Skip to content

Commit 8a96343

Browse files
committed
Merge remote-tracking branch 'origin/main' into seth/EV-6466-aggressive-cut
2 parents a65bb56 + cb56905 commit 8a96343

1,023 files changed

Lines changed: 14617 additions & 9893 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 81 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,81 @@
1+
name: Weekly link check
2+
3+
on:
4+
# Weekly schedule: Monday at 07:00 UTC (after the llms.txt job at 06:00).
5+
schedule:
6+
- cron: '0 7 * * 1'
7+
8+
# Manual trigger via GitHub UI
9+
workflow_dispatch:
10+
11+
permissions:
12+
contents: read
13+
issues: write
14+
15+
jobs:
16+
link-check:
17+
name: Build, serve, and crawl the docs
18+
runs-on: ubuntu-latest
19+
timeout-minutes: 180
20+
21+
steps:
22+
- name: Checkout
23+
uses: actions/checkout@v6
24+
25+
- name: Enable Corepack
26+
run: corepack enable
27+
28+
- name: Setup Node.js
29+
uses: actions/setup-node@v4
30+
with:
31+
node-version: '22'
32+
cache: 'yarn'
33+
34+
- name: Build the site
35+
run: make build
36+
env:
37+
NODE_OPTIONS: '--max-old-space-size=6000'
38+
DOCUSAURUS_IGNORE_SSG_WARNINGS: 'true'
39+
40+
- name: Install Playwright Chrome
41+
run: yarn playwright install --with-deps chrome
42+
43+
- name: Serve the site and run the link check
44+
run: make test 2>&1 | tee link-check.log
45+
env:
46+
CI: 'true'
47+
48+
- name: Upload the link-check log
49+
if: always()
50+
uses: actions/upload-artifact@v4
51+
with:
52+
name: link-check-log
53+
path: link-check.log
54+
if-no-files-found: ignore
55+
56+
- name: Open or update an issue on failure
57+
if: failure()
58+
env:
59+
GH_TOKEN: ${{ github.token }}
60+
run: |
61+
TITLE="Weekly link check failed"
62+
BODY_FILE=issue-body.md
63+
RUN_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
64+
{
65+
echo "The weekly link check found broken links or errors."
66+
echo ""
67+
echo "Run: ${RUN_URL}"
68+
echo ""
69+
echo "Last lines of the report (full log is in the run artifact \"link-check-log\"):"
70+
echo ""
71+
echo '```'
72+
tail -n 200 link-check.log 2>/dev/null || echo "(no log captured)"
73+
echo '```'
74+
} > "$BODY_FILE"
75+
NUM=$(gh issue list --repo "$GITHUB_REPOSITORY" --state open \
76+
--search "\"$TITLE\" in:title" --json number --jq '.[0].number // empty')
77+
if [ -n "$NUM" ]; then
78+
gh issue comment "$NUM" --repo "$GITHUB_REPOSITORY" --body-file "$BODY_FILE"
79+
else
80+
gh issue create --repo "$GITHUB_REPOSITORY" --title "$TITLE" --body-file "$BODY_FILE"
81+
fi

__tests__/crawler.test.js

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -100,6 +100,7 @@ test('Crawl the docs and execute tests', async () => {
100100
'http://dpdk.org/git/dpdk-kmods', //==>Origin: https://raw.githubusercontent.com/projectcalico/vpp-dataplane/master/scripts/init_eks.sh
101101
//For frustrating 503 errors:
102102
'https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator',
103+
/^https:\/\/amd64\.ocp\.releases\.ci\.openshift\.org\/?$/, //==>Origin: http://localhost:4242/calico-enterprise/latest/getting-started/install-on-clusters/openshift/hostedcontrolplanes
103104
//temp
104105
/^https:\/\/v1-21\.docs\.kubernetes\.io\/docs\/reference\/generated\/kubernetes-api\/v1\.21\//,
105106
'https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm',
@@ -116,6 +117,7 @@ test('Crawl the docs and execute tests', async () => {
116117
'http://www.iana.org/assignments/service-names', //==>Origin: https://downloads.tigera.io/ee/v3.14.4/manifests/tigera-operator.yaml
117118
'http://docs.openstack.org/',
118119
'http://docs.openstack.org', //This seems to be temporarily down.
120+
'https://docs.openstack.org/install-guide/environment-etcd.html', // 403 from OpenStack docs WAF in Netlify build environment
119121
'https://tools.ietf.org/html/rfc5925',
120122
'https://datatracker.ietf.org/doc/html/rfc1149',
121123
'https://datatracker.ietf.org/doc/html/rfc7938',

calico-cloud/_includes/components/FelixConfig/index.js

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,15 @@ const FelixConfig = ({ configType, name }) => {
3232
// Debugging logs
3333

3434
if (!matchedGroup) {
35-
return <p>No matching group found for '{name}'.</p>;
35+
// Fail the build loudly rather than silently dropping the group's fields.
36+
// `name` must exactly match a group Name in config-params.json, which is
37+
// auto-synced from the Felix source repos. A prose/casing sweep once
38+
// restyled these lookup keys and silently dropped fields (DOCS-2970).
39+
throw new Error(
40+
`FelixConfig: no group named '${name}' in config-params.json. The 'name' `
41+
+ `prop must exactly match a group Name in config-params.json; do not `
42+
+ `restyle it as prose.`
43+
);
3644
}
3745

3846
let content;

calico-cloud/_includes/content/_rule.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ are executed in order.
1212
| ipVersion | Positive IP version match. | `4`, `6` | integer | |
1313
| source | Source match parameters. | | [EntityRule](#entityrule) | |
1414
| destination | Destination match parameters. | | [EntityRule](#entityrule) | |
15-
| http | Match HTTP request parameters. Application layer policy must be enabled to use this field. | | [HTTPMatch](#httpmatch) | |
15+
| http | Match HTTP request parameters. Application layer policy must be enabled to use this field. | | HTTPMatch | |
1616

1717
After a `Log` action, processing continues with the next rule; `Allow` and `Deny` are immediate
1818
and final and no further rules are processed.

calico-cloud/about/calico-product-editions.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -92,7 +92,7 @@ Calico powers 100M+ containers across 8M+ nodes in 166 countries, and is support
9292

9393
Start a free trial or request a demo to see Calico in action.
9494

95-
* [Sign up for a Calico Cloud Free Tier account](https://www.calicocloud.io/)
95+
* [Sign up for a Calico Cloud Free Tier account](https://www.calicocloud.io/?code=free)
9696
* [Schedule a 30-minute demo with our experts](https://www.tigera.io/demo/)
9797

9898
### Installation guides

calico-cloud/about/index.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -220,7 +220,7 @@ Calico powers 100M+ containers across 8M+ nodes in 166 countries, and is support
220220

221221
Start a free trial or request a demo to see Calico in action.
222222

223-
* [Sign up for a Calico Cloud Free Tier account](https://www.calicocloud.io/)
223+
* [Sign up for a Calico Cloud Free Tier account](https://www.calicocloud.io/?code=free)
224224
* [Schedule a 30-minute demo with our experts](https://www.tigera.io/demo/)
225225

226226
### Installation guides

calico-cloud/free/connect-cluster-free.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@ Try the [Calico Cloud Free Tier quickstart guide](quickstart.mdx) to create a cl
4343
* If you're on 3.29 or earlier, [upgrade your Calico installation to 3.30 or later](/calico/latest/operations/upgrading/kubernetes-upgrade#upgrading-an-installation-that-uses-the-operator) and then [enable the `Goldmane` custom resource](/calico/latest/observability/enable-whisker).
4444
</details>
4545
* You have an active Calico Cloud Free Tier account.
46-
To create an account, go to the [Calico Cloud Free Tier sign-up page](https://calicocloud.io).
46+
To create an account, go to the [Calico Cloud Free Tier sign-up page](https://calicocloud.io/?code=free).
4747
* You are signed in to the $[prodname] web console.
4848

4949
## Connect your cluster

calico-cloud/free/overview.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -93,7 +93,7 @@ For more information, see:
9393

9494
## Next steps
9595

96-
* [Sign up for a free account with Calico Cloud](https://calicocloud.io/).
96+
* [Sign up for a free account with Calico Cloud](https://calicocloud.io/?code=free).
9797
* [Tutorial: Quickstart guide to Calico Cloud Free Tier](quickstart.mdx).
9898
* [Connect a cluster to Calico Cloud Free Tier](connect-cluster-free.mdx)
9999
* For an overview of the expanded feature set in Calico Cloud Pro, take a [tour of the full web console](../tutorials/calico-cloud-features/tour.mdx).

calico-cloud/free/quickstart.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ Get Calico Cloud running on a local Kind cluster, deploy a realistic microservic
1212

1313
## Before you begin
1414

15-
* [Sign up for a Calico Cloud Free Tier account](https://calicocloud.io).
15+
* [Sign up for a Calico Cloud Free Tier account](https://calicocloud.io/?code=free).
1616
* Install [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/), [Docker](https://docs.docker.com/desktop/), and [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl).
1717

1818
## Step 1: Create a Kind cluster

calico-cloud/get-started/cc-arch-diagram.mdx

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -31,18 +31,16 @@ The following diagram shows the major components in a managed cluster, followed
3131
| $[prodname] installer | Gets installation resources from the $[prodname] portal, registers a managed cluster, and reports installation or upgrade progress. | &bull; TCP 443 to $[prodname] hosted service<br />&bull; TCP 6443 to Kubernetes API server |
3232
| $[prodname] tunnel server | Communicates with managed clusters by creating secure TLS tunnels. | Port 9000 from managed clusters |
3333
| calico-node | Bundles key components that are required for networking containers with $[prodname]:<br/><br />&bull; Felix<br />&bull; BIRD<br />&bull; confd | &bull; TCP 5473 to Typha<br />&bull; TCP 9900 and 9081 from Prometheus API service |
34-
| Container threat detection | A threat detection engine that analyzes observed file and process activity to detect known malicious and suspicious activity. Monitors the following types of suspicious activity within containers:<br/><br />&bull; Access to sensitive system files and directories<br />&bull; Defense evasion<br />&bull; Discovery<br />&bull; Execution<br />&bull; Persistence<br />&bull; Privilege escalation<br/><br />Includes these components:<br /><br />**Runtime Security Operator**<br />An operator to manage and reconcile container threat defense components.<br/><br />**Runtime Reporter Pods**<br />Pods running on each node in the cluster to perform the detection activity outlined above.They send activity reports to Elasticsearch for analysis by $[prodname]. | TCP to Kubernetes API server |
3534
| Compliance | Generates compliance reports for the Kubernetes cluster. Reports are based on archived flow and audit logs for Calico Cloud resources, plus any audit logs you’ve configured for Kubernetes resources in the Kubernetes API server. Compliance reports provide the following high-level information:<br /><br />&bull; Endpoints explicitly protected using ingress or egress policy<br />&bull; Policies and services<br /> - Policies and services associated with endpoints<br /> - Policy audit logs <br />&bull; Traffic<br /> - Allowed ingress/egress traffic to/from namespaces, and to/from the internet Compliance includes these components: <br /><br />**compliance-snapshotter** <br />Handles listing of required Kubernetes and $[prodname]configuration and pushes snapshots to Elasticsearch. Snapshots give you visibility into configuration changes, and how the cluster-wide configuration has evolved within a reporting interval.<br /><br />**compliance-reporter**<br />Handles report generation. Reads configuration history from Elasticsearch and determines time evolution of cluster-wide configuration, including relationships between policies, endpoints, services, and network sets. Data is then passed through a zero-trust aggregator to determine the “worst-case outliers” in the reporting interval.<br /><br />**compliance-controller**<br />Reads report configuration and manages creation, deletion, and monitoring of report generation jobs.<br /><br />**compliance-benchmarker**<br />A daemonset that runs checks in the CIS Kubernetes Benchmark on each node so you can see if Kubernetes is securely deployed.<br /> | &bull; TCP 8080 to Guardian<br />&bull; TCP 6443 to Kubernetes API server |
3635
| Fluentd | Open-source data collector for unified logging. Collects and forwards $[prodname] logs (flows, DNS, L7) to log storage. | &bull; TCP 8080 to Guardian<br />&bull; TCP 9080 from Prometheus API service |
3736
| Guardian | An agent running in each managed cluster that proxies communication between the $[prodname] tunnel server and your managed cluster. Secured using TLS tunnels.<br /> | &bull; Port 9000 to tunnel server<br />&bull; TCP 6443 to Kubernetes API server<br />&bull; TCP 6443 from $[prodname] components |
3837
| Installation endpoints | Endpoints at `*.calicocloud.io` and `*.projectcalico.org`. | TCP 443 for both |
3938
| Intrusion detection controller | Handles integrations with threat intelligence feeds and $[prodname] custom alerts. | &bull; TCP 8080 to Guardian<br />&bull; TCP 6443 to Kubernetes API server |
40-
| Image Assurance | Identifies vulnerabilities in container images that you deploy to Kubernetes clusters. Components of interest are: <br /><br />**Admission controller**<br />Uses Kubernetes Validating Webhook Configuration to control which images can be used to create pods based on scan results. <br /><br />**API**<br />Isolates tenant data and authorizes all external access to Image Assurance data. **Note:** $[prodname] does not store registry credentials in its database and does not pull customer images into the $[prodname] control plane.<br /> | &bull;  TCP 8080 to Guardian<br /> &bull; TCP 6443 to Kubernetes API server |
4139
| Kubernetes API server | A Kubernetes component that validates and configures data for the API objects (for example, pods, services, and others). <br /> | TCP 6443 (from all components) |
4240
| kube-controllers | Monitors the Kubernetes API and performs actions based on cluster state. $[prodname] kube-controllers container includes these controllers:<br/><br />&bull; Node<br />&bull; Service<br />&bull; Federated services<br />&bull; Authorization<br /> | &bull; TCP 9094 from Prometheus API service<br />&bull; TCP 6443 to Kubernetes API server |
4341
| Log storage | Storage for logs (flows, L7, DNS, audit). Data for each managed cluster is isolated and protected against unauthorized access. | n/a |
4442
| Packet capture API | Retrieves capture files (pcap format) generated by a packet capture for use with network protocol analysis tools like Wireshark. Packet capture data is visible in the web console and Service Graph. | &bull; TCP 8449 Guardian to Packet Capture API<br />&bull; TCP 6443 to Kubernetes API server |
4543
| Prometheus API service | Collects metrics from $[prodname] components and makes the metrics available to the web console. | &bull; TCP 6443 to Kubernetes API server<br />&bull; TCP 9080 to Fluentd<br />&bull; TCP 9900 and 9081 to Prometheus API service |
4644
| Tigera API server | Allows users to manage $[prodname] resources such as policies and tiers through kubectl or the Kubernetes API server. | &bull; TCP 9095 to Prometheus API service<br />&bull; TCP 8080 from Kubernetes API server |
4745
| Typha | Increases scale by reducing each node’s impact on the datastore. | TCP 5473 from calico-node to Typha |
48-
| User access to the web console | Authenticated users can access the browser-based the web console, which provides network traffic visibility and troubleshooting, centralized multi-cluster management, threat-defense, container threat detection, policy lifecycle management, scan images for vulnerabilities, and compliance for multiple roles/stakeholders. | Port 443 to $[prodname] tunnel server |
46+
| User access to the web console | Authenticated users can access the browser-based the web console, which provides network traffic visibility and troubleshooting, centralized multi-cluster management, threat-defense, policy lifecycle management, and compliance for multiple roles/stakeholders. | Port 443 to $[prodname] tunnel server |

0 commit comments

Comments
 (0)