From 67c4d35a4521045f6796503374bef3200f73cbc1 Mon Sep 17 00:00:00 2001
From: Andrey Pavlov
Date: Thu, 8 Aug 2024 22:26:30 +0500
Subject: [PATCH 1/9] [cilium] embed cilium-cli as a subcommand
Signed-off-by: Andrey Pavlov
---
 Taskfile.yml | 49 ++++++-
 cmd/cilium.go | 25 ++++
 go.mod | 7 +-
 go.sum | 5 +
 .../cilium-cli/patches/001-defaults.patch | 124 ++++++++++++++++++
 .../patches/002-cnp-for-conn-tests.patch | 107 +++++++++++++++
 internal/cilium-cli/patches/README.md | 1 +
 7 files changed, 313 insertions(+), 5 deletions(-)
 create mode 100644 cmd/cilium.go
 create mode 100644 internal/cilium-cli/patches/001-defaults.patch
 create mode 100644 internal/cilium-cli/patches/002-cnp-for-conn-tests.patch
 create mode 100644 internal/cilium-cli/patches/README.md
diff --git a/Taskfile.yml b/Taskfile.yml
index 1dccc96..d59ae1b 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -34,14 +34,16 @@ vars: echo "${ldflags[*]-}" + ciliumCLIVersion: v0.15.22 + cgoTags: "dfrunsecurity dfrunnetwork dfrunmount dfssh containers_image_openpgp osusergo exclude_graphdriver_devicemapper netgo no_devmapper static_build cni" goTags: "dfrunsecurity dfrunnetwork dfrunmount dfssh containers_image_openpgp" cgoDevLDFlags: "-linkmode external -extldflags=-static" goDevLDFlags: "" - cgoReleaseLDFlags: "-linkmode external -extldflags=-static -s -w -X 'github.com/deckhouse/deckhouse-cli/cmd.Version={{ .version }}' -X github.com/werf/werf/pkg/werf.Version={{ .version }} {{ .kubectlLDFlags }}" - goReleaseLDFlags: "-s -w -X 'github.com/deckhouse/deckhouse-cli/cmd.Version={{ .version }}' -X github.com/werf/werf/pkg/werf.Version={{ .version }} {{ .kubectlLDFlags }}" + cgoReleaseLDFlags: "-linkmode external -extldflags=-static -s -w -X 'github.com/deckhouse/deckhouse-cli/cmd.Version={{ .version }}' -X 'github.com/cilium/cilium-cli/cli.Version={{ .ciliumCLIVersion }}' -X github.com/werf/werf/pkg/werf.Version={{ .version }} {{ .kubectlLDFlags }}" + goReleaseLDFlags: "-s -w -X 'github.com/deckhouse/deckhouse-cli/cmd.Version={{ .version }}' -X 'github.com/cilium/cilium-cli/cli.Version={{ .ciliumCLIVersion }}' -X github.com/werf/werf/pkg/werf.Version={{ .version }} {{ .kubectlLDFlags }}" tasks: _build:cgo:dev: @@ -136,6 +138,15 @@ tasks: - build:dist:darwin:arm64 - build:dist:windows:amd64 + build:dist:linux:amd64:wocgo: + desc: Build d8 release binary for linux/amd64 w/o cgo + cmds: + - task: _build:go:dist + vars: + targetOS: "linux" + targetArch: "amd64" + outputDir: "{{ .outputDir }}" + build:dist:linux:amd64: desc: Build d8 release binary for linux/amd64 cmds: 
@@ -238,3 +249,37 @@ tasks: desc: Clean all binaries cmds: - rm -rf ./build ./dist ./d8 + + _cilium:clone: + desc: Clone cilium-cli + cmds: + - mkdir -p internal/cilium-cli + - git clone --depth 1 --branch v{{ .CILIUM_CLI_VERSION }} {{ .SOURCE_REPO }}/cilium/cilium-cli.git internal/cilium-cli + vars: + CILIUM_CLI_VERSION: "0.15.22" + SOURCE_REPO: "https://github.com" + + _cilium:patch: + desc: Patch cilium-cli + cmds: + - cd internal/cilium-cli + - find /patches -name '*.patch' | xargs git apply --verbose --allow-empty + + _cilium:gomod-replace: + desc: Add replace to go.mod + cmds: + - go mod edit -replace github.com/cilium/cilium-cli=internal/cilium-cli + + _cilium:original-build: + desc: Build cilium-cli + cmds: + - cd internal/cilium-cli + - make install + + build-d8-w-cilium: + desc: Build and package all d8 binaries + cmds: + - task: _cilium:clone + - task: _cilium:patch + - task: _cilium:gomod-replace + - task: build:dist:linux:amd64 diff --git a/cmd/cilium.go b/cmd/cilium.go new file mode 100644 index 0000000..1f15db7 --- /dev/null +++ b/cmd/cilium.go @@ -0,0 +1,25 @@ +/* +Copyright 2024 Flant JSC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package cmd + +import ( + "github.com/cilium/cilium-cli/cli" +) + +func init() { + rootCmd.AddCommand(cli.NewCiliumCommand(&cli.NopHooks{})) +} diff --git a/go.mod b/go.mod index dfe7fb9..7db9fba 100644 --- a/go.mod +++ b/go.mod 
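Review bot: `_cilium:clone` pins the cilium-cli source by tag name only (`--branch v{{ .CILIUM_CLI_VERSION }}`), and a tag can be moved upstream. Because `_cilium:gomod-replace` then points the module at this local directory, the cloned tree is also outside go.sum verification. Record the reviewed commit id next to the version and fail the task when the checkout differs, for example `- test "$(git -C internal/cilium-cli rev-parse HEAD)" = "{{ .CILIUM_CLI_COMMIT }}"` after the clone line, where `CILIUM_CLI_COMMIT` is a new variable holding that id.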
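Review bot: The new `init` in cmd/cilium.go carries no comment saying which cilium-cli tree it expects. `cli.NewCiliumCommand` registers whatever the module graph resolves to, while the renamed defaults (and, later in this series, the removed commands) exist only in the patched copy that the Taskfile wires in with a build-time `replace`. A comment above `init` would make that dependency visible, for example `// init registers the cilium subcommand; it must be built against the patched cilium-cli tree (see the cilium-cli patches directory), not the upstream module.`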
@@ -4,6 +4,7 @@ go 1.22.0 require ( github.com/Masterminds/semver/v3 v3.2.1 + github.com/cilium/cilium-cli v0.15.22 github.com/deckhouse/virtualization/api v0.0.0-20240326113112-979c4f4f17b9 github.com/google/go-containerregistry v0.19.1 github.com/gookit/color v1.5.4 @@ -14,7 +15,7 @@ require ( github.com/samber/lo v1.39.0 github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.8.0 - github.com/spf13/pflag v1.0.5 + github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace github.com/stretchr/testify v1.9.0 github.com/werf/3p-helm v0.0.0-20240806141915-3137f4cc1557 github.com/werf/logboek v0.6.1 @@ -129,7 +130,7 @@ require ( github.com/dustin/go-humanize v1.0.1 // indirect github.com/emicklei/go-restful/v3 v3.11.2 // indirect github.com/emirpasic/gods v1.18.1 // indirect - github.com/evanphx/json-patch v5.8.0+incompatible // indirect + github.com/evanphx/json-patch v5.9.0+incompatible // indirect github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect github.com/fatih/camelcase v1.0.0 // indirect github.com/fatih/color v1.16.0 // indirect @@ -297,7 +298,7 @@ require ( github.com/ulikunitz/xz v0.5.11 // indirect github.com/vbatts/tar-split v0.11.5 // indirect github.com/vbauerster/mpb/v8 v8.7.2 // indirect - github.com/vishvananda/netlink v1.2.1-beta.2 // indirect + github.com/vishvananda/netlink v1.2.1-beta.2.0.20231127184239-0ced8385386a // indirect github.com/vishvananda/netns v0.0.4 // indirect github.com/wI2L/jsondiff v0.5.0 // indirect github.com/werf/copy-recurse v0.2.7 // indirect diff --git a/go.sum b/go.sum index ce438cd..cb89f55 100644 --- a/go.sum +++ b/go.sum 
@@ -181,6 +181,7 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04= github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= +github.com/cilium/cilium-cli v0.15.22/go.mod h1:lBs+5L0JBGyxfdjsQwQ+iJnkGHhK1xUDaGUCsxSXmZQ= github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4= github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= @@ -322,6 +323,7 @@ github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v5.8.0+incompatible h1:1Av9pn2FyxPdvrWNQszj1g6D6YthSmvCfcN6SYclTJg= github.com/evanphx/json-patch v5.8.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8= 
@@ -937,6 +939,7 @@ github.com/spf13/jwalterweatherman v0.0.0-20141219030609-3d60171a6431/go.mod h1: github.com/spf13/pflag v1.0.0/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v0.0.0-20150530192845-be5ff3e4840c/go.mod h1:A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM= github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ= github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk= @@ -998,6 +1001,7 @@ github.com/vbauerster/mpb/v8 v8.7.2 h1:SMJtxhNho1MV3OuFgS1DAzhANN1Ejc5Ct+0iSaIkB github.com/vbauerster/mpb/v8 v8.7.2/go.mod h1:ZFnrjzspgDHoxYLGvxIruiNk73GNTPG4YHgVNpR10VY= github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs= github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= +github.com/vishvananda/netlink v1.2.1-beta.2.0.20231127184239-0ced8385386a/go.mod h1:whJevzBpTrid75eZy99s3DqCmy05NfibNaF2Ol5Ox5A= github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8= github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= 
@@ -1311,6 +1315,7 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= diff --git a/internal/cilium-cli/patches/001-defaults.patch b/internal/cilium-cli/patches/001-defaults.patch new file mode 100644 index 0000000..343838e --- /dev/null +++ b/internal/cilium-cli/patches/001-defaults.patch 
@@ -0,0 +1,124 @@
+diff --git a/defaults/defaults.go b/defaults/defaults.go
+index 184eda2c..b1c68210 100644
+--- a/defaults/defaults.go
++++ b/defaults/defaults.go
+@@ -12,12 +12,12 @@ const (
+ Version = "v1.15.0"
+
+ AgentContainerName = "cilium-agent"
+- AgentServiceAccountName = "cilium"
+- AgentClusterRoleName = "cilium"
++ AgentServiceAccountName = "agent"
++ AgentClusterRoleName = "d8:cni-cilium:agent"
+ AgentSecretsRoleName = "cilium-secrets"
+ AgentConfigRoleName = "cilium-config-agent"
+- AgentDaemonSetName = "cilium"
+- AgentPodSelector = "k8s-app=cilium"
++ AgentDaemonSetName = "agent"
++ AgentPodSelector = "app=agent"
+ AgentResourceQuota = "cilium-resource-quota"
+ AgentImage = "quay.io/cilium/cilium"
+
+@@ -33,13 +33,13 @@ const (
+
+ NodeInitDaemonSetName = "cilium-node-init"
+
+- OperatorServiceAccountName = "cilium-operator"
+- OperatorClusterRoleName = "cilium-operator"
+- OperatorPodSelector = "io.cilium/app=operator"
++ OperatorServiceAccountName = "operator"
++ OperatorClusterRoleName = "d8:cni-cilium:operator"
++ OperatorPodSelector = "app=operator"
+ OperatorSecretsRoleName = "cilium-operator-secrets"
+- OperatorContainerName = "cilium-operator"
++ OperatorContainerName = "operator"
+ OperatorMetricsPortName = "prometheus"
+- OperatorDeploymentName = "cilium-operator"
++ OperatorDeploymentName = "operator"
+ OperatorResourceQuota = "cilium-operator-resource-quota"
+ OperatorImage = "quay.io/cilium/operator-generic"
+ OperatorImageAWS = "quay.io/cilium/operator-aws"
+@@ -50,15 +50,15 @@ const (
+ RelayContainerName = "hubble-relay"
+ RelayDeploymentName = "hubble-relay"
+ RelayClusterRoleName = "hubble-relay"
+- RelayServiceAccountName = "hubble-relay"
++ RelayServiceAccountName = "relay"
+ RelayConfigMapName = "hubble-relay-config"
+ RelayImage = "quay.io/cilium/hubble-relay"
+ RelayServerSecretName = "hubble-relay-server-certs"
+ RelayClientSecretName = "hubble-relay-client-certs"
+ HubbleUIClientSecretName = "hubble-ui-client-certs"
+
+- HubbleUIClusterRoleName = "hubble-ui"
+- HubbleUIServiceAccountName = "hubble-ui"
++ HubbleUIClusterRoleName = "d8:cilium-hubble:ui:reader"
++ HubbleUIServiceAccountName = "ui"
+ HubbleUIDeploymentName = "hubble-ui"
+ HubbleUIImage = "quay.io/cilium/hubble-ui"
+ HubbleUIBackendImage = "quay.io/cilium/hubble-ui-backend"
+diff --git a/internal/cli/cmd/cmd.go b/internal/cli/cmd/cmd.go
+index 0c38f5ac..a04fccb7 100644
+--- a/internal/cli/cmd/cmd.go
++++ b/internal/cli/cmd/cmd.go
+@@ -75,7 +75,7 @@ cilium connectivity test`,
+ }
+
+ cmd.PersistentFlags().StringVar(&contextName, "context", "", "Kubernetes configuration context")
+- cmd.PersistentFlags().StringVarP(&namespace, "namespace", "n", "kube-system", "Namespace Cilium is running in")
++ cmd.PersistentFlags().StringVarP(&namespace, "namespace", "n", "d8-cni-cilium", "Namespace Cilium is running in")
+
+ cmd.AddCommand(
+ newCmdBgp(),
+diff --git a/sysdump/defaults.go b/sysdump/defaults.go
+index 0452cba0..231dc7c9 100644
+--- a/sysdump/defaults.go
++++ b/sysdump/defaults.go
+@@ -11,11 +11,11 @@ import (
+ )
+
+ const (
+- labelPrefix = "k8s-app="
++ labelPrefix = "app="
+ )
+
+ const (
+- DefaultCiliumLabelSelector = labelPrefix + "cilium"
++ DefaultCiliumLabelSelector = labelPrefix + "agent"
+ DefaultCiliumEnvoyLabelSelector = labelPrefix + "cilium-envoy"
+ DefaultCiliumOperatorLabelSelector = "io.cilium/app=operator"
+ DefaultClustermeshApiserverLabelSelector = labelPrefix + "clustermesh-apiserver"
+@@ -38,7 +38,7 @@ const (
+ DefaultQuick = false
+ DefaultOutputFileName = "cilium-sysdump-" // "" will be replaced with the timestamp
+ DefaultDetectGopsPID = false
+- DefaultCNIConfigDirectory = "/etc/cni/net.d/"
++ DefaultCNIConfigDirectory = "/host/etc/cni/net.d/"
+ DefaultCNIConfigMapName = "cni-configuration"
+ DefaultTetragonNamespace = "kube-system"
+ DefaultTetragonLabelSelector = "app.kubernetes.io/name=tetragon"
+@@ -60,9 +60,9 @@ var (
+
+ // DefaultCiliumNamespaces will be used to attempt to autodetect what namespace Cilium is installed in
+ // unless otherwise specified.
+- DefaultCiliumNamespaces = []string{"kube-system", "cilium"}
++ DefaultCiliumNamespaces = []string{"kube-system", "cilium", "d8-cni-cilium"}
+
+ // DefaultCiliumSPIRENamespaces will be used to attempt to autodetect what namespace Cilium SPIRE is installed in
+ // unless otherwise specified.
+- DefaultCiliumSPIRENamespaces = []string{"kube-system", "cilium", "cilium-spire"}
++ DefaultCiliumSPIRENamespaces = []string{"kube-system", "cilium", "cilium-spire", "d8-cni-cilium"}
+ )
+diff --git a/sysdump/sysdump.go b/sysdump/sysdump.go
+index ebe90e99..c279dbff 100644
+--- a/sysdump/sysdump.go
++++ b/sysdump/sysdump.go
+@@ -2471,7 +2471,7 @@ func detectCiliumNamespace(k KubernetesClient) (string, error) {
+ return "", fmt.Errorf("failed to detect Cilium namespace: %w", err)
+ }
+
+- _, err = k.GetDaemonSet(ctx, ns.Name, "cilium", metav1.GetOptions{})
++ _, err = k.GetDaemonSet(ctx, ns.Name, "agent", metav1.GetOptions{})
+ if errors.IsNotFound(err) {
+ continue
+ }
diff --git a/internal/cilium-cli/patches/002-cnp-for-conn-tests.patch b/internal/cilium-cli/patches/002-cnp-for-conn-tests.patch
new file mode 100644
index 0000000..c25b51c
--- /dev/null
+++ b/internal/cilium-cli/patches/002-cnp-for-conn-tests.patch
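Review bot: In the sysdump/defaults.go part of 001-defaults.patch, `DefaultCiliumOperatorLabelSelector` stays `"io.cilium/app=operator"` as a context line, while the same patch changes `OperatorPodSelector` in defaults/defaults.go to `"app=operator"`. If the operator pods in `d8-cni-cilium` carry only the `app=operator` label, as the defaults.go change suggests, `sysdump` would presumably select no operator pods and the dump would lack operator data when it is needed for incident analysis. Consider changing that line to `DefaultCiliumOperatorLabelSelector = labelPrefix + "operator"`. The `labelPrefix` change to `"app="` also rewrites the envoy and clustermesh-apiserver selectors visible in the same hunk, so those labels should be confirmed against the deployed manifests.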
@@ -0,0 +1,107 @@
+diff --git a/connectivity/manifests/client-egress-l7-tls.yaml b/connectivity/manifests/client-egress-l7-tls.yaml
+index 519045a8..5f8ce63c 100644
+--- a/connectivity/manifests/client-egress-l7-tls.yaml
++++ b/connectivity/manifests/client-egress-l7-tls.yaml
+@@ -15,6 +15,10 @@ specs:
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
++ - port: "5353"
++ protocol: UDP
++ - port: "5335"
++ protocol: TCP
+ rules:
+ dns:
+ - matchPattern: "*"
+diff --git a/connectivity/manifests/client-egress-only-dns.yaml b/connectivity/manifests/client-egress-only-dns.yaml
+index b8177270..6adec70f 100644
+--- a/connectivity/manifests/client-egress-only-dns.yaml
++++ b/connectivity/manifests/client-egress-only-dns.yaml
+@@ -13,6 +13,10 @@ spec:
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
++ - port: "5353"
++ protocol: UDP
++ - port: "5353"
++ protocol: TCP
+ rules:
+ dns:
+ - matchPattern: "*"
+diff --git a/connectivity/manifests/client-egress-to-cidr-k8s.yaml b/connectivity/manifests/client-egress-to-cidr-k8s.yaml
+index eb9f9080..42958412 100644
+--- a/connectivity/manifests/client-egress-to-cidr-k8s.yaml
++++ b/connectivity/manifests/client-egress-to-cidr-k8s.yaml
+@@ -17,3 +17,5 @@ spec:
+ - ports:
+ - port: "53"
+ protocol: ANY
++ - port: "5353"
++ protocol: ANY
+diff --git a/connectivity/manifests/client-egress-to-echo-knp.yaml b/connectivity/manifests/client-egress-to-echo-knp.yaml
+index 2723badb..6a26676e 100644
+--- a/connectivity/manifests/client-egress-to-echo-knp.yaml
++++ b/connectivity/manifests/client-egress-to-echo-knp.yaml
+@@ -21,6 +21,7 @@ spec:
+ - { key: 'io.kubernetes.pod.namespace', operator: In, values: [ "kube-system" ] }
+ ports:
+ - port: 53
++ - port: 5353
+ # protocol non specified corresponding to ANY in CNP
+ # When node-local-dns is deployed with local IP,
+ # Cilium labels its ip as world.
+diff --git a/connectivity/manifests/client-egress-to-echo.yaml b/connectivity/manifests/client-egress-to-echo.yaml
+index f4659870..82ca5332 100644
+--- a/connectivity/manifests/client-egress-to-echo.yaml
++++ b/connectivity/manifests/client-egress-to-echo.yaml
+@@ -21,6 +21,10 @@ spec:
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
++ - port: "5353"
++ protocol: UDP
++ - port: "5353"
++ protocol: TCP
+ toEndpoints:
+ - matchExpressions:
+ - { key: 'k8s-app', operator: In, values: [ "kube-dns", "coredns", "node-local-dns", "nodelocaldns" ] }
+diff --git a/connectivity/manifests/client-egress-to-entities-k8s.yaml b/connectivity/manifests/client-egress-to-entities-k8s.yaml
+index 5802cdcf..ef93dbb7 100644
+--- a/connectivity/manifests/client-egress-to-entities-k8s.yaml
++++ b/connectivity/manifests/client-egress-to-entities-k8s.yaml
+@@ -17,3 +17,5 @@ spec:
+ - ports:
+ - port: "53"
+ protocol: ANY
++ - port: "5353"
++ protocol: ANY
+diff --git a/connectivity/manifests/client-egress-to-entities-world.yaml b/connectivity/manifests/client-egress-to-entities-world.yaml
+index 48ed871d..30a0d21d 100644
+--- a/connectivity/manifests/client-egress-to-entities-world.yaml
++++ b/connectivity/manifests/client-egress-to-entities-world.yaml
+@@ -23,6 +23,10 @@ spec:
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
++ - port: "5353"
++ protocol: UDP
++ - port: "5353"
++ protocol: TCP
+ # When node-local-dns is deployed with local IP,
+ # Cilium labels its ip as world.
+ # This change prevents failing the connectivity +diff --git a/connectivity/manifests/client-egress-to-fqdns-one-one-one-one.yaml b/connectivity/manifests/client-egress-to-fqdns-one-one-one-one.yaml +index d6aecb1b..60222425 100644 +--- a/connectivity/manifests/client-egress-to-fqdns-one-one-one-one.yaml ++++ b/connectivity/manifests/client-egress-to-fqdns-one-one-one-one.yaml +@@ -23,6 +23,10 @@ spec: + protocol: UDP + - port: "53" + protocol: TCP ++ - port: "5353" ++ protocol: UDP ++ - port: "5353" ++ protocol: TCP + rules: + dns: + - matchPattern: "*" diff --git a/internal/cilium-cli/patches/README.md b/internal/cilium-cli/patches/README.md new file mode 100644 index 0000000..435fdce --- /dev/null +++ b/internal/cilium-cli/patches/README.md @@ -0,0 +1 @@ +# Patches From a7a98b5e7287f1f6618d1e09100702dc8fe26d42 Mon Sep 17 00:00:00 2001 From: Andrey Pavlov Date: Thu, 8 Aug 2024 23:19:59 +0500 Subject: [PATCH 2/9] [cilium] fix patches Signed-off-by: Andrey Pavlov --- Taskfile.yml | 2 +- .../patches => patches/cilium-cli}/001-defaults.patch | 0 .../patches => patches/cilium-cli}/002-cnp-for-conn-tests.patch | 0 {internal/cilium-cli/patches => patches/cilium-cli}/README.md | 0 4 files changed, 1 insertion(+), 1 deletion(-) rename {internal/cilium-cli/patches => patches/cilium-cli}/001-defaults.patch (100%) rename {internal/cilium-cli/patches => patches/cilium-cli}/002-cnp-for-conn-tests.patch (100%) rename {internal/cilium-cli/patches => patches/cilium-cli}/README.md (100%) diff --git a/Taskfile.yml b/Taskfile.yml index d59ae1b..d0bb5a8 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -263,7 +263,7 @@ tasks: desc: Patch cilium-cli cmds: - cd internal/cilium-cli - - find /patches -name '*.patch' | xargs git apply --verbose --allow-empty + - find /patches/cilium-cli -name '*.patch' | xargs git apply --verbose --allow-empty _cilium:gomod-replace: desc: Add replace to go.mod 
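Review bot: In the client-egress-l7-tls.yaml part of 002-cnp-for-conn-tests.patch the added TCP entry is `- port: "5335"`, while the UDP entry above it and every other manifest in this patch use `5353`; this looks like a transposed digit. As written, that policy opens TCP 5335 and leaves TCP 5353 closed, so a DNS lookup over TCP to port 5353 in that test would presumably be dropped while an unrelated port is allowed. Change the line to `- port: "5353"`.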
diff --git a/internal/cilium-cli/patches/001-defaults.patch b/patches/cilium-cli/001-defaults.patch similarity index 100% rename from internal/cilium-cli/patches/001-defaults.patch rename to patches/cilium-cli/001-defaults.patch diff --git a/internal/cilium-cli/patches/002-cnp-for-conn-tests.patch b/patches/cilium-cli/002-cnp-for-conn-tests.patch similarity index 100% rename from internal/cilium-cli/patches/002-cnp-for-conn-tests.patch rename to patches/cilium-cli/002-cnp-for-conn-tests.patch diff --git a/internal/cilium-cli/patches/README.md b/patches/cilium-cli/README.md similarity index 100% rename from internal/cilium-cli/patches/README.md rename to patches/cilium-cli/README.md From 1520b35d878d1e352ee50d9e417e40b646d6d76d Mon Sep 17 00:00:00 2001 From: Andrey Pavlov Date: Thu, 8 Aug 2024 23:26:00 +0500 Subject: [PATCH 3/9] [cilium] fix patches Signed-off-by: Andrey Pavlov --- Taskfile.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Taskfile.yml b/Taskfile.yml index d0bb5a8..bbe6466 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -263,7 +263,7 @@ tasks: desc: Patch cilium-cli cmds: - cd internal/cilium-cli - - find /patches/cilium-cli -name '*.patch' | xargs git apply --verbose --allow-empty + - find ../../patches/cilium-cli -name '*.patch' | xargs git apply --verbose --allow-empty _cilium:gomod-replace: desc: Add replace to go.mod From 83574676a71a7e869dd8185b527736f2428abd2c Mon Sep 17 00:00:00 2001 From: Andrey Pavlov Date: Thu, 8 Aug 2024 23:47:28 +0500 Subject: [PATCH 4/9] [cilium] fix tasks Signed-off-by: Andrey Pavlov --- Taskfile.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Taskfile.yml b/Taskfile.yml index bbe6466..f2ef12a 100644 --- a/Taskfile.yml +++ b/Taskfile.yml 
@@ -261,14 +261,15 @@ tasks: _cilium:patch: desc: Patch cilium-cli + dir: internal/cilium-cli cmds: - - cd internal/cilium-cli - - find ../../patches/cilium-cli -name '*.patch' | xargs git apply --verbose --allow-empty + - find ../../patches/cilium-cli -name '*.patch' | xargs git apply --verbose _cilium:gomod-replace: desc: Add replace to go.mod cmds: - - go mod edit -replace github.com/cilium/cilium-cli=internal/cilium-cli + - go mod edit -replace github.com/cilium/cilium-cli=./internal/cilium-cli + - go mod tidy _cilium:original-build: desc: Build cilium-cli From 9afcae729309cf21c6a4107edcc86e197c957f4a Mon Sep 17 00:00:00 2001 From: Andrey Pavlov Date: Fri, 9 Aug 2024 21:21:03 +0500 Subject: [PATCH 5/9] [cilium] add patch Signed-off-by: Andrey Pavlov --- Taskfile.yml | 16 ++-- .../003-removing-dangerous-commands.patch | 84 +++++++++++++++++++ 2 files changed, 94 insertions(+), 6 deletions(-) create mode 100644 patches/cilium-cli/003-removing-dangerous-commands.patch diff --git a/Taskfile.yml b/Taskfile.yml index f2ef12a..3e1716c 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -34,7 +34,7 @@ vars: echo "${ldflags[*]-}" - ciliumCLIVersion: v0.15.22 + ciliumCLIVersion: "0.15.22" cgoTags: "dfrunsecurity dfrunnetwork dfrunmount dfssh containers_image_openpgp osusergo exclude_graphdriver_devicemapper netgo no_devmapper static_build cni" goTags: "dfrunsecurity dfrunnetwork dfrunmount dfssh containers_image_openpgp" 
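Review bot: `find ../../patches/cilium-cli -name '*.patch' | xargs git apply --verbose` in `_cilium:patch` hands the patches to git in whatever order `find` returns them, which is directory order and not the numeric order the file names imply. Later patches in this series build on earlier ones (003 starts from the cmd.go blob that 001 produces, `index a04fccb7`), so the result depends on the filesystem. Sort the list: `- find ../../patches/cilium-cli -name '*.patch' | sort | xargs git apply --verbose`. The `go mod tidy` added to `_cilium:gomod-replace` also rewrites go.mod and go.sum during the build, so the committed files no longer describe what was compiled; committing the `replace` line together with the tidied go.sum would keep the dependency set reviewable.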
@@ -42,8 +42,8 @@ vars: cgoDevLDFlags: "-linkmode external -extldflags=-static" goDevLDFlags: "" - cgoReleaseLDFlags: "-linkmode external -extldflags=-static -s -w -X 'github.com/deckhouse/deckhouse-cli/cmd.Version={{ .version }}' -X 'github.com/cilium/cilium-cli/cli.Version={{ .ciliumCLIVersion }}' -X github.com/werf/werf/pkg/werf.Version={{ .version }} {{ .kubectlLDFlags }}" - goReleaseLDFlags: "-s -w -X 'github.com/deckhouse/deckhouse-cli/cmd.Version={{ .version }}' -X 'github.com/cilium/cilium-cli/cli.Version={{ .ciliumCLIVersion }}' -X github.com/werf/werf/pkg/werf.Version={{ .version }} {{ .kubectlLDFlags }}" + cgoReleaseLDFlags: "-linkmode external -extldflags=-static -s -w -X 'github.com/deckhouse/deckhouse-cli/cmd.Version={{ .version }}' -X 'github.com/cilium/cilium-cli/cli.Version=v{{ .ciliumCLIVersion }}' -X github.com/werf/werf/pkg/werf.Version={{ .version }} {{ .kubectlLDFlags }}" + goReleaseLDFlags: "-s -w -X 'github.com/deckhouse/deckhouse-cli/cmd.Version={{ .version }}' -X 'github.com/cilium/cilium-cli/cli.Version=v{{ .ciliumCLIVersion }}' -X github.com/werf/werf/pkg/werf.Version={{ .version }} {{ .kubectlLDFlags }}" tasks: _build:cgo:dev: @@ -254,9 +254,8 @@ tasks: desc: Clone cilium-cli cmds: - mkdir -p internal/cilium-cli - - git clone --depth 1 --branch v{{ .CILIUM_CLI_VERSION }} {{ .SOURCE_REPO }}/cilium/cilium-cli.git internal/cilium-cli + - git clone --depth 1 --branch v{{ .ciliumCLIVersion }} {{ .SOURCE_REPO }}/cilium/cilium-cli.git internal/cilium-cli vars: - CILIUM_CLI_VERSION: "0.15.22" SOURCE_REPO: "https://github.com" _cilium:patch: @@ -273,10 +272,15 @@ tasks: _cilium:original-build: desc: Build cilium-cli + dir: internal/cilium-cli cmds: - - cd internal/cilium-cli - make install + _cilium:clean: + desc: Clean cilium dir + cmds: + - rm -rf internal/cilium-cli + build-d8-w-cilium: desc: Build and package all d8 binaries cmds: 
diff --git a/patches/cilium-cli/003-removing-dangerous-commands.patch b/patches/cilium-cli/003-removing-dangerous-commands.patch
new file mode 100644
index 0000000..a1acf29
--- /dev/null
+++ b/patches/cilium-cli/003-removing-dangerous-commands.patch
@@ -0,0 +1,84 @@
+diff --git a/internal/cli/cmd/cmd.go b/internal/cli/cmd/cmd.go
+index a04fccb7..8062bc6c 100644
+--- a/internal/cli/cmd/cmd.go
++++ b/internal/cli/cmd/cmd.go
+@@ -9,7 +9,6 @@ import (
+
+ "github.com/spf13/cobra"
+
+- "github.com/cilium/cilium-cli/internal/utils"
+ "github.com/cilium/cilium-cli/k8s"
+ )
+
+@@ -79,7 +78,6 @@ cilium connectivity test`,
+
+ cmd.AddCommand(
+ newCmdBgp(),
+- newCmdClusterMesh(),
+ newCmdConfig(),
+ newCmdConnectivity(hooks),
+ newCmdContext(),
+@@ -89,19 +87,6 @@ cilium connectivity test`,
+ newCmdSysdump(hooks),
+ newCmdVersion(),
+ )
+- if utils.IsInHelmMode() {
+- cmd.AddCommand(
+- newCmdInstallWithHelm(),
+- newCmdUninstallWithHelm(),
+- newCmdUpgradeWithHelm(),
+- )
+- } else {
+- cmd.AddCommand(
+- newCmdInstall(),
+- newCmdUninstall(),
+- newCmdUpgrade(),
+- )
+- }
+
+ cmd.SetOut(os.Stdout)
+ cmd.SetErr(os.Stderr)
+diff --git a/internal/cli/cmd/config.go b/internal/cli/cmd/config.go
+index 0920554c..9808bef6 100644
+--- a/internal/cli/cmd/config.go
++++ b/internal/cli/cmd/config.go
+@@ -22,8 +22,6 @@ func newCmdConfig() *cobra.Command {
+
+ cmd.AddCommand(
+ newCmdConfigView(),
+- newCmdConfigSet(),
+- newCmdConfigDelete(),
+ )
+
+ return cmd
+diff --git a/internal/cli/cmd/hubble.go b/internal/cli/cmd/hubble.go
+index d9f228df..d13a6402 100644
+--- a/internal/cli/cmd/hubble.go
++++ b/internal/cli/cmd/hubble.go
+@@ -9,7 +9,6 @@ import (
+
+ "github.com/cilium/cilium-cli/defaults"
+ "github.com/cilium/cilium-cli/hubble"
+- "github.com/cilium/cilium-cli/internal/utils"
+
+ "github.com/spf13/cobra"
+ )
+@@ -25,17 +24,7 @@ func newCmdHubble() *cobra.Command {
+ newCmdPortForwardCommand(),
+ newCmdUI(),
+ )
+- if utils.IsInHelmMode() {
+- cmd.AddCommand(
+- newCmdHubbleEnableWithHelm(),
+- newCmdHubbleDisableWithHelm(),
+- )
+- } else {
+- cmd.AddCommand(
+- newCmdHubbleEnable(),
+- newCmdHubbleDisable(),
+- )
+- }
++
+ return cmd
+ }
+
From 10264fd4a209e5ee78fdc2637e77f5e7ab063506 Mon Sep 17 00:00:00 2001
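Review bot: 003-removing-dangerous-commands.patch removes the mutating commands only by deleting their `AddCommand` registrations in the patched tree, and nothing in the d8 repository checks the result. If a patch is skipped or a future cilium-cli bump registers `install`, `uninstall`, `upgrade`, `clustermesh`, `config set`/`config delete` or `hubble enable`/`hubble disable` somewhere else, the binary would ship them again without any signal. A small test in package `cmd` that walks the `cilium` subcommand tree under `rootCmd` and fails when any of those names is present would pin the intended command surface. The command-building functions in cmd.go and hubble.go start and end outside the inner hunks, so the full list of remaining subcommands is not visible here.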
From: Andrey Pavlov
Date: Thu, 15 Aug 2024 22:47:54 +0500
Subject: [PATCH 6/9] [cilium] add patch
Signed-off-by: Andrey Pavlov
---
 patches/cilium-cli/004-tolerations.patch | 28 ++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 patches/cilium-cli/004-tolerations.patch
diff --git a/patches/cilium-cli/004-tolerations.patch b/patches/cilium-cli/004-tolerations.patch
new file mode 100644
index 0000000..e297092
--- /dev/null
+++ b/patches/cilium-cli/004-tolerations.patch
@@ -0,0 +1,28 @@
+diff --git a/connectivity/check/deployment.go b/connectivity/check/deployment.go
+index 128bf772..259f0205 100644
+--- a/connectivity/check/deployment.go
++++ b/connectivity/check/deployment.go
+@@ -120,6 +120,11 @@ func newDeployment(p deploymentParameters) *appsv1.Deployment {
+ if p.Replicas == 0 {
+ p.Replicas = 1
+ }
++ if p.Tolerations == nil || len(p.Tolerations) == 0 {
++ p.Tolerations = []corev1.Toleration{
++ {Operator: corev1.TolerationOpExists},
++ }
++ }
+ replicas32 := int32(p.Replicas)
+ dep := &appsv1.Deployment{
+ ObjectMeta: metav1.ObjectMeta{
+@@ -243,6 +248,11 @@ type daemonSetParameters struct {
+ }
+
+ func newDaemonSet(p daemonSetParameters) *appsv1.DaemonSet {
++ if p.Tolerations == nil || len(p.Tolerations) == 0 {
++ p.Tolerations = []corev1.Toleration{
++ {Operator: corev1.TolerationOpExists},
++ }
++ }
+ ds := &appsv1.DaemonSet{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: p.Name,
From 6de9b10c84f2f63f39c45c99dbec9ac892b898ee Mon Sep 17 00:00:00 2001
From: Andrey Pavlov
Date: Thu, 22 Aug 2024 20:54:29 +0500
Subject: [PATCH 7/9] [cilium] add patch
Signed-off-by: Andrey Pavlov
---
 patches/cilium-cli/005-to-fqdns.patch | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 patches/cilium-cli/005-to-fqdns.patch
diff --git a/patches/cilium-cli/005-to-fqdns.patch b/patches/cilium-cli/005-to-fqdns.patch
new file mode 100644
index 0000000..fc897e9
--- /dev/null
+++ b/patches/cilium-cli/005-to-fqdns.patch
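Review bot: The default added to `newDeployment` and `newDaemonSet` in 004-tolerations.patch is a toleration with only `Operator: corev1.TolerationOpExists`, which matches every taint and effect, so connectivity-test pods may be scheduled onto control-plane or otherwise dedicated nodes that were tainted to keep ordinary workloads off. If the aim is only to reach specific tainted workers, list those taint keys or make the blanket toleration an explicit opt-in on `deploymentParameters`/`daemonSetParameters`. Separately, `p.Tolerations == nil || len(p.Tolerations) == 0` is redundant because `len` of a nil slice is 0; `if len(p.Tolerations) == 0 {` is enough. Both function bodies continue outside the inner hunks.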
@@ -0,0 +1,13 @@
+diff --git a/connectivity/manifests/client-egress-to-fqdns-one-one-one-one.yaml b/connectivity/manifests/client-egress-to-fqdns-one-one-one-one.yaml
+index 60222425..f242a1f8 100644
+--- a/connectivity/manifests/client-egress-to-fqdns-one-one-one-one.yaml
++++ b/connectivity/manifests/client-egress-to-fqdns-one-one-one-one.yaml
+@@ -1,7 +1,7 @@
+ apiVersion: cilium.io/v2
+ kind: CiliumNetworkPolicy
+ metadata:
+- name: client-egress-to-fqdns-{{.ExternalTarget}}
++ name: client-egress-to-fqdns-{{.ExternalTarget}}-z
+ spec:
+ endpointSelector:
+ matchLabels:
From 1cc2068cc8be9506ed29ed9df52aeaee87f6ba31 Mon Sep 17 00:00:00 2001
From: Andrey Pavlov
Date: Thu, 22 Aug 2024 22:29:34 +0500
Subject: [PATCH 8/9] [cilium] fix patch
Signed-off-by: Andrey Pavlov
---
 patches/cilium-cli/005-to-fqdns.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/patches/cilium-cli/005-to-fqdns.patch b/patches/cilium-cli/005-to-fqdns.patch
index fc897e9..c09a3bd 100644
--- a/patches/cilium-cli/005-to-fqdns.patch
+++ b/patches/cilium-cli/005-to-fqdns.patch
@@ -7,7 +7,7 @@ index 60222425..f242a1f8 100644
 kind: CiliumNetworkPolicy
 metadata:
 - name: client-egress-to-fqdns-{{.ExternalTarget}}
-+ name: client-egress-to-fqdns-{{.ExternalTarget}}-z
++ name: client-egress-to-fqdns-{{.ExternalTarget}}zzz
 spec:
 endpointSelector:
 matchLabels:
From 428de13f166cdd8279d40ffcc8aea66a9c12d6bb Mon Sep 17 00:00:00 2001
From: Andrey Pavlov
Date: Wed, 28 Aug 2024 17:41:46 +0500
Subject: [PATCH 9/9] [cilium] fix patch
Signed-off-by: Andrey Pavlov
---
 patches/cilium-cli/006-to-fqdns-2.patch | 32 +++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 patches/cilium-cli/006-to-fqdns-2.patch
diff --git a/patches/cilium-cli/006-to-fqdns-2.patch b/patches/cilium-cli/006-to-fqdns-2.patch
new file mode 100644
index 0000000..5a51b39
--- /dev/null
+++ b/patches/cilium-cli/006-to-fqdns-2.patch
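Review bot: The suffix appended to `metadata.name` in 005-to-fqdns.patch (`-z` in the first version, `zzz` in the follow-up) is explained nowhere in the series, and the patches README holds only a heading. Presumably it keeps the rendered object name valid when `{{.ExternalTarget}}` ends with a dot, which would fit the trailing-dot change in 006, but that is a guess from the visible lines. Add one line of description to the patch or to the README stating why the suffix is needed and what breaks without it, so a later cilium-cli bump does not drop or re-break it.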
@@ -0,0 +1,32 @@
+diff --git a/connectivity/suite.go b/connectivity/suite.go
+index dbccd881..8e976089 100644
+--- a/connectivity/suite.go
++++ b/connectivity/suite.go
+@@ -1163,12 +1163,12 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, extra Hooks) error {
+ tests.PodToWorld2(), // resolves cilium.io
+ ).
+ WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+- if a.Destination().Address(features.IPFamilyAny) == "cilium.io" {
++ if a.Destination().Address(features.IPFamilyAny) == "cilium.io." {
+ if a.Destination().Path() == "/" || a.Destination().Path() == "" {
+ egress = check.ResultDNSOK
+ egress.HTTP = check.HTTP{
+ Method: "GET",
+- URL: "https://cilium.io",
++ URL: "https://cilium.io.",
+ }
+ // Expect packets for cilium.io / 104.198.14.52 to be dropped.
+ return check.ResultDropCurlTimeout, check.ResultNone
+diff --git a/connectivity/tests/world.go b/connectivity/tests/world.go
+index 3da51983..23be7214 100644
+--- a/connectivity/tests/world.go
++++ b/connectivity/tests/world.go
+@@ -86,7 +86,7 @@ func (s *podToWorld2) Name() string {
+ }
+
+ func (s *podToWorld2) Run(ctx context.Context, t *check.Test) {
+- https := check.HTTPEndpoint("cilium-io-https", "https://cilium.io")
++ https := check.HTTPEndpoint("cilium-io-https", "https://cilium.io.")
+
+ fp := check.FlowParameters{
+ DNSRequired: true,
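Review bot: The expectation in connectivity/suite.go matches by exact string, `a.Destination().Address(features.IPFamilyAny) == "cilium.io."`, against the endpoint literal set in connectivity/tests/world.go, so the test keeps its meaning only while both files carry the identical spelling; if they drift, the `if` stops matching and the action falls through to whatever the code outside this hunk returns. The patch also leaves the comments `// resolves cilium.io` and `// Expect packets for cilium.io / 104.198.14.52 to be dropped.` on the old spelling. State in the patch description why the absolute form with the trailing dot is needed, and confirm that the policy rendered for this test, which is not shown here, matches `cilium.io.` as well. `Run` in both files starts and ends outside the inner hunks.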