chore(deps): update helm release cilium to v1.15.5
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cilium (source) | HelmChart | patch | 1.15.4 -> 1.15.5 |
Release Notes
cilium/cilium (cilium)
v1.15.5: 1.15.5
We are pleased to announce the release of Cilium v1.15.5.
This release fixes a lot of bugs, including fixes for conflicting ports with DNS proxy, clustermesh startup issues, and StatefulSet handling.
Security Advisories
This release addresses the following security vulnerabilities:
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-3mh5-6q8v-25wj
- https://github.com/advisories/GHSA-5fq7-4mxc-535h
Summary of Changes
Minor Changes:
- envoy: Bump go version to 1.22.3 (#32413, @sayboras)
- labels: Add controller-uid into default ignore list (Backport MR #32103, Upstream MR #31964, @sayboras)
Bugfixes:
- Agent: add kubeconfigPath to initContainers (Backport MR #32230, Upstream MR #32008, @darox)
- Avoids drops with "No mapping for NAT masquerade" for ICMP messages by local service backends. (Backport MR #32384, Upstream MR #32155, @julianwiedmann)
- cilium-cni: Reserve ports that can conflict with transparent DNS proxy (Backport MR #32418, Upstream MR #32128, @gandro)
- cni: Use correct route MTU when ENI, Azure or Alibaba Cloud IPAM is enabled (Backport MR #32384, Upstream MR #32244, @learnitall)
- dnsproxy: Fix bug where DNS request timed out too soon (Backport MR #32230, Upstream MR #31999, @gandro)
- Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (Backport MR #32312, Upstream MR #32270, @jrajahalme)
- envoy: pass idle timeout configuration option to cilium configmap (Backport MR #32230, Upstream MR #32203, @mhofstetter)
- Fix failing service connections, when the service requests are transported via cilium's overlay network. (Backport MR #32230, Upstream MR #32116, @julianwiedmann)
- Fix issue causing clustermesh-apiserver/kvstoremesh to not start when run with a non-root user (Backport MR #31879, Upstream MR #31539, @giorio94)
- Fix service connection to terminating backend, when the service has no more backends available. (Backport MR #32092, Upstream MR #31840, @julianwiedmann)
- Fix various bugs related to restart of StatefulSet pods that may result in connectivity issues (Backport MR #32432, Upstream MR #31605, @christarazi)
- Fixes a bug where Cilium in chained mode removed the `agent-not-ready` taint too early if the primary network is slow in deploying. (Backport MR #32230, Upstream MR #32168, @squeed)
- Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (Backport MR #32384, Upstream MR #30548, @squeed)
- fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (Backport MR #32103, Upstream MR #31959, @marseel)
- Ingress/Gateway API: merge Envoy listeners for HTTP(S) and TLS passthrough (Backport MR #32178, Upstream MR #31646, @mhofstetter)
- ipam: retry netlink.LinkList call when setting up ENI devices (Backport MR #32230, Upstream MR #32099, @jasonaliyetti)
- loader: sanitize bpffs directory strings for netdevs (Backport MR #32103, Upstream MR #32090, @rgo3)
- Prevent Cilium agents from incorrectly restarting an etcd watch against a different etcd instance. (#32005, @giorio94)
- tables: Sort node addresses also by public vs private IP (Backport MR #32103, Upstream MR #30579, @joamaki)
CI Changes:
- alibabacloud/eni: avoid racing node mgr in test (Backport MR #31967, Upstream MR #31877, @bimmlerd)
- ci: Filter supported versions of AKS (Backport MR #32384, Upstream MR #32303, @marseel)
- ci: Increase timeout for images for l4lb test (Backport MR #32230, Upstream MR #32201, @marseel)
- ci: Set hubble.relay.retryTimeout=5s (Backport MR #32230, Upstream MR #32066, @chancez)
- enable kube cache mutation detector (Backport MR #32230, Upstream MR #32069, @aanm)
- gha: bump post-upgrade timeout in clustermesh upgrade/downgrade tests (Backport MR #32384, Upstream MR #32347, @giorio94)
- gha: configure fully-qualified DNS names as external targets (Backport MR #32103, Upstream MR #31510, @giorio94)
- gha: drop double installation of Cilium CLI in conformance-eks (Backport MR #32103, Upstream MR #32042, @giorio94)
- Miscellaneous improvements to the clustermesh upgrade/downgrade test (Backport MR #32103, Upstream MR #31958, @giorio94)
- route: dedicated net ns for each subtest of runListRules (Backport MR #32230, Upstream MR #29916, @mhofstetter)
- test: De-flake xds server_e2e_test (Backport MR #32103, Upstream MR #32004, @jrajahalme)
- workflows: Fix CI jobs for push events on private forks (Backport MR #32230, Upstream MR #32085, @pchaigno)
Misc Changes:
- bpf: host: simplify MARK_MAGIC_PROXY_EGRESS_EPID handling (Backport MR #32384, Upstream MR #29803, @julianwiedmann)
- build(deps): bump pydantic from 2.3.0 to 2.4.0 in /Documentation (Backport MR #32230, Upstream MR #32176, @dependabot[bot])
- chore(deps): update all github action dependencies (v1.15) (#31954, @renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#32107, @renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#32366, @renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#31993, @renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#32238, @renovate[bot])
- chore(deps): update azure/login action to v2.1.0 (v1.15) (#31994, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.6 (v1.15) (#32365, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.9 docker digest to 81811f8 (v1.15) (#31953, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.9 docker digest to d83472f (v1.15) (#32257, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to a6d2b38 (v1.15) (#32364, @renovate[bot])
- chore(deps): update go to v1.21.10 (v1.15) (#32417, @renovate[bot])
- chore(deps): update golangci/golangci-lint-action action to v6 (v1.15) (#32396, @renovate[bot])
- chore(deps): update hubble cli to v0.13.3 (v1.15) (#32108, @renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#31821, @renovate[bot])
- CI: bump default FQDN datapath timeout from 100 to 250ms (Backport MR #32230, Upstream MR #31866, @squeed)
- clustermesh: fix panic if the etcd client cannot be created (Backport MR #32384, Upstream MR #32225, @giorio94)
- docs: Add annotation for Ingress endpoint (Backport MR #32384, Upstream MR #32284, @sayboras)
- docs: add link to sig-policy meeting (Backport MR #32384, Upstream MR #32340, @squeed)
- docs: Clean-up Host Firewall documentation, list known issues (Backport MR #32384, Upstream MR #32267, @qmonnet)
- docs: Fix prometheus port regex (Backport MR #32230, Upstream MR #32030, @JBodkin-Amphora)
- Docs: mark Tetragon as Stable (Backport MR #31967, Upstream MR #31886, @sharlns)
- Document Cluster Mesh global services limitations when KPR=false (Backport MR #31967, Upstream MR #31798, @giorio94)
- endpoint: Skip build queue warning log is context is canceled (Backport MR #32230, Upstream MR #32132, @jrajahalme)
- Fix helm chart incompatible types for comparison (Backport MR #32230, Upstream MR #32025, @lou-lan)
- fqdn: Change error log to warning (Backport MR #32384, Upstream MR #32333, @jrajahalme)
- fqdn: Fix Upgrade Issue Between PortProto Versions (Backport MR #32384, Upstream MR #32325, @nathanjsweet)
- golangci: Enable errorlint (Backport MR #31783, Upstream MR #31458, @jrajahalme)
- images: Update bpftool, checkpatch images (Backport MR #31896, Upstream MR #31753, @qmonnet)
- Improve release organization page (Backport MR #32103, Upstream MR #31970, @joestringer)
- install/kubernetes: add AppArmor profile to Cilium Daemonset (Backport MR #32384, Upstream MR #32199, @aanm)
- install/kubernetes: update nodeinit image to latest version (Backport MR #32230, Upstream MR #32181, @tklauser)
- ipsec: Debug info for transient IPsec upgrade drops (Backport MR #32384, Upstream MR #32240, @pchaigno)
- l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops (Backport MR #32260, Upstream MR #32200, @mhofstetter)
- Remove aks-preview from AKS workflows (Backport MR #32230, Upstream MR #32118, @marseel)
- Seamlessly downgrade bpf attachments from tcx to tc (Backport MR #32337, Upstream MR #32228, @ti-mo)
Other Changes:
- [1.15] images: update cilium-{runtime,builder} (#32444, @nebril)
- [v1.15-backport] Introduce fromEgressProxyRule (#31922, @jschwinger233)
- [v1.15] cilium-dbg: remove section with unknown health status. (#31905, @tommyp1ckles)
- [v1.15] proxy: skip rule removal if address family is not supported (#32007, @rgo3)
- envoy: Bump envoy version to v1.27.5 (#32077, @sayboras)
- envoy: Update envoy 1.27.x to 1.28.3 (#32149, @sayboras)
- fix k8s versions tested in CI (#31965, @nbusseneau)
- install: Update image digests for v1.15.4 (#31915, @asauber)
Docker Manifests
This MR has been generated by Renovate Bot.