From 572c3c455ae507efd3e06ad7dfa455c2af36b59b Mon Sep 17 00:00:00 2001
From: "cilium-renovate[bot]" <134692979+cilium-renovate[bot]@users.noreply.github.com>
Date: Thu, 16 May 2024 08:55:06 +0000
Subject: [PATCH] fix(deps): update all go dependencies main

Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com>
---
api/go.mod | 4 +-
api/vendor/modules.txt | 2 +-
contrib/rthooks/tetragon-oci-hook/go.mod | 4 +-
.../tetragon-oci-hook/vendor/modules.txt | 2 +-
go.mod | 16 +-
go.sum | 24 +--
vendor/github.com/cilium/cilium/AUTHORS | 3 +
.../v1/models/daemon_configuration_status.go | 3 +
.../api/v1/models/endpoint_change_request.go | 3 +
.../cilium/pkg/alignchecker/alignchecker.go | 4 +-
.../cilium/cilium/pkg/allocator/allocator.go | 20 +--
.../cilium/cilium/pkg/backoff/backoff.go | 2 +-
.../cilium/cilium/pkg/bpf/bpf_linux.go | 2 +-
.../cilium/cilium/pkg/bpf/bpffs_linux.go | 6 +-
.../cilium/cilium/pkg/bpf/bpffs_migrate.go | 4 +-
.../cilium/pkg/cgroups/cgroups_linux.go | 6 +-
.../cilium/pkg/cgroups/manager/provider.go | 6 +-
.../cilium/cilium/pkg/client/client.go | 4 +-
.../cilium/cilium/pkg/command/output.go | 2 +-
.../cilium/pkg/controller/controller.go | 8 +-
.../cilium/cilium/pkg/counter/prefixes.go | 2 +-
.../pkg/datapath/linux/bandwidth/bandwidth.go | 8 +-
.../linux/probes/managed_neighbors.go | 2 +-
.../cilium/cilium/pkg/defaults/defaults.go | 8 +-
.../cilium/cilium/pkg/endpoint/id/id.go | 2 +-
.../cilium/pkg/health/client/modules.go | 4 +-
.../cilium/pkg/identity/cache/allocator.go | 6 +-
.../cilium/pkg/k8s/apis/cilium.io/const.go | 4 +
.../pkg/k8s/apis/cilium.io/v2/clrp_types.go | 2 +-
.../cilium/cilium/pkg/k8s/client/cell.go | 12 +-
.../pkg/k8s/identitybackend/identity.go | 4 +-
.../pkg/k8s/slim/k8s/apis/labels/selector.go | 2 +-
.../k8s/slim/k8s/apis/util/intstr/intstr.go | 8 +-
.../cilium/cilium/pkg/k8s/version/version.go | 6 +-
.../cilium/pkg/kvstore/allocator/allocator.go | 20 +--
.../cilium/cilium/pkg/kvstore/consul.go | 12 +-
.../cilium/cilium/pkg/kvstore/etcd.go | 8 +-
.../cilium/cilium/pkg/kvstore/lock.go | 4 +-
.../cilium/cilium/pkg/labels/labels.go | 2 +-
.../cilium/pkg/logging/logfields/logfields.go | 3 +
.../github.com/cilium/cilium/pkg/mac/mac.go | 2 +-
.../cilium/cilium/pkg/maps/lxcmap/lxcmap.go | 8 +-
.../cilium/cilium/pkg/mountinfo/mountinfo.go | 2 +-
.../cilium/cilium/pkg/option/config.go | 60 +++++--
.../cilium/cilium/pkg/policy/api/groups.go | 2 +-
.../cilium/pkg/policy/api/rule_validation.go | 6 +-
.../cilium/cilium/pkg/policy/api/selector.go | 2 +-
.../cilium/cilium/pkg/policy/rule.go | 20 ++-
.../cilium/cilium/pkg/policy/rules.go | 2 +-
.../cilium/cilium/pkg/policy/visibility.go | 2 +-
.../cilium/cilium/pkg/rate/api_limiter.go | 2 +-
.../cilium/cilium/pkg/sysctl/sysctl.go | 8 +-
.../cilium/cilium/pkg/versioncheck/check.go | 4 +-
.../cilium/pkg/wireguard/types/types.go | 2 +
vendor/github.com/cilium/dns/shared_client.go | 22 ++-
.../little-vm-helper/pkg/images/build.go | 10 +-
.../little-vm-helper/pkg/runner/conf.go | 52 ++++++
.../little-vm-helper/pkg/runner/qemu.go | 151 ++++++++++++++++++
.../image-spec/specs-go/v1/annotations.go | 3 -
.../image-spec/specs-go/v1/artifact.go | 34 ----
.../image-spec/specs-go/v1/config.go | 34 ++--
.../image-spec/specs-go/v1/manifest.go | 11 ++
.../image-spec/specs-go/v1/mediatype.go | 19 ++-
.../image-spec/specs-go/version.go | 2 +-
vendor/modules.txt | 18 +--
.../pkg/client/fieldowner.go | 106 ++++++++++++
.../pkg/manager/internal.go | 18 +++
.../controller-runtime/pkg/manager/manager.go | 9 ++
.../pkg/metrics/server/server.go | 20 +++
69 files changed, 645 insertions(+), 230 deletions(-)
create mode 100644 vendor/github.com/cilium/little-vm-helper/pkg/runner/conf.go
create mode 100644 vendor/github.com/cilium/little-vm-helper/pkg/runner/qemu.go
delete mode 100644 vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go
create mode 100644 vendor/sigs.k8s.io/controller-runtime/pkg/client/fieldowner.go
diff --git a/api/go.mod b/api/go.mod
index cdf91671423..aa93b2943d0 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -1,7 +1,9 @@ module github.com/cilium/tetragon/api // renovate: datasource=golang-version depName=go -go 1.22.0 +go 1.22.1 + +toolchain go1.22.3 require ( github.com/cilium/tetragon v0.0.0-00010101000000-000000000000 diff --git a/api/vendor/modules.txt b/api/vendor/modules.txt index 1be96d9d0ae..fb1dd9a64c1 100644 --- a/api/vendor/modules.txt +++ b/api/vendor/modules.txt @@ -1,5 +1,5 @@ # github.com/cilium/tetragon v0.0.0-00010101000000-000000000000 => ../ -## explicit; go 1.22.0 +## explicit; go 1.22.1 github.com/cilium/tetragon/pkg/matchers/bytesmatcher github.com/cilium/tetragon/pkg/matchers/listmatcher github.com/cilium/tetragon/pkg/matchers/stringmatcher diff --git a/contrib/rthooks/tetragon-oci-hook/go.mod b/contrib/rthooks/tetragon-oci-hook/go.mod index b7b03f6570a..5089e41b907 100644 --- a/contrib/rthooks/tetragon-oci-hook/go.mod +++ b/contrib/rthooks/tetragon-oci-hook/go.mod @@ -1,7 +1,9 @@ module github.com/cilium/tetragon/contrib/rthooks/tetragon-oci-hook // renovate: datasource=golang-version depName=go -go 1.22.0 +go 1.22.1 + +toolchain go1.22.3 require ( github.com/alecthomas/kong v0.9.0 diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/modules.txt b/contrib/rthooks/tetragon-oci-hook/vendor/modules.txt index 087b001abe9..46c01802c31 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/modules.txt +++ b/contrib/rthooks/tetragon-oci-hook/vendor/modules.txt @@ -20,7 +20,7 @@ github.com/cilium/ebpf/link ## explicit; go 1.13 github.com/cilium/lumberjack/v2 # github.com/cilium/tetragon/api v0.0.0-00010101000000-000000000000 => ../../../api -## explicit; go 1.22.0 +## explicit; go 1.22.1 github.com/cilium/tetragon/api/v1/tetragon # github.com/containers/common v0.58.2 ## explicit; go 1.20 diff --git a/go.mod b/go.mod index 8b349368ce4..40b8cd43d0a 100644 --- a/go.mod +++ b/go.mod 
@@ -1,13 +1,15 @@ module github.com/cilium/tetragon // renovate: datasource=golang-version depName=go -go 1.22.0 +go 1.22.1 + +toolchain go1.22.3 require ( github.com/bombsimon/logrusr/v4 v4.1.0 - github.com/cilium/cilium v1.15.4 + github.com/cilium/cilium v1.15.5 github.com/cilium/ebpf v0.15.0 - github.com/cilium/little-vm-helper v0.0.17 + github.com/cilium/little-vm-helper v0.0.18 github.com/cilium/lumberjack/v2 v2.3.0 github.com/cilium/tetragon/api v0.0.0-00010101000000-000000000000 github.com/cilium/tetragon/pkg/k8s v0.0.0-00010101000000-000000000000 @@ -30,7 +32,7 @@ require ( github.com/mennanov/fieldmask-utils v1.1.2 github.com/opencontainers/runtime-spec v1.2.0 github.com/pelletier/go-toml v1.9.5 - github.com/prometheus/client_golang v1.19.0 + github.com/prometheus/client_golang v1.19.1 github.com/prometheus/client_model v0.6.1 github.com/prometheus/procfs v0.14.0 github.com/sirupsen/logrus v1.9.3 @@ -55,7 +57,7 @@ require ( k8s.io/code-generator v0.29.4 k8s.io/klog/v2 v2.120.1 k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f - sigs.k8s.io/controller-runtime v0.16.5 + sigs.k8s.io/controller-runtime v0.16.6 sigs.k8s.io/controller-tools v0.14.0 sigs.k8s.io/e2e-framework v0.2.0 sigs.k8s.io/yaml v1.4.0 @@ -71,7 +73,7 @@ require ( github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/cilium/dns v1.1.51-0.20231120140355-729345173dc3 // indirect + github.com/cilium/dns v1.1.51-0.20240416134107-d47d0dd702a1 // indirect github.com/cilium/proxy v0.0.0-20231031145409-f19708f3d018 // indirect github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect github.com/containerd/log v0.1.0 // indirect 
@@ -146,7 +148,7 @@ require ( github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect github.com/oklog/ulid v1.3.1 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b // indirect + github.com/opencontainers/image-spec v1.1.0-rc3 // indirect github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect github.com/pelletier/go-toml/v2 v2.1.0 // indirect github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect diff --git a/go.sum b/go.sum index 68a0ff8c9b4..2d87c639fb8 100644 --- a/go.sum +++ b/go.sum 
@@ -51,16 +51,16 @@ github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cilium/checkmate v1.0.3 h1:CQC5eOmlAZeEjPrVZY3ZwEBH64lHlx9mXYdUehEwI5w=
 github.com/cilium/checkmate v1.0.3/go.mod h1:KiBTasf39/F2hf2yAmHw21YFl3hcEyP4Yk6filxc12A=
-github.com/cilium/cilium v1.15.4 h1:6UWB7y/vWgXEOVmCgLk8rKYodC/odU1IngH1fdKH0nE=
-github.com/cilium/cilium v1.15.4/go.mod h1:ojlr/BoauoO2o2884BGO2ukxK953ieha3eSOhhfrmlQ=
+github.com/cilium/cilium v1.15.5 h1:AFhWniiqVyQXYfpaPZTRfKdS0pLx+8lCDPp7JpAZqfo=
+github.com/cilium/cilium v1.15.5/go.mod h1:hsruyj1KCncND7AyIlbKgHUlk7V+ONxTn3EbrOu39dI=
 github.com/cilium/controller-tools v0.8.0-1 h1:D5xhwSUZZceaKAacHOyfcpUMgLbs2TGeJEijNHlAQlc=
 github.com/cilium/controller-tools v0.8.0-1/go.mod h1:qE2DXhVOiEq5ijmINcFbqi9GZrrUjzB1TuJU0xa6eoY=
-github.com/cilium/dns v1.1.51-0.20231120140355-729345173dc3 h1:3PErIjIq4DlOwNsQNPcILFzbGnxPuKuqJsHEFpiwstM=
-github.com/cilium/dns v1.1.51-0.20231120140355-729345173dc3/go.mod h1:/7LC2GOgyXJ7maupZlaVIumYQiGPIgllSf6mA9sg6RU=
+github.com/cilium/dns v1.1.51-0.20240416134107-d47d0dd702a1 h1:IR2iQhLyEVDJ52rPpqYAdRZMwlOSDl1XJqkD5PQJAfs=
+github.com/cilium/dns v1.1.51-0.20240416134107-d47d0dd702a1/go.mod h1:/7LC2GOgyXJ7maupZlaVIumYQiGPIgllSf6mA9sg6RU=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
-github.com/cilium/little-vm-helper v0.0.17 h1:uKS/wQSPeFqgZk6fFRhnreGvhuQCnWsZvqhkF/PS/OM=
-github.com/cilium/little-vm-helper v0.0.17/go.mod h1:2q3DGb/ptNd+jnenMpx0l++PX6r85FzvaTvZG31pGAQ=
+github.com/cilium/little-vm-helper v0.0.18 h1:Sx3D9lQ6glUwWyF9b8I/sd/mo+2qobnpMGT1n6VlS04=
+github.com/cilium/little-vm-helper v0.0.18/go.mod h1:Cq9INShkRoeR4LC46dwHkfL3EZfHsN+e+xAsJKJ/wJM=
 github.com/cilium/lumberjack/v2 v2.3.0 h1:IhVJMvPpqDYmQzC0KDhAoy7KlaRsyOsZnT97Nsa3u0o=
 github.com/cilium/lumberjack/v2 v2.3.0/go.mod h1:yfbtPGmg4i//5oEqzaMxDqSWqgfZFmMoV70Mc2k6v0A=
 github.com/cilium/proxy v0.0.0-20231031145409-f19708f3d018 h1:R/QlThqx099hS6req1k2Q87fvLSRgCEicQGate9vxO4=
@@ -437,8 +437,8 @@ github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
 github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
+github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
+github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
 github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A=
@@ -469,8 +469,8 @@ github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:Om
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
-github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
-github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
+github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
+github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -854,8 +854,8 @@ k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCf
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 h1:TgtAeesdhpm2SGwkQasmbeqDo8th5wOBA5h/AjTKA4I=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0/go.mod h1:VHVDI/KrK4fjnV61bE2g3sA7tiETLn8sooImelsCx3Y=
-sigs.k8s.io/controller-runtime v0.16.5 h1:yr1cEJbX08xsTW6XEIzT13KHHmIyX8Umvme2cULvFZw=
-sigs.k8s.io/controller-runtime v0.16.5/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0=
+sigs.k8s.io/controller-runtime v0.16.6 h1:FiXwTuFF5ZJKmozfP2Z0j7dh6kmxP4Ou1KLfxgKKC3I=
+sigs.k8s.io/controller-runtime v0.16.6/go.mod h1:+dQzkZxnylD0u49e0a+7AR+vlibEBaThmPca7lTyUsI=
 sigs.k8s.io/e2e-framework v0.2.0 h1:gD6AWWAHFcHibI69E9TgkNFhh0mVwWtRCHy2RU057jQ=
 sigs.k8s.io/e2e-framework v0.2.0/go.mod h1:E6JXj/V4PIlb95jsn2WrNKG+Shb45xaaI7C0+BH4PL8=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
diff --git a/vendor/github.com/cilium/cilium/AUTHORS b/vendor/github.com/cilium/cilium/AUTHORS
index 0239f7860d9..f7026e289f7 100644
--- a/vendor/github.com/cilium/cilium/AUTHORS
+++ b/vendor/github.com/cilium/cilium/AUTHORS
@@ -316,6 +316,8 @@ Jan-Erik Rediger janerik@fnordig.de
 Jan Jansen jan.jansen@gdata.de
 Jan Mraz strudelpi@pm.me
 Jarno Rajahalme jarno@isovalent.com
+Jason Aliyetti jaliyetti@gmail.com
+JBodkin-Amphora james.bodkin@amphora.net
 Jean Raby jean@raby.sh
 Jed Salazar jedsalazar@gmail.com
 Jef Spaleta jspaleta@gmail.com
@@ -492,6 +494,7 @@ Mohit Marathe mohitmarathe23@gmail.com
 Moritz Eckert m1gh7ym0@gmail.com
 Moritz Johner beller.moritz@googlemail.com
 Moshe Immerman moshe.immerman@vitalitygroup.com
+Natalia Reka Ivanko natalia@isovalent.com
 Nate Sweet nathanjsweet@pm.me
 Nate Taylor ntaylor1781@gmail.com
 Nathan Bird njbird@infiniteenergy.com
diff --git a/vendor/github.com/cilium/cilium/api/v1/models/daemon_configuration_status.go b/vendor/github.com/cilium/cilium/api/v1/models/daemon_configuration_status.go index f55612181d7..64daed2b0f4 100644 --- a/vendor/github.com/cilium/cilium/api/v1/models/daemon_configuration_status.go +++ b/vendor/github.com/cilium/cilium/api/v1/models/daemon_configuration_status.go @@ -53,6 +53,9 @@ type DaemonConfigurationStatus struct { // Immutable configuration (read-only) Immutable ConfigurationMap `json:"immutable,omitempty"` + // Comma-separated list of IP ports should be reserved in the workload network namespace + IPLocalReservedPorts string `json:"ipLocalReservedPorts,omitempty"` + // Configured IPAM mode IpamMode string `json:"ipam-mode,omitempty"` diff --git a/vendor/github.com/cilium/cilium/api/v1/models/endpoint_change_request.go b/vendor/github.com/cilium/cilium/api/v1/models/endpoint_change_request.go index e1be73caae7..d59e7f3a164 100644 --- a/vendor/github.com/cilium/cilium/api/v1/models/endpoint_change_request.go +++ b/vendor/github.com/cilium/cilium/api/v1/models/endpoint_change_request.go @@ -67,6 +67,9 @@ type EndpointChangeRequest struct { // Kubernetes pod name K8sPodName string `json:"k8s-pod-name,omitempty"` + // Kubernetes pod UID + K8sUID string `json:"k8s-uid,omitempty"` + // Labels describing the identity Labels Labels `json:"labels,omitempty"` diff --git a/vendor/github.com/cilium/cilium/pkg/alignchecker/alignchecker.go b/vendor/github.com/cilium/cilium/pkg/alignchecker/alignchecker.go index f3999cc2486..8be3e3d62bc 100644 --- a/vendor/github.com/cilium/cilium/pkg/alignchecker/alignchecker.go +++ b/vendor/github.com/cilium/cilium/pkg/alignchecker/alignchecker.go 
@@ -24,12 +24,12 @@ import ( func CheckStructAlignments(pathToObj string, toCheck map[string][]any, checkOffsets bool) error { spec, err := btf.LoadSpec(pathToObj) if err != nil { - return fmt.Errorf("cannot parse BTF debug info %s: %s", pathToObj, err) + return fmt.Errorf("cannot parse BTF debug info %s: %w", pathToObj, err) } structInfo, err := getStructInfosFromBTF(spec, toCheck) if err != nil { - return fmt.Errorf("cannot extract struct info from BTF %s: %s", pathToObj, err) + return fmt.Errorf("cannot extract struct info from BTF %s: %w", pathToObj, err) } for cName, goStructs := range toCheck { diff --git a/vendor/github.com/cilium/cilium/pkg/allocator/allocator.go b/vendor/github.com/cilium/cilium/pkg/allocator/allocator.go index 56b40c900ae..2792a310867 100644 --- a/vendor/github.com/cilium/cilium/pkg/allocator/allocator.go +++ b/vendor/github.com/cilium/cilium/pkg/allocator/allocator.go @@ -418,7 +418,7 @@ func (a *Allocator) WaitForInitialSync(ctx context.Context) error { select { case <-a.initialListDone: case <-ctx.Done(): - return fmt.Errorf("identity sync was cancelled: %s", ctx.Err()) + return fmt.Errorf("identity sync was cancelled: %w", ctx.Err()) } return nil @@ -524,13 +524,13 @@ func (a *Allocator) lockedAllocate(ctx context.Context, key AllocatorKey) (idpoo if value != 0 { // re-create master key if err := a.backend.UpdateKeyIfLocked(ctx, value, key, true, lock); err != nil { - return 0, false, false, fmt.Errorf("unable to re-create missing master key '%s': %s while allocating ID: %s", key, value, err) + return 0, false, false, fmt.Errorf("unable to re-create missing master key '%s': %s while allocating ID: %w", key, value, err) } } } else { _, firstUse, err = a.localKeys.allocate(k, key, value) if err != nil { - return 0, false, false, fmt.Errorf("unable to reserve local key '%s': %s", k, err) + return 0, false, false, fmt.Errorf("unable to reserve local key '%s': %w", k, err) } if firstUse { 
@@ -545,7 +545,7 @@ func (a *Allocator) lockedAllocate(ctx context.Context, key AllocatorKey) (idpoo if err = a.backend.AcquireReference(ctx, value, key, lock); err != nil { a.localKeys.release(k) - return 0, false, false, fmt.Errorf("unable to create secondary key '%s': %s", k, err) + return 0, false, false, fmt.Errorf("unable to create secondary key '%s': %w", k, err) } // mark the key as verified in the local cache @@ -572,7 +572,7 @@ func (a *Allocator) lockedAllocate(ctx context.Context, key AllocatorKey) (idpoo oldID, firstUse, err := a.localKeys.allocate(k, key, id) if err != nil { a.idPool.Release(unmaskedID) - return 0, false, false, fmt.Errorf("unable to reserve local key '%s': %s", k, err) + return 0, false, false, fmt.Errorf("unable to reserve local key '%s': %w", k, err) } // Another local writer beat us to allocating an ID for the same key, @@ -602,7 +602,7 @@ func (a *Allocator) lockedAllocate(ctx context.Context, key AllocatorKey) (idpoo // Creation failed. Another agent most likely beat us to allocting this // ID, retry. releaseKeyAndID() - return 0, false, false, fmt.Errorf("unable to allocate ID %s for key %s: %s", strID, key2, err) + return 0, false, false, fmt.Errorf("unable to allocate ID %s for key %s: %w", strID, key2, err) } // Notify pool that leased ID is now in-use. @@ -613,7 +613,7 @@ func (a *Allocator) lockedAllocate(ctx context.Context, key AllocatorKey) (idpoo // exposed and may be in use by other nodes. The garbage // collector will release it again. releaseKeyAndID() - return 0, false, false, fmt.Errorf("secondary key creation failed '%s': %s", k, err) + return 0, false, false, fmt.Errorf("secondary key creation failed '%s': %w", k, err) } // mark the key as verified in the local cache 
@@ -651,7 +651,7 @@ func (a *Allocator) Allocate(ctx context.Context, key AllocatorKey) (idpool.ID, select { case <-a.initialListDone: case <-ctx.Done(): - return 0, false, false, fmt.Errorf("allocation was cancelled while waiting for initial key list to be received: %s", ctx.Err()) + return 0, false, false, fmt.Errorf("allocation was cancelled while waiting for initial key list to be received: %w", ctx.Err()) } kvstore.Trace("Allocating from kvstore", nil, logrus.Fields{fieldKey: key}) @@ -690,7 +690,7 @@ func (a *Allocator) Allocate(ctx context.Context, key AllocatorKey) (idpool.ID, select { case <-ctx.Done(): scopedLog.WithError(ctx.Err()).Warning("Ongoing key allocation has been cancelled") - return 0, false, false, fmt.Errorf("key allocation cancelled: %s", ctx.Err()) + return 0, false, false, fmt.Errorf("key allocation cancelled: %w", ctx.Err()) default: scopedLog.WithError(err).Warning("Key allocation attempt failed") } @@ -813,7 +813,7 @@ func (a *Allocator) Release(ctx context.Context, key AllocatorKey) (lastUse bool select { case <-a.initialListDone: case <-ctx.Done(): - return false, fmt.Errorf("release was cancelled while waiting for initial key list to be received: %s", ctx.Err()) + return false, fmt.Errorf("release was cancelled while waiting for initial key list to be received: %w", ctx.Err()) } k := a.encodeKey(key) diff --git a/vendor/github.com/cilium/cilium/pkg/backoff/backoff.go b/vendor/github.com/cilium/cilium/pkg/backoff/backoff.go index 2cfbde3dcad..3ddada53096 100644 --- a/vendor/github.com/cilium/cilium/pkg/backoff/backoff.go +++ b/vendor/github.com/cilium/cilium/pkg/backoff/backoff.go @@ -166,7 +166,7 @@ func (b *Exponential) Wait(ctx context.Context) error { select { case <-ctx.Done(): - return fmt.Errorf("exponential backoff cancelled via context: %s", ctx.Err()) + return fmt.Errorf("exponential backoff cancelled via context: %w", ctx.Err()) case <-time.After(t): } 
diff --git a/vendor/github.com/cilium/cilium/pkg/bpf/bpf_linux.go b/vendor/github.com/cilium/cilium/pkg/bpf/bpf_linux.go index 1a8972bafca..bc689ecdf4f 100644 --- a/vendor/github.com/cilium/cilium/pkg/bpf/bpf_linux.go +++ b/vendor/github.com/cilium/cilium/pkg/bpf/bpf_linux.go @@ -161,7 +161,7 @@ func GetMtime() (uint64, error) { err := unix.ClockGettime(unix.CLOCK_MONOTONIC, &ts) if err != nil { - return 0, fmt.Errorf("Unable get time: %s", err) + return 0, fmt.Errorf("Unable get time: %w", err) } return uint64(unix.TimespecToNsec(ts)), nil diff --git a/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_linux.go b/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_linux.go index 8a22cc6942d..1a94dde4199 100644 --- a/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_linux.go +++ b/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_linux.go @@ -133,10 +133,10 @@ func mountFS(printWarning bool) error { if err != nil { if os.IsNotExist(err) { if err := MkdirBPF(bpffsRoot); err != nil { - return fmt.Errorf("unable to create bpf mount directory: %s", err) + return fmt.Errorf("unable to create bpf mount directory: %w", err) } } else { - return fmt.Errorf("failed to stat the mount path %s: %s", bpffsRoot, err) + return fmt.Errorf("failed to stat the mount path %s: %w", bpffsRoot, err) } } else if !mapRootStat.IsDir() { @@ -144,7 +144,7 @@ func mountFS(printWarning bool) error { } if err := unix.Mount(bpffsRoot, bpffsRoot, "bpf", 0, ""); err != nil { - return fmt.Errorf("failed to mount %s: %s", bpffsRoot, err) + return fmt.Errorf("failed to mount %s: %w", bpffsRoot, err) } return nil } diff --git a/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_migrate.go b/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_migrate.go index d0a61be998a..99a8e49c042 100644 --- a/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_migrate.go +++ b/vendor/github.com/cilium/cilium/pkg/bpf/bpffs_migrate.go 
@@ -90,7 +90,7 @@ func RepinMap(bpffsPath string, name string, spec *ebpf.MapSpec) error { } if err != nil { - return fmt.Errorf("map not found at path %s: %v", name, err) + return fmt.Errorf("map not found at path %s: %w", name, err) } defer pinned.Close() @@ -148,7 +148,7 @@ func FinalizeMap(bpffsPath, name string, revert bool) error { } if err != nil { - return fmt.Errorf("unable to open pinned map at path %s: %v", name, err) + return fmt.Errorf("unable to open pinned map at path %s: %w", name, err) } // Pending Map was found on bpffs and needs to be reverted. diff --git a/vendor/github.com/cilium/cilium/pkg/cgroups/cgroups_linux.go b/vendor/github.com/cilium/cilium/pkg/cgroups/cgroups_linux.go index a8ed26469b8..0c882558a90 100644 --- a/vendor/github.com/cilium/cilium/pkg/cgroups/cgroups_linux.go +++ b/vendor/github.com/cilium/cilium/pkg/cgroups/cgroups_linux.go @@ -20,17 +20,17 @@ func mountCgroup() error { if err != nil { if os.IsNotExist(err) { if err := os.MkdirAll(cgroupRoot, 0755); err != nil { - return fmt.Errorf("Unable to create cgroup mount directory: %s", err) + return fmt.Errorf("Unable to create cgroup mount directory: %w", err) } } else { - return fmt.Errorf("Failed to stat the mount path %s: %s", cgroupRoot, err) + return fmt.Errorf("Failed to stat the mount path %s: %w", cgroupRoot, err) } } else if !cgroupRootStat.IsDir() { return fmt.Errorf("%s is a file which is not a directory", cgroupRoot) } if err := unix.Mount("none", cgroupRoot, "cgroup2", 0, ""); err != nil { - return fmt.Errorf("failed to mount %s: %s", cgroupRoot, err) + return fmt.Errorf("failed to mount %s: %w", cgroupRoot, err) } return nil diff --git a/vendor/github.com/cilium/cilium/pkg/cgroups/manager/provider.go b/vendor/github.com/cilium/cilium/pkg/cgroups/manager/provider.go index 2dae690c605..792bc08c02d 100644 --- a/vendor/github.com/cilium/cilium/pkg/cgroups/manager/provider.go +++ b/vendor/github.com/cilium/cilium/pkg/cgroups/manager/provider.go 
@@ -141,12 +141,12 @@ func getSystemdContainerPathCommon(subPaths []string, podId string, containerId podIdStr := fmt.Sprintf("pod%s", podId) if qos == v1.PodQOSGuaranteed { if path, err = toSystemd(append(subPaths, podIdStr)); err != nil { - return "", fmt.Errorf("unable to construct cgroup path %w", err) + return "", fmt.Errorf("unable to construct cgroup path: %w", err) } } else { qosStr := strings.ToLower(string(qos)) if path, err = toSystemd(append(subPaths, qosStr, podIdStr)); err != nil { - return "", fmt.Errorf("unable to construct cgroup path %w", err) + return "", fmt.Errorf("unable to construct cgroup path: %w", err) } } // construct and append container sub path with container id @@ -211,7 +211,7 @@ func toSystemd(cgroupName []string) (string, error) { result, err := expandSlice(strings.Join(newparts, "-") + systemdSuffix) if err != nil { - return "", fmt.Errorf("error converting cgroup name [%v] to systemd format: %v", cgroupName, err) + return "", fmt.Errorf("error converting cgroup name [%v] to systemd format: %w", cgroupName, err) } return result, nil } diff --git a/vendor/github.com/cilium/cilium/pkg/client/client.go b/vendor/github.com/cilium/cilium/pkg/client/client.go index f0f26333d75..87c38bb845d 100644 --- a/vendor/github.com/cilium/cilium/pkg/client/client.go +++ b/vendor/github.com/cilium/cilium/pkg/client/client.go @@ -75,7 +75,7 @@ func NewDefaultClientWithTimeout(timeout time.Duration) (*Client, error) { for { select { case <-timeoutAfter: - return nil, fmt.Errorf("failed to create cilium agent client after %f seconds timeout: %s", timeout.Seconds(), err) + return nil, fmt.Errorf("failed to create cilium agent client after %f seconds timeout: %w", timeout.Seconds(), err) default: } 
@@ -88,7 +88,7 @@ func NewDefaultClientWithTimeout(timeout time.Duration) (*Client, error) { for { select { case <-timeoutAfter: - return nil, fmt.Errorf("failed to create cilium agent client after %f seconds timeout: %s", timeout.Seconds(), err) + return nil, fmt.Errorf("failed to create cilium agent client after %f seconds timeout: %w", timeout.Seconds(), err) default: } // This is an API call that we do to the cilium-agent to check diff --git a/vendor/github.com/cilium/cilium/pkg/command/output.go b/vendor/github.com/cilium/cilium/pkg/command/output.go index a3d0490df57..f6196048c5f 100644 --- a/vendor/github.com/cilium/cilium/pkg/command/output.go +++ b/vendor/github.com/cilium/cilium/pkg/command/output.go @@ -58,7 +58,7 @@ func PrintOutput(data interface{}) error { func PrintOutputWithPatch(data interface{}, patch interface{}) error { mergedInterface, err := mergeInterfaces(data, patch) if err != nil { - return fmt.Errorf("Unable to merge Interfaces:%v", err) + return fmt.Errorf("Unable to merge Interfaces: %w", err) } return PrintOutputWithType(mergedInterface, outputOpt) } diff --git a/vendor/github.com/cilium/cilium/pkg/controller/controller.go b/vendor/github.com/cilium/cilium/pkg/controller/controller.go index f35bded20df..821020c7df2 100644 --- a/vendor/github.com/cilium/cilium/pkg/controller/controller.go +++ b/vendor/github.com/cilium/cilium/pkg/controller/controller.go 
@@ -265,11 +265,11 @@ func (c *controller) runController(params ControllerParams) { err = NewExitReason("controller context canceled") } - switch err := err.(type) { - case ExitReason: + var exitReason ExitReason + if errors.As(err, &exitReason) { // This is actually not an error case, but it causes an exit c.recordSuccess(params.HealthReporter) - c.lastError = err // This will be shown in the controller status + c.lastError = exitReason // This will be shown in the controller status // Don't exit the goroutine, since that only happens when the // controller is explicitly stopped. Instead, just wait for @@ -277,7 +277,7 @@ func (c *controller) runController(params ControllerParams) { c.getLogger().Debug("Controller run succeeded; waiting for next controller update or stop") interval = time.Duration(math.MaxInt64) - default: + } else { c.getLogger().WithField(fieldConsecutiveErrors, errorRetries). WithError(err).Debug("Controller run failed") c.recordError(err, params.HealthReporter) diff --git a/vendor/github.com/cilium/cilium/pkg/counter/prefixes.go b/vendor/github.com/cilium/cilium/pkg/counter/prefixes.go index 6c883c6bb50..fad776b674b 100644 --- a/vendor/github.com/cilium/cilium/pkg/counter/prefixes.go +++ b/vendor/github.com/cilium/cilium/pkg/counter/prefixes.go @@ -67,7 +67,7 @@ func DefaultPrefixLengthCounter() *PrefixLengthCounter { createIPNet(net.IPv6len*8, net.IPv6len*8), // hosts } if _, err := counter.Add(defaultPrefixes); err != nil { - panic(fmt.Errorf("Failed to create default prefix lengths: %s", err)) + panic(fmt.Errorf("Failed to create default prefix lengths: %w", err)) } return counter diff --git a/vendor/github.com/cilium/cilium/pkg/datapath/linux/bandwidth/bandwidth.go b/vendor/github.com/cilium/cilium/pkg/datapath/linux/bandwidth/bandwidth.go index c91130e6342..8afcc2b1bbc 100644 --- a/vendor/github.com/cilium/cilium/pkg/datapath/linux/bandwidth/bandwidth.go +++ b/vendor/github.com/cilium/cilium/pkg/datapath/linux/bandwidth/bandwidth.go 
@@ -237,7 +237,7 @@ func setBaselineSysctls(p bandwidthManagerParams) error { for name, value := range baseIntSettings { currentValue, err := sysctl.ReadInt(name) if err != nil { - return fmt.Errorf("read sysctl %s failed: %s", name, err) + return fmt.Errorf("read sysctl %s failed: %w", name, err) } scopedLog := p.Log.WithFields(logrus.Fields{ @@ -253,7 +253,7 @@ func setBaselineSysctls(p bandwidthManagerParams) error { scopedLog.Info("Setting sysctl to baseline for BPF bandwidth manager") if err := sysctl.WriteInt(name, value); err != nil { - return fmt.Errorf("set sysctl %s=%d failed: %s", name, value, err) + return fmt.Errorf("set sysctl %s=%d failed: %w", name, value, err) } } @@ -275,7 +275,7 @@ func setBaselineSysctls(p bandwidthManagerParams) error { }).Info("Setting sysctl to baseline for BPF bandwidth manager") if err := sysctl.Write(name, value); err != nil { - return fmt.Errorf("set sysctl %s=%s failed: %s", name, value, err) + return fmt.Errorf("set sysctl %s=%s failed: %w", name, value, err) } } @@ -294,7 +294,7 @@ func setBaselineSysctls(p bandwidthManagerParams) error { }).Info("Setting sysctl to baseline for BPF bandwidth manager") if err := sysctl.WriteInt(name, value); err != nil { - return fmt.Errorf("set sysctl %s=%d failed: %s", name, value, err) + return fmt.Errorf("set sysctl %s=%d failed: %w", name, value, err) } } } diff --git a/vendor/github.com/cilium/cilium/pkg/datapath/linux/probes/managed_neighbors.go b/vendor/github.com/cilium/cilium/pkg/datapath/linux/probes/managed_neighbors.go index f260c1e2ffb..2d8196d5352 100644 --- a/vendor/github.com/cilium/cilium/pkg/datapath/linux/probes/managed_neighbors.go +++ b/vendor/github.com/cilium/cilium/pkg/datapath/linux/probes/managed_neighbors.go 
@@ -62,7 +62,7 @@ func haveManagedNeighbors() (outer error) { // The current goroutine is locked to an OS thread and we've failed // to undo state modifications to the thread. Returning without unlocking // the goroutine will make sure the underlying OS thread dies. - outer = fmt.Errorf("error setting thread back to its original netns: %w (original error: %s)", nerr, outer) + outer = fmt.Errorf("error setting thread back to its original netns: %w (original error: %w)", nerr, outer) return } // only now that we have successfully changed the thread back to its diff --git a/vendor/github.com/cilium/cilium/pkg/defaults/defaults.go b/vendor/github.com/cilium/cilium/pkg/defaults/defaults.go index a17bf474daa..fe34caa624a 100644 --- a/vendor/github.com/cilium/cilium/pkg/defaults/defaults.go +++ b/vendor/github.com/cilium/cilium/pkg/defaults/defaults.go @@ -507,11 +507,9 @@ const ( // InstallNoConntrackRules instructs Cilium to install Iptables rules to skip netfilter connection tracking on all pod traffic. InstallNoConntrackIptRules = false - // WireguardSubnetV4 is a default WireGuard tunnel subnet - WireguardSubnetV4 = "172.16.43.0/24" - - // WireguardSubnetV6 is a default WireGuard tunnel subnet - WireguardSubnetV6 = "fdc9:281f:04d7:9ee9::1/64" + // ContainerIPLocalReservedPortsAuto instructs the Cilium CNI plugin to reserve + // an auto-generated list of ports in the container network namespace + ContainerIPLocalReservedPortsAuto = "auto" // ExternalClusterIP enables cluster external access to ClusterIP services. // Defaults to false to retain prior behaviour of not routing external packets to ClusterIPs. diff --git a/vendor/github.com/cilium/cilium/pkg/endpoint/id/id.go b/vendor/github.com/cilium/cilium/pkg/endpoint/id/id.go index a785e2d0f01..96b8d7b1025 100644 --- a/vendor/github.com/cilium/cilium/pkg/endpoint/id/id.go +++ b/vendor/github.com/cilium/cilium/pkg/endpoint/id/id.go 
@@ -129,7 +129,7 @@ func ParseCiliumID(id string) (int64, error) { } n, err := strconv.ParseInt(id, 0, 64) if err != nil || n < 0 { - return 0, fmt.Errorf("invalid numeric cilium id: %s", err) + return 0, fmt.Errorf("invalid numeric cilium id: %w", err) } if n > MaxEndpointID { return 0, fmt.Errorf("endpoint id too large: %d", n) diff --git a/vendor/github.com/cilium/cilium/pkg/health/client/modules.go b/vendor/github.com/cilium/cilium/pkg/health/client/modules.go index 52d65037912..470da8ed15b 100644 --- a/vendor/github.com/cilium/cilium/pkg/health/client/modules.go +++ b/vendor/github.com/cilium/cilium/pkg/health/client/modules.go @@ -62,15 +62,13 @@ func GetAndFormatModulesHealth(w io.Writer, clt ModulesHealth, verbose bool) { for _, m := range resp.Payload.Modules { tally[cell.Level(m.Level)] += 1 } - fmt.Fprintf(w, "\t%s(%d) %s(%d) %s(%d) %s(%d)\n", + fmt.Fprintf(w, "\t%s(%d) %s(%d) %s(%d)\n", cell.StatusStopped, tally[cell.StatusStopped], cell.StatusDegraded, tally[cell.StatusDegraded], cell.StatusOK, tally[cell.StatusOK], - cell.StatusUnknown, - tally[cell.StatusUnknown], ) } diff --git a/vendor/github.com/cilium/cilium/pkg/identity/cache/allocator.go b/vendor/github.com/cilium/cilium/pkg/identity/cache/allocator.go index c637cea34ac..d5134ec77b9 100644 --- a/vendor/github.com/cilium/cilium/pkg/identity/cache/allocator.go +++ b/vendor/github.com/cilium/cilium/pkg/identity/cache/allocator.go @@ -283,7 +283,7 @@ func (m *CachingIdentityAllocator) WaitForInitialGlobalIdentities(ctx context.Co select { case <-m.globalIdentityAllocatorInitialized: case <-ctx.Done(): - return fmt.Errorf("initial global identity sync was cancelled: %s", ctx.Err()) + return fmt.Errorf("initial global identity sync was cancelled: %w", ctx.Err()) } return m.IdentityAllocator.WaitForInitialSync(ctx) 
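Review bot: In ParseCiliumID the guard `if err != nil || n < 0` wraps `err` with `%w` even when parsing succeeded and only `n < 0` tripped, so the message ends in fmt's bad-operand placeholder for a nil `%w` and the returned error wraps nothing. Split the two cases: keep `return 0, fmt.Errorf("invalid numeric cilium id: %w", err)` under `if err != nil`, and return `fmt.Errorf("invalid numeric cilium id: %d is negative", n)` under `if n < 0`. The same pattern appears in AllocateID and AllocateIDIfLocked in pkg/kvstore/allocator/allocator.go, where `err != nil || !success` formats a nil `err` whenever the create call returns `success == false` without an error. These files are vendored from cilium/cilium, so the change belongs upstream.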
@@ -493,13 +493,13 @@ func (m *CachingIdentityAllocator) WatchRemoteIdentities(remoteName string, back remoteAllocatorBackend, err := kvstoreallocator.NewKVStoreBackend(prefix, m.owner.GetNodeSuffix(), &key.GlobalIdentity{}, backend) if err != nil { - return nil, fmt.Errorf("error setting up remote allocator backend: %s", err) + return nil, fmt.Errorf("error setting up remote allocator backend: %w", err) } remoteAlloc, err := allocator.NewAllocator(&key.GlobalIdentity{}, remoteAllocatorBackend, allocator.WithEvents(m.IdentityAllocator.GetEvents()), allocator.WithoutGC(), allocator.WithoutAutostart()) if err != nil { - return nil, fmt.Errorf("unable to initialize remote Identity Allocator: %s", err) + return nil, fmt.Errorf("unable to initialize remote Identity Allocator: %w", err) } return m.IdentityAllocator.NewRemoteCache(remoteName, remoteAlloc), nil diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/const.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/const.go index bbdb5c510c9..4aa8ac51695 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/const.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/const.go @@ -80,6 +80,10 @@ const ( // to sync the CNP with kube-apiserver. CtrlPrefixPolicyStatus = "sync-cnp-policy-status" + // BatchJobControllerUID is one of the labels that is available on a Job + // https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-labels + BatchJobControllerUID = "batch.kubernetes.io/controller-uid" + // CiliumIdentityAnnotationDeprecated is the previous annotation key used to map to an endpoint's security identity. CiliumIdentityAnnotationDeprecated = "cilium-identity" ) diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/clrp_types.go b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/clrp_types.go index ca665284350..63bb1b5e1fd 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/clrp_types.go 
+++ b/vendor/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/clrp_types.go @@ -204,7 +204,7 @@ func (pInfo *PortInfo) SanitizePortInfo(checkNamedPort bool) (uint16, string, lb } else { p, err := strconv.ParseUint(pInfo.Port, 0, 16) if err != nil { - return pInt, pName, protocol, fmt.Errorf("unable to parse port: %v", err) + return pInt, pName, protocol, fmt.Errorf("unable to parse port: %w", err) } if p == 0 { return pInt, pName, protocol, fmt.Errorf("port cannot be 0") diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/client/cell.go b/vendor/github.com/cilium/cilium/pkg/k8s/client/cell.go index 1dac2c6ec33..fe3d7970aec 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/client/cell.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/client/cell.go @@ -5,6 +5,7 @@ package client import ( "context" + "errors" "fmt" "net" "net/http" @@ -16,7 +17,7 @@ import ( "github.com/sirupsen/logrus" apiext_clientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" apiext_fake "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/fake" - "k8s.io/apimachinery/pkg/api/errors" + k8sErrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" utilnet "k8s.io/apimachinery/pkg/util/net" utilruntime "k8s.io/apimachinery/pkg/util/runtime" @@ -391,13 +392,12 @@ func runHeartbeat(log logrus.FieldLogger, heartBeat func(context.Context) error, // which means the server is overloaded and only for this reason we // will not close all connections. err := heartBeat(ctx) - switch t := err.(type) { - case *errors.StatusError: - if t.ErrStatus.Code != http.StatusTooManyRequests { + if err != nil { + statusError := &k8sErrors.StatusError{} + if !errors.As(err, &statusError) || + statusError.ErrStatus.Code != http.StatusTooManyRequests { done <- err } - default: - done <- err } close(done) }() 
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/identitybackend/identity.go b/vendor/github.com/cilium/cilium/pkg/k8s/identitybackend/identity.go index 9386a68eb6c..d3a867d557b 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/identitybackend/identity.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/identitybackend/identity.go @@ -194,7 +194,7 @@ func (c *crdBackend) UpdateKey(ctx context.Context, id idpool.ID, key allocator. if reliablyMissing { // Recreate a missing master key if _, err = c.AllocateID(ctx, id, key); err != nil { - return fmt.Errorf("Unable recreate missing CRD identity %q->%q: %s", key, id, err) + return fmt.Errorf("Unable recreate missing CRD identity %q->%q: %w", key, id, err) } return nil @@ -278,7 +278,7 @@ func (c *crdBackend) Get(ctx context.Context, key allocator.AllocatorKey) (idpoo id, err := strconv.ParseUint(identity.Name, 10, 64) if err != nil { - return idpool.NoID, fmt.Errorf("unable to parse value '%s': %s", identity.Name, err) + return idpool.NoID, fmt.Errorf("unable to parse value '%s': %w", identity.Name, err) } return idpool.ID(id), nil diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels/selector.go b/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels/selector.go index 0eac5f4be0e..ade6fc43498 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels/selector.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/labels/selector.go @@ -651,7 +651,7 @@ func (p *Parser) parse() (internalSelector, error) { case IdentifierToken, DoesNotExistToken: r, err := p.parseRequirement() if err != nil { - return nil, fmt.Errorf("unable to parse requirement: %v", err) + return nil, fmt.Errorf("unable to parse requirement: %w", err) } requirements = append(requirements, *r) t, l := p.consume(Values) 
diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/util/intstr/intstr.go b/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/util/intstr/intstr.go index ca2f03b6d1d..2f76aa37776 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/util/intstr/intstr.go +++ b/vendor/github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/util/intstr/intstr.go @@ -147,7 +147,7 @@ func GetScaledValueFromIntOrPercent(intOrPercent *IntOrString, total int, roundU } value, isPercent, err := getIntOrPercentValueSafely(intOrPercent) if err != nil { - return 0, fmt.Errorf("invalid value for IntOrString: %v", err) + return 0, fmt.Errorf("invalid value for IntOrString: %w", err) } if isPercent { if roundUp { @@ -169,7 +169,7 @@ func GetValueFromIntOrPercent(intOrPercent *IntOrString, total int, roundUp bool } value, isPercent, err := getIntOrPercentValue(intOrPercent) if err != nil { - return 0, fmt.Errorf("invalid value for IntOrString: %v", err) + return 0, fmt.Errorf("invalid value for IntOrString: %w", err) } if isPercent { if roundUp { @@ -191,7 +191,7 @@ func getIntOrPercentValue(intOrStr *IntOrString) (int, bool, error) { s := strings.Replace(intOrStr.StrVal, "%", "", -1) v, err := strconv.Atoi(s) if err != nil { - return 0, false, fmt.Errorf("invalid value %q: %v", intOrStr.StrVal, err) + return 0, false, fmt.Errorf("invalid value %q: %w", intOrStr.StrVal, err) } return int(v), true, nil } @@ -213,7 +213,7 @@ func getIntOrPercentValueSafely(intOrStr *IntOrString) (int, bool, error) { } v, err := strconv.Atoi(s) if err != nil { - return 0, false, fmt.Errorf("invalid value %q: %v", intOrStr.StrVal, err) + return 0, false, fmt.Errorf("invalid value %q: %w", intOrStr.StrVal, err) } return int(v), isPercent, nil } diff --git a/vendor/github.com/cilium/cilium/pkg/k8s/version/version.go b/vendor/github.com/cilium/cilium/pkg/k8s/version/version.go index 8d0e13cf828..db2bab99517 100644 --- a/vendor/github.com/cilium/cilium/pkg/k8s/version/version.go 
+++ b/vendor/github.com/cilium/cilium/pkg/k8s/version/version.go @@ -196,7 +196,7 @@ func endpointSlicesFallbackDiscovery(client kubernetes.Interface) error { // Unknown error, we can't derive whether to enable or disable // EndpointSlices and need to error out. - return fmt.Errorf("unable to validate EndpointSlices support: %s", err) + return fmt.Errorf("unable to validate EndpointSlices support: %w", err) } func leasesFallbackDiscovery(client kubernetes.Interface, apiDiscoveryEnabled bool) error { @@ -229,7 +229,7 @@ func leasesFallbackDiscovery(client kubernetes.Interface, apiDiscoveryEnabled bo // Unknown error, we can't derive whether to enable or disable // LeasesResourceLock and need to error out - return fmt.Errorf("unable to validate LeasesResourceLock support: %s", err) + return fmt.Errorf("unable to validate LeasesResourceLock support: %w", err) } func updateK8sServerVersion(client kubernetes.Interface) error { @@ -258,7 +258,7 @@ func updateK8sServerVersion(client kubernetes.Interface) error { } } - return fmt.Errorf("cannot parse k8s server version from %+v: %s", sv, err) + return fmt.Errorf("cannot parse k8s server version from %+v: %w", sv, err) } // Update retrieves the version of the Kubernetes apiserver and derives the diff --git a/vendor/github.com/cilium/cilium/pkg/kvstore/allocator/allocator.go b/vendor/github.com/cilium/cilium/pkg/kvstore/allocator/allocator.go index 4345273bf2b..c9141031d78 100644 --- a/vendor/github.com/cilium/cilium/pkg/kvstore/allocator/allocator.go +++ b/vendor/github.com/cilium/cilium/pkg/kvstore/allocator/allocator.go 
@@ -129,7 +129,7 @@ func (k *kvstoreBackend) AllocateID(ctx context.Context, id idpool.ID, key alloc keyEncoded := []byte(k.backend.Encode([]byte(key.GetKey()))) success, err := k.backend.CreateOnly(ctx, keyPath, keyEncoded, false) if err != nil || !success { - return nil, fmt.Errorf("unable to create master key '%s': %s", keyPath, err) + return nil, fmt.Errorf("unable to create master key '%s': %w", keyPath, err) } return key, nil @@ -142,7 +142,7 @@ func (k *kvstoreBackend) AllocateIDIfLocked(ctx context.Context, id idpool.ID, k keyEncoded := []byte(k.backend.Encode([]byte(key.GetKey()))) success, err := k.backend.CreateOnlyIfLocked(ctx, keyPath, keyEncoded, false, lock) if err != nil || !success { - return nil, fmt.Errorf("unable to create master key '%s': %s", keyPath, err) + return nil, fmt.Errorf("unable to create master key '%s': %w", keyPath, err) } return key, nil @@ -152,7 +152,7 @@ func (k *kvstoreBackend) AllocateIDIfLocked(ctx context.Context, id idpool.ID, k func (k *kvstoreBackend) AcquireReference(ctx context.Context, id idpool.ID, key allocator.AllocatorKey, lock kvstore.KVLocker) error { keyString := k.backend.Encode([]byte(key.GetKey())) if err := k.createValueNodeKey(ctx, keyString, id, lock); err != nil { - return fmt.Errorf("unable to create slave key '%s': %s", keyString, err) + return fmt.Errorf("unable to create slave key '%s': %w", keyString, err) } return nil } @@ -163,7 +163,7 @@ func (k *kvstoreBackend) createValueNodeKey(ctx context.Context, key string, new // The key is protected with a TTL/lease and will expire after LeaseTTL valueKey := path.Join(k.valuePrefix, key, k.suffix) if _, err := k.backend.UpdateIfDifferentIfLocked(ctx, valueKey, []byte(newID.String()), true, lock); err != nil { - return fmt.Errorf("unable to create value-node key '%s': %s", valueKey, err) + return fmt.Errorf("unable to create value-node key '%s': %w", valueKey, err) } return nil 
@@ -290,7 +290,7 @@ func (k *kvstoreBackend) UpdateKey(ctx context.Context, id idpool.ID, key alloca success, err := k.backend.CreateOnly(ctx, keyPath, keyEncoded, false) switch { case err != nil: - return fmt.Errorf("Unable to re-create missing master key \"%s\" -> \"%s\": %s", fieldKey, valueKey, err) + return fmt.Errorf("Unable to re-create missing master key \"%s\" -> \"%s\": %w", fieldKey, valueKey, err) case success: log.WithField(fieldKey, keyPath).Warning("Re-created missing master key") } @@ -305,7 +305,7 @@ func (k *kvstoreBackend) UpdateKey(ctx context.Context, id idpool.ID, key alloca } switch { case err != nil: - return fmt.Errorf("Unable to re-create missing slave key \"%s\" -> \"%s\": %s", fieldKey, valueKey, err) + return fmt.Errorf("Unable to re-create missing slave key \"%s\" -> \"%s\": %w", fieldKey, valueKey, err) case recreated: log.WithField(fieldKey, valueKey).Warning("Re-created missing slave key") } @@ -330,7 +330,7 @@ func (k *kvstoreBackend) UpdateKeyIfLocked(ctx context.Context, id idpool.ID, ke success, err := k.backend.CreateOnlyIfLocked(ctx, keyPath, keyEncoded, false, lock) switch { case err != nil: - return fmt.Errorf("Unable to re-create missing master key \"%s\" -> \"%s\": %s", fieldKey, valueKey, err) + return fmt.Errorf("Unable to re-create missing master key \"%s\" -> \"%s\": %w", fieldKey, valueKey, err) case success: log.WithField(fieldKey, keyPath).Warning("Re-created missing master key") } @@ -346,7 +346,7 @@ func (k *kvstoreBackend) UpdateKeyIfLocked(ctx context.Context, id idpool.ID, ke } switch { case err != nil: - return fmt.Errorf("Unable to re-create missing slave key \"%s\" -> \"%s\": %s", fieldKey, valueKey, err) + return fmt.Errorf("Unable to re-create missing slave key \"%s\" -> \"%s\": %w", fieldKey, valueKey, err) case recreated: log.WithField(fieldKey, valueKey).Warning("Re-created missing slave key") } 
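Review bot: The four error messages in UpdateKey and UpdateKeyIfLocked pass `fieldKey` as the first `%s` argument, but the neighbouring `log.WithField(fieldKey, keyPath)` calls use `fieldKey` as a log field name, so the error text presumably prints that constant rather than the key that failed. For the master-key branches the argument is likely meant to be `keyPath`, e.g. `fmt.Errorf("unable to re-create missing master key %q -> %q: %w", keyPath, valueKey, err)`. The slave-key branches need the same check against variables defined outside these hunks. Both functions start and end outside the hunks shown.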
@@ -384,7 +384,7 @@ func (k *kvstoreBackend) RunLocksGC(ctx context.Context, staleKeysPrevRound map[ // fetch list of all /../locks keys allocated, err := k.backend.ListPrefix(ctx, k.lockPrefix) if err != nil { - return nil, fmt.Errorf("list failed: %s", err) + return nil, fmt.Errorf("list failed: %w", err) } staleKeys := map[string]kvstore.Value{} @@ -433,7 +433,7 @@ func (k *kvstoreBackend) RunGC( // fetch list of all /id/ keys allocated, err := k.backend.ListPrefix(ctx, k.idPrefix) if err != nil { - return nil, nil, fmt.Errorf("list failed: %s", err) + return nil, nil, fmt.Errorf("list failed: %w", err) } totalEntries := len(allocated) diff --git a/vendor/github.com/cilium/cilium/pkg/kvstore/consul.go b/vendor/github.com/cilium/cilium/pkg/kvstore/consul.go index d4fb8bfbe33..287ec5f7d16 100644 --- a/vendor/github.com/cilium/cilium/pkg/kvstore/consul.go +++ b/vendor/github.com/cilium/cilium/pkg/kvstore/consul.go @@ -150,12 +150,12 @@ func (c *consulModule) connectConsulClient(ctx context.Context, opts *ExtraOptio if configPathOptSet && configPathOpt.value != "" { b, err := os.ReadFile(configPathOpt.value) if err != nil { - return nil, fmt.Errorf("unable to read consul tls configuration file %s: %s", configPathOpt.value, err) + return nil, fmt.Errorf("unable to read consul tls configuration file %s: %w", configPathOpt.value, err) } yc := consulAPI.TLSConfig{} err = yaml.Unmarshal(b, &yc) if err != nil { - return nil, fmt.Errorf("invalid consul tls configuration in %s: %s", configPathOpt.value, err) + return nil, fmt.Errorf("invalid consul tls configuration in %s: %w", configPathOpt.value, err) } c.config.TLSConfig = yc } 
@@ -229,7 +229,7 @@ func newConsulClient(ctx context.Context, config *consulAPI.Config, opts *ExtraO wo := &consulAPI.WriteOptions{} lease, _, err := c.Session().Create(entry, wo.WithContext(ctx)) if err != nil { - return nil, fmt.Errorf("unable to create default lease: %s", err) + return nil, fmt.Errorf("unable to create default lease: %w", err) } client := &consulClient{ @@ -295,7 +295,7 @@ func (c *consulClient) LockPath(ctx context.Context, path string) (KVLocker, err select { case <-ctx.Done(): - return nil, fmt.Errorf("lock cancelled via context: %s", ctx.Err()) + return nil, fmt.Errorf("lock cancelled via context: %w", ctx.Err()) default: } } @@ -651,7 +651,7 @@ func (c *consulClient) createOnly(ctx context.Context, key string, value []byte, success, _, err := c.KV().CAS(k, opts.WithContext(ctx)) increaseMetric(key, metricSet, "CreateOnly", duration.EndError(err).Total(), err) if err != nil { - return false, fmt.Errorf("unable to compare-and-swap: %s", err) + return false, fmt.Errorf("unable to compare-and-swap: %w", err) } return success, nil } @@ -666,7 +666,7 @@ func (c *consulClient) createIfExists(ctx context.Context, condKey, key string, l, err := LockPath(ctx, c, condKey) if err != nil { - return fmt.Errorf("unable to lock condKey for CreateIfExists: %s", err) + return fmt.Errorf("unable to lock condKey for CreateIfExists: %w", err) } defer l.Unlock(context.Background()) diff --git a/vendor/github.com/cilium/cilium/pkg/kvstore/etcd.go b/vendor/github.com/cilium/cilium/pkg/kvstore/etcd.go index a3dbb92019a..ece4e47b336 100644 --- a/vendor/github.com/cilium/cilium/pkg/kvstore/etcd.go +++ b/vendor/github.com/cilium/cilium/pkg/kvstore/etcd.go 
@@ -321,12 +321,10 @@ func etcdClientDebugLevel() zapcore.Level { // Hint tries to improve the error message displayed to te user. func Hint(err error) error { - switch err { - case context.DeadlineExceeded: + if errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("etcd client timeout exceeded") - default: - return err } + return err } type etcdClient struct { @@ -1039,7 +1037,7 @@ func (e *etcdClient) statusChecker() { switch { case consecutiveQuorumErrors > option.Config.KVstoreMaxConsecutiveQuorumErrors: - e.latestErrorStatus = fmt.Errorf("quorum check failed %d times in a row: %s", + e.latestErrorStatus = fmt.Errorf("quorum check failed %d times in a row: %w", consecutiveQuorumErrors, quorumError) e.latestStatusSnapshot = e.latestErrorStatus.Error() case len(endpoints) > 0 && ok == 0: diff --git a/vendor/github.com/cilium/cilium/pkg/kvstore/lock.go b/vendor/github.com/cilium/cilium/pkg/kvstore/lock.go index 5e72ba597e4..c70ee81046b 100644 --- a/vendor/github.com/cilium/cilium/pkg/kvstore/lock.go +++ b/vendor/github.com/cilium/cilium/pkg/kvstore/lock.go @@ -97,7 +97,7 @@ func (pl *pathLocks) lock(ctx context.Context, path string) (id uuid.UUID, err e select { case <-lockTimer.After(time.Duration(10) * time.Millisecond): case <-ctx.Done(): - err = fmt.Errorf("lock was cancelled: %s", ctx.Err()) + err = fmt.Errorf("lock was cancelled: %w", ctx.Err()) return } } @@ -133,7 +133,7 @@ func LockPath(ctx context.Context, backend BackendOperations, path string) (l *L if err != nil { kvstoreLocks.unlock(path, id) Trace("Failed to lock", err, logrus.Fields{fieldKey: path}) - err = fmt.Errorf("error while locking path %s: %s", path, err) + err = fmt.Errorf("error while locking path %s: %w", path, err) return nil, err } diff --git a/vendor/github.com/cilium/cilium/pkg/labels/labels.go b/vendor/github.com/cilium/cilium/pkg/labels/labels.go index 64d3747aeb0..74a7afd32c8 100644 --- a/vendor/github.com/cilium/cilium/pkg/labels/labels.go 
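Review bot: Hint now matches wrapped errors through `errors.Is(err, context.DeadlineExceeded)` but still replaces them with a fresh `fmt.Errorf("etcd client timeout exceeded")`, so the cause and any context wrapped around it are dropped and callers cannot test the result with `errors.Is`. Keep the chain with `return fmt.Errorf("etcd client timeout exceeded: %w", err)`. The doc comment above the function also has a typo, `te user` for `the user`.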
+++ b/vendor/github.com/cilium/cilium/pkg/labels/labels.go @@ -293,7 +293,7 @@ func (l *Label) UnmarshalJSON(data []byte) error { var aux string if err := json.Unmarshal(data, &aux); err != nil { - return fmt.Errorf("decode of Label as string failed: %+v", err) + return fmt.Errorf("decode of Label as string failed: %w", err) } if aux == "" { diff --git a/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go b/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go index f4810989be3..570d2260d7b 100644 --- a/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go +++ b/vendor/github.com/cilium/cilium/pkg/logging/logfields/logfields.go @@ -736,4 +736,7 @@ const ( // State is the state of an individual component (apiserver, kvstore etc) State = "state" + + // EtcdClusterID is the ID of the etcd cluster + EtcdClusterID = "etcdClusterID" ) diff --git a/vendor/github.com/cilium/cilium/pkg/mac/mac.go b/vendor/github.com/cilium/cilium/pkg/mac/mac.go index f846edb4fec..1938964d720 100644 --- a/vendor/github.com/cilium/cilium/pkg/mac/mac.go +++ b/vendor/github.com/cilium/cilium/pkg/mac/mac.go @@ -107,7 +107,7 @@ func (m *MAC) UnmarshalJSON(data []byte) error { func GenerateRandMAC() (MAC, error) { buf := make([]byte, 6) if _, err := rand.Read(buf); err != nil { - return nil, fmt.Errorf("Unable to retrieve 6 rnd bytes: %s", err) + return nil, fmt.Errorf("Unable to retrieve 6 rnd bytes: %w", err) } // Set locally administered addresses bit and reset multicast bit diff --git a/vendor/github.com/cilium/cilium/pkg/maps/lxcmap/lxcmap.go b/vendor/github.com/cilium/cilium/pkg/maps/lxcmap/lxcmap.go index cd20a752555..51261df078a 100644 --- a/vendor/github.com/cilium/cilium/pkg/maps/lxcmap/lxcmap.go +++ b/vendor/github.com/cilium/cilium/pkg/maps/lxcmap/lxcmap.go 
@@ -85,12 +85,12 @@ func GetBPFKeys(e EndpointFrontend) []*EndpointKey { func GetBPFValue(e EndpointFrontend) (*EndpointInfo, error) { mac, err := e.LXCMac().Uint64() if err != nil { - return nil, fmt.Errorf("invalid LXC MAC: %v", err) + return nil, fmt.Errorf("invalid LXC MAC: %w", err) } nodeMAC, err := e.GetNodeMAC().Uint64() if err != nil { - return nil, fmt.Errorf("invalid node MAC: %v", err) + return nil, fmt.Errorf("invalid node MAC: %w", err) } info := &EndpointInfo{ @@ -213,7 +213,7 @@ func DeleteElement(f EndpointFrontend) []error { var errors []error for _, k := range GetBPFKeys(f) { if err := LXCMap().Delete(k); err != nil { - errors = append(errors, fmt.Errorf("Unable to delete key %v from %s: %s", k, bpf.MapPath(MapName), err)) + errors = append(errors, fmt.Errorf("Unable to delete key %v from %s: %w", k, bpf.MapPath(MapName), err)) } } @@ -232,7 +232,7 @@ func DumpToMap() (map[string]EndpointInfo, error) { } if err := LXCMap().DumpWithCallback(callback); err != nil { - return nil, fmt.Errorf("unable to read BPF endpoint list: %s", err) + return nil, fmt.Errorf("unable to read BPF endpoint list: %w", err) } return m, nil diff --git a/vendor/github.com/cilium/cilium/pkg/mountinfo/mountinfo.go b/vendor/github.com/cilium/cilium/pkg/mountinfo/mountinfo.go index 62711a97ce3..54f509054c2 100644 --- a/vendor/github.com/cilium/cilium/pkg/mountinfo/mountinfo.go +++ b/vendor/github.com/cilium/cilium/pkg/mountinfo/mountinfo.go @@ -107,7 +107,7 @@ func parseMountInfoFile(r io.Reader) ([]*MountInfo, error) { func GetMountInfo() ([]*MountInfo, error) { fMounts, err := os.Open(mountInfoFilepath) if err != nil { - return nil, fmt.Errorf("failed to open mount information at %s: %s", mountInfoFilepath, err) + return nil, fmt.Errorf("failed to open mount information at %s: %w", mountInfoFilepath, err) } defer fMounts.Close() 
diff --git a/vendor/github.com/cilium/cilium/pkg/option/config.go b/vendor/github.com/cilium/cilium/pkg/option/config.go index 758ce9d96a5..27c697d9e31 100644 --- a/vendor/github.com/cilium/cilium/pkg/option/config.go +++ b/vendor/github.com/cilium/cilium/pkg/option/config.go @@ -14,6 +14,7 @@ import ( "net/netip" "os" "path/filepath" + "regexp" "runtime" "sort" "strconv" @@ -388,6 +389,10 @@ const ( // to skip netfilter connection tracking on all pod traffic. InstallNoConntrackIptRules = "install-no-conntrack-iptables-rules" + // ContainerIPLocalReservedPorts instructs the Cilium CNI plugin to reserve + // the provided comma-separated list of ports in the container network namespace + ContainerIPLocalReservedPorts = "container-ip-local-reserved-ports" + // IPv6NodeAddr is the IPv6 address of node IPv6NodeAddr = "ipv6-node" @@ -1247,6 +1252,12 @@ const ( // is considered timed out ProxyConnectTimeout = "proxy-connect-timeout" + // ProxyXffNumTrustedHopsIngress specifies the number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. + ProxyXffNumTrustedHopsIngress = "proxy-xff-num-trusted-hops-ingress" + + // ProxyXffNumTrustedHopsEgress specifies the number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. + ProxyXffNumTrustedHopsEgress = "proxy-xff-num-trusted-hops-egress" + // ProxyGID specifies the group ID that has access to unix domain sockets opened by Cilium // agent for proxy configuration and access logging. ProxyGID = "proxy-gid" 
@@ -1613,6 +1624,12 @@ type DaemonConfig struct { // connection attempt to have timed out. ProxyConnectTimeout int + // ProxyXffNumTrustedHopsIngress defines the number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. + ProxyXffNumTrustedHopsIngress uint32 + + // ProxyXffNumTrustedHopsEgress defines the number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. + ProxyXffNumTrustedHopsEgress uint32 + // ProxyGID specifies the group ID that has access to unix domain sockets opened by Cilium // agent for proxy configuration and access logging. ProxyGID int @@ -2319,6 +2336,10 @@ type DaemonConfig struct { // InstallNoConntrackIptRules instructs Cilium to install Iptables rules to skip netfilter connection tracking on all pod traffic. InstallNoConntrackIptRules bool + // ContainerIPLocalReservedPorts instructs the Cilium CNI plugin to reserve + // the provided comma-separated list of ports in the container network namespace + ContainerIPLocalReservedPorts string + // EnableCustomCalls enables tail call hooks for user-defined custom // eBPF programs, typically used to collect custom per-endpoint // metrics. 
@@ -2795,15 +2816,27 @@ func (c *DaemonConfig) validateHubbleRedact() error { return nil } +func (c *DaemonConfig) validateContainerIPLocalReservedPorts() error { + if c.ContainerIPLocalReservedPorts == "" || c.ContainerIPLocalReservedPorts == defaults.ContainerIPLocalReservedPortsAuto { + return nil + } + + if regexp.MustCompile(`^(\d+(-\d+)?)(,\d+(-\d+)?)*$`).MatchString(c.ContainerIPLocalReservedPorts) { + return nil + } + + return fmt.Errorf("Invalid comma separated list of of ranges for %s option", ContainerIPLocalReservedPorts) +} + // Validate validates the daemon configuration func (c *DaemonConfig) Validate(vp *viper.Viper) error { if err := c.validateIPv6ClusterAllocCIDR(); err != nil { - return fmt.Errorf("unable to parse CIDR value '%s' of option --%s: %s", + return fmt.Errorf("unable to parse CIDR value '%s' of option --%s: %w", c.IPv6ClusterAllocCIDR, IPv6ClusterAllocCIDRName, err) } if err := c.validateIPv6NAT46x64CIDR(); err != nil { - return fmt.Errorf("unable to parse internal CIDR value '%s': %s", + return fmt.Errorf("unable to parse internal CIDR value '%s': %w", c.IPv6NAT46x64CIDR, err) } @@ -2892,6 +2925,10 @@ func (c *DaemonConfig) Validate(vp *viper.Viper) error { return err } + if err := c.validateContainerIPLocalReservedPorts(); err != nil { + return err + } + return nil } @@ -2901,7 +2938,7 @@ func ReadDirConfig(dirName string) (map[string]interface{}, error) { m := map[string]interface{}{} files, err := os.ReadDir(dirName) if err != nil && !os.IsNotExist(err) { - return nil, fmt.Errorf("unable to read configuration directory: %s", err) + return nil, fmt.Errorf("unable to read configuration directory: %w", err) } for _, f := range files { if f.IsDir() { 
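Review bot: validateContainerIPLocalReservedPorts only checks the shape of the value, so entries such as `70000` or a reversed range like `9000-80` pass validation and are rejected, if at all, only where the list is later applied. The pattern is also recompiled on every call, and the error text is capitalised and reads "of of". Parsing each entry as a 16-bit unsigned integer and comparing the range ends bounds the values at validation time. It also removes the need for the regexp, so the `regexp` import added in this commit can go. The hunk continues into Validate, which this suggestion leaves unchanged.

```go
func (c *DaemonConfig) validateContainerIPLocalReservedPorts() error {
	// … unchanged: empty and "auto" values return nil …

	for _, entry := range strings.Split(c.ContainerIPLocalReservedPorts, ",") {
		first, last, isRange := strings.Cut(entry, "-")
		lo, err := strconv.ParseUint(first, 10, 16)
		if err != nil {
			return fmt.Errorf("invalid port %q in %s option: %w", first, ContainerIPLocalReservedPorts, err)
		}
		if !isRange {
			continue
		}
		hi, err := strconv.ParseUint(last, 10, 16)
		if err != nil {
			return fmt.Errorf("invalid port %q in %s option: %w", last, ContainerIPLocalReservedPorts, err)
		}
		if hi < lo {
			return fmt.Errorf("invalid port range %q in %s option: start exceeds end", entry, ContainerIPLocalReservedPorts)
		}
	}
	return nil
}
```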
@@ -2942,7 +2979,7 @@ func ReadDirConfig(dirName string) (map[string]interface{}, error) { func MergeConfig(vp *viper.Viper, m map[string]interface{}) error { err := vp.MergeConfigMap(m) if err != nil { - return fmt.Errorf("unable to read merge directory configuration: %s", err) + return fmt.Errorf("unable to read merge directory configuration: %w", err) } return nil } @@ -2974,7 +3011,7 @@ func (c *DaemonConfig) parseExcludedLocalAddresses(s []string) error { for _, ipString := range s { _, ipnet, err := net.ParseCIDR(ipString) if err != nil { - return fmt.Errorf("unable to parse excluded local address %s: %s", ipString, err) + return fmt.Errorf("unable to parse excluded local address %s: %w", ipString, err) } c.ExcludeLocalAddresses = append(c.ExcludeLocalAddresses, ipnet) @@ -3122,6 +3159,8 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) { c.PreAllocateMaps = vp.GetBool(PreAllocateMapsName) c.ProcFs = vp.GetString(ProcFs) c.ProxyConnectTimeout = vp.GetInt(ProxyConnectTimeout) + c.ProxyXffNumTrustedHopsIngress = vp.GetUint32(ProxyXffNumTrustedHopsIngress) + c.ProxyXffNumTrustedHopsEgress = vp.GetUint32(ProxyXffNumTrustedHopsEgress) c.ProxyGID = vp.GetInt(ProxyGID) c.ProxyPrometheusPort = vp.GetInt(ProxyPrometheusPort) c.ProxyMaxRequestsPerConnection = vp.GetInt(ProxyMaxRequestsPerConnection) @@ -3152,6 +3191,7 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) { c.LoadBalancerRSSv4CIDR = vp.GetString(LoadBalancerRSSv4CIDR) c.LoadBalancerRSSv6CIDR = vp.GetString(LoadBalancerRSSv6CIDR) c.InstallNoConntrackIptRules = vp.GetBool(InstallNoConntrackIptRules) + c.ContainerIPLocalReservedPorts = vp.GetString(ContainerIPLocalReservedPorts) c.EnableCustomCalls = vp.GetBool(EnableCustomCallsName) c.BGPAnnounceLBIP = vp.GetBool(BGPAnnounceLBIP) c.BGPAnnouncePodCIDR = vp.GetBool(BGPAnnouncePodCIDR) 
@@ -3468,7 +3508,7 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
 dec := json.NewDecoder(strings.NewReader(enc))
 var result flowpb.FlowFilter
 if err := dec.Decode(&result); err != nil {
- if err == io.EOF {
+ if errors.Is(err, io.EOF) {
 break
 }
 log.Fatalf("failed to decode hubble-export-allowlist '%v': %s", enc, err)
@@ -3480,7 +3520,7 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) {
 dec := json.NewDecoder(strings.NewReader(enc))
 var result flowpb.FlowFilter
 if err := dec.Decode(&result); err != nil {
- if err == io.EOF {
+ if errors.Is(err, io.EOF) {
 break
 }
 log.Fatalf("failed to decode hubble-export-denylist '%v': %s", enc, err)
@@ -3614,11 +3654,11 @@ func (c *DaemonConfig) populateNodePortRange(vp *viper.Viper) error {
 c.NodePortMin, err = strconv.Atoi(nodePortRange[0])
 if err != nil {
- return fmt.Errorf("Unable to parse min port value for NodePort range: %s", err.Error())
+ return fmt.Errorf("Unable to parse min port value for NodePort range: %w", err)
 }
 c.NodePortMax, err = strconv.Atoi(nodePortRange[1])
 if err != nil {
- return fmt.Errorf("Unable to parse max port value for NodePort range: %s", err.Error())
+ return fmt.Errorf("Unable to parse max port value for NodePort range: %w", err)
 }
 if c.NodePortMax <= c.NodePortMin {
 return errors.New("NodePort range min port must be smaller than max port")
@@ -4315,7 +4355,7 @@ func parseBPFMapEventConfigs(confs BPFEventBufferConfigs, confMap map[string]str
 for name, confStr := range confMap {
 conf, err := ParseEventBufferTupleString(confStr)
 if err != nil {
- return fmt.Errorf("unable to parse %s: %s", BPFMapEventBuffers, err)
+ return fmt.Errorf("unable to parse %s: %w", BPFMapEventBuffers, err)
 }
 confs[name] = conf
 }
diff --git a/vendor/github.com/cilium/cilium/pkg/policy/api/groups.go b/vendor/github.com/cilium/cilium/pkg/policy/api/groups.go
index 9edcab8bab7..fb3174ead0d 100644
--- a/vendor/github.com/cilium/cilium/pkg/policy/api/groups.go
+++ b/vendor/github.com/cilium/cilium/pkg/policy/api/groups.go
@@ -57,7 +57,7 @@ func (group *ToGroups) GetCidrSet(ctx context.Context) ([]CIDRRule, error) {
 awsAddrs, err := callback(ctx, group)
 if err != nil {
 return nil, fmt.Errorf(
- "Cannot retrieve data from %s provider: %s",
+ "Cannot retrieve data from %s provider: %w",
 AWSProvider, err)
 }
 addrs = append(addrs, awsAddrs...)
diff --git a/vendor/github.com/cilium/cilium/pkg/policy/api/rule_validation.go b/vendor/github.com/cilium/cilium/pkg/policy/api/rule_validation.go
index 27e18d19694..b2db0b45d03 100644
--- a/vendor/github.com/cilium/cilium/pkg/policy/api/rule_validation.go
+++ b/vendor/github.com/cilium/cilium/pkg/policy/api/rule_validation.go
@@ -412,7 +412,7 @@ func (pp *PortProtocol) sanitize() (isZero bool, err error) {
 } else {
 p, err := strconv.ParseUint(pp.Port, 0, 16)
 if err != nil {
- return isZero, fmt.Errorf("Unable to parse port: %s", err)
+ return isZero, fmt.Errorf("Unable to parse port: %w", err)
 }
 isZero = p == 0
 }
@@ -446,7 +446,7 @@ func (c CIDR) sanitize() error {
 if err != nil {
 _, err := netip.ParseAddr(strCIDR)
 if err != nil {
- return fmt.Errorf("unable to parse CIDR: %s", err)
+ return fmt.Errorf("unable to parse CIDR: %w", err)
 }
 return nil
 }
@@ -466,7 +466,7 @@ func (c *CIDRRule) sanitize() error {
 // the logic in api.CIDR.Sanitize().
 prefix, err := netip.ParsePrefix(string(c.Cidr))
 if err != nil {
- return fmt.Errorf("Unable to parse CIDRRule %q: %s", c.Cidr, err)
+ return fmt.Errorf("Unable to parse CIDRRule %q: %w", c.Cidr, err)
 }
 prefixLength := prefix.Bits()
diff --git a/vendor/github.com/cilium/cilium/pkg/policy/api/selector.go b/vendor/github.com/cilium/cilium/pkg/policy/api/selector.go
index 5a5cf29be1d..c23aa0d9c2b 100644
--- a/vendor/github.com/cilium/cilium/pkg/policy/api/selector.go
+++ b/vendor/github.com/cilium/cilium/pkg/policy/api/selector.go
@@ -345,7 +345,7 @@ func (n *EndpointSelector) ConvertToLabelSelectorRequirementSlice() []slim_metav
 func (n *EndpointSelector) sanitize() error {
 errList := validation.ValidateLabelSelector(n.LabelSelector, validation.LabelSelectorValidationOptions{AllowInvalidLabelValueInSelector: false}, nil)
 if len(errList) > 0 {
- return fmt.Errorf("invalid label selector: %s", errList.ToAggregate().Error())
+ return fmt.Errorf("invalid label selector: %w", errList.ToAggregate())
 }
 return nil
 }
diff --git a/vendor/github.com/cilium/cilium/pkg/policy/rule.go b/vendor/github.com/cilium/cilium/pkg/policy/rule.go
index d5f3101f167..b1e19e640b8 100644
--- a/vendor/github.com/cilium/cilium/pkg/policy/rule.go
+++ b/vendor/github.com/cilium/cilium/pkg/policy/rule.go
@@ -571,22 +571,26 @@ func (r *rule) resolveIngressPolicy(
 func (r *rule) matches(securityIdentity *identity.Identity) bool {
 r.metadata.Mutex.Lock()
 defer r.metadata.Mutex.Unlock()
- var ruleMatches bool
+ isNode := securityIdentity.ID == identity.ReservedIdentityHost
 if ruleMatches, cached := r.metadata.IdentitySelected[securityIdentity.ID]; cached {
 return ruleMatches
 }
- isNode := securityIdentity.ID == identity.ReservedIdentityHost
+
+ // Short-circuit if the rule's selector type (node vs. endpoint) does not match the
+ // identity's type
 if (r.NodeSelector.LabelSelector != nil) != isNode {
 r.metadata.IdentitySelected[securityIdentity.ID] = false
- return ruleMatches
+ return false
 }
+
 // Fall back to costly matching.
- if ruleMatches = r.getSelector().Matches(securityIdentity.LabelArray); ruleMatches {
- // Update cache so we don't have to do costly matching again.
- r.metadata.IdentitySelected[securityIdentity.ID] = true
- } else {
- r.metadata.IdentitySelected[securityIdentity.ID] = false
+ ruleMatches := r.getSelector().Matches(securityIdentity.LabelArray)
+
+ // Update cache so we don't have to do costly matching again.
+ // the local Host identity has mutable labels, so we cannot use the cache
+ if !isNode {
+ r.metadata.IdentitySelected[securityIdentity.ID] = ruleMatches
 }
 return ruleMatches
diff --git a/vendor/github.com/cilium/cilium/pkg/policy/rules.go b/vendor/github.com/cilium/cilium/pkg/policy/rules.go
index f5b0a225982..9caa9e88db0 100644
--- a/vendor/github.com/cilium/cilium/pkg/policy/rules.go
+++ b/vendor/github.com/cilium/cilium/pkg/policy/rules.go
@@ -128,7 +128,7 @@ func (rules ruleSlice) updateEndpointsCaches(ep Endpoint) (bool, error) {
 id := ep.GetID16()
 securityIdentity, err := ep.GetSecurityIdentity()
 if err != nil {
- return false, fmt.Errorf("cannot update caches in rules for endpoint %d because it is being deleted: %s", id, err)
+ return false, fmt.Errorf("cannot update caches in rules for endpoint %d because it is being deleted: %w", id, err)
 }
 if securityIdentity == nil {
diff --git a/vendor/github.com/cilium/cilium/pkg/policy/visibility.go b/vendor/github.com/cilium/cilium/pkg/policy/visibility.go
index fd821eca401..b02315f63d8 100644
--- a/vendor/github.com/cilium/cilium/pkg/policy/visibility.go
+++ b/vendor/github.com/cilium/cilium/pkg/policy/visibility.go
@@ -67,7 +67,7 @@ func NewVisibilityPolicy(anno string) (*VisibilityPolicy, error) {
 portInt, err := strconv.ParseUint(port, 10, 16)
 if err != nil {
- return nil, fmt.Errorf("unable to parse port: %s", err)
+ return nil, fmt.Errorf("unable to parse port: %w", err)
 }
 // Don't need to validate, regex already did that.
diff --git a/vendor/github.com/cilium/cilium/pkg/rate/api_limiter.go b/vendor/github.com/cilium/cilium/pkg/rate/api_limiter.go
index 8c34f563fc1..68728f23517 100644
--- a/vendor/github.com/cilium/cilium/pkg/rate/api_limiter.go
+++ b/vendor/github.com/cilium/cilium/pkg/rate/api_limiter.go
@@ -890,7 +890,7 @@ func (s *APILimiterSet) Wait(ctx context.Context, name string) (LimitedRequest,
 func parsePositiveInt(value string) (int, error) {
 switch i64, err := strconv.ParseInt(value, 10, 64); {
 case err != nil:
- return 0, fmt.Errorf("unable to parse positive integer %q: %v", value, err)
+ return 0, fmt.Errorf("unable to parse positive integer %q: %w", value, err)
 case i64 < 0:
 return 0, fmt.Errorf("unable to parse positive integer %q: negative value", value)
 case i64 > math.MaxInt:
diff --git a/vendor/github.com/cilium/cilium/pkg/sysctl/sysctl.go b/vendor/github.com/cilium/cilium/pkg/sysctl/sysctl.go
index ea5bee3b031..7ec9bfaca68 100644
--- a/vendor/github.com/cilium/cilium/pkg/sysctl/sysctl.go
+++ b/vendor/github.com/cilium/cilium/pkg/sysctl/sysctl.go
@@ -95,12 +95,12 @@ func writeSysctl(name string, value string) error {
 }
 f, err := os.OpenFile(path, os.O_RDWR, 0644)
 if err != nil {
- return fmt.Errorf("could not open the sysctl file %s: %s",
+ return fmt.Errorf("could not open the sysctl file %s: %w",
 path, err)
 }
 defer f.Close()
 if _, err := io.WriteString(f, value); err != nil {
- return fmt.Errorf("could not write to the systctl file %s: %s",
+ return fmt.Errorf("could not write to the systctl file %s: %w",
 path, err)
 }
 return nil
@@ -134,7 +134,7 @@ func Read(name string) (string, error) {
 }
 val, err := os.ReadFile(path)
 if err != nil {
- return "", fmt.Errorf("Failed to read %s: %s", path, err)
+ return "", fmt.Errorf("Failed to read %s: %w", path, err)
 }
 return strings.TrimRight(string(val), "\n"), nil
@@ -164,7 +164,7 @@ func ApplySettings(sysSettings []Setting) error {
 }).Info("Setting sysctl")
 if err := Write(s.Name, s.Val); err != nil {
 if !s.IgnoreErr || errors.Is(err, ErrInvalidSysctlParameter("")) {
- return fmt.Errorf("Failed to sysctl -w %s=%s: %s", s.Name, s.Val, err)
+ return fmt.Errorf("Failed to sysctl -w %s=%s: %w", s.Name, s.Val, err)
 }
 warn := "Failed to sysctl -w"
diff --git a/vendor/github.com/cilium/cilium/pkg/versioncheck/check.go b/vendor/github.com/cilium/cilium/pkg/versioncheck/check.go
index 6b5e34534f1..88474cfa7ec 100644
--- a/vendor/github.com/cilium/cilium/pkg/versioncheck/check.go
+++ b/vendor/github.com/cilium/cilium/pkg/versioncheck/check.go
@@ -20,7 +20,7 @@ import ( func MustCompile(constraint string) semver.Range { verCheck, err := Compile(constraint) if err != nil { - panic(fmt.Errorf("cannot compile go-version constraint '%s' %s", constraint, err)) + panic(fmt.Errorf("cannot compile go-version constraint '%s': %w", constraint, err)) } return verCheck } @@ -36,7 +36,7 @@ func Compile(constraint string) (semver.Range, error) { func MustVersion(version string) semver.Version { ver, err := Version(version) if err != nil { - panic(fmt.Errorf("cannot compile go-version version '%s' %s", version, err)) + panic(fmt.Errorf("cannot compile go-version version '%s': %w", version, err)) } return ver } diff --git a/vendor/github.com/cilium/cilium/pkg/wireguard/types/types.go b/vendor/github.com/cilium/cilium/pkg/wireguard/types/types.go index a6fb646156a..889e2a45481 100644 --- a/vendor/github.com/cilium/cilium/pkg/wireguard/types/types.go +++ b/vendor/github.com/cilium/cilium/pkg/wireguard/types/types.go @@ -5,6 +5,8 @@ package types const ( + // ListenPort is the port on which the WireGuard tunnel device listens on + ListenPort = 51871 // IfaceName is the name of the WireGuard tunnel device IfaceName = "cilium_wg0" // PrivKeyFilename is the name of the WireGuard private key file diff --git a/vendor/github.com/cilium/dns/shared_client.go b/vendor/github.com/cilium/dns/shared_client.go index 2857044db4d..0b8bbeec769 100644 --- a/vendor/github.com/cilium/dns/shared_client.go +++ b/vendor/github.com/cilium/dns/shared_client.go 
@@ -227,6 +227,17 @@ func handler(wg *sync.WaitGroup, client *Client, conn *Conn, requests chan reque
 return
 }
 start := time.Now()
+
+ // Check if we already have a request with the same id
+ // Due to birthday paradox and the fact that ID is uint16
+ // it's likely to happen with small number (~200) of concurrent requests
+ // which would result in goroutine leak as we would never close req.ch
+ if _, ok := waitingResponses[req.msg.Id]; ok {
+ req.ch <- sharedClientResponse{nil, 0, fmt.Errorf("duplicate request id %d", req.msg.Id)}
+ close(req.ch)
+ continue
+ }
+
 err := client.SendContext(req.ctx, req.msg, conn, start)
 if err != nil {
 req.ch <- sharedClientResponse{nil, 0, err}
@@ -280,7 +291,7 @@ func (c *SharedClient) ExchangeSharedContext(ctx context.Context, m *Msg) (r *Ms
 // This request keeps 'c.requests' open; sending a request may hang indefinitely if
 // the handler happens to quit at the same time. Use ctx.Done to avoid this.
- timeout := c.Client.writeTimeout()
+ timeout := c.getTimeoutForRequest(c.Client.writeTimeout())
 ctx, cancel := context.WithTimeout(ctx, timeout)
 defer cancel()
 respCh := make(chan sharedClientResponse)
@@ -291,8 +302,13 @@ func (c *SharedClient) ExchangeSharedContext(ctx context.Context, m *Msg) (r *Ms
 }
 // Since c.requests is unbuffered, the handler is guaranteed to eventually close 'respCh'
- resp := <-respCh
- return resp.msg, resp.rtt, resp.err
+ select {
+ case resp := <-respCh:
+ return resp.msg, resp.rtt, resp.err
+ // This is just fail-safe mechanism in case there is another similar issue
+ case <-time.After(time.Minute):
+ return nil, 0, fmt.Errorf("timeout waiting for response")
+ }
 }
 // close closes and waits for the close to finish.
diff --git a/vendor/github.com/cilium/little-vm-helper/pkg/images/build.go b/vendor/github.com/cilium/little-vm-helper/pkg/images/build.go
index 3d255f4d199..1a67f2f8ab9 100644
--- a/vendor/github.com/cilium/little-vm-helper/pkg/images/build.go
+++ b/vendor/github.com/cilium/little-vm-helper/pkg/images/build.go
@@ -77,13 +77,17 @@ func (f *ImageForest) BuildImage(bldConf *BuildConf, image string) (*BuilderResu
 // BuildAllImages will build all images in the forest. It will start from the
 // roots, and work its way down.
 func (f *ImageForest) BuildAllImages(bldConf *BuildConf) *BuilderResult {
+ return f.BuildImages(bldConf, f.RootImages())
+}
+
+// BuildImages will build the images specified in the queue from the forest. It
+// will start from the roots, and work its way down.
+func (f *ImageForest) BuildImages(bldConf *BuildConf, queue []string) *BuilderResult {
 log := bldConf.Log
 st := newBuildState(f, bldConf)
-
- queue := f.RootImages()
 log.WithFields(logrus.Fields{
 "queue": strings.Join(queue, ","),
- }).Info("starting to build all images")
+ }).Info("starting to build images")
 for {
 var image string
 if len(queue) == 0 {
diff --git a/vendor/github.com/cilium/little-vm-helper/pkg/runner/conf.go b/vendor/github.com/cilium/little-vm-helper/pkg/runner/conf.go
new file mode 100644
index 00000000000..f444bab4859
--- /dev/null
+++ b/vendor/github.com/cilium/little-vm-helper/pkg/runner/conf.go
@@ -0,0 +1,52 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package runner
+
+import (
+ "github.com/sirupsen/logrus"
+)
+
+type RunConf struct {
+ // Image filename
+ Image string
+ // kernel filename to boot with. (if empty no -kernel option will be passed to qemu)
+ KernelFname string
+ // kernel append args to add when a kernel is passed to qemu
+ KernelAppendArgs []string
+ // Do not run the qemu command, just print it
+ QemuPrint bool
+ // Do not use KVM acceleration, even if /dev/kvm exists
+ DisableKVM bool
+ // Daemonize QEMU after initializing
+ Daemonize bool
+ // Log file for virtual console output
+ ConsoleLogFile string
+
+ // Print qemu command before running it
+ Verbose bool
+
+ // Disable the network connection to the VM
+ DisableNetwork bool
+ ForwardedPorts PortForwards
+
+ Logger *logrus.Logger
+
+ HostMount string
+
+ SerialPort int
+
+ CPU int
+ Mem string
+ // Kind of CPU to use (e.g. host or kvm64)
+ CPUKind string
+
+ // RootDev is the type of device used for the root fs. Can be "hda" or "vda"
+ RootDev string
+
+ QemuMonitorPort int
+}
+
+func (rc *RunConf) testImageFname() string {
+ return rc.Image
+}
diff --git a/vendor/github.com/cilium/little-vm-helper/pkg/runner/qemu.go b/vendor/github.com/cilium/little-vm-helper/pkg/runner/qemu.go
new file mode 100644
index 00000000000..90c4b0af775
--- /dev/null
+++ b/vendor/github.com/cilium/little-vm-helper/pkg/runner/qemu.go
@@ -0,0 +1,151 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package runner
+
+import (
+ "fmt"
+ "os"
+ "os/exec"
+ "strings"
+
+ "github.com/cilium/little-vm-helper/pkg/arch"
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
+)
+
+func BuildQemuArgs(log *logrus.Logger, rcnf *RunConf) ([]string, error) {
+ qemuArgs := []string{
+ // no need for all the default devices
+ "-nodefaults",
+ // no need display (-nographics seems a bit slower)
+ "-display", "none",
+ // don't reboot, just exit
+ "-no-reboot",
+ // cpus, memory
+ "-smp", fmt.Sprintf("%d", rcnf.CPU), "-m", rcnf.Mem,
+ }
+
+ qemuArgs = arch.AppendArchSpecificQemuArgs(qemuArgs)
+
+ // quick-and-dirty kvm detection
+ kvmEnabled := false
+ if !rcnf.DisableKVM {
+ if f, err := os.OpenFile("/dev/kvm", os.O_RDWR, 0755); err == nil {
+ qemuArgs = append(qemuArgs, "-enable-kvm")
+ f.Close()
+ kvmEnabled = true
+ } else {
+ log.Info("KVM disabled")
+ }
+ }
+
+ qemuArgs = arch.AppendCPUKind(qemuArgs, kvmEnabled, rcnf.CPUKind)
+
+ if rcnf.SerialPort != 0 {
+ qemuArgs = append(qemuArgs,
+ "-serial",
+ fmt.Sprintf("telnet:localhost:%d,server,nowait", rcnf.SerialPort))
+ }
+
+ if rcnf.ConsoleLogFile != "" {
+ qemuArgs = append(qemuArgs,
+ "-serial",
+ fmt.Sprintf("file:%s", rcnf.ConsoleLogFile))
+ }
+
+ var kernelRoot string
+ switch rcnf.RootDev {
+ case "hda":
+ qemuArgs = append(qemuArgs, "-hda", rcnf.testImageFname())
+ kernelRoot = "/dev/sda"
+ case "vda":
+ qemuArgs = append(qemuArgs, "-drive", fmt.Sprintf("file=%s,if=virtio,index=0,media=disk", rcnf.testImageFname()))
+ kernelRoot = "/dev/vda"
+ default:
+ return nil, fmt.Errorf("invalid root device: %s", rcnf.RootDev)
+ }
+
+ if rcnf.KernelFname != "" {
+ console, err := arch.Console()
+ if err != nil {
+ return nil, fmt.Errorf("failed retrieving console name: %w", err)
+ }
+
+ appendArgs := []string{
+ fmt.Sprintf("root=%s", kernelRoot),
+ fmt.Sprintf("console=%s", console),
+ "earlyprintk=ttyS0",
+ "panic=-1",
+ }
+ appendArgs = append(appendArgs, rcnf.KernelAppendArgs...)
+ qemuArgs = append(qemuArgs,
+ "-kernel", rcnf.KernelFname,
+ "-append", strings.Join(appendArgs, " "),
+ )
+ }
+
+ if !rcnf.DisableNetwork {
+ qemuArgs = append(qemuArgs, rcnf.ForwardedPorts.QemuArgs()...)
+ }
+
+ if !rcnf.Daemonize {
+ qemuArgs = append(qemuArgs,
+ "-serial", "mon:stdio",
+ "-device", "virtio-serial-pci",
+ )
+ } else {
+ qemuArgs = append(qemuArgs, "-daemonize")
+ }
+
+ if rcnf.QemuMonitorPort != 0 {
+ arg := fmt.Sprintf("tcp:localhost:%d,server,nowait", rcnf.QemuMonitorPort)
+ qemuArgs = append(qemuArgs, "-monitor", arg)
+ }
+
+ if len(rcnf.HostMount) > 0 {
+ qemuArgs = append(qemuArgs,
+ "-fsdev", fmt.Sprintf("local,id=host_id,path=%s,security_model=none", rcnf.HostMount),
+ "-device", "virtio-9p-pci,fsdev=host_id,mount_tag=host_mount",
+ )
+ }
+
+ return qemuArgs, nil
+}
+
+func StartQemu(rcnf RunConf) error {
+ qemuBin, err := arch.QemuBinary()
+ if err != nil {
+ return fmt.Errorf("failed to retrieve Qemu binary: %w", err)
+ }
+
+ qemuArgs, err := BuildQemuArgs(rcnf.Logger, &rcnf)
+ if err != nil {
+ return err
+ }
+
+ if rcnf.QemuPrint || rcnf.Verbose {
+ var sb strings.Builder
+ sb.WriteString(qemuBin)
+ for _, arg := range qemuArgs {
+ sb.WriteString(" ")
+ if len(arg) > 0 && arg[0] == '-' {
+ sb.WriteString("\\\n\t")
+ }
+ sb.WriteString(arg)
+ }
+
+ fmt.Printf("%s\n", sb.String())
+ // We don't want to return early if running in verbose mode
+ if rcnf.QemuPrint {
+ return nil
+ }
+ }
+
+ qemuPath, err := exec.LookPath(qemuBin)
+ if err != nil {
+ return err
+ }
+
+ return unix.Exec(qemuPath, append([]string{qemuBin}, qemuArgs...), nil)
+}
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go
index 6f9e6fd3abf..e6289204604 100644
--- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go @@ -65,7 +65,4 @@ const ( // AnnotationArtifactDescription is the annotation key for the human readable description for the artifact. AnnotationArtifactDescription = "org.opencontainers.artifact.description" - - // AnnotationReferrersFiltersApplied is the annotation key for the comma separated list of filters applied by the registry in the referrers listing. - AnnotationReferrersFiltersApplied = "org.opencontainers.referrers.filtersApplied" ) diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go deleted file mode 100644 index 03d76ce437a..00000000000 --- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go +++ /dev/null 
@@ -1,34 +0,0 @@
-// Copyright 2022 The Linux Foundation
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package v1
-
-// Artifact describes an artifact manifest.
-// This structure provides `application/vnd.oci.artifact.manifest.v1+json` mediatype when marshalled to JSON.
-type Artifact struct {
- // MediaType is the media type of the object this schema refers to.
- MediaType string `json:"mediaType"`
-
- // ArtifactType is the IANA media type of the artifact this schema refers to.
- ArtifactType string `json:"artifactType"`
-
- // Blobs is a collection of blobs referenced by this manifest.
- Blobs []Descriptor `json:"blobs,omitempty"`
-
- // Subject (reference) is an optional link from the artifact to another manifest forming an association between the artifact and the other manifest.
- Subject *Descriptor `json:"subject,omitempty"`
-
- // Annotations contains arbitrary metadata for the artifact manifest.
- Annotations map[string]string `json:"annotations,omitempty"`
-}
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go
index e6aa113f074..36b0aeb8f1f 100644
--- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go
@@ -49,13 +49,15 @@ type ImageConfig struct {
 // StopSignal contains the system call signal that will be sent to the container to exit.
 StopSignal string `json:"StopSignal,omitempty"`
- // ArgsEscaped `[Deprecated]` - This field is present only for legacy
- // compatibility with Docker and should not be used by new image builders.
- // It is used by Docker for Windows images to indicate that the `Entrypoint`
- // or `Cmd` or both, contains only a single element array, that is a
- // pre-escaped, and combined into a single string `CommandLine`. If `true`
- // the value in `Entrypoint` or `Cmd` should be used as-is to avoid double
- // escaping.
+ // ArgsEscaped
+ //
+ // Deprecated: This field is present only for legacy compatibility with
+ // Docker and should not be used by new image builders. It is used by Docker
+ // for Windows images to indicate that the `Entrypoint` or `Cmd` or both,
+ // contains only a single element array, that is a pre-escaped, and combined
+ // into a single string `CommandLine`. If `true` the value in `Entrypoint` or
+ // `Cmd` should be used as-is to avoid double escaping.
+ // https://github.com/opencontainers/image-spec/pull/892
 ArgsEscaped bool `json:"ArgsEscaped,omitempty"`
 }
@@ -95,22 +97,8 @@ type Image struct {
 // Author defines the name and/or email address of the person or entity which created and is responsible for maintaining the image.
 Author string `json:"author,omitempty"`
- // Architecture is the CPU architecture which the binaries in this image are built to run on.
- Architecture string `json:"architecture"`
-
- // Variant is the variant of the specified CPU architecture which image binaries are intended to run on.
- Variant string `json:"variant,omitempty"`
-
- // OS is the name of the operating system which the image is built to run on.
- OS string `json:"os"`
-
- // OSVersion is an optional field specifying the operating system
- // version, for example on Windows `10.0.14393.1066`.
- OSVersion string `json:"os.version,omitempty"`
-
- // OSFeatures is an optional field specifying an array of strings,
- // each listing a required OS feature (for example on Windows `win32k`).
- OSFeatures []string `json:"os.features,omitempty"`
+ // Platform describes the platform which the image in the manifest runs on.
+ Platform
 // Config defines the execution parameters which should be used as a base when running a container using the image.
 Config ImageConfig `json:"config,omitempty"`
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go
index 730a09359b1..4ce7b54ccde 100644
--- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go
@@ -23,6 +23,9 @@ type Manifest struct {
 // MediaType specifies the type of this document data structure e.g. `application/vnd.oci.image.manifest.v1+json`
 MediaType string `json:"mediaType,omitempty"`
+ // ArtifactType specifies the IANA media type of artifact when the manifest is used for an artifact.
+ ArtifactType string `json:"artifactType,omitempty"`
+
 // Config references a configuration object for a container, by digest.
 // The referenced configuration object is a JSON blob that the runtime uses to set up the container.
 Config Descriptor `json:"config"`
@@ -36,3 +39,11 @@ type Manifest struct {
 // Annotations contains arbitrary metadata for the image manifest.
 Annotations map[string]string `json:"annotations,omitempty"`
 }
+
+// ScratchDescriptor is the descriptor of a blob with content of `{}`.
+var ScratchDescriptor = Descriptor{
+ MediaType: MediaTypeScratch,
+ Digest: `sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a`,
+ Size: 2,
+ Data: []byte(`{}`),
+}
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go
index 935b481e3ed..5dd31255eb0 100644
--- a/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go
@@ -40,21 +40,36 @@ const (
 // MediaTypeImageLayerNonDistributable is the media type for layers referenced by
 // the manifest but with distribution restrictions.
+ //
+ // Deprecated: Non-distributable layers are deprecated, and not recommended
+ // for future use. Implementations SHOULD NOT produce new non-distributable
+ // layers.
+ // https://github.com/opencontainers/image-spec/pull/965
 MediaTypeImageLayerNonDistributable = "application/vnd.oci.image.layer.nondistributable.v1.tar"
 // MediaTypeImageLayerNonDistributableGzip is the media type for
 // gzipped layers referenced by the manifest but with distribution
 // restrictions.
+ //
+ // Deprecated: Non-distributable layers are deprecated, and not recommended
+ // for future use. Implementations SHOULD NOT produce new non-distributable
+ // layers.
+ // https://github.com/opencontainers/image-spec/pull/965
 MediaTypeImageLayerNonDistributableGzip = "application/vnd.oci.image.layer.nondistributable.v1.tar+gzip"
 // MediaTypeImageLayerNonDistributableZstd is the media type for zstd
 // compressed layers referenced by the manifest but with distribution
 // restrictions.
+ //
+ // Deprecated: Non-distributable layers are deprecated, and not recommended
+ // for future use. Implementations SHOULD NOT produce new non-distributable
+ // layers.
+ // https://github.com/opencontainers/image-spec/pull/965
 MediaTypeImageLayerNonDistributableZstd = "application/vnd.oci.image.layer.nondistributable.v1.tar+zstd"
 // MediaTypeImageConfig specifies the media type for the image configuration.
 MediaTypeImageConfig = "application/vnd.oci.image.config.v1+json"
- // MediaTypeArtifactManifest specifies the media type for a content descriptor.
- MediaTypeArtifactManifest = "application/vnd.oci.artifact.manifest.v1+json"
+ // MediaTypeScratch specifies the media type for an unused blob containing the value `{}`
+ MediaTypeScratch = "application/vnd.oci.scratch.v1+json"
 )
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/version.go b/vendor/github.com/opencontainers/image-spec/specs-go/version.go
index 1afd590fe0b..3d4119b4416 100644
--- a/vendor/github.com/opencontainers/image-spec/specs-go/version.go
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/version.go
@@ -25,7 +25,7 @@ const (
 VersionPatch = 0
 // VersionDev indicates development branch. Releases will be empty string.
- VersionDev = "-dev"
+ VersionDev = "-rc.3"
 )
 // Version is the specification version that the package types support.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index a8674648b39..dbd37243b6f 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -33,7 +33,7 @@ github.com/bombsimon/logrusr/v4
 # github.com/cespare/xxhash/v2 v2.2.0
 ## explicit; go 1.11
 github.com/cespare/xxhash/v2
-# github.com/cilium/cilium v1.15.4
+# github.com/cilium/cilium v1.15.5
 ## explicit; go 1.21.0
 github.com/cilium/cilium/api/v1/client
 github.com/cilium/cilium/api/v1/client/bgp
@@ -207,7 +207,7 @@ github.com/cilium/cilium/pkg/u8proto
 github.com/cilium/cilium/pkg/version
 github.com/cilium/cilium/pkg/versioncheck
 github.com/cilium/cilium/pkg/wireguard/types
-# github.com/cilium/dns v1.1.51-0.20231120140355-729345173dc3
+# github.com/cilium/dns v1.1.51-0.20240416134107-d47d0dd702a1
 ## explicit; go 1.18
 github.com/cilium/dns
 # github.com/cilium/ebpf v0.15.0
@@ -227,8 +227,8 @@ github.com/cilium/ebpf/internal/unix
 github.com/cilium/ebpf/link
 github.com/cilium/ebpf/perf
 github.com/cilium/ebpf/rlimit
-# github.com/cilium/little-vm-helper v0.0.17
-## explicit; go 1.21.0
+# github.com/cilium/little-vm-helper v0.0.18
+## explicit; go 1.22.1
 github.com/cilium/little-vm-helper/pkg/arch
 github.com/cilium/little-vm-helper/pkg/images
 github.com/cilium/little-vm-helper/pkg/kernels
@@ -251,7 +251,7 @@ github.com/cilium/proxy/go/envoy/type/tracing/v3
 github.com/cilium/proxy/go/envoy/type/v3
 github.com/cilium/proxy/pkg/policy/api/kafka
 # github.com/cilium/tetragon/api v0.0.0-00010101000000-000000000000 => ./api
-## explicit; go 1.22.0
+## explicit; go 1.22.1
 github.com/cilium/tetragon/api/v1/tetragon
 github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker
 github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/yaml
@@ -657,8 +657,8 @@ github.com/oklog/ulid
 # github.com/opencontainers/go-digest v1.0.0
 ## explicit; go 1.13
 github.com/opencontainers/go-digest
-# github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
-## explicit; go 1.17
+# github.com/opencontainers/image-spec v1.1.0-rc3
+## explicit; go 1.18
 github.com/opencontainers/image-spec/specs-go
 github.com/opencontainers/image-spec/specs-go/v1
 # github.com/opencontainers/runtime-spec v1.2.0
@@ -691,7 +691,7 @@ github.com/pmezard/go-difflib/difflib
 # github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c
 ## explicit; go 1.14
 github.com/power-devops/perfstat
-# github.com/prometheus/client_golang v1.19.0
+# github.com/prometheus/client_golang v1.19.1
 ## explicit; go 1.20
 github.com/prometheus/client_golang/prometheus
 github.com/prometheus/client_golang/prometheus/collectors
@@ -1717,7 +1717,7 @@ k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# sigs.k8s.io/controller-runtime v0.16.5
+# sigs.k8s.io/controller-runtime v0.16.6
 ## explicit; go 1.20
 sigs.k8s.io/controller-runtime
 sigs.k8s.io/controller-runtime/pkg/builder
diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/fieldowner.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/fieldowner.go
new file mode 100644
index 00000000000..2f2f892ef3f
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/fieldowner.go
@@ -0,0 +1,106 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package client
+
+import (
+ "context"
+
+ "k8s.io/apimachinery/pkg/api/meta"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// WithFieldOwner wraps a Client and adds the fieldOwner as the field
+// manager to all write requests from this client. If additional [FieldOwner]
+// options are specified on methods of this client, the value specified here
+// will be overridden.
+func WithFieldOwner(c Client, fieldOwner string) Client {
+ return &clientWithFieldManager{
+ manager: fieldOwner,
+ c: c,
+ Reader: c,
+ }
+}
+
+type clientWithFieldManager struct {
+ manager string
+ c Client
+ Reader
+}
+
+func (f *clientWithFieldManager) Create(ctx context.Context, obj Object, opts ...CreateOption) error {
+ return f.c.Create(ctx, obj, append([]CreateOption{FieldOwner(f.manager)}, opts...)...)
+}
+
+func (f *clientWithFieldManager) Update(ctx context.Context, obj Object, opts ...UpdateOption) error {
+ return f.c.Update(ctx, obj, append([]UpdateOption{FieldOwner(f.manager)}, opts...)...)
+}
+
+func (f *clientWithFieldManager) Patch(ctx context.Context, obj Object, patch Patch, opts ...PatchOption) error {
+ return f.c.Patch(ctx, obj, patch, append([]PatchOption{FieldOwner(f.manager)}, opts...)...)
+}
+
+func (f *clientWithFieldManager) Delete(ctx context.Context, obj Object, opts ...DeleteOption) error {
+ return f.c.Delete(ctx, obj, opts...)
+}
+
+func (f *clientWithFieldManager) DeleteAllOf(ctx context.Context, obj Object, opts ...DeleteAllOfOption) error {
+ return f.c.DeleteAllOf(ctx, obj, opts...)
+}
+
+func (f *clientWithFieldManager) Scheme() *runtime.Scheme { return f.c.Scheme() }
+func (f *clientWithFieldManager) RESTMapper() meta.RESTMapper { return f.c.RESTMapper() }
+func (f *clientWithFieldManager) GroupVersionKindFor(obj runtime.Object) (schema.GroupVersionKind, error) {
+ return f.c.GroupVersionKindFor(obj)
+}
+func (f *clientWithFieldManager) IsObjectNamespaced(obj runtime.Object) (bool, error) {
+ return f.c.IsObjectNamespaced(obj)
+}
+
+func (f *clientWithFieldManager) Status() StatusWriter {
+ return &subresourceClientWithFieldOwner{
+ owner: f.manager,
+ subresourceWriter: f.c.Status(),
+ }
+}
+
+func (f *clientWithFieldManager) SubResource(subresource string) SubResourceClient {
+ c := f.c.SubResource(subresource)
+ return &subresourceClientWithFieldOwner{
+ owner: f.manager,
+ subresourceWriter: c,
+ SubResourceReader: c,
+ }
+}
+
+type subresourceClientWithFieldOwner struct {
+ owner string
+ subresourceWriter SubResourceWriter
+ SubResourceReader
+}
+
+func (f *subresourceClientWithFieldOwner) Create(ctx context.Context, obj Object, subresource Object, opts ...SubResourceCreateOption) error {
+ return f.subresourceWriter.Create(ctx, obj, subresource, append([]SubResourceCreateOption{FieldOwner(f.owner)}, opts...)...)
+}
+
+func (f *subresourceClientWithFieldOwner) Update(ctx context.Context, obj Object, opts ...SubResourceUpdateOption) error {
+ return f.subresourceWriter.Update(ctx, obj, append([]SubResourceUpdateOption{FieldOwner(f.owner)}, opts...)...)
+}
+
+func (f *subresourceClientWithFieldOwner) Patch(ctx context.Context, obj Object, patch Patch, opts ...SubResourcePatchOption) error {
+ return f.subresourceWriter.Patch(ctx, obj, patch, append([]SubResourcePatchOption{FieldOwner(f.owner)}, opts...)...)
+}
diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/manager/internal.go b/vendor/sigs.k8s.io/controller-runtime/pkg/manager/internal.go index a16f354a1b1..dc702861da8 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/manager/internal.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/manager/internal.go @@ -179,6 +179,24 @@ func (cm *controllerManager) add(r Runnable) error { return cm.runnables.Add(r) } +// AddMetricsServerExtraHandler adds extra handler served on path to the http server that serves metrics. +func (cm *controllerManager) AddMetricsServerExtraHandler(path string, handler http.Handler) error { + cm.Lock() + defer cm.Unlock() + if cm.started { + return fmt.Errorf("unable to add new metrics handler because metrics endpoint has already been created") + } + if cm.metricsServer == nil { + cm.GetLogger().Info("warn: metrics server is currently disabled, registering extra handler %q will be ignored", path) + return nil + } + if err := cm.metricsServer.AddExtraHandler(path, handler); err != nil { + return err + } + cm.logger.V(2).Info("Registering metrics http server extra handler", "path", path) + return nil +} + // AddHealthzCheck allows you to add Healthz checker. func (cm *controllerManager) AddHealthzCheck(name string, check healthz.Checker) error { cm.Lock() diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/manager/manager.go b/vendor/sigs.k8s.io/controller-runtime/pkg/manager/manager.go index 708a9cc16f7..647ea4370e3 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/manager/manager.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/manager/manager.go 
@@ -67,6 +67,15 @@ type Manager interface { // election was configured. Elected() <-chan struct{} + // AddMetricsServerExtraHandler adds an extra handler served on path to the http server that serves metrics. + // Might be useful to register some diagnostic endpoints e.g. pprof. + // + // Note that these endpoints are meant to be sensitive and shouldn't be exposed publicly. + // + // If the simple path -> handler mapping offered here is not enough, + // a new http server/listener should be added as Runnable to the manager via Add method. + AddMetricsServerExtraHandler(path string, handler http.Handler) error + // AddHealthzCheck allows you to add Healthz checker AddHealthzCheck(name string, check healthz.Checker) error diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/metrics/server/server.go b/vendor/sigs.k8s.io/controller-runtime/pkg/metrics/server/server.go index e10c5c2103f..40eb9db8cc5 100644 --- a/vendor/sigs.k8s.io/controller-runtime/pkg/metrics/server/server.go +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/metrics/server/server.go @@ -46,6 +46,9 @@ var DefaultBindAddress = ":8080" // Server is a server that serves metrics. type Server interface { + // AddExtraHandler adds extra handler served on path to the http server that serves metrics. + AddExtraHandler(path string, handler http.Handler) error + // NeedLeaderElection implements the LeaderElectionRunnable interface, which indicates // the metrics server doesn't need leader election. NeedLeaderElection() bool 
@@ -179,6 +182,23 @@ func (*defaultServer) NeedLeaderElection() bool { return false } +// AddExtraHandler adds extra handler served on path to the http server that serves metrics. +func (s *defaultServer) AddExtraHandler(path string, handler http.Handler) error { + s.mu.Lock() + defer s.mu.Unlock() + if s.options.ExtraHandlers == nil { + s.options.ExtraHandlers = make(map[string]http.Handler) + } + if path == defaultMetricsEndpoint { + return fmt.Errorf("overriding builtin %s endpoint is not allowed", defaultMetricsEndpoint) + } + if _, found := s.options.ExtraHandlers[path]; found { + return fmt.Errorf("can't register extra handler by duplicate path %q on metrics http server", path) + } + s.options.ExtraHandlers[path] = handler + return nil +} + // Start runs the server. // It will install the metrics related resources depend on the server configuration. func (s *defaultServer) Start(ctx context.Context) error {