Whisker UI new features update#11
ronanc-tigera merged 840 commits intoMar 3, 2026
…ort-range Fix rendering of NatPortRange in nftables mode
Yoga has been "unmaintained" - which is OpenStack terminology for a state similar to EoL - since October 2024, and is no longer of interest to our OpenStack customers. The CI against Yoga recently broke when we updated our Semaphore platform from Ubuntu 20.04 to 22.04. This was briefly addressed by projectcalico@29d69fa, but since then there has been further breakage, which does not look easy to fix - fundamentally because upstream Yoga-level code was never developed and tested against Ubuntu 22.04.
Fix CI against OpenStack Yoga, by removing it
…1743)

* For VM-based tests on Jammy pin docker-buildx-plugin

We need to pin because download.docker.com now has a newer buildx that tries to use an API version that is too new for the Docker daemon, causing this error:

```
docker buildx build --load --platform=linux/amd64 --pull --build-arg UBI_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal:latest --build-arg GIT_VERSION=v3.32.0-0.dev-643-g38568836d2ac --build-arg CALICO_BASE=calico/base:ubi9-1769122535 --build-arg BPFTOOL_IMAGE=calico/bpftool:v7.5.0 --network=host --build-arg BIN_DIR=dist/bin --build-arg BIRD_IMAGE=calico/bird:v0.3.3-211-g9111ec3c-amd64 --build-arg GIT_VERSION=v3.32.0-0.dev-643-g38568836d2ac -t node:latest-amd64 -f ./Dockerfile.amd64 .
ERROR: failed to build: Error response from daemon: client version 1.52 is too new. Maximum supported API version is 1.41: driver not connecting
make[1]: Leaving directory '/home/ubuntu/calico/node'
make[1]: *** [Makefile:268: .calico_node.created-amd64] Error 1
make: Leaving directory '/home/ubuntu/calico/node'
make: *** [Makefile:440: k8s-test] Error 2
```

* Spurious change to trigger node CI
* Revert "Spurious change to trigger node CI"

This reverts commit 46fdd37. Seems we didn't need this to trigger the CI.
…nodes) Add support for the nftables and BPF dataplanes on linux nodes to the ASO test infra. Remove docker installation as only containerd is necessary. Use a config yaml for kubeadm init instead of CLI flags.
…s-aso-1 [windows] ASO: add support for nftables and BPF dataplanes (on linux nodes)
* Export maglev conntracks as prometheus metrics

Co-authored-by: Shaun Crampton <shaun@tigera.io>
Co-authored-by: Casey Davenport <davenport.cas@gmail.com>
Co-authored-by: nelljerram <2089263+nelljerram@users.noreply.github.com>
Co-authored-by: nelljerram <2089263+nelljerram@users.noreply.github.com>
Co-authored-by: nelljerram <2089263+nelljerram@users.noreply.github.com>
* Fix typo in CNP CRD.
* Pin upstream CNP CRD to explicit commit, was floating.
…CIDR Include Priority in mock netlink KeyForRoute so routes with the same CIDR but different priorities get distinct keys in the mock dataplane. Update all existing route key assertions accordingly. Add 11 new tests covering multi-priority route scenarios: adding and removing routes at different priorities, resync behavior, and stale route cleanup. Add a test for IPv6 RouteRemove Priority normalization. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…h-key-to-agent-master Add `ssh-key add` to cni-plugin push-images pipeline [master]
…ent-master Add `ssh-add` to all push-images pipelines [master]
Go 1.26 tightened net/url parsing to reject bare IPv6 addresses in URLs (issue #75223). URLs like http://2001:db8::1:9099/path were silently accepted in Go 1.25 but now correctly return a parse error. This broke all IPv6 BPF FV tests which construct health check URLs with unbracketed IPv6 addresses. Replace string concatenation with net.JoinHostPort() which correctly brackets IPv6 addresses ([::1]:9099) and leaves IPv4 unchanged. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Both ip6tables and nftables require bracketed IPv6 addresses when a port is present (e.g., [2001:db8::1]:80). The DNAT and SNAT actions were using plain string formatting which produces invalid rules for IPv6. Use net.JoinHostPort() which correctly brackets IPv6 addresses. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
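The two commit messages above describe the same defect class: building `host:port` by string concatenation, which is ambiguous for IPv6. The following is an added example, not code from the Calico repository; the function names and the `/readiness` path are hypothetical, and the addresses are constructed samples. It shows the concatenated form failing to split back into host and port, while the `net.JoinHostPort()` form round-trips and parses as a URL.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
)

// naiveHostPort is the string-concatenation pattern the commits replace.
func naiveHostPort(ip string, port int) string {
	return ip + ":" + strconv.Itoa(port)
}

// safeHostPort brackets IPv6 literals and leaves IPv4 unchanged.
func safeHostPort(ip string, port int) string {
	return net.JoinHostPort(ip, strconv.Itoa(port))
}

// roundTrips reports whether hostport splits back into the same ip and port.
func roundTrips(hostport, ip string, port int) bool {
	h, p, err := net.SplitHostPort(hostport)
	return err == nil && h == ip && p == strconv.Itoa(port)
}

// healthURL builds a URL (hypothetical path) and returns the host the parser sees.
func healthURL(ip string, port int) (string, string, error) {
	raw := "http://" + safeHostPort(ip, port) + "/readiness"
	u, err := url.Parse(raw)
	if err != nil {
		return raw, "", err
	}
	return raw, u.Hostname(), nil
}

func main() {
	// Constructed sample addresses: one IPv4, one IPv6 documentation prefix.
	for _, ip := range []string{"10.0.0.1", "2001:db8::1"} {
		n, s := naiveHostPort(ip, 9099), safeHostPort(ip, 9099)
		raw, host, err := healthURL(ip, 9099)
		fmt.Printf("%-12s naive=%q ok=%v safe=%q ok=%v url=%s host=%q err=%v\n",
			ip, n, roundTrips(n, ip, 9099), s, roundTrips(s, ip, 9099), raw, host, err)
	}
}
```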
…g-release-tool-master Add apt publishing framework to release tool [master]
Test the two key live migration subcases where Felix-managed routes
coexist with external BIRD routes at different priorities for the same
VM IP:
(a) Source host: Felix local route at normal priority, BIRD remote route
appears at elevated priority, Felix removes its route, BIRD reverts
to normal priority.
(b) Destination host: BIRD remote route at normal priority, Felix
programs local route at elevated priority, BIRD route removed, Felix
reverts to normal priority.
Verifies that resync never disturbs the external BIRD routes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a detailed comment explaining the interaction between conntrack cleanup and multiple route priorities. The ConntrackCleanupManager is keyed on CIDR (one owner per CIDR) while routes are keyed on RouteKey (CIDR + Priority). For the live migration use case this is safe: Felix only manages one route per CIDR at a time, with the coexisting BIRD route being external to the tracker. On the source host, the conntrack flush when Felix removes its local route is correct: the VM is leaving, so stale conntrack entries should be flushed to force policy re-evaluation (the return path may now traverse different HostEndpoints on a different host). On the destination host, no flush is triggered because BIRD's pre-existing route was never tracked. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Commit c9b6f2b added RBAC for watching kubevirt.io VirtualMachineInstanceMigration resources to the operator manifests, but missed the non-operator (Helm chart) manifests. Add the same get/list/watch permissions to the calico-node ClusterRole in the calico chart template and regenerate manifests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Felix's KDD syncer always syncs VirtualMachineInstanceMigration resources regardless of network/IPAM mode, so the RBAC rule must be gated only on datastore==kubernetes, not additionally on network==calico. This adds the rule to canal and policy-only manifests that were previously missing it. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Use net.JoinHostPort() for IPv6-safe host:port formatting
…t-nft Fix IPv6 DNAT/SNAT rule formatting in iptables and nftables backends
* Add KubeVirt VM live migration IPAM support

Implement VM-aware IPAM allocation that preserves IP addresses across KubeVirt virtual machine live migrations.

Key changes:
- Add KubeVirt VMI client library for tracking VM identity and migrations
- Extend CNI IPAM plugin with VM-aware allocation and release logic
- Add IPAMConfig resource with MaxAllocPerIPVersion for VM IP limits
- Support handle-based IP reuse to maintain stable IPs during migration
- Add comprehensive unit and integration tests for kubevirt IPAM flows

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix comment
* Added filter for non VM pod
* Review Markups
* Update cni-plugin/pkg/ipamplugin/ipam_plugin.go

Co-authored-by: Shaun Crampton <shaun@tigera.io>

* Review Markups II
* Fix static checks

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Shaun Crampton <shaun@tigera.io>
…12378 [CORE-12378] fix(QoS): Use QdiscReplace() instead of QdiscAdd()
Enhance Felix route table for elevated priority programming
Remove unnecessary `Eventually()` calls that were waiting for the workload interface to be present in the output of `ip r` on every workload update (mostly changing QoS configs).
fix(qos tests): remove unnecessary waits for routes on QoS felix FVs
* Added cali bot trigger
* code review fixes
* Rename cali-bot-trigger.yml to calico-github-issues-bot-trigger.yml
…calico#11968)

* Add Claude Code skill for reproducing CI failures on GCP VMs

Documents the process of creating a GCP VM that matches the CI environment (image family, Docker version, sysctl settings) to reproduce kernel-dependent test failures locally.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix GCP skill to match CI: machine type, disk size, Docker repo format

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Add VirtualMachineInstanceMigration RBAC to non-operator manifests
… whisker-ui-new-features
Release note: