chore(deps): update helm release cilium to v1.15.1 (!816) · Merge requests · Tristan Gosselin-Hane / infrastructure

Renovate Bot requested to merge renovate/cilium-1.x into master Mar 09, 2024

This MR contains the following updates:

Package	Type	Update	Change
cilium (source)	HelmChart	minor	`1.14.4` -> `1.15.1`

Release Notes

cilium/cilium (cilium)

`v1.15.1`: 1.15.1

Compare Source

We are pleased to release Cilium v1.15.1. This release contains various bug fixes and improvements, including a fix for a regression where veth devices were incorrectly getting classified as native devices (https://github.com/cilium/cilium/pull/30762).

Summary of Changes

Minor Changes:

Enhance trace events from the outbound SNAT path, to report the pre-SNAT IP address and the interface index of the egress interface. (Backport MR #30704, Upstream MR #28723, @julianwiedmann)
ui: release v0.13.0 (Backport MR #30727, Upstream MR #30711, @geakstr)

Bugfixes:

envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (Backport MR #30681, Upstream MR #30543, @chaunceyjiang)
Fix bug in indexing of routes that lead to veth devices being considered native devices, which caused the wrong BPF program to be loaded onto them. (Backport MR #30767, Upstream MR #30762, @dylandreimerink)
fix edge case in node addressing logic which could result in a panic (Backport MR #30767, Upstream MR #30757, @dylandreimerink)
hive: Fix start hook log output (Backport MR #30727, Upstream MR #30712, @joamaki)
Updating ENI prefix delegation fallback to use dedicated error codes (Backport MR #30681, Upstream MR #30536, @hemanthmalla)

CI Changes:

ci: add trigger phrase to Gateway API conformance test workflow name (Backport MR #30681, Upstream MR #30525, @tklauser)
CI: Change cloud regions (Backport MR #30681, Upstream MR #30378, @brlbil)
ci: Fix MR labels parsing in update label workflow (Backport MR #30681, Upstream MR #30507, @pippolo84)
gh: ci-verifier: use lvh-images/complexity-test as renovate dependency (Backport MR #30681, Upstream MR #30520, @julianwiedmann)
gha: additionally cover BPF masquerade in clustermesh E2E tests (Backport MR #30681, Upstream MR #30321, @giorio94)
gha: make runner type for clustermesh workflows configurable (Backport MR #30681, Upstream MR #30496, @giorio94)
Update GitHub upload-artifact action (Backport MR #30681, Upstream MR #30443, @brlbil)
workflows: Clean IPsec test output (Backport MR #30767, Upstream MR #30759, @pchaigno)

Misc Changes:

Added Last page Edit on Documentation (Backport MR #30681, Upstream MR #30612, @gailsuccess)
bgpv1: remove BGP Controller from daemon cell (Backport MR #30767, Upstream MR #30561, @harsimran-pabla)
chore(deps): update all github action dependencies (v1.15) (patch) (#30486, @renovate[bot])
chore(deps): update all kind-images main (v1.15) (patch) (#30670, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.21 (v1.15) (#30570, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.22 (v1.15) (#30671, @renovate[bot])
chore(deps): update stable lvh-images (v1.15) (patch) (#30574, @renovate[bot])
dep: Bump grpc_health_probe to v0.4.24 (Backport MR #30704, Upstream MR #30643, @ferozsalam)
docs: Document XfrmInStateInvalid errors (Backport MR #30767, Upstream MR #30151, @pchaigno)
egressgw: improvements for FIB-driven redirect path (Backport MR #30681, Upstream MR #30576, @julianwiedmann)
Fix failure in FuzzDenyPreferredInsert test (Backport MR #30681, Upstream MR #30368, @christarazi)

Other Changes:

[v1.15] ci/ipsec: Fix downgrade version for release preparation commits (#30718, @qmonnet)
envoy: Bump envoy version to v1.27.3 (#30696, @sayboras)
install: Update image digests for v1.15.0 (#30559, @aanm)

v1.15.0

Docker Manifests

`v1.15.0`: 1.15.0

Compare Source

Changelog

The Cilium core team are excited to announce the Cilium 1.15 release. 🎉

Summary of Changes

Major Changes:

Add dynamic flowlog exporters configured by yaml file (configmap) without a need of agent restart. (#28873, @marqc)
Add support for extending ClusterMesh to 511 clusters By setting the flag --max-connected-clusters=511, a new cluster will be able to connect to a ClusterMesh with up to 511 clusters. If enabled, the number of possible cluster-local identities will be reduced to 32,768. This feature can only be enabled on new clusters, and all clusters in the ClusterMesh must share the same configuration. (#27520, @thorn3r)
Add support for Gateway API v1.0 (#28836, @sayboras)
Add support for k8s 1.28 (#27361, @aanm)
Allow selecting nodes by CIDR policy (#27464, @squeed)
bgpv1: Add bgp/routes API endpoint and cilium bgp routes CLI command (#27182, @rastislavs)
gateway-api: Support GRPCRoute resource (#28654, @sayboras)
k8s: add support for k8s 1.29.0 (#29473, @aanm)
Module Health: Node Manager: First Iteration (#25994, @tommyp1ckles)
Support BGP passwords in the Go BGP implementation. (#23759, @dgl)

Minor Changes:

*_kvstore_operations_duration_seconds metrics do not include client-side rate-limiting latency anymore. (#27396, @marseel)
io.cilium.podippool.namespace: <CiliumPodIPPool_NAMESPACE> and io.cilium.podippool.name: <CiliumPodIPPool_NAME> selectors can be specified for a PodIPPoolSelector of a CiliumBGPPeeringPolicy to select a CiliumPodIPPool by namespaced name instead of labels. (#28314, @danehans)
Add cilium bpf auth flush command for debugging purposes (#27216, @meyskens)
Add an option to Cilium to set the persistent keepalive for cilium_wg0 (#27932, @chaunceyjiang)
Add an option to specify a filters and field mask for hubble-exporter (#26379, @AwesomePatrol)
Add documentation of Hubble exporter - an option to save Hubble flows to a file (#27610, @AwesomePatrol)
Add flows per second information to Hubble status (#28205, @glrf)
Add Hubble Grafana dashboards: Network and DNS overview (#27751, @lambdanis)
add Ingress controller proxy protocol support (#28194, @zetaab)
Add lbipam support for shared ips (#28806, @usiegl00)
Add option to pass api-rate-limit via Helm values (#28239, @ungureanuvladvictor)
Add option to redact http headers (#26724, @ChrsMark)
Add per-controller success/failure count metrics and a config option for these (#26850, @asauber)
Add Prometheus map pressure metrics for NAT maps (#27001, @derailed)
Add securityContext for spire pod in helm chart (#27363, @ishuar)
Add source and destination workload_kind context labels (Hubble). (#27350, @marqc)
Add strict mode for WireGuard Pod2Pod encryption (#21856, @3u13r)
Add support for filtering on HTTP URLs in Hubble (#28275, @glrf)
Added cilium_kvstoremesh_kvstore_sync_errors_counter, cilium_clustermesh_apiserver_kvstore_sync_errors_counter and kvstore_sync_errors_counter metrics that capture data synchronization errors to kvstore. (#28419, @marseel)
Added hubble_relay_pool_peer_connection_status metric for measuring the connection status of all peers. Metric keeps track of number of peers for each possible connectiion status. (#28217, @siwiutki)
Added new ingress.cilium.io/ssl-passthrough annotation for Ingress objects (#28751, @youngnick)
Added the EnableHealthCheckLoadBalancerIP flag to address health checks on LoadBalancerIP in Google Cloud Platform using KubeProxyReplacement. (#26728, @nberlee)
Adds "best-effort" mode for XDP to skip interfaces without driver support (#28666, @poblahblahblah)
Adds optional configurable jobLabel to cilium-agent, cilium-operator, and hubble serviceMonitors (#28125, @rbankston)
Adds the CiliumPodIPPool selector type to BGP CP AdvertisedPathAttributes to match CiliumPodIPPool custom resources. Path attributes apply to routes announced for selected CiliumPodIPPools. (#28310, @danehans)
Allow case-insensitive name for CNI chaining mode (#28050, @asauber)
api, cli: Show srv6 status in cilium status (#28700, @husnialhamdani)
api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport MR #30529, Upstream MR #30167, @viktor-kurchenko)
api: Add extensions field to observer.GetFlowsRequest and flow.Flows types (#27577, @chancez)
Augments cilium status CLI to report on agent modules health status. (#25714, @derailed)
Auth map garbage collection will trigger if last local endpoint of a security identity was removed (#27697, @meyskens)
bgpv1: Add cilium-dbg bgp route-policies command & include it in the bugtool (#28973, @rastislavs)
bgpv1: Enable cilium-dbg bgp routes advertised command without specifying a peer (Backport MR #30230, Upstream MR #30033, @rastislavs)
BGPv1: Set R-bit in graceful restart capability negotiation. (#28293, @ArsenyBelorukov)
bgpv1: Use kube-system namespace by default for MD5 secret (#29478, @YutaroHayakawa)
bpf: allow overriding Makefile variables (#27492, @lmb)
bpf: compile test ENABLE_EGRESS_GATEWAY_COMMON (#27515, @lmb)
bpf: gate egressgw datapath on separate defines (#27189, @lmb)
bpf: static data: use inline asm to access static data (#27589, @ti-mo)
bpgv1: move the internal BGP signaler to a cell and allow other cells to depend on it. (#26745, @ldelossa)
can create the directory for the customized cni conf and remove the cni conf file in cleanup command (#27933, @sofat1989)
Change the Helm values configuration for SPIRE to match other images in the Helm charts (#27621, @weizhoublue)
cilium ingress should have an option to set the number of trusted loadbalancer hops (#27952, @chaunceyjiang)
cilium-agent: Remove the obsolete --bpf-lb-dev-ip-addr-inherit option (Backport MR #30264, Upstream MR #29963, @joamaki)
cilium-dbg: Add statedb query support and commands to inspect statedb tables devices, routes and l2-announce. (#28872, @joamaki)
Cilium-operator and clustermesh's kvstore metrics are now enabled by default in Helm. (#27653, @marseel)
cilium/cmd: make output of 'cilium policy selectors' sorted. (#27803, @tommyp1ckles)
cilium: export intermediate cobra.Commands (#26265, @lmb)
cilium: use absolute path to include Makefile.defs (#27054, @lmb)
CiliumL2AnnouncementPolicy will only select Services that do not specify a LoadBalancerClass or specify a LoadBalancerClass of "io.cilium/l2-announcer". (#27976, @danehans)
cli: Update cilium policy import to allow policy replacement by label (#27103, @deverton-godaddy)
clustermesh-apiserver deployment support lifecycle and terminationGracePeriodSeconds. (#26945, @acgs771126)
cmd/watchdogs: add health reporter to watchdog controller. (#29038, @tommyp1ckles)
cmd: Disable local node routes when endpoint routes are enabled (#28324, @gandro)
Config option to customize the default IP Pool when using MultiPool (#28818, @chaunceyjiang)
Correlate flows with CiliumNetworkPolicies (#27854, @chancez)
daemon: Do not require native routing CIDR if ipmasq-agent is enabled (#27747, @gandro)
daemon: don't wait for presence of unused CiliumNodeConfig CRD (#27684, @akhilles)
daemon: The option "EnableRemoteNodeIdentity" is now deprecated and will be removed from the v1.16 release. (#28300, @nathanjsweet)
Default client-go QPS and burst in agent and operator have been increased to 10 and 20 respectively for k8s versions 1.27+ (#29445, @marseel)
Delete auth map entries for removed Security IDs in SPIRE (#27663, @meyskens)
Deprecated helm options enableK8sEventHandover/enableCnpStatusUpdates were removed. Corresponding flag "enable-k8s-event-handover" in Agent and "cnp-status-update-interval" in operator were removed. (#29395, @marseel)
docs, cilium: Remove cilium endpoint regenerate command (#27326, @christarazi)
docs: remove annotations-based l7 visibility (#28449, @networkop)
Don't automatically infer ClusterID and ClusterName for external workloads. (#27886, @giorio94)
egressgw: inject datapath config via hive (#27414, @lmb)
EgressGW: interface selection is now done with BPF, using --install-egress-gateway-routes is no longer needed. (#26215, @jibi)
egressgw: refactor check for conflicting egress IPs (#27491, @lmb)
egressgw: reject config with CiliumEndpointSlice (#27984, @julianwiedmann)
egressgw: tidy up Config handling (#27221, @lmb)
endpoint, endpointmanager: Publish max policymap size as metric (#27367, @christarazi)
ENI: fix calculateExcessIPs excessive calculate of excess ip (#28467, @wu0407)
Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport MR #30349, Upstream MR #30126, @youngnick)
envoy: Bump envoy to 1.26.2 (#26851, @sayboras)
envoy: Bump envoy version to v1.26.4 (#27104, @sayboras)
envoy: Bump envoy version to v1.27.1 (#28531, @sayboras)
envoy: Bump envoy version to v1.27.2 (#28671, @mhofstetter)
envoy: Update envoy version to the latest build (#27819, @jrajahalme)
Extend AWS metadata-based policy enforcement to work with any VPC-enabled service. (#27071, @spacepants)
Fix inaccurate calculation for bootstrap stats of restore (#27983, @PlatformLC)
fix: Preserve OwnerReferences when updating Ingresses with Load Balancer in shared mode (#28452, @bittermandel)
Fixes name used for disabling KVStoreMesh metrics. (#27680, @marseel)
FQDN: transition to asynchronous IPCache APIs (#29036, @squeed)
gateway-api: Add support for gateway.infrastructure attribute (#29122, @sayboras)
gateway-api: Add support for multiple request mirrors (#28342, @sayboras)
gateway-api: Add supported features in GatewayClass status (#29116, @sayboras)
gateway-api: Bump the version to v0.8.1 (#28195, @sayboras)
gateway-api: Bump the version to v1.0.0-rc1 (#28757, @sayboras)
gateway-api: Bump version to v0.8.0-rc1 (#27592, @sayboras)
gateway-api: Check for required CRDs upon startup (#28982, @sayboras)
gateway-api: Update API version for Reference Grant (#29811, @sayboras)
Handle IPv4 fragments in SNAT flows correctly. (#25340, @gentoo-root)
helm: Add extraVolumeMounts to cilium config init container (Backport MR #30349, Upstream MR #30131, @ayuspin)
helm: Added support for existing Cilium SPIRE NS (#29032, @PhilipSchmid)
helm: allow annotations to be set for preflight resources (#27860, @bradwhitfield)
Hide empty columns by default in "kubectl get ciliumendpoints" output (#28744, @Iiqbal2000)
hive/cell: remove health reporting on health provider. (#28773, @tommyp1ckles)
hubble-relay: Add support for peers joining during requests (#29326, @glrf)
Hubble: add option to filter for pods and services in any namespace (#28921, @glrf)
hubble: Add Support for filtering on HTTP headers (#28851, @ChrsMark)
hubble: Conditionally redact user info present in URLs in (L7) HTTP flows (#28848, @ioandr)
Hubble: improve security by adding an option to redact API key in Kafka requests (L7) (#25844, @ioandr)
hubble: replace deprecated usage of grpc.WithInsecure. (#25631, @tommyp1ckles)
Ignore Indexed Job-specific label by default for CID creation batch.kubernetes.io/job-completion-index. (#28897, @tosi3k)
Ignore StatefulSet-specific labels by default for CID creation. This includes the two following labels:
statefulset.kubernetes.io/pod-name
apps.kubernetes.io/pod-index (#28003, @tosi3k)
Implement AdvertisedPathAttributes for CiliumBGPNeighbor in the CiliumBGPPeeringPolicy CRD to allow setting BGP Community and Local Preference path attributes for advertised BGP routes. (#27705, @rastislavs)
Improve cilium status --verbose and cilium-health status --succinct support to show IPv6 IPs as well (#27912, @chaunceyjiang)
Improve cilium-agent bootstrap time when using cluster-pool ipam. (#28354, @marseel)
Improve helm validation for clustermesh, and allow creating the clustermesh configuration also in kvstore mode (#28763, @giorio94)
Improve Hubble Relay Kubernetes Readiness/Liveness check (#28765, @glrf)
Improve the usability of the cilium policy selectors command by including the policy name and namespace in order to easily understand which selector comes from what policy (#27838, @christarazi)
Increase number of dnsproxy mutexes from 128 to 131. (#27147, @marseel)
init: Poll CRD synchronization times have been lowered from 1 second to 50ms. (#28954, @howardjohn)
Introduce ability to specify SAFI/AFI for specific BGP peers. (#26940, @ldelossa)
ipam, metrics: Add new capacity metric (#27710, @christarazi)
ipam/multipool: Introduce specific ip family annotations for specifying ip pools (#28244, @hargrovee)
ipam: Remove cluster-pool-v2beta code (#27753, @gandro)
Merge clustermesh-apiserver and kvstoremesh into a single image (#27888, @giorio94)
metrics: add bpf_map_capacity metric which provides max size of maps (#28146, @tommyp1ckles)
metrics: Add workqueue metrics (#27042, @ysksuzuki)
Modular daemon and operator (#25986, @pippolo84)
Mutual Auth: only respond handshake with certificate if security ID is in use on node (#27682, @meyskens)
mutual-auth: Bump spire image version (#29101, @sayboras)
Named ports in DNS policies are now resolved correctly. (#29023, @jrajahalme)
Named ports in DNS policies are now resolved correctly. (Backport MR #30529, Upstream MR #29023, @jrajahalme)
Operator modular metrics (#28005, @pippolo84)
operator: Remove identity GC and CES controller legacy metrics (#28166, @pippolo84)
pkg/datapath: Remove defunct --single-cluster-route flag (#29221, @gandro)
pkg/labels: print all leaf CIDRs, not just the last one. (#28224, @squeed)
Pre-initialize several known metric vectors to avoid empty metrics (specifically: endpoint_regenerations_total, policy_change_total, policy_implementation_delay, policy_l7_total and kubernetes_events metrics). (#27835, @tommyp1ckles)
Propagate prefixed labels from Ingress resource to LB service (#28598, @log1cb0mb)
Refactor hubble redact settings schema (#26989, @ChrsMark)
Refactor hubble redact settings schema [v2] (#27553, @ChrsMark)
Remove deprecate clustermesh CA configuration from the helm chart (#27162, @giorio94)
Remove deprecated policy_import_errors_total metric (#28423, @tklauser)
Remove deprecated tunnel option, and corresponding helm values setting (#29053, @giorio94)
Rename the CLI for local Cilium API access to 'cilium-dbg' (#28085, @joestringer)
Replace etcd init script used for clustermesh with a Go equivalent. Upgrade etcd to v3.5.10. (#29109, @JamesLaverack)
Replace LB-IPAM IP allocator to remove limitations and enable additional features (#26488, @dylandreimerink)
Replace metricsmap-bpf-prom-sync with Prometheus Collector pattern (#27370, @carnerito)
Respond with ICMP reply for traffic to services without backends (#28157, @dylandreimerink)
show DSR-dispatch mode in cilium-dbg status (#29217, @chaunceyjiang)
Structured Health Reporter + EndpointManager Modular Health Checks (#27522, @tommyp1ckles)
The cilium-agent now sets GOMEMLIMIT to the container's memory resource limit, which helps the Go GC to avoid unnecessary OOMs. (#27958, @bimmlerd)
The podIPPoolSelector field has been added to CiliumBGPVirtualRouter for selectively advertising multi-pool IPAM CIDRs. (#27100, @danehans)
Update to Envoy 1.27.0, run cilium-envoy process without any privileges. (#27498, @jrajahalme)
When BGP control plane is enabled and configured for service announcements, it will only advertise a matching service that has an unspecified loadbalancerClass or set for "io.cilium/bgp-control-plane". (#26905, @danehans)
When master key protection is enabled, failed attempts at recreating k8s identity resources will now be retried. (#28912, @tommyp1ckles)
When tunneling is enabled, a packet will be encapsulated by Cilium's tunnel netdev before encrypting with WireGuard. (#29000, @brb)

Bugfixes:

ImplementationSpecific Ingress paths (which for Cilium Ingress means regex path matches) are now sorted correctly in between Exact and Prefix matches. (#29381, @youngnick)
Add a 5 second timeout to the Mutual Auth TCP handshake (#26650, @meyskens)
Add default toleration for SPIRE agent on control plane nodes (Backport MR #30230, Upstream MR #28947, @meyskens)
Allow unsupported protocol family errors when deleting IPv6 proxy routing rules (Backport MR #30529, Upstream MR #30299, @rgo3)
Avoid panic during BPF program compilation when clang command fails to start (Backport MR #30264, Upstream MR #30009, @ti-mo)
backporting: Revert changes until the new workflow will be in place (#28371, @pippolo84)
bgpv1: Avoid creating resource.Store in Start() hive hooks of BGP CP to ensure proper BGP CP initialization. (Backport MR #30079, Upstream MR #29954, @rastislavs)
bgpv1: fix manager_test.go build error (#27543, @ldelossa)
bpf: fix wrong loopback address mask value (Backport MR #30230, Upstream MR #29946, @haiyuewa)
bpf: fixes an issue where inserting inner maps into an outer may fail with EINVAL due to flags mismatch (#28710, @ldelossa)
bpf: nat: set .from_local_endpoint for all inter-cluster SNAT traffic (#26853, @julianwiedmann)
bug fix: close status collector when daemon exits (#27937, @sofat1989)
bug: In dual-stack mode (both IPv4 and IPv6 are enabled), Cilium incorrectly converted CIDRs that covered all possible addresses for an IP Family (e.g. 0.0.0.0/0) to the "reserved:world" entity. Both IP families must be completely covered for "reserved:world" to apply. This resulted in dual-stack mode network policies that could not distinguish between world IPv4 and IPv6 traffic, treating them as one entity instead. (#22625, @nathanjsweet)
Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport MR #30212, Upstream MR #29239, @jrajahalme)
cleanup: can clean the bpf filters created by the cilium agent with lower version (#27373, @sofat1989)
Conntrack entries for Service connections are now printed in the canonical "source -> destination" format when using the "bpf ct list" command. (#28913, @julianwiedmann)
daemon/cmd: Updates restoreIPCache() to use errors.Is() (Backport MR #30529, Upstream MR #30220, @danehans)
daemon: Fail init if requirements for BPF masquerade are not met (Backport MR #30230, Upstream MR #29778, @pippolo84)
datapath: fix dbg-capture-proxy-[pre/post] reporting (#27704, @mhofstetter)
datapath: Fix primary flag in NodeAddress (#29483, @joamaki)
Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (Backport MR #30230, Upstream MR #29400, @meyskens)
Don't orphan CEPs when node IPV6 is preferred at dual stack k8s config (#28142, @rawmind0)
Due to a race condition in the experimental runtime device detection, Cilium could fail to make a newly added device available for node port services. (Backport MR #30230, Upstream MR #29917, @bimmlerd)
egressgateway: Use UID to identify CiliumEndpoints in epDataStore (#29124, @rastislavs)
egressgw: Fix the issue that an iptables SNAT rule in the host netns interferes packets to egress gw and bypass the egress GW policy (#29379, @ysksuzuki)
egressgw: policy: ensure egressGateway field is not nil (#27802, @jibi)
endpointmanager: fix bpf policy pressure getting stuck. (#28185, @tommyp1ckles)
envoy: Bump envoy image to include proxy_protocol filter (Backport MR #30349, Upstream MR #30260, @sayboras)
envoy: fix init order between accesslog and xDS server (#27617, @mhofstetter)
envoy: fix SO_REUSEPORT with BPF TPROXY (#30459, @mhofstetter)
examples: Fix YAML error backendRefs in HTTP Header Modifier (#27871, @haiyuewa)
Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (Backport MR #30230, Upstream MR #29986, @qmonnet)
Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport MR #30324, Upstream MR #30248, @ti-mo)
Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport MR #30079, Upstream MR #29616, @learnitall)
Fix bug that could cause IPsec route change failures to be silent. (Backport MR #30529, Upstream MR #29423, @derailed)
Fix bugs in health-server that cause the state in the prober's cache to drift and allow nodes with empty IP addresses to be added. (Backport MR #30230, Upstream MR #29745, @thorn3r)
Fix cilium-envoy ServiceMonitor port name (#27207, @pixiono)
Fix connection disruption for IPsec during downgrade to v1.14 by attaching correct bpf program to devices. (#27480, @jschwinger233)
Fix endpoint logger not formatting logs as JSON when daemon log format is set to JSON (#27263, @leblowl)
Fix error when using multiple allowRoutes namespaces in gateway (#30550, @mhofstetter)
Fix Helm rendering for dashboards.enabled=true (#28542, @bakito)
Fix instances of leaked health reporter updates. (Backport MR #30230, Upstream MR #30134, @tommyp1ckles)
Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (Backport MR #30349, Upstream MR #29460, @tommyp1ckles)
Fix missing NODE_ADD Hubble peer messages in some cases (#28226, @AwesomePatrol)
Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport MR #30529, Upstream MR #30399, @tlcowling)
Fix performance regression for pod-to-pod traffic WireGuard and tunneling. (Backport MR #30529, Upstream MR #30329, @3u13r)
Fix potential deadlock that results in stale authentication entries in Cilium (#29082, @meyskens)
Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (Backport MR #30529, Upstream MR #30282, @giorio94)
Fix rendering helm operator-dashboard annotations (#29106, @Zariel)
Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (Backport MR #28500, Upstream MR #28417, @ti-mo)
fix: PromQL syntax on cilium policy query Grafana dashboard (Backport MR #30529, Upstream MR #29938, @M0NsTeRRR)
Fixed health probing where ICMP probe was incorrectly reporting node as unreachable or reporting unreachable node as reachable in some cases. (Backport MR #30529, Upstream MR #30504, @marseel)
Fixes an issue where an empty ControlPlaneState was used during registration of BGP speakers. This would cause reconciliation issues as the current state would be unknown. (#27117, @ldelossa)
Fixes an L7 proxy issue by re-introducing 2005 route table. (#29530, @jschwinger233)
gateway-api: fix empty URI when removing path prefix (#28606, @dddddai)
gateway-api: fix status reconcile error handling (Backport MR #30230, Upstream MR #29894, @mhofstetter)
gateway-api: Requeue Gateway for owning GRPCRoute (Backport MR #30230, Upstream MR #30124, @sayboras)
gateway: Add GRPCRoute support for status changed predicate (Backport MR #30230, Upstream MR #30176, @sayboras)
Handle .status.conditions on Services using in accordance with KEP-1623 (#27399, @addreas)
health: Update Cilium agent to listen on nodeip (#26845, @tamilmani1989)
helm: Correct command for initContainer config (#28613, @sayboras)
helm: Fix envoy servicemonitor annotations (Backport MR #30230, Upstream MR #30017, @pmcgrath)
Implement full CES reconciliation logic in the operator (#26836, @alan-kut)
init well-known identity before new policy repository to fix the fqdn policy issue when enable well-known identity. (Backport MR #30529, Upstream MR #30052, @yingnanzhang666)
L2 announcements retry getting lease after losing it (Backport MR #30529, Upstream MR #30340, @dylandreimerink)
l2announcer: Leases are only created for services that are being announced. (#29446, @f1ko)
l7lb: Fix bug where not all relevant ports of a Service were synchronized to Envoy (Backport MR #30264, Upstream MR #30107, @mhofstetter)
lbipam: Fix off-by-one error in LBIPAM range allocation (#29425, @YutaroHayakawa)
maps/metricspath: protect against concurrent access in Collect (Backport MR #30230, Upstream MR #30104, @buroa)
neigh: Install neighbor entries only on devices where routes exist (#28782, @ysksuzuki)
node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (Backport MR #30530, Upstream MR #30423, @gandro)
nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport MR #29973, Upstream MR #29964, @gandro)
pkg/endpoint: fix endpoint health update always being ok. (Backport MR #30529, Upstream MR #30365, @tommyp1ckles)
pkg/nodediscovery: Updates updateCiliumNodeResource() Warning Message (Backport MR #30349, Upstream MR #30257, @danehans)
Policy revert used in rare error cases has been corrected. (#29162, @jrajahalme)
policy: Fix mapstate changes error in entry change comparison (Backport MR #30079, Upstream MR #29815, @jrajahalme)
proxy: fix multiple envoy listeners for same proxyType (#27510, @mhofstetter)
Remove a misplaces ls alias that caused cilium-dbg bpf auth ls to flush the map. (Backport MR #30529, Upstream MR #30445, @meyskens)
Remove non fatal errors from SPIRE client in the operator (Backport MR #30230, Upstream MR #28698, @meyskens)
Replace use of strict to true for kubeProxyReplacement in helm chart (#27433, @xtineskim)
Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29202, @thorn3r)
srv6: modify h.encap location in the datapath to avoid incompatibility with IPv4Masq (#28817, @ldelossa)
statedb: Fix termination of string and IP keys (#29368, @joamaki)
The DNS proxy will now compute a UDP checksum over the IPv6 response packet and the pseudo-header. (#29493, @danehans)
Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport MR #30079, Upstream MR #29848, @joamaki)

CI Changes:

.github/actions: remove GKE K8s v1.23 from test matrix. (#28297, @tommyp1ckles)
.github/workflows: don't error out if pkill finds no processes (#26357, @lmb)
.github: bump k8s version from v1.28.0 -> v1.28.2. (#28664, @tommyp1ckles)
.github: dump buddyinfo and pagetypeinfo when ci-e2e fails (#26600, @lmb)
.github: re-use common helm values from a single action (#28180, @aanm)
.github: Remove Loki action (#26676, @joestringer)
Add 100 node scale test workflow (#29214, @learnitall)
Add initial, in-progress workflow for automated scale testing (#28362, @learnitall)
Add time wrapper to test agent delays in CI (#27253, @joestringer)
ariane: Disable ci-e2e-upgrade (#29488, @brb)
bpf/tests: Cover IPsec key rotations (#27185, @pchaigno)
bpf/tests: Fixed loop not unrolled error in pktgen (#28942, @dylandreimerink)
bpf: fix flakes when checking metrics map values. (#28325, @tommyp1ckles)
bpf: fix test configuration for 5.10 and 6.1 kernels (Backport MR #30230, Upstream MR #29999, @julianwiedmann)
bpf: test: pktgen cleanups (#26776, @julianwiedmann)
bpf: tests: add helpers for boilerplate code (#27429, @julianwiedmann)
bpf: tests: add helpers for common patterns (#27134, @julianwiedmann)
bpf: tests: improve CT checks for observed TCP flags (#26802, @julianwiedmann)
build(deps): bump tornado from 6.2 to 6.3.3 in /Documentation (#27497, @dependabot[bot])
ci aws: cleanup EKS cluster in separate job (#29412, @mhofstetter)
CI images: Define a variable for the floating tags (#28008, @michi-covalent)
CI images: Define a variable for the floating tags (#28228, @michi-covalent)
CI Images: Don't push floating tags from feature branches (#28044, @michi-covalent)
ci-clustermesh-upgrade: Adjust name of test to run, to match cilium-cli's renaming (Backport MR #30264, Upstream MR #30211, @qmonnet)
ci-clustermesh-upgrade: Increment timeout between rollouts to 5min (#29560, @mhofstetter)
ci-e2e-upgrade: Bring it on (#29073, @brb)
ci-e2e-upgrade: Remove setting CLI vsn (#29435, @brb)
ci-e2e: Do not print matrix config in each step (#27999, @brb)
ci-e2e: Use kernel 6.1 instead of 6.0 (#29345, @brb)
ci-ginkgo: conditionally skip fetching artifacts & junit report (#27081, @mhofstetter)
ci-gke: adjust junit file names to matrix properties (#27072, @mhofstetter)
ci-gke: remove duplicated wait for cilium (#29542, @mhofstetter)
ci-ipsec-e2e: Misc refactor + more keys (#29592, @brb)
ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport MR #30529, Upstream MR #30503, @qmonnet)
ci: Add a call to the update label backport action (Backport MR #30264, Upstream MR #29902, @joestringer)
ci: Add a workflow to update labels of backported MRs (#27875, @pippolo84)
ci: add documentation check to documentation workflow (#29684, @mhofstetter)
ci: add K8s 1.28 platform testing (#29004, @nbusseneau)
CI: Add merge_group trigger (#29276, @brlbil)
ci: add scheduled runs for Ariane workflows (#27687, @nbusseneau)
ci: Automate generation and update of docs-builder image (#24121, @qmonnet)
ci: Avoid using deprecated "tunnel" flag (#28323, @gandro)
ci: Bump timeout of ci-runtime (#29317, @YutaroHayakawa)
ci: Bump up the memory of LVH in conformance-e2e (#29494, @michi-covalent)
ci: disable preemptible VM & GKE clusters on tests based on GKE (#29607, @mhofstetter)
ci: don't write github commit status on push event (#29404, @mhofstetter)
ci: don't write github commit status on push event (#29438, @mhofstetter)
ci: Enable link checker to ensure that all links in documentation are valid (#27116, @vipul-21)
ci: fix checking github.event.pull_request.head.sha (#26775, @mhofstetter)
ci: fix deployment issue with multiple clusters in same region (#29427, @mhofstetter)
ci: fix merge group required checks (#29337, @brlbil)
CI: fix missing names (#27839, @brlbil)
ci: fix typo in clustermesh workflow job name (#29046, @tklauser)
ci: increase cilium wait timeout to 10m on cloud providers (#29541, @mhofstetter)
ci: increase junit artifact retention from 2 to 5 days (#27021, @mhofstetter)
ci: migrate some schedule workflows to event trigger push (#29433, @mhofstetter)
ci: Remove useless quotes in update label workflow (#28952, @pippolo84)
ci: replace GHA action Sibz/github-status-action (#26976, @mhofstetter)
ci: Run documentation workflow on README.rst updates (#26559, @qmonnet)
ci: set multi-pool conformance workflow status on start (#27969, @tklauser)
ci: trigger multi-pool conformance workflow using ariane (#27957, @tklauser)
ci: upload and publish JUnit test results for conformance-multi-pool (#27025, @mhofstetter)
ci: use env variable to store branch name (#26779, @ferozsalam)
cilium-cli action: Specify the repository parameter (#29338, @michi-covalent)
Conformance AKS: wait for cilium-test namespace deletion during uninstallation (Backport MR #30230, Upstream MR #29893, @giorio94)
contrib/kind: Log DNS queries in CoreDNS pods (#27874, @pchaigno)
Correctly use cli installer action in ipv4/6 smoke (#28661, @bleggett)
datapath: Clean up XFRM configs after unit tests (#29332, @pchaigno)
Define PUSH_TO_DOCKER_HUB environment variable (#29644, @michi-covalent)
Drop support for EOLed Kubernetes versions (#29174, @michi-covalent)
egressgw: back out test for policy conflict in ENI mode (#27432, @julianwiedmann)
egressgw: make reconciliationEventsCount an atomic.Uint64 (#28154, @jibi)
egressgw: manager: test: mark helpers with c.Helper() (#28020, @jibi)
egressgw: switch unit tests to reconciliationEventsCount (#27881, @jibi)
egressgw: test for conflicting IP rules in ENI mode (#27428, @julianwiedmann)
egressgw: tests: wait for initial sync reconciliation (#29084, @jibi)
Extend BPF unit tests for IPsec (#28438, @jschwinger233)
Extend Integration Test timeout (#27811, @YutaroHayakawa)
Extend the clustermesh workflows to additionally cover the external kvstore case (Backport MR #30349, Upstream MR #29983, @giorio94)
Fix container scanning workflow (#26542, @ferozsalam)
Fix exporting results to gs bucket. (#29587, @marseel)
Fix pre-flight clusterrole check (#29224, @marseel)
Fix the build (#28229, @michi-covalent)
gateway-api: Disable HTTPRouteRequestMultipleMirrors again (#28524, @sayboras)
gateway-api: Enable CI for multiple mirror feature (#28838, @sayboras)
gh/workflows: Bump CLI to v0.15.18 (Backport MR #29899, Upstream MR #29849, @brb)
gh/workflows: Bump CLI to v0.15.8 in e2e tests (#28132, @brb)
gh/workflows: Drop rading /proc in case of failure (#29855, @brb)
gh/workflows: Fix setting endpoint routes in ci-e2e (#27384, @brb)
gh: e2e: test conformance & upgrade with 5.4 kernel and EgressGW (#29651, @julianwiedmann)
GHA: Add clustermesh upgrade and downgrade tests (#27232, @giorio94)
GHA: correctly test kvstoremesh in conformance-clustermesh (#28434, @giorio94)
gha: Disable HTTPRouteRequestMultipleMirrors test (#28396, @sayboras)
gha: Enable Ingress Controller tests in conformance-e2e (#29130, @sayboras)
gha: explicilty specify beefier runner type for clustermesh workflows (Backport MR #30349, Upstream MR #30335, @giorio94)
gha: explicit branch and trigger in ariane-scheduled workflow (#28432, @giorio94)
gha: Migrate from MetalLB to L2LB (#28926, @sayboras)
gha: Remove priviledged helm option in {Ingress, Gateway} (#28200, @sayboras)
gha: sig-servicemesh owns Ingress or Gateway API related workflows (#29812, @sayboras)
golangci: enforce use of cilium/dns over miekg/dns (#27936, @tklauser)
identity: deflake test TestGetIdentity (Backport MR #30079, Upstream MR #29720, @mhofstetter)
Improve Conformance Cluster Mesh workflow coverage (Backport MR #30349, Upstream MR #29926, @giorio94)
Improve service unit test robustness (#26212, @strudelPi)
ingress: Add conformance test for KPR=false (#27304, @sayboras)
ipam: Fix race in NodeManager.Resync (#26963, @jaffcheng)
jenkinsfiles: remove kubernetes upstream (#27349, @aanm)
k8s: Replace generate-internal-groups.sh script (#27591, @sayboras)
Make ci-ipsec-upgrade a part of /test (#27557, @jschwinger233)
Make LB-IPAM tests less flaky (#29678, @dylandreimerink)
make: drop redundant go vet ./... from integration tests (#26565, @tklauser)
Mock out time for BPF ratelimit test to make it more stable (#29740, @dylandreimerink)
Network performance (Backport MR #30529, Upstream MR #30247, @marseel)
Remove coverage collection from BPF tests (#28090, @dylandreimerink)
Remove validation timeout in controlplane testing (#26414, @pippolo84)
renovate: enable Cilium CLI patch updates for Cilium <v1.14 (#29794, @giorio94)
renovate: fix match string for go version updates in go.mod (#28000, @tklauser)
renovate: Pin cilium-cli version for <v1.14 (#26716, @michi-covalent)
restore full go vet behaviour (#28945, @bimmlerd)
Revert "CI images: Define a variable for the floating tags" (#28041, @michi-covalent)
Revert quarantine k8s datapath services test (#26400, @marseel)
Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport MR #30349, Upstream MR #30207, @giorio94)
scale-test-100-gce: Use CILIUM_CLI_VERSION (#29562, @michi-covalent)
Set correct cluster name and id during upgrade test (#29165, @marseel)
Setup Renovate for SPIRE deployment (#27708, @meyskens)
Simplify CI image build workflow before v1.15 branch (#29834, @joestringer)
Skip k8s upstream conformance test for multiple protocols on a Service (#29524, @youngnick)
Switch to on-demand instances for AWS tests on scheduled runs. (#29366, @marseel)
test/k8s: clean up unused manifests (#29436, @tklauser)
test: custom calls: clean up kernel 4.9 leftovers (#27887, @julianwiedmann)
test: Fail ginkgo tests on warnings (#29624, @pchaigno)
test: Use previous in-pod CLI name for updates (#29208, @joestringer)
tests-e2e-upgrade: Use CILIUM_CLI_VERSION (#29496, @michi-covalent)
update upgrade tests to test from v1.14.0 to main (#27114, @aanm)
workflows: cilium-config: parametrize egressgw helm values (#28389, @jibi)
workflows: Increase IPsec e2e test's timeout (Backport MR #30230, Upstream MR #30194, @julianwiedmann)
workflows: Increase IPsec upgrade test's timeout (Backport MR #30079, Upstream MR #29934, @pchaigno)
workflows: Pin conn-disrupt-test GH action to main (#29402, @pchaigno)

Misc Changes:

.clang-format: Re-write and re-license .clang-format (#26640, @qmonnet)
.github/actions/helm-default: use the derived SHA as image tag (#28410, @aanm)
.github/workflows: only cancel concurrent jobs if not in merge_group (#29431, @aanm)
.github: add Dockerfile for hubble-relay image in Renovate config (#27404, @aanm)
.github: add workflow to track replied issues (#27283, @aanm)
.github: Build images for vX.Y.Z-pre.N releases (#27862, @joestringer)
.github: do not group jobs on merge queues (#29551, @aanm)
.github: do not upgrade ubuntu runner for integration tests (#27829, @aanm)
.github: fix renovate config (#27727, @aanm)
.github: Fix typo in workflow stage name (#28504, @joestringer)
.github: Remove master mirror (#25806, @joestringer)
.github: Remove remaining references to v1.11 (#26681, @joestringer)
.github: use kindest/node instead of quay.io/cilium/kindest-node (#27729, @aanm)
.github: write the right regex for little-vm-images versioning (#27390, @aanm)
@eloycoto is no longer an active committer (#27978, @eloycoto)
[v1.15] docs: add deprecation notice for enable-remote-node-identity for v1.15 (#30208, @tklauser)
Add a troubleshooting Gateway API part of the documentation (#25945, @meyskens)
Add AirQo to Cilium USERS.md (#29467, @123MwanjeMike)
Add an option to force BPF attachment to native device (#29176, @YutaroHayakawa)
Add Berops to USERS.md (#27483, @bernardhalas)
Add CEP and CES resources (#29244, @pippolo84)
Add checks to avoid use of logrus WithFields function in hot paths (#26327, @learnitall)
Add Cybozu to USERS.md (#29231, @chez-shanpu)
Add Dcode.tech to USERS.md (#28996, @eliranw)
Add deepcopy plugin (#26978, @AwesomePatrol)
Add docs on first and last IP of LB-IPAM pool (#27110, @darox)
Add error check during datapath/loader reinitialization as ApplySettings could return an error while applying sysctl settings. (#27195, @derailed)
Add G DATA CyberDefense AG as user (#27316, @farodin91)
Add guidance for bumping the Golang version in Cilium (#26789, @ferozsalam)
Add IDNIC/Kadabra as user to Cilium (#28958, @ardikabs)
Add link in maintainers.md and contributing guide to contributor ladder (#28778, @xmulligan)
Add link to getting started guide for kind cluster for common "too many files" issue (#28522, @dipankardas011)
add links to enterprise support and slack to the issues page for easier discoverability (#26551, @xmulligan)
add lint-go to merge queue check (#27542, @aanm)
Add metrics for LB-IPAM (#26173, @dylandreimerink)
Add node activity health reporters on node manager (#28799, @derailed)
Add note to the quick install documentation for increasing inotify limits (#27140, @leblowl)
Add Parseable to USERS.md (#28675, @nitisht)
Add prerelease-testing issue template (#27766, @jspaleta)
Add Schenker to the user list (#27833, @amirkkn)
Add script to run GitHub ginkgo workflow locally (#26540, @qmonnet)
Add table for node addresses (#28962, @joamaki)
add traffic shifting example for service mesh (#27845, @tanjunchen)
add Twilio to Users list (#27755, @michaelsaah)
add v1.15.0-pre.2 release (#28903, @aanm)
Add workload label context (hubble metrics). (#25667, @marqc)
Added metrics for jobs (#26077, @dylandreimerink)
Address device <-> node addressing race (#29555, @bimmlerd)
address missing binary checks for make dev-doctor. (#28269, @fujitatomoya)
alibabacloud: Allocate from vswitches with the most IP addresses (#27696, @jaffcheng)
Allow Golang bump to v1.20 on Cilium v1.12 and v1.13 (#27434, @ferozsalam)
api: Allow middleware to be injected via Hive (#29223, @gandro)
api: regenerate flow.pb.go (#27852, @Jack-R-lantern)
auth: depend on nodeIDHandler directly (#27106, @mhofstetter)
Avoid requiring the latest Go toolchain patch version to build (#28686, @joestringer)
BGP CP: API Helper Functions Cleanup (#28036, @danehans)
BGP CP: Calls String() Afi/Safi Methods instead of Duplicative Funcs (#28035, @danehans)
BGP CP: Replaces LocalNodeStore with Local CiliumNode (#28238, @danehans)
bgp: fix up formatting in CiliumBGPPeeringPolicy (#27219, @julianwiedmann)
bgpv1,ci: Add Test_AdvertisedPathAttributes into BGP component tests (#28484, @rastislavs)
bgpv1,ci: Do not use asserts in Eventually() test conditions (#28489, @rastislavs)
bgpv1: Add GetRoutes method to Router interface and generic Path type (#26803, @rastislavs)
bgpv1: Consolidate reconciler-specific maps into generic ReconcilerMetadata (#27568, @rastislavs)
bgpv1: fix incorrect error messages in the reconcilePodIPPool function (#29125, @hargrovee)
bgpv1: fix merge race conflict on NewGoBGPServer (#29321, @mhofstetter)
bgpv1: Prevent multiple reconcilers with the same name (#29071, @rastislavs)
bgpv1: Remove inappropriate comments and fix typo (#28562, @hargrovee)
bgpv1: remove references to advertisement from CiliumBGPPeeringPolicy (Backport MR #30531, Upstream MR #30337, @harsimran-pabla)
bgpv1: Reorganize BGP config reconcilers (#29277, @rastislavs)
bgpv1: set running flag in manager (Backport MR #30079, Upstream MR #30013, @harsimran-pabla)
bgpv1: Use Path type in AdvertisePath & WithdrawPath (#27223, @rastislavs)
bgpv1: Use specific log message and remove unused parameter (#28895, @hargrovee)
bigtcp: Modularize and use the devices table (#28643, @joamaki)
bpf,fib: refactor lib/fib.h to remove the now redundant code (#26380, @ldelossa)
bpf/Makefile: remove gen_compile_commands make target (#29611, @ti-mo)
bpf: avoid calculating L4 offset (#27313, @julianwiedmann)
bpf: clean up CB_NAT (#28375, @julianwiedmann)
bpf: clean up some drop notifications (#28431, @julianwiedmann)
bpf: clean up some IPv4 header validations (#29585, @julianwiedmann)
bpf: conntrack: improve handling of CT_REOPENED result (#28597, @julianwiedmann)
bpf: ct: clean up unused .seen_non_syn flag for ICMP entries (#26754, @julianwiedmann)
bpf: ct: document some unused fields in ct_entry struct (#27692, @julianwiedmann)
bpf: ct: reuse get_ct_map*() in get_cluster_ct_map*() (#27849, @julianwiedmann)
bpf: Delete obsolete do_netdev_encrypt_pools() (#28063, @jschwinger233)
bpf: don't build all bpf when making containers (fix) (#25937, @squeed)
bpf: dsr: ensure that Geneve options have correct size (#26707, @julianwiedmann)
bpf: egressgw: allow to override external API (#28277, @jibi)
bpf: egressgw: make ct_status an enum (#28399, @julianwiedmann)
bpf: egressgw: pass IPv4 tuple to egress_gw_request_needs_redirect (#27851, @jibi)
bpf: egressgw: tolerate BPF_FIB_LKUP_RET_NO_NEIGH on older kernels (Backport MR #30529, Upstream MR #30286, @julianwiedmann)
bpf: encap: clean up usage of __encap_and_redirect_with_nodeid() (#28411, @julianwiedmann)
bpf: exclude EgressGW logic in bpf_overlay (#26611, @julianwiedmann)
bpf: fib: fix issues with L2 resolution (Backport MR #30349, Upstream MR #30128, @julianwiedmann)
bpf: fine-tune a few L3 header validations (#28669, @julianwiedmann)
bpf: host: adjust scope of HostFW section in handle_ipv6() (#29052, @julianwiedmann)
bpf: hs-ipcache: use get_id_from_tunnel_id() (#28508, @julianwiedmann)
bpf: install proxy routes using Go, remove init.sh (#27445, @ti-mo)
bpf: ipsec: move get_min_encrypt_key() to encrypt.h (#28991, @julianwiedmann)
bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport MR #30079, Upstream MR #29880, @julianwiedmann)
bpf: ipv4: refactor L4 port extraction for fragmented packets (#28717, @julianwiedmann)
bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (#29721, @julianwiedmann)
bpf: lb: return drop reasons from __lb4_rev_nat() (Backport MR #30529, Upstream MR #30410, @julianwiedmann)
bpf: let set_identity_mark() also set MARK_MAGIC_IDENTITY (#28665, @julianwiedmann)
bpf: lxc: avoid upgrade/downgrade woes with CB_FROM_TUNNEL in IPv6 path (#29304, @julianwiedmann)
bpf: lxc: clarify kube-proxy workaround in to-container path (#27604, @julianwiedmann)
bpf: lxc: cleanups (#27044, @julianwiedmann)
bpf: lxc: remove unused IPv6 loopback code (#27601, @julianwiedmann)
bpf: lxc: transfer sec identity for per-EP loopback in reply direction (#27812, @julianwiedmann)
bpf: make it easier to figure out which BUILD_PERMUTATION failed (#27541, @lmb)
bpf: minor ICMPv6 improvements (#26563, @julianwiedmann)
bpf: minor loopback cleanups (#27764, @julianwiedmann)
bpf: nat: fully switch to snat_v*_rewrite_helpers() (#29403, @julianwiedmann)
bpf: nat: Handle errors from snat_v(4|6)_prepare_state() (#26501, @qmonnet)
bpf: nat: improve logic that creates the NAT entries (#26594, @julianwiedmann)
bpf: nat: limit EgressGW redirect check to bpf_host (#29159, @julianwiedmann)
bpf: nat: minor improvements (#26520, @julianwiedmann)
bpf: nat: pass NAT map to snat_v4_new_mapping() (#29049, @julianwiedmann)
bpf: nat: share rewrite logic in RevSNAT path (#27366, @julianwiedmann)
bpf: nat: small Masquerading improvements (#26848, @julianwiedmann)
bpf: nat: SNAT cleanups (#26889, @julianwiedmann)
bpf: nat: use common set of rewrite helpers (#27509, @julianwiedmann)
bpf: nodeport: constrain CT lookups to relevant entry types (#27607, @julianwiedmann)
bpf: nodeport: improve ICMP vs DSR co-existence (#26562, @julianwiedmann)
bpf: nodeport: improve tracing for inlined RevDNAT processing (#27191, @julianwiedmann)
bpf: nodeport: integrate Ingress RevSNAT and RevDNAT paths (#27488, @julianwiedmann)
bpf: nodeport: re-introduce Ingress HostFW between RevSNAT and RevDNAT (#28960, @julianwiedmann)
bpf: nodeport: split up ingress path when HostFW is enabled (Backport MR #30529, Upstream MR #30442, @julianwiedmann)
bpf: overlay: clarify delivery to local host (#27580, @julianwiedmann)
bpf: overlay: clean up CB_SRC_LABEL handling in inter-cluster-SNAT path (#28134, @julianwiedmann)
bpf: overlay: clean up extraction of source identity (#28608, @julianwiedmann)
bpf: overlay: remove unused code (#27026, @julianwiedmann)
bpf: overlay: restore bpf_clear_meta() in from-overlay (Backport MR #30349, Upstream MR #30343, @julianwiedmann)
bpf: policy: cleanups to reduce program size (#27369, @julianwiedmann)
bpf: Rename proxy_identity to src_sec_identity (#27517, @joestringer)
bpf: s/ipcache_lookup*()/lookup_ip*_remote_endpoint() (#28805, @julianwiedmann)
bpf: small improvements in TTL / hoplimit handling (#27146, @julianwiedmann)
bpf: snat: DSR-eligible traffic can skip check for Nodeport NAT conflict (#26674, @julianwiedmann)
bpf: tests: minor cleanups (#29354, @julianwiedmann)
bpf: tunnel-related cleanups in to-container path (#28920, @julianwiedmann)
bpf: use l4_load_ports() everywhere (#29135, @julianwiedmann)
bpf: xdp: remove unused XFER_ENCAP_* enums (#27264, @julianwiedmann)
Bug: Fix module health status output (#29140, @derailed)
build(deps): bump certifi from 2022.12.7 to 2023.7.22 in /Documentation (#27064, @dependabot[bot])
build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport MR #30529, Upstream MR #30219, @dependabot[bot])
build(deps): bump pygments from 2.14.0 to 2.15.0 in /Documentation (#26957, @dependabot[bot])
build(deps): bump urllib3 from 2.0.4 to 2.0.6 in /Documentation (#28365, @dependabot[bot])
build(deps): bump urllib3 from 2.0.6 to 2.0.7 in /Documentation (#28658, @dependabot[bot])
build: Declare GO in makefile before first use (#28983, @sayboras)
build: fix usage of local golangci-lint installation (#28162, @mhofstetter)
build: Remove envoy from Makefile target (#28436, @sayboras)
Bump allowed Golang version for v1.11 and v1.12 (#26713, @ferozsalam)
Bump controller-tools fork to v0.8.0-1 (#27063, @christarazi)
Change makefile cache to rebuild on header changes (#27605, @dylandreimerink)
Changed cilium status CLI output to render the modules health section as a tree structure vs tabular data. (#28800, @derailed)
chart: define the envoy image variable in the makefile (#27725, @weizhoublue)
Check for cilium.sock in /healthz endpoint (#28343, @chaunceyjiang)
chore(deps): pin hramos/needs-attention action to 4d47f33 (main) (#27286, @renovate[bot])
chore(deps): update actions/checkout action to v3.5.3 (main) (#26568, @renovate[bot])
chore(deps): update actions/checkout action to v4 (main) (#27940, @renovate[bot])
chore(deps): update actions/checkout action to v4 (main) (#29539, @renovate[bot])
chore(deps): update actions/github-script action to v7 (main) (#29142, @renovate[bot])
chore(deps): update actions/setup-go action to v5 (v1.15) (#30142, @renovate[bot])
chore(deps): update actions/setup-python action to v4.8.0 (main) (#29769, @renovate[bot])
chore(deps): update actions/stale action to v9 (main) (#29772, @renovate[bot])
chore(deps): update all github action dependencies (main) (#27904, @renovate[bot])
chore(deps): update all github action dependencies (main) (#28188, @renovate[bot])
chore(deps): update all github action dependencies (main) (#28736, @renovate[bot])
chore(deps): update all github action dependencies (main) (#28987, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#26570, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#26821, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#27737, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#28616, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#29260, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#26691, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#26819, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#27478, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#28066, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#28190, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#28603, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#28724, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#29262, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#29387, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#29533, @renovate[bot])
chore(deps): update all github action dependencies to v2 (main) (major) (#29540, @renovate[bot])
chore(deps): update all github action dependencies to v3 (main) (major) (#28099, @renovate[bot])
chore(deps): update all github action dependencies to v5 (main) (major) (#29773, @renovate[bot])
chore(deps): update all kind-images main (main) (#27477, @renovate[bot])
chore(deps): update all kind-images main (main) (patch) (#27479, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#27339, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#27372, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#27421, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#27858, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#28037, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#28147, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#28345, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#28725, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#28859, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#29388, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#29534, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#29556, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#29766, @renovate[bot])
chore(deps): update all lvh-images main (v1.15) (patch) (#30225, @renovate[bot])
chore(deps): update anchore/scan-action action to v3.3.8 (main) (#29573, @renovate[bot])
chore(deps): update aws-actions/configure-aws-credentials action to v3 (main) (#27743, @renovate[bot])
chore(deps): update aws-actions/configure-aws-credentials action to v4 (main) (#28100, @renovate[bot])
chore(deps): update cilium/cilium digest to 1633d7b (main) (#28868, @renovate[bot])
chore(deps): update cilium/cilium digest to 614f2dd (main) (#29386, @renovate[bot])
chore(deps): update cilium/cilium digest to 6180087 (main) (#28096, @renovate[bot])
chore(deps): update cilium/cilium digest to 8a11744 (main) (#28077, @renovate[bot])
chore(deps): update cilium/cilium digest to 93f26fd (main) (#29141, @renovate[bot])
chore(deps): update cilium/cilium digest to a79241a (main) (#28721, @renovate[bot])
chore(deps): update cilium/cilium digest to ccaaa85 (main) (#28069, @renovate[bot])
chore(deps): update cilium/cilium digest to ce02445 (main) (#28629, @renovate[bot])
chore(deps): update cilium/cilium digest to ef8ca62 (main) (#29120, @renovate[bot])
chore(deps): update cilium/cilium-cli action to v0.15.4 (main) (#26971, @renovate[bot])
chore(deps): update cilium/cilium-cli action to v0.15.6 (main) (#27600, @renovate[bot])
chore(deps): update cilium/little-vm-helper action to v0.0.12 (main) (#26974, @renovate[bot])
chore(deps): update cilium/little-vm-helper action to v0.0.12 (main) (#27257, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.0 (main) (#26571, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.10 (main) (#28460, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.10 (main) (#28604, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.11 (main) (#28624, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.13 (main) (#28989, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.14 (main) (#29234, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.16 (main) (#29464, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.17 (main) (#29557, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.19 (main) (Backport MR #30230, Upstream MR #29942, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.19 (v1.15) (#30141, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.2 (main) (#26784, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.15) (#30201, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.3 (main) (#26875, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.4 (main) (#27127, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.5 (main) (#27258, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.5 (main) (#27261, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.6 (main) (#27613, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.7 (main) (#27859, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.8 (main) (#28191, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.9 (#28406, @joestringer)
chore(deps): update dependency cilium/hubble to v0.12.1 (main) (#28520, @renovate[bot])
chore(deps): update dependency cilium/hubble to v0.12.2 (main) (#28565, @renovate[bot])
chore(deps): update dependency eksctl-io/eksctl to v0.165.0 (main) (#29537, @renovate[bot])
chore(deps): update dependency go to v1.21.1 (main) (#28067, @renovate[bot])
chore(deps): update dependency go to v1.21.4 (main) (#29558, @renovate[bot])
chore(deps): update dependency google/gops to v0.3.28 (main) (#27412, @renovate[bot])
chore(deps): update dependency kubernetes/kops to v1.28.1 (main) (#29128, @renovate[bot])
chore(deps): update dependency ubuntu to v22 (main) (#27745, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.3 (main) (#27735, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.4 (main) (#28346, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (main) (#29535, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.19.0 (main) (#29770, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.19.1 (v1.15) (#30491, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.5 docker digest to 344193a (main) (#26481, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.6 docker digest to cfc9d1b (main) (#26818, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.0 docker digest to b490ae1 (main) (#27598, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.1 docker digest to cffaba7 (main) (#28189, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.1 docker digest to d2aad22 (main) (#28064, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.3 docker digest to 24a0937 (main) (#28602, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.4 docker digest to 9baee0e (main) (#29261, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.5 docker digest to 2ff79bc (main) (#29765, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.6 docker digest to 6fbd2d3 (v1.15) (#30050, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.6 docker digest to 76aadd9 (v1.15) (#30464, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 0bced47 (main) (#26689, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2b7412e (main) (#28722, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 6120be6 (main) (#26432, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d (main) (#29572, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 990350f (main) (#28578, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 9b8dec3 (main) (#28383, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to aabed32 (main) (#27895, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e6173d4 (v1.15) (#30465, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ec050c3 (main) (#27529, @renovate[bot])
chore(deps): update docker/build-push-action action to v5 (main) (#28092, @renovate[bot])
chore(deps): update docker/setup-buildx-action action to v2.9.0 (main) (#26694, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 112a87f (v1.15) (#30473, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 91ca472 (main) (#28468, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 92d40ee (main) (#27905, @renovate[bot])
chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.11 (main) (#29767, @renovate[bot])
chore(deps): update github/codeql-action action to v2.21.2 (main) (#27265, @renovate[bot])
chore(deps): update github/codeql-action action to v2.21.5 (main) (#27734, @renovate[bot])
chore(deps): update github/codeql-action action to v2.22.5 (main) (#28860, @renovate[bot])
chore(deps): update github/codeql-action action to v2.22.9 (main) (#29768, @renovate[bot])
chore(deps): update go to v1.20.6 (main) (patch) (#26781, @renovate[bot])
chore(deps): update go to v1.20.7 (main) (patch) (#27259, @renovate[bot])
chore(deps): update go to v1.21.0 (main) (minor) (#27444, @renovate[bot])
chore(deps): update go to v1.21.1 (main) (patch) (#27993, @renovate[bot])
chore(deps): update go to v1.21.3 (main) (patch) (#28471, @renovate[bot])
chore(deps): update go to v1.21.4 (main) (patch) (#29043, @renovate[bot])
chore(deps): update go to v1.21.5 (main) (patch) (#29659, @renovate[bot])
chore(deps): update go to v1.21.6 (v1.15) (patch) (#30173, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.54.0 (main) (#27385, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.54.1 (main) (#27538, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.54.2 (main) (#27619, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.55.0 (main) (#28728, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.55.1 (main) (#28865, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.55.2 (main) (#28990, @renovate[bot])
chore(deps): update google-github-actions/setup-gcloud action to v2 (main) (#29780, @renovate[bot])
chore(deps): update hubble cli to v0.12.0 (main) (minor) (#26762, @renovate[bot])
chore(deps): update hubble cli to v0.12.3 (main) (patch) (#29749, @renovate[bot])
chore(deps): update hubble cli to v0.13.0 (v1.15) (minor) (#30273, @renovate[bot])
chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (main) (#29314, @renovate[bot])
chore(deps): update myrotvorets/set-commit-status-action action to v2 (main) (#28073, @renovate[bot])
chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (main) (#28539, @renovate[bot])
chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (main) (#28589, @renovate[bot])
chore(deps): update quay.io/cilium/kindest-node docker tag to v1.28.3 (main) (#29057, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20230915.012620 (main) (#28192, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231010.012608 (main) (#28605, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231030.012704 (main) (#28869, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231123.012848 (main) (#28992, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231211.012942 (main) (#29777, @renovate[bot])
chore(deps): update sigstore/cosign-installer action to v3.1.2 (main) (#27907, @renovate[bot])
chore(deps): update stable lvh-images (v1.15) (patch) (#30461, @renovate[bot])
chore(lint): Enable linting with gosimple (#26965, @mrueg)
chore: Add deezer as cilium user (#27846, @zwindler)
chore: Add Prometheus templating to Cilium Metrics Dashboard (#28058, @kahirokunn)
chore: add SI Analytics as cilium user (#29744, @JhoLee)
chore: rename CIDRGroups resource to CiliumCIDRGroups (#29515, @pippolo84)
chore: Use slices package from Go std lib (#28614, @pippolo84)
chore: Use slices package from Go std lib (#28822, @schlosna)
chore: Use xxx.String() instead of string(xxx.Bytes()) (#26165, @testwill)
ci-e2e: add job testing node cidr feature (#28445, @squeed)
ci-e2e: Enable debug.verbose for envoy (#26860, @sayboras)
ci: fix go mod step name (#27711, @nbusseneau)
ci: set timeout on build images workflows (#27341, @mhofstetter)
CI: Silences call to cilium uninstall (#28048, @danehans)
ci: skip cosign / sbom in case of building images during cache rebuild (#26786, @mhofstetter)
ci: skip fetching sysdump in case of skipped LB test (#26774, @mhofstetter)
ci: skip post-test info gathering in case of skipped cilium installation (#26729, @mhofstetter)
Cilium Charts set the persistent keepalive for cilium_wg0 (#28013, @chaunceyjiang)
cilium node chain refactor (#26962, @bimmlerd)
cilium, docs: Add rc.0 to development releases (#26564, @borkmann)
cilium, iptables: Extend to cover default route in enable-masquerade-… (#27664, @borkmann)
cilium-dbg, policy, api: Fix labels in policy selectors output (#29152, @christarazi)
cilium-dbg: Add "statedb node-addresses" command (#29479, @joamaki)
cilium: Add a few bwm setting tweaks (#29552, @borkmann)
cilium: Add option to masq to source route (#27618, @borkmann)
cilium: Do not warn on socket tracing if EnableSocketLBTracing was not set (#29730, @borkmann)
cilium: iptables masquerade to route source fixes (#29591, @borkmann)
cilium: Remove platform references for completion (#28505, @joestringer)
Clarify cilium_event_ts metric description (#29303, @christarazi)
Clean up deprecated and unused IPCache APIs after FQDN transition to asynchronous APIs (#29657, @tklauser)
Clean up prefix length tracking implementations (#25153, @joestringer)
cleanup: code cleanup to remove unused parameter from repository add api (#26943, @tamilmani1989)
client: Use options pattern for NewRuntime (#29271, @gandro)
clustermesh install documentation: missing step (#28889, @dashaun)
clustermesh-apiserver/kvstoremesh: unify metrics cell (#28480, @giorio94)
clustermesh-apiserver: extract external workloads in a separate cell (#28478, @giorio94)
clustermesh: make extra ipcache watcher options configurable (#27336, @giorio94)
cni: Follow CNI spec by using (containerID, ifName) as unique endpoint identifier (#26894, @gandro)
cni: log format byte array as string (#26740, @aojea)
cni: remove unused CILIUM_CNI_CONF variable from install script (#29063, @wedaly)
cocci: Re-license Coccinelle scripts as Apache 2.0 (#26629, @qmonnet)
CODEOWNERS: assign .github/actions to github-sec and ci-structure (#28394, @jibi)
CODEOWNERS: assign bpf/lib/auth.h to sig-servicemesh (#27083, @mhofstetter)
CODEOWNERS: assign egressgw control plane/datapath logic to egress-gateway team (#26952, @jibi)
CODEOWNERS: assign pkg/backoff to @cilium/sig-agent (#26573, @jibi)
CODEOWNERS: assign pkg/ip to @cilium/sig-agent (#29669, @tklauser)
CODEOWNERS: claim some new ipsec-related files for cilium/ipsec (#29516, @julianwiedmann)
codeowners: include sig-servicemesh into cilium envoy & spire helm (#27559, @mhofstetter)
CODEOWNERS: IPsec owns pkg/common/ipsec (#29002, @pchaigno)
CODEOWNERS: Let IPsec team to own GH workflows for IPsec (#29190, @brb)
CODEOWNERS: remove stale cilium_egress_gateway_policy.go entry (#27234, @giorio94)
CODEOWNERS: sig-clustermesh additionally owns clustermesh-related GHA workflows and helm templates (#29671, @giorio94)
codeowners: use new teams cilium/envoy & cilium/fqdn (#29627, @mhofstetter)
Computed and propagated the value of OldEndpoints field when merging remote cluster information. (#26474, @akstron)
config: Use String instead of StringVar method (#27794, @pippolo84)
Configure the linux node config writer through Hive (#27180, @giorio94)
contrib/kind: custom kind values (#28155, @mhofstetter)
contrib: add check for new files in check-(api|k8s)-code-gen scripts (#26790, @giorio94)
contrib: Add ContainerLab-based BGP CPlane development environment (#28292, @YutaroHayakawa)
contrib: Add support for X.Y.Z-pre.N releases (#27807, @joestringer)
contrib: fix bump-readme script (#27648, @nebril)
contrib: Fix missing function in post-release.sh (#28372, @joestringer)
contrib: Fix prerelease pullPolicy (#28906, @joestringer)
contrib: Fix remote detection for security branches (#27891, @joestringer)
contrib: Fix remote repo detection for .git suffix (#28198, @joestringer)
contrib: Make hint command copy and paste friendly (#27585, @sayboras)
contrib: Move github draft release to post-release (#27861, @joestringer)
correct stats calculation for prepareBuild of endpoint_regeneration_time (#28150, @PlatformLC)
correct stats for total time of policyregenerateion (#28153, @PlatformLC)
Correct the comment for Service4Value and Service6Value (#27824, @haiyuewa)
Creation of the /hello endpoint is delayed until the host datapath has been initialized. (#27392, @lmb)
ctmap: limit NAT purging to expected CT tuple types (#28871, @julianwiedmann)
daemon, fqdn: Remove log "DNS request no matching endpoint" when endpoint is nil (#28071, @doniacld)
daemon,pkg/service: Use hive cell infra for pkg/service (#28732, @rastislavs)
daemon: Fix incorrect node and ciliumnode resource type in annotations (#29522, @hargrovee)
daemon: remove redundant wait on restoreComplete (#27603, @ti-mo)
daemon: Simplify cilium_host IP restoration (#28781, @gandro)
daemon: Skip Ingress Endpoint on BPF watchdog (#28462, @jrajahalme)
daemon: Uniquely identify daemon ipcache upserts (#28770, @joestringer)
Daemon: Updates Detect() Call to Return Detected Devices (#28010, @danehans)
daemon: Use API server cell and adapt handlers (#25000, @joamaki)
datapath/linux/probes: remove unused Have{Map,Program}Type wrappers (#26666, @tklauser)
datapath: alignchecker: allow to extend toCheck and toCheckSizes (#28711, @jibi)
datapath: Devices table and controller (#24677, @joamaki)
datapath: Few minor improvements to DevicesController (#28887, @joamaki)
datapath: Introduce fake datapath cell (#28611, @joamaki)
dep: Replace deprecated github.com/golang/protobuf (#28203, @sayboras)
dev-doctor command version strings should be array. (#28801, @fujitatomoya)
devices: fix busy loop (#29163, @bimmlerd)
devices: Remove logging and report reason in device struct (#28393, @joamaki)
Disable StateDB metrics by default (#27657, @dylandreimerink)
dnsproxy: convert LookupEndpointByIP to use netip.Addr (#28891, @tklauser)
Do not ignore link local addresses when detecting network devices. This fixes a problem in setups where network devices that only had link local addresses were ignored. (#27868, @joamaki)
Do not log on errant release of reserved identity (#26768, @asauber)
do not start bandwidth manager in dry mode (#29183, @dylandreimerink)
doc: Add Azure CNI Powered by cilium as external installer (Backport MR #30349, Upstream MR #28286, @tamilmani1989)
doc: add circuit-breaker example for cilium service mesh (#27641, @tanjunchen)
doc: Documented pitfall with NS labels in CNPs (#26134, @PhilipSchmid)
doc: Improved Cilium ingress annotations table (#26381, @PhilipSchmid)
doc: Update recommended way for installing cilium on AKS (Backport MR #30230, Upstream MR #28910, @tamilmani1989)
docker: Tame xargs warning (#27929, @qmonnet)
Docs: Add BGP Advertised Path Attributes documentation (#28482, @rastislavs)
docs: Add CiliumPodIPPool option in BGP Adv. Path Attributes docs (#29177, @rastislavs)
docs: Add cluster install/prep guide for GKE-to-GKE clustermesh (#29342, @Neutrollized)
docs: Add Conformance Badge for Gateway API (#27470, @sayboras)
docs: Add docs structure recommendations, update style guide (#26632, @qmonnet)
docs: add documentation for policy-cidr-match-mode=nodes (#28421, @squeed)
docs: Add Egress Gateway Policy warning on egressIP and interface being mutually exclusive in the egressGateway spec. (Backport MR #30529, Upstream MR #30236, @soggiest)
docs: add instructions to build kindest-node image (#29079, @aanm)
docs: Add Keploy to user list (#27244, @Sonichigo)
docs: add MaxConnectedClusters documentation (#29637, @thorn3r)
docs: Add missing spelling exception (#26780, @qmonnet)
docs: add plusserver Kubernetes Engine to users (#28306, @sknop-cgn)
docs: Add policymap pressure debugging guide (#27903, @christarazi)
Docs: Adds CiliumPodIPPool Special Purpose Selectors (#28819, @danehans)
docs: Document Potential Dual-Stack Upgrade Issues for 1.15 (#25204, @nathanjsweet)
docs: Document renovate testing strategy (Backport MR #30230, Upstream MR #30166, @joestringer)
docs: Drop references to Helm v2 (#29463, @joestringer)
docs: egressgw: describe routing on Gateway node (Backport MR #30529, Upstream MR #30488, @julianwiedmann)
docs: Fix a typo and improve readability of a control plane architecture description in BGP Control Plane documentation (#27461, @distributethe6ix)
docs: fix chained veth plugin example (Backport MR #30230, Upstream MR #30209, @squeed)
Docs: Fix ipam_nodes metric description (#27217, @antonipp)
docs: Fix keyid derivation in IPsec docs (Backport MR #30079, Upstream MR #30000, @brb)
docs: fix minor TOC issues (#26714, @networkop)
docs: fix reference to lvh kind images (#27376, @rgo3)
docs: Fix the typo for SPIRE PVC installation option name (#27503, @haiyuewa)
docs: fix typo in troubleshooting guide (#26811, @learnitall)
docs: Fix unintentional boolean value in YAML (#26682, @dgl)
docs: Improve wording in contributions guide (#27407, @joestringer)
docs: Modify BGP MD5 password with Helm default change (#29527, @YutaroHayakawa)
docs: optimize ingress default tls secret documentation (#26684, @mhofstetter)
docs: Remove "by Default" suffix in cilium-agent metrics header (#28045, @learnitall)
docs: Remove bare URLs from Flow gRPC API Reference (#28361, @kimstacy)
docs: Remove the duplicated envoy resource list (#28281, @sayboras)
docs: specify which further release for fqdn option removal. (#29531, @squeed)
docs: Split, update, improve the contributing guide for reviewers and committers (#27085, @qmonnet)
docs: Update BGP control plane documentation with regards to LB class support and service announcements (#28253, @danehans)
docs: Update Gateway API version in example (Backport MR #30230, Upstream MR #30115, @sayboras)
docs: Update Kubernetes Gateway-API version to v0.8.1 (#28388, @haiyuewa)
docs: Update the Gateway API badge (Backport MR #30529, Upstream MR #30477, @sayboras)
docs: Update the message of Gateway API 'Programmed' (#28055, @haiyuewa)
docs: Update the tile for 'kubectl get' Gateway API (#28056, @haiyuewa)
docs: update versions and parameters for XDP Acceleration on AKS (#29091, @jshr-w)
Docs: Updates BGP CP Developer Docs (#28908, @danehans)
Docs: Updates BGP CP for PodIPPoolSelector (#28312, @danehans)
Docs: Updates for Deprecation of CNI network-plugin Flag (#28046, @danehans)
Docs: Updates L2 Announce for LB Class Support (#28252, @danehans)
docs: Use host port for serving docs (#28307, @brb)
docs: warn users that IPsec and KPR are mutual exclusive (Backport MR #30529, Upstream MR #30403, @f1ko)
Document Kind Delve debugging workflow (#26506, @ti-mo)
Documentation: Consistently use --set for cilium install (#28577, @michi-covalent)
Documentation: Replace netperf images in StarWars demos (#26842, @hhoover)
Don't log an error if the to be deleted ipset entry does not exist (#29561, @giorio94)
don't remove neighbor link state file if migrateOnly (#28659, @liuyuan10)
Don't retry one shot jobs during hive shutdown (#27395, @giorio94)
Drop mock file support from clustermesh-apiserver (#27825, @giorio94)
drop support for 1.11 (#27077, @aanm)
During startup, the agent attempts to clear out any obsolete CiliumEndpoints. Add retry logic to ensure this process is attempted more than once should errors occur during reconciliation. (#27593, @derailed)
egressgateway: switch to Resource[T] (#28091, @lmb)
egressgw: always set ifaceName in deriveFromPolicyGatewayConfig() (#26973, @julianwiedmann)
egressgw: delete stale nexthop routes (#27105, @julianwiedmann)
egressgw: detect conflicting configurations in ENI mode (#27281, @julianwiedmann)
egressgw: doc fixes for install-egress-gateway-routes removal (#28523, @lmb)
egressgw: Switch from net to netip (#28503, @joestringer)
egressgw: test CEGP parser (#27909, @julianwiedmann)
egressgw: use Resource[T] to consume CiliumEgressGatewayPolicy (#26960, @lmb)
egressgw: use route.Upsert() for inserting nexthop / prefix IP route (#26990, @julianwiedmann)
Enable k8s cache mutation detector in the CI (#28182, @aanm)
Enable strict validation of cluster config for clustermesh (#27246, @giorio94)
enabled initalDelaySeconds on StartupProbe (#28816, @jignyasamishra)
endpoint/id: simplify TestSplitID (#26581, @tklauser)
endpoint/id: use strings.IndexByte (#28202, @tklauser)
Endpoint: actually treat identifiers as immutable, remove lock (#26757, @squeed)
endpoint: Clarify policy locking requirements (#29024, @jrajahalme)
endpoint: Clarify policy locking requirements (Backport MR #30529, Upstream MR #29024, @jrajahalme)
endpoint: fix removed code comment. (#29172, @tommyp1ckles)
endpoint: moveNewFilesTo performance and error handling improvements (#26238, @learnitall)
endpoint: Use resolved named port also in the proxy stats (Backport MR #30079, Upstream MR #29813, @jrajahalme)
endpointmanager: unexport and inline functions only used in the package (#27426, @tklauser)
endpointslice: fix EndpointSlice import (#26938, @mhofstetter)
endpointstate: Add an interface to wait for endpoint restore (#29243, @pippolo84)
Ensures daemon managed controllers are stopped when the daemon shuts down. (#28148, @derailed)
Envoy silence expected internal listener warning (#29786, @jrajahalme)
envoy: Bump cilium proxy to latest version (#27555, @mhofstetter)
envoy: Import Health check sink API (#28463, @jrajahalme)
envoy: introduce artifact copier (#27728, @mhofstetter)
envoy: optimise getWildcardNetworkPolicyRule() (#27685, @jrajahalme)
envoy: perform version check directly on envoy binary (not starter) (#29512, @mhofstetter)
envoy: periodic version-check with hive timer job (#29513, @mhofstetter)
envoy: set socket opts only if not already present in CEC (#27531, @mhofstetter)
envoy: Support internal listeners in CiliumEnvoyConfig CRDs (#29026, @jrajahalme)
envoy: update cilium/proxy to latest version (#28170, @mhofstetter)
envoy: Update to a build with health checkers enabled (#28518, @jrajahalme)
envoy: Update to pick up deny policy support (#28862, @jrajahalme)
example/connectivity-check: fix port conflict, capture termination log (#28833, @squeed)
Extend cilium scale-test to export results and gather additional data (#28594, @marseel)
Extract tunnel options to simplify override, and inject them through hive (#29051, @giorio94)
Fix Cilium Datapath Prometheus metric names (#29226, @carnerito)
Fix cilium-envoy ServiceMonitor template typo (Backport MR #30230, Upstream MR #29976, @cornfeedhobo)
Fix data race during Hubble setup (#28322, @glrf)
fix duplicated ids in prerelease testing template (#27865, @jspaleta)
Fix IPv4 checksum recalculation in SNAT flows where ports are rewritten. (#28768, @gentoo-root)
Fix k8s code generation (#27964, @aanm)
Fix kind targets (#28548, @chancez)
Fix log error in clustermesh-apiserver when connecting external workloads (Backport MR #30079, Upstream MR #29896, @giorio94)
Fix LookupReservedIdentityByLabels function to return consistent results (#26795, @skmatti)
Fix regression causing a 10x increase in the duration of endpoint integration tests (Backport MR #30079, Upstream MR #29826, @giorio94)
Fix restore of previous router IP due to missing VPC CIDR in Alibabacloud section of CiliumNode Spec (#26843, @haozhangami)
Fix spelling for "WireGuard" (#26764, @qmonnet)
Fix up CCG related metrics (#27806, @christarazi)
fix(deps): update all go dependencies main (main) (#26567, @renovate[bot])
fix(deps): update all go dependencies main (main) (#27348, @renovate[bot])
fix(deps): update all go dependencies main (main) (#27440, @renovate[bot])
fix(deps): update all go dependencies main (main) (#27906, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#26695, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#26822, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#27266, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#27742, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#28072, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#28098, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#28618, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#28730, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#28994, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#29264, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#29398, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#29538, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#29771, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#26569, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#26693, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#26820, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27135, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27260, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27441, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27736, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27939, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28070, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28193, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28348, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28514, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28615, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28727, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28866, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28993, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#29134, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#29389, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#29536, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#29574, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#29593, @renovate[bot])
fix(deps): update golang.org/x/sys digest to 13b15b7 (main) (#29279, @renovate[bot])
fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.445 (main) (#26832, @renovate[bot])
fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.549 (main) (#28097, @renovate[bot])
fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.613 (main) (#29263, @renovate[bot])
fix(deps): update module github.com/go-openapi/validate to v0.22.2 (main) (#29280, @renovate[bot])
fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport MR #30230, Upstream MR #29971, @renovate[bot])
fix(deps): update module golang.org/x/net to v0.17.0 [security] (main) (#28546, @renovate[bot])
fix: add check if debug is enabled when adding trace levels to envoy deamonset. (#27161, @dreanor65)
fix: platform typo (#27368, @testwill)
fix: remove help message in build config failure (Backport MR #30230, Upstream MR #28974, @vipul-21)
fix: Remove the latest image tag from docs as latest tag is not published (#28241, @vipul-21)
Fixed conflicting MRs in main (#27209, @dylandreimerink)
Fixes rate limiting for CES Controller (#28963, @alan-kut)
Fixes: typo (#27201, @weizhoublue)
Follow-up nits from etcd init script pull request (#29489, @JamesLaverack)
For services with External Traffic Policy: Local Service health returns http header "X-Load-Balancing-Endpoint-Weight" with number of local endpoints. The same information is still available in response body JSON payload.LocalEndpoints. (#27017, @cezarygerard)
Forcefully terminate stale sockets connected to deleted service backends when socket-lb is enabled, and allow applications to re-connect to active backends. (#25169, @aditighag)
fqdn/dnsproxy: drop dependency on global EnableIPv{4,6} option (#28968, @tklauser)
fqdn: avoid converting from netip.Addr to net.IP and back (#29625, @tklauser)
fqdn: serialize requests per-name (Backport MR #30230, Upstream MR #30109, @squeed)
fqdn: skip ipcache insertion for names without fqdn selectors (Backport MR #30230, Upstream MR #30110, @squeed)
gateway-api: Add conformance profile test (#28262, @sayboras)
gateway-api: cleanup cell imports & dependencies (#29204, @mhofstetter)
gateway-api: De-flake HTTPRouteRequestMultipleMirrors test (#28488, @sayboras)
gateway-api: don't register secretsync if required CRDs aren't present (#29437, @mhofstetter)
gateway-api: fix up for import rename (#29143, @julianwiedmann)
gateway-api: improve secret sync resiliency (#29017, @mhofstetter)
gateway-api: set controller-runtime logger (#27961, @mhofstetter)
gateway-api: Use Gateway API definition to check Route condition (#29359, @haiyuewa)
gateway-api: watch ownerreference to enable stricter reconcilation (#28641, @mhofstetter)
Generalize ClusterID reservation mechanism for clustermesh (#27248, @giorio94)
gh: feature template: s/request/proposal (#27023, @julianwiedmann)
gha: Update kube-proxy-replacement flag values (Backport MR #30529, Upstream MR #30483, @sayboras)
go.mod, renovate: specify and update Go toolchain version (#27820, @tklauser)
go.mod, vendor: update golang.org/x/sys to latest unreleased version (#29070, @tklauser)
go.mod, vendor: update vishvananda/netlink to latest (#28779, @tklauser)
guestbook: update example with leader/follower naming (#29642, @mhofstetter)
helm: add hubble UI support for GKE dataplane v2 (#28709, @dwalker-sabiogroup)
Helm: Add possibility to use affinity on certgen job (#28412, @seb-lafond)
Helm: Allow configuration of the install-cni container resources field (#27469, @RenaudWasTaken)
helm: Allow unsupported K8s versions for now (Backport MR #29899, Upstream MR #29888, @gandro)
Helm: enforce routing mode when either gke.enabled or aksbyocni.enabled are set (Backport MR #30079, Upstream MR #29674, @giorio94)
helm: Fix annotation duplication problems for cilium-agent (#28978, @bradwhitfield)
helm: Fix typo in cilium chart's description (#27389, @nu-wa)
helm: Improve debug.verbose docs (#26463, @lgadban)
helm: put extraConfig back to the end of ConfigMap cilium-config (#27556, @mhofstetter)
helm: Updated description for Helm 'devices' flag (#26557, @PhilipSchmid)
Hive obj output improvements (#28369, @bimmlerd)
hive: Fix hive hook output and move lifecycle to cell package (Backport MR #30529, Upstream MR #30416, @joamaki)
hive: ModuleID and FullModuleID, use full ID in module health (#28512, @joamaki)
hubble-relay: fix panic during server shutdown (#29705, @mhofstetter)
Hubble-ui now supports liveness and readiness probes (#27028, @mkilchhofer)
hubble-ui: release v0.12.3 (Backport MR #30529, Upstream MR #30422, @geakstr)
hubble/relay: Remove ReportOffline and refactor PeerManager (#28595, @glrf)
hubble: Reduce "stale identities observed" debug messages even more (Backport MR #30079, Upstream MR #29957, @gandro)
identity/cache: only call SortedList for release (#27796, @bimmlerd)
identity: stop double-update of selector cache and regenerate when a local identity is allocated (Backport MR #30079, Upstream MR #29865, @squeed)
images/builder: update dependencies (#27566, @rolinh)
images: drop the kvstoremesh dockerfile (#28961, @giorio94)
images: Fix init-container script for cilium-dbg (#29424, @joestringer)
images: Support updating Envoy to MR images (#27850, @jrajahalme)
Implement NodeAddressing on top of Table[NodeAddress] (#29033, @joamaki)
Import new version of forked controller-tools (#26918, @AwesomePatrol)
improv: check for k8s backing before running sync (#27269, @kwakubiney)
Improve bump-readme.sh (#27892, @joestringer)
Improve documentation for review process for contributors and reviewers (#27324, @joestringer)
Improve Hubble decoding performance for drop, debug, policy and tracesock events (#25751, @Jack-R-lantern)
Improve Hubble decoding performance for trace events (#24162, @brancz)
Improve k8s-get-cilium-pod.sh (#28774, @timoreimann)
Improve readability of clustermesh-related log messages (#28784, @giorio94)
improve the correctness of the rate limiting implementation in certain edge cases. (#29397, @dylandreimerink)
Improve translation of CIDRGroupRefs (#26369, @pippolo84)
ingress: add unit tests to test default ingressclass (#29792, @mhofstetter)
ingress: migrate Cilium Ingress controller to use the controller-runtime library (#29327, @mhofstetter)
ingress: migrate secret-sync to controller-runtime (#29198, @mhofstetter)
init.sh: move netlink device creation to Go (#27082, @rgo3)
init.sh: move obsolete bpf_host removal to Go (#26539, @rgo3)
Introduce new BGP CRDs to provide a more flexible way to configure BGP in Cilium. (#28175, @harsimran-pabla)
Introduce resiliency package (#27614, @derailed)
Introduce sync.Map wrapper with generics support (#29452, @giorio94)
ipam,alibabacloud: Improve event driven instance resync (#25619, @jaffcheng)
ipam/multipool: Fix comment for removeExpiration (#28031, @hargrovee)
ipam/multipool: Identity allocation via etcd is now supported (#28617, @gandro)
ipam: Fix duplicate metric ipam_event release (#29520, @christarazi)
ipam: let allocator.Dump return map of allocated IPs per pool (#27997, @tklauser)
ipam: remove always-nil NewCIDRRange error return value (#26706, @tklauser)
ipam: Remove unused mock function (#28370, @gandro)
ipcache: Deprecate old API (#27576, @joestringer)
ipcache: Fix incorrect source for kube-apiserver in tests (#28407, @christarazi)
ipcache: fix releasing node CIDRs after restoration (#28620, @squeed)
ipcache: keep upserted prefixes from being deleted by InjectLabels (#29014, @squeed)
ipcache: move CIDR restoration to asynchronous APIs (#28673, @squeed)
ipcache: propagate cluster ID as part of the key (#27337, @giorio94)
ipcache: use TriggerController, not UpdateController (#29548, @squeed)
ipsec: Fix Godoc document comment typo (#27721, @haiyuewa)
ipsec: misc cleanups (#28408, @julianwiedmann)
Jobs now report health (#28677, @dylandreimerink)
k8s/apis: refactor CRD registration helpers into a separate package (#26834, @tklauser)
k8s/resource: Add support for releasable Resource[T] (#29414, @pippolo84)
k8s/slim: Clarify instructions for updating slim files (Backport MR #30230, Upstream MR #29877, @christarazi)
k8s: remove extensions/v1beta1 support (#28002, @tklauser)
k8s: remove unused slim k8s model for Ingress & IngressClass (#29517, @mhofstetter)
kvstore: drop unused deleteInvalidPrefixes variable (#27074, @giorio94)
l2respondermap: Correct the comment for L2Responder Key and Stats (#27986, @haiyuewa)
l2respondermap: Rename the L2Responder key create function (#28015, @haiyuewa)
L7 Loadbalancing: Migrate to controller-runtime library (#29126, @mhofstetter)
labels/cidr: Fix slice preallocation size (#28378, @pippolo84)
labels: further optimize IPStringToLabel for single IP case (#29040, @tklauser)
labels: small optimization in NewFrom and various cleanups (Backport MR #30230, Upstream MR #30006, @tklauser)
loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport MR #30324, Upstream MR #30214, @ti-mo)
loader: attach XDP programs using bpf_link (#28308, @rgo3)
loader: do not invoke llc separately (#29458, @lmb)
Log endpoint instead of pod names where appropriate (#27427, @tklauser)
MAINTAINERS: Add Jussi Mäki (#26603, @michi-covalent)
Make it easier to depend on clustermesh types outside of its package (#27242, @giorio94)
Make the community team the owner of /USERS.md (#27321, @michi-covalent)
make: add "run-builder" target (#28587, @jrajahalme)
make: allow to override values.yaml template name (#27235, @giorio94)
makefile: add back the sed command to update the logo path (#28929, @bradwhitfield)
Makefile: add kind-egressgw targets (#28793, @jibi)
makefile: fix 'fast' targets for cilium-dbg (#28547, @aanm)
makefile: fix 'make kind' for mac (#28791, @f1ko)
Makefile: Fix variable override not working in all cases (#29599, @gandro)
maps/ctmap: simplify ip/port parsing using netip.ParseAddrPort (#28827, @tklauser)
maps: do not depend on global variable to initialize CT maps (#27275, @giorio94)
maps: maglev_test: remove toleration for 4.9 kernel (#27046, @julianwiedmann)
maps: nat: fix copy & paste in error message from doFlush*() (#29097, @julianwiedmann)
metrics: revert changes to pre-init kubernetes events metrics + improve metric logs (Backport MR #30079, Upstream MR #29343, @tommyp1ckles)
Minor documentation fixes and improvements for the BGP MD5 feature (#29375, @nvibert)
Misc updates in renovate configuration (#27328, @aanm)
Miscellaneous improvements about kvstore logging (#28843, @giorio94)
Miscellaneous improvements to the etcd client (#28834, @giorio94)
mlh: disable remove MR to project (#26863, @mhofstetter)
mlh: use a regexp to check signed-off-by (#27732, @kaworu)
Modularise MTU discovery (#28964, @bimmlerd)
Modularize ipcache BPF listener (#29194, @giorio94)
Modularize kernel modules manager into its own cell (#28713, @pippolo84)
Modularize stale endpoint gc in an independent cell (Backport MR #30079, Upstream MR #29246, @pippolo84)
Modularized the bandwidth manager (#28619, @dylandreimerink)
mountinfo: fix build on linux/386 (#29481, @tklauser)
netns: remove unused RemoveIfFromNetNSWithNameIfBothExist (#27411, @tklauser)
node: allow to override enable encapsulation on a per-node basis (#29232, @giorio94)
node: introduce prefix cluster mutator (#27354, @giorio94)
node: Only Add Enabled IPs to Labels (#28360, @nathanjsweet)
nodediscovery: support additional IP address sources for the local node (#27507, @tklauser)
None (#28738, @saschagrunert)
Operator: Add missing observability for Azure API calls (#26277, @hemanthmalla)
operator: extract controller-runtime integration into its own cell (#28931, @mhofstetter)
operator: Fix CEP and CES events debug logs (#28797, @dlapcevic)
operator: introduce cec l7 envoy loadbalancing cell (#28835, @mhofstetter)
operator: introduce gateway api cell (#28785, @mhofstetter)
operator: introduce Ingress cell (#28794, @mhofstetter)
operator: Migrate Cilium Endpoint GC to hive (#28233, @alan-kut)
Optimize IP/FQDN management in the DNSCache (#29691, @squeed)
option: add LoadBalancerUsesDSR() helper (#26898, @julianwiedmann)
pkg/aws: Improve event driven instance resync for AWS IPAM (#27791, @jaffcheng)
pkg/bgpv1: Updates getPeerConfig() Method (#28474, @danehans)
pkg/cidr: Move linux specific variable references from netlink (#27638, @aditighag)
pkg/policy: Convert benchmarks in resolve_test.go to std benchmarks (#27815, @christarazi)
pkg/pprof: add CODEOWNER (#28278, @lmb)
pkg/proxy/logger: switch to netip.Addr (#28783, @tklauser)
pkg/rand: remove random name generator (#29664, @aanm)
pkg: proxy: only install from-proxy rules/routes for native routing (#29761, @julianwiedmann)
plugins/cilium-cni: cleanups around IPAM allocation and veth pair creation (#26595, @tklauser)
plugins/cilium-cni: Introduce endpoint customization (#29707, @gandro)
plugins/cilium-cni: make error formatting consistent (#27535, @tklauser)
plugins/cilium-cni: Move implementation into separate package (#29336, @gandro)
plugins/cilium-cni: reduce string allocations of CNI command arguments (#27681, @tklauser)
policy/api: use netip.Addr when sanitizing CIDR rules (#28121, @tklauser)
policy: Describe CIDR superset logic for denies and FQDN (#26720, @joestringer)
policy: expand "world" entity selector to select all address families (Backport MR #29961, Upstream MR #29958, @squeed)
policy: Fix MapState.Equals() (Backport MR #30264, Upstream MR #30233, @jrajahalme)
policy: Return a real nil rather than a non-nil interface (#29022, @jrajahalme)
policy: Simplify AccumulateMapChanges prototypes (#29025, @jrajahalme)
policy: Simplify AccumulateMapChanges prototypes (Backport MR #30529, Upstream MR #29025, @jrajahalme)
Prepare for release v1.14.0-rc.0 (#26546, @joestringer)
Prepare for release v1.15.0-pre.0 (#27853, @aanm)
Prepare for release v1.15.0-pre.1 (#28336, @aanm)
Prepare for release v1.15.0-pre.2 (#28901, @aanm)
Prepare for release v1.15.0-pre.3 (#29596, @aanm)
Prepare for v1.15 development cycle (#26516, @joestringer)
Prepare v1.15 stable branch (#29838, @joestringer)
probes: remove HAVE_FIB_LOOKUP leftovers (#29401, @rgo3)
Propagate the CiliumClusterConfig through etcd when Cilium is configured in kvstore mode (#27109, @giorio94)
Provide CT/NAT maps GC logic through hive (#27356, @giorio94)
proxy: allow to provide fixed port for DNS proxy via cell (#28786, @tklauser)
proxy: define and use well known datapath constants (#28955, @tklauser)
proxy: export ProxyConfig fields (#29827, @tklauser)
proxy: introduce envoy cell (#26657, @mhofstetter)
proxy: refactor package global vars to proxy fields (#26619, @mhofstetter)
proxy: refactor proxy.CreateOrUpdateRedirect (#26839, @mhofstetter)
proxy: refactor redirect integration (#27049, @mhofstetter)
proxy: remove unused xds resource access timeout (#26747, @mhofstetter)
README: Remove v1.11 from stable releases table (#27466, @joestringer)
README: Update releases (#27864, @joestringer)
README: Update releases (#28179, @michi-covalent)
README: Update releases (#28340, @aanm)
README: Update releases (#28689, @jrajahalme)
README: Update releases (#29170, @nathanjsweet)
README: Update releases (#29609, @aanm)
Refactor duplicate imports for Cilium v2alpha1 API (#26620, @dlapcevic)
Refactor LocalNode synchronization logic and remove NodeChain (#29319, @giorio94)
Refactor the per-cluster CT maps manager (#27448, @giorio94)
Refactor the per-cluster NAT maps manager (#27430, @giorio94)
Refactor watchstore/watchsync metrics (#27485, @marseel)
Refactors the use of ControlPlaneState in the BGP-CP (#26992, @ldelossa)
Register cluster-id and cluster-name flags through hive (#27823, @giorio94)
Register endpointmanager metrics via dependency injected registry (#26078, @dylandreimerink)
Register service/endpoint flags through hive (#27817, @giorio94)
release image: Allow arbitrary pre-release identifiers (#29173, @michi-covalent)
relicense test/bpf/unit_test.c to not be GPL (#26618, @Joffref)
Remove accidentally checked in .orig file (#29145, @christarazi)
Remove daemon health from being reported via the CLI (#28404, @derailed)
Remove dependencies on linux probes for Windows builds (#28367, @glrf)
Remove NodeSpecer and ControlPlaneState from BGP-CP. Rely on Hive/Cell for further ConfigReconciler dependencies. (#27285, @ldelossa)
Remove unnecessary type conversions in fqdn zombies handling (#27047, @giorio94)
Remove usage of global options from iptables cell (#29088, @pippolo84)
removed unnecessary 'revert' parameter from Newk8sTranslator and updated api calls accordingly. (#26217, @akstron)
Removes Unused TransformToNode() Func (#26743, @danehans)
Rename egress_policies.h to srv6.h and add SRv6 related trace reasons. (Backport MR #30529, Upstream MR #30154, @ldelossa)
Renamed Hubble Dashboard so that it can be installed by Grafana Sidecar. (#28971, @saintdle)
renovate: ignore all gops updates (#27631, @tklauser)
renovate: schedule all renovate updates for Monday (#28585, @aanm)
Replace some usages of fmt.Sprintf with more efficient string concatenation (#27518, @schlosna)
Replace StateDB with StateDB2 (#27628, @dylandreimerink)
report endpoint ID on endpoint BPF program (#28747, @aanm)
Report node source in cilium-dbg node list (#29196, @tklauser)
Resiliency: Add checks to ensure endpoint BPF programs remain loaded (#27981, @derailed)
Resiliency: Add retry logic to attempt to clear out stale hostip (#27673, @derailed)
Resiliency: Node manager reconciliation path yields unchecked errors (#27714, @derailed)
resource: Add support for custom Indexers (#27032, @pippolo84)
Revert ".github: write the right regex for little-vm-images versioning" (#27415, @aanm)
Revert "Refactor hubble redact settings schema" (#27352, @joamaki)
secret-sync: extract secret-sync logic from gateway api controller & introduce hive cell (#29100, @mhofstetter)
service: fix service manager interface mismatch caused by merge race (#29018, @giorio94)
Set RouteMTU for generic veth (#26495, @sugangli)
Some small fixes to make kind-fast (#28621, @squeed)
Split mapstate keys into allow and deny (#28352, @bimmlerd)
Splits Apart kind-image-fast Make Target (#28079, @danehans)
SRv6: Add quality of life methods for SID map usage. (#27192, @ldelossa)
StateDB review follow-ups (#28030, @joamaki)
statedb v2.0 with per-table locks and delete tracking (#27160, @joamaki)
statedb: Allow non-terminated keys (#29440, @joamaki)
statedb: extract REST API handler to pkg (#26645, @bimmlerd)
statedb: Fix revision indexing (#29840, @joamaki)
statedb: Fix watch channel returned by LowerBound (#28644, @joamaki)
statedb: Rename statedb2 to statedb (#27643, @joamaki)
statedb: Simplify integration with Hive (#28892, @joamaki)
StateDB: split write methods from Table into RWTable (#28140, @joamaki)
statedb: Use proper context for graveyard rate limiting (#28888, @joamaki)
stream: fix spurious event on termination when Debounce is used (#29347, @giorio94)
Support for batch deletion of endpoints (#27351, @tklauser)
test/controlplane: Fix hostport test after API change (#26685, @pippolo84)
test: remove probes-test.sh (#29612, @rgo3)
tests: replace more incorrect DeepEquals uses (#25829, @markpash)
treewide: wrap multiple errors using the standard library (#26524, @rolinh)
typo fix (#28231, @yylt)
Typo fix in the docs (Backport MR #30529, Upstream MR #30407, @nvibert)
typo in the debug document (#27627, @weizhoublue)
Update codeowners for recent lb-ipam / ipalloc changes (#28803, @joestringer)
Update ec2 eni limits - current as of Oct 30, 2023 (#28880, @michaelsaah)
update github.com/cilium/ebpf to v0.12.0 (#28533, @lmb)
Update Hubble UI from v0.12.0 to v0.12.1 (#28532, @rolinh)
Update hubble-exporter.rst (#28081, @nvibert)
update k8s dependencies to v0.28.2 (#28648, @aanm)
Update l2-announcements.rst (#27988, @nvibert)
Update lb-ipam.rst (#28756, @nvibert)
Update Palantir usecases (#26633, @ungureanuvladvictor)
Update prereleases (#26871, @joestringer)
Update renovate configuration for ginkgo and kindest/node (#27347, @aanm)
Update SPIRE dependency to v1.8.5 (#29597, @meyskens)
Update stable releases (#27112, @aanm)
Update stable releases (#27126, @nathanjsweet)
Update stable releases (#27637, @asauber)
Update the TCP conntrack entry timeouts to a lower value, so that closed entries are garbage collected earlier, thus freeing up the conntrack map. (#27665, @aditighag)
Update v1.15.0-RC.1 digests (#30277, @aanm)
updated docs to reflect Envoy as a DS option (Backport MR #30230, Upstream MR #29518, @nvibert)
Use generic Set instead of specified Set (#26378, @bzsuni)
Use generics in k8s factory functions (#26367, @AwesomePatrol)
Use Go 1.19 atomic types (#27563, @tklauser)
Use Go 1.19 atomic types and their default value (#27844, @tklauser)
Use Resource[T] to implement CEP and CES watchers (Backport MR #30230, Upstream MR #29249, @pippolo84)
USERS: Add Trendyol (#26946, @eminaktas)
vendor: downgrade github.com/shirou/gopsutil/v3 to v3.23.2 (#27623, @aanm)
watchers: use resource for network policies (#26601, @bimmlerd)

Other Changes:

[1.15] loader: fix obsolete XDP program removal (#30224, @rgo3)
Add specific drop reason for missing tail calls if the host datapath is not ready yet (#30203, @ti-mo)
envoy: Bump envoy version for x/net library (#30509, @sayboras)
install: Update image digests for v1.15.0-rc.0 (#29906, @joestringer)
Prepare for release v1.15.0-rc.0 (#29883, @joestringer)
Prepare for release v1.15.0-rc.1 (#30271, @aanm)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.0@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619 quay.io/cilium/cilium:stable@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.0@sha256:43feb49dfbaa82388dc653ce12c7626ce40ae375e9853d71b9f5cff0ce61d54a quay.io/cilium/clustermesh-apiserver:stable@sha256:43feb49dfbaa82388dc653ce12c7626ce40ae375e9853d71b9f5cff0ce61d54a

docker-plugin

quay.io/cilium/docker-plugin:v1.15.0@sha256:6c79c492da7b3574509a94b0c6b4ef0570c005aa6be5879b71d8e59e103f2a7b quay.io/cilium/docker-plugin:stable@sha256:6c79c492da7b3574509a94b0c6b4ef0570c005aa6be5879b71d8e59e103f2a7b

hubble-relay

quay.io/cilium/hubble-relay:v1.15.0@sha256:45b3ea70b73aee01644f800b8f6138c36446bfb130d2b88b0f75775ebe6a9ab6 quay.io/cilium/hubble-relay:stable@sha256:45b3ea70b73aee01644f800b8f6138c36446bfb130d2b88b0f75775ebe6a9ab6

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.0@sha256:ee03349caef5519f8e9123132cf17c85b771f8fff095c57f00a2af8bb3224b79 quay.io/cilium/operator-alibabacloud:stable@sha256:ee03349caef5519f8e9123132cf17c85b771f8fff095c57f00a2af8bb3224b79

operator-aws

quay.io/cilium/operator-aws:v1.15.0@sha256:cf45167a8bb336c763046553c6a97c0d7f12f7e2a498dfb2340fa27832a81b3a quay.io/cilium/operator-aws:stable@sha256:cf45167a8bb336c763046553c6a97c0d7f12f7e2a498dfb2340fa27832a81b3a

operator-azure

quay.io/cilium/operator-azure:v1.15.0@sha256:498a9e940cddd4e58d401a13005b0784ed9597bfe1e5cf2f52b6ba9ccceee768 quay.io/cilium/operator-azure:stable@sha256:498a9e940cddd4e58d401a13005b0784ed9597bfe1e5cf2f52b6ba9ccceee768

operator-generic

quay.io/cilium/operator-generic:v1.15.0@sha256:e26ecd316e742e4c8aa1e302ba8b577c2d37d114583d6c4cdd2b638493546a79 quay.io/cilium/operator-generic:stable@sha256:e26ecd316e742e4c8aa1e302ba8b577c2d37d114583d6c4cdd2b638493546a79

operator

quay.io/cilium/operator:v1.15.0@sha256:949ec05e962d370437deb6ca4b27b05b8e9c8077bfa6a5b9b4d80d08a26d4fee quay.io/cilium/operator:stable@sha256:949ec05e962d370437deb6ca4b27b05b8e9c8077bfa6a5b9b4d80d08a26d4fee

`v1.14.7`: 1.14.7

Compare Source

We are pleased to release Cilium v1.14.7. This release contains various bug fixes and performance / usability improvements, including a fix for performance regression for pod-to-pod traffic WireGuard and tunneling (https://github.com/cilium/cilium/pull/30329).

Summary of Changes

Minor Changes:

api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport MR #30554, Upstream MR #30167, @viktor-kurchenko)
Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport MR #30355, Upstream MR #30126, @youngnick)
helm: Add extraVolumeMounts to cilium config init container (Backport MR #30355, Upstream MR #30131, @ayuspin)
ui: release v0.13.0 (Backport MR #30724, Upstream MR #30711, @geakstr)

Bugfixes:

envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (Backport MR #30680, Upstream MR #30543, @chaunceyjiang)
Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport MR #30323, Upstream MR #30248, @ti-mo)
Fix cilium-envoy ServiceMonitor port name (Backport MR #30554, Upstream MR #27207, @pixiono)
Fix error when using multiple allowRoutes namespaces in gateway (#30551, @mhofstetter)
Fix error when using multiple allowRoutes namespaces in gateway (Backport MR #30554, Upstream MR #30100, @chaunceyjiang)
Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (Backport MR #30355, Upstream MR #29460, @tommyp1ckles)
Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport MR #30554, Upstream MR #30399, @tlcowling)
Fix performance regression for pod-to-pod traffic WireGuard and tunneling. (Backport MR #30554, Upstream MR #30329, @3u13r)
Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (Backport MR #30554, Upstream MR #30282, @giorio94)
hive: Fix start hook log output (Backport MR #30724, Upstream MR #30712, @joamaki)
init well-known identity before new policy repository to fix the fqdn policy issue when enable well-known identity. (Backport MR #30554, Upstream MR #30052, @yingnanzhang666)
L2 announcements retry getting lease after losing it (Backport MR #30355, Upstream MR #30340, @dylandreimerink)
node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (Backport MR #30534, Upstream MR #30423, @gandro)
Updating ENI prefix delegation fallback to use dedicated error codes (Backport MR #30680, Upstream MR #30536, @hemanthmalla)

CI Changes:

ci datapath-verifier: add connectivity test (Backport MR #30371, Upstream MR #29633, @mhofstetter)
ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport MR #30554, Upstream MR #30503, @qmonnet)
ci: add trigger phrase to Gateway API conformance test workflow name (Backport MR #30680, Upstream MR #30525, @tklauser)
ci: Bump timeout of ci-runtime (Backport MR #30554, Upstream MR #29317, @YutaroHayakawa)
ci: bypass proxy.golang.org in Go toolchain installation (Backport MR #30371, Upstream MR #29549, @tklauser)
CI: Change cloud regions (Backport MR #30680, Upstream MR #30378, @brlbil)
ci: disable cgo when installing Go toolchain (Backport MR #30371, Upstream MR #27869, @tklauser)
ci: run verifier tests with proper Go toolchain version (Backport MR #30371, Upstream MR #27857, @tklauser)
Extend the clustermesh workflows to additionally cover the external kvstore case (Backport MR #30355, Upstream MR #29983, @giorio94)
gh: ci-verifier: use lvh-images/complexity-test as renovate dependency (Backport MR #30680, Upstream MR #30520, @julianwiedmann)
gha: additionally cover BPF masquerade in clustermesh E2E tests (Backport MR #30680, Upstream MR #30321, @giorio94)
gha: explicilty specify beefier runner type for clustermesh workflows (Backport MR #30355, Upstream MR #30335, @giorio94)
gha: make runner type for clustermesh workflows configurable (Backport MR #30680, Upstream MR #30496, @giorio94)
Improve Conformance Cluster Mesh workflow coverage (Backport MR #30355, Upstream MR #29926, @giorio94)
Network performance (Backport MR #30554, Upstream MR #30247, @marseel)
Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport MR #30355, Upstream MR #30207, @giorio94)
Update GitHub upload-artifact action (Backport MR #30554, Upstream MR #30443, @brlbil)

Misc Changes:

Added Last page Edit on Documentation (Backport MR #30680, Upstream MR #30612, @gailsuccess)
bpf: fib: fix issues with L2 resolution (Backport MR #30372, Upstream MR #30128, @julianwiedmann)
bpf: lb: return drop reasons from __lb4_rev_nat() (Backport MR #30554, Upstream MR #30410, @julianwiedmann)
bpf: overlay: restore bpf_clear_meta() in from-overlay (Backport MR #30355, Upstream MR #30343, @julianwiedmann)
build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport MR #30554, Upstream MR #30219, @dependabot[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.14) (#30144, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.21 (v1.14) (#30571, @renovate[bot])
chore(deps): update dependency go to v1.21.6 (v1.14) (#30174, @renovate[bot])
chore(deps): update dependency go to v1.21.6 (v1.14) (#30640, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.6 (v1.14) (#30641, @renovate[bot])
chore(deps): update go to v1.21.6 (v1.14) (minor) (#30145, @renovate[bot])
chore(deps): update hubble cli to v0.13.0 (v1.14) (minor) (#30274, @renovate[bot])
chore(deps): update stable lvh-images (v1.14) (patch) (#30492, @renovate[bot])
chore(deps): update stable lvh-images (v1.14) (patch) (#30575, @renovate[bot])
doc: Add Azure CNI Powered by cilium as external installer (Backport MR #30355, Upstream MR #28286, @tamilmani1989)
docs: Add Egress Gateway Policy warning on egressIP and interface being mutually exclusive in the egressGateway spec. (Backport MR #30554, Upstream MR #30236, @soggiest)
docs: warn users that IPsec and KPR are mutual exclusive (Backport MR #30554, Upstream MR #30403, @f1ko)
hive: Fix hive hook output and move lifecycle to cell package (Backport MR #30554, Upstream MR #30416, @joamaki)
hubble-ui: release v0.12.3 (Backport MR #30554, Upstream MR #30422, @geakstr)
ipcache: Skip conflict logging for tunnelpeer if native routing (Backport MR #30355, Upstream MR #27331, @christarazi)
loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport MR #30323, Upstream MR #30214, @ti-mo)
Rename egress_policies.h to srv6.h and add SRv6 related trace reasons. (Backport MR #30680, Upstream MR #30154, @ldelossa)
Rerun go mod tidy to fix missing entry (#30358, @giorio94)

Other Changes:

[v1.14] ci/ipsec: Fix downgrade version for release preparation commits (#30716, @qmonnet)
[v1.14] ci/ipsec: Re-enable node-to-node-encryption check (#30401, @qmonnet)
envoy: Bump envoy version for x/net library (#30515, @sayboras)
envoy: Bump envoy version to v1.26.7 (#30693, @sayboras)
install: Update image digests for v1.14.6 (#30318, @gentoo-root)
remove stable tags from 1.14 releases (#30557, @aanm)

`v1.14.6`: 1.14.6

Compare Source

We are pleased to release Cilium v1.14.6.

This release includes various bugfixes and performance enhancements. The amount of trace events is reduced when monitor aggregation is enabled, allowing to improve pod-to-pod performance with tunneling and IPsec. An inconsistency in the node manager is fixed, which led to incorrect masquerading of traffic to node internal IP addresses. Other fixes include fixes for mTLS, DNS proxy, datapath, etc.

Summary of Changes

Minor Changes:

Add Proxy l7 metrics proxy_type label and and Cleanup (Backport MR #29703, Upstream MR #27863, @tommyp1ckles)
Reduce "stale identity observed" warnings (Backport MR #29863, Upstream MR #27894, @leblowl)

Bugfixes:

[1.14] ingress: fix ingress class reconciliation (#29810, @mhofstetter)
Add default toleration for SPIRE agent on control plane nodes (Backport MR #30198, Upstream MR #28947, @meyskens)
Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport MR #30213, Upstream MR #29239, @jrajahalme)
cilium-preflight: use the k8s node name instead of relying on hostname (Backport MR #29996, Upstream MR #29809, @marseel)
Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (Backport MR #30265, Upstream MR #29400, @meyskens)
Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (Backport MR #30221, Upstream MR #29986, @qmonnet)
Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport MR #29996, Upstream MR #29616, @learnitall)
Fix cleanup of AWS-related leftover iptables chains (Backport MR #29863, Upstream MR #29448, @giorio94)
helm: Fix envoy servicemonitor annotations (Backport MR #30198, Upstream MR #30017, @pmcgrath)
metrics: fix issue where logging err/warn metric is never updated. (Backport MR #29863, Upstream MR #29201, @tommyp1ckles)
nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport MR #29972, Upstream MR #29964, @gandro)
policy: Fix mapstate changes error in entry change comparison (Backport MR #29996, Upstream MR #29815, @jrajahalme)
Remove non fatal errors from SPIRE client in the operator (Backport MR #30265, Upstream MR #28698, @meyskens)
Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport MR #30080, Upstream MR #29848, @joamaki)

CI Changes:

bpf: fix test configuration for 5.10 and 6.1 kernels (Backport MR #30198, Upstream MR #29999, @julianwiedmann)
ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport MR #29703, Upstream MR #29653, @brb)
ci-ipsec-{e2e,upgrade}: Use lvh-kind (Backport MR #29966, Upstream MR #29514, @brb)
ci/ipsec: Skip waiting for images when skipping upgrade/dowgrade (Backport MR #29966, Upstream MR #29793, @qmonnet)
ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (Backport MR #29863, Upstream MR #29455, @mhofstetter)
ci: always use full matrix for scheduled cloud-provider workflows (Backport MR #29863, Upstream MR #29694, @mhofstetter)
ci: fix dns issue when pulling cilium-docker-plugin in ci-runtime (Backport MR #29863, Upstream MR #29502, @mhofstetter)
ci: increase disk size for GKE clusters (ci-gke & ci-external-workloads) (Backport MR #30198, Upstream MR #29528, @mhofstetter)
Conformance AKS: wait for cilium-test namespace deletion during uninstallation (Backport MR #30198, Upstream MR #29893, @giorio94)
datapath: Cover subnet encryption in XFRM leak test (Backport MR #30080, Upstream MR #27212, @pchaigno)
datapath: Fix TestNodeChurnXFRMLeaks (Backport MR #30080, Upstream MR #27274, @brb)
Fix collecting of verifier logs in ci-verifier (Backport MR #29863, Upstream MR #29752, @lmb)
gh/workflows: Add lvh-kind action and use it in ci-e2e (Backport MR #29966, Upstream MR #29485, @brb)
gha: add step to ensure presence/absence of the AWS iptables chains (Backport MR #29863, Upstream MR #29670, @giorio94)
gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport MR #29863, Upstream MR #29675, @giorio94)
node: Integration test for XFRM leaks on node churn (Backport MR #30080, Upstream MR #27187, @pchaigno)
workflows: Increase IPsec e2e test's timeout (Backport MR #30265, Upstream MR #30194, @julianwiedmann)
workflows: Increase IPsec upgrade test's timeout (Backport MR #30080, Upstream MR #29934, @pchaigno)
workflows: Make the conn-disrupt test more sensitive (Backport MR #29703, Upstream MR #29623, @pchaigno)
workflows: move cilium_cli_version definition to set-env-variables action (Backport MR #30198, Upstream MR #29237, @jibi)

Misc Changes:

bgpv1: set running flag in manager (Backport MR #30080, Upstream MR #30013, @harsimran-pabla)
bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport MR #29996, Upstream MR #29880, @julianwiedmann)
chore(deps): update all github action dependencies to v5 (v1.14) (major) (#29784, @renovate[bot])
chore(deps): update all lvh-images main (v1.14) (patch) (#29781, @renovate[bot])
chore(deps): update github/codeql-action action to v2.22.9 (v1.14) (#29783, @renovate[bot])
doc: Update recommended way for installing cilium on AKS (Backport MR #30198, Upstream MR #28910, @tamilmani1989)
docs: fix chained veth plugin example (Backport MR #30265, Upstream MR #30209, @squeed)
docs: Fix keyid derivation in IPsec docs (Backport MR #30080, Upstream MR #30000, @brb)
Fix bug preventing endpoint-related debug logs from being emitted (Backport MR #29829, Upstream MR #29495, @learnitall)
Fix cilium-envoy ServiceMonitor template typo (Backport MR #30198, Upstream MR #29976, @cornfeedhobo)
Fix log error in clustermesh-apiserver when connecting external workloads (Backport MR #29919, Upstream MR #29896, @giorio94)
fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport MR #30198, Upstream MR #29971, @renovate[bot])
fix: remove help message in build config failure (Backport MR #30265, Upstream MR #28974, @vipul-21)
Helm: enforce routing mode when either gke.enabled or aksbyocni.enabled are set (Backport MR #30080, Upstream MR #29674, @giorio94)
hubble: Reduce "stale identities observed" debug messages even more (Backport MR #29996, Upstream MR #29957, @gandro)
k8s: Bump CRD schema version to 1.27.x (#29908, @joestringer)
Modularize iptables manager (Backport MR #30221, Upstream MR #28746, @pippolo84)
resource: Fix flaky TestResource_RepeatedDelete (Backport MR #29996, Upstream MR #28588, @joamaki)
Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport MR #29868, Upstream MR #29801, @jrfastab)

Other Changes:

[1.14] loader: fix obsolete XDP program removal (#30229, @rgo3)
[v1.14] ci: In conn-disrupt-test action, disable node-to-node-encryption check (#29742, @qmonnet)
Add specific drop reason for missing tail calls if the host datapath is not ready yet (#30204, @ti-mo)
bgpv1: Add bgp/routes API endpoint and cilium bgp routes CLI command & integrate it in the bugtool (#30205, @rastislavs)
install: Update image digests for v1.14.5 (#29806, @nebril)
v1.14: update dependency cilium/cilium-cli to v0.15.19 (#30135, @pchaigno)

`v1.14.5`: 1.14.5

Compare Source

We are pleased to release Cilium v1.14.5.

This release include expanded credential and resource limit related configuration parameters for the Agent DaemonSet and SPIRE agent, fixes to an issue where stale nodes would appear in the cilium_node_connectivity_* metrics, enhancements to the detail shown by the IPsec CLI subcommands, a fix to a datapath fix for SNAT running behind multiple network interfaces, a fix to NAT entry GC when DSR enabled, a fix for endpoint label changes during the re-init restoration, and a variety of other stability enhancements. Also included are performance enhancements to concurrency techniques used in policy generation and the selectorcache read/write path.

Summary of Changes

Minor Changes:

Adds affinity, nodeSelector, podSecurityContext and securityContext to the SPIRE agent deployment values (Backport MR #29187, Upstream MR #29077, @meyskens)
helm: Add missing SA automount configuration (Backport MR #29689, Upstream MR #29511, @ayuspin)
helm: Allow setting resources for the agent init containers (Backport MR #29689, Upstream MR #29610, @ayuspin)
Network policies for reserved:ingress identity are now enforced by Cilium Ingress and Gateway API. (Backport MR #29447, Upstream MR #28126, @jrajahalme)

Bugfixes:

"envoy-admin" cluster is renamed as "/envoy-admin", requiring all references in CEC/CCEC to be updated. (Backport MR #29477, Upstream MR #29020, @jrajahalme)
Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29308, @ti-mo)
bpf: Fix drop of IPv6 reply traffic when 1) pod-originating connection is SNATed by iptables, and 2) Host Firewall is enabled. (Backport MR #29477, Upstream MR #28813, @oblazek)
bpf: xdp: don't support GENEVE passthrough with DSR-Hybrid (Backport MR #29187, Upstream MR #28959, @julianwiedmann)
ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (Backport MR #29641, Upstream MR #29098, @julianwiedmann)
datapath: Fix ENI egress routing table for cilium_host IP (Backport MR #29390, Upstream MR #29335, @gandro)
Do not skip FIB lookup when running in BPF Host Routing when Endpoint Routes enabled (Backport MR #29187, Upstream MR #28264, @aspsk)
endpoint: fix panic in RunMetadataResolver due to send on closed channel (Backport MR #29251, Upstream MR #29615, @mhofstetter)
endpointmanager: unmap ip for lookup (Backport MR #29641, Upstream MR #29554, @tklauser)
Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport MR #29641, Upstream MR #29566, @christarazi)
Fix external workloads not working with non-default ClusterID (Backport MR #29477, Upstream MR #29378, @giorio94)
Fix possible disruption of long running, cross-cluster, pod to node traffic on agent restart (Backport MR #29641, Upstream MR #29613, @giorio94)
Fix routing delegation to AWS-VPC-CNI when using the security groups feature. (Backport MR #29641, Upstream MR #29111, @Alex-Waring)
Fix the Created timestamps in cilium bpf nat list that used to display the same values. (Backport MR #29187, Upstream MR #27062, @gentoo-root)
Fixed label synchronization issues in Cilium, ensuring accurate representation of endpoint labels during restoration and addressing out-of-sync problems caused by label changes while the Cilium agent is down. (Backport MR #29251, Upstream MR #29248, @aanm)
gateway-api: add watch for reference grant in TLSRoute reconciler (Backport MR #29187, Upstream MR #29007, @mhofstetter)
gateway-api: Avoid redirect loop when the same host name is used for http and https listeners (Backport MR #29442, Upstream MR #29115, @sayboras)
gateway: Ignore loadbalancer class for Gateway service (Backport MR #29641, Upstream MR #29547, @sayboras)
Handle non-AEAD IPsec keys in cilium encrypt status. (Backport MR #29641, Upstream MR #29182, @viktor-kurchenko)
ingress: fix foreground deletion of Ingress (Backport MR #29477, Upstream MR #29367, @mhofstetter)
Install loopback CNI atomically to protect against aborted copy (Backport MR #29641, Upstream MR #29462, @akhilles)
ipam: Fix bug where IP lease did not expire (Backport MR #29641, Upstream MR #29443, @gandro)
ipam: Fix bug where IP lease did not expire (Backport MR #29652, Upstream MR #29443, @gandro)
iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport MR #29477, Upstream MR #29310, @julianwiedmann)
metrics: fix potential conflict on metrics registration (Backport MR #29270, Upstream MR #27007, @ysksuzuki)
metrics: fix potential conflict on metrics registration (Backport MR #29477, Upstream MR #27007, @ysksuzuki)
Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport MR #29364, Upstream MR #29340, @aanm)
Support downgrade path for XDP attachments from Cilium 1.15 (#29104, @ti-mo)
When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport MR #29477, Upstream MR #29160, @julianwiedmann)

CI Changes:

bpf: complexity-tests: add HAVE_FIB_NEIGH (Backport MR #29477, Upstream MR #29348, @julianwiedmann)
ci-ipsec-upgrade: Check for errors (Backport MR #29270, Upstream MR #29189, @brb)
ci-ipsec-upgrade: Check for errors (Backport MR #29477, Upstream MR #29189, @brb)
ci-ipsec-upgrade: Drop no-missed-tail-calls exclusion (Backport MR #29477, Upstream MR #29325, @brb)
ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport MR #28876, Upstream MR #29072, @brb)
CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport MR #28876, Upstream MR #28016, @jschwinger233)
Clean up tests-ipsec-upgrade workflow (Backport MR #28876, Upstream MR #27977, @michi-covalent)
Test upgrade/downgrade to patch release for IPsec (Backport MR #28876, Upstream MR #28815, @qmonnet)
Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport MR #29477, Upstream MR #29409, @giorio94)
workflows: Add debug info to IPsec key rotation test (Backport MR #29477, Upstream MR #29353, @pchaigno)

Misc Changes:

.github: use GitHub workflow from the same branch (#29252, @aanm)
[v1.14] CI: fix broken BPF complexity tests (#29553, @lmb)
Add workqueue.(delayingType).waitingLoop to goleak exception list (Backport MR #29187, Upstream MR #28557, @dylandreimerink)
chore(deps): update actions/checkout action to v4 (v1.14) (#29595, @renovate[bot])
chore(deps): update actions/github-script action to v7 (v1.14) (#29149, @renovate[bot])
chore(deps): update actions/setup-python action to v4.8.0 (v1.14) (#29579, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (#29121, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (minor) (#29265, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (patch) (#29282, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (patch) (#29576, @renovate[bot])
chore(deps): update all lvh-images main (v1.14) (patch) (#29417, @renovate[bot])
chore(deps): update all lvh-images main (v1.14) (patch) (#29577, @renovate[bot])
chore(deps): update cilium/cilium digest to d42be92 (v1.14) (#29133, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.13 (v1.14) (#29123, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.14 (v1.14) (#29283, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.16 (v1.14) (#29465, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.17 (v1.14) (#29729, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (v1.14) (#29578, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.11 docker digest to 4e4a34f (v1.14) (#29416, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.11 docker digest to 77e4e42 (v1.14) (#29281, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d (v1.14) (#29575, @renovate[bot])
chore(deps): update go to v1.20.12 (v1.14) (patch) (#29660, @renovate[bot])
chore(deps): update google-github-actions/auth action to v2 (v1.14) (#29598, @renovate[bot])
chore(deps): update hubble cli to v0.12.3 (v1.14) (patch) (#29746, @renovate[bot])
chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (v1.14) (#29320, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231113.012843 (v1.14) (#29129, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231120.012927 (v1.14) (#29284, @renovate[bot])
ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport MR #29270, Upstream MR #29178, @brb)
ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport MR #29477, Upstream MR #29178, @brb)
Docs: Adds Webhook Limitation to EKS Install Doc (Backport MR #29641, Upstream MR #29497, @danehans)
docs: bump required Helm version (Backport MR #29477, Upstream MR #29273, @nebril)
examples: update guestbook example with new image registry (Backport MR #29641, Upstream MR #29603, @mhofstetter)
images: bump cni plugins to v1.4.0 (Backport MR #29724, Upstream MR #29622, @squeed)
ipsec: Small refactorings on key loading and state creation (Backport MR #29477, Upstream MR #29352, @pchaigno)

Other Changes:

[v1.14] Author Backport of 28896 (k8s ingress & gateway api: qualify envoy clusters and their references) (#29218, @mhofstetter)
[v1.14] bgpv1: Fix BGP component tests using the same VirtualRouter config (#29453, @rastislavs)
[v1.14] bpf: Fix identity determination in bpf_overlay.c (#29606, @ysksuzuki)
[v1.14] bpf: use bpf_xdp_load_bytes() / bpf_xdp_store_bytes() helpers (#29719, @julianwiedmann)
[v1.14] ci-ipsec-upgrade: Disable Linux 5.10-based configs (#29358, @brb)
[v1.14] gh: datapath-verifier: also run on 6.1 kernel (#29650, @julianwiedmann)
envoy: Bump cilium-envoy with golang 1.21.5 (#29656, @sayboras)
envoy: Bump envoy container image with golang 1.21 and latest grpc package (#29383, @sayboras)
install: Update image digests for v1.14.4 (#29147, @thorn3r)
Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29205, @thorn3r)
v1.14: ariane: Run ci-ipsec-upgrade when testing backports (#29225, @brb)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

chore(deps): update helm release cilium to v1.15.1

Release Notes

v1.15.1: 1.15.1

Summary of Changes

v1.15.0

Docker Manifests

v1.15.0: 1.15.0

Changelog

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.14.7: 1.14.7

Summary of Changes

v1.14.6: 1.14.6

Summary of Changes

v1.14.5: 1.14.5

Summary of Changes

Configuration

Merge request reports

`v1.15.1`: 1.15.1

`v1.15.0`: 1.15.0

`v1.14.7`: 1.14.7

`v1.14.6`: 1.14.6

`v1.14.5`: 1.14.5