Merge branch 'master' into chore/use-distroless-iptables-img

Signed-off-by: Charly Molter <[email protected]>
kumahq · Mar 1, 2023 · 0e9bb43 · 0e9bb43
2 parents e402825 + f462166
commit 0e9bb43
Show file tree

Hide file tree

Showing 923 changed files with 16,152 additions and 3,757 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -9,7 +9,7 @@ reusable:
     - &golang_image "cimg/go:1.18.10"
 
   vm_images:
-    - &ubuntu_vm_image "ubuntu-2004:202111-01"
+    - &ubuntu_vm_image "ubuntu-2204:2022.10.2"
 
 # See https://circleci.com/docs/2.0/configuration-reference/#commands-requires-version-21.
 commands:
@@ -52,16 +52,8 @@ commands:
           curl -s --fail --location https://dl.google.com/go/go<<parameters.go_version>>.<<parameters.go_os>>-<<parameters.go_arch>>.tar.gz | tar -xz -C $HOME
           echo 'export PATH=$HOME/go/bin:$PATH' >> $BASH_ENV
           # if GOPATH is not set, `golang-ci` fails with an obscure message
-          # "ERRO Running error: context loading failed: failed to load program with go/packages: could not determine GOARCH and Go compiler"
+          # "ERROR Running error: context loading failed: failed to load program with go/packages: could not determine GOARCH and Go compiler"
           echo 'export GOPATH=$HOME/go' >> $BASH_ENV
-    - run:
-        name: "Update runc"
-        # See https://github.com/rancher/k3d/issues/807 (runc's default version on the instance fails k3d)
-        command: |
-          if [[ `uname -s` == "Linux" ]]; then
-            sudo sh -c 'curl -s --fail --location https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.<<parameters.go_arch>> > /usr/bin/runc'
-            sudo chown root:root /usr/bin/runc ; sudo chmod o+x /usr/bin/runc
-          fi
   skip_on_branch:
     description: "Skip the job on the branch"
     steps:
@@ -285,10 +277,10 @@ jobs:
             # Handle legacy tests on branch
             if [[ "<< pipeline.git.branch >>" != "master" && "<< pipeline.git.branch >>" != "release-"* ]]; then
               if [[ "<< parameters.target >>" == "test/e2e" ]]; then
-                skip "we do not run legacy E2E on branch by default. To run them add ci/run-e2e-legacy label"
+                skip "we do not run legacy E2E on branch by default. To run them add ci/run-full-matrix label"
               fi
               if [[ "<< parameters.cniNetworkPlugin >>" == "calico" || "<< parameters.k8sVersion >>" == "kindIpv6" || "<< parameters.k8sVersion >>" == "v1.20.15-k3s1" || "<< parameters.arch >>" == "arm64" ]]; then
-                  skip "Not running tests on PRs with kindIpv6, oldK8s, calico and arm64"
+                  skip "Not running tests on PRs with kindIpv6, oldK8s, calico or arm64"
               fi
             fi
 
@@ -394,6 +386,7 @@ jobs:
         paths:
         - docker-images-<<parameters.arch>>
         - artifacts-linux-<<parameters.arch>>
+        - ebpf-<<parameters.arch>>
 
   release:
     executor: vm-amd64

diff --git a/.github/workflows/blackbox-tests.yaml b/.github/workflows/blackbox-tests.yaml
@@ -0,0 +1,42 @@
+name: "blackbox-tests"
+
+on:
+  workflow_dispatch:
+
+env:
+  CGO_ENABLED: "0"
+
+jobs:
+  blackbox-tests:
+    runs-on: ubuntu-20.04
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: "Set up Go"
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.18
+
+    - name: "Configure go modules cache"
+      uses: actions/cache@v3
+      with:
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+
+    - name: "Install dependencies"
+      run: |
+        go mod tidy
+
+    - name: "Setup user to test user id port exclusion"
+      run: |
+        sudo groupadd -g 4200 dns_test_user_group
+        sudo useradd dns_test_user -u 4201 -g 4200 -m -s /bin/bash
+
+    - name: "Run blackbox tests"
+      run: |
+        sudo "PATH=$PATH" $(which ginkgo) run ./test/blackbox_tests/...
diff --git a/.github/workflows/lifecycle.yml b/.github/workflows/lifecycle.yml
@@ -1,7 +1,7 @@
 name: project-lifecycle
 on:
   schedule:
-    - cron: 0 8 * * *
+    - cron: 0 7 * * *
   workflow_dispatch:
   issues:
     types:

diff --git a/.github/workflows/update-insecure-dependencies.yaml b/.github/workflows/update-insecure-dependencies.yaml
@@ -4,8 +4,6 @@ on:
   workflow_dispatch: { }
   schedule:
     - cron: 0 8 * * *
-env:
-  IGNORE_PACKAGES: "github.com/aws/aws-sdk-go"
 jobs:
   build-matrix:
     runs-on: ubuntu-latest
@@ -14,7 +12,7 @@ jobs:
     steps:
       - id: generate-matrix
         run: |
-          # The head -1 is because GITHUB_OUTPUT is easier to work with single line output and this file is created with automation in `lifecycle.yaml` 
+          # The head -1 is because GITHUB_OUTPUT is easier to work with single line output and this file is created with automation in `lifecycle.yaml`
           ACTIVE_BRANCHES=`gh api /repos/${{ github.repository }}/contents/active-branches.json --jq '.content | @base64d' | head -1`
           echo "branches=${ACTIVE_BRANCHES}" >> $GITHUB_OUTPUT
         env:
@@ -55,8 +53,7 @@ jobs:
       - name: "Update dependencies"
         id: update
         run: |
-          osv-scanner --lockfile=go.mod --json | jq '.results[].packages[].package.name' | grep -Ev ${{ env.IGNORE_PACKAGES }} | xargs -I {} go get -u {}
-          go mod tidy
+          make update-vulnerable-dependencies
       - name: "Prepare commit body - after"
         id: prepare_commit_body_after
         run: |
@@ -78,8 +75,8 @@ jobs:
 
             After update:
             ${{ env.SCAN_OUTPUT_AFTER }}
-            
-            If a package is showing up in the scan but the script is not trying to update it then it might be in env.IGNORE_PACKAGES regex
+
+            If a package is showing up in the scan but the script is not trying to update it then it might be because there is no fixed version yet.
           delete-branch: true
           title: "chore(deps): security update"
           draft: false

diff --git a/.gitignore b/.gitignore
@@ -13,3 +13,7 @@ build/
 # Release artifacts
 .cr-release-packages
 *.test
+
+# to embed ebpf programs by using go:embed, we have to copy programs first
+pkg/transparentproxy/ebpf/programs/amd64/mb_*
+pkg/transparentproxy/ebpf/programs/arm64/mb_*
diff --git a/.golangci.yml b/.golangci.yml
@@ -5,20 +5,21 @@ linters:
     - errcheck
     - gci
     - gocritic
-    - gofmt
+    - gofumpt
     - gomodguard
+    - gosimple
     - govet
+    - gosec
     - importas
     - ineffassign
     - misspell
+    - nonamedreturns
+    - staticcheck
     - typecheck
     - unconvert
     - unparam
-    - whitespace
-    - gosimple
-    - nonamedreturns
-    - staticcheck
     - unused
+    - whitespace
 
 run:
   skip-files:
@@ -39,7 +40,6 @@ linters-settings:
     sections:
     - standard
     - default
-    - prefix(github.com/kumahq/kuma-net)
     - prefix(github.com/kumahq/kuma)
     custom-order: true
   importas:
@@ -85,8 +85,6 @@ linters-settings:
     - cancelled # US English should be "canceled", but this is in the Retry API, so we can't change it.
   nonamedreturns:
     report-error-in-defer: false
-  gofmt:
-    simplify: true
 
 issues:
   fix: true
@@ -139,4 +137,7 @@ issues:
     - linters:
         - staticcheck
       text: "SA1019: .* for new policies use pkg/plugins/policies/xds/cluster.go"
+    - linters:
+        - gosec
+      path: pkg/transparent-proxy/istio
 
diff --git a/Makefile b/Makefile
@@ -28,3 +28,4 @@ include mk/e2e.new.mk
 include mk/docs.mk
 include mk/envoy.mk
 include mk/helm.mk
+include mk/ebpf.mk
diff --git a/README.md b/README.md
@@ -3,7 +3,6 @@
 **Builds**
 <!--CIBADGES-->
 [![CircleCI master](https://img.shields.io/circleci/build/github/kumahq/kuma/master?label=master)](https://circleci.com/gh/kumahq/kuma/tree/master)
-[![CircleCI release-1.5](https://img.shields.io/circleci/build/github/kumahq/kuma/release-1.5?label=release-1.5)](https://circleci.com/gh/kumahq/kuma/tree/release-1.5)
 [![CircleCI release-1.6](https://img.shields.io/circleci/build/github/kumahq/kuma/release-1.6?label=release-1.6)](https://circleci.com/gh/kumahq/kuma/tree/release-1.6)
 [![CircleCI release-1.7](https://img.shields.io/circleci/build/github/kumahq/kuma/release-1.7?label=release-1.7)](https://circleci.com/gh/kumahq/kuma/tree/release-1.7)
 [![CircleCI release-1.8](https://img.shields.io/circleci/build/github/kumahq/kuma/release-1.8?label=release-1.8)](https://circleci.com/gh/kumahq/kuma/tree/release-1.8)

diff --git a/UPGRADE.md b/UPGRADE.md
@@ -14,6 +14,72 @@ We now support version `v0.6.0` of the Gateway API. See the [upstream API
 changes](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.6.0) for
 more info.
 
+### Longer name of the resource in postgres
+
+Kuma now permits the creation of a resource with a name of up to 253 characters, which is an increase from the previous limit of 100 characters. This adjustment brings our system in line with the naming convention supported by Kubernetes.
+This change requires to run `kuma-cp migrate up` to apply changes to the postgres database.
+
+### Auth configuration of DP server in Kuma CP
+
+`dpServer.auth` configuration of Kuma CP was deprecated. You can still set config in this section, but it will be removed in the future.
+It's recommended to migrate to `dpServer.authn` if you explicitly set any of the configuration in this config section.
+* `dpServer.auth.type` is now split into two: `dpServer.authn.dpProxy.type` and `dpServer.authn.zoneProxy.type` and is still autoconfigured based on the environment.
+* `dpServer.auth.useTokenPath` is now `dpServer.authn.enableReloadableTokens`
+
+### Transparent Proxy Engine v2 and CNI v2 as default
+
+As they matured, in the upcoming release Kuma will by default use transparent
+proxy engine v2 and CNI v2.
+
+If you want to still use v1 versions of these components, you will have to install 
+Kuma with provided `legacy.transparentProxy=true` or `legacy.cni.enabled=true`
+options.
+
+#### Examples
+
+##### CNI
+
+*Helm*
+
+```sh
+helm upgrade --install --create-namespace --namespace kuma-system \
+  --set "legacy.cni.enabled=true" \
+  --set "cni.enabled=true" \
+  --set "cni.chained=true" \
+  --set "cni.netDir=/etc/cni/net.d" \
+  --set "cni.binDir=/opt/cni/bin" \
+  --set "cni.confName=10-calico.conflist"
+  kuma kuma/kuma
+```
+
+*kumactl*
+
+```sh
+kumactl install control-plane \
+  --set "legacy.cni.enabled=true" \
+  --set "cni.enabled=true" \
+  --set "cni.chained=true" \
+  --set "cni.netDir=/etc/cni/net.d" \
+  --set "cni.binDir=/opt/cni/bin" \
+  --set "cni.confName=10-calico.conflist" \
+  | kubectl apply -f-
+```
+
+##### Transparent Proxy Engine
+
+*Helm*
+
+```sh
+helm upgrade --install --create-namespace --namespace kuma-system \
+  --set "legacy.transparentProxy=true" kuma kuma/kuma
+```
+
+*kumactl*
+
+```sh
+kumactl install control-plane --set "legacy.transparentProxy=true" | kubectl apply -f-
+```
+
 ## Upgrade to `2.1.x`
 
 ### **Breaking changes**

diff --git a/active-branches.json b/active-branches.json
@@ -1 +1 @@
-[ "master", "release-1.5", "release-1.6", "release-1.7", "release-1.8", "release-2.0", "release-2.1" ]
+[ "master", "release-1.6", "release-1.7", "release-1.8", "release-2.0", "release-2.1" ]
diff --git a/api/common/v1alpha1/targetref.go b/api/common/v1alpha1/targetref.go
@@ -1,6 +1,14 @@
 // +kubebuilder:object:generate=true
 package v1alpha1
 
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"golang.org/x/exp/maps"
+)
+
 type TargetRefKind string
 
 var (
@@ -37,3 +45,14 @@ type TargetRef struct {
 	// Mesh is reserved for future use to identify cross mesh resources.
 	Mesh string `json:"mesh,omitempty"`
 }
+
+// Hash returns a hash of the TargetRef
+func (in *TargetRef) Hash() string {
+	keys := maps.Keys(in.Tags)
+	sort.Strings(keys)
+	orderedTags := make([]string, len(keys))
+	for _, k := range keys {
+		orderedTags = append(orderedTags, fmt.Sprintf("%s=%s", k, in.Tags[k]))
+	}
+	return fmt.Sprintf("%s/%s/%s/%s", in.Kind, in.Name, strings.Join(orderedTags, "/"), in.Mesh)
+}
diff --git a/api/mesh/v1alpha1/dataplane_helpers_test.go b/api/mesh/v1alpha1/dataplane_helpers_test.go
@@ -8,7 +8,6 @@ import (
 )
 
 var _ = Describe("MultiValueTagSet", func() {
-
 	Describe("HostnameEntries()", func() {
 		type testCase struct {
 			value    MultiValueTagSet
@@ -33,7 +32,6 @@ var _ = Describe("MultiValueTagSet", func() {
 })
 
 var _ = Describe("Dataplane_Networking", func() {
-
 	Describe("GetOutboundInterfaces()", func() {
 		Context("valid input values", func() {
 			type testCase struct {
@@ -95,7 +93,6 @@ var _ = Describe("Dataplane_Networking", func() {
 	})
 
 	Describe("GetInboundInterfaces()", func() {
-
 		Context("valid input values", func() {
 			type testCase struct {
 				input    *Dataplane_Networking
@@ -142,7 +139,6 @@ var _ = Describe("Dataplane_Networking", func() {
 	})
 
 	Describe("GetHealthyInbounds()", func() {
-
 		It("should return only healty inbounds", func() {
 			networking := &Dataplane_Networking{
 				Inbound: []*Dataplane_Networking_Inbound{
@@ -181,9 +177,7 @@ var _ = Describe("Dataplane_Networking", func() {
 })
 
 var _ = Describe("Dataplane_Networking_Inbound", func() {
-
 	Describe("GetService()", func() {
-
 		type testCase struct {
 			inbound  *Dataplane_Networking_Inbound
 			expected string
@@ -213,7 +207,6 @@ var _ = Describe("Dataplane_Networking_Inbound", func() {
 	})
 
 	Describe("GetProtocol()", func() {
-
 		type testCase struct {
 			inbound  *Dataplane_Networking_Inbound
 			expected string
@@ -361,7 +354,6 @@ var _ = Describe("Dataplane with gateway", func() {
 })
 
 var _ = Describe("TagSelector", func() {
-
 	Describe("Matches()", func() {
 		type testCase struct {
 			tags  map[string]string
@@ -488,7 +480,6 @@ var _ = Describe("Tags", func() {
 })
 
 var _ = Describe("TagSelectorRank", func() {
-
 	Describe("CompareTo()", func() {
 		type testCase struct {
 			rank1    TagSelectorRank