chore(deps): update kubezero-network-dependencies #154

renovate · 2023-12-14T03:05:28Z

renovate commented

2023-12-14 03:05:28 +00:00

This PR contains the following updates:

Package	Update	Change
cilium (source)	minor	`1.14.4` -> `1.15.2`
metallb (source)	minor	`0.13.12` -> `0.14.3`

Release Notes

cilium/cilium (cilium)

`v1.15.2`: 1.15.2

Compare Source

We are pleased to release Cilium v1.15.2. This release contains various bug fixes and improvements.

Security Advisories

This patch release addresses security vulnerabilities. See the following security advisories
for details.

IPsec

This patch release includes significant changes for the IPsec stack, to resolve issues for connections that are selected by a L7 Network Policy or a DNS Policy.

Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode.

Summary of Changes

Minor Changes:

Add default divisor for GOMEMLIMIT to satisfy Argo CD diff (Backport PR #30997, Upstream PR #30635, @jdmcmahan)
Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (Backport PR #31318, Upstream PR #31205, @squeed)
Gateway API BackendRef filters support (Backport PR #30997, Upstream PR #30090, @chaunceyjiang)

Bugfixes:

Cilium allows selecting 'lo' as a device again. (Backport PR #31206, Upstream PR #31200, @bimmlerd)
endpoint: fix inability to create endpoint with labels in a single API call (Backport PR #30997, Upstream PR #30170, @oblazek)
Fix bug in the VTEP feature which caused all traffic from the VTEP to be dropped with "Incorrect VNI from VTEP" (Backport PR #31154, Upstream PR #31039, @joestringer)
Fix bug prevented endpoints from sending or receiving network traffic due to the 'reserved:init' label persisting after initialization. (Backport PR #31047, Upstream PR #30909, @aanm)
Fix GC interval calculation by taking into account the actual time passed between GC runs. (Backport PR #31154, Upstream PR #28657, @gentoo-root)
Fix host firewall policy enforcement for pod to node traffic when tunneling is enabled and KPR is disabled (Backport PR #30997, Upstream PR #30818, @giorio94)
Fix the referenced interface in iptables rules (eni+ instead of lxc+) when --enable-endpoint-routes=true and --cni-chaining-mode="aws-cni" (Backport PR #31154, Upstream PR #30766, @pippolo84)
Fixes an IPv6 issue that cilium doesn't respond to Neighbor Solicitation targeting the pods on same node. (Backport PR #31155, Upstream PR #30837, @jschwinger233)
Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR #31158, Upstream PR #29594, @jschwinger233)
Fixes proxy issues in egress direction (Backport PR #31158, Upstream PR #30095, @jschwinger233)
Fixes some valid GC entries being removed at agent restart (Backport PR #30863, Upstream PR #29696, @rsafonseca)
gateway-api: Correct the null check for GRPRRoute Match (Backport PR #31154, Upstream PR #31052, @sayboras)
helm: Probe Envoy DaemonSet localhost IP directly (Backport PR #30997, Upstream PR #30970, @iandrewt)
hubble: fix parsing of invalid HTTP URLs (Backport PR #31154, Upstream PR #31100, @kaworu)
srv6: Fix packet drop with GSO type mismatch (Backport PR #30799, Upstream PR #30732, @YutaroHayakawa)
statedb: Fix race between Observable and DB stopping (Backport PR #30863, Upstream PR #30816, @joamaki)
xds: Avoid xds timeout due to agent restart in envoy DS mode (Backport PR #31154, Upstream PR #31061, @sayboras)

CI Changes:

ci/ipsec: Fix downgrade version retrieval (Backport PR #31047, Upstream PR #30742, @qmonnet)
ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #30863, Upstream PR #30790, @brlbil)
CI: Update tested K8S versions across all cloud providers (Backport PR #30863, Upstream PR #30795, @brlbil)
Fix datapath mode in Network Performance CI test (Backport PR #30863, Upstream PR #30756, @marseel)
Prevent E2E tests from failing on a known-ok warning log of temporary CRD failure (Backport PR #31154, Upstream PR #30778, @learnitall)

Misc Changes:

bgpv1: Remove disruptive error handling from BGPRouterManager (#30735, @YutaroHayakawa)
bgpv1: Remove or downgrade noisy logs (Backport PR #30997, Upstream PR #30868, @YutaroHayakawa)
bitlpm: Factor out common code (Backport PR #31154, Upstream PR #31026, @jrajahalme)
bpf: host: optimize from-host's ICMPv6 path (Backport PR #31155, Upstream PR #31127, @julianwiedmann)
bpf: host: skip from-proxy handling in from-netdev (Backport PR #31158, Upstream PR #29962, @julianwiedmann)
bugtool: Capture memory fragmentation info from /proc (Backport PR #31154, Upstream PR #30966, @pchaigno)
Bump google.golang.org/protobuf (v1.15) (#31319, @ferozsalam)
Change ariane config CODEOWNERS (Backport PR #30863, Upstream PR #30803, @brlbil)
chore(deps): update actions/download-artifact action to v4.1.3 (v1.15) (#30986, @renovate[bot])
chore(deps): update all github action dependencies (v1.15) (#30951, @renovate[bot])
chore(deps): update all github action dependencies (v1.15) (#31113, @renovate[bot])
chore(deps): update all github action dependencies (v1.15) (#31290, @renovate[bot])
chore(deps): update all github action dependencies (v1.15) (patch) (#30780, @renovate[bot])
chore(deps): update all github action dependencies (v1.15) (patch) (#31133, @renovate[bot])
chore(deps): update all github action dependencies to v4 (v1.15) (major) (#30781, @renovate[bot])
chore(deps): update all kind-images main (v1.15) (#30851, @renovate[bot])
chore(deps): update all-dependencies (v1.15) (#30949, @renovate[bot])
chore(deps): update all-dependencies (v1.15) (#31287, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.23 (v1.15) (#30860, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.0 (v1.15) (#31172, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.7 docker digest to 549dd88 (v1.15) (#30855, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to f9d633f (v1.15) (#30738, @renovate[bot])
chore(deps): update go to v1.21.7 (v1.15) (patch) (#30672, @renovate[bot])
chore(deps): update go to v1.21.8 (v1.15) (#31183, @renovate[bot])
chore(deps): update hubble cli to v0.13.2 (v1.15) (#31338, @renovate[bot])
chore(deps): update stable lvh-images (v1.15) (patch) (#30652, @renovate[bot])
chore(deps): update stable lvh-images (v1.15) (patch) (#31134, @renovate[bot])
chore(deps): update stable lvh-images (v1.15) (patch) (#31288, @renovate[bot])
chore(deps): update stable lvh-images to v6.6-20240221.111541 (v1.15) (#30977, @renovate[bot])
CODEOWNERS: Ensure gha review for actions (#31139, @joestringer)
container/bitlpm: Add Lookup Boolean Return Value (Backport PR #31154, Upstream PR #31037, @nathanjsweet)
docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (Backport PR #31154, Upstream PR #30462, @saintdle)
docs: kpr: DSR-Geneve with native-routing requires tunnelProtocol (Backport PR #30997, Upstream PR #30854, @julianwiedmann)
docs: update note on WireGuard with tunnel routing (Backport PR #31154, Upstream PR #31083, @julianwiedmann)
images: bump cni plugins to v1.4.1 (#31348, @aanm)
lbipam: copy slice before modification in (*LBIPAM).handlePoolModified (Backport PR #30997, Upstream PR #30859, @tklauser)
loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay (Backport PR #31154, Upstream PR #31025, @julianwiedmann)
pkg: Add Bitwise LPM Trie Library (Backport PR #30863, Upstream PR #29717, @nathanjsweet)
slices: don't modify input slices in test (Backport PR #30997, Upstream PR #30677, @tklauser)
v1.15: Remove cilium/build from codeowners (#31210, @joestringer)

Other Changes:

v1.15] envoy: Bump golang version to 1.21.8 ([#&#8203;31221](https://github.com/cilium/cilium/issues/31221), [@&#8203;sayboras](https://github.com/sayboras))

bgpv1: Disable PodCIDR Reconciler for unsupported IPAM modes (#31354, @YutaroHayakawa)
cli: Replace --cluster-name with --helm-set cluster.name (#31176, @michi-covalent)
install: Update image digests for v1.15.1 (#30777, @michi-covalent)
Upgrade GoBGP to v3.23.0 (#30792, @YutaroHayakawa)
v1.15 envoy: Avoid duplicated upstream callback (#30942, @sayboras)
v1.15: WG L7 (#31266, @brb)

`v1.15.1`: 1.15.1

Compare Source

We are pleased to release Cilium v1.15.1. This release contains various bug fixes and improvements, including a fix for a regression where veth devices were incorrectly getting classified as native devices (https://github.com/cilium/cilium/pull/30762).

Summary of Changes

Minor Changes:

Enhance trace events from the outbound SNAT path, to report the pre-SNAT IP address and the interface index of the egress interface. (Backport PR #30704, Upstream PR #28723, @julianwiedmann)
ui: release v0.13.0 (Backport PR #30727, Upstream PR #30711, @geakstr)

Bugfixes:

envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (Backport PR #30681, Upstream PR #30543, @chaunceyjiang)
Fix bug in indexing of routes that lead to veth devices being considered native devices, which caused the wrong BPF program to be loaded onto them. (Backport PR #30767, Upstream PR #30762, @dylandreimerink)
fix edge case in node addressing logic which could result in a panic (Backport PR #30767, Upstream PR #30757, @dylandreimerink)
hive: Fix start hook log output (Backport PR #30727, Upstream PR #30712, @joamaki)
Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #30681, Upstream PR #30536, @hemanthmalla)

CI Changes:

ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR #30681, Upstream PR #30525, @tklauser)
CI: Change cloud regions (Backport PR #30681, Upstream PR #30378, @brlbil)
ci: Fix PR labels parsing in update label workflow (Backport PR #30681, Upstream PR #30507, @pippolo84)
gh: ci-verifier: use lvh-images/complexity-test as renovate dependency (Backport PR #30681, Upstream PR #30520, @julianwiedmann)
gha: additionally cover BPF masquerade in clustermesh E2E tests (Backport PR #30681, Upstream PR #30321, @giorio94)
gha: make runner type for clustermesh workflows configurable (Backport PR #30681, Upstream PR #30496, @giorio94)
Update GitHub upload-artifact action (Backport PR #30681, Upstream PR #30443, @brlbil)
workflows: Clean IPsec test output (Backport PR #30767, Upstream PR #30759, @pchaigno)

Misc Changes:

Added Last page Edit on Documentation (Backport PR #30681, Upstream PR #30612, @gailsuccess)
bgpv1: remove BGP Controller from daemon cell (Backport PR #30767, Upstream PR #30561, @harsimran-pabla)
chore(deps): update all github action dependencies (v1.15) (patch) (#30486, @renovate[bot])
chore(deps): update all kind-images main (v1.15) (patch) (#30670, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.21 (v1.15) (#30570, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.22 (v1.15) (#30671, @renovate[bot])
chore(deps): update stable lvh-images (v1.15) (patch) (#30574, @renovate[bot])
dep: Bump grpc_health_probe to v0.4.24 (Backport PR #30704, Upstream PR #30643, @ferozsalam)
docs: Document XfrmInStateInvalid errors (Backport PR #30767, Upstream PR #30151, @pchaigno)
egressgw: improvements for FIB-driven redirect path (Backport PR #30681, Upstream PR #30576, @julianwiedmann)
Fix failure in FuzzDenyPreferredInsert test (Backport PR #30681, Upstream PR #30368, @christarazi)

Other Changes:

v1.15] ci/ipsec: Fix downgrade version for release preparation commits ([#&#8203;30718](https://github.com/cilium/cilium/issues/30718), [@&#8203;qmonnet](https://github.com/qmonnet))

envoy: Bump envoy version to v1.27.3 (#30696, @sayboras)
install: Update image digests for v1.15.0 (#30559, @aanm)

v1.15.0

Docker Manifests

`v1.15.0`: 1.15.0

Compare Source

Changelog

The Cilium core team are excited to announce the Cilium 1.15 release. 🎉

Summary of Changes

Major Changes:

Add dynamic flowlog exporters configured by yaml file (configmap) without a need of agent restart. (#28873, @marqc)
Add support for extending ClusterMesh to 511 clusters
By setting the flag --max-connected-clusters=511, a new cluster will be able to connect to a ClusterMesh with up to 511 clusters. If enabled, the number of possible cluster-local identities will be reduced to 32,768. This feature can only be enabled on new clusters, and all clusters in the ClusterMesh must share the same configuration. (#27520, @thorn3r)
Add support for Gateway API v1.0 (#28836, @sayboras)
Add support for k8s 1.28 (#27361, @aanm)
Allow selecting nodes by CIDR policy (#27464, @squeed)
bgpv1: Add bgp/routes API endpoint and cilium bgp routes CLI command (#27182, @rastislavs)
gateway-api: Support GRPCRoute resource (#28654, @sayboras)
k8s: add support for k8s 1.29.0 (#29473, @aanm)
Module Health: Node Manager: First Iteration (#25994, @tommyp1ckles)
Support BGP passwords in the Go BGP implementation. (#23759, @dgl)

Minor Changes:

*_kvstore_operations_duration_seconds metrics do not include client-side rate-limiting latency anymore. (#27396, @marseel)
io.cilium.podippool.namespace: <CiliumPodIPPool_NAMESPACE> and io.cilium.podippool.name: <CiliumPodIPPool_NAME> selectors can be specified for a PodIPPoolSelector of a CiliumBGPPeeringPolicy to select a CiliumPodIPPool by namespaced name instead of labels. (#28314, @danehans)
Add cilium bpf auth flush command for debugging purposes (#27216, @meyskens)
Add an option to Cilium to set the persistent keepalive for cilium_wg0 (#27932, @chaunceyjiang)
Add an option to specify a filters and field mask for hubble-exporter (#26379, @AwesomePatrol)
Add documentation of Hubble exporter - an option to save Hubble flows to a file (#27610, @AwesomePatrol)
Add flows per second information to Hubble status (#28205, @glrf)
Add Hubble Grafana dashboards: Network and DNS overview (#27751, @lambdanis)
add Ingress controller proxy protocol support (#28194, @zetaab)
Add lbipam support for shared ips (#28806, @usiegl00)
Add option to pass api-rate-limit via Helm values (#28239, @ungureanuvladvictor)
Add option to redact http headers (#26724, @ChrsMark)
Add per-controller success/failure count metrics and a config option for these (#26850, @asauber)
Add Prometheus map pressure metrics for NAT maps (#27001, @derailed)
Add securityContext for spire pod in helm chart (#27363, @ishuar)
Add source and destination workload_kind context labels (Hubble). (#27350, @marqc)
Add strict mode for WireGuard Pod2Pod encryption (#21856, @3u13r)
Add support for filtering on HTTP URLs in Hubble (#28275, @glrf)
Added cilium_kvstoremesh_kvstore_sync_errors_counter, cilium_clustermesh_apiserver_kvstore_sync_errors_counter and kvstore_sync_errors_counter metrics that capture data synchronization errors to kvstore. (#28419, @marseel)
Added hubble_relay_pool_peer_connection_status metric for measuring the connection status of all peers. Metric keeps track of number of peers for each possible connectiion status. (#28217, @siwiutki)
Added new ingress.cilium.io/ssl-passthrough annotation for Ingress objects (#28751, @youngnick)
Added the EnableHealthCheckLoadBalancerIP flag to address health checks on LoadBalancerIP in Google Cloud Platform using KubeProxyReplacement. (#26728, @nberlee)
Adds "best-effort" mode for XDP to skip interfaces without driver support (#28666, @poblahblahblah)
Adds optional configurable jobLabel to cilium-agent, cilium-operator, and hubble serviceMonitors (#28125, @rbankston)
Adds the CiliumPodIPPool selector type to BGP CP AdvertisedPathAttributes to match CiliumPodIPPool custom resources. Path attributes apply to routes announced for selected CiliumPodIPPools. (#28310, @danehans)
Allow case-insensitive name for CNI chaining mode (#28050, @asauber)
api, cli: Show srv6 status in cilium status (#28700, @husnialhamdani)
api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #30529, Upstream PR #30167, @viktor-kurchenko)
api: Add extensions field to observer.GetFlowsRequest and flow.Flows types (#27577, @chancez)
Augments cilium status CLI to report on agent modules health status. (#25714, @derailed)
Auth map garbage collection will trigger if last local endpoint of a security identity was removed (#27697, @meyskens)
bgpv1: Add cilium-dbg bgp route-policies command & include it in the bugtool (#28973, @rastislavs)
bgpv1: Enable cilium-dbg bgp routes advertised command without specifying a peer (Backport PR #30230, Upstream PR #30033, @rastislavs)
BGPv1: Set R-bit in graceful restart capability negotiation. (#28293, @ArsenyBelorukov)
bgpv1: Use kube-system namespace by default for MD5 secret (#29478, @YutaroHayakawa)
bpf: allow overriding Makefile variables (#27492, @lmb)
bpf: compile test ENABLE_EGRESS_GATEWAY_COMMON (#27515, @lmb)
bpf: gate egressgw datapath on separate defines (#27189, @lmb)
bpf: static data: use inline asm to access static data (#27589, @ti-mo)
bpgv1: move the internal BGP signaler to a cell and allow other cells to depend on it. (#26745, @ldelossa)
can create the directory for the customized cni conf and remove the cni conf file in cleanup command (#27933, @sofat1989)
Change the Helm values configuration for SPIRE to match other images in the Helm charts (#27621, @weizhoublue)
cilium ingress should have an option to set the number of trusted loadbalancer hops (#27952, @chaunceyjiang)
cilium-agent: Remove the obsolete --bpf-lb-dev-ip-addr-inherit option (Backport PR #30264, Upstream PR #29963, @joamaki)
cilium-dbg: Add statedb query support and commands to inspect statedb tables devices, routes and l2-announce. (#28872, @joamaki)
Cilium-operator and clustermesh's kvstore metrics are now enabled by default in Helm. (#27653, @marseel)
cilium/cmd: make output of 'cilium policy selectors' sorted. (#27803, @tommyp1ckles)
cilium: export intermediate cobra.Commands (#26265, @lmb)
cilium: use absolute path to include Makefile.defs (#27054, @lmb)
CiliumL2AnnouncementPolicy will only select Services that do not specify a LoadBalancerClass or specify a LoadBalancerClass of "io.cilium/l2-announcer". (#27976, @danehans)
cli: Update cilium policy import to allow policy replacement by label (#27103, @deverton-godaddy)
clustermesh-apiserver deployment support lifecycle and terminationGracePeriodSeconds. (#26945, @acgs771126)
cmd/watchdogs: add health reporter to watchdog controller. (#29038, @tommyp1ckles)
cmd: Disable local node routes when endpoint routes are enabled (#28324, @gandro)
Config option to customize the default IP Pool when using MultiPool (#28818, @chaunceyjiang)
Correlate flows with CiliumNetworkPolicies (#27854, @chancez)
daemon: Do not require native routing CIDR if ipmasq-agent is enabled (#27747, @gandro)
daemon: don't wait for presence of unused CiliumNodeConfig CRD (#27684, @akhilles)
daemon: The option "EnableRemoteNodeIdentity" is now deprecated and will be removed from the v1.16 release. (#28300, @nathanjsweet)
Default client-go QPS and burst in agent and operator have been increased to 10 and 20 respectively for k8s versions 1.27+ (#29445, @marseel)
Delete auth map entries for removed Security IDs in SPIRE (#27663, @meyskens)
Deprecated helm options enableK8sEventHandover/enableCnpStatusUpdates were removed.
Corresponding flag "enable-k8s-event-handover" in Agent and "cnp-status-update-interval" in operator were removed. (#29395, @marseel)
docs, cilium: Remove cilium endpoint regenerate command (#27326, @christarazi)
docs: remove annotations-based l7 visibility (#28449, @networkop)
Don't automatically infer ClusterID and ClusterName for external workloads. (#27886, @giorio94)
egressgw: inject datapath config via hive (#27414, @lmb)
EgressGW: interface selection is now done with BPF, using --install-egress-gateway-routes is no longer needed. (#26215, @jibi)
egressgw: refactor check for conflicting egress IPs (#27491, @lmb)
egressgw: reject config with CiliumEndpointSlice (#27984, @julianwiedmann)
egressgw: tidy up Config handling (#27221, @lmb)
endpoint, endpointmanager: Publish max policymap size as metric (#27367, @christarazi)
ENI: fix calculateExcessIPs excessive calculate of excess ip (#28467, @wu0407)
Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport PR #30349, Upstream PR #30126, @youngnick)
envoy: Bump envoy to 1.26.2 (#26851, @sayboras)
envoy: Bump envoy version to v1.26.4 (#27104, @sayboras)
envoy: Bump envoy version to v1.27.1 (#28531, @sayboras)
envoy: Bump envoy version to v1.27.2 (#28671, @mhofstetter)
envoy: Update envoy version to the latest build (#27819, @jrajahalme)
Extend AWS metadata-based policy enforcement to work with any VPC-enabled service. (#27071, @spacepants)
Fix inaccurate calculation for bootstrap stats of restore (#27983, @PlatformLC)
fix: Preserve OwnerReferences when updating Ingresses with Load Balancer in shared mode (#28452, @bittermandel)
Fixes name used for disabling KVStoreMesh metrics. (#27680, @marseel)
FQDN: transition to asynchronous IPCache APIs (#29036, @squeed)
gateway-api: Add support for gateway.infrastructure attribute (#29122, @sayboras)
gateway-api: Add support for multiple request mirrors (#28342, @sayboras)
gateway-api: Add supported features in GatewayClass status (#29116, @sayboras)
gateway-api: Bump the version to v0.8.1 (#28195, @sayboras)
gateway-api: Bump the version to v1.0.0-rc1 (#28757, @sayboras)
gateway-api: Bump version to v0.8.0-rc1 (#27592, @sayboras)
gateway-api: Check for required CRDs upon startup (#28982, @sayboras)
gateway-api: Update API version for Reference Grant (#29811, @sayboras)
Handle IPv4 fragments in SNAT flows correctly. (#25340, @gentoo-root)
helm: Add extraVolumeMounts to cilium config init container (Backport PR #30349, Upstream PR #30131, @ayuspin)
helm: Added support for existing Cilium SPIRE NS (#29032, @PhilipSchmid)
helm: allow annotations to be set for preflight resources (#27860, @bradwhitfield)
Hide empty columns by default in "kubectl get ciliumendpoints" output (#28744, @Iiqbal2000)
hive/cell: remove health reporting on health provider. (#28773, @tommyp1ckles)
hubble-relay: Add support for peers joining during requests (#29326, @glrf)
Hubble: add option to filter for pods and services in any namespace (#28921, @glrf)
hubble: Add Support for filtering on HTTP headers (#28851, @ChrsMark)
hubble: Conditionally redact user info present in URLs in (L7) HTTP flows (#28848, @ioandr)
Hubble: improve security by adding an option to redact API key in Kafka requests (L7) (#25844, @ioandr)
hubble: replace deprecated usage of grpc.WithInsecure. (#25631, @tommyp1ckles)
Ignore Indexed Job-specific label by default for CID creation batch.kubernetes.io/job-completion-index. (#28897, @tosi3k)
Ignore StatefulSet-specific labels by default for CID creation. This includes the two following labels:
statefulset.kubernetes.io/pod-name
apps.kubernetes.io/pod-index (#28003, @tosi3k)
Implement AdvertisedPathAttributes for CiliumBGPNeighbor in the CiliumBGPPeeringPolicy CRD to allow setting BGP Community and Local Preference path attributes for advertised BGP routes. (#27705, @rastislavs)
Improve cilium status --verbose and cilium-health status --succinct support to show IPv6 IPs as well (#27912, @chaunceyjiang)
Improve cilium-agent bootstrap time when using cluster-pool ipam. (#28354, @marseel)
Improve helm validation for clustermesh, and allow creating the clustermesh configuration also in kvstore mode (#28763, @giorio94)
Improve Hubble Relay Kubernetes Readiness/Liveness check (#28765, @glrf)
Improve the usability of the cilium policy selectors command by including the policy name and namespace in order to easily understand which selector comes from what policy (#27838, @christarazi)
Increase number of dnsproxy mutexes from 128 to 131. (#27147, @marseel)
init: Poll CRD synchronization times have been lowered from 1 second to 50ms. (#28954, @howardjohn)
Introduce ability to specify SAFI/AFI for specific BGP peers. (#26940, @ldelossa)
ipam, metrics: Add new capacity metric (#27710, @christarazi)
ipam/multipool: Introduce specific ip family annotations for specifying ip pools (#28244, @hargrovee)
ipam: Remove cluster-pool-v2beta code (#27753, @gandro)
Merge clustermesh-apiserver and kvstoremesh into a single image (#27888, @giorio94)
metrics: add bpf_map_capacity metric which provides max size of maps (#28146, @tommyp1ckles)
metrics: Add workqueue metrics (#27042, @ysksuzuki)
Modular daemon and operator (#25986, @pippolo84)
Mutual Auth: only respond handshake with certificate if security ID is in use on node (#27682, @meyskens)
mutual-auth: Bump spire image version (#29101, @sayboras)
Named ports in DNS policies are now resolved correctly. (#29023, @jrajahalme)
Named ports in DNS policies are now resolved correctly. (Backport PR #30529, Upstream PR #29023, @jrajahalme)
Operator modular metrics (#28005, @pippolo84)
operator: Remove identity GC and CES controller legacy metrics (#28166, @pippolo84)
pkg/datapath: Remove defunct --single-cluster-route flag (#29221, @gandro)
pkg/labels: print all leaf CIDRs, not just the last one. (#28224, @squeed)
Pre-initialize several known metric vectors to avoid empty metrics (specifically: endpoint_regenerations_total, policy_change_total, policy_implementation_delay, policy_l7_total and kubernetes_events metrics). (#27835, @tommyp1ckles)
Propagate prefixed labels from Ingress resource to LB service (#28598, @log1cb0mb)
Refactor hubble redact settings schema (#26989, @ChrsMark)
Refactor hubble redact settings schema [v2] (#27553, @ChrsMark)
Remove deprecate clustermesh CA configuration from the helm chart (#27162, @giorio94)
Remove deprecated policy_import_errors_total metric (#28423, @tklauser)
Remove deprecated tunnel option, and corresponding helm values setting (#29053, @giorio94)
Rename the CLI for local Cilium API access to 'cilium-dbg' (#28085, @joestringer)
Replace etcd init script used for clustermesh with a Go equivalent.
Upgrade etcd to v3.5.10. (#29109, @JamesLaverack)
Replace LB-IPAM IP allocator to remove limitations and enable additional features (#26488, @dylandreimerink)
Replace metricsmap-bpf-prom-sync with Prometheus Collector pattern (#27370, @carnerito)
Respond with ICMP reply for traffic to services without backends (#28157, @dylandreimerink)
show DSR-dispatch mode in cilium-dbg status (#29217, @chaunceyjiang)
Structured Health Reporter + EndpointManager Modular Health Checks (#27522, @tommyp1ckles)
The cilium-agent now sets GOMEMLIMIT to the container's memory resource limit, which helps the Go GC to avoid unnecessary OOMs. (#27958, @bimmlerd)
The podIPPoolSelector field has been added to CiliumBGPVirtualRouter for selectively advertising multi-pool IPAM CIDRs. (#27100, @danehans)
Update to Envoy 1.27.0, run cilium-envoy process without any privileges. (#27498, @jrajahalme)
When BGP control plane is enabled and configured for service announcements, it will only advertise a matching service that has an unspecified loadbalancerClass or set for "io.cilium/bgp-control-plane". (#26905, @danehans)
When master key protection is enabled, failed attempts at recreating k8s identity resources will now be retried. (#28912, @tommyp1ckles)
When tunneling is enabled, a packet will be encapsulated by Cilium's tunnel netdev before encrypting with WireGuard. (#29000, @brb)

Bugfixes:

ImplementationSpecific Ingress paths (which for Cilium Ingress means regex path matches) are now sorted correctly in between Exact and Prefix matches. (#29381, @youngnick)
Add a 5 second timeout to the Mutual Auth TCP handshake (#26650, @meyskens)
Add default toleration for SPIRE agent on control plane nodes (Backport PR #30230, Upstream PR #28947, @meyskens)
Allow unsupported protocol family errors when deleting IPv6 proxy routing rules (Backport PR #30529, Upstream PR #30299, @rgo3)
Avoid panic during BPF program compilation when clang command fails to start (Backport PR #30264, Upstream PR #30009, @ti-mo)
backporting: Revert changes until the new workflow will be in place (#28371, @pippolo84)
bgpv1: Avoid creating resource.Store in Start() hive hooks of BGP CP to ensure proper BGP CP initialization. (Backport PR #30079, Upstream PR #29954, @rastislavs)
bgpv1: fix manager_test.go build error (#27543, @ldelossa)
bpf: fix wrong loopback address mask value (Backport PR #30230, Upstream PR #29946, @haiyuewa)
bpf: fixes an issue where inserting inner maps into an outer may fail with EINVAL due to flags mismatch (#28710, @ldelossa)
bpf: nat: set .from_local_endpoint for all inter-cluster SNAT traffic (#26853, @julianwiedmann)
bug fix: close status collector when daemon exits (#27937, @sofat1989)
bug: In dual-stack mode (both IPv4 and IPv6 are enabled), Cilium incorrectly converted CIDRs that covered all possible addresses for an IP Family (e.g. 0.0.0.0/0) to the "reserved:world" entity. Both IP families must be completely covered for "reserved:world" to apply. This resulted in dual-stack mode network policies that could not distinguish between world IPv4 and IPv6 traffic, treating them as one entity instead. (#22625, @nathanjsweet)
Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30212, Upstream PR #29239, @jrajahalme)
cleanup: can clean the bpf filters created by the cilium agent with lower version (#27373, @sofat1989)
Conntrack entries for Service connections are now printed in the canonical "source -> destination" format when using the "bpf ct list" command. (#28913, @julianwiedmann)
daemon/cmd: Updates restoreIPCache() to use errors.Is() (Backport PR #30529, Upstream PR #30220, @danehans)
daemon: Fail init if requirements for BPF masquerade are not met (Backport PR #30230, Upstream PR #29778, @pippolo84)
datapath: fix dbg-capture-proxy-[pre/post] reporting (#27704, @mhofstetter)
datapath: Fix primary flag in NodeAddress (#29483, @joamaki)
Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (Backport PR #30230, Upstream PR #29400, @meyskens)
Don't orphan CEPs when node IPV6 is preferred at dual stack k8s config (#28142, @rawmind0)
Due to a race condition in the experimental runtime device detection, Cilium could fail to make a newly added device available for node port services. (Backport PR #30230, Upstream PR #29917, @bimmlerd)
egressgateway: Use UID to identify CiliumEndpoints in epDataStore (#29124, @rastislavs)
egressgw: Fix the issue that an iptables SNAT rule in the host netns interferes packets to egress gw and bypass the egress GW policy (#29379, @ysksuzuki)
egressgw: policy: ensure egressGateway field is not nil (#27802, @jibi)
endpointmanager: fix bpf policy pressure getting stuck. (#28185, @tommyp1ckles)
envoy: Bump envoy image to include proxy_protocol filter (Backport PR #30349, Upstream PR #30260, @sayboras)
envoy: fix init order between accesslog and xDS server (#27617, @mhofstetter)
envoy: fix SO_REUSEPORT with BPF TPROXY (#30459, @mhofstetter)
examples: Fix YAML error backendRefs in HTTP Header Modifier (#27871, @haiyuewa)
Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (Backport PR #30230, Upstream PR #29986, @qmonnet)
Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #30324, Upstream PR #30248, @ti-mo)
Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #30079, Upstream PR #29616, @learnitall)
Fix bug that could cause IPsec route change failures to be silent. (Backport PR #30529, Upstream PR #29423, @derailed)
Fix bugs in health-server that cause the state in the prober's cache to drift and allow nodes with empty IP addresses to be added. (Backport PR #30230, Upstream PR #29745, @thorn3r)
Fix cilium-envoy ServiceMonitor port name (#27207, @pixiono)
Fix connection disruption for IPsec during downgrade to v1.14 by attaching correct bpf program to devices. (#27480, @jschwinger233)
Fix endpoint logger not formatting logs as JSON when daemon log format is set to JSON (#27263, @leblowl)
Fix error when using multiple allowRoutes namespaces in gateway (#30550, @mhofstetter)
Fix Helm rendering for dashboards.enabled=true (#28542, @bakito)
Fix instances of leaked health reporter updates. (Backport PR #30230, Upstream PR #30134, @tommyp1ckles)
Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (Backport PR #30349, Upstream PR #29460, @tommyp1ckles)
Fix missing NODE_ADD Hubble peer messages in some cases (#28226, @AwesomePatrol)
Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #30529, Upstream PR #30399, @tlcowling)
Fix performance regression for pod-to-pod traffic WireGuard and tunneling. (Backport PR #30529, Upstream PR #30329, @3u13r)
Fix potential deadlock that results in stale authentication entries in Cilium (#29082, @meyskens)
Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (Backport PR #30529, Upstream PR #30282, @giorio94)
Fix rendering helm operator-dashboard annotations (#29106, @Zariel)
Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (Backport PR #28500, Upstream PR #28417, @ti-mo)
fix: PromQL syntax on cilium policy query Grafana dashboard (Backport PR #30529, Upstream PR #29938, @M0NsTeRRR)
Fixed health probing where ICMP probe was incorrectly reporting node as unreachable or reporting unreachable node as reachable in some cases. (Backport PR #30529, Upstream PR #30504, @marseel)
Fixes an issue where an empty ControlPlaneState was used during registration of BGP speakers. This would cause reconciliation issues as the current state would be unknown. (#27117, @ldelossa)
Fixes an L7 proxy issue by re-introducing 2005 route table. (#29530, @jschwinger233)
gateway-api: fix empty URI when removing path prefix (#28606, @dddddai)
gateway-api: fix status reconcile error handling (Backport PR #30230, Upstream PR #29894, @mhofstetter)
gateway-api: Requeue Gateway for owning GRPCRoute (Backport PR #30230, Upstream PR #30124, @sayboras)
gateway: Add GRPCRoute support for status changed predicate (Backport PR #30230, Upstream PR #30176, @sayboras)
Handle .status.conditions on Services using in accordance with KEP-1623 (#27399, @addreas)
health: Update Cilium agent to listen on nodeip (#26845, @tamilmani1989)
helm: Correct command for initContainer config (#28613, @sayboras)
helm: Fix envoy servicemonitor annotations (Backport PR #30230, Upstream PR #30017, @pmcgrath)
Implement full CES reconciliation logic in the operator (#26836, @alan-kut)
init well-known identity before new policy repository to fix the fqdn policy issue when enable well-known identity. (Backport PR #30529, Upstream PR #30052, @yingnanzhang666)
L2 announcements retry getting lease after losing it (Backport PR #30529, Upstream PR #30340, @dylandreimerink)
l2announcer: Leases are only created for services that are being announced. (#29446, @f1ko)
l7lb: Fix bug where not all relevant ports of a Service were synchronized to Envoy (Backport PR #30264, Upstream PR #30107, @mhofstetter)
lbipam: Fix off-by-one error in LBIPAM range allocation (#29425, @YutaroHayakawa)
maps/metricspath: protect against concurrent access in Collect (Backport PR #30230, Upstream PR #30104, @buroa)
neigh: Install neighbor entries only on devices where routes exist (#28782, @ysksuzuki)
node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (Backport PR #30530, Upstream PR #30423, @gandro)
nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29973, Upstream PR #29964, @gandro)
pkg/endpoint: fix endpoint health update always being ok. (Backport PR #30529, Upstream PR #30365, @tommyp1ckles)
pkg/nodediscovery: Updates updateCiliumNodeResource() Warning Message (Backport PR #30349, Upstream PR #30257, @danehans)
Policy revert used in rare error cases has been corrected. (#29162, @jrajahalme)
policy: Fix mapstate changes error in entry change comparison (Backport PR #30079, Upstream PR #29815, @jrajahalme)
proxy: fix multiple envoy listeners for same proxyType (#27510, @mhofstetter)
Remove a misplaces ls alias that caused cilium-dbg bpf auth ls to flush the map. (Backport PR #30529, Upstream PR #30445, @meyskens)
Remove non fatal errors from SPIRE client in the operator (Backport PR #30230, Upstream PR #28698, @meyskens)
Replace use of strict to true for kubeProxyReplacement in helm chart (#27433, @xtineskim)
Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29202, @thorn3r)
srv6: modify h.encap location in the datapath to avoid incompatibility with IPv4Masq (#28817, @ldelossa)
statedb: Fix termination of string and IP keys (#29368, @joamaki)
The DNS proxy will now compute a UDP checksum over the IPv6 response packet and the pseudo-header. (#29493, @danehans)
Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport PR #30079, Upstream PR #29848, @joamaki)

CI Changes:

.github/actions: remove GKE K8s v1.23 from test matrix. (#28297, @tommyp1ckles)
.github/workflows: don't error out if pkill finds no processes (#26357, @lmb)
.github: bump k8s version from v1.28.0 -> v1.28.2. (#28664, @tommyp1ckles)
.github: dump buddyinfo and pagetypeinfo when ci-e2e fails (#26600, @lmb)
.github: re-use common helm values from a single action (#28180, @aanm)
.github: Remove Loki action (#26676, @joestringer)
Add 100 node scale test workflow (#29214, @learnitall)
Add initial, in-progress workflow for automated scale testing (#28362, @learnitall)
Add time wrapper to test agent delays in CI (#27253, @joestringer)
ariane: Disable ci-e2e-upgrade (#29488, @brb)
bpf/tests: Cover IPsec key rotations (#27185, @pchaigno)
bpf/tests: Fixed loop not unrolled error in pktgen (#28942, @dylandreimerink)
bpf: fix flakes when checking metrics map values. (#28325, @tommyp1ckles)
bpf: fix test configuration for 5.10 and 6.1 kernels (Backport PR #30230, Upstream PR #29999, @julianwiedmann)
bpf: test: pktgen cleanups (#26776, @julianwiedmann)
bpf: tests: add helpers for boilerplate code (#27429, @julianwiedmann)
bpf: tests: add helpers for common patterns (#27134, @julianwiedmann)
bpf: tests: improve CT checks for observed TCP flags (#26802, @julianwiedmann)
build(deps): bump tornado from 6.2 to 6.3.3 in /Documentation (#27497, @dependabot[bot])
ci aws: cleanup EKS cluster in separate job (#29412, @mhofstetter)
CI images: Define a variable for the floating tags (#28008, @michi-covalent)
CI images: Define a variable for the floating tags (#28228, @michi-covalent)
CI Images: Don't push floating tags from feature branches (#28044, @michi-covalent)
ci-clustermesh-upgrade: Adjust name of test to run, to match cilium-cli's renaming (Backport PR #30264, Upstream PR #30211, @qmonnet)
ci-clustermesh-upgrade: Increment timeout between rollouts to 5min (#29560, @mhofstetter)
ci-e2e-upgrade: Bring it on (#29073, @brb)
ci-e2e-upgrade: Remove setting CLI vsn (#29435, @brb)
ci-e2e: Do not print matrix config in each step (#27999, @brb)
ci-e2e: Use kernel 6.1 instead of 6.0 (#29345, @brb)
ci-ginkgo: conditionally skip fetching artifacts & junit report (#27081, @mhofstetter)
ci-gke: adjust junit file names to matrix properties (#27072, @mhofstetter)
ci-gke: remove duplicated wait for cilium (#29542, @mhofstetter)
ci-ipsec-e2e: Misc refactor + more keys (#29592, @brb)
ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #30529, Upstream PR #30503, @qmonnet)
ci: Add a call to the update label backport action (Backport PR #30264, Upstream PR #29902, @joestringer)
ci: Add a workflow to update labels of backported PRs (#27875, @pippolo84)
ci: add documentation check to documentation workflow (#29684, @mhofstetter)
ci: add K8s 1.28 platform testing (#29004, @nbusseneau)
CI: Add merge_group trigger (#29276, @brlbil)
ci: add scheduled runs for Ariane workflows (#27687, @nbusseneau)
ci: Automate generation and update of docs-builder image (#24121, @qmonnet)
ci: Avoid using deprecated "tunnel" flag (#28323, @gandro)
ci: Bump timeout of ci-runtime (#29317, @YutaroHayakawa)
ci: Bump up the memory of LVH in conformance-e2e (#29494, @michi-covalent)
ci: disable preemptible VM & GKE clusters on tests based on GKE (#29607, @mhofstetter)
ci: don't write github commit status on push event (#29404, @mhofstetter)
ci: don't write github commit status on push event (#29438, @mhofstetter)
ci: Enable link checker to ensure that all links in documentation are valid (#27116, @vipul-21)
ci: fix checking github.event.pull_request.head.sha (#26775, @mhofstetter)
ci: fix deployment issue with multiple clusters in same region (#29427, @mhofstetter)
ci: fix merge group required checks (#29337, @brlbil)
CI: fix missing names (#27839, @brlbil)
ci: fix typo in clustermesh workflow job name (#29046, @tklauser)
ci: increase cilium wait timeout to 10m on cloud providers (#29541, @mhofstetter)
ci: increase junit artifact retention from 2 to 5 days (#27021, @mhofstetter)
ci: migrate some schedule workflows to event trigger push (#29433, @mhofstetter)
ci: Remove useless quotes in update label workflow (#28952, @pippolo84)
ci: replace GHA action Sibz/github-status-action (#26976, @mhofstetter)
ci: Run documentation workflow on README.rst updates (#26559, @qmonnet)
ci: set multi-pool conformance workflow status on start (#27969, @tklauser)
ci: trigger multi-pool conformance workflow using ariane (#27957, @tklauser)
ci: upload and publish JUnit test results for conformance-multi-pool (#27025, @mhofstetter)
ci: use env variable to store branch name (#26779, @ferozsalam)
cilium-cli action: Specify the repository parameter (#29338, @michi-covalent)
Conformance AKS: wait for cilium-test namespace deletion during uninstallation (Backport PR #30230, Upstream PR #29893, @giorio94)
contrib/kind: Log DNS queries in CoreDNS pods (#27874, @pchaigno)
Correctly use cli installer action in ipv4/6 smoke (#28661, @bleggett)
datapath: Clean up XFRM configs after unit tests (#29332, @pchaigno)
Define PUSH_TO_DOCKER_HUB environment variable (#29644, @michi-covalent)
Drop support for EOLed Kubernetes versions (#29174, @michi-covalent)
egressgw: back out test for policy conflict in ENI mode (#27432, @julianwiedmann)
egressgw: make reconciliationEventsCount an atomic.Uint64 (#28154, @jibi)
egressgw: manager: test: mark helpers with c.Helper() (#28020, @jibi)
egressgw: switch unit tests to reconciliationEventsCount (#27881, @jibi)
egressgw: test for conflicting IP rules in ENI mode (#27428, @julianwiedmann)
egressgw: tests: wait for initial sync reconciliation (#29084, @jibi)
Extend BPF unit tests for IPsec (#28438, @jschwinger233)
Extend Integration Test timeout (#27811, @YutaroHayakawa)
Extend the clustermesh workflows to additionally cover the external kvstore case (Backport PR #30349, Upstream PR #29983, @giorio94)
Fix container scanning workflow (#26542, @ferozsalam)
Fix exporting results to gs bucket. (#29587, @marseel)
Fix pre-flight clusterrole check (#29224, @marseel)
Fix the build (#28229, @michi-covalent)
gateway-api: Disable HTTPRouteRequestMultipleMirrors again (#28524, @sayboras)
gateway-api: Enable CI for multiple mirror feature (#28838, @sayboras)
gh/workflows: Bump CLI to v0.15.18 (Backport PR #29899, Upstream PR #29849, @brb)
gh/workflows: Bump CLI to v0.15.8 in e2e tests (#28132, @brb)
gh/workflows: Drop rading /proc in case of failure (#29855, @brb)
gh/workflows: Fix setting endpoint routes in ci-e2e (#27384, @brb)
gh: e2e: test conformance & upgrade with 5.4 kernel and EgressGW (#29651, @julianwiedmann)
GHA: Add clustermesh upgrade and downgrade tests (#27232, @giorio94)
GHA: correctly test kvstoremesh in conformance-clustermesh (#28434, @giorio94)
gha: Disable HTTPRouteRequestMultipleMirrors test (#28396, @sayboras)
gha: Enable Ingress Controller tests in conformance-e2e (#29130, @sayboras)
gha: explicilty specify beefier runner type for clustermesh workflows (Backport PR #30349, Upstream PR #30335, @giorio94)
gha: explicit branch and trigger in ariane-scheduled workflow (#28432, @giorio94)
gha: Migrate from MetalLB to L2LB (#28926, @sayboras)
gha: Remove priviledged helm option in {Ingress, Gateway} (#28200, @sayboras)
gha: sig-servicemesh owns Ingress or Gateway API related workflows (#29812, @sayboras)
golangci: enforce use of cilium/dns over miekg/dns (#27936, @tklauser)
identity: deflake test TestGetIdentity (Backport PR #30079, Upstream PR #29720, @mhofstetter)
Improve Conformance Cluster Mesh workflow coverage (Backport PR #30349, Upstream PR #29926, @giorio94)
Improve service unit test robustness (#26212, @strudelPi)
ingress: Add conformance test for KPR=false (#27304, @sayboras)
ipam: Fix race in NodeManager.Resync (#26963, @jaffcheng)
jenkinsfiles: remove kubernetes upstream (#27349, @aanm)
k8s: Replace generate-internal-groups.sh script (#27591, @sayboras)
Make ci-ipsec-upgrade a part of /test (#27557, @jschwinger233)
Make LB-IPAM tests less flaky (#29678, @dylandreimerink)
make: drop redundant go vet ./... from integration tests (#26565, @tklauser)
Mock out time for BPF ratelimit test to make it more stable (#29740, @dylandreimerink)
Network performance (Backport PR #30529, Upstream PR #30247, @marseel)
Remove coverage collection from BPF tests (#28090, @dylandreimerink)
Remove validation timeout in controlplane testing (#26414, @pippolo84)
renovate: enable Cilium CLI patch updates for Cilium <v1.14 (#29794, @giorio94)
renovate: fix match string for go version updates in go.mod (#28000, @tklauser)
renovate: Pin cilium-cli version for <v1.14 (#26716, @michi-covalent)
restore full go vet behaviour (#28945, @bimmlerd)
Revert "CI images: Define a variable for the floating tags" (#28041, @michi-covalent)
Revert quarantine k8s datapath services test (#26400, @marseel)
Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #30349, Upstream PR #30207, @giorio94)
scale-test-100-gce: Use CILIUM_CLI_VERSION (#29562, @michi-covalent)
Set correct cluster name and id during upgrade test (#29165, @marseel)
Setup Renovate for SPIRE deployment (#27708, @meyskens)
Simplify CI image build workflow before v1.15 branch (#29834, @joestringer)
Skip k8s upstream conformance test for multiple protocols on a Service (#29524, @youngnick)
Switch to on-demand instances for AWS tests on scheduled runs. (#29366, @marseel)
test/k8s: clean up unused manifests (#29436, @tklauser)
test: custom calls: clean up kernel 4.9 leftovers (#27887, @julianwiedmann)
test: Fail ginkgo tests on warnings (#29624, @pchaigno)
test: Use previous in-pod CLI name for updates (#29208, @joestringer)
tests-e2e-upgrade: Use CILIUM_CLI_VERSION (#29496, @michi-covalent)
update upgrade tests to test from v1.14.0 to main (#27114, @aanm)
workflows: cilium-config: parametrize egressgw helm values (#28389, @jibi)
workflows: Increase IPsec e2e test's timeout (Backport PR #30230, Upstream PR #30194, @julianwiedmann)
workflows: Increase IPsec upgrade test's timeout (Backport PR #30079, Upstream PR #29934, @pchaigno)
workflows: Pin conn-disrupt-test GH action to main (#29402, @pchaigno)

Misc Changes:

.clang-format: Re-write and re-license .clang-format (#26640, @qmonnet)
.github/actions/helm-default: use the derived SHA as image tag (#28410, @aanm)
.github/workflows: only cancel concurrent jobs if not in merge_group (#29431, @aanm)
.github: add Dockerfile for hubble-relay image in Renovate config (#27404, @aanm)
.github: add workflow to track replied issues (#27283, @aanm)
.github: Build images for vX.Y.Z-pre.N releases (#27862, @joestringer)
.github: do not group jobs on merge queues (#29551, @aanm)
.github: do not upgrade ubuntu runner for integration tests (#27829, @aanm)
.github: fix renovate config (#27727, @aanm)
.github: Fix typo in workflow stage name (#28504, @joestringer)
.github: Remove master mirror (#25806, @joestringer)
.github: Remove remaining references to v1.11 (#26681, @joestringer)
.github: use kindest/node instead of quay.io/cilium/kindest-node (#27729, @aanm)
.github: write the right regex for little-vm-images versioning (#27390, @aanm)
@eloycoto is no longer an active committer (#27978, @eloycoto)

v1.15] docs: add deprecation notice for enable-remote-node-identity for v1.15 ([#&#8203;30208](https://github.com/cilium/cilium/issues/30208), [@&#8203;tklauser](https://github.com/tklauser))

Add a troubleshooting Gateway API part of the documentation (#25945, @meyskens)
Add AirQo to Cilium USERS.md (#29467, @123MwanjeMike)
Add an option to force BPF attachment to native device (#29176, @YutaroHayakawa)
Add Berops to USERS.md (#27483, @bernardhalas)
Add CEP and CES resources (#29244, @pippolo84)
Add checks to avoid use of logrus WithFields function in hot paths (#26327, @learnitall)
Add Cybozu to USERS.md (#29231, @chez-shanpu)
Add Dcode.tech to USERS.md (#28996, @eliranw)
Add deepcopy plugin (#26978, @AwesomePatrol)
Add docs on first and last IP of LB-IPAM pool (#27110, @darox)
Add error check during datapath/loader reinitialization as ApplySettings could return an error while applying sysctl settings. (#27195, @derailed)
Add G DATA CyberDefense AG as user (#27316, @farodin91)
Add guidance for bumping the Golang version in Cilium (#26789, @ferozsalam)
Add IDNIC/Kadabra as user to Cilium (#28958, @ardikabs)
Add link in maintainers.md and contributing guide to contributor ladder (#28778, @xmulligan)
Add link to getting started guide for kind cluster for common "too many files" issue (#28522, @dipankardas011)
add links to enterprise support and slack to the issues page for easier discoverability (#26551, @xmulligan)
add lint-go to merge queue check (#27542, @aanm)
Add metrics for LB-IPAM (#26173, @dylandreimerink)
Add node activity health reporters on node manager (#28799, @derailed)
Add note to the quick install documentation for increasing inotify limits (#27140, @leblowl)
Add Parseable to USERS.md (#28675, @nitisht)
Add prerelease-testing issue template (#27766, @jspaleta)
Add Schenker to the user list (#27833, @amirkkn)
Add script to run GitHub ginkgo workflow locally (#26540, @qmonnet)
Add table for node addresses (#28962, @joamaki)
add traffic shifting example for service mesh (#27845, @tanjunchen)
add Twilio to Users list (#27755, @michaelsaah)
add v1.15.0-pre.2 release (#28903, @aanm)
Add workload label context (hubble metrics). (#25667, @marqc)
Added metrics for jobs (#26077, @dylandreimerink)
Address device <-> node addressing race (#29555, @bimmlerd)
address missing binary checks for make dev-doctor. (#28269, @fujitatomoya)
alibabacloud: Allocate from vswitches with the most IP addresses (#27696, @jaffcheng)
Allow Golang bump to v1.20 on Cilium v1.12 and v1.13 (#27434, @ferozsalam)
api: Allow middleware to be injected via Hive (#29223, @gandro)
api: regenerate flow.pb.go (#27852, @Jack-R-lantern)
auth: depend on nodeIDHandler directly (#27106, @mhofstetter)
Avoid requiring the latest Go toolchain patch version to build (#28686, @joestringer)
BGP CP: API Helper Functions Cleanup (#28036, @danehans)
BGP CP: Calls String() Afi/Safi Methods instead of Duplicative Funcs (#28035, @danehans)
BGP CP: Replaces LocalNodeStore with Local CiliumNode (#28238, @danehans)
bgp: fix up formatting in CiliumBGPPeeringPolicy (#27219, @julianwiedmann)
bgpv1,ci: Add Test_AdvertisedPathAttributes into BGP component tests (#28484, @rastislavs)
bgpv1,ci: Do not use asserts in Eventually() test conditions (#28489, @rastislavs)
bgpv1: Add GetRoutes method to Router interface and generic Path type (#26803, @rastislavs)
bgpv1: Consolidate reconciler-specific maps into generic ReconcilerMetadata (#27568, @rastislavs)
bgpv1: fix incorrect error messages in the reconcilePodIPPool function (#29125, @hargrovee)
bgpv1: fix merge race conflict on NewGoBGPServer (#29321, @mhofstetter)
bgpv1: Prevent multiple reconcilers with the same name (#29071, @rastislavs)
bgpv1: Remove inappropriate comments and fix typo (#28562, @hargrovee)
bgpv1: remove references to advertisement from CiliumBGPPeeringPolicy (Backport PR #30531, Upstream PR #30337, @harsimran-pabla)
bgpv1: Reorganize BGP config reconcilers (#29277, @rastislavs)
bgpv1: set running flag in manager (Backport PR #30079, Upstream PR #30013, @harsimran-pabla)
bgpv1: Use Path type in AdvertisePath & WithdrawPath (#27223, @rastislavs)
bgpv1: Use specific log message and remove unused parameter (#28895, @hargrovee)
bigtcp: Modularize and use the devices table (#28643, @joamaki)
bpf,fib: refactor lib/fib.h to remove the now redundant code (#26380, @ldelossa)
bpf/Makefile: remove gen_compile_commands make target (#29611, @ti-mo)
bpf: avoid calculating L4 offset (#27313, @julianwiedmann)
bpf: clean up CB_NAT (#28375, @julianwiedmann)
bpf: clean up some drop notifications (#28431, @julianwiedmann)
bpf: clean up some IPv4 header validations (#29585, @julianwiedmann)
bpf: conntrack: improve handling of CT_REOPENED result (#28597, @julianwiedmann)
bpf: ct: clean up unused .seen_non_syn flag for ICMP entries (#26754, @julianwiedmann)
bpf: ct: document some unused fields in ct_entry struct (#27692, @julianwiedmann)
bpf: ct: reuse get_ct_map*() in get_cluster_ct_map*() (#27849, @julianwiedmann)
bpf: Delete obsolete do_netdev_encrypt_pools() (#28063, @jschwinger233)
bpf: don't build all bpf when making containers (fix) (#25937, @squeed)
bpf: dsr: ensure that Geneve options have correct size (#26707, @julianwiedmann)
bpf: egressgw: allow to override external API (#28277, @jibi)
bpf: egressgw: make ct_status an enum (#28399, @julianwiedmann)
bpf: egressgw: pass IPv4 tuple to egress_gw_request_needs_redirect (#27851, @jibi)
bpf: egressgw: tolerate BPF_FIB_LKUP_RET_NO_NEIGH on older kernels (Backport PR #30529, Upstream PR #30286, @julianwiedmann)
bpf: encap: clean up usage of __encap_and_redirect_with_nodeid() (#28411, @julianwiedmann)
bpf: exclude EgressGW logic in bpf_overlay (#26611, @julianwiedmann)
bpf: fib: fix issues with L2 resolution (Backport PR #30349, Upstream PR #30128, @julianwiedmann)
bpf: fine-tune a few L3 header validations (#28669, @julianwiedmann)
bpf: host: adjust scope of HostFW section in handle_ipv6() (#29052, @julianwiedmann)
bpf: hs-ipcache: use get_id_from_tunnel_id() (#28508, @julianwiedmann)
bpf: install proxy routes using Go, remove init.sh (#27445, @ti-mo)
bpf: ipsec: move get_min_encrypt_key() to encrypt.h (#28991, @julianwiedmann)
bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #30079, Upstream PR #29880, @julianwiedmann)
bpf: ipv4: refactor L4 port extraction for fragmented packets (#28717, @julianwiedmann)
bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (#29721, @julianwiedmann)
bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #30529, Upstream PR #30410, @julianwiedmann)
bpf: let set_identity_mark() also set MARK_MAGIC_IDENTITY (#28665, @julianwiedmann)
bpf: lxc: avoid upgrade/downgrade woes with CB_FROM_TUNNEL in IPv6 path (#29304, @julianwiedmann)
bpf: lxc: clarify kube-proxy workaround in to-container path (#27604, @julianwiedmann)
bpf: lxc: cleanups (#27044, @julianwiedmann)
bpf: lxc: remove unused IPv6 loopback code (#27601, @julianwiedmann)
bpf: lxc: transfer sec identity for per-EP loopback in reply direction (#27812, @julianwiedmann)
bpf: make it easier to figure out which BUILD_PERMUTATION failed (#27541, @lmb)
bpf: minor ICMPv6 improvements (#26563, @julianwiedmann)
bpf: minor loopback cleanups (#27764, @julianwiedmann)
bpf: nat: fully switch to snat_v*_rewrite_helpers() (#29403, @julianwiedmann)
bpf: nat: Handle errors from snat_v(4|6)_prepare_state() (#26501, @qmonnet)
bpf: nat: improve logic that creates the NAT entries (#26594, @julianwiedmann)
bpf: nat: limit EgressGW redirect check to bpf_host (#29159, @julianwiedmann)
bpf: nat: minor improvements (#26520, @julianwiedmann)
bpf: nat: pass NAT map to snat_v4_new_mapping() (#29049, @julianwiedmann)
bpf: nat: share rewrite logic in RevSNAT path (#27366, @julianwiedmann)
bpf: nat: small Masquerading improvements (#26848, @julianwiedmann)
bpf: nat: SNAT cleanups (#26889, @julianwiedmann)
bpf: nat: use common set of rewrite helpers (#27509, @julianwiedmann)
bpf: nodeport: constrain CT lookups to relevant entry types (#27607, @julianwiedmann)
bpf: nodeport: improve ICMP vs DSR co-existence (#26562, @julianwiedmann)
bpf: nodeport: improve tracing for inlined RevDNAT processing (#27191, @julianwiedmann)
bpf: nodeport: integrate Ingress RevSNAT and RevDNAT paths (#27488, @julianwiedmann)
bpf: nodeport: re-introduce Ingress HostFW between RevSNAT and RevDNAT (#28960, @julianwiedmann)
bpf: nodeport: split up ingress path when HostFW is enabled (Backport PR #30529, Upstream PR #30442, @julianwiedmann)
bpf: overlay: clarify delivery to local host (#27580, @julianwiedmann)
bpf: overlay: clean up CB_SRC_LABEL handling in inter-cluster-SNAT path (#28134, @julianwiedmann)
bpf: overlay: clean up extraction of source identity (#28608, @julianwiedmann)
bpf: overlay: remove unused code (#27026, @julianwiedmann)
bpf: overlay: restore bpf_clear_meta() in from-overlay (Backport PR #30349, Upstream PR #30343, @julianwiedmann)
bpf: policy: cleanups to reduce program size (#27369, @julianwiedmann)
bpf: Rename proxy_identity to src_sec_identity (#27517, @joestringer)
bpf: s/ipcache_lookup*()/lookup_ip*_remote_endpoint() (#28805, @julianwiedmann)
bpf: small improvements in TTL / hoplimit handling (#27146, @julianwiedmann)
bpf: snat: DSR-eligible traffic can skip check for Nodeport NAT conflict (#26674, @julianwiedmann)
bpf: tests: minor cleanups (#29354, @julianwiedmann)
bpf: tunnel-related cleanups in to-container path (#28920, @julianwiedmann)
bpf: use l4_load_ports() everywhere (#29135, @julianwiedmann)
bpf: xdp: remove unused XFER_ENCAP_* enums (#27264, @julianwiedmann)
Bug: Fix module health status output (#29140, @derailed)
build(deps): bump certifi from 2022.12.7 to 2023.7.22 in /Documentation (#27064, @dependabot[bot])
build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR #30529, Upstream PR #30219, @dependabot[bot])
build(deps): bump pygments from 2.14.0 to 2.15.0 in /Documentation (#26957, @dependabot[bot])
build(deps): bump urllib3 from 2.0.4 to 2.0.6 in /Documentation (#28365, @dependabot[bot])
build(deps): bump urllib3 from 2.0.6 to 2.0.7 in /Documentation (#28658, @dependabot[bot])
build: Declare GO in makefile before first use (#28983, @sayboras)
build: fix usage of local golangci-lint installation (#28162, @mhofstetter)
build: Remove envoy from Makefile target (#28436, @sayboras)
Bump allowed Golang version for v1.11 and v1.12 (#26713, @ferozsalam)
Bump controller-tools fork to v0.8.0-1 (#27063, @christarazi)
Change makefile cache to rebuild on header changes (#27605, @dylandreimerink)
Changed cilium status CLI output to render the modules health section as a tree structure vs tabular data. (#28800, @derailed)
chart: define the envoy image variable in the makefile (#27725, @weizhoublue)
Check for cilium.sock in /healthz endpoint (#28343, @chaunceyjiang)
chore(deps): pin hramos/needs-attention action to 4d47f33 (main) (#27286, @renovate[bot])
chore(deps): update actions/checkout action to v3.5.3 (main) (#26568, @renovate[bot])
chore(deps): update actions/checkout action to v4 (main) (#27940, @renovate[bot])
chore(deps): update actions/checkout action to v4 (main) (#29539, @renovate[bot])
chore(deps): update actions/github-script action to v7 (main) (#29142, @renovate[bot])
chore(deps): update actions/setup-go action to v5 (v1.15) (#30142, @renovate[bot])
chore(deps): update actions/setup-python action to v4.8.0 (main) (#29769, @renovate[bot])
chore(deps): update actions/stale action to v9 (main) (#29772, @renovate[bot])
chore(deps): update all github action dependencies (main) (#27904, @renovate[bot])
chore(deps): update all github action dependencies (main) (#28188, @renovate[bot])
chore(deps): update all github action dependencies (main) (#28736, @renovate[bot])
chore(deps): update all github action dependencies (main) (#28987, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#26570, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#26821, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#27737, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#28616, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#29260, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#26691, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#26819, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#27478, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#28066, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#28190, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#28603, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#28724, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#29262, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#29387, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#29533, @renovate[bot])
chore(deps): update all github action dependencies to v2 (main) (major) (#29540, @renovate[bot])
chore(deps): update all github action dependencies to v3 (main) (major) (#28099, @renovate[bot])
chore(deps): update all github action dependencies to v5 (main) (major) (#29773, @renovate[bot])
chore(deps): update all kind-images main (main) (#27477, @renovate[bot])
chore(deps): update all kind-images main (main) (patch) (#27479, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#27339, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#27372, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#27421, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#27858, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#28037, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#28147, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#28345, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#28725, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#28859, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#29388, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#29534, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#29556, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#29766, @renovate[bot])
chore(deps): update all lvh-images main (v1.15) (patch) (#30225, @renovate[bot])
chore(deps): update anchore/scan-action action to v3.3.8 (main) (#29573, @renovate[bot])
chore(deps): update aws-actions/configure-aws-credentials action to v3 (main) (#27743, @renovate[bot])
chore(deps): update aws-actions/configure-aws-credentials action to v4 (main) (#28100, @renovate[bot])
chore(deps): update cilium/cilium digest to 1633d7b (main) (#28868, @renovate[bot])
chore(deps): update cilium/cilium digest to 614f2dd (main) (#29386, @renovate[bot])
chore(deps): update cilium/cilium digest to 6180087 (main) (#28096, @renovate[bot])
chore(deps): update cilium/cilium digest to 8a11744 (main) (#28077, @renovate[bot])
chore(deps): update cilium/cilium digest to 93f26fd (main) (#29141, @renovate[bot])
chore(deps): update cilium/cilium digest to a79241a (main) (#28721, @renovate[bot])
chore(deps): update cilium/cilium digest to ccaaa85 (main) (#28069, @renovate[bot])
chore(deps): update cilium/cilium digest to ce02445 (main) (#28629, @renovate[bot])
chore(deps): update cilium/cilium digest to ef8ca62 (main) (#29120, @renovate[bot])
chore(deps): update cilium/cilium-cli action to v0.15.4 (main) (#26971, @renovate[bot])
chore(deps): update cilium/cilium-cli action to v0.15.6 (main) (#27600, @renovate[bot])
chore(deps): update cilium/little-vm-helper action to v0.0.12 (main) (#26974, @renovate[bot])
chore(deps): update cilium/little-vm-helper action to v0.0.12 (main) (#27257, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.0 (main) (#26571, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.10 (main) (#28460, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.10 (main) (#28604, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.11 (main) (#28624, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.13 (main) (#28989, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.14 (main) (#29234, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.16 (main) (#29464, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.17 (main) (#29557, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.19 (main) (Backport PR #30230, Upstream PR #29942, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.19 (v1.15) (#30141, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.2 (main) (#26784, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.15) (#30201, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.3 (main) (#26875, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.4 (main) (#27127, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.5 (main) (#27258, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.5 (main) (#27261, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.6 (main) (#27613, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.7 (main) (#27859, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.8 (main) (#28191, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.9 (#28406, @joestringer)
chore(deps): update dependency cilium/hubble to v0.12.1 (main) (#28520, @renovate[bot])
chore(deps): update dependency cilium/hubble to v0.12.2 (main) (#28565, @renovate[bot])
chore(deps): update dependency eksctl-io/eksctl to v0.165.0 (main) (#29537, @renovate[bot])
chore(deps): update dependency go to v1.21.1 (main) (#28067, @renovate[bot])
chore(deps): update dependency go to v1.21.4 (main) (#29558, @renovate[bot])
chore(deps): update dependency google/gops to v0.3.28 (main) (#27412, @renovate[bot])
chore(deps): update dependency kubernetes/kops to v1.28.1 (main) (#29128, @renovate[bot])
chore(deps): update dependency ubuntu to v22 (main) (#27745, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.3 (main) (#27735, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.4 (main) (#28346, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (main) (#29535, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.19.0 (main) (#29770, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.19.1 (v1.15) (#30491, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.5 docker digest to 344193a (main) (#26481, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.6 docker digest to cfc9d1b (main) (#26818, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.0 docker digest to b490ae1 (main) (#27598, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.1 docker digest to cffaba7 (main) (#28189, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.1 docker digest to d2aad22 (main) (#28064, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.3 docker digest to 24a0937 (main) (#28602, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.4 docker digest to 9baee0e (main) (#29261, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.5 docker digest to 2ff79bc (main) (#29765, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.6 docker digest to 6fbd2d3 (v1.15) (#30050, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.6 docker digest to 76aadd9 (v1.15) (#30464, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 0bced47 (main) (#26689, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2b7412e (main) (#28722, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 6120be6 (main) (#26432, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d (main) (#29572, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 990350f (main) (#28578, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 9b8dec3 (main) (#28383, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to aabed32 (main) (#27895, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e6173d4 (v1.15) (#30465, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ec050c3 (main) (#27529, @renovate[bot])
chore(deps): update docker/build-push-action action to v5 (main) (#28092, @renovate[bot])
chore(deps): update docker/setup-buildx-action action to v2.9.0 (main) (#26694, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 112a87f (v1.15) (#30473, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 91ca472 (main) (#28468, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 92d40ee (main) (#27905, @renovate[bot])
chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.11 (main) (#29767, @renovate[bot])
chore(deps): update github/codeql-action action to v2.21.2 (main) (#27265, @renovate[bot])
chore(deps): update github/codeql-action action to v2.21.5 (main) (#27734, @renovate[bot])
chore(deps): update github/codeql-action action to v2.22.5 (main) (#28860, @renovate[bot])
chore(deps): update github/codeql-action action to v2.22.9 (main) (#29768, @renovate[bot])
chore(deps): update go to v1.20.6 (main) (patch) (#26781, @renovate[bot])
chore(deps): update go to v1.20.7 (main) (patch) (#27259, @renovate[bot])
chore(deps): update go to v1.21.0 (main) (minor) (#27444, @renovate[bot])
chore(deps): update go to v1.21.1 (main) (patch) (#27993, @renovate[bot])
chore(deps): update go to v1.21.3 (main) (patch) (#28471, @renovate[bot])
chore(deps): update go to v1.21.4 (main) (patch) (#29043, @renovate[bot])
chore(deps): update go to v1.21.5 (main) (patch) (#29659, @renovate[bot])
chore(deps): update go to v1.21.6 (v1.15) (patch) (#30173, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.54.0 (main) (#27385, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.54.1 (main) (#27538, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.54.2 (main) (#27619, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.55.0 (main) (#28728, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.55.1 (main) (#28865, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.55.2 (main) (#28990, @renovate[bot])
chore(deps): update google-github-actions/setup-gcloud action to v2 (main) (#29780, @renovate[bot])
chore(deps): update hubble cli to v0.12.0 (main) (minor) (#26762, @renovate[bot])
chore(deps): update hubble cli to v0.12.3 (main) (patch) (#29749, @renovate[bot])
chore(deps): update hubble cli to v0.13.0 (v1.15) (minor) (#30273, @renovate[bot])
chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (main) (#29314, @renovate[bot])
chore(deps): update myrotvorets/set-commit-status-action action to v2 (main) (#28073, @renovate[bot])
chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (main) (#28539, @renovate[bot])
chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (main) (#28589, @renovate[bot])
chore(deps): update quay.io/cilium/kindest-node docker tag to v1.28.3 (main) (#29057, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20230915.012620 (main) (#28192, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231010.012608 (main) (#28605, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231030.012704 (main) (#28869, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231123.012848 (main) (#28992, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231211.012942 (main) (#29777, @renovate[bot])
chore(deps): update sigstore/cosign-installer action to v3.1.2 (main) (#27907, @renovate[bot])
chore(deps): update stable lvh-images (v1.15) (patch) (#30461, @renovate[bot])
chore(lint): Enable linting with gosimple (#26965, @mrueg)
chore: Add deezer as cilium user (#27846, @zwindler)
chore: Add Prometheus templating to Cilium Metrics Dashboard (#28058, @kahirokunn)
chore: add SI Analytics as cilium user (#29744, @JhoLee)
chore: rename CIDRGroups resource to CiliumCIDRGroups (#29515, @pippolo84)
chore: Use slices package from Go std lib (#28614, @pippolo84)
chore: Use slices package from Go std lib (#28822, @schlosna)
chore: Use xxx.String() instead of string(xxx.Bytes()) (#26165, @testwill)
ci-e2e: add job testing node cidr feature (#28445, @squeed)
ci-e2e: Enable debug.verbose for envoy (#26860, @sayboras)
ci: fix go mod step name (#27711, @nbusseneau)
ci: set timeout on build images workflows (#27341, @mhofstetter)
CI: Silences call to cilium uninstall (#28048, @danehans)
ci: skip cosign / sbom in case of building images during cache rebuild (#26786, @mhofstetter)
ci: skip fetching sysdump in case of skipped LB test (#26774, @mhofstetter)
ci: skip post-test info gathering in case of skipped cilium installation (#26729, @mhofstetter)
Cilium Charts set the persistent keepalive for cilium_wg0 (#28013, @chaunceyjiang)
cilium node chain refactor (#26962, @bimmlerd)
cilium, docs: Add rc.0 to development releases (#26564, @borkmann)
cilium, iptables: Extend to cover default route in enable-masquerade-… (#27664, @borkmann)
cilium-dbg, policy, api: Fix labels in policy selectors output (#29152, @christarazi)
cilium-dbg: Add "statedb node-addresses" command (#29479, @joamaki)
cilium: Add a few bwm setting tweaks (#29552, @borkmann)
cilium: Add option to masq to source route (#27618, @borkmann)
cilium: Do not warn on socket tracing if EnableSocketLBTracing was not set (#29730, @borkmann)
cilium: iptables masquerade to route source fixes (#29591, @borkmann)
cilium: Remove platform references for completion (#28505, @joestringer)
Clarify cilium_event_ts metric description (#29303, @christarazi)
Clean up deprecated and unused IPCache APIs after FQDN transition to asynchronous APIs (#29657, @tklauser)
Clean up prefix length tracking implementations (#25153, @joestringer)
cleanup: code cleanup to remove unused parameter from repository add api (#26943, @tamilmani1989)
client: Use options pattern for NewRuntime (#29271, @gandro)
clustermesh install documentation: missing step (#28889, @dashaun)
clustermesh-apiserver/kvstoremesh: unify metrics cell (#28480, @giorio94)
clustermesh-apiserver: extract external workloads in a separate cell (#28478, @giorio94)
clustermesh: make extra ipcache watcher options configurable (#27336, @giorio94)
cni: Follow CNI spec by using (containerID, ifName) as unique endpoint identifier (#26894, @gandro)
cni: log format byte array as string (#26740, @aojea)
cni: remove unused CILIUM_CNI_CONF variable from install script (#29063, @wedaly)
cocci: Re-license Coccinelle scripts as Apache 2.0 (#26629, @qmonnet)
CODEOWNERS: assign .github/actions to github-sec and ci-structure (#28394, @jibi)
CODEOWNERS: assign bpf/lib/auth.h to sig-servicemesh (#27083, @mhofstetter)
CODEOWNERS: assign egressgw control plane/datapath logic to egress-gateway team (#26952, @jibi)
CODEOWNERS: assign pkg/backoff to @cilium/sig-agent (#26573, @jibi)
CODEOWNERS: assign pkg/ip to @cilium/sig-agent (#29669, @tklauser)
CODEOWNERS: claim some new ipsec-related files for cilium/ipsec (#29516, @julianwiedmann)
codeowners: include sig-servicemesh into cilium envoy & spire helm (#27559, @mhofstetter)
CODEOWNERS: IPsec owns pkg/common/ipsec (#29002, @pchaigno)
CODEOWNERS: Let IPsec team to own GH workflows for IPsec (#29190, @brb)
CODEOWNERS: remove stale cilium_egress_gateway_policy.go entry (#27234, @giorio94)
CODEOWNERS: sig-clustermesh additionally owns clustermesh-related GHA workflows and helm templates (#29671, @giorio94)
codeowners: use new teams cilium/envoy & cilium/fqdn (#29627, @mhofstetter)
Computed and propagated the value of OldEndpoints field when merging remote cluster information. (#26474, @akstron)
config: Use String instead of StringVar method (#27794, @pippolo84)
Configure the linux node config writer through Hive (#27180, @giorio94)
contrib/kind: custom kind values (#28155, @mhofstetter)
contrib: add check for new files in check-(api|k8s)-code-gen scripts (#26790, @giorio94)
contrib: Add ContainerLab-based BGP CPlane development environment (#28292, @YutaroHayakawa)
contrib: Add support for X.Y.Z-pre.N releases (#27807, @joestringer)
contrib: fix bump-readme script (#27648, @nebril)
contrib: Fix missing function in post-release.sh (#28372, @joestringer)
contrib: Fix prerelease pullPolicy (#28906, @joestringer)
contrib: Fix remote detection for security branches (#27891, @joestringer)
contrib: Fix remote repo detection for .git suffix (#28198, @joestringer)
contrib: Make hint command copy and paste friendly (#27585, @sayboras)
contrib: Move github draft release to post-release (#27861, @joestringer)
correct stats calculation for prepareBuild of endpoint_regeneration_time (#28150, @PlatformLC)
correct stats for total time of policyregenerateion (#28153, @PlatformLC)
Correct the comment for Service4Value and Service6Value (#27824, @haiyuewa)
Creation of the /hello endpoint is delayed until the host datapath has been initialized. (#27392, @lmb)
ctmap: limit NAT purging to expected CT tuple types (#28871, @julianwiedmann)
daemon, fqdn: Remove log "DNS request no matching endpoint" when endpoint is nil (#28071, @doniacld)
daemon,pkg/service: Use hive cell infra for pkg/service (#28732, @rastislavs)
daemon: Fix incorrect node and ciliumnode resource type in annotations (#29522, @hargrovee)
daemon: remove redundant wait on restoreComplete (#27603, @ti-mo)
daemon: Simplify cilium_host IP restoration (#28781, @gandro)
daemon: Skip Ingress Endpoint on BPF watchdog (#28462, @jrajahalme)
daemon: Uniquely identify daemon ipcache upserts (#28770, @joestringer)
Daemon: Updates Detect() Call to Return Detected Devices (#28010, @danehans)
daemon: Use API server cell and adapt handlers (#25000, @joamaki)
datapath/linux/probes: remove unused Have{Map,Program}Type wrappers (#26666, @tklauser)
datapath: alignchecker: allow to extend toCheck and toCheckSizes (#28711, @jibi)
datapath: Devices table and controller (#24677, @joamaki)
datapath: Few minor improvements to DevicesController (#28887, @joamaki)
datapath: Introduce fake datapath cell (#28611, @joamaki)
dep: Replace deprecated github.com/golang/protobuf (#28203, @sayboras)
dev-doctor command version strings should be array. (#28801, @fujitatomoya)
devices: fix busy loop (#29163, @bimmlerd)
devices: Remove logging and report reason in device struct (#28393, @joamaki)
Disable StateDB metrics by default (#27657, @dylandreimerink)
dnsproxy: convert LookupEndpointByIP to use netip.Addr (#28891, @tklauser)
Do not ignore link local addresses when detecting network devices. This fixes a problem in setups where network devices that only had link local addresses were ignored. (#27868, @joamaki)
Do not log on errant release of reserved identity (#26768, @asauber)
do not start bandwidth manager in dry mode (#29183, @dylandreimerink)
doc: Add Azure CNI Powered by cilium as external installer (Backport PR #30349, Upstream PR #28286, @tamilmani1989)
doc: add circuit-breaker example for cilium service mesh (#27641, @tanjunchen)
doc: Documented pitfall with NS labels in CNPs (#26134, @PhilipSchmid)
doc: Improved Cilium ingress annotations table (#26381, @PhilipSchmid)
doc: Update recommended way for installing cilium on AKS (Backport PR #30230, Upstream PR #28910, @tamilmani1989)
docker: Tame xargs warning (#27929, @qmonnet)
Docs: Add BGP Advertised Path Attributes documentation (#28482, @rastislavs)
docs: Add CiliumPodIPPool option in BGP Adv. Path Attributes docs (#29177, @rastislavs)
docs: Add cluster install/prep guide for GKE-to-GKE clustermesh (#29342, @Neutrollized)
docs: Add Conformance Badge for Gateway API (#27470, @sayboras)
docs: Add docs structure recommendations, update style guide (#26632, @qmonnet)
docs: add documentation for policy-cidr-match-mode=nodes (#28421, @squeed)
docs: Add Egress Gateway Policy warning on egressIP and interface being mutually exclusive in the egressGateway spec. (Backport PR #30529, Upstream PR #30236, @soggiest)
docs: add instructions to build kindest-node image (#29079, @aanm)
docs: Add Keploy to user list (#27244, @Sonichigo)
docs: add MaxConnectedClusters documentation (#29637, @thorn3r)
docs: Add missing spelling exception (#26780, @qmonnet)
docs: add plusserver Kubernetes Engine to users (#28306, @sknop-cgn)
docs: Add policymap pressure debugging guide (#27903, @christarazi)
Docs: Adds CiliumPodIPPool Special Purpose Selectors (#28819, @danehans)
docs: Document Potential Dual-Stack Upgrade Issues for 1.15 (#25204, @nathanjsweet)
docs: Document renovate testing strategy (Backport PR #30230, Upstream PR #30166, @joestringer)
docs: Drop references to Helm v2 (#29463, @joestringer)
docs: egressgw: describe routing on Gateway node (Backport PR #30529, Upstream PR #30488, @julianwiedmann)
docs: Fix a typo and improve readability of a control plane architecture description in BGP Control Plane documentation (#27461, @distributethe6ix)
docs: fix chained veth plugin example (Backport PR #30230, Upstream PR #30209, @squeed)
Docs: Fix ipam_nodes metric description (#27217, @antonipp)
docs: Fix keyid derivation in IPsec docs (Backport PR #30079, Upstream PR #30000, @brb)
docs: fix minor TOC issues (#26714, @networkop)
docs: fix reference to lvh kind images (#27376, @rgo3)
docs: Fix the typo for SPIRE PVC installation option name (#27503, @haiyuewa)
docs: fix typo in troubleshooting guide (#26811, @learnitall)
docs: Fix unintentional boolean value in YAML (#26682, @dgl)
docs: Improve wording in contributions guide (#27407, @joestringer)
docs: Modify BGP MD5 password with Helm default change (#29527, @YutaroHayakawa)
docs: optimize ingress default tls secret documentation (#26684, @mhofstetter)
docs: Remove "by Default" suffix in cilium-agent metrics header (#28045, @learnitall)
docs: Remove bare URLs from Flow gRPC API Reference (#28361, @kimstacy)
docs: Remove the duplicated envoy resource list (#28281, @sayboras)
docs: specify which further release for fqdn option removal. (#29531, @squeed)
docs: Split, update, improve the contributing guide for reviewers and committers (#27085, @qmonnet)
docs: Update BGP control plane documentation with regards to LB class support and service announcements (#28253, @danehans)
docs: Update Gateway API version in example (Backport PR #30230, Upstream PR #30115, @sayboras)
docs: Update Kubernetes Gateway-API version to v0.8.1 (#28388, @haiyuewa)
docs: Update the Gateway API badge (Backport PR #30529, Upstream PR #30477, @sayboras)
docs: Update the message of Gateway API 'Programmed' (#28055, @haiyuewa)
docs: Update the tile for 'kubectl get' Gateway API (#28056, @haiyuewa)
docs: update versions and parameters for XDP Acceleration on AKS (#29091, @jshr-w)
Docs: Updates BGP CP Developer Docs (#28908, @danehans)
Docs: Updates BGP CP for PodIPPoolSelector (#28312, @danehans)
Docs: Updates for Deprecation of CNI network-plugin Flag (#28046, @danehans)
Docs: Updates L2 Announce for LB Class Support (#28252, @danehans)
docs: Use host port for serving docs (#28307, @brb)
docs: warn users that IPsec and KPR are mutual exclusive (Backport PR #30529, Upstream PR #30403, @f1ko)
Document Kind Delve debugging workflow (#26506, @ti-mo)
Documentation: Consistently use --set for cilium install (#28577, @michi-covalent)
Documentation: Replace netperf images in StarWars demos (#26842, @hhoover)
Don't log an error if the to be deleted ipset entry does not exist (#29561, @giorio94)
don't remove neighbor link state file if migrateOnly (#28659, @liuyuan10)
Don't retry one shot jobs during hive shutdown (#27395, @giorio94)
Drop mock file support from clustermesh-apiserver (#27825, @giorio94)
drop support for 1.11 (#27077, @aanm)
During startup, the agent attempts to clear out any obsolete CiliumEndpoints.
Add retry logic to ensure this process is attempted more than once should errors occur during reconciliation. (#27593, @derailed)
egressgateway: switch to Resource[T] (#28091, @lmb)
egressgw: always set ifaceName in deriveFromPolicyGatewayConfig() (#26973, @julianwiedmann)
egressgw: delete stale nexthop routes (#27105, @julianwiedmann)
egressgw: detect conflicting configurations in ENI mode (#27281, @julianwiedmann)
egressgw: doc fixes for install-egress-gateway-routes removal (#28523, @lmb)
egressgw: Switch from net to netip (#28503, @joestringer)
egressgw: test CEGP parser (#27909, @julianwiedmann)
egressgw: use Resource[T] to consume CiliumEgressGatewayPolicy (#26960, @lmb)
egressgw: use route.Upsert() for inserting nexthop / prefix IP route (#26990, @julianwiedmann)
Enable k8s cache mutation detector in the CI (#28182, @aanm)
Enable strict validation of cluster config for clustermesh (#27246, @giorio94)
enabled initalDelaySeconds on StartupProbe (#28816, @jignyasamishra)
endpoint/id: simplify TestSplitID (#26581, @tklauser)
endpoint/id: use strings.IndexByte (#28202, @tklauser)
Endpoint: actually treat identifiers as immutable, remove lock (#26757, @squeed)
endpoint: Clarify policy locking requirements (#29024, @jrajahalme)
endpoint: Clarify policy locking requirements (Backport PR #30529, Upstream PR #29024, @jrajahalme)
endpoint: fix removed code comment. (#29172, @tommyp1ckles)
endpoint: moveNewFilesTo performance and error handling improvements (#26238, @learnitall)
endpoint: Use resolved named port also in the proxy stats (Backport PR #30079, Upstream PR #29813, @jrajahalme)
endpointmanager: unexport and inline functions only used in the package (#27426, @tklauser)
endpointslice: fix EndpointSlice import (#26938, @mhofstetter)
endpointstate: Add an interface to wait for endpoint restore (#29243, @pippolo84)
Ensures daemon managed controllers are stopped when the daemon shuts down. (#28148, @derailed)
Envoy silence expected internal listener warning (#29786, @jrajahalme)
envoy: Bump cilium proxy to latest version (#27555, @mhofstetter)
envoy: Import Health check sink API (#28463, @jrajahalme)
envoy: introduce artifact copier (#27728, @mhofstetter)
envoy: optimise getWildcardNetworkPolicyRule() (#27685, @jrajahalme)
envoy: perform version check directly on envoy binary (not starter) (#29512, @mhofstetter)
envoy: periodic version-check with hive timer job (#29513, @mhofstetter)
envoy: set socket opts only if not already present in CEC (#27531, @mhofstetter)
envoy: Support internal listeners in CiliumEnvoyConfig CRDs (#29026, @jrajahalme)
envoy: update cilium/proxy to latest version (#28170, @mhofstetter)
envoy: Update to a build with health checkers enabled (#28518, @jrajahalme)
envoy: Update to pick up deny policy support (#28862, @jrajahalme)
example/connectivity-check: fix port conflict, capture termination log (#28833, @squeed)
Extend cilium scale-test to export results and gather additional data (#28594, @marseel)
Extract tunnel options to simplify override, and inject them through hive (#29051, @giorio94)
Fix Cilium Datapath Prometheus metric names (#29226, @carnerito)
Fix cilium-envoy ServiceMonitor template typo (Backport PR #30230, Upstream PR #29976, @cornfeedhobo)
Fix data race during Hubble setup (#28322, @glrf)
fix duplicated ids in prerelease testing template (#27865, @jspaleta)
Fix IPv4 checksum recalculation in SNAT flows where ports are rewritten. (#28768, @gentoo-root)
Fix k8s code generation (#27964, @aanm)
Fix kind targets (#28548, @chancez)
Fix log error in clustermesh-apiserver when connecting external workloads (Backport PR #30079, Upstream PR #29896, @giorio94)
Fix LookupReservedIdentityByLabels function to return consistent results (#26795, @skmatti)
Fix regression causing a 10x increase in the duration of endpoint integration tests (Backport PR #30079, Upstream PR #29826, @giorio94)
Fix restore of previous router IP due to missing VPC CIDR in Alibabacloud section of CiliumNode Spec (#26843, @haozhangami)
Fix spelling for "WireGuard" (#26764, @qmonnet)
Fix up CCG related metrics (#27806, @christarazi)
fix(deps): update all go dependencies main (main) (#26567, @renovate[bot])
fix(deps): update all go dependencies main (main) (#27348, @renovate[bot])
fix(deps): update all go dependencies main (main) (#27440, @renovate[bot])
fix(deps): update all go dependencies main (main) (#27906, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#26695, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#26822, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#27266, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#27742, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#28072, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#28098, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#28618, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#28730, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#28994, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#29264, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#29398, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#29538, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#29771, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#26569, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#26693, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#26820, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27135, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27260, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27441, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27736, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27939, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28070, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28193, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28348, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28514, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28615, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28727, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28866, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#28993, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#29134, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#29389, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#29536, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#29574, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#29593, @renovate[bot])
fix(deps): update golang.org/x/sys digest to 13b15b7 (main) (#29279, @renovate[bot])
fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.445 (main) (#26832, @renovate[bot])
fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.549 (main) (#28097, @renovate[bot])
fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.613 (main) (#29263, @renovate[bot])
fix(deps): update module github.com/go-openapi/validate to v0.22.2 (main) (#29280, @renovate[bot])
fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30230, Upstream PR #29971, @renovate[bot])
fix(deps): update module golang.org/x/net to v0.17.0 [security] (main) (#28546, @renovate[bot])
fix: add check if debug is enabled when adding trace levels to envoy deamonset. (#27161, @dreanor65)
fix: platform typo (#27368, @testwill)
fix: remove help message in build config failure (Backport PR #30230, Upstream PR #28974, @vipul-21)
fix: Remove the latest image tag from docs as latest tag is not published (#28241, @vipul-21)
Fixed conflicting PRs in main (#27209, @dylandreimerink)
Fixes rate limiting for CES Controller (#28963, @alan-kut)
Fixes: typo (#27201, @weizhoublue)
Follow-up nits from etcd init script pull request (#29489, @JamesLaverack)
For services with External Traffic Policy: Local Service health returns http header "X-Load-Balancing-Endpoint-Weight" with number of local endpoints. The same information is still available in response body JSON payload.LocalEndpoints. (#27017, @cezarygerard)
Forcefully terminate stale sockets connected to deleted service backends when socket-lb is enabled, and allow applications to re-connect to active backends. (#25169, @aditighag)
fqdn/dnsproxy: drop dependency on global EnableIPv{4,6} option (#28968, @tklauser)
fqdn: avoid converting from netip.Addr to net.IP and back (#29625, @tklauser)
fqdn: serialize requests per-name (Backport PR #30230, Upstream PR #30109, @squeed)
fqdn: skip ipcache insertion for names without fqdn selectors (Backport PR #30230, Upstream PR #30110, @squeed)
gateway-api: Add conformance profile test (#28262, @sayboras)
gateway-api: cleanup cell imports & dependencies (#29204, @mhofstetter)
gateway-api: De-flake HTTPRouteRequestMultipleMirrors test (#28488, @sayboras)
gateway-api: don't register secretsync if required CRDs aren't present (#29437, @mhofstetter)
gateway-api: fix up for import rename (#29143, @julianwiedmann)
gateway-api: improve secret sync resiliency (#29017, @mhofstetter)
gateway-api: set controller-runtime logger (#27961, @mhofstetter)
gateway-api: Use Gateway API definition to check Route condition (#29359, @haiyuewa)
gateway-api: watch ownerreference to enable stricter reconcilation (#28641, @mhofstetter)
Generalize ClusterID reservation mechanism for clustermesh (#27248, @giorio94)
gh: feature template: s/request/proposal (#27023, @julianwiedmann)
gha: Update kube-proxy-replacement flag values (Backport PR #30529, Upstream PR #30483, @sayboras)
go.mod, renovate: specify and update Go toolchain version (#27820, @tklauser)
go.mod, vendor: update golang.org/x/sys to latest unreleased version (#29070, @tklauser)
go.mod, vendor: update vishvananda/netlink to latest (#28779, @tklauser)
guestbook: update example with leader/follower naming (#29642, @mhofstetter)
helm: add hubble UI support for GKE dataplane v2 (#28709, @dwalker-sabiogroup)
Helm: Add possibility to use affinity on certgen job (#28412, @seb-lafond)
Helm: Allow configuration of the install-cni container resources field (#27469, @RenaudWasTaken)
helm: Allow unsupported K8s versions for now (Backport PR #29899, Upstream PR #29888, @gandro)
Helm: enforce routing mode when either gke.enabled or aksbyocni.enabled are set (Backport PR #30079, Upstream PR #29674, @giorio94)
helm: Fix annotation duplication problems for cilium-agent (#28978, @bradwhitfield)
helm: Fix typo in cilium chart's description (#27389, @nu-wa)
helm: Improve debug.verbose docs (#26463, @lgadban)
helm: put extraConfig back to the end of ConfigMap cilium-config (#27556, @mhofstetter)
helm: Updated description for Helm 'devices' flag (#26557, @PhilipSchmid)
Hive obj output improvements (#28369, @bimmlerd)
hive: Fix hive hook output and move lifecycle to cell package (Backport PR #30529, Upstream PR #30416, @joamaki)
hive: ModuleID and FullModuleID, use full ID in module health (#28512, @joamaki)
hubble-relay: fix panic during server shutdown (#29705, @mhofstetter)
Hubble-ui now supports liveness and readiness probes (#27028, @mkilchhofer)
hubble-ui: release v0.12.3 (Backport PR #30529, Upstream PR #30422, @geakstr)
hubble/relay: Remove ReportOffline and refactor PeerManager (#28595, @glrf)
hubble: Reduce "stale identities observed" debug messages even more (Backport PR #30079, Upstream PR #29957, @gandro)
identity/cache: only call SortedList for release (#27796, @bimmlerd)
identity: stop double-update of selector cache and regenerate when a local identity is allocated (Backport PR #30079, Upstream PR #29865, @squeed)
images/builder: update dependencies (#27566, @rolinh)
images: drop the kvstoremesh dockerfile (#28961, @giorio94)
images: Fix init-container script for cilium-dbg (#29424, @joestringer)
images: Support updating Envoy to PR images (#27850, @jrajahalme)
Implement NodeAddressing on top of Table[NodeAddress] (#29033, @joamaki)
Import new version of forked controller-tools (#26918, @AwesomePatrol)
improv: check for k8s backing before running sync (#27269, @kwakubiney)
Improve bump-readme.sh (#27892, @joestringer)
Improve documentation for review process for contributors and reviewers (#27324, @joestringer)
Improve Hubble decoding performance for drop, debug, policy and tracesock events (#25751, @Jack-R-lantern)
Improve Hubble decoding performance for trace events (#24162, @brancz)
Improve k8s-get-cilium-pod.sh (#28774, @timoreimann)
Improve readability of clustermesh-related log messages (#28784, @giorio94)
improve the correctness of the rate limiting implementation in certain edge cases. (#29397, @dylandreimerink)
Improve translation of CIDRGroupRefs (#26369, @pippolo84)
ingress: add unit tests to test default ingressclass (#29792, @mhofstetter)
ingress: migrate Cilium Ingress controller to use the controller-runtime library (#29327, @mhofstetter)
ingress: migrate secret-sync to controller-runtime (#29198, @mhofstetter)
init.sh: move netlink device creation to Go (#27082, @rgo3)
init.sh: move obsolete bpf_host removal to Go (#26539, @rgo3)
Introduce new BGP CRDs to provide a more flexible way to configure BGP in Cilium. (#28175, @harsimran-pabla)
Introduce resiliency package (#27614, @derailed)
Introduce sync.Map wrapper with generics support (#29452, @giorio94)
ipam,alibabacloud: Improve event driven instance resync (#25619, @jaffcheng)
ipam/multipool: Fix comment for removeExpiration (#28031, @hargrovee)
ipam/multipool: Identity allocation via etcd is now supported (#28617, @gandro)
ipam: Fix duplicate metric ipam_event release (#29520, @christarazi)
ipam: let allocator.Dump return map of allocated IPs per pool (#27997, @tklauser)
ipam: remove always-nil NewCIDRRange error return value (#26706, @tklauser)
ipam: Remove unused mock function (#28370, @gandro)
ipcache: Deprecate old API (#27576, @joestringer)
ipcache: Fix incorrect source for kube-apiserver in tests (#28407, @christarazi)
ipcache: fix releasing node CIDRs after restoration (#28620, @squeed)
ipcache: keep upserted prefixes from being deleted by InjectLabels (#29014, @squeed)
ipcache: move CIDR restoration to asynchronous APIs (#28673, @squeed)
ipcache: propagate cluster ID as part of the key (#27337, @giorio94)
ipcache: use TriggerController, not UpdateController (#29548, @squeed)
ipsec: Fix Godoc document comment typo (#27721, @haiyuewa)
ipsec: misc cleanups (#28408, @julianwiedmann)
Jobs now report health (#28677, @dylandreimerink)
k8s/apis: refactor CRD registration helpers into a separate package (#26834, @tklauser)
k8s/resource: Add support for releasable Resource[T] (#29414, @pippolo84)
k8s/slim: Clarify instructions for updating slim files (Backport PR #30230, Upstream PR #29877, @christarazi)
k8s: remove extensions/v1beta1 support (#28002, @tklauser)
k8s: remove unused slim k8s model for Ingress & IngressClass (#29517, @mhofstetter)
kvstore: drop unused deleteInvalidPrefixes variable (#27074, @giorio94)
l2respondermap: Correct the comment for L2Responder Key and Stats (#27986, @haiyuewa)
l2respondermap: Rename the L2Responder key create function (#28015, @haiyuewa)
L7 Loadbalancing: Migrate to controller-runtime library (#29126, @mhofstetter)
labels/cidr: Fix slice preallocation size (#28378, @pippolo84)
labels: further optimize IPStringToLabel for single IP case (#29040, @tklauser)
labels: small optimization in NewFrom and various cleanups (Backport PR #30230, Upstream PR #30006, @tklauser)
loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR #30324, Upstream PR #30214, @ti-mo)
loader: attach XDP programs using bpf_link (#28308, @rgo3)
loader: do not invoke llc separately (#29458, @lmb)
Log endpoint instead of pod names where appropriate (#27427, @tklauser)
MAINTAINERS: Add Jussi Mäki (#26603, @michi-covalent)
Make it easier to depend on clustermesh types outside of its package (#27242, @giorio94)
Make the community team the owner of /USERS.md (#27321, @michi-covalent)
make: add "run-builder" target (#28587, @jrajahalme)
make: allow to override values.yaml template name (#27235, @giorio94)
makefile: add back the sed command to update the logo path (#28929, @bradwhitfield)
Makefile: add kind-egressgw targets (#28793, @jibi)
makefile: fix 'fast' targets for cilium-dbg (#28547, @aanm)
makefile: fix 'make kind' for mac (#28791, @f1ko)
Makefile: Fix variable override not working in all cases (#29599, @gandro)
maps/ctmap: simplify ip/port parsing using netip.ParseAddrPort (#28827, @tklauser)
maps: do not depend on global variable to initialize CT maps (#27275, @giorio94)
maps: maglev_test: remove toleration for 4.9 kernel (#27046, @julianwiedmann)
maps: nat: fix copy & paste in error message from doFlush*() (#29097, @julianwiedmann)
metrics: revert changes to pre-init kubernetes events metrics + improve metric logs (Backport PR #30079, Upstream PR #29343, @tommyp1ckles)
Minor documentation fixes and improvements for the BGP MD5 feature (#29375, @nvibert)
Misc updates in renovate configuration (#27328, @aanm)
Miscellaneous improvements about kvstore logging (#28843, @giorio94)
Miscellaneous improvements to the etcd client (#28834, @giorio94)
mlh: disable remove PR to project (#26863, @mhofstetter)
mlh: use a regexp to check signed-off-by (#27732, @kaworu)
Modularise MTU discovery (#28964, @bimmlerd)
Modularize ipcache BPF listener (#29194, @giorio94)
Modularize kernel modules manager into its own cell (#28713, @pippolo84)
Modularize stale endpoint gc in an independent cell (Backport PR #30079, Upstream PR #29246, @pippolo84)
Modularized the bandwidth manager (#28619, @dylandreimerink)
mountinfo: fix build on linux/386 (#29481, @tklauser)
netns: remove unused RemoveIfFromNetNSWithNameIfBothExist (#27411, @tklauser)
node: allow to override enable encapsulation on a per-node basis (#29232, @giorio94)
node: introduce prefix cluster mutator (#27354, @giorio94)
node: Only Add Enabled IPs to Labels (#28360, @nathanjsweet)
nodediscovery: support additional IP address sources for the local node (#27507, @tklauser)
None (#28738, @saschagrunert)
Operator: Add missing observability for Azure API calls (#26277, @hemanthmalla)
operator: extract controller-runtime integration into its own cell (#28931, @mhofstetter)
operator: Fix CEP and CES events debug logs (#28797, @dlapcevic)
operator: introduce cec l7 envoy loadbalancing cell (#28835, @mhofstetter)
operator: introduce gateway api cell (#28785, @mhofstetter)
operator: introduce Ingress cell (#28794, @mhofstetter)
operator: Migrate Cilium Endpoint GC to hive (#28233, @alan-kut)
Optimize IP/FQDN management in the DNSCache (#29691, @squeed)
option: add LoadBalancerUsesDSR() helper (#26898, @julianwiedmann)
pkg/aws: Improve event driven instance resync for AWS IPAM (#27791, @jaffcheng)
pkg/bgpv1: Updates getPeerConfig() Method (#28474, @danehans)
pkg/cidr: Move linux specific variable references from netlink (#27638, @aditighag)
pkg/policy: Convert benchmarks in resolve_test.go to std benchmarks (#27815, @christarazi)
pkg/pprof: add CODEOWNER (#28278, @lmb)
pkg/proxy/logger: switch to netip.Addr (#28783, @tklauser)
pkg/rand: remove random name generator (#29664, @aanm)
pkg: proxy: only install from-proxy rules/routes for native routing (#29761, @julianwiedmann)
plugins/cilium-cni: cleanups around IPAM allocation and veth pair creation (#26595, @tklauser)
plugins/cilium-cni: Introduce endpoint customization (#29707, @gandro)
plugins/cilium-cni: make error formatting consistent (#27535, @tklauser)
plugins/cilium-cni: Move implementation into separate package (#29336, @gandro)
plugins/cilium-cni: reduce string allocations of CNI command arguments (#27681, @tklauser)
policy/api: use netip.Addr when sanitizing CIDR rules (#28121, @tklauser)
policy: Describe CIDR superset logic for denies and FQDN (#26720, @joestringer)
policy: expand "world" entity selector to select all address families (Backport PR #29961, Upstream PR #29958, @squeed)
policy: Fix MapState.Equals() (Backport PR #30264, Upstream PR #30233, @jrajahalme)
policy: Return a real nil rather than a non-nil interface (#29022, @jrajahalme)
policy: Simplify AccumulateMapChanges prototypes (#29025, @jrajahalme)
policy: Simplify AccumulateMapChanges prototypes (Backport PR #30529, Upstream PR #29025, @jrajahalme)
Prepare for release v1.14.0-rc.0 (#26546, @joestringer)
Prepare for release v1.15.0-pre.0 (#27853, @aanm)
Prepare for release v1.15.0-pre.1 (#28336, @aanm)
Prepare for release v1.15.0-pre.2 (#28901, @aanm)
Prepare for release v1.15.0-pre.3 (#29596, @aanm)
Prepare for v1.15 development cycle (#26516, @joestringer)
Prepare v1.15 stable branch (#29838, @joestringer)
probes: remove HAVE_FIB_LOOKUP leftovers (#29401, @rgo3)
Propagate the CiliumClusterConfig through etcd when Cilium is configured in kvstore mode (#27109, @giorio94)
Provide CT/NAT maps GC logic through hive (#27356, @giorio94)
proxy: allow to provide fixed port for DNS proxy via cell (#28786, @tklauser)
proxy: define and use well known datapath constants (#28955, @tklauser)
proxy: export ProxyConfig fields (#29827, @tklauser)
proxy: introduce envoy cell (#26657, @mhofstetter)
proxy: refactor package global vars to proxy fields (#26619, @mhofstetter)
proxy: refactor proxy.CreateOrUpdateRedirect (#26839, @mhofstetter)
proxy: refactor redirect integration (#27049, @mhofstetter)
proxy: remove unused xds resource access timeout (#26747, @mhofstetter)
README: Remove v1.11 from stable releases table (#27466, @joestringer)
README: Update releases (#27864, @joestringer)
README: Update releases (#28179, @michi-covalent)
README: Update releases (#28340, @aanm)
README: Update releases (#28689, @jrajahalme)
README: Update releases (#29170, @nathanjsweet)
README: Update releases (#29609, @aanm)
Refactor duplicate imports for Cilium v2alpha1 API (#26620, @dlapcevic)
Refactor LocalNode synchronization logic and remove NodeChain (#29319, @giorio94)
Refactor the per-cluster CT maps manager (#27448, @giorio94)
Refactor the per-cluster NAT maps manager (#27430, @giorio94)
Refactor watchstore/watchsync metrics (#27485, @marseel)
Refactors the use of ControlPlaneState in the BGP-CP (#26992, @ldelossa)
Register cluster-id and cluster-name flags through hive (#27823, @giorio94)
Register endpointmanager metrics via dependency injected registry (#26078, @dylandreimerink)
Register service/endpoint flags through hive (#27817, @giorio94)
release image: Allow arbitrary pre-release identifiers (#29173, @michi-covalent)
relicense test/bpf/unit_test.c to not be GPL (#26618, @Joffref)
Remove accidentally checked in .orig file (#29145, @christarazi)
Remove daemon health from being reported via the CLI (#28404, @derailed)
Remove dependencies on linux probes for Windows builds (#28367, @glrf)
Remove NodeSpecer and ControlPlaneState from BGP-CP. Rely on Hive/Cell for further ConfigReconciler dependencies. (#27285, @ldelossa)
Remove unnecessary type conversions in fqdn zombies handling (#27047, @giorio94)
Remove usage of global options from iptables cell (#29088, @pippolo84)
removed unnecessary 'revert' parameter from Newk8sTranslator and updated api calls accordingly. (#26217, @akstron)
Removes Unused TransformToNode() Func (#26743, @danehans)
Rename egress_policies.h to srv6.h and add SRv6 related trace reasons. (Backport PR #30529, Upstream PR #30154, @ldelossa)
Renamed Hubble Dashboard so that it can be installed by Grafana Sidecar. (#28971, @saintdle)
renovate: ignore all gops updates (#27631, @tklauser)
renovate: schedule all renovate updates for Monday (#28585, @aanm)
Replace some usages of fmt.Sprintf with more efficient string concatenation (#27518, @schlosna)
Replace StateDB with StateDB2 (#27628, @dylandreimerink)
report endpoint ID on endpoint BPF program (#28747, @aanm)
Report node source in cilium-dbg node list (#29196, @tklauser)
Resiliency: Add checks to ensure endpoint BPF programs remain loaded (#27981, @derailed)
Resiliency: Add retry logic to attempt to clear out stale hostip (#27673, @derailed)
Resiliency: Node manager reconciliation path yields unchecked errors (#27714, @derailed)
resource: Add support for custom Indexers (#27032, @pippolo84)
Revert ".github: write the right regex for little-vm-images versioning" (#27415, @aanm)
Revert "Refactor hubble redact settings schema" (#27352, @joamaki)
secret-sync: extract secret-sync logic from gateway api controller & introduce hive cell (#29100, @mhofstetter)
service: fix service manager interface mismatch caused by merge race (#29018, @giorio94)
Set RouteMTU for generic veth (#26495, @sugangli)
Some small fixes to make kind-fast (#28621, @squeed)
Split mapstate keys into allow and deny (#28352, @bimmlerd)
Splits Apart kind-image-fast Make Target (#28079, @danehans)
SRv6: Add quality of life methods for SID map usage. (#27192, @ldelossa)
StateDB review follow-ups (#28030, @joamaki)
statedb v2.0 with per-table locks and delete tracking (#27160, @joamaki)
statedb: Allow non-terminated keys (#29440, @joamaki)
statedb: extract REST API handler to pkg (#26645, @bimmlerd)
statedb: Fix revision indexing (#29840, @joamaki)
statedb: Fix watch channel returned by LowerBound (#28644, @joamaki)
statedb: Rename statedb2 to statedb (#27643, @joamaki)
statedb: Simplify integration with Hive (#28892, @joamaki)
StateDB: split write methods from Table into RWTable (#28140, @joamaki)
statedb: Use proper context for graveyard rate limiting (#28888, @joamaki)
stream: fix spurious event on termination when Debounce is used (#29347, @giorio94)
Support for batch deletion of endpoints (#27351, @tklauser)
test/controlplane: Fix hostport test after API change (#26685, @pippolo84)
test: remove probes-test.sh (#29612, @rgo3)
tests: replace more incorrect DeepEquals uses (#25829, @markpash)
treewide: wrap multiple errors using the standard library (#26524, @rolinh)
typo fix (#28231, @yylt)
Typo fix in the docs (Backport PR #30529, Upstream PR #30407, @nvibert)
typo in the debug document (#27627, @weizhoublue)
Update codeowners for recent lb-ipam / ipalloc changes (#28803, @joestringer)
Update ec2 eni limits - current as of Oct 30, 2023 (#28880, @michaelsaah)
update github.com/cilium/ebpf to v0.12.0 (#28533, @lmb)
Update Hubble UI from v0.12.0 to v0.12.1 (#28532, @rolinh)
Update hubble-exporter.rst (#28081, @nvibert)
update k8s dependencies to v0.28.2 (#28648, @aanm)
Update l2-announcements.rst (#27988, @nvibert)
Update lb-ipam.rst (#28756, @nvibert)
Update Palantir usecases (#26633, @ungureanuvladvictor)
Update prereleases (#26871, @joestringer)
Update renovate configuration for ginkgo and kindest/node (#27347, @aanm)
Update SPIRE dependency to v1.8.5 (#29597, @meyskens)
Update stable releases (#27112, @aanm)
Update stable releases (#27126, @nathanjsweet)
Update stable releases (#27637, @asauber)
Update the TCP conntrack entry timeouts to a lower value, so that closed entries are garbage collected earlier, thus freeing up the conntrack map. (#27665, @aditighag)
Update v1.15.0-RC.1 digests (#30277, @aanm)
updated docs to reflect Envoy as a DS option (Backport PR #30230, Upstream PR #29518, @nvibert)
Use generic Set instead of specified Set (#26378, @bzsuni)
Use generics in k8s factory functions (#26367, @AwesomePatrol)
Use Go 1.19 atomic types (#27563, @tklauser)
Use Go 1.19 atomic types and their default value (#27844, @tklauser)
Use Resource[T] to implement CEP and CES watchers (Backport PR #30230, Upstream PR #29249, @pippolo84)
USERS: Add Trendyol (#26946, @eminaktas)
vendor: downgrade github.com/shirou/gopsutil/v3 to v3.23.2 (#27623, @aanm)
watchers: use resource for network policies (#26601, @bimmlerd)

Other Changes:

1.15] loader: fix obsolete XDP program removal ([#&#8203;30224](https://github.com/cilium/cilium/issues/30224), [@&#8203;rgo3](https://github.com/rgo3))

Add specific drop reason for missing tail calls if the host datapath is not ready yet (#30203, @ti-mo)
envoy: Bump envoy version for x/net library (#30509, @sayboras)
install: Update image digests for v1.15.0-rc.0 (#29906, @joestringer)
Prepare for release v1.15.0-rc.0 (#29883, @joestringer)
Prepare for release v1.15.0-rc.1 (#30271, @aanm)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.0@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619
quay.io/cilium/cilium:stable@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.0@sha256:43feb49dfbaa82388dc653ce12c7626ce40ae375e9853d71b9f5cff0ce61d54a
quay.io/cilium/clustermesh-apiserver:stable@sha256:43feb49dfbaa82388dc653ce12c7626ce40ae375e9853d71b9f5cff0ce61d54a

docker-plugin

quay.io/cilium/docker-plugin:v1.15.0@sha256:6c79c492da7b3574509a94b0c6b4ef0570c005aa6be5879b71d8e59e103f2a7b
quay.io/cilium/docker-plugin:stable@sha256:6c79c492da7b3574509a94b0c6b4ef0570c005aa6be5879b71d8e59e103f2a7b

hubble-relay

quay.io/cilium/hubble-relay:v1.15.0@sha256:45b3ea70b73aee01644f800b8f6138c36446bfb130d2b88b0f75775ebe6a9ab6
quay.io/cilium/hubble-relay:stable@sha256:45b3ea70b73aee01644f800b8f6138c36446bfb130d2b88b0f75775ebe6a9ab6

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.0@sha256:ee03349caef5519f8e9123132cf17c85b771f8fff095c57f00a2af8bb3224b79
quay.io/cilium/operator-alibabacloud:stable@sha256:ee03349caef5519f8e9123132cf17c85b771f8fff095c57f00a2af8bb3224b79

operator-aws

quay.io/cilium/operator-aws:v1.15.0@sha256:cf45167a8bb336c763046553c6a97c0d7f12f7e2a498dfb2340fa27832a81b3a
quay.io/cilium/operator-aws:stable@sha256:cf45167a8bb336c763046553c6a97c0d7f12f7e2a498dfb2340fa27832a81b3a

operator-azure

quay.io/cilium/operator-azure:v1.15.0@sha256:498a9e940cddd4e58d401a13005b0784ed9597bfe1e5cf2f52b6ba9ccceee768
quay.io/cilium/operator-azure:stable@sha256:498a9e940cddd4e58d401a13005b0784ed9597bfe1e5cf2f52b6ba9ccceee768

operator-generic

quay.io/cilium/operator-generic:v1.15.0@sha256:e26ecd316e742e4c8aa1e302ba8b577c2d37d114583d6c4cdd2b638493546a79
quay.io/cilium/operator-generic:stable@sha256:e26ecd316e742e4c8aa1e302ba8b577c2d37d114583d6c4cdd2b638493546a79

operator

quay.io/cilium/operator:v1.15.0@sha256:949ec05e962d370437deb6ca4b27b05b8e9c8077bfa6a5b9b4d80d08a26d4fee
quay.io/cilium/operator:stable@sha256:949ec05e962d370437deb6ca4b27b05b8e9c8077bfa6a5b9b4d80d08a26d4fee

`v1.14.8`: 1.14.8

Compare Source

We are pleased to release Cilium v1.14.8.

Security Advisories

This patch release addresses security vulnerabilities. See the following security advisories
for details.

IPsec

This patch release includes significant changes for the IPsec stack, to resolve issues for connections that are selected by a L7 Network Policy or a DNS Policy.

Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode.

Summary of Changes

Minor Changes:

Enhance trace events from the outbound SNAT path, to report the pre-SNAT IP address and the interface index of the egress interface. (Backport PR #30835, Upstream PR #28723, @julianwiedmann)
Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (Backport PR #31337, Upstream PR #31205, @squeed)

Bugfixes:

endpoint: fix inability to create endpoint with labels in a single API call (Backport PR #31000, Upstream PR #30170, @oblazek)
Fix bug prevented endpoints from sending or receiving network traffic due to the 'reserved:init' label persisting after initialization. (Backport PR #31048, Upstream PR #30909, @aanm)
Fixes an IPv6 issue that cilium doesn't respond to Neighbor Solicitation targeting the pods on same node. (Backport PR #31186, Upstream PR #30837, @jschwinger233)
Fixes an L7 proxy issue by re-introducing 2005 route table. (Backport PR #31160, Upstream PR #29530, @jschwinger233)
Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR #31160, Upstream PR #29594, @jschwinger233)
Fixes proxy issues in egress direction (Backport PR #31160, Upstream PR #30095, @jschwinger233)
helm: Probe Envoy DaemonSet localhost IP directly (Backport PR #31000, Upstream PR #30970, @iandrewt)
Policy revert used in rare error cases has been corrected. (Backport PR #30882, Upstream PR #29162, @jrajahalme)
srv6: Fix packet drop with GSO type mismatch (Backport PR #30800, Upstream PR #30732, @YutaroHayakawa)
xds: Avoid xds timeout due to agent restart in envoy DS mode (Backport PR #31156, Upstream PR #31061, @sayboras)

CI Changes:

Align again conformance clustermesh matrix entries with main as the interoperability issue has been fixed (#30912, @giorio94)
ci-e2e: restore 6.1 kernels (#30862, @lmb)
ci/ipsec: Fix downgrade version retrieval (Backport PR #31048, Upstream PR #30742, @qmonnet)
ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #30864, Upstream PR #30790, @brlbil)
CI: Update tested K8S versions across all cloud providers (Backport PR #30864, Upstream PR #30795, @brlbil)
Fix datapath mode in Network Performance CI test (Backport PR #30864, Upstream PR #30756, @marseel)
workflows: Clean IPsec test output (Backport PR #30800, Upstream PR #30759, @pchaigno)

Misc Changes:

bgpv1: Remove disruptive error handling from BGPRouterManager (#30765, @YutaroHayakawa)
bgpv1: Remove or downgrade noisy logs (Backport PR #31000, Upstream PR #30868, @YutaroHayakawa)
bitlpm: Factor out common code (Backport PR #31156, Upstream PR #31026, @jrajahalme)
bpf: host: optimize from-host's ICMPv6 path (Backport PR #31186, Upstream PR #31127, @julianwiedmann)
bpf: host: skip from-proxy handling in from-netdev (Backport PR #31160, Upstream PR #29962, @julianwiedmann)
bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (Backport PR #31160, Upstream PR #29721, @julianwiedmann)
bpf: minor ICMPv6 improvements (Backport PR #31186, Upstream PR #26563, @julianwiedmann)
bugtool: Capture memory fragmentation info from /proc (Backport PR #31156, Upstream PR #30966, @pchaigno)
Bump google.golang.org/protobuf (v1.14) (#31314, @ferozsalam)
chore(deps): update actions/download-artifact action to v4.1.3 (v1.14) (#30989, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (#30954, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (#31114, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (#31294, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (patch) (#31136, @renovate[bot])
chore(deps): update all github action dependencies to v4 (v1.14) (major) (#30782, @renovate[bot])
chore(deps): update all-dependencies (v1.14) (#30952, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.23 (v1.14) (#30861, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.0 (v1.14) (#31173, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 77906da (v1.14) (#31291, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e9569c2 (v1.14) (#30739, @renovate[bot])
chore(deps): update go to v1.21.7 (v1.14) (#30953, @renovate[bot])
chore(deps): update go to v1.21.8 (v1.14) (#31184, @renovate[bot])
chore(deps): update hubble cli to v0.13.2 (v1.14) (#31339, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to v6.6-20240221.111541 (v1.14) (#30979, @renovate[bot])
chore(deps): update stable lvh-images (v1.14) (patch) (#30653, @renovate[bot])
chore(deps): update stable lvh-images (v1.14) (patch) (#31137, @renovate[bot])
chore(deps): update stable lvh-images (v1.14) (patch) (#31293, @renovate[bot])
container/bitlpm: Add Lookup Boolean Return Value (Backport PR #31156, Upstream PR #31037, @nathanjsweet)
docs: Document XfrmInStateInvalid errors (Backport PR #30800, Upstream PR #30151, @pchaigno)
docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (Backport PR #31156, Upstream PR #30462, @saintdle)
identity/cache: only call SortedList for release (Backport PR #30864, Upstream PR #27796, @bimmlerd)
images: bump cni plugins to v1.4.1 (#31349, @aanm)
lbipam: copy slice before modification in (*LBIPAM).handlePoolModified (Backport PR #31000, Upstream PR #30859, @tklauser)
loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay (Backport PR #31156, Upstream PR #31025, @julianwiedmann)
pkg: Add Bitwise LPM Trie Library (Backport PR #30864, Upstream PR #29717, @nathanjsweet)
pkg: proxy: only install from-proxy rules/routes for native routing (Backport PR #31160, Upstream PR #29761, @julianwiedmann)
slices: don't modify input slices in test (Backport PR #31000, Upstream PR #30677, @tklauser)

Other Changes:

v1.14] bpf: nodeport: add missing ifindex in NAT trace event ([#&#8203;31022](https://github.com/cilium/cilium/issues/31022), [@&#8203;julianwiedmann](https://github.com/julianwiedmann))

v1.14] envoy: Bump golang version to 1.21.8 ([#&#8203;31222](https://github.com/cilium/cilium/issues/31222), [@&#8203;sayboras](https://github.com/sayboras))

v1.14] iptables: Read CNI chaining mode from CNI config manager ([#&#8203;31265](https://github.com/cilium/cilium/issues/31265), [@&#8203;pippolo84](https://github.com/pippolo84))

cli: Replace --cluster-name with --helm-set cluster.name (#31177, @michi-covalent)
install: Update image digests for v1.14.7 (#30752, @michi-covalent)
Upgrade GoBGP to v3.23.0 and backport #28293 (#30793, @YutaroHayakawa)
v1.14: WG L7 (#31267, @brb)

`v1.14.7`: 1.14.7

Compare Source

We are pleased to release Cilium v1.14.7. This release contains various bug fixes and performance / usability improvements, including a fix for performance regression for pod-to-pod traffic WireGuard and tunneling (https://github.com/cilium/cilium/pull/30329).

Summary of Changes

Minor Changes:

api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #30554, Upstream PR #30167, @viktor-kurchenko)
Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport PR #30355, Upstream PR #30126, @youngnick)
helm: Add extraVolumeMounts to cilium config init container (Backport PR #30355, Upstream PR #30131, @ayuspin)
ui: release v0.13.0 (Backport PR #30724, Upstream PR #30711, @geakstr)

Bugfixes:

envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (Backport PR #30680, Upstream PR #30543, @chaunceyjiang)
Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #30323, Upstream PR #30248, @ti-mo)
Fix cilium-envoy ServiceMonitor port name (Backport PR #30554, Upstream PR #27207, @pixiono)
Fix error when using multiple allowRoutes namespaces in gateway (#30551, @mhofstetter)
Fix error when using multiple allowRoutes namespaces in gateway (Backport PR #30554, Upstream PR #30100, @chaunceyjiang)
Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (Backport PR #30355, Upstream PR #29460, @tommyp1ckles)
Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #30554, Upstream PR #30399, @tlcowling)
Fix performance regression for pod-to-pod traffic WireGuard and tunneling. (Backport PR #30554, Upstream PR #30329, @3u13r)
Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (Backport PR #30554, Upstream PR #30282, @giorio94)
hive: Fix start hook log output (Backport PR #30724, Upstream PR #30712, @joamaki)
init well-known identity before new policy repository to fix the fqdn policy issue when enable well-known identity. (Backport PR #30554, Upstream PR #30052, @yingnanzhang666)
L2 announcements retry getting lease after losing it (Backport PR #30355, Upstream PR #30340, @dylandreimerink)
node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (Backport PR #30534, Upstream PR #30423, @gandro)
Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #30680, Upstream PR #30536, @hemanthmalla)

CI Changes:

ci datapath-verifier: add connectivity test (Backport PR #30371, Upstream PR #29633, @mhofstetter)
ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #30554, Upstream PR #30503, @qmonnet)
ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR #30680, Upstream PR #30525, @tklauser)
ci: Bump timeout of ci-runtime (Backport PR #30554, Upstream PR #29317, @YutaroHayakawa)
ci: bypass proxy.golang.org in Go toolchain installation (Backport PR #30371, Upstream PR #29549, @tklauser)
CI: Change cloud regions (Backport PR #30680, Upstream PR #30378, @brlbil)
ci: disable cgo when installing Go toolchain (Backport PR #30371, Upstream PR #27869, @tklauser)
ci: run verifier tests with proper Go toolchain version (Backport PR #30371, Upstream PR #27857, @tklauser)
Extend the clustermesh workflows to additionally cover the external kvstore case (Backport PR #30355, Upstream PR #29983, @giorio94)
gh: ci-verifier: use lvh-images/complexity-test as renovate dependency (Backport PR #30680, Upstream PR #30520, @julianwiedmann)
gha: additionally cover BPF masquerade in clustermesh E2E tests (Backport PR #30680, Upstream PR #30321, @giorio94)
gha: explicilty specify beefier runner type for clustermesh workflows (Backport PR #30355, Upstream PR #30335, @giorio94)
gha: make runner type for clustermesh workflows configurable (Backport PR #30680, Upstream PR #30496, @giorio94)
Improve Conformance Cluster Mesh workflow coverage (Backport PR #30355, Upstream PR #29926, @giorio94)
Network performance (Backport PR #30554, Upstream PR #30247, @marseel)
Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #30355, Upstream PR #30207, @giorio94)
Update GitHub upload-artifact action (Backport PR #30554, Upstream PR #30443, @brlbil)

Misc Changes:

Added Last page Edit on Documentation (Backport PR #30680, Upstream PR #30612, @gailsuccess)
bpf: fib: fix issues with L2 resolution (Backport PR #30372, Upstream PR #30128, @julianwiedmann)
bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #30554, Upstream PR #30410, @julianwiedmann)
bpf: overlay: restore bpf_clear_meta() in from-overlay (Backport PR #30355, Upstream PR #30343, @julianwiedmann)
build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR #30554, Upstream PR #30219, @dependabot[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.14) (#30144, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.21 (v1.14) (#30571, @renovate[bot])
chore(deps): update dependency go to v1.21.6 (v1.14) (#30174, @renovate[bot])
chore(deps): update dependency go to v1.21.6 (v1.14) (#30640, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.6 (v1.14) (#30641, @renovate[bot])
chore(deps): update go to v1.21.6 (v1.14) (minor) (#30145, @renovate[bot])
chore(deps): update hubble cli to v0.13.0 (v1.14) (minor) (#30274, @renovate[bot])
chore(deps): update stable lvh-images (v1.14) (patch) (#30492, @renovate[bot])
chore(deps): update stable lvh-images (v1.14) (patch) (#30575, @renovate[bot])
doc: Add Azure CNI Powered by cilium as external installer (Backport PR #30355, Upstream PR #28286, @tamilmani1989)
docs: Add Egress Gateway Policy warning on egressIP and interface being mutually exclusive in the egressGateway spec. (Backport PR #30554, Upstream PR #30236, @soggiest)
docs: warn users that IPsec and KPR are mutual exclusive (Backport PR #30554, Upstream PR #30403, @f1ko)
hive: Fix hive hook output and move lifecycle to cell package (Backport PR #30554, Upstream PR #30416, @joamaki)
hubble-ui: release v0.12.3 (Backport PR #30554, Upstream PR #30422, @geakstr)
ipcache: Skip conflict logging for tunnelpeer if native routing (Backport PR #30355, Upstream PR #27331, @christarazi)
loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR #30323, Upstream PR #30214, @ti-mo)
Rename egress_policies.h to srv6.h and add SRv6 related trace reasons. (Backport PR #30680, Upstream PR #30154, @ldelossa)
Rerun go mod tidy to fix missing entry (#30358, @giorio94)

Other Changes:

v1.14] ci/ipsec: Fix downgrade version for release preparation commits ([#&#8203;30716](https://github.com/cilium/cilium/issues/30716), [@&#8203;qmonnet](https://github.com/qmonnet))

v1.14] ci/ipsec: Re-enable node-to-node-encryption check ([#&#8203;30401](https://github.com/cilium/cilium/issues/30401), [@&#8203;qmonnet](https://github.com/qmonnet))

envoy: Bump envoy version for x/net library (#30515, @sayboras)
envoy: Bump envoy version to v1.26.7 (#30693, @sayboras)
install: Update image digests for v1.14.6 (#30318, @gentoo-root)
remove stable tags from 1.14 releases (#30557, @aanm)

`v1.14.6`: 1.14.6

Compare Source

We are pleased to release Cilium v1.14.6.

This release includes various bugfixes and performance enhancements. The amount of trace events is reduced when monitor aggregation is enabled, allowing to improve pod-to-pod performance with tunneling and IPsec. An inconsistency in the node manager is fixed, which led to incorrect masquerading of traffic to node internal IP addresses. Other fixes include fixes for mTLS, DNS proxy, datapath, etc.

Summary of Changes

Minor Changes:

Add Proxy l7 metrics proxy_type label and and Cleanup (Backport PR #29703, Upstream PR #27863, @tommyp1ckles)
Reduce "stale identity observed" warnings (Backport PR #29863, Upstream PR #27894, @leblowl)

Bugfixes:

1.14] ingress: fix ingress class reconciliation ([#&#8203;29810](https://github.com/cilium/cilium/issues/29810), [@&#8203;mhofstetter](https://github.com/mhofstetter))

Add default toleration for SPIRE agent on control plane nodes (Backport PR #30198, Upstream PR #28947, @meyskens)
Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30213, Upstream PR #29239, @jrajahalme)
cilium-preflight: use the k8s node name instead of relying on hostname (Backport PR #29996, Upstream PR #29809, @marseel)
Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (Backport PR #30265, Upstream PR #29400, @meyskens)
Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (Backport PR #30221, Upstream PR #29986, @qmonnet)
Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #29996, Upstream PR #29616, @learnitall)
Fix cleanup of AWS-related leftover iptables chains (Backport PR #29863, Upstream PR #29448, @giorio94)
helm: Fix envoy servicemonitor annotations (Backport PR #30198, Upstream PR #30017, @pmcgrath)
metrics: fix issue where logging err/warn metric is never updated. (Backport PR #29863, Upstream PR #29201, @tommyp1ckles)
nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29972, Upstream PR #29964, @gandro)
policy: Fix mapstate changes error in entry change comparison (Backport PR #29996, Upstream PR #29815, @jrajahalme)
Remove non fatal errors from SPIRE client in the operator (Backport PR #30265, Upstream PR #28698, @meyskens)
Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport PR #30080, Upstream PR #29848, @joamaki)

CI Changes:

bpf: fix test configuration for 5.10 and 6.1 kernels (Backport PR #30198, Upstream PR #29999, @julianwiedmann)
ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport PR #29703, Upstream PR #29653, @brb)
ci-ipsec-{e2e,upgrade}: Use lvh-kind (Backport PR #29966, Upstream PR #29514, @brb)
ci/ipsec: Skip waiting for images when skipping upgrade/dowgrade (Backport PR #29966, Upstream PR #29793, @qmonnet)
ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (Backport PR #29863, Upstream PR #29455, @mhofstetter)
ci: always use full matrix for scheduled cloud-provider workflows (Backport PR #29863, Upstream PR #29694, @mhofstetter)
ci: fix dns issue when pulling cilium-docker-plugin in ci-runtime (Backport PR #29863, Upstream PR #29502, @mhofstetter)
ci: increase disk size for GKE clusters (ci-gke & ci-external-workloads) (Backport PR #30198, Upstream PR #29528, @mhofstetter)
Conformance AKS: wait for cilium-test namespace deletion during uninstallation (Backport PR #30198, Upstream PR #29893, @giorio94)
datapath: Cover subnet encryption in XFRM leak test (Backport PR #30080, Upstream PR #27212, @pchaigno)
datapath: Fix TestNodeChurnXFRMLeaks (Backport PR #30080, Upstream PR #27274, @brb)
Fix collecting of verifier logs in ci-verifier (Backport PR #29863, Upstream PR #29752, @lmb)
gh/workflows: Add lvh-kind action and use it in ci-e2e (Backport PR #29966, Upstream PR #29485, @brb)
gha: add step to ensure presence/absence of the AWS iptables chains (Backport PR #29863, Upstream PR #29670, @giorio94)
gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport PR #29863, Upstream PR #29675, @giorio94)
node: Integration test for XFRM leaks on node churn (Backport PR #30080, Upstream PR #27187, @pchaigno)
workflows: Increase IPsec e2e test's timeout (Backport PR #30265, Upstream PR #30194, @julianwiedmann)
workflows: Increase IPsec upgrade test's timeout (Backport PR #30080, Upstream PR #29934, @pchaigno)
workflows: Make the conn-disrupt test more sensitive (Backport PR #29703, Upstream PR #29623, @pchaigno)
workflows: move cilium_cli_version definition to set-env-variables action (Backport PR #30198, Upstream PR #29237, @jibi)

Misc Changes:

bgpv1: set running flag in manager (Backport PR #30080, Upstream PR #30013, @harsimran-pabla)
bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #29996, Upstream PR #29880, @julianwiedmann)
chore(deps): update all github action dependencies to v5 (v1.14) (major) (#29784, @renovate[bot])
chore(deps): update all lvh-images main (v1.14) (patch) (#29781, @renovate[bot])
chore(deps): update github/codeql-action action to v2.22.9 (v1.14) (#29783, @renovate[bot])
doc: Update recommended way for installing cilium on AKS (Backport PR #30198, Upstream PR #28910, @tamilmani1989)
docs: fix chained veth plugin example (Backport PR #30265, Upstream PR #30209, @squeed)
docs: Fix keyid derivation in IPsec docs (Backport PR #30080, Upstream PR #30000, @brb)
Fix bug preventing endpoint-related debug logs from being emitted (Backport PR #29829, Upstream PR #29495, @learnitall)
Fix cilium-envoy ServiceMonitor template typo (Backport PR #30198, Upstream PR #29976, @cornfeedhobo)
Fix log error in clustermesh-apiserver when connecting external workloads (Backport PR #29919, Upstream PR #29896, @giorio94)
fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30198, Upstream PR #29971, @renovate[bot])
fix: remove help message in build config failure (Backport PR #30265, Upstream PR #28974, @vipul-21)
Helm: enforce routing mode when either gke.enabled or aksbyocni.enabled are set (Backport PR #30080, Upstream PR #29674, @giorio94)
hubble: Reduce "stale identities observed" debug messages even more (Backport PR #29996, Upstream PR #29957, @gandro)
k8s: Bump CRD schema version to 1.27.x (#29908, @joestringer)
Modularize iptables manager (Backport PR #30221, Upstream PR #28746, @pippolo84)
resource: Fix flaky TestResource_RepeatedDelete (Backport PR #29996, Upstream PR #28588, @joamaki)
Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport PR #29868, Upstream PR #29801, @jrfastab)

Other Changes:

1.14] loader: fix obsolete XDP program removal ([#&#8203;30229](https://github.com/cilium/cilium/issues/30229), [@&#8203;rgo3](https://github.com/rgo3))

v1.14] ci: In conn-disrupt-test action, disable node-to-node-encryption check ([#&#8203;29742](https://github.com/cilium/cilium/issues/29742), [@&#8203;qmonnet](https://github.com/qmonnet))

Add specific drop reason for missing tail calls if the host datapath is not ready yet (#30204, @ti-mo)
bgpv1: Add bgp/routes API endpoint and cilium bgp routes CLI command & integrate it in the bugtool (#30205, @rastislavs)
install: Update image digests for v1.14.5 (#29806, @nebril)
v1.14: update dependency cilium/cilium-cli to v0.15.19 (#30135, @pchaigno)

`v1.14.5`: 1.14.5

Compare Source

We are pleased to release Cilium v1.14.5.

This release include expanded credential and resource limit related configuration parameters for the Agent DaemonSet and SPIRE agent, fixes to an issue where stale nodes would appear in the cilium_node_connectivity_* metrics, enhancements to the detail shown by the IPsec CLI subcommands, a fix to a datapath fix for SNAT running behind multiple network interfaces, a fix to NAT entry GC when DSR enabled, a fix for endpoint label changes during the re-init restoration, and a variety of other stability enhancements. Also included are performance enhancements to concurrency techniques used in policy generation and the selectorcache read/write path.

Summary of Changes

Minor Changes:

Adds affinity, nodeSelector, podSecurityContext and securityContext to the SPIRE agent deployment values (Backport PR #29187, Upstream PR #29077, @meyskens)
helm: Add missing SA automount configuration (Backport PR #29689, Upstream PR #29511, @ayuspin)
helm: Allow setting resources for the agent init containers (Backport PR #29689, Upstream PR #29610, @ayuspin)
Network policies for reserved:ingress identity are now enforced by Cilium Ingress and Gateway API. (Backport PR #29447, Upstream PR #28126, @jrajahalme)

Bugfixes:

"envoy-admin" cluster is renamed as "/envoy-admin", requiring all references in CEC/CCEC to be updated. (Backport PR #29477, Upstream PR #29020, @jrajahalme)
Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29308, @ti-mo)
bpf: Fix drop of IPv6 reply traffic when 1) pod-originating connection is SNATed by iptables, and 2) Host Firewall is enabled. (Backport PR #29477, Upstream PR #28813, @oblazek)
bpf: xdp: don't support GENEVE passthrough with DSR-Hybrid (Backport PR #29187, Upstream PR #28959, @julianwiedmann)
ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (Backport PR #29641, Upstream PR #29098, @julianwiedmann)
datapath: Fix ENI egress routing table for cilium_host IP (Backport PR #29390, Upstream PR #29335, @gandro)
Do not skip FIB lookup when running in BPF Host Routing when Endpoint Routes enabled (Backport PR #29187, Upstream PR #28264, @aspsk)
endpoint: fix panic in RunMetadataResolver due to send on closed channel (Backport PR #29251, Upstream PR #29615, @mhofstetter)
endpointmanager: unmap ip for lookup (Backport PR #29641, Upstream PR #29554, @tklauser)
Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport PR #29641, Upstream PR #29566, @christarazi)
Fix external workloads not working with non-default ClusterID (Backport PR #29477, Upstream PR #29378, @giorio94)
Fix possible disruption of long running, cross-cluster, pod to node traffic on agent restart (Backport PR #29641, Upstream PR #29613, @giorio94)
Fix routing delegation to AWS-VPC-CNI when using the security groups feature. (Backport PR #29641, Upstream PR #29111, @Alex-Waring)
Fix the Created timestamps in cilium bpf nat list that used to display the same values. (Backport PR #29187, Upstream PR #27062, @gentoo-root)
Fixed label synchronization issues in Cilium, ensuring accurate representation of endpoint labels during restoration and addressing out-of-sync problems caused by label changes while the Cilium agent is down. (Backport PR #29251, Upstream PR #29248, @aanm)
gateway-api: add watch for reference grant in TLSRoute reconciler (Backport PR #29187, Upstream PR #29007, @mhofstetter)
gateway-api: Avoid redirect loop when the same host name is used for http and https listeners (Backport PR #29442, Upstream PR #29115, @sayboras)
gateway: Ignore loadbalancer class for Gateway service (Backport PR #29641, Upstream PR #29547, @sayboras)
Handle non-AEAD IPsec keys in cilium encrypt status. (Backport PR #29641, Upstream PR #29182, @viktor-kurchenko)
ingress: fix foreground deletion of Ingress (Backport PR #29477, Upstream PR #29367, @mhofstetter)
Install loopback CNI atomically to protect against aborted copy (Backport PR #29641, Upstream PR #29462, @akhilles)
ipam: Fix bug where IP lease did not expire (Backport PR #29641, Upstream PR #29443, @gandro)
ipam: Fix bug where IP lease did not expire (Backport PR #29652, Upstream PR #29443, @gandro)
iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR #29477, Upstream PR #29310, @julianwiedmann)
metrics: fix potential conflict on metrics registration (Backport PR #29270, Upstream PR #27007, @ysksuzuki)
metrics: fix potential conflict on metrics registration (Backport PR #29477, Upstream PR #27007, @ysksuzuki)
Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR #29364, Upstream PR #29340, @aanm)
Support downgrade path for XDP attachments from Cilium 1.15 (#29104, @ti-mo)
When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR #29477, Upstream PR #29160, @julianwiedmann)

CI Changes:

bpf: complexity-tests: add HAVE_FIB_NEIGH (Backport PR #29477, Upstream PR #29348, @julianwiedmann)
ci-ipsec-upgrade: Check for errors (Backport PR #29270, Upstream PR #29189, @brb)
ci-ipsec-upgrade: Check for errors (Backport PR #29477, Upstream PR #29189, @brb)
ci-ipsec-upgrade: Drop no-missed-tail-calls exclusion (Backport PR #29477, Upstream PR #29325, @brb)
ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR #28876, Upstream PR #29072, @brb)
CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR #28876, Upstream PR #28016, @jschwinger233)
Clean up tests-ipsec-upgrade workflow (Backport PR #28876, Upstream PR #27977, @michi-covalent)
Test upgrade/downgrade to patch release for IPsec (Backport PR #28876, Upstream PR #28815, @qmonnet)
Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR #29477, Upstream PR #29409, @giorio94)
workflows: Add debug info to IPsec key rotation test (Backport PR #29477, Upstream PR #29353, @pchaigno)

Misc Changes:

.github: use GitHub workflow from the same branch (#29252, @aanm)

v1.14] CI: fix broken BPF complexity tests ([#&#8203;29553](https://github.com/cilium/cilium/issues/29553), [@&#8203;lmb](https://github.com/lmb))

Add workqueue.(delayingType).waitingLoop to goleak exception list (Backport PR #29187, Upstream PR #28557, @dylandreimerink)
chore(deps): update actions/checkout action to v4 (v1.14) (#29595, @renovate[bot])
chore(deps): update actions/github-script action to v7 (v1.14) (#29149, @renovate[bot])
chore(deps): update actions/setup-python action to v4.8.0 (v1.14) (#29579, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (#29121, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (minor) (#29265, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (patch) (#29282, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (patch) (#29576, @renovate[bot])
chore(deps): update all lvh-images main (v1.14) (patch) (#29417, @renovate[bot])
chore(deps): update all lvh-images main (v1.14) (patch) (#29577, @renovate[bot])
chore(deps): update cilium/cilium digest to d42be92 (v1.14) (#29133, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.13 (v1.14) (#29123, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.14 (v1.14) (#29283, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.16 (v1.14) (#29465, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.17 (v1.14) (#29729, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (v1.14) (#29578, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.11 docker digest to 4e4a34f (v1.14) (#29416, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.11 docker digest to 77e4e42 (v1.14) (#29281, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d (v1.14) (#29575, @renovate[bot])
chore(deps): update go to v1.20.12 (v1.14) (patch) (#29660, @renovate[bot])
chore(deps): update google-github-actions/auth action to v2 (v1.14) (#29598, @renovate[bot])
chore(deps): update hubble cli to v0.12.3 (v1.14) (patch) (#29746, @renovate[bot])
chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (v1.14) (#29320, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231113.012843 (v1.14) (#29129, @renovate[bot])
chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231120.012927 (v1.14) (#29284, @renovate[bot])
ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29270, Upstream PR #29178, @brb)
ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29477, Upstream PR #29178, @brb)
Docs: Adds Webhook Limitation to EKS Install Doc (Backport PR #29641, Upstream PR #29497, @danehans)
docs: bump required Helm version (Backport PR #29477, Upstream PR #29273, @nebril)
examples: update guestbook example with new image registry (Backport PR #29641, Upstream PR #29603, @mhofstetter)
images: bump cni plugins to v1.4.0 (Backport PR #29724, Upstream PR #29622, @squeed)
ipsec: Small refactorings on key loading and state creation (Backport PR #29477, Upstream PR #29352, @pchaigno)

Other Changes:

v1.14] Author Backport of 28896 (k8s ingress & gateway api: qualify envoy clusters and their references) ([#&#8203;29218](https://github.com/cilium/cilium/issues/29218), [@&#8203;mhofstetter](https://github.com/mhofstetter))

v1.14] bgpv1: Fix BGP component tests using the same VirtualRouter config ([#&#8203;29453](https://github.com/cilium/cilium/issues/29453), [@&#8203;rastislavs](https://github.com/rastislavs))

v1.14] bpf: Fix identity determination in bpf_overlay.c ([#&#8203;29606](https://github.com/cilium/cilium/issues/29606), [@&#8203;ysksuzuki](https://github.com/ysksuzuki))

v1.14] bpf: use bpf_xdp_load_bytes() / bpf_xdp_store_bytes() helpers ([#&#8203;29719](https://github.com/cilium/cilium/issues/29719), [@&#8203;julianwiedmann](https://github.com/julianwiedmann))

v1.14] ci-ipsec-upgrade: Disable Linux 5.10-based configs ([#&#8203;29358](https://github.com/cilium/cilium/issues/29358), [@&#8203;brb](https://github.com/brb))

v1.14] gh: datapath-verifier: also run on 6.1 kernel ([#&#8203;29650](https://github.com/cilium/cilium/issues/29650), [@&#8203;julianwiedmann](https://github.com/julianwiedmann))

envoy: Bump cilium-envoy with golang 1.21.5 (#29656, @sayboras)
envoy: Bump envoy container image with golang 1.21 and latest grpc package (#29383, @sayboras)
install: Update image digests for v1.14.4 (#29147, @thorn3r)
Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29205, @thorn3r)
v1.14: ariane: Run ci-ipsec-upgrade when testing backports (#29225, @brb)

metallb/metallb (metallb)

`v0.14.3`

Compare Source

See https://metallb.universe.tf/release-notes/ for details

`v0.14.2`

Compare Source

See https://metallb.universe.tf/release-notes/ for details

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | minor | `1.14.4` -> `1.15.2` | | [metallb](https://metallb.universe.tf) ([source](https://github.com/metallb/metallb)) | minor | `0.13.12` -> `0.14.3` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.15.2`](https://github.com/cilium/cilium/releases/tag/v1.15.2): 1.15.2 [Compare Source](https://github.com/cilium/cilium/compare/1.15.1...1.15.2) We are pleased to release Cilium v1.15.2. This release contains various bug fixes and improvements. ## Security Advisories This patch release addresses security vulnerabilities. See the following security advisories for details. - https://github.com/cilium/cilium/security/advisories/GHSA-68mj-9pjq-mc85 - https://github.com/cilium/cilium/security/advisories/GHSA-j89h-qrvr-xc36 - https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6 ## IPsec This patch release includes significant changes for the IPsec stack, to resolve issues for connections that are selected by a L7 Network Policy or a DNS Policy. Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode. ## Summary of Changes **Minor Changes:** - Add default divisor for GOMEMLIMIT to satisfy Argo CD diff (Backport PR [#30997](https://github.com/cilium/cilium/issues/30997), Upstream PR [#30635](https://github.com/cilium/cilium/issues/30635), [@jdmcmahan](https://github.com/jdmcmahan)) - Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (Backport PR [#31318](https://github.com/cilium/cilium/issues/31318), Upstream PR [#31205](https://github.com/cilium/cilium/issues/31205), [@squeed](https://github.com/squeed)) - Gateway API BackendRef filters support (Backport PR [#30997](https://github.com/cilium/cilium/issues/30997), Upstream PR [#30090](https://github.com/cilium/cilium/issues/30090), [@chaunceyjiang](https://github.com/chaunceyjiang)) **Bugfixes:** - Cilium allows selecting 'lo' as a device again. (Backport PR [#31206](https://github.com/cilium/cilium/issues/31206), Upstream PR [#31200](https://github.com/cilium/cilium/issues/31200), [@bimmlerd](https://github.com/bimmlerd)) - endpoint: fix inability to create endpoint with labels in a single API call (Backport PR [#30997](https://github.com/cilium/cilium/issues/30997), Upstream PR [#30170](https://github.com/cilium/cilium/issues/30170), [@oblazek](https://github.com/oblazek)) - Fix bug in the VTEP feature which caused all traffic from the VTEP to be dropped with "Incorrect VNI from VTEP" (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#31039](https://github.com/cilium/cilium/issues/31039), [@joestringer](https://github.com/joestringer)) - Fix bug prevented endpoints from sending or receiving network traffic due to the 'reserved:init' label persisting after initialization. (Backport PR [#31047](https://github.com/cilium/cilium/issues/31047), Upstream PR [#30909](https://github.com/cilium/cilium/issues/30909), [@aanm](https://github.com/aanm)) - Fix GC interval calculation by taking into account the actual time passed between GC runs. (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#28657](https://github.com/cilium/cilium/issues/28657), [@gentoo-root](https://github.com/gentoo-root)) - Fix host firewall policy enforcement for pod to node traffic when tunneling is enabled and KPR is disabled (Backport PR [#30997](https://github.com/cilium/cilium/issues/30997), Upstream PR [#30818](https://github.com/cilium/cilium/issues/30818), [@giorio94](https://github.com/giorio94)) - Fix the referenced interface in iptables rules (`eni+` instead of `lxc+`) when `--enable-endpoint-routes=true` and `--cni-chaining-mode="aws-cni"` (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#30766](https://github.com/cilium/cilium/issues/30766), [@pippolo84](https://github.com/pippolo84)) - Fixes an IPv6 issue that cilium doesn't respond to Neighbor Solicitation targeting the pods on same node. (Backport PR [#31155](https://github.com/cilium/cilium/issues/31155), Upstream PR [#30837](https://github.com/cilium/cilium/issues/30837), [@jschwinger233](https://github.com/jschwinger233)) - Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR [#31158](https://github.com/cilium/cilium/issues/31158), Upstream PR [#29594](https://github.com/cilium/cilium/issues/29594), [@jschwinger233](https://github.com/jschwinger233)) - Fixes proxy issues in egress direction (Backport PR [#31158](https://github.com/cilium/cilium/issues/31158), Upstream PR [#30095](https://github.com/cilium/cilium/issues/30095), [@jschwinger233](https://github.com/jschwinger233)) - Fixes some valid GC entries being removed at agent restart (Backport PR [#30863](https://github.com/cilium/cilium/issues/30863), Upstream PR [#29696](https://github.com/cilium/cilium/issues/29696), [@rsafonseca](https://github.com/rsafonseca)) - gateway-api: Correct the null check for GRPRRoute Match (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#31052](https://github.com/cilium/cilium/issues/31052), [@sayboras](https://github.com/sayboras)) - helm: Probe Envoy DaemonSet localhost IP directly (Backport PR [#30997](https://github.com/cilium/cilium/issues/30997), Upstream PR [#30970](https://github.com/cilium/cilium/issues/30970), [@iandrewt](https://github.com/iandrewt)) - hubble: fix parsing of invalid HTTP URLs (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#31100](https://github.com/cilium/cilium/issues/31100), [@kaworu](https://github.com/kaworu)) - srv6: Fix packet drop with GSO type mismatch (Backport PR [#30799](https://github.com/cilium/cilium/issues/30799), Upstream PR [#30732](https://github.com/cilium/cilium/issues/30732), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - statedb: Fix race between Observable and DB stopping (Backport PR [#30863](https://github.com/cilium/cilium/issues/30863), Upstream PR [#30816](https://github.com/cilium/cilium/issues/30816), [@joamaki](https://github.com/joamaki)) - xds: Avoid xds timeout due to agent restart in envoy DS mode (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#31061](https://github.com/cilium/cilium/issues/31061), [@sayboras](https://github.com/sayboras)) **CI Changes:** - ci/ipsec: Fix downgrade version retrieval (Backport PR [#31047](https://github.com/cilium/cilium/issues/31047), Upstream PR [#30742](https://github.com/cilium/cilium/issues/30742), [@qmonnet](https://github.com/qmonnet)) - ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR [#30863](https://github.com/cilium/cilium/issues/30863), Upstream PR [#30790](https://github.com/cilium/cilium/issues/30790), [@brlbil](https://github.com/brlbil)) - CI: Update tested K8S versions across all cloud providers (Backport PR [#30863](https://github.com/cilium/cilium/issues/30863), Upstream PR [#30795](https://github.com/cilium/cilium/issues/30795), [@brlbil](https://github.com/brlbil)) - Fix datapath mode in Network Performance CI test (Backport PR [#30863](https://github.com/cilium/cilium/issues/30863), Upstream PR [#30756](https://github.com/cilium/cilium/issues/30756), [@marseel](https://github.com/marseel)) - Prevent E2E tests from failing on a known-ok warning log of temporary CRD failure (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#30778](https://github.com/cilium/cilium/issues/30778), [@learnitall](https://github.com/learnitall)) **Misc Changes:** - bgpv1: Remove disruptive error handling from BGPRouterManager ([#30735](https://github.com/cilium/cilium/issues/30735), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - bgpv1: Remove or downgrade noisy logs (Backport PR [#30997](https://github.com/cilium/cilium/issues/30997), Upstream PR [#30868](https://github.com/cilium/cilium/issues/30868), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - bitlpm: Factor out common code (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#31026](https://github.com/cilium/cilium/issues/31026), [@jrajahalme](https://github.com/jrajahalme)) - bpf: host: optimize from-host's ICMPv6 path (Backport PR [#31155](https://github.com/cilium/cilium/issues/31155), Upstream PR [#31127](https://github.com/cilium/cilium/issues/31127), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: host: skip from-proxy handling in from-netdev (Backport PR [#31158](https://github.com/cilium/cilium/issues/31158), Upstream PR [#29962](https://github.com/cilium/cilium/issues/29962), [@julianwiedmann](https://github.com/julianwiedmann)) - bugtool: Capture memory fragmentation info from /proc (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#30966](https://github.com/cilium/cilium/issues/30966), [@pchaigno](https://github.com/pchaigno)) - Bump google.golang.org/protobuf (v1.15) ([#31319](https://github.com/cilium/cilium/issues/31319), [@ferozsalam](https://github.com/ferozsalam)) - Change ariane config CODEOWNERS (Backport PR [#30863](https://github.com/cilium/cilium/issues/30863), Upstream PR [#30803](https://github.com/cilium/cilium/issues/30803), [@brlbil](https://github.com/brlbil)) - chore(deps): update actions/download-artifact action to v4.1.3 (v1.15) ([#30986](https://github.com/cilium/cilium/issues/30986), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#30951](https://github.com/cilium/cilium/issues/30951), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#31113](https://github.com/cilium/cilium/issues/31113), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#31290](https://github.com/cilium/cilium/issues/31290), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) (patch) ([#30780](https://github.com/cilium/cilium/issues/30780), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) (patch) ([#31133](https://github.com/cilium/cilium/issues/31133), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies to v4 (v1.15) (major) ([#30781](https://github.com/cilium/cilium/issues/30781), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all kind-images main (v1.15) ([#30851](https://github.com/cilium/cilium/issues/30851), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#30949](https://github.com/cilium/cilium/issues/30949), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#31287](https://github.com/cilium/cilium/issues/31287), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.23 (v1.15) ([#30860](https://github.com/cilium/cilium/issues/30860), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.0 (v1.15) ([#31172](https://github.com/cilium/cilium/issues/31172), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.21.7 docker digest to [`549dd88`](https://github.com/cilium/cilium/commit/549dd88) (v1.15) ([#30855](https://github.com/cilium/cilium/issues/30855), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`f9d633f`](https://github.com/cilium/cilium/commit/f9d633f) (v1.15) ([#30738](https://github.com/cilium/cilium/issues/30738), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.21.7 (v1.15) (patch) ([#30672](https://github.com/cilium/cilium/issues/30672), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.21.8 (v1.15) ([#31183](https://github.com/cilium/cilium/issues/31183), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update hubble cli to v0.13.2 (v1.15) ([#31338](https://github.com/cilium/cilium/issues/31338), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#30652](https://github.com/cilium/cilium/issues/30652), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#31134](https://github.com/cilium/cilium/issues/31134), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#31288](https://github.com/cilium/cilium/issues/31288), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update stable lvh-images to v6.6-20240221.111541 (v1.15) ([#30977](https://github.com/cilium/cilium/issues/30977), [@renovate](https://github.com/renovate)\[bot]) - CODEOWNERS: Ensure gha review for actions ([#31139](https://github.com/cilium/cilium/issues/31139), [@joestringer](https://github.com/joestringer)) - container/bitlpm: Add Lookup Boolean Return Value (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#31037](https://github.com/cilium/cilium/issues/31037), [@nathanjsweet](https://github.com/nathanjsweet)) - docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#30462](https://github.com/cilium/cilium/issues/30462), [@saintdle](https://github.com/saintdle)) - docs: kpr: DSR-Geneve with native-routing requires tunnelProtocol (Backport PR [#30997](https://github.com/cilium/cilium/issues/30997), Upstream PR [#30854](https://github.com/cilium/cilium/issues/30854), [@julianwiedmann](https://github.com/julianwiedmann)) - docs: update note on WireGuard with tunnel routing (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#31083](https://github.com/cilium/cilium/issues/31083), [@julianwiedmann](https://github.com/julianwiedmann)) - images: bump cni plugins to v1.4.1 ([#31348](https://github.com/cilium/cilium/issues/31348), [@aanm](https://github.com/aanm)) - lbipam: copy slice before modification in (\*LBIPAM).handlePoolModified (Backport PR [#30997](https://github.com/cilium/cilium/issues/30997), Upstream PR [#30859](https://github.com/cilium/cilium/issues/30859), [@tklauser](https://github.com/tklauser)) - loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay (Backport PR [#31154](https://github.com/cilium/cilium/issues/31154), Upstream PR [#31025](https://github.com/cilium/cilium/issues/31025), [@julianwiedmann](https://github.com/julianwiedmann)) - pkg: Add Bitwise LPM Trie Library (Backport PR [#30863](https://github.com/cilium/cilium/issues/30863), Upstream PR [#29717](https://github.com/cilium/cilium/issues/29717), [@nathanjsweet](https://github.com/nathanjsweet)) - slices: don't modify input slices in test (Backport PR [#30997](https://github.com/cilium/cilium/issues/30997), Upstream PR [#30677](https://github.com/cilium/cilium/issues/30677), [@tklauser](https://github.com/tklauser)) - v1.15: Remove cilium/build from codeowners ([#31210](https://github.com/cilium/cilium/issues/31210), [@joestringer](https://github.com/joestringer)) **Other Changes:** - \[v1.15] envoy: Bump golang version to 1.21.8 ([#31221](https://github.com/cilium/cilium/issues/31221), [@sayboras](https://github.com/sayboras)) - bgpv1: Disable PodCIDR Reconciler for unsupported IPAM modes ([#31354](https://github.com/cilium/cilium/issues/31354), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - cli: Replace --cluster-name with --helm-set cluster.name ([#31176](https://github.com/cilium/cilium/issues/31176), [@michi-covalent](https://github.com/michi-covalent)) - install: Update image digests for v1.15.1 ([#30777](https://github.com/cilium/cilium/issues/30777), [@michi-covalent](https://github.com/michi-covalent)) - Upgrade GoBGP to v3.23.0 ([#30792](https://github.com/cilium/cilium/issues/30792), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - v1.15 envoy: Avoid duplicated upstream callback ([#30942](https://github.com/cilium/cilium/issues/30942), [@sayboras](https://github.com/sayboras)) - v1.15: WG L7 ([#31266](https://github.com/cilium/cilium/issues/31266), [@brb](https://github.com/brb)) ### [`v1.15.1`](https://github.com/cilium/cilium/releases/tag/v1.15.1): 1.15.1 [Compare Source](https://github.com/cilium/cilium/compare/1.15.0...1.15.1) We are pleased to release Cilium v1.15.1. This release contains various bug fixes and improvements, including a fix for a regression where veth devices were incorrectly getting classified as native devices (https://github.com/cilium/cilium/pull/30762). ## Summary of Changes **Minor Changes:** - Enhance trace events from the outbound SNAT path, to report the pre-SNAT IP address and the interface index of the egress interface. (Backport PR [#30704](https://github.com/cilium/cilium/issues/30704), Upstream PR [#28723](https://github.com/cilium/cilium/issues/28723), [@julianwiedmann](https://github.com/julianwiedmann)) - ui: release v0.13.0 (Backport PR [#30727](https://github.com/cilium/cilium/issues/30727), Upstream PR [#30711](https://github.com/cilium/cilium/issues/30711), [@geakstr](https://github.com/geakstr)) **Bugfixes:** - envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (Backport PR [#30681](https://github.com/cilium/cilium/issues/30681), Upstream PR [#30543](https://github.com/cilium/cilium/issues/30543), [@chaunceyjiang](https://github.com/chaunceyjiang)) - Fix bug in indexing of routes that lead to veth devices being considered native devices, which caused the wrong BPF program to be loaded onto them. (Backport PR [#30767](https://github.com/cilium/cilium/issues/30767), Upstream PR [#30762](https://github.com/cilium/cilium/issues/30762), [@dylandreimerink](https://github.com/dylandreimerink)) - fix edge case in node addressing logic which could result in a panic (Backport PR [#30767](https://github.com/cilium/cilium/issues/30767), Upstream PR [#30757](https://github.com/cilium/cilium/issues/30757), [@dylandreimerink](https://github.com/dylandreimerink)) - hive: Fix start hook log output (Backport PR [#30727](https://github.com/cilium/cilium/issues/30727), Upstream PR [#30712](https://github.com/cilium/cilium/issues/30712), [@joamaki](https://github.com/joamaki)) - Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR [#30681](https://github.com/cilium/cilium/issues/30681), Upstream PR [#30536](https://github.com/cilium/cilium/issues/30536), [@hemanthmalla](https://github.com/hemanthmalla)) **CI Changes:** - ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR [#30681](https://github.com/cilium/cilium/issues/30681), Upstream PR [#30525](https://github.com/cilium/cilium/issues/30525), [@tklauser](https://github.com/tklauser)) - CI: Change cloud regions (Backport PR [#30681](https://github.com/cilium/cilium/issues/30681), Upstream PR [#30378](https://github.com/cilium/cilium/issues/30378), [@brlbil](https://github.com/brlbil)) - ci: Fix PR labels parsing in update label workflow (Backport PR [#30681](https://github.com/cilium/cilium/issues/30681), Upstream PR [#30507](https://github.com/cilium/cilium/issues/30507), [@pippolo84](https://github.com/pippolo84)) - gh: ci-verifier: use lvh-images/complexity-test as renovate dependency (Backport PR [#30681](https://github.com/cilium/cilium/issues/30681), Upstream PR [#30520](https://github.com/cilium/cilium/issues/30520), [@julianwiedmann](https://github.com/julianwiedmann)) - gha: additionally cover BPF masquerade in clustermesh E2E tests (Backport PR [#30681](https://github.com/cilium/cilium/issues/30681), Upstream PR [#30321](https://github.com/cilium/cilium/issues/30321), [@giorio94](https://github.com/giorio94)) - gha: make runner type for clustermesh workflows configurable (Backport PR [#30681](https://github.com/cilium/cilium/issues/30681), Upstream PR [#30496](https://github.com/cilium/cilium/issues/30496), [@giorio94](https://github.com/giorio94)) - Update GitHub upload-artifact action (Backport PR [#30681](https://github.com/cilium/cilium/issues/30681), Upstream PR [#30443](https://github.com/cilium/cilium/issues/30443), [@brlbil](https://github.com/brlbil)) - workflows: Clean IPsec test output (Backport PR [#30767](https://github.com/cilium/cilium/issues/30767), Upstream PR [#30759](https://github.com/cilium/cilium/issues/30759), [@pchaigno](https://github.com/pchaigno)) **Misc Changes:** - Added Last page Edit on Documentation (Backport PR [#30681](https://github.com/cilium/cilium/issues/30681), Upstream PR [#30612](https://github.com/cilium/cilium/issues/30612), [@gailsuccess](https://github.com/gailsuccess)) - bgpv1: remove BGP Controller from daemon cell (Backport PR [#30767](https://github.com/cilium/cilium/issues/30767), Upstream PR [#30561](https://github.com/cilium/cilium/issues/30561), [@harsimran-pabla](https://github.com/harsimran-pabla)) - chore(deps): update all github action dependencies (v1.15) (patch) ([#30486](https://github.com/cilium/cilium/issues/30486), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all kind-images main (v1.15) (patch) ([#30670](https://github.com/cilium/cilium/issues/30670), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.21 (v1.15) ([#30570](https://github.com/cilium/cilium/issues/30570), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.22 (v1.15) ([#30671](https://github.com/cilium/cilium/issues/30671), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#30574](https://github.com/cilium/cilium/issues/30574), [@renovate](https://github.com/renovate)\[bot]) - dep: Bump grpc_health_probe to v0.4.24 (Backport PR [#30704](https://github.com/cilium/cilium/issues/30704), Upstream PR [#30643](https://github.com/cilium/cilium/issues/30643), [@ferozsalam](https://github.com/ferozsalam)) - docs: Document XfrmInStateInvalid errors (Backport PR [#30767](https://github.com/cilium/cilium/issues/30767), Upstream PR [#30151](https://github.com/cilium/cilium/issues/30151), [@pchaigno](https://github.com/pchaigno)) - egressgw: improvements for FIB-driven redirect path (Backport PR [#30681](https://github.com/cilium/cilium/issues/30681), Upstream PR [#30576](https://github.com/cilium/cilium/issues/30576), [@julianwiedmann](https://github.com/julianwiedmann)) - Fix failure in `FuzzDenyPreferredInsert` test (Backport PR [#30681](https://github.com/cilium/cilium/issues/30681), Upstream PR [#30368](https://github.com/cilium/cilium/issues/30368), [@christarazi](https://github.com/christarazi)) **Other Changes:** - \[v1.15] ci/ipsec: Fix downgrade version for release preparation commits ([#30718](https://github.com/cilium/cilium/issues/30718), [@qmonnet](https://github.com/qmonnet)) - envoy: Bump envoy version to v1.27.3 ([#30696](https://github.com/cilium/cilium/issues/30696), [@sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.0 ([#30559](https://github.com/cilium/cilium/issues/30559), [@aanm](https://github.com/aanm)) #### v1.15.0 #### Docker Manifests ### [`v1.15.0`](https://github.com/cilium/cilium/releases/tag/v1.15.0): 1.15.0 [Compare Source](https://github.com/cilium/cilium/compare/1.14.8...1.15.0) ### Changelog The Cilium core team are excited to announce the Cilium 1.15 release. :tada: ## Summary of Changes **Major Changes:** - Add dynamic flowlog exporters configured by yaml file (configmap) without a need of agent restart. ([#28873](https://github.com/cilium/cilium/issues/28873), [@marqc](https://github.com/marqc)) - Add support for extending ClusterMesh to 511 clusters By setting the flag `--max-connected-clusters=511`, a new cluster will be able to connect to a ClusterMesh with up to 511 clusters. If enabled, the number of possible cluster-local identities will be reduced to 32,768. This feature can only be enabled on new clusters, and all clusters in the ClusterMesh must share the same configuration. ([#27520](https://github.com/cilium/cilium/issues/27520), [@thorn3r](https://github.com/thorn3r)) - Add support for Gateway API v1.0 ([#28836](https://github.com/cilium/cilium/issues/28836), [@sayboras](https://github.com/sayboras)) - Add support for k8s 1.28 ([#27361](https://github.com/cilium/cilium/issues/27361), [@aanm](https://github.com/aanm)) - Allow selecting nodes by CIDR policy ([#27464](https://github.com/cilium/cilium/issues/27464), [@squeed](https://github.com/squeed)) - bgpv1: Add `bgp/routes` API endpoint and `cilium bgp routes` CLI command ([#27182](https://github.com/cilium/cilium/issues/27182), [@rastislavs](https://github.com/rastislavs)) - gateway-api: Support GRPCRoute resource ([#28654](https://github.com/cilium/cilium/issues/28654), [@sayboras](https://github.com/sayboras)) - k8s: add support for k8s 1.29.0 ([#29473](https://github.com/cilium/cilium/issues/29473), [@aanm](https://github.com/aanm)) - Module Health: Node Manager: First Iteration ([#25994](https://github.com/cilium/cilium/issues/25994), [@tommyp1ckles](https://github.com/tommyp1ckles)) - Support BGP passwords in the Go BGP implementation. ([#23759](https://github.com/cilium/cilium/issues/23759), [@dgl](https://github.com/dgl)) **Minor Changes:** - \*\_kvstore_operations_duration_seconds metrics do not include client-side rate-limiting latency anymore. ([#27396](https://github.com/cilium/cilium/issues/27396), [@marseel](https://github.com/marseel)) - `io.cilium.podippool.namespace: <CiliumPodIPPool_NAMESPACE>` and `io.cilium.podippool.name: <CiliumPodIPPool_NAME>` selectors can be specified for a PodIPPoolSelector of a CiliumBGPPeeringPolicy to select a CiliumPodIPPool by namespaced name instead of labels. ([#28314](https://github.com/cilium/cilium/issues/28314), [@danehans](https://github.com/danehans)) - Add `cilium bpf auth flush` command for debugging purposes ([#27216](https://github.com/cilium/cilium/issues/27216), [@meyskens](https://github.com/meyskens)) - Add an option to Cilium to set the persistent keepalive for cilium_wg0 ([#27932](https://github.com/cilium/cilium/issues/27932), [@chaunceyjiang](https://github.com/chaunceyjiang)) - Add an option to specify a filters and field mask for hubble-exporter ([#26379](https://github.com/cilium/cilium/issues/26379), [@AwesomePatrol](https://github.com/AwesomePatrol)) - Add documentation of Hubble exporter - an option to save Hubble flows to a file ([#27610](https://github.com/cilium/cilium/issues/27610), [@AwesomePatrol](https://github.com/AwesomePatrol)) - Add flows per second information to Hubble status ([#28205](https://github.com/cilium/cilium/issues/28205), [@glrf](https://github.com/glrf)) - Add Hubble Grafana dashboards: Network and DNS overview ([#27751](https://github.com/cilium/cilium/issues/27751), [@lambdanis](https://github.com/lambdanis)) - add Ingress controller proxy protocol support ([#28194](https://github.com/cilium/cilium/issues/28194), [@zetaab](https://github.com/zetaab)) - Add lbipam support for shared ips ([#28806](https://github.com/cilium/cilium/issues/28806), [@usiegl00](https://github.com/usiegl00)) - Add option to pass api-rate-limit via Helm values ([#28239](https://github.com/cilium/cilium/issues/28239), [@ungureanuvladvictor](https://github.com/ungureanuvladvictor)) - Add option to redact http headers ([#26724](https://github.com/cilium/cilium/issues/26724), [@ChrsMark](https://github.com/ChrsMark)) - Add per-controller success/failure count metrics and a config option for these ([#26850](https://github.com/cilium/cilium/issues/26850), [@asauber](https://github.com/asauber)) - Add Prometheus map pressure metrics for NAT maps ([#27001](https://github.com/cilium/cilium/issues/27001), [@derailed](https://github.com/derailed)) - Add securityContext for spire pod in helm chart ([#27363](https://github.com/cilium/cilium/issues/27363), [@ishuar](https://github.com/ishuar)) - Add source and destination workload_kind context labels (Hubble). ([#27350](https://github.com/cilium/cilium/issues/27350), [@marqc](https://github.com/marqc)) - Add strict mode for WireGuard Pod2Pod encryption ([#21856](https://github.com/cilium/cilium/issues/21856), [@3u13r](https://github.com/3u13r)) - Add support for filtering on HTTP URLs in Hubble ([#28275](https://github.com/cilium/cilium/issues/28275), [@glrf](https://github.com/glrf)) - Added cilium_kvstoremesh_kvstore_sync_errors_counter, cilium_clustermesh_apiserver_kvstore_sync_errors_counter and kvstore_sync_errors_counter metrics that capture data synchronization errors to kvstore. ([#28419](https://github.com/cilium/cilium/issues/28419), [@marseel](https://github.com/marseel)) - Added hubble_relay_pool_peer_connection_status metric for measuring the connection status of all peers. Metric keeps track of number of peers for each possible connectiion status. ([#28217](https://github.com/cilium/cilium/issues/28217), [@siwiutki](https://github.com/siwiutki)) - Added new `ingress.cilium.io/ssl-passthrough` annotation for Ingress objects ([#28751](https://github.com/cilium/cilium/issues/28751), [@youngnick](https://github.com/youngnick)) - Added the EnableHealthCheckLoadBalancerIP flag to address health checks on LoadBalancerIP in Google Cloud Platform using KubeProxyReplacement. ([#26728](https://github.com/cilium/cilium/issues/26728), [@nberlee](https://github.com/nberlee)) - Adds "best-effort" mode for XDP to skip interfaces without driver support ([#28666](https://github.com/cilium/cilium/issues/28666), [@poblahblahblah](https://github.com/poblahblahblah)) - Adds optional configurable jobLabel to cilium-agent, cilium-operator, and hubble serviceMonitors ([#28125](https://github.com/cilium/cilium/issues/28125), [@rbankston](https://github.com/rbankston)) - Adds the CiliumPodIPPool selector type to BGP CP AdvertisedPathAttributes to match CiliumPodIPPool custom resources. Path attributes apply to routes announced for selected CiliumPodIPPools. ([#28310](https://github.com/cilium/cilium/issues/28310), [@danehans](https://github.com/danehans)) - Allow case-insensitive name for CNI chaining mode ([#28050](https://github.com/cilium/cilium/issues/28050), [@asauber](https://github.com/asauber)) - api, cli: Show srv6 status in cilium status ([#28700](https://github.com/cilium/cilium/issues/28700), [@husnialhamdani](https://github.com/husnialhamdani)) - api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30167](https://github.com/cilium/cilium/issues/30167), [@viktor-kurchenko](https://github.com/viktor-kurchenko)) - api: Add extensions field to observer.GetFlowsRequest and flow.Flows types ([#27577](https://github.com/cilium/cilium/issues/27577), [@chancez](https://github.com/chancez)) - Augments `cilium status` CLI to report on agent modules health status. ([#25714](https://github.com/cilium/cilium/issues/25714), [@derailed](https://github.com/derailed)) - Auth map garbage collection will trigger if last local endpoint of a security identity was removed ([#27697](https://github.com/cilium/cilium/issues/27697), [@meyskens](https://github.com/meyskens)) - bgpv1: Add `cilium-dbg bgp route-policies` command & include it in the bugtool ([#28973](https://github.com/cilium/cilium/issues/28973), [@rastislavs](https://github.com/rastislavs)) - bgpv1: Enable `cilium-dbg bgp routes advertised` command without specifying a peer (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30033](https://github.com/cilium/cilium/issues/30033), [@rastislavs](https://github.com/rastislavs)) - BGPv1: Set R-bit in graceful restart capability negotiation. ([#28293](https://github.com/cilium/cilium/issues/28293), [@ArsenyBelorukov](https://github.com/ArsenyBelorukov)) - bgpv1: Use kube-system namespace by default for MD5 secret ([#29478](https://github.com/cilium/cilium/issues/29478), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - bpf: allow overriding Makefile variables ([#27492](https://github.com/cilium/cilium/issues/27492), [@lmb](https://github.com/lmb)) - bpf: compile test ENABLE_EGRESS_GATEWAY_COMMON ([#27515](https://github.com/cilium/cilium/issues/27515), [@lmb](https://github.com/lmb)) - bpf: gate egressgw datapath on separate defines ([#27189](https://github.com/cilium/cilium/issues/27189), [@lmb](https://github.com/lmb)) - bpf: static data: use inline asm to access static data ([#27589](https://github.com/cilium/cilium/issues/27589), [@ti-mo](https://github.com/ti-mo)) - bpgv1: move the internal BGP signaler to a cell and allow other cells to depend on it. ([#26745](https://github.com/cilium/cilium/issues/26745), [@ldelossa](https://github.com/ldelossa)) - can create the directory for the customized cni conf and remove the cni conf file in cleanup command ([#27933](https://github.com/cilium/cilium/issues/27933), [@sofat1989](https://github.com/sofat1989)) - Change the Helm values configuration for SPIRE to match other images in the Helm charts ([#27621](https://github.com/cilium/cilium/issues/27621), [@weizhoublue](https://github.com/weizhoublue)) - cilium ingress should have an option to set the number of trusted loadbalancer hops ([#27952](https://github.com/cilium/cilium/issues/27952), [@chaunceyjiang](https://github.com/chaunceyjiang)) - cilium-agent: Remove the obsolete --bpf-lb-dev-ip-addr-inherit option (Backport PR [#30264](https://github.com/cilium/cilium/issues/30264), Upstream PR [#29963](https://github.com/cilium/cilium/issues/29963), [@joamaki](https://github.com/joamaki)) - cilium-dbg: Add statedb query support and commands to inspect statedb tables devices, routes and l2-announce. ([#28872](https://github.com/cilium/cilium/issues/28872), [@joamaki](https://github.com/joamaki)) - Cilium-operator and clustermesh's kvstore metrics are now enabled by default in Helm. ([#27653](https://github.com/cilium/cilium/issues/27653), [@marseel](https://github.com/marseel)) - cilium/cmd: make output of 'cilium policy selectors' sorted. ([#27803](https://github.com/cilium/cilium/issues/27803), [@tommyp1ckles](https://github.com/tommyp1ckles)) - cilium: export intermediate cobra.Commands ([#26265](https://github.com/cilium/cilium/issues/26265), [@lmb](https://github.com/lmb)) - cilium: use absolute path to include Makefile.defs ([#27054](https://github.com/cilium/cilium/issues/27054), [@lmb](https://github.com/lmb)) - CiliumL2AnnouncementPolicy will only select Services that do not specify a LoadBalancerClass or specify a LoadBalancerClass of "io.cilium/l2-announcer". ([#27976](https://github.com/cilium/cilium/issues/27976), [@danehans](https://github.com/danehans)) - cli: Update `cilium policy import` to allow policy replacement by label ([#27103](https://github.com/cilium/cilium/issues/27103), [@deverton-godaddy](https://github.com/deverton-godaddy)) - clustermesh-apiserver deployment support lifecycle and terminationGracePeriodSeconds. ([#26945](https://github.com/cilium/cilium/issues/26945), [@acgs771126](https://github.com/acgs771126)) - cmd/watchdogs: add health reporter to watchdog controller. ([#29038](https://github.com/cilium/cilium/issues/29038), [@tommyp1ckles](https://github.com/tommyp1ckles)) - cmd: Disable local node routes when endpoint routes are enabled ([#28324](https://github.com/cilium/cilium/issues/28324), [@gandro](https://github.com/gandro)) - Config option to customize the default IP Pool when using MultiPool ([#28818](https://github.com/cilium/cilium/issues/28818), [@chaunceyjiang](https://github.com/chaunceyjiang)) - Correlate flows with CiliumNetworkPolicies ([#27854](https://github.com/cilium/cilium/issues/27854), [@chancez](https://github.com/chancez)) - daemon: Do not require native routing CIDR if ipmasq-agent is enabled ([#27747](https://github.com/cilium/cilium/issues/27747), [@gandro](https://github.com/gandro)) - daemon: don't wait for presence of unused CiliumNodeConfig CRD ([#27684](https://github.com/cilium/cilium/issues/27684), [@akhilles](https://github.com/akhilles)) - daemon: The option "EnableRemoteNodeIdentity" is now deprecated and will be removed from the v1.16 release. ([#28300](https://github.com/cilium/cilium/issues/28300), [@nathanjsweet](https://github.com/nathanjsweet)) - Default client-go QPS and burst in agent and operator have been increased to 10 and 20 respectively for k8s versions 1.27+ ([#29445](https://github.com/cilium/cilium/issues/29445), [@marseel](https://github.com/marseel)) - Delete auth map entries for removed Security IDs in SPIRE ([#27663](https://github.com/cilium/cilium/issues/27663), [@meyskens](https://github.com/meyskens)) - Deprecated helm options enableK8sEventHandover/enableCnpStatusUpdates were removed. Corresponding flag "enable-k8s-event-handover" in Agent and "cnp-status-update-interval" in operator were removed. ([#29395](https://github.com/cilium/cilium/issues/29395), [@marseel](https://github.com/marseel)) - docs, cilium: Remove `cilium endpoint regenerate` command ([#27326](https://github.com/cilium/cilium/issues/27326), [@christarazi](https://github.com/christarazi)) - docs: remove annotations-based l7 visibility ([#28449](https://github.com/cilium/cilium/issues/28449), [@networkop](https://github.com/networkop)) - Don't automatically infer ClusterID and ClusterName for external workloads. ([#27886](https://github.com/cilium/cilium/issues/27886), [@giorio94](https://github.com/giorio94)) - egressgw: inject datapath config via hive ([#27414](https://github.com/cilium/cilium/issues/27414), [@lmb](https://github.com/lmb)) - EgressGW: interface selection is now done with BPF, using --install-egress-gateway-routes is no longer needed. ([#26215](https://github.com/cilium/cilium/issues/26215), [@jibi](https://github.com/jibi)) - egressgw: refactor check for conflicting egress IPs ([#27491](https://github.com/cilium/cilium/issues/27491), [@lmb](https://github.com/lmb)) - egressgw: reject config with CiliumEndpointSlice ([#27984](https://github.com/cilium/cilium/issues/27984), [@julianwiedmann](https://github.com/julianwiedmann)) - egressgw: tidy up Config handling ([#27221](https://github.com/cilium/cilium/issues/27221), [@lmb](https://github.com/lmb)) - endpoint, endpointmanager: Publish max policymap size as metric ([#27367](https://github.com/cilium/cilium/issues/27367), [@christarazi](https://github.com/christarazi)) - ENI: fix calculateExcessIPs excessive calculate of excess ip ([#28467](https://github.com/cilium/cilium/issues/28467), [@wu0407](https://github.com/wu0407)) - Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport PR [#30349](https://github.com/cilium/cilium/issues/30349), Upstream PR [#30126](https://github.com/cilium/cilium/issues/30126), [@youngnick](https://github.com/youngnick)) - envoy: Bump envoy to 1.26.2 ([#26851](https://github.com/cilium/cilium/issues/26851), [@sayboras](https://github.com/sayboras)) - envoy: Bump envoy version to v1.26.4 ([#27104](https://github.com/cilium/cilium/issues/27104), [@sayboras](https://github.com/sayboras)) - envoy: Bump envoy version to v1.27.1 ([#28531](https://github.com/cilium/cilium/issues/28531), [@sayboras](https://github.com/sayboras)) - envoy: Bump envoy version to v1.27.2 ([#28671](https://github.com/cilium/cilium/issues/28671), [@mhofstetter](https://github.com/mhofstetter)) - envoy: Update envoy version to the latest build ([#27819](https://github.com/cilium/cilium/issues/27819), [@jrajahalme](https://github.com/jrajahalme)) - Extend AWS metadata-based policy enforcement to work with any VPC-enabled service. ([#27071](https://github.com/cilium/cilium/issues/27071), [@spacepants](https://github.com/spacepants)) - Fix inaccurate calculation for bootstrap stats of restore ([#27983](https://github.com/cilium/cilium/issues/27983), [@PlatformLC](https://github.com/PlatformLC)) - fix: Preserve OwnerReferences when updating Ingresses with Load Balancer in shared mode ([#28452](https://github.com/cilium/cilium/issues/28452), [@bittermandel](https://github.com/bittermandel)) - Fixes name used for disabling KVStoreMesh metrics. ([#27680](https://github.com/cilium/cilium/issues/27680), [@marseel](https://github.com/marseel)) - FQDN: transition to asynchronous IPCache APIs ([#29036](https://github.com/cilium/cilium/issues/29036), [@squeed](https://github.com/squeed)) - gateway-api: Add support for gateway.infrastructure attribute ([#29122](https://github.com/cilium/cilium/issues/29122), [@sayboras](https://github.com/sayboras)) - gateway-api: Add support for multiple request mirrors ([#28342](https://github.com/cilium/cilium/issues/28342), [@sayboras](https://github.com/sayboras)) - gateway-api: Add supported features in GatewayClass status ([#29116](https://github.com/cilium/cilium/issues/29116), [@sayboras](https://github.com/sayboras)) - gateway-api: Bump the version to v0.8.1 ([#28195](https://github.com/cilium/cilium/issues/28195), [@sayboras](https://github.com/sayboras)) - gateway-api: Bump the version to v1.0.0-rc1 ([#28757](https://github.com/cilium/cilium/issues/28757), [@sayboras](https://github.com/sayboras)) - gateway-api: Bump version to v0.8.0-rc1 ([#27592](https://github.com/cilium/cilium/issues/27592), [@sayboras](https://github.com/sayboras)) - gateway-api: Check for required CRDs upon startup ([#28982](https://github.com/cilium/cilium/issues/28982), [@sayboras](https://github.com/sayboras)) - gateway-api: Update API version for Reference Grant ([#29811](https://github.com/cilium/cilium/issues/29811), [@sayboras](https://github.com/sayboras)) - Handle IPv4 fragments in SNAT flows correctly. ([#25340](https://github.com/cilium/cilium/issues/25340), [@gentoo-root](https://github.com/gentoo-root)) - helm: Add extraVolumeMounts to cilium config init container (Backport PR [#30349](https://github.com/cilium/cilium/issues/30349), Upstream PR [#30131](https://github.com/cilium/cilium/issues/30131), [@ayuspin](https://github.com/ayuspin)) - helm: Added support for existing Cilium SPIRE NS ([#29032](https://github.com/cilium/cilium/issues/29032), [@PhilipSchmid](https://github.com/PhilipSchmid)) - helm: allow annotations to be set for preflight resources ([#27860](https://github.com/cilium/cilium/issues/27860), [@bradwhitfield](https://github.com/bradwhitfield)) - Hide empty columns by default in "kubectl get ciliumendpoints" output ([#28744](https://github.com/cilium/cilium/issues/28744), [@Iiqbal2000](https://github.com/Iiqbal2000)) - hive/cell: remove health reporting on health provider. ([#28773](https://github.com/cilium/cilium/issues/28773), [@tommyp1ckles](https://github.com/tommyp1ckles)) - hubble-relay: Add support for peers joining during requests ([#29326](https://github.com/cilium/cilium/issues/29326), [@glrf](https://github.com/glrf)) - Hubble: add option to filter for pods and services in any namespace ([#28921](https://github.com/cilium/cilium/issues/28921), [@glrf](https://github.com/glrf)) - hubble: Add Support for filtering on HTTP headers ([#28851](https://github.com/cilium/cilium/issues/28851), [@ChrsMark](https://github.com/ChrsMark)) - hubble: Conditionally redact user info present in URLs in (L7) HTTP flows ([#28848](https://github.com/cilium/cilium/issues/28848), [@ioandr](https://github.com/ioandr)) - Hubble: improve security by adding an option to redact API key in Kafka requests (L7) ([#25844](https://github.com/cilium/cilium/issues/25844), [@ioandr](https://github.com/ioandr)) - hubble: replace deprecated usage of grpc.WithInsecure. ([#25631](https://github.com/cilium/cilium/issues/25631), [@tommyp1ckles](https://github.com/tommyp1ckles)) - Ignore Indexed Job-specific label by default for CID creation `batch.kubernetes.io/job-completion-index`. ([#28897](https://github.com/cilium/cilium/issues/28897), [@tosi3k](https://github.com/tosi3k)) - Ignore StatefulSet-specific labels by default for CID creation. This includes the two following labels: - statefulset.kubernetes.io/pod-name - apps.kubernetes.io/pod-index ([#28003](https://github.com/cilium/cilium/issues/28003), [@tosi3k](https://github.com/tosi3k)) - Implement `AdvertisedPathAttributes` for `CiliumBGPNeighbor` in the `CiliumBGPPeeringPolicy` CRD to allow setting BGP Community and Local Preference path attributes for advertised BGP routes. ([#27705](https://github.com/cilium/cilium/issues/27705), [@rastislavs](https://github.com/rastislavs)) - Improve `cilium status --verbose` and `cilium-health status --succinct` support to show IPv6 IPs as well ([#27912](https://github.com/cilium/cilium/issues/27912), [@chaunceyjiang](https://github.com/chaunceyjiang)) - Improve cilium-agent bootstrap time when using cluster-pool ipam. ([#28354](https://github.com/cilium/cilium/issues/28354), [@marseel](https://github.com/marseel)) - Improve helm validation for clustermesh, and allow creating the clustermesh configuration also in kvstore mode ([#28763](https://github.com/cilium/cilium/issues/28763), [@giorio94](https://github.com/giorio94)) - Improve Hubble Relay Kubernetes Readiness/Liveness check ([#28765](https://github.com/cilium/cilium/issues/28765), [@glrf](https://github.com/glrf)) - Improve the usability of the `cilium policy selectors` command by including the policy name and namespace in order to easily understand which selector comes from what policy ([#27838](https://github.com/cilium/cilium/issues/27838), [@christarazi](https://github.com/christarazi)) - Increase number of dnsproxy mutexes from 128 to 131. ([#27147](https://github.com/cilium/cilium/issues/27147), [@marseel](https://github.com/marseel)) - init: Poll CRD synchronization times have been lowered from 1 second to 50ms. ([#28954](https://github.com/cilium/cilium/issues/28954), [@howardjohn](https://github.com/howardjohn)) - Introduce ability to specify SAFI/AFI for specific BGP peers. ([#26940](https://github.com/cilium/cilium/issues/26940), [@ldelossa](https://github.com/ldelossa)) - ipam, metrics: Add new capacity metric ([#27710](https://github.com/cilium/cilium/issues/27710), [@christarazi](https://github.com/christarazi)) - ipam/multipool: Introduce specific ip family annotations for specifying ip pools ([#28244](https://github.com/cilium/cilium/issues/28244), [@hargrovee](https://github.com/hargrovee)) - ipam: Remove cluster-pool-v2beta code ([#27753](https://github.com/cilium/cilium/issues/27753), [@gandro](https://github.com/gandro)) - Merge clustermesh-apiserver and kvstoremesh into a single image ([#27888](https://github.com/cilium/cilium/issues/27888), [@giorio94](https://github.com/giorio94)) - metrics: add bpf_map_capacity metric which provides max size of maps ([#28146](https://github.com/cilium/cilium/issues/28146), [@tommyp1ckles](https://github.com/tommyp1ckles)) - metrics: Add workqueue metrics ([#27042](https://github.com/cilium/cilium/issues/27042), [@ysksuzuki](https://github.com/ysksuzuki)) - Modular daemon and operator ([#25986](https://github.com/cilium/cilium/issues/25986), [@pippolo84](https://github.com/pippolo84)) - Mutual Auth: only respond handshake with certificate if security ID is in use on node ([#27682](https://github.com/cilium/cilium/issues/27682), [@meyskens](https://github.com/meyskens)) - mutual-auth: Bump spire image version ([#29101](https://github.com/cilium/cilium/issues/29101), [@sayboras](https://github.com/sayboras)) - Named ports in DNS policies are now resolved correctly. ([#29023](https://github.com/cilium/cilium/issues/29023), [@jrajahalme](https://github.com/jrajahalme)) - Named ports in DNS policies are now resolved correctly. (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#29023](https://github.com/cilium/cilium/issues/29023), [@jrajahalme](https://github.com/jrajahalme)) - Operator modular metrics ([#28005](https://github.com/cilium/cilium/issues/28005), [@pippolo84](https://github.com/pippolo84)) - operator: Remove identity GC and CES controller legacy metrics ([#28166](https://github.com/cilium/cilium/issues/28166), [@pippolo84](https://github.com/pippolo84)) - pkg/datapath: Remove defunct `--single-cluster-route` flag ([#29221](https://github.com/cilium/cilium/issues/29221), [@gandro](https://github.com/gandro)) - pkg/labels: print all leaf CIDRs, not just the last one. ([#28224](https://github.com/cilium/cilium/issues/28224), [@squeed](https://github.com/squeed)) - Pre-initialize several known metric vectors to avoid empty metrics (specifically: endpoint_regenerations_total, policy_change_total, policy_implementation_delay, policy_l7\_total and kubernetes_events metrics). ([#27835](https://github.com/cilium/cilium/issues/27835), [@tommyp1ckles](https://github.com/tommyp1ckles)) - Propagate prefixed labels from Ingress resource to LB service ([#28598](https://github.com/cilium/cilium/issues/28598), [@log1cb0mb](https://github.com/log1cb0mb)) - Refactor hubble redact settings schema ([#26989](https://github.com/cilium/cilium/issues/26989), [@ChrsMark](https://github.com/ChrsMark)) - Refactor hubble redact settings schema \[v2] ([#27553](https://github.com/cilium/cilium/issues/27553), [@ChrsMark](https://github.com/ChrsMark)) - Remove deprecate clustermesh CA configuration from the helm chart ([#27162](https://github.com/cilium/cilium/issues/27162), [@giorio94](https://github.com/giorio94)) - Remove deprecated `policy_import_errors_total` metric ([#28423](https://github.com/cilium/cilium/issues/28423), [@tklauser](https://github.com/tklauser)) - Remove deprecated tunnel option, and corresponding helm values setting ([#29053](https://github.com/cilium/cilium/issues/29053), [@giorio94](https://github.com/giorio94)) - Rename the CLI for local Cilium API access to 'cilium-dbg' ([#28085](https://github.com/cilium/cilium/issues/28085), [@joestringer](https://github.com/joestringer)) - Replace etcd init script used for clustermesh with a Go equivalent. Upgrade etcd to v3.5.10. ([#29109](https://github.com/cilium/cilium/issues/29109), [@JamesLaverack](https://github.com/JamesLaverack)) - Replace LB-IPAM IP allocator to remove limitations and enable additional features ([#26488](https://github.com/cilium/cilium/issues/26488), [@dylandreimerink](https://github.com/dylandreimerink)) - Replace metricsmap-bpf-prom-sync with Prometheus Collector pattern ([#27370](https://github.com/cilium/cilium/issues/27370), [@carnerito](https://github.com/carnerito)) - Respond with ICMP reply for traffic to services without backends ([#28157](https://github.com/cilium/cilium/issues/28157), [@dylandreimerink](https://github.com/dylandreimerink)) - show DSR-dispatch mode in cilium-dbg status ([#29217](https://github.com/cilium/cilium/issues/29217), [@chaunceyjiang](https://github.com/chaunceyjiang)) - Structured Health Reporter + EndpointManager Modular Health Checks ([#27522](https://github.com/cilium/cilium/issues/27522), [@tommyp1ckles](https://github.com/tommyp1ckles)) - The cilium-agent now sets GOMEMLIMIT to the container's memory resource limit, which helps the Go GC to avoid unnecessary OOMs. ([#27958](https://github.com/cilium/cilium/issues/27958), [@bimmlerd](https://github.com/bimmlerd)) - The podIPPoolSelector field has been added to CiliumBGPVirtualRouter for selectively advertising multi-pool IPAM CIDRs. ([#27100](https://github.com/cilium/cilium/issues/27100), [@danehans](https://github.com/danehans)) - Update to Envoy 1.27.0, run cilium-envoy process without any privileges. ([#27498](https://github.com/cilium/cilium/issues/27498), [@jrajahalme](https://github.com/jrajahalme)) - When BGP control plane is enabled and configured for service announcements, it will only advertise a matching service that has an unspecified loadbalancerClass or set for "io.cilium/bgp-control-plane". ([#26905](https://github.com/cilium/cilium/issues/26905), [@danehans](https://github.com/danehans)) - When master key protection is enabled, failed attempts at recreating k8s identity resources will now be retried. ([#28912](https://github.com/cilium/cilium/issues/28912), [@tommyp1ckles](https://github.com/tommyp1ckles)) - When tunneling is enabled, a packet will be encapsulated by Cilium's tunnel netdev before encrypting with WireGuard. ([#29000](https://github.com/cilium/cilium/issues/29000), [@brb](https://github.com/brb)) **Bugfixes:** - `ImplementationSpecific` Ingress paths (which for Cilium Ingress means regex path matches) are now sorted correctly in between `Exact` and `Prefix` matches. ([#29381](https://github.com/cilium/cilium/issues/29381), [@youngnick](https://github.com/youngnick)) - Add a 5 second timeout to the Mutual Auth TCP handshake ([#26650](https://github.com/cilium/cilium/issues/26650), [@meyskens](https://github.com/meyskens)) - Add default toleration for SPIRE agent on control plane nodes (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#28947](https://github.com/cilium/cilium/issues/28947), [@meyskens](https://github.com/meyskens)) - Allow unsupported protocol family errors when deleting IPv6 proxy routing rules (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30299](https://github.com/cilium/cilium/issues/30299), [@rgo3](https://github.com/rgo3)) - Avoid panic during BPF program compilation when clang command fails to start (Backport PR [#30264](https://github.com/cilium/cilium/issues/30264), Upstream PR [#30009](https://github.com/cilium/cilium/issues/30009), [@ti-mo](https://github.com/ti-mo)) - backporting: Revert changes until the new workflow will be in place ([#28371](https://github.com/cilium/cilium/issues/28371), [@pippolo84](https://github.com/pippolo84)) - bgpv1: Avoid creating `resource.Store` in `Start()` hive hooks of BGP CP to ensure proper BGP CP initialization. (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29954](https://github.com/cilium/cilium/issues/29954), [@rastislavs](https://github.com/rastislavs)) - bgpv1: fix manager_test.go build error ([#27543](https://github.com/cilium/cilium/issues/27543), [@ldelossa](https://github.com/ldelossa)) - bpf: fix wrong loopback address mask value (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29946](https://github.com/cilium/cilium/issues/29946), [@haiyuewa](https://github.com/haiyuewa)) - bpf: fixes an issue where inserting inner maps into an outer may fail with EINVAL due to flags mismatch ([#28710](https://github.com/cilium/cilium/issues/28710), [@ldelossa](https://github.com/ldelossa)) - bpf: nat: set .from_local_endpoint for all inter-cluster SNAT traffic ([#26853](https://github.com/cilium/cilium/issues/26853), [@julianwiedmann](https://github.com/julianwiedmann)) - bug fix: close status collector when daemon exits ([#27937](https://github.com/cilium/cilium/issues/27937), [@sofat1989](https://github.com/sofat1989)) - bug: In dual-stack mode (both IPv4 and IPv6 are enabled), Cilium incorrectly converted CIDRs that covered all possible addresses for an IP Family (e.g. 0.0.0.0/0) to the "reserved:world" entity. Both IP families must be completely covered for "reserved:world" to apply. This resulted in dual-stack mode network policies that could not distinguish between world IPv4 and IPv6 traffic, treating them as one entity instead. ([#22625](https://github.com/cilium/cilium/issues/22625), [@nathanjsweet](https://github.com/nathanjsweet)) - Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR [#30212](https://github.com/cilium/cilium/issues/30212), Upstream PR [#29239](https://github.com/cilium/cilium/issues/29239), [@jrajahalme](https://github.com/jrajahalme)) - cleanup: can clean the bpf filters created by the cilium agent with lower version ([#27373](https://github.com/cilium/cilium/issues/27373), [@sofat1989](https://github.com/sofat1989)) - Conntrack entries for Service connections are now printed in the canonical "source -> destination" format when using the "bpf ct list" command. ([#28913](https://github.com/cilium/cilium/issues/28913), [@julianwiedmann](https://github.com/julianwiedmann)) - daemon/cmd: Updates restoreIPCache() to use errors.Is() (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30220](https://github.com/cilium/cilium/issues/30220), [@danehans](https://github.com/danehans)) - daemon: Fail init if requirements for BPF masquerade are not met (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29778](https://github.com/cilium/cilium/issues/29778), [@pippolo84](https://github.com/pippolo84)) - datapath: fix dbg-capture-proxy-\[pre/post] reporting ([#27704](https://github.com/cilium/cilium/issues/27704), [@mhofstetter](https://github.com/mhofstetter)) - datapath: Fix primary flag in NodeAddress ([#29483](https://github.com/cilium/cilium/issues/29483), [@joamaki](https://github.com/joamaki)) - Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29400](https://github.com/cilium/cilium/issues/29400), [@meyskens](https://github.com/meyskens)) - Don't orphan CEPs when node IPV6 is preferred at dual stack k8s config ([#28142](https://github.com/cilium/cilium/issues/28142), [@rawmind0](https://github.com/rawmind0)) - Due to a race condition in the experimental runtime device detection, Cilium could fail to make a newly added device available for node port services. (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29917](https://github.com/cilium/cilium/issues/29917), [@bimmlerd](https://github.com/bimmlerd)) - egressgateway: Use UID to identify CiliumEndpoints in epDataStore ([#29124](https://github.com/cilium/cilium/issues/29124), [@rastislavs](https://github.com/rastislavs)) - egressgw: Fix the issue that an iptables SNAT rule in the host netns interferes packets to egress gw and bypass the egress GW policy ([#29379](https://github.com/cilium/cilium/issues/29379), [@ysksuzuki](https://github.com/ysksuzuki)) - egressgw: policy: ensure egressGateway field is not nil ([#27802](https://github.com/cilium/cilium/issues/27802), [@jibi](https://github.com/jibi)) - endpointmanager: fix bpf policy pressure getting stuck. ([#28185](https://github.com/cilium/cilium/issues/28185), [@tommyp1ckles](https://github.com/tommyp1ckles)) - envoy: Bump envoy image to include proxy_protocol filter (Backport PR [#30349](https://github.com/cilium/cilium/issues/30349), Upstream PR [#30260](https://github.com/cilium/cilium/issues/30260), [@sayboras](https://github.com/sayboras)) - envoy: fix init order between accesslog and xDS server ([#27617](https://github.com/cilium/cilium/issues/27617), [@mhofstetter](https://github.com/mhofstetter)) - envoy: fix SO_REUSEPORT with BPF TPROXY ([#30459](https://github.com/cilium/cilium/issues/30459), [@mhofstetter](https://github.com/mhofstetter)) - examples: Fix YAML error backendRefs in HTTP Header Modifier ([#27871](https://github.com/cilium/cilium/issues/27871), [@haiyuewa](https://github.com/haiyuewa)) - Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29986](https://github.com/cilium/cilium/issues/29986), [@qmonnet](https://github.com/qmonnet)) - Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR [#30324](https://github.com/cilium/cilium/issues/30324), Upstream PR [#30248](https://github.com/cilium/cilium/issues/30248), [@ti-mo](https://github.com/ti-mo)) - Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29616](https://github.com/cilium/cilium/issues/29616), [@learnitall](https://github.com/learnitall)) - Fix bug that could cause IPsec route change failures to be silent. (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#29423](https://github.com/cilium/cilium/issues/29423), [@derailed](https://github.com/derailed)) - Fix bugs in health-server that cause the state in the prober's cache to drift and allow nodes with empty IP addresses to be added. (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29745](https://github.com/cilium/cilium/issues/29745), [@thorn3r](https://github.com/thorn3r)) - Fix cilium-envoy ServiceMonitor port name ([#27207](https://github.com/cilium/cilium/issues/27207), [@pixiono](https://github.com/pixiono)) - Fix connection disruption for IPsec during downgrade to v1.14 by attaching correct bpf program to devices. ([#27480](https://github.com/cilium/cilium/issues/27480), [@jschwinger233](https://github.com/jschwinger233)) - Fix endpoint logger not formatting logs as JSON when daemon log format is set to JSON ([#27263](https://github.com/cilium/cilium/issues/27263), [@leblowl](https://github.com/leblowl)) - Fix error when using multiple allowRoutes namespaces in gateway ([#30550](https://github.com/cilium/cilium/issues/30550), [@mhofstetter](https://github.com/mhofstetter)) - Fix Helm rendering for `dashboards.enabled=true` ([#28542](https://github.com/cilium/cilium/issues/28542), [@bakito](https://github.com/bakito)) - Fix instances of leaked health reporter updates. (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30134](https://github.com/cilium/cilium/issues/30134), [@tommyp1ckles](https://github.com/tommyp1ckles)) - Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (Backport PR [#30349](https://github.com/cilium/cilium/issues/30349), Upstream PR [#29460](https://github.com/cilium/cilium/issues/29460), [@tommyp1ckles](https://github.com/tommyp1ckles)) - Fix missing NODE_ADD Hubble peer messages in some cases ([#28226](https://github.com/cilium/cilium/issues/28226), [@AwesomePatrol](https://github.com/AwesomePatrol)) - Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30399](https://github.com/cilium/cilium/issues/30399), [@tlcowling](https://github.com/tlcowling)) - Fix performance regression for pod-to-pod traffic WireGuard and tunneling. (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30329](https://github.com/cilium/cilium/issues/30329), [@3u13r](https://github.com/3u13r)) - Fix potential deadlock that results in stale authentication entries in Cilium ([#29082](https://github.com/cilium/cilium/issues/29082), [@meyskens](https://github.com/meyskens)) - Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30282](https://github.com/cilium/cilium/issues/30282), [@giorio94](https://github.com/giorio94)) - Fix rendering helm operator-dashboard annotations ([#29106](https://github.com/cilium/cilium/issues/29106), [@Zariel](https://github.com/Zariel)) - Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (Backport PR [#28500](https://github.com/cilium/cilium/issues/28500), Upstream PR [#28417](https://github.com/cilium/cilium/issues/28417), [@ti-mo](https://github.com/ti-mo)) - fix: PromQL syntax on cilium policy query Grafana dashboard (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#29938](https://github.com/cilium/cilium/issues/29938), [@M0NsTeRRR](https://github.com/M0NsTeRRR)) - Fixed health probing where ICMP probe was incorrectly reporting node as unreachable or reporting unreachable node as reachable in some cases. (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30504](https://github.com/cilium/cilium/issues/30504), [@marseel](https://github.com/marseel)) - Fixes an issue where an empty ControlPlaneState was used during registration of BGP speakers. This would cause reconciliation issues as the current state would be unknown. ([#27117](https://github.com/cilium/cilium/issues/27117), [@ldelossa](https://github.com/ldelossa)) - Fixes an L7 proxy issue by re-introducing 2005 route table. ([#29530](https://github.com/cilium/cilium/issues/29530), [@jschwinger233](https://github.com/jschwinger233)) - gateway-api: fix empty URI when removing path prefix ([#28606](https://github.com/cilium/cilium/issues/28606), [@dddddai](https://github.com/dddddai)) - gateway-api: fix status reconcile error handling (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29894](https://github.com/cilium/cilium/issues/29894), [@mhofstetter](https://github.com/mhofstetter)) - gateway-api: Requeue Gateway for owning GRPCRoute (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30124](https://github.com/cilium/cilium/issues/30124), [@sayboras](https://github.com/sayboras)) - gateway: Add GRPCRoute support for status changed predicate (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30176](https://github.com/cilium/cilium/issues/30176), [@sayboras](https://github.com/sayboras)) - Handle `.status.conditions` on `Service`s using in accordance with KEP-1623 ([#27399](https://github.com/cilium/cilium/issues/27399), [@addreas](https://github.com/addreas)) - health: Update Cilium agent to listen on nodeip ([#26845](https://github.com/cilium/cilium/issues/26845), [@tamilmani1989](https://github.com/tamilmani1989)) - helm: Correct command for initContainer config ([#28613](https://github.com/cilium/cilium/issues/28613), [@sayboras](https://github.com/sayboras)) - helm: Fix envoy servicemonitor annotations (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30017](https://github.com/cilium/cilium/issues/30017), [@pmcgrath](https://github.com/pmcgrath)) - Implement full CES reconciliation logic in the operator ([#26836](https://github.com/cilium/cilium/issues/26836), [@alan-kut](https://github.com/alan-kut)) - init well-known identity before new policy repository to fix the fqdn policy issue when enable well-known identity. (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30052](https://github.com/cilium/cilium/issues/30052), [@yingnanzhang666](https://github.com/yingnanzhang666)) - L2 announcements retry getting lease after losing it (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30340](https://github.com/cilium/cilium/issues/30340), [@dylandreimerink](https://github.com/dylandreimerink)) - l2announcer: Leases are only created for services that are being announced. ([#29446](https://github.com/cilium/cilium/issues/29446), [@f1ko](https://github.com/f1ko)) - l7lb: Fix bug where not all relevant ports of a Service were synchronized to Envoy (Backport PR [#30264](https://github.com/cilium/cilium/issues/30264), Upstream PR [#30107](https://github.com/cilium/cilium/issues/30107), [@mhofstetter](https://github.com/mhofstetter)) - lbipam: Fix off-by-one error in LBIPAM range allocation ([#29425](https://github.com/cilium/cilium/issues/29425), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - maps/metricspath: protect against concurrent access in Collect (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30104](https://github.com/cilium/cilium/issues/30104), [@buroa](https://github.com/buroa)) - neigh: Install neighbor entries only on devices where routes exist ([#28782](https://github.com/cilium/cilium/issues/28782), [@ysksuzuki](https://github.com/ysksuzuki)) - node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (Backport PR [#30530](https://github.com/cilium/cilium/issues/30530), Upstream PR [#30423](https://github.com/cilium/cilium/issues/30423), [@gandro](https://github.com/gandro)) - nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR [#29973](https://github.com/cilium/cilium/issues/29973), Upstream PR [#29964](https://github.com/cilium/cilium/issues/29964), [@gandro](https://github.com/gandro)) - pkg/endpoint: fix endpoint health update always being ok. (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30365](https://github.com/cilium/cilium/issues/30365), [@tommyp1ckles](https://github.com/tommyp1ckles)) - pkg/nodediscovery: Updates updateCiliumNodeResource() Warning Message (Backport PR [#30349](https://github.com/cilium/cilium/issues/30349), Upstream PR [#30257](https://github.com/cilium/cilium/issues/30257), [@danehans](https://github.com/danehans)) - Policy revert used in rare error cases has been corrected. ([#29162](https://github.com/cilium/cilium/issues/29162), [@jrajahalme](https://github.com/jrajahalme)) - policy: Fix mapstate changes error in entry change comparison (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29815](https://github.com/cilium/cilium/issues/29815), [@jrajahalme](https://github.com/jrajahalme)) - proxy: fix multiple envoy listeners for same proxyType ([#27510](https://github.com/cilium/cilium/issues/27510), [@mhofstetter](https://github.com/mhofstetter)) - Remove a misplaces ls alias that caused `cilium-dbg bpf auth ls` to flush the map. (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30445](https://github.com/cilium/cilium/issues/30445), [@meyskens](https://github.com/meyskens)) - Remove non fatal errors from SPIRE client in the operator (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#28698](https://github.com/cilium/cilium/issues/28698), [@meyskens](https://github.com/meyskens)) - Replace use of `strict` to true for kubeProxyReplacement in helm chart ([#27433](https://github.com/cilium/cilium/issues/27433), [@xtineskim](https://github.com/xtineskim)) - Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. ([#29202](https://github.com/cilium/cilium/issues/29202), [@thorn3r](https://github.com/thorn3r)) - srv6: modify h.encap location in the datapath to avoid incompatibility with IPv4Masq ([#28817](https://github.com/cilium/cilium/issues/28817), [@ldelossa](https://github.com/ldelossa)) - statedb: Fix termination of string and IP keys ([#29368](https://github.com/cilium/cilium/issues/29368), [@joamaki](https://github.com/joamaki)) - The DNS proxy will now compute a UDP checksum over the IPv6 response packet and the pseudo-header. ([#29493](https://github.com/cilium/cilium/issues/29493), [@danehans](https://github.com/danehans)) - Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29848](https://github.com/cilium/cilium/issues/29848), [@joamaki](https://github.com/joamaki)) **CI Changes:** - .github/actions: remove GKE K8s v1.23 from test matrix. ([#28297](https://github.com/cilium/cilium/issues/28297), [@tommyp1ckles](https://github.com/tommyp1ckles)) - .github/workflows: don't error out if pkill finds no processes ([#26357](https://github.com/cilium/cilium/issues/26357), [@lmb](https://github.com/lmb)) - .github: bump k8s version from v1.28.0 -> v1.28.2. ([#28664](https://github.com/cilium/cilium/issues/28664), [@tommyp1ckles](https://github.com/tommyp1ckles)) - .github: dump buddyinfo and pagetypeinfo when ci-e2e fails ([#26600](https://github.com/cilium/cilium/issues/26600), [@lmb](https://github.com/lmb)) - .github: re-use common helm values from a single action ([#28180](https://github.com/cilium/cilium/issues/28180), [@aanm](https://github.com/aanm)) - .github: Remove Loki action ([#26676](https://github.com/cilium/cilium/issues/26676), [@joestringer](https://github.com/joestringer)) - Add 100 node scale test workflow ([#29214](https://github.com/cilium/cilium/issues/29214), [@learnitall](https://github.com/learnitall)) - Add initial, in-progress workflow for automated scale testing ([#28362](https://github.com/cilium/cilium/issues/28362), [@learnitall](https://github.com/learnitall)) - Add time wrapper to test agent delays in CI ([#27253](https://github.com/cilium/cilium/issues/27253), [@joestringer](https://github.com/joestringer)) - ariane: Disable ci-e2e-upgrade ([#29488](https://github.com/cilium/cilium/issues/29488), [@brb](https://github.com/brb)) - bpf/tests: Cover IPsec key rotations ([#27185](https://github.com/cilium/cilium/issues/27185), [@pchaigno](https://github.com/pchaigno)) - bpf/tests: Fixed `loop not unrolled` error in pktgen ([#28942](https://github.com/cilium/cilium/issues/28942), [@dylandreimerink](https://github.com/dylandreimerink)) - bpf: fix flakes when checking metrics map values. ([#28325](https://github.com/cilium/cilium/issues/28325), [@tommyp1ckles](https://github.com/tommyp1ckles)) - bpf: fix test configuration for 5.10 and 6.1 kernels (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29999](https://github.com/cilium/cilium/issues/29999), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: test: pktgen cleanups ([#26776](https://github.com/cilium/cilium/issues/26776), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: tests: add helpers for boilerplate code ([#27429](https://github.com/cilium/cilium/issues/27429), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: tests: add helpers for common patterns ([#27134](https://github.com/cilium/cilium/issues/27134), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: tests: improve CT checks for observed TCP flags ([#26802](https://github.com/cilium/cilium/issues/26802), [@julianwiedmann](https://github.com/julianwiedmann)) - build(deps): bump tornado from 6.2 to 6.3.3 in /Documentation ([#27497](https://github.com/cilium/cilium/issues/27497), [@dependabot](https://github.com/dependabot)\[bot]) - ci aws: cleanup EKS cluster in separate job ([#29412](https://github.com/cilium/cilium/issues/29412), [@mhofstetter](https://github.com/mhofstetter)) - CI images: Define a variable for the floating tags ([#28008](https://github.com/cilium/cilium/issues/28008), [@michi-covalent](https://github.com/michi-covalent)) - CI images: Define a variable for the floating tags ([#28228](https://github.com/cilium/cilium/issues/28228), [@michi-covalent](https://github.com/michi-covalent)) - CI Images: Don't push floating tags from feature branches ([#28044](https://github.com/cilium/cilium/issues/28044), [@michi-covalent](https://github.com/michi-covalent)) - ci-clustermesh-upgrade: Adjust name of test to run, to match cilium-cli's renaming (Backport PR [#30264](https://github.com/cilium/cilium/issues/30264), Upstream PR [#30211](https://github.com/cilium/cilium/issues/30211), [@qmonnet](https://github.com/qmonnet)) - ci-clustermesh-upgrade: Increment timeout between rollouts to 5min ([#29560](https://github.com/cilium/cilium/issues/29560), [@mhofstetter](https://github.com/mhofstetter)) - ci-e2e-upgrade: Bring it on ([#29073](https://github.com/cilium/cilium/issues/29073), [@brb](https://github.com/brb)) - ci-e2e-upgrade: Remove setting CLI vsn ([#29435](https://github.com/cilium/cilium/issues/29435), [@brb](https://github.com/brb)) - ci-e2e: Do not print matrix config in each step ([#27999](https://github.com/cilium/cilium/issues/27999), [@brb](https://github.com/brb)) - ci-e2e: Use kernel 6.1 instead of 6.0 ([#29345](https://github.com/cilium/cilium/issues/29345), [@brb](https://github.com/brb)) - ci-ginkgo: conditionally skip fetching artifacts & junit report ([#27081](https://github.com/cilium/cilium/issues/27081), [@mhofstetter](https://github.com/mhofstetter)) - ci-gke: adjust junit file names to matrix properties ([#27072](https://github.com/cilium/cilium/issues/27072), [@mhofstetter](https://github.com/mhofstetter)) - ci-gke: remove duplicated wait for cilium ([#29542](https://github.com/cilium/cilium/issues/29542), [@mhofstetter](https://github.com/mhofstetter)) - ci-ipsec-e2e: Misc refactor + more keys ([#29592](https://github.com/cilium/cilium/issues/29592), [@brb](https://github.com/brb)) - ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30503](https://github.com/cilium/cilium/issues/30503), [@qmonnet](https://github.com/qmonnet)) - ci: Add a call to the update label backport action (Backport PR [#30264](https://github.com/cilium/cilium/issues/30264), Upstream PR [#29902](https://github.com/cilium/cilium/issues/29902), [@joestringer](https://github.com/joestringer)) - ci: Add a workflow to update labels of backported PRs ([#27875](https://github.com/cilium/cilium/issues/27875), [@pippolo84](https://github.com/pippolo84)) - ci: add documentation check to documentation workflow ([#29684](https://github.com/cilium/cilium/issues/29684), [@mhofstetter](https://github.com/mhofstetter)) - ci: add K8s 1.28 platform testing ([#29004](https://github.com/cilium/cilium/issues/29004), [@nbusseneau](https://github.com/nbusseneau)) - CI: Add merge_group trigger ([#29276](https://github.com/cilium/cilium/issues/29276), [@brlbil](https://github.com/brlbil)) - ci: add scheduled runs for Ariane workflows ([#27687](https://github.com/cilium/cilium/issues/27687), [@nbusseneau](https://github.com/nbusseneau)) - ci: Automate generation and update of docs-builder image ([#24121](https://github.com/cilium/cilium/issues/24121), [@qmonnet](https://github.com/qmonnet)) - ci: Avoid using deprecated "tunnel" flag ([#28323](https://github.com/cilium/cilium/issues/28323), [@gandro](https://github.com/gandro)) - ci: Bump timeout of ci-runtime ([#29317](https://github.com/cilium/cilium/issues/29317), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - ci: Bump up the memory of LVH in conformance-e2e ([#29494](https://github.com/cilium/cilium/issues/29494), [@michi-covalent](https://github.com/michi-covalent)) - ci: disable preemptible VM & GKE clusters on tests based on GKE ([#29607](https://github.com/cilium/cilium/issues/29607), [@mhofstetter](https://github.com/mhofstetter)) - ci: don't write github commit status on push event ([#29404](https://github.com/cilium/cilium/issues/29404), [@mhofstetter](https://github.com/mhofstetter)) - ci: don't write github commit status on push event ([#29438](https://github.com/cilium/cilium/issues/29438), [@mhofstetter](https://github.com/mhofstetter)) - ci: Enable link checker to ensure that all links in documentation are valid ([#27116](https://github.com/cilium/cilium/issues/27116), [@vipul-21](https://github.com/vipul-21)) - ci: fix checking `github.event.pull_request.head.sha` ([#26775](https://github.com/cilium/cilium/issues/26775), [@mhofstetter](https://github.com/mhofstetter)) - ci: fix deployment issue with multiple clusters in same region ([#29427](https://github.com/cilium/cilium/issues/29427), [@mhofstetter](https://github.com/mhofstetter)) - ci: fix merge group required checks ([#29337](https://github.com/cilium/cilium/issues/29337), [@brlbil](https://github.com/brlbil)) - CI: fix missing names ([#27839](https://github.com/cilium/cilium/issues/27839), [@brlbil](https://github.com/brlbil)) - ci: fix typo in clustermesh workflow job name ([#29046](https://github.com/cilium/cilium/issues/29046), [@tklauser](https://github.com/tklauser)) - ci: increase cilium wait timeout to 10m on cloud providers ([#29541](https://github.com/cilium/cilium/issues/29541), [@mhofstetter](https://github.com/mhofstetter)) - ci: increase junit artifact retention from 2 to 5 days ([#27021](https://github.com/cilium/cilium/issues/27021), [@mhofstetter](https://github.com/mhofstetter)) - ci: migrate some schedule workflows to event trigger push ([#29433](https://github.com/cilium/cilium/issues/29433), [@mhofstetter](https://github.com/mhofstetter)) - ci: Remove useless quotes in update label workflow ([#28952](https://github.com/cilium/cilium/issues/28952), [@pippolo84](https://github.com/pippolo84)) - ci: replace GHA action Sibz/github-status-action ([#26976](https://github.com/cilium/cilium/issues/26976), [@mhofstetter](https://github.com/mhofstetter)) - ci: Run documentation workflow on README.rst updates ([#26559](https://github.com/cilium/cilium/issues/26559), [@qmonnet](https://github.com/qmonnet)) - ci: set multi-pool conformance workflow status on start ([#27969](https://github.com/cilium/cilium/issues/27969), [@tklauser](https://github.com/tklauser)) - ci: trigger multi-pool conformance workflow using ariane ([#27957](https://github.com/cilium/cilium/issues/27957), [@tklauser](https://github.com/tklauser)) - ci: upload and publish JUnit test results for conformance-multi-pool ([#27025](https://github.com/cilium/cilium/issues/27025), [@mhofstetter](https://github.com/mhofstetter)) - ci: use env variable to store branch name ([#26779](https://github.com/cilium/cilium/issues/26779), [@ferozsalam](https://github.com/ferozsalam)) - cilium-cli action: Specify the repository parameter ([#29338](https://github.com/cilium/cilium/issues/29338), [@michi-covalent](https://github.com/michi-covalent)) - Conformance AKS: wait for cilium-test namespace deletion during uninstallation (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29893](https://github.com/cilium/cilium/issues/29893), [@giorio94](https://github.com/giorio94)) - contrib/kind: Log DNS queries in CoreDNS pods ([#27874](https://github.com/cilium/cilium/issues/27874), [@pchaigno](https://github.com/pchaigno)) - Correctly use cli installer action in ipv4/6 smoke ([#28661](https://github.com/cilium/cilium/issues/28661), [@bleggett](https://github.com/bleggett)) - datapath: Clean up XFRM configs after unit tests ([#29332](https://github.com/cilium/cilium/issues/29332), [@pchaigno](https://github.com/pchaigno)) - Define PUSH_TO_DOCKER_HUB environment variable ([#29644](https://github.com/cilium/cilium/issues/29644), [@michi-covalent](https://github.com/michi-covalent)) - Drop support for EOLed Kubernetes versions ([#29174](https://github.com/cilium/cilium/issues/29174), [@michi-covalent](https://github.com/michi-covalent)) - egressgw: back out test for policy conflict in ENI mode ([#27432](https://github.com/cilium/cilium/issues/27432), [@julianwiedmann](https://github.com/julianwiedmann)) - egressgw: make reconciliationEventsCount an atomic.Uint64 ([#28154](https://github.com/cilium/cilium/issues/28154), [@jibi](https://github.com/jibi)) - egressgw: manager: test: mark helpers with c.Helper() ([#28020](https://github.com/cilium/cilium/issues/28020), [@jibi](https://github.com/jibi)) - egressgw: switch unit tests to reconciliationEventsCount ([#27881](https://github.com/cilium/cilium/issues/27881), [@jibi](https://github.com/jibi)) - egressgw: test for conflicting IP rules in ENI mode ([#27428](https://github.com/cilium/cilium/issues/27428), [@julianwiedmann](https://github.com/julianwiedmann)) - egressgw: tests: wait for initial sync reconciliation ([#29084](https://github.com/cilium/cilium/issues/29084), [@jibi](https://github.com/jibi)) - Extend BPF unit tests for IPsec ([#28438](https://github.com/cilium/cilium/issues/28438), [@jschwinger233](https://github.com/jschwinger233)) - Extend Integration Test timeout ([#27811](https://github.com/cilium/cilium/issues/27811), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - Extend the clustermesh workflows to additionally cover the external kvstore case (Backport PR [#30349](https://github.com/cilium/cilium/issues/30349), Upstream PR [#29983](https://github.com/cilium/cilium/issues/29983), [@giorio94](https://github.com/giorio94)) - Fix container scanning workflow ([#26542](https://github.com/cilium/cilium/issues/26542), [@ferozsalam](https://github.com/ferozsalam)) - Fix exporting results to gs bucket. ([#29587](https://github.com/cilium/cilium/issues/29587), [@marseel](https://github.com/marseel)) - Fix pre-flight clusterrole check ([#29224](https://github.com/cilium/cilium/issues/29224), [@marseel](https://github.com/marseel)) - Fix the build ([#28229](https://github.com/cilium/cilium/issues/28229), [@michi-covalent](https://github.com/michi-covalent)) - gateway-api: Disable HTTPRouteRequestMultipleMirrors again ([#28524](https://github.com/cilium/cilium/issues/28524), [@sayboras](https://github.com/sayboras)) - gateway-api: Enable CI for multiple mirror feature ([#28838](https://github.com/cilium/cilium/issues/28838), [@sayboras](https://github.com/sayboras)) - gh/workflows: Bump CLI to v0.15.18 (Backport PR [#29899](https://github.com/cilium/cilium/issues/29899), Upstream PR [#29849](https://github.com/cilium/cilium/issues/29849), [@brb](https://github.com/brb)) - gh/workflows: Bump CLI to v0.15.8 in e2e tests ([#28132](https://github.com/cilium/cilium/issues/28132), [@brb](https://github.com/brb)) - gh/workflows: Drop rading /proc in case of failure ([#29855](https://github.com/cilium/cilium/issues/29855), [@brb](https://github.com/brb)) - gh/workflows: Fix setting endpoint routes in ci-e2e ([#27384](https://github.com/cilium/cilium/issues/27384), [@brb](https://github.com/brb)) - gh: e2e: test conformance & upgrade with 5.4 kernel and EgressGW ([#29651](https://github.com/cilium/cilium/issues/29651), [@julianwiedmann](https://github.com/julianwiedmann)) - GHA: Add clustermesh upgrade and downgrade tests ([#27232](https://github.com/cilium/cilium/issues/27232), [@giorio94](https://github.com/giorio94)) - GHA: correctly test kvstoremesh in conformance-clustermesh ([#28434](https://github.com/cilium/cilium/issues/28434), [@giorio94](https://github.com/giorio94)) - gha: Disable HTTPRouteRequestMultipleMirrors test ([#28396](https://github.com/cilium/cilium/issues/28396), [@sayboras](https://github.com/sayboras)) - gha: Enable Ingress Controller tests in conformance-e2e ([#29130](https://github.com/cilium/cilium/issues/29130), [@sayboras](https://github.com/sayboras)) - gha: explicilty specify beefier runner type for clustermesh workflows (Backport PR [#30349](https://github.com/cilium/cilium/issues/30349), Upstream PR [#30335](https://github.com/cilium/cilium/issues/30335), [@giorio94](https://github.com/giorio94)) - gha: explicit branch and trigger in ariane-scheduled workflow ([#28432](https://github.com/cilium/cilium/issues/28432), [@giorio94](https://github.com/giorio94)) - gha: Migrate from MetalLB to L2LB ([#28926](https://github.com/cilium/cilium/issues/28926), [@sayboras](https://github.com/sayboras)) - gha: Remove priviledged helm option in {Ingress, Gateway} ([#28200](https://github.com/cilium/cilium/issues/28200), [@sayboras](https://github.com/sayboras)) - gha: sig-servicemesh owns Ingress or Gateway API related workflows ([#29812](https://github.com/cilium/cilium/issues/29812), [@sayboras](https://github.com/sayboras)) - golangci: enforce use of cilium/dns over miekg/dns ([#27936](https://github.com/cilium/cilium/issues/27936), [@tklauser](https://github.com/tklauser)) - identity: deflake test TestGetIdentity (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29720](https://github.com/cilium/cilium/issues/29720), [@mhofstetter](https://github.com/mhofstetter)) - Improve Conformance Cluster Mesh workflow coverage (Backport PR [#30349](https://github.com/cilium/cilium/issues/30349), Upstream PR [#29926](https://github.com/cilium/cilium/issues/29926), [@giorio94](https://github.com/giorio94)) - Improve service unit test robustness ([#26212](https://github.com/cilium/cilium/issues/26212), [@strudelPi](https://github.com/strudelPi)) - ingress: Add conformance test for KPR=false ([#27304](https://github.com/cilium/cilium/issues/27304), [@sayboras](https://github.com/sayboras)) - ipam: Fix race in NodeManager.Resync ([#26963](https://github.com/cilium/cilium/issues/26963), [@jaffcheng](https://github.com/jaffcheng)) - jenkinsfiles: remove kubernetes upstream ([#27349](https://github.com/cilium/cilium/issues/27349), [@aanm](https://github.com/aanm)) - k8s: Replace generate-internal-groups.sh script ([#27591](https://github.com/cilium/cilium/issues/27591), [@sayboras](https://github.com/sayboras)) - Make ci-ipsec-upgrade a part of /test ([#27557](https://github.com/cilium/cilium/issues/27557), [@jschwinger233](https://github.com/jschwinger233)) - Make LB-IPAM tests less flaky ([#29678](https://github.com/cilium/cilium/issues/29678), [@dylandreimerink](https://github.com/dylandreimerink)) - make: drop redundant `go vet ./...` from integration tests ([#26565](https://github.com/cilium/cilium/issues/26565), [@tklauser](https://github.com/tklauser)) - Mock out time for BPF ratelimit test to make it more stable ([#29740](https://github.com/cilium/cilium/issues/29740), [@dylandreimerink](https://github.com/dylandreimerink)) - Network performance (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30247](https://github.com/cilium/cilium/issues/30247), [@marseel](https://github.com/marseel)) - Remove coverage collection from BPF tests ([#28090](https://github.com/cilium/cilium/issues/28090), [@dylandreimerink](https://github.com/dylandreimerink)) - Remove validation timeout in controlplane testing ([#26414](https://github.com/cilium/cilium/issues/26414), [@pippolo84](https://github.com/pippolo84)) - renovate: enable Cilium CLI patch updates for Cilium \<v1.14 ([#29794](https://github.com/cilium/cilium/issues/29794), [@giorio94](https://github.com/giorio94)) - renovate: fix match string for go version updates in go.mod ([#28000](https://github.com/cilium/cilium/issues/28000), [@tklauser](https://github.com/tklauser)) - renovate: Pin cilium-cli version for \<v1.14 ([#26716](https://github.com/cilium/cilium/issues/26716), [@michi-covalent](https://github.com/michi-covalent)) - restore full go vet behaviour ([#28945](https://github.com/cilium/cilium/issues/28945), [@bimmlerd](https://github.com/bimmlerd)) - Revert "CI images: Define a variable for the floating tags" ([#28041](https://github.com/cilium/cilium/issues/28041), [@michi-covalent](https://github.com/michi-covalent)) - Revert quarantine k8s datapath services test ([#26400](https://github.com/cilium/cilium/issues/26400), [@marseel](https://github.com/marseel)) - Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR [#30349](https://github.com/cilium/cilium/issues/30349), Upstream PR [#30207](https://github.com/cilium/cilium/issues/30207), [@giorio94](https://github.com/giorio94)) - scale-test-100-gce: Use CILIUM_CLI_VERSION ([#29562](https://github.com/cilium/cilium/issues/29562), [@michi-covalent](https://github.com/michi-covalent)) - Set correct cluster name and id during upgrade test ([#29165](https://github.com/cilium/cilium/issues/29165), [@marseel](https://github.com/marseel)) - Setup Renovate for SPIRE deployment ([#27708](https://github.com/cilium/cilium/issues/27708), [@meyskens](https://github.com/meyskens)) - Simplify CI image build workflow before v1.15 branch ([#29834](https://github.com/cilium/cilium/issues/29834), [@joestringer](https://github.com/joestringer)) - Skip k8s upstream conformance test for multiple protocols on a Service ([#29524](https://github.com/cilium/cilium/issues/29524), [@youngnick](https://github.com/youngnick)) - Switch to on-demand instances for AWS tests on scheduled runs. ([#29366](https://github.com/cilium/cilium/issues/29366), [@marseel](https://github.com/marseel)) - test/k8s: clean up unused manifests ([#29436](https://github.com/cilium/cilium/issues/29436), [@tklauser](https://github.com/tklauser)) - test: custom calls: clean up kernel 4.9 leftovers ([#27887](https://github.com/cilium/cilium/issues/27887), [@julianwiedmann](https://github.com/julianwiedmann)) - test: Fail ginkgo tests on warnings ([#29624](https://github.com/cilium/cilium/issues/29624), [@pchaigno](https://github.com/pchaigno)) - test: Use previous in-pod CLI name for updates ([#29208](https://github.com/cilium/cilium/issues/29208), [@joestringer](https://github.com/joestringer)) - tests-e2e-upgrade: Use CILIUM_CLI_VERSION ([#29496](https://github.com/cilium/cilium/issues/29496), [@michi-covalent](https://github.com/michi-covalent)) - update upgrade tests to test from v1.14.0 to main ([#27114](https://github.com/cilium/cilium/issues/27114), [@aanm](https://github.com/aanm)) - workflows: cilium-config: parametrize egressgw helm values ([#28389](https://github.com/cilium/cilium/issues/28389), [@jibi](https://github.com/jibi)) - workflows: Increase IPsec e2e test's timeout (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30194](https://github.com/cilium/cilium/issues/30194), [@julianwiedmann](https://github.com/julianwiedmann)) - workflows: Increase IPsec upgrade test's timeout (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29934](https://github.com/cilium/cilium/issues/29934), [@pchaigno](https://github.com/pchaigno)) - workflows: Pin conn-disrupt-test GH action to main ([#29402](https://github.com/cilium/cilium/issues/29402), [@pchaigno](https://github.com/pchaigno)) **Misc Changes:** - .clang-format: Re-write and re-license .clang-format ([#26640](https://github.com/cilium/cilium/issues/26640), [@qmonnet](https://github.com/qmonnet)) - .github/actions/helm-default: use the derived SHA as image tag ([#28410](https://github.com/cilium/cilium/issues/28410), [@aanm](https://github.com/aanm)) - .github/workflows: only cancel concurrent jobs if not in merge_group ([#29431](https://github.com/cilium/cilium/issues/29431), [@aanm](https://github.com/aanm)) - .github: add Dockerfile for hubble-relay image in Renovate config ([#27404](https://github.com/cilium/cilium/issues/27404), [@aanm](https://github.com/aanm)) - .github: add workflow to track replied issues ([#27283](https://github.com/cilium/cilium/issues/27283), [@aanm](https://github.com/aanm)) - .github: Build images for vX.Y.Z-pre.N releases ([#27862](https://github.com/cilium/cilium/issues/27862), [@joestringer](https://github.com/joestringer)) - .github: do not group jobs on merge queues ([#29551](https://github.com/cilium/cilium/issues/29551), [@aanm](https://github.com/aanm)) - .github: do not upgrade ubuntu runner for integration tests ([#27829](https://github.com/cilium/cilium/issues/27829), [@aanm](https://github.com/aanm)) - .github: fix renovate config ([#27727](https://github.com/cilium/cilium/issues/27727), [@aanm](https://github.com/aanm)) - .github: Fix typo in workflow stage name ([#28504](https://github.com/cilium/cilium/issues/28504), [@joestringer](https://github.com/joestringer)) - .github: Remove master mirror ([#25806](https://github.com/cilium/cilium/issues/25806), [@joestringer](https://github.com/joestringer)) - .github: Remove remaining references to v1.11 ([#26681](https://github.com/cilium/cilium/issues/26681), [@joestringer](https://github.com/joestringer)) - .github: use kindest/node instead of quay.io/cilium/kindest-node ([#27729](https://github.com/cilium/cilium/issues/27729), [@aanm](https://github.com/aanm)) - .github: write the right regex for little-vm-images versioning ([#27390](https://github.com/cilium/cilium/issues/27390), [@aanm](https://github.com/aanm)) - [@eloycoto](https://github.com/eloycoto) is no longer an active committer ([#27978](https://github.com/cilium/cilium/issues/27978), [@eloycoto](https://github.com/eloycoto)) - \[v1.15] docs: add deprecation notice for enable-remote-node-identity for v1.15 ([#30208](https://github.com/cilium/cilium/issues/30208), [@tklauser](https://github.com/tklauser)) - Add a troubleshooting Gateway API part of the documentation ([#25945](https://github.com/cilium/cilium/issues/25945), [@meyskens](https://github.com/meyskens)) - Add AirQo to Cilium USERS.md ([#29467](https://github.com/cilium/cilium/issues/29467), [@123MwanjeMike](https://github.com/123MwanjeMike)) - Add an option to force BPF attachment to native device ([#29176](https://github.com/cilium/cilium/issues/29176), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - Add Berops to `USERS.md` ([#27483](https://github.com/cilium/cilium/issues/27483), [@bernardhalas](https://github.com/bernardhalas)) - Add CEP and CES resources ([#29244](https://github.com/cilium/cilium/issues/29244), [@pippolo84](https://github.com/pippolo84)) - Add checks to avoid use of logrus WithFields function in hot paths ([#26327](https://github.com/cilium/cilium/issues/26327), [@learnitall](https://github.com/learnitall)) - Add Cybozu to USERS.md ([#29231](https://github.com/cilium/cilium/issues/29231), [@chez-shanpu](https://github.com/chez-shanpu)) - Add Dcode.tech to USERS.md ([#28996](https://github.com/cilium/cilium/issues/28996), [@eliranw](https://github.com/eliranw)) - Add deepcopy plugin ([#26978](https://github.com/cilium/cilium/issues/26978), [@AwesomePatrol](https://github.com/AwesomePatrol)) - Add docs on first and last IP of LB-IPAM pool ([#27110](https://github.com/cilium/cilium/issues/27110), [@darox](https://github.com/darox)) - Add error check during datapath/loader reinitialization as ApplySettings could return an error while applying sysctl settings. ([#27195](https://github.com/cilium/cilium/issues/27195), [@derailed](https://github.com/derailed)) - Add G DATA CyberDefense AG as user ([#27316](https://github.com/cilium/cilium/issues/27316), [@farodin91](https://github.com/farodin91)) - Add guidance for bumping the Golang version in Cilium ([#26789](https://github.com/cilium/cilium/issues/26789), [@ferozsalam](https://github.com/ferozsalam)) - Add IDNIC/Kadabra as user to Cilium ([#28958](https://github.com/cilium/cilium/issues/28958), [@ardikabs](https://github.com/ardikabs)) - Add link in maintainers.md and contributing guide to contributor ladder ([#28778](https://github.com/cilium/cilium/issues/28778), [@xmulligan](https://github.com/xmulligan)) - Add link to getting started guide for kind cluster for common "too many files" issue ([#28522](https://github.com/cilium/cilium/issues/28522), [@dipankardas011](https://github.com/dipankardas011)) - add links to enterprise support and slack to the issues page for easier discoverability ([#26551](https://github.com/cilium/cilium/issues/26551), [@xmulligan](https://github.com/xmulligan)) - add lint-go to merge queue check ([#27542](https://github.com/cilium/cilium/issues/27542), [@aanm](https://github.com/aanm)) - Add metrics for LB-IPAM ([#26173](https://github.com/cilium/cilium/issues/26173), [@dylandreimerink](https://github.com/dylandreimerink)) - Add node activity health reporters on node manager ([#28799](https://github.com/cilium/cilium/issues/28799), [@derailed](https://github.com/derailed)) - Add note to the quick install documentation for increasing inotify limits ([#27140](https://github.com/cilium/cilium/issues/27140), [@leblowl](https://github.com/leblowl)) - Add Parseable to USERS.md ([#28675](https://github.com/cilium/cilium/issues/28675), [@nitisht](https://github.com/nitisht)) - Add prerelease-testing issue template ([#27766](https://github.com/cilium/cilium/issues/27766), [@jspaleta](https://github.com/jspaleta)) - Add Schenker to the user list ([#27833](https://github.com/cilium/cilium/issues/27833), [@amirkkn](https://github.com/amirkkn)) - Add script to run GitHub ginkgo workflow locally ([#26540](https://github.com/cilium/cilium/issues/26540), [@qmonnet](https://github.com/qmonnet)) - Add table for node addresses ([#28962](https://github.com/cilium/cilium/issues/28962), [@joamaki](https://github.com/joamaki)) - add traffic shifting example for service mesh ([#27845](https://github.com/cilium/cilium/issues/27845), [@tanjunchen](https://github.com/tanjunchen)) - add Twilio to Users list ([#27755](https://github.com/cilium/cilium/issues/27755), [@michaelsaah](https://github.com/michaelsaah)) - add v1.15.0-pre.2 release ([#28903](https://github.com/cilium/cilium/issues/28903), [@aanm](https://github.com/aanm)) - Add workload label context (hubble metrics). ([#25667](https://github.com/cilium/cilium/issues/25667), [@marqc](https://github.com/marqc)) - Added metrics for jobs ([#26077](https://github.com/cilium/cilium/issues/26077), [@dylandreimerink](https://github.com/dylandreimerink)) - Address device <-> node addressing race ([#29555](https://github.com/cilium/cilium/issues/29555), [@bimmlerd](https://github.com/bimmlerd)) - address missing binary checks for `make dev-doctor`. ([#28269](https://github.com/cilium/cilium/issues/28269), [@fujitatomoya](https://github.com/fujitatomoya)) - alibabacloud: Allocate from vswitches with the most IP addresses ([#27696](https://github.com/cilium/cilium/issues/27696), [@jaffcheng](https://github.com/jaffcheng)) - Allow Golang bump to v1.20 on Cilium v1.12 and v1.13 ([#27434](https://github.com/cilium/cilium/issues/27434), [@ferozsalam](https://github.com/ferozsalam)) - api: Allow middleware to be injected via Hive ([#29223](https://github.com/cilium/cilium/issues/29223), [@gandro](https://github.com/gandro)) - api: regenerate flow.pb.go ([#27852](https://github.com/cilium/cilium/issues/27852), [@Jack-R-lantern](https://github.com/Jack-R-lantern)) - auth: depend on nodeIDHandler directly ([#27106](https://github.com/cilium/cilium/issues/27106), [@mhofstetter](https://github.com/mhofstetter)) - Avoid requiring the latest Go toolchain patch version to build ([#28686](https://github.com/cilium/cilium/issues/28686), [@joestringer](https://github.com/joestringer)) - BGP CP: API Helper Functions Cleanup ([#28036](https://github.com/cilium/cilium/issues/28036), [@danehans](https://github.com/danehans)) - BGP CP: Calls String() Afi/Safi Methods instead of Duplicative Funcs ([#28035](https://github.com/cilium/cilium/issues/28035), [@danehans](https://github.com/danehans)) - BGP CP: Replaces LocalNodeStore with Local CiliumNode ([#28238](https://github.com/cilium/cilium/issues/28238), [@danehans](https://github.com/danehans)) - bgp: fix up formatting in CiliumBGPPeeringPolicy ([#27219](https://github.com/cilium/cilium/issues/27219), [@julianwiedmann](https://github.com/julianwiedmann)) - bgpv1,ci: Add Test_AdvertisedPathAttributes into BGP component tests ([#28484](https://github.com/cilium/cilium/issues/28484), [@rastislavs](https://github.com/rastislavs)) - bgpv1,ci: Do not use asserts in Eventually() test conditions ([#28489](https://github.com/cilium/cilium/issues/28489), [@rastislavs](https://github.com/rastislavs)) - bgpv1: Add GetRoutes method to Router interface and generic Path type ([#26803](https://github.com/cilium/cilium/issues/26803), [@rastislavs](https://github.com/rastislavs)) - bgpv1: Consolidate reconciler-specific maps into generic ReconcilerMetadata ([#27568](https://github.com/cilium/cilium/issues/27568), [@rastislavs](https://github.com/rastislavs)) - bgpv1: fix incorrect error messages in the reconcilePodIPPool function ([#29125](https://github.com/cilium/cilium/issues/29125), [@hargrovee](https://github.com/hargrovee)) - bgpv1: fix merge race conflict on NewGoBGPServer ([#29321](https://github.com/cilium/cilium/issues/29321), [@mhofstetter](https://github.com/mhofstetter)) - bgpv1: Prevent multiple reconcilers with the same name ([#29071](https://github.com/cilium/cilium/issues/29071), [@rastislavs](https://github.com/rastislavs)) - bgpv1: Remove inappropriate comments and fix typo ([#28562](https://github.com/cilium/cilium/issues/28562), [@hargrovee](https://github.com/hargrovee)) - bgpv1: remove references to advertisement from CiliumBGPPeeringPolicy (Backport PR [#30531](https://github.com/cilium/cilium/issues/30531), Upstream PR [#30337](https://github.com/cilium/cilium/issues/30337), [@harsimran-pabla](https://github.com/harsimran-pabla)) - bgpv1: Reorganize BGP config reconcilers ([#29277](https://github.com/cilium/cilium/issues/29277), [@rastislavs](https://github.com/rastislavs)) - bgpv1: set running flag in manager (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#30013](https://github.com/cilium/cilium/issues/30013), [@harsimran-pabla](https://github.com/harsimran-pabla)) - bgpv1: Use Path type in AdvertisePath & WithdrawPath ([#27223](https://github.com/cilium/cilium/issues/27223), [@rastislavs](https://github.com/rastislavs)) - bgpv1: Use specific log message and remove unused parameter ([#28895](https://github.com/cilium/cilium/issues/28895), [@hargrovee](https://github.com/hargrovee)) - bigtcp: Modularize and use the devices table ([#28643](https://github.com/cilium/cilium/issues/28643), [@joamaki](https://github.com/joamaki)) - bpf,fib: refactor lib/fib.h to remove the now redundant code ([#26380](https://github.com/cilium/cilium/issues/26380), [@ldelossa](https://github.com/ldelossa)) - bpf/Makefile: remove gen_compile_commands make target ([#29611](https://github.com/cilium/cilium/issues/29611), [@ti-mo](https://github.com/ti-mo)) - bpf: avoid calculating L4 offset ([#27313](https://github.com/cilium/cilium/issues/27313), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: clean up CB_NAT ([#28375](https://github.com/cilium/cilium/issues/28375), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: clean up some drop notifications ([#28431](https://github.com/cilium/cilium/issues/28431), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: clean up some IPv4 header validations ([#29585](https://github.com/cilium/cilium/issues/29585), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: conntrack: improve handling of CT_REOPENED result ([#28597](https://github.com/cilium/cilium/issues/28597), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: ct: clean up unused .seen_non_syn flag for ICMP entries ([#26754](https://github.com/cilium/cilium/issues/26754), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: ct: document some unused fields in ct_entry struct ([#27692](https://github.com/cilium/cilium/issues/27692), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: ct: reuse get_ct_map\*() in get_cluster_ct_map\*() ([#27849](https://github.com/cilium/cilium/issues/27849), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: Delete obsolete do_netdev_encrypt_pools() ([#28063](https://github.com/cilium/cilium/issues/28063), [@jschwinger233](https://github.com/jschwinger233)) - bpf: don't build all bpf when making containers (fix) ([#25937](https://github.com/cilium/cilium/issues/25937), [@squeed](https://github.com/squeed)) - bpf: dsr: ensure that Geneve options have correct size ([#26707](https://github.com/cilium/cilium/issues/26707), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: egressgw: allow to override external API ([#28277](https://github.com/cilium/cilium/issues/28277), [@jibi](https://github.com/jibi)) - bpf: egressgw: make ct_status an enum ([#28399](https://github.com/cilium/cilium/issues/28399), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: egressgw: pass IPv4 tuple to egress_gw_request_needs_redirect ([#27851](https://github.com/cilium/cilium/issues/27851), [@jibi](https://github.com/jibi)) - bpf: egressgw: tolerate BPF_FIB_LKUP_RET_NO_NEIGH on older kernels (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30286](https://github.com/cilium/cilium/issues/30286), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: encap: clean up usage of \__encap_and_redirect_with_nodeid() ([#28411](https://github.com/cilium/cilium/issues/28411), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: exclude EgressGW logic in bpf_overlay ([#26611](https://github.com/cilium/cilium/issues/26611), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: fib: fix issues with L2 resolution (Backport PR [#30349](https://github.com/cilium/cilium/issues/30349), Upstream PR [#30128](https://github.com/cilium/cilium/issues/30128), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: fine-tune a few L3 header validations ([#28669](https://github.com/cilium/cilium/issues/28669), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: host: adjust scope of HostFW section in handle_ipv6() ([#29052](https://github.com/cilium/cilium/issues/29052), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: hs-ipcache: use get_id_from_tunnel_id() ([#28508](https://github.com/cilium/cilium/issues/28508), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: install proxy routes using Go, remove init.sh ([#27445](https://github.com/cilium/cilium/issues/27445), [@ti-mo](https://github.com/ti-mo)) - bpf: ipsec: move get_min_encrypt_key() to encrypt.h ([#28991](https://github.com/cilium/cilium/issues/28991), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: ipv4: always return drop reason from ipv4\_handle_fragmentation() (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29880](https://github.com/cilium/cilium/issues/29880), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: ipv4: refactor L4 port extraction for fragmented packets ([#28717](https://github.com/cilium/cilium/issues/28717), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic ([#29721](https://github.com/cilium/cilium/issues/29721), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: lb: return drop reasons from \__lb4\_rev_nat() (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30410](https://github.com/cilium/cilium/issues/30410), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: let set_identity_mark() also set MARK_MAGIC_IDENTITY ([#28665](https://github.com/cilium/cilium/issues/28665), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: lxc: avoid upgrade/downgrade woes with CB_FROM_TUNNEL in IPv6 path ([#29304](https://github.com/cilium/cilium/issues/29304), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: lxc: clarify kube-proxy workaround in to-container path ([#27604](https://github.com/cilium/cilium/issues/27604), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: lxc: cleanups ([#27044](https://github.com/cilium/cilium/issues/27044), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: lxc: remove unused IPv6 loopback code ([#27601](https://github.com/cilium/cilium/issues/27601), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: lxc: transfer sec identity for per-EP loopback in reply direction ([#27812](https://github.com/cilium/cilium/issues/27812), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: make it easier to figure out which BUILD_PERMUTATION failed ([#27541](https://github.com/cilium/cilium/issues/27541), [@lmb](https://github.com/lmb)) - bpf: minor ICMPv6 improvements ([#26563](https://github.com/cilium/cilium/issues/26563), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: minor loopback cleanups ([#27764](https://github.com/cilium/cilium/issues/27764), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nat: fully switch to snat_v\*\_rewrite_helpers() ([#29403](https://github.com/cilium/cilium/issues/29403), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nat: Handle errors from snat_v(4|6)\_prepare_state() ([#26501](https://github.com/cilium/cilium/issues/26501), [@qmonnet](https://github.com/qmonnet)) - bpf: nat: improve logic that creates the NAT entries ([#26594](https://github.com/cilium/cilium/issues/26594), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nat: limit EgressGW redirect check to bpf_host ([#29159](https://github.com/cilium/cilium/issues/29159), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nat: minor improvements ([#26520](https://github.com/cilium/cilium/issues/26520), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nat: pass NAT map to snat_v4\_new_mapping() ([#29049](https://github.com/cilium/cilium/issues/29049), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nat: share rewrite logic in RevSNAT path ([#27366](https://github.com/cilium/cilium/issues/27366), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nat: small Masquerading improvements ([#26848](https://github.com/cilium/cilium/issues/26848), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nat: SNAT cleanups ([#26889](https://github.com/cilium/cilium/issues/26889), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nat: use common set of rewrite helpers ([#27509](https://github.com/cilium/cilium/issues/27509), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nodeport: constrain CT lookups to relevant entry types ([#27607](https://github.com/cilium/cilium/issues/27607), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nodeport: improve ICMP vs DSR co-existence ([#26562](https://github.com/cilium/cilium/issues/26562), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nodeport: improve tracing for inlined RevDNAT processing ([#27191](https://github.com/cilium/cilium/issues/27191), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nodeport: integrate Ingress RevSNAT and RevDNAT paths ([#27488](https://github.com/cilium/cilium/issues/27488), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nodeport: re-introduce Ingress HostFW between RevSNAT and RevDNAT ([#28960](https://github.com/cilium/cilium/issues/28960), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nodeport: split up ingress path when HostFW is enabled (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30442](https://github.com/cilium/cilium/issues/30442), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: overlay: clarify delivery to local host ([#27580](https://github.com/cilium/cilium/issues/27580), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: overlay: clean up CB_SRC_LABEL handling in inter-cluster-SNAT path ([#28134](https://github.com/cilium/cilium/issues/28134), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: overlay: clean up extraction of source identity ([#28608](https://github.com/cilium/cilium/issues/28608), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: overlay: remove unused code ([#27026](https://github.com/cilium/cilium/issues/27026), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: overlay: restore bpf_clear_meta() in from-overlay (Backport PR [#30349](https://github.com/cilium/cilium/issues/30349), Upstream PR [#30343](https://github.com/cilium/cilium/issues/30343), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: policy: cleanups to reduce program size ([#27369](https://github.com/cilium/cilium/issues/27369), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: Rename proxy_identity to src_sec_identity ([#27517](https://github.com/cilium/cilium/issues/27517), [@joestringer](https://github.com/joestringer)) - bpf: s/ipcache_lookup\*()/lookup_ip\*\_remote_endpoint() ([#28805](https://github.com/cilium/cilium/issues/28805), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: small improvements in TTL / hoplimit handling ([#27146](https://github.com/cilium/cilium/issues/27146), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: snat: DSR-eligible traffic can skip check for Nodeport NAT conflict ([#26674](https://github.com/cilium/cilium/issues/26674), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: tests: minor cleanups ([#29354](https://github.com/cilium/cilium/issues/29354), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: tunnel-related cleanups in to-container path ([#28920](https://github.com/cilium/cilium/issues/28920), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: use l4\_load_ports() everywhere ([#29135](https://github.com/cilium/cilium/issues/29135), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: xdp: remove unused XFER_ENCAP_\* enums ([#27264](https://github.com/cilium/cilium/issues/27264), [@julianwiedmann](https://github.com/julianwiedmann)) - Bug: Fix module health status output ([#29140](https://github.com/cilium/cilium/issues/29140), [@derailed](https://github.com/derailed)) - build(deps): bump certifi from 2022.12.7 to 2023.7.22 in /Documentation ([#27064](https://github.com/cilium/cilium/issues/27064), [@dependabot](https://github.com/dependabot)\[bot]) - build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30219](https://github.com/cilium/cilium/issues/30219), [@dependabot](https://github.com/dependabot)\[bot]) - build(deps): bump pygments from 2.14.0 to 2.15.0 in /Documentation ([#26957](https://github.com/cilium/cilium/issues/26957), [@dependabot](https://github.com/dependabot)\[bot]) - build(deps): bump urllib3 from 2.0.4 to 2.0.6 in /Documentation ([#28365](https://github.com/cilium/cilium/issues/28365), [@dependabot](https://github.com/dependabot)\[bot]) - build(deps): bump urllib3 from 2.0.6 to 2.0.7 in /Documentation ([#28658](https://github.com/cilium/cilium/issues/28658), [@dependabot](https://github.com/dependabot)\[bot]) - build: Declare GO in makefile before first use ([#28983](https://github.com/cilium/cilium/issues/28983), [@sayboras](https://github.com/sayboras)) - build: fix usage of local golangci-lint installation ([#28162](https://github.com/cilium/cilium/issues/28162), [@mhofstetter](https://github.com/mhofstetter)) - build: Remove envoy from Makefile target ([#28436](https://github.com/cilium/cilium/issues/28436), [@sayboras](https://github.com/sayboras)) - Bump allowed Golang version for v1.11 and v1.12 ([#26713](https://github.com/cilium/cilium/issues/26713), [@ferozsalam](https://github.com/ferozsalam)) - Bump controller-tools fork to v0.8.0-1 ([#27063](https://github.com/cilium/cilium/issues/27063), [@christarazi](https://github.com/christarazi)) - Change makefile cache to rebuild on header changes ([#27605](https://github.com/cilium/cilium/issues/27605), [@dylandreimerink](https://github.com/dylandreimerink)) - Changed cilium status CLI output to render the modules health section as a tree structure vs tabular data. ([#28800](https://github.com/cilium/cilium/issues/28800), [@derailed](https://github.com/derailed)) - chart: define the envoy image variable in the makefile ([#27725](https://github.com/cilium/cilium/issues/27725), [@weizhoublue](https://github.com/weizhoublue)) - Check for cilium.sock in /healthz endpoint ([#28343](https://github.com/cilium/cilium/issues/28343), [@chaunceyjiang](https://github.com/chaunceyjiang)) - chore(deps): pin hramos/needs-attention action to [`4d47f33`](https://github.com/cilium/cilium/commit/4d47f33) (main) ([#27286](https://github.com/cilium/cilium/issues/27286), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update actions/checkout action to v3.5.3 (main) ([#26568](https://github.com/cilium/cilium/issues/26568), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update actions/checkout action to v4 (main) ([#27940](https://github.com/cilium/cilium/issues/27940), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update actions/checkout action to v4 (main) ([#29539](https://github.com/cilium/cilium/issues/29539), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update actions/github-script action to v7 (main) ([#29142](https://github.com/cilium/cilium/issues/29142), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update actions/setup-go action to v5 (v1.15) ([#30142](https://github.com/cilium/cilium/issues/30142), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update actions/setup-python action to v4.8.0 (main) ([#29769](https://github.com/cilium/cilium/issues/29769), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update actions/stale action to v9 (main) ([#29772](https://github.com/cilium/cilium/issues/29772), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) ([#27904](https://github.com/cilium/cilium/issues/27904), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) ([#28188](https://github.com/cilium/cilium/issues/28188), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) ([#28736](https://github.com/cilium/cilium/issues/28736), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) ([#28987](https://github.com/cilium/cilium/issues/28987), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (minor) ([#26570](https://github.com/cilium/cilium/issues/26570), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (minor) ([#26821](https://github.com/cilium/cilium/issues/26821), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (minor) ([#27737](https://github.com/cilium/cilium/issues/27737), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (minor) ([#28616](https://github.com/cilium/cilium/issues/28616), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (minor) ([#29260](https://github.com/cilium/cilium/issues/29260), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (patch) ([#26691](https://github.com/cilium/cilium/issues/26691), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (patch) ([#26819](https://github.com/cilium/cilium/issues/26819), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (patch) ([#27478](https://github.com/cilium/cilium/issues/27478), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (patch) ([#28066](https://github.com/cilium/cilium/issues/28066), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (patch) ([#28190](https://github.com/cilium/cilium/issues/28190), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (patch) ([#28603](https://github.com/cilium/cilium/issues/28603), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (patch) ([#28724](https://github.com/cilium/cilium/issues/28724), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (patch) ([#29262](https://github.com/cilium/cilium/issues/29262), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (patch) ([#29387](https://github.com/cilium/cilium/issues/29387), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (main) (patch) ([#29533](https://github.com/cilium/cilium/issues/29533), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies to v2 (main) (major) ([#29540](https://github.com/cilium/cilium/issues/29540), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies to v3 (main) (major) ([#28099](https://github.com/cilium/cilium/issues/28099), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies to v5 (main) (major) ([#29773](https://github.com/cilium/cilium/issues/29773), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all kind-images main (main) ([#27477](https://github.com/cilium/cilium/issues/27477), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all kind-images main (main) (patch) ([#27479](https://github.com/cilium/cilium/issues/27479), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#27339](https://github.com/cilium/cilium/issues/27339), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#27372](https://github.com/cilium/cilium/issues/27372), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#27421](https://github.com/cilium/cilium/issues/27421), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#27858](https://github.com/cilium/cilium/issues/27858), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#28037](https://github.com/cilium/cilium/issues/28037), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#28147](https://github.com/cilium/cilium/issues/28147), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#28345](https://github.com/cilium/cilium/issues/28345), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#28725](https://github.com/cilium/cilium/issues/28725), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#28859](https://github.com/cilium/cilium/issues/28859), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#29388](https://github.com/cilium/cilium/issues/29388), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#29534](https://github.com/cilium/cilium/issues/29534), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#29556](https://github.com/cilium/cilium/issues/29556), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (main) (patch) ([#29766](https://github.com/cilium/cilium/issues/29766), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (v1.15) (patch) ([#30225](https://github.com/cilium/cilium/issues/30225), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update anchore/scan-action action to v3.3.8 (main) ([#29573](https://github.com/cilium/cilium/issues/29573), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update aws-actions/configure-aws-credentials action to v3 (main) ([#27743](https://github.com/cilium/cilium/issues/27743), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update aws-actions/configure-aws-credentials action to v4 (main) ([#28100](https://github.com/cilium/cilium/issues/28100), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/cilium digest to [`1633d7b`](https://github.com/cilium/cilium/commit/1633d7b) (main) ([#28868](https://github.com/cilium/cilium/issues/28868), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/cilium digest to [`614f2dd`](https://github.com/cilium/cilium/commit/614f2dd) (main) ([#29386](https://github.com/cilium/cilium/issues/29386), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/cilium digest to [`6180087`](https://github.com/cilium/cilium/commit/6180087) (main) ([#28096](https://github.com/cilium/cilium/issues/28096), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/cilium digest to [`8a11744`](https://github.com/cilium/cilium/commit/8a11744) (main) ([#28077](https://github.com/cilium/cilium/issues/28077), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/cilium digest to [`93f26fd`](https://github.com/cilium/cilium/commit/93f26fd) (main) ([#29141](https://github.com/cilium/cilium/issues/29141), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/cilium digest to [`a79241a`](https://github.com/cilium/cilium/commit/a79241a) (main) ([#28721](https://github.com/cilium/cilium/issues/28721), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/cilium digest to [`ccaaa85`](https://github.com/cilium/cilium/commit/ccaaa85) (main) ([#28069](https://github.com/cilium/cilium/issues/28069), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/cilium digest to [`ce02445`](https://github.com/cilium/cilium/commit/ce02445) (main) ([#28629](https://github.com/cilium/cilium/issues/28629), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/cilium digest to [`ef8ca62`](https://github.com/cilium/cilium/commit/ef8ca62) (main) ([#29120](https://github.com/cilium/cilium/issues/29120), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/cilium-cli action to v0.15.4 (main) ([#26971](https://github.com/cilium/cilium/issues/26971), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/cilium-cli action to v0.15.6 (main) ([#27600](https://github.com/cilium/cilium/issues/27600), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/little-vm-helper action to v0.0.12 (main) ([#26974](https://github.com/cilium/cilium/issues/26974), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/little-vm-helper action to v0.0.12 (main) ([#27257](https://github.com/cilium/cilium/issues/27257), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.0 (main) ([#26571](https://github.com/cilium/cilium/issues/26571), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.10 (main) ([#28460](https://github.com/cilium/cilium/issues/28460), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.10 (main) ([#28604](https://github.com/cilium/cilium/issues/28604), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.11 (main) ([#28624](https://github.com/cilium/cilium/issues/28624), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.13 (main) ([#28989](https://github.com/cilium/cilium/issues/28989), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.14 (main) ([#29234](https://github.com/cilium/cilium/issues/29234), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.16 (main) ([#29464](https://github.com/cilium/cilium/issues/29464), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.17 (main) ([#29557](https://github.com/cilium/cilium/issues/29557), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.19 (main) (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29942](https://github.com/cilium/cilium/issues/29942), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.19 (v1.15) ([#30141](https://github.com/cilium/cilium/issues/30141), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.2 (main) ([#26784](https://github.com/cilium/cilium/issues/26784), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.15) ([#30201](https://github.com/cilium/cilium/issues/30201), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.3 (main) ([#26875](https://github.com/cilium/cilium/issues/26875), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.4 (main) ([#27127](https://github.com/cilium/cilium/issues/27127), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.5 (main) ([#27258](https://github.com/cilium/cilium/issues/27258), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.5 (main) ([#27261](https://github.com/cilium/cilium/issues/27261), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.6 (main) ([#27613](https://github.com/cilium/cilium/issues/27613), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.7 (main) ([#27859](https://github.com/cilium/cilium/issues/27859), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.8 (main) ([#28191](https://github.com/cilium/cilium/issues/28191), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.9 ([#28406](https://github.com/cilium/cilium/issues/28406), [@joestringer](https://github.com/joestringer)) - chore(deps): update dependency cilium/hubble to v0.12.1 (main) ([#28520](https://github.com/cilium/cilium/issues/28520), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v0.12.2 (main) ([#28565](https://github.com/cilium/cilium/issues/28565), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency eksctl-io/eksctl to v0.165.0 (main) ([#29537](https://github.com/cilium/cilium/issues/29537), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency go to v1.21.1 (main) ([#28067](https://github.com/cilium/cilium/issues/28067), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency go to v1.21.4 (main) ([#29558](https://github.com/cilium/cilium/issues/29558), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency google/gops to v0.3.28 (main) ([#27412](https://github.com/cilium/cilium/issues/27412), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency kubernetes/kops to v1.28.1 (main) ([#29128](https://github.com/cilium/cilium/issues/29128), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency ubuntu to v22 (main) ([#27745](https://github.com/cilium/cilium/issues/27745), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/alpine docker tag to v3.18.3 (main) ([#27735](https://github.com/cilium/cilium/issues/27735), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/alpine docker tag to v3.18.4 (main) ([#28346](https://github.com/cilium/cilium/issues/28346), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (main) ([#29535](https://github.com/cilium/cilium/issues/29535), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/alpine docker tag to v3.19.0 (main) ([#29770](https://github.com/cilium/cilium/issues/29770), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/alpine docker tag to v3.19.1 (v1.15) ([#30491](https://github.com/cilium/cilium/issues/30491), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.20.5 docker digest to [`344193a`](https://github.com/cilium/cilium/commit/344193a) (main) ([#26481](https://github.com/cilium/cilium/issues/26481), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.20.6 docker digest to [`cfc9d1b`](https://github.com/cilium/cilium/commit/cfc9d1b) (main) ([#26818](https://github.com/cilium/cilium/issues/26818), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.21.0 docker digest to [`b490ae1`](https://github.com/cilium/cilium/commit/b490ae1) (main) ([#27598](https://github.com/cilium/cilium/issues/27598), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.21.1 docker digest to [`cffaba7`](https://github.com/cilium/cilium/commit/cffaba7) (main) ([#28189](https://github.com/cilium/cilium/issues/28189), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.21.1 docker digest to [`d2aad22`](https://github.com/cilium/cilium/commit/d2aad22) (main) ([#28064](https://github.com/cilium/cilium/issues/28064), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.21.3 docker digest to [`24a0937`](https://github.com/cilium/cilium/commit/24a0937) (main) ([#28602](https://github.com/cilium/cilium/issues/28602), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.21.4 docker digest to [`9baee0e`](https://github.com/cilium/cilium/commit/9baee0e) (main) ([#29261](https://github.com/cilium/cilium/issues/29261), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.21.5 docker digest to [`2ff79bc`](https://github.com/cilium/cilium/commit/2ff79bc) (main) ([#29765](https://github.com/cilium/cilium/issues/29765), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.21.6 docker digest to [`6fbd2d3`](https://github.com/cilium/cilium/commit/6fbd2d3) (v1.15) ([#30050](https://github.com/cilium/cilium/issues/30050), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.21.6 docker digest to [`76aadd9`](https://github.com/cilium/cilium/commit/76aadd9) (v1.15) ([#30464](https://github.com/cilium/cilium/issues/30464), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`0bced47`](https://github.com/cilium/cilium/commit/0bced47) (main) ([#26689](https://github.com/cilium/cilium/issues/26689), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`2b7412e`](https://github.com/cilium/cilium/commit/2b7412e) (main) ([#28722](https://github.com/cilium/cilium/issues/28722), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`6120be6`](https://github.com/cilium/cilium/commit/6120be6) (main) ([#26432](https://github.com/cilium/cilium/issues/26432), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`8eab65d`](https://github.com/cilium/cilium/commit/8eab65d) (main) ([#29572](https://github.com/cilium/cilium/issues/29572), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`990350f`](https://github.com/cilium/cilium/commit/990350f) (main) ([#28578](https://github.com/cilium/cilium/issues/28578), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`9b8dec3`](https://github.com/cilium/cilium/commit/9b8dec3) (main) ([#28383](https://github.com/cilium/cilium/issues/28383), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`aabed32`](https://github.com/cilium/cilium/commit/aabed32) (main) ([#27895](https://github.com/cilium/cilium/issues/27895), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`e6173d4`](https://github.com/cilium/cilium/commit/e6173d4) (v1.15) ([#30465](https://github.com/cilium/cilium/issues/30465), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`ec050c3`](https://github.com/cilium/cilium/commit/ec050c3) (main) ([#27529](https://github.com/cilium/cilium/issues/27529), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker/build-push-action action to v5 (main) ([#28092](https://github.com/cilium/cilium/issues/28092), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker/setup-buildx-action action to v2.9.0 (main) ([#26694](https://github.com/cilium/cilium/issues/26694), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to [`112a87f`](https://github.com/cilium/cilium/commit/112a87f) (v1.15) ([#30473](https://github.com/cilium/cilium/issues/30473), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to [`91ca472`](https://github.com/cilium/cilium/commit/91ca472) (main) ([#28468](https://github.com/cilium/cilium/issues/28468), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to [`92d40ee`](https://github.com/cilium/cilium/commit/92d40ee) (main) ([#27905](https://github.com/cilium/cilium/issues/27905), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.11 (main) ([#29767](https://github.com/cilium/cilium/issues/29767), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update github/codeql-action action to v2.21.2 (main) ([#27265](https://github.com/cilium/cilium/issues/27265), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update github/codeql-action action to v2.21.5 (main) ([#27734](https://github.com/cilium/cilium/issues/27734), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update github/codeql-action action to v2.22.5 (main) ([#28860](https://github.com/cilium/cilium/issues/28860), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update github/codeql-action action to v2.22.9 (main) ([#29768](https://github.com/cilium/cilium/issues/29768), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.20.6 (main) (patch) ([#26781](https://github.com/cilium/cilium/issues/26781), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.20.7 (main) (patch) ([#27259](https://github.com/cilium/cilium/issues/27259), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.21.0 (main) (minor) ([#27444](https://github.com/cilium/cilium/issues/27444), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.21.1 (main) (patch) ([#27993](https://github.com/cilium/cilium/issues/27993), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.21.3 (main) (patch) ([#28471](https://github.com/cilium/cilium/issues/28471), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.21.4 (main) (patch) ([#29043](https://github.com/cilium/cilium/issues/29043), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.21.5 (main) (patch) ([#29659](https://github.com/cilium/cilium/issues/29659), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.21.6 (v1.15) (patch) ([#30173](https://github.com/cilium/cilium/issues/30173), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update golangci/golangci-lint docker tag to v1.54.0 (main) ([#27385](https://github.com/cilium/cilium/issues/27385), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update golangci/golangci-lint docker tag to v1.54.1 (main) ([#27538](https://github.com/cilium/cilium/issues/27538), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update golangci/golangci-lint docker tag to v1.54.2 (main) ([#27619](https://github.com/cilium/cilium/issues/27619), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update golangci/golangci-lint docker tag to v1.55.0 (main) ([#28728](https://github.com/cilium/cilium/issues/28728), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update golangci/golangci-lint docker tag to v1.55.1 (main) ([#28865](https://github.com/cilium/cilium/issues/28865), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update golangci/golangci-lint docker tag to v1.55.2 (main) ([#28990](https://github.com/cilium/cilium/issues/28990), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update google-github-actions/setup-gcloud action to v2 (main) ([#29780](https://github.com/cilium/cilium/issues/29780), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update hubble cli to v0.12.0 (main) (minor) ([#26762](https://github.com/cilium/cilium/issues/26762), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update hubble cli to v0.12.3 (main) (patch) ([#29749](https://github.com/cilium/cilium/issues/29749), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update hubble cli to v0.13.0 (v1.15) (minor) ([#30273](https://github.com/cilium/cilium/issues/30273), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 \[security] (main) ([#29314](https://github.com/cilium/cilium/issues/29314), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update myrotvorets/set-commit-status-action action to v2 (main) ([#28073](https://github.com/cilium/cilium/issues/28073), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (main) ([#28539](https://github.com/cilium/cilium/issues/28539), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (main) ([#28589](https://github.com/cilium/cilium/issues/28589), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update quay.io/cilium/kindest-node docker tag to v1.28.3 (main) ([#29057](https://github.com/cilium/cilium/issues/29057), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20230915.012620 (main) ([#28192](https://github.com/cilium/cilium/issues/28192), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231010.012608 (main) ([#28605](https://github.com/cilium/cilium/issues/28605), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231030.012704 (main) ([#28869](https://github.com/cilium/cilium/issues/28869), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231123.012848 (main) ([#28992](https://github.com/cilium/cilium/issues/28992), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231211.012942 (main) ([#29777](https://github.com/cilium/cilium/issues/29777), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update sigstore/cosign-installer action to v3.1.2 (main) ([#27907](https://github.com/cilium/cilium/issues/27907), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#30461](https://github.com/cilium/cilium/issues/30461), [@renovate](https://github.com/renovate)\[bot]) - chore(lint): Enable linting with gosimple ([#26965](https://github.com/cilium/cilium/issues/26965), [@mrueg](https://github.com/mrueg)) - chore: Add deezer as cilium user ([#27846](https://github.com/cilium/cilium/issues/27846), [@zwindler](https://github.com/zwindler)) - chore: Add Prometheus templating to Cilium Metrics Dashboard ([#28058](https://github.com/cilium/cilium/issues/28058), [@kahirokunn](https://github.com/kahirokunn)) - chore: add SI Analytics as cilium user ([#29744](https://github.com/cilium/cilium/issues/29744), [@JhoLee](https://github.com/JhoLee)) - chore: rename CIDRGroups resource to CiliumCIDRGroups ([#29515](https://github.com/cilium/cilium/issues/29515), [@pippolo84](https://github.com/pippolo84)) - chore: Use slices package from Go std lib ([#28614](https://github.com/cilium/cilium/issues/28614), [@pippolo84](https://github.com/pippolo84)) - chore: Use slices package from Go std lib ([#28822](https://github.com/cilium/cilium/issues/28822), [@schlosna](https://github.com/schlosna)) - chore: Use xxx.String() instead of string(xxx.Bytes()) ([#26165](https://github.com/cilium/cilium/issues/26165), [@testwill](https://github.com/testwill)) - ci-e2e: add job testing node cidr feature ([#28445](https://github.com/cilium/cilium/issues/28445), [@squeed](https://github.com/squeed)) - ci-e2e: Enable debug.verbose for envoy ([#26860](https://github.com/cilium/cilium/issues/26860), [@sayboras](https://github.com/sayboras)) - ci: fix go mod step name ([#27711](https://github.com/cilium/cilium/issues/27711), [@nbusseneau](https://github.com/nbusseneau)) - ci: set timeout on build images workflows ([#27341](https://github.com/cilium/cilium/issues/27341), [@mhofstetter](https://github.com/mhofstetter)) - CI: Silences call to cilium uninstall ([#28048](https://github.com/cilium/cilium/issues/28048), [@danehans](https://github.com/danehans)) - ci: skip cosign / sbom in case of building images during cache rebuild ([#26786](https://github.com/cilium/cilium/issues/26786), [@mhofstetter](https://github.com/mhofstetter)) - ci: skip fetching sysdump in case of skipped LB test ([#26774](https://github.com/cilium/cilium/issues/26774), [@mhofstetter](https://github.com/mhofstetter)) - ci: skip post-test info gathering in case of skipped cilium installation ([#26729](https://github.com/cilium/cilium/issues/26729), [@mhofstetter](https://github.com/mhofstetter)) - Cilium Charts set the persistent keepalive for cilium_wg0 ([#28013](https://github.com/cilium/cilium/issues/28013), [@chaunceyjiang](https://github.com/chaunceyjiang)) - cilium node chain refactor ([#26962](https://github.com/cilium/cilium/issues/26962), [@bimmlerd](https://github.com/bimmlerd)) - cilium, docs: Add rc.0 to development releases ([#26564](https://github.com/cilium/cilium/issues/26564), [@borkmann](https://github.com/borkmann)) - cilium, iptables: Extend to cover default route in enable-masquerade-… ([#27664](https://github.com/cilium/cilium/issues/27664), [@borkmann](https://github.com/borkmann)) - cilium-dbg, policy, api: Fix labels in policy selectors output ([#29152](https://github.com/cilium/cilium/issues/29152), [@christarazi](https://github.com/christarazi)) - cilium-dbg: Add "statedb node-addresses" command ([#29479](https://github.com/cilium/cilium/issues/29479), [@joamaki](https://github.com/joamaki)) - cilium: Add a few bwm setting tweaks ([#29552](https://github.com/cilium/cilium/issues/29552), [@borkmann](https://github.com/borkmann)) - cilium: Add option to masq to source route ([#27618](https://github.com/cilium/cilium/issues/27618), [@borkmann](https://github.com/borkmann)) - cilium: Do not warn on socket tracing if EnableSocketLBTracing was not set ([#29730](https://github.com/cilium/cilium/issues/29730), [@borkmann](https://github.com/borkmann)) - cilium: iptables masquerade to route source fixes ([#29591](https://github.com/cilium/cilium/issues/29591), [@borkmann](https://github.com/borkmann)) - cilium: Remove platform references for completion ([#28505](https://github.com/cilium/cilium/issues/28505), [@joestringer](https://github.com/joestringer)) - Clarify `cilium_event_ts metric` description ([#29303](https://github.com/cilium/cilium/issues/29303), [@christarazi](https://github.com/christarazi)) - Clean up deprecated and unused IPCache APIs after FQDN transition to asynchronous APIs ([#29657](https://github.com/cilium/cilium/issues/29657), [@tklauser](https://github.com/tklauser)) - Clean up prefix length tracking implementations ([#25153](https://github.com/cilium/cilium/issues/25153), [@joestringer](https://github.com/joestringer)) - cleanup: code cleanup to remove unused parameter from repository add api ([#26943](https://github.com/cilium/cilium/issues/26943), [@tamilmani1989](https://github.com/tamilmani1989)) - client: Use options pattern for NewRuntime ([#29271](https://github.com/cilium/cilium/issues/29271), [@gandro](https://github.com/gandro)) - clustermesh install documentation: missing step ([#28889](https://github.com/cilium/cilium/issues/28889), [@dashaun](https://github.com/dashaun)) - clustermesh-apiserver/kvstoremesh: unify metrics cell ([#28480](https://github.com/cilium/cilium/issues/28480), [@giorio94](https://github.com/giorio94)) - clustermesh-apiserver: extract external workloads in a separate cell ([#28478](https://github.com/cilium/cilium/issues/28478), [@giorio94](https://github.com/giorio94)) - clustermesh: make extra ipcache watcher options configurable ([#27336](https://github.com/cilium/cilium/issues/27336), [@giorio94](https://github.com/giorio94)) - cni: Follow CNI spec by using `(containerID, ifName)` as unique endpoint identifier ([#26894](https://github.com/cilium/cilium/issues/26894), [@gandro](https://github.com/gandro)) - cni: log format byte array as string ([#26740](https://github.com/cilium/cilium/issues/26740), [@aojea](https://github.com/aojea)) - cni: remove unused CILIUM_CNI_CONF variable from install script ([#29063](https://github.com/cilium/cilium/issues/29063), [@wedaly](https://github.com/wedaly)) - cocci: Re-license Coccinelle scripts as Apache 2.0 ([#26629](https://github.com/cilium/cilium/issues/26629), [@qmonnet](https://github.com/qmonnet)) - CODEOWNERS: assign .github/actions to github-sec and ci-structure ([#28394](https://github.com/cilium/cilium/issues/28394), [@jibi](https://github.com/jibi)) - CODEOWNERS: assign bpf/lib/auth.h to sig-servicemesh ([#27083](https://github.com/cilium/cilium/issues/27083), [@mhofstetter](https://github.com/mhofstetter)) - CODEOWNERS: assign egressgw control plane/datapath logic to egress-gateway team ([#26952](https://github.com/cilium/cilium/issues/26952), [@jibi](https://github.com/jibi)) - CODEOWNERS: assign pkg/backoff to [@cilium/sig-agent](https://github.com/cilium/sig-agent) ([#26573](https://github.com/cilium/cilium/issues/26573), [@jibi](https://github.com/jibi)) - CODEOWNERS: assign pkg/ip to [@cilium/sig-agent](https://github.com/cilium/sig-agent) ([#29669](https://github.com/cilium/cilium/issues/29669), [@tklauser](https://github.com/tklauser)) - CODEOWNERS: claim some new ipsec-related files for cilium/ipsec ([#29516](https://github.com/cilium/cilium/issues/29516), [@julianwiedmann](https://github.com/julianwiedmann)) - codeowners: include sig-servicemesh into cilium envoy & spire helm ([#27559](https://github.com/cilium/cilium/issues/27559), [@mhofstetter](https://github.com/mhofstetter)) - CODEOWNERS: IPsec owns `pkg/common/ipsec` ([#29002](https://github.com/cilium/cilium/issues/29002), [@pchaigno](https://github.com/pchaigno)) - CODEOWNERS: Let IPsec team to own GH workflows for IPsec ([#29190](https://github.com/cilium/cilium/issues/29190), [@brb](https://github.com/brb)) - CODEOWNERS: remove stale cilium_egress_gateway_policy.go entry ([#27234](https://github.com/cilium/cilium/issues/27234), [@giorio94](https://github.com/giorio94)) - CODEOWNERS: sig-clustermesh additionally owns clustermesh-related GHA workflows and helm templates ([#29671](https://github.com/cilium/cilium/issues/29671), [@giorio94](https://github.com/giorio94)) - codeowners: use new teams cilium/envoy & cilium/fqdn ([#29627](https://github.com/cilium/cilium/issues/29627), [@mhofstetter](https://github.com/mhofstetter)) - Computed and propagated the value of OldEndpoints field when merging remote cluster information. ([#26474](https://github.com/cilium/cilium/issues/26474), [@akstron](https://github.com/akstron)) - config: Use String instead of StringVar method ([#27794](https://github.com/cilium/cilium/issues/27794), [@pippolo84](https://github.com/pippolo84)) - Configure the linux node config writer through Hive ([#27180](https://github.com/cilium/cilium/issues/27180), [@giorio94](https://github.com/giorio94)) - contrib/kind: custom kind values ([#28155](https://github.com/cilium/cilium/issues/28155), [@mhofstetter](https://github.com/mhofstetter)) - contrib: add check for new files in check-(api|k8s)-code-gen scripts ([#26790](https://github.com/cilium/cilium/issues/26790), [@giorio94](https://github.com/giorio94)) - contrib: Add ContainerLab-based BGP CPlane development environment ([#28292](https://github.com/cilium/cilium/issues/28292), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - contrib: Add support for X.Y.Z-pre.N releases ([#27807](https://github.com/cilium/cilium/issues/27807), [@joestringer](https://github.com/joestringer)) - contrib: fix bump-readme script ([#27648](https://github.com/cilium/cilium/issues/27648), [@nebril](https://github.com/nebril)) - contrib: Fix missing function in post-release.sh ([#28372](https://github.com/cilium/cilium/issues/28372), [@joestringer](https://github.com/joestringer)) - contrib: Fix prerelease pullPolicy ([#28906](https://github.com/cilium/cilium/issues/28906), [@joestringer](https://github.com/joestringer)) - contrib: Fix remote detection for security branches ([#27891](https://github.com/cilium/cilium/issues/27891), [@joestringer](https://github.com/joestringer)) - contrib: Fix remote repo detection for .git suffix ([#28198](https://github.com/cilium/cilium/issues/28198), [@joestringer](https://github.com/joestringer)) - contrib: Make hint command copy and paste friendly ([#27585](https://github.com/cilium/cilium/issues/27585), [@sayboras](https://github.com/sayboras)) - contrib: Move github draft release to post-release ([#27861](https://github.com/cilium/cilium/issues/27861), [@joestringer](https://github.com/joestringer)) - correct stats calculation for prepareBuild of endpoint_regeneration_time ([#28150](https://github.com/cilium/cilium/issues/28150), [@PlatformLC](https://github.com/PlatformLC)) - correct stats for total time of policyregenerateion ([#28153](https://github.com/cilium/cilium/issues/28153), [@PlatformLC](https://github.com/PlatformLC)) - Correct the comment for Service4Value and Service6Value ([#27824](https://github.com/cilium/cilium/issues/27824), [@haiyuewa](https://github.com/haiyuewa)) - Creation of the /hello endpoint is delayed until the host datapath has been initialized. ([#27392](https://github.com/cilium/cilium/issues/27392), [@lmb](https://github.com/lmb)) - ctmap: limit NAT purging to expected CT tuple types ([#28871](https://github.com/cilium/cilium/issues/28871), [@julianwiedmann](https://github.com/julianwiedmann)) - daemon, fqdn: Remove log "DNS request no matching endpoint" when endpoint is nil ([#28071](https://github.com/cilium/cilium/issues/28071), [@doniacld](https://github.com/doniacld)) - daemon,pkg/service: Use hive cell infra for pkg/service ([#28732](https://github.com/cilium/cilium/issues/28732), [@rastislavs](https://github.com/rastislavs)) - daemon: Fix incorrect node and ciliumnode resource type in annotations ([#29522](https://github.com/cilium/cilium/issues/29522), [@hargrovee](https://github.com/hargrovee)) - daemon: remove redundant wait on restoreComplete ([#27603](https://github.com/cilium/cilium/issues/27603), [@ti-mo](https://github.com/ti-mo)) - daemon: Simplify `cilium_host` IP restoration ([#28781](https://github.com/cilium/cilium/issues/28781), [@gandro](https://github.com/gandro)) - daemon: Skip Ingress Endpoint on BPF watchdog ([#28462](https://github.com/cilium/cilium/issues/28462), [@jrajahalme](https://github.com/jrajahalme)) - daemon: Uniquely identify daemon ipcache upserts ([#28770](https://github.com/cilium/cilium/issues/28770), [@joestringer](https://github.com/joestringer)) - Daemon: Updates Detect() Call to Return Detected Devices ([#28010](https://github.com/cilium/cilium/issues/28010), [@danehans](https://github.com/danehans)) - daemon: Use API server cell and adapt handlers ([#25000](https://github.com/cilium/cilium/issues/25000), [@joamaki](https://github.com/joamaki)) - datapath/linux/probes: remove unused Have{Map,Program}Type wrappers ([#26666](https://github.com/cilium/cilium/issues/26666), [@tklauser](https://github.com/tklauser)) - datapath: alignchecker: allow to extend toCheck and toCheckSizes ([#28711](https://github.com/cilium/cilium/issues/28711), [@jibi](https://github.com/jibi)) - datapath: Devices table and controller ([#24677](https://github.com/cilium/cilium/issues/24677), [@joamaki](https://github.com/joamaki)) - datapath: Few minor improvements to DevicesController ([#28887](https://github.com/cilium/cilium/issues/28887), [@joamaki](https://github.com/joamaki)) - datapath: Introduce fake datapath cell ([#28611](https://github.com/cilium/cilium/issues/28611), [@joamaki](https://github.com/joamaki)) - dep: Replace deprecated github.com/golang/protobuf ([#28203](https://github.com/cilium/cilium/issues/28203), [@sayboras](https://github.com/sayboras)) - dev-doctor command version strings should be array. ([#28801](https://github.com/cilium/cilium/issues/28801), [@fujitatomoya](https://github.com/fujitatomoya)) - devices: fix busy loop ([#29163](https://github.com/cilium/cilium/issues/29163), [@bimmlerd](https://github.com/bimmlerd)) - devices: Remove logging and report reason in device struct ([#28393](https://github.com/cilium/cilium/issues/28393), [@joamaki](https://github.com/joamaki)) - Disable StateDB metrics by default ([#27657](https://github.com/cilium/cilium/issues/27657), [@dylandreimerink](https://github.com/dylandreimerink)) - dnsproxy: convert LookupEndpointByIP to use netip.Addr ([#28891](https://github.com/cilium/cilium/issues/28891), [@tklauser](https://github.com/tklauser)) - Do not ignore link local addresses when detecting network devices. This fixes a problem in setups where network devices that only had link local addresses were ignored. ([#27868](https://github.com/cilium/cilium/issues/27868), [@joamaki](https://github.com/joamaki)) - Do not log on errant release of reserved identity ([#26768](https://github.com/cilium/cilium/issues/26768), [@asauber](https://github.com/asauber)) - do not start bandwidth manager in dry mode ([#29183](https://github.com/cilium/cilium/issues/29183), [@dylandreimerink](https://github.com/dylandreimerink)) - doc: Add Azure CNI Powered by cilium as external installer (Backport PR [#30349](https://github.com/cilium/cilium/issues/30349), Upstream PR [#28286](https://github.com/cilium/cilium/issues/28286), [@tamilmani1989](https://github.com/tamilmani1989)) - doc: add circuit-breaker example for cilium service mesh ([#27641](https://github.com/cilium/cilium/issues/27641), [@tanjunchen](https://github.com/tanjunchen)) - doc: Documented pitfall with NS labels in CNPs ([#26134](https://github.com/cilium/cilium/issues/26134), [@PhilipSchmid](https://github.com/PhilipSchmid)) - doc: Improved Cilium ingress annotations table ([#26381](https://github.com/cilium/cilium/issues/26381), [@PhilipSchmid](https://github.com/PhilipSchmid)) - doc: Update recommended way for installing cilium on AKS (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#28910](https://github.com/cilium/cilium/issues/28910), [@tamilmani1989](https://github.com/tamilmani1989)) - docker: Tame xargs warning ([#27929](https://github.com/cilium/cilium/issues/27929), [@qmonnet](https://github.com/qmonnet)) - Docs: Add BGP Advertised Path Attributes documentation ([#28482](https://github.com/cilium/cilium/issues/28482), [@rastislavs](https://github.com/rastislavs)) - docs: Add CiliumPodIPPool option in BGP Adv. Path Attributes docs ([#29177](https://github.com/cilium/cilium/issues/29177), [@rastislavs](https://github.com/rastislavs)) - docs: Add cluster install/prep guide for GKE-to-GKE clustermesh ([#29342](https://github.com/cilium/cilium/issues/29342), [@Neutrollized](https://github.com/Neutrollized)) - docs: Add Conformance Badge for Gateway API ([#27470](https://github.com/cilium/cilium/issues/27470), [@sayboras](https://github.com/sayboras)) - docs: Add docs structure recommendations, update style guide ([#26632](https://github.com/cilium/cilium/issues/26632), [@qmonnet](https://github.com/qmonnet)) - docs: add documentation for policy-cidr-match-mode=nodes ([#28421](https://github.com/cilium/cilium/issues/28421), [@squeed](https://github.com/squeed)) - docs: Add Egress Gateway Policy warning on `egressIP` and `interface` being mutually exclusive in the `egressGateway` spec. (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30236](https://github.com/cilium/cilium/issues/30236), [@soggiest](https://github.com/soggiest)) - docs: add instructions to build kindest-node image ([#29079](https://github.com/cilium/cilium/issues/29079), [@aanm](https://github.com/aanm)) - docs: Add Keploy to user list ([#27244](https://github.com/cilium/cilium/issues/27244), [@Sonichigo](https://github.com/Sonichigo)) - docs: add MaxConnectedClusters documentation ([#29637](https://github.com/cilium/cilium/issues/29637), [@thorn3r](https://github.com/thorn3r)) - docs: Add missing spelling exception ([#26780](https://github.com/cilium/cilium/issues/26780), [@qmonnet](https://github.com/qmonnet)) - docs: add plusserver Kubernetes Engine to users ([#28306](https://github.com/cilium/cilium/issues/28306), [@sknop-cgn](https://github.com/sknop-cgn)) - docs: Add policymap pressure debugging guide ([#27903](https://github.com/cilium/cilium/issues/27903), [@christarazi](https://github.com/christarazi)) - Docs: Adds CiliumPodIPPool Special Purpose Selectors ([#28819](https://github.com/cilium/cilium/issues/28819), [@danehans](https://github.com/danehans)) - docs: Document Potential Dual-Stack Upgrade Issues for 1.15 ([#25204](https://github.com/cilium/cilium/issues/25204), [@nathanjsweet](https://github.com/nathanjsweet)) - docs: Document renovate testing strategy (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30166](https://github.com/cilium/cilium/issues/30166), [@joestringer](https://github.com/joestringer)) - docs: Drop references to Helm v2 ([#29463](https://github.com/cilium/cilium/issues/29463), [@joestringer](https://github.com/joestringer)) - docs: egressgw: describe routing on Gateway node (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30488](https://github.com/cilium/cilium/issues/30488), [@julianwiedmann](https://github.com/julianwiedmann)) - docs: Fix a typo and improve readability of a control plane architecture description in BGP Control Plane documentation ([#27461](https://github.com/cilium/cilium/issues/27461), [@distributethe6ix](https://github.com/distributethe6ix)) - docs: fix chained veth plugin example (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30209](https://github.com/cilium/cilium/issues/30209), [@squeed](https://github.com/squeed)) - Docs: Fix ipam_nodes metric description ([#27217](https://github.com/cilium/cilium/issues/27217), [@antonipp](https://github.com/antonipp)) - docs: Fix keyid derivation in IPsec docs (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#30000](https://github.com/cilium/cilium/issues/30000), [@brb](https://github.com/brb)) - docs: fix minor TOC issues ([#26714](https://github.com/cilium/cilium/issues/26714), [@networkop](https://github.com/networkop)) - docs: fix reference to lvh kind images ([#27376](https://github.com/cilium/cilium/issues/27376), [@rgo3](https://github.com/rgo3)) - docs: Fix the typo for SPIRE PVC installation option name ([#27503](https://github.com/cilium/cilium/issues/27503), [@haiyuewa](https://github.com/haiyuewa)) - docs: fix typo in troubleshooting guide ([#26811](https://github.com/cilium/cilium/issues/26811), [@learnitall](https://github.com/learnitall)) - docs: Fix unintentional boolean value in YAML ([#26682](https://github.com/cilium/cilium/issues/26682), [@dgl](https://github.com/dgl)) - docs: Improve wording in contributions guide ([#27407](https://github.com/cilium/cilium/issues/27407), [@joestringer](https://github.com/joestringer)) - docs: Modify BGP MD5 password with Helm default change ([#29527](https://github.com/cilium/cilium/issues/29527), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - docs: optimize ingress default tls secret documentation ([#26684](https://github.com/cilium/cilium/issues/26684), [@mhofstetter](https://github.com/mhofstetter)) - docs: Remove "by Default" suffix in cilium-agent metrics header ([#28045](https://github.com/cilium/cilium/issues/28045), [@learnitall](https://github.com/learnitall)) - docs: Remove bare URLs from Flow gRPC API Reference ([#28361](https://github.com/cilium/cilium/issues/28361), [@kimstacy](https://github.com/kimstacy)) - docs: Remove the duplicated envoy resource list ([#28281](https://github.com/cilium/cilium/issues/28281), [@sayboras](https://github.com/sayboras)) - docs: specify which further release for fqdn option removal. ([#29531](https://github.com/cilium/cilium/issues/29531), [@squeed](https://github.com/squeed)) - docs: Split, update, improve the contributing guide for reviewers and committers ([#27085](https://github.com/cilium/cilium/issues/27085), [@qmonnet](https://github.com/qmonnet)) - docs: Update BGP control plane documentation with regards to LB class support and service announcements ([#28253](https://github.com/cilium/cilium/issues/28253), [@danehans](https://github.com/danehans)) - docs: Update Gateway API version in example (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30115](https://github.com/cilium/cilium/issues/30115), [@sayboras](https://github.com/sayboras)) - docs: Update Kubernetes Gateway-API version to v0.8.1 ([#28388](https://github.com/cilium/cilium/issues/28388), [@haiyuewa](https://github.com/haiyuewa)) - docs: Update the Gateway API badge (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30477](https://github.com/cilium/cilium/issues/30477), [@sayboras](https://github.com/sayboras)) - docs: Update the message of Gateway API 'Programmed' ([#28055](https://github.com/cilium/cilium/issues/28055), [@haiyuewa](https://github.com/haiyuewa)) - docs: Update the tile for 'kubectl get' Gateway API ([#28056](https://github.com/cilium/cilium/issues/28056), [@haiyuewa](https://github.com/haiyuewa)) - docs: update versions and parameters for XDP Acceleration on AKS ([#29091](https://github.com/cilium/cilium/issues/29091), [@jshr-w](https://github.com/jshr-w)) - Docs: Updates BGP CP Developer Docs ([#28908](https://github.com/cilium/cilium/issues/28908), [@danehans](https://github.com/danehans)) - Docs: Updates BGP CP for PodIPPoolSelector ([#28312](https://github.com/cilium/cilium/issues/28312), [@danehans](https://github.com/danehans)) - Docs: Updates for Deprecation of CNI network-plugin Flag ([#28046](https://github.com/cilium/cilium/issues/28046), [@danehans](https://github.com/danehans)) - Docs: Updates L2 Announce for LB Class Support ([#28252](https://github.com/cilium/cilium/issues/28252), [@danehans](https://github.com/danehans)) - docs: Use host port for serving docs ([#28307](https://github.com/cilium/cilium/issues/28307), [@brb](https://github.com/brb)) - docs: warn users that IPsec and KPR are mutual exclusive (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30403](https://github.com/cilium/cilium/issues/30403), [@f1ko](https://github.com/f1ko)) - Document Kind Delve debugging workflow ([#26506](https://github.com/cilium/cilium/issues/26506), [@ti-mo](https://github.com/ti-mo)) - Documentation: Consistently use --set for cilium install ([#28577](https://github.com/cilium/cilium/issues/28577), [@michi-covalent](https://github.com/michi-covalent)) - Documentation: Replace netperf images in StarWars demos ([#26842](https://github.com/cilium/cilium/issues/26842), [@hhoover](https://github.com/hhoover)) - Don't log an error if the to be deleted ipset entry does not exist ([#29561](https://github.com/cilium/cilium/issues/29561), [@giorio94](https://github.com/giorio94)) - don't remove neighbor link state file if migrateOnly ([#28659](https://github.com/cilium/cilium/issues/28659), [@liuyuan10](https://github.com/liuyuan10)) - Don't retry one shot jobs during hive shutdown ([#27395](https://github.com/cilium/cilium/issues/27395), [@giorio94](https://github.com/giorio94)) - Drop mock file support from clustermesh-apiserver ([#27825](https://github.com/cilium/cilium/issues/27825), [@giorio94](https://github.com/giorio94)) - drop support for 1.11 ([#27077](https://github.com/cilium/cilium/issues/27077), [@aanm](https://github.com/aanm)) - During startup, the agent attempts to clear out any obsolete CiliumEndpoints. Add retry logic to ensure this process is attempted more than once should errors occur during reconciliation. ([#27593](https://github.com/cilium/cilium/issues/27593), [@derailed](https://github.com/derailed)) - egressgateway: switch to Resource\[T] ([#28091](https://github.com/cilium/cilium/issues/28091), [@lmb](https://github.com/lmb)) - egressgw: always set ifaceName in deriveFromPolicyGatewayConfig() ([#26973](https://github.com/cilium/cilium/issues/26973), [@julianwiedmann](https://github.com/julianwiedmann)) - egressgw: delete stale nexthop routes ([#27105](https://github.com/cilium/cilium/issues/27105), [@julianwiedmann](https://github.com/julianwiedmann)) - egressgw: detect conflicting configurations in ENI mode ([#27281](https://github.com/cilium/cilium/issues/27281), [@julianwiedmann](https://github.com/julianwiedmann)) - egressgw: doc fixes for install-egress-gateway-routes removal ([#28523](https://github.com/cilium/cilium/issues/28523), [@lmb](https://github.com/lmb)) - egressgw: Switch from net to netip ([#28503](https://github.com/cilium/cilium/issues/28503), [@joestringer](https://github.com/joestringer)) - egressgw: test CEGP parser ([#27909](https://github.com/cilium/cilium/issues/27909), [@julianwiedmann](https://github.com/julianwiedmann)) - egressgw: use Resource\[T] to consume CiliumEgressGatewayPolicy ([#26960](https://github.com/cilium/cilium/issues/26960), [@lmb](https://github.com/lmb)) - egressgw: use route.Upsert() for inserting nexthop / prefix IP route ([#26990](https://github.com/cilium/cilium/issues/26990), [@julianwiedmann](https://github.com/julianwiedmann)) - Enable k8s cache mutation detector in the CI ([#28182](https://github.com/cilium/cilium/issues/28182), [@aanm](https://github.com/aanm)) - Enable strict validation of cluster config for clustermesh ([#27246](https://github.com/cilium/cilium/issues/27246), [@giorio94](https://github.com/giorio94)) - enabled initalDelaySeconds on StartupProbe ([#28816](https://github.com/cilium/cilium/issues/28816), [@jignyasamishra](https://github.com/jignyasamishra)) - endpoint/id: simplify TestSplitID ([#26581](https://github.com/cilium/cilium/issues/26581), [@tklauser](https://github.com/tklauser)) - endpoint/id: use strings.IndexByte ([#28202](https://github.com/cilium/cilium/issues/28202), [@tklauser](https://github.com/tklauser)) - Endpoint: actually treat identifiers as immutable, remove lock ([#26757](https://github.com/cilium/cilium/issues/26757), [@squeed](https://github.com/squeed)) - endpoint: Clarify policy locking requirements ([#29024](https://github.com/cilium/cilium/issues/29024), [@jrajahalme](https://github.com/jrajahalme)) - endpoint: Clarify policy locking requirements (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#29024](https://github.com/cilium/cilium/issues/29024), [@jrajahalme](https://github.com/jrajahalme)) - endpoint: fix removed code comment. ([#29172](https://github.com/cilium/cilium/issues/29172), [@tommyp1ckles](https://github.com/tommyp1ckles)) - endpoint: moveNewFilesTo performance and error handling improvements ([#26238](https://github.com/cilium/cilium/issues/26238), [@learnitall](https://github.com/learnitall)) - endpoint: Use resolved named port also in the proxy stats (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29813](https://github.com/cilium/cilium/issues/29813), [@jrajahalme](https://github.com/jrajahalme)) - endpointmanager: unexport and inline functions only used in the package ([#27426](https://github.com/cilium/cilium/issues/27426), [@tklauser](https://github.com/tklauser)) - endpointslice: fix EndpointSlice import ([#26938](https://github.com/cilium/cilium/issues/26938), [@mhofstetter](https://github.com/mhofstetter)) - endpointstate: Add an interface to wait for endpoint restore ([#29243](https://github.com/cilium/cilium/issues/29243), [@pippolo84](https://github.com/pippolo84)) - Ensures daemon managed controllers are stopped when the daemon shuts down. ([#28148](https://github.com/cilium/cilium/issues/28148), [@derailed](https://github.com/derailed)) - Envoy silence expected internal listener warning ([#29786](https://github.com/cilium/cilium/issues/29786), [@jrajahalme](https://github.com/jrajahalme)) - envoy: Bump cilium proxy to latest version ([#27555](https://github.com/cilium/cilium/issues/27555), [@mhofstetter](https://github.com/mhofstetter)) - envoy: Import Health check sink API ([#28463](https://github.com/cilium/cilium/issues/28463), [@jrajahalme](https://github.com/jrajahalme)) - envoy: introduce artifact copier ([#27728](https://github.com/cilium/cilium/issues/27728), [@mhofstetter](https://github.com/mhofstetter)) - envoy: optimise getWildcardNetworkPolicyRule() ([#27685](https://github.com/cilium/cilium/issues/27685), [@jrajahalme](https://github.com/jrajahalme)) - envoy: perform version check directly on envoy binary (not starter) ([#29512](https://github.com/cilium/cilium/issues/29512), [@mhofstetter](https://github.com/mhofstetter)) - envoy: periodic version-check with hive timer job ([#29513](https://github.com/cilium/cilium/issues/29513), [@mhofstetter](https://github.com/mhofstetter)) - envoy: set socket opts only if not already present in CEC ([#27531](https://github.com/cilium/cilium/issues/27531), [@mhofstetter](https://github.com/mhofstetter)) - envoy: Support internal listeners in CiliumEnvoyConfig CRDs ([#29026](https://github.com/cilium/cilium/issues/29026), [@jrajahalme](https://github.com/jrajahalme)) - envoy: update cilium/proxy to latest version ([#28170](https://github.com/cilium/cilium/issues/28170), [@mhofstetter](https://github.com/mhofstetter)) - envoy: Update to a build with health checkers enabled ([#28518](https://github.com/cilium/cilium/issues/28518), [@jrajahalme](https://github.com/jrajahalme)) - envoy: Update to pick up deny policy support ([#28862](https://github.com/cilium/cilium/issues/28862), [@jrajahalme](https://github.com/jrajahalme)) - example/connectivity-check: fix port conflict, capture termination log ([#28833](https://github.com/cilium/cilium/issues/28833), [@squeed](https://github.com/squeed)) - Extend cilium scale-test to export results and gather additional data ([#28594](https://github.com/cilium/cilium/issues/28594), [@marseel](https://github.com/marseel)) - Extract tunnel options to simplify override, and inject them through hive ([#29051](https://github.com/cilium/cilium/issues/29051), [@giorio94](https://github.com/giorio94)) - Fix Cilium Datapath Prometheus metric names ([#29226](https://github.com/cilium/cilium/issues/29226), [@carnerito](https://github.com/carnerito)) - Fix cilium-envoy ServiceMonitor template typo (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29976](https://github.com/cilium/cilium/issues/29976), [@cornfeedhobo](https://github.com/cornfeedhobo)) - Fix data race during Hubble setup ([#28322](https://github.com/cilium/cilium/issues/28322), [@glrf](https://github.com/glrf)) - fix duplicated ids in prerelease testing template ([#27865](https://github.com/cilium/cilium/issues/27865), [@jspaleta](https://github.com/jspaleta)) - Fix IPv4 checksum recalculation in SNAT flows where ports are rewritten. ([#28768](https://github.com/cilium/cilium/issues/28768), [@gentoo-root](https://github.com/gentoo-root)) - Fix k8s code generation ([#27964](https://github.com/cilium/cilium/issues/27964), [@aanm](https://github.com/aanm)) - Fix kind targets ([#28548](https://github.com/cilium/cilium/issues/28548), [@chancez](https://github.com/chancez)) - Fix log error in clustermesh-apiserver when connecting external workloads (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29896](https://github.com/cilium/cilium/issues/29896), [@giorio94](https://github.com/giorio94)) - Fix LookupReservedIdentityByLabels function to return consistent results ([#26795](https://github.com/cilium/cilium/issues/26795), [@skmatti](https://github.com/skmatti)) - Fix regression causing a 10x increase in the duration of endpoint integration tests (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29826](https://github.com/cilium/cilium/issues/29826), [@giorio94](https://github.com/giorio94)) - Fix restore of previous router IP due to missing VPC CIDR in Alibabacloud section of CiliumNode Spec ([#26843](https://github.com/cilium/cilium/issues/26843), [@haozhangami](https://github.com/haozhangami)) - Fix spelling for "WireGuard" ([#26764](https://github.com/cilium/cilium/issues/26764), [@qmonnet](https://github.com/qmonnet)) - Fix up CCG related metrics ([#27806](https://github.com/cilium/cilium/issues/27806), [@christarazi](https://github.com/christarazi)) - fix(deps): update all go dependencies main (main) ([#26567](https://github.com/cilium/cilium/issues/26567), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) ([#27348](https://github.com/cilium/cilium/issues/27348), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) ([#27440](https://github.com/cilium/cilium/issues/27440), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) ([#27906](https://github.com/cilium/cilium/issues/27906), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#26695](https://github.com/cilium/cilium/issues/26695), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#26822](https://github.com/cilium/cilium/issues/26822), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#27266](https://github.com/cilium/cilium/issues/27266), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#27742](https://github.com/cilium/cilium/issues/27742), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#28072](https://github.com/cilium/cilium/issues/28072), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#28098](https://github.com/cilium/cilium/issues/28098), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#28618](https://github.com/cilium/cilium/issues/28618), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#28730](https://github.com/cilium/cilium/issues/28730), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#28994](https://github.com/cilium/cilium/issues/28994), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#29264](https://github.com/cilium/cilium/issues/29264), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#29398](https://github.com/cilium/cilium/issues/29398), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#29538](https://github.com/cilium/cilium/issues/29538), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (minor) ([#29771](https://github.com/cilium/cilium/issues/29771), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#26569](https://github.com/cilium/cilium/issues/26569), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#26693](https://github.com/cilium/cilium/issues/26693), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#26820](https://github.com/cilium/cilium/issues/26820), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#27135](https://github.com/cilium/cilium/issues/27135), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#27260](https://github.com/cilium/cilium/issues/27260), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#27441](https://github.com/cilium/cilium/issues/27441), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#27736](https://github.com/cilium/cilium/issues/27736), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#27939](https://github.com/cilium/cilium/issues/27939), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#28070](https://github.com/cilium/cilium/issues/28070), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#28193](https://github.com/cilium/cilium/issues/28193), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#28348](https://github.com/cilium/cilium/issues/28348), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#28514](https://github.com/cilium/cilium/issues/28514), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#28615](https://github.com/cilium/cilium/issues/28615), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#28727](https://github.com/cilium/cilium/issues/28727), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#28866](https://github.com/cilium/cilium/issues/28866), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#28993](https://github.com/cilium/cilium/issues/28993), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#29134](https://github.com/cilium/cilium/issues/29134), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#29389](https://github.com/cilium/cilium/issues/29389), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#29536](https://github.com/cilium/cilium/issues/29536), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#29574](https://github.com/cilium/cilium/issues/29574), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update all go dependencies main (main) (patch) ([#29593](https://github.com/cilium/cilium/issues/29593), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update golang.org/x/sys digest to [`13b15b7`](https://github.com/cilium/cilium/commit/13b15b7) (main) ([#29279](https://github.com/cilium/cilium/issues/29279), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.445 (main) ([#26832](https://github.com/cilium/cilium/issues/26832), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.549 (main) ([#28097](https://github.com/cilium/cilium/issues/28097), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.613 (main) ([#29263](https://github.com/cilium/cilium/issues/29263), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update module github.com/go-openapi/validate to v0.22.2 (main) ([#29280](https://github.com/cilium/cilium/issues/29280), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update module golang.org/x/crypto to v0.17.0 \[security] (main) (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29971](https://github.com/cilium/cilium/issues/29971), [@renovate](https://github.com/renovate)\[bot]) - fix(deps): update module golang.org/x/net to v0.17.0 \[security] (main) ([#28546](https://github.com/cilium/cilium/issues/28546), [@renovate](https://github.com/renovate)\[bot]) - fix: add check if debug is enabled when adding trace levels to envoy deamonset. ([#27161](https://github.com/cilium/cilium/issues/27161), [@dreanor65](https://github.com/dreanor65)) - fix: platform typo ([#27368](https://github.com/cilium/cilium/issues/27368), [@testwill](https://github.com/testwill)) - fix: remove help message in build config failure (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#28974](https://github.com/cilium/cilium/issues/28974), [@vipul-21](https://github.com/vipul-21)) - fix: Remove the latest image tag from docs as latest tag is not published ([#28241](https://github.com/cilium/cilium/issues/28241), [@vipul-21](https://github.com/vipul-21)) - Fixed conflicting PRs in main ([#27209](https://github.com/cilium/cilium/issues/27209), [@dylandreimerink](https://github.com/dylandreimerink)) - Fixes rate limiting for CES Controller ([#28963](https://github.com/cilium/cilium/issues/28963), [@alan-kut](https://github.com/alan-kut)) - Fixes: typo ([#27201](https://github.com/cilium/cilium/issues/27201), [@weizhoublue](https://github.com/weizhoublue)) - Follow-up nits from etcd init script pull request ([#29489](https://github.com/cilium/cilium/issues/29489), [@JamesLaverack](https://github.com/JamesLaverack)) - For services with `External Traffic Policy: Local` Service health returns http header "X-Load-Balancing-Endpoint-Weight" with number of local endpoints. The same information is still available in response body JSON payload.LocalEndpoints. ([#27017](https://github.com/cilium/cilium/issues/27017), [@cezarygerard](https://github.com/cezarygerard)) - Forcefully terminate stale sockets connected to deleted service backends when socket-lb is enabled, and allow applications to re-connect to active backends. ([#25169](https://github.com/cilium/cilium/issues/25169), [@aditighag](https://github.com/aditighag)) - fqdn/dnsproxy: drop dependency on global EnableIPv{4,6} option ([#28968](https://github.com/cilium/cilium/issues/28968), [@tklauser](https://github.com/tklauser)) - fqdn: avoid converting from `netip.Addr` to `net.IP` and back ([#29625](https://github.com/cilium/cilium/issues/29625), [@tklauser](https://github.com/tklauser)) - fqdn: serialize requests per-name (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30109](https://github.com/cilium/cilium/issues/30109), [@squeed](https://github.com/squeed)) - fqdn: skip ipcache insertion for names without fqdn selectors (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30110](https://github.com/cilium/cilium/issues/30110), [@squeed](https://github.com/squeed)) - gateway-api: Add conformance profile test ([#28262](https://github.com/cilium/cilium/issues/28262), [@sayboras](https://github.com/sayboras)) - gateway-api: cleanup cell imports & dependencies ([#29204](https://github.com/cilium/cilium/issues/29204), [@mhofstetter](https://github.com/mhofstetter)) - gateway-api: De-flake HTTPRouteRequestMultipleMirrors test ([#28488](https://github.com/cilium/cilium/issues/28488), [@sayboras](https://github.com/sayboras)) - gateway-api: don't register secretsync if required CRDs aren't present ([#29437](https://github.com/cilium/cilium/issues/29437), [@mhofstetter](https://github.com/mhofstetter)) - gateway-api: fix up for import rename ([#29143](https://github.com/cilium/cilium/issues/29143), [@julianwiedmann](https://github.com/julianwiedmann)) - gateway-api: improve secret sync resiliency ([#29017](https://github.com/cilium/cilium/issues/29017), [@mhofstetter](https://github.com/mhofstetter)) - gateway-api: set controller-runtime logger ([#27961](https://github.com/cilium/cilium/issues/27961), [@mhofstetter](https://github.com/mhofstetter)) - gateway-api: Use Gateway API definition to check Route condition ([#29359](https://github.com/cilium/cilium/issues/29359), [@haiyuewa](https://github.com/haiyuewa)) - gateway-api: watch ownerreference to enable stricter reconcilation ([#28641](https://github.com/cilium/cilium/issues/28641), [@mhofstetter](https://github.com/mhofstetter)) - Generalize ClusterID reservation mechanism for clustermesh ([#27248](https://github.com/cilium/cilium/issues/27248), [@giorio94](https://github.com/giorio94)) - gh: feature template: s/request/proposal ([#27023](https://github.com/cilium/cilium/issues/27023), [@julianwiedmann](https://github.com/julianwiedmann)) - gha: Update kube-proxy-replacement flag values (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30483](https://github.com/cilium/cilium/issues/30483), [@sayboras](https://github.com/sayboras)) - go.mod, renovate: specify and update Go toolchain version ([#27820](https://github.com/cilium/cilium/issues/27820), [@tklauser](https://github.com/tklauser)) - go.mod, vendor: update golang.org/x/sys to latest unreleased version ([#29070](https://github.com/cilium/cilium/issues/29070), [@tklauser](https://github.com/tklauser)) - go.mod, vendor: update vishvananda/netlink to latest ([#28779](https://github.com/cilium/cilium/issues/28779), [@tklauser](https://github.com/tklauser)) - guestbook: update example with leader/follower naming ([#29642](https://github.com/cilium/cilium/issues/29642), [@mhofstetter](https://github.com/mhofstetter)) - helm: add hubble UI support for GKE dataplane v2 ([#28709](https://github.com/cilium/cilium/issues/28709), [@dwalker-sabiogroup](https://github.com/dwalker-sabiogroup)) - Helm: Add possibility to use affinity on certgen job ([#28412](https://github.com/cilium/cilium/issues/28412), [@seb-lafond](https://github.com/seb-lafond)) - Helm: Allow configuration of the install-cni container resources field ([#27469](https://github.com/cilium/cilium/issues/27469), [@RenaudWasTaken](https://github.com/RenaudWasTaken)) - helm: Allow unsupported K8s versions for now (Backport PR [#29899](https://github.com/cilium/cilium/issues/29899), Upstream PR [#29888](https://github.com/cilium/cilium/issues/29888), [@gandro](https://github.com/gandro)) - Helm: enforce routing mode when either gke.enabled or aksbyocni.enabled are set (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29674](https://github.com/cilium/cilium/issues/29674), [@giorio94](https://github.com/giorio94)) - helm: Fix annotation duplication problems for cilium-agent ([#28978](https://github.com/cilium/cilium/issues/28978), [@bradwhitfield](https://github.com/bradwhitfield)) - helm: Fix typo in cilium chart's description ([#27389](https://github.com/cilium/cilium/issues/27389), [@nu-wa](https://github.com/nu-wa)) - helm: Improve debug.verbose docs ([#26463](https://github.com/cilium/cilium/issues/26463), [@lgadban](https://github.com/lgadban)) - helm: put extraConfig back to the end of ConfigMap cilium-config ([#27556](https://github.com/cilium/cilium/issues/27556), [@mhofstetter](https://github.com/mhofstetter)) - helm: Updated description for Helm 'devices' flag ([#26557](https://github.com/cilium/cilium/issues/26557), [@PhilipSchmid](https://github.com/PhilipSchmid)) - Hive obj output improvements ([#28369](https://github.com/cilium/cilium/issues/28369), [@bimmlerd](https://github.com/bimmlerd)) - hive: Fix hive hook output and move lifecycle to cell package (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30416](https://github.com/cilium/cilium/issues/30416), [@joamaki](https://github.com/joamaki)) - hive: ModuleID and FullModuleID, use full ID in module health ([#28512](https://github.com/cilium/cilium/issues/28512), [@joamaki](https://github.com/joamaki)) - hubble-relay: fix panic during server shutdown ([#29705](https://github.com/cilium/cilium/issues/29705), [@mhofstetter](https://github.com/mhofstetter)) - Hubble-ui now supports liveness and readiness probes ([#27028](https://github.com/cilium/cilium/issues/27028), [@mkilchhofer](https://github.com/mkilchhofer)) - hubble-ui: release v0.12.3 (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30422](https://github.com/cilium/cilium/issues/30422), [@geakstr](https://github.com/geakstr)) - hubble/relay: Remove ReportOffline and refactor PeerManager ([#28595](https://github.com/cilium/cilium/issues/28595), [@glrf](https://github.com/glrf)) - hubble: Reduce "stale identities observed" debug messages even more (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29957](https://github.com/cilium/cilium/issues/29957), [@gandro](https://github.com/gandro)) - identity/cache: only call SortedList for release ([#27796](https://github.com/cilium/cilium/issues/27796), [@bimmlerd](https://github.com/bimmlerd)) - identity: stop double-update of selector cache and regenerate when a local identity is allocated (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29865](https://github.com/cilium/cilium/issues/29865), [@squeed](https://github.com/squeed)) - images/builder: update dependencies ([#27566](https://github.com/cilium/cilium/issues/27566), [@rolinh](https://github.com/rolinh)) - images: drop the kvstoremesh dockerfile ([#28961](https://github.com/cilium/cilium/issues/28961), [@giorio94](https://github.com/giorio94)) - images: Fix init-container script for cilium-dbg ([#29424](https://github.com/cilium/cilium/issues/29424), [@joestringer](https://github.com/joestringer)) - images: Support updating Envoy to PR images ([#27850](https://github.com/cilium/cilium/issues/27850), [@jrajahalme](https://github.com/jrajahalme)) - Implement NodeAddressing on top of Table\[NodeAddress] ([#29033](https://github.com/cilium/cilium/issues/29033), [@joamaki](https://github.com/joamaki)) - Import new version of forked controller-tools ([#26918](https://github.com/cilium/cilium/issues/26918), [@AwesomePatrol](https://github.com/AwesomePatrol)) - improv: check for k8s backing before running sync ([#27269](https://github.com/cilium/cilium/issues/27269), [@kwakubiney](https://github.com/kwakubiney)) - Improve bump-readme.sh ([#27892](https://github.com/cilium/cilium/issues/27892), [@joestringer](https://github.com/joestringer)) - Improve documentation for review process for contributors and reviewers ([#27324](https://github.com/cilium/cilium/issues/27324), [@joestringer](https://github.com/joestringer)) - Improve Hubble decoding performance for drop, debug, policy and tracesock events ([#25751](https://github.com/cilium/cilium/issues/25751), [@Jack-R-lantern](https://github.com/Jack-R-lantern)) - Improve Hubble decoding performance for trace events ([#24162](https://github.com/cilium/cilium/issues/24162), [@brancz](https://github.com/brancz)) - Improve k8s-get-cilium-pod.sh ([#28774](https://github.com/cilium/cilium/issues/28774), [@timoreimann](https://github.com/timoreimann)) - Improve readability of clustermesh-related log messages ([#28784](https://github.com/cilium/cilium/issues/28784), [@giorio94](https://github.com/giorio94)) - improve the correctness of the rate limiting implementation in certain edge cases. ([#29397](https://github.com/cilium/cilium/issues/29397), [@dylandreimerink](https://github.com/dylandreimerink)) - Improve translation of CIDRGroupRefs ([#26369](https://github.com/cilium/cilium/issues/26369), [@pippolo84](https://github.com/pippolo84)) - ingress: add unit tests to test default ingressclass ([#29792](https://github.com/cilium/cilium/issues/29792), [@mhofstetter](https://github.com/mhofstetter)) - ingress: migrate Cilium Ingress controller to use the controller-runtime library ([#29327](https://github.com/cilium/cilium/issues/29327), [@mhofstetter](https://github.com/mhofstetter)) - ingress: migrate secret-sync to controller-runtime ([#29198](https://github.com/cilium/cilium/issues/29198), [@mhofstetter](https://github.com/mhofstetter)) - init.sh: move netlink device creation to Go ([#27082](https://github.com/cilium/cilium/issues/27082), [@rgo3](https://github.com/rgo3)) - init.sh: move obsolete bpf_host removal to Go ([#26539](https://github.com/cilium/cilium/issues/26539), [@rgo3](https://github.com/rgo3)) - Introduce new BGP CRDs to provide a more flexible way to configure BGP in Cilium. ([#28175](https://github.com/cilium/cilium/issues/28175), [@harsimran-pabla](https://github.com/harsimran-pabla)) - Introduce resiliency package ([#27614](https://github.com/cilium/cilium/issues/27614), [@derailed](https://github.com/derailed)) - Introduce sync.Map wrapper with generics support ([#29452](https://github.com/cilium/cilium/issues/29452), [@giorio94](https://github.com/giorio94)) - ipam,alibabacloud: Improve event driven instance resync ([#25619](https://github.com/cilium/cilium/issues/25619), [@jaffcheng](https://github.com/jaffcheng)) - ipam/multipool: Fix comment for removeExpiration ([#28031](https://github.com/cilium/cilium/issues/28031), [@hargrovee](https://github.com/hargrovee)) - ipam/multipool: Identity allocation via etcd is now supported ([#28617](https://github.com/cilium/cilium/issues/28617), [@gandro](https://github.com/gandro)) - ipam: Fix duplicate metric ipam_event release ([#29520](https://github.com/cilium/cilium/issues/29520), [@christarazi](https://github.com/christarazi)) - ipam: let `allocator.Dump` return map of allocated IPs per pool ([#27997](https://github.com/cilium/cilium/issues/27997), [@tklauser](https://github.com/tklauser)) - ipam: remove always-nil NewCIDRRange error return value ([#26706](https://github.com/cilium/cilium/issues/26706), [@tklauser](https://github.com/tklauser)) - ipam: Remove unused mock function ([#28370](https://github.com/cilium/cilium/issues/28370), [@gandro](https://github.com/gandro)) - ipcache: Deprecate old API ([#27576](https://github.com/cilium/cilium/issues/27576), [@joestringer](https://github.com/joestringer)) - ipcache: Fix incorrect source for kube-apiserver in tests ([#28407](https://github.com/cilium/cilium/issues/28407), [@christarazi](https://github.com/christarazi)) - ipcache: fix releasing node CIDRs after restoration ([#28620](https://github.com/cilium/cilium/issues/28620), [@squeed](https://github.com/squeed)) - ipcache: keep upserted prefixes from being deleted by InjectLabels ([#29014](https://github.com/cilium/cilium/issues/29014), [@squeed](https://github.com/squeed)) - ipcache: move CIDR restoration to asynchronous APIs ([#28673](https://github.com/cilium/cilium/issues/28673), [@squeed](https://github.com/squeed)) - ipcache: propagate cluster ID as part of the key ([#27337](https://github.com/cilium/cilium/issues/27337), [@giorio94](https://github.com/giorio94)) - ipcache: use TriggerController, not UpdateController ([#29548](https://github.com/cilium/cilium/issues/29548), [@squeed](https://github.com/squeed)) - ipsec: Fix Godoc document comment typo ([#27721](https://github.com/cilium/cilium/issues/27721), [@haiyuewa](https://github.com/haiyuewa)) - ipsec: misc cleanups ([#28408](https://github.com/cilium/cilium/issues/28408), [@julianwiedmann](https://github.com/julianwiedmann)) - Jobs now report health ([#28677](https://github.com/cilium/cilium/issues/28677), [@dylandreimerink](https://github.com/dylandreimerink)) - k8s/apis: refactor CRD registration helpers into a separate package ([#26834](https://github.com/cilium/cilium/issues/26834), [@tklauser](https://github.com/tklauser)) - k8s/resource: Add support for releasable Resource\[T] ([#29414](https://github.com/cilium/cilium/issues/29414), [@pippolo84](https://github.com/pippolo84)) - k8s/slim: Clarify instructions for updating slim files (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29877](https://github.com/cilium/cilium/issues/29877), [@christarazi](https://github.com/christarazi)) - k8s: remove extensions/v1beta1 support ([#28002](https://github.com/cilium/cilium/issues/28002), [@tklauser](https://github.com/tklauser)) - k8s: remove unused slim k8s model for Ingress & IngressClass ([#29517](https://github.com/cilium/cilium/issues/29517), [@mhofstetter](https://github.com/mhofstetter)) - kvstore: drop unused deleteInvalidPrefixes variable ([#27074](https://github.com/cilium/cilium/issues/27074), [@giorio94](https://github.com/giorio94)) - l2respondermap: Correct the comment for L2Responder Key and Stats ([#27986](https://github.com/cilium/cilium/issues/27986), [@haiyuewa](https://github.com/haiyuewa)) - l2respondermap: Rename the L2Responder key create function ([#28015](https://github.com/cilium/cilium/issues/28015), [@haiyuewa](https://github.com/haiyuewa)) - L7 Loadbalancing: Migrate to controller-runtime library ([#29126](https://github.com/cilium/cilium/issues/29126), [@mhofstetter](https://github.com/mhofstetter)) - labels/cidr: Fix slice preallocation size ([#28378](https://github.com/cilium/cilium/issues/28378), [@pippolo84](https://github.com/pippolo84)) - labels: further optimize IPStringToLabel for single IP case ([#29040](https://github.com/cilium/cilium/issues/29040), [@tklauser](https://github.com/tklauser)) - labels: small optimization in NewFrom and various cleanups (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#30006](https://github.com/cilium/cilium/issues/30006), [@tklauser](https://github.com/tklauser)) - loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR [#30324](https://github.com/cilium/cilium/issues/30324), Upstream PR [#30214](https://github.com/cilium/cilium/issues/30214), [@ti-mo](https://github.com/ti-mo)) - loader: attach XDP programs using bpf_link ([#28308](https://github.com/cilium/cilium/issues/28308), [@rgo3](https://github.com/rgo3)) - loader: do not invoke llc separately ([#29458](https://github.com/cilium/cilium/issues/29458), [@lmb](https://github.com/lmb)) - Log endpoint instead of pod names where appropriate ([#27427](https://github.com/cilium/cilium/issues/27427), [@tklauser](https://github.com/tklauser)) - MAINTAINERS: Add Jussi Mäki ([#26603](https://github.com/cilium/cilium/issues/26603), [@michi-covalent](https://github.com/michi-covalent)) - Make it easier to depend on clustermesh types outside of its package ([#27242](https://github.com/cilium/cilium/issues/27242), [@giorio94](https://github.com/giorio94)) - Make the community team the owner of /USERS.md ([#27321](https://github.com/cilium/cilium/issues/27321), [@michi-covalent](https://github.com/michi-covalent)) - make: add "run-builder" target ([#28587](https://github.com/cilium/cilium/issues/28587), [@jrajahalme](https://github.com/jrajahalme)) - make: allow to override values.yaml template name ([#27235](https://github.com/cilium/cilium/issues/27235), [@giorio94](https://github.com/giorio94)) - makefile: add back the sed command to update the logo path ([#28929](https://github.com/cilium/cilium/issues/28929), [@bradwhitfield](https://github.com/bradwhitfield)) - Makefile: add kind-egressgw targets ([#28793](https://github.com/cilium/cilium/issues/28793), [@jibi](https://github.com/jibi)) - makefile: fix 'fast' targets for cilium-dbg ([#28547](https://github.com/cilium/cilium/issues/28547), [@aanm](https://github.com/aanm)) - makefile: fix 'make kind' for mac ([#28791](https://github.com/cilium/cilium/issues/28791), [@f1ko](https://github.com/f1ko)) - Makefile: Fix variable override not working in all cases ([#29599](https://github.com/cilium/cilium/issues/29599), [@gandro](https://github.com/gandro)) - maps/ctmap: simplify ip/port parsing using netip.ParseAddrPort ([#28827](https://github.com/cilium/cilium/issues/28827), [@tklauser](https://github.com/tklauser)) - maps: do not depend on global variable to initialize CT maps ([#27275](https://github.com/cilium/cilium/issues/27275), [@giorio94](https://github.com/giorio94)) - maps: maglev_test: remove toleration for 4.9 kernel ([#27046](https://github.com/cilium/cilium/issues/27046), [@julianwiedmann](https://github.com/julianwiedmann)) - maps: nat: fix copy & paste in error message from doFlush\*() ([#29097](https://github.com/cilium/cilium/issues/29097), [@julianwiedmann](https://github.com/julianwiedmann)) - metrics: revert changes to pre-init kubernetes events metrics + improve metric logs (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29343](https://github.com/cilium/cilium/issues/29343), [@tommyp1ckles](https://github.com/tommyp1ckles)) - Minor documentation fixes and improvements for the BGP MD5 feature ([#29375](https://github.com/cilium/cilium/issues/29375), [@nvibert](https://github.com/nvibert)) - Misc updates in renovate configuration ([#27328](https://github.com/cilium/cilium/issues/27328), [@aanm](https://github.com/aanm)) - Miscellaneous improvements about kvstore logging ([#28843](https://github.com/cilium/cilium/issues/28843), [@giorio94](https://github.com/giorio94)) - Miscellaneous improvements to the etcd client ([#28834](https://github.com/cilium/cilium/issues/28834), [@giorio94](https://github.com/giorio94)) - mlh: disable remove PR to project ([#26863](https://github.com/cilium/cilium/issues/26863), [@mhofstetter](https://github.com/mhofstetter)) - mlh: use a regexp to check signed-off-by ([#27732](https://github.com/cilium/cilium/issues/27732), [@kaworu](https://github.com/kaworu)) - Modularise MTU discovery ([#28964](https://github.com/cilium/cilium/issues/28964), [@bimmlerd](https://github.com/bimmlerd)) - Modularize ipcache BPF listener ([#29194](https://github.com/cilium/cilium/issues/29194), [@giorio94](https://github.com/giorio94)) - Modularize kernel modules manager into its own cell ([#28713](https://github.com/cilium/cilium/issues/28713), [@pippolo84](https://github.com/pippolo84)) - Modularize stale endpoint gc in an independent cell (Backport PR [#30079](https://github.com/cilium/cilium/issues/30079), Upstream PR [#29246](https://github.com/cilium/cilium/issues/29246), [@pippolo84](https://github.com/pippolo84)) - Modularized the bandwidth manager ([#28619](https://github.com/cilium/cilium/issues/28619), [@dylandreimerink](https://github.com/dylandreimerink)) - mountinfo: fix build on linux/386 ([#29481](https://github.com/cilium/cilium/issues/29481), [@tklauser](https://github.com/tklauser)) - netns: remove unused RemoveIfFromNetNSWithNameIfBothExist ([#27411](https://github.com/cilium/cilium/issues/27411), [@tklauser](https://github.com/tklauser)) - node: allow to override enable encapsulation on a per-node basis ([#29232](https://github.com/cilium/cilium/issues/29232), [@giorio94](https://github.com/giorio94)) - node: introduce prefix cluster mutator ([#27354](https://github.com/cilium/cilium/issues/27354), [@giorio94](https://github.com/giorio94)) - node: Only Add Enabled IPs to Labels ([#28360](https://github.com/cilium/cilium/issues/28360), [@nathanjsweet](https://github.com/nathanjsweet)) - nodediscovery: support additional IP address sources for the local node ([#27507](https://github.com/cilium/cilium/issues/27507), [@tklauser](https://github.com/tklauser)) - None ([#28738](https://github.com/cilium/cilium/issues/28738), [@saschagrunert](https://github.com/saschagrunert)) - Operator: Add missing observability for Azure API calls ([#26277](https://github.com/cilium/cilium/issues/26277), [@hemanthmalla](https://github.com/hemanthmalla)) - operator: extract controller-runtime integration into its own cell ([#28931](https://github.com/cilium/cilium/issues/28931), [@mhofstetter](https://github.com/mhofstetter)) - operator: Fix CEP and CES events debug logs ([#28797](https://github.com/cilium/cilium/issues/28797), [@dlapcevic](https://github.com/dlapcevic)) - operator: introduce cec l7 envoy loadbalancing cell ([#28835](https://github.com/cilium/cilium/issues/28835), [@mhofstetter](https://github.com/mhofstetter)) - operator: introduce gateway api cell ([#28785](https://github.com/cilium/cilium/issues/28785), [@mhofstetter](https://github.com/mhofstetter)) - operator: introduce Ingress cell ([#28794](https://github.com/cilium/cilium/issues/28794), [@mhofstetter](https://github.com/mhofstetter)) - operator: Migrate Cilium Endpoint GC to hive ([#28233](https://github.com/cilium/cilium/issues/28233), [@alan-kut](https://github.com/alan-kut)) - Optimize IP/FQDN management in the DNSCache ([#29691](https://github.com/cilium/cilium/issues/29691), [@squeed](https://github.com/squeed)) - option: add LoadBalancerUsesDSR() helper ([#26898](https://github.com/cilium/cilium/issues/26898), [@julianwiedmann](https://github.com/julianwiedmann)) - pkg/aws: Improve event driven instance resync for AWS IPAM ([#27791](https://github.com/cilium/cilium/issues/27791), [@jaffcheng](https://github.com/jaffcheng)) - pkg/bgpv1: Updates getPeerConfig() Method ([#28474](https://github.com/cilium/cilium/issues/28474), [@danehans](https://github.com/danehans)) - pkg/cidr: Move linux specific variable references from netlink ([#27638](https://github.com/cilium/cilium/issues/27638), [@aditighag](https://github.com/aditighag)) - pkg/policy: Convert benchmarks in resolve_test.go to std benchmarks ([#27815](https://github.com/cilium/cilium/issues/27815), [@christarazi](https://github.com/christarazi)) - pkg/pprof: add CODEOWNER ([#28278](https://github.com/cilium/cilium/issues/28278), [@lmb](https://github.com/lmb)) - pkg/proxy/logger: switch to netip.Addr ([#28783](https://github.com/cilium/cilium/issues/28783), [@tklauser](https://github.com/tklauser)) - pkg/rand: remove random name generator ([#29664](https://github.com/cilium/cilium/issues/29664), [@aanm](https://github.com/aanm)) - pkg: proxy: only install from-proxy rules/routes for native routing ([#29761](https://github.com/cilium/cilium/issues/29761), [@julianwiedmann](https://github.com/julianwiedmann)) - plugins/cilium-cni: cleanups around IPAM allocation and veth pair creation ([#26595](https://github.com/cilium/cilium/issues/26595), [@tklauser](https://github.com/tklauser)) - plugins/cilium-cni: Introduce endpoint customization ([#29707](https://github.com/cilium/cilium/issues/29707), [@gandro](https://github.com/gandro)) - plugins/cilium-cni: make error formatting consistent ([#27535](https://github.com/cilium/cilium/issues/27535), [@tklauser](https://github.com/tklauser)) - plugins/cilium-cni: Move implementation into separate package ([#29336](https://github.com/cilium/cilium/issues/29336), [@gandro](https://github.com/gandro)) - plugins/cilium-cni: reduce string allocations of CNI command arguments ([#27681](https://github.com/cilium/cilium/issues/27681), [@tklauser](https://github.com/tklauser)) - policy/api: use netip.Addr when sanitizing CIDR rules ([#28121](https://github.com/cilium/cilium/issues/28121), [@tklauser](https://github.com/tklauser)) - policy: Describe CIDR superset logic for denies and FQDN ([#26720](https://github.com/cilium/cilium/issues/26720), [@joestringer](https://github.com/joestringer)) - policy: expand "world" entity selector to select all address families (Backport PR [#29961](https://github.com/cilium/cilium/issues/29961), Upstream PR [#29958](https://github.com/cilium/cilium/issues/29958), [@squeed](https://github.com/squeed)) - policy: Fix MapState.Equals() (Backport PR [#30264](https://github.com/cilium/cilium/issues/30264), Upstream PR [#30233](https://github.com/cilium/cilium/issues/30233), [@jrajahalme](https://github.com/jrajahalme)) - policy: Return a real nil rather than a non-nil interface ([#29022](https://github.com/cilium/cilium/issues/29022), [@jrajahalme](https://github.com/jrajahalme)) - policy: Simplify AccumulateMapChanges prototypes ([#29025](https://github.com/cilium/cilium/issues/29025), [@jrajahalme](https://github.com/jrajahalme)) - policy: Simplify AccumulateMapChanges prototypes (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#29025](https://github.com/cilium/cilium/issues/29025), [@jrajahalme](https://github.com/jrajahalme)) - Prepare for release v1.14.0-rc.0 ([#26546](https://github.com/cilium/cilium/issues/26546), [@joestringer](https://github.com/joestringer)) - Prepare for release v1.15.0-pre.0 ([#27853](https://github.com/cilium/cilium/issues/27853), [@aanm](https://github.com/aanm)) - Prepare for release v1.15.0-pre.1 ([#28336](https://github.com/cilium/cilium/issues/28336), [@aanm](https://github.com/aanm)) - Prepare for release v1.15.0-pre.2 ([#28901](https://github.com/cilium/cilium/issues/28901), [@aanm](https://github.com/aanm)) - Prepare for release v1.15.0-pre.3 ([#29596](https://github.com/cilium/cilium/issues/29596), [@aanm](https://github.com/aanm)) - Prepare for v1.15 development cycle ([#26516](https://github.com/cilium/cilium/issues/26516), [@joestringer](https://github.com/joestringer)) - Prepare v1.15 stable branch ([#29838](https://github.com/cilium/cilium/issues/29838), [@joestringer](https://github.com/joestringer)) - probes: remove HAVE_FIB_LOOKUP leftovers ([#29401](https://github.com/cilium/cilium/issues/29401), [@rgo3](https://github.com/rgo3)) - Propagate the CiliumClusterConfig through etcd when Cilium is configured in kvstore mode ([#27109](https://github.com/cilium/cilium/issues/27109), [@giorio94](https://github.com/giorio94)) - Provide CT/NAT maps GC logic through hive ([#27356](https://github.com/cilium/cilium/issues/27356), [@giorio94](https://github.com/giorio94)) - proxy: allow to provide fixed port for DNS proxy via cell ([#28786](https://github.com/cilium/cilium/issues/28786), [@tklauser](https://github.com/tklauser)) - proxy: define and use well known datapath constants ([#28955](https://github.com/cilium/cilium/issues/28955), [@tklauser](https://github.com/tklauser)) - proxy: export ProxyConfig fields ([#29827](https://github.com/cilium/cilium/issues/29827), [@tklauser](https://github.com/tklauser)) - proxy: introduce envoy cell ([#26657](https://github.com/cilium/cilium/issues/26657), [@mhofstetter](https://github.com/mhofstetter)) - proxy: refactor package global vars to proxy fields ([#26619](https://github.com/cilium/cilium/issues/26619), [@mhofstetter](https://github.com/mhofstetter)) - proxy: refactor proxy.CreateOrUpdateRedirect ([#26839](https://github.com/cilium/cilium/issues/26839), [@mhofstetter](https://github.com/mhofstetter)) - proxy: refactor redirect integration ([#27049](https://github.com/cilium/cilium/issues/27049), [@mhofstetter](https://github.com/mhofstetter)) - proxy: remove unused xds resource access timeout ([#26747](https://github.com/cilium/cilium/issues/26747), [@mhofstetter](https://github.com/mhofstetter)) - README: Remove v1.11 from stable releases table ([#27466](https://github.com/cilium/cilium/issues/27466), [@joestringer](https://github.com/joestringer)) - README: Update releases ([#27864](https://github.com/cilium/cilium/issues/27864), [@joestringer](https://github.com/joestringer)) - README: Update releases ([#28179](https://github.com/cilium/cilium/issues/28179), [@michi-covalent](https://github.com/michi-covalent)) - README: Update releases ([#28340](https://github.com/cilium/cilium/issues/28340), [@aanm](https://github.com/aanm)) - README: Update releases ([#28689](https://github.com/cilium/cilium/issues/28689), [@jrajahalme](https://github.com/jrajahalme)) - README: Update releases ([#29170](https://github.com/cilium/cilium/issues/29170), [@nathanjsweet](https://github.com/nathanjsweet)) - README: Update releases ([#29609](https://github.com/cilium/cilium/issues/29609), [@aanm](https://github.com/aanm)) - Refactor duplicate imports for Cilium v2alpha1 API ([#26620](https://github.com/cilium/cilium/issues/26620), [@dlapcevic](https://github.com/dlapcevic)) - Refactor LocalNode synchronization logic and remove NodeChain ([#29319](https://github.com/cilium/cilium/issues/29319), [@giorio94](https://github.com/giorio94)) - Refactor the per-cluster CT maps manager ([#27448](https://github.com/cilium/cilium/issues/27448), [@giorio94](https://github.com/giorio94)) - Refactor the per-cluster NAT maps manager ([#27430](https://github.com/cilium/cilium/issues/27430), [@giorio94](https://github.com/giorio94)) - Refactor watchstore/watchsync metrics ([#27485](https://github.com/cilium/cilium/issues/27485), [@marseel](https://github.com/marseel)) - Refactors the use of ControlPlaneState in the BGP-CP ([#26992](https://github.com/cilium/cilium/issues/26992), [@ldelossa](https://github.com/ldelossa)) - Register cluster-id and cluster-name flags through hive ([#27823](https://github.com/cilium/cilium/issues/27823), [@giorio94](https://github.com/giorio94)) - Register endpointmanager metrics via dependency injected registry ([#26078](https://github.com/cilium/cilium/issues/26078), [@dylandreimerink](https://github.com/dylandreimerink)) - Register service/endpoint flags through hive ([#27817](https://github.com/cilium/cilium/issues/27817), [@giorio94](https://github.com/giorio94)) - release image: Allow arbitrary pre-release identifiers ([#29173](https://github.com/cilium/cilium/issues/29173), [@michi-covalent](https://github.com/michi-covalent)) - relicense test/bpf/unit_test.c to not be GPL ([#26618](https://github.com/cilium/cilium/issues/26618), [@Joffref](https://github.com/Joffref)) - Remove accidentally checked in .orig file ([#29145](https://github.com/cilium/cilium/issues/29145), [@christarazi](https://github.com/christarazi)) - Remove daemon health from being reported via the CLI ([#28404](https://github.com/cilium/cilium/issues/28404), [@derailed](https://github.com/derailed)) - Remove dependencies on linux probes for Windows builds ([#28367](https://github.com/cilium/cilium/issues/28367), [@glrf](https://github.com/glrf)) - Remove NodeSpecer and ControlPlaneState from BGP-CP. Rely on Hive/Cell for further ConfigReconciler dependencies. ([#27285](https://github.com/cilium/cilium/issues/27285), [@ldelossa](https://github.com/ldelossa)) - Remove unnecessary type conversions in fqdn zombies handling ([#27047](https://github.com/cilium/cilium/issues/27047), [@giorio94](https://github.com/giorio94)) - Remove usage of global options from iptables cell ([#29088](https://github.com/cilium/cilium/issues/29088), [@pippolo84](https://github.com/pippolo84)) - removed unnecessary 'revert' parameter from Newk8sTranslator and updated api calls accordingly. ([#26217](https://github.com/cilium/cilium/issues/26217), [@akstron](https://github.com/akstron)) - Removes Unused TransformToNode() Func ([#26743](https://github.com/cilium/cilium/issues/26743), [@danehans](https://github.com/danehans)) - Rename egress_policies.h to srv6.h and add SRv6 related trace reasons. (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30154](https://github.com/cilium/cilium/issues/30154), [@ldelossa](https://github.com/ldelossa)) - Renamed Hubble Dashboard so that it can be installed by Grafana Sidecar. ([#28971](https://github.com/cilium/cilium/issues/28971), [@saintdle](https://github.com/saintdle)) - renovate: ignore all gops updates ([#27631](https://github.com/cilium/cilium/issues/27631), [@tklauser](https://github.com/tklauser)) - renovate: schedule all renovate updates for Monday ([#28585](https://github.com/cilium/cilium/issues/28585), [@aanm](https://github.com/aanm)) - Replace some usages of fmt.Sprintf with more efficient string concatenation ([#27518](https://github.com/cilium/cilium/issues/27518), [@schlosna](https://github.com/schlosna)) - Replace StateDB with StateDB2 ([#27628](https://github.com/cilium/cilium/issues/27628), [@dylandreimerink](https://github.com/dylandreimerink)) - report endpoint ID on endpoint BPF program ([#28747](https://github.com/cilium/cilium/issues/28747), [@aanm](https://github.com/aanm)) - Report node source in `cilium-dbg node list` ([#29196](https://github.com/cilium/cilium/issues/29196), [@tklauser](https://github.com/tklauser)) - Resiliency: Add checks to ensure endpoint BPF programs remain loaded ([#27981](https://github.com/cilium/cilium/issues/27981), [@derailed](https://github.com/derailed)) - Resiliency: Add retry logic to attempt to clear out stale hostip ([#27673](https://github.com/cilium/cilium/issues/27673), [@derailed](https://github.com/derailed)) - Resiliency: Node manager reconciliation path yields unchecked errors ([#27714](https://github.com/cilium/cilium/issues/27714), [@derailed](https://github.com/derailed)) - resource: Add support for custom Indexers ([#27032](https://github.com/cilium/cilium/issues/27032), [@pippolo84](https://github.com/pippolo84)) - Revert ".github: write the right regex for little-vm-images versioning" ([#27415](https://github.com/cilium/cilium/issues/27415), [@aanm](https://github.com/aanm)) - Revert "Refactor hubble redact settings schema" ([#27352](https://github.com/cilium/cilium/issues/27352), [@joamaki](https://github.com/joamaki)) - secret-sync: extract secret-sync logic from gateway api controller & introduce hive cell ([#29100](https://github.com/cilium/cilium/issues/29100), [@mhofstetter](https://github.com/mhofstetter)) - service: fix service manager interface mismatch caused by merge race ([#29018](https://github.com/cilium/cilium/issues/29018), [@giorio94](https://github.com/giorio94)) - Set RouteMTU for generic veth ([#26495](https://github.com/cilium/cilium/issues/26495), [@sugangli](https://github.com/sugangli)) - Some small fixes to make kind-fast ([#28621](https://github.com/cilium/cilium/issues/28621), [@squeed](https://github.com/squeed)) - Split mapstate keys into allow and deny ([#28352](https://github.com/cilium/cilium/issues/28352), [@bimmlerd](https://github.com/bimmlerd)) - Splits Apart kind-image-fast Make Target ([#28079](https://github.com/cilium/cilium/issues/28079), [@danehans](https://github.com/danehans)) - SRv6: Add quality of life methods for SID map usage. ([#27192](https://github.com/cilium/cilium/issues/27192), [@ldelossa](https://github.com/ldelossa)) - StateDB review follow-ups ([#28030](https://github.com/cilium/cilium/issues/28030), [@joamaki](https://github.com/joamaki)) - statedb v2.0 with per-table locks and delete tracking ([#27160](https://github.com/cilium/cilium/issues/27160), [@joamaki](https://github.com/joamaki)) - statedb: Allow non-terminated keys ([#29440](https://github.com/cilium/cilium/issues/29440), [@joamaki](https://github.com/joamaki)) - statedb: extract REST API handler to pkg ([#26645](https://github.com/cilium/cilium/issues/26645), [@bimmlerd](https://github.com/bimmlerd)) - statedb: Fix revision indexing ([#29840](https://github.com/cilium/cilium/issues/29840), [@joamaki](https://github.com/joamaki)) - statedb: Fix watch channel returned by LowerBound ([#28644](https://github.com/cilium/cilium/issues/28644), [@joamaki](https://github.com/joamaki)) - statedb: Rename statedb2 to statedb ([#27643](https://github.com/cilium/cilium/issues/27643), [@joamaki](https://github.com/joamaki)) - statedb: Simplify integration with Hive ([#28892](https://github.com/cilium/cilium/issues/28892), [@joamaki](https://github.com/joamaki)) - StateDB: split write methods from Table into RWTable ([#28140](https://github.com/cilium/cilium/issues/28140), [@joamaki](https://github.com/joamaki)) - statedb: Use proper context for graveyard rate limiting ([#28888](https://github.com/cilium/cilium/issues/28888), [@joamaki](https://github.com/joamaki)) - stream: fix spurious event on termination when Debounce is used ([#29347](https://github.com/cilium/cilium/issues/29347), [@giorio94](https://github.com/giorio94)) - Support for batch deletion of endpoints ([#27351](https://github.com/cilium/cilium/issues/27351), [@tklauser](https://github.com/tklauser)) - test/controlplane: Fix hostport test after API change ([#26685](https://github.com/cilium/cilium/issues/26685), [@pippolo84](https://github.com/pippolo84)) - test: remove probes-test.sh ([#29612](https://github.com/cilium/cilium/issues/29612), [@rgo3](https://github.com/rgo3)) - tests: replace more incorrect DeepEquals uses ([#25829](https://github.com/cilium/cilium/issues/25829), [@markpash](https://github.com/markpash)) - treewide: wrap multiple errors using the standard library ([#26524](https://github.com/cilium/cilium/issues/26524), [@rolinh](https://github.com/rolinh)) - typo fix ([#28231](https://github.com/cilium/cilium/issues/28231), [@yylt](https://github.com/yylt)) - Typo fix in the docs (Backport PR [#30529](https://github.com/cilium/cilium/issues/30529), Upstream PR [#30407](https://github.com/cilium/cilium/issues/30407), [@nvibert](https://github.com/nvibert)) - typo in the debug document ([#27627](https://github.com/cilium/cilium/issues/27627), [@weizhoublue](https://github.com/weizhoublue)) - Update codeowners for recent lb-ipam / ipalloc changes ([#28803](https://github.com/cilium/cilium/issues/28803), [@joestringer](https://github.com/joestringer)) - Update ec2 eni limits - current as of Oct 30, 2023 ([#28880](https://github.com/cilium/cilium/issues/28880), [@michaelsaah](https://github.com/michaelsaah)) - update github.com/cilium/ebpf to v0.12.0 ([#28533](https://github.com/cilium/cilium/issues/28533), [@lmb](https://github.com/lmb)) - Update Hubble UI from v0.12.0 to v0.12.1 ([#28532](https://github.com/cilium/cilium/issues/28532), [@rolinh](https://github.com/rolinh)) - Update hubble-exporter.rst ([#28081](https://github.com/cilium/cilium/issues/28081), [@nvibert](https://github.com/nvibert)) - update k8s dependencies to v0.28.2 ([#28648](https://github.com/cilium/cilium/issues/28648), [@aanm](https://github.com/aanm)) - Update l2-announcements.rst ([#27988](https://github.com/cilium/cilium/issues/27988), [@nvibert](https://github.com/nvibert)) - Update lb-ipam.rst ([#28756](https://github.com/cilium/cilium/issues/28756), [@nvibert](https://github.com/nvibert)) - Update Palantir usecases ([#26633](https://github.com/cilium/cilium/issues/26633), [@ungureanuvladvictor](https://github.com/ungureanuvladvictor)) - Update prereleases ([#26871](https://github.com/cilium/cilium/issues/26871), [@joestringer](https://github.com/joestringer)) - Update renovate configuration for ginkgo and kindest/node ([#27347](https://github.com/cilium/cilium/issues/27347), [@aanm](https://github.com/aanm)) - Update SPIRE dependency to v1.8.5 ([#29597](https://github.com/cilium/cilium/issues/29597), [@meyskens](https://github.com/meyskens)) - Update stable releases ([#27112](https://github.com/cilium/cilium/issues/27112), [@aanm](https://github.com/aanm)) - Update stable releases ([#27126](https://github.com/cilium/cilium/issues/27126), [@nathanjsweet](https://github.com/nathanjsweet)) - Update stable releases ([#27637](https://github.com/cilium/cilium/issues/27637), [@asauber](https://github.com/asauber)) - Update the TCP conntrack entry timeouts to a lower value, so that closed entries are garbage collected earlier, thus freeing up the conntrack map. ([#27665](https://github.com/cilium/cilium/issues/27665), [@aditighag](https://github.com/aditighag)) - Update v1.15.0-RC.1 digests ([#30277](https://github.com/cilium/cilium/issues/30277), [@aanm](https://github.com/aanm)) - updated docs to reflect Envoy as a DS option (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29518](https://github.com/cilium/cilium/issues/29518), [@nvibert](https://github.com/nvibert)) - Use generic Set instead of specified Set ([#26378](https://github.com/cilium/cilium/issues/26378), [@bzsuni](https://github.com/bzsuni)) - Use generics in k8s factory functions ([#26367](https://github.com/cilium/cilium/issues/26367), [@AwesomePatrol](https://github.com/AwesomePatrol)) - Use Go 1.19 atomic types ([#27563](https://github.com/cilium/cilium/issues/27563), [@tklauser](https://github.com/tklauser)) - Use Go 1.19 atomic types and their default value ([#27844](https://github.com/cilium/cilium/issues/27844), [@tklauser](https://github.com/tklauser)) - Use Resource\[T] to implement CEP and CES watchers (Backport PR [#30230](https://github.com/cilium/cilium/issues/30230), Upstream PR [#29249](https://github.com/cilium/cilium/issues/29249), [@pippolo84](https://github.com/pippolo84)) - USERS: Add Trendyol ([#26946](https://github.com/cilium/cilium/issues/26946), [@eminaktas](https://github.com/eminaktas)) - vendor: downgrade github.com/shirou/gopsutil/v3 to v3.23.2 ([#27623](https://github.com/cilium/cilium/issues/27623), [@aanm](https://github.com/aanm)) - watchers: use resource for network policies ([#26601](https://github.com/cilium/cilium/issues/26601), [@bimmlerd](https://github.com/bimmlerd)) **Other Changes:** - \[1.15] loader: fix obsolete XDP program removal ([#30224](https://github.com/cilium/cilium/issues/30224), [@rgo3](https://github.com/rgo3)) - Add specific drop reason for missing tail calls if the host datapath is not ready yet ([#30203](https://github.com/cilium/cilium/issues/30203), [@ti-mo](https://github.com/ti-mo)) - envoy: Bump envoy version for x/net library ([#30509](https://github.com/cilium/cilium/issues/30509), [@sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.0-rc.0 ([#29906](https://github.com/cilium/cilium/issues/29906), [@joestringer](https://github.com/joestringer)) - Prepare for release v1.15.0-rc.0 ([#29883](https://github.com/cilium/cilium/issues/29883), [@joestringer](https://github.com/joestringer)) - Prepare for release v1.15.0-rc.1 ([#30271](https://github.com/cilium/cilium/issues/30271), [@aanm](https://github.com/aanm)) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.0@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619` `quay.io/cilium/cilium:stable@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.0@sha256:43feb49dfbaa82388dc653ce12c7626ce40ae375e9853d71b9f5cff0ce61d54a` `quay.io/cilium/clustermesh-apiserver:stable@sha256:43feb49dfbaa82388dc653ce12c7626ce40ae375e9853d71b9f5cff0ce61d54a` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.0@sha256:6c79c492da7b3574509a94b0c6b4ef0570c005aa6be5879b71d8e59e103f2a7b` `quay.io/cilium/docker-plugin:stable@sha256:6c79c492da7b3574509a94b0c6b4ef0570c005aa6be5879b71d8e59e103f2a7b` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.0@sha256:45b3ea70b73aee01644f800b8f6138c36446bfb130d2b88b0f75775ebe6a9ab6` `quay.io/cilium/hubble-relay:stable@sha256:45b3ea70b73aee01644f800b8f6138c36446bfb130d2b88b0f75775ebe6a9ab6` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.0@sha256:ee03349caef5519f8e9123132cf17c85b771f8fff095c57f00a2af8bb3224b79` `quay.io/cilium/operator-alibabacloud:stable@sha256:ee03349caef5519f8e9123132cf17c85b771f8fff095c57f00a2af8bb3224b79` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.0@sha256:cf45167a8bb336c763046553c6a97c0d7f12f7e2a498dfb2340fa27832a81b3a` `quay.io/cilium/operator-aws:stable@sha256:cf45167a8bb336c763046553c6a97c0d7f12f7e2a498dfb2340fa27832a81b3a` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.0@sha256:498a9e940cddd4e58d401a13005b0784ed9597bfe1e5cf2f52b6ba9ccceee768` `quay.io/cilium/operator-azure:stable@sha256:498a9e940cddd4e58d401a13005b0784ed9597bfe1e5cf2f52b6ba9ccceee768` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.0@sha256:e26ecd316e742e4c8aa1e302ba8b577c2d37d114583d6c4cdd2b638493546a79` `quay.io/cilium/operator-generic:stable@sha256:e26ecd316e742e4c8aa1e302ba8b577c2d37d114583d6c4cdd2b638493546a79` ##### operator `quay.io/cilium/operator:v1.15.0@sha256:949ec05e962d370437deb6ca4b27b05b8e9c8077bfa6a5b9b4d80d08a26d4fee` `quay.io/cilium/operator:stable@sha256:949ec05e962d370437deb6ca4b27b05b8e9c8077bfa6a5b9b4d80d08a26d4fee` ### [`v1.14.8`](https://github.com/cilium/cilium/releases/tag/v1.14.8): 1.14.8 [Compare Source](https://github.com/cilium/cilium/compare/1.14.7...1.14.8) We are pleased to release Cilium v1.14.8. ## Security Advisories This patch release addresses security vulnerabilities. See the following security advisories for details. - https://github.com/cilium/cilium/security/advisories/GHSA-68mj-9pjq-mc85 - https://github.com/cilium/cilium/security/advisories/GHSA-j89h-qrvr-xc36 - https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6 ## IPsec This patch release includes significant changes for the IPsec stack, to resolve issues for connections that are selected by a L7 Network Policy or a DNS Policy. Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode. ## Summary of Changes **Minor Changes:** - Enhance trace events from the outbound SNAT path, to report the pre-SNAT IP address and the interface index of the egress interface. (Backport PR [#30835](https://github.com/cilium/cilium/issues/30835), Upstream PR [#28723](https://github.com/cilium/cilium/issues/28723), [@julianwiedmann](https://github.com/julianwiedmann)) - Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting existing connections. (Backport PR [#31337](https://github.com/cilium/cilium/issues/31337), Upstream PR [#31205](https://github.com/cilium/cilium/issues/31205), [@squeed](https://github.com/squeed)) **Bugfixes:** - endpoint: fix inability to create endpoint with labels in a single API call (Backport PR [#31000](https://github.com/cilium/cilium/issues/31000), Upstream PR [#30170](https://github.com/cilium/cilium/issues/30170), [@oblazek](https://github.com/oblazek)) - Fix bug prevented endpoints from sending or receiving network traffic due to the 'reserved:init' label persisting after initialization. (Backport PR [#31048](https://github.com/cilium/cilium/issues/31048), Upstream PR [#30909](https://github.com/cilium/cilium/issues/30909), [@aanm](https://github.com/aanm)) - Fixes an IPv6 issue that cilium doesn't respond to Neighbor Solicitation targeting the pods on same node. (Backport PR [#31186](https://github.com/cilium/cilium/issues/31186), Upstream PR [#30837](https://github.com/cilium/cilium/issues/30837), [@jschwinger233](https://github.com/jschwinger233)) - Fixes an L7 proxy issue by re-introducing 2005 route table. (Backport PR [#31160](https://github.com/cilium/cilium/issues/31160), Upstream PR [#29530](https://github.com/cilium/cilium/issues/29530), [@jschwinger233](https://github.com/jschwinger233)) - Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR [#31160](https://github.com/cilium/cilium/issues/31160), Upstream PR [#29594](https://github.com/cilium/cilium/issues/29594), [@jschwinger233](https://github.com/jschwinger233)) - Fixes proxy issues in egress direction (Backport PR [#31160](https://github.com/cilium/cilium/issues/31160), Upstream PR [#30095](https://github.com/cilium/cilium/issues/30095), [@jschwinger233](https://github.com/jschwinger233)) - helm: Probe Envoy DaemonSet localhost IP directly (Backport PR [#31000](https://github.com/cilium/cilium/issues/31000), Upstream PR [#30970](https://github.com/cilium/cilium/issues/30970), [@iandrewt](https://github.com/iandrewt)) - Policy revert used in rare error cases has been corrected. (Backport PR [#30882](https://github.com/cilium/cilium/issues/30882), Upstream PR [#29162](https://github.com/cilium/cilium/issues/29162), [@jrajahalme](https://github.com/jrajahalme)) - srv6: Fix packet drop with GSO type mismatch (Backport PR [#30800](https://github.com/cilium/cilium/issues/30800), Upstream PR [#30732](https://github.com/cilium/cilium/issues/30732), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - xds: Avoid xds timeout due to agent restart in envoy DS mode (Backport PR [#31156](https://github.com/cilium/cilium/issues/31156), Upstream PR [#31061](https://github.com/cilium/cilium/issues/31061), [@sayboras](https://github.com/sayboras)) **CI Changes:** - Align again conformance clustermesh matrix entries with main as the interoperability issue has been fixed ([#30912](https://github.com/cilium/cilium/issues/30912), [@giorio94](https://github.com/giorio94)) - ci-e2e: restore 6.1 kernels ([#30862](https://github.com/cilium/cilium/issues/30862), [@lmb](https://github.com/lmb)) - ci/ipsec: Fix downgrade version retrieval (Backport PR [#31048](https://github.com/cilium/cilium/issues/31048), Upstream PR [#30742](https://github.com/cilium/cilium/issues/30742), [@qmonnet](https://github.com/qmonnet)) - ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR [#30864](https://github.com/cilium/cilium/issues/30864), Upstream PR [#30790](https://github.com/cilium/cilium/issues/30790), [@brlbil](https://github.com/brlbil)) - CI: Update tested K8S versions across all cloud providers (Backport PR [#30864](https://github.com/cilium/cilium/issues/30864), Upstream PR [#30795](https://github.com/cilium/cilium/issues/30795), [@brlbil](https://github.com/brlbil)) - Fix datapath mode in Network Performance CI test (Backport PR [#30864](https://github.com/cilium/cilium/issues/30864), Upstream PR [#30756](https://github.com/cilium/cilium/issues/30756), [@marseel](https://github.com/marseel)) - workflows: Clean IPsec test output (Backport PR [#30800](https://github.com/cilium/cilium/issues/30800), Upstream PR [#30759](https://github.com/cilium/cilium/issues/30759), [@pchaigno](https://github.com/pchaigno)) **Misc Changes:** - bgpv1: Remove disruptive error handling from BGPRouterManager ([#30765](https://github.com/cilium/cilium/issues/30765), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - bgpv1: Remove or downgrade noisy logs (Backport PR [#31000](https://github.com/cilium/cilium/issues/31000), Upstream PR [#30868](https://github.com/cilium/cilium/issues/30868), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - bitlpm: Factor out common code (Backport PR [#31156](https://github.com/cilium/cilium/issues/31156), Upstream PR [#31026](https://github.com/cilium/cilium/issues/31026), [@jrajahalme](https://github.com/jrajahalme)) - bpf: host: optimize from-host's ICMPv6 path (Backport PR [#31186](https://github.com/cilium/cilium/issues/31186), Upstream PR [#31127](https://github.com/cilium/cilium/issues/31127), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: host: skip from-proxy handling in from-netdev (Backport PR [#31160](https://github.com/cilium/cilium/issues/31160), Upstream PR [#29962](https://github.com/cilium/cilium/issues/29962), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (Backport PR [#31160](https://github.com/cilium/cilium/issues/31160), Upstream PR [#29721](https://github.com/cilium/cilium/issues/29721), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: minor ICMPv6 improvements (Backport PR [#31186](https://github.com/cilium/cilium/issues/31186), Upstream PR [#26563](https://github.com/cilium/cilium/issues/26563), [@julianwiedmann](https://github.com/julianwiedmann)) - bugtool: Capture memory fragmentation info from /proc (Backport PR [#31156](https://github.com/cilium/cilium/issues/31156), Upstream PR [#30966](https://github.com/cilium/cilium/issues/30966), [@pchaigno](https://github.com/pchaigno)) - Bump google.golang.org/protobuf (v1.14) ([#31314](https://github.com/cilium/cilium/issues/31314), [@ferozsalam](https://github.com/ferozsalam)) - chore(deps): update actions/download-artifact action to v4.1.3 (v1.14) ([#30989](https://github.com/cilium/cilium/issues/30989), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.14) ([#30954](https://github.com/cilium/cilium/issues/30954), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.14) ([#31114](https://github.com/cilium/cilium/issues/31114), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.14) ([#31294](https://github.com/cilium/cilium/issues/31294), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.14) (patch) ([#31136](https://github.com/cilium/cilium/issues/31136), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies to v4 (v1.14) (major) ([#30782](https://github.com/cilium/cilium/issues/30782), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all-dependencies (v1.14) ([#30952](https://github.com/cilium/cilium/issues/30952), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.23 (v1.14) ([#30861](https://github.com/cilium/cilium/issues/30861), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.0 (v1.14) ([#31173](https://github.com/cilium/cilium/issues/31173), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`77906da`](https://github.com/cilium/cilium/commit/77906da) (v1.14) ([#31291](https://github.com/cilium/cilium/issues/31291), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`e9569c2`](https://github.com/cilium/cilium/commit/e9569c2) (v1.14) ([#30739](https://github.com/cilium/cilium/issues/30739), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.21.7 (v1.14) ([#30953](https://github.com/cilium/cilium/issues/30953), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.21.8 (v1.14) ([#31184](https://github.com/cilium/cilium/issues/31184), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update hubble cli to v0.13.2 (v1.14) ([#31339](https://github.com/cilium/cilium/issues/31339), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update quay.io/lvh-images/kind docker tag to v6.6-20240221.111541 (v1.14) ([#30979](https://github.com/cilium/cilium/issues/30979), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update stable lvh-images (v1.14) (patch) ([#30653](https://github.com/cilium/cilium/issues/30653), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update stable lvh-images (v1.14) (patch) ([#31137](https://github.com/cilium/cilium/issues/31137), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update stable lvh-images (v1.14) (patch) ([#31293](https://github.com/cilium/cilium/issues/31293), [@renovate](https://github.com/renovate)\[bot]) - container/bitlpm: Add Lookup Boolean Return Value (Backport PR [#31156](https://github.com/cilium/cilium/issues/31156), Upstream PR [#31037](https://github.com/cilium/cilium/issues/31037), [@nathanjsweet](https://github.com/nathanjsweet)) - docs: Document XfrmInStateInvalid errors (Backport PR [#30800](https://github.com/cilium/cilium/issues/30800), Upstream PR [#30151](https://github.com/cilium/cilium/issues/30151), [@pchaigno](https://github.com/pchaigno)) - docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (Backport PR [#31156](https://github.com/cilium/cilium/issues/31156), Upstream PR [#30462](https://github.com/cilium/cilium/issues/30462), [@saintdle](https://github.com/saintdle)) - identity/cache: only call SortedList for release (Backport PR [#30864](https://github.com/cilium/cilium/issues/30864), Upstream PR [#27796](https://github.com/cilium/cilium/issues/27796), [@bimmlerd](https://github.com/bimmlerd)) - images: bump cni plugins to v1.4.1 ([#31349](https://github.com/cilium/cilium/issues/31349), [@aanm](https://github.com/aanm)) - lbipam: copy slice before modification in (\*LBIPAM).handlePoolModified (Backport PR [#31000](https://github.com/cilium/cilium/issues/31000), Upstream PR [#30859](https://github.com/cilium/cilium/issues/30859), [@tklauser](https://github.com/tklauser)) - loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay (Backport PR [#31156](https://github.com/cilium/cilium/issues/31156), Upstream PR [#31025](https://github.com/cilium/cilium/issues/31025), [@julianwiedmann](https://github.com/julianwiedmann)) - pkg: Add Bitwise LPM Trie Library (Backport PR [#30864](https://github.com/cilium/cilium/issues/30864), Upstream PR [#29717](https://github.com/cilium/cilium/issues/29717), [@nathanjsweet](https://github.com/nathanjsweet)) - pkg: proxy: only install from-proxy rules/routes for native routing (Backport PR [#31160](https://github.com/cilium/cilium/issues/31160), Upstream PR [#29761](https://github.com/cilium/cilium/issues/29761), [@julianwiedmann](https://github.com/julianwiedmann)) - slices: don't modify input slices in test (Backport PR [#31000](https://github.com/cilium/cilium/issues/31000), Upstream PR [#30677](https://github.com/cilium/cilium/issues/30677), [@tklauser](https://github.com/tklauser)) **Other Changes:** - \[v1.14] bpf: nodeport: add missing ifindex in NAT trace event ([#31022](https://github.com/cilium/cilium/issues/31022), [@julianwiedmann](https://github.com/julianwiedmann)) - \[v1.14] envoy: Bump golang version to 1.21.8 ([#31222](https://github.com/cilium/cilium/issues/31222), [@sayboras](https://github.com/sayboras)) - \[v1.14] iptables: Read CNI chaining mode from CNI config manager ([#31265](https://github.com/cilium/cilium/issues/31265), [@pippolo84](https://github.com/pippolo84)) - cli: Replace --cluster-name with --helm-set cluster.name ([#31177](https://github.com/cilium/cilium/issues/31177), [@michi-covalent](https://github.com/michi-covalent)) - install: Update image digests for v1.14.7 ([#30752](https://github.com/cilium/cilium/issues/30752), [@michi-covalent](https://github.com/michi-covalent)) - Upgrade GoBGP to v3.23.0 and backport [#28293](https://github.com/cilium/cilium/issues/28293) ([#30793](https://github.com/cilium/cilium/issues/30793), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - v1.14: WG L7 ([#31267](https://github.com/cilium/cilium/issues/31267), [@brb](https://github.com/brb)) ### [`v1.14.7`](https://github.com/cilium/cilium/releases/tag/v1.14.7): 1.14.7 [Compare Source](https://github.com/cilium/cilium/compare/1.14.6...1.14.7) We are pleased to release Cilium v1.14.7. This release contains various bug fixes and performance / usability improvements, including a fix for performance regression for pod-to-pod traffic WireGuard and tunneling (https://github.com/cilium/cilium/pull/30329). ## Summary of Changes **Minor Changes:** - api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30167](https://github.com/cilium/cilium/issues/30167), [@viktor-kurchenko](https://github.com/viktor-kurchenko)) - Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport PR [#30355](https://github.com/cilium/cilium/issues/30355), Upstream PR [#30126](https://github.com/cilium/cilium/issues/30126), [@youngnick](https://github.com/youngnick)) - helm: Add extraVolumeMounts to cilium config init container (Backport PR [#30355](https://github.com/cilium/cilium/issues/30355), Upstream PR [#30131](https://github.com/cilium/cilium/issues/30131), [@ayuspin](https://github.com/ayuspin)) - ui: release v0.13.0 (Backport PR [#30724](https://github.com/cilium/cilium/issues/30724), Upstream PR [#30711](https://github.com/cilium/cilium/issues/30711), [@geakstr](https://github.com/geakstr)) **Bugfixes:** - envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (Backport PR [#30680](https://github.com/cilium/cilium/issues/30680), Upstream PR [#30543](https://github.com/cilium/cilium/issues/30543), [@chaunceyjiang](https://github.com/chaunceyjiang)) - Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR [#30323](https://github.com/cilium/cilium/issues/30323), Upstream PR [#30248](https://github.com/cilium/cilium/issues/30248), [@ti-mo](https://github.com/ti-mo)) - Fix cilium-envoy ServiceMonitor port name (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#27207](https://github.com/cilium/cilium/issues/27207), [@pixiono](https://github.com/pixiono)) - Fix error when using multiple allowRoutes namespaces in gateway ([#30551](https://github.com/cilium/cilium/issues/30551), [@mhofstetter](https://github.com/mhofstetter)) - Fix error when using multiple allowRoutes namespaces in gateway (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30100](https://github.com/cilium/cilium/issues/30100), [@chaunceyjiang](https://github.com/chaunceyjiang)) - Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (Backport PR [#30355](https://github.com/cilium/cilium/issues/30355), Upstream PR [#29460](https://github.com/cilium/cilium/issues/29460), [@tommyp1ckles](https://github.com/tommyp1ckles)) - Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30399](https://github.com/cilium/cilium/issues/30399), [@tlcowling](https://github.com/tlcowling)) - Fix performance regression for pod-to-pod traffic WireGuard and tunneling. (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30329](https://github.com/cilium/cilium/issues/30329), [@3u13r](https://github.com/3u13r)) - Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30282](https://github.com/cilium/cilium/issues/30282), [@giorio94](https://github.com/giorio94)) - hive: Fix start hook log output (Backport PR [#30724](https://github.com/cilium/cilium/issues/30724), Upstream PR [#30712](https://github.com/cilium/cilium/issues/30712), [@joamaki](https://github.com/joamaki)) - init well-known identity before new policy repository to fix the fqdn policy issue when enable well-known identity. (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30052](https://github.com/cilium/cilium/issues/30052), [@yingnanzhang666](https://github.com/yingnanzhang666)) - L2 announcements retry getting lease after losing it (Backport PR [#30355](https://github.com/cilium/cilium/issues/30355), Upstream PR [#30340](https://github.com/cilium/cilium/issues/30340), [@dylandreimerink](https://github.com/dylandreimerink)) - node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (Backport PR [#30534](https://github.com/cilium/cilium/issues/30534), Upstream PR [#30423](https://github.com/cilium/cilium/issues/30423), [@gandro](https://github.com/gandro)) - Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR [#30680](https://github.com/cilium/cilium/issues/30680), Upstream PR [#30536](https://github.com/cilium/cilium/issues/30536), [@hemanthmalla](https://github.com/hemanthmalla)) **CI Changes:** - ci datapath-verifier: add connectivity test (Backport PR [#30371](https://github.com/cilium/cilium/issues/30371), Upstream PR [#29633](https://github.com/cilium/cilium/issues/29633), [@mhofstetter](https://github.com/mhofstetter)) - ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30503](https://github.com/cilium/cilium/issues/30503), [@qmonnet](https://github.com/qmonnet)) - ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR [#30680](https://github.com/cilium/cilium/issues/30680), Upstream PR [#30525](https://github.com/cilium/cilium/issues/30525), [@tklauser](https://github.com/tklauser)) - ci: Bump timeout of ci-runtime (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#29317](https://github.com/cilium/cilium/issues/29317), [@YutaroHayakawa](https://github.com/YutaroHayakawa)) - ci: bypass proxy.golang.org in Go toolchain installation (Backport PR [#30371](https://github.com/cilium/cilium/issues/30371), Upstream PR [#29549](https://github.com/cilium/cilium/issues/29549), [@tklauser](https://github.com/tklauser)) - CI: Change cloud regions (Backport PR [#30680](https://github.com/cilium/cilium/issues/30680), Upstream PR [#30378](https://github.com/cilium/cilium/issues/30378), [@brlbil](https://github.com/brlbil)) - ci: disable cgo when installing Go toolchain (Backport PR [#30371](https://github.com/cilium/cilium/issues/30371), Upstream PR [#27869](https://github.com/cilium/cilium/issues/27869), [@tklauser](https://github.com/tklauser)) - ci: run verifier tests with proper Go toolchain version (Backport PR [#30371](https://github.com/cilium/cilium/issues/30371), Upstream PR [#27857](https://github.com/cilium/cilium/issues/27857), [@tklauser](https://github.com/tklauser)) - Extend the clustermesh workflows to additionally cover the external kvstore case (Backport PR [#30355](https://github.com/cilium/cilium/issues/30355), Upstream PR [#29983](https://github.com/cilium/cilium/issues/29983), [@giorio94](https://github.com/giorio94)) - gh: ci-verifier: use lvh-images/complexity-test as renovate dependency (Backport PR [#30680](https://github.com/cilium/cilium/issues/30680), Upstream PR [#30520](https://github.com/cilium/cilium/issues/30520), [@julianwiedmann](https://github.com/julianwiedmann)) - gha: additionally cover BPF masquerade in clustermesh E2E tests (Backport PR [#30680](https://github.com/cilium/cilium/issues/30680), Upstream PR [#30321](https://github.com/cilium/cilium/issues/30321), [@giorio94](https://github.com/giorio94)) - gha: explicilty specify beefier runner type for clustermesh workflows (Backport PR [#30355](https://github.com/cilium/cilium/issues/30355), Upstream PR [#30335](https://github.com/cilium/cilium/issues/30335), [@giorio94](https://github.com/giorio94)) - gha: make runner type for clustermesh workflows configurable (Backport PR [#30680](https://github.com/cilium/cilium/issues/30680), Upstream PR [#30496](https://github.com/cilium/cilium/issues/30496), [@giorio94](https://github.com/giorio94)) - Improve Conformance Cluster Mesh workflow coverage (Backport PR [#30355](https://github.com/cilium/cilium/issues/30355), Upstream PR [#29926](https://github.com/cilium/cilium/issues/29926), [@giorio94](https://github.com/giorio94)) - Network performance (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30247](https://github.com/cilium/cilium/issues/30247), [@marseel](https://github.com/marseel)) - Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR [#30355](https://github.com/cilium/cilium/issues/30355), Upstream PR [#30207](https://github.com/cilium/cilium/issues/30207), [@giorio94](https://github.com/giorio94)) - Update GitHub upload-artifact action (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30443](https://github.com/cilium/cilium/issues/30443), [@brlbil](https://github.com/brlbil)) **Misc Changes:** - Added Last page Edit on Documentation (Backport PR [#30680](https://github.com/cilium/cilium/issues/30680), Upstream PR [#30612](https://github.com/cilium/cilium/issues/30612), [@gailsuccess](https://github.com/gailsuccess)) - bpf: fib: fix issues with L2 resolution (Backport PR [#30372](https://github.com/cilium/cilium/issues/30372), Upstream PR [#30128](https://github.com/cilium/cilium/issues/30128), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: lb: return drop reasons from \__lb4\_rev_nat() (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30410](https://github.com/cilium/cilium/issues/30410), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: overlay: restore bpf_clear_meta() in from-overlay (Backport PR [#30355](https://github.com/cilium/cilium/issues/30355), Upstream PR [#30343](https://github.com/cilium/cilium/issues/30343), [@julianwiedmann](https://github.com/julianwiedmann)) - build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30219](https://github.com/cilium/cilium/issues/30219), [@dependabot](https://github.com/dependabot)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.14) ([#30144](https://github.com/cilium/cilium/issues/30144), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.21 (v1.14) ([#30571](https://github.com/cilium/cilium/issues/30571), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency go to v1.21.6 (v1.14) ([#30174](https://github.com/cilium/cilium/issues/30174), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency go to v1.21.6 (v1.14) ([#30640](https://github.com/cilium/cilium/issues/30640), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/alpine docker tag to v3.18.6 (v1.14) ([#30641](https://github.com/cilium/cilium/issues/30641), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.21.6 (v1.14) (minor) ([#30145](https://github.com/cilium/cilium/issues/30145), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update hubble cli to v0.13.0 (v1.14) (minor) ([#30274](https://github.com/cilium/cilium/issues/30274), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update stable lvh-images (v1.14) (patch) ([#30492](https://github.com/cilium/cilium/issues/30492), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update stable lvh-images (v1.14) (patch) ([#30575](https://github.com/cilium/cilium/issues/30575), [@renovate](https://github.com/renovate)\[bot]) - doc: Add Azure CNI Powered by cilium as external installer (Backport PR [#30355](https://github.com/cilium/cilium/issues/30355), Upstream PR [#28286](https://github.com/cilium/cilium/issues/28286), [@tamilmani1989](https://github.com/tamilmani1989)) - docs: Add Egress Gateway Policy warning on `egressIP` and `interface` being mutually exclusive in the `egressGateway` spec. (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30236](https://github.com/cilium/cilium/issues/30236), [@soggiest](https://github.com/soggiest)) - docs: warn users that IPsec and KPR are mutual exclusive (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30403](https://github.com/cilium/cilium/issues/30403), [@f1ko](https://github.com/f1ko)) - hive: Fix hive hook output and move lifecycle to cell package (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30416](https://github.com/cilium/cilium/issues/30416), [@joamaki](https://github.com/joamaki)) - hubble-ui: release v0.12.3 (Backport PR [#30554](https://github.com/cilium/cilium/issues/30554), Upstream PR [#30422](https://github.com/cilium/cilium/issues/30422), [@geakstr](https://github.com/geakstr)) - ipcache: Skip conflict logging for tunnelpeer if native routing (Backport PR [#30355](https://github.com/cilium/cilium/issues/30355), Upstream PR [#27331](https://github.com/cilium/cilium/issues/27331), [@christarazi](https://github.com/christarazi)) - loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR [#30323](https://github.com/cilium/cilium/issues/30323), Upstream PR [#30214](https://github.com/cilium/cilium/issues/30214), [@ti-mo](https://github.com/ti-mo)) - Rename egress_policies.h to srv6.h and add SRv6 related trace reasons. (Backport PR [#30680](https://github.com/cilium/cilium/issues/30680), Upstream PR [#30154](https://github.com/cilium/cilium/issues/30154), [@ldelossa](https://github.com/ldelossa)) - Rerun go mod tidy to fix missing entry ([#30358](https://github.com/cilium/cilium/issues/30358), [@giorio94](https://github.com/giorio94)) **Other Changes:** - \[v1.14] ci/ipsec: Fix downgrade version for release preparation commits ([#30716](https://github.com/cilium/cilium/issues/30716), [@qmonnet](https://github.com/qmonnet)) - \[v1.14] ci/ipsec: Re-enable node-to-node-encryption check ([#30401](https://github.com/cilium/cilium/issues/30401), [@qmonnet](https://github.com/qmonnet)) - envoy: Bump envoy version for x/net library ([#30515](https://github.com/cilium/cilium/issues/30515), [@sayboras](https://github.com/sayboras)) - envoy: Bump envoy version to v1.26.7 ([#30693](https://github.com/cilium/cilium/issues/30693), [@sayboras](https://github.com/sayboras)) - install: Update image digests for v1.14.6 ([#30318](https://github.com/cilium/cilium/issues/30318), [@gentoo-root](https://github.com/gentoo-root)) - remove stable tags from 1.14 releases ([#30557](https://github.com/cilium/cilium/issues/30557), [@aanm](https://github.com/aanm)) ### [`v1.14.6`](https://github.com/cilium/cilium/releases/tag/v1.14.6): 1.14.6 [Compare Source](https://github.com/cilium/cilium/compare/1.14.5...1.14.6) We are pleased to release Cilium v1.14.6. This release includes various bugfixes and performance enhancements. The amount of trace events is reduced when monitor aggregation is enabled, allowing to improve pod-to-pod performance with tunneling and IPsec. An inconsistency in the node manager is fixed, which led to incorrect masquerading of traffic to node internal IP addresses. Other fixes include fixes for mTLS, DNS proxy, datapath, etc. ## Summary of Changes **Minor Changes:** - Add Proxy l7 metrics proxy_type label and and Cleanup (Backport PR [#29703](https://github.com/cilium/cilium/issues/29703), Upstream PR [#27863](https://github.com/cilium/cilium/issues/27863), [@tommyp1ckles](https://github.com/tommyp1ckles)) - Reduce "stale identity observed" warnings (Backport PR [#29863](https://github.com/cilium/cilium/issues/29863), Upstream PR [#27894](https://github.com/cilium/cilium/issues/27894), [@leblowl](https://github.com/leblowl)) **Bugfixes:** - \[1.14] ingress: fix ingress class reconciliation ([#29810](https://github.com/cilium/cilium/issues/29810), [@mhofstetter](https://github.com/mhofstetter)) - Add default toleration for SPIRE agent on control plane nodes (Backport PR [#30198](https://github.com/cilium/cilium/issues/30198), Upstream PR [#28947](https://github.com/cilium/cilium/issues/28947), [@meyskens](https://github.com/meyskens)) - Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR [#30213](https://github.com/cilium/cilium/issues/30213), Upstream PR [#29239](https://github.com/cilium/cilium/issues/29239), [@jrajahalme](https://github.com/jrajahalme)) - cilium-preflight: use the k8s node name instead of relying on hostname (Backport PR [#29996](https://github.com/cilium/cilium/issues/29996), Upstream PR [#29809](https://github.com/cilium/cilium/issues/29809), [@marseel](https://github.com/marseel)) - Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (Backport PR [#30265](https://github.com/cilium/cilium/issues/30265), Upstream PR [#29400](https://github.com/cilium/cilium/issues/29400), [@meyskens](https://github.com/meyskens)) - Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (Backport PR [#30221](https://github.com/cilium/cilium/issues/30221), Upstream PR [#29986](https://github.com/cilium/cilium/issues/29986), [@qmonnet](https://github.com/qmonnet)) - Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR [#29996](https://github.com/cilium/cilium/issues/29996), Upstream PR [#29616](https://github.com/cilium/cilium/issues/29616), [@learnitall](https://github.com/learnitall)) - Fix cleanup of AWS-related leftover iptables chains (Backport PR [#29863](https://github.com/cilium/cilium/issues/29863), Upstream PR [#29448](https://github.com/cilium/cilium/issues/29448), [@giorio94](https://github.com/giorio94)) - helm: Fix envoy servicemonitor annotations (Backport PR [#30198](https://github.com/cilium/cilium/issues/30198), Upstream PR [#30017](https://github.com/cilium/cilium/issues/30017), [@pmcgrath](https://github.com/pmcgrath)) - metrics: fix issue where logging err/warn metric is never updated. (Backport PR [#29863](https://github.com/cilium/cilium/issues/29863), Upstream PR [#29201](https://github.com/cilium/cilium/issues/29201), [@tommyp1ckles](https://github.com/tommyp1ckles)) - nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR [#29972](https://github.com/cilium/cilium/issues/29972), Upstream PR [#29964](https://github.com/cilium/cilium/issues/29964), [@gandro](https://github.com/gandro)) - policy: Fix mapstate changes error in entry change comparison (Backport PR [#29996](https://github.com/cilium/cilium/issues/29996), Upstream PR [#29815](https://github.com/cilium/cilium/issues/29815), [@jrajahalme](https://github.com/jrajahalme)) - Remove non fatal errors from SPIRE client in the operator (Backport PR [#30265](https://github.com/cilium/cilium/issues/30265), Upstream PR [#28698](https://github.com/cilium/cilium/issues/28698), [@meyskens](https://github.com/meyskens)) - Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport PR [#30080](https://github.com/cilium/cilium/issues/30080), Upstream PR [#29848](https://github.com/cilium/cilium/issues/29848), [@joamaki](https://github.com/joamaki)) **CI Changes:** - bpf: fix test configuration for 5.10 and 6.1 kernels (Backport PR [#30198](https://github.com/cilium/cilium/issues/30198), Upstream PR [#29999](https://github.com/cilium/cilium/issues/29999), [@julianwiedmann](https://github.com/julianwiedmann)) - ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport PR [#29703](https://github.com/cilium/cilium/issues/29703), Upstream PR [#29653](https://github.com/cilium/cilium/issues/29653), [@brb](https://github.com/brb)) - ci-ipsec-{e2e,upgrade}: Use lvh-kind (Backport PR [#29966](https://github.com/cilium/cilium/issues/29966), Upstream PR [#29514](https://github.com/cilium/cilium/issues/29514), [@brb](https://github.com/brb)) - ci/ipsec: Skip waiting for images when skipping upgrade/dowgrade (Backport PR [#29966](https://github.com/cilium/cilium/issues/29966), Upstream PR [#29793](https://github.com/cilium/cilium/issues/29793), [@qmonnet](https://github.com/qmonnet)) - ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (Backport PR [#29863](https://github.com/cilium/cilium/issues/29863), Upstream PR [#29455](https://github.com/cilium/cilium/issues/29455), [@mhofstetter](https://github.com/mhofstetter)) - ci: always use full matrix for scheduled cloud-provider workflows (Backport PR [#29863](https://github.com/cilium/cilium/issues/29863), Upstream PR [#29694](https://github.com/cilium/cilium/issues/29694), [@mhofstetter](https://github.com/mhofstetter)) - ci: fix dns issue when pulling cilium-docker-plugin in ci-runtime (Backport PR [#29863](https://github.com/cilium/cilium/issues/29863), Upstream PR [#29502](https://github.com/cilium/cilium/issues/29502), [@mhofstetter](https://github.com/mhofstetter)) - ci: increase disk size for GKE clusters (ci-gke & ci-external-workloads) (Backport PR [#30198](https://github.com/cilium/cilium/issues/30198), Upstream PR [#29528](https://github.com/cilium/cilium/issues/29528), [@mhofstetter](https://github.com/mhofstetter)) - Conformance AKS: wait for cilium-test namespace deletion during uninstallation (Backport PR [#30198](https://github.com/cilium/cilium/issues/30198), Upstream PR [#29893](https://github.com/cilium/cilium/issues/29893), [@giorio94](https://github.com/giorio94)) - datapath: Cover subnet encryption in XFRM leak test (Backport PR [#30080](https://github.com/cilium/cilium/issues/30080), Upstream PR [#27212](https://github.com/cilium/cilium/issues/27212), [@pchaigno](https://github.com/pchaigno)) - datapath: Fix TestNodeChurnXFRMLeaks (Backport PR [#30080](https://github.com/cilium/cilium/issues/30080), Upstream PR [#27274](https://github.com/cilium/cilium/issues/27274), [@brb](https://github.com/brb)) - Fix collecting of verifier logs in ci-verifier (Backport PR [#29863](https://github.com/cilium/cilium/issues/29863), Upstream PR [#29752](https://github.com/cilium/cilium/issues/29752), [@lmb](https://github.com/lmb)) - gh/workflows: Add lvh-kind action and use it in ci-e2e (Backport PR [#29966](https://github.com/cilium/cilium/issues/29966), Upstream PR [#29485](https://github.com/cilium/cilium/issues/29485), [@brb](https://github.com/brb)) - gha: add step to ensure presence/absence of the AWS iptables chains (Backport PR [#29863](https://github.com/cilium/cilium/issues/29863), Upstream PR [#29670](https://github.com/cilium/cilium/issues/29670), [@giorio94](https://github.com/giorio94)) - gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport PR [#29863](https://github.com/cilium/cilium/issues/29863), Upstream PR [#29675](https://github.com/cilium/cilium/issues/29675), [@giorio94](https://github.com/giorio94)) - node: Integration test for XFRM leaks on node churn (Backport PR [#30080](https://github.com/cilium/cilium/issues/30080), Upstream PR [#27187](https://github.com/cilium/cilium/issues/27187), [@pchaigno](https://github.com/pchaigno)) - workflows: Increase IPsec e2e test's timeout (Backport PR [#30265](https://github.com/cilium/cilium/issues/30265), Upstream PR [#30194](https://github.com/cilium/cilium/issues/30194), [@julianwiedmann](https://github.com/julianwiedmann)) - workflows: Increase IPsec upgrade test's timeout (Backport PR [#30080](https://github.com/cilium/cilium/issues/30080), Upstream PR [#29934](https://github.com/cilium/cilium/issues/29934), [@pchaigno](https://github.com/pchaigno)) - workflows: Make the conn-disrupt test more sensitive (Backport PR [#29703](https://github.com/cilium/cilium/issues/29703), Upstream PR [#29623](https://github.com/cilium/cilium/issues/29623), [@pchaigno](https://github.com/pchaigno)) - workflows: move cilium_cli_version definition to set-env-variables action (Backport PR [#30198](https://github.com/cilium/cilium/issues/30198), Upstream PR [#29237](https://github.com/cilium/cilium/issues/29237), [@jibi](https://github.com/jibi)) **Misc Changes:** - bgpv1: set running flag in manager (Backport PR [#30080](https://github.com/cilium/cilium/issues/30080), Upstream PR [#30013](https://github.com/cilium/cilium/issues/30013), [@harsimran-pabla](https://github.com/harsimran-pabla)) - bpf: ipv4: always return drop reason from ipv4\_handle_fragmentation() (Backport PR [#29996](https://github.com/cilium/cilium/issues/29996), Upstream PR [#29880](https://github.com/cilium/cilium/issues/29880), [@julianwiedmann](https://github.com/julianwiedmann)) - chore(deps): update all github action dependencies to v5 (v1.14) (major) ([#29784](https://github.com/cilium/cilium/issues/29784), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (v1.14) (patch) ([#29781](https://github.com/cilium/cilium/issues/29781), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update github/codeql-action action to v2.22.9 (v1.14) ([#29783](https://github.com/cilium/cilium/issues/29783), [@renovate](https://github.com/renovate)\[bot]) - doc: Update recommended way for installing cilium on AKS (Backport PR [#30198](https://github.com/cilium/cilium/issues/30198), Upstream PR [#28910](https://github.com/cilium/cilium/issues/28910), [@tamilmani1989](https://github.com/tamilmani1989)) - docs: fix chained veth plugin example (Backport PR [#30265](https://github.com/cilium/cilium/issues/30265), Upstream PR [#30209](https://github.com/cilium/cilium/issues/30209), [@squeed](https://github.com/squeed)) - docs: Fix keyid derivation in IPsec docs (Backport PR [#30080](https://github.com/cilium/cilium/issues/30080), Upstream PR [#30000](https://github.com/cilium/cilium/issues/30000), [@brb](https://github.com/brb)) - Fix bug preventing endpoint-related debug logs from being emitted (Backport PR [#29829](https://github.com/cilium/cilium/issues/29829), Upstream PR [#29495](https://github.com/cilium/cilium/issues/29495), [@learnitall](https://github.com/learnitall)) - Fix cilium-envoy ServiceMonitor template typo (Backport PR [#30198](https://github.com/cilium/cilium/issues/30198), Upstream PR [#29976](https://github.com/cilium/cilium/issues/29976), [@cornfeedhobo](https://github.com/cornfeedhobo)) - Fix log error in clustermesh-apiserver when connecting external workloads (Backport PR [#29919](https://github.com/cilium/cilium/issues/29919), Upstream PR [#29896](https://github.com/cilium/cilium/issues/29896), [@giorio94](https://github.com/giorio94)) - fix(deps): update module golang.org/x/crypto to v0.17.0 \[security] (main) (Backport PR [#30198](https://github.com/cilium/cilium/issues/30198), Upstream PR [#29971](https://github.com/cilium/cilium/issues/29971), [@renovate](https://github.com/renovate)\[bot]) - fix: remove help message in build config failure (Backport PR [#30265](https://github.com/cilium/cilium/issues/30265), Upstream PR [#28974](https://github.com/cilium/cilium/issues/28974), [@vipul-21](https://github.com/vipul-21)) - Helm: enforce routing mode when either gke.enabled or aksbyocni.enabled are set (Backport PR [#30080](https://github.com/cilium/cilium/issues/30080), Upstream PR [#29674](https://github.com/cilium/cilium/issues/29674), [@giorio94](https://github.com/giorio94)) - hubble: Reduce "stale identities observed" debug messages even more (Backport PR [#29996](https://github.com/cilium/cilium/issues/29996), Upstream PR [#29957](https://github.com/cilium/cilium/issues/29957), [@gandro](https://github.com/gandro)) - k8s: Bump CRD schema version to 1.27.x ([#29908](https://github.com/cilium/cilium/issues/29908), [@joestringer](https://github.com/joestringer)) - Modularize iptables manager (Backport PR [#30221](https://github.com/cilium/cilium/issues/30221), Upstream PR [#28746](https://github.com/cilium/cilium/issues/28746), [@pippolo84](https://github.com/pippolo84)) - resource: Fix flaky TestResource_RepeatedDelete (Backport PR [#29996](https://github.com/cilium/cilium/issues/29996), Upstream PR [#28588](https://github.com/cilium/cilium/issues/28588), [@joamaki](https://github.com/joamaki)) - Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport PR [#29868](https://github.com/cilium/cilium/issues/29868), Upstream PR [#29801](https://github.com/cilium/cilium/issues/29801), [@jrfastab](https://github.com/jrfastab)) **Other Changes:** - \[1.14] loader: fix obsolete XDP program removal ([#30229](https://github.com/cilium/cilium/issues/30229), [@rgo3](https://github.com/rgo3)) - \[v1.14] ci: In conn-disrupt-test action, disable node-to-node-encryption check ([#29742](https://github.com/cilium/cilium/issues/29742), [@qmonnet](https://github.com/qmonnet)) - Add specific drop reason for missing tail calls if the host datapath is not ready yet ([#30204](https://github.com/cilium/cilium/issues/30204), [@ti-mo](https://github.com/ti-mo)) - bgpv1: Add bgp/routes API endpoint and cilium bgp routes CLI command & integrate it in the bugtool ([#30205](https://github.com/cilium/cilium/issues/30205), [@rastislavs](https://github.com/rastislavs)) - install: Update image digests for v1.14.5 ([#29806](https://github.com/cilium/cilium/issues/29806), [@nebril](https://github.com/nebril)) - v1.14: update dependency cilium/cilium-cli to v0.15.19 ([#30135](https://github.com/cilium/cilium/issues/30135), [@pchaigno](https://github.com/pchaigno)) ### [`v1.14.5`](https://github.com/cilium/cilium/releases/tag/v1.14.5): 1.14.5 [Compare Source](https://github.com/cilium/cilium/compare/1.14.4...1.14.5) We are pleased to release Cilium v1.14.5. This release include expanded credential and resource limit related configuration parameters for the Agent DaemonSet and SPIRE agent, fixes to an issue where stale nodes would appear in the cilium_node_connectivity_\* metrics, enhancements to the detail shown by the IPsec CLI subcommands, a fix to a datapath fix for SNAT running behind multiple network interfaces, a fix to NAT entry GC when DSR enabled, a fix for endpoint label changes during the re-init restoration, and a variety of other stability enhancements. Also included are performance enhancements to concurrency techniques used in policy generation and the selectorcache read/write path. ## Summary of Changes **Minor Changes:** - Adds affinity, nodeSelector, podSecurityContext and securityContext to the SPIRE agent deployment values (Backport PR [#29187](https://github.com/cilium/cilium/issues/29187), Upstream PR [#29077](https://github.com/cilium/cilium/issues/29077), [@meyskens](https://github.com/meyskens)) - helm: Add missing SA automount configuration (Backport PR [#29689](https://github.com/cilium/cilium/issues/29689), Upstream PR [#29511](https://github.com/cilium/cilium/issues/29511), [@ayuspin](https://github.com/ayuspin)) - helm: Allow setting resources for the agent init containers (Backport PR [#29689](https://github.com/cilium/cilium/issues/29689), Upstream PR [#29610](https://github.com/cilium/cilium/issues/29610), [@ayuspin](https://github.com/ayuspin)) - Network policies for reserved:ingress identity are now enforced by Cilium Ingress and Gateway API. (Backport PR [#29447](https://github.com/cilium/cilium/issues/29447), Upstream PR [#28126](https://github.com/cilium/cilium/issues/28126), [@jrajahalme](https://github.com/jrajahalme)) **Bugfixes:** - "envoy-admin" cluster is renamed as "/envoy-admin", requiring all references in CEC/CCEC to be updated. (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29020](https://github.com/cilium/cilium/issues/29020), [@jrajahalme](https://github.com/jrajahalme)) - Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration ([#29308](https://github.com/cilium/cilium/issues/29308), [@ti-mo](https://github.com/ti-mo)) - bpf: Fix drop of IPv6 reply traffic when 1) pod-originating connection is SNATed by iptables, and 2) Host Firewall is enabled. (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#28813](https://github.com/cilium/cilium/issues/28813), [@oblazek](https://github.com/oblazek)) - bpf: xdp: don't support GENEVE passthrough with DSR-Hybrid (Backport PR [#29187](https://github.com/cilium/cilium/issues/29187), Upstream PR [#28959](https://github.com/cilium/cilium/issues/28959), [@julianwiedmann](https://github.com/julianwiedmann)) - ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (Backport PR [#29641](https://github.com/cilium/cilium/issues/29641), Upstream PR [#29098](https://github.com/cilium/cilium/issues/29098), [@julianwiedmann](https://github.com/julianwiedmann)) - datapath: Fix ENI egress routing table for cilium_host IP (Backport PR [#29390](https://github.com/cilium/cilium/issues/29390), Upstream PR [#29335](https://github.com/cilium/cilium/issues/29335), [@gandro](https://github.com/gandro)) - Do not skip FIB lookup when running in BPF Host Routing when Endpoint Routes enabled (Backport PR [#29187](https://github.com/cilium/cilium/issues/29187), Upstream PR [#28264](https://github.com/cilium/cilium/issues/28264), [@aspsk](https://github.com/aspsk)) - endpoint: fix panic in RunMetadataResolver due to send on closed channel (Backport PR [#29251](https://github.com/cilium/cilium/issues/29251), Upstream PR [#29615](https://github.com/cilium/cilium/issues/29615), [@mhofstetter](https://github.com/mhofstetter)) - endpointmanager: unmap ip for lookup (Backport PR [#29641](https://github.com/cilium/cilium/issues/29641), Upstream PR [#29554](https://github.com/cilium/cilium/issues/29554), [@tklauser](https://github.com/tklauser)) - Fix bug where deleted nodes would reappear in the cilium_node_connectivity_\* metrics (Backport PR [#29641](https://github.com/cilium/cilium/issues/29641), Upstream PR [#29566](https://github.com/cilium/cilium/issues/29566), [@christarazi](https://github.com/christarazi)) - Fix external workloads not working with non-default ClusterID (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29378](https://github.com/cilium/cilium/issues/29378), [@giorio94](https://github.com/giorio94)) - Fix possible disruption of long running, cross-cluster, pod to node traffic on agent restart (Backport PR [#29641](https://github.com/cilium/cilium/issues/29641), Upstream PR [#29613](https://github.com/cilium/cilium/issues/29613), [@giorio94](https://github.com/giorio94)) - Fix routing delegation to AWS-VPC-CNI when using the security groups feature. (Backport PR [#29641](https://github.com/cilium/cilium/issues/29641), Upstream PR [#29111](https://github.com/cilium/cilium/issues/29111), [@Alex-Waring](https://github.com/Alex-Waring)) - Fix the Created timestamps in `cilium bpf nat list` that used to display the same values. (Backport PR [#29187](https://github.com/cilium/cilium/issues/29187), Upstream PR [#27062](https://github.com/cilium/cilium/issues/27062), [@gentoo-root](https://github.com/gentoo-root)) - Fixed label synchronization issues in Cilium, ensuring accurate representation of endpoint labels during restoration and addressing out-of-sync problems caused by label changes while the Cilium agent is down. (Backport PR [#29251](https://github.com/cilium/cilium/issues/29251), Upstream PR [#29248](https://github.com/cilium/cilium/issues/29248), [@aanm](https://github.com/aanm)) - gateway-api: add watch for reference grant in TLSRoute reconciler (Backport PR [#29187](https://github.com/cilium/cilium/issues/29187), Upstream PR [#29007](https://github.com/cilium/cilium/issues/29007), [@mhofstetter](https://github.com/mhofstetter)) - gateway-api: Avoid redirect loop when the same host name is used for http and https listeners (Backport PR [#29442](https://github.com/cilium/cilium/issues/29442), Upstream PR [#29115](https://github.com/cilium/cilium/issues/29115), [@sayboras](https://github.com/sayboras)) - gateway: Ignore loadbalancer class for Gateway service (Backport PR [#29641](https://github.com/cilium/cilium/issues/29641), Upstream PR [#29547](https://github.com/cilium/cilium/issues/29547), [@sayboras](https://github.com/sayboras)) - Handle non-AEAD IPsec keys in `cilium encrypt status`. (Backport PR [#29641](https://github.com/cilium/cilium/issues/29641), Upstream PR [#29182](https://github.com/cilium/cilium/issues/29182), [@viktor-kurchenko](https://github.com/viktor-kurchenko)) - ingress: fix foreground deletion of Ingress (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29367](https://github.com/cilium/cilium/issues/29367), [@mhofstetter](https://github.com/mhofstetter)) - Install loopback CNI atomically to protect against aborted copy (Backport PR [#29641](https://github.com/cilium/cilium/issues/29641), Upstream PR [#29462](https://github.com/cilium/cilium/issues/29462), [@akhilles](https://github.com/akhilles)) - ipam: Fix bug where IP lease did not expire (Backport PR [#29641](https://github.com/cilium/cilium/issues/29641), Upstream PR [#29443](https://github.com/cilium/cilium/issues/29443), [@gandro](https://github.com/gandro)) - ipam: Fix bug where IP lease did not expire (Backport PR [#29652](https://github.com/cilium/cilium/issues/29652), Upstream PR [#29443](https://github.com/cilium/cilium/issues/29443), [@gandro](https://github.com/gandro)) - iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29310](https://github.com/cilium/cilium/issues/29310), [@julianwiedmann](https://github.com/julianwiedmann)) - metrics: fix potential conflict on metrics registration (Backport PR [#29270](https://github.com/cilium/cilium/issues/29270), Upstream PR [#27007](https://github.com/cilium/cilium/issues/27007), [@ysksuzuki](https://github.com/ysksuzuki)) - metrics: fix potential conflict on metrics registration (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#27007](https://github.com/cilium/cilium/issues/27007), [@ysksuzuki](https://github.com/ysksuzuki)) - Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR [#29364](https://github.com/cilium/cilium/issues/29364), Upstream PR [#29340](https://github.com/cilium/cilium/issues/29340), [@aanm](https://github.com/aanm)) - Support downgrade path for XDP attachments from Cilium 1.15 ([#29104](https://github.com/cilium/cilium/issues/29104), [@ti-mo](https://github.com/ti-mo)) - When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29160](https://github.com/cilium/cilium/issues/29160), [@julianwiedmann](https://github.com/julianwiedmann)) **CI Changes:** - bpf: complexity-tests: add HAVE_FIB_NEIGH (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29348](https://github.com/cilium/cilium/issues/29348), [@julianwiedmann](https://github.com/julianwiedmann)) - ci-ipsec-upgrade: Check for errors (Backport PR [#29270](https://github.com/cilium/cilium/issues/29270), Upstream PR [#29189](https://github.com/cilium/cilium/issues/29189), [@brb](https://github.com/brb)) - ci-ipsec-upgrade: Check for errors (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29189](https://github.com/cilium/cilium/issues/29189), [@brb](https://github.com/brb)) - ci-ipsec-upgrade: Drop no-missed-tail-calls exclusion (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29325](https://github.com/cilium/cilium/issues/29325), [@brb](https://github.com/brb)) - ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR [#28876](https://github.com/cilium/cilium/issues/28876), Upstream PR [#29072](https://github.com/cilium/cilium/issues/29072), [@brb](https://github.com/brb)) - CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR [#28876](https://github.com/cilium/cilium/issues/28876), Upstream PR [#28016](https://github.com/cilium/cilium/issues/28016), [@jschwinger233](https://github.com/jschwinger233)) - Clean up tests-ipsec-upgrade workflow (Backport PR [#28876](https://github.com/cilium/cilium/issues/28876), Upstream PR [#27977](https://github.com/cilium/cilium/issues/27977), [@michi-covalent](https://github.com/michi-covalent)) - Test upgrade/downgrade to patch release for IPsec (Backport PR [#28876](https://github.com/cilium/cilium/issues/28876), Upstream PR [#28815](https://github.com/cilium/cilium/issues/28815), [@qmonnet](https://github.com/qmonnet)) - Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29409](https://github.com/cilium/cilium/issues/29409), [@giorio94](https://github.com/giorio94)) - workflows: Add debug info to IPsec key rotation test (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29353](https://github.com/cilium/cilium/issues/29353), [@pchaigno](https://github.com/pchaigno)) **Misc Changes:** - .github: use GitHub workflow from the same branch ([#29252](https://github.com/cilium/cilium/issues/29252), [@aanm](https://github.com/aanm)) - \[v1.14] CI: fix broken BPF complexity tests ([#29553](https://github.com/cilium/cilium/issues/29553), [@lmb](https://github.com/lmb)) - Add workqueue.(delayingType).waitingLoop to goleak exception list (Backport PR [#29187](https://github.com/cilium/cilium/issues/29187), Upstream PR [#28557](https://github.com/cilium/cilium/issues/28557), [@dylandreimerink](https://github.com/dylandreimerink)) - chore(deps): update actions/checkout action to v4 (v1.14) ([#29595](https://github.com/cilium/cilium/issues/29595), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update actions/github-script action to v7 (v1.14) ([#29149](https://github.com/cilium/cilium/issues/29149), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update actions/setup-python action to v4.8.0 (v1.14) ([#29579](https://github.com/cilium/cilium/issues/29579), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.14) ([#29121](https://github.com/cilium/cilium/issues/29121), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.14) (minor) ([#29265](https://github.com/cilium/cilium/issues/29265), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.14) (patch) ([#29282](https://github.com/cilium/cilium/issues/29282), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.14) (patch) ([#29576](https://github.com/cilium/cilium/issues/29576), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (v1.14) (patch) ([#29417](https://github.com/cilium/cilium/issues/29417), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update all lvh-images main (v1.14) (patch) ([#29577](https://github.com/cilium/cilium/issues/29577), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update cilium/cilium digest to [`d42be92`](https://github.com/cilium/cilium/commit/d42be92) (v1.14) ([#29133](https://github.com/cilium/cilium/issues/29133), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.13 (v1.14) ([#29123](https://github.com/cilium/cilium/issues/29123), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.14 (v1.14) ([#29283](https://github.com/cilium/cilium/issues/29283), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.16 (v1.14) ([#29465](https://github.com/cilium/cilium/issues/29465), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.17 (v1.14) ([#29729](https://github.com/cilium/cilium/issues/29729), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (v1.14) ([#29578](https://github.com/cilium/cilium/issues/29578), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.20.11 docker digest to [`4e4a34f`](https://github.com/cilium/cilium/commit/4e4a34f) (v1.14) ([#29416](https://github.com/cilium/cilium/issues/29416), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.20.11 docker digest to [`77e4e42`](https://github.com/cilium/cilium/commit/77e4e42) (v1.14) ([#29281](https://github.com/cilium/cilium/issues/29281), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`8eab65d`](https://github.com/cilium/cilium/commit/8eab65d) (v1.14) ([#29575](https://github.com/cilium/cilium/issues/29575), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update go to v1.20.12 (v1.14) (patch) ([#29660](https://github.com/cilium/cilium/issues/29660), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update google-github-actions/auth action to v2 (v1.14) ([#29598](https://github.com/cilium/cilium/issues/29598), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update hubble cli to v0.12.3 (v1.14) (patch) ([#29746](https://github.com/cilium/cilium/issues/29746), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 \[security] (v1.14) ([#29320](https://github.com/cilium/cilium/issues/29320), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231113.012843 (v1.14) ([#29129](https://github.com/cilium/cilium/issues/29129), [@renovate](https://github.com/renovate)\[bot]) - chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231120.012927 (v1.14) ([#29284](https://github.com/cilium/cilium/issues/29284), [@renovate](https://github.com/renovate)\[bot]) - ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR [#29270](https://github.com/cilium/cilium/issues/29270), Upstream PR [#29178](https://github.com/cilium/cilium/issues/29178), [@brb](https://github.com/brb)) - ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29178](https://github.com/cilium/cilium/issues/29178), [@brb](https://github.com/brb)) - Docs: Adds Webhook Limitation to EKS Install Doc (Backport PR [#29641](https://github.com/cilium/cilium/issues/29641), Upstream PR [#29497](https://github.com/cilium/cilium/issues/29497), [@danehans](https://github.com/danehans)) - docs: bump required Helm version (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29273](https://github.com/cilium/cilium/issues/29273), [@nebril](https://github.com/nebril)) - examples: update guestbook example with new image registry (Backport PR [#29641](https://github.com/cilium/cilium/issues/29641), Upstream PR [#29603](https://github.com/cilium/cilium/issues/29603), [@mhofstetter](https://github.com/mhofstetter)) - images: bump cni plugins to v1.4.0 (Backport PR [#29724](https://github.com/cilium/cilium/issues/29724), Upstream PR [#29622](https://github.com/cilium/cilium/issues/29622), [@squeed](https://github.com/squeed)) - ipsec: Small refactorings on key loading and state creation (Backport PR [#29477](https://github.com/cilium/cilium/issues/29477), Upstream PR [#29352](https://github.com/cilium/cilium/issues/29352), [@pchaigno](https://github.com/pchaigno)) **Other Changes:** - \[v1.14] Author Backport of 28896 (k8s ingress & gateway api: qualify envoy clusters and their references) ([#29218](https://github.com/cilium/cilium/issues/29218), [@mhofstetter](https://github.com/mhofstetter)) - \[v1.14] bgpv1: Fix BGP component tests using the same VirtualRouter config ([#29453](https://github.com/cilium/cilium/issues/29453), [@rastislavs](https://github.com/rastislavs)) - \[v1.14] bpf: Fix identity determination in bpf_overlay.c ([#29606](https://github.com/cilium/cilium/issues/29606), [@ysksuzuki](https://github.com/ysksuzuki)) - \[v1.14] bpf: use bpf_xdp_load_bytes() / bpf_xdp_store_bytes() helpers ([#29719](https://github.com/cilium/cilium/issues/29719), [@julianwiedmann](https://github.com/julianwiedmann)) - \[v1.14] ci-ipsec-upgrade: Disable Linux 5.10-based configs ([#29358](https://github.com/cilium/cilium/issues/29358), [@brb](https://github.com/brb)) - \[v1.14] gh: datapath-verifier: also run on 6.1 kernel ([#29650](https://github.com/cilium/cilium/issues/29650), [@julianwiedmann](https://github.com/julianwiedmann)) - envoy: Bump cilium-envoy with golang 1.21.5 ([#29656](https://github.com/cilium/cilium/issues/29656), [@sayboras](https://github.com/sayboras)) - envoy: Bump envoy container image with golang 1.21 and latest grpc package ([#29383](https://github.com/cilium/cilium/issues/29383), [@sayboras](https://github.com/sayboras)) - install: Update image digests for v1.14.4 ([#29147](https://github.com/cilium/cilium/issues/29147), [@thorn3r](https://github.com/thorn3r)) - Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. ([#29205](https://github.com/cilium/cilium/issues/29205), [@thorn3r](https://github.com/thorn3r)) - v1.14: ariane: Run ci-ipsec-upgrade when testing backports ([#29225](https://github.com/cilium/cilium/issues/29225), [@brb](https://github.com/brb)) </details> <details> <summary>metallb/metallb (metallb)</summary> ### [`v0.14.3`](https://github.com/metallb/metallb/releases/tag/v0.14.3) [Compare Source](https://github.com/metallb/metallb/compare/v0.14.2...v0.14.3) See https://metallb.universe.tf/release-notes/ for details ### [`v0.14.2`](https://github.com/metallb/metallb/releases/tag/v0.14.2) [Compare Source](https://github.com/metallb/metallb/compare/v0.13.12...v0.14.2) See https://metallb.universe.tf/release-notes/ for details </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate added the

renovate

label 2023-12-14 03:05:28 +00:00

renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from 99238df192 to cf87dc3df4

2024-01-19 03:08:59 +00:00

Compare

renovate changed title from ~~chore(deps): update helm release cilium to v1.14.5~~ to chore(deps): update helm release cilium to v1.14.6

2024-01-19 03:08:59 +00:00

renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from cf87dc3df4 to 648a188b76

2024-01-29 13:39:03 +00:00

Compare

renovate changed title from ~~chore(deps): update helm release cilium to v1.14.6~~ to chore(deps): update kubezero-network-dependencies

2024-01-29 13:39:03 +00:00

renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from 648a188b76 to be550bef71

2024-01-31 03:08:31 +00:00

Compare

renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from be550bef71 to f2d15d4e76

2024-02-01 03:09:22 +00:00

Compare

renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from f2d15d4e76 to 06e1b18a9c

2024-02-15 03:11:09 +00:00

Compare

renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from 06e1b18a9c to 48e381cb0f

2024-03-14 03:21:53 +00:00

Compare

stefan merged commit e55f986de8 into master

2024-03-21 13:09:34 +00:00

stefan referenced this issue from a commit

2024-03-21 13:09:35 +00:00

Merge pull request 'chore(deps): update kubezero-network-dependencies' (#154) from renovate/kubezero-network-kubezero-network-dependencies into master

stefan deleted branch renovate/kubezero-network-kubezero-network-dependencies

2024-03-21 13:09:37 +00:00

Sign in to join this conversation.

No reviewers

No Label

renovate

No Milestone

No Assignees

1 Participants

Notifications

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: ZeroDownTime/kubezero#154

chore(deps): update kubezero-network-dependencies #154

Release Notes

v1.15.2: 1.15.2

Security Advisories

IPsec

Summary of Changes

v1.15.1: 1.15.1

Summary of Changes

v1.15.0

Docker Manifests

v1.15.0: 1.15.0

Changelog

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.14.8: 1.14.8

Security Advisories

IPsec

Summary of Changes

v1.14.7: 1.14.7

Summary of Changes

v1.14.6: 1.14.6

Summary of Changes

v1.14.5: 1.14.5

Summary of Changes

v0.14.3

v0.14.2

Configuration

`v1.15.2`: 1.15.2

`v1.15.1`: 1.15.1

`v1.15.0`: 1.15.0

`v1.14.8`: 1.14.8

`v1.14.7`: 1.14.7

`v1.14.6`: 1.14.6

`v1.14.5`: 1.14.5

`v0.14.3`

`v0.14.2`