diff --git a/go.mod b/go.mod index 98a76581e57..e5c923c4a00 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.22.2 require ( github.com/bombsimon/logrusr/v4 v4.1.0 - github.com/cilium/cilium v1.15.10 + github.com/cilium/cilium v1.15.13 github.com/cilium/ebpf v0.15.0 github.com/cilium/little-vm-helper v0.0.19 github.com/cilium/lumberjack/v2 v2.3.0 diff --git a/go.sum b/go.sum index 7bd88f783d1..0d988cc02f5 100644 --- a/go.sum +++ b/go.sum @@ -51,8 +51,8 @@ github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cilium/checkmate v1.0.3 h1:CQC5eOmlAZeEjPrVZY3ZwEBH64lHlx9mXYdUehEwI5w= github.com/cilium/checkmate v1.0.3/go.mod h1:KiBTasf39/F2hf2yAmHw21YFl3hcEyP4Yk6filxc12A= -github.com/cilium/cilium v1.15.10 h1:DeTMoJQm78pgfrpfODSDOq+tWDS9ew0m1+B8SzojB4o= -github.com/cilium/cilium v1.15.10/go.mod h1:c7Pk1BmmZBUdYYxBGc/T4mLOocxmXx6K6idB7Iw012c= +github.com/cilium/cilium v1.15.13 h1:0E85euXBRJp+oJtiOGX5Zy5KZ4PIcVRFjGrXrLVirmI= +github.com/cilium/cilium v1.15.13/go.mod h1:CPlrRsHJAMdosrkc5/FN45WkZWW/Qlmy/Libk0SPMio= github.com/cilium/controller-tools v0.8.0-1 h1:D5xhwSUZZceaKAacHOyfcpUMgLbs2TGeJEijNHlAQlc= github.com/cilium/controller-tools v0.8.0-1/go.mod h1:qE2DXhVOiEq5ijmINcFbqi9GZrrUjzB1TuJU0xa6eoY= github.com/cilium/dns v1.1.51-0.20240416134107-d47d0dd702a1 h1:IR2iQhLyEVDJ52rPpqYAdRZMwlOSDl1XJqkD5PQJAfs= diff --git a/pkg/k8s/go.mod b/pkg/k8s/go.mod index 4ba402fa06a..7e88642ff8d 100644 --- a/pkg/k8s/go.mod +++ b/pkg/k8s/go.mod @@ -5,7 +5,7 @@ go 1.22.2 require ( github.com/blang/semver/v4 v4.0.0 - github.com/cilium/cilium v1.15.10 + github.com/cilium/cilium v1.15.13 github.com/sirupsen/logrus v1.9.3 golang.org/x/sync v0.10.0 k8s.io/apiextensions-apiserver v0.29.4 diff --git a/pkg/k8s/go.sum b/pkg/k8s/go.sum index af416075cca..be2e62543cd 100644 --- a/pkg/k8s/go.sum +++ b/pkg/k8s/go.sum 
@@ -2,8 +2,8 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/cilium/checkmate v1.0.3 h1:CQC5eOmlAZeEjPrVZY3ZwEBH64lHlx9mXYdUehEwI5w= github.com/cilium/checkmate v1.0.3/go.mod h1:KiBTasf39/F2hf2yAmHw21YFl3hcEyP4Yk6filxc12A= -github.com/cilium/cilium v1.15.10 h1:DeTMoJQm78pgfrpfODSDOq+tWDS9ew0m1+B8SzojB4o= -github.com/cilium/cilium v1.15.10/go.mod h1:c7Pk1BmmZBUdYYxBGc/T4mLOocxmXx6K6idB7Iw012c= +github.com/cilium/cilium v1.15.13 h1:0E85euXBRJp+oJtiOGX5Zy5KZ4PIcVRFjGrXrLVirmI= +github.com/cilium/cilium v1.15.13/go.mod h1:CPlrRsHJAMdosrkc5/FN45WkZWW/Qlmy/Libk0SPMio= github.com/cilium/controller-tools v0.8.0-1 h1:D5xhwSUZZceaKAacHOyfcpUMgLbs2TGeJEijNHlAQlc= github.com/cilium/controller-tools v0.8.0-1/go.mod h1:qE2DXhVOiEq5ijmINcFbqi9GZrrUjzB1TuJU0xa6eoY= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= diff --git a/pkg/k8s/vendor/github.com/cilium/cilium/AUTHORS b/pkg/k8s/vendor/github.com/cilium/cilium/AUTHORS index 61f2cda993e..7b493b67387 100644 --- a/pkg/k8s/vendor/github.com/cilium/cilium/AUTHORS +++ b/pkg/k8s/vendor/github.com/cilium/cilium/AUTHORS @@ -314,6 +314,7 @@ ishuar ishansharma887@gmail.com Ivan Makarychev i.makarychev@tinkoff.ru Ivar Lazzaro ivarlazzaro@gmail.com Jack-R-lantern tjdfkr2421@gmail.com +Jacob Henner code@ventricle.us Jacopo Nardiello jnardiello@users.noreply.github.com Jaff Cheng jaff.cheng.sh@gmail.com Jaime Caamaño Ruiz jcaamano@suse.com @@ -412,6 +413,7 @@ Liu Qun qunliu@zyhx-group.com liuxu liuxu623@gmail.com Livingstone S E livingstone.s.e@gmail.com Li Yiheng lyhutopi@gmail.com +Liyi Huang pdshly@gmail.com Liz Rice liz@lizrice.com log1cb0mb nabeelnrana@gmail.com LongHui Li longhui.li@woqutech.com 
@@ -547,6 +549,7 @@ Oliver Ni oliver.ni@gmail.com Oliver Wang a0924100192@gmail.com Omar Aloraini ooraini.dev@gmail.com Ondrej Blazek ondrej.blazek@firma.seznam.cz +oneumyvakin oneumyvaking@mail.ru Osthues osthues.matthias@gmail.com Pablo Ruiz pablo.ruiz@gmail.com Paco Xu paco.xu@daocloud.io @@ -653,6 +656,7 @@ Shane Utt shaneutt@linux.com Shantanu Deshpande shantanud106@gmail.com Shunpoco tkngsnsk313320@gmail.com Sigurd Spieckermann sigurd.spieckermann@gmail.com +Simone Magnani simone.magnani@isovalent.com Simone Sciarrati s.sciarrati@gmail.com Simon Pasquier spasquier@mirantis.com sknop 118932232+sknop-cgn@users.noreply.github.com @@ -721,6 +725,7 @@ Vadim Ponomarev velizarx@gmail.com vakr vakr@microsoft.com Valas Valancius valas@google.com Vance Li vanceli@tencent.com +verysonglaa 39988258+verysonglaa@users.noreply.github.com Vigneshwaren Sunder vickymailed@gmail.com viktor-kurchenko viktor.kurchenko@isovalent.com Viktor Kuzmin kvaster@gmail.com @@ -760,6 +765,7 @@ Xinyuan Zhang zhangxinyuan@google.com xyz-li hui0787411@163.com yanggang gang.yang@daocloud.io yanhongchang yanhongchang@100tal.com +Yann ILAS yann.ilas@gmail.com Yash Shetty yashshetty@google.com Ye Sijun junnplus@gmail.com Yiannis Yiakoumis yiannis@selfienetworks.com diff --git a/pkg/k8s/vendor/modules.txt b/pkg/k8s/vendor/modules.txt index 2c3ea57fb08..4ee47c82807 100644 --- a/pkg/k8s/vendor/modules.txt +++ b/pkg/k8s/vendor/modules.txt @@ -1,7 +1,7 @@ # github.com/blang/semver/v4 v4.0.0 ## explicit; go 1.14 github.com/blang/semver/v4 -# github.com/cilium/cilium v1.15.10 +# github.com/cilium/cilium v1.15.13 ## explicit; go 1.21.0 github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1 diff --git a/vendor/github.com/cilium/cilium/AUTHORS b/vendor/github.com/cilium/cilium/AUTHORS index 61f2cda993e..7b493b67387 100644 --- a/vendor/github.com/cilium/cilium/AUTHORS +++ b/vendor/github.com/cilium/cilium/AUTHORS 
@@ -314,6 +314,7 @@ ishuar ishansharma887@gmail.com Ivan Makarychev i.makarychev@tinkoff.ru Ivar Lazzaro ivarlazzaro@gmail.com Jack-R-lantern tjdfkr2421@gmail.com +Jacob Henner code@ventricle.us Jacopo Nardiello jnardiello@users.noreply.github.com Jaff Cheng jaff.cheng.sh@gmail.com Jaime Caamaño Ruiz jcaamano@suse.com @@ -412,6 +413,7 @@ Liu Qun qunliu@zyhx-group.com liuxu liuxu623@gmail.com Livingstone S E livingstone.s.e@gmail.com Li Yiheng lyhutopi@gmail.com +Liyi Huang pdshly@gmail.com Liz Rice liz@lizrice.com log1cb0mb nabeelnrana@gmail.com LongHui Li longhui.li@woqutech.com @@ -547,6 +549,7 @@ Oliver Ni oliver.ni@gmail.com Oliver Wang a0924100192@gmail.com Omar Aloraini ooraini.dev@gmail.com Ondrej Blazek ondrej.blazek@firma.seznam.cz +oneumyvakin oneumyvaking@mail.ru Osthues osthues.matthias@gmail.com Pablo Ruiz pablo.ruiz@gmail.com Paco Xu paco.xu@daocloud.io @@ -653,6 +656,7 @@ Shane Utt shaneutt@linux.com Shantanu Deshpande shantanud106@gmail.com Shunpoco tkngsnsk313320@gmail.com Sigurd Spieckermann sigurd.spieckermann@gmail.com +Simone Magnani simone.magnani@isovalent.com Simone Sciarrati s.sciarrati@gmail.com Simon Pasquier spasquier@mirantis.com sknop 118932232+sknop-cgn@users.noreply.github.com @@ -721,6 +725,7 @@ Vadim Ponomarev velizarx@gmail.com vakr vakr@microsoft.com Valas Valancius valas@google.com Vance Li vanceli@tencent.com +verysonglaa 39988258+verysonglaa@users.noreply.github.com Vigneshwaren Sunder vickymailed@gmail.com viktor-kurchenko viktor.kurchenko@isovalent.com Viktor Kuzmin kvaster@gmail.com @@ -760,6 +765,7 @@ Xinyuan Zhang zhangxinyuan@google.com xyz-li hui0787411@163.com yanggang gang.yang@daocloud.io yanhongchang yanhongchang@100tal.com +Yann ILAS yann.ilas@gmail.com Yash Shetty yashshetty@google.com Ye Sijun junnplus@gmail.com Yiannis Yiakoumis yiannis@selfienetworks.com 
diff --git a/vendor/github.com/cilium/cilium/pkg/datapath/types/bigtcp.go b/vendor/github.com/cilium/cilium/pkg/datapath/types/bigtcp.go
new file mode 100644
index 00000000000..e9074fd2da6
--- /dev/null
+++ b/vendor/github.com/cilium/cilium/pkg/datapath/types/bigtcp.go
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package types
+
+import (
+ "github.com/spf13/pflag"
+)
+
+const (
+ EnableIPv4BIGTCPFlag = "enable-ipv4-big-tcp"
+ EnableIPv6BIGTCPFlag = "enable-ipv6-big-tcp"
+)
+
+// BigTCPUserConfig are the configuration flags that the user can modify.
+type BigTCPUserConfig struct {
+ // EnableIPv6BIGTCP enables IPv6 BIG TCP (larger GSO/GRO limits) for the node including pods.
+ EnableIPv6BIGTCP bool
+
+ // EnableIPv4BIGTCP enables IPv4 BIG TCP (larger GSO/GRO limits) for the node including pods.
+ EnableIPv4BIGTCP bool
+}
+
+func (def BigTCPUserConfig) Flags(flags *pflag.FlagSet) {
+ flags.Bool(EnableIPv4BIGTCPFlag, def.EnableIPv4BIGTCP, "Enable IPv4 BIG TCP option which increases device's maximum GRO/GSO limits for IPv4")
+ flags.Bool(EnableIPv6BIGTCPFlag, def.EnableIPv6BIGTCP, "Enable IPv6 BIG TCP option which increases device's maximum GRO/GSO limits for IPv6")
+}
+
+func (def BigTCPUserConfig) IsIPv4Enabled() bool {
+ return def.EnableIPv4BIGTCP
+}
+
+func (def BigTCPUserConfig) IsIPv6Enabled() bool {
+ return def.EnableIPv6BIGTCP
+}
+
+type BigTCPConfig interface {
+ IsIPv4Enabled() bool
+ IsIPv6Enabled() bool
+}
diff --git a/vendor/github.com/cilium/cilium/pkg/datapath/types/loader.go b/vendor/github.com/cilium/cilium/pkg/datapath/types/loader.go
index f5b5bb64d78..58350517a35 100644
--- a/vendor/github.com/cilium/cilium/pkg/datapath/types/loader.go
+++ b/vendor/github.com/cilium/cilium/pkg/datapath/types/loader.go
@@ -46,7 +46,7 @@ type PreFilter interface { // Proxy is any type which installs rules related to redirecting traffic to // a proxy. type Proxy interface { - ReinstallRoutingRules() error + ReinstallRoutingRules(mtu int) error ReinstallIPTablesRules(ctx context.Context) error } @@ -54,7 +54,7 @@ type Proxy interface { type IptablesManager interface { // InstallProxyRules creates the necessary datapath config (e.g., iptables // rules for redirecting host proxy traffic on a specific ProxyPort) - InstallProxyRules(ctx context.Context, proxyPort uint16, ingress, localOnly bool, name string) error + InstallProxyRules(ctx context.Context, proxyPort uint16, ingress bool, name string) error // SupportsOriginalSourceAddr tells if the datapath supports // use of original source addresses in proxy upstream @@ -62,9 +62,9 @@ type IptablesManager interface { SupportsOriginalSourceAddr() bool InstallRules(ctx context.Context, ifName string, quiet, install bool) error - // GetProxyPort fetches the existing proxy port configured for the - // specified listener. Used early in bootstrap to reopen proxy ports. - GetProxyPort(listener string) uint16 + // GetProxyPorts fetches the existing proxy ports configured in the + // datapath. Used early in bootstrap to reopen proxy ports. + GetProxyPorts() map[string]uint16 // InstallNoTrackRules is explicitly called when a pod has valid // "policy.cilium.io/no-track-port" annotation. When diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/service_cache.go b/vendor/github.com/cilium/cilium/pkg/k8s/service_cache.go index 4f0666fd324..712dcfb5cea 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/service_cache.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/service_cache.go 
@@ -121,21 +121,24 @@ type ServiceCache struct { selfNodeZoneLabel string ServiceMutators []func(svc *slim_corev1.Service, svcInfo *Service) + + metrics SVCMetrics } // NewServiceCache returns a new ServiceCache -func NewServiceCache(nodeAddressing types.NodeAddressing) *ServiceCache { +func NewServiceCache(nodeAddressing types.NodeAddressing, svcMetrics SVCMetrics) *ServiceCache { return &ServiceCache{ services: map[ServiceID]*Service{}, endpoints: map[ServiceID]*EndpointSlices{}, externalEndpoints: map[ServiceID]externalEndpoints{}, Events: make(chan ServiceEvent, option.Config.K8sServiceCacheSize), nodeAddressing: nodeAddressing, + metrics: svcMetrics, } } -func newServiceCache(lc cell.Lifecycle, nodeAddressing types.NodeAddressing, cfg ServiceCacheConfig, lns *node.LocalNodeStore) *ServiceCache { - sc := NewServiceCache(nodeAddressing) +func newServiceCache(lc cell.Lifecycle, nodeAddressing types.NodeAddressing, cfg ServiceCacheConfig, lns *node.LocalNodeStore, metrics SVCMetrics) *ServiceCache { + sc := NewServiceCache(nodeAddressing, metrics) sc.config = cfg var wg sync.WaitGroup @@ -269,8 +272,10 @@ func (s *ServiceCache) UpdateService(k8sSvc *slim_corev1.Service, swg *lock.Stop if oldService.DeepEqual(newService) { return svcID } + s.metrics.DelService(oldService) } + s.metrics.AddService(newService) s.services[svcID] = newService // Check if the corresponding Endpoints resource is already available @@ -325,6 +330,7 @@ func (s *ServiceCache) DeleteService(k8sSvc *slim_corev1.Service, swg *lock.Stop delete(s.services, svcID) if serviceOK { + s.metrics.DelService(oldService) swg.Add() s.Events <- ServiceEvent{ Action: DeleteService, 
@@ -839,3 +845,21 @@ func (s *ServiceCache) updateSelfNodeLabels(labels map[string]string) { } } } + +type SVCMetrics interface { + AddService(svc *Service) + DelService(svc *Service) +} + +type svcMetricsNoop struct { +} + +func (s svcMetricsNoop) AddService(svc *Service) { +} + +func (s svcMetricsNoop) DelService(svc *Service) { +} + +func NewSVCMetricsNoop() SVCMetrics { + return &svcMetricsNoop{} +} diff --git a/vendor/github.com/cilium/cilium/pkg/option/config.go b/vendor/github.com/cilium/cilium/pkg/option/config.go index 4e150406b51..c892fe9b0fc 100644 --- a/vendor/github.com/cilium/cilium/pkg/option/config.go +++ b/vendor/github.com/cilium/cilium/pkg/option/config.go @@ -170,6 +170,10 @@ const ( // for the connection from proxy to upstream cluster ProxyIdleTimeout = "proxy-idle-timeout-seconds" + // RestoredProxyPortsAgeLimit specifies the time after which a restored proxy ports file is + // considered stale (in minutes) + RestoredProxyPortsAgeLimit = "restored-proxy-ports-age-limit" + // FixedIdentityMapping is the key-value for the fixed identity mapping // which allows to use reserved label for fixed identities FixedIdentityMapping = "fixed-identity-mapping" @@ -1659,6 +1663,10 @@ type DaemonConfig struct { // for the connection from proxy to upstream cluster ProxyIdleTimeout time.Duration + // RestoredProxyPortsAgeLimit specifies the time after which a restored proxy ports file is + // considered stale (in minutes) + RestoredProxyPortsAgeLimit uint + // EnvoyLogPath specifies where to store the Envoy proxy logs when Envoy // runs in the same container as Cilium. EnvoyLogPath string 
@@ -3191,6 +3199,7 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) { c.ProxyMaxRequestsPerConnection = vp.GetInt(ProxyMaxRequestsPerConnection) c.ProxyMaxConnectionDuration = time.Duration(vp.GetInt64(ProxyMaxConnectionDuration)) c.ProxyIdleTimeout = time.Duration(vp.GetInt64(ProxyIdleTimeout)) + c.RestoredProxyPortsAgeLimit = vp.GetUint(RestoredProxyPortsAgeLimit) c.RestoreState = vp.GetBool(Restore) c.RouteMetric = vp.GetInt(RouteMetric) c.RunDir = vp.GetString(StateDir) @@ -3315,11 +3324,6 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) { } } - if c.EnableIPv4 && ipv4NativeRoutingCIDR == "" && c.EnableAutoDirectRouting { - log.Warnf("If %s is enabled, then you are recommended to also configure %s. If %s is not configured, this may lead to pod to pod traffic being masqueraded, "+ - "which can cause problems with performance, observability and policy", EnableAutoDirectRoutingName, IPv4NativeRoutingCIDR, IPv4NativeRoutingCIDR) - } - ipv6NativeRoutingCIDR := vp.GetString(IPv6NativeRoutingCIDR) if ipv6NativeRoutingCIDR != "" { @@ -3333,11 +3337,6 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) { } } - if c.EnableIPv6 && ipv6NativeRoutingCIDR == "" && c.EnableAutoDirectRouting { - log.Warnf("If %s is enabled, then you are recommended to also configure %s. If %s is not configured, this may lead to pod to pod traffic being masqueraded, "+ - "which can cause problems with performance, observability and policy", EnableAutoDirectRoutingName, IPv6NativeRoutingCIDR, IPv6NativeRoutingCIDR) - } - if err := c.calculateBPFMapSizes(vp); err != nil { log.Fatal(err) } diff --git a/vendor/github.com/cilium/cilium/pkg/policy/api/egress.go b/vendor/github.com/cilium/cilium/pkg/policy/api/egress.go index f4eac3d7210..e64de3cd39c 100644 --- a/vendor/github.com/cilium/cilium/pkg/policy/api/egress.go +++ b/vendor/github.com/cilium/cilium/pkg/policy/api/egress.go 
@@ -319,6 +319,18 @@ func (e *EgressCommonRule) RequiresDerivative() bool { return len(e.ToGroups) > 0 } +func (e *EgressCommonRule) IsL3() bool { + if e == nil { + return false + } + return len(e.ToEndpoints) > 0 || + len(e.ToRequires) > 0 || + len(e.ToCIDR) > 0 || + len(e.ToCIDRSet) > 0 || + len(e.ToEntities) > 0 || + len(e.ToGroups) > 0 +} + // CreateDerivative will return a new rule based on the data gathered by the // rules that creates a new derivative policy. // In the case of ToGroups will call outside using the groups callback and this diff --git a/vendor/github.com/cilium/cilium/pkg/policy/api/ingress.go b/vendor/github.com/cilium/cilium/pkg/policy/api/ingress.go index a727d9df207..f0b99472fff 100644 --- a/vendor/github.com/cilium/cilium/pkg/policy/api/ingress.go +++ b/vendor/github.com/cilium/cilium/pkg/policy/api/ingress.go @@ -213,3 +213,16 @@ func (i *IngressCommonRule) GetSourceEndpointSelectorsWithRequirements(requireme func (i *IngressCommonRule) AllowsWildcarding() bool { return len(i.FromRequires) == 0 } + +// IsL3 returns true if the IngressCommonRule contains at least a rule that +// affects L3 policy enforcement. +func (in *IngressCommonRule) IsL3() bool { + if in == nil { + return false + } + return len(in.FromEndpoints) > 0 || + len(in.FromRequires) > 0 || + len(in.FromCIDR) > 0 || + len(in.FromCIDRSet) > 0 || + len(in.FromEntities) > 0 +} diff --git a/vendor/github.com/cilium/cilium/pkg/policy/api/rule.go b/vendor/github.com/cilium/cilium/pkg/policy/api/rule.go index f0224b1f48c..7a8ced8bbab 100644 --- a/vendor/github.com/cilium/cilium/pkg/policy/api/rule.go +++ b/vendor/github.com/cilium/cilium/pkg/policy/api/rule.go 
@@ -242,3 +242,21 @@ func (r *Rule) CreateDerivative(ctx context.Context) (*Rule, error) { } return newRule, nil } + +type PolicyMetrics interface { + AddRule(r Rule) + DelRule(r Rule) +} + +type policyMetricsNoop struct { +} + +func (p *policyMetricsNoop) AddRule(Rule) { +} + +func (p *policyMetricsNoop) DelRule(Rule) { +} + +func NewPolicyMetricsNoop() PolicyMetrics { + return &policyMetricsNoop{} +} diff --git a/vendor/github.com/cilium/cilium/pkg/policy/repository.go b/vendor/github.com/cilium/cilium/pkg/policy/repository.go index 52cde0e9274..8634743757f 100644 --- a/vendor/github.com/cilium/cilium/pkg/policy/repository.go +++ b/vendor/github.com/cilium/cilium/pkg/policy/repository.go @@ -140,6 +140,8 @@ type Repository struct { secretManager certificatemanager.SecretManager getEnvoyHTTPRules func(certificatemanager.SecretManager, *api.L7Rules, string) (*cilium.HttpNetworkPolicyRules, bool) + + metricsManager api.PolicyMetrics } // GetSelectorCache() returns the selector cache used by the Repository @@ -174,8 +176,9 @@ func NewPolicyRepository( idCache cache.IdentityCache, certManager certificatemanager.CertificateManager, secretManager certificatemanager.SecretManager, + metricsManager api.PolicyMetrics, ) *Repository { - repo := NewStoppedPolicyRepository(idAllocator, idCache, certManager, secretManager) + repo := NewStoppedPolicyRepository(idAllocator, idCache, certManager, secretManager, metricsManager) repo.Start() return repo } @@ -190,6 +193,7 @@ func NewStoppedPolicyRepository( idCache cache.IdentityCache, certManager certificatemanager.CertificateManager, secretManager certificatemanager.SecretManager, + metricsManager api.PolicyMetrics, ) *Repository { selectorCache := NewSelectorCache(idAllocator, idCache) repo := &Repository{ 
@@ -197,6 +201,7 @@ func NewStoppedPolicyRepository( selectorCache: selectorCache, certManager: certManager, secretManager: secretManager, + metricsManager: metricsManager, } repo.revision.Store(1) repo.policyCache = NewPolicyCache(repo, true) @@ -412,6 +417,7 @@ func (p *Repository) AddListLocked(rules api.Rules) (ruleSlice, uint64) { newList := make(ruleSlice, len(rules)) for i := range rules { + p.metricsManager.AddRule(*rules[i]) newRule := &rule{ Rule: *rules[i], metadata: newRuleMetadata(), @@ -524,6 +530,7 @@ func (p *Repository) DeleteByLabelsLocked(lbls labels.LabelArray) (ruleSlice, ui } else { deletedRules = append(deletedRules, r) deleted++ + p.metricsManager.DelRule(r.Rule) } } diff --git a/vendor/modules.txt b/vendor/modules.txt index 08fcfeda72b..01d28fa0dfc 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -33,7 +33,7 @@ github.com/bombsimon/logrusr/v4 # github.com/cespare/xxhash/v2 v2.2.0 ## explicit; go 1.11 github.com/cespare/xxhash/v2 -# github.com/cilium/cilium v1.15.10 +# github.com/cilium/cilium v1.15.13 ## explicit; go 1.21.0 github.com/cilium/cilium/api/v1/client github.com/cilium/cilium/api/v1/client/bgp