := json.NewDecoder(strings.NewReader(enc))
 var result flowpb.FlowFilter
 if err := dec.Decode(&result); err != nil {
- if err == io.EOF {
+ if errors.Is(err, io.EOF) {
 break
 }
 log.Fatalf("failed to decode hubble-export-allowlist '%v': %s", enc, err)
@@ -3480,7 +3520,7 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
 dec := json.NewDecoder(strings.NewReader(enc))
 var result flowpb.FlowFilter
 if err := dec.Decode(&result); err != nil {
- if err == io.EOF {
+ if errors.Is(err, io.EOF) {
 break
 }
 log.Fatalf("failed to decode hubble-export-denylist '%v': %s", enc, err)
@@ -3614,11 +3654,11 @@ func (c *DaemonConfig) populateNodePortRange(vp *viper.Viper) error {
 c.NodePortMin, err = strconv.Atoi(nodePortRange[0])
 if err != nil {
- return fmt.Errorf("Unable to parse min port value for NodePort range: %s", err.Error())
+ return fmt.Errorf("Unable to parse min port value for NodePort range: %w", err)
 }
 c.NodePortMax, err = strconv.Atoi(nodePortRange[1])
 if err != nil {
- return fmt.Errorf("Unable to parse max port value for NodePort range: %s", err.Error())
+ return fmt.Errorf("Unable to parse max port value for NodePort range: %w", err)
 }
 if c.NodePortMax <= c.NodePortMin {
 return errors.New("NodePort range min port must be smaller than max port")
@@ -4315,7 +4355,7 @@ func parseBPFMapEventConfigs(confs BPFEventBufferConfigs, confMap map[string]str
 for name, confStr := range confMap {
 conf, err := ParseEventBufferTupleString(confStr)
 if err != nil {
- return fmt.Errorf("unable to parse %s: %s", BPFMapEventBuffers, err)
+ return fmt.Errorf("unable to parse %s: %w", BPFMapEventBuffers, err)
 }
 confs[name] = conf
 }
diff --git a/vendor/github.com/cilium/cilium/pkg/policy/api/groups.go b/vendor/github.com/cilium/cilium/pkg/policy/api/groups.go
index 9edcab8bab7..fb3174ead0d 100644
--- a/vendor/github.com/cilium/cilium/pkg/policy/api/groups.go
+++ b/vendor/github.com/cilium/cilium/pkg/policy/api/groups.go
@@ -57,7 +57,7 @@ func (group *ToGroups) GetCidrSet(ctx context.Context) ([]CIDRRule, error) {
 awsAddrs, err := callback(ctx, group)
 if err != nil {
 return nil, fmt.Errorf(
- "Cannot retrieve data from %s provider: %s",
+ "Cannot retrieve data from %s provider: %w",
 AWSProvider, err)
 }
 addrs = append(addrs, awsAddrs...)
diff --git a/vendor/github.com/cilium/cilium/pkg/policy/api/rule_validation.go b/vendor/github.com/cilium/cilium/pkg/policy/api/rule_validation.go
index 27e18d19694..b2db0b45d03 100644
--- a/vendor/github.com/cilium/cilium/pkg/policy/api/rule_validation.go
+++ b/vendor/github.com/cilium/cilium/pkg/policy/api/rule_validation.go
@@ -412,7 +412,7 @@ func (pp *PortProtocol) sanitize() (isZero bool, err error) {
 } else {
 p, err := strconv.ParseUint(pp.Port, 0, 16)
 if err != nil {
- return isZero, fmt.Errorf("Unable to parse port: %s", err)
+ return isZero, fmt.Errorf("Unable to parse port: %w", err)
 }
 isZero = p == 0
 }
@@ -446,7 +446,7 @@ func (c CIDR) sanitize() error {
 if err != nil {
 _, err := netip.ParseAddr(strCIDR)
 if err != nil {
- return fmt.Errorf("unable to parse CIDR: %s", err)
+ return fmt.Errorf("unable to parse CIDR: %w", err)
 }
 return nil
 }
@@ -466,7 +466,7 @@ func (c *CIDRRule) sanitize() error {
 // the logic in api.CIDR.Sanitize().
 prefix, err := netip.ParsePrefix(string(c.Cidr))
 if err != nil {
- return fmt.Errorf("Unable to parse CIDRRule %q: %s", c.Cidr, err)
+ return fmt.Errorf("Unable to parse CIDRRule %q: %w", c.Cidr, err)
 }
 prefixLength := prefix.Bits()
diff --git a/vendor/github.com/cilium/cilium/pkg/policy/api/selector.go b/vendor/github.com/cilium/cilium/pkg/policy/api/selector.go
index 5a5cf29be1d..c23aa0d9c2b 100644
--- a/vendor/github.com/cilium/cilium/pkg/policy/api/selector.go
+++ b/vendor/github.com/cilium/cilium/pkg/policy/api/selector.go
@@ -345,7 +345,7 @@ func (n *EndpointSelector) ConvertToLabelSelectorRequirementSlice() []slim_metav
 func (n *EndpointSelector) sanitize() error {
 errList := validation.ValidateLabelSelector(n.LabelSelector, validation.LabelSelectorValidationOptions{AllowInvalidLabelValueInSelector: false}, nil)
 if len(errList) > 0 {
- return fmt.Errorf("invalid label selector: %s", errList.ToAggregate().Error())
+ return fmt.Errorf("invalid label selector: %w", errList.ToAggregate())
 }
 return nil
 }
diff --git a/vendor/github.com/cilium/cilium/pkg/policy/rule.go b/vendor/github.com/cilium/cilium/pkg/policy/rule.go
index d5f3101f167..b1e19e640b8 100644
--- a/vendor/github.com/cilium/cilium/pkg/policy/rule.go
+++ b/vendor/github.com/cilium/cilium/pkg/policy/rule.go
@@ -571,22 +571,26 @@ func (r *rule) resolveIngressPolicy( func (r *rule) matches(securityIdentity *identity.Identity) bool { r.metadata.Mutex.Lock() defer r.metadata.Mutex.Unlock() - var ruleMatches bool + isNode := securityIdentity.ID == identity.ReservedIdentityHost if ruleMatches, cached := r.metadata.IdentitySelected[securityIdentity.ID]; cached { return ruleMatches } - isNode := securityIdentity.ID == identity.ReservedIdentityHost + + // Short-circuit if the rule's selector type (node vs. endpoint) does not match the + // identity's type if (r.NodeSelector.LabelSelector != nil) != isNode { r.metadata.IdentitySelected[securityIdentity.ID] = false - return ruleMatches + return false } + // Fall back to costly matching. - if ruleMatches = r.getSelector().Matches(securityIdentity.LabelArray); ruleMatches { - // Update cache so we don't have to do costly matching again. - r.metadata.IdentitySelected[securityIdentity.ID] = true - } else { - r.metadata.IdentitySelected[securityIdentity.ID] = false + ruleMatches := r.getSelector().Matches(securityIdentity.LabelArray) + + // Update cache so we don't have to do costly matching again. + // the local Host identity has mutable labels, so we cannot use the cache + if !isNode { + r.metadata.IdentitySelected[securityIdentity.ID] = ruleMatches } return ruleMatches diff --git a/vendor/github.com/cilium/cilium/pkg/policy/rules.go b/vendor/github.com/cilium/cilium/pkg/policy/rules.go index f5b0a225982..9caa9e88db0 100644 --- a/vendor/github.com/cilium/cilium/pkg/policy/rules.go +++ b/vendor/github.com/cilium/cilium/pkg/policy/rules.go 
@@ -128,7 +128,7 @@ func (rules ruleSlice) updateEndpointsCaches(ep Endpoint) (bool, error) {
 id := ep.GetID16()
 securityIdentity, err := ep.GetSecurityIdentity()
 if err != nil {
- return false, fmt.Errorf("cannot update caches in rules for endpoint %d because it is being deleted: %s", id, err)
+ return false, fmt.Errorf("cannot update caches in rules for endpoint %d because it is being deleted: %w", id, err)
 }
 if securityIdentity == nil {
diff --git a/vendor/github.com/cilium/cilium/pkg/policy/visibility.go b/vendor/github.com/cilium/cilium/pkg/policy/visibility.go
index fd821eca401..b02315f63d8 100644
--- a/vendor/github.com/cilium/cilium/pkg/policy/visibility.go
+++ b/vendor/github.com/cilium/cilium/pkg/policy/visibility.go
@@ -67,7 +67,7 @@ func NewVisibilityPolicy(anno string) (*VisibilityPolicy, error) {
 portInt, err := strconv.ParseUint(port, 10, 16)
 if err != nil {
- return nil, fmt.Errorf("unable to parse port: %s", err)
+ return nil, fmt.Errorf("unable to parse port: %w", err)
 }
 // Don't need to validate, regex already did that.
diff --git a/vendor/github.com/cilium/cilium/pkg/rate/api_limiter.go b/vendor/github.com/cilium/cilium/pkg/rate/api_limiter.go
index 8c34f563fc1..68728f23517 100644
--- a/vendor/github.com/cilium/cilium/pkg/rate/api_limiter.go
+++ b/vendor/github.com/cilium/cilium/pkg/rate/api_limiter.go
@@ -890,7 +890,7 @@ func (s *APILimiterSet) Wait(ctx context.Context, name string) (LimitedRequest,
 func parsePositiveInt(value string) (int, error) {
 switch i64, err := strconv.ParseInt(value, 10, 64); {
 case err != nil:
- return 0, fmt.Errorf("unable to parse positive integer %q: %v", value, err)
+ return 0, fmt.Errorf("unable to parse positive integer %q: %w", value, err)
 case i64 < 0:
 return 0, fmt.Errorf("unable to parse positive integer %q: negative value", value)
 case i64 > math.MaxInt:
diff --git a/vendor/github.com/cilium/cilium/pkg/sysctl/sysctl.go b/vendor/github.com/cilium/cilium/pkg/sysctl/sysctl.go
index ea5bee3b031..7ec9bfaca68 100644
--- a/vendor/github.com/cilium/cilium/pkg/sysctl/sysctl.go
+++ b/vendor/github.com/cilium/cilium/pkg/sysctl/sysctl.go
@@ -95,12 +95,12 @@ func writeSysctl(name string, value string) error {
 }
 f, err := os.OpenFile(path, os.O_RDWR, 0644)
 if err != nil {
- return fmt.Errorf("could not open the sysctl file %s: %s",
+ return fmt.Errorf("could not open the sysctl file %s: %w",
 path, err)
 }
 defer f.Close()
 if _, err := io.WriteString(f, value); err != nil {
- return fmt.Errorf("could not write to the systctl file %s: %s",
+ return fmt.Errorf("could not write to the systctl file %s: %w",
 path, err)
 }
 return nil
@@ -134,7 +134,7 @@ func Read(name string) (string, error) {
 }
 val, err := os.ReadFile(path)
 if err != nil {
- return "", fmt.Errorf("Failed to read %s: %s", path, err)
+ return "", fmt.Errorf("Failed to read %s: %w", path, err)
 }
 return strings.TrimRight(string(val), "\n"), nil
@@ -164,7 +164,7 @@ func ApplySettings(sysSettings []Setting) error {
 }).Info("Setting sysctl")
 if err := Write(s.Name, s.Val); err != nil {
 if !s.IgnoreErr || errors.Is(err, ErrInvalidSysctlParameter("")) {
- return fmt.Errorf("Failed to sysctl -w %s=%s: %s", s.Name, s.Val, err)
+ return fmt.Errorf("Failed to sysctl -w %s=%s: %w", s.Name, s.Val, err)
 }
 warn := "Failed to sysctl -w"
diff --git a/vendor/github.com/cilium/cilium/pkg/versioncheck/check.go b/vendor/github.com/cilium/cilium/pkg/versioncheck/check.go
index 6b5e34534f1..88474cfa7ec 100644
--- a/vendor/github.com/cilium/cilium/pkg/versioncheck/check.go
+++ b/vendor/github.com/cilium/cilium/pkg/versioncheck/check.go
@@ -20,7 +20,7 @@ import (
 func MustCompile(constraint string) semver.Range {
 verCheck, err := Compile(constraint)
 if err != nil {
- panic(fmt.Errorf("cannot compile go-version constraint '%s' %s", constraint, err))
+ panic(fmt.Errorf("cannot compile go-version constraint '%s': %w", constraint, err))
 }
 return verCheck
 }
@@ -36,7 +36,7 @@ func Compile(constraint string) (semver.Range, error) {
 func MustVersion(version string) semver.Version {
 ver, err := Version(version)
 if err != nil {
- panic(fmt.Errorf("cannot compile go-version version '%s' %s", version, err))
+ panic(fmt.Errorf("cannot compile go-version version '%s': %w", version, err))
 }
 return ver
 }
diff --git a/vendor/github.com/cilium/cilium/pkg/wireguard/types/types.go b/vendor/github.com/cilium/cilium/pkg/wireguard/types/types.go
index a6fb646156a..889e2a45481 100644
--- a/vendor/github.com/cilium/cilium/pkg/wireguard/types/types.go
+++ b/vendor/github.com/cilium/cilium/pkg/wireguard/types/types.go
@@ -5,6 +5,8 @@ package types
 const (
+ // ListenPort is the port on which the WireGuard tunnel device listens on
+ ListenPort = 51871
 // IfaceName is the name of the WireGuard tunnel device
 IfaceName = "cilium_wg0"
 // PrivKeyFilename is the name of the WireGuard private key file
diff --git a/vendor/github.com/cilium/dns/shared_client.go b/vendor/github.com/cilium/dns/shared_client.go
index 2857044db4d..0b8bbeec769 100644
--- a/vendor/github.com/cilium/dns/shared_client.go
+++ b/vendor/github.com/cilium/dns/shared_client.go
@@ -227,6 +227,17 @@ func handler(wg *sync.WaitGroup, client *Client, conn *Conn, requests chan reque return } start := time.Now() + + // Check if we already have a request with the same id + // Due to birthday paradox and the fact that ID is uint16 + // it's likely to happen with small number (~200) of concurrent requests + // which would result in goroutine leak as we would never close req.ch + if _, ok := waitingResponses[req.msg.Id]; ok { + req.ch <- sharedClientResponse{nil, 0, fmt.Errorf("duplicate request id %d", req.msg.Id)} + close(req.ch) + continue + } + err := client.SendContext(req.ctx, req.msg, conn, start) if err != nil { req.ch <- sharedClientResponse{nil, 0, err} @@ -280,7 +291,7 @@ func (c *SharedClient) ExchangeSharedContext(ctx context.Context, m *Msg) (r *Ms // This request keeps 'c.requests' open; sending a request may hang indefinitely if // the handler happens to quit at the same time. Use ctx.Done to avoid this. - timeout := c.Client.writeTimeout() + timeout := c.getTimeoutForRequest(c.Client.writeTimeout()) ctx, cancel := context.WithTimeout(ctx, timeout) defer cancel() respCh := make(chan sharedClientResponse) @@ -291,8 +302,13 @@ func (c *SharedClient) ExchangeSharedContext(ctx context.Context, m *Msg) (r *Ms } // Since c.requests is unbuffered, the handler is guaranteed to eventually close 'respCh' - resp := <-respCh - return resp.msg, resp.rtt, resp.err + select { + case resp := <-respCh: + return resp.msg, resp.rtt, resp.err + // This is just fail-safe mechanism in case there is another similar issue + case <-time.After(time.Minute): + return nil, 0, fmt.Errorf("timeout waiting for response") + } } // close closes and waits for the close to finish. diff --git a/vendor/modules.txt b/vendor/modules.txt index 825752d0139..b925175b125 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -33,7 +33,7 @@ github.com/bombsimon/logrusr/v4 # github.com/cespare/xxhash/v2 v2.2.0 ## explicit; go 1.11 github.com/cespare/xxhash/v2 -# github.com/cilium/cilium v1.15.4 +# github.com/cilium/cilium v1.15.5 ## explicit; go 1.21.0 github.com/cilium/cilium/api/v1/client github.com/cilium/cilium/api/v1/client/bgp @@ -207,7 +207,7 @@ github.com/cilium/cilium/pkg/u8proto github.com/cilium/cilium/pkg/version github.com/cilium/cilium/pkg/versioncheck github.com/cilium/cilium/pkg/wireguard/types -# github.com/cilium/dns v1.1.51-0.20231120140355-729345173dc3 +# github.com/cilium/dns v1.1.51-0.20240416134107-d47d0dd702a1 ## explicit; go 1.18 github.com/cilium/dns # github.com/cilium/ebpf v0.15.0