Merging v1.1.0 into windows branch #2401
Open
LakshK98 wants to merge 231 commits into
…o 0.7.0 (microsoft#1584) Bumps [sigs.k8s.io/cloud-provider-azure/pkg/azclient](https://github.com/kubernetes-sigs/cloud-provider-azure) from 0.6.2 to 0.7.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/20e0e1d7a3a23b5956fb3a73350d7b318d67a133"><code>20e0e1d</code></a> Merge pull request <a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/458">#458</a> from feiskyer/prepare-0.7.0</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/8f1df22be94fda9571a518be37bcc601d1ce5ef3"><code>8f1df22</code></a> Update document links to Cloud Provider Azure website</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/5053a9f37f9ddefb7584e4b0d48483f83c85274f"><code>5053a9f</code></a> Release Cloud Provider Azure v0.7.0</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/9e049a331b20e924984be292ce735bcc1f6e48b9"><code>9e049a3</code></a> Merge pull request <a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/451">#451</a> from ialidzhikov/cleanup/network-apiversion</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/7e37c2c97661a581547b327b518f0741784f5816"><code>7e37c2c</code></a> Merge pull request <a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/453">#453</a> from andyzhangx/disk-batch-operation</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/ffabb16994bd57719dbd07d6baca97e35a81ae09"><code>ffabb16</code></a> Merge pull request <a href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/455">#455</a> from nilo19/failing-test/skip-multi-pool</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/bcb98816f29fc71dfaeaaebc65685b27f5431ff2"><code>bcb9881</code></a> Merge pull request <a 
href="https://redirect.github.com/kubernetes-sigs/cloud-provider-azure/issues/457">#457</a> from nilo19/bug/fix-dep</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/67975b245d7e3732b921d03349d3de66052b095e"><code>67975b2</code></a> Explicitly set mod=mod in go list</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/3c9b40f5c5c456b81b41f99bf9344dfba6383618"><code>3c9b40f</code></a> use batch operation for azure disk attach/detach</li> <li><a href="https://github.com/kubernetes-sigs/cloud-provider-azure/commit/d574dd5ee95e38692a2a3a8b8cfaf7859a32a64f"><code>d574dd5</code></a> Skip the exclude LB test on multi node pool cluster</li> <li>Additional commits viewable in <a href="https://github.com/kubernetes-sigs/cloud-provider-azure/compare/pkg/azclient/v0.6.2...v0.7.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…oft#1587) Bumps [github.com/Microsoft/hcsshim](https://github.com/Microsoft/hcsshim) from 0.12.9 to 0.13.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Microsoft/hcsshim/releases">github.com/Microsoft/hcsshim's releases</a>.</em></p> <blockquote> <h2>v0.13.0</h2> <h2>What's Changed</h2> <ul> <li>Enable Windows UVM functional tests by <a href="https://github.com/jiechen0826"><code>@jiechen0826</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2338">microsoft/hcsshim#2338</a></li> <li>Add support for HCN v2 endpoint and add unit tests by <a href="https://github.com/katiewasnothere"><code>@katiewasnothere</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2343">microsoft/hcsshim#2343</a></li> <li>Skip HVSock_* flaky tests until they are fixed by <a href="https://github.com/jiechen0826"><code>@jiechen0826</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2365">microsoft/hcsshim#2365</a></li> <li>Fix duplicate artifact name in github CI by <a href="https://github.com/jiechen0826"><code>@jiechen0826</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2366">microsoft/hcsshim#2366</a></li> <li>Fix TestLCOW_IPv6_Assignment functional test by <a href="https://github.com/katiewasnothere"><code>@katiewasnothere</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2359">microsoft/hcsshim#2359</a></li> <li>Enabled Linux UVM tests to run on 1ES github runner pool by <a href="https://github.com/jiechen0826"><code>@jiechen0826</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2357">microsoft/hcsshim#2357</a></li> <li>Revert "Enabled Linux UVM tests to run on 1ES github runner pool" by <a href="https://github.com/jiechen0826"><code>@jiechen0826</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2378">microsoft/hcsshim#2378</a></li> <li>github-actions: update lint action by <a 
href="https://github.com/anmaxvl"><code>@anmaxvl</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2379">microsoft/hcsshim#2379</a></li> <li>fix golangci-lint config by <a href="https://github.com/anmaxvl"><code>@anmaxvl</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2387">microsoft/hcsshim#2387</a></li> <li>HvSocket support for containers by <a href="https://github.com/anmaxvl"><code>@anmaxvl</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2353">microsoft/hcsshim#2353</a></li> <li>feature: cross-container named pipes by <a href="https://github.com/anmaxvl"><code>@anmaxvl</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2358">microsoft/hcsshim#2358</a></li> <li>tooling: allow pause container to be run in privileged mode by <a href="https://github.com/anmaxvl"><code>@anmaxvl</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2406">microsoft/hcsshim#2406</a></li> <li>Initial support for creating confidential windows UtilityVMs by <a href="https://github.com/ambarve"><code>@ambarve</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2388">microsoft/hcsshim#2388</a></li> <li>Deps/crypto vulnFix golang.org/x/crypto vulnerability by <a href="https://github.com/helsaawy"><code>@helsaawy</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2416">microsoft/hcsshim#2416</a></li> <li>rego policy enforcer should use the same user parsing logic as GCS by <a href="https://github.com/anmaxvl"><code>@anmaxvl</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2405">microsoft/hcsshim#2405</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/jiechen0826"><code>@jiechen0826</code></a> made their first contribution in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2338">microsoft/hcsshim#2338</a></li> </ul> <p><strong>Full Changelog</strong>: <a 
href="https://github.com/microsoft/hcsshim/compare/v0.13.0-rc.3...v0.13.0">https://github.com/microsoft/hcsshim/compare/v0.13.0-rc.3...v0.13.0</a></p> <h2>v0.13.0-rc.3</h2> <h2>What's Changed</h2> <ul> <li>Update go version + Switch to using containerd/errdefs/pkg/errgrpc for grpc translation by <a href="https://github.com/kiashok"><code>@kiashok</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2300">microsoft/hcsshim#2300</a></li> <li>add <code>longPathAware</code> to shim manifest by <a href="https://github.com/anmaxvl"><code>@anmaxvl</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2303">microsoft/hcsshim#2303</a></li> <li>Fix issue with mask length of gateway addresses by <a href="https://github.com/katiewasnothere"><code>@katiewasnothere</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2305">microsoft/hcsshim#2305</a></li> <li>remove dmverity-vhd code and release pipeline by <a href="https://github.com/anmaxvl"><code>@anmaxvl</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2318">microsoft/hcsshim#2318</a></li> <li>Add build version block for pod CPU limits updating by <a href="https://github.com/katiewasnothere"><code>@katiewasnothere</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2321">microsoft/hcsshim#2321</a></li> <li>Fix go.mod to have the correct Go version by <a href="https://github.com/kevpar"><code>@kevpar</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2326">microsoft/hcsshim#2326</a></li> <li>Fix path in security <code>policyenginesimulator</code> sample by <a href="https://github.com/MahatiC"><code>@MahatiC</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2329">microsoft/hcsshim#2329</a></li> <li>octtrpc: Fix span status defer, add tests by <a href="https://github.com/kevpar"><code>@kevpar</code></a> in <a 
href="https://redirect.github.com/microsoft/hcsshim/pull/2330">microsoft/hcsshim#2330</a></li> <li>Support for Block CIMs by <a href="https://github.com/ambarve"><code>@ambarve</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2261">microsoft/hcsshim#2261</a></li> <li>osversion: Add new versions, fix compat bug, improve tests by <a href="https://github.com/kevpar"><code>@kevpar</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2327">microsoft/hcsshim#2327</a></li> <li>Use abs path to testing binary by <a href="https://github.com/helsaawy"><code>@helsaawy</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2344">microsoft/hcsshim#2344</a></li> <li>Omnibus dependabot update by <a href="https://github.com/helsaawy"><code>@helsaawy</code></a> in <a href="https://redirect.github.com/microsoft/hcsshim/pull/2347">microsoft/hcsshim#2347</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/microsoft/hcsshim/compare/v0.13.0-rc.2...v0.13.0-rc.3">https://github.com/microsoft/hcsshim/compare/v0.13.0-rc.2...v0.13.0-rc.3</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/microsoft/hcsshim/commit/7084bd2fa445d83629a67a91ff4e072517a11f04"><code>7084bd2</code></a> rego policy enforcer should use the same user parsing logic as GCS (<a href="https://redirect.github.com/Microsoft/hcsshim/issues/2405">#2405</a>)</li> <li><a href="https://github.com/microsoft/hcsshim/commit/a5c5b4c46f51ec5481421b2ebf824cea2bc66ba0"><code>a5c5b4c</code></a> Deps/crypto vulnFix golang.org/x/crypto vulnerability (<a href="https://redirect.github.com/Microsoft/hcsshim/issues/2416">#2416</a>)</li> <li><a href="https://github.com/microsoft/hcsshim/commit/a00144a51864f1068148efbe9bb89516ea4934b6"><code>a00144a</code></a> Add support for running confidential WCOW UVMs</li> <li><a 
href="https://github.com/microsoft/hcsshim/commit/5def1d7e26fee3525c1842221e265a40efabded2"><code>5def1d7</code></a> Allow different types of boot configurations for WCOW UVM</li> <li><a href="https://github.com/microsoft/hcsshim/commit/b4e07445e062c54f4c0a08682cec322135a92613"><code>b4e0744</code></a> Merge pull request <a href="https://redirect.github.com/Microsoft/hcsshim/issues/2406">#2406</a> from anmaxvl/privileged-pause</li> <li><a href="https://github.com/microsoft/hcsshim/commit/e5f8fd83592962bf2a089cc5ca949224eaf88480"><code>e5f8fd8</code></a> tooling: allow pause container to be run in privileged mode</li> <li><a href="https://github.com/microsoft/hcsshim/commit/d7e384230944f153215473fa6c715b8723d1ba47"><code>d7e3842</code></a> feature: cross-container named pipes (<a href="https://redirect.github.com/Microsoft/hcsshim/issues/2358">#2358</a>)</li> <li><a href="https://github.com/microsoft/hcsshim/commit/62ddb129f044a01c4938e64c741ba243fea89fc6"><code>62ddb12</code></a> HvSocket support for containers (<a href="https://redirect.github.com/Microsoft/hcsshim/issues/2353">#2353</a>)</li> <li><a href="https://github.com/microsoft/hcsshim/commit/fa9d402bce734aa3031fd7db1c9c997c3448cb78"><code>fa9d402</code></a> ci: fix golangci-lint config (<a href="https://redirect.github.com/Microsoft/hcsshim/issues/2387">#2387</a>)</li> <li><a href="https://github.com/microsoft/hcsshim/commit/a3c0edf1b6bea7b95f96680c88108a56e41f11b6"><code>a3c0edf</code></a> github-actions: update lint action (<a href="https://redirect.github.com/Microsoft/hcsshim/issues/2379">#2379</a>)</li> <li>Additional commits viewable in <a href="https://github.com/Microsoft/hcsshim/compare/v0.12.9...v0.13.0">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

# Description

In some cases the flows incorrectly assumed APIServer IPs as world. This PR adds functionality to the watcher to extract IPs from the Kubernetes service and endpoints. In some managed Kubernetes offerings these IPs are used to establish connections from and to the kube-apiserver.

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Before:

After:

## Additional Notes

Add any additional notes or context about the pull request here.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>
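The relabelling described in the commit message above can be sketched as follows. This is an added example, not code from the Retina repository: the `Service` and `Endpoints` structs are stand-ins for the Kubernetes API types, the label strings and all addresses are constructed, and `Collect`/`Relabel` are hypothetical names.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Stand-ins (assumptions) for the fields of the `kubernetes` Service and
// Endpoints objects that carry API server addresses.
type Service struct{ ClusterIPs []string }
type EndpointSubset struct{ Addresses []string }
type Endpoints struct{ Subsets []EndpointSubset }

// Label strings are assumed for illustration.
const (
	LabelWorld     = "world"
	LabelAPIServer = "kube-apiserver"
)

// APIServerIPs is the set of addresses that belong to the API server.
type APIServerIPs struct{ set map[netip.Addr]struct{} }

// Collect gathers IPs from the service and its endpoints. Headless markers
// ("None") and empty values are skipped; unparsable values are returned so
// the caller can log them instead of silently trusting them.
func Collect(svc Service, eps Endpoints) (*APIServerIPs, []string) {
	a := &APIServerIPs{set: map[netip.Addr]struct{}{}}
	var rejected []string
	add := func(raw string) {
		if raw == "" || raw == "None" {
			return
		}
		addr, err := netip.ParseAddr(raw)
		if err != nil {
			rejected = append(rejected, raw)
			return
		}
		// Unmap so ::ffff:a.b.c.d and a.b.c.d compare equal.
		a.set[addr.Unmap()] = struct{}{}
	}
	for _, ip := range svc.ClusterIPs {
		add(ip)
	}
	for _, s := range eps.Subsets {
		for _, ip := range s.Addresses {
			add(ip)
		}
	}
	return a, rejected
}

// Contains reports whether raw parses to a known API server address.
func (a *APIServerIPs) Contains(raw string) bool {
	addr, err := netip.ParseAddr(raw)
	if err != nil {
		return false
	}
	_, ok := a.set[addr.Unmap()]
	return ok
}

// Relabel only overrides the "world" label; any other label is kept.
func (a *APIServerIPs) Relabel(ip, current string) string {
	if current == LabelWorld && a.Contains(ip) {
		return LabelAPIServer
	}
	return current
}

// List returns the collected addresses in sorted order for inspection.
func (a *APIServerIPs) List() []string {
	out := make([]string, 0, len(a.set))
	for addr := range a.set {
		out = append(out, addr.String())
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample objects.
	svc := Service{ClusterIPs: []string{"10.0.0.1"}}
	eps := Endpoints{Subsets: []EndpointSubset{{Addresses: []string{"192.0.2.10", "bogus"}}}}
	ips, rejected := Collect(svc, eps)
	fmt.Println("api server IPs:", ips.List(), "rejected:", rejected)
	for _, ip := range []string{"192.0.2.10", "::ffff:192.0.2.10", "198.51.100.7"} {
		fmt.Printf("%-20s %s -> %s\n", ip, LabelWorld, ips.Relabel(ip, LabelWorld))
	}
}
```

The endpoint addresses matter on managed clusters because the API server sits outside the pod and service ranges, so a match on the ClusterIP alone would still leave those flows labelled as world.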
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.4.0 to 5.5.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-go/releases">actions/setup-go's releases</a>.</em></p> <blockquote> <h2>v5.5.0</h2> <h2>What's Changed</h2> <h3>Bug fixes:</h3> <ul> <li>Update self-hosted environment validation by <a href="https://github.com/priyagupta108"><code>@priyagupta108</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/556">actions/setup-go#556</a></li> <li>Add manifest validation and improve error handling by <a href="https://github.com/priyagupta108"><code>@priyagupta108</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/586">actions/setup-go#586</a></li> <li>Update template link by <a href="https://github.com/jsoref"><code>@jsoref</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/527">actions/setup-go#527</a></li> </ul> <h3>Dependency updates:</h3> <ul> <li>Upgrade <code>@action/cache</code> from 4.0.2 to 4.0.3 by <a href="https://github.com/aparnajyothi-y"><code>@aparnajyothi-y</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/574">actions/setup-go#574</a></li> <li>Upgrade <code>@actions/glob</code> from 0.4.0 to 0.5.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/573">actions/setup-go#573</a></li> <li>Upgrade ts-jest from 29.1.2 to 29.3.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/582">actions/setup-go#582</a></li> <li>Upgrade eslint-plugin-jest from 27.9.0 to 28.11.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/537">actions/setup-go#537</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/jsoref"><code>@jsoref</code></a> 
made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/527">actions/setup-go#527</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v5...v5.5.0">https://github.com/actions/setup-go/compare/v5...v5.5.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/setup-go/commit/d35c59abb061a4a6fb18e82ac0862c26744d6ab5"><code>d35c59a</code></a> chore: update discussions url (<a href="https://redirect.github.com/actions/setup-go/issues/527">#527</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/29694d72cd5e7ef3b09496b39f28a942af47737e"><code>29694d7</code></a> Add manifest validation and improve error handling (<a href="https://redirect.github.com/actions/setup-go/issues/586">#586</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/78535dd5f299baffe8c7a20903d46f69f967f55b"><code>78535dd</code></a> Bump eslint-plugin-jest from 27.9.0 to 28.11.0 (<a href="https://redirect.github.com/actions/setup-go/issues/537">#537</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/bb65d8857b81c74a671e81f935d3362a5d718e2f"><code>bb65d88</code></a> Bump ts-jest from 29.1.2 to 29.3.2 (<a href="https://redirect.github.com/actions/setup-go/issues/582">#582</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/7f17e836c0800bfdfa49811f9ddaa7608881dffc"><code>7f17e83</code></a> Bump <code>@actions/glob</code> from 0.4.0 to 0.5.0 (<a href="https://redirect.github.com/actions/setup-go/issues/573">#573</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/dca8468d37b6d090cde2c7b97b738a37134f5ffb"><code>dca8468</code></a> Update self-hosted environment validation and bump undici version (<a href="https://redirect.github.com/actions/setup-go/issues/556">#556</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/691cc3533f9e01982f216a98ecdd9fd81c27fd5b"><code>691cc35</code></a> 
upgrade actions/cache to 4.0.3 (<a href="https://redirect.github.com/actions/setup-go/issues/574">#574</a>)</li> <li>See full diff in <a href="https://github.com/actions/setup-go/compare/0aaccfd150d50ccaeb58ebd88d36e91967a5f35b...d35c59abb061a4a6fb18e82ac0862c26744d6ab5">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

# Description

Initial implementation of conntrack metrics for the legacy control plane in basic mode. The aggregation is at the node level, which makes the metric bounded.

Metrics:

- conntrack_bytes_tx
- conntrack_bytes_rx
- conntrack_packets_tx
- conntrack_packets_rx
- conntrack_total_connections

## Related Issue

fixes microsoft#1190

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/contributing).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Bytes RX

Total connections metric

## Additional Notes

Add any additional notes or context about the pull request here.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.
…oft#1594)

# Description

This pull request updates the version of the `ethtool` dependency in the `go.mod` file to ensure compatibility with the latest fixes. With the Go version upgrade from 1.23 to 1.24, certain behavior of Go in relation to memory management changed (see golang/go#73536), which affected our linuxutil plugin, leading to a jump in memory usage. With the help of pprof profiling we identified the root cause in the ethtool library (see golang/go#73536). The ethtool lib owners implemented a change to address the issue, which was released with tag `v0.6.0`.

Dependency update:

* [`go.mod`](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L300-R300): Updated the `github.com/safchain/ethtool` dependency from version `v0.5.10` to `v0.6.0`.

## Screenshots (if applicable) or Testing Completed

I ran retina with a workload that was utilizing the following network at around ~30% CPU:

Here is the memory profile while running different versions of retina; the last one is this commit.

While we don't come back to the original level, we do see an improvement in memory usage of around ~10%
Fixes microsoft#1458 In the PR above, I only added the `/etc/host-os-release` volumeMount in `deploy/standard/manifests/controller/helm/retina/templates/daemonset.yaml` but not in `deploy/hubble/manifests/controller/helm/retina/templates/agent/daemonset.yaml` The omission was because in the former we iterate over the volume mount list defined in values.yaml, while the latter defines them explicitly in the daemonset.
…ation (microsoft#1569)

# Description

This PR improves the `NodeReconciler` logic in `controller.go` by adding a safeguard for nodes with no addresses. Specifically, it ensures that if a node has an empty `Status.Addresses` field, a warning is logged, and the reconciliation process exits gracefully without further processing. This prevents potential runtime errors when attempting to access an address that does not exist.

## Related Issue

resolve microsoft#1541

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

The following scenarios were tested:

1. **Node with no addresses**: Verified that a warning is logged, and the reconciliation exits without errors.
2. **Node with valid addresses**: Verified that the `RetinaNode` is created and updated in the cache correctly.
3. **Node being deleted**: Verified that the `RetinaNode` is removed from the cache as expected.

All tests passed successfully.

## Additional Notes

This change ensures that the `NodeReconciler` handles edge cases more robustly, improving the stability of the controller. The added safeguard prevents potential issues when interacting with nodes that lack address information.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.
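The three scenarios listed in the commit message above, together with the failure the guard prevents, as an added example that is not the project's `controller.go`: `Node`, `NodeAddress`, `RetinaNode` and `Cache` are minimal stand-in types, and the function names and the sample address are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"sync"
)

// Stand-ins (assumptions) for the Kubernetes node types, so the example
// builds without client libraries.
type NodeAddress struct{ Type, Address string }

type Node struct {
	Name      string
	Addresses []NodeAddress // plays the role of Status.Addresses
	Deleting  bool          // stand-in for a set deletion timestamp
}

// RetinaNode is a hypothetical cache entry: node name plus primary IP.
type RetinaNode struct {
	Name string
	IP   net.IP
}

type Cache struct {
	mu    sync.Mutex
	nodes map[string]RetinaNode
}

func NewCache() *Cache { return &Cache{nodes: map[string]RetinaNode{}} }

func (c *Cache) Get(name string) (RetinaNode, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	n, ok := c.nodes[name]
	return n, ok
}

type Result string

const (
	Skipped Result = "skipped"
	Updated Result = "updated"
	Deleted Result = "deleted"
)

// ReconcileUnguarded indexes Addresses[0] without a length check, so a
// node that has not reported addresses yet triggers a runtime panic.
func ReconcileUnguarded(c *Cache, n Node) Result {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.nodes[n.Name] = RetinaNode{Name: n.Name, IP: net.ParseIP(n.Addresses[0].Address)}
	return Updated
}

// Reconcile handles deletion first (a node being deleted may also have no
// addresses), then warns and returns early when there is nothing to index.
// The cache is left untouched on the early return.
func Reconcile(c *Cache, n Node, warn func(string)) (Result, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if n.Deleting {
		delete(c.nodes, n.Name)
		return Deleted, nil
	}
	if len(n.Addresses) == 0 {
		warn(fmt.Sprintf("node %q has no addresses, skipping reconcile", n.Name))
		return Skipped, nil
	}
	ip := net.ParseIP(n.Addresses[0].Address)
	if ip == nil {
		return Skipped, fmt.Errorf("node %q: %q is not an IP address", n.Name, n.Addresses[0].Address)
	}
	c.nodes[n.Name] = RetinaNode{Name: n.Name, IP: ip}
	return Updated, nil
}

// Panics reports whether f panicked.
func Panics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	c := NewCache()
	warn := func(m string) { fmt.Println("WARN:", m) }
	empty := Node{Name: "node-a"} // constructed sample nodes
	ready := Node{Name: "node-a", Addresses: []NodeAddress{{"InternalIP", "10.0.0.4"}}}

	fmt.Println("unguarded panics:", Panics(func() { ReconcileUnguarded(c, empty) }))
	for _, n := range []Node{empty, ready, {Name: "node-a", Deleting: true}} {
		res, err := Reconcile(c, n, warn)
		_, cached := c.Get(n.Name)
		fmt.Println(res, err, "cached:", cached)
	}
}
```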
…-cb48698f2590 to 1.3.1 (microsoft#1592)

Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.3.1-0.20250328051554-cb48698f2590 to 1.3.1.

Release notes, sourced from [github.com/vishvananda/netlink's releases](https://github.com/vishvananda/netlink/releases):

> ## v1.3.1
>
> ## What's Changed
>
> - Fix deprecated comments by `@champtar` in [vishvananda/netlink#1011](https://redirect.github.com/vishvananda/netlink/pull/1011)
> - Fix: Do not crash when enumerating tc filters with unknown actionType by `@Matus-p` in [vishvananda/netlink#1013](https://redirect.github.com/vishvananda/netlink/pull/1013)
> - Fix SetSendTimeout/SetReceiveTimeout by `@robmry` in [vishvananda/netlink#1012](https://redirect.github.com/vishvananda/netlink/pull/1012)
> - capture and return errors in ConntrackDeleteFilters by `@aroradaman` in [vishvananda/netlink#1014](https://redirect.github.com/vishvananda/netlink/pull/1014)
> - Fix FouList attribute body truncated error with kernel 5.2+ by `@chanfung032` in [vishvananda/netlink#1017](https://redirect.github.com/vishvananda/netlink/pull/1017)
> - Preserve results when NLM_F_DUMP_INTR is set by `@robmry` in [vishvananda/netlink#1018](https://redirect.github.com/vishvananda/netlink/pull/1018)
> - netkit: Add support for IFLA_NETKIT_SCRUB and IFLA_NETKIT_PEER_SCRUB by `@jrife` in [vishvananda/netlink#1022](https://redirect.github.com/vishvananda/netlink/pull/1022)
> - fix CI failed Incidental in TestRuleListFiltered by `@wangling94` in [vishvananda/netlink#1043](https://redirect.github.com/vishvananda/netlink/pull/1043)
> - disable broadcast if broadcast is set to net.IPv4zero by `@WeidiDeng` in [vishvananda/netlink#1037](https://redirect.github.com/vishvananda/netlink/pull/1037)
> - .github/workflows: Bump CI Go version to v1.22 by `@dylandreimerink` in [vishvananda/netlink#1049](https://redirect.github.com/vishvananda/netlink/pull/1049)
> - TC FLOWER enrich match field and action about vlan by `@wangling94` in [vishvananda/netlink#1045](https://redirect.github.com/vishvananda/netlink/pull/1045)
> - link_linux: Add deserialization of `IFF_RUNNING` flag by `@dylandreimerink` in [vishvananda/netlink#1038](https://redirect.github.com/vishvananda/netlink/pull/1038)
> - Preserve results when NLM_F_DUMP_INTR is set by `@adrianmoisey` in [vishvananda/netlink#1050](https://redirect.github.com/vishvananda/netlink/pull/1050)
> - Add IFLA_PARENT_DEV_NAME / IFLA_PARENT_DEV_BUS_NAME to links by `@akerouanton` in [vishvananda/netlink#1051](https://redirect.github.com/vishvananda/netlink/pull/1051)
> - conntrack: prevent potential memory leak by `@aroradaman` in [vishvananda/netlink#1058](https://redirect.github.com/vishvananda/netlink/pull/1058)
> - Fix parsing 4-bytes attribute by `@Asphaltt` in [vishvananda/netlink#1034](https://redirect.github.com/vishvananda/netlink/pull/1034)
> - fix: Use correct offset for unix socket diagnosis by `@srebhan` in [vishvananda/netlink#1061](https://redirect.github.com/vishvananda/netlink/pull/1061)
> - vxlan: Fix parseVxlanData for source port range by `@borkmann` in [vishvananda/netlink#1062](https://redirect.github.com/vishvananda/netlink/pull/1062)
> - netkit: Allow setting MAC address in L2 mode by `@jrife` in [vishvananda/netlink#1063](https://redirect.github.com/vishvananda/netlink/pull/1063)
> - Add support for MTU Lock by `@trozet` in [vishvananda/netlink#1067](https://redirect.github.com/vishvananda/netlink/pull/1067)
> - pedit: Fix EncodeActions to add TcGen for pedit action by `@chent1996` in [vishvananda/netlink#1065](https://redirect.github.com/vishvananda/netlink/pull/1065)
> - go.mod: github.com/vishvananda/netns v0.0.5 by `@thaJeztah` in [vishvananda/netlink#1056](https://redirect.github.com/vishvananda/netlink/pull/1056)
> - Add `OifIndex` option for `RouteGetWithOptions` by `@dylandreimerink` in [vishvananda/netlink#1060](https://redirect.github.com/vishvananda/netlink/pull/1060)
> - Support TC "sample" filter action by `@lorenz` in [vishvananda/netlink#1042](https://redirect.github.com/vishvananda/netlink/pull/1042)
> - Add support for XFRMA_SA_DIR and XFRMA_SA_PCPU attributes for XFRM by `@ChinmayaSharma-hue` in [vishvananda/netlink#1044](https://redirect.github.com/vishvananda/netlink/pull/1044)
> - Add support for ARP/ND Timestamps when retriving neighbors by `@jlamanna` in [vishvananda/netlink#1039](https://redirect.github.com/vishvananda/netlink/pull/1039)
>
> ## New Contributors
>
> - `@Matus-p` made their first contribution in [vishvananda/netlink#1013](https://redirect.github.com/vishvananda/netlink/pull/1013)
> - `@robmry` made their first contribution in [vishvananda/netlink#1012](https://redirect.github.com/vishvananda/netlink/pull/1012)
> - `@chanfung032` made their first contribution in [vishvananda/netlink#1017](https://redirect.github.com/vishvananda/netlink/pull/1017)
> - `@jrife` made their first contribution in [vishvananda/netlink#1022](https://redirect.github.com/vishvananda/netlink/pull/1022)
> - `@wangling94` made their first contribution in [vishvananda/netlink#1043](https://redirect.github.com/vishvananda/netlink/pull/1043)
> - `@WeidiDeng` made their first contribution in [vishvananda/netlink#1037](https://redirect.github.com/vishvananda/netlink/pull/1037)
> - `@dylandreimerink` made their first contribution in [vishvananda/netlink#1049](https://redirect.github.com/vishvananda/netlink/pull/1049)
> - `@adrianmoisey` made their first contribution in [vishvananda/netlink#1050](https://redirect.github.com/vishvananda/netlink/pull/1050)
> - `@akerouanton` made their first contribution in [vishvananda/netlink#1051](https://redirect.github.com/vishvananda/netlink/pull/1051)
> - `@Asphaltt` made their first contribution in [vishvananda/netlink#1034](https://redirect.github.com/vishvananda/netlink/pull/1034)
> - `@trozet` made their first contribution in [vishvananda/netlink#1067](https://redirect.github.com/vishvananda/netlink/pull/1067)
> - `@ChinmayaSharma-hue` made their first contribution in [vishvananda/netlink#1044](https://redirect.github.com/vishvananda/netlink/pull/1044)
> - `@jlamanna` made their first contribution in [vishvananda/netlink#1039](https://redirect.github.com/vishvananda/netlink/pull/1039)
>
> **Full Changelog**: https://github.com/vishvananda/netlink/compare/v1.3.0...v1.3.1

... (truncated)

Commits: see full diff in [compare view](https://github.com/vishvananda/netlink/commits/v1.3.1).

Most Recent Ignore Conditions Applied to This Pull Request:

| Dependency Name | Ignore Conditions |
| --- | --- |
| github.com/vishvananda/netlink | [< 1.3, > 1.2.1-beta.2.0.20240524165444-4d4ba1473f21] |

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
# Description

- In certain cases, cluster admins must be able to directly modify resources.requests to bypass pending issues with the retina-agent DaemonSet.
- Recommit 90a370f due to gpg-signing PR microsoft#1589 (Requested by @nddq)

## Related Issue

Reopen from microsoft#1589

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.

Signed-off-by: younsl <cysl@kakao.com>
…t#1556)

# Description

Adds the `is_reply` label to advanced packet forward metrics. Optional as part of the `MetricsConfiguration`.

## Related Issue

microsoft#1426

## Checklist

- [X] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [X] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [X] I have correctly attributed the author(s) of the code.
- [X] I have tested the changes locally.
- [X] I have followed the project's style guidelines.
- [X] I have updated the documentation, if necessary.
- [X] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

<img width="1234" alt="Screenshot 2025-04-23 at 2 49 22 PM" src="https://github.com/user-attachments/assets/973b0223-b493-42f3-9b3e-6b41dca83136" />

# Exported metrics without `is_reply` in the `MetricsConfiguration`

```
networkobservability_adv_forward_bytes{destination_ip="10.128.45.3",destination_namespace="unknown",destination_podname="unknown",direction="EGRESS",source_ip="172.18.7.2",source_namespace="platform-logging",source_podname="fluentd-58c5q"} 54
networkobservability_adv_forward_bytes{destination_ip="10.128.45.3",destination_namespace="unknown",destination_podname="unknown",direction="INGRESS",source_ip="172.18.7.2",source_namespace="platform-logging",source_podname="fluentd-58c5q"} 726
```

# Exported metrics with `is_reply` in the `MetricsConfiguration` `additionalLabels`

```
networkobservability_adv_forward_bytes{destination_ip="10.128.45.3",destination_namespace="unknown",destination_podname="unknown",direction="INGRESS",is_reply="false",source_ip="172.18.7.2",source_namespace="platform-logging",source_podname="fluentd-58c5q"} 54
networkobservability_adv_forward_bytes{destination_ip="10.128.45.3",destination_namespace="unknown",destination_podname="unknown",direction="INGRESS",is_reply="true",source_ip="172.18.7.1",source_namespace="kube-system",source_podname="ebs-csi-node-5qmwq"} 950
networkobservability_adv_forward_bytes{destination_ip="10.128.45.3",destination_namespace="unknown",destination_podname="unknown",direction="INGRESS",is_reply="true",source_ip="172.18.7.2",source_namespace="platform-logging",source_podname="fluentd-58c5q"} 672
```

Signed-off-by: Matthew McKeen <matthew.mckeen@fastly.com>
# Description

Fix ingress helm template issue due to missing helper script:

- The hubble-ui subchart of retina doesn't include the `ingress.paths` definition from the cilium chart, so it needs to be defined instead in the _helpers.tpl helper script of retina.
- Root cause line in `ingress.yaml` template: https://github.com/microsoft/retina/blob/7e2fc3346eaabf3ece23c1d181a1de7dcac2bd82/deploy/hubble/manifests/controller/helm/retina/templates/hubble-ui/ingress.yaml#L38

## Related Issue

- cilium/cilium#13682

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Ingress completely created (screenshot from k9s):

<img width="859" alt="붙여넣은_이미지_2025__4__30__오후_5_27" src="https://github.com/user-attachments/assets/cc727bf6-591f-4f88-a7a1-559210a8f3df" />

## Additional Notes

N/A

Signed-off-by: younsl <cysl@kakao.com>
Currently Retina is not FIPS-compliant across the board. This is to help validate the support matrix.
…ft#1606) Reverting microsoft#1602 that added a stale OSSKU tag which is failing in merge queue now. This was merged due to a GH race condition in a skipped job. Will follow up with another PR just enabling FIPS on the existing AzureLinux node pool.
microsoft#1602 used a stale SKU tag, and somehow slipped through the CI. Submitting this again with the up-to-date AzureLinux tag.
When running on the FIPS-compliant Ubuntu 20.04, Retina requires `SYS_RESOURCE` on top of `IPC_LOCK`. Also, skip attaching to unavailable kernel hook points. Merge after microsoft#1601 - otherwise the pod still fails, just at a later stage.
…rosoft#1601) In microsoft#1458 I added a kernel version check to only attach `fexit` programs when they're supported. We also need to ensure we don't even load them into the kernel.
# Description

This PR is a follow up from: https://github.com/microsoft/retina/pull/1538/files#diff-fb3f33cdd2a5865385222d244e9bdc9a7ebee2756d506f6495f83a5cff42b25a

The ARM64 Operator image was added to the test workflow, and the ADO (Microsoft internal release) pipeline, but not to GHCR release flow. This PR fixes that.

## Related Issue

microsoft#1582

## Checklist

- [X] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [X] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [X] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [X] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

This flow was tested here: https://github.com/microsoft/retina/actions/runs/15065640778/job/42350022052
# Description

Use only the initial SYN packet to determine the connection direction and not also the SYN-ACK. This should only happen in very unfortunate cases (when the agent is injected in the middle of a TCP handshake).

Just a couple of additional questions:

* Since we don't know the direction, shouldn't this https://github.com/microsoft/retina/blob/7287769254ac5b1597bd617bfb206e8c7047fe3f/pkg/plugin/conntrack/_cprog/conntrack.c#L220 be `TRAFFIC_DIRECTION_UNKNOWN`?
* Is there any particular heuristic behind this ACK detection? https://github.com/microsoft/retina/blob/7287769254ac5b1597bd617bfb206e8c7047fe3f/pkg/plugin/conntrack/_cprog/conntrack.c#L224 Almost all TCP packets should have the ACK flag, so it seems a 50% possibility to get the right direction

## Related Issue

no

## Checklist

- [ ] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [ ] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [ ] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
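The SYN versus SYN-ACK distinction in the commit message above, as an added Go example (not code from this PR or from Retina's `conntrack.c`). All type and function names are hypothetical, and recording an unknown direction for a connection first seen without an initial SYN is an assumption of this sketch.

```go
package main

import "fmt"

// TCP flag bits as laid out in the TCP header.
const (
	flagSYN uint8 = 0x02
	flagACK uint8 = 0x10
)

// Direction of a tracked connection relative to the local endpoint.
type Direction int

const (
	DirUnknown Direction = iota // first packet seen was not an initial SYN
	DirIngress                  // remote peer opened the connection
	DirEgress                   // local endpoint opened the connection
)

func (d Direction) String() string {
	return [...]string{"unknown", "ingress", "egress"}[d]
}

// Hook is the side of the local endpoint on which a packet was observed.
type Hook int

const (
	HookIngress Hook = iota // packet arriving at the local endpoint
	HookEgress              // packet leaving the local endpoint
)

// FlowKey is a hypothetical 4-tuple key (TCP only in this sketch).
type FlowKey struct {
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
}

// Reverse returns the key of the opposite direction of the same flow.
func (k FlowKey) Reverse() FlowKey {
	return FlowKey{SrcIP: k.DstIP, DstIP: k.SrcIP, SrcPort: k.DstPort, DstPort: k.SrcPort}
}

func hookDirection(h Hook) Direction {
	if h == HookEgress {
		return DirEgress
	}
	return DirIngress
}

// DirectionFromAnySYN is the loose check: any packet with SYN set, including
// a SYN-ACK, is taken as the packet that opened the connection.
func DirectionFromAnySYN(flags uint8, h Hook) Direction {
	if flags&flagSYN != 0 {
		return hookDirection(h)
	}
	return DirUnknown
}

// DirectionFromInitialSYN accepts only SYN without ACK, the one packet that
// is always sent by the side that opened the connection.
func DirectionFromInitialSYN(flags uint8, h Hook) Direction {
	if flags&flagSYN != 0 && flags&flagACK == 0 {
		return hookDirection(h)
	}
	return DirUnknown
}

// Tracker keeps one entry per connection, keyed by the first packet seen.
type Tracker struct{ conns map[FlowKey]Direction }

func NewTracker() *Tracker { return &Tracker{conns: make(map[FlowKey]Direction)} }

// Observe returns the connection direction and whether the packet travels
// against the direction of the stored entry (a reply).
func (t *Tracker) Observe(k FlowKey, flags uint8, h Hook) (Direction, bool) {
	if d, ok := t.conns[k]; ok {
		return d, false
	}
	if d, ok := t.conns[k.Reverse()]; ok {
		return d, true
	}
	d := DirectionFromInitialSYN(flags, h) // unknown for SYN-ACK or mid-stream
	t.conns[k] = d
	return d, false
}

func main() {
	client := FlowKey{SrcIP: "10.0.0.1", DstIP: "10.0.0.2", SrcPort: 40000, DstPort: 443}
	synAck := flagSYN | flagACK
	// Tracking started mid-handshake on the server: the first packet seen is
	// the server's SYN-ACK leaving the endpoint, yet the client opened the flow.
	fmt.Println("any-SYN check:    ", DirectionFromAnySYN(synAck, HookEgress))
	late := NewTracker()
	d, _ := late.Observe(client.Reverse(), synAck, HookEgress)
	fmt.Println("initial-SYN check:", d)
}
```

The loose check labels the server's SYN-ACK as an egress connection although the client opened it; the strict check leaves the direction unset instead of guessing.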
Our E2E job is getting skipped in the merge queue, because of YAML parsing errors. We have invalid syntax in the if-statements checking for success of prerequisite jobs that need to run for `manifests` and `E2E` to run. Looks like this used to be ignored and those jobs just ran, while recently GitHub started enforcing stricter YAML syntax validation which is causing these jobs to get skipped! It started about a week ago, example errors at the bottom of the page: https://github.com/microsoft/retina/actions/runs/14842770818
# Description

Adds RBAC to allow querying `endpoints` in the standard chart. Fixes errors introduced by microsoft#1573 for failures to query for `endpoints` when the legacy control plane is deployed.

## Checklist

- [X] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [X] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [X] I have correctly attributed the author(s) of the code.
- [X] I have tested the changes locally.
- [X] I have followed the project's style guidelines.
- [X] I have updated the documentation, if necessary.
- [X] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Deployed with new version of the chart, no longer receive errors like

```
retina ts=2025-05-20T20:23:52.758Z level=error caller=apiserver/apiserver.go:120 msg="failed to initialize new cache" error="failed to retrieve ips from kubernetes endpoint: retrieving kubernetes endpoint: endpoints \"kubernetes\" is forbidden
retina ts=2025-05-20T20:23:52.758Z level=error caller=watchermanager/watchermanager.go:76 msg="refresh failed" error="failed to retrieve ips from kubernetes endpoint: retrieving kubernetes endpoint: endpoints \"kubernetes\" is forbidden
```

Signed-off-by: Matthew McKeen <matthew.mckeen@fastly.com>
…microsoft#1629)

# Description

This warning is being logged too many times.

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.
# Description

Documentation update: Update control-plane and data-plane images in architecture page

## Checklist

- [ ] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [ ] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [ ] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

Signed-off-by: Alex Castilio dos Santos <alexsantos@microsoft.com>
# Description

In this hot code path computing the key for the debug log does a bunch of unnecessary string allocations. Refactor to use `zap` lazy serialization so we only incur this cost when debug logging is turned on.

## Checklist

- [X] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [X] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [X] I have correctly attributed the author(s) of the code.
- [X] I have tested the changes locally.
- [X] I have followed the project's style guidelines.
- [X] I have updated the documentation, if necessary.
- [X] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Deployed with debug logging turned on, logs as expected.

```
retina-agent-q9525 retina ts=2025-05-22T22:50:39.044Z level=debug caller=cache/cache.go:100 msg="pod found for IP" ip=172.26.11.226 pod=platform/thanos-rule-remote-1
retina-agent-q9525 retina ts=2025-05-22T22:50:39.044Z level=debug caller=cache/cache.go:140 msg="pod found for IP" ip=172.26.11.226 pod=platform/thanos-rule-remote-1
retina-agent-q9525 retina ts=2025-05-22T22:50:39.044Z level=debug caller=cache/cache.go:94 msg="pod not found for IP" ip=172.27.12.108
retina-agent-q9525 retina ts=2025-05-22T22:50:39.044Z level=debug caller=cache/cache.go:116 msg="service found for IP" ip=172.27.12.108 svc=platform/thanos-query
```

Signed-off-by: Matthew McKeen <matthew.mckeen@fastly.com>
…tion CRD (microsoft#1636)

# Description

This PR adds information about usage of Annotations and MetricsConfiguration CRD.

## Related Issue

Fixes microsoft#1632

## Checklist

- [ ] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [ ] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [ ] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

Signed-off-by: Alex Castilio dos Santos <alexsantos@microsoft.com>
…icrosoft#1637)

# Description

Allows passing arbitrary environment variables to the DaemonSet in the standard Helm chart.

## Checklist

- [X] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [X] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [X] I have correctly attributed the author(s) of the code.
- [X] I have tested the changes locally.
- [X] I have followed the project's style guidelines.
- [X] I have updated the documentation, if necessary.
- [X] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

No diff between `helm template` with current chart with default values and that from this PR. Diff with provided `env` values shows values added as expected.

```
env:
  - name: test1
    value: test1
  - name: test2
    value: test2
  - name: POD_NAME
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: metadata.name
  - name: NODE_NAME
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: spec.nodeName
```

Signed-off-by: Matthew McKeen <matthew.mckeen@fastly.com>
# Description

Update the Setup and Capture docs to be more concise and clear.

Restructured the Setup page. Added a `Capture with CRD` page for consistency - a little bit of overlap with the Concepts/CRDs/Capture. Renamed headings under Prometheus and Grafana to add "Configuration".

- The setup page had "Next steps: Prometheus & Grafana" at the bottom, even though those were NOT the next steps according to the order of the docs, so removed that text to avoid confusion.

## Related Issue

NA

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

### Setup page

### Capture Overview page

### Capture CLI page

### Capture CRD page

---------

Signed-off-by: Kamil <kamil.prz@gmail.com>
…1641) # Description Please provide a brief description of the changes made in this pull request. ## Related Issue Prevent this issue when running on Cilium CNI and no operator enabled ``` ts=2025-05-30T08:34:19.360Z level=warn caller=logrus-zap-hook@v0.1.0/zap.go:51 msg="pkg/mod/k8s.io/client-go@v0.32.4/tools/cache/reflector.go:251: failed to list *v2.CiliumEndpoint: ciliumendpoints.cilium.io is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot list resource \"ciliumendpoints\" in API group \"cilium.io\" at the cluster scope" subsys=klog ts=2025-05-30T08:34:19.360Z level=error caller=k8s/watcher_linux.go:51 msg="Error watching k8s resource" subsys=k8s-watcher resource=v2.CiliumEndpoint underlyingError="pkg/mod/k8s.io/client-go@v0.32.4/tools/cache/reflector.go:251: Failed to watch *v2.CiliumEndpoint: failed to list *v2.CiliumEndpoint: ciliumendpoints.cilium.io is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot list resource \"ciliumendpoints\" in API group \"cilium.io\" at the cluster scope" ts=2025-05-30T08:34:24.685Z level=warn caller=logrus-zap-hook@v0.1.0/zap.go:51 msg="pkg/mod/k8s.io/client-go@v0.32.4/tools/cache/reflector.go:251: failed to list *v2.CiliumEndpoint: ciliumendpoints.cilium.io is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot list resource \"ciliumendpoints\" in API group \"cilium.io\" at the cluster scope" subsys=klog ts=2025-05-30T08:34:24.685Z level=error caller=k8s/watcher_linux.go:51 msg="Error watching k8s resource" resource=v2.CiliumEndpoint subsys=k8s-watcher underlyingError="pkg/mod/k8s.io/client-go@v0.32.4/tools/cache/reflector.go:251: Failed to watch *v2.CiliumEndpoint: failed to list *v2.CiliumEndpoint: ciliumendpoints.cilium.io is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot list resource \"ciliumendpoints\" in API group \"cilium.io\" at the cluster scope" ts=2025-05-30T08:34:27.605Z level=info 
caller=ciliumeventobserver/ciliumeventobserver_linux.go:146 msg="Connected to cilium monitor" ts=2025-05-30T08:34:36.368Z level=warn caller=logrus-zap-hook@v0.1.0/zap.go:51 msg="pkg/mod/k8s.io/client-go@v0.32.4/tools/cache/reflector.go:251: failed to list *v2.CiliumEndpoint: ciliumendpoints.cilium.io is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot list resource \"ciliumendpoints\" in API group \"cilium.io\" at the cluster scope" subsys=klog ts=2025-05-30T08:34:36.368Z level=error caller=k8s/watcher_linux.go:51 msg="Error watching k8s resource" underlyingError="pkg/mod/k8s.io/client-go@v0.32.4/tools/cache/reflector.go:251: Failed to watch *v2.CiliumEndpoint: failed to list *v2.CiliumEndpoint: ciliumendpoints.cilium.io is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot list resource \"ciliumendpoints\" in API group \"cilium.io\" at the cluster scope" resource=v2.CiliumEndpoint subsys=k8s-watcher ts=2025-05-30T08:34:45.633Z level=error caller=apiserver/apiserver.go:120 msg="failed to initialize new cache" error="failed to retrieve ips from kubernetes endpoint: retrieving kubernetes endpoint: endpoints \"kubernetes\" is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot get resource \"endpoints\" in API group \"\" in the namespace \"default\"" ts=2025-05-30T08:34:45.634Z level=error caller=watchermanager/watchermanager.go:76 msg="refresh failed" error="failed to retrieve ips from kubernetes endpoint: retrieving kubernetes endpoint: endpoints \"kubernetes\" is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot get resource \"endpoints\" in API group \"\" in the namespace \"default\"" ts=2025-05-30T08:34:51.451Z level=warn caller=logrus-zap-hook@v0.1.0/zap.go:51 msg="pkg/mod/k8s.io/client-go@v0.32.4/tools/cache/reflector.go:251: failed to list *v2.CiliumEndpoint: ciliumendpoints.cilium.io is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot list 
resource \"ciliumendpoints\" in API group \"cilium.io\" at the cluster scope" subsys=klog ts=2025-05-30T08:34:51.452Z level=error caller=k8s/watcher_linux.go:51 msg="Error watching k8s resource" underlyingError="pkg/mod/k8s.io/client-go@v0.32.4/tools/cache/reflector.go:251: Failed to watch *v2.CiliumEndpoint: failed to list *v2.CiliumEndpoint: ciliumendpoints.cilium.io is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot list resource \"ciliumendpoints\" in API group \"cilium.io\" at the cluster scope" subsys=k8s-watcher resource=v2.CiliumEndpoint ts=2025-05-30T08:35:17.368Z level=warn caller=logrus-zap-hook@v0.1.0/zap.go:51 msg="pkg/mod/k8s.io/client-go@v0.32.4/tools/cache/reflector.go:251: failed to list *v2.CiliumEndpoint: ciliumendpoints.cilium.io is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot list resource \"ciliumendpoints\" in API group \"cilium.io\" at the cluster scope" subsys=klog ts=2025-05-30T08:35:17.368Z level=error caller=k8s/watcher_linux.go:51 msg="Error watching k8s resource" resource=v2.CiliumEndpoint subsys=k8s-watcher underlyingError="pkg/mod/k8s.io/client-go@v0.32.4/tools/cache/reflector.go:251: Failed to watch *v2.CiliumEndpoint: failed to list *v2.CiliumEndpoint: ciliumendpoints.cilium.io is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot list resource \"ciliumendpoints\" in API group \"cilium.io\" at the cluster scope" ts=2025-05-30T08:35:48.126Z level=warn caller=logrus-zap-hook@v0.1.0/zap.go:51 msg="pkg/mod/k8s.io/client-go@v0.32.4/tools/cache/reflector.go:251: failed to list *v2.CiliumEndpoint: ciliumendpoints.cilium.io is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot list resource \"ciliumendpoints\" in API group \"cilium.io\" at the cluster scope" subsys=klog ts=2025-05-30T08:35:48.126Z level=error caller=k8s/watcher_linux.go:51 msg="Error watching k8s resource" subsys=k8s-watcher 
underlyingError="pkg/mod/k8s.io/client-go@v0.32.4/tools/cache/reflector.go:251: Failed to watch *v2.CiliumEndpoint: failed to list *v2.CiliumEndpoint: ciliumendpoints.cilium.io is forbidden: User \"system:serviceaccount:kube-system:retina-agent\" cannot list resource \"ciliumendpoints\" in API group \"cilium.io\" at the cluster scope" resource=v2.CiliumEndpoint
ts=2025-05-30T08:36:15.604Z level=info caller=endpointmanager/manager.go:588 msg="regenerating all endpoints" subsys=endpoint-manager reason="periodic endpoint regeneration"
```

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.
…icrosoft#1634)

# Description

Update documentation for development contributions

## Checklist

- [ ] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [ ] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [ ] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

---------

Co-authored-by: Simone Rodigari <32323373+SRodi@users.noreply.github.com>
# Description

Fixing broken links added in microsoft#1639

## Related Issue

NA

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

Signed-off-by: Kamil <kamil.prz@gmail.com>
…oft#2019)

# Description

- Add darwin metadata proto and generated types so `RetinaMetadata`/`DNSType` compile on darwin targets.
- Update proto generation to run per-OS protos and include darwin output.

## Testing

- make proto-gen

## Related Issue

- Fixes microsoft#2018

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.
…2028)

# Description

- Add darwin implementation of `GetDropReasonDesc` to fix GoReleaser darwin builds.

## Context

- GoReleaser builds darwin targets; utils package lacked darwin implementation, causing undefined symbol.

## Testing

- Not run (build-only change).

## Related Issue

See issue in this job run (for an unrelated PR) https://github.com/microsoft/retina/actions/runs/21755953385/job/62766139385?pr=1981

## Checklist

- [ ] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [ ] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [ ] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.
…icrosoft#2048)

# Description

Fix unit test reliability issues causing CI flakiness, silent 600-second timeouts, and test-image build failures.

## cache_test.go — Flaky gomock race condition (~50% failure rate)

`cache.publish()` fires `Publish` calls in goroutines. Tests used `time.Sleep(1ms)` to wait for completion, but this was a race condition — `ctrl.Finish()` often ran before the goroutines completed, causing "missing call(s) to Publish" errors.

**Fix:** Replace `time.Sleep` with `sync.WaitGroup` + gomock `.Do()` callbacks to properly synchronize with async publishes.

## ciliumeventobserver — 600s timeout on every CI run (issue microsoft#1688)

The `ciliumeventobserver` test package timed out at 600 seconds on every single CI run, silently reporting as green. Multiple bugs contributed:

1. **`monitorLoop` select/default antipattern**: Used `select { case <-ctx.Done(): ... default: DecodeBinary() }` where the blocking `DecodeBinary` call prevented context cancellation from ever being checked. Replaced with a direct blocking read followed by `ctx.Err()` check after errors.
2. **Goroutine leaks in tests**: Tests never closed `net.Pipe` connections, so `monitorLoop` goroutines remained stuck in blocking reads after tests completed, causing the test process to hang until the 10-minute Go test timeout.
3. **Invalid test payload**: `getPayload()` called `CreateL3L4Payload` without Ethernet/IP/TCP layers, causing the Hubble parser to fail with "Ethernet packet too small". Events never reached the external channel, so tests blocked forever on channel reads.
4. **Missing test config**: `TestStart` didn't set `retryDelay`, defaulting to 12 seconds in `connect()`.
5. **Unbuffered channel race**: `externalChannel` was unbuffered, causing a race with the non-blocking send in `parserLoop`. Events were silently dropped, hitting an uninitialized metrics counter (nil pointer panic).

## setup-envtest — GCS 401 Unauthorized breaking test-image CI

The `setup-envtest` tool pinned at `v0.0.0-20211110210527-619e6b92dab9` (Nov 2021) downloads etcd/kube-apiserver binaries from a GCS bucket using unauthenticated access. GCS recently started returning `401 Unauthorized`, causing `KUBEBUILDER_ASSETS=""` and failing the `TestAPIs` envtest-based test in `pkg/controllers/daemon/retinaendpoint`.

**Fix:** Update `setup-envtest` to `v0.0.0-20250517180713-32e5e9e948a5` (release-0.20 branch), which uses GitHub-based downloads instead of deprecated GCS.

## Lint fixes

- Fixed `nilerr` lint: `monitorLoop` checked `ctx.Err() != nil` but returned `nil` — now returns `ctx.Err()`.
- Fixed `errcheck` lint: unchecked return value of `tcp.SetNetworkLayerForChecksum` in test.

## Related Issue

Fixes microsoft#1688

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Testing Completed

- `cache_test.go`: Ran 50 iterations (`-count=50`), all 400 test executions pass with 0 failures.
- `ciliumeventobserver`: Ran 5 iterations (`-count=5`) with 30s timeout. All 20 tests pass in ~5 seconds total (previously timed out at 600s).
- `setup-envtest`: Verified locally that updated version successfully downloads binaries via GitHub (no more GCS 401).

## Additional Notes

The `monitorLoop` production code change (removing the `select/default` antipattern) is necessary because the old pattern made it impossible to cancel the monitor loop when `DecodeBinary` was blocking. In production, `Stop()` closes the connection which unblocks the read, and the new `ctx.Err()` check ensures clean shutdown.

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
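The shutdown behaviour described in the `ciliumeventobserver` fix above, as an added Go sketch that is not code from the Retina repository: the loop functions, `notifyReader` and `shutdown` are hypothetical names, and a plain `Read` on a `net.Pipe` stands in for `DecodeBinary`. It shows that cancelling the context alone releases neither loop, while cancel plus closing the connection makes the blocking-read version return `ctx.Err()`.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"time"
)

// loopFunc is the shape shared by both sketches of the monitor loop.
type loopFunc func(ctx context.Context, r io.Reader) error

// monitorLoopSelectDefault sketches the select/default pattern: ctx.Done() is
// only polled between reads, so a read that blocks hides the cancellation.
func monitorLoopSelectDefault(ctx context.Context, r io.Reader) error {
	buf := make([]byte, 64)
	for {
		select {
		case <-ctx.Done():
			return ctx.Err()
		default:
			if _, err := r.Read(buf); err != nil {
				return err
			}
		}
	}
}

// monitorLoopBlockingRead sketches the replacement: block in the read and, when
// it fails, report the cancellation if the context has ended.
func monitorLoopBlockingRead(ctx context.Context, r io.Reader) error {
	buf := make([]byte, 64)
	for {
		if _, err := r.Read(buf); err != nil {
			if ctx.Err() != nil {
				return ctx.Err()
			}
			return fmt.Errorf("monitor read: %w", err)
		}
	}
}

// notifyReader signals once the loop has entered Read, so the caller can cancel
// at a known point instead of sleeping and hoping.
type notifyReader struct {
	r       io.Reader
	entered chan struct{}
}

func (n *notifyReader) Read(p []byte) (int, error) {
	select {
	case n.entered <- struct{}{}:
	default:
	}
	return n.r.Read(p)
}

// shutdown starts loop on one end of a net.Pipe, waits until it is reading,
// cancels the context and optionally closes the connection. It reports whether
// the loop returned within 200ms, and with which error.
func shutdown(loop loopFunc, closeConn bool) (bool, error) {
	conn, peer := net.Pipe()
	defer peer.Close()
	defer conn.Close() // releases a loop that is still stuck, so nothing leaks
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()

	r := &notifyReader{r: conn, entered: make(chan struct{}, 1)}
	done := make(chan error, 1)
	go func() { done <- loop(ctx, r) }()

	<-r.entered
	cancel()
	if closeConn {
		conn.Close()
	}
	select {
	case err := <-done:
		return true, err
	case <-time.After(200 * time.Millisecond):
		return false, nil
	}
}

func main() {
	for _, closeConn := range []bool{false, true} {
		ok, err := shutdown(monitorLoopSelectDefault, closeConn)
		fmt.Printf("select/default closeConn=%v returned=%v err=%v\n", closeConn, ok, err)
		ok, err = shutdown(monitorLoopBlockingRead, closeConn)
		fmt.Printf("blocking read  closeConn=%v returned=%v err=%v\n", closeConn, ok, err)
	}
}
```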
…oft#2015)

# Description

Replace `RetinaMetadata` with `structpb.Struct` for flow extensions to enable Hubble CLI JSON marshaling without type registration

Changes:

- Add `NewExtensions()` and `SetExtensions()` helper functions
- Update Add* functions to take `*structpb.Struct` instead of `*RetinaMetadata`
- Update accessor functions to read from Struct
- Update all plugins and tests to use new API

## Related Issue

Closes microsoft#1080

## Checklist

- [ ] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [ ] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [ ] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.
## Screenshots (if applicable) or Testing Completed ```bash {"flow":{"time":"2026-01-31T17:10:38.030385093Z","verdict":"FORWARDED","IP":{"source":"10.10.0.5","destination":"192.168.0.73","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":4244,"destination_port":38112,"flags":{"SYN":true,"ACK":true}}},"source":{"ID":1,"identity":1,"labels":["reserved:host"]},"destination":{"ID":51516,"identity":51516,"namespace":"kube-system","labels":["k8s:io.cilium.k8s.namespace.labels.kubernetes.azure.com/managedby=aks","k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system","k8s:io.cilium.k8s.policy.cluster=default","k8s:k8s-app=hubble-relay","k8s:io.cilium.k8s.namespace.labels.addonmanager.kubernetes.io/mode=Reconcile","k8s:io.cilium.k8s.namespace.labels.control-plane=true","k8s:io.cilium.k8s.namespace.labels.kubernetes.io/cluster-service=true","k8s:io.cilium.k8s.policy.serviceaccount=hubble-relay","k8s:io.kubernetes.pod.namespace=kube-system","k8s:pod-template-hash=6b7c54d9ff","k8s:app.kubernetes.io/name=hubble-relay","k8s:app.kubernetes.io/part-of=cilium"],"pod_name":"hubble-relay-6b7c54d9ff-2lsqj"},"Type":"L3_L4","event_type":{"type":4},"traffic_direction":"EGRESS","trace_observation_point":"TO_ENDPOINT","is_reply":true,"Summary":"TCP Flags: SYN:true ACK:true","extensions":{"@type":"type.googleapis.com/google.protobuf.Struct","value":{"bytes":74,"previously_observed_tcp_flags":{"ACK":0,"CWR":0,"ECE":0,"FIN":0,"NS":0,"PSH":0,"RST":0,"SYN":0,"URG":0}}}},"time":"2026-01-31T17:10:38.030385093Z"} 
{"flow":{"time":"2026-01-31T17:10:38.030403862Z","verdict":"FORWARDED","IP":{"source":"192.168.0.73","destination":"10.10.0.5","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":38112,"destination_port":4244,"flags":{"ACK":true}}},"source":{"ID":51516,"identity":51516,"namespace":"kube-system","labels":["k8s:io.cilium.k8s.namespace.labels.kubernetes.azure.com/managedby=aks","k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system","k8s:io.cilium.k8s.policy.cluster=default","k8s:k8s-app=hubble-relay","k8s:io.cilium.k8s.namespace.labels.addonmanager.kubernetes.io/mode=Reconcile","k8s:io.cilium.k8s.namespace.labels.control-plane=true","k8s:io.cilium.k8s.namespace.labels.kubernetes.io/cluster-service=true","k8s:io.cilium.k8s.policy.serviceaccount=hubble-relay","k8s:io.kubernetes.pod.namespace=kube-system","k8s:pod-template-hash=6b7c54d9ff","k8s:app.kubernetes.io/name=hubble-relay","k8s:app.kubernetes.io/part-of=cilium"],"pod_name":"hubble-relay-6b7c54d9ff-2lsqj"},"destination":{"ID":1,"identity":1,"labels":["reserved:host"]},"Type":"L3_L4","event_type":{"type":4,"sub_type":3},"traffic_direction":"EGRESS","trace_observation_point":"TO_STACK","is_reply":false,"Summary":"TCP Flags: ACK:true","extensions":{"@type":"type.googleapis.com/google.protobuf.Struct","value":{"bytes":66,"previously_observed_tcp_flags":{"ACK":0,"CWR":0,"ECE":0,"FIN":0,"NS":0,"PSH":0,"RST":0,"SYN":0,"URG":0}}}},"time":"2026-01-31T17:10:38.030403862Z"} {"flow":{"time":"2026-01-31T17:10:38.030513168Z","verdict":"DROPPED","IP":{"source":"0.0.0.0","destination":"0.0.0.0","ipVersion":"IPv4"},"source":{"ID":2,"identity":2,"labels":["reserved:world"]},"destination":{"ID":2,"identity":2,"labels":["reserved:world"]},"Type":"L3_L4","event_type":{"type":1},"traffic_direction":"INGRESS","trace_observation_point":"FROM_NETWORK","Summary":"Drop Reason: TCP_ACCEPT_BASIC\nNote: This reason is most accurate. 
Prefer over others while using Hubble CLI.","extensions":{"@type":"type.googleapis.com/google.protobuf.Struct","value":{"drop_reason":"TCP_ACCEPT_BASIC"}}},"time":"2026-01-31T17:10:38.030513168Z"} {"flow":{"time":"2026-01-31T17:10:38.030525215Z","verdict":"FORWARDED","IP":{"source":"192.168.0.73","destination":"10.10.0.5","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":38112,"destination_port":4244,"flags":{"PSH":true,"ACK":true}}},"source":{"ID":51516,"identity":51516,"namespace":"kube-system","labels":["k8s:io.cilium.k8s.namespace.labels.kubernetes.azure.com/managedby=aks","k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=kube-system","k8s:io.cilium.k8s.policy.cluster=default","k8s:k8s-app=hubble-relay","k8s:io.cilium.k8s.namespace.labels.addonmanager.kubernetes.io/mode=Reconcile","k8s:io.cilium.k8s.namespace.labels.control-plane=true","k8s:io.cilium.k8s.namespace.labels.kubernetes.io/cluster-service=true","k8s:io.cilium.k8s.policy.serviceaccount=hubble-relay","k8s:io.kubernetes.pod.namespace=kube-system","k8s:pod-template-hash=6b7c54d9ff","k8s:app.kubernetes.io/name=hubble-relay","k8s:app.kubernetes.io/part-of=cilium"],"pod_name":"hubble-relay-6b7c54d9ff-2lsqj"},"destination":{"ID":1,"identity":1,"labels":["reserved:host"]},"Type":"L3_L4","event_type":{"type":4,"sub_type":3},"traffic_direction":"EGRESS","trace_observation_point":"TO_STACK","is_reply":false,"Summary":"TCP Flags: PSH:true ACK:true","extensions":{"@type":"type.googleapis.com/google.protobuf.Struct","value":{"bytes":90,"previously_observed_tcp_flags":{"ACK":0,"CWR":0,"ECE":0,"FIN":0,"NS":0,"PSH":0,"RST":0,"SYN":0,"URG":0}}}},"time":"2026-01-31T17:10:38.030525215Z"} ``` <img width="2871" height="526" alt="image" src="https://github.com/user-attachments/assets/80d5b4a7-1ba8-47f6-9285-a9c82e9519bc" /> ## Additional Notes Add any additional notes or context about the pull request here. 
Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
# Description

Switch remaining ARM64 image build jobs to native `ubuntu-24.04-arm` runners instead of QEMU emulation on x86 `ubuntu-latest`. This follows the same pattern established for `retina-shell-images` in PR microsoft#2024.

## Related Issue

Follows up on microsoft#2024 (fix(ci): use native arm64 runners for shell image build).

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

YAML syntax validated. Changes are consistent with the existing `retina-shell-images` pattern already running in CI.

**Jobs migrated (6 total across 2 files):**

| Job | File |
|-----|------|
| `retina-images` | `images.yaml` |
| `operator-images` | `images.yaml` |
| `kubectl-retina-images` | `images.yaml` |
| `retina-images` | `release-images.yaml` |
| `operator-images` | `release-images.yaml` |
| `kubectl-retina-images` | `release-images.yaml` |

**Changes per job:**

- `runs-on`: `ubuntu-latest` → `${{ matrix.runner }}`
- Matrix converted from simple arrays to explicit `include` entries with `runner` field (`ubuntu-latest` for amd64, `ubuntu-24.04-arm` for arm64)
- Removed `docker/setup-qemu-action` step (no longer needed for native builds)
- Updated job names to include `(${{ matrix.platform }}, ${{ matrix.arch }})` for clarity

**Not changed:**

- `manifests` jobs — still use QEMU as needed for multi-arch manifest inspection
- `retina-shell-images` — already migrated in microsoft#2024

## Additional Notes

The only remaining `setup-qemu-action` references are in the `manifests` jobs, which correctly still need it.

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
….19.7 (microsoft#2014) Bumps [github.com/aws/aws-sdk-go-v2/credentials](https://github.com/aws/aws-sdk-go-v2) from 1.18.10 to 1.19.7. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aws/aws-sdk-go-v2/commit/e2e9697d8ebe330a7435716c2f31b1cea4dff3c0"><code>e2e9697</code></a> Release 2025-01-31</li> <li><a href="https://github.com/aws/aws-sdk-go-v2/commit/6576a0939a79d5f31eef10164750faedd78a45d4"><code>6576a09</code></a> Regenerated Clients</li> <li><a href="https://github.com/aws/aws-sdk-go-v2/commit/f762573ab5d9286d9751d49091f6a240c12c0742"><code>f762573</code></a> Update API model</li> <li><a href="https://github.com/aws/aws-sdk-go-v2/commit/c94df29ecd457e8ec40931fd2fe54d8da2f93ce2"><code>c94df29</code></a> add transfer manager doc header (<a href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/2990">#2990</a>)</li> <li><a href="https://github.com/aws/aws-sdk-go-v2/commit/880543ce2034570eb3b93c4811289c3b0e55600f"><code>880543c</code></a> revert the revert on the transfer manager beta (<a href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/2993">#2993</a>)</li> <li><a href="https://github.com/aws/aws-sdk-go-v2/commit/8da49e527e317a77ef0f1b2f52b4dc72a4fbd720"><code>8da49e5</code></a> switch to code-generated waiters for remaining services (<a href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/2994">#2994</a>)</li> <li><a href="https://github.com/aws/aws-sdk-go-v2/commit/c7c68659ce67e5b7e18f31bc66068cec9e3d790d"><code>c7c6865</code></a> Release 2025-01-30</li> <li><a href="https://github.com/aws/aws-sdk-go-v2/commit/70f736c5dc0b8652c5fe5c387b2165c3b9beddb1"><code>70f736c</code></a> Regenerated Clients</li> <li><a href="https://github.com/aws/aws-sdk-go-v2/commit/28731c2bdef3c2555a95632396b6d4936e58099d"><code>28731c2</code></a> Update endpoints model</li> <li><a href="https://github.com/aws/aws-sdk-go-v2/commit/3505e4b255c327a1fa38f870612c327b93302dc0"><code>3505e4b</code></a> Update API model</li> <li>Additional commits 
viewable in <a href="https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.10...service/m2/v1.19.7">compare view</a></li> </ul> </details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Description

Comprehensive CI hardening across all workflow files, devcontainer fixes, and coverage reporting.

### Actions pinned to SHA

- Pin all 50+ GitHub Action references to SHA digests with version comments
- Bump to latest versions: CodeQL v4.32.3, golangci-lint-action v9.2.0, goreleaser-action v6.4.0, markdownlint-cli2-action v22.0.0, trivy-action 0.34.0, create-pull-request v8.1.0, stale v10.1.1, and others
- Eliminates supply chain risk from mutable version tags (including `actions/stale@main`)

### Workflow hardening

- **Concurrency groups** added to 8 workflows to cancel duplicate runs
- **timeout-minutes** added to all 37 jobs across all workflows
- **Explicit permissions** added to workflows missing them (commit-message, test-multicloud, markdownlint, release-validation)
- **Permissions reduced** in test.yaml (removed unnecessary issues/pull-requests/security-events write)
- **Path filters** added to docs and markdownlint workflows

### Bug fixes

- **Trivy**: skip scan when triggering release workflow failed (eliminates ~82% of trivy failures); use latest release tag for scheduled/manual scans instead of HEAD SHA
- **Merge queue bypass removed**: golangci-lint and CodeQL now run on merge_group events
- **Shell expansion fix**: `$(make version)` and `$(curl ...)` in YAML `with:` blocks don't execute — restructured perf-schedule.yaml with a `get-tag` job and fixed images.yaml perf-test calls
- **Release validation**: only runs when triggering workflow succeeded
- **Stale outputs**: quoted to prevent injection
- **Coverage scripts**: fixed hardcoded `owner = "azure"` → `"microsoft"`, fixed workflow filename `"retina-test.yaml"` → `"test.yaml"`, added guard for empty workflow runs
- **Makefile coverage target**: fixed grep pattern that silently failed to filter `_generated.go` files (mixed escaped/unescaped `|` in BRE mode)

### Test coverage reporting

- **Step summary**: every test run now posts total coverage percentage and lowest-coverage packages to `$GITHUB_STEP_SUMMARY`
- **PR comment**: on pull requests, fetches main branch coverage, diffs it, and posts/updates a coverage comparison comment showing per-file increases/decreases
- Handles 403 gracefully for fork PRs (insufficient `GITHUB_TOKEN` permissions) — falls back to step summary
- Wires up the existing but disconnected `scripts/coverage/` infrastructure

### GoReleaser

- Added `checksum` and `sboms` sections for release artifact integrity

### Devcontainer

- Upgraded base image from Ubuntu Jammy (22.04) to Noble (24.04)
- Pinned Go version to 1.24.11 (matches go.mod)
- Fixed LLVM/Clang from version 14 to 16 (matches project requirements)
- Added `clang` and `llvm-strip` symlinks
- Installed `gofumpt` (required by `make fmt`)
- Added docker readiness check before `kind create cluster`
- Hardened install script with `set -euo pipefail`
- Removed redundant `common-utils` feature

## Related Issue

N/A — proactive hardening based on CI failure analysis.

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`).
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

- Verified zero unpinned actions remain (`grep` for `@v\d` and `@main` returns no matches)
- Verified zero `IS_NOT_MERGE_GROUP` references remain
- Verified all 37 jobs have `timeout-minutes` set
- YAML syntax validated across all workflow files

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
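One way to run the "zero unpinned actions" check from the commit message above, as an added example rather than the project's own script: it generalizes the `grep` for `@v\d` and `@main` to flag any `uses:` reference that is not a full 40-character commit SHA, and also flags a pinned reference that lost its version comment. The workflow text, the `example-org` action names and both SHA values are constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleWorkflow is constructed input; only actions/stale@main comes from the page.
const sampleWorkflow = `name: stale
on:
  schedule:
    - cron: "0 0 * * *"
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@main
      - uses: example-org/setup-tool@v3
      - uses: example-org/scan-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/lint-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-build
      - name: tagged release branch
        uses: example-org/deploy-action@release-1
`

// Finding is one `uses:` reference whose content can change without a commit here.
type Finding struct {
	Line   int
	Ref    string
	Reason string
}

const (
	reasonMutable   = "mutable tag or branch"
	reasonNoRef     = "no ref given"
	reasonNoComment = "pinned to a SHA but missing the version comment"
	reasonImage     = "container image not pinned by digest"
)

var (
	// usesRe captures the reference and an optional trailing comment.
	usesRe = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)["']?\s*(?:#\s*(.*))?$`)
	// shaRe matches a full 40-hex commit SHA; abbreviated SHAs are not accepted.
	shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// auditWorkflow scans workflow text line by line and returns every step-level
// or job-level `uses:` reference that is not immutably pinned.
func auditWorkflow(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		m := usesRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		ref, comment := m[1], strings.TrimSpace(m[2])
		at := strings.LastIndex(ref, "@")
		reason := ""
		switch {
		case strings.HasPrefix(ref, "./"):
			// Local action: versioned together with the workflow itself.
		case strings.HasPrefix(ref, "docker://"):
			if !strings.Contains(ref, "@sha256:") {
				reason = reasonImage
			}
		case at < 0:
			reason = reasonNoRef
		case !shaRe.MatchString(ref[at+1:]):
			reason = reasonMutable
		case comment == "":
			reason = reasonNoComment
		}
		if reason != "" {
			out = append(out, Finding{Line: n, Ref: ref, Reason: reason})
		}
	}
	return out
}

func main() {
	for _, f := range auditWorkflow(sampleWorkflow) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Ref, f.Reason)
	}
}
```

The `@release-1` reference on line 15 of the sample is the case a pattern limited to `@v\d` and `@main` would not report.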
Bumps [actions/stale](https://github.com/actions/stale) from 10.1.1 to 10.2.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/stale/releases">actions/stale's releases</a>.</em></p> <blockquote> <h2>v10.2.0</h2> <h2>What's Changed</h2> <h3>Bug Fix</h3> <ul> <li>Fix checking state cache (fix <a href="https://redirect.github.com/actions/stale/issues/1136">#1136</a>) and switch to Octokit helper methods by <a href="https://github.com/itchyny"><code>@itchyny</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1152">actions/stale#1152</a></li> </ul> <h3>Dependency Updates</h3> <ul> <li>Upgrade js-yaml from 4.1.0 to 4.1.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1304">actions/stale#1304</a></li> <li>Upgrade lodash from 4.17.21 to 4.17.23 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1313">actions/stale#1313</a></li> <li>Upgrade actions/cache from 4.0.3 to 5.0.2 and actions/github from 5.1.1 to 7.0.0 by <a href="https://github.com/chiranjib-swain"><code>@chiranjib-swain</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1312">actions/stale#1312</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/itchyny"><code>@itchyny</code></a> made their first contribution in <a href="https://redirect.github.com/actions/stale/pull/1152">actions/stale#1152</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/stale/compare/v10...v10.2.0">https://github.com/actions/stale/compare/v10...v10.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/stale/commit/b5d41d4e1d5dceea10e7104786b73624c18a190f"><code>b5d41d4</code></a> build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (<a 
href="https://redirect.github.com/actions/stale/issues/1313">#1313</a>)</li> <li><a href="https://github.com/actions/stale/commit/dcd2b9469d2220b7e8d08aedc00c105d277fd46b"><code>dcd2b94</code></a> Fix punycode and url.parse Deprecation Warnings (<a href="https://redirect.github.com/actions/stale/issues/1312">#1312</a>)</li> <li><a href="https://github.com/actions/stale/commit/d6f8a33132340b15a7006f552936e4b9b39c00ec"><code>d6f8a33</code></a> build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (<a href="https://redirect.github.com/actions/stale/issues/1304">#1304</a>)</li> <li><a href="https://github.com/actions/stale/commit/a21a0816299b11691f9592ef0d63d08e02f06d9d"><code>a21a081</code></a> Fix checking state cache (fix <a href="https://redirect.github.com/actions/stale/issues/1136">#1136</a>), also switch to octokit methods (<a href="https://redirect.github.com/actions/stale/issues/1152">#1152</a>)</li> <li>See full diff in <a href="https://github.com/actions/stale/compare/997185467fa4f803885201cee163a9f38240193d...b5d41d4e1d5dceea10e7104786b73624c18a190f">compare view</a></li> </ul> </details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Description

Bump shell tool versions:

- **pwru**: v1.0.9 → v1.0.11 ([release notes](https://github.com/cilium/pwru/releases/tag/v1.0.11))
- **hubble CLI**: v1.18.3 → v1.18.6 ([release notes](https://github.com/cilium/hubble/releases/tag/v1.18.6))

## Related Issue

N/A

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

- Verified pwru v1.0.11 release asset URL resolves: `curl -sfIL "https://github.com/cilium/pwru/releases/download/v1.0.11/pwru-linux-amd64.tar.gz"`
- Verified hubble v1.18.6 release exists on GitHub

Signed-off-by: Quang Nguyen <quang@nddq.dev>
Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
## Description

Bump all Docusaurus site dependencies to latest compatible versions to resolve 2 high-severity `qs` vulnerabilities.

## Related Issue

N/A

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`).
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

- `npm audit` → 0 vulnerabilities
- `npm run build` → clean build, no warnings

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
…time (microsoft#1921)

# Description

With advanced metrics, high-cardinality labels can cause the metrics export to bloat leading to unbounded memory and resource usage.

This PR sets up an optional TTL for advanced metrics defined in the `MetricsConfiguration` CRD. By default, the TTL is infinite and cleanup is not tracked or done. When defined, on a period equal to the TTL metrics which have not been updated within the last TTL duration will be removed from the metrics export.

For counters and gauges that look like counters, this will be treated by Prometheus similar to any other missing metric (for example from an application restart). As long as functions like `rate` or `increase` are used, calculations will remain accurate.

This also includes a refactor of the base metrics object as an interface, allowing mocking in tests and a clean API contract with child objects that compose it.

## Related Issue

microsoft#1692

## Checklist

- [X] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [X] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [X] I have correctly attributed the author(s) of the code.
- [X] I have tested the changes locally.
- [X] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Deployed, modified CRD to enable/disable and change the TTL. Metrics are re-initialized as expected. Made sure that CRD validation rejects invalid TTL values. Also, added comprehensive tests for the TTL-based cleanup logic.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.

Signed-off-by: Matthew McKeen <matthew.mckeen@fastly.com>
Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.13.0 to 1.14.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/helm/kind-action/releases">helm/kind-action's releases</a>.</em></p> <blockquote> <h2>v1.14.0</h2> <h2>What's Changed</h2> <ul> <li>Bump actions/checkout from 5.0.0 to 6.0.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/helm/kind-action/pull/153">helm/kind-action#153</a></li> <li>bump kind to v0.31.0 and k8s to v1.35.0 by <a href="https://github.com/MrFreezeex"><code>@MrFreezeex</code></a> in <a href="https://redirect.github.com/helm/kind-action/pull/155">helm/kind-action#155</a></li> <li>Bump actions/checkout from 6.0.1 to 6.0.2 in the actions group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/helm/kind-action/pull/156">helm/kind-action#156</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/MrFreezeex"><code>@MrFreezeex</code></a> made their first contribution in <a href="https://redirect.github.com/helm/kind-action/pull/155">helm/kind-action#155</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/helm/kind-action/compare/v1...v1.14.0">https://github.com/helm/kind-action/compare/v1...v1.14.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/helm/kind-action/commit/ef37e7f390d99f746eb8b610417061a60e82a6cc"><code>ef37e7f</code></a> Bump actions/checkout from 6.0.1 to 6.0.2 in the actions group (<a href="https://redirect.github.com/helm/kind-action/issues/156">#156</a>)</li> <li><a href="https://github.com/helm/kind-action/commit/f5f117a566cacf2b7e54d9ddbfa40584fdf3b127"><code>f5f117a</code></a> bump kind to v0.31.0 and k8s to v1.35.0 (<a href="https://redirect.github.com/helm/kind-action/issues/155">#155</a>)</li> <li><a 
href="https://github.com/helm/kind-action/commit/2cd8ada7be24dd8f8446296d86376de928fe2df5"><code>2cd8ada</code></a> Bump actions/checkout from 5.0.0 to 6.0.1 (<a href="https://redirect.github.com/helm/kind-action/issues/153">#153</a>)</li> <li>See full diff in <a href="https://github.com/helm/kind-action/compare/92086f6be054225fa813e0a4b13787fc9088faab...ef37e7f390d99f746eb8b610417061a60e82a6cc">compare view</a></li> </ul> </details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary

- remove Windows Server 2019 support across build/test targets
- align Windows image defaults to 2022+ and update manifests
- clean up related CLI mappings, scripts, and docs

## Changes

- drop 2019 from Windows build matrices and manifest targets
- remove Windows 2019 Dockerfiles and base image references
- remove 2019 OS image mapping and tests in capture download
- update AKS deploy script and README note
- update image metadata artifacts to remove ltsc2019

## Testing

- not run (not requested)

## Notes

- Windows builds remain enabled for 2022+ only

## Related Issue

- Fixes microsoft#2075

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Please add any relevant screenshots or GIFs to showcase the changes made.

## Additional Notes

- This PR is required to unblock CI, see for example https://github.com/microsoft/retina/actions/runs/22350794227/job/64686829439

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.
…ump (microsoft#2067)

# Description

The v9 → v22 bump of `markdownlint-cli2-action` in microsoft#2060 broke the Markdown Lint CI check for all PRs. The `command` input was removed in v22 and replaced with a dedicated `config` input. The old invocation silently ignored both `command: config` and the config file path inside `globs`, causing all files to be linted with default rules — including MD013 (line-length) which the project explicitly disables in `.github/.markdownlint.json`.

This PR switches to the v22 `config` input so the config file is actually applied.

## Related Issue

N/A

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

CI will validate — this is a workflow-only change. The fix is self-verifying: if the config is applied correctly, MD013 violations from existing files (e.g., `SECURITY.md`, `test/e2e/README.md`) will stop appearing.

## Additional Notes

N/A

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
…oft#2078)

## Description

This PR updates the markdown linter configuration to disable the following rules:

- **MD058**: Omit break at the end of a block.
- **MD059**: Omit break inside a block.
- **MD060**: Omit break after a header.

These changes reduce noise in the linting process for existing documentation.

## Related Issue

- See CI job failure: https://github.com/microsoft/retina/actions/runs/22402204231/job/64851720792?pr=1981

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

Please add any relevant screenshots or GIFs to showcase the changes made.

## Additional Notes

Add any additional notes or context about the pull request here.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.
…k issue tracing (microsoft#2061)

# Description

## Summary

New `bpftrace` subcommand for real-time tracing of network issues on Kubernetes nodes using eBPF/bpftrace.

## Use Cases

- Debug packet drops on a node (e.g., NetworkPolicy blocks, routing issues)
- Trace TCP connection failures (RST sent/received, connection refused)
- Identify retransmissions indicating packet loss or congestion
- Filter events by IP or subnet to focus on specific endpoints

```bash
# Trace all events (default)
kubectl retina bpftrace <node>

# Trace only drops and RSTs for a specific IP
kubectl retina bpftrace <node> --drops --rst --ip 10.244.1.15

# Trace retransmits for a subnet
kubectl retina bpftrace <node> --retransmits --cidr 10.244.0.0/16
```

## What's Implemented

### New CLI Command: `kubectl retina bpftrace <node-name>`

Traces network issues on a specified Kubernetes node with the following capabilities:

**Event Types Captured:**

| Type | Probe | Description |
|------|-------|-------------|
| DROP | `kfree_skb` | Packet drops with kernel reason codes (e.g., NETFILTER_DROP for NetworkPolicy) |
| RST_SENT | `tcp_send_reset` | TCP RST packets sent by this host |
| RST_RECV | `tcp_receive_reset` | TCP RST packets received by this host |
| SOCK_ERR | `inet_sk_error_report` | Socket errors (ECONNREFUSED, ETIMEDOUT, etc.) |
| RETRANS | `tcp_retransmit_skb` | TCP retransmissions indicating packet loss |

## Flags

| Flag | Description |
|------|-------------|
| `--ip` | Filter by IP address (src or dst) |
| `--cidr` | Filter by CIDR (src or dst) |
| `--drops` | Enable only packet drop events |
| `--rst` | Enable only TCP RST events |
| `--errors` | Enable only socket error events |
| `--retransmits` | Enable only retransmit events |
| `--all` | Enable all events (default) |
| `--duration` | Trace duration (0 = until Ctrl-C) |
| `--startup-timeout` | Pod startup timeout |
| `-o, --output` | Output format: `table` or `json` |

When no event flags are specified, all events are traced.
## Related Issue

If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request.

## Checklist

- [ ] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [ ] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [ ] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [ ] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

<img width="956" height="893" alt="image" src="https://github.com/user-attachments/assets/cfefd21a-03a7-4518-88c5-66a28d3a4145" />

## Additional Notes

## Limitations

- **IPv4 only**: IPv6 not supported
- **Linux only**: Windows nodes not supported
- **Cilium CNI**: DROP events won't capture Cilium policy drops (Cilium uses eBPF datapath, not netfilter/kfree_skb)

## Testing

```bash
# Build
go build -o kubectl-retina ./cli

# E2E test (validates all 4 event types)
./test/e2e/test_bpftrace_drops.sh

# Manual
NODE=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')
./kubectl-retina bpftrace $NODE --duration 30s --retina-shell-image-version v1.0.3
```

## Security

- IP/CIDR inputs validated and converted to hex (injection-safe)
- Commands executed via array-based exec (no shell)
- Pod uses minimal capabilities for bpftrace

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.

---------

Signed-off-by: Alex Castilio dos Santos <alexsantos@microsoft.com>
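The Security section of the bpftrace commit above says `--ip`/`--cidr` values are validated and converted to hex before they are used. A sketch of that pattern in Go, added here as an illustration and not Retina's own code: `ParseFilter`, `Filter`, `Condition`, the `$saddr`/`$daddr` script variables and the big-endian integer form are all assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// ErrNotIPv4 is returned for anything that is not a plain IPv4 address or CIDR.
var ErrNotIPv4 = errors.New("filter must be an IPv4 address or IPv4 CIDR")

// Filter is the numeric form of a validated --ip or --cidr value.
type Filter struct {
	Net  uint32 // network address, the four octets read as a big-endian integer
	Mask uint32 // netmask; 0xffffffff for a single address
}

// ParseFilter validates user input and reduces it to two integers.
// The original string is never used again after this function returns.
func ParseFilter(input string) (Filter, error) {
	var addr netip.Addr
	bits := 32
	if strings.Contains(input, "/") {
		p, err := netip.ParsePrefix(input)
		if err != nil {
			return Filter{}, fmt.Errorf("%w: %v", ErrNotIPv4, err)
		}
		addr, bits = p.Addr(), p.Bits()
	} else {
		a, err := netip.ParseAddr(input)
		if err != nil {
			return Filter{}, fmt.Errorf("%w: %v", ErrNotIPv4, err)
		}
		addr = a
	}
	// Is4 is false for IPv6 and for IPv4-mapped IPv6 (::ffff:a.b.c.d),
	// matching the "IPv4 only" limitation stated in the commit message.
	if !addr.Is4() {
		return Filter{}, ErrNotIPv4
	}
	// A shift by 32 (prefix length 0) yields 0 for unsigned values in Go.
	mask := ^uint32(0) << (32 - bits)
	octets := addr.As4()
	return Filter{Net: binary.BigEndian.Uint32(octets[:]) & mask, Mask: mask}, nil
}

// Condition renders the filter as a bpftrace boolean expression.
// $saddr and $daddr are hypothetical script variables assumed to hold the
// packet addresses as big-endian-interpreted 32-bit integers. Only fixed
// text and hex digits formatted from integers appear in the output, so no
// byte of the user's string can reach the generated script.
func (f Filter) Condition() string {
	return fmt.Sprintf("(($saddr & 0x%08x) == 0x%08x || ($daddr & 0x%08x) == 0x%08x)",
		f.Mask, f.Net, f.Mask, f.Net)
}

func main() {
	// Constructed inputs: two valid filters and three that must be rejected.
	inputs := []string{
		"10.244.1.15",
		"10.244.1.15/16",
		"fd00::1",
		"::ffff:10.244.1.15",
		"10.244.1.15 || 1 == 1",
	}
	for _, in := range inputs {
		f, err := ParseFilter(in)
		if err != nil {
			fmt.Printf("%-26q rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-26q -> %s\n", in, f.Condition())
	}
}
```

Rejecting at parse time and emitting only formatted integers means the filter needs no escaping step that could later be bypassed.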
…arn group across 1 directory (microsoft#2070) Bumps the npm_and_yarn group with 1 update in the /site directory: [ajv](https://github.com/ajv-validator/ajv). Updates `ajv` from 6.12.6 to 6.14.0 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ajv-validator/ajv/commit/e3af0a723b4b7ad86eff43be355c706d31e0e915"><code>e3af0a7</code></a> 6.14.0</li> <li><a href="https://github.com/ajv-validator/ajv/commit/b552ed66191eb338498df3196065c777e3bb71f2"><code>b552ed6</code></a> add regExp option to address $data exploit via a regular expression (CVE-2025...</li> <li><a href="https://github.com/ajv-validator/ajv/commit/72f228665859eed5e2be3a66f8c4a7aff6b34dcf"><code>72f2286</code></a> docs: update v7 info</li> <li><a href="https://github.com/ajv-validator/ajv/commit/231e52b3bca62559202b95e5fb5cee02145b226a"><code>231e52b</code></a> Merge pull request <a href="https://redirect.github.com/ajv-validator/ajv/issues/1320">#1320</a> from philsturgeon/patch-1</li> <li><a href="https://github.com/ajv-validator/ajv/commit/d3475fc20416c33fe030c8aa3b09fa411f325bbd"><code>d3475fc</code></a> Add spectral, an AJV util from a sponsor</li> <li><a href="https://github.com/ajv-validator/ajv/commit/413afe01f518ea74d1740a7cb211df787c585544"><code>413afe0</code></a> docs: v7.0.0-beta.3</li> <li><a href="https://github.com/ajv-validator/ajv/commit/11e997bda2f3eecb445c1e5a07d96ef7e81c5f5d"><code>11e997b</code></a> update readme for v7</li> <li>See full diff in <a href="https://github.com/ajv-validator/ajv/compare/v6.12.6...v6.14.0">compare view</a></li> </ul> </details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.3 to 4.32.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action's releases</a>.</em></p> <blockquote> <h2>v4.32.4</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li> <li>Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. <a href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li> <li>When the CodeQL Action is run <a href="https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup">with debugging enabled in Default Setup</a> and <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. 
<a href="https://redirect.github.com/github/codeql-action/pull/3486">#3486</a></li> <li>Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3485">#3485</a></li> <li>Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a <a href="https://github.com/dsp-testing/codeql-cli-nightlies">nightly CodeQL CLI release</a> instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3484">#3484</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>4.32.4 - 20 Feb 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>. 
<a href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li> <li>Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. <a href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li> <li>When the CodeQL Action is run <a href="https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup">with debugging enabled in Default Setup</a> and <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. <a href="https://redirect.github.com/github/codeql-action/pull/3486">#3486</a></li> <li>Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. 
<a href="https://redirect.github.com/github/codeql-action/pull/3485">#3485</a></li> <li>Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a <a href="https://github.com/dsp-testing/codeql-cli-nightlies">nightly CodeQL CLI release</a> instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3484">#3484</a></li> </ul> <h2>4.32.3 - 13 Feb 2026</h2> <ul> <li>Added experimental support for testing connections to <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries</a>. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. <a href="https://redirect.github.com/github/codeql-action/pull/3466">#3466</a></li> </ul> <h2>4.32.2 - 05 Feb 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1">2.24.1</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3460">#3460</a></li> </ul> <h2>4.32.1 - 02 Feb 2026</h2> <ul> <li>A warning is now shown in Default Setup workflow logs if a <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registry is configured</a> using a GitHub Personal Access Token (PAT), but no username is configured. <a href="https://redirect.github.com/github/codeql-action/pull/3422">#3422</a></li> <li>Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. 
<a href="https://redirect.github.com/github/codeql-action/pull/3421">#3421</a></li> </ul> <h2>4.32.0 - 26 Jan 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0">2.24.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3425">#3425</a></li> </ul> <h2>4.31.11 - 23 Jan 2026</h2> <ul> <li>When running a Default Setup workflow with <a href="https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging">Actions debugging enabled</a>, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. <a href="https://redirect.github.com/github/codeql-action/pull/3409">#3409</a></li> <li>Improved error handling throughout the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3415">#3415</a></li> <li>Added experimental support for automatically excluding <a href="https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github">generated files</a> from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. <a href="https://redirect.github.com/github/codeql-action/pull/3318">#3318</a></li> <li>The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. <a href="https://redirect.github.com/github/codeql-action/pull/3403">#3403</a></li> </ul> <h2>4.31.10 - 12 Jan 2026</h2> <ul> <li>Update default CodeQL bundle version to 2.23.9. 
<a href="https://redirect.github.com/github/codeql-action/pull/3393">#3393</a></li> </ul> <h2>4.31.9 - 16 Dec 2025</h2> <p>No user facing changes.</p> <h2>4.31.8 - 11 Dec 2025</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/89a39a4e59826350b863aa6b6252a07ad50cf83e"><code>89a39a4</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3494">#3494</a> from github/update-v4.32.4-39ba80c47</li> <li><a href="https://github.com/github/codeql-action/commit/e5d84c885c00d506f7816d26a298534dbbffac6d"><code>e5d84c8</code></a> Apply remaining review suggestions</li> <li><a href="https://github.com/github/codeql-action/commit/0c202097b5de484e2a3725d4467f9cb7e3107881"><code>0c20209</code></a> Apply suggestions from code review</li> <li><a href="https://github.com/github/codeql-action/commit/314172e5a1e1691ba4ad232b3d0230ceaf3d9239"><code>314172e</code></a> Fix typo</li> <li><a href="https://github.com/github/codeql-action/commit/cdda72d36b93310932b0afe1784acd0209d190dd"><code>cdda72d</code></a> Add changelog entries</li> <li><a href="https://github.com/github/codeql-action/commit/cfda84cc5509282e2adc1570c3cf29c3167ae87f"><code>cfda84c</code></a> Update changelog for v4.32.4</li> <li><a href="https://github.com/github/codeql-action/commit/39ba80c47550c834104c0f222b502461ac312c29"><code>39ba80c</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3493">#3493</a> from github/update-bundle/codeql-bundle-v2.24.2</li> <li><a href="https://github.com/github/codeql-action/commit/00150dad957fc9c1cba52bdab82e458ae5c09fe5"><code>00150da</code></a> Add changelog note</li> <li><a href="https://github.com/github/codeql-action/commit/d97dce6561ae3dd4e4db9bfa95479f7572bd7566"><code>d97dce6</code></a> Update default bundle to codeql-bundle-v2.24.2</li> <li><a 
href="https://github.com/github/codeql-action/commit/50fdbb9ec845c41d6d3509d794e3a28af7032c59"><code>50fdbb9</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3492">#3492</a> from github/henrymercer/new-repository-properties-ff</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/9e907b5e64f6b83e7804b09294d44122997950d6...89a39a4e59826350b863aa6b6252a07ad50cf83e">compare view</a></li> </ul> </details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…t#2074) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 6.4.0 to 7.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/goreleaser/goreleaser-action/releases">goreleaser/goreleaser-action's releases</a>.</em></p> <blockquote> <h2>v7.0.0</h2> <h2>What's Changed</h2> <ul> <li>feat!: node 24, update deps, rm yarn, ESM by <a href="https://github.com/caarlos0"><code>@caarlos0</code></a> in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/533">goreleaser/goreleaser-action#533</a></li> <li>sec: pin github action versions by <a href="https://github.com/caarlos0"><code>@caarlos0</code></a> in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/514">goreleaser/goreleaser-action#514</a></li> <li>docs: Upgrade checkout GitHub Action in README.md by <a href="https://github.com/dunglas"><code>@dunglas</code></a> in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/507">goreleaser/goreleaser-action#507</a></li> <li>chore(deps): bump actions/checkout from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/504">goreleaser/goreleaser-action#504</a></li> <li>ci(deps): bump the actions group with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/517">goreleaser/goreleaser-action#517</a></li> <li>ci(deps): bump the actions group with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/523">goreleaser/goreleaser-action#523</a></li> <li>ci(deps): bump docker/bake-action from 6.9.0 to 6.10.0 in the actions group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a 
href="https://redirect.github.com/goreleaser/goreleaser-action/pull/526">goreleaser/goreleaser-action#526</a></li> <li>ci(deps): bump the actions group across 1 directory with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/532">goreleaser/goreleaser-action#532</a></li> <li>ci(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the actions group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/534">goreleaser/goreleaser-action#534</a></li> <li>chore(deps): bump the npm group across 1 directory with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/536">goreleaser/goreleaser-action#536</a></li> <li>chore(deps): bump <code>@actions/http-client</code> from 3.0.2 to 4.0.0 in the npm group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/537">goreleaser/goreleaser-action#537</a></li> <li>ci(deps): bump docker/setup-buildx-action from 3.10.0 to 3.12.0 in the actions group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/538">goreleaser/goreleaser-action#538</a></li> <li>chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/goreleaser/goreleaser-action/pull/539">goreleaser/goreleaser-action#539</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/goreleaser/goreleaser-action/compare/v6...v7.0.0">https://github.com/goreleaser/goreleaser-action/compare/v6...v7.0.0</a></p> </blockquote> </details> <details> 
<summary>Commits</summary> <ul> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/ec59f474b9834571250b370d4735c50f8e2d1e29"><code>ec59f47</code></a> fix: yargs usage</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/752dedee3d734a650f4cc280f78173f420900df9"><code>752dede</code></a> fix: gitignore</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/1881ae035d414b6146c8228c12290fa3c856f536"><code>1881ae0</code></a> ci: update dependabot settings</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/fdc5e662bb47216e7262db37c92fc968f3853c65"><code>fdc5e66</code></a> chore: gitignore provenance.json</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/51b5b35c3c313b84ba90e097d0ad2cf1bce101bc"><code>51b5b35</code></a> chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group (<a href="https://redirect.github.com/goreleaser/goreleaser-action/issues/539">#539</a>)</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/4247c53b304edb39a4e6a0808f415d3eebad450a"><code>4247c53</code></a> ci(deps): bump docker/setup-buildx-action in the actions group (<a href="https://redirect.github.com/goreleaser/goreleaser-action/issues/538">#538</a>)</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/c169bfd5ae289fddb2e8b0b28a73a4baa2f55466"><code>c169bfd</code></a> chore(deps): bump <code>@actions/http-client</code> from 3.0.2 to 4.0.0 in the npm group (...</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/902ab4a70dd43cbbbe029e9917e939ba355a50dd"><code>902ab4a</code></a> chore(deps): bump the npm group across 1 directory with 4 updates (<a href="https://redirect.github.com/goreleaser/goreleaser-action/issues/536">#536</a>)</li> <li><a href="https://github.com/goreleaser/goreleaser-action/commit/c59a691319d27b75766143e4cd37a08ac6d400f8"><code>c59a691</code></a> chore: gitignore</li> <li><a 
href="https://github.com/goreleaser/goreleaser-action/commit/56cc8b2737e5dd9a4ebdeaf930b51aa0231efd3d"><code>56cc8b2</code></a> ci: add job to automate dependabot pre-checkin/vendor</li> <li>Additional commits viewable in <a href="https://github.com/goreleaser/goreleaser-action/compare/e435ccd777264be153ace6237001ef4d979d3a7a...ec59f474b9834571250b370d4735c50f8e2d1e29">compare view</a></li> </ul> </details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ft#1981)

# Description

This PR introduces support for `BPF_MAP_TYPE_RINGBUF` in the `packetparser` plugin as a configurable alternative to `BPF_MAP_TYPE_PERF_EVENT_ARRAY`. Ring Buffers offer better performance and memory efficiency, especially on high-core systems, by using a shared buffer across CPUs rather than per-CPU buffers.

### Changes

- **Configuration**: Added `packetParserRingBuffer` (enum: `enabled`/`disabled`; `auto` reserved) and `packetParserRingBufferSize` (uint32) to the Retina configuration and Helm charts.
- **BPF**: Updated `packetparser.c` to conditionally compile with `BPF_MAP_TYPE_RINGBUF` when enabled.
- **Userspace**: Updated `packetparser_linux.go` to:
  - Pass `-DUSE_RING_BUFFER` and `-DRING_BUFFER_SIZE` flags during BPF compilation.
  - Implement a `ringBufReaderWrapper` to adapt the `cilium/ebpf/ringbuf` reader to the existing reader interface.
  - Add logging to indicate which buffer type is active.
- **Testing**: Updated unit tests to mock metrics correctly and added a new test case to verify compilation with Ring Buffer enabled.
- **Userspace (follow-up)**:
  - Decoupled the reader interface from `cilium/ebpf/perf.Record` by introducing a custom `perfRecord` struct to support both perf array and ring buffer paths cleanly.
  - Added a `perfReaderWrapper` and updated `ringBufReaderWrapper` to convert records into the new `perfRecord` type.
- **Kernel gating**:
  - Added shared kernel version parsing/comparison helpers and reusable kernel release retrieval utils.
  - Enforced a minimum kernel version when ring buffer mode is enabled.
  - Updated telemetry to reuse the shared kernel release helper.
- **Docs/config**: Updated config docs and Helm `values.yaml` to reflect `packetParserRingBuffer`.
- **Tests**:
  - Added unit tests for kernel release parsing and version comparison helpers.
  - Limited the ring buffer config test to Linux builds.
  - Adjusted packetparser tests to align with the new `perfRecord` reader interface.
- **Chore/lint**: Addressed linting by using safe page-size casts, wrapping perf errors, and splitting long lines.

### Verification

- Verified unit tests pass: `go test -v ./pkg/plugin/packetparser/...`
- Manual verification on Kind:
  - Built image with `enablePacketParserRingBuffer: true`.
  - Deployed to Kind cluster.
  - Verified logs show "Initializing Ring Buffer reader".
  - Verified BPF map type is `ringbuf` using `bpftool`.

## Related Issues/PRs

- microsoft#655
- fixes microsoft#1966
- microsoft#1965

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [x] I have updated the documentation, if necessary.
- [x] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

<img width="1335" height="1448" alt="image" src="https://github.com/user-attachments/assets/7b775c40-6683-4faa-aa2d-4748ea7277be" />
<img width="1913" height="355" alt="Screenshot 2025-12-15 093850" src="https://github.com/user-attachments/assets/83701a79-2b3f-46d6-8d87-8ff5e3aa9318" />
<img width="2517" height="1351" alt="Screenshot 2025-12-15 093819" src="https://github.com/user-attachments/assets/4a81b526-cc1d-41e2-b06d-5a8d90061ad6" />

## Additional Notes

Once this PR gets reviewed and merged, I will update the site docs accordingly. See issue microsoft#2016

In addition, I created an issue to implement an auto option to let retina decide at runtime whether to use `BPF_MAP_TYPE_RINGBUF` or not. See microsoft#2017

I stuck with `BPF_MAP_TYPE_PERF_EVENT_ARRAY` (Perf Buffers) as the default implementation because we still have a requirement to support Linux Kernel 5.4+, as noted in our [intro docs](https://retina.sh/docs/Introduction/intro). Since Ring Buffers (`BPF_MAP_TYPE_RINGBUF`) weren't introduced until kernel 5.8, making them the default would break Retina on older LTS environments (like Ubuntu 20.04) that we're currently committed to supporting.

We also haven't had a chance to benchmark the performance difference on high-core clusters yet. The [upstream documentation](https://docs.ebpf.io/linux/map-type/BPF_MAP_TYPE_RINGBUF/) is clear that while `BPF_MAP_TYPE_RINGBUF` is generally more efficient, it uses a single shared ring buffer whereas `BPF_MAP_TYPE_PERF_EVENT_ARRAY` uses a per-CPU approach, which has different scalability characteristics.

---

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.

---------

Signed-off-by: Simone Rodigari <srodigari@microsoft.com>
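The kernel gating described in the commit message above, sketched as an added Go example that is not Retina's own code: it parses `uname -r` style release strings and refuses ring buffer mode below kernel 5.8. The names `kernelVersion`, `parseKernelRelease` and `selectBufferType`, the returned labels, and the choice to fail with an error are assumptions; the sample release strings are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// kernelVersion is a parsed major.minor.patch triple (hypothetical type).
type kernelVersion struct{ Major, Minor, Patch int }

// BPF_MAP_TYPE_RINGBUF was introduced in Linux 5.8, as the commit message notes.
var minRingBufKernel = kernelVersion{5, 8, 0}

var errKernelTooOld = errors.New("kernel too old for BPF_MAP_TYPE_RINGBUF")

// parseKernelRelease reads the leading numeric part of a release string such
// as "5.15.0-1051-azure" and ignores the distribution suffix. A missing patch
// component is treated as 0; extra components ("6.6.87.2") are dropped.
func parseKernelRelease(release string) (kernelVersion, error) {
	release = strings.TrimSpace(release)
	end := 0
	for end < len(release) && (release[end] == '.' || (release[end] >= '0' && release[end] <= '9')) {
		end++
	}
	parts := strings.Split(strings.Trim(release[:end], "."), ".")
	if len(parts) < 2 {
		return kernelVersion{}, fmt.Errorf("unrecognised kernel release %q", release)
	}
	var nums [3]int
	for i := 0; i < len(parts) && i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return kernelVersion{}, fmt.Errorf("unrecognised kernel release %q: %w", release, err)
		}
		nums[i] = n
	}
	return kernelVersion{nums[0], nums[1], nums[2]}, nil
}

// atLeast compares numerically, field by field. Comparing the raw strings
// would rank "5.10" below "5.8".
func (v kernelVersion) atLeast(min kernelVersion) bool {
	if v.Major != min.Major {
		return v.Major > min.Major
	}
	if v.Minor != min.Minor {
		return v.Minor > min.Minor
	}
	return v.Patch >= min.Patch
}

// selectBufferType maps the packetParserRingBuffer setting to a map type.
// "disabled" keeps the perf event array; "enabled" requires kernel >= 5.8;
// anything else, including the reserved "auto", is rejected.
func selectBufferType(mode, release string) (string, error) {
	switch mode {
	case "disabled":
		return "perf_event_array", nil
	case "enabled":
		v, err := parseKernelRelease(release)
		if err != nil {
			return "", err
		}
		if !v.atLeast(minRingBufKernel) {
			return "", fmt.Errorf("%w: running %d.%d.%d, need >= %d.%d",
				errKernelTooOld, v.Major, v.Minor, v.Patch,
				minRingBufKernel.Major, minRingBufKernel.Minor)
		}
		return "ringbuf", nil
	default:
		return "", fmt.Errorf("unsupported packetParserRingBuffer value %q", mode)
	}
}

func main() {
	// Constructed release strings, not taken from any real cluster.
	for _, rel := range []string{"5.4.0-169-generic", "5.10.0-28-amd64", "6.6.87.2-microsoft-standard-WSL2"} {
		kind, err := selectBufferType("enabled", rel)
		fmt.Printf("%-36s -> %q err=%v\n", rel, kind, err)
	}
}
```
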
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.2.0 to 6.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-go/releases">actions/setup-go's releases</a>.</em></p> <blockquote> <h2>v6.3.0</h2> <h2>What's Changed</h2> <ul> <li>Update default Go module caching to use go.mod by <a href="https://github.com/priyagupta108"><code>@priyagupta108</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/705">actions/setup-go#705</a></li> <li>Fix golang download url to go.dev by <a href="https://github.com/178inaba"><code>@178inaba</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/469">actions/setup-go#469</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v6...v6.3.0">https://github.com/actions/setup-go/compare/v6...v6.3.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/setup-go/commit/4b73464bb391d4059bd26b0524d20df3927bd417"><code>4b73464</code></a> Fix golang download url to go.dev (<a href="https://redirect.github.com/actions/setup-go/issues/469">#469</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/a5f9b05d2d216f63e13859e0d847461041025775"><code>a5f9b05</code></a> Update default Go module caching to use go.mod (<a href="https://redirect.github.com/actions/setup-go/issues/705">#705</a>)</li> <li>See full diff in <a href="https://github.com/actions/setup-go/compare/7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5...4b73464bb391d4059bd26b0524d20df3927bd417">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#2071) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.34.0 to 0.34.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/aquasecurity/trivy-action/releases">aquasecurity/trivy-action's releases</a>.</em></p> <blockquote> <h2>v0.34.1</h2> <h2>What's Changed</h2> <ul> <li>ci(test): add zizmor security linter for GitHub Actions by <a href="https://github.com/DmitriyLewen"><code>@DmitriyLewen</code></a> in <a href="https://redirect.github.com/aquasecurity/trivy-action/pull/502">aquasecurity/trivy-action#502</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/aquasecurity/trivy-action/compare/0.34.0...0.34.1">https://github.com/aquasecurity/trivy-action/compare/0.34.0...0.34.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aquasecurity/trivy-action/commit/e368e328979b113139d6f9068e03accaed98a518"><code>e368e32</code></a> ci(test): add zizmor security linter for GitHub Actions (<a href="https://redirect.github.com/aquasecurity/trivy-action/issues/502">#502</a>)</li> <li>See full diff in <a href="https://github.com/aquasecurity/trivy-action/compare/c1824fd6edce30d7ab345a9989de00bbd46ef284...e368e328979b113139d6f9068e03accaed98a518">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…oft#2073) Bumps [rajatjindal/krew-release-bot](https://github.com/rajatjindal/krew-release-bot) from 0.0.47 to 0.0.50. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rajatjindal/krew-release-bot/releases">rajatjindal/krew-release-bot's releases</a>.</em></p> <blockquote> <h2>v0.0.50</h2> <h2>What's Changed</h2> <ul> <li>fix(goreleaser): also test goreleaser in CI by <a href="https://github.com/rajatjindal"><code>@rajatjindal</code></a> in <a href="https://redirect.github.com/rajatjindal/krew-release-bot/pull/86">rajatjindal/krew-release-bot#86</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rajatjindal/krew-release-bot/compare/v0.0.49...v0.0.50">https://github.com/rajatjindal/krew-release-bot/compare/v0.0.49...v0.0.50</a></p> <h2>Release v0.0.49</h2> <h2>What's Changed</h2> <ul> <li>update golang and actions version by <a href="https://github.com/rajatjindal"><code>@rajatjindal</code></a> in <a href="https://redirect.github.com/rajatjindal/krew-release-bot/pull/85">rajatjindal/krew-release-bot#85</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rajatjindal/krew-release-bot/compare/v0.0.48...v0.0.49">https://github.com/rajatjindal/krew-release-bot/compare/v0.0.48...v0.0.49</a></p> <h2>Release v0.0.48</h2> <h2>What's Changed</h2> <ul> <li>chore(git): ignore .idea paraphernalia by <a href="https://github.com/mbobrovskyi"><code>@mbobrovskyi</code></a> in <a href="https://redirect.github.com/rajatjindal/krew-release-bot/pull/81">rajatjindal/krew-release-bot#81</a></li> <li>chore(make): add test target by <a href="https://github.com/mbobrovskyi"><code>@mbobrovskyi</code></a> in <a href="https://redirect.github.com/rajatjindal/krew-release-bot/pull/82">rajatjindal/krew-release-bot#82</a></li> <li>fix(action): use latest tagged image version by <a href="https://github.com/rajatjindal"><code>@rajatjindal</code></a> in <a 
href="https://redirect.github.com/rajatjindal/krew-release-bot/pull/84">rajatjindal/krew-release-bot#84</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/mbobrovskyi"><code>@mbobrovskyi</code></a> made their first contribution in <a href="https://redirect.github.com/rajatjindal/krew-release-bot/pull/81">rajatjindal/krew-release-bot#81</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rajatjindal/krew-release-bot/compare/v0.0.47...v0.0.48">https://github.com/rajatjindal/krew-release-bot/compare/v0.0.47...v0.0.48</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/rajatjindal/krew-release-bot/commit/a7e82ae57ca41a16fca2691ef00e8a8d35bc77d4"><code>a7e82ae</code></a> fix(goreleaser): also test goreleaser in CI (<a href="https://redirect.github.com/rajatjindal/krew-release-bot/issues/86">#86</a>)</li> <li><a href="https://github.com/rajatjindal/krew-release-bot/commit/c0984d327e6d0cfa533ba19ab34af80e99c0cf8a"><code>c0984d3</code></a> update golang and actions version (<a href="https://redirect.github.com/rajatjindal/krew-release-bot/issues/85">#85</a>)</li> <li><a href="https://github.com/rajatjindal/krew-release-bot/commit/ecba13d639f884cbecd5136cbf01b11a2fdfab7f"><code>ecba13d</code></a> fix(action): use latest tagged image version (<a href="https://redirect.github.com/rajatjindal/krew-release-bot/issues/84">#84</a>)</li> <li><a href="https://github.com/rajatjindal/krew-release-bot/commit/e2d6f27e6d51bdc2a0a92c1347810134c903c273"><code>e2d6f27</code></a> chore(make): add test target (<a href="https://redirect.github.com/rajatjindal/krew-release-bot/issues/82">#82</a>)</li> <li><a href="https://github.com/rajatjindal/krew-release-bot/commit/8d76bf0a9ff538097b42dec965f1ee450271d2d4"><code>8d76bf0</code></a> chore(git): ignore .idea paraphernalia (<a href="https://redirect.github.com/rajatjindal/krew-release-bot/issues/81">#81</a>)</li> <li><a 
href="https://github.com/rajatjindal/krew-release-bot/commit/35e214f2fa04337a651df5e7896bc7dac1783c58"><code>35e214f</code></a> fix(netlify): vendor dir is no longer used</li> <li><a href="https://github.com/rajatjindal/krew-release-bot/commit/ccdd6b19e997281147f4e9e3f74811cbea84bf69"><code>ccdd6b1</code></a> chore(netlify): update go version requested for build in netlify</li> <li>See full diff in <a href="https://github.com/rajatjindal/krew-release-bot/compare/3d9faef30a82761d610544f62afddca00993eef9...a7e82ae57ca41a16fca2691ef00e8a8d35bc77d4">compare view</a></li> </ul> </details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…rosoft#2081)

# Description

The goreleaser workflow fails at the SBOM cataloging step because `syft` is not installed on the runner. `.goreleaser.yaml` declares `sboms: [artifacts: archive]` which requires Syft, but the workflow never installs it.

This was surfaced by the [v1.1.0 release run](https://github.com/microsoft/retina/actions/runs/22452857876):

```
⨯ release failed after 9m34s error=exec: "syft": executable file not found in $PATH
```

Add `anchore/sbom-action/download-syft@v0.23.0` (pinned to SHA) to both the `build` and `release` jobs.

## Related Issue

N/A

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [ ] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

CI workflow change — will be validated by the next tag push or PR build.

## Additional Notes

N/A

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
Description
Merging v1.1.0 into windows branch.
Related Issue
If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request.
Checklist
git commit -S -s ...). See this documentation on signing commits.
Screenshots (if applicable) or Testing Completed
Please add any relevant screenshots or GIFs to showcase the changes made.
Additional Notes
Add any additional notes or context about the pull request here.
Please refer to the CONTRIBUTING.md file for more information on how to contribute to this project.