Cilium

eBPF-based Networking, Security, and Observability

v1.15.0-rc.1

4 months ago

Summary of Changes

Minor Changes:

  • bgpv1: Enable cilium-dbg bgp routes advertised command without specifying a peer (Backport PR #30230, Upstream PR #30033, @rastislavs)
  • cilium-agent: Remove the obsolete --bpf-lb-dev-ip-addr-inherit option (Backport PR #30264, Upstream PR #29963, @joamaki)

Bugfixes:

  • Add default toleration for SPIRE agent on control plane nodes (Backport PR #30230, Upstream PR #28947, @meyskens)
  • Avoid panic during BPF program compilation when clang command fails to start (Backport PR #30264, Upstream PR #30009, @ti-mo)
  • bgpv1: Avoid creating resource.Store in Start() hive hooks of BGP CP to ensure proper BGP CP initialization. (Backport PR #30079, Upstream PR #29954, @rastislavs)
  • bpf: fix wrong loopback address mask value (Backport PR #30230, Upstream PR #29946, @haiyuewa)
  • Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30212, Upstream PR #29239, @jrajahalme)
  • daemon: Fail init if requirements for BPF masquerade are not met (Backport PR #30230, Upstream PR #29778, @pippolo84)
  • Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (Backport PR #30230, Upstream PR #29400, @meyskens)
  • Due to a race condition in the experimental runtime device detection, Cilium could fail to make a newly added device available for node port services. (Backport PR #30230, Upstream PR #29917, @bimmlerd)
  • Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (Backport PR #30230, Upstream PR #29986, @qmonnet)
  • Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #30079, Upstream PR #29616, @learnitall)
  • Fix bugs in health-server that cause the state in the prober's cache to drift and allow nodes with empty IP addresses to be added. (Backport PR #30230, Upstream PR #29745, @thorn3r)
  • Fix instances of leaked health reporter updates. (Backport PR #30230, Upstream PR #30134, @tommyp1ckles)
  • gateway-api: fix status reconcile error handling (Backport PR #30230, Upstream PR #29894, @mhofstetter)
  • gateway-api: Requeue Gateway for owning GRPCRoute (Backport PR #30230, Upstream PR #30124, @sayboras)
  • gateway: Add GRPCRoute support for status changed predicate (Backport PR #30230, Upstream PR #30176, @sayboras)
  • helm: Fix envoy servicemonitor annotations (Backport PR #30230, Upstream PR #30017, @pmcgrath)
  • l7lb: Fix bug where not all relevant ports of a Service were synchronized to Envoy (Backport PR #30264, Upstream PR #30107, @mhofstetter)
  • maps/metricspath: protect against concurrent access in Collect (Backport PR #30230, Upstream PR #30104, @buroa)
  • nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29973, Upstream PR #29964, @gandro)
  • policy: Fix mapstate changes error in entry change comparison (Backport PR #30079, Upstream PR #29815, @jrajahalme)
  • Remove non fatal errors from SPIRE client in the operator (Backport PR #30230, Upstream PR #28698, @meyskens)
  • Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport PR #30079, Upstream PR #29848, @joamaki)

CI Changes:

  • bpf: fix test configuration for 5.10 and 6.1 kernels (Backport PR #30230, Upstream PR #29999, @julianwiedmann)
  • ci-clustermesh-upgrade: Adjust name of test to run, to match cilium-cli's renaming (Backport PR #30264, Upstream PR #30211, @qmonnet)
  • ci: Add a call to the update label backport action (Backport PR #30264, Upstream PR #29902, @joestringer)
  • Conformance AKS: wait for cilium-test namespace deletion during uninstallation (Backport PR #30230, Upstream PR #29893, @giorio94)
  • identity: deflake test TestGetIdentity (Backport PR #30079, Upstream PR #29720, @mhofstetter)
  • workflows: Increase IPsec e2e test's timeout (Backport PR #30230, Upstream PR #30194, @julianwiedmann)
  • workflows: Increase IPsec upgrade test's timeout (Backport PR #30079, Upstream PR #29934, @pchaigno)

Misc Changes:

  • [v1.15] docs: add deprecation notice for enable-remote-node-identity for v1.15 (#30208, @tklauser)
  • bgpv1: set running flag in manager (Backport PR #30079, Upstream PR #30013, @harsimran-pabla)
  • bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #30079, Upstream PR #29880, @julianwiedmann)
  • chore(deps): update actions/setup-go action to v5 (v1.15) (#30142, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.15) (patch) (#30225, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.19 (main) (Backport PR #30230, Upstream PR #29942, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.19 (v1.15) (#30141, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.15) (#30201, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.6 docker digest to 6fbd2d3 (v1.15) (#30050, @renovate[bot])
  • chore(deps): update go to v1.21.6 (v1.15) (patch) (#30173, @renovate[bot])
  • doc: Update recommended way for installing cilium on AKS (Backport PR #30230, Upstream PR #28910, @tamilmani1989)
  • docs: Document renovate testing strategy (Backport PR #30230, Upstream PR #30166, @joestringer)
  • docs: fix chained veth plugin example (Backport PR #30230, Upstream PR #30209, @squeed)
  • docs: Fix keyid derivation in IPsec docs (Backport PR #30079, Upstream PR #30000, @brb)
  • docs: Update Gateway API version in example (Backport PR #30230, Upstream PR #30115, @sayboras)
  • endpoint: Use resolved named port also in the proxy stats (Backport PR #30079, Upstream PR #29813, @jrajahalme)
  • Fix cilium-envoy ServiceMonitor template typo (Backport PR #30230, Upstream PR #29976, @cornfeedhobo)
  • Fix log error in clustermesh-apiserver when connecting external workloads (Backport PR #30079, Upstream PR #29896, @giorio94)
  • Fix regression causing a 10x increase in the duration of endpoint integration tests (Backport PR #30079, Upstream PR #29826, @giorio94)
  • fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30230, Upstream PR #29971, @renovate[bot])
  • fix: remove help message in build config failure (Backport PR #30230, Upstream PR #28974, @vipul-21)
  • fqdn: serialize requests per-name (Backport PR #30230, Upstream PR #30109, @squeed)
  • fqdn: skip ipcache insertion for names without fqdn selectors (Backport PR #30230, Upstream PR #30110, @squeed)
  • Helm: enforce routing mode when either gke.enabled or aksbyocni.enabled are set (Backport PR #30079, Upstream PR #29674, @giorio94)
  • hubble: Reduce "stale identities observed" debug messages even more (Backport PR #30079, Upstream PR #29957, @gandro)
  • identity: stop double-update of selector cache and regenerate when a local identity is allocated (Backport PR #30079, Upstream PR #29865, @squeed)
  • k8s/slim: Clarify instructions for updating slim files (Backport PR #30230, Upstream PR #29877, @christarazi)
  • labels: small optimization in NewFrom and various cleanups (Backport PR #30230, Upstream PR #30006, @tklauser)
  • metrics: revert changes to pre-init kubernetes events metrics + improve metric logs (Backport PR #30079, Upstream PR #29343, @tommyp1ckles)
  • Modularize stale endpoint gc in an independent cell (Backport PR #30079, Upstream PR #29246, @pippolo84)
  • policy: expand "world" entity selector to select all address families (Backport PR #29961, Upstream PR #29958, @squeed)
  • policy: Fix MapState.Equals() (Backport PR #30264, Upstream PR #30233, @jrajahalme)
  • updated docs to reflect Envoy as a DS option (Backport PR #30230, Upstream PR #29518, @nvibert)
  • Use Resource[T] to implement CEP and CES watchers (Backport PR #30230, Upstream PR #29249, @pippolo84)

Other Changes:

  • [1.15] loader: fix obsolete XDP program removal (#30224, @rgo3)
  • Add specific drop reason for missing tail calls if the host datapath is not ready yet (#30203, @ti-mo)
  • install: Update image digests for v1.15.0-rc.0 (#29906, @joestringer)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.0-rc.1@sha256:53e4473bc10a04ffe86e8de5b3e2b5cce6a72954b29ae50f329753820f46261b

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.0-rc.1@sha256:dede7d9d56156f284d0a993e18b3a97901aa19b8ea63898b0c26cda46f0593fb

docker-plugin

quay.io/cilium/docker-plugin:v1.15.0-rc.1@sha256:3993c08f20bfb441223122f80a94fc5f940119cc70226ca279888673ae0ff3f7

hubble-relay

quay.io/cilium/hubble-relay:v1.15.0-rc.1@sha256:137fc854260d59127d10234ec8ed2c389382bdd0c62911398e083cd7d0cdabec

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.0-rc.1@sha256:ddefe38b20d9f352685b486897a77787202b9f855d0679496792864c4fa59500

operator-aws

quay.io/cilium/operator-aws:v1.15.0-rc.1@sha256:7d4b7b931d15a14048cbcdf4ff9fdd432dbc03d12128e5c0e12d215631cade28

operator-azure

quay.io/cilium/operator-azure:v1.15.0-rc.1@sha256:fcffa96ffcd271419933b127cfccd51c45a3d5ecbc92858f505a2b4e2d84c0f7

operator-generic

quay.io/cilium/operator-generic:v1.15.0-rc.1@sha256:a85e9ce2ca1c337050f4a2eab60255aaaeb386415de8a3810298a4a88dedf7b8

operator

quay.io/cilium/operator:v1.15.0-rc.1@sha256:c7f989c98b0be42a993d5ad425f1346d1f7d671edcc502b88ecd20a979d8db33

v1.15.0-rc.0

4 months ago

Summary of Changes

Minor Changes:

  • gateway-api: Update API version for Reference Grant (#29811, @sayboras)
  • helm: Add missing SA automount configuration (#29511, @ayuspin)
  • helm: Added support for existing Cilium SPIRE NS (#29032, @PhilipSchmid)
  • helm: Allow setting resources for the agent init containers (#29610, @ayuspin)

Bugfixes:

  • cilium-preflight: use the k8s node name instead of relying on hostname (#29809, @marseel)
  • endpoint: fix panic in RunMetadataResolver due to send on closed channel (#29615, @mhofstetter)
  • Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (#29566, @christarazi)
  • Fix cleanup of AWS-related leftover iptables chains (#29448, @giorio94)
  • Fix missing NODE_ADD Hubble peer messages in some cases (#28226, @AwesomePatrol)
  • Fix possible disruption of long running, cross-cluster, pod to node traffic on agent restart (#29613, @giorio94)
  • Fix potential deadlock that results in stale authentication entries in Cilium (#29082, @meyskens)
  • metrics: fix issue where logging err/warn metric is never updated. (#29201, @tommyp1ckles)
  • The DNS proxy will now compute a UDP checksum over the IPv6 response packet and the pseudo-header. (#29493, @danehans)

CI Changes:

  • ci datapath-verifier: add connectivity test (#29633, @mhofstetter)
  • ci-ipsec-e2e: Misc refactor + more keys (#29592, @brb)
  • ci-ipsec-upgrade: Add vxlan w/ no EP routes (#29653, @brb)
  • ci-ipsec-{e2e,upgrade}: Use lvh-kind (#29514, @brb)
  • ci/ipsec: Skip waiting for images when skipping upgrade/downgrade (#29793, @qmonnet)
  • ci: add documentation check to documentation workflow (#29684, @mhofstetter)
  • ci: always use full matrix for scheduled cloud-provider workflows (#29694, @mhofstetter)
  • ci: disable preemptible VM & GKE clusters on tests based on GKE (#29607, @mhofstetter)
  • Define PUSH_TO_DOCKER_HUB environment variable (#29644, @michi-covalent)
  • Fix collecting of verifier logs in ci-verifier (#29752, @lmb)
  • Fix exporting results to gs bucket. (#29587, @marseel)
  • gh/workflows: Bump CLI to v0.15.18 (#29849, @brb)
  • gh/workflows: Drop reading /proc in case of failure (#29855, @brb)
  • gh: e2e: test conformance & upgrade with 5.4 kernel and EgressGW (#29651, @julianwiedmann)
  • gha: add step to ensure presence/absence of the AWS iptables chains (#29670, @giorio94)
  • gha: enable IPv6 in clustermesh upgrade/downgrade workflow (#29675, @giorio94)
  • gha: Migrate from MetalLB to L2LB (#28926, @sayboras)
  • gha: sig-servicemesh owns Ingress or Gateway API related workflows (#29812, @sayboras)
  • Make LB-IPAM tests less flaky (#29678, @dylandreimerink)
  • Mock out time for BPF ratelimit test to make it more stable (#29740, @dylandreimerink)
  • renovate: enable Cilium CLI patch updates for Cilium <v1.14 (#29794, @giorio94)
  • Simplify CI image build workflow before v1.15 branch (#29834, @joestringer)
  • test: Fail ginkgo tests on warnings (#29624, @pchaigno)
  • workflows: Make the conn-disrupt test more sensitive (#29623, @pchaigno)

Misc Changes:

  • Address device <-> node addressing race (#29555, @bimmlerd)
  • bpf/Makefile: remove gen_compile_commands make target (#29611, @ti-mo)
  • bpf: clean up some IPv4 header validations (#29585, @julianwiedmann)
  • bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (#29721, @julianwiedmann)
  • chore(deps): update actions/setup-python action to v4.8.0 (main) (#29769, @renovate[bot])
  • chore(deps): update actions/stale action to v9 (main) (#29772, @renovate[bot])
  • chore(deps): update all github action dependencies to v5 (main) (major) (#29773, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#29556, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#29766, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.17 (main) (#29557, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.19.0 (main) (#29770, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.5 docker digest to 2ff79bc (main) (#29765, @renovate[bot])
  • chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.11 (main) (#29767, @renovate[bot])
  • chore(deps): update github/codeql-action action to v2.22.9 (main) (#29768, @renovate[bot])
  • chore(deps): update go to v1.21.5 (main) (patch) (#29659, @renovate[bot])
  • chore(deps): update google-github-actions/setup-gcloud action to v2 (main) (#29780, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.3 (main) (patch) (#29749, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231211.012942 (main) (#29777, @renovate[bot])
  • chore: add SI Analytics as cilium user (#29744, @JhoLee)
  • chore: rename CIDRGroups resource to CiliumCIDRGroups (#29515, @pippolo84)
  • cilium-dbg: Add "statedb node-addresses" command (#29479, @joamaki)
  • cilium: Do not warn on socket tracing if EnableSocketLBTracing was not set (#29730, @borkmann)
  • cilium: iptables masquerade to route source fixes (#29591, @borkmann)
  • Clean up deprecated and unused IPCache APIs after FQDN transition to asynchronous APIs (#29657, @tklauser)
  • CODEOWNERS: assign pkg/ip to @cilium/sig-agent (#29669, @tklauser)
  • CODEOWNERS: sig-clustermesh additionally owns clustermesh-related GHA workflows and helm templates (#29671, @giorio94)
  • codeowners: use new teams cilium/envoy & cilium/fqdn (#29627, @mhofstetter)
  • daemon: Fix incorrect node and ciliumnode resource type in annotations (#29522, @hargrovee)
  • do not start bandwidth manager in dry mode (#29183, @dylandreimerink)
  • docs: add documentation for policy-cidr-match-mode=nodes (#28421, @squeed)
  • docs: add MaxConnectedClusters documentation (#29637, @thorn3r)
  • Docs: Adds Webhook Limitation to EKS Install Doc (#29497, @danehans)
  • docs: Modify BGP MD5 password with Helm default change (#29527, @YutaroHayakawa)
  • docs: specify which further release for fqdn option removal. (#29531, @squeed)
  • Don't log an error if the to be deleted ipset entry does not exist (#29561, @giorio94)
  • Envoy silence expected internal listener warning (#29786, @jrajahalme)
  • envoy: perform version check directly on envoy binary (not starter) (#29512, @mhofstetter)
  • examples: update guestbook example with new image registry (#29603, @mhofstetter)
  • fix(deps): update all go dependencies main (main) (minor) (#29771, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#29593, @renovate[bot])
  • fqdn: avoid converting from netip.Addr to net.IP and back (#29625, @tklauser)
  • guestbook: update example with leader/follower naming (#29642, @mhofstetter)
  • helm: Allow unsupported K8s versions for now (#29888, @gandro)
  • hubble-relay: fix panic during server shutdown (#29705, @mhofstetter)
  • images: bump cni plugins to v1.4.0 (#29622, @squeed)
  • improve the correctness of the rate limiting implementation in certain edge cases. (#29397, @dylandreimerink)
  • ingress: add unit tests to test default ingressclass (#29792, @mhofstetter)
  • ipcache: use TriggerController, not UpdateController (#29548, @squeed)
  • k8s/resource: Add support for releasable Resource[T] (#29414, @pippolo84)
  • Makefile: Fix variable override not working in all cases (#29599, @gandro)
  • Optimize IP/FQDN management in the DNSCache (#29691, @squeed)
  • pkg/rand: remove random name generator (#29664, @aanm)
  • pkg: proxy: only install from-proxy rules/routes for native routing (#29761, @julianwiedmann)
  • plugins/cilium-cni: Introduce endpoint customization (#29707, @gandro)
  • Prepare for release v1.15.0-pre.3 (#29596, @aanm)
  • Prepare v1.15 stable branch (#29838, @joestringer)
  • proxy: export ProxyConfig fields (#29827, @tklauser)
  • README: Update releases (#29609, @aanm)
  • release image: Allow arbitrary pre-release identifiers (#29173, @michi-covalent)
  • Revert "cilium: Ensure xfrm state is initialized for route IP before … (#29801, @jrfastab)
  • statedb: Fix revision indexing (#29840, @joamaki)
  • test: remove probes-test.sh (#29612, @rgo3)
  • Update SPIRE dependency to v1.8.5 (#29597, @meyskens)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.0-rc.0@sha256:dfd696fb4325e996098607224cf379ccdbbe969634750fa10082e7ac31d0819a

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.0-rc.0@sha256:7a6be505270347b8e4076941b282ecd3c89cbdce68f50a3ba6e0bd5a60553c47

docker-plugin

quay.io/cilium/docker-plugin:v1.15.0-rc.0@sha256:fe6325f2268adafa28b0a0a81f5f2254014fc1aa8981c47fce6c688e3879993a

hubble-relay

quay.io/cilium/hubble-relay:v1.15.0-rc.0@sha256:eb89a6c12bef00f62f393630958f58d769f0add5ba6fa914180ec21d845034ae

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.0-rc.0@sha256:9f34a4d32c87f7dfb7fff45c2660e58113a036dca06e75ea20b5bd46856c20fa

operator-aws

quay.io/cilium/operator-aws:v1.15.0-rc.0@sha256:d28d947653bff9ad9a010bdc4bb75d3f0ce5517b601d768075f11ea32242491c

operator-azure

quay.io/cilium/operator-azure:v1.15.0-rc.0@sha256:0f6828ab7688159e3b7bc259094af6c9643783a48b2fc0630885dcabe9249831

operator-generic

quay.io/cilium/operator-generic:v1.15.0-rc.0@sha256:cc0800697151d9a68c9547c66e9d5f4a67537efd369cb10caf19e79748b24b02

operator

quay.io/cilium/operator:v1.15.0-rc.0@sha256:5e14c97ee92c6eef799b3125ab4b557c3c7c6cfe55d78c8c655bdf7aae4212ab

v1.14.5

5 months ago

We are pleased to release Cilium v1.14.5.

This release includes expanded credential and resource-limit related configuration parameters for the Agent DaemonSet and SPIRE agent, fixes to an issue where stale nodes would appear in the cilium_node_connectivity_* metrics, enhancements to the detail shown by the IPsec CLI subcommands, a datapath fix for SNAT running behind multiple network interfaces, a fix to NAT entry GC when DSR is enabled, a fix for endpoint label changes during the re-init restoration, and a variety of other stability enhancements. Also included are performance enhancements to the concurrency techniques used in policy generation and the selectorcache read/write path.

Summary of Changes

Minor Changes:

  • Adds affinity, nodeSelector, podSecurityContext and securityContext to the SPIRE agent deployment values (Backport PR #29187, Upstream PR #29077, @meyskens)
  • helm: Add missing SA automount configuration (Backport PR #29689, Upstream PR #29511, @ayuspin)
  • helm: Allow setting resources for the agent init containers (Backport PR #29689, Upstream PR #29610, @ayuspin)
  • Network policies for reserved:ingress identity are now enforced by Cilium Ingress and Gateway API. (Backport PR #29447, Upstream PR #28126, @jrajahalme)

Bugfixes:

  • "envoy-admin" cluster is renamed as "/envoy-admin", requiring all references in CEC/CCEC to be updated. (Backport PR #29477, Upstream PR #29020, @jrajahalme)
  • Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29308, @ti-mo)
  • bpf: Fix drop of IPv6 reply traffic when 1) pod-originating connection is SNATed by iptables, and 2) Host Firewall is enabled. (Backport PR #29477, Upstream PR #28813, @oblazek)
  • bpf: xdp: don't support GENEVE passthrough with DSR-Hybrid (Backport PR #29187, Upstream PR #28959, @julianwiedmann)
  • ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (Backport PR #29641, Upstream PR #29098, @julianwiedmann)
  • datapath: Fix ENI egress routing table for cilium_host IP (Backport PR #29390, Upstream PR #29335, @gandro)
  • Do not skip FIB lookup when running in BPF Host Routing when Endpoint Routes enabled (Backport PR #29187, Upstream PR #28264, @aspsk)
  • endpoint: fix panic in RunMetadataResolver due to send on closed channel (Backport PR #29251, Upstream PR #29615, @mhofstetter)
  • endpointmanager: unmap ip for lookup (Backport PR #29641, Upstream PR #29554, @tklauser)
  • Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport PR #29641, Upstream PR #29566, @christarazi)
  • Fix external workloads not working with non-default ClusterID (Backport PR #29477, Upstream PR #29378, @giorio94)
  • Fix possible disruption of long running, cross-cluster, pod to node traffic on agent restart (Backport PR #29641, Upstream PR #29613, @giorio94)
  • Fix routing delegation to AWS-VPC-CNI when using the security groups feature. (Backport PR #29641, Upstream PR #29111, @Alex-Waring)
  • Fix the Created timestamps in cilium bpf nat list that used to display the same values. (Backport PR #29187, Upstream PR #27062, @gentoo-root)
  • Fixed label synchronization issues in Cilium, ensuring accurate representation of endpoint labels during restoration and addressing out-of-sync problems caused by label changes while the Cilium agent is down. (Backport PR #29251, Upstream PR #29248, @aanm)
  • gateway-api: add watch for reference grant in TLSRoute reconciler (Backport PR #29187, Upstream PR #29007, @mhofstetter)
  • gateway-api: Avoid redirect loop when the same host name is used for http and https listeners (Backport PR #29442, Upstream PR #29115, @sayboras)
  • gateway: Ignore loadbalancer class for Gateway service (Backport PR #29641, Upstream PR #29547, @sayboras)
  • Handle non-AEAD IPsec keys in cilium encrypt status. (Backport PR #29641, Upstream PR #29182, @viktor-kurchenko)
  • ingress: fix foreground deletion of Ingress (Backport PR #29477, Upstream PR #29367, @mhofstetter)
  • Install loopback CNI atomically to protect against aborted copy (Backport PR #29641, Upstream PR #29462, @akhilles)
  • ipam: Fix bug where IP lease did not expire (Backport PR #29641, Upstream PR #29443, @gandro)
  • ipam: Fix bug where IP lease did not expire (Backport PR #29652, Upstream PR #29443, @gandro)
  • iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR #29477, Upstream PR #29310, @julianwiedmann)
  • metrics: fix potential conflict on metrics registration (Backport PR #29270, Upstream PR #27007, @ysksuzuki)
  • metrics: fix potential conflict on metrics registration (Backport PR #29477, Upstream PR #27007, @ysksuzuki)
  • Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR #29364, Upstream PR #29340, @aanm)
  • Support downgrade path for XDP attachments from Cilium 1.15 (#29104, @ti-mo)
  • When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR #29477, Upstream PR #29160, @julianwiedmann)

CI Changes:

  • bpf: complexity-tests: add HAVE_FIB_NEIGH (Backport PR #29477, Upstream PR #29348, @julianwiedmann)
  • ci-ipsec-upgrade: Check for errors (Backport PR #29270, Upstream PR #29189, @brb)
  • ci-ipsec-upgrade: Check for errors (Backport PR #29477, Upstream PR #29189, @brb)
  • ci-ipsec-upgrade: Drop no-missed-tail-calls exclusion (Backport PR #29477, Upstream PR #29325, @brb)
  • ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR #28876, Upstream PR #29072, @brb)
  • CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR #28876, Upstream PR #28016, @jschwinger233)
  • Clean up tests-ipsec-upgrade workflow (Backport PR #28876, Upstream PR #27977, @michi-covalent)
  • Test upgrade/downgrade to patch release for IPsec (Backport PR #28876, Upstream PR #28815, @qmonnet)
  • Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR #29477, Upstream PR #29409, @giorio94)
  • workflows: Add debug info to IPsec key rotation test (Backport PR #29477, Upstream PR #29353, @pchaigno)

Misc Changes:

  • .github: use GitHub workflow from the same branch (#29252, @aanm)
  • [v1.14] CI: fix broken BPF complexity tests (#29553, @lmb)
  • Add workqueue.(delayingType).waitingLoop to goleak exception list (Backport PR #29187, Upstream PR #28557, @dylandreimerink)
  • chore(deps): update actions/checkout action to v4 (v1.14) (#29595, @renovate[bot])
  • chore(deps): update actions/github-script action to v7 (v1.14) (#29149, @renovate[bot])
  • chore(deps): update actions/setup-python action to v4.8.0 (v1.14) (#29579, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (#29121, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (minor) (#29265, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (patch) (#29282, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (patch) (#29576, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#29417, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#29577, @renovate[bot])
  • chore(deps): update cilium/cilium digest to d42be92 (v1.14) (#29133, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.13 (v1.14) (#29123, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.14 (v1.14) (#29283, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.16 (v1.14) (#29465, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.17 (v1.14) (#29729, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (v1.14) (#29578, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.11 docker digest to 4e4a34f (v1.14) (#29416, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.11 docker digest to 77e4e42 (v1.14) (#29281, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d (v1.14) (#29575, @renovate[bot])
  • chore(deps): update go to v1.20.12 (v1.14) (patch) (#29660, @renovate[bot])
  • chore(deps): update google-github-actions/auth action to v2 (v1.14) (#29598, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.3 (v1.14) (patch) (#29746, @renovate[bot])
  • chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (v1.14) (#29320, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231113.012843 (v1.14) (#29129, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231120.012927 (v1.14) (#29284, @renovate[bot])
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29270, Upstream PR #29178, @brb)
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29477, Upstream PR #29178, @brb)
  • Docs: Adds Webhook Limitation to EKS Install Doc (Backport PR #29641, Upstream PR #29497, @danehans)
  • docs: bump required Helm version (Backport PR #29477, Upstream PR #29273, @nebril)
  • examples: update guestbook example with new image registry (Backport PR #29641, Upstream PR #29603, @mhofstetter)
  • images: bump cni plugins to v1.4.0 (Backport PR #29724, Upstream PR #29622, @squeed)
  • ipsec: Small refactorings on key loading and state creation (Backport PR #29477, Upstream PR #29352, @pchaigno)

Other Changes:

  • [v1.14] Author Backport of 28896 (k8s ingress & gateway api: qualify envoy clusters and their references) (#29218, @mhofstetter)
  • [v1.14] bgpv1: Fix BGP component tests using the same VirtualRouter config (#29453, @rastislavs)
  • [v1.14] bpf: Fix identity determination in bpf_overlay.c (#29606, @ysksuzuki)
  • [v1.14] bpf: use bpf_xdp_load_bytes() / bpf_xdp_store_bytes() helpers (#29719, @julianwiedmann)
  • [v1.14] ci-ipsec-upgrade: Disable Linux 5.10-based configs (#29358, @brb)
  • [v1.14] gh: datapath-verifier: also run on 6.1 kernel (#29650, @julianwiedmann)
  • envoy: Bump cilium-envoy with golang 1.21.5 (#29656, @sayboras)
  • envoy: Bump envoy container image with golang 1.21 and latest grpc package (#29383, @sayboras)
  • install: Update image digests for v1.14.4 (#29147, @thorn3r)
  • Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29205, @thorn3r)
  • v1.14: ariane: Run ci-ipsec-upgrade when testing backports (#29225, @brb)

v1.13.10

5 months ago

We are pleased to release Cilium v1.13.10.

This release includes expanded SA credential and resource-limit related configuration parameters for the Agent DaemonSet, fixes to an issue where stale nodes would appear in the cilium_node_connectivity_* metrics, enhancements to the detail shown by the IPsec CLI subcommands, a datapath fix for SNAT running behind multiple network interfaces, and a fix to NAT entry GC when DSR is enabled. In addition, there are performance enhancements to the concurrency techniques used in policy generation and the selectorcache read/write path.

Summary of Changes

Minor Changes:

  • helm: Add missing SA automount configuration (Backport PR #29690, Upstream PR #29511, @ayuspin)
  • helm: Add SA to nodeinit ds (Backport PR #29690, Upstream PR #24836, @darox)
  • helm: Allow setting resources for the agent init containers (Backport PR #29690, Upstream PR #29610, @ayuspin)

Bugfixes:

  • Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29309, @ti-mo)
  • ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (Backport PR #29640, Upstream PR #29098, @julianwiedmann)
  • datapath: Fix ENI egress routing table for cilium_host IP (Backport PR #29391, Upstream PR #29335, @gandro)
  • Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport PR #29640, Upstream PR #29566, @christarazi)
  • Handle non-AEAD IPsec keys in cilium encrypt status. (Backport PR #29640, Upstream PR #29182, @viktor-kurchenko)
  • Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR #29709, Upstream PR #29340, @aanm)
  • Support downgrade path for XDP attachments from Cilium 1.15 (#29105, @ti-mo)
  • When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR #29475, Upstream PR #29160, @julianwiedmann)

CI Changes:

  • ci-ipsec-upgrade: Check for errors (Backport PR #29272, Upstream PR #29189, @brb)
  • ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR #29003, Upstream PR #29072, @brb)
  • CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR #29003, Upstream PR #28016, @jschwinger233)
  • Clean up tests-ipsec-upgrade workflow (Backport PR #29003, Upstream PR #27977, @michi-covalent)
  • gha: align ci-ipsec-e2e workflow name to main (#29687, @giorio94)
  • Test upgrade/downgrade to patch release for IPsec (Backport PR #29003, Upstream PR #28815, @qmonnet)
  • Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR #29475, Upstream PR #29409, @giorio94)
  • workflows: Add debug info to IPsec key rotation test (Backport PR #29475, Upstream PR #29353, @pchaigno)

Misc Changes:

  • .github: use GitHub workflow from the same branch (#29256, @aanm)
  • chore(deps): update actions/checkout action to v4 (v1.13) (#29287, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (minor) (#29286, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.13) (patch) (#29139, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#29150, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.13) (patch) (#29419, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.12 (v1.13) (#29661, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.20.11 docker digest to 77e4e42 (v1.13) (#29285, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2b7412e (v1.13) (#29138, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.3 (v1.13) (patch) (#29747, @renovate[bot])
  • chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.13) (#29289, @renovate[bot])
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29192, Upstream PR #29178, @brb)
  • Docs: Adds Webhook Limitation to EKS Install Doc (Backport PR #29640, Upstream PR #29497, @danehans)
  • examples: update guestbook example with new image registry (Backport PR #29640, Upstream PR #29603, @mhofstetter)
  • Fix bug preventing endpoint-related debug logs from being emitted (Backport PR #29700, Upstream PR #29495, @learnitall)
  • images: bump cni plugins to v1.4.0 (Backport PR #29723, Upstream PR #29622, @squeed)
  • ipsec: Small refactorings on key loading and state creation (Backport PR #29475, Upstream PR #29352, @pchaigno)
  • Update the logrus dependency to address a security issue. (#29672, @rolinh)

Other Changes:

  • [1.13] Address selectorcache concurrent read/write (#29186, @tklauser)
  • [v1.13] Let renovatebot update Go toolchain version in a single PR (#29743, @tklauser)
  • envoy: Bump cilium-envoy with golang 1.21.5 (#29655, @sayboras)
  • envoy: Bump envoy container image with golang 1.21 and latest grpc package (#29384, @sayboras)
  • install: Update image digests for v1.13.9 (#29136, @nathanjsweet)
  • Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29206, @thorn3r)
  • v1.13: ariane: Run ci-ipsec-upgrade when testing backports (#29227, @brb)

v1.12.17

5 months ago

We are pleased to release Cilium v1.12.17.

This release includes expanded SA credential and resource limit related configuration parameters for the Agent DaemonSet, fixes to an issue where stale nodes would appear in the cilium_node_connectivity_* metrics, enhancements to the detail shown by the IPsec CLI subcommands, and a datapath fix for SNAT running behind multiple network interfaces. In addition, there are performance enhancements to concurrency techniques used in policy generation and the selectorcache read/write path.

Summary of Changes

Minor Changes:

  • helm: Add missing SA automount configuration (Backport PR #29692, Upstream PR #29511, @ayuspin)
  • helm: Add SA to nodeinit ds (Backport PR #29692, Upstream PR #24836, @darox)
  • helm: Allow setting resources for the agent init containers (Backport PR #29692, Upstream PR #29610, @ayuspin)

Bugfixes:

  • datapath: Fix ENI egress routing table for cilium_host IP (Backport PR #29392, Upstream PR #29335, @gandro)
  • Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport PR #29639, Upstream PR #29566, @christarazi)
  • Handle non-AEAD IPsec keys in cilium encrypt status. (Backport PR #29639, Upstream PR #29182, @viktor-kurchenko)
  • Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR #29708, Upstream PR #29340, @aanm)
  • When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR #29474, Upstream PR #29160, @julianwiedmann)

CI Changes:

  • ci-ipsec-upgrade: Check for errors (Backport PR #29274, Upstream PR #29189, @brb)
  • ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR #29005, Upstream PR #29072, @brb)
  • CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR #29005, Upstream PR #28016, @jschwinger233)
  • ci: remove empty github workflow file tests-nightly.yaml (#29601, @mhofstetter)
  • Clean up tests-ipsec-upgrade workflow (Backport PR #29005, Upstream PR #27977, @michi-covalent)
  • gha: align ci-ipsec-e2e workflow name to main (#29686, @giorio94)
  • Test upgrade/downgrade to patch release for IPsec (Backport PR #29005, Upstream PR #28815, @qmonnet)
  • Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR #29474, Upstream PR #29409, @giorio94)
  • workflows: Add debug info to IPsec key rotation test (Backport PR #29474, Upstream PR #29353, @pchaigno)

Misc Changes:

  • chore(deps): update actions/checkout action to v4 (v1.12) (#29296, @renovate[bot])
  • chore(deps): update actions/github-script action to v7 (v1.12) (#29297, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.12) (minor) (#29295, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.12) (patch) (#29293, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.12) (patch) (#29294, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.12) (patch) (#29421, @renovate[bot])
  • chore(deps): update docker.io/library/golang docker tag to v1.20.12 (v1.12) (#29662, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:20.04 docker digest to ed4a422 (v1.12) (#29292, @renovate[bot])
  • chore(deps): update docker/dockerfile docker tag to v1.6 (v1.12) (#29253, @renovate[bot])
  • chore(deps): update docker/dockerfile docker tag to v1.6 (v1.12) (#29254, @renovate[bot])
  • chore(deps): update docker/dockerfile docker tag to v1.6 (v1.12) (#29255, @renovate[bot])
  • chore(deps): update hubble cli to v0.12.3 (v1.12) (patch) (#29748, @renovate[bot])
  • chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.12) (#29298, @renovate[bot])
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29193, Upstream PR #29178, @brb)
  • endpoint: don't hold the endpoint lock while generating policy (Backport PR #29408, Upstream PR #26242, @squeed)
  • images: bump cni plugins to v1.4.0 (Backport PR #29722, Upstream PR #29622, @squeed)
  • ipsec: Small refactorings on key loading and state creation (Backport PR #29474, Upstream PR #29352, @pchaigno)
  • Update the logrus dependency to address a security issue. (#29673, @rolinh)

Other Changes:

  • [1.12] Address selectorcache concurrent read/write (#29167, @bimmlerd)
  • [v1.12] Author Backport of 29603 (examples: update guestbook example & test with new image registry) (#29600, @mhofstetter)
  • [v1.12] ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (#29683, @julianwiedmann)
  • envoy: Bump cilium-envoy with golang 1.21.5 (#29654, @sayboras)
  • envoy: Bump envoy container image with golang 1.21 and latest grpc package (#29385, @sayboras)
  • install: Update image digests for v1.12.16 (#29137, @nathanjsweet)
  • Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29209, @thorn3r)
  • v1.12: ariane: Run ci-ipsec-upgrade when testing backports (#29228, @brb)

v1.15.0-pre.3

5 months ago

Summary of Changes

Major Changes:

  • Add dynamic flowlog exporters configured by yaml file (configmap) without a need of agent restart. (#28873, @marqc)
  • Add support for extending ClusterMesh to 511 clusters. By setting the flag --max-connected-clusters=511, a new cluster will be able to connect to a ClusterMesh with up to 511 clusters. If enabled, the number of possible cluster-local identities will be reduced to 32,768. This feature can only be enabled on new clusters, and all clusters in the ClusterMesh must share the same configuration. (#27520, @thorn3r)
  • Add support for Gateway API v1.0 (#28836, @sayboras)
  • k8s: add support for k8s 1.29.0 (#29473, @aanm)

Minor Changes:

  • Add a mode where routing is delegated to another CNI plugin. This enables support for using AWS security groups when chaining Cilium on top of AWS VPC CNI. (#29111, @Alex-Waring)
  • Add lbipam support for shared ips (#28806, @usiegl00)
  • Adds "best-effort" mode for XDP to skip interfaces without driver support (#28666, @poblahblahblah)
  • Adds affinity, nodeSelector, podSecurityContext and securityContext to the SPIRE agent deployment values (#29077, @meyskens)
  • Adds the CiliumPodIPPool selector type to BGP CP AdvertisedPathAttributes to match CiliumPodIPPool custom resources. Path attributes apply to routes announced for selected CiliumPodIPPools. (#28310, @danehans)
  • api, cli: Show srv6 status in cilium status (#28700, @husnialhamdani)
  • bgpv1: Add cilium-dbg bgp route-policies command & include it in the bugtool (#28973, @rastislavs)
  • bgpv1: Use kube-system namespace by default for MD5 secret (#29478, @YutaroHayakawa)
  • bpf: use bpf_xdp_load_bytes() / bpf_xdp_store_bytes() helpers when available (#29377, @julianwiedmann)
  • Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (#28928, @jrajahalme)
  • cilium-dbg: Add statedb query support and commands to inspect statedb tables devices, routes and l2-announce. (#28872, @joamaki)
  • ciliumidentity resiliency improvement (#28912, @tommyp1ckles)
  • cmd/watchdogs: add health reporter to watchdog controller. (#29038, @tommyp1ckles)
  • Config option to customize the default IP Pool when using MultiPool (#28818, @chaunceyjiang)
  • Default client-go QPS and burst in agent and operator have been increased to 10 and 20 respectively for k8s versions 1.27+ (#29445, @marseel)
  • Deprecated helm options enableK8sEventHandover/enableCnpStatusUpdates were removed. Corresponding flag "enable-k8s-event-handover" in Agent and "cnp-status-update-interval" in operator were removed. (#29395, @marseel)
  • FQDN: transition to asynchronous IPCache APIs (#29036, @squeed)
  • gateway-api: Add support for gateway.infrastructure attribute (#29122, @sayboras)
  • gateway-api: Add supported features in GatewayClass status (#29116, @sayboras)
  • gateway-api: Check for required CRDs upon startup (#28982, @sayboras)
  • Handle IPv4 fragments in SNAT flows correctly. (#25340, @gentoo-root)
  • Hide empty columns by default in "kubectl get ciliumendpoints" output (#28744, @Iiqbal2000)
  • hubble-relay: Add support for peers joining during requests (#29326, @glrf)
  • Hubble: add option to filter for pods and services in any namespace (#28921, @glrf)
  • hubble: Add Support for filtering on HTTP headers (#28851, @ChrsMark)
  • hubble: Conditionally redact user info present in URLs in (L7) HTTP flows (#28848, @ioandr)
  • Improve Hubble Relay Kubernetes Readiness/Liveness check (#28765, @glrf)
  • init: Poll CRD synchronization times have been lowered from 1 second to 50ms. (#28954, @howardjohn)
  • Merge clustermesh-apiserver and kvstoremesh into a single image (#27888, @giorio94)
  • metric: provide way to declare labels. (#27835, @tommyp1ckles)
  • mutual-auth: Bump spire image version (#29101, @sayboras)
  • Named ports in DNS policies are now resolved correctly. (#29023, @jrajahalme)
  • pkg/datapath: Remove defunct --single-cluster-route flag (#29221, @gandro)
  • policy: Cilium will not process or enforce network policies with port ranges or Kubernetes network policies that use "EndPort". (#28704, @nathanjsweet)
  • Propagate prefixed labels from Ingress resource to LB service (#28598, @log1cb0mb)
  • Remove deprecated tunnel option, and corresponding helm values setting (#29053, @giorio94)
  • Replace etcd init script used for clustermesh with a Go equivalent. Upgrade etcd to v3.5.10. (#29109, @JamesLaverack)
  • Replace metricsmap-bpf-prom-sync with Prometheus Collector pattern (#27370, @carnerito)
  • Respond with ICMP reply for traffic to services without backends (#28157, @dylandreimerink)
  • show DSR-dispatch mode in cilium-dbg status (#29217, @chaunceyjiang)
  • When tunneling is enabled, a packet will be encapsulated by Cilium's tunnel netdev before encrypting with WireGuard. (#29000, @brb)

Bugfixes:

  • "envoy-admin" cluster is renamed as "/envoy-admin", requiring all references in CEC/CCEC to be updated. (#29020, @jrajahalme)
  • ImplementationSpecific Ingress paths (which for Cilium Ingress means regex path matches) are now sorted correctly in between Exact and Prefix matches. (#29381, @youngnick)
  • Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29307, @ti-mo)
  • bpf: Add TC_ACT_REDIRECT check for nodeport (#28927, @sayboras)
  • bpf: Fix drop of IPv6 reply traffic when 1) pod-originating connection is SNATed by iptables, and 2) Host Firewall is enabled. (#28813, @oblazek)
  • bpf: xdp: don't support GENEVE passthrough with DSR-Hybrid (#28959, @julianwiedmann)
  • Conntrack entries for Service connections are now printed in the canonical "source -> destination" format when using the "bpf ct list" command. (#28913, @julianwiedmann)
  • ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (#29098, @julianwiedmann)
  • datapath: Fix ENI egress routing table for cilium_host IP (#29335, @gandro)
  • datapath: Fix primary flag in NodeAddress (#29483, @joamaki)
  • Do not skip FIB lookup when running in BPF Host Routing when Endpoint Routes enabled (#28264, @aspsk)
  • egressgateway: Use UID to identify CiliumEndpoints in epDataStore (#29124, @rastislavs)
  • egressgw: Fix the issue that an iptables SNAT rule in the host netns interferes with packets to the egress gw and bypasses the egress GW policy (#29379, @ysksuzuki)
  • endpointmanager: fix bpf policy pressure getting stuck. (#28185, @tommyp1ckles)
  • endpointmanager: unmap ip for lookup (#29554, @tklauser)
  • Fix external workloads not working with non-default ClusterID (#29378, @giorio94)
  • Fix rendering helm operator-dashboard annotations (#29106, @Zariel)
  • Fix source identity determination for DSR with Geneve-dispatch, by looking it up from the ipcache. (#29155, @chez-shanpu)
  • Fix the Created timestamps in cilium bpf nat list that used to display the same values. (#27062, @gentoo-root)
  • Fixed label synchronization issues in Cilium, ensuring accurate representation of endpoint labels during restoration and addressing out-of-sync problems caused by label changes while the Cilium agent is down. (#29248, @aanm)
  • Fixes an L7 proxy issue by re-introducing 2005 route table. (#29530, @jschwinger233)
  • gateway-api: add watch for reference grant in TLSRoute reconciler (#29007, @mhofstetter)
  • gateway-api: Avoid redirect loop when the same host name is used for http and https listeners (#29115, @sayboras)
  • gateway: Ignore loadbalancer class for Gateway service (#29547, @sayboras)
  • Handle non-AEAD IPsec keys in cilium encrypt status. (#29182, @viktor-kurchenko)
  • ingress: cleanup resources on changed ingress class field (#28886, @mhofstetter)
  • ingress: fix foreground deletion of Ingress (#29367, @mhofstetter)
  • Install loopback CNI atomically to protect against aborted copy (#29462, @akhilles)
  • ipam: Fix bug where IP lease did not expire (#29443, @gandro)
  • iptables: remove logic to control non-existent net.ipv6.ip_early_demux (#29310, @julianwiedmann)
  • k8s ingress & gateway api: fix unintentional deletion of shared envoy cluster resource (#28896, @mhofstetter)
  • l2announcer: Leases are only created for services that are being announced. (#29446, @f1ko)
  • lbipam: Fix off-by-one error in LBIPAM range allocation (#29425, @YutaroHayakawa)
  • neigh: Install neighbor entries only on devices where routes exist (#28782, @ysksuzuki)
  • Policy revert used in rare error cases has been corrected. (#29162, @jrajahalme)
  • Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (#29340, @aanm)
  • Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29202, @thorn3r)
  • statedb: Fix termination of string and IP keys (#29368, @joamaki)
  • When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (#29160, @julianwiedmann)

CI Changes:

  • Add 100 node scale test workflow (#29214, @learnitall)
  • ariane: Disable ci-e2e-upgrade (#29488, @brb)
  • bpf/tests: Fixed loop not unrolled error in pktgen (#28942, @dylandreimerink)
  • bpf: complexity-tests: add HAVE_FIB_NEIGH (#29348, @julianwiedmann)
  • ci aws: cleanup EKS cluster in separate job (#29412, @mhofstetter)
  • ci-clustermesh-upgrade: Increment timeout between rollouts to 5min (#29560, @mhofstetter)
  • ci-e2e-upgrade: Bring it on (#29073, @brb)
  • ci-e2e-upgrade: Remove setting CLI vsn (#29435, @brb)
  • ci-e2e: Use kernel 6.1 instead of 6.0 (#29345, @brb)
  • ci-gke: remove duplicated wait for cilium (#29542, @mhofstetter)
  • ci-ipsec-upgrade: Check for errors (#29189, @brb)
  • ci-ipsec-upgrade: Drop no-missed-tail-calls exclusion (#29325, @brb)
  • ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (#29072, @brb)
  • ci: add K8s 1.28 platform testing (#29004, @nbusseneau)
  • CI: Add merge_group trigger (#29276, @brlbil)
  • ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (#29455, @mhofstetter)
  • ci: Bump timeout of ci-runtime (#29317, @YutaroHayakawa)
  • ci: Bump up the memory of LVH in conformance-e2e (#29494, @michi-covalent)
  • ci: bypass proxy.golang.org in Go toolchain installation (#29549, @tklauser)
  • ci: disable envoy tracing in multi-pool workflow (#28966, @tklauser)
  • ci: don't write github commit status on push event (#29404, @mhofstetter)
  • ci: don't write github commit status on push event (#29438, @mhofstetter)
  • ci: fix deployment issue with multiple clusters in same region (#29427, @mhofstetter)
  • ci: fix dns issue when pulling cilium-docker-plugin in ci-runtime (#29502, @mhofstetter)
  • ci: fix merge group required checks (#29337, @brlbil)
  • ci: fix typo in clustermesh workflow job name (#29046, @tklauser)
  • ci: increase cilium wait timeout to 10m on cloud providers (#29541, @mhofstetter)
  • ci: increase disk size for GKE clusters (ci-gke & ci-external-workloads) (#29528, @mhofstetter)
  • ci: migrate some schedule workflows to event trigger push (#29433, @mhofstetter)
  • ci: Remove useless quotes in update label workflow (#28952, @pippolo84)
  • cilium-cli action: Specify the repository parameter (#29338, @michi-covalent)
  • datapath: Clean up XFRM configs after unit tests (#29332, @pchaigno)
  • Drop support for EOLed Kubernetes versions (#29174, @michi-covalent)
  • egressgw: tests: wait for initial sync reconciliation (#29084, @jibi)
  • Extend BPF unit tests for IPsec (#28438, @jschwinger233)
  • Fix pre-flight clusterrole check (#29224, @marseel)
  • gh/workflows: Add lvh-kind action and use it in ci-e2e (#29485, @brb)
  • gh/workflows: Dump Cilium LB node logs in case of failure (#28808, @brb)
  • gh: datapath-verifier: also run on 6.1 kernel (#29349, @julianwiedmann)
  • gha: Enable Ingress Controller tests in conformance-e2e (#29130, @sayboras)
  • restore full go vet behaviour (#28945, @bimmlerd)
  • scale-test-100-gce: Use CILIUM_CLI_VERSION (#29562, @michi-covalent)
  • Set correct cluster name and id during upgrade test (#29165, @marseel)
  • Skip k8s upstream conformance test for multiple protocols on a Service (#29524, @youngnick)
  • Switch to on-demand instances for AWS tests on scheduled runs. (#29366, @marseel)
  • Test upgrade/downgrade to patch release for IPsec (#28815, @qmonnet)
  • test/k8s: clean up unused manifests (#29436, @tklauser)
  • test: Use previous in-pod CLI name for updates (#29208, @joestringer)
  • tests-e2e-upgrade: Use CILIUM_CLI_VERSION (#29496, @michi-covalent)
  • Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (#29409, @giorio94)
  • workflows: Add debug info to IPsec key rotation test (#29353, @pchaigno)
  • workflows: move cilium_cli_version definition to set-env-variables action (#29237, @jibi)
  • workflows: Pin conn-disrupt-test GH action to main (#29402, @pchaigno)

Misc Changes:

  • .github/workflows: only cancel concurrent jobs if not in merge_group (#29431, @aanm)
  • .github: do not group jobs on merge queues (#29551, @aanm)
  • Add AirQo to Cilium USERS.md (#29467, @123MwanjeMike)
  • Add an option to force BPF attachment to native device (#29176, @YutaroHayakawa)
  • Add CEP and CES resources (#29244, @pippolo84)
  • Add Cybozu to USERS.md (#29231, @chez-shanpu)
  • Add Dcode.tech to USERS.md (#28996, @eliranw)
  • Add IDNIC/Kadabra as user to Cilium (#28958, @ardikabs)
  • Add node activity health reporters on node manager (#28799, @derailed)
  • Add table for node addresses (#28962, @joamaki)
  • add v1.15.0-pre.2 release (#28903, @aanm)
  • api: Allow middleware to be injected via Hive (#29223, @gandro)
  • BGP CP: Replaces LocalNodeStore with Local CiliumNode (#28238, @danehans)
  • bgpv1: fix incorrect error messages in the reconcilePodIPPool function (#29125, @hargrovee)
  • bgpv1: fix merge race conflict on NewGoBGPServer (#29321, @mhofstetter)
  • bgpv1: Prevent multiple reconcilers with the same name (#29071, @rastislavs)
  • bgpv1: Reorganize BGP config reconcilers (#29277, @rastislavs)
  • bgpv1: Use specific log message and remove unused parameter (#28895, @hargrovee)
  • bpf: fine-tune a few L3 header validations (#28669, @julianwiedmann)
  • bpf: host: adjust scope of HostFW section in handle_ipv6() (#29052, @julianwiedmann)
  • bpf: ipsec: move get_min_encrypt_key() to encrypt.h (#28991, @julianwiedmann)
  • bpf: lb: fix missing drop reason in reverse_map_l4_port() (#28884, @julianwiedmann)
  • bpf: lxc: avoid upgrade/downgrade woes with CB_FROM_TUNNEL in IPv6 path (#29304, @julianwiedmann)
  • bpf: nat: fully switch to snat_v*_rewrite_helpers() (#29403, @julianwiedmann)
  • bpf: nat: limit EgressGW redirect check to bpf_host (#29159, @julianwiedmann)
  • bpf: nat: pass NAT map to snat_v4_new_mapping() (#29049, @julianwiedmann)
  • bpf: nodeport: re-introduce Ingress HostFW between RevSNAT and RevDNAT (#28960, @julianwiedmann)
  • bpf: tests: minor cleanups (#29354, @julianwiedmann)
  • bpf: tunnel-related cleanups in to-container path (#28920, @julianwiedmann)
  • bpf: use l4_load_ports() everywhere (#29135, @julianwiedmann)
  • Bug: Fix module health status output (#29140, @derailed)
  • build: Declare GO in makefile before first use (#28983, @sayboras)
  • Changed cilium status CLI output to render the modules health section as a tree structure vs tabular data. (#28800, @derailed)
  • chore(deps): update actions/checkout action to v4 (main) (#29539, @renovate[bot])
  • chore(deps): update actions/github-script action to v7 (main) (#29142, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#28987, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (minor) (#29260, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#29262, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#29387, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#29533, @renovate[bot])
  • chore(deps): update all github action dependencies to v2 (main) (major) (#29540, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#29388, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#29534, @renovate[bot])
  • chore(deps): update anchore/scan-action action to v3.3.8 (main) (#29573, @renovate[bot])
  • chore(deps): update cilium/cilium digest to 614f2dd (main) (#29386, @renovate[bot])
  • chore(deps): update cilium/cilium digest to 93f26fd (main) (#29141, @renovate[bot])
  • chore(deps): update cilium/cilium digest to ef8ca62 (main) (#29120, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.13 (main) (#28989, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.14 (main) (#29234, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.16 (main) (#29464, @renovate[bot])
  • chore(deps): update dependency eksctl-io/eksctl to v0.165.0 (main) (#29537, @renovate[bot])
  • chore(deps): update dependency go to v1.21.4 (main) (#29558, @renovate[bot])
  • chore(deps): update dependency kubernetes/kops to v1.28.1 (main) (#29128, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (main) (#29535, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.4 docker digest to 9baee0e (main) (#29261, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d (main) (#29572, @renovate[bot])
  • chore(deps): update go to v1.21.4 (main) (patch) (#29043, @renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v1.55.2 (main) (#28990, @renovate[bot])
  • chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (main) (#29314, @renovate[bot])
  • chore(deps): update quay.io/cilium/kindest-node docker tag to v1.28.3 (main) (#29057, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231123.012848 (main) (#28992, @renovate[bot])
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (#29178, @brb)
  • ci: Bump timeout on ci-runtime privileged workflow (#28923, @jrajahalme)
  • CI: fix broken BPF complexity tests (#29510, @lmb)
  • cilium-dbg, policy, api: Fix labels in policy selectors output (#29152, @christarazi)
  • cilium: Add a few bwm setting tweaks (#29552, @borkmann)
  • Clarify cilium_event_ts metric description (#29303, @christarazi)
  • client: Use options pattern for NewRuntime (#29271, @gandro)
  • clustermesh install documentation: missing step (#28889, @dashaun)
  • cni: remove unused CILIUM_CNI_CONF variable from install script (#29063, @wedaly)
  • CODEOWNERS: claim some new ipsec-related files for cilium/ipsec (#29516, @julianwiedmann)
  • CODEOWNERS: IPsec owns pkg/common/ipsec (#29002, @pchaigno)
  • CODEOWNERS: Let IPsec team to own GH workflows for IPsec (#29190, @brb)
  • contrib: Fix prerelease pullPolicy (#28906, @joestringer)
  • ctmap: limit NAT purging to expected CT tuple types (#28871, @julianwiedmann)
  • daemon: Simplify cilium_host IP restoration (#28781, @gandro)
  • datapath: Few minor improvements to DevicesController (#28887, @joamaki)
  • datapath: Move linuxNodeHandler IPsec functions to their own file (#28941, @pchaigno)
  • devices: fix busy loop (#29163, @bimmlerd)
  • dnsproxy: convert LookupEndpointByIP to use netip.Addr (#28891, @tklauser)
  • doc: Add roadmap for mutual authentication (#29006, @tgraf)
  • docs: Add CiliumPodIPPool option in BGP Adv. Path Attributes docs (#29177, @rastislavs)
  • docs: Add cluster install/prep guide for GKE-to-GKE clustermesh (#29342, @Neutrollized)
  • docs: add instructions to build kindest-node image (#29079, @aanm)
  • docs: bump required Helm version (#29273, @nebril)
  • docs: Drop references to Helm v2 (#29463, @joestringer)
  • docs: update versions and parameters for XDP Acceleration on AKS (#29091, @jshr-w)
  • Docs: Updates BGP CP Developer Docs (#28908, @danehans)
  • don't remove neighbor link state file if migrateOnly (#28659, @liuyuan10)
  • enabled initialDelaySeconds on StartupProbe (#28816, @jignyasamishra)
  • endpoint: Clarify policy locking requirements (#29024, @jrajahalme)
  • endpoint: fix removed code comment. (#29172, @tommyp1ckles)
  • endpointstate: Add an interface to wait for endpoint restore (#29243, @pippolo84)
  • envoy: periodic version-check with hive timer job (#29513, @mhofstetter)
  • envoy: Support internal listeners in CiliumEnvoyConfig CRDs (#29026, @jrajahalme)
  • envoy: Update to pick up deny policy support (#28862, @jrajahalme)
  • Extract tunnel options to simplify override, and inject them through hive (#29051, @giorio94)
  • Fix bug preventing endpoint-related debug logs from being emitted (#29495, @learnitall)
  • Fix Cilium Datapath Prometheus metric names (#29226, @carnerito)
  • fix(deps): update all go dependencies main (main) (minor) (#28994, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#29264, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#29398, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#29538, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#28993, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#29134, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#29389, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#29536, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#29574, @renovate[bot])
  • fix(deps): update golang.org/x/sys digest to 13b15b7 (main) (#29279, @renovate[bot])
  • fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.613 (main) (#29263, @renovate[bot])
  • fix(deps): update module github.com/go-openapi/validate to v0.22.2 (main) (#29280, @renovate[bot])
  • Fixes rate limiting for CES Controller (#28963, @alan-kut)
  • Follow-up nits from etcd init script pull request (#29489, @JamesLaverack)
  • fqdn/dnsproxy: drop dependency on global EnableIPv{4,6} option (#28968, @tklauser)
  • gateway-api: cleanup cell imports & dependencies (#29204, @mhofstetter)
  • gateway-api: don't register secretsync if required CRDs aren't present (#29437, @mhofstetter)
  • gateway-api: fix up for import rename (#29143, @julianwiedmann)
  • gateway-api: improve secret sync resiliency (#29017, @mhofstetter)
  • gateway-api: Use Gateway API definition to check Route condition (#29359, @haiyuewa)
  • go.mod, vendor: update golang.org/x/sys to latest unreleased version (#29070, @tklauser)
  • Helm: Allow configuration of the install-cni container resources field (#27469, @RenaudWasTaken)
  • helm: Fix annotation duplication problems for cilium-agent (#28978, @bradwhitfield)
  • hubble/relay: Remove ReportOffline and refactor PeerManager (#28595, @glrf)
  • images: drop the kvstoremesh dockerfile (#28961, @giorio94)
  • images: Fix init-container script for cilium-dbg (#29424, @joestringer)
  • Implement NodeAddressing on top of Table[NodeAddress] (#29033, @joamaki)
  • Improve deletion of stale backends associated with non-global services, without waiting for full Cluster Mesh synchronization (#28745, @giorio94)
  • ingress: migrate Cilium Ingress controller to use the controller-runtime library (#29327, @mhofstetter)
  • ingress: migrate secret-sync to controller-runtime (#29198, @mhofstetter)
  • Introduce sync.Map wrapper with generics support (#29452, @giorio94)
  • ipam: Fix duplicate metric ipam_event release (#29520, @christarazi)
  • ipcache: keep upserted prefixes from being deleted by InjectLabels (#29014, @squeed)
  • ipcache: move CIDR restoration to asynchronous APIs (#28673, @squeed)
  • ipsec: Improve encrypt flush command (#28795, @pchaigno)
  • ipsec: Remove dead code for IPsec node encryption (#28898, @pchaigno)
  • ipsec: Small refactorings on key loading and state creation (#29352, @pchaigno)
  • k8s: remove unused slim k8s model for Ingress & IngressClass (#29517, @mhofstetter)
  • L7 Loadbalancing: Migrate to controller-runtime library (#29126, @mhofstetter)
  • labels: further optimize IPStringToLabel for single IP case (#29040, @tklauser)
  • loader: attach XDP programs using bpf_link (#28308, @rgo3)
  • loader: do not invoke llc separately (#29458, @lmb)
  • makefile: add back the sed command to update the logo path (#28929, @bradwhitfield)
  • maps: nat: fix copy & paste in error message from doFlush*() (#29097, @julianwiedmann)
  • Minor documentation fixes and improvements for the BGP MD5 feature (#29375, @nvibert)
  • Miscellaneous improvements about kvstore logging (#28843, @giorio94)
  • Miscellaneous improvements to the etcd client (#28834, @giorio94)
  • Modularise MTU discovery (#28964, @bimmlerd)
  • Modularize ipcache BPF listener (#29194, @giorio94)
  • Modularize iptables manager (#28746, @pippolo84)
  • Modularize kernel modules manager into its own cell (#28713, @pippolo84)
  • Modularized the bandwidth manager (#28619, @dylandreimerink)
  • mountinfo: fix build on linux/386 (#29481, @tklauser)
  • node: allow to override enable encapsulation on a per-node basis (#29232, @giorio94)
  • operator: extract controller-runtime integration into its own cell (#28931, @mhofstetter)
  • option: add LoadBalancerUsesDSR() helper (#26898, @julianwiedmann)
  • pkg/allocator: store key in variable for error message (#29076, @aanm)
  • pkg/bgpv1: Updates getPeerConfig() Method (#28474, @danehans)
  • plugins/cilium-cni: Move implementation into separate package (#29336, @gandro)
  • policy: Return a real nil rather than a non-nil interface (#29022, @jrajahalme)
  • policy: Simplify AccumulateMapChanges prototypes (#29025, @jrajahalme)
  • Prepare for release v1.15.0-pre.2 (#28901, @aanm)
  • probes: remove HAVE_FIB_LOOKUP leftovers (#29401, @rgo3)
  • proxy: define and use well known datapath constants (#28955, @tklauser)
  • README: Update releases (#29170, @nathanjsweet)
  • Refactor LocalNode synchronization logic and remove NodeChain (#29319, @giorio94)
  • Remove accidentally checked in .orig file (#29145, @christarazi)
  • Remove usage of global options from iptables cell (#29088, @pippolo84)
  • Renamed Hubble Dashboard so that it can be installed by Grafana Sidecar. (#28971, @saintdle)
  • Report node source in cilium-dbg node list (#29196, @tklauser)
  • secret-sync: extract secret-sync logic from gateway api controller & introduce hive cell (#29100, @mhofstetter)
  • service: fix service manager interface mismatch caused by merge race (#29018, @giorio94)
  • Some small fixes to make kind-fast (#28621, @squeed)
  • statedb: Allow non-terminated keys (#29440, @joamaki)
  • statedb: Simplify integration with Hive (#28892, @joamaki)
  • stream: fix spurious event on termination when Debounce is used (#29347, @giorio94)
  • Update lb-ipam.rst (#28756, @nvibert)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.15.0-pre.3@sha256:c09d3fc906f26edbc93494cc46e6616668d7931a05470f02b9f9a266c2cfc279 quay.io/cilium/cilium:v1.15.0-pre.3@sha256:c09d3fc906f26edbc93494cc46e6616668d7931a05470f02b9f9a266c2cfc279

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.15.0-pre.3@sha256:74f30ab524a07ffb3e74e2c0d5c34f7a03f1b090f45e3f4450db3d34800ada4d quay.io/cilium/clustermesh-apiserver:v1.15.0-pre.3@sha256:74f30ab524a07ffb3e74e2c0d5c34f7a03f1b090f45e3f4450db3d34800ada4d

docker-plugin

docker.io/cilium/docker-plugin:v1.15.0-pre.3@sha256:dee40ce43396547b8ef34b005679e207bdc9f8413ac1abdedbc6ce10a58e3ff2 quay.io/cilium/docker-plugin:v1.15.0-pre.3@sha256:dee40ce43396547b8ef34b005679e207bdc9f8413ac1abdedbc6ce10a58e3ff2

hubble-relay

docker.io/cilium/hubble-relay:v1.15.0-pre.3@sha256:95833c3375b48cf72d1c122da6ffed2f69bd7c6b76cd373f5a8455c0c527cc4b quay.io/cilium/hubble-relay:v1.15.0-pre.3@sha256:95833c3375b48cf72d1c122da6ffed2f69bd7c6b76cd373f5a8455c0c527cc4b

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.15.0-pre.3@sha256:a4ad0149c6ebfa87692379cd090ee25a41621dcf98af2a910f767ef46df72a51 quay.io/cilium/operator-alibabacloud:v1.15.0-pre.3@sha256:a4ad0149c6ebfa87692379cd090ee25a41621dcf98af2a910f767ef46df72a51

operator-aws

docker.io/cilium/operator-aws:v1.15.0-pre.3@sha256:c99a09adf0be9ec82d6407ad5d8a87c635258a88292417e4feebf83fb90d36f6 quay.io/cilium/operator-aws:v1.15.0-pre.3@sha256:c99a09adf0be9ec82d6407ad5d8a87c635258a88292417e4feebf83fb90d36f6

operator-azure

docker.io/cilium/operator-azure:v1.15.0-pre.3@sha256:136d55f7ad5dbbae6c79f6a4d547f2641c590e37a80d745b9c8135fd5b8b5553 quay.io/cilium/operator-azure:v1.15.0-pre.3@sha256:136d55f7ad5dbbae6c79f6a4d547f2641c590e37a80d745b9c8135fd5b8b5553

operator-generic

docker.io/cilium/operator-generic:v1.15.0-pre.3@sha256:01959fb5e0164fbe3f265f42da4e444d9511f716ac26210fea1080c948d4583e quay.io/cilium/operator-generic:v1.15.0-pre.3@sha256:01959fb5e0164fbe3f265f42da4e444d9511f716ac26210fea1080c948d4583e

operator

docker.io/cilium/operator:v1.15.0-pre.3@sha256:1df2ea3840ca1c012d86f8e9dd785c3f24ce319915db3e6c99150627dfdc08cb quay.io/cilium/operator:v1.15.0-pre.3@sha256:1df2ea3840ca1c012d86f8e9dd785c3f24ce319915db3e6c99150627dfdc08cb

v1.14.4

6 months ago

We are pleased to release Cilium v1.14.4. This release includes several network policy performance improvements, improvements and fixes for IPSec, and numerous bug fixes and architectural improvements.

Summary of Changes

Minor Changes:

  • certmanager: solve CannotRegenerateKey (Backport PR #29030, Upstream PR #28787, @universam1)
  • Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (Backport PR #29086, Upstream PR #28928, @jrajahalme)
  • Cilium now properly deletes stale (deleted) nodes from the node_connectivity_status and node_connectivity_latency_seconds metrics, reducing metric cardinality. (Backport PR #28980, Upstream PR #28382, @derailed)
  • Display interfaces used for IPsec decryption in cilium encrypt status. (Backport PR #28759, Upstream PR #28640, @pchaigno)
  • helm: delete AWS iptables in all deployments aside from AWS CNI chaining environments (Backport PR #28870, Upstream PR #28697, @nebril)
  • ipsec: New Prometheus metrics for XFRM configs (Backport PR #28759, Upstream PR #28400, @pchaigno)
  • policy: Cilium will not process or enforce network policies with port ranges or Kubernetes network policies that use "EndPort". (Backport PR #29030, Upstream PR #28704, @nathanjsweet)
  • policy: Fixed a bug that incorrectly omitted port-protocol policy rules that omitted the "protocol" field. An omitted "protocol" field now, correctly, is the same as using the "ANY" protocol. (Backport PR #28759, Upstream PR #28703, @nathanjsweet)
  • v1.14: WG tunneling (#28917, @brb)

Bugfixes:

  • bpf: Add TC_ACT_REDIRECT check for nodeport (Backport PR #29030, Upstream PR #28927, @sayboras)
  • Don't bind a /64 address to cilium_host to avoid misrouting cross-node traffic (Backport PR #28759, Upstream PR #28633, @CallMeFoxie)
  • envoy: fix lb backend endpoint calculation (Backport PR #28870, Upstream PR #27923, @mhofstetter)
  • Fix CIDR labels computation (Backport PR #28870, Upstream PR #28788, @pippolo84)
  • Fix concurrency issue when changing labels on pods started before Cilium setup their network. Cilium will now process pod labels modified while setting up the pod network. (Backport PR #28870, Upstream PR #28789, @aanm)
  • Fix false positives of 'Key allocation attempt failed' in CRD mode (Backport PR #29064, Upstream PR #28810, @aanm)
  • Fix incorrect logic used by the Ingress Controller to sync Cilium's IngressClass on startup. (Backport PR #28870, Upstream PR #28663, @learnitall)
  • Fix IPsec error logs to always have all information needed to identify the XFRM configuration on which the error happened. (Backport PR #29030, Upstream PR #28642, @pchaigno)
  • Fix issue causing KVStoreMesh metrics to be included in the dedicated Service/ServiceMonitor when KVStoreMesh is disabled (Backport PR #28759, Upstream PR #28481, @giorio94)
  • fix: Correct spire labels indentation in helm chart (Backport PR #28759, Upstream PR #28610, @sayboras)
  • fixed cilium-operator delete CEC cilium-ingress when other ingressclass resources are created (Backport PR #28759, Upstream PR #28638, @chaunceyjiang)
  • Improved event handling for pod events by removing an unnecessary early return, allowing unrelated components to execute correctly, while enhancing ipcache error logging. (Backport PR #29030, Upstream PR #28840, @aanm)
  • ingress: cleanup resources on changed ingress class field (Backport PR #29030, Upstream PR #28886, @mhofstetter)
  • Print full labelset for all identities in 'cilium ip list' output (Backport PR #28759, Upstream PR #28425, @joestringer)
  • Remove AWS-CONNMARK-CHAIN iptable rules when running in ENI mode. (Backport PR #28759, Upstream PR #28676, @nebril)
  • spire: add scheduling configurations to helm-chart (Backport PR #28759, Upstream PR #27229, @tvonhacht-apple)
  • When the CT entry for a DSR connection is garbage-collected, the corresponding SNAT entry is now also removed. (Backport PR #28870, Upstream PR #28857, @julianwiedmann)

CI Changes:

  • [v1.14] Use pull_request_target in Update Backport Label workflow (#29009, @pippolo84)
  • ci: disable envoy tracing in multi-pool workflow (Backport PR #29030, Upstream PR #28966, @tklauser)
  • gh/workflows: Dump Cilium LB node logs in case of failure (Backport PR #29030, Upstream PR #28808, @brb)
  • Test both VXLAN and GENEVE tunneling as part of the Conformance Cluster Mesh workflow (Backport PR #28870, Upstream PR #28767, @giorio94)

Misc Changes:

  • bpf: lb: fix missing drop reason in reverse_map_l4_port() (Backport PR #29030, Upstream PR #28884, @julianwiedmann)
  • bpf: lxc: remove stale ENABLE_IDENTITY_MARK ifdefs (Backport PR #28759, Upstream PR #28391, @julianwiedmann)
  • bugtool: Collect XFRM error counters twice (Backport PR #28870, Upstream PR #28790, @pchaigno)
  • chore(deps): update all github action dependencies (v1.14) (minor) (#29010, @renovate[bot])
  • chore(deps): update all github action dependencies (v1.14) (patch) (#28733, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#28734, @renovate[bot])
  • chore(deps): update all lvh-images main (v1.14) (patch) (#28867, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.11 (v1.14) (#28735, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.12 (v1.14) (#28998, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.4 (v1.14) (#28739, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 91ca472 (v1.14) (#28731, @renovate[bot])
  • chore(deps): update go to v1.20.11 (v1.14) (patch) (#29044, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231106.012832 (v1.14) (#28999, @renovate[bot])
  • ci: Bump timeout on ci-runtime privileged workflow (Backport PR #29030, Upstream PR #28923, @jrajahalme)
  • datapath: Move linuxNodeHandler IPsec functions to their own file (Backport PR #29030, Upstream PR #28941, @pchaigno)
  • doc: Add roadmap for mutual authentication (Backport PR #29030, Upstream PR #29006, @tgraf)
  • docs: Clarify BPF Map Pressure Metric (Backport PR #28759, Upstream PR #28682, @nathanjsweet)
  • docs: Update IPsec key rotation command (Backport PR #28759, Upstream PR #28141, @jschwinger233)
  • go.mod, vendor: use github.com/cilium/dns fork directly (Backport PR #29086, Upstream PR #27582, @tklauser)
  • Improve deletion of stale backends associated with non-global services, without waiting for full Cluster Mesh synchronization (Backport PR #29030, Upstream PR #28745, @giorio94)
  • ipsec: Improve encrypt flush command (Backport PR #29030, Upstream PR #28795, @pchaigno)
  • ipsec: Remove dead code for IPsec node encryption (Backport PR #29030, Upstream PR #28898, @pchaigno)
  • labels/cidr: Memoize labels for already seen prefixes (Backport PR #28870, Upstream PR #28465, @pippolo84)
  • labels/cidr: On the fly char replacement for IPv6 (Backport PR #29021, Upstream PR #28647, @pippolo84)
  • labels: Use slices.Sort instead of sort.Strings (Backport PR #29021, Upstream PR #28649, @pippolo84)
  • pkg/allocator: store key in variable for error message (Backport PR #29064, Upstream PR #29076, @aanm)
  • Update the clustermesh troubleshooting guide (Backport PR #28759, Upstream PR #26798, @giorio94)

Other Changes:

  • [1.14 Backport] ci: use renovate to upgrade Helm in ginkgo tests (#28940, @nebril)
  • [v1.14] Always migrate cilium_calls_* during ELF load (#28830, @ti-mo)
  • [v1.14] envoy: Bump version to v1.26.6 (#28853, @sayboras)
  • ci-e2e: Enable WG encapsulation tests (#28997, @brb)
  • install: Update image digests for v1.14.3 (#28683, @jrajahalme)

v1.13.9

6 months ago

We are pleased to release Cilium v1.13.9. This release includes several network policy performance improvements, improvements and fixes for IPSec, and numerous bug fixes and architectural improvements.

Summary of Changes

Minor Changes:

  • Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (Backport PR #29089, Upstream PR #28928, @jrajahalme)
  • Cilium now properly deletes stale (deleted) nodes from the node_connectivity_status and node_connectivity_latency_seconds metrics, reducing metric cardinality. (Backport PR #28932, Upstream PR #28382, @derailed)
  • Display interfaces used for IPsec decryption in cilium encrypt status. (Backport PR #28761, Upstream PR #28640, @pchaigno)
  • ipsec: New Prometheus metrics for XFRM configs (Backport PR #28761, Upstream PR #28400, @pchaigno)
  • policy: Fixed a bug that incorrectly omitted port-protocol policy rules that omitted the "protocol" field. An omitted "protocol" field now, correctly, is the same as using the "ANY" protocol. (Backport PR #28761, Upstream PR #28703, @nathanjsweet)

Bugfixes:

  • [v1.13] Remove remote-node labels from ipcache on node delete (#28972, @tklauser)
  • bpf: Add TC_ACT_REDIRECT check for nodeport (Backport PR #29034, Upstream PR #28927, @sayboras)
  • envoy: fix lb backend endpoint calculation (Backport PR #28877, Upstream PR #27923, @mhofstetter)
  • Fix CIDR labels computation (Backport PR #28877, Upstream PR #28788, @pippolo84)
  • Fix IPsec error logs to always have all information needed to identify the XFRM configuration on which the error happened. (Backport PR #29034, Upstream PR #28642, @pchaigno)
  • When the CT entry for a DSR connection is garbage-collected, the corresponding SNAT entry is now also removed. (Backport PR #28877, Upstream PR #28857, @julianwiedmann)

CI Changes:

  • [v1.13] Use pull_request_target in Update Backport Label workflow (#29011, @pippolo84)
  • gh/workflows: Dump Cilium LB node logs in case of failure (Backport PR #29034, Upstream PR #28808, @brb)
  • Test both VXLAN and GENEVE tunneling as part of the Conformance Cluster Mesh workflow (Backport PR #28877, Upstream PR #28767, @giorio94)

Misc Changes:

  • bpf: lb: fix missing drop reason in reverse_map_l4_port() (Backport PR #29034, Upstream PR #28884, @julianwiedmann)
  • bpf: lxc: remove stale ENABLE_IDENTITY_MARK ifdefs (Backport PR #28761, Upstream PR #28391, @julianwiedmann)
  • bugtool: Collect XFRM error counters twice (Backport PR #28877, Upstream PR #28790, @pchaigno)
  • chore(deps): update docker.io/library/golang docker tag to v1.20.11 (v1.13) (#29041, @renovate[bot])
  • datapath: Move linuxNodeHandler IPsec functions to their own file (Backport PR #29034, Upstream PR #28941, @pchaigno)
  • docs: Clarify BPF Map Pressure Metric (Backport PR #28761, Upstream PR #28682, @nathanjsweet)
  • docs: Update IPsec key rotation command (Backport PR #28761, Upstream PR #28141, @jschwinger233)
  • go.mod, vendor: use github.com/cilium/dns fork directly (Backport PR #29089, Upstream PR #27582, @tklauser)
  • ipsec: Improve encrypt flush command (Backport PR #29034, Upstream PR #28795, @pchaigno)
  • ipsec: Remove dead code for IPsec node encryption (Backport PR #29034, Upstream PR #28898, @pchaigno)
  • labels/cidr: Memoize labels for already seen prefixes (Backport PR #28877, Upstream PR #28465, @pippolo84)
  • labels/cidr: On the fly char replacement for IPv6 (Backport PR #28950, Upstream PR #28647, @pippolo84)
  • labels: Use slices.Sort instead of sort.Strings (Backport PR #28950, Upstream PR #28649, @pippolo84)

Other Changes:

  • [v1.13] Always migrate cilium_calls_* during ELF load (#28829, @ti-mo)
  • [v1.13] backports 2023-10-25 (#28776, @sayboras)
  • [v1.13] envoy: Bump version to v1.26.6 (#28854, @sayboras)
  • [v1.13] envoy: Update envoy version to 1.25.x (#28331, @sayboras)
  • install: Update image digests for v1.13.8 (#28636, @jrajahalme)

v1.12.16

6 months ago

We are pleased to release Cilium v1.12.16. This release includes several network policy performance improvements, improvements and fixes for IPSec, and numerous bug fixes and architectural improvements.

Summary of Changes

Minor Changes:

  • Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (Backport PR #29090, Upstream PR #28928, @jrajahalme)
  • Cilium now properly deletes stale (deleted) nodes from the node_connectivity_status and node_connectivity_latency_seconds metrics, reducing metric cardinality. (Backport PR #28977, Upstream PR #28382, @derailed)
  • Display interfaces used for IPsec decryption in cilium encrypt status. (Backport PR #28762, Upstream PR #28640, @pchaigno)
  • ipsec: New Prometheus metrics for XFRM configs (Backport PR #28762, Upstream PR #28400, @pchaigno)
  • policy: Fixed a bug that incorrectly omitted port-protocol policy rules that omitted the "protocol" field. An omitted "protocol" field now, correctly, is the same as using the "ANY" protocol. (Backport PR #28762, Upstream PR #28703, @nathanjsweet)

Bugfixes:

  • bpf: Add TC_ACT_REDIRECT check for nodeport (Backport PR #29035, Upstream PR #28927, @sayboras)
  • Fix CIDR labels computation (Backport PR #28893, Upstream PR #28788, @pippolo84)
  • Fix IPsec error logs to always have all information needed to identify the XFRM configuration on which the error happened. (Backport PR #29035, Upstream PR #28642, @pchaigno)

CI Changes:

  • [v1.12] Use pull_request_target in Update Backport Label workflow (#29012, @pippolo84)
  • gh/workflows: Dump Cilium LB node logs in case of failure (Backport PR #29035, Upstream PR #28808, @brb)
  • Test both VXLAN and GENEVE tunneling as part of the Conformance Cluster Mesh workflow (Backport PR #28893, Upstream PR #28767, @giorio94)

Misc Changes:

  • bpf: lb: fix missing drop reason in reverse_map_l4_port() (Backport PR #29035, Upstream PR #28884, @julianwiedmann)
  • bpf: lxc: remove stale ENABLE_IDENTITY_MARK ifdefs (Backport PR #28762, Upstream PR #28391, @julianwiedmann)
  • bugtool: Collect XFRM error counters twice (Backport PR #28893, Upstream PR #28790, @pchaigno)
  • chore(deps): update docker.io/library/golang docker tag to v1.20.11 (v1.12) (#29042, @renovate[bot])
  • datapath: Move linuxNodeHandler IPsec functions to their own file (Backport PR #29035, Upstream PR #28941, @pchaigno)
  • docs: Clarify BPF Map Pressure Metric (Backport PR #28762, Upstream PR #28682, @nathanjsweet)
  • docs: Update IPsec key rotation command (Backport PR #28762, Upstream PR #28141, @jschwinger233)
  • go.mod, vendor: use github.com/cilium/dns fork directly (Backport PR #29090, Upstream PR #27582, @tklauser)
  • ipsec: Improve encrypt flush command (Backport PR #29035, Upstream PR #28795, @pchaigno)
  • labels/cidr: Memoize labels for already seen prefixes (Backport PR #28893, Upstream PR #28465, @pippolo84)
  • labels/cidr: On the fly char replacement for IPv6 (Backport PR #28951, Upstream PR #28647, @pippolo84)
  • labels: Use slices.Sort instead of sort.Strings (Backport PR #28951, Upstream PR #28649, @pippolo84)

Other Changes:

  • [v1.12] envoy: Bump version to v1.26.6 (#28855, @sayboras)
  • [v1.12] envoy: Update envoy version to 1.25.x (#28333, @sayboras)
  • install: Update image digests for v1.12.15 (#28653, @jrajahalme)

v1.15.0-pre.2

6 months ago

Summary of Changes

Major Changes:

  • Support BGP passwords in the Go BGP implementation. (#23759, @dgl)

Minor Changes:

  • Add flows per second information to Hubble status (#28205, @glrf)
  • add Ingress controller proxy protocol support (#28194, @zetaab)
  • Add option to redact http headers (#26724, @ChrsMark)
  • Added cilium_kvstoremesh_kvstore_sync_errors_counter, cilium_clustermesh_apiserver_kvstore_sync_errors_counter and kvstore_sync_errors_counter metrics that capture data synchronization errors to kvstore. (#28419, @marseel)
  • Added hubble_relay_pool_peer_connection_status metric for measuring the connection status of all peers. Metric keeps track of number of peers for each possible connection status. (#28217, @siwiutki)
  • Added new ingress.cilium.io/ssl-passthrough annotation for Ingress objects (#28751, @youngnick)
  • Adds optional configurable jobLabel to cilium-agent, cilium-operator, and hubble serviceMonitors (#28125, @rbankston)
  • Auth map garbage collection will trigger if last local endpoint of a security identity was removed (#27697, @meyskens)
  • BGPv1: Set R-bit in graceful restart capability negotiation. (#28293, @ArsenyBelorukov)
  • bpf: static data: use inline asm to access static data (#27589, @ti-mo)
  • certmanager: solve CannotRegenerateKey (#28787, @universam1)
  • cilium ingress should have an option to set the number of trusted loadbalancer hops (#27952, @chaunceyjiang)
  • Cilium now properly deletes stale (deleted) nodes from the node_connectivity_status and node_connectivity_latency_seconds metrics, reducing metric cardinality. (#28382, @derailed)
  • cmd: Disable local node routes when endpoint routes are enabled (#28324, @gandro)
  • Display interfaces used for IPsec decryption in cilium encrypt status. (#28640, @pchaigno)
  • docs: remove annotations-based l7 visibility (#28449, @networkop)
  • EgressGW: interface selection is now done with BPF, using --install-egress-gateway-routes is no longer needed. (#26215, @jibi)
  • ENI: fix calculateExcessIPs excessive calculate of excess ip (#28467, @wu0407)
  • envoy: Bump envoy version to v1.27.1 (#28531, @sayboras)
  • envoy: Bump envoy version to v1.27.2 (#28671, @mhofstetter)
  • fix: Preserve OwnerReferences when updating Ingresses with Load Balancer in shared mode (#28452, @bittermandel)
  • gateway-api: Support GRPCRoute resource (#28654, @sayboras)
  • gateway-api: Add support for multiple request mirrors (#28342, @sayboras)
  • gateway-api: Bump the version to v1.0.0-rc1 (#28757, @sayboras)
  • helm: delete AWS iptables in all deployments aside from AWS CNI chaining environments (#28697, @nebril)
  • Ignore Indexed Job-specific label by default for CID creation: batch.kubernetes.io/job-completion-index. (#28897, @tosi3k)
  • Improve cilium-agent bootstrap time when using cluster-pool ipam. (#28354, @marseel)
  • Improve helm validation for clustermesh, and allow creating the clustermesh configuration also in kvstore mode (#28763, @giorio94)
  • Improve the usability of the cilium policy selectors command by including the policy name and namespace in order to easily understand which selector comes from what policy (#27838, @christarazi)
  • ipam/multipool: Introduce specific ip family annotations for specifying ip pools (#28244, @hargrovee)
  • ipsec: New Prometheus metrics for XFRM configs (#28400, @pchaigno)
  • metrics: add bpf_map_capacity metric which provides max size of maps (#28146, @tommyp1ckles)
  • metrics: Add map pressure metric for auth map (#28357, @sayboras)
  • Network policies for reserved:ingress identity are now enforced by Cilium Ingress and Gateway API. (#28126, @jrajahalme)
  • pkg/labels: print all leaf CIDRs, not just the last one. (#28224, @squeed)
  • policy: Fixed a bug that incorrectly omitted port-protocol policy rules that omitted the "protocol" field. An omitted "protocol" field now, correctly, is the same as using the "ANY" protocol. (#28703, @nathanjsweet)
  • Reduce "stale identity observed" warnings (#27894, @leblowl)
  • Remove deprecated policy_import_errors_total metric (#28423, @tklauser)
  • Rename the CLI for local Cilium API access to 'cilium-dbg' (#28085, @joestringer)
  • Replace LB-IPAM IP allocator to remove limitations and enable additional features (#26488, @dylandreimerink)
  • Structured Health Reporter + EndpointManager Modular Health Checks (#27522, @tommyp1ckles)

Bugfixes:

  • Always replace the cilium_call_* tail call map during upgrade/restart to avoid "Missed tail call" errors (#28740, @ti-mo)
  • backporting: Revert changes until the new workflow will be in place (#28371, @pippolo84)
  • bpf: fixes an issue where inserting inner maps into an outer may fail with EINVAL due to flags mismatch (#28710, @ldelossa)
  • bpf: overlay: fix missing DBG_DECAP for Inter-Cluster-SNAT (#28466, @julianwiedmann)
  • Don't bind a /64 address to cilium_host to avoid misrouting cross-node traffic (#28633, @CallMeFoxie)
  • Don't orphan CEPs when node IPV6 is preferred at dual stack k8s config (#28142, @rawmind0)
  • envoy: fix lb backend endpoint calculation (#27923, @mhofstetter)
  • Fix a bug that causes pod-to-pod traffic between nodes to be dropped when IPsec is enabled and kube-proxy installed rules in both iptables-nft and iptables-legacy. (#28258, @pchaigno)
  • Fix CIDR labels computation (#28788, @pippolo84)
  • Fix concurrency issue when changing labels on pods started before Cilium setup their network. Cilium will now process pod labels modified while setting up the pod network. (#28789, @aanm)
  • Fix Helm rendering for dashboards.enabled=true (#28542, @bakito)
  • Fix incorrect logic used by the Ingress Controller to sync Cilium's IngressClass on startup. (#28663, @learnitall)
  • Fix issue causing KVStoreMesh metrics to be included in the dedicated Service/ServiceMonitor when KVStoreMesh is disabled (#28481, @giorio94)
  • Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (#28417, @ti-mo)
  • Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (Backport PR #28500, Upstream PR #28417, @ti-mo)
  • fix: Correct spire labels indentation in helm chart (#28610, @sayboras)
  • Fix: Gateway API double slash while stripping path prefix (#28294, @nxy7)
  • fixed cilium-operator delete CEC cilium-ingress when other ingressclass resources are created (#28638, @chaunceyjiang)
  • gateway-api: fix empty URI when removing path prefix (#28606, @dddddai)
  • helm: Correct command for initContainer config (#28613, @sayboras)
  • Improved event handling for pod events by removing an unnecessary early return, allowing unrelated components to execute correctly, while enhancing ipcache error logging. (#28840, @aanm)
  • ipcache: fix flapping labels in SelectorCache when reserved:host identity has multiple IPs (#28332, @squeed)
  • pkg/k8s: use a deep copy of CNP in UpdateStatus to avoid race condition (#28364, @aanm)
  • Print full labelset for all identities in 'cilium ip list' output (#28425, @joestringer)
  • Remove AWS-CONNMARK-CHAIN iptable rules when running in ENI mode. (#28676, @nebril)
  • resource: Fix race condition in handling of Kubernetes object delete event retrying. In the very rare case when an object was created, deleted and re-created with the same name and the handling of the first deletion failed, the handling of delete event may have been retried even though the object was re-created. Only affected features using the Resource-library (LB IPAM, Mutual Auth and ClusterMesh). (#27340, @joamaki)
  • srv6: modify h.encap location in the datapath to avoid incompatibility with IPv4Masq (#28817, @ldelossa)
  • When the CT entry for a DSR connection is garbage-collected, the corresponding SNAT entry is now also removed. (#28857, @julianwiedmann)

CI Changes:

  • .github: bump k8s version from v1.28.0 -> v1.28.2. (#28664, @tommyp1ckles)
  • .github: re-use common helm values from a single action (#28180, @aanm)
  • Add initial, in-progress workflow for automated scale testing (#28362, @learnitall)
  • Add time wrapper to test agent delays in CI (#27253, @joestringer)
  • bgpv1,ci: Fix BGP component tests reusing the same VirtualRouter config (#28420, @rastislavs)
  • ci: Add a workflow to update labels of backported PRs (#27875, @pippolo84)
  • ci: Avoid using deprecated "tunnel" flag (#28323, @gandro)
  • ci: Enable link checker to ensure that all links in documentation are valid (#27116, @vipul-21)
  • ci: use renovate to upgrade Helm in ginkgo tests (#28777, @nebril)
  • Correctly use cli installer action in ipv4/6 smoke (#28661, @bleggett)
  • Do not hardcode the AWS VPC CNI plugin version in the conformance-aws-cni GHA workflow (#28392, @giorio94)
  • gateway-api: Disable HTTPRouteRequestMultipleMirrors again (#28524, @sayboras)
  • gateway-api: Enable CI for multiple mirror feature (#28838, @sayboras)
  • GHA: Add clustermesh upgrade and downgrade tests (#27232, @giorio94)
  • GHA: correctly test kvstoremesh in conformance-clustermesh (#28434, @giorio94)
  • gha: Disable HTTPRouteRequestMultipleMirrors test (#28396, @sayboras)
  • gha: explicit branch and trigger in ariane-scheduled workflow (#28432, @giorio94)
  • Setup Renovate for SPIRE deployment (#27708, @meyskens)
  • Test both VXLAN and GENEVE tunneling as part of the Conformance Cluster Mesh workflow (#28767, @giorio94)
  • workflows: cilium-config: parametrize egressgw helm values (#28389, @jibi)

Misc Changes:

  • .github/actions/helm-default: use the derived SHA as image tag (#28410, @aanm)
  • .github: Fix typo in workflow stage name (#28504, @joestringer)
  • Add link in maintainers.md and contributing guide to contributor ladder (#28778, @xmulligan)
  • Add link to getting started guide for kind cluster for common "too many files" issue (#28522, @dipankardas011)
  • Add Parseable to USERS.md (#28675, @nitisht)
  • add traffic shifting example for service mesh (#27845, @tanjunchen)
  • Add workqueue.(delayingType).waitingLoop to goleak exception list (#28557, @dylandreimerink)
  • address missing binary checks for make dev-doctor. (#28269, @fujitatomoya)
  • Avoid requiring the latest Go toolchain patch version to build (#28686, @joestringer)
  • BGP CP: API Helper Functions Cleanup (#28036, @danehans)
  • bgpv1,ci: Add Test_AdvertisedPathAttributes into BGP component tests (#28484, @rastislavs)
  • bgpv1,ci: Do not use asserts in Eventually() test conditions (#28489, @rastislavs)
  • bgpv1: Remove inappropriate comments and fix typo (#28562, @hargrovee)
  • bigtcp: Modularize and use the devices table (#28643, @joamaki)
  • bpf: clean up CB_NAT (#28375, @julianwiedmann)
  • bpf: clean up some drop notifications (#28431, @julianwiedmann)
  • bpf: conntrack: improve handling of CT_REOPENED result (#28597, @julianwiedmann)
  • bpf: egressgw: make ct_status an enum (#28399, @julianwiedmann)
  • bpf: encap: clean up usage of __encap_and_redirect_with_nodeid() (#28411, @julianwiedmann)
  • bpf: hs-ipcache: use get_id_from_tunnel_id() (#28508, @julianwiedmann)
  • bpf: ipv4: refactor L4 port extraction for fragmented packets (#28717, @julianwiedmann)
  • bpf: let set_identity_mark() also set MARK_MAGIC_IDENTITY (#28665, @julianwiedmann)
  • bpf: lxc: remove stale ENABLE_IDENTITY_MARK ifdefs (#28391, @julianwiedmann)
  • bpf: overlay: clean up extraction of source identity (#28608, @julianwiedmann)
  • bpf: s/ipcache_lookup*()/lookup_ip*_remote_endpoint() (#28805, @julianwiedmann)
  • bugtool: Collect XFRM error counters twice (#28790, @pchaigno)
  • build(deps): bump urllib3 from 2.0.4 to 2.0.6 in /Documentation (#28365, @dependabot[bot])
  • build(deps): bump urllib3 from 2.0.6 to 2.0.7 in /Documentation (#28658, @dependabot[bot])
  • build: Remove envoy from Makefile target (#28436, @sayboras)
  • Check for cilium.sock in /healthz endpoint (#28343, @chaunceyjiang)
  • chore(deps): update all github action dependencies (main) (#28736, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (minor) (#28616, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#28603, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#28724, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#28345, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#28725, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#28859, @renovate[bot])
  • chore(deps): update cilium/cilium digest to a79241a (main) (#28721, @renovate[bot])
  • chore(deps): update cilium/cilium digest to ce02445 (main) (#28629, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.10 (main) (#28460, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.10 (main) (#28604, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.11 (main) (#28624, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.9 (#28406, @joestringer)
  • chore(deps): update dependency cilium/hubble to v0.12.1 (main) (#28520, @renovate[bot])
  • chore(deps): update dependency cilium/hubble to v0.12.2 (main) (#28565, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.4 (main) (#28346, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.3 docker digest to 24a0937 (main) (#28602, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2b7412e (main) (#28722, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 990350f (main) (#28578, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 9b8dec3 (main) (#28383, @renovate[bot])
  • chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 91ca472 (main) (#28468, @renovate[bot])
  • chore(deps): update github/codeql-action action to v2.22.5 (main) (#28860, @renovate[bot])
  • chore(deps): update go to v1.21.3 (main) (patch) (#28471, @renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v1.55.0 (main) (#28728, @renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v1.55.1 (main) (#28865, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (main) (#28539, @renovate[bot])
  • chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (main) (#28589, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231010.012608 (main) (#28605, @renovate[bot])
  • chore: Use slices package from Go std lib (#28614, @pippolo84)
  • chore: Use slices package from Go std lib (#28822, @schlosna)
  • ci-e2e: add job testing node cidr feature (#28445, @squeed)
  • cilium node chain refactor (#26962, @bimmlerd)
  • cilium: Remove platform references for completion (#28505, @joestringer)
  • Clean up prefix length tracking implementations (#25153, @joestringer)
  • clustermesh-apiserver/kvstoremesh: unify metrics cell (#28480, @giorio94)
  • clustermesh-apiserver: extract external workloads in a separate cell (#28478, @giorio94)
  • CODEOWNERS: assign .github/actions to github-sec and ci-structure (#28394, @jibi)
  • contrib: Add ContainerLab-based BGP CPlane development environment (#28292, @YutaroHayakawa)
  • contrib: Fix missing function in post-release.sh (#28372, @joestringer)
  • correct stats calculation for prepareBuild of endpoint_regeneration_time (#28150, @PlatformLC)
  • daemon,pkg/service: Use hive cell infra for pkg/service (#28732, @rastislavs)
  • daemon: Skip Ingress Endpoint on BPF watchdog (#28462, @jrajahalme)
  • daemon: Uniquely identify daemon ipcache upserts (#28770, @joestringer)
  • datapath: alignchecker: allow to extend toCheck and toCheckSizes (#28711, @jibi)
  • datapath: Introduce fake datapath cell (#28611, @joamaki)
  • dev-doctor command version strings should be array. (#28801, @fujitatomoya)
  • devices: Remove logging and report reason in device struct (#28393, @joamaki)
  • Docs: Add BGP Advertised Path Attributes documentation (#28482, @rastislavs)
  • docs: Add policymap pressure debugging guide (#27903, @christarazi)
  • Docs: Adds CiliumPodIPPool Special Purpose Selectors (#28819, @danehans)
  • docs: Clarify BPF Map Pressure Metric (#28682, @nathanjsweet)
  • docs: fix reference to lvh kind images (#27376, @rgo3)
  • docs: Mention RouteTableInterfacesOffset in system requirements (#28358, @gandro)
  • docs: Remove bare URLs from Flow gRPC API Reference (#28361, @kimstacy)
  • docs: Update IPsec key rotation command (#28141, @jschwinger233)
  • docs: Update Kubernetes Gateway-API version to v0.8.1 (#28388, @haiyuewa)
  • Docs: Updates BGP CP for PodIPPoolSelector (#28312, @danehans)
  • Docs: Updates for Deprecation of CNI network-plugin Flag (#28046, @danehans)
  • Docs: Updates L2 Announce for LB Class Support (#28252, @danehans)
  • docs: Use host port for serving docs (#28307, @brb)
  • Documentation: Consistently use --set for cilium install (#28577, @michi-covalent)
  • egressgw: doc fixes for install-egress-gateway-routes removal (#28523, @lmb)
  • egressgw: Switch from net to netip (#28503, @joestringer)
  • Enable k8s cache mutation detector in the CI (#28182, @aanm)
  • endpoint/id: use strings.IndexByte (#28202, @tklauser)
  • envoy: Import Health check sink API (#28463, @jrajahalme)
  • envoy: Update to a build with health checkers enabled (#28518, @jrajahalme)
  • example/connectivity-check: fix port conflict, capture termination log (#28833, @squeed)
  • Extend cilium scale-test to export results and gather additional data (#28594, @marseel)
  • Fix data race during Hubble setup (#28322, @glrf)
  • Fix IPv4 checksum recalculation in SNAT flows where ports are rewritten. (#28768, @gentoo-root)
  • Fix kind targets (#28548, @chancez)
  • fix(deps): update all go dependencies main (main) (minor) (#28098, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#28618, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#28730, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#28348, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#28514, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#28615, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#28727, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#28866, @renovate[bot])
  • fix(deps): update module golang.org/x/net to v0.17.0 [security] (main) (#28546, @renovate[bot])
  • fix: Remove the latest image tag from docs as latest tag is not published (#28241, @vipul-21)
  • Forcefully terminate stale sockets connected to deleted service backends when socket-lb is enabled, and allow applications to re-connect to active backends. (#25169, @aditighag)
  • gateway-api: Add conformance profile test (#28262, @sayboras)
  • gateway-api: De-flake HTTPRouteRequestMultipleMirrors test (#28488, @sayboras)
  • gateway-api: watch ownerreference to enable stricter reconciliation (#28641, @mhofstetter)
  • go.mod, vendor: update vishvananda/netlink to latest (#28779, @tklauser)
  • helm: add hubble UI support for GKE dataplane v2 (#28709, @dwalker-sabiogroup)
  • Helm: Add possibility to use affinity on certgen job (#28412, @seb-lafond)
  • Hive obj output improvements (#28369, @bimmlerd)
  • hive: ModuleID and FullModuleID, use full ID in module health (#28512, @joamaki)
  • Improve k8s-get-cilium-pod.sh (#28774, @timoreimann)
  • Improve readability of clustermesh-related log messages (#28784, @giorio94)
  • Introduce new BGP CRDs to provide a more flexible way to configure BGP in Cilium. (#28175, @harsimran-pabla)
  • ipam/multipool: Identity allocation via etcd is now supported (#28617, @gandro)
  • ipam: Remove unused mock function (#28370, @gandro)
  • ipcache: Fix incorrect source for kube-apiserver in tests (#28407, @christarazi)
  • ipcache: fix releasing node CIDRs after restoration (#28620, @squeed)
  • ipsec: Atomically upgrade XFRM states with new output-mark (#28485, @pchaigno)
  • ipsec: misc cleanups (#28408, @julianwiedmann)
  • Jobs now report health (#28677, @dylandreimerink)
  • labels/cidr: Fix slice preallocation size (#28378, @pippolo84)
  • labels/cidr: Memoize labels for already seen prefixes (#28465, @pippolo84)
  • labels/cidr: On the fly char replacement for IPv6 (#28647, @pippolo84)
  • labels: Use slices.Sort instead of sort.Strings (#28649, @pippolo84)
  • make: add "run-builder" target (#28587, @jrajahalme)
  • Makefile: add kind-egressgw targets (#28793, @jibi)
  • Makefile: fix 'fast' make targets (#28380, @aanm)
  • makefile: fix 'fast' targets for cilium-dbg (#28547, @aanm)
  • makefile: fix 'make kind' for mac (#28791, @f1ko)
  • maps/ctmap: simplify ip/port parsing using netip.ParseAddrPort (#28827, @tklauser)
  • node: Only Add Enabled IPs to Labels (#28360, @nathanjsweet)
  • None (#28738, @saschagrunert)
  • operator: introduce cec l7 envoy loadbalancing cell (#28835, @mhofstetter)
  • operator: introduce gateway api cell (#28785, @mhofstetter)
  • operator: introduce Ingress cell (#28794, @mhofstetter)
  • operator: Migrate Cilium Endpoint GC to hive (#28233, @alan-kut)
  • pkg/pprof: add CODEOWNER (#28278, @lmb)
  • Prepare for release v1.15.0-pre.1 (#28336, @aanm)
  • proxy: allow to provide fixed port for DNS proxy via cell (#28786, @tklauser)
  • README: Update releases (#28340, @aanm)
  • README: Update releases (#28689, @jrajahalme)
  • Remove daemon health from being reported via the CLI (#28404, @derailed)
  • Remove dependencies on linux probes for Windows builds (#28367, @glrf)
  • renovate: schedule all renovate updates for Monday (#28585, @aanm)
  • report endpoint ID on endpoint BPF program (#28747, @aanm)
  • Resiliency: Add checks to ensure endpoint BPF programs remain loaded (#27981, @derailed)
  • Resiliency: Node manager reconciliation path yields unchecked errors (#27714, @derailed)
  • resource: Fix flaky TestResource_RepeatedDelete (#28588, @joamaki)
  • Split mapstate keys into allow and deny (#28352, @bimmlerd)
  • statedb: Fix watch channel returned by LowerBound (#28644, @joamaki)
  • StateDB: split write methods from Table into RWTable (#28140, @joamaki)
  • statedb: Use proper context for graveyard rate limiting (#28888, @joamaki)
  • typo fix (#28231, @yylt)
  • Update codeowners for recent lb-ipam / ipalloc changes (#28803, @joestringer)
  • Update docs theme (#28403, @raphink)
  • Update ec2 eni limits - current as of Oct 30, 2023 (#28880, @michaelsaah)
  • update github.com/cilium/ebpf to v0.12.0 (#28533, @lmb)
  • Update Hubble UI from v0.12.0 to v0.12.1 (#28532, @rolinh)
  • update k8s dependencies to v0.28.2 (#28648, @aanm)
  • Update the clustermesh troubleshooting guide (#26798, @giorio94)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.15.0-pre.2@sha256:7f077c49ce091428b04de006d5f4cb01b8e32d63dc1d45fa3e372d624681e836
quay.io/cilium/cilium:v1.15.0-pre.2@sha256:7f077c49ce091428b04de006d5f4cb01b8e32d63dc1d45fa3e372d624681e836

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.15.0-pre.2@sha256:19539c7470f27431ee06e4d4bccad40ca206430e3b5f31c8c86cc96e71d85127
quay.io/cilium/clustermesh-apiserver:v1.15.0-pre.2@sha256:19539c7470f27431ee06e4d4bccad40ca206430e3b5f31c8c86cc96e71d85127

docker-plugin

docker.io/cilium/docker-plugin:v1.15.0-pre.2@sha256:033f762410bee062c47df96313ffda60683f682db8b562d81614fa7130d3b643
quay.io/cilium/docker-plugin:v1.15.0-pre.2@sha256:033f762410bee062c47df96313ffda60683f682db8b562d81614fa7130d3b643

hubble-relay

docker.io/cilium/hubble-relay:v1.15.0-pre.2@sha256:74b20caf534472e274eb020e8ceaf4abfe8d6540c282cb648eb4e0420bccf782
quay.io/cilium/hubble-relay:v1.15.0-pre.2@sha256:74b20caf534472e274eb020e8ceaf4abfe8d6540c282cb648eb4e0420bccf782

kvstoremesh

docker.io/cilium/kvstoremesh:v1.15.0-pre.2@sha256:68906ec4ff4577eeaff3a263a68037aae83f6727437e07958c6f7b2cac6b564b
quay.io/cilium/kvstoremesh:v1.15.0-pre.2@sha256:68906ec4ff4577eeaff3a263a68037aae83f6727437e07958c6f7b2cac6b564b

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.15.0-pre.2@sha256:a6ff662a0e07a383bc617579ca9ece9c093386a001582bc7588ab1e5b5fdf92e
quay.io/cilium/operator-alibabacloud:v1.15.0-pre.2@sha256:a6ff662a0e07a383bc617579ca9ece9c093386a001582bc7588ab1e5b5fdf92e

operator-aws

docker.io/cilium/operator-aws:v1.15.0-pre.2@sha256:81897d31042f34bac5d0d2a25d6dd64f7f294c5711f39ef47ddcb68ef05c1be0
quay.io/cilium/operator-aws:v1.15.0-pre.2@sha256:81897d31042f34bac5d0d2a25d6dd64f7f294c5711f39ef47ddcb68ef05c1be0

operator-azure

docker.io/cilium/operator-azure:v1.15.0-pre.2@sha256:01b92fc10fa76117f61f40fdd20c25d45ea8c205979423e2afd911523317e3ce
quay.io/cilium/operator-azure:v1.15.0-pre.2@sha256:01b92fc10fa76117f61f40fdd20c25d45ea8c205979423e2afd911523317e3ce

operator-generic

docker.io/cilium/operator-generic:v1.15.0-pre.2@sha256:e5506ddf0665307cf4012a9fbe3f1a51c722b63a12e7abd357119b7c2d1f68af
quay.io/cilium/operator-generic:v1.15.0-pre.2@sha256:e5506ddf0665307cf4012a9fbe3f1a51c722b63a12e7abd357119b7c2d1f68af

operator

docker.io/cilium/operator:v1.15.0-pre.2@sha256:060831c979d9eb636e70a51a1e3e5e6eb9f3297492c35b9c6d502a47c11b901e
quay.io/cilium/operator:v1.15.0-pre.2@sha256:060831c979d9eb636e70a51a1e3e5e6eb9f3297492c35b9c6d502a47c11b901e
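What makes the manifest list above usable as a supply-chain control is the digest pin: a tag such as v1.15.0-pre.2 can be moved to a different image, a sha256 manifest digest cannot, and the docker.io and quay.io mirrors are expected to publish the same digest for each component. The following is an added example, not Cilium project code, that parses references of this shape and rejects any line where a mirror is unpinned, carries a tag other than the release tag, or disagrees with the other mirror on the digest. The two real references are copied from the list above; the `example/tampered` and `example/unpinned` lines are constructed here to show the failure modes.

```python
# Added example, not Cilium project code: consistency check for a digest-pinned
# image manifest list of the form  <registry>/<repo>:<tag>@sha256:<digest>
import re

RELEASE_TAG = "v1.15.0-pre.2"

# Two real references copied from the manifest list above.
MANIFEST_LINES = (
    "docker.io/cilium/cilium:v1.15.0-pre.2@sha256:7f077c49ce091428b04de006d5f4cb01b8e32d63dc1d45fa3e372d624681e836 "
    "quay.io/cilium/cilium:v1.15.0-pre.2@sha256:7f077c49ce091428b04de006d5f4cb01b8e32d63dc1d45fa3e372d624681e836\n"
    "docker.io/cilium/operator-generic:v1.15.0-pre.2@sha256:e5506ddf0665307cf4012a9fbe3f1a51c722b63a12e7abd357119b7c2d1f68af "
    "quay.io/cilium/operator-generic:v1.15.0-pre.2@sha256:e5506ddf0665307cf4012a9fbe3f1a51c722b63a12e7abd357119b7c2d1f68af\n"
)

# Constructed (hypothetical) lines showing what the check must reject:
# mirrors that disagree on the digest, and a tag-only, unpinned reference.
TAMPERED_LINE = (
    "docker.io/example/tampered:v1.15.0-pre.2@sha256:" + "a" * 64 + " "
    "quay.io/example/tampered:v1.15.0-pre.2@sha256:" + "b" * 64 + "\n"
)
UNPINNED_LINE = "docker.io/example/unpinned:v1.15.0-pre.2\n"

# A pinned reference: registry host, repo path, tag, and a 64-hex-char sha256 digest.
IMAGE_REF = re.compile(
    r"^(?P<registry>[^/\s]+)/(?P<repo>[^:@\s]+):(?P<tag>[^@\s]+)@sha256:(?P<digest>[0-9a-f]{64})$"
)


def parse_ref(ref):
    """Return the parts of a digest-pinned reference, or None if it is
    unpinned (tag only) or otherwise malformed."""
    m = IMAGE_REF.match(ref)
    return m.groupdict() if m else None


def audit_manifests(text, expected_tag):
    """Check every line of a manifest list. Each line holds one or more
    mirrors of the same image. Returns (verified, errors): verified maps
    repo -> digest for lines where all mirrors are pinned, carry expected_tag
    and agree on the digest; errors holds one message per rejected line."""
    verified, errors = {}, []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        refs = [parse_ref(t) for t in tokens]
        if any(r is None for r in refs):
            errors.append(f"unpinned or malformed reference in: {line}")
            continue
        repos = {r["repo"] for r in refs}
        tags = {r["tag"] for r in refs}
        digests = {r["digest"] for r in refs}
        if len(repos) != 1:
            errors.append(f"mixed repositories on one line: {sorted(repos)}")
        elif tags != {expected_tag}:
            errors.append(f"{repos.pop()}: tag mismatch, got {sorted(tags)}")
        elif len(digests) != 1:
            errors.append(f"{repos.pop()}: mirrors disagree on digest {sorted(digests)}")
        else:
            verified[repos.pop()] = digests.pop()
    return verified, errors


if __name__ == "__main__":
    ok, errs = audit_manifests(MANIFEST_LINES + TAMPERED_LINE + UNPINNED_LINE, RELEASE_TAG)
    for repo, digest in ok.items():
        print(f"OK   {repo}@sha256:{digest}")
    for e in errs:
        print(f"FAIL {e}")
```

When a `tag@sha256:` reference is pulled, the runtime resolves it by digest (the tag is informational) and verifies the fetched manifest against that digest, so pinning by digest is what to carry into deployment manifests and Helm values. This script establishes only that the published references are pinned and mutually consistent; it does not attest that the content behind the digest is trustworthy.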