chaijunkin / home-ops

K3s Cluster powered by proxmox
Do What The F*ck You Want To Public License

fix(helm): update chart cilium to 1.15.5 #56

Closed renovate[bot] closed 6 months ago

renovate[bot] commented 8 months ago

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| cilium (source) | patch | 1.15.1 -> 1.15.5 |
| cilium (source) | patch | 1.15.3 -> 1.15.5 |

Release Notes

cilium/cilium (cilium)

### [`v1.15.5`](https://togithub.com/cilium/cilium/releases/tag/v1.15.5): 1.15.5

[Compare Source](https://togithub.com/cilium/cilium/compare/1.15.4...1.15.5)

We are pleased to announce the release of Cilium v1.15.5. This release fixes a lot of bugs, including fixes for conflicting ports with DNS proxy, clustermesh startup issues, and StatefulSet handling.

## Security Advisories

This release addresses following security vulnerabilities:

- https://github.com/envoyproxy/envoy/security/advisories/GHSA-3mh5-6q8v-25wj
- https://github.com/advisories/GHSA-5fq7-4mxc-535h

## Summary of Changes

**Minor Changes:**

- envoy: Bump go version to 1.22.3 ([#32413](https://togithub.com/cilium/cilium/issues/32413), [@sayboras](https://togithub.com/sayboras))
- labels: Add controller-uid into default ignore list (Backport PR [#32103](https://togithub.com/cilium/cilium/issues/32103), Upstream PR [#31964](https://togithub.com/cilium/cilium/issues/31964), [@sayboras](https://togithub.com/sayboras))

**Bugfixes:**

- Agent: add kubeconfigPath to initContainers (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32008](https://togithub.com/cilium/cilium/issues/32008), [@darox](https://togithub.com/darox))
- Avoids drops with "No mapping for NAT masquerade" for ICMP messages by local service backends. (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#32155](https://togithub.com/cilium/cilium/issues/32155), [@julianwiedmann](https://togithub.com/julianwiedmann))
- cilium-cni: Reserve ports that can conflict with transparent DNS proxy (Backport PR [#32418](https://togithub.com/cilium/cilium/issues/32418), Upstream PR [#32128](https://togithub.com/cilium/cilium/issues/32128), [@gandro](https://togithub.com/gandro))
- cni: Use correct route MTU when ENI, Azure or Alibaba Cloud IPAM is enabled (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#32244](https://togithub.com/cilium/cilium/issues/32244), [@learnitall](https://togithub.com/learnitall))
- dnsproxy: Fix bug where DNS request timed out too soon (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#31999](https://togithub.com/cilium/cilium/issues/31999), [@gandro](https://togithub.com/gandro))
- Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (Backport PR [#32312](https://togithub.com/cilium/cilium/issues/32312), Upstream PR [#32270](https://togithub.com/cilium/cilium/issues/32270), [@jrajahalme](https://togithub.com/jrajahalme))
- envoy: pass idle timeout configuration option to cilium configmap (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32203](https://togithub.com/cilium/cilium/issues/32203), [@mhofstetter](https://togithub.com/mhofstetter))
- Fix failing service connections, when the service requests are transported via cilium's overlay network. (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32116](https://togithub.com/cilium/cilium/issues/32116), [@julianwiedmann](https://togithub.com/julianwiedmann))
- Fix issue causing clustermesh-apiserver/kvstoremesh to not start when run with a non-root user (Backport PR [#31879](https://togithub.com/cilium/cilium/issues/31879), Upstream PR [#31539](https://togithub.com/cilium/cilium/issues/31539), [@giorio94](https://togithub.com/giorio94))
- Fix service connection to terminating backend, when the service has no more backends available. (Backport PR [#32092](https://togithub.com/cilium/cilium/issues/32092), Upstream PR [#31840](https://togithub.com/cilium/cilium/issues/31840), [@julianwiedmann](https://togithub.com/julianwiedmann))
- Fix various bugs related to restart of StatefulSet pods that may result in connectivity issues (Backport PR [#32432](https://togithub.com/cilium/cilium/issues/32432), Upstream PR [#31605](https://togithub.com/cilium/cilium/issues/31605), [@christarazi](https://togithub.com/christarazi))
- Fixes a bug where Cilium in chained mode removed the `agent-not-ready` taint too early if the primary network is slow in deploying. (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32168](https://togithub.com/cilium/cilium/issues/32168), [@squeed](https://togithub.com/squeed))
- Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#30548](https://togithub.com/cilium/cilium/issues/30548), [@squeed](https://togithub.com/squeed))
- fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (Backport PR [#32103](https://togithub.com/cilium/cilium/issues/32103), Upstream PR [#31959](https://togithub.com/cilium/cilium/issues/31959), [@marseel](https://togithub.com/marseel))
- Ingress/Gateway API: merge Envoy listeners for HTTP(S) and TLS passthrough (Backport PR [#32178](https://togithub.com/cilium/cilium/issues/32178), Upstream PR [#31646](https://togithub.com/cilium/cilium/issues/31646), [@mhofstetter](https://togithub.com/mhofstetter))
- ipam: retry netlink.LinkList call when setting up ENI devices (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32099](https://togithub.com/cilium/cilium/issues/32099), [@jasonaliyetti](https://togithub.com/jasonaliyetti))
- loader: sanitize bpffs directory strings for netdevs (Backport PR [#32103](https://togithub.com/cilium/cilium/issues/32103), Upstream PR [#32090](https://togithub.com/cilium/cilium/issues/32090), [@rgo3](https://togithub.com/rgo3))
- Prevent Cilium agents from incorrectly restarting an etcd watch against a different etcd instance. ([#32005](https://togithub.com/cilium/cilium/issues/32005), [@giorio94](https://togithub.com/giorio94))
- tables: Sort node addresses also by public vs private IP (Backport PR [#32103](https://togithub.com/cilium/cilium/issues/32103), Upstream PR [#30579](https://togithub.com/cilium/cilium/issues/30579), [@joamaki](https://togithub.com/joamaki))

**CI Changes:**

- alibabacloud/eni: avoid racing node mgr in test (Backport PR [#31967](https://togithub.com/cilium/cilium/issues/31967), Upstream PR [#31877](https://togithub.com/cilium/cilium/issues/31877), [@bimmlerd](https://togithub.com/bimmlerd))
- ci: Filter supported versions of AKS (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#32303](https://togithub.com/cilium/cilium/issues/32303), [@marseel](https://togithub.com/marseel))
- ci: Increase timeout for images for l4lb test (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32201](https://togithub.com/cilium/cilium/issues/32201), [@marseel](https://togithub.com/marseel))
- ci: Set hubble.relay.retryTimeout=5s (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32066](https://togithub.com/cilium/cilium/issues/32066), [@chancez](https://togithub.com/chancez))
- enable kube cache mutation detector (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32069](https://togithub.com/cilium/cilium/issues/32069), [@aanm](https://togithub.com/aanm))
- gha: bump post-upgrade timeout in clustermesh upgrade/downgrade tests (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#32347](https://togithub.com/cilium/cilium/issues/32347), [@giorio94](https://togithub.com/giorio94))
- gha: configure fully-qualified DNS names as external targets (Backport PR [#32103](https://togithub.com/cilium/cilium/issues/32103), Upstream PR [#31510](https://togithub.com/cilium/cilium/issues/31510), [@giorio94](https://togithub.com/giorio94))
- gha: drop double installation of Cilium CLI in conformance-eks (Backport PR [#32103](https://togithub.com/cilium/cilium/issues/32103), Upstream PR [#32042](https://togithub.com/cilium/cilium/issues/32042), [@giorio94](https://togithub.com/giorio94))
- Miscellaneous improvements to the clustermesh upgrade/downgrade test (Backport PR [#32103](https://togithub.com/cilium/cilium/issues/32103), Upstream PR [#31958](https://togithub.com/cilium/cilium/issues/31958), [@giorio94](https://togithub.com/giorio94))
- route: dedicated net ns for each subtest of runListRules (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#29916](https://togithub.com/cilium/cilium/issues/29916), [@mhofstetter](https://togithub.com/mhofstetter))
- test: De-flake xds server_e2e_test (Backport PR [#32103](https://togithub.com/cilium/cilium/issues/32103), Upstream PR [#32004](https://togithub.com/cilium/cilium/issues/32004), [@jrajahalme](https://togithub.com/jrajahalme))
- workflows: Fix CI jobs for push events on private forks (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32085](https://togithub.com/cilium/cilium/issues/32085), [@pchaigno](https://togithub.com/pchaigno))

**Misc Changes:**

- bpf: host: simplify MARK_MAGIC_PROXY_EGRESS_EPID handling (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#29803](https://togithub.com/cilium/cilium/issues/29803), [@julianwiedmann](https://togithub.com/julianwiedmann))
- build(deps): bump pydantic from 2.3.0 to 2.4.0 in /Documentation (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32176](https://togithub.com/cilium/cilium/issues/32176), [@dependabot](https://togithub.com/dependabot)\[bot])
- chore(deps): update all github action dependencies (v1.15) ([#31954](https://togithub.com/cilium/cilium/issues/31954), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update all github action dependencies (v1.15) ([#32107](https://togithub.com/cilium/cilium/issues/32107), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update all github action dependencies (v1.15) ([#32366](https://togithub.com/cilium/cilium/issues/32366), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update all-dependencies (v1.15) ([#31993](https://togithub.com/cilium/cilium/issues/31993), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update all-dependencies (v1.15) ([#32238](https://togithub.com/cilium/cilium/issues/32238), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update azure/login action to v2.1.0 (v1.15) ([#31994](https://togithub.com/cilium/cilium/issues/31994), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.6 (v1.15) ([#32365](https://togithub.com/cilium/cilium/issues/32365), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.21.9 docker digest to [`81811f8`](https://togithub.com/cilium/cilium/commit/81811f8) (v1.15) ([#31953](https://togithub.com/cilium/cilium/issues/31953), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.21.9 docker digest to [`d83472f`](https://togithub.com/cilium/cilium/commit/d83472f) (v1.15) ([#32257](https://togithub.com/cilium/cilium/issues/32257), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`a6d2b38`](https://togithub.com/cilium/cilium/commit/a6d2b38) (v1.15) ([#32364](https://togithub.com/cilium/cilium/issues/32364), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update go to v1.21.10 (v1.15) ([#32417](https://togithub.com/cilium/cilium/issues/32417), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update golangci/golangci-lint-action action to v6 (v1.15) ([#32396](https://togithub.com/cilium/cilium/issues/32396), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update hubble cli to v0.13.3 (v1.15) ([#32108](https://togithub.com/cilium/cilium/issues/32108), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) ([#31821](https://togithub.com/cilium/cilium/issues/31821), [@renovate](https://togithub.com/renovate)\[bot])
- CI: bump default FQDN datapath timeout from 100 to 250ms (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#31866](https://togithub.com/cilium/cilium/issues/31866), [@squeed](https://togithub.com/squeed))
- clustermesh: fix panic if the etcd client cannot be created (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#32225](https://togithub.com/cilium/cilium/issues/32225), [@giorio94](https://togithub.com/giorio94))
- docs: Add annotation for Ingress endpoint (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#32284](https://togithub.com/cilium/cilium/issues/32284), [@sayboras](https://togithub.com/sayboras))
- docs: add link to sig-policy meeting (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#32340](https://togithub.com/cilium/cilium/issues/32340), [@squeed](https://togithub.com/squeed))
- docs: Clean-up Host Firewall documentation, list known issues (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#32267](https://togithub.com/cilium/cilium/issues/32267), [@qmonnet](https://togithub.com/qmonnet))
- docs: Fix prometheus port regex (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32030](https://togithub.com/cilium/cilium/issues/32030), [@JBodkin-Amphora](https://togithub.com/JBodkin-Amphora))
- Docs: mark Tetragon as Stable (Backport PR [#31967](https://togithub.com/cilium/cilium/issues/31967), Upstream PR [#31886](https://togithub.com/cilium/cilium/issues/31886), [@sharlns](https://togithub.com/sharlns))
- Document Cluster Mesh global services limitations when KPR=false (Backport PR [#31967](https://togithub.com/cilium/cilium/issues/31967), Upstream PR [#31798](https://togithub.com/cilium/cilium/issues/31798), [@giorio94](https://togithub.com/giorio94))
- endpoint: Skip build queue warning log is context is canceled (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32132](https://togithub.com/cilium/cilium/issues/32132), [@jrajahalme](https://togithub.com/jrajahalme))
- Fix helm chart incompatible types for comparison (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32025](https://togithub.com/cilium/cilium/issues/32025), [@lou-lan](https://togithub.com/lou-lan))
- fqdn: Change error log to warning (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#32333](https://togithub.com/cilium/cilium/issues/32333), [@jrajahalme](https://togithub.com/jrajahalme))
- fqdn: Fix Upgrade Issue Between PortProto Versions (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#32325](https://togithub.com/cilium/cilium/issues/32325), [@nathanjsweet](https://togithub.com/nathanjsweet))
- golangci: Enable errorlint (Backport PR [#31783](https://togithub.com/cilium/cilium/issues/31783), Upstream PR [#31458](https://togithub.com/cilium/cilium/issues/31458), [@jrajahalme](https://togithub.com/jrajahalme))
- images: Update bpftool, checkpatch images (Backport PR [#31896](https://togithub.com/cilium/cilium/issues/31896), Upstream PR [#31753](https://togithub.com/cilium/cilium/issues/31753), [@qmonnet](https://togithub.com/qmonnet))
- Improve release organization page (Backport PR [#32103](https://togithub.com/cilium/cilium/issues/32103), Upstream PR [#31970](https://togithub.com/cilium/cilium/issues/31970), [@joestringer](https://togithub.com/joestringer))
- install/kubernetes: add AppArmor profile to Cilium Daemonset (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#32199](https://togithub.com/cilium/cilium/issues/32199), [@aanm](https://togithub.com/aanm))
- install/kubernetes: update nodeinit image to latest version (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32181](https://togithub.com/cilium/cilium/issues/32181), [@tklauser](https://togithub.com/tklauser))
- ipsec: Debug info for transient IPsec upgrade drops (Backport PR [#32384](https://togithub.com/cilium/cilium/issues/32384), Upstream PR [#32240](https://togithub.com/cilium/cilium/issues/32240), [@pchaigno](https://togithub.com/pchaigno))
- l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops (Backport PR [#32260](https://togithub.com/cilium/cilium/issues/32260), Upstream PR [#32200](https://togithub.com/cilium/cilium/issues/32200), [@mhofstetter](https://togithub.com/mhofstetter))
- Remove aks-preview from AKS workflows (Backport PR [#32230](https://togithub.com/cilium/cilium/issues/32230), Upstream PR [#32118](https://togithub.com/cilium/cilium/issues/32118), [@marseel](https://togithub.com/marseel))
- Seamlessly downgrade bpf attachments from tcx to tc (Backport PR [#32337](https://togithub.com/cilium/cilium/issues/32337), Upstream PR [#32228](https://togithub.com/cilium/cilium/issues/32228), [@ti-mo](https://togithub.com/ti-mo))

**Other Changes:**

- \[1.15] images: update cilium-{runtime,builder} ([#32444](https://togithub.com/cilium/cilium/issues/32444), [@nebril](https://togithub.com/nebril))
- \[v1.15-backport] Introduce fromEgressProxyRule ([#31922](https://togithub.com/cilium/cilium/issues/31922), [@jschwinger233](https://togithub.com/jschwinger233))
- \[v1.15] cilium-dbg: remove section with unknown health status. ([#31905](https://togithub.com/cilium/cilium/issues/31905), [@tommyp1ckles](https://togithub.com/tommyp1ckles))
- \[v1.15] proxy: skip rule removal if address family is not supported ([#32007](https://togithub.com/cilium/cilium/issues/32007), [@rgo3](https://togithub.com/rgo3))
- envoy: Bump envoy version to v1.27.5 ([#32077](https://togithub.com/cilium/cilium/issues/32077), [@sayboras](https://togithub.com/sayboras))
- envoy: Update envoy 1.27.x to 1.28.3 ([#32149](https://togithub.com/cilium/cilium/issues/32149), [@sayboras](https://togithub.com/sayboras))
- fix k8s versions tested in CI ([#31965](https://togithub.com/cilium/cilium/issues/31965), [@nbusseneau](https://togithub.com/nbusseneau))
- install: Update image digests for v1.15.4 ([#31915](https://togithub.com/cilium/cilium/issues/31915), [@asauber](https://togithub.com/asauber))

### [`v1.15.4`](https://togithub.com/cilium/cilium/releases/tag/v1.15.4): 1.15.4

[Compare Source](https://togithub.com/cilium/cilium/compare/1.15.3...1.15.4)

We are pleased to announce the release of Cilium v1.15.4. This release includes the option to configure Node map size, additional detail when using `cilium-dbg bpf metrics list`, a fix to an issue with overlapping keys that may have affected the ability to recover from a full Service map, and performance improvements to the Connection Tracking implementation. Bugfixes include improved behavior for overlapping and restored DNS policies, a fix to a race condition in Service updates for L7 LB, and a fix to the retry logic in the cilium health controllers.

## Security Advisories

This release addresses a security vulnerability.
For more information, see [GHSA-j654-3ccm-vfmm](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm)

## Summary of Changes

**Minor Changes:**

- Add "node-map-max" to allow configuring nodemap size. (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#31407](https://togithub.com/cilium/cilium/issues/31407), [@tommyp1ckles](https://togithub.com/tommyp1ckles))
- Add line numbers and file names to all metrics in 'cilium-dbg bpf metrics list' (Backport PR [#31558](https://togithub.com/cilium/cilium/issues/31558), Upstream PR [#30972](https://togithub.com/cilium/cilium/issues/30972), [@ti-mo](https://togithub.com/ti-mo))
- bugtool: Collect hubble metrics (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#31533](https://togithub.com/cilium/cilium/issues/31533), [@chancez](https://togithub.com/chancez))
- feat: Add the http return code to metric api_processed_total (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#31227](https://togithub.com/cilium/cilium/issues/31227), [@vipul-21](https://togithub.com/vipul-21))
- Fix overlapping keys in agent-side service BPF map cache used for retries. In rare cases this bug may have caused retrying of a failed BPF map update for a services entry to be skipped leading to a missing entry. This may have, for example, adversely affected recovering from a full BPF service map after excess services were removed. (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#29581](https://togithub.com/cilium/cilium/issues/29581), [@xyz-li](https://togithub.com/xyz-li))
- Skip overlay traffic in the BPF SNAT processing, and thus reduce pressure on the BPF Connection tracking and NAT maps. (Backport PR [#31785](https://togithub.com/cilium/cilium/issues/31785), Upstream PR [#31082](https://togithub.com/cilium/cilium/issues/31082), [@julianwiedmann](https://togithub.com/julianwiedmann))

**Bugfixes:**

- Avoid drops with "CT: Unknown L4 protocol" for non-ICMP/TCP/UDP traffic, caused by an error check in the BPF NAT engine. (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#31820](https://togithub.com/cilium/cilium/issues/31820), [@julianwiedmann](https://togithub.com/julianwiedmann))
- cilium-health: Fix broken retry loop in `cilium-health-ep` controller (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#31622](https://togithub.com/cilium/cilium/issues/31622), [@gandro](https://togithub.com/gandro))
- cni: Allow text-ts log format value (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#31686](https://togithub.com/cilium/cilium/issues/31686), [@sayboras](https://togithub.com/sayboras))
- Fix a bug that could cause local packet delivery to be skipped, leading to lower performance, when IPsec was enabled and `--devices` provided. (Backport PR [#31601](https://togithub.com/cilium/cilium/issues/31601), Upstream PR [#31345](https://togithub.com/cilium/cilium/issues/31345), [@pchaigno](https://togithub.com/pchaigno))
- Fix incorrect reporting of the number of etcd lock leases in cilium-dbg status. (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#31781](https://togithub.com/cilium/cilium/issues/31781), [@giorio94](https://togithub.com/giorio94))
- fix: Delegated ipam not configure ipv6 if ipv6 disabled in agent (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#31104](https://togithub.com/cilium/cilium/issues/31104), [@tamilmani1989](https://togithub.com/tamilmani1989))
- Fixed a race condition in service updates for L7 LB. (Backport PR [#31860](https://togithub.com/cilium/cilium/issues/31860), Upstream PR [#31744](https://togithub.com/cilium/cilium/issues/31744), [@jrajahalme](https://togithub.com/jrajahalme))
- fqdn: Fix minor restore bug that causes false negative checks against a restored DNS IP map. ([#31870](https://togithub.com/cilium/cilium/issues/31870), [@nathanjsweet](https://togithub.com/nathanjsweet))
- fqdn: Fixed bug that caused DNS Proxy to be overly restrictive on allowed DNS selectors. (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#31328](https://togithub.com/cilium/cilium/issues/31328), [@nathanjsweet](https://togithub.com/nathanjsweet))
- gateway-api: Ensure hostname check when set on both the HTTPRoute and the Gateway Listener (Backport PR [#31769](https://togithub.com/cilium/cilium/issues/31769), Upstream PR [#30686](https://togithub.com/cilium/cilium/issues/30686), [@cjvirtucio87](https://togithub.com/cjvirtucio87))
- gateway-api: fixed RequestRedirect picks wrong port with multiple listeners (Backport PR [#31769](https://togithub.com/cilium/cilium/issues/31769), Upstream PR [#31361](https://togithub.com/cilium/cilium/issues/31361), [@chaunceyjiang](https://togithub.com/chaunceyjiang))
- gateway-api: shorten the length of the value of the svc's label. (Backport PR [#31769](https://togithub.com/cilium/cilium/issues/31769), Upstream PR [#31292](https://togithub.com/cilium/cilium/issues/31292), [@chaunceyjiang](https://togithub.com/chaunceyjiang))
- ingress/gateway-api: sort virtual hosts in CEC (Backport PR [#31739](https://togithub.com/cilium/cilium/issues/31739), Upstream PR [#31493](https://togithub.com/cilium/cilium/issues/31493), [@mhofstetter](https://togithub.com/mhofstetter))
- ingress/gateway-api: stable envoy listener filterchain sort-order (Backport PR [#31601](https://togithub.com/cilium/cilium/issues/31601), Upstream PR [#31572](https://togithub.com/cilium/cilium/issues/31572), [@mhofstetter](https://togithub.com/mhofstetter))
- metric: Avoid memory leak/increase in cilium-agent (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#31714](https://togithub.com/cilium/cilium/issues/31714), [@sayboras](https://togithub.com/sayboras))

**CI Changes:**

- ci-e2e: Add e2e test with WireGuard + Host Firewall (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#31594](https://togithub.com/cilium/cilium/issues/31594), [@qmonnet](https://togithub.com/qmonnet))
- ci/ipsec: Print more info to debug credentials removal check failures (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#31652](https://togithub.com/cilium/cilium/issues/31652), [@qmonnet](https://togithub.com/qmonnet))
- deflake endpointmanager tests (Backport PR [#31601](https://togithub.com/cilium/cilium/issues/31601), Upstream PR [#31488](https://togithub.com/cilium/cilium/issues/31488), [@bimmlerd](https://togithub.com/bimmlerd))
- gh/workflows: Add IPsec key rotation action and use it in ci-eks / ci-ipsec-e2e (Backport PR [#31428](https://togithub.com/cilium/cilium/issues/31428), Upstream PR [#29704](https://togithub.com/cilium/cilium/issues/29704), [@brb](https://togithub.com/brb))
- Make BPF unit tests reproducible (Backport PR [#31663](https://togithub.com/cilium/cilium/issues/31663), Upstream PR [#31526](https://togithub.com/cilium/cilium/issues/31526), [@ti-mo](https://togithub.com/ti-mo))
- Make testdata build output more stable by reducing header includes (Backport PR [#31663](https://togithub.com/cilium/cilium/issues/31663), Upstream PR [#31644](https://togithub.com/cilium/cilium/issues/31644), [@ti-mo](https://togithub.com/ti-mo))
- update azure k8s versions (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#31220](https://togithub.com/cilium/cilium/issues/31220), [@brlbil](https://togithub.com/brlbil))
- workflows: Debug info for key rotations (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#31627](https://togithub.com/cilium/cilium/issues/31627), [@pchaigno](https://togithub.com/pchaigno))
- workflows: ipsec-e2e: add missing key types for some configs (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#31636](https://togithub.com/cilium/cilium/issues/31636), [@julianwiedmann](https://togithub.com/julianwiedmann))

**Misc Changes:**

- bitlpm: Document and Fix Descendants Bug (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#31851](https://togithub.com/cilium/cilium/issues/31851), [@nathanjsweet](https://togithub.com/nathanjsweet))
- bpf: host: restore HostFW for overlay traffic in to-netdev (Backport PR [#31785](https://togithub.com/cilium/cilium/issues/31785), Upstream PR [#31818](https://togithub.com/cilium/cilium/issues/31818), [@julianwiedmann](https://togithub.com/julianwiedmann))
- bpf: tests: don't define HAVE_ENCAP in IPsec tests (Backport PR [#31785](https://togithub.com/cilium/cilium/issues/31785), Upstream PR [#31737](https://togithub.com/cilium/cilium/issues/31737), [@julianwiedmann](https://togithub.com/julianwiedmann))
- chore(deps): update all github action dependencies (v1.15) ([#31822](https://togithub.com/cilium/cilium/issues/31822), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update all-dependencies (v1.15) ([#31698](https://togithub.com/cilium/cilium/issues/31698), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.17 (v1.15) ([#31703](https://togithub.com/cilium/cilium/issues/31703), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.4 (v1.15) ([#31674](https://togithub.com/cilium/cilium/issues/31674), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update docker/setup-buildx-action action to v3.3.0 (v1.15) ([#31828](https://togithub.com/cilium/cilium/issues/31828), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to [`f41b84c`](https://togithub.com/cilium/cilium/commit/f41b84c) (v1.15) ([#31747](https://togithub.com/cilium/cilium/issues/31747), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update go to v1.21.9 (v1.15) ([#31764](https://togithub.com/cilium/cilium/issues/31764), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) ([#31704](https://togithub.com/cilium/cilium/issues/31704), [@renovate](https://togithub.com/renovate)\[bot])
- cilium-dbg: avoid leaking file resources (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#31750](https://togithub.com/cilium/cilium/issues/31750), [@tklauser](https://togithub.com/tklauser))
- docs: Document `No node ID found` drops in case of remote node deletion (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#31635](https://togithub.com/cilium/cilium/issues/31635), [@pchaigno](https://togithub.com/pchaigno))
- docs: ipsec: document native-routing + Egress proxy case (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#31478](https://togithub.com/cilium/cilium/issues/31478), [@julianwiedmann](https://togithub.com/julianwiedmann))
- Fix spelling in DNS-based proxy info (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#31728](https://togithub.com/cilium/cilium/issues/31728), [@saintdle](https://togithub.com/saintdle))
- helm: update nodeinit image using renovate (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#31641](https://togithub.com/cilium/cilium/issues/31641), [@tklauser](https://togithub.com/tklauser))
- ingress: sort all shared ingresses during model generation (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#31494](https://togithub.com/cilium/cilium/issues/31494), [@mhofstetter](https://togithub.com/mhofstetter))
- loader: refactor/cleanup replaceNetworkDatapath (Backport PR [#31663](https://togithub.com/cilium/cilium/issues/31663), Upstream PR [#29825](https://togithub.com/cilium/cilium/issues/29825), [@rgo3](https://togithub.com/rgo3))
- Move governance docs to the Cilium community repo (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#31692](https://togithub.com/cilium/cilium/issues/31692), [@katiestruthers](https://togithub.com/katiestruthers))
- Remove Hubble-OTel from the roadmap (Backport PR [#31890](https://togithub.com/cilium/cilium/issues/31890), Upstream PR [#31847](https://togithub.com/cilium/cilium/issues/31847), [@xmulligan](https://togithub.com/xmulligan))
- Remove tcx links created by Cilium 1.16 onwards (Backport PR [#31663](https://togithub.com/cilium/cilium/issues/31663), Upstream PR [#31553](https://togithub.com/cilium/cilium/issues/31553), [@ti-mo](https://togithub.com/ti-mo))
- Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (Backport PR [#31727](https://togithub.com/cilium/cilium/issues/31727), Upstream PR [#29300](https://togithub.com/cilium/cilium/issues/29300), [@learnitall](https://togithub.com/learnitall))
- v1.15: update cilium/certgen to v0.1.11 ([#31882](https://togithub.com/cilium/cilium/issues/31882), [@rolinh](https://togithub.com/rolinh))

**Other Changes:**

- \[v1.15] envoy: Bump envoy image for golang 1.21.9 ([#31770](https://togithub.com/cilium/cilium/issues/31770), [@sayboras](https://togithub.com/sayboras))
- \[v1.15] Multicast Datapath Backport ([#31668](https://togithub.com/cilium/cilium/issues/31668), [@ldelossa](https://togithub.com/ldelossa))
- \[v1.15] route: Specify "proto kernel" for ip routes and rules ([#31777](https://togithub.com/cilium/cilium/issues/31777), [@jschwinger233](https://togithub.com/jschwinger233))
- envoy: Bump envoy version to v1.27.4 ([#31807](https://togithub.com/cilium/cilium/issues/31807), [@sayboras](https://togithub.com/sayboras))
- install: Update image digests for v1.15.3 ([#31623](https://togithub.com/cilium/cilium/issues/31623), [@jrajahalme](https://togithub.com/jrajahalme))
`quay.io/cilium/hubble-relay:v1.15.4@​sha256:03ad857feaf52f1b4774c29614f42a50b370680eb7d0bfbc1ae065df84b1070a` `quay.io/cilium/hubble-relay:stable@sha256:03ad857feaf52f1b4774c29614f42a50b370680eb7d0bfbc1ae065df84b1070a` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.4@​sha256:7c0e5346483a517e18a8951f4d4399337fb47020f2d9225e2ceaa8c5d9a45a5f` `quay.io/cilium/operator-alibabacloud:stable@sha256:7c0e5346483a517e18a8951f4d4399337fb47020f2d9225e2ceaa8c5d9a45a5f` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.4@​sha256:8675486ce8938333390c37302af162ebd12aaebc08eeeaf383bfb73128143fa9` `quay.io/cilium/operator-aws:stable@sha256:8675486ce8938333390c37302af162ebd12aaebc08eeeaf383bfb73128143fa9` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.4@​sha256:4c1a31502931681fa18a41ead2a3904b97d47172a92b7a7b205026bd1e715207` `quay.io/cilium/operator-azure:stable@sha256:4c1a31502931681fa18a41ead2a3904b97d47172a92b7a7b205026bd1e715207` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.4@​sha256:404890a83cca3f28829eb7e54c1564bb6904708cdb7be04ebe69c2b60f164e9a` `quay.io/cilium/operator-generic:stable@sha256:404890a83cca3f28829eb7e54c1564bb6904708cdb7be04ebe69c2b60f164e9a` ##### operator `quay.io/cilium/operator:v1.15.4@​sha256:4e42b867d816808f10b38f555d6ae50065ebdc6ddc4549635f2fe50ed6dc8d7f` `quay.io/cilium/operator:stable@sha256:4e42b867d816808f10b38f555d6ae50065ebdc6ddc4549635f2fe50ed6dc8d7f` ### [`v1.15.3`](https://togithub.com/cilium/cilium/releases/tag/v1.15.3): 1.15.3 [Compare Source](https://togithub.com/cilium/cilium/compare/1.15.2...1.15.3) We are pleased to release Cilium v1.15.3. ## Security Advisories This release addresses a security vulnerability. For more information, see https://github.com/cilium/cilium/security/advisories/GHSA-pwqm-x5x6-5586. 
## Summary of Changes **Minor Changes:** - bgpv1: BGP Control Plane metrics (Backport PR [#​31568](https://togithub.com/cilium/cilium/issues/31568), Upstream PR [#​31469](https://togithub.com/cilium/cilium/issues/31469), [@​YutaroHayakawa](https://togithub.com/YutaroHayakawa)) - cni: use default logger with timestamps. (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​31014](https://togithub.com/cilium/cilium/issues/31014), [@​tommyp1ckles](https://togithub.com/tommyp1ckles)) - Introduce `cilium-dbg encrypt flush --stale` flag to remove XFRM states and policies with stale node IDs. (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​31159](https://togithub.com/cilium/cilium/issues/31159), [@​pchaigno](https://togithub.com/pchaigno)) **Bugfixes:** - \[v1.15 - Author backport] envoy: enable k8s secret watch even if only CEC is enabled ([#​31451](https://togithub.com/cilium/cilium/issues/31451), [@​mhofstetter](https://togithub.com/mhofstetter)) - cni: Use batch endpoint deletion API in chaining plugin (Backport PR [#​31515](https://togithub.com/cilium/cilium/issues/31515), Upstream PR [#​31456](https://togithub.com/cilium/cilium/issues/31456), [@​sayboras](https://togithub.com/sayboras)) - Fix a bug in the StateDB library that may have caused stale read after write. This may have potentially affected the L2 announcements feature and the node address selection. (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​31164](https://togithub.com/cilium/cilium/issues/31164), [@​joamaki](https://togithub.com/joamaki)) - Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. 
(Backport PR [#​31473](https://togithub.com/cilium/cilium/issues/31473), Upstream PR [#​31395](https://togithub.com/cilium/cilium/issues/31395), [@​tklauser](https://togithub.com/tklauser)) - Fixed issue with assigning 0 nodeID when corresponding bpf map run out of space. Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled. Otherwise, it was merely generating unnecessary error log messages. (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31380](https://togithub.com/cilium/cilium/issues/31380), [@​marseel](https://togithub.com/marseel)) - gateway-api: Retrieve LB service from same namespace (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31271](https://togithub.com/cilium/cilium/issues/31271), [@​sayboras](https://togithub.com/sayboras)) - Handle InvalidParameterValue as well for PD fallback (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31016](https://togithub.com/cilium/cilium/issues/31016), [@​hemanthmalla](https://togithub.com/hemanthmalla)) - helm: Update pod affinity for cilium-envoy (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31150](https://togithub.com/cilium/cilium/issues/31150), [@​sayboras](https://togithub.com/sayboras)) - hubble/relay: Fix certificate reloading in PeerManager (Backport PR [#​31568](https://togithub.com/cilium/cilium/issues/31568), Upstream PR [#​31376](https://togithub.com/cilium/cilium/issues/31376), [@​glrf](https://togithub.com/glrf)) - Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR [#​31568](https://togithub.com/cilium/cilium/issues/31568), Upstream PR [#​31211](https://togithub.com/cilium/cilium/issues/31211), [@​kaworu](https://togithub.com/kaworu)) - k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR 
[#​31473](https://togithub.com/cilium/cilium/issues/31473), Upstream PR [#​31421](https://togithub.com/cilium/cilium/issues/31421), [@​tklauser](https://togithub.com/tklauser)) - metrics: Disable prometheus metrics by default (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​31144](https://togithub.com/cilium/cilium/issues/31144), [@​joestringer](https://togithub.com/joestringer)) - operator: fix errors/warnings metric. (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31214](https://togithub.com/cilium/cilium/issues/31214), [@​tommyp1ckles](https://togithub.com/tommyp1ckles)) **CI Changes:** - \[v1.15] test: Remove duplicate Cilium deployments in some datapath config tests ([#​31520](https://togithub.com/cilium/cilium/issues/31520), [@​qmonnet](https://togithub.com/qmonnet)) - Additionally test host firewall + KPR disabled in E2E tests (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​30914](https://togithub.com/cilium/cilium/issues/30914), [@​giorio94](https://togithub.com/giorio94)) - AKS: avoid overlapping pod and service CIDRs (Backport PR [#​31568](https://togithub.com/cilium/cilium/issues/31568), Upstream PR [#​31504](https://togithub.com/cilium/cilium/issues/31504), [@​bimmlerd](https://togithub.com/bimmlerd)) - bgpv1: avoid object tracker vs informer race (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31010](https://togithub.com/cilium/cilium/issues/31010), [@​bimmlerd](https://togithub.com/bimmlerd)) - bgpv1: fix Test_PodIPPoolAdvert flakiness (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31365](https://togithub.com/cilium/cilium/issues/31365), [@​rastislavs](https://togithub.com/rastislavs)) - bpf: fix go testdata check in ci (Backport PR [#​31554](https://togithub.com/cilium/cilium/issues/31554), Upstream PR 
[#​31419](https://togithub.com/cilium/cilium/issues/31419), [@​mhofstetter](https://togithub.com/mhofstetter)) - Centralize configuration of kind version/image in GitHub Action workflows (Backport PR [#​31191](https://togithub.com/cilium/cilium/issues/31191), Upstream PR [#​30916](https://togithub.com/cilium/cilium/issues/30916), [@​giorio94](https://togithub.com/giorio94)) - Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (Backport PR [#​31191](https://togithub.com/cilium/cilium/issues/31191), Upstream PR [#​31198](https://togithub.com/cilium/cilium/issues/31198), [@​giorio94](https://togithub.com/giorio94)) - ci-e2e: Add matrix for bpf.tproxy and ingress-controller (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31272](https://togithub.com/cilium/cilium/issues/31272), [@​sayboras](https://togithub.com/sayboras)) - ci: Bump lvh-kind ssh-startup-wait-retries (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31387](https://togithub.com/cilium/cilium/issues/31387), [@​YutaroHayakawa](https://togithub.com/YutaroHayakawa)) - controlplane: fix mechanism for ensuring watchers (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31030](https://togithub.com/cilium/cilium/issues/31030), [@​bimmlerd](https://togithub.com/bimmlerd)) - Fix bug preventing consistent symbols between ELF and BTF for eBPF unit tests. 
(Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​30610](https://togithub.com/cilium/cilium/issues/30610), [@​learnitall](https://togithub.com/learnitall)) - gateway-api: Enable GRPCRoute conformance tests (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​31055](https://togithub.com/cilium/cilium/issues/31055), [@​sayboras](https://togithub.com/sayboras)) - gha: disable fail-fast on integration tests (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31420](https://togithub.com/cilium/cilium/issues/31420), [@​giorio94](https://togithub.com/giorio94)) - gha: drop unused check_url environment variable (Backport PR [#​31191](https://togithub.com/cilium/cilium/issues/31191), Upstream PR [#​30928](https://togithub.com/cilium/cilium/issues/30928), [@​giorio94](https://togithub.com/giorio94)) - introduce ARM github workflows (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​31196](https://togithub.com/cilium/cilium/issues/31196), [@​aanm](https://togithub.com/aanm)) - ipam: deepcopy interface resource correctly. (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​26998](https://togithub.com/cilium/cilium/issues/26998), [@​tommyp1ckles](https://togithub.com/tommyp1ckles)) - k8s_install.sh: specify the CNI version (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​31182](https://togithub.com/cilium/cilium/issues/31182), [@​aanm](https://togithub.com/aanm)) - loader: fix issue where errors cancelled compile cause error logs. 
(Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​30988](https://togithub.com/cilium/cilium/issues/30988), [@​tommyp1ckles](https://togithub.com/tommyp1ckles)) - Reduce flakiness of controlplane tests (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​30906](https://togithub.com/cilium/cilium/issues/30906), [@​bimmlerd](https://togithub.com/bimmlerd)) - slices: don't modify missed input slice in test (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31119](https://togithub.com/cilium/cilium/issues/31119), [@​bimmlerd](https://togithub.com/bimmlerd)) **Misc Changes:** - Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​31015](https://togithub.com/cilium/cilium/issues/31015), [@​learnitall](https://togithub.com/learnitall)) - Address race condition in TestGetIdentity (Backport PR [#​31541](https://togithub.com/cilium/cilium/issues/31541), Upstream PR [#​30885](https://togithub.com/cilium/cilium/issues/30885), [@​bimmlerd](https://togithub.com/bimmlerd)) - bgpv1: Adjust ConnectionRetryTimeSeconds to 1 in component tests (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​31218](https://togithub.com/cilium/cilium/issues/31218), [@​YutaroHayakawa](https://togithub.com/YutaroHayakawa)) - chore(deps): update all github action dependencies (v1.15) ([#​31480](https://togithub.com/cilium/cilium/issues/31480), [@​renovate](https://togithub.com/renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​31582](https://togithub.com/cilium/cilium/issues/31582), [@​renovate](https://togithub.com/renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.3 (v1.15) ([#​31464](https://togithub.com/cilium/cilium/issues/31464), 
[@​renovate](https://togithub.com/renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.21.8 docker digest to [`8560736`](https://togithub.com/cilium/cilium/commit/8560736) (v1.15) ([#​31450](https://togithub.com/cilium/cilium/issues/31450), [@​renovate](https://togithub.com/renovate)\[bot]) - chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to [`55c6361`](https://togithub.com/cilium/cilium/commit/55c6361) (v1.15) ([#​31453](https://togithub.com/cilium/cilium/issues/31453), [@​renovate](https://togithub.com/renovate)\[bot]) - chore: update json-mock image source in examples (Backport PR [#​31568](https://togithub.com/cilium/cilium/issues/31568), Upstream PR [#​31373](https://togithub.com/cilium/cilium/issues/31373), [@​loomkoom](https://togithub.com/loomkoom)) - cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR [#​31568](https://togithub.com/cilium/cilium/issues/31568), Upstream PR [#​31503](https://togithub.com/cilium/cilium/issues/31503), [@​mhofstetter](https://togithub.com/mhofstetter)) - datapath, bpf: Remove unnecessary IPsec code (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31344](https://togithub.com/cilium/cilium/issues/31344), [@​pchaigno](https://togithub.com/pchaigno)) - doc: Clarified GwAPI KPR prerequisites (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31366](https://togithub.com/cilium/cilium/issues/31366), [@​PhilipSchmid](https://togithub.com/PhilipSchmid)) - docs: Warn on key rotations during upgrades (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31437](https://togithub.com/cilium/cilium/issues/31437), [@​pchaigno](https://togithub.com/pchaigno)) - Don't emit an error message on namespace termination due to Ingress reconciliation (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR 
[#​30808](https://togithub.com/cilium/cilium/issues/30808), [@​giorio94](https://togithub.com/giorio94)) - Downgrade L2 Neighbor Discovery failure log to Debug (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​31179](https://togithub.com/cilium/cilium/issues/31179), [@​YutaroHayakawa](https://togithub.com/YutaroHayakawa)) - endpointmanager: Improve health reporter messages when stopped (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​31231](https://togithub.com/cilium/cilium/issues/31231), [@​christarazi](https://togithub.com/christarazi)) - hive/cell/health: don't warn when reporting on stopped reporter. (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31262](https://togithub.com/cilium/cilium/issues/31262), [@​tommyp1ckles](https://togithub.com/tommyp1ckles)) - ingress: Update docs with network policy example (Backport PR [#​31342](https://togithub.com/cilium/cilium/issues/31342), Upstream PR [#​31060](https://togithub.com/cilium/cilium/issues/31060), [@​sayboras](https://togithub.com/sayboras)) - job: avoid a race condition in TestTimer_ExitOnCloseFnCtx (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​30929](https://togithub.com/cilium/cilium/issues/30929), [@​bimmlerd](https://togithub.com/bimmlerd)) - loader: add message if error is ENOTSUP (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31413](https://togithub.com/cilium/cilium/issues/31413), [@​kkourt](https://togithub.com/kkourt)) - policy: Fix missing labels from SelectorCache selectors (Backport PR [#​31490](https://togithub.com/cilium/cilium/issues/31490), Upstream PR [#​31358](https://togithub.com/cilium/cilium/issues/31358), [@​christarazi](https://togithub.com/christarazi)) - Replaced `declare_tailcall_if` with logic in the loader (Backport PR [#​31554](https://togithub.com/cilium/cilium/issues/31554), 
Upstream PR [#​30467](https://togithub.com/cilium/cilium/issues/30467), [@​dylandreimerink](https://togithub.com/dylandreimerink)) **Other Changes:** - install: Update image digests for v1.15.2 ([#​31378](https://togithub.com/cilium/cilium/issues/31378), [@​jrajahalme](https://togithub.com/jrajahalme)) - v1.15: IPsec Fixes ([#​31610](https://togithub.com/cilium/cilium/issues/31610), [@​pchaigno](https://togithub.com/pchaigno)) ### [`v1.15.2`](https://togithub.com/cilium/cilium/releases/tag/v1.15.2): 1.15.2 [Compare Source](https://togithub.com/cilium/cilium/compare/1.15.1...1.15.2) We are pleased to release Cilium v1.15.2. This release contains various bug fixes and improvements. ## Security Advisories This patch release addresses security vulnerabilities. See the following security advisories for details. - https://github.com/cilium/cilium/security/advisories/GHSA-68mj-9pjq-mc85 - https://github.com/cilium/cilium/security/advisories/GHSA-j89h-qrvr-xc36 - https://github.com/cilium/cilium/security/advisories/GHSA-v6q2-4qr3-5cw6 ## IPsec This patch release includes significant changes for the IPsec stack, to resolve issues for connections that are selected by a L7 Network Policy or a DNS Policy. Such connections may experience disruption during the upgrade, in particular in configurations with overlay routing mode. ## Summary of Changes **Minor Changes:** - Add default divisor for GOMEMLIMIT to satisfy Argo CD diff (Backport PR [#​30997](https://togithub.com/cilium/cilium/issues/30997), Upstream PR [#​30635](https://togithub.com/cilium/cilium/issues/30635), [@​jdmcmahan](https://togithub.com/jdmcmahan)) - Fixes a bug where ToFQDN IPs may be garbage collected too early, disrupting ex

Configuration

📅 Schedule: Branch creation - "on saturday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR has been generated by Mend Renovate. View repository job log here.

github-actions[bot] commented 8 months ago
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -120,12 +120,15 @@

   tofqdns-proxy-response-max-delay: 100ms
   agent-not-ready-taint-key: node.cilium.io/agent-not-ready
   mesh-auth-enabled: 'true'
   mesh-auth-queue-size: '1024'
   mesh-auth-rotated-identities-queue-size: '1024'
   mesh-auth-gc-interval: 5m0s
+  proxy-xff-num-trusted-hops-ingress: '0'
+  proxy-xff-num-trusted-hops-egress: '0'
   proxy-connect-timeout: '2'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
+  proxy-idle-timeout-seconds: '60'
   external-envoy-proxy: 'false'
   max-connected-clusters: '255'
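Review bot: the three added keys change L7 proxy behaviour and arrive from the chart bump alone, since the HelmRelease diff on this page changes only `version`. `proxy-idle-timeout-seconds: '60'` puts a 60-second idle timeout on proxied connections, so check it against any long-lived, mostly idle streams that pass through the proxy. `proxy-xff-num-trusted-hops-ingress: '0'` and its egress twin mean no X-Forwarded-For hops are trusted; that is the conservative value, but if a load balancer or reverse proxy sits in front of the proxy the number should be chosen deliberately. Suggest setting all three explicitly in the HelmRelease values so a later chart bump cannot change them unnoticed.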

--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,25 +16,24 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 6e5106790087d0ec2488a61288743f3b25c6f59fa8999d0fe95fd8d928c23260
-        container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
-        container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
-        container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
-        container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
+        cilium.io/cilium-configmap-checksum: aaff7bc90434efa97c620ee8bce7a362db04d6acf3e6ef6b0d18dc4c4557c196
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
+      securityContext:
+        appArmorProfile:
+          type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
+        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
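Review bot: the AppArmor change in the pod template widens scope and depends on the cluster version. The four removed annotations set `unconfined` only for cilium-agent, clean-cilium-state, mount-cgroup and apply-sysctl-overwrites, while the added pod-level `securityContext.appArmorProfile` with `type: Unconfined` covers every container in the pod, including the config and install-cni-binaries init containers that were not listed before. The `appArmorProfile` field exists only from Kubernetes 1.30 onward; an older API server does not honour it, and with the annotations gone the containers would get the container runtime's default AppArmor profile on nodes where AppArmor is enabled. Confirm that the K3s version of this cluster matches what the diff was rendered for before merging.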
@@ -191,13 +190,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
+        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
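Review bot: in `image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a…` the digest, not the tag, selects what is pulled, and the same value is repeated for the agent and all six init containers in this DaemonSet. Compare it once against the Docker Manifests entry for `quay.io/cilium/cilium:v1.15.5` in the upstream release before merging; the same check applies to the operator-generic and hubble-relay digests further down.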
@@ -216,13 +215,13 @@

           value: '6444'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
+        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /sys/fs/cgroup
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -248,13 +247,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
+        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -278,13 +277,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
+        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -294,13 +293,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
+        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -342,13 +341,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
+        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,22 +20,22 @@

       maxSurge: 25%
       maxUnavailable: 100%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 6e5106790087d0ec2488a61288743f3b25c6f59fa8999d0fe95fd8d928c23260
+        cilium.io/cilium-configmap-checksum: aaff7bc90434efa97c620ee8bce7a362db04d6acf3e6ef6b0d18dc4c4557c196
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.15.3@sha256:c97f23161906b82f5c81a2d825b0646a5aa1dfb4adf1d49cbb87815079e69d61
+        image: quay.io/cilium/operator-generic:v1.15.5@sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.15.3@sha256:b9c6431aa4f22242a5d0d750c621d9d04bdc25549e4fb1116bfec98dd87958a2
+        image: quay.io/cilium/hubble-relay:v1.15.5@sha256:1d24b24e3477ccf9b5ad081827db635419c136a2bd84a3e60f37b26a38dd0781
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
github-actions[bot] commented 8 months ago
--- kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
-      version: 1.15.3
+      version: 1.15.5
   install:
     remediation:
       retries: 3
   interval: 30m
   uninstall:
     keepHistory: false
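Review bot: this HelmRelease moves from `version: 1.15.3`, but the Renovate table for this PR also lists a 1.15.1 -> 1.15.5 change that does not appear in any rendered diff here. Locate the second pin and confirm both references end on 1.15.5, so that whatever else installs the chart does not stay on a release that predates the security advisories listed for 1.15.2 and 1.15.3.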