Merge branch 'master' into upgrade-envoy-version210

Signed-off-by: Lukasz Dziedziak <[email protected]>
kumahq · Oct 22, 2024 · 4497ca3 · 4497ca3
2 parents 0e7acd7 + 40097da
commit 4497ca3
Show file tree

Hide file tree

Showing 575 changed files with 3,762 additions and 2,523 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,23 +1,20 @@
-### Checklist prior to review
+## Motivation
 
-<!--
-Each of these sections need to be filled by the author when opening the PR.
+<!-- Why are we doing this change -->
 
-If something doesn't apply please check the box and add a justification after the `--`
--->
+## Implementation information
+
+<!-- Explain how this was done and potentially alternatives considered and discarded -->
 
-- [ ] [Link to relevant issue][1] as well as docs and UI issues --
-- [ ] This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as a image registry) and it will work on Windows, system specific functions like `syscall.Mkfifo` have equivalent implementation on the other OS --
-- [ ] Tests (Unit test, E2E tests, manual test on universal and k8s) --
-  - Don't forget `ci/` labels to run additional/fewer tests
-- [ ] Do you need to update [`UPGRADE.md`](../blob/master/UPGRADE.md)? --
-- [ ] Does it need to be backported according to the [backporting policy](../blob/master/CONTRIBUTING.md#backporting)? ([this](https://github.com/kumahq/kuma/actions/workflows/auto-backport.yaml) GH action will add "backport" label based on these [file globs](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L6), if you want to prevent it from adding the "backport" label use [no-backport-autolabel](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L8) label) --
+## Supporting documentation
+
+<!-- Is there a MADR? An Issue? A related PR? -->
+
+Fix #XX
 
 <!--
 > Changelog: skip
 -->
 <!--
 Uncomment the above section to explicitly set a [`> Changelog:` entry here](https://github.com/kumahq/kuma/blob/master/CONTRIBUTING.md#submitting-a-patch)?
 -->
-
-[1]: https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword
diff --git a/.github/workflows/_build_publish.yaml b/.github/workflows/_build_publish.yaml
@@ -54,7 +54,7 @@ jobs:
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: go.mod
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}
@@ -71,7 +71,7 @@ jobs:
           echo "Artifact digest:"
           cat ./build/distributions/artifact_digest_file.text
           echo "binary_artifact_digest_base64=$(cat ./build/distributions/artifact_digest_file.text)" > $GITHUB_OUTPUT
-      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         id: binary-artifacts
         with:
           name: ${{ inputs.BINARY_ARTIFACT_NAME }}
@@ -88,7 +88,7 @@ jobs:
         run: |
           make publish/pulp
   build-images:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04 # pining to this version until https://github.com/actions/runner-images/issues/10636#issuecomment-2397720931 has a better solution
     timeout-minutes: 30
     strategy:
       fail-fast: false
@@ -105,7 +105,7 @@ jobs:
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: go.mod
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}
@@ -128,7 +128,7 @@ jobs:
           make test/container-structure/${{ matrix.image }}
       - name: scan amd64 image
         id: scan_image-amd64
-        uses: Kong/public-shared-actions/security-actions/scan-docker-image@0aaaa49782e9028086feb943ec04e03e35e3f813 # v2.7.2
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
         with:
           asset_prefix: image_${{ matrix.image }}-amd64
           image: ./build/docker/${{ matrix.image }}-amd64.tar
@@ -137,7 +137,7 @@ jobs:
       - name: scan arm64 image
         id: scan_image-arm64
         if: ${{ fromJSON(inputs.FULL_MATRIX) }}
-        uses: Kong/public-shared-actions/security-actions/scan-docker-image@0aaaa49782e9028086feb943ec04e03e35e3f813 # v2.7.2
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
         with:
           asset_prefix: image_${{ matrix.image }}-arm64
           image: ./build/docker/${{ matrix.image }}-arm64.tar
@@ -169,14 +169,14 @@ jobs:
           echo "Got digest: $digest"
           echo "digest=${digest}" >> $GITHUB_OUTPUT
           echo "{\"${{matrix.image}}\": \"${digest}\"}" > ./build/docker/${{ matrix.image }}.digest.json
-      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         id: image-artifacts
         with:
           name: image_${{ matrix.image }}
           path: |
             ./build/docker/*.tar
           retention-days: ${{ github.event_name == 'pull_request' && 1 || 30 }}
-      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         id: image-digest-artifacts
         with:
           name: image_${{ matrix.image }}.digest.json
@@ -186,7 +186,7 @@ jobs:
       - name: sign image
         if: ${{ fromJSON(inputs.ALLOW_PUSH) }}
         id: sign
-        uses: Kong/public-shared-actions/security-actions/sign-docker-image@0aaaa49782e9028086feb943ec04e03e35e3f813 # v2.7.2
+        uses: Kong/public-shared-actions/security-actions/sign-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
         with:
           image_digest: ${{ steps.image_digest.outputs.digest }}
           tags: ${{ steps.image_meta.outputs.image }}
@@ -227,7 +227,7 @@ jobs:
           go-version-file: go.mod
           cache-dependency-path: |
             go.sum
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}
@@ -255,7 +255,7 @@ jobs:
           PKG_FILENAME=$(find .cr-release-packages -type f -printf "%f\n")
           echo "filename=${PKG_FILENAME}" >> $GITHUB_OUTPUT
       - name: Upload packaged chart
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: ${{ steps.package-helm.outputs.filename }}
           path: .cr-release-packages/${{ steps.package-helm.outputs.filename }}

diff --git a/.github/workflows/_e2e.yaml b/.github/workflows/_e2e.yaml
@@ -34,7 +34,7 @@ jobs:
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: go.mod
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}
@@ -127,11 +127,19 @@ jobs:
             target="test/e2e"
           fi
           make ${MAKE_PARAMETERS} CI=true "${target}"
-      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: always()
         with:
-          name: e2e-debug-${{ env.E2E_PARAM_TARGET }}-${{ env.E2E_PARAM_ARCH }}-${{ env.E2E_PARAM_K8S_VERSION }}-${{ env.E2E_PARAM_CNI_NETWORK_PLUGIN }}-${{ matrix.parallelRunnerId }}
+          name: e2e-debug-${{ env.E2E_PARAM_TARGET }}-${{ env.E2E_PARAM_ARCH }}-${{ env.E2E_PARAM_K8S_VERSION }}-${{ env.E2E_PARAM_CNI_NETWORK_PLUGIN }}-${{ env.E2E_PARAM_SIDECAR_CONTAINERS }}-${{ matrix.parallelRunnerId }}
           if-no-files-found: ignore
           path: |
             /tmp/e2e-debug/
           retention-days: ${{ github.event_name == 'pull_request' && 5 || 30 }}
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        if: always()
+        with:
+          name: e2e-reports-${{ env.E2E_PARAM_TARGET }}-${{ env.E2E_PARAM_ARCH }}-${{ env.E2E_PARAM_K8S_VERSION }}-${{ env.E2E_PARAM_CNI_NETWORK_PLUGIN }}-${{ env.E2E_PARAM_SIDECAR_CONTAINERS }}-${{ matrix.parallelRunnerId }}
+          if-no-files-found: ignore
+          path: |
+            build/reports
+          retention-days: ${{ github.event_name == 'pull_request' && 5 || 30 }}
diff --git a/.github/workflows/_test.yaml b/.github/workflows/_test.yaml
@@ -12,8 +12,8 @@ permissions:
 env:
   CI_TOOLS_DIR: "/home/runner/work/kuma/kuma/.ci_tools"
   # This is automatically managed by CI
-  K8S_MIN_VERSION: v1.23.17-k3s1
-  K8S_MAX_VERSION: v1.30.0-k3s1
+  K8S_MIN_VERSION: v1.25.16-k3s4
+  K8S_MAX_VERSION: v1.31.1-k3s1
 jobs:
   test_unit:
     timeout-minutes: 20
@@ -26,7 +26,7 @@ jobs:
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: go.mod
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}
@@ -70,8 +70,8 @@ jobs:
                 ],
                 "include":[
                   {"sidecarContainers": "sidecarContainers", "k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "kubernetes", "arch": "amd64"},
-                  {"k8sVersion": "${{ env.K8S_MIN_VERSION }}", "target": "multizone", "arch": "arm64"},
-                  {"k8sVersion": "${{ env.K8S_MIN_VERSION }}", "target": "kubernetes", "arch": "arm64"},
+                  {"k8sVersion": "${{ env.K8S_MIN_VERSION }}", "target": "multizone", "arch": "amd64"},
+                  {"k8sVersion": "${{ env.K8S_MIN_VERSION }}", "target": "kubernetes", "arch": "amd64"},
                   {"k8sVersion": "kind", "target": "universal", "arch": "arm64"},
                   {"k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "gatewayapi", "arch": "amd64"},
                   {"cniNetworkPlugin": "calico", "k8sVersion": "${{ env.K8S_MAX_VERSION }}", "target": "multizone", "arch": "amd64"}

diff --git a/.github/workflows/bom.yaml b/.github/workflows/bom.yaml
@@ -17,7 +17,7 @@ jobs:
         with:
           version: v1
           args: mod -licenses -json -output licenses.json
-      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: licenses
           path: |

diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml
@@ -13,6 +13,9 @@ permissions:
 env:
   KUMA_DIR: "."
   CI_TOOLS_DIR: "/home/runner/work/kuma/kuma/.ci_tools"
+concurrency:
+  group: ${{github.workflow}}-${{ github.event_name == 'push' && github.sha || github.event.pull_request.number }}
+  cancel-in-progress: ${{ github.event_name == 'push' && false || true }}
 jobs:
   check:
     permissions:
@@ -48,11 +51,11 @@ jobs:
         with:
           go-version-file: go.mod
           cache: false
-      - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+      - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
           args: --fix=false --verbose
           version: v1.60.3
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           path: |
             ${{ env.CI_TOOLS_DIR }}
@@ -66,7 +69,7 @@ jobs:
       - run: |
           make check
       - id: sca-project
-        uses: Kong/public-shared-actions/security-actions/sca@0aaaa49782e9028086feb943ec04e03e35e3f813 # v2.7.2
+        uses: Kong/public-shared-actions/security-actions/sca@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
         with:
           dir: .
           config: .syft.yaml
@@ -169,7 +172,7 @@ jobs:
       - name: Push security assets to cloudsmith
         id: push_security_assets
         if: ${{ needs.provenance.result == 'success' || needs.build_publish.result == 'success' }}
-        uses: cloudsmith-io/action@8fe2c21805b379148b31e94ef1b509d2a83342c3 # v0.6.13
+        uses: cloudsmith-io/action@7af394e0f8add4867bce109385962dafecad1b8d # v0.6.14
         with:
           api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
           command: "push"

diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
@@ -42,3 +42,23 @@ jobs:
           NO_BACKPORT_AUTOLABEL: no-backport-autolabel
         run: |
           tools/ci/needs_backporting.sh "${{ github.repository }}" "${{ github.event.pull_request.number }}" "origin/${{ github.base_ref }}" "HEAD" "$PREDEFINED_GLOBS" "$LABEL_TO_ADD" "$NO_BACKPORT_AUTOLABEL"
+      - name: Add checklist comment
+        if: false # disable as it doesn't work github.event.action == 'opened' && github.event.pull_request.author != 'dependabot'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          CHECKLIST_MESSAGE: |
+            :mag: Each of these sections need to be checked by the reviewer of the PR :mag::
+            
+            If something doesn't apply please check the box and add a justification if the reason is non obvious.
+            
+            - [ ] Is the PR title satisfactory? Is this part of a larger feature and should be grouped using `> Changelog`?
+            - [ ] PR description is clear and complete. It [Link to relevant issue][1] as well as docs and UI issues
+            - [ ] This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as a image registry) 
+            - [ ] IPv6 is taken into account (.e.g: no concatenation of host port)
+            - [ ] Tests (Unit test, E2E tests, manual test on universal and k8s)
+                - Don't forget `ci/` labels to run additional/fewer tests
+            - [ ] Does this contain a change that needs to be notified to users? In this case it [`UPGRADE.md`](../blob/master/UPGRADE.md) should be updated.
+            - [ ] Does it need to be backported according to the [backporting policy](../blob/master/CONTRIBUTING.md#backporting)? ([this](https://github.com/kumahq/kuma/actions/workflows/auto-backport.yaml) GH action will add "backport" label based on these [file globs](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L6), if you want to prevent it from adding the "backport" label use [no-backport-autolabel](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L8) label)
+            [1]: https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword
+
+        run: echo '${{ env.CHECKLIST_MESSAGE }}' | gh pr comment -R "${{ github.repository }}" "${{ github.event.pull_request.number }}" -F -
diff --git a/.github/workflows/ci-stability.yaml b/.github/workflows/ci-stability.yaml
@@ -0,0 +1,81 @@
+name: Check CI stability for PRs with "ci/verify-stability" or "ci/verify-stability-merge-master" label
+
+on:
+  schedule:
+    # Monday to Friday: Every 2 hours from 7 PM to 7 AM CEST
+    - cron: "0 17 * * 1-5"
+    - cron: "0 19 * * 1-5"
+    - cron: "0 21 * * 1-5"
+    - cron: "0 23 * * 1-5"
+    - cron: "0 1 * * 2-6"
+    - cron: "0 3 * * 2-6"
+    - cron: "0 5 * * 2-6"
+    # Saturday and Sunday: Every 2 hours all day
+    - cron: "0 */2 * * 6,0"
+  workflow_dispatch:  # Allows manual trigger from GitHub Actions UI
+env:
+  GH_USER: "github-actions[bot]"
+  GH_EMAIL: "<41898282+github-actions[bot]@users.noreply.github.com>"
+jobs:
+  trigger-ci:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate GitHub app token
+        id: github-app-token
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ steps.github-app-token.outputs.token }}
+      - name: Get open pull requests and save to file
+        run: |
+          gh pr list --json number,labels > open_prs.json
+        env:
+          GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}
+      - name: Process PRs
+        id: process_prs
+        run: |
+          cat open_prs.json
+          pr_numbers_with_verify_stability=$(jq -r '.[] | select(.labels[]?.name == "ci/verify-stability") | .number' open_prs.json)
+          pr_numbers_with_verify_stability_merge_master=$(jq -r '.[] | select(.labels[]?.name == "ci/verify-stability-merge-master") | .number' open_prs.json)
+          echo "PRs with 'ci/verify-stability' label: $pr_numbers_with_verify_stability"
+          echo "PRs with 'ci/verify-stability-merge-master' label: $pr_numbers_with_verify_stability_merge_master"
+          echo "pr_numbers_with_verify_stability=$pr_numbers_with_verify_stability" >> $GITHUB_OUTPUT
+          echo "pr_numbers_with_verify_stability_merge_master=$pr_numbers_with_verify_stability_merge_master" >> $GITHUB_OUTPUT
+        env:
+          GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}
+      - name: Merge master branch (if applicable) and push a single commit
+        if: steps.process_prs.outputs.pr_numbers_with_verify_stability != ''
+        run: |
+          for pr_number in ${{ steps.process_prs.outputs.pr_numbers_with_verify_stability }}; do
+            current_datetime=$(date +"%Y-%m-%d %H:%M:%S")
+            echo "Processing PR #$pr_number"
+
+            # Fetch PR details to get the base branch (original branch name)
+            pr_branch=$(gh pr view $pr_number --json headRefName --jq '.headRefName')
+            echo "The original branch for PR #$pr_number is $pr_branch"
+            git fetch origin pull/$pr_number/head:$pr_branch
+            git checkout $pr_branch
+
+            git config user.name "${GH_USER}"
+            git config user.email "${GH_EMAIL}"
+          
+            # Check if the PR needs to merge with master
+            if echo "${{ steps.process_prs.outputs.pr_numbers_with_verify_stability_merge_master }}" | grep -wq "$pr_number"; then
+              echo "Merging master into PR #$pr_number"
+              git fetch origin master
+              git merge origin/master --no-ff --no-commit
+              git commit --allow-empty -m "Merge master into PR #$pr_number"
+            fi
+          
+            # Commit an empty commit to trigger the CI
+            echo "Pushing empty commit to trigger CI for PR #$pr_number on $current_datetime"
+            git commit --allow-empty -m "Trigger CI for PR #$pr_number on $current_datetime"
+            git push origin $pr_branch
+          done
+        env:
+          GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -24,13 +24,13 @@ jobs:
         with:
           go-version-file: go.mod
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+        uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
         with:
           config-file: ./.github/codeql/codeql-config.yml
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+        uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
+        uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
         with:
           category: "/language:${{matrix.language}}"