Merge branch 'projectcalico:master' into master

Behnam-Shobiri · Jun 13, 2024 · 70ee078 · 70ee078
2 parents 07131cb + 9ed6c3e
commit 70ee078
Show file tree

Hide file tree

Showing 90 changed files with 19,868 additions and 712 deletions.
diff --git a/.semaphore/semaphore-scheduled-builds.yml b/.semaphore/semaphore-scheduled-builds.yml
@@ -194,58 +194,46 @@ blocks:
 
 - name: "cni-plugin: Windows"
   run:
-    when: "true or change_in(['/*', '/cni-plugin/', '/libcalico-go/', '/process/testing/winfv/'], {exclude: ['/**/.gitignore', '/**/README.md', '/**/LICENSE']})"
+    when: "true or change_in(['/*', '/cni-plugin/', '/libcalico-go/', '/process/testing/winfv-cni-plugin/'], {exclude: ['/**/.gitignore', '/**/README.md', '/**/LICENSE']})"
   dependencies:
     - cni-plugin
   task:
     secrets:
-      - name: banzai-secrets
-      - name: private-repo
+      - name: azure-dev-ci
     prologue:
       commands:
-        # Load the github access secrets.  First fix the permissions.
-        - chmod 0600 ~/.keys/*
-        - ssh-add ~/.keys/*
-        # Prepare aws configuration.
-        - pip install --upgrade --user awscli
-        - export REPORT_DIR=~/report
+        # Prepare azure configuration.
+        - az login --service-principal -u "${AZ_USER}" -p "${AZ_PASS}" --tenant "${AZ_TENANT}" --output none
+        - export AZURE_SUBSCRIPTION_ID=$AZ_SUBSCRIPTION_ID
+        - export AZURE_TENANT_ID=$AZ_TENANT
+        - export AZURE_CLIENT_ID=$AZ_USER
+        - export AZURE_CLIENT_SECRET=$AZ_PASS
+        - export REPORT_DIR=/home/semaphore/calico/process/testing/winfv-cni-plugin/report
         - export LOGS_DIR=~/fv.log
         - export SHORT_WORKFLOW_ID=$(echo ${SEMAPHORE_WORKFLOW_ID} | sha256sum | cut -c -8)
-        - export CLUSTER_NAME=sem-${SEMAPHORE_PROJECT_NAME}-pr${SEMAPHORE_GIT_PR_NUMBER}-${CONTAINER_RUNTIME}-${SHORT_WORKFLOW_ID}
-        - export KEYPAIR_NAME=${CLUSTER_NAME}
-        - echo CLUSTER_NAME=${CLUSTER_NAME}
-        - sudo apt-get install -y putty-tools
+        - export CLUSTER_NAME=sem-${SEMAPHORE_PROJECT_NAME}-pr${SEMAPHORE_GIT_PR_NUMBER}-${SHORT_WORKFLOW_ID}
+        - export SUFFIX=${CLUSTER_NAME}
         - cd cni-plugin
         - ../.semaphore/run-and-monitor build.log make bin/windows/calico.exe bin/windows/calico-ipam.exe bin/windows/win-fv.exe
     epilogue:
       always:
         commands:
           - artifact push job ${REPORT_DIR} --destination semaphore/test-results --expire-in ${SEMAPHORE_ARTIFACT_EXPIRY} || true
           - artifact push job ${LOGS_DIR} --destination semaphore/logs --expire-in ${SEMAPHORE_ARTIFACT_EXPIRY} || true
-          - aws ec2 delete-key-pair --key-name ${KEYPAIR_NAME} || true
-          - cd ~/calico/process/testing/winfv && NAME_PREFIX="${CLUSTER_NAME}" ./setup-fv.sh -q -u
+          - cd ~/calico/process/testing/winfv-cni-plugin/aso && make dist-clean
     env_vars:
       - name: SEMAPHORE_ARTIFACT_EXPIRY
         value: 2w
-      - name: AWS_DEFAULT_REGION
-        value: us-west-2
-      - name: MASTER_CONNECT_KEY_PUB
-        value: master_ssh_key.pub
-      - name: MASTER_CONNECT_KEY
-        value: master_ssh_key
-      - name: WIN_PPK_KEY
-        value: win_ppk_key
+      - name: AZURE_LOCATION
+        value: eastus2
+      - name: KUBE_VERSION
+        value: v1.29.4
     jobs:
       - name: Containerd - Windows FV
         execution_time_limit:
-          minutes: 120
+          minutes: 60
         commands:
           - ../.semaphore/run-and-monitor win-fv-containerd.log ./.semaphore/run-win-fv.sh
-        env_vars:
-          - name: CONTAINER_RUNTIME
-            value: containerd
-          - name: CONTAINERD_VERSION
-            value: 1.6.22
 - name: confd
   run:
     when: "true or change_in(['/*', '/api/', '/libcalico-go/', '/confd/', '/hack/test/certs/'], {exclude: ['/**/.gitignore', '/**/README.md', '/**/LICENSE']})"

diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
@@ -194,58 +194,46 @@ blocks:
 
 - name: "cni-plugin: Windows"
   run:
-    when: "false or change_in(['/*', '/cni-plugin/', '/libcalico-go/', '/process/testing/winfv/'], {exclude: ['/**/.gitignore', '/**/README.md', '/**/LICENSE']})"
+    when: "false or change_in(['/*', '/cni-plugin/', '/libcalico-go/', '/process/testing/winfv-cni-plugin/'], {exclude: ['/**/.gitignore', '/**/README.md', '/**/LICENSE']})"
   dependencies:
     - cni-plugin
   task:
     secrets:
-      - name: banzai-secrets
-      - name: private-repo
+      - name: azure-dev-ci
     prologue:
       commands:
-        # Load the github access secrets.  First fix the permissions.
-        - chmod 0600 ~/.keys/*
-        - ssh-add ~/.keys/*
-        # Prepare aws configuration.
-        - pip install --upgrade --user awscli
-        - export REPORT_DIR=~/report
+        # Prepare azure configuration.
+        - az login --service-principal -u "${AZ_USER}" -p "${AZ_PASS}" --tenant "${AZ_TENANT}" --output none
+        - export AZURE_SUBSCRIPTION_ID=$AZ_SUBSCRIPTION_ID
+        - export AZURE_TENANT_ID=$AZ_TENANT
+        - export AZURE_CLIENT_ID=$AZ_USER
+        - export AZURE_CLIENT_SECRET=$AZ_PASS
+        - export REPORT_DIR=/home/semaphore/calico/process/testing/winfv-cni-plugin/report
         - export LOGS_DIR=~/fv.log
         - export SHORT_WORKFLOW_ID=$(echo ${SEMAPHORE_WORKFLOW_ID} | sha256sum | cut -c -8)
-        - export CLUSTER_NAME=sem-${SEMAPHORE_PROJECT_NAME}-pr${SEMAPHORE_GIT_PR_NUMBER}-${CONTAINER_RUNTIME}-${SHORT_WORKFLOW_ID}
-        - export KEYPAIR_NAME=${CLUSTER_NAME}
-        - echo CLUSTER_NAME=${CLUSTER_NAME}
-        - sudo apt-get install -y putty-tools
+        - export CLUSTER_NAME=sem-${SEMAPHORE_PROJECT_NAME}-pr${SEMAPHORE_GIT_PR_NUMBER}-${SHORT_WORKFLOW_ID}
+        - export SUFFIX=${CLUSTER_NAME}
         - cd cni-plugin
         - ../.semaphore/run-and-monitor build.log make bin/windows/calico.exe bin/windows/calico-ipam.exe bin/windows/win-fv.exe
     epilogue:
       always:
         commands:
           - artifact push job ${REPORT_DIR} --destination semaphore/test-results --expire-in ${SEMAPHORE_ARTIFACT_EXPIRY} || true
           - artifact push job ${LOGS_DIR} --destination semaphore/logs --expire-in ${SEMAPHORE_ARTIFACT_EXPIRY} || true
-          - aws ec2 delete-key-pair --key-name ${KEYPAIR_NAME} || true
-          - cd ~/calico/process/testing/winfv && NAME_PREFIX="${CLUSTER_NAME}" ./setup-fv.sh -q -u
+          - cd ~/calico/process/testing/winfv-cni-plugin/aso && make dist-clean
     env_vars:
       - name: SEMAPHORE_ARTIFACT_EXPIRY
         value: 2w
-      - name: AWS_DEFAULT_REGION
-        value: us-west-2
-      - name: MASTER_CONNECT_KEY_PUB
-        value: master_ssh_key.pub
-      - name: MASTER_CONNECT_KEY
-        value: master_ssh_key
-      - name: WIN_PPK_KEY
-        value: win_ppk_key
+      - name: AZURE_LOCATION
+        value: eastus2
+      - name: KUBE_VERSION
+        value: v1.29.4
     jobs:
       - name: Containerd - Windows FV
         execution_time_limit:
-          minutes: 120
+          minutes: 60
         commands:
           - ../.semaphore/run-and-monitor win-fv-containerd.log ./.semaphore/run-win-fv.sh
-        env_vars:
-          - name: CONTAINER_RUNTIME
-            value: containerd
-          - name: CONTAINERD_VERSION
-            value: 1.6.22
 - name: confd
   run:
     when: "false or change_in(['/*', '/api/', '/libcalico-go/', '/confd/', '/hack/test/certs/'], {exclude: ['/**/.gitignore', '/**/README.md', '/**/LICENSE']})"

diff --git a/.semaphore/semaphore.yml.d/blocks/20-cni-plugin.yml b/.semaphore/semaphore.yml.d/blocks/20-cni-plugin.yml
@@ -17,55 +17,43 @@
 
 - name: "cni-plugin: Windows"
   run:
-    when: "${FORCE_RUN} or change_in(['/*', '/cni-plugin/', '/libcalico-go/', '/process/testing/winfv/'], {exclude: ['/**/.gitignore', '/**/README.md', '/**/LICENSE']})"
+    when: "${FORCE_RUN} or change_in(['/*', '/cni-plugin/', '/libcalico-go/', '/process/testing/winfv-cni-plugin/'], {exclude: ['/**/.gitignore', '/**/README.md', '/**/LICENSE']})"
   dependencies:
     - cni-plugin
   task:
     secrets:
-      - name: banzai-secrets
-      - name: private-repo
+      - name: azure-dev-ci
     prologue:
       commands:
-        # Load the github access secrets.  First fix the permissions.
-        - chmod 0600 ~/.keys/*
-        - ssh-add ~/.keys/*
-        # Prepare aws configuration.
-        - pip install --upgrade --user awscli
-        - export REPORT_DIR=~/report
+        # Prepare azure configuration.
+        - az login --service-principal -u "${AZ_USER}" -p "${AZ_PASS}" --tenant "${AZ_TENANT}" --output none
+        - export AZURE_SUBSCRIPTION_ID=$AZ_SUBSCRIPTION_ID
+        - export AZURE_TENANT_ID=$AZ_TENANT
+        - export AZURE_CLIENT_ID=$AZ_USER
+        - export AZURE_CLIENT_SECRET=$AZ_PASS
+        - export REPORT_DIR=/home/semaphore/calico/process/testing/winfv-cni-plugin/report
         - export LOGS_DIR=~/fv.log
         - export SHORT_WORKFLOW_ID=$(echo ${SEMAPHORE_WORKFLOW_ID} | sha256sum | cut -c -8)
-        - export CLUSTER_NAME=sem-${SEMAPHORE_PROJECT_NAME}-pr${SEMAPHORE_GIT_PR_NUMBER}-${CONTAINER_RUNTIME}-${SHORT_WORKFLOW_ID}
-        - export KEYPAIR_NAME=${CLUSTER_NAME}
-        - echo CLUSTER_NAME=${CLUSTER_NAME}
-        - sudo apt-get install -y putty-tools
+        - export CLUSTER_NAME=sem-${SEMAPHORE_PROJECT_NAME}-pr${SEMAPHORE_GIT_PR_NUMBER}-${SHORT_WORKFLOW_ID}
+        - export SUFFIX=${CLUSTER_NAME}
         - cd cni-plugin
         - ../.semaphore/run-and-monitor build.log make bin/windows/calico.exe bin/windows/calico-ipam.exe bin/windows/win-fv.exe
     epilogue:
       always:
         commands:
           - artifact push job ${REPORT_DIR} --destination semaphore/test-results --expire-in ${SEMAPHORE_ARTIFACT_EXPIRY} || true
           - artifact push job ${LOGS_DIR} --destination semaphore/logs --expire-in ${SEMAPHORE_ARTIFACT_EXPIRY} || true
-          - aws ec2 delete-key-pair --key-name ${KEYPAIR_NAME} || true
-          - cd ~/calico/process/testing/winfv && NAME_PREFIX="${CLUSTER_NAME}" ./setup-fv.sh -q -u
+          - cd ~/calico/process/testing/winfv-cni-plugin/aso && make dist-clean
     env_vars:
       - name: SEMAPHORE_ARTIFACT_EXPIRY
         value: 2w
-      - name: AWS_DEFAULT_REGION
-        value: us-west-2
-      - name: MASTER_CONNECT_KEY_PUB
-        value: master_ssh_key.pub
-      - name: MASTER_CONNECT_KEY
-        value: master_ssh_key
-      - name: WIN_PPK_KEY
-        value: win_ppk_key
+      - name: AZURE_LOCATION
+        value: eastus2
+      - name: KUBE_VERSION
+        value: v1.29.4
     jobs:
       - name: Containerd - Windows FV
         execution_time_limit:
-          minutes: 120
+          minutes: 60
         commands:
           - ../.semaphore/run-and-monitor win-fv-containerd.log ./.semaphore/run-win-fv.sh
-        env_vars:
-          - name: CONTAINER_RUNTIME
-            value: containerd
-          - name: CONTAINERD_VERSION
-            value: 1.6.22
diff --git a/api/pkg/apis/projectcalico/v3/felixconfig.go b/api/pkg/apis/projectcalico/v3/felixconfig.go
@@ -344,20 +344,20 @@ type FelixConfigurationSpec struct {
 	// PrometheusWireGuardMetricsEnabled disables wireguard metrics collection, which the Prometheus client does by default, when
 	// set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]
 	PrometheusWireGuardMetricsEnabled *bool `json:"prometheusWireGuardMetricsEnabled,omitempty"`
-
-	// FailsafeInboundHostPorts is a list of UDP/TCP ports and CIDRs that Felix will allow incoming traffic to host endpoints
-	// on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration.
-	// For back-compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow
-	// traffic from all addresses. To disable all inbound host ports, use the value none. The default value allows ssh access
-	// and DHCP.
-	// [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]
+	// FailsafeInboundHostPorts is a list of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will
+	// allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally
+	// cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified,
+	// it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports,
+	// use the value "[]". The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API.
+	// [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ]
 	FailsafeInboundHostPorts *[]ProtoPort `json:"failsafeInboundHostPorts,omitempty"`
-	// FailsafeOutboundHostPorts is a list of UDP/TCP ports and CIDRs that Felix will allow outgoing traffic from host endpoints
-	// to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration.
-	// For back-compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow
-	// traffic from all addresses. To disable all outbound host ports, use the value none. The default value opens etcd's standard
-	// ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP and DNS.
-	// [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, udp:53, udp:67]
+	// FailsafeOutboundHostPorts is a list of List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix
+	// will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally
+	// cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults
+	// to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports,
+	// use the value "[]". The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd
+	// as well as allowing DHCP, DNS, BGP and the Kubernetes API.
+	// [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ]
 	FailsafeOutboundHostPorts *[]ProtoPort `json:"failsafeOutboundHostPorts,omitempty"`
 
 	// KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode.

diff --git a/api/pkg/lib/numorstring/protocol.go b/api/pkg/lib/numorstring/protocol.go
@@ -119,7 +119,7 @@ func (p Protocol) NumValue() (uint8, error) {
 	return (Uint8OrString)(p).NumValue()
 }
 
-// SupportsPorts returns whether this protocol supports ports.  This returns true if
+// SupportsProtocols returns whether this protocol supports ports.  This returns true if
 // the numerical or string version of the protocol indicates TCP (6), UDP (17), or SCTP (132).
 func (p Protocol) SupportsPorts() bool {
 	num, err := p.NumValue()

diff --git a/api/pkg/openapi/openapi_generated.go b/api/pkg/openapi/openapi_generated.go
diff --git a/apiserver/cmd/apiserver/server/server.go b/apiserver/cmd/apiserver/server/server.go
@@ -54,6 +54,7 @@ func logrusLevel() logrus.Level {
 	return logrus.ErrorLevel
 }
 
+// NewCommandStartMaster provides a CLI handler for 'start master' command
 func NewCommandStartCalicoServer(out io.Writer) (*cobra.Command, error) {
 	//	o := NewCalicoServerOptions(out, errOut)
 

diff --git a/apiserver/pkg/storage/calico/resource.go b/apiserver/pkg/storage/calico/resource.go
@@ -106,7 +106,7 @@ func CreateClientFromConfig() clientv3.Interface {
 	return c
 }
 
-// Versioner returns the versioner associated with this interface
+// Versioned returns the versioned associated with this interface
 func (rs *resourceStore) Versioner() storage.Versioner {
 	return rs.versioner
 }