hubble-relay: update to 1.15.12

.github/workflows/main.yaml

@@ -151,6 +151,7 @@ jobs:
               container-image: "hubble"
             - dir: "./hubble-relay"
               container-image: "hubble-relay"
+              make-post-targets: "cilium-checkout cilium-test-e2e-setup cilium-test-e2e-upgrade-inotify test-e2e"
               request-scan: "false"
             - dir: "./hubble-ui"
               container-image: "hubble-ui-frontend"

cilium/e2e/Makefile

@@ -1,8 +1,10 @@
 SUDO ?= sudo
-IMAGE_TAG ?= ghcr.io/cybozu/cilium:$(shell cat ../TAG)
 CILIUM := bin/cilium
 CILIUM_DIR := ../src/cilium
 
+CILIUM_AGENT_IMAGE_TAG ?= ghcr.io/cybozu/cilium:$(shell cat ../TAG)
+HUBBLE_RELAY_IMAGE_TAG ?= ghcr.io/cybozu/hubble-relay:$(shell cat ../../hubble-relay/TAG)
+
 .PHONY: setup
 setup:
 	mkdir -p bin
@@ -24,12 +26,28 @@ upgrade-inotify:
 .PHONY: start
 start:
 	cd $(CILIUM_DIR); ./contrib/scripts/kind.sh --xdp "" 3 "" "" "none" "ipv4"
-	kind load docker-image $(IMAGE_TAG)
+	kind load docker-image $(CILIUM_AGENT_IMAGE_TAG)
+	$(CILIUM) install --wait \
+		--chart-directory=$(CILIUM_DIR)/install/kubernetes/cilium \
+		--values values.yaml \
+		--set image.repository=$(shell echo $(CILIUM_AGENT_IMAGE_TAG) | cut -d':' -f1) \
+		--set image.tag=$(shell echo $(CILIUM_AGENT_IMAGE_TAG) | cut -d':' -f2)
+
+.PHONY: start-hubble-relay
+start-hubble-relay:
+	cd $(CILIUM_DIR); ./contrib/scripts/kind.sh --xdp "" 3 "" "" "none" "ipv4"
+	CILIUM_AGENT_IMAGE_TAG=quay.io/cilium/cilium:v$(shell echo $(HUBBLE_RELAY_IMAGE_TAG) | cut -d':' -f2 | cut -d'.' -f1-3); \
+	docker pull $${CILIUM_AGENT_IMAGE_TAG}; \
+	kind load docker-image $${CILIUM_AGENT_IMAGE_TAG}
+	kind load docker-image $(HUBBLE_RELAY_IMAGE_TAG)
 	$(CILIUM) install --wait \
 		--chart-directory=$(CILIUM_DIR)/install/kubernetes/cilium \
 		--values values.yaml \
-		--set image.repository=$(shell echo $(IMAGE_TAG) | cut -d':' -f1) \
-		--set image.tag=$(shell echo $(IMAGE_TAG) | cut -d':' -f2) \
+		--set hubble.relay.image.repository=$(shell echo $(HUBBLE_RELAY_IMAGE_TAG) | cut -d':' -f1) \
+		--set hubble.relay.image.tag=$(shell echo $(HUBBLE_RELAY_IMAGE_TAG) | cut -d':' -f2) \
+		--set hubble.relay.image.pullPolicy=Never \
+		--set hubble.relay.securityContext.runAsUser=10000 \
+		--set hubble.relay.securityContext.runAsGroup=10000
 
 # check-log-errors is disabled in CI to accomodate with the following issue:
 # https://github.com/cilium/image-tools/pull/267

cilium/e2e/values.yaml

@@ -1,6 +1,12 @@
 autoDirectNodeRoutes: true
 devices: eth+
 enableIPv6Masquerade: false
+hubble:
+  enabled: true
+  relay:
+    enabled: true
+    image:
+      useDigest: false
 image:
   pullPolicy: Never
   useDigest: false

hubble-relay/BRANCH

@@ -1 +1 @@
-1.14
+1.15

hubble-relay/Dockerfile

@@ -1,8 +1,8 @@
-ARG BASE_IMAGE=ghcr.io/cybozu/ubuntu:22.04
+ARG UBUNTU_IMAGE=ghcr.io/cybozu/ubuntu:22.04
 ARG GOLANG_IMAGE=ghcr.io/cybozu/golang:1.22-jammy
 
 # Stage1: build
-FROM ${GOLANG_IMAGE} as build
+FROM ${GOLANG_IMAGE} AS build
 
 COPY TAG /
 
@@ -22,19 +22,26 @@ RUN VERSION=$(cut -d \. -f 1,2,3 < /TAG ) \
 WORKDIR /go/src/github.com/cilium/cilium/hubble-relay
 RUN make
 
+# grpc_health_probe
+WORKDIR /go/src/github.com/cilium/cilium
+RUN cp images/hubble-relay/download-grpc-health-probe.sh /tmp/download-grpc-health-probe.sh
+RUN /tmp/download-grpc-health-probe.sh
+
 # Stage2: runtime
-FROM ${BASE_IMAGE}
+FROM ${UBUNTU_IMAGE}
 LABEL org.opencontainers.image.source="https://github.com/cybozu/neco-containers"
 
 # Add nonroot user for the neco environment
 RUN useradd nonroot -u 10000 -U -m
 
 COPY --from=build /out/linux/amd64/bin/gops /bin/gops
 COPY --from=build /go/src/github.com/cilium/cilium/LICENSE.all /LICENSE
+COPY --from=build /out/linux/amd64/bin/grpc_health_probe /bin/grpc_health_probe
 COPY --from=build /go/src/github.com/cilium/cilium/hubble-relay/hubble-relay /usr/bin/hubble-relay
 
 # use uid:gid for the nonroot user for compatibility with runAsNonRoot
 USER 10000:10000
 
+ENV HOME=/home/nonroot
 ENTRYPOINT ["/usr/bin/hubble-relay"]
 CMD ["serve"]

hubble-relay/Makefile

@@ -0,0 +1,24 @@
+IMAGE_TAG ?= ghcr.io/cybozu/hubble-relay:$(shell cat TAG)
+
+.PHONY: build
+build:
+	docker build . --tag=$(IMAGE_TAG)
+
+.PHONY: cilium-checkout
+cilium-checkout:
+	@$(MAKE) -C ../cilium checkout
+
+.PHONY: cilium-test-e2e-setup
+cilium-test-e2e-setup:
+	@$(MAKE) -C ../cilium test-e2e-setup
+
+.PHONY: cilium-test-e2e-upgrade-inotify
+cilium-test-e2e-upgrade-inotify:
+	@$(MAKE) -C ../cilium test-e2e-upgrade-inotify
+
+.PHONY: test-e2e
+test-e2e:
+	@$(MAKE) -C ../cilium/e2e start-hubble-relay
+	kubectl wait deployments -A --all --for condition=Available --timeout=300s
+	kubectl wait pods -A --all --for condition=Ready --timeout=300s
+	@$(MAKE) -C ../cilium/e2e stop

hubble-relay/TAG

@@ -1 +1 @@
-1.14.14.1
+1.15.12.1