microsoft
diff --git a/‎.github/workflows/golangci-lint.yaml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/golangci-lint.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 26 additions & 38 deletions b/‎.gitignore‎
Lines changed: 26 additions & 38 deletions
diff --git a/‎Makefile‎
Lines changed: 17 additions & 3 deletions b/‎Makefile‎
Lines changed: 17 additions & 3 deletions
diff --git a/‎cli/Dockerfile‎
Lines changed: 5 additions & 5 deletions b/‎cli/Dockerfile‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎cmd/hubble/cells_linux.go‎
Lines changed: 43 additions & 9 deletions b/‎cmd/hubble/cells_linux.go‎
Lines changed: 43 additions & 9 deletions
diff --git a/‎cmd/hubble/daemon_linux.go‎
Lines changed: 13 additions & 12 deletions b/‎cmd/hubble/daemon_linux.go‎
Lines changed: 13 additions & 12 deletions
@@ -27,13 +27,17 @@ jobs:
     env:
       GOOS: ${{ matrix.goos }}
       GOARCH: ${{ matrix.goarch }}
+      CGO_ENABLED: "0"
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version-file: go.mod
+      - name: Check BPF object stubs
+        if: env.IS_NOT_MERGE_GROUP
+        run: make lint-bpf-objects
       - name: golangci-lint
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:
 
@@ -1,55 +1,43 @@
-# If you prefer the allow list template instead of the deny list, see community template:
-# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
-#
-# Binaries for programs and plugins
+# Binaries
 *.exe
 *.exe~
 *.dll
 *.so
 *.dylib
-
-# Avoid checking in keys
-*.pem
-
-# Test binary, built with `go test -c`
 *.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
-
-# logs
-*.log
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
-# Go workspace file
-go.work
-
-# Object files
 *.o
+bin/
+dist/
 
-# docusaurus
-site/yarn.lock
-site/.docusaurus/
-site/node_modules/
+# Go
+go.work
 
-output
-#vscode 
-.vscode/
+# Keys and certificates
+*.pem
+.certs/
 
-dist/
-bin/
+# Logs and output
+*.log
+*.out
+.output/
 
-image-metadata-*.json
-*packetmonitorsupport*/
-*.pem
+# Test artifacts
 *results*.json
 netperf-*.json
 netperf-*.csv
+image-metadata-*.json
+*packetmonitorsupport*/
+test-summary
 
-.certs/
+# Build artifacts
+.artifacts/
 
-artifacts/
+# Documentation site
+site/yarn.lock
+site/.docusaurus/
+site/node_modules/
 
-test-summary
+# IDE and editor
+.vscode/
+.clangd
+.clang-format
@@ -96,7 +96,7 @@ help: ## Display this help
 ##@ Tools 
 
 GOFUMPT			= go tool mvdan.cc/gofumpt
-GOLANGCI_LINT	= go tool github.com/golangci/golangci-lint/cmd/golangci-lint
+GOLANGCI_LINT	= go tool github.com/golangci/golangci-lint/v2/cmd/golangci-lint
 GORELEASER		= go tool github.com/goreleaser/goreleaser
 CONTROLLER_GEN	= go tool sigs.k8s.io/controller-tools/cmd/controller-gen
 GINKGO			= go tool github.com/onsi/ginkgo
@@ -141,10 +141,24 @@ fmt: ## run gofumpt on $FMT_PKG (default "retina").
 	$(GOFUMPT) -w $(FMT_PKG)
 
 lint: ## Fast lint vs default branch showing only new issues.
-	$(GOLANGCI_LINT) run --new-from-rev main --timeout 10m -v $(LINT_PKG)/...
+	CGO_ENABLED=0 $(GOLANGCI_LINT) run --new-from-rev main --timeout 10m -v $(LINT_PKG)/...
 
 lint-existing: ## Lint the current branch in entirety.
-	$(GOLANGCI_LINT) run -v $(LINT_PKG)/...
+	CGO_ENABLED=0 $(GOLANGCI_LINT) run -v $(LINT_PKG)/...
+
+lint-bpf-objects: ## Check that committed .o files are empty stubs (build generates real ones).
+	@echo "Checking for non-empty .o files..."
+	@non_empty=$$(git ls-files '*.o' | xargs -I{} sh -c 'test -s "{}" && echo "{}"'); \
+	if [ -n "$$non_empty" ]; then \
+		echo "ERROR: The following .o files must be empty stubs:"; \
+		echo "$$non_empty"; \
+		echo "Run 'make empty-bpf-objects' to fix."; \
+		exit 1; \
+	fi
+	@echo "All .o files are empty stubs. OK."
+
+empty-bpf-objects: ## Empty all tracked .o files (they are stubs for the linter).
+	git ls-files '*.o' | xargs -I{} truncate -s 0 {}
 
 clean: ## clean build artifacts
 	$(RMDIR) $(OUTPUT_DIR)
 
@@ -1,5 +1,5 @@
-# skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.24.11-azurelinux3.0 --format "{{.Name}}@{{.Digest}}"
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/oss/go/microsoft/golang@sha256:531bd02db17b0c2ec919f10fc203a6a8c825e8ca01f40c3a1e32e1cf7119c6d8 AS builder
+# skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.25.7-azurelinux3.0 --format "{{.Name}}@{{.Digest}}"
+FROM mcr.microsoft.com/oss/go/microsoft/golang@sha256:408661cbcfcbf24c06fc4f85c23566b42af722fdef5a5044782859e682916be7 AS builder
 
 ARG VERSION
 ARG APP_INSIGHTS_ID
@@ -16,21 +16,21 @@ ARG GOARCH=amd64
 ENV GOARCH=${GOARCH}
 
 RUN --mount=type=cache,target="/root/.cache/go-build" \
-    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+    GOOS=$GOOS GOARCH=$GOARCH go build \
     -ldflags "-X github.com/microsoft/retina/internal/buildinfo.Version="$VERSION" \
     -X "github.com/microsoft/retina/internal/buildinfo.ApplicationInsightsID"="$APP_INSIGHTS_ID" \
     -X "github.com/microsoft/retina/internal/buildinfo.RetinaAgentImageName"="$AGENT_IMAGE_NAME"" \
     -a -o kubectl-retina cli/main.go
 
 # Target 1: Distroless (secure, minimal)
 # skopeo inspect docker://mcr.microsoft.com/azurelinux/distroless/minimal:3.0 --format "{{.Name}}@{{.Digest}}"
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/azurelinux/distroless/minimal@sha256:0801b80a0927309572b9adc99bd1813bc680473175f6e8175cd4124d95dbd50c AS distroless-target
+FROM mcr.microsoft.com/azurelinux/distroless/minimal@sha256:0801b80a0927309572b9adc99bd1813bc680473175f6e8175cd4124d95dbd50c AS distroless-target
 WORKDIR /
 COPY --from=builder /workspace/kubectl-retina .
 
 # Target 2: Shell-enabled (operational, init container support)
 # skopeo inspect docker://mcr.microsoft.com/cbl-mariner/base/core:2.0 --format "{{.Name}}@{{.Digest}}"
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/cbl-mariner/base/core@sha256:4d97d662d71c1fda938ed9df36d8f490d9107cff37e89c0efa932d073285ad85 AS shell-target
+FROM mcr.microsoft.com/cbl-mariner/base/core@sha256:4d97d662d71c1fda938ed9df36d8f490d9107cff37e89c0efa932d073285ad85 AS shell-target
 WORKDIR /
 COPY --from=builder /workspace/kubectl-retina /bin/kubectl-retina
 RUN chmod +x /bin/kubectl-retina
 
@@ -5,18 +5,21 @@
 package hubble
 
 import (
+	"github.com/cilium/cilium/pkg/datapath/link"
 	"github.com/cilium/cilium/pkg/defaults"
 	"github.com/cilium/cilium/pkg/gops"
 	hubblecell "github.com/cilium/cilium/pkg/hubble/cell"
-	exportercell "github.com/cilium/cilium/pkg/hubble/exporter/cell"
+	ciliumparser "github.com/cilium/cilium/pkg/hubble/parser"
 	k8sClient "github.com/cilium/cilium/pkg/k8s/client"
+	"github.com/cilium/cilium/pkg/kpr"
+	"github.com/cilium/cilium/pkg/kvstore"
 	"github.com/cilium/cilium/pkg/logging"
 	"github.com/cilium/cilium/pkg/logging/logfields"
 	"github.com/cilium/cilium/pkg/node/manager"
 	"github.com/cilium/cilium/pkg/option"
 	"github.com/cilium/cilium/pkg/pprof"
-	"github.com/cilium/cilium/pkg/recorder"
 	"github.com/cilium/hive/cell"
+	"github.com/cilium/statedb"
 	"k8s.io/client-go/rest"
 
 	"github.com/microsoft/retina/internal/buildinfo"
@@ -31,6 +34,20 @@ import (
 	"github.com/microsoft/retina/pkg/shared/telemetry"
 )
 
+// disabledKVStoreClient wraps a kvstore.Client but returns IsEnabled() = false.
+// This is needed because K8sCiliumEndpointsWatcher only initializes if kvstore is disabled.
+// When kvstore is enabled, Cilium expects CiliumEndpoint data to come from kvstore,
+// but Retina watches CiliumEndpoint CRDs directly and needs the watcher to populate IPCache.
+type disabledKVStoreClient struct {
+	kvstore.Client
+}
+
+// IsEnabled returns false to indicate kvstore is not being used for CiliumEndpoint sync.
+// This allows the K8sCiliumEndpointsWatcher to initialize and populate IPCache with K8sMetadata.
+func (d *disabledKVStoreClient) IsEnabled() bool {
+	return false
+}
+
 var (
 	Agent = cell.Module(
 		"agent",
@@ -39,7 +56,7 @@ var (
 		ControlPlane,
 	)
 	daemonSubsys = "daemon"
-	logger       = logging.DefaultLogger.WithField(logfields.LogSubsys, daemonSubsys)
+	logger       = logging.DefaultSlogLogger.With(logfields.LogSubsys, daemonSubsys)
 
 	Infrastructure = cell.Module(
 		"infrastructure",
@@ -61,6 +78,19 @@ var (
 		// Kubernetes client
 		k8sClient.Cell,
 
+		// Kube proxy replacement config (needed by loadbalancer cells)
+		kpr.Cell,
+
+		// Provide a disabled kvstore client for Retina.
+		// This is important: the K8sCiliumEndpointsWatcher only initializes
+		// if kvstore.IsEnabled() returns false (because with a real kvstore,
+		// CiliumEndpoint data would come from kvstore instead of watching CRDs).
+		// Since Retina doesn't use etcd/consul and relies on watching CiliumEndpoint CRDs,
+		// we need IsEnabled() to return false so the watcher populates IPCache with K8sMetadata.
+		cell.Provide(func(db *statedb.DB) kvstore.Client {
+			return &disabledKVStoreClient{Client: kvstore.NewInMemoryClient(db, "default")}
+		}),
+
 		cell.Provide(func(cfg config.Config, k8sCfg *rest.Config) telemetry.Config {
 			return telemetry.Config{
 				Component:             "retina-agent",
@@ -92,11 +122,11 @@ var (
 
 		retinak8s.Cell,
 
-		recorder.Cell,
-
 		// Provides resources for hubble
 		resources.Cell,
-		cell.Provide(parser.New),
+
+		// Provides link cache needed by hubble parser
+		link.Cell,
 
 		// Provides the node reconciler as node manager
 		rnode.Cell,
@@ -106,9 +136,13 @@ var (
 			},
 		),
 
-		exportercell.Cell,
-		// Provides the hubble agent
-		hubblecell.Core,
+		// Provides the full hubble agent (includes parser, exporter, metrics, and TLS)
+		hubblecell.Cell,
+
+		// Override Cilium's parser with Retina's parser that understands v1.Event from plugins
+		cell.DecorateAll(func(_ ciliumparser.Decoder, params parser.Params) ciliumparser.Decoder {
+			return parser.New(params)
+		}),
 
 		telemetry.Heartbeat,
 	)
 
@@ -7,11 +7,12 @@ package hubble
 import (
 	"context"
 	"fmt"
+	"log/slog"
 
 	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 
 	"github.com/microsoft/retina/pkg/config"
+	"github.com/microsoft/retina/pkg/log"
 	"github.com/microsoft/retina/pkg/managers/pluginmanager"
 	"github.com/microsoft/retina/pkg/managers/servermanager"
 
@@ -20,7 +21,6 @@ import (
 	v1 "github.com/cilium/cilium/pkg/hubble/api/v1"
 	hubblecell "github.com/cilium/cilium/pkg/hubble/cell"
 	"github.com/cilium/cilium/pkg/ipcache"
-	"github.com/cilium/cilium/pkg/k8s"
 	k8sClient "github.com/cilium/cilium/pkg/k8s/client"
 	"github.com/cilium/cilium/pkg/k8s/watchers"
 	monitoragent "github.com/cilium/cilium/pkg/monitor/agent"
@@ -34,7 +34,6 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
-	zapf "sigs.k8s.io/controller-runtime/pkg/log/zap"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 )
 
@@ -44,7 +43,9 @@ var (
 		"daemon",
 		"Retina-Agent Daemon",
 		// Create the controller manager, provides the hive with the controller manager and its client
-		cell.Provide(func(k8sCfg *rest.Config, logger logrus.FieldLogger, rcfg config.RetinaHubbleConfig) (ctrl.Manager, client.Client, error) {
+		cell.Provide(func(
+			k8sCfg *rest.Config, logger *slog.Logger, rcfg config.RetinaHubbleConfig,
+		) (ctrl.Manager, client.Client, error) {
 			if err := corev1.AddToScheme(scheme); err != nil { //nolint:govet // intentional shadow
 				logger.Error("failed to add corev1 to scheme")
 				return nil, nil, errors.Wrap(err, "failed to add corev1 to scheme")
@@ -60,7 +61,7 @@ var (
 				LeaderElectionID:       "ecaf1259.retina.io",
 			}
 
-			logf.SetLogger(zapf.New())
+			logf.SetLogger(log.LogrLogger())
 			ctrlManager, err := ctrl.NewManager(k8sCfg, mgrOption)
 			if err != nil {
 				logger.Error("failed to create manager")
@@ -71,7 +72,7 @@ var (
 		}),
 
 		// Start the controller manager
-		cell.Invoke(func(l logrus.FieldLogger, lifecycle cell.Lifecycle, ctrlManager ctrl.Manager) {
+		cell.Invoke(func(l *slog.Logger, lifecycle cell.Lifecycle, ctrlManager ctrl.Manager) {
 			var wp *workerpool.WorkerPool
 			lifecycle.Append(
 				cell.Hook{
@@ -99,7 +100,7 @@ var (
 type Daemon struct {
 	clientset k8sClient.Clientset
 
-	log            logrus.FieldLogger
+	log            *slog.Logger
 	monitorAgent   monitoragent.Agent
 	pluginManager  *pluginmanager.PluginManager
 	HTTPServer     *servermanager.HTTPServer
@@ -108,7 +109,6 @@ type Daemon struct {
 	k8swatcher     *watchers.K8sWatcher
 	localNodeStore *node.LocalNodeStore
 	ipc            *ipcache.IPCache
-	svcCache       k8s.ServiceCache
 	hubble         hubblecell.HubbleIntegration
 }
 
@@ -124,33 +124,34 @@ func newDaemon(params *daemonParams) *Daemon {
 		k8swatcher:     params.K8sWatcher,
 		localNodeStore: params.Lnds,
 		ipc:            params.IPC,
-		svcCache:       params.SvcCache,
 		hubble:         params.Hubble,
 	}
 }
 
 func (d *Daemon) Run(ctx context.Context) error {
 	// Start K8s watcher
-	d.log.WithField("localNodeStore", d.localNodeStore).Info("Starting local node store")
+	d.log.Info("Starting local node store", "localNodeStore", d.localNodeStore)
 
 	// Start K8s watcher. Will block till sync is complete or timeout.
 	// If sync doesn't complete within timeout (3 minutes), causes fatal error.
 	retinak8s.Start(ctx, d.k8swatcher)
 
+	d.log.Info("Starting generateEvents goroutine", "eventChanCap", cap(d.eventChan))
 	go d.generateEvents(ctx)
 	return nil
 }
 
 func (d *Daemon) generateEvents(ctx context.Context) {
+	d.log.Info("generateEvents started, waiting for events on eventChan")
 	for {
 		select {
 		case <-ctx.Done():
+			d.log.Info("generateEvents context done, exiting")
 			return
 		case event := <-d.eventChan:
-			d.log.WithField("event", event).Debug("Sending event to monitor agent")
 			err := d.monitorAgent.SendEvent(0, event)
 			if err != nil {
-				d.log.WithError(err).Error("Unable to send event to monitor agent")
+				d.log.Error("Unable to send event to monitor agent", "error", err)
 			}
 		}
 	}