Merge branch 'cilium:main' into cheithanya

cilium · Jun 17, 2024 · cb87f57 · cb87f57
2 parents 06f99b2 + dd602b0
commit cb87f57
Show file tree

Hide file tree

Showing 1,214 changed files with 89,954 additions and 57,710 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -1,5 +1,6 @@
 # helm chart
 /install/kubernetes/tetragon/README.md linguist-generated
+/install/kubernetes/tetragon/crds-yaml/* linguist-vendored
 
 # api
 /api/v1/README.md linguist-generated

diff --git a/.github/ISSUE_TEMPLATE/feature_request_template.yaml b/.github/ISSUE_TEMPLATE/feature_request_template.yaml
@@ -7,7 +7,7 @@ body:
       value: |
         Thanks for taking the time to request a new feature! 
 
-        If you have usage questions, please join the [Cilium Slack](https://slack.cilium.io/) and ask questions in the [Tetragon channel](https://cilium.slack.com/archives/C03EV7KJPJ9). Please also consult the [FAQ](https://tetragon.cilium.io/docs/faq/) first.
+        If you have usage questions, please join the [Cilium Slack](https://slack.cilium.io/) and ask questions in the [Tetragon channel](https://cilium.slack.com/archives/C03EV7KJPJ9). Please also consult the [FAQ](https://tetragon.cilium.io/docs/installation/faq/) first.
   - type: checkboxes
     attributes:
       label: Is there an existing issue for this?

diff --git a/.github/ISSUE_TEMPLATE/release_template.md b/.github/ISSUE_TEMPLATE/release_template.md
@@ -14,16 +14,23 @@ assignees: ''
 
       export RELEASE=v0.8.1
 
-- [ ] Open a pull request to update the Helm chart and docs version:
+- [ ] Open a pull request to update the Helm chart and docs:
 
       git checkout -b pr/prepare-$RELEASE
+
+      # update Helm chart
       ./contrib/update-helm-chart.sh $RELEASE
       make -C install/kubernetes
       git add install/kubernetes/tetragon/
-      # update hugo version
+
+      # update version in docs (Hugo config)
       sed -i "s/^version =.*/version = \"${RELEASE}\"/" docs/hugo.toml
       git add docs/
 
+      # update upgrade notes
+      ./contrib/update-upgrade-notes.sh $RELEASE
+      git add contrib/upgrade-notes/
+
       git commit -s -m "Prepare for $RELEASE release"
       git push origin HEAD
 
@@ -32,14 +39,16 @@ assignees: ''
       git checkout main
       git pull origin main
       git tag -a $RELEASE -m "$RELEASE release" -s
+      git tag -a api/$RELEASE -m "api/$RELEASE release" -s
       git push origin $RELEASE
 
-- If release is `X.Y.0`:
+- If you are releasing a major or minor version (`X.Y.0`):
 
-  - [ ] Create `vX.Y` branch.
-  - [ ] Create a "Starting `X.Y+1` development" PR on the master branch with the following changes:
-    - Update [CustomResourceDefinitionSchemaVersion](https://github.com/cilium/tetragon/blob/6f2809c51b3fbd35b1de0a178f1e3d0b18c52bcc/pkg/k8s/apis/cilium.io/v1alpha1/register.go#L18) to `X.Y+1.0`.
-  - [ ] Once PR is merged, tag the first commit in master which is not in the `X.Y` branch as `vX.Y+1.0-pre.0`. The high level view of the status after this tag is shown in the following figure (RELEASE is `v0.10.0` in this example):
+  - [ ] Create `vX.Y` branch from the tag you pushed
+  - [ ] Create a "Starting `X.Y+1` development" PR to the main branch with the following changes:
+    - Add the new stable branch to [renovate.json5](https://github.com/cilium/tetragon/blob/main/.github/renovate.json5)
+    - Update [CustomResourceDefinitionSchemaVersion](https://github.com/cilium/tetragon/blob/main/pkg/k8s/apis/cilium.io/v1alpha1/version.go) to `X.Y+1.0`
+  - [ ] Once PR is merged, tag the first commit in the main branch which is not in the `X.Y` branch as `vX.Y+1.0-pre.0`. The high level view of the status after this tag is shown in the following figure (RELEASE is `v0.10.0` in this example):
 
 ```mermaid
 
@@ -61,22 +70,28 @@ gitGraph
 ```
 
 - [ ] Go to [Image CI Releases workflow] and wait for the release image build to finish.
-      - Get approval for your release build workflow from [a Tetragon maintainer]
-      - https://quay.io/repository/cilium/tetragon?tab=tags
-      - https://quay.io/repository/cilium/tetragon-operator?tab=tags
+  - Get approval for your release build workflow from [a Tetragon maintainer]
+  - https://quay.io/repository/cilium/tetragon?tab=tags
+  - https://quay.io/repository/cilium/tetragon-operator?tab=tags
 
 - [ ] When a tag is pushed, a GitHub Action job takes care of creating a new GitHub
       draft release, building artifacts and attaching them to the draft release. Once
       the draft is available in the [releases page]:
-  - [ ] Use the "Auto-generate release notes" button to generate the release notes.
-  - [ ] Review the release notes and click on "Publish Release" at the bottom.
+  - [ ] Use `tgt-notes` from [tetragon-github-tools](https://github.com/isovalent/tetragon-github-tools/)
+        to generate a first version of the release notes based on `release-note/` tags and PR messages.
+  - [ ] Copy upgrade notes from `contrib/upgrade-notes/vX.Y.Z.md` file into the release notes.
+        (Skip if there are no upgrade notes - it's quite likely for patch releases).
+  - [ ] Review the release notes and update them as needed.
+  - [ ] Make sure the "Set as a pre-release" and "Set as the latest release" checkboxes are set correctly.
+        Every `-pre.N` or `-rc.N` release should be marked as a pre-release, and a stable release with the highest
+        version should be marked as latest.
+  - [ ] Click on "Publish Release" at the bottom.
 
 - [ ] Publish Helm chart
-      - Follow [cilium/charts RELEASE.md] to publish the Helm chart.
-      - Once the pull request is merged and the chart is published, go to [cilium/charts GKE workflow] and wait for the
-        CI run to pass.
+   - Follow [cilium/charts RELEASE.md] to publish the Helm chart.
+   - Once the pull request is merged and the chart is published, go to [cilium/charts GKE workflow] and wait for the
+     CI run to pass.
 
-[hugo docs]: https://github.com/cilium/tetragon/blob/main/docs/hugo.toml
 [release blockers]: https://github.com/cilium/tetragon/issues?q=is%3Aissue+is%3Aopen+label%3Arelease-blocker
 [Image CI Releases workflow]: https://github.com/cilium/tetragon/actions/workflows/build-images-releases.yml
 [cilium/charts RELEASE.md]: https://github.com/cilium/charts/blob/master/RELEASE.md

diff --git a/.github/lychee.toml b/.github/lychee.toml
@@ -9,5 +9,10 @@ exclude = [
   # the virtualbox website sends 500 regularly
   'virtualbox.org',
   # this is for the documentation contributor guide
-  '^http://localhost:1313/docs$'
+  '^http://localhost:1313/docs$',
+  # this is a form POST link in the index.html
+  '^https://formspree.io/f/xbjnwnjb$',
+  # this a parsing error from index.html, it uses the {{< latest-version >}}
+  # shortcode which is not detected
+  '^https://github.com/cilium/tetragon/releases/download/$',
 ]
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,16 @@
+Thanks for contributing! Please ensure your pull request adheres to the following guidelines:
+
+- [ ] All commits contain a well written commit message and are signed-off (see [Submitting a pull request](https://tetragon.io/docs/contribution-guide/submitting-a-pull-request/)).
+- [ ] All code is covered by unit and/or end-to-end tests where feasible.
+- [ ] All generated files are updated if needed (see [Making changes](https://tetragon.io/docs/contribution-guide/making-changes/)).
+- [ ] Provide a title or release-note blurb suitable for the release notes (see [guidelines](https://tetragon.io/docs/contribution-guide/docs/release-notes/#release-note-blurb-in-pr)).
+- [ ] Update documentation and write an upgrade note if needed (see [guidelines](https://tetragon.io/docs/contribution-guide/docs/release-notes/#upgrade-notes)).
+- [ ] Are you a user of Tetragon? Please add yourself to the [Users doc](https://github.com/cilium/cilium/blob/main/USERS.md) in the Cilium repository.
+
+<!-- Description of change -->
+
+Fixes: #issue-number
+
+```release-note
+<!-- Enter the release note text here if needed or remove this section! -->
+```
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -15,7 +15,8 @@
     "^make vendor$",
     "^make -C install/kubernetes$",
     "^go mod vendor$",
-    "^install-tool golang \\$\\(grep -oP '\\^go \\\\K\\.\\+' go\\.mod\\)$"
+    "^install-tool golang \\$\\(grep -oP '\\^go \\\\K\\.\\+' go\\.mod\\)$",
+    "^install-tool golang \\$\\(grep -oP '\\^toolchain go\\\\K\\.\\+' go\\.mod\\)$"
   ],
   // repository configuration
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
@@ -37,8 +38,10 @@
     "contrib/rthooks/tetragon-oci-hook/go.mod",
     "contrib/rthooks/tetragon-oci-hook/go.sum",
     "*Dockerfile*",
+    "docs/hugo.toml",
     "install/kubernetes/tetragon/values.yaml",
-    "**/*Makefile*"
+    "**/*Makefile*",
+    "contrib/update-helm-chart.sh",
   ],
   "postUpdateOptions": [
     "gomodTidy"
@@ -52,6 +55,7 @@
   "baseBranches": [
     "main",
     "v1.0",
+    "v1.1",
   ],
   "vulnerabilityAlerts": {
     "enabled": true
@@ -209,11 +213,42 @@
       }
     },
     {
+      // Grouping go packages updates together
       "groupName": "Go",
       "matchPackageNames": [
         "go",
         "docker.io/library/golang"
       ],
+    },
+    {
+      // main branch is using the new toolchain directive
+      "matchPackageNames": [
+        "go",
+        "docker.io/library/golang"
+      ],
+      "matchBaseBranches": [
+        "main",
+      ],
+      // postUpgradeTasks is only for when the Go module directives are bumped
+      "postUpgradeTasks": {
+        // We need to trigger a golang install manually here because in some
+        // cases it might not be preinstalled, see:
+        // https://github.com/renovatebot/renovate/discussions/23485
+        "commands": ["install-tool golang $(grep -oP '^toolchain go\\K.+' go.mod)", "make vendor"],
+        "fileFilters": ["**/**"],
+        "executionMode": "branch"
+      },
+    },
+    {
+      // stable branches are using the go directive
+      "matchPackageNames": [
+        "go",
+        "docker.io/library/golang"
+      ],
+      "matchBaseBranches": [
+        "v1.0",
+        "v1.1",
+      ],
       // postUpgradeTasks is only for when the Go module directives are bumped
       "postUpgradeTasks": {
         // We need to trigger a golang install manually here because in some
@@ -237,6 +272,7 @@
       "groupName": "Helm chart",
       "matchFileNames": [
         "install/kubernetes/tetragon/values.yaml",
+        "install/kubernetes/Makefile",
       ],
       // lint and generate files for helm chart
       "postUpgradeTasks": {
@@ -278,6 +314,7 @@
       "matchPackagePatterns": ["*"],
       "matchBaseBranches": [
         "v1.0",
+        "v1.1",
       ]
     },
     {
@@ -286,18 +323,31 @@
       "matchPackageNames": ["docker.io/library/alpine"],
       "matchBaseBranches": [
         "v1.0",
+        "v1.1",
       ]
     },
     {
-      // update go version until next minor for stable branches
+      // update go patch for 1.21 for stable branches
       "enabled": true,
       "matchPackageNames": [
         "go",
         "docker.io/library/golang"
       ],
       "allowedVersions": "/^1\\.21\\.[0-9]+-?(alpine)?$/",
       "matchBaseBranches": [
-        "v1.0"
+        "v1.0",
+      ]
+    },
+    {
+      // update go patch for 1.22 for stable branches
+      "enabled": true,
+      "matchPackageNames": [
+        "go",
+        "docker.io/library/golang"
+      ],
+      "allowedVersions": "/^1\\.22\\.[0-9]+-?(alpine)?$/",
+      "matchBaseBranches": [
+        "v1.1",
       ]
     },
     // ignore deps section
@@ -320,10 +370,6 @@
       "matchUpdateTypes": [
         "patch"
       ],
-      matchBaseBranches: [
-        "main",
-        "v1.0"
-      ]
     },
     {
       // do not allow any updates for major.minor for LVH, they will be done by maintainers
@@ -413,7 +459,8 @@
     {
       "customType": "regex",
       "fileMatch": [
-        "^\\.github/workflows/[^/]+\\.ya?ml$"
+        "^\\.github/workflows/[^/]+\\.ya?ml$",
+        "^docs/hugo.toml$",
       ],
       "matchStrings": [
         // this regex is used to match both:
@@ -430,9 +477,10 @@
       "customType": "regex",
       // explicitely not writing ^Makefile$ to match files with Makefile.extension
       "fileMatch": [
-        "Makefile"
+        "Makefile",
+        "^contrib/update-helm-chart.sh$",
       ],
-      // This regex is for upgrading docker image full reference in Makefiles, for examples:
+      // This regex is for upgrading docker image full reference in Makefiles or scripts, for examples:
       //
       // # renovate: datasource=docker
       // GOLANGCILINT_IMAGE=docker.io/golangci/golangci-lint:v1.55.2@sha256:e699df940be1810b08ba6ec050bfc34cc1931027283b5a7f607fb6a67b503876

diff --git a/.github/workflows/bpf-unit-tests.yml b/.github/workflows/bpf-unit-tests.yml
@@ -17,13 +17,13 @@ jobs:
         os: [ ubuntu-22.04, actuated-arm64-4cpu-8gb ]
     steps:
     - name: Checkout code
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
     - name: Install Go
-      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         # renovate: datasource=golang-version depName=go
-        go-version: '1.22.2'
+        go-version: '1.22.4'
 
     - name: Install LLVM
       run: |

diff --git a/.github/workflows/build-clang-image.yaml b/.github/workflows/build-clang-image.yaml
@@ -25,7 +25,7 @@ jobs:
 
       # https://github.com/docker/setup-buildx-action
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
       - name: Getting image tag
         id: tag
@@ -37,13 +37,13 @@ jobs:
           fi
 
       - name: Checkout source code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Preview build Clang image
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
           provenance: false
           context: .
@@ -71,10 +71,10 @@ jobs:
 
       # https://github.com/docker/setup-buildx-action
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
       - name: Login to quay.io
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_CLANG_RELEASE_USERNAME }}
@@ -90,13 +90,13 @@ jobs:
           fi
 
       - name: Checkout Source Code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Release Build clang
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         id: docker_build_release
         with:
           provenance: false
@@ -118,10 +118,10 @@ jobs:
           cosign sign -y quay.io/${{ github.repository_owner }}/clang@${{ steps.docker_build_release.outputs.digest }}
 
       - name: Install Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           # renovate: datasource=golang-version depName=go
-          go-version: '1.22.2'
+          go-version: '1.22.4'
 
       - name: Install Bom
         shell: bash
@@ -168,7 +168,7 @@ jobs:
 
       # Upload artifact digests
       - name: Upload artifact digests
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: image-digest clang
           path: image-digest
@@ -186,7 +186,7 @@ jobs:
           mkdir -p image-digest/
 
       - name: Download digests of all images built
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           path: image-digest/