chore(deps): update kubezero-network-dependencies #344

renovate · 2024-07-23T12:58:38Z

renovate commented

2024-07-23 12:58:38 +00:00

This PR contains the following updates:

Package	Update	Change
cilium (source)	minor	`1.15.7` -> `1.16.2`
haproxy (source)	minor	`1.22.0` -> `1.23.0`
metallb (source)	patch	`0.14.7` -> `0.14.8`

Release Notes

cilium/cilium (cilium)

`v1.16.2`: 1.16.2

Compare Source

We are happy to release Cilium v1.16.2!

This release brings us improved validation for updating from v1.15, fixed panics, race conditions and deadlocks, CI fixes and many many more changes!

Check out the summary below for details.

Summary of Changes

Minor Changes:

Add validation to prevent users from using deprecated values that have been removed in v1.15 and v1.16 (Backport PR #34452, Upstream PR #34229, @chancez)
bgpv2: update status field of CiliumBGPNodeConfig CRD (Backport PR #34580, Upstream PR #33411, @harsimran-pabla)
docs: Update examples for CNP L7 Host (Backport PR #34644, Upstream PR #34578, @sayboras)
egressgw: drop traffic when gateway node is not configured for policy (Backport PR #34452, Upstream PR #33625, @julianwiedmann)

Bugfixes:

add support for validation of stringToString values in ConfigMap (Backport PR #34586, Upstream PR #34279, @alex-berger)
bgpv2: correct service reconciler initialization (Backport PR #34452, Upstream PR #34415, @harsimran-pabla)
bgpv2: fix cilium-dbg bgp filtering by ASN & route-policy dump format (Backport PR #34452, Upstream PR #34335, @rastislavs)
bpf: Fix Prune map operation leaking BPF map entries (Backport PR #34586, Upstream PR #34476, @gandro)
config: fix disabling config 'Debug' (Backport PR #34469, Upstream PR #34401, @mhofstetter)
daemon: Create IPsec and LRP maps early on startup (Backport PR #34452, Upstream PR #34388, @pchaigno)
daemon: Fix error logic flow for pod store being out of date (Backport PR #34586, Upstream PR #34389, @christarazi)
envoy: fix log level mapping when changing log level via API (Backport PR #34452, Upstream PR #34400, @mhofstetter)
Fix "invalid sysctl parameter" error when Cilium needs to modify a sysctl with capital letters in its name. (Backport PR #34586, Upstream PR #34298, @julianwiedmann)
Fix a bug in Cilium's kube-proxy replacement, where replies by a local backend are dropped with DROP_NO_FIB. (Backport PR #34452, Upstream PR #34303, @julianwiedmann)
Fix a race condition that would cause errors related to maps LB{4,6}_SKIP_MAP when loading programs. (Backport PR #34586, Upstream PR #34453, @pchaigno)
Fix agent panic when IPsec is enabled but XFRM stats are not exposed by the kernel. (Backport PR #34831, Upstream PR #34647, @chaunceyjiang)
Fix issue where a hostport service would be created on an incorrect node when cilium-agent is configured with disable-endpoint-crd (Backport PR #34644, Upstream PR #34385, @haozhangami)
Fix operator deployment connecting to clustermesh kvstoremesh when endpointslice sync or MCS-API Service exports is enabled (Backport PR #34586, Upstream PR #34295, @MrFreezeex)
Fix parsing of complex api-rate-limit options. The parsing failed when rate limits were configured for multiple API endpoints with multiple options, for example: "endpoint-create=rate-limit:1/s,rate-burst=1,endpoint-delete=rate-limit:2/s,rate-burst=2". The ability to also specify the rate limits as JSON strings was also returned. (Backport PR #34586, Upstream PR #34249, @joamaki)
Fix possible connection disruption on agent restart with WireGuard + native routing (Backport PR #34831, Upstream PR #34095, @giorio94)
Fix possible panic occurring in case errors are returned while updating/deleting IPv6 routes (Backport PR #34831, Upstream PR #34721, @giorio94)
Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (Backport PR #34831, Upstream PR #34775, @julianwiedmann)
Fixes broken pod-to-remote-hostport connectivity when IPsec is used with L7 ingress policy and KPR. (Backport PR #34586, Upstream PR #33805, @jschwinger233)
Fixes deadlock in identity watcher. This fixes an issue where a kvstore disconnect can cause the event receiver to exit and the event sender to get stuck forever. (Backport PR #34831, Upstream PR #34611, @dboslee)
helm: fix envoy prometheus metrics scraping with servicemonitor (Backport PR #34472, Upstream PR #34448, @mhofstetter)
ingress: Avoid opening of port 80 for TLSPassthrough only (Backport PR #34586, Upstream PR #34474, @sayboras)
ingress: Remove generated CEC if empty (Backport PR #34644, Upstream PR #34576, @sayboras)
lbipam: fix panic when changing the shared key & req. ip annotation (Backport PR #34452, Upstream PR #34236, @mhofstetter)
policy: Fixed CIDRGroupRef breaking the sanitization (Backport PR #34452, Upstream PR #34076, @chaunceyjiang)
Replace dotted sysctl names with string slices (Backport PR #34831, Upstream PR #34527, @dylandreimerink)

CI Changes:

.github: change nick-invision/retry -> nick-fields/retry. (#34735, @michi-covalent)
bgpv1/test: fix route matching in PodIPPoolAdvert test (Backport PR #34452, Upstream PR #34270, @rastislavs)
ci: clean disk only on ubuntu-latest runners (Backport PR #34831, Upstream PR #34711, @marseel)
ci: Confromance E2E wait for images before matrix generation (Backport PR #34831, Upstream PR #34707, @marseel)
ci: datapath-verifier: also run on 6.6 kernel (Backport PR #34452, Upstream PR #34420, @julianwiedmann)
ci: don't run AKS tests on LTS versions (Backport PR #34644, Upstream PR #34640, @marseel)
ci: Wait for images before generating test matrix (Backport PR #34831, Upstream PR #34727, @marseel)
Fix: push PR changes when renovate build images under the workflow_call context (Backport PR #34831, Upstream PR #34650, @Artyop)
gha: Add disk cleanup step for build and test workflow (Backport PR #34452, Upstream PR #34339, @sayboras)

Misc Changes:

.github: remove installation steps for arm64 (Backport PR #34452, Upstream PR #34336, @aanm)

v1.16] deps: update Docker dependency ([#&#8203;34354](https://github.com/cilium/cilium/issues/34354), [@&#8203;ferozsalam](https://github.com/ferozsalam))

bgpv2: correct error message log (Backport PR #34586, Upstream PR #34276, @harsimran-pabla)
chore(deps): update all github action dependencies (v1.16) (#34569, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.16) (#34749, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.16) (patch) (#34568, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.16) (#34687, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.16) (#34883, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.16) (#34118, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.16) (#34497, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.16) (#34878, @cilium-renovate[bot])
chore(deps): update docker.io/library/busybox:1.36.1 docker digest to 34b191d (v1.16) (#34760, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.22.7 docker digest to 4594271 (v1.16) (#34887, @cilium-renovate[bot])
chore(deps): update go to v1.22.7 (v1.16) (#34797, @cilium-renovate[bot])
chore: Avoid docker warning due to casing (Backport PR #34856, Upstream PR #34125, @sayboras)
cilium-dbg: add Envoy admin commands (Backport PR #34586, Upstream PR #34398, @mhofstetter)
clustermesh/endpointslicesync: fix panic on failure in Test_meshEndpointSlice_Reconcile (Backport PR #34831, Upstream PR #34699, @tklauser)
contrib: allow l7proxy in egressgw config (Backport PR #34831, Upstream PR #34636, @julianwiedmann)
docs: Avoid using wildcard TLS certificate (Backport PR #34831, Upstream PR #34609, @sayboras)
docs: Improve disk based policy documentation (Backport PR #34452, Upstream PR #34234, @tamilmani1989)
docs: Update LB-IPAM allowFirstLastIPs documentation (Backport PR #34452, Upstream PR #34227, @dylandreimerink)
Documentation: Add instructions on accessing the Hubble API with TLS (Backport PR #34452, Upstream PR #34361, @chancez)
Documentation: Add section to validate Hubble TLS is enabled (Backport PR #34644, Upstream PR #34416, @chancez)
endpoint: Do not pass a function to WithFields (Backport PR #34452, Upstream PR #34346, @jrajahalme)
fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR #34452, Upstream PR #34372, @Artyop)
images: fix path script (Backport PR #34768, Upstream PR #34764, @aanm)
ipsec: Document a new cause of XfrmInStateProtoError (Backport PR #34586, Upstream PR #34221, @jschwinger233)
pkg/endpointmanager: don't hold lock while iterating over subscribers (Backport PR #34586, Upstream PR #33896, @aanm)
Reorganize Hubble docs (Backport PR #34452, Upstream PR #34282, @chancez)
Use exponential backoff for etcd connection retries during quorum loss (Backport PR #34452, Upstream PR #34231, @hemanthmalla)
wireguard: minor improvements (Backport PR #34452, Upstream PR #34285, @julianwiedmann)

Other Changes:

v1.16] CODEOWNERS: switch cilium/tophat to cilium/committers ([#&#8203;34338](https://github.com/cilium/cilium/issues/34338), [@&#8203;julianwiedmann](https://github.com/julianwiedmann))

v1.16] envoy: Bump envoy version from v1.29.7 to v1.29.9 ([#&#8203;34966](https://github.com/cilium/cilium/issues/34966), [@&#8203;sayboras](https://github.com/sayboras))

v1.16] envoy: Switch to image with timestamp tag ([#&#8203;34395](https://github.com/cilium/cilium/issues/34395), [@&#8203;sayboras](https://github.com/sayboras))

envoy: Bump golang version (#34328, @sayboras)
Fix panic in endpoint regeneration when DNS requests are processed during early initialization. (#34892, @joamaki)
install: Update image digests for v1.16.1 (#34378, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.2@sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea
quay.io/cilium/cilium:stable@sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.2@sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73
quay.io/cilium/clustermesh-apiserver:stable@sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73

docker-plugin

quay.io/cilium/docker-plugin:v1.16.2@sha256:9b455c663e43f785e3ef26471e29e22939c056af41d1e9215007b88dd37cd99b
quay.io/cilium/docker-plugin:stable@sha256:9b455c663e43f785e3ef26471e29e22939c056af41d1e9215007b88dd37cd99b

hubble-relay

quay.io/cilium/hubble-relay:v1.16.2@sha256:4b559907b378ac18af82541dafab430a857d94f1057f2598645624e6e7ea286c
quay.io/cilium/hubble-relay:stable@sha256:4b559907b378ac18af82541dafab430a857d94f1057f2598645624e6e7ea286c

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.2@sha256:16e33abb6b8381e2f66388b6d7141399f06c9b51b9ffa08fd159b8d321929716
quay.io/cilium/operator-alibabacloud:stable@sha256:16e33abb6b8381e2f66388b6d7141399f06c9b51b9ffa08fd159b8d321929716

operator-aws

quay.io/cilium/operator-aws:v1.16.2@sha256:b6a73ec94407a56cccc8a395225e2aecc3ca3611e7acfeec86201c19fc0727dd
quay.io/cilium/operator-aws:stable@sha256:b6a73ec94407a56cccc8a395225e2aecc3ca3611e7acfeec86201c19fc0727dd

operator-azure

quay.io/cilium/operator-azure:v1.16.2@sha256:fde7cf8bb887e106cd388bb5c3327e92682b2ec3ab4f03bb57b87f495b99f727
quay.io/cilium/operator-azure:stable@sha256:fde7cf8bb887e106cd388bb5c3327e92682b2ec3ab4f03bb57b87f495b99f727

operator-generic

quay.io/cilium/operator-generic:v1.16.2@sha256:cccfd3b886d52cb132c06acca8ca559f0fce91a6bd99016219b1a81fdbc4813a
quay.io/cilium/operator-generic:stable@sha256:cccfd3b886d52cb132c06acca8ca559f0fce91a6bd99016219b1a81fdbc4813a

operator

quay.io/cilium/operator:v1.16.2@sha256:01c4d846f65ecd2bd86f3d95a0ddc2bc4c813f6074a41828ca9ca2a30ed34381
quay.io/cilium/operator:stable@sha256:01c4d846f65ecd2bd86f3d95a0ddc2bc4c813f6074a41828ca9ca2a30ed34381

`v1.16.1`: 1.16.1

Compare Source

Security Advisories

This release addresses the following security vulnerabilities:

Summary of Changes

Minor Changes:

Deprecate providing Hubble TLS secrets in helm values (Backport PR #34297, Upstream PR #34114, @chancez)
gateway-api: Add required labels and annotations (Backport PR #34215, Upstream PR #33990, @sayboras)
helm: add config for nat-map-stats-{interval, entries} config. (Backport PR #34158, Upstream PR #33847, @tommyp1ckles)
Internal listener references are now properly qualified with namespace and CEC name. (Backport PR #34158, Upstream PR #34104, @jrajahalme)
Support configuring imagePullSecrets for spire agent/server pods (Backport PR #34158, Upstream PR #33952, @chancez)

Bugfixes:

auth: Fix data race in Upsert (Backport PR #34158, Upstream PR #33905, @chaunceyjiang)
BGPv1 + BGPv2: Fix incorrect service reconciliation in setups with multiple BGP instances (virtual routers) (Backport PR #34297, Upstream PR #34177, @rastislavs)
bgpv1: Fix data race in bgppSelection (Backport PR #34158, Upstream PR #33904, @chaunceyjiang)
bgpv2: Avoid duplicate route policy naming (Backport PR #34158, Upstream PR #34031, @rastislavs)
BGPv2: Fix Service advertisement selector: do not require matching CiliumLoadBalancerIPPool (Backport PR #34201, Upstream PR #34182, @rastislavs)
Fix a nil dereference crash during cilium-agent initialization affecting setups with FQDN policies. The crash is triggered when a restored endpoint performs a DNS request just a the right time during early cilium-agent restoration. Problem is not expected to be persistent and the agent should get pass the problematic part of the initialization on restart. (Backport PR #34158, Upstream PR #34059, @joamaki)
Fix appArmorProfile condition for CronJob helm template (Backport PR #34297, Upstream PR #34100, @sathieu)
Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR #34181, Upstream PR #34091, @giorio94)
Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium.
Fix spurious updates node addresses to avoid unnecessary datapath reinitializations. (Backport PR #34085, Upstream PR #34012, @joamaki)
Fix possible connection disruption on agent restart with WireGuard + kvstore (Backport PR #34158, Upstream PR #34062, @giorio94)
Fixes DNS proxy "connect: cannot assign requested address" errors in transparent mode, which were due to opening multiple TCP connections to the upstream DNS server. (Backport PR #34201, Upstream PR #33989, @bimmlerd)
gateway-api: Add HTTP method condition in sortable routes (Backport PR #34158, Upstream PR #34109, @sayboras)
gateway-api: Enqueue gateway for Reference Grant changes (Backport PR #34158, Upstream PR #34032, @sayboras)
lbipam: fixed bug in sharing key logic (Backport PR #34158, Upstream PR #34106, @dylandreimerink)
policy: Fix policy cache covers context lookup. (#34322, @nathanjsweet)
service: Relax protocol matching for L7 Service (Backport PR #34195, Upstream PR #34131, @sayboras)

CI Changes:

.github: ginkgo: remove duplicate datapath ipv4only test in f09/f21. (Backport PR #34297, Upstream PR #34071, @tommyp1ckles)
bpf: egressgw: don't install allow-all policy in to-netdev tests (Backport PR #34201, Upstream PR #34143, @julianwiedmann)
ci: multi pool run tests concurrently (Backport PR #34297, Upstream PR #33945, @viktor-kurchenko)
Fix workflow telemetry in ci-ipsec-upgrade (Backport PR #34158, Upstream PR #34097, @chancez)
gha: Add extended features in gateway profile run (Backport PR #34215, Upstream PR #34098, @sayboras)
gha: Free up Github runner disk space (Backport PR #34297, Upstream PR #34247, @sayboras)
gha: lint absence of trailing spaces in workflow files (Backport PR #34158, Upstream PR #33908, @giorio94)
gha: simplify the call-backport-label-updater workflow (Backport PR #34158, Upstream PR #33934, @giorio94)
ginkgo-ci: split f09 into two groups to reduce timeouts & flakes (Backport PR #34297, Upstream PR #34038, @tommyp1ckles)
test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport PR #34158, Upstream PR #34004, @tommyp1ckles)
tests-clustermesh-upgrade: Don't hardcode test namespace (Backport PR #34158, Upstream PR #34121, @michi-covalent)

Misc Changes:

v1.16] docs: Add note for CNP empty slices semantic under v1.16 section ([#&#8203;34008](https://github.com/cilium/cilium/issues/34008), [@&#8203;pippolo84](https://github.com/pippolo84))

Add source IP visibility info to Ingress and Gateway API docs (Backport PR #34297, Upstream PR #34137, @youngnick)
bgpv1: Reconcile with retry in BGP Controller (Backport PR #34158, Upstream PR #33971, @rastislavs)
bgpv2: deprecate local port setting in transport config (Backport PR #34209, Upstream PR #33438, @harsimran-pabla)
bgpv2: use correct path key in path reconciler (Backport PR #34158, Upstream PR #33947, @harsimran-pabla)
bitlpm: Avoid allocs in CIDR trie lookups (Backport PR #34158, Upstream PR #33518, @jrajahalme)
bitlpm: Simplify matchPrefix() (Backport PR #34158, Upstream PR #33517, @jrajahalme)
bugtool: dump cilium_skip_lb{4,6} (Backport PR #34158, Upstream PR #34017, @ysksuzuki)
bugtool: dumping more Envoy information (Backport PR #34158, Upstream PR #34110, @mhofstetter)
chore(deps): update all github action dependencies (v1.16) (#34166, @cilium-renovate[bot])
chore(deps): update dependency protocolbuffers/protobuf to v27.3 (v1.16) (#34165, @cilium-renovate[bot])
chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.15 (v1.16) (#34049, @cilium-renovate[bot])
Clean up documentation make targets for cases of nesting make builds inside container invocations (Backport PR #34297, Upstream PR #34151, @joestringer)
doc: update slack channel reference (Backport PR #34158, Upstream PR #34044, @Huweicai)
docs: Add warning on CRDs requirement for using the Gateway API (Backport PR #34297, Upstream PR #33974, @xtineskim)
Documentation: Introduce support for redirects (Backport PR #34297, Upstream PR #34233, @chancez)
Documentation: Update readthedocs configuration (Backport PR #34297, Upstream PR #34190, @joestringer)
Fix two bugs in dnsproxy tcp conn reuse (Backport PR #34201, Upstream PR #34175, @bimmlerd)
Improve documentation on configuring Hubble TLS (Backport PR #34297, Upstream PR #34115, @chancez)
iptables: Support Envoy listener chaining (Backport PR #34297, Upstream PR #34105, @jrajahalme)
Makefile: Fix docker flags for fast image targets (Backport PR #34297, Upstream PR #34132, @joestringer)
policy: Sanitize DNS Rules to Disallow Port Ranges (Backport PR #34201, Upstream PR #34023, @nathanjsweet)
Revert "fix: support validation of stringToString values in ConfigMap" (Backport PR #34305, Upstream PR #34277, @aanm)
vendor: Bump StateDB to version v0.2.1 (Backport PR #34246, Upstream PR #33587, @joamaki)

Other Changes:

install: Update image digests for v1.16.0 (#33994, @cilium-release-bot[bot])
v1.16: Remove leftover backporter state file (#34210, @gandro)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
quay.io/cilium/cilium:stable@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.1@sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f
quay.io/cilium/clustermesh-apiserver:stable@sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f

docker-plugin

quay.io/cilium/docker-plugin:v1.16.1@sha256:243fd7759818d990a7f9b33df3eb685a9f250a12020e22f660547f9516b76320
quay.io/cilium/docker-plugin:stable@sha256:243fd7759818d990a7f9b33df3eb685a9f250a12020e22f660547f9516b76320

hubble-relay

quay.io/cilium/hubble-relay:v1.16.1@sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35
quay.io/cilium/hubble-relay:stable@sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.1@sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804
quay.io/cilium/operator-alibabacloud:stable@sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804

operator-aws

quay.io/cilium/operator-aws:v1.16.1@sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4
quay.io/cilium/operator-aws:stable@sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4

operator-azure

quay.io/cilium/operator-azure:v1.16.1@sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22
quay.io/cilium/operator-azure:stable@sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22

operator-generic

quay.io/cilium/operator-generic:v1.16.1@sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4
quay.io/cilium/operator-generic:stable@sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4

operator

quay.io/cilium/operator:v1.16.1@sha256:258b28fefc9f3fe1cbcb21a3b2c4c96dcc72f6ee258eed0afebe9b0ac47f462b
quay.io/cilium/operator:stable@sha256:258b28fefc9f3fe1cbcb21a3b2c4c96dcc72f6ee258eed0afebe9b0ac47f462b

`v1.16.0`: 1.16.0

Compare Source

We are excited to announce the Cilium 1.16.0 release. A total of 2969 new commits have been contributed to this release by a growing community of over 750 developers and over 19300 GitHub stars! 🤩

To keep up to date with all the latest Cilium releases, join #release on Slack.

Here's what's new in v1.16.0:

🚠 Networking
- 🚤 Cilium NetKit: container-network throughput and latency as fast as host-network.
- 🌐 BGPv2: Fresh new API for Cilium's BGP feature.
- 📢 BGP ClusterIP Advertisement: BGP advertisements of ExternalIP and Cluster IP Services.
- 🔀 Service Traffic Distribution: Kubernetes 1.30 Service Traffic Distribution can be enabled directly in the Service spec instead of using annotations.
- 🔄 Local Redirect Policy promoted to Stable: Redirecting the traffic bound for services to the local backend, such as node-local DNS.
- 📡 Multicast Datapath: Define multicast groups in Cilium.
- 🏷️ Per-Pod Fixed MAC Address: Specify the MAC address used on a pod.
🕸️ Service Mesh & Ingress/Gateway API
- 🧭 Gateway API GAMMA Support: East-west traffic management for the cluster via Gateway API.
- ⛩️ Gateway API 1.1 Support: Cilium now supports Gateway API 1.1.
- 🛂 ExternalTrafficPolicy support for Ingress/Gateway API: External traffic can now be routed to node-local or cluster-wide endpoints.
- 🕸️ L7 Envoy Proxy as dedicated DaemonSet: With a dedicated DaemonSet, Envoy and Cilium can have a separate life-cycle from each other. Now on by default for new installs.
- 🗂️ NodeSelector support for CiliumEnvoyConfig: Instead of being applied on all nodes, it's now possible to select which nodes a particular CiliumEnvoyConfig should select.
💂‍♀️ Security
- 📶 Port Range support in Network Policies: This long-awaited feature has been implemented into Cilium.
- 📋 Network Policy Validation Status: kubectl describe cnp will be able to tell if the Cilium Network Policy is valid or invalid.
- ⛔ Control Cilium Network Policy Default Deny behavior: Policies usually enable default deny for the subject of the policies, but this can now be disabled on a per-policy basis.
- 👥 CIDRGroups support for Egress and Deny rules: Add support for matching CiliumCIDRGroups in Egress policy rules.
- 💾 Load "default" Network Policies from Filesystem: In addition to reading policies from Kubernetes, Cilium can be configured to read policies locally.
- 🗂️ Support to Select Nodes as Target of Cilium Network Policies: With new ToNodes/FromNodes selectors, traffic can be allowed or denied based on the labels of the target Node in the cluster.
🌅 Day 2 Operations and Scale
- 🧝 New ELF Loader Logic: With this new loader logic, the median memory usage of Cilium was decreased by 24%.
- 🚀 Improved DNS-based network policy performance: DNS-based network policies had up to 5x reduction in tail latency.
- 🕸️ KVStoreMesh default option for ClusterMesh: Introduced in Cilium 1.14, and after a lot of adoption and feedback from the community, KVStoreMesh is now the default way to deploy ClusterMesh.
🛰️ Hubble & Observability
- 🗣️ CEL Filters Support: Hubble supports Common Express Language (CEL) giving support for more complex conditions that cannot be expressed using the existing flow filters.
- 📊 Improved HTTP metrics: There are additional metrics to count the HTTP requests and their duration.
- 📏 Improved BPF map pressure metrics: New metric to track the BPF map pressure metric for the Connection Tracking BPF map.
- 👀 Improvements for Egress Traffic Path Observability: Some metrics were added on this release to help troubleshooting Cilium Egress Routing.
- 🔬 K8S Event Generation on Packet Drop: Hubble is now able to generate a k8s event for a packet dropped from a pod and it that can be verified with kubectl get events.
- 🗂️ Filtering Hubble flows by node labels: Filter Hubble flows observed on nodes matching the given label.
🏘️ Community:
- ❤️ Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!

And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️

For a full summary of changes, see https://github.com/cilium/cilium/blob/v1.16.0/CHANGELOG.md.

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.0@sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058
quay.io/cilium/cilium:stable@sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.0@sha256:a1597b7de97cfa03f1330e6b784df1721eb69494cd9efb0b3a6930680dfe7a8e
quay.io/cilium/clustermesh-apiserver:stable@sha256:a1597b7de97cfa03f1330e6b784df1721eb69494cd9efb0b3a6930680dfe7a8e

docker-plugin

quay.io/cilium/docker-plugin:v1.16.0@sha256:024a17aa8ec70d42f0ac1a4407ad9f8fd1411aa85fd8019938af582e20522efe
quay.io/cilium/docker-plugin:stable@sha256:024a17aa8ec70d42f0ac1a4407ad9f8fd1411aa85fd8019938af582e20522efe

hubble-relay

quay.io/cilium/hubble-relay:v1.16.0@sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d
quay.io/cilium/hubble-relay:stable@sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.0@sha256:d2d9f450f2fc650d74d4b3935f4c05736e61145b9c6927520ea52e1ebcf4f3ea
quay.io/cilium/operator-alibabacloud:stable@sha256:d2d9f450f2fc650d74d4b3935f4c05736e61145b9c6927520ea52e1ebcf4f3ea

operator-aws

quay.io/cilium/operator-aws:v1.16.0@sha256:8dbe47a77ba8e1a5b111647a43db10c213d1c7dfc9f9aab5ef7279321ad21a2f
quay.io/cilium/operator-aws:stable@sha256:8dbe47a77ba8e1a5b111647a43db10c213d1c7dfc9f9aab5ef7279321ad21a2f

operator-azure

quay.io/cilium/operator-azure:v1.16.0@sha256:dd7562e20bc72b55c65e2110eb98dca1dd2bbf6688b7d8cea2bc0453992c121d
quay.io/cilium/operator-azure:stable@sha256:dd7562e20bc72b55c65e2110eb98dca1dd2bbf6688b7d8cea2bc0453992c121d

operator-generic

quay.io/cilium/operator-generic:v1.16.0@sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316
quay.io/cilium/operator-generic:stable@sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316

operator

quay.io/cilium/operator:v1.16.0@sha256:6aaa05737f21993ff51abe0ffe7ea4be88d518aa05266c3482364dce65643488
quay.io/cilium/operator:stable@sha256:6aaa05737f21993ff51abe0ffe7ea4be88d518aa05266c3482364dce65643488

`v1.15.9`: 1.15.9

Compare Source

We are happy to release Cilium v1.15.9!

This release brings us upstream filter chains for L7 LB policy enforcement, BGP (and other!) bugfixes, CI changes and many many more!

Check out the summary below for details.

Summary of Changes

Minor Changes:

cilium-envoy now uses upstream filter chains for L7 LB policy enforcement. (Backport PR #34457, Upstream PR #32119, @jrajahalme)
docs: Update examples for CNP L7 Host (Backport PR #34645, Upstream PR #34578, @sayboras)

Bugfixes:

BGPv1 + BGPv2: Fix incorrect service reconciliation in setups with multiple BGP instances (virtual routers) (#34331, @rastislavs)
config: fix disabling config 'Debug' (Backport PR #34470, Upstream PR #34401, @mhofstetter)
daemon: Fix error logic flow for pod store being out of date (Backport PR #34587, Upstream PR #34389, @christarazi)
envoy: fix log level mapping when changing log level via API (Backport PR #34456, Upstream PR #34400, @mhofstetter)
Fix synchronization of CiliumEndpointSlices when running the Cilium Operator in identity-based slicing mode. (Backport PR #34456, Upstream PR #32239, @thorn3r)
Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (Backport PR #34830, Upstream PR #34775, @julianwiedmann)
helm: fix envoy prometheus metrics scraping with servicemonitor (Backport PR #34473, Upstream PR #34448, @mhofstetter)
ingress: Avoid opening of port 80 for TLSPassthrough only (Backport PR #34598, Upstream PR #34474, @sayboras)
ipcache: Yet another refcounting fix with mix of APIs (Backport PR #34933, Upstream PR #34715, @gandro)
lbipam: fix panic when changing the shared key & req. ip annotation (Backport PR #34456, Upstream PR #34236, @mhofstetter)

CI Changes:

.github: change nick-invision/retry -> nick-fields/retry. (#34736, @michi-covalent)
bgpv1/test: fix route matching in PodIPPoolAdvert test (Backport PR #34456, Upstream PR #34270, @rastislavs)
ci: clean disk only on ubuntu-latest runners (Backport PR #34830, Upstream PR #34711, @marseel)
ci: Confromance E2E wait for images before matrix generation (Backport PR #34830, Upstream PR #34707, @marseel)
ci: don't run AKS tests on LTS versions (Backport PR #34645, Upstream PR #34640, @marseel)
ci: multi pool run tests concurrently (Backport PR #34299, Upstream PR #33945, @viktor-kurchenko)
ci: Wait for images before generating test matrix (Backport PR #34830, Upstream PR #34727, @marseel)
Fix: push PR changes when renovate build images under the workflow_call context (Backport PR #34830, Upstream PR #34650, @Artyop)
gha: Add disk cleanup step for build and test workflow (Backport PR #34456, Upstream PR #34339, @sayboras)
gha: Free up Github runner disk space (Backport PR #34299, Upstream PR #34247, @sayboras)

Misc Changes:

Add source IP visibility info to Ingress and Gateway API docs (Backport PR #34299, Upstream PR #34137, @youngnick)
Add source IP visibility info to Ingress and Gateway API docs (Backport PR #34367, Upstream PR #34137, @youngnick)
chore(deps): update all github action dependencies (v1.15) (#34571, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.15) (#34750, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.15) (patch) (#34570, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.15) (#34696, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.15) (#34904, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.15) (#34119, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.15) (#34507, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.15) (#34884, @cilium-renovate[bot])
chore(deps): update dependency cilium/hubble to v1.16.1 (v1.15) (#34851, @cilium-renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.19.4 (v1.15) (#34761, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.22.7 docker digest to 4594271 (v1.15) (#34900, @cilium-renovate[bot])
chore(deps): update go to v1.22.7 (v1.15) (#34733, @cilium-renovate[bot])
chore: Avoid docker warning due to casing (Backport PR #34857, Upstream PR #34125, @sayboras)
cilium-dbg: add Envoy admin commands (Backport PR #34587, Upstream PR #34398, @mhofstetter)
docs: Avoid using wildcard TLS certificate (Backport PR #34830, Upstream PR #34609, @sayboras)
docs: Improve Ingress documentation (Backport PR #34367, Upstream PR #33698, @youngnick)
Documentation: Update readthedocs configuration (Backport PR #34299, Upstream PR #34190, @joestringer)
endpoint: Do not pass a function to WithFields (Backport PR #34456, Upstream PR #34346, @jrajahalme)
fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR #34456, Upstream PR #34372, @Artyop)
images: fix path script (Backport PR #34767, Upstream PR #34764, @aanm)
ipsec: Document a new cause of XfrmInStateProtoError (Backport PR #34587, Upstream PR #34221, @jschwinger233)
pkg/endpointmanager: don't hold lock while iterating over subscribers (Backport PR #34587, Upstream PR #33896, @aanm)

Other Changes:

v1.15] CODEOWNERS: switch cilium/tophat to cilium/committers ([#&#8203;34889](https://github.com/cilium/cilium/issues/34889), [@&#8203;julianwiedmann](https://github.com/julianwiedmann))

v1.15] envoy: Bump envoy version from v1.29.7 to v1.29.9 ([#&#8203;34965](https://github.com/cilium/cilium/issues/34965), [@&#8203;sayboras](https://github.com/sayboras))

v1.15] envoy: Switch to image with timestamp tag ([#&#8203;34394](https://github.com/cilium/cilium/issues/34394), [@&#8203;sayboras](https://github.com/sayboras))

envoy: Bump golang version (#34327, @sayboras)
install: Update image digests for v1.15.8 (#34376, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.9@sha256:c2a4c57a6baf758e975fbefbf638476906d1bb0c970e9547d216d9ea7b6471e3

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.9@sha256:ec82fb96dd0fbac4c6de333aaf8f7964a74c2194a3afdf765b3c260433a4aeed

docker-plugin

quay.io/cilium/docker-plugin:v1.15.9@sha256:1a86463fd5b38b5930069045af141ee577ead4c26f8ba4d4a532d1aa3f38a709

hubble-relay

quay.io/cilium/hubble-relay:v1.15.9@sha256:421afd9f4e46a7b9834f0542ceca6e8652ec0598982126dc2dd1dcf0dd690631

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.9@sha256:9fe2c3c6d49d4f501067ec525a3d792da17d055ebcefa37f4fbb5698109d217b

operator-aws

quay.io/cilium/operator-aws:v1.15.9@sha256:8c2b4a4d4d6ebf1c37a6ae72da2279286729a4982bf124d98f4bcc2db5eeb5e6

operator-azure

quay.io/cilium/operator-azure:v1.15.9@sha256:9b02e12c56b08d50eb1540d6cbb1119eee639a9795c752c4904311d03889d7fe

operator-generic

quay.io/cilium/operator-generic:v1.15.9@sha256:0ec30b4df0d097aedcbcb41748f10ce397f9656c128bea7e227b6bfd820f6d76

operator

quay.io/cilium/operator:v1.15.9@sha256:9ed87c339762c5b5422bd284e9672f6fedcee2aba376a5aa1328223c39bd9914

`v1.15.8`: 1.15.8

Compare Source

Security Advisories

This release addresses the following security vulnerabilities:

Summary of Changes

Minor Changes:

helm: Add validation to prevent users from using deprecated values that have been removed (#34213, @chancez)
helm: Cleanup old k8s version check and deprecated atributes (Backport PR #34157, Upstream PR #31940, @sayboras)
Make hubble-relay more resilient to transient errors (Backport PR #34157, Upstream PR #33894, @chancez)

Bugfixes:

add support for validation of stringToString values in ConfigMap (Backport PR #33962, Upstream PR #33779, @alex-berger)
auth: Fix data race in Upsert (Backport PR #34157, Upstream PR #33905, @chaunceyjiang)
auth: fix fatal error: concurrent map iteration and map write (Backport PR #33809, Upstream PR #33634, @chaunceyjiang)
cert: Adding H2 Protocol Support when Get gRPC Config For Client (Backport PR #33809, Upstream PR #33616, @mrproliu)
DNS Proxy: Allow SO_LINGER to be set to the socket to upstream (Backport PR #33809, Upstream PR #33592, @gandro)
Fix an issue in updates to node addresses which may have caused missing NodePort frontend IP addresses. May have affected NodePort/LoadBalancer services for users running with runtime device detection enabled when node's IP addresses were changed after Cilium had started.
Node IP as defined in the Kubernetes Node is now preferred when selecting the NodePort frontend IPs. (Backport PR #33818, Upstream PR #33629, @joamaki)
Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR #34183, Upstream PR #34091, @giorio94)
Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium.
Fix spurious updates node addresses to avoid unnecessary datapath reinitializations. (Backport PR #34086, Upstream PR #34012, @joamaki)
Fix rare race condition afflicting clustermesh while stopping the retrieval of the remote cluster configuration, possibly causing a deadlock (Backport PR #33809, Upstream PR #33735, @giorio94)
Fixes a race condition during agent startup that causes the k8s node label updates to not get propagated to the host endpoint. (Backport PR #33663, Upstream PR #33511, @skmatti)
gateway-api: Add HTTP method condition in sortable routes (Backport PR #34157, Upstream PR #34109, @sayboras)
gateway-api: Enqueue gateway for Reference Grant changes (Backport PR #34157, Upstream PR #34032, @sayboras)
helm: remove duplicate metrics for Envoy pod (Backport PR #34157, Upstream PR #33803, @mhofstetter)
lbipam: fixed bug in sharing key logic (Backport PR #34157, Upstream PR #34106, @dylandreimerink)
pkg/metrics: fix data race warning on metrics init hook. (Backport PR #33962, Upstream PR #33823, @tommyp1ckles)
Reduce conntrack lifetime for closing service connections. (Backport PR #33962, Upstream PR #33907, @julianwiedmann)
Skip regenerating host endpoint on k8s node labels update if identity labels are unchanged (Backport PR #33809, Upstream PR #33306, @skmatti)
The cilium agent will now recover from stale nodeID mappings which could occur in clusters with high node churn, possibly manifesting itself in dropped IPsec traffic. (Backport PR #34157, Upstream PR #33666, @bimmlerd)

CI Changes:

v1.15] ci/ipsec: add missing config for patch-upgrade test with 6.6 kernel ([#&#8203;33736](https://github.com/cilium/cilium/issues/33736), [@&#8203;julianwiedmann](https://github.com/julianwiedmann))

v1.15] gh/e2e: fix up config 15 to not use bpf-next ([#&#8203;33738](https://github.com/cilium/cilium/issues/33738), [@&#8203;julianwiedmann](https://github.com/julianwiedmann))

gha: Add http client timeout in Ingress (Backport PR #33809, Upstream PR #33683, @sayboras)
gha: don't fail if all cloud provider matrix entries are filtered out (Backport PR #33962, Upstream PR #33819, @giorio94)
gha: ensure that helm values.schema.json is not accidentally backported (#33845, @giorio94)
gha: lint absence of trailing spaces in workflow files (Backport PR #34157, Upstream PR #33908, @giorio94)
gha: simplify the call-backport-label-updater workflow (Backport PR #33962, Upstream PR #33934, @giorio94)
test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport PR #34157, Upstream PR #34004, @tommyp1ckles)
tests-clustermesh-upgrade: Don't hardcode test namespace (Backport PR #34157, Upstream PR #34121, @michi-covalent)
workflow: Use per-tunnel keys for the IPsec upgrade test (Backport PR #33809, Upstream PR #33769, @pchaigno)

Misc Changes:

v1.15] Update Docker dependency ([#&#8203;34196](https://github.com/cilium/cilium/issues/34196), [@&#8203;ferozsalam](https://github.com/ferozsalam))

bugtool: dumping more Envoy information (Backport PR #34157, Upstream PR #34110, @mhofstetter)
chore(deps): update all github action dependencies (v1.15) (#34170, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.15) (#33649, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.15) (#34168, @cilium-renovate[bot])
chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.15) (#33793, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.16.13 (v1.15) (#33794, @cilium-renovate[bot])
chore(deps): update dependency cilium/hubble to v1 (v1.15) (#34051, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.21.12 docker digest to 7e0e13a (v1.15) (#33792, @cilium-renovate[bot])
chore(deps): update go to v1.22.5 (v1.15) (#33857, @cilium-renovate[bot])
chore(deps): update go to v1.22.6 (v1.15) (#34167, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.15) (patch) (#33798, @cilium-renovate[bot])
daemon/ipam: don't swallow parse error of CIDR (Backport PR #33809, Upstream PR #33283, @bimmlerd)
doc: update slack channel reference (Backport PR #34157, Upstream PR #34044, @Huweicai)
docs,LRP: Add steps to restart agent and operator pods and update feature roadmap status (Backport PR #33809, Upstream PR #33655, @aditighag)
docs: Add node about socketLB.hostNamespaceOnly to Kata page (Backport PR #33809, Upstream PR #33725, @brb)
docs: Extend LRP guide with troubleshooting section (Backport PR #33809, Upstream PR #33373, @aditighag)
docs: generalize version specific notes section (Backport PR #33962, Upstream PR #33888, @giorio94)
docs: Remove CNCF graduation from the roadmap (Backport PR #33809, Upstream PR #33680, @joestringer)
docs: remove mention of outdated clustermesh + L7 policies + tunnel limitation (Backport PR #33809, Upstream PR #33626, @giorio94)
docs: Update LVH VM image pull instructions (Backport PR #33809, Upstream PR #33621, @brb)
Documentation: Add --set cni.exclusive=false for Azure Chain Mode (Backport PR #33809, Upstream PR #33708, @Mais316)
helm: Allow socket linger timeout to be set to zero (Backport PR #33962, Upstream PR #33887, @gandro)
policy: Fix mapstate.Diff() used in tests (Backport PR #33809, Upstream PR #33449, @jrajahalme)
Remove stable tags from v1.15 releases (#33985, @joestringer)
renovate: onboard etcd image used in integration tests (Backport PR #33809, Upstream PR #33679, @giorio94)
Revert "fix: support validation of stringToString values in ConfigMap" (Backport PR #34306, Upstream PR #34277, @aanm)

Other Changes:

v1.15] ci: use base and head SHAs from context in lint-build-commits workflow ([#&#8203;34267](https://github.com/cilium/cilium/issues/34267), [@&#8203;tklauser](https://github.com/tklauser))

v1.15] Revert "docs: Update LRP feature status" ([#&#8203;34238](https://github.com/cilium/cilium/issues/34238), [@&#8203;ysksuzuki](https://github.com/ysksuzuki))

Fix bug in Bandwidth Manager that caused it to not find native devices. (#33910, @joamaki)
install: Update image digests for v1.15.7 (#33744, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.8@sha256:4c1f33aae2b76392b57e867820471b5472f0886f7358513d47ee80c09af15a0e

docker-plugin

quay.io/cilium/docker-plugin:v1.15.8@sha256:15b1b6e83e1c0eea97df179660c1898661c1d0da5d431c68f98c702581e29310

hubble-relay

quay.io/cilium/hubble-relay:v1.15.8@sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.8@sha256:388ef72febd719bc9d16d5ee47fe6f846f73f0d8a6f9586ada04cb39eb2962d1

operator-aws

quay.io/cilium/operator-aws:v1.15.8@sha256:3807dd23c2b5f90489824ddd13dca6e84e714dc9eae44e5718acfe86c855b7a1

operator-azure

quay.io/cilium/operator-azure:v1.15.8@sha256:c517db3d12fcf038a9a4a81b88027a19672078bf8c2fcd6b2563f3eff9514d21

operator-generic

quay.io/cilium/operator-generic:v1.15.8@sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18

operator

quay.io/cilium/operator:v1.15.8@sha256:e9cf35fe3dc86933ccf3fdfdb7620d218c50aaca5f14e4ba5f422460ea4cb23c

haproxytech/helm-charts (haproxy)

`v1.23.0`

Compare Source

A Helm chart for HAProxy on Kubernetes

metallb/metallb (metallb)

`v0.14.8`

Compare Source

See the release notes for the details

https://metallb.universe.tf/release-notes/#version-0-14-8

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | minor | `1.15.7` -> `1.16.2` | | [haproxy](https://github.com/haproxytech/helm-charts/tree/main/haproxy) ([source](https://github.com/haproxytech/helm-charts)) | minor | `1.22.0` -> `1.23.0` | | [metallb](https://metallb.universe.tf) ([source](https://github.com/metallb/metallb)) | patch | `0.14.7` -> `0.14.8` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.16.2`](https://github.com/cilium/cilium/releases/tag/v1.16.2): 1.16.2 [Compare Source](https://github.com/cilium/cilium/compare/1.16.1...1.16.2) We are happy to release Cilium v1.16.2! This release brings us improved validation for updating from v1.15, fixed panics, race conditions and deadlocks, CI fixes and many many more changes! Check out the summary below for details. ## Summary of Changes **Minor Changes:** - Add validation to prevent users from using deprecated values that have been removed in v1.15 and v1.16 (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34229](https://github.com/cilium/cilium/issues/34229), [@chancez](https://github.com/chancez)) - bgpv2: update status field of CiliumBGPNodeConfig CRD (Backport PR [#34580](https://github.com/cilium/cilium/issues/34580), Upstream PR [#33411](https://github.com/cilium/cilium/issues/33411), [@harsimran-pabla](https://github.com/harsimran-pabla)) - docs: Update examples for CNP L7 Host (Backport PR [#34644](https://github.com/cilium/cilium/issues/34644), Upstream PR [#34578](https://github.com/cilium/cilium/issues/34578), [@sayboras](https://github.com/sayboras)) - egressgw: drop traffic when gateway node is not configured for policy (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#33625](https://github.com/cilium/cilium/issues/33625), [@julianwiedmann](https://github.com/julianwiedmann)) **Bugfixes:** - add support for validation of stringToString values in ConfigMap (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#34279](https://github.com/cilium/cilium/issues/34279), [@alex-berger](https://github.com/alex-berger)) - bgpv2: correct service reconciler initialization (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34415](https://github.com/cilium/cilium/issues/34415), [@harsimran-pabla](https://github.com/harsimran-pabla)) - bgpv2: fix cilium-dbg bgp filtering by ASN & route-policy dump format (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34335](https://github.com/cilium/cilium/issues/34335), [@rastislavs](https://github.com/rastislavs)) - bpf: Fix `Prune` map operation leaking BPF map entries (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#34476](https://github.com/cilium/cilium/issues/34476), [@gandro](https://github.com/gandro)) - config: fix disabling config 'Debug' (Backport PR [#34469](https://github.com/cilium/cilium/issues/34469), Upstream PR [#34401](https://github.com/cilium/cilium/issues/34401), [@mhofstetter](https://github.com/mhofstetter)) - daemon: Create IPsec and LRP maps early on startup (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34388](https://github.com/cilium/cilium/issues/34388), [@pchaigno](https://github.com/pchaigno)) - daemon: Fix error logic flow for pod store being out of date (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#34389](https://github.com/cilium/cilium/issues/34389), [@christarazi](https://github.com/christarazi)) - envoy: fix log level mapping when changing log level via API (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34400](https://github.com/cilium/cilium/issues/34400), [@mhofstetter](https://github.com/mhofstetter)) - Fix "invalid sysctl parameter" error when Cilium needs to modify a sysctl with capital letters in its name. (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#34298](https://github.com/cilium/cilium/issues/34298), [@julianwiedmann](https://github.com/julianwiedmann)) - Fix a bug in Cilium's kube-proxy replacement, where replies by a local backend are dropped with DROP_NO_FIB. (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34303](https://github.com/cilium/cilium/issues/34303), [@julianwiedmann](https://github.com/julianwiedmann)) - Fix a race condition that would cause errors related to maps `LB{4,6}_SKIP_MAP` when loading programs. (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#34453](https://github.com/cilium/cilium/issues/34453), [@pchaigno](https://github.com/pchaigno)) - Fix agent panic when IPsec is enabled but XFRM stats are not exposed by the kernel. (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34647](https://github.com/cilium/cilium/issues/34647), [@chaunceyjiang](https://github.com/chaunceyjiang)) - Fix issue where a hostport service would be created on an incorrect node when cilium-agent is configured with disable-endpoint-crd (Backport PR [#34644](https://github.com/cilium/cilium/issues/34644), Upstream PR [#34385](https://github.com/cilium/cilium/issues/34385), [@haozhangami](https://github.com/haozhangami)) - Fix operator deployment connecting to clustermesh kvstoremesh when endpointslice sync or MCS-API Service exports is enabled (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#34295](https://github.com/cilium/cilium/issues/34295), [@MrFreezeex](https://github.com/MrFreezeex)) - Fix parsing of complex api-rate-limit options. The parsing failed when rate limits were configured for multiple API endpoints with multiple options, for example: "endpoint-create=rate-limit:1/s,rate-burst=1,endpoint-delete=rate-limit:2/s,rate-burst=2". The ability to also specify the rate limits as JSON strings was also returned. (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#34249](https://github.com/cilium/cilium/issues/34249), [@joamaki](https://github.com/joamaki)) - Fix possible connection disruption on agent restart with WireGuard + native routing (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34095](https://github.com/cilium/cilium/issues/34095), [@giorio94](https://github.com/giorio94)) - Fix possible panic occurring in case errors are returned while updating/deleting IPv6 routes (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34721](https://github.com/cilium/cilium/issues/34721), [@giorio94](https://github.com/giorio94)) - Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34775](https://github.com/cilium/cilium/issues/34775), [@julianwiedmann](https://github.com/julianwiedmann)) - Fixes broken pod-to-remote-hostport connectivity when IPsec is used with L7 ingress policy and KPR. (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#33805](https://github.com/cilium/cilium/issues/33805), [@jschwinger233](https://github.com/jschwinger233)) - Fixes deadlock in identity watcher. This fixes an issue where a kvstore disconnect can cause the event receiver to exit and the event sender to get stuck forever. (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34611](https://github.com/cilium/cilium/issues/34611), [@dboslee](https://github.com/dboslee)) - helm: fix envoy prometheus metrics scraping with servicemonitor (Backport PR [#34472](https://github.com/cilium/cilium/issues/34472), Upstream PR [#34448](https://github.com/cilium/cilium/issues/34448), [@mhofstetter](https://github.com/mhofstetter)) - ingress: Avoid opening of port 80 for TLSPassthrough only (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#34474](https://github.com/cilium/cilium/issues/34474), [@sayboras](https://github.com/sayboras)) - ingress: Remove generated CEC if empty (Backport PR [#34644](https://github.com/cilium/cilium/issues/34644), Upstream PR [#34576](https://github.com/cilium/cilium/issues/34576), [@sayboras](https://github.com/sayboras)) - lbipam: fix panic when changing the shared key & req. ip annotation (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34236](https://github.com/cilium/cilium/issues/34236), [@mhofstetter](https://github.com/mhofstetter)) - policy: Fixed CIDRGroupRef breaking the sanitization (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34076](https://github.com/cilium/cilium/issues/34076), [@chaunceyjiang](https://github.com/chaunceyjiang)) - Replace dotted sysctl names with string slices (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34527](https://github.com/cilium/cilium/issues/34527), [@dylandreimerink](https://github.com/dylandreimerink)) **CI Changes:** - .github: change nick-invision/retry -> nick-fields/retry. ([#34735](https://github.com/cilium/cilium/issues/34735), [@michi-covalent](https://github.com/michi-covalent)) - bgpv1/test: fix route matching in PodIPPoolAdvert test (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34270](https://github.com/cilium/cilium/issues/34270), [@rastislavs](https://github.com/rastislavs)) - ci: clean disk only on ubuntu-latest runners (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34711](https://github.com/cilium/cilium/issues/34711), [@marseel](https://github.com/marseel)) - ci: Confromance E2E wait for images before matrix generation (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34707](https://github.com/cilium/cilium/issues/34707), [@marseel](https://github.com/marseel)) - ci: datapath-verifier: also run on 6.6 kernel (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34420](https://github.com/cilium/cilium/issues/34420), [@julianwiedmann](https://github.com/julianwiedmann)) - ci: don't run AKS tests on LTS versions (Backport PR [#34644](https://github.com/cilium/cilium/issues/34644), Upstream PR [#34640](https://github.com/cilium/cilium/issues/34640), [@marseel](https://github.com/marseel)) - ci: Wait for images before generating test matrix (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34727](https://github.com/cilium/cilium/issues/34727), [@marseel](https://github.com/marseel)) - Fix: push PR changes when renovate build images under the workflow_call context (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34650](https://github.com/cilium/cilium/issues/34650), [@Artyop](https://github.com/Artyop)) - gha: Add disk cleanup step for build and test workflow (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34339](https://github.com/cilium/cilium/issues/34339), [@sayboras](https://github.com/sayboras)) **Misc Changes:** - .github: remove installation steps for arm64 (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34336](https://github.com/cilium/cilium/issues/34336), [@aanm](https://github.com/aanm)) - \[v1.16] deps: update Docker dependency ([#34354](https://github.com/cilium/cilium/issues/34354), [@ferozsalam](https://github.com/ferozsalam)) - bgpv2: correct error message log (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#34276](https://github.com/cilium/cilium/issues/34276), [@harsimran-pabla](https://github.com/harsimran-pabla)) - chore(deps): update all github action dependencies (v1.16) ([#34569](https://github.com/cilium/cilium/issues/34569), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.16) ([#34749](https://github.com/cilium/cilium/issues/34749), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.16) (patch) ([#34568](https://github.com/cilium/cilium/issues/34568), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.16) ([#34687](https://github.com/cilium/cilium/issues/34687), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.16) ([#34883](https://github.com/cilium/cilium/issues/34883), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.16) ([#34118](https://github.com/cilium/cilium/issues/34118), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.16) ([#34497](https://github.com/cilium/cilium/issues/34497), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.16) ([#34878](https://github.com/cilium/cilium/issues/34878), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/busybox:1.36.1 docker digest to [`34b191d`](https://github.com/cilium/cilium/commit/34b191d) (v1.16) ([#34760](https://github.com/cilium/cilium/issues/34760), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.22.7 docker digest to [`4594271`](https://github.com/cilium/cilium/commit/4594271) (v1.16) ([#34887](https://github.com/cilium/cilium/issues/34887), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.22.7 (v1.16) ([#34797](https://github.com/cilium/cilium/issues/34797), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore: Avoid docker warning due to casing (Backport PR [#34856](https://github.com/cilium/cilium/issues/34856), Upstream PR [#34125](https://github.com/cilium/cilium/issues/34125), [@sayboras](https://github.com/sayboras)) - cilium-dbg: add Envoy admin commands (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#34398](https://github.com/cilium/cilium/issues/34398), [@mhofstetter](https://github.com/mhofstetter)) - clustermesh/endpointslicesync: fix panic on failure in Test_meshEndpointSlice_Reconcile (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34699](https://github.com/cilium/cilium/issues/34699), [@tklauser](https://github.com/tklauser)) - contrib: allow l7proxy in egressgw config (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34636](https://github.com/cilium/cilium/issues/34636), [@julianwiedmann](https://github.com/julianwiedmann)) - docs: Avoid using wildcard TLS certificate (Backport PR [#34831](https://github.com/cilium/cilium/issues/34831), Upstream PR [#34609](https://github.com/cilium/cilium/issues/34609), [@sayboras](https://github.com/sayboras)) - docs: Improve disk based policy documentation (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34234](https://github.com/cilium/cilium/issues/34234), [@tamilmani1989](https://github.com/tamilmani1989)) - docs: Update LB-IPAM `allowFirstLastIPs` documentation (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34227](https://github.com/cilium/cilium/issues/34227), [@dylandreimerink](https://github.com/dylandreimerink)) - Documentation: Add instructions on accessing the Hubble API with TLS (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34361](https://github.com/cilium/cilium/issues/34361), [@chancez](https://github.com/chancez)) - Documentation: Add section to validate Hubble TLS is enabled (Backport PR [#34644](https://github.com/cilium/cilium/issues/34644), Upstream PR [#34416](https://github.com/cilium/cilium/issues/34416), [@chancez](https://github.com/chancez)) - endpoint: Do not pass a function to WithFields (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34346](https://github.com/cilium/cilium/issues/34346), [@jrajahalme](https://github.com/jrajahalme)) - fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34372](https://github.com/cilium/cilium/issues/34372), [@Artyop](https://github.com/Artyop)) - images: fix path script (Backport PR [#34768](https://github.com/cilium/cilium/issues/34768), Upstream PR [#34764](https://github.com/cilium/cilium/issues/34764), [@aanm](https://github.com/aanm)) - ipsec: Document a new cause of XfrmInStateProtoError (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#34221](https://github.com/cilium/cilium/issues/34221), [@jschwinger233](https://github.com/jschwinger233)) - pkg/endpointmanager: don't hold lock while iterating over subscribers (Backport PR [#34586](https://github.com/cilium/cilium/issues/34586), Upstream PR [#33896](https://github.com/cilium/cilium/issues/33896), [@aanm](https://github.com/aanm)) - Reorganize Hubble docs (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34282](https://github.com/cilium/cilium/issues/34282), [@chancez](https://github.com/chancez)) - Use exponential backoff for etcd connection retries during quorum loss (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34231](https://github.com/cilium/cilium/issues/34231), [@hemanthmalla](https://github.com/hemanthmalla)) - wireguard: minor improvements (Backport PR [#34452](https://github.com/cilium/cilium/issues/34452), Upstream PR [#34285](https://github.com/cilium/cilium/issues/34285), [@julianwiedmann](https://github.com/julianwiedmann)) **Other Changes:** - \[v1.16] CODEOWNERS: switch cilium/tophat to cilium/committers ([#34338](https://github.com/cilium/cilium/issues/34338), [@julianwiedmann](https://github.com/julianwiedmann)) - \[v1.16] envoy: Bump envoy version from v1.29.7 to v1.29.9 ([#34966](https://github.com/cilium/cilium/issues/34966), [@sayboras](https://github.com/sayboras)) - \[v1.16] envoy: Switch to image with timestamp tag ([#34395](https://github.com/cilium/cilium/issues/34395), [@sayboras](https://github.com/sayboras)) - envoy: Bump golang version ([#34328](https://github.com/cilium/cilium/issues/34328), [@sayboras](https://github.com/sayboras)) - Fix panic in endpoint regeneration when DNS requests are processed during early initialization. ([#34892](https://github.com/cilium/cilium/issues/34892), [@joamaki](https://github.com/joamaki)) - install: Update image digests for v1.16.1 ([#34378](https://github.com/cilium/cilium/issues/34378), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.16.2@sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea` `quay.io/cilium/cilium:stable@sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.16.2@sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73` `quay.io/cilium/clustermesh-apiserver:stable@sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.16.2@sha256:9b455c663e43f785e3ef26471e29e22939c056af41d1e9215007b88dd37cd99b` `quay.io/cilium/docker-plugin:stable@sha256:9b455c663e43f785e3ef26471e29e22939c056af41d1e9215007b88dd37cd99b` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.16.2@sha256:4b559907b378ac18af82541dafab430a857d94f1057f2598645624e6e7ea286c` `quay.io/cilium/hubble-relay:stable@sha256:4b559907b378ac18af82541dafab430a857d94f1057f2598645624e6e7ea286c` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.16.2@sha256:16e33abb6b8381e2f66388b6d7141399f06c9b51b9ffa08fd159b8d321929716` `quay.io/cilium/operator-alibabacloud:stable@sha256:16e33abb6b8381e2f66388b6d7141399f06c9b51b9ffa08fd159b8d321929716` ##### operator-aws `quay.io/cilium/operator-aws:v1.16.2@sha256:b6a73ec94407a56cccc8a395225e2aecc3ca3611e7acfeec86201c19fc0727dd` `quay.io/cilium/operator-aws:stable@sha256:b6a73ec94407a56cccc8a395225e2aecc3ca3611e7acfeec86201c19fc0727dd` ##### operator-azure `quay.io/cilium/operator-azure:v1.16.2@sha256:fde7cf8bb887e106cd388bb5c3327e92682b2ec3ab4f03bb57b87f495b99f727` `quay.io/cilium/operator-azure:stable@sha256:fde7cf8bb887e106cd388bb5c3327e92682b2ec3ab4f03bb57b87f495b99f727` ##### operator-generic `quay.io/cilium/operator-generic:v1.16.2@sha256:cccfd3b886d52cb132c06acca8ca559f0fce91a6bd99016219b1a81fdbc4813a` `quay.io/cilium/operator-generic:stable@sha256:cccfd3b886d52cb132c06acca8ca559f0fce91a6bd99016219b1a81fdbc4813a` ##### operator `quay.io/cilium/operator:v1.16.2@sha256:01c4d846f65ecd2bd86f3d95a0ddc2bc4c813f6074a41828ca9ca2a30ed34381` `quay.io/cilium/operator:stable@sha256:01c4d846f65ecd2bd86f3d95a0ddc2bc4c813f6074a41828ca9ca2a30ed34381` ### [`v1.16.1`](https://github.com/cilium/cilium/releases/tag/v1.16.1): 1.16.1 [Compare Source](https://github.com/cilium/cilium/compare/1.16.0...1.16.1) ## Security Advisories This release addresses the following security vulnerabilities: - https://github.com/cilium/cilium/security/advisories/GHSA-vwf8-q6fw-4wcm - https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww ## Summary of Changes **Minor Changes:** - Deprecate providing Hubble TLS secrets in helm values (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34114](https://github.com/cilium/cilium/issues/34114), [@chancez](https://github.com/chancez)) - gateway-api: Add required labels and annotations (Backport PR [#34215](https://github.com/cilium/cilium/issues/34215), Upstream PR [#33990](https://github.com/cilium/cilium/issues/33990), [@sayboras](https://github.com/sayboras)) - helm: add config for nat-map-stats-{interval, entries} config. (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#33847](https://github.com/cilium/cilium/issues/33847), [@tommyp1ckles](https://github.com/tommyp1ckles)) - Internal listener references are now properly qualified with namespace and CEC name. (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34104](https://github.com/cilium/cilium/issues/34104), [@jrajahalme](https://github.com/jrajahalme)) - Support configuring imagePullSecrets for spire agent/server pods (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#33952](https://github.com/cilium/cilium/issues/33952), [@chancez](https://github.com/chancez)) **Bugfixes:** - auth: Fix data race in Upsert (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#33905](https://github.com/cilium/cilium/issues/33905), [@chaunceyjiang](https://github.com/chaunceyjiang)) - BGPv1 + BGPv2: Fix incorrect service reconciliation in setups with multiple BGP instances (virtual routers) (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34177](https://github.com/cilium/cilium/issues/34177), [@rastislavs](https://github.com/rastislavs)) - bgpv1: Fix data race in bgppSelection (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#33904](https://github.com/cilium/cilium/issues/33904), [@chaunceyjiang](https://github.com/chaunceyjiang)) - bgpv2: Avoid duplicate route policy naming (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34031](https://github.com/cilium/cilium/issues/34031), [@rastislavs](https://github.com/rastislavs)) - BGPv2: Fix `Service` advertisement selector: do not require matching `CiliumLoadBalancerIPPool` (Backport PR [#34201](https://github.com/cilium/cilium/issues/34201), Upstream PR [#34182](https://github.com/cilium/cilium/issues/34182), [@rastislavs](https://github.com/rastislavs)) - Fix a nil dereference crash during cilium-agent initialization affecting setups with FQDN policies. The crash is triggered when a restored endpoint performs a DNS request just a the right time during early cilium-agent restoration. Problem is not expected to be persistent and the agent should get pass the problematic part of the initialization on restart. (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34059](https://github.com/cilium/cilium/issues/34059), [@joamaki](https://github.com/joamaki)) - Fix appArmorProfile condition for CronJob helm template (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34100](https://github.com/cilium/cilium/issues/34100), [@sathieu](https://github.com/sathieu)) - Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR [#34181](https://github.com/cilium/cilium/issues/34181), Upstream PR [#34091](https://github.com/cilium/cilium/issues/34091), [@giorio94](https://github.com/giorio94)) - Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium. Fix spurious updates node addresses to avoid unnecessary datapath reinitializations. (Backport PR [#34085](https://github.com/cilium/cilium/issues/34085), Upstream PR [#34012](https://github.com/cilium/cilium/issues/34012), [@joamaki](https://github.com/joamaki)) - Fix possible connection disruption on agent restart with WireGuard + kvstore (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34062](https://github.com/cilium/cilium/issues/34062), [@giorio94](https://github.com/giorio94)) - Fixes DNS proxy "connect: cannot assign requested address" errors in transparent mode, which were due to opening multiple TCP connections to the upstream DNS server. (Backport PR [#34201](https://github.com/cilium/cilium/issues/34201), Upstream PR [#33989](https://github.com/cilium/cilium/issues/33989), [@bimmlerd](https://github.com/bimmlerd)) - gateway-api: Add HTTP method condition in sortable routes (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34109](https://github.com/cilium/cilium/issues/34109), [@sayboras](https://github.com/sayboras)) - gateway-api: Enqueue gateway for Reference Grant changes (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34032](https://github.com/cilium/cilium/issues/34032), [@sayboras](https://github.com/sayboras)) - lbipam: fixed bug in sharing key logic (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34106](https://github.com/cilium/cilium/issues/34106), [@dylandreimerink](https://github.com/dylandreimerink)) - policy: Fix policy cache covers context lookup. ([#34322](https://github.com/cilium/cilium/issues/34322), [@nathanjsweet](https://github.com/nathanjsweet)) - service: Relax protocol matching for L7 Service (Backport PR [#34195](https://github.com/cilium/cilium/issues/34195), Upstream PR [#34131](https://github.com/cilium/cilium/issues/34131), [@sayboras](https://github.com/sayboras)) **CI Changes:** - .github: ginkgo: remove duplicate datapath ipv4only test in f09/f21. (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34071](https://github.com/cilium/cilium/issues/34071), [@tommyp1ckles](https://github.com/tommyp1ckles)) - bpf: egressgw: don't install allow-all policy in to-netdev tests (Backport PR [#34201](https://github.com/cilium/cilium/issues/34201), Upstream PR [#34143](https://github.com/cilium/cilium/issues/34143), [@julianwiedmann](https://github.com/julianwiedmann)) - ci: multi pool run tests concurrently (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#33945](https://github.com/cilium/cilium/issues/33945), [@viktor-kurchenko](https://github.com/viktor-kurchenko)) - Fix workflow telemetry in ci-ipsec-upgrade (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34097](https://github.com/cilium/cilium/issues/34097), [@chancez](https://github.com/chancez)) - gha: Add extended features in gateway profile run (Backport PR [#34215](https://github.com/cilium/cilium/issues/34215), Upstream PR [#34098](https://github.com/cilium/cilium/issues/34098), [@sayboras](https://github.com/sayboras)) - gha: Free up Github runner disk space (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34247](https://github.com/cilium/cilium/issues/34247), [@sayboras](https://github.com/sayboras)) - gha: lint absence of trailing spaces in workflow files (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#33908](https://github.com/cilium/cilium/issues/33908), [@giorio94](https://github.com/giorio94)) - gha: simplify the call-backport-label-updater workflow (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#33934](https://github.com/cilium/cilium/issues/33934), [@giorio94](https://github.com/giorio94)) - ginkgo-ci: split f09 into two groups to reduce timeouts & flakes (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34038](https://github.com/cilium/cilium/issues/34038), [@tommyp1ckles](https://github.com/tommyp1ckles)) - test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34004](https://github.com/cilium/cilium/issues/34004), [@tommyp1ckles](https://github.com/tommyp1ckles)) - tests-clustermesh-upgrade: Don't hardcode test namespace (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34121](https://github.com/cilium/cilium/issues/34121), [@michi-covalent](https://github.com/michi-covalent)) **Misc Changes:** - \[v1.16] docs: Add note for CNP empty slices semantic under v1.16 section ([#34008](https://github.com/cilium/cilium/issues/34008), [@pippolo84](https://github.com/pippolo84)) - Add source IP visibility info to Ingress and Gateway API docs (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34137](https://github.com/cilium/cilium/issues/34137), [@youngnick](https://github.com/youngnick)) - bgpv1: Reconcile with retry in BGP Controller (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#33971](https://github.com/cilium/cilium/issues/33971), [@rastislavs](https://github.com/rastislavs)) - bgpv2: deprecate local port setting in transport config (Backport PR [#34209](https://github.com/cilium/cilium/issues/34209), Upstream PR [#33438](https://github.com/cilium/cilium/issues/33438), [@harsimran-pabla](https://github.com/harsimran-pabla)) - bgpv2: use correct path key in path reconciler (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#33947](https://github.com/cilium/cilium/issues/33947), [@harsimran-pabla](https://github.com/harsimran-pabla)) - bitlpm: Avoid allocs in CIDR trie lookups (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#33518](https://github.com/cilium/cilium/issues/33518), [@jrajahalme](https://github.com/jrajahalme)) - bitlpm: Simplify matchPrefix() (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#33517](https://github.com/cilium/cilium/issues/33517), [@jrajahalme](https://github.com/jrajahalme)) - bugtool: dump cilium_skip_lb{4,6} (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34017](https://github.com/cilium/cilium/issues/34017), [@ysksuzuki](https://github.com/ysksuzuki)) - bugtool: dumping more Envoy information (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34110](https://github.com/cilium/cilium/issues/34110), [@mhofstetter](https://github.com/mhofstetter)) - chore(deps): update all github action dependencies (v1.16) ([#34166](https://github.com/cilium/cilium/issues/34166), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v27.3 (v1.16) ([#34165](https://github.com/cilium/cilium/issues/34165), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.15 (v1.16) ([#34049](https://github.com/cilium/cilium/issues/34049), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - Clean up documentation make targets for cases of nesting make builds inside container invocations (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34151](https://github.com/cilium/cilium/issues/34151), [@joestringer](https://github.com/joestringer)) - doc: update slack channel reference (Backport PR [#34158](https://github.com/cilium/cilium/issues/34158), Upstream PR [#34044](https://github.com/cilium/cilium/issues/34044), [@Huweicai](https://github.com/Huweicai)) - docs: Add warning on CRDs requirement for using the Gateway API (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#33974](https://github.com/cilium/cilium/issues/33974), [@xtineskim](https://github.com/xtineskim)) - Documentation: Introduce support for redirects (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34233](https://github.com/cilium/cilium/issues/34233), [@chancez](https://github.com/chancez)) - Documentation: Update readthedocs configuration (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34190](https://github.com/cilium/cilium/issues/34190), [@joestringer](https://github.com/joestringer)) - Fix two bugs in dnsproxy tcp conn reuse (Backport PR [#34201](https://github.com/cilium/cilium/issues/34201), Upstream PR [#34175](https://github.com/cilium/cilium/issues/34175), [@bimmlerd](https://github.com/bimmlerd)) - Improve documentation on configuring Hubble TLS (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34115](https://github.com/cilium/cilium/issues/34115), [@chancez](https://github.com/chancez)) - iptables: Support Envoy listener chaining (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34105](https://github.com/cilium/cilium/issues/34105), [@jrajahalme](https://github.com/jrajahalme)) - Makefile: Fix docker flags for fast image targets (Backport PR [#34297](https://github.com/cilium/cilium/issues/34297), Upstream PR [#34132](https://github.com/cilium/cilium/issues/34132), [@joestringer](https://github.com/joestringer)) - policy: Sanitize DNS Rules to Disallow Port Ranges (Backport PR [#34201](https://github.com/cilium/cilium/issues/34201), Upstream PR [#34023](https://github.com/cilium/cilium/issues/34023), [@nathanjsweet](https://github.com/nathanjsweet)) - Revert "fix: support validation of stringToString values in ConfigMap" (Backport PR [#34305](https://github.com/cilium/cilium/issues/34305), Upstream PR [#34277](https://github.com/cilium/cilium/issues/34277), [@aanm](https://github.com/aanm)) - vendor: Bump StateDB to version v0.2.1 (Backport PR [#34246](https://github.com/cilium/cilium/issues/34246), Upstream PR [#33587](https://github.com/cilium/cilium/issues/33587), [@joamaki](https://github.com/joamaki)) **Other Changes:** - install: Update image digests for v1.16.0 ([#33994](https://github.com/cilium/cilium/issues/33994), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) - v1.16: Remove leftover backporter state file ([#34210](https://github.com/cilium/cilium/issues/34210), [@gandro](https://github.com/gandro)) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39` `quay.io/cilium/cilium:stable@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.16.1@sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f` `quay.io/cilium/clustermesh-apiserver:stable@sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.16.1@sha256:243fd7759818d990a7f9b33df3eb685a9f250a12020e22f660547f9516b76320` `quay.io/cilium/docker-plugin:stable@sha256:243fd7759818d990a7f9b33df3eb685a9f250a12020e22f660547f9516b76320` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.16.1@sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35` `quay.io/cilium/hubble-relay:stable@sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.16.1@sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804` `quay.io/cilium/operator-alibabacloud:stable@sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804` ##### operator-aws `quay.io/cilium/operator-aws:v1.16.1@sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4` `quay.io/cilium/operator-aws:stable@sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4` ##### operator-azure `quay.io/cilium/operator-azure:v1.16.1@sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22` `quay.io/cilium/operator-azure:stable@sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22` ##### operator-generic `quay.io/cilium/operator-generic:v1.16.1@sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4` `quay.io/cilium/operator-generic:stable@sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4` ##### operator `quay.io/cilium/operator:v1.16.1@sha256:258b28fefc9f3fe1cbcb21a3b2c4c96dcc72f6ee258eed0afebe9b0ac47f462b` `quay.io/cilium/operator:stable@sha256:258b28fefc9f3fe1cbcb21a3b2c4c96dcc72f6ee258eed0afebe9b0ac47f462b` ### [`v1.16.0`](https://github.com/cilium/cilium/releases/tag/v1.16.0): 1.16.0 [Compare Source](https://github.com/cilium/cilium/compare/1.15.9...1.16.0) We are excited to announce the Cilium 1.16.0 release. A total of 2969 new commits have been contributed to this release by a growing community of over 750 developers and over 19300 GitHub stars! :star_struck: To keep up to date with all the latest Cilium releases, join #release on [Slack](https://cilium.herokuapp.com/). ##### Here's what's new in v1.16.0: - :mountain_cableway: *Networking* - :speedboat: *Cilium NetKit:* container-network throughput and latency as fast as host-network. - :globe_with_meridians: *BGPv2:* Fresh new API for Cilium's BGP feature. - :loudspeaker: *BGP ClusterIP Advertisement:* BGP advertisements of ExternalIP and Cluster IP Services. - :twisted_rightwards_arrows: *Service Traffic Distribution:* Kubernetes 1.30 Service Traffic Distribution can be enabled directly in the Service spec instead of using annotations. - :arrows_counterclockwise: *Local Redirect Policy promoted to Stable:* Redirecting the traffic bound for services to the local backend, such as node-local DNS. - :satellite: *Multicast Datapath:* Define multicast groups in Cilium. - :label: *Per-Pod Fixed MAC Address:* Specify the MAC address used on a pod. - :spider_web: *Service Mesh & Ingress/Gateway API* - :compass: *Gateway API GAMMA Support:* East-west traffic management for the cluster via Gateway API. - :shinto_shrine: *Gateway API 1.1 Support:* Cilium now supports Gateway API 1.1. - :passport_control: *ExternalTrafficPolicy support for Ingress/Gateway API:* External traffic can now be routed to node-local or cluster-wide endpoints. - :spider_web: *L7 Envoy Proxy as dedicated DaemonSet:* With a dedicated DaemonSet, Envoy and Cilium can have a separate life-cycle from each other. Now on by default for new installs. - :card_index_dividers: *NodeSelector support for CiliumEnvoyConfig:* Instead of being applied on all nodes, it's now possible to select which nodes a particular CiliumEnvoyConfig should select. - :guardswoman: *Security* - :signal_strength: *Port Range support in Network Policies:* This long-awaited feature has been implemented into Cilium. - :clipboard: *Network Policy Validation Status:* kubectl describe cnp <name> will be able to tell if the Cilium Network Policy is valid or invalid. - :no_entry: *Control Cilium Network Policy Default Deny behavior:* Policies usually enable default deny for the subject of the policies, but this can now be disabled on a per-policy basis. - :busts_in_silhouette: *CIDRGroups support for Egress and Deny rules:* Add support for matching CiliumCIDRGroups in Egress policy rules. - :floppy_disk: *Load "default" Network Policies from Filesystem:* In addition to reading policies from Kubernetes, Cilium can be configured to read policies locally. - :card_index_dividers: *Support to Select Nodes as Target of Cilium Network Policies:* With new ToNodes/FromNodes selectors, traffic can be allowed or denied based on the labels of the target Node in the cluster. - :sunrise: *Day 2 Operations and Scale* - :elf: *New ELF Loader Logic:* With this new loader logic, the median memory usage of Cilium was decreased by 24%. - :rocket: *Improved DNS-based network policy performance:* DNS-based network policies had up to 5x reduction in tail latency. - :spider_web: *KVStoreMesh default option for ClusterMesh:* Introduced in Cilium 1.14, and after a lot of adoption and feedback from the community, KVStoreMesh is now the default way to deploy ClusterMesh. - :artificial_satellite: *Hubble & Observability* - :speaking_head: *CEL Filters Support:* Hubble supports Common Express Language (CEL) giving support for more complex conditions that cannot be expressed using the existing flow filters. - :bar_chart: *Improved HTTP metrics:* There are additional metrics to count the HTTP requests and their duration. - :straight_ruler: *Improved BPF map pressure metrics:* New metric to track the BPF map pressure metric for the Connection Tracking BPF map. - :eyes: *Improvements for Egress Traffic Path Observability:* Some metrics were added on this release to help troubleshooting Cilium Egress Routing. - :microscope: *K8S Event Generation on Packet Drop:* Hubble is now able to generate a k8s event for a packet dropped from a pod and it that can be verified with kubectl get events. - :card_index_dividers: *Filtering Hubble flows by node labels:* Filter Hubble flows observed on nodes matching the given label. - :houses: *Community:* - :heart: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [Rabobank](https://www.cncf.io/case-studies/rabobank/) - [SmartNews](https://www.cncf.io/case-studies/smartnews/) - [G Data CyberDefense](https://www.cncf.io/case-studies/g-data-cyberdefense/) - [WSO2](https://www.cncf.io/case-studies/wso2/) - [Sicredi](https://www.cncf.io/case-studies/sicredi/) - [PostFinance](https://www.cncf.io/case-studies/postfinance/) - [DigitalOcean](https://www.cncf.io/case-studies/digitalocean/) - [Nemlig.com](https://www.cncf.io/case-studies/nemlig/) And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. :heart: For a full summary of changes, see https://github.com/cilium/cilium/blob/v1.16.0/CHANGELOG.md. #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.16.0@sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058` `quay.io/cilium/cilium:stable@sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.16.0@sha256:a1597b7de97cfa03f1330e6b784df1721eb69494cd9efb0b3a6930680dfe7a8e` `quay.io/cilium/clustermesh-apiserver:stable@sha256:a1597b7de97cfa03f1330e6b784df1721eb69494cd9efb0b3a6930680dfe7a8e` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.16.0@sha256:024a17aa8ec70d42f0ac1a4407ad9f8fd1411aa85fd8019938af582e20522efe` `quay.io/cilium/docker-plugin:stable@sha256:024a17aa8ec70d42f0ac1a4407ad9f8fd1411aa85fd8019938af582e20522efe` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.16.0@sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d` `quay.io/cilium/hubble-relay:stable@sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.16.0@sha256:d2d9f450f2fc650d74d4b3935f4c05736e61145b9c6927520ea52e1ebcf4f3ea` `quay.io/cilium/operator-alibabacloud:stable@sha256:d2d9f450f2fc650d74d4b3935f4c05736e61145b9c6927520ea52e1ebcf4f3ea` ##### operator-aws `quay.io/cilium/operator-aws:v1.16.0@sha256:8dbe47a77ba8e1a5b111647a43db10c213d1c7dfc9f9aab5ef7279321ad21a2f` `quay.io/cilium/operator-aws:stable@sha256:8dbe47a77ba8e1a5b111647a43db10c213d1c7dfc9f9aab5ef7279321ad21a2f` ##### operator-azure `quay.io/cilium/operator-azure:v1.16.0@sha256:dd7562e20bc72b55c65e2110eb98dca1dd2bbf6688b7d8cea2bc0453992c121d` `quay.io/cilium/operator-azure:stable@sha256:dd7562e20bc72b55c65e2110eb98dca1dd2bbf6688b7d8cea2bc0453992c121d` ##### operator-generic `quay.io/cilium/operator-generic:v1.16.0@sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316` `quay.io/cilium/operator-generic:stable@sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316` ##### operator `quay.io/cilium/operator:v1.16.0@sha256:6aaa05737f21993ff51abe0ffe7ea4be88d518aa05266c3482364dce65643488` `quay.io/cilium/operator:stable@sha256:6aaa05737f21993ff51abe0ffe7ea4be88d518aa05266c3482364dce65643488` ### [`v1.15.9`](https://github.com/cilium/cilium/releases/tag/v1.15.9): 1.15.9 [Compare Source](https://github.com/cilium/cilium/compare/1.15.8...1.15.9) We are happy to release Cilium v1.15.9! This release brings us upstream filter chains for L7 LB policy enforcement, BGP (and other!) bugfixes, CI changes and many many more! Check out the summary below for details. ## Summary of Changes **Minor Changes:** - cilium-envoy now uses upstream filter chains for L7 LB policy enforcement. (Backport PR [#34457](https://github.com/cilium/cilium/issues/34457), Upstream PR [#32119](https://github.com/cilium/cilium/issues/32119), [@jrajahalme](https://github.com/jrajahalme)) - docs: Update examples for CNP L7 Host (Backport PR [#34645](https://github.com/cilium/cilium/issues/34645), Upstream PR [#34578](https://github.com/cilium/cilium/issues/34578), [@sayboras](https://github.com/sayboras)) **Bugfixes:** - BGPv1 + BGPv2: Fix incorrect service reconciliation in setups with multiple BGP instances (virtual routers) ([#34331](https://github.com/cilium/cilium/issues/34331), [@rastislavs](https://github.com/rastislavs)) - config: fix disabling config 'Debug' (Backport PR [#34470](https://github.com/cilium/cilium/issues/34470), Upstream PR [#34401](https://github.com/cilium/cilium/issues/34401), [@mhofstetter](https://github.com/mhofstetter)) - daemon: Fix error logic flow for pod store being out of date (Backport PR [#34587](https://github.com/cilium/cilium/issues/34587), Upstream PR [#34389](https://github.com/cilium/cilium/issues/34389), [@christarazi](https://github.com/christarazi)) - envoy: fix log level mapping when changing log level via API (Backport PR [#34456](https://github.com/cilium/cilium/issues/34456), Upstream PR [#34400](https://github.com/cilium/cilium/issues/34400), [@mhofstetter](https://github.com/mhofstetter)) - Fix synchronization of CiliumEndpointSlices when running the Cilium Operator in identity-based slicing mode. (Backport PR [#34456](https://github.com/cilium/cilium/issues/34456), Upstream PR [#32239](https://github.com/cilium/cilium/issues/32239), [@thorn3r](https://github.com/thorn3r)) - Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (Backport PR [#34830](https://github.com/cilium/cilium/issues/34830), Upstream PR [#34775](https://github.com/cilium/cilium/issues/34775), [@julianwiedmann](https://github.com/julianwiedmann)) - helm: fix envoy prometheus metrics scraping with servicemonitor (Backport PR [#34473](https://github.com/cilium/cilium/issues/34473), Upstream PR [#34448](https://github.com/cilium/cilium/issues/34448), [@mhofstetter](https://github.com/mhofstetter)) - ingress: Avoid opening of port 80 for TLSPassthrough only (Backport PR [#34598](https://github.com/cilium/cilium/issues/34598), Upstream PR [#34474](https://github.com/cilium/cilium/issues/34474), [@sayboras](https://github.com/sayboras)) - ipcache: Yet another refcounting fix with mix of APIs (Backport PR [#34933](https://github.com/cilium/cilium/issues/34933), Upstream PR [#34715](https://github.com/cilium/cilium/issues/34715), [@gandro](https://github.com/gandro)) - lbipam: fix panic when changing the shared key & req. ip annotation (Backport PR [#34456](https://github.com/cilium/cilium/issues/34456), Upstream PR [#34236](https://github.com/cilium/cilium/issues/34236), [@mhofstetter](https://github.com/mhofstetter)) **CI Changes:** - .github: change nick-invision/retry -> nick-fields/retry. ([#34736](https://github.com/cilium/cilium/issues/34736), [@michi-covalent](https://github.com/michi-covalent)) - bgpv1/test: fix route matching in PodIPPoolAdvert test (Backport PR [#34456](https://github.com/cilium/cilium/issues/34456), Upstream PR [#34270](https://github.com/cilium/cilium/issues/34270), [@rastislavs](https://github.com/rastislavs)) - ci: clean disk only on ubuntu-latest runners (Backport PR [#34830](https://github.com/cilium/cilium/issues/34830), Upstream PR [#34711](https://github.com/cilium/cilium/issues/34711), [@marseel](https://github.com/marseel)) - ci: Confromance E2E wait for images before matrix generation (Backport PR [#34830](https://github.com/cilium/cilium/issues/34830), Upstream PR [#34707](https://github.com/cilium/cilium/issues/34707), [@marseel](https://github.com/marseel)) - ci: don't run AKS tests on LTS versions (Backport PR [#34645](https://github.com/cilium/cilium/issues/34645), Upstream PR [#34640](https://github.com/cilium/cilium/issues/34640), [@marseel](https://github.com/marseel)) - ci: multi pool run tests concurrently (Backport PR [#34299](https://github.com/cilium/cilium/issues/34299), Upstream PR [#33945](https://github.com/cilium/cilium/issues/33945), [@viktor-kurchenko](https://github.com/viktor-kurchenko)) - ci: Wait for images before generating test matrix (Backport PR [#34830](https://github.com/cilium/cilium/issues/34830), Upstream PR [#34727](https://github.com/cilium/cilium/issues/34727), [@marseel](https://github.com/marseel)) - Fix: push PR changes when renovate build images under the workflow_call context (Backport PR [#34830](https://github.com/cilium/cilium/issues/34830), Upstream PR [#34650](https://github.com/cilium/cilium/issues/34650), [@Artyop](https://github.com/Artyop)) - gha: Add disk cleanup step for build and test workflow (Backport PR [#34456](https://github.com/cilium/cilium/issues/34456), Upstream PR [#34339](https://github.com/cilium/cilium/issues/34339), [@sayboras](https://github.com/sayboras)) - gha: Free up Github runner disk space (Backport PR [#34299](https://github.com/cilium/cilium/issues/34299), Upstream PR [#34247](https://github.com/cilium/cilium/issues/34247), [@sayboras](https://github.com/sayboras)) **Misc Changes:** - Add source IP visibility info to Ingress and Gateway API docs (Backport PR [#34299](https://github.com/cilium/cilium/issues/34299), Upstream PR [#34137](https://github.com/cilium/cilium/issues/34137), [@youngnick](https://github.com/youngnick)) - Add source IP visibility info to Ingress and Gateway API docs (Backport PR [#34367](https://github.com/cilium/cilium/issues/34367), Upstream PR [#34137](https://github.com/cilium/cilium/issues/34137), [@youngnick](https://github.com/youngnick)) - chore(deps): update all github action dependencies (v1.15) ([#34571](https://github.com/cilium/cilium/issues/34571), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#34750](https://github.com/cilium/cilium/issues/34750), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) (patch) ([#34570](https://github.com/cilium/cilium/issues/34570), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#34696](https://github.com/cilium/cilium/issues/34696), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#34904](https://github.com/cilium/cilium/issues/34904), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.15) ([#34119](https://github.com/cilium/cilium/issues/34119), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.15) ([#34507](https://github.com/cilium/cilium/issues/34507), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.15) ([#34884](https://github.com/cilium/cilium/issues/34884), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.16.1 (v1.15) ([#34851](https://github.com/cilium/cilium/issues/34851), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/alpine docker tag to v3.19.4 (v1.15) ([#34761](https://github.com/cilium/cilium/issues/34761), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.22.7 docker digest to [`4594271`](https://github.com/cilium/cilium/commit/4594271) (v1.15) ([#34900](https://github.com/cilium/cilium/issues/34900), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.22.7 (v1.15) ([#34733](https://github.com/cilium/cilium/issues/34733), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore: Avoid docker warning due to casing (Backport PR [#34857](https://github.com/cilium/cilium/issues/34857), Upstream PR [#34125](https://github.com/cilium/cilium/issues/34125), [@sayboras](https://github.com/sayboras)) - cilium-dbg: add Envoy admin commands (Backport PR [#34587](https://github.com/cilium/cilium/issues/34587), Upstream PR [#34398](https://github.com/cilium/cilium/issues/34398), [@mhofstetter](https://github.com/mhofstetter)) - docs: Avoid using wildcard TLS certificate (Backport PR [#34830](https://github.com/cilium/cilium/issues/34830), Upstream PR [#34609](https://github.com/cilium/cilium/issues/34609), [@sayboras](https://github.com/sayboras)) - docs: Improve Ingress documentation (Backport PR [#34367](https://github.com/cilium/cilium/issues/34367), Upstream PR [#33698](https://github.com/cilium/cilium/issues/33698), [@youngnick](https://github.com/youngnick)) - Documentation: Update readthedocs configuration (Backport PR [#34299](https://github.com/cilium/cilium/issues/34299), Upstream PR [#34190](https://github.com/cilium/cilium/issues/34190), [@joestringer](https://github.com/joestringer)) - endpoint: Do not pass a function to WithFields (Backport PR [#34456](https://github.com/cilium/cilium/issues/34456), Upstream PR [#34346](https://github.com/cilium/cilium/issues/34346), [@jrajahalme](https://github.com/jrajahalme)) - fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR [#34456](https://github.com/cilium/cilium/issues/34456), Upstream PR [#34372](https://github.com/cilium/cilium/issues/34372), [@Artyop](https://github.com/Artyop)) - images: fix path script (Backport PR [#34767](https://github.com/cilium/cilium/issues/34767), Upstream PR [#34764](https://github.com/cilium/cilium/issues/34764), [@aanm](https://github.com/aanm)) - ipsec: Document a new cause of XfrmInStateProtoError (Backport PR [#34587](https://github.com/cilium/cilium/issues/34587), Upstream PR [#34221](https://github.com/cilium/cilium/issues/34221), [@jschwinger233](https://github.com/jschwinger233)) - pkg/endpointmanager: don't hold lock while iterating over subscribers (Backport PR [#34587](https://github.com/cilium/cilium/issues/34587), Upstream PR [#33896](https://github.com/cilium/cilium/issues/33896), [@aanm](https://github.com/aanm)) **Other Changes:** - \[v1.15] CODEOWNERS: switch cilium/tophat to cilium/committers ([#34889](https://github.com/cilium/cilium/issues/34889), [@julianwiedmann](https://github.com/julianwiedmann)) - \[v1.15] envoy: Bump envoy version from v1.29.7 to v1.29.9 ([#34965](https://github.com/cilium/cilium/issues/34965), [@sayboras](https://github.com/sayboras)) - \[v1.15] envoy: Switch to image with timestamp tag ([#34394](https://github.com/cilium/cilium/issues/34394), [@sayboras](https://github.com/sayboras)) - envoy: Bump golang version ([#34327](https://github.com/cilium/cilium/issues/34327), [@sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.8 ([#34376](https://github.com/cilium/cilium/issues/34376), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.9@sha256:c2a4c57a6baf758e975fbefbf638476906d1bb0c970e9547d216d9ea7b6471e3` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.9@sha256:ec82fb96dd0fbac4c6de333aaf8f7964a74c2194a3afdf765b3c260433a4aeed` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.9@sha256:1a86463fd5b38b5930069045af141ee577ead4c26f8ba4d4a532d1aa3f38a709` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.9@sha256:421afd9f4e46a7b9834f0542ceca6e8652ec0598982126dc2dd1dcf0dd690631` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.9@sha256:9fe2c3c6d49d4f501067ec525a3d792da17d055ebcefa37f4fbb5698109d217b` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.9@sha256:8c2b4a4d4d6ebf1c37a6ae72da2279286729a4982bf124d98f4bcc2db5eeb5e6` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.9@sha256:9b02e12c56b08d50eb1540d6cbb1119eee639a9795c752c4904311d03889d7fe` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.9@sha256:0ec30b4df0d097aedcbcb41748f10ce397f9656c128bea7e227b6bfd820f6d76` ##### operator `quay.io/cilium/operator:v1.15.9@sha256:9ed87c339762c5b5422bd284e9672f6fedcee2aba376a5aa1328223c39bd9914` ### [`v1.15.8`](https://github.com/cilium/cilium/releases/tag/v1.15.8): 1.15.8 [Compare Source](https://github.com/cilium/cilium/compare/1.15.7...1.15.8) ## Security Advisories This release addresses the following security vulnerabilities: - https://github.com/cilium/cilium/security/advisories/GHSA-vwf8-q6fw-4wcm - https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww - https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw ## Summary of Changes **Minor Changes:** - helm: Add validation to prevent users from using deprecated values that have been removed ([#34213](https://github.com/cilium/cilium/issues/34213), [@chancez](https://github.com/chancez)) - helm: Cleanup old k8s version check and deprecated atributes (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#31940](https://github.com/cilium/cilium/issues/31940), [@sayboras](https://github.com/sayboras)) - Make hubble-relay more resilient to transient errors (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#33894](https://github.com/cilium/cilium/issues/33894), [@chancez](https://github.com/chancez)) **Bugfixes:** - add support for validation of stringToString values in ConfigMap (Backport PR [#33962](https://github.com/cilium/cilium/issues/33962), Upstream PR [#33779](https://github.com/cilium/cilium/issues/33779), [@alex-berger](https://github.com/alex-berger)) - auth: Fix data race in Upsert (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#33905](https://github.com/cilium/cilium/issues/33905), [@chaunceyjiang](https://github.com/chaunceyjiang)) - auth: fix fatal error: concurrent map iteration and map write (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33634](https://github.com/cilium/cilium/issues/33634), [@chaunceyjiang](https://github.com/chaunceyjiang)) - cert: Adding H2 Protocol Support when Get gRPC Config For Client (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33616](https://github.com/cilium/cilium/issues/33616), [@mrproliu](https://github.com/mrproliu)) - DNS Proxy: Allow SO_LINGER to be set to the socket to upstream (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33592](https://github.com/cilium/cilium/issues/33592), [@gandro](https://github.com/gandro)) - Fix an issue in updates to node addresses which may have caused missing NodePort frontend IP addresses. May have affected NodePort/LoadBalancer services for users running with runtime device detection enabled when node's IP addresses were changed after Cilium had started. Node IP as defined in the Kubernetes Node is now preferred when selecting the NodePort frontend IPs. (Backport PR [#33818](https://github.com/cilium/cilium/issues/33818), Upstream PR [#33629](https://github.com/cilium/cilium/issues/33629), [@joamaki](https://github.com/joamaki)) - Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR [#34183](https://github.com/cilium/cilium/issues/34183), Upstream PR [#34091](https://github.com/cilium/cilium/issues/34091), [@giorio94](https://github.com/giorio94)) - Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium. Fix spurious updates node addresses to avoid unnecessary datapath reinitializations. (Backport PR [#34086](https://github.com/cilium/cilium/issues/34086), Upstream PR [#34012](https://github.com/cilium/cilium/issues/34012), [@joamaki](https://github.com/joamaki)) - Fix rare race condition afflicting clustermesh while stopping the retrieval of the remote cluster configuration, possibly causing a deadlock (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33735](https://github.com/cilium/cilium/issues/33735), [@giorio94](https://github.com/giorio94)) - Fixes a race condition during agent startup that causes the k8s node label updates to not get propagated to the host endpoint. (Backport PR [#33663](https://github.com/cilium/cilium/issues/33663), Upstream PR [#33511](https://github.com/cilium/cilium/issues/33511), [@skmatti](https://github.com/skmatti)) - gateway-api: Add HTTP method condition in sortable routes (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#34109](https://github.com/cilium/cilium/issues/34109), [@sayboras](https://github.com/sayboras)) - gateway-api: Enqueue gateway for Reference Grant changes (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#34032](https://github.com/cilium/cilium/issues/34032), [@sayboras](https://github.com/sayboras)) - helm: remove duplicate metrics for Envoy pod (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#33803](https://github.com/cilium/cilium/issues/33803), [@mhofstetter](https://github.com/mhofstetter)) - lbipam: fixed bug in sharing key logic (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#34106](https://github.com/cilium/cilium/issues/34106), [@dylandreimerink](https://github.com/dylandreimerink)) - pkg/metrics: fix data race warning on metrics init hook. (Backport PR [#33962](https://github.com/cilium/cilium/issues/33962), Upstream PR [#33823](https://github.com/cilium/cilium/issues/33823), [@tommyp1ckles](https://github.com/tommyp1ckles)) - Reduce conntrack lifetime for closing service connections. (Backport PR [#33962](https://github.com/cilium/cilium/issues/33962), Upstream PR [#33907](https://github.com/cilium/cilium/issues/33907), [@julianwiedmann](https://github.com/julianwiedmann)) - Skip regenerating host endpoint on k8s node labels update if identity labels are unchanged (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33306](https://github.com/cilium/cilium/issues/33306), [@skmatti](https://github.com/skmatti)) - The cilium agent will now recover from stale nodeID mappings which could occur in clusters with high node churn, possibly manifesting itself in dropped IPsec traffic. (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#33666](https://github.com/cilium/cilium/issues/33666), [@bimmlerd](https://github.com/bimmlerd)) **CI Changes:** - \[v1.15] ci/ipsec: add missing config for patch-upgrade test with 6.6 kernel ([#33736](https://github.com/cilium/cilium/issues/33736), [@julianwiedmann](https://github.com/julianwiedmann)) - \[v1.15] gh/e2e: fix up config 15 to not use bpf-next ([#33738](https://github.com/cilium/cilium/issues/33738), [@julianwiedmann](https://github.com/julianwiedmann)) - gha: Add http client timeout in Ingress (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33683](https://github.com/cilium/cilium/issues/33683), [@sayboras](https://github.com/sayboras)) - gha: don't fail if all cloud provider matrix entries are filtered out (Backport PR [#33962](https://github.com/cilium/cilium/issues/33962), Upstream PR [#33819](https://github.com/cilium/cilium/issues/33819), [@giorio94](https://github.com/giorio94)) - gha: ensure that helm values.schema.json is not accidentally backported ([#33845](https://github.com/cilium/cilium/issues/33845), [@giorio94](https://github.com/giorio94)) - gha: lint absence of trailing spaces in workflow files (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#33908](https://github.com/cilium/cilium/issues/33908), [@giorio94](https://github.com/giorio94)) - gha: simplify the call-backport-label-updater workflow (Backport PR [#33962](https://github.com/cilium/cilium/issues/33962), Upstream PR [#33934](https://github.com/cilium/cilium/issues/33934), [@giorio94](https://github.com/giorio94)) - test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#34004](https://github.com/cilium/cilium/issues/34004), [@tommyp1ckles](https://github.com/tommyp1ckles)) - tests-clustermesh-upgrade: Don't hardcode test namespace (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#34121](https://github.com/cilium/cilium/issues/34121), [@michi-covalent](https://github.com/michi-covalent)) - workflow: Use per-tunnel keys for the IPsec upgrade test (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33769](https://github.com/cilium/cilium/issues/33769), [@pchaigno](https://github.com/pchaigno)) **Misc Changes:** - \[v1.15] Update Docker dependency ([#34196](https://github.com/cilium/cilium/issues/34196), [@ferozsalam](https://github.com/ferozsalam)) - bugtool: dumping more Envoy information (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#34110](https://github.com/cilium/cilium/issues/34110), [@mhofstetter](https://github.com/mhofstetter)) - chore(deps): update all github action dependencies (v1.15) ([#34170](https://github.com/cilium/cilium/issues/34170), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#33649](https://github.com/cilium/cilium/issues/33649), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#34168](https://github.com/cilium/cilium/issues/34168), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.15) ([#33793](https://github.com/cilium/cilium/issues/33793), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.13 (v1.15) ([#33794](https://github.com/cilium/cilium/issues/33794), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1 (v1.15) ([#34051](https://github.com/cilium/cilium/issues/34051), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.21.12 docker digest to [`7e0e13a`](https://github.com/cilium/cilium/commit/7e0e13a) (v1.15) ([#33792](https://github.com/cilium/cilium/issues/33792), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.22.5 (v1.15) ([#33857](https://github.com/cilium/cilium/issues/33857), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.22.6 (v1.15) ([#34167](https://github.com/cilium/cilium/issues/34167), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#33798](https://github.com/cilium/cilium/issues/33798), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - daemon/ipam: don't swallow parse error of CIDR (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33283](https://github.com/cilium/cilium/issues/33283), [@bimmlerd](https://github.com/bimmlerd)) - doc: update slack channel reference (Backport PR [#34157](https://github.com/cilium/cilium/issues/34157), Upstream PR [#34044](https://github.com/cilium/cilium/issues/34044), [@Huweicai](https://github.com/Huweicai)) - docs,LRP: Add steps to restart agent and operator pods and update feature roadmap status (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33655](https://github.com/cilium/cilium/issues/33655), [@aditighag](https://github.com/aditighag)) - docs: Add node about socketLB.hostNamespaceOnly to Kata page (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33725](https://github.com/cilium/cilium/issues/33725), [@brb](https://github.com/brb)) - docs: Extend LRP guide with troubleshooting section (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33373](https://github.com/cilium/cilium/issues/33373), [@aditighag](https://github.com/aditighag)) - docs: generalize version specific notes section (Backport PR [#33962](https://github.com/cilium/cilium/issues/33962), Upstream PR [#33888](https://github.com/cilium/cilium/issues/33888), [@giorio94](https://github.com/giorio94)) - docs: Remove CNCF graduation from the roadmap (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33680](https://github.com/cilium/cilium/issues/33680), [@joestringer](https://github.com/joestringer)) - docs: remove mention of outdated clustermesh + L7 policies + tunnel limitation (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33626](https://github.com/cilium/cilium/issues/33626), [@giorio94](https://github.com/giorio94)) - docs: Update LVH VM image pull instructions (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33621](https://github.com/cilium/cilium/issues/33621), [@brb](https://github.com/brb)) - Documentation: Add --set cni.exclusive=false for Azure Chain Mode (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33708](https://github.com/cilium/cilium/issues/33708), [@Mais316](https://github.com/Mais316)) - helm: Allow socket linger timeout to be set to zero (Backport PR [#33962](https://github.com/cilium/cilium/issues/33962), Upstream PR [#33887](https://github.com/cilium/cilium/issues/33887), [@gandro](https://github.com/gandro)) - policy: Fix `mapstate.Diff()` used in tests (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33449](https://github.com/cilium/cilium/issues/33449), [@jrajahalme](https://github.com/jrajahalme)) - Remove stable tags from v1.15 releases ([#33985](https://github.com/cilium/cilium/issues/33985), [@joestringer](https://github.com/joestringer)) - renovate: onboard etcd image used in integration tests (Backport PR [#33809](https://github.com/cilium/cilium/issues/33809), Upstream PR [#33679](https://github.com/cilium/cilium/issues/33679), [@giorio94](https://github.com/giorio94)) - Revert "fix: support validation of stringToString values in ConfigMap" (Backport PR [#34306](https://github.com/cilium/cilium/issues/34306), Upstream PR [#34277](https://github.com/cilium/cilium/issues/34277), [@aanm](https://github.com/aanm)) **Other Changes:** - \[v1.15] ci: use base and head SHAs from context in lint-build-commits workflow ([#34267](https://github.com/cilium/cilium/issues/34267), [@tklauser](https://github.com/tklauser)) - \[v1.15] Revert "docs: Update LRP feature status" ([#34238](https://github.com/cilium/cilium/issues/34238), [@ysksuzuki](https://github.com/ysksuzuki)) - Fix bug in Bandwidth Manager that caused it to not find native devices. ([#33910](https://github.com/cilium/cilium/issues/33910), [@joamaki](https://github.com/joamaki)) - install: Update image digests for v1.15.7 ([#33744](https://github.com/cilium/cilium/issues/33744), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.8@sha256:4c1f33aae2b76392b57e867820471b5472f0886f7358513d47ee80c09af15a0e` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.8@sha256:15b1b6e83e1c0eea97df179660c1898661c1d0da5d431c68f98c702581e29310` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.8@sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.8@sha256:388ef72febd719bc9d16d5ee47fe6f846f73f0d8a6f9586ada04cb39eb2962d1` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.8@sha256:3807dd23c2b5f90489824ddd13dca6e84e714dc9eae44e5718acfe86c855b7a1` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.8@sha256:c517db3d12fcf038a9a4a81b88027a19672078bf8c2fcd6b2563f3eff9514d21` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.8@sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18` ##### operator `quay.io/cilium/operator:v1.15.8@sha256:e9cf35fe3dc86933ccf3fdfdb7620d218c50aaca5f14e4ba5f422460ea4cb23c` </details> <details> <summary>haproxytech/helm-charts (haproxy)</summary> ### [`v1.23.0`](https://github.com/haproxytech/helm-charts/releases/tag/haproxy-1.23.0) [Compare Source](https://github.com/haproxytech/helm-charts/compare/haproxy-1.22.0...haproxy-1.23.0) A Helm chart for HAProxy on Kubernetes </details> <details> <summary>metallb/metallb (metallb)</summary> ### [`v0.14.8`](https://github.com/metallb/metallb/releases/tag/v0.14.8) [Compare Source](https://github.com/metallb/metallb/compare/v0.14.7...v0.14.8) See the release notes for the details https://metallb.universe.tf/release-notes/#version-0-14-8 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate added the

renovate

label 2024-07-23 12:58:38 +00:00

renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from a25a99f833 to 816971341b

2024-07-25 03:06:58 +00:00

Compare

renovate changed title from ~~chore(deps): update helm release metallb to v0.14.8~~ to chore(deps): update kubezero-network-dependencies

2024-07-25 03:07:02 +00:00

renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from 816971341b to dcc79b2ec1

2024-08-15 03:15:22 +00:00

Compare

renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from dcc79b2ec1 to 8b8bb3a67b

2024-09-20 03:42:11 +00:00

Compare

renovate force-pushed renovate/kubezero-network-kubezero-network-dependencies from 8b8bb3a67b to 9f00738e70

2024-10-04 14:41:42 +00:00

Compare

stefan merged commit 0d910d478c into main

2024-10-10 14:09:24 +00:00

stefan referenced this issue from a commit

2024-10-10 14:09:26 +00:00

Merge pull request 'chore(deps): update kubezero-network-dependencies' (#344) from renovate/kubezero-network-kubezero-network-dependencies into main

stefan deleted branch renovate/kubezero-network-kubezero-network-dependencies

2024-10-10 14:09:26 +00:00

stefan referenced this issue from a commit

2024-10-16 13:03:26 +00:00

Merge pull request 'chore(deps): update kubezero-network-dependencies' (#344) from renovate/kubezero-network-kubezero-network-dependencies into main

Sign in to join this conversation.

No reviewers

No Label

renovate

No Milestone

No Assignees

1 Participants

Notifications

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: ZeroDownTime/kubezero#344

chore(deps): update kubezero-network-dependencies #344

Release Notes

v1.16.2: 1.16.2

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.16.1: 1.16.1

Security Advisories

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.16.0: 1.16.0

Here's what's new in v1.16.0:

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.15.9: 1.15.9

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.15.8: 1.15.8

Security Advisories

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.23.0

v0.14.8

Configuration

`v1.16.2`: 1.16.2

`v1.16.1`: 1.16.1

`v1.16.0`: 1.16.0

`v1.15.9`: 1.15.9

`v1.15.8`: 1.15.8

`v1.23.0`

`v0.14.8`