Closed renovate[bot] closed 1 week ago
This PR contains the following updates: 1.15.5 -> 1.15.6
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
Release Notes
cilium/cilium (cilium)
### [`v1.15.6`](https://togithub.com/cilium/cilium/releases/tag/v1.15.6): 1.15.6

[Compare Source](https://togithub.com/cilium/cilium/compare/1.15.5...1.15.6)

We are pleased to release Cilium v1.15.6 that improves background resynchronization of nodes, improves the CLI to troubleshoot connectivity issues, lowers CPU consumption with IPsec for large clusters, and brings a number of additional fixes.

Thanks to all contributors, reviewers, testers, and users! :heart:

## Summary of Changes

**Minor Changes:**

- \[v1.15] fqdn: Forward-compatibility with Cilium 1.16 FQDN identities ([#32872](https://togithub.com/cilium/cilium/issues/32872), [@gandro](https://togithub.com/gandro))
- Generate SBOMs using Syft instead of bom (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32307](https://togithub.com/cilium/cilium/issues/32307), [@ferozsalam](https://togithub.com/ferozsalam))
- Improved background resynchronization of nodes. Before all nodes were being updated at the same time, now we spread updates over time to average out CPU usage. (Backport PR [#32748](https://togithub.com/cilium/cilium/issues/32748), Upstream PR [#32577](https://togithub.com/cilium/cilium/issues/32577), [@marseel](https://togithub.com/marseel))
- Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (Backport PR [#32568](https://togithub.com/cilium/cilium/issues/32568), Upstream PR [#32336](https://togithub.com/cilium/cilium/issues/32336), [@giorio94](https://togithub.com/giorio94))
- ipsec: Improve CPU usage of cilium-agent in large clusters (Backport PR [#32882](https://togithub.com/cilium/cilium/issues/32882), Upstream PR [#32588](https://togithub.com/cilium/cilium/issues/32588), [@marseel](https://togithub.com/marseel))
- KVStoreMesh: expose remote clusters information and introduce dedicated CLI command (Backport PR [#32568](https://togithub.com/cilium/cilium/issues/32568), Upstream PR [#32156](https://togithub.com/cilium/cilium/issues/32156), [@giorio94](https://togithub.com/giorio94))

**Bugfixes:**

- .github/workflows: fix digests file creation (Backport PR [#32889](https://togithub.com/cilium/cilium/issues/32889), Upstream PR [#32860](https://togithub.com/cilium/cilium/issues/32860), [@aanm](https://togithub.com/aanm))
- \[v1.15] iptables: Do not install NOTRACK rules if IPv4NativeRoutingCIDR is nil ([#32649](https://togithub.com/cilium/cilium/issues/32649), [@pippolo84](https://togithub.com/pippolo84))
- Add missing kvstore-max-consecutive-quorum-errors option to clustermesh-apiserver/kvstoremesh binaries (Backport PR [#32500](https://togithub.com/cilium/cilium/issues/32500), Upstream PR [#32117](https://togithub.com/cilium/cilium/issues/32117), [@giorio94](https://togithub.com/giorio94))
- bgp: service eTP=local, withdraw route when last backend on the node goes in terminating state (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32536](https://togithub.com/cilium/cilium/issues/32536), [@harsimran-pabla](https://togithub.com/harsimran-pabla))
- Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields for CiliumLoadBalancerIPPool (Backport PR [#32889](https://togithub.com/cilium/cilium/issues/32889), Upstream PR [#32694](https://togithub.com/cilium/cilium/issues/32694), [@dswaffordcw](https://togithub.com/dswaffordcw))
- cni: Reserve local ports for DNS proxy even if IPv6 is disabled (Backport PR [#32789](https://togithub.com/cilium/cilium/issues/32789), Upstream PR [#32725](https://togithub.com/cilium/cilium/issues/32725), [@gandro](https://togithub.com/gandro))
- egressgw: Let the EGW manager relax rp_filter on egress device (Backport PR [#32778](https://togithub.com/cilium/cilium/issues/32778), Upstream PR [#32679](https://togithub.com/cilium/cilium/issues/32679), [@ysksuzuki](https://togithub.com/ysksuzuki))
- Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes (Backport PR [#32789](https://togithub.com/cilium/cilium/issues/32789), Upstream PR [#31671](https://togithub.com/cilium/cilium/issues/31671), [@foyerunix](https://togithub.com/foyerunix))
- Fix indexing bug in the logic for picking NodePort addresses. In rare cases this may have caused wrong address to be selected for NodePort use, or an out-of-bounds access. (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32506](https://togithub.com/cilium/cilium/issues/32506), [@joamaki](https://togithub.com/joamaki))
- Fix PromQL query in Cilium Metrics dashboard (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32017](https://togithub.com/cilium/cilium/issues/32017), [@mikemykhaylov](https://togithub.com/mikemykhaylov))
- Fix rare race condition afflicting clustermesh when disconnecting from a remote cluster, possibly causing the agent to panic (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32513](https://togithub.com/cilium/cilium/issues/32513), [@giorio94](https://togithub.com/giorio94))
- Fixes accidentally ignoring the preflight.nodeSelector Helm value. (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32548](https://togithub.com/cilium/cilium/issues/32548), [@squeed](https://togithub.com/squeed))
- Fixes unencrypted traffic among nodes when IPsec is used with L7 egress proxy. (Backport PR [#32932](https://togithub.com/cilium/cilium/issues/32932), Upstream PR [#32683](https://togithub.com/cilium/cilium/issues/32683), [@jschwinger233](https://togithub.com/jschwinger233))
- ingress: Set the default value for max_stream_timeout (Backport PR [#32889](https://togithub.com/cilium/cilium/issues/32889), Upstream PR [#31514](https://togithub.com/cilium/cilium/issues/31514), [@tskinn](https://togithub.com/tskinn))
- Introduce timeout when waiting for the initial synchronization from remote clusters, to avoid blocking forever necessary GC operations in case of clustermesh misconfigurations. (Backport PR [#32802](https://togithub.com/cilium/cilium/issues/32802), Upstream PR [#32671](https://togithub.com/cilium/cilium/issues/32671), [@giorio94](https://togithub.com/giorio94))
- ipsec: Safely delete Xfrm state (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32450](https://togithub.com/cilium/cilium/issues/32450), [@jschwinger233](https://togithub.com/jschwinger233))
- proxy: Re-enable proxy rule installation in native-routing mode for CEC (Backport PR [#32481](https://togithub.com/cilium/cilium/issues/32481), Upstream PR [#32367](https://togithub.com/cilium/cilium/issues/32367), [@sayboras](https://togithub.com/sayboras))
- Remove deprecated `hubble.ui.securityContext.enabled` from hubble-ui deployment template (Backport PR [#32889](https://togithub.com/cilium/cilium/issues/32889), Upstream PR [#32338](https://togithub.com/cilium/cilium/issues/32338), [@stelucz](https://togithub.com/stelucz))

**CI Changes:**

- CI: Add job name validation (Backport PR [#32500](https://togithub.com/cilium/cilium/issues/32500), Upstream PR [#32462](https://togithub.com/cilium/cilium/issues/32462), [@brlbil](https://togithub.com/brlbil))
- ci: Filter supported versions of EKS (Backport PR [#32889](https://togithub.com/cilium/cilium/issues/32889), Upstream PR [#32304](https://togithub.com/cilium/cilium/issues/32304), [@marseel](https://togithub.com/marseel))
- ci: Filter supported versions of GKE (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32302](https://togithub.com/cilium/cilium/issues/32302), [@marseel](https://togithub.com/marseel))
- ci: l4lb: gather more infos about docker-in-docker issues (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32570](https://togithub.com/cilium/cilium/issues/32570), [@mhofstetter](https://togithub.com/mhofstetter))
- ci: l4lb: restart docker-in-docker container on failure (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32600](https://togithub.com/cilium/cilium/issues/32600), [@mhofstetter](https://togithub.com/mhofstetter))
- eks: Don't use spot instances (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32553](https://togithub.com/cilium/cilium/issues/32553), [@michi-covalent](https://togithub.com/michi-covalent))
- GCP OIDC instead of SA creds. (Backport PR [#32707](https://togithub.com/cilium/cilium/issues/32707), Upstream PR [#30809](https://togithub.com/cilium/cilium/issues/30809), [@viktor-kurchenko](https://togithub.com/viktor-kurchenko))
- gha: cover TLS auth mode in clustermesh upgrade/downgrade tests (Backport PR [#32789](https://togithub.com/cilium/cilium/issues/32789), Upstream PR [#32684](https://togithub.com/cilium/cilium/issues/32684), [@giorio94](https://togithub.com/giorio94))
- gha: test certificate generation methods in conformance clustermesh (Backport PR [#32789](https://togithub.com/cilium/cilium/issues/32789), Upstream PR [#32654](https://togithub.com/cilium/cilium/issues/32654), [@giorio94](https://togithub.com/giorio94))
- Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a `workflow_dispatch` event. (Backport PR [#32500](https://togithub.com/cilium/cilium/issues/32500), Upstream PR [#31424](https://togithub.com/cilium/cilium/issues/31424), [@learnitall](https://togithub.com/learnitall))
- Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR [#32500](https://togithub.com/cilium/cilium/issues/32500), Upstream PR [#32402](https://togithub.com/cilium/cilium/issues/32402), [@michi-covalent](https://togithub.com/michi-covalent))
- workflows: ignore "No egress gateway found" drops (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32564](https://togithub.com/cilium/cilium/issues/32564), [@jibi](https://togithub.com/jibi))
- workflows: Remove stale CodeQL workflow (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32084](https://togithub.com/cilium/cilium/issues/32084), [@pchaigno](https://togithub.com/pchaigno))

**Misc Changes:**

- (v1.15) Bump go-jose ([#32869](https://togithub.com/cilium/cilium/issues/32869), [@ferozsalam](https://togithub.com/ferozsalam))
- (v1.15) Bump golang.org/x/net ([#32793](https://togithub.com/cilium/cilium/issues/32793), [@ferozsalam](https://togithub.com/ferozsalam))
- background-sync: fix bootstrap issue and edge-case with 1 node (Backport PR [#32748](https://togithub.com/cilium/cilium/issues/32748), Upstream PR [#32630](https://togithub.com/cilium/cilium/issues/32630), [@marseel](https://togithub.com/marseel))
- bpf: add ext_err for more callers of tail_call_internal() (Backport PR [#32332](https://togithub.com/cilium/cilium/issues/32332), Upstream PR [#30023](https://togithub.com/cilium/cilium/issues/30023), [@julianwiedmann](https://togithub.com/julianwiedmann))
- bpf: add improved helper for program-internal tail-call (Backport PR [#32332](https://togithub.com/cilium/cilium/issues/32332), Upstream PR [#30001](https://togithub.com/cilium/cilium/issues/30001), [@julianwiedmann](https://togithub.com/julianwiedmann))
- bpf: add multicast in MAX_OVERLAY_OPTIONS (Backport PR [#32332](https://togithub.com/cilium/cilium/issues/32332), Upstream PR [#32129](https://togithub.com/cilium/cilium/issues/32129), [@harsimran-pabla](https://togithub.com/harsimran-pabla))
- bpf: convert ep_tail_call() to tail_call_internal() (Backport PR [#32332](https://togithub.com/cilium/cilium/issues/32332), Upstream PR [#30288](https://togithub.com/cilium/cilium/issues/30288), [@julianwiedmann](https://togithub.com/julianwiedmann))
- bpf: egw: delay SNAT for local client to actual egress interface (Backport PR [#32789](https://togithub.com/cilium/cilium/issues/32789), Upstream PR [#32428](https://togithub.com/cilium/cilium/issues/32428), [@julianwiedmann](https://togithub.com/julianwiedmann))
- bpf: hide dynamic/static variant for policy tail-call (Backport PR [#32332](https://togithub.com/cilium/cilium/issues/32332), Upstream PR [#32299](https://togithub.com/cilium/cilium/issues/32299), [@julianwiedmann](https://togithub.com/julianwiedmann))
- bpf: minor tail-call cleanups (Backport PR [#32332](https://togithub.com/cilium/cilium/issues/32332), Upstream PR [#31990](https://togithub.com/cilium/cilium/issues/31990), [@julianwiedmann](https://togithub.com/julianwiedmann))
- bump cni plugins to v1.5.0 (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32629](https://togithub.com/cilium/cilium/issues/32629), [@antonipp](https://togithub.com/antonipp))
- Bump timeout of lint-build-commits.yaml (Backport PR [#32789](https://togithub.com/cilium/cilium/issues/32789), Upstream PR [#32746](https://togithub.com/cilium/cilium/issues/32746), [@YutaroHayakawa](https://togithub.com/YutaroHayakawa))
- chore(deps): update all github action dependencies (v1.15) ([#32493](https://togithub.com/cilium/cilium/issues/32493), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update all github action dependencies (v1.15) ([#32632](https://togithub.com/cilium/cilium/issues/32632), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update all github action dependencies (v1.15) ([#32719](https://togithub.com/cilium/cilium/issues/32719), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update all github action dependencies (v1.15) ([#32841](https://togithub.com/cilium/cilium/issues/32841), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update all github action dependencies (v1.15) ([#32923](https://togithub.com/cilium/cilium/issues/32923), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update all github action dependencies (v1.15) (patch) ([#32633](https://togithub.com/cilium/cilium/issues/32633), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update cilium/cilium-cli action to v0.16.7 (v1.15) ([#32395](https://togithub.com/cilium/cilium/issues/32395), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update cilium/little-vm-helper action to v0.0.18 (v1.15) ([#32580](https://togithub.com/cilium/cilium/issues/32580), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.8 (v1.15) ([#32780](https://togithub.com/cilium/cilium/issues/32780), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.9 (v1.15) ([#32835](https://togithub.com/cilium/cilium/issues/32835), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update dependency cilium/hubble to v0.13.4 (v1.15) ([#32519](https://togithub.com/cilium/cilium/issues/32519), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update dependency cilium/hubble to v0.13.5 (v1.15) ([#32948](https://togithub.com/cilium/cilium/issues/32948), [@cilium-renovate](https://togithub.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`19478ce`](https://togithub.com/cilium/cilium/commit/19478ce) (v1.15) ([#32922](https://togithub.com/cilium/cilium/issues/32922), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.14 (v1.15) ([#32838](https://togithub.com/cilium/cilium/issues/32838), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update go (v1.15) ([#32623](https://togithub.com/cilium/cilium/issues/32623), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update go to v1.21.11 (v1.15) ([#32894](https://togithub.com/cilium/cilium/issues/32894), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.13.4 (v1.15) ([#32634](https://togithub.com/cilium/cilium/issues/32634), [@renovate](https://togithub.com/renovate)\[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) ([#32635](https://togithub.com/cilium/cilium/issues/32635), [@renovate](https://togithub.com/renovate)\[bot])
- contrib: Remove CHARTS_PATH dependency (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32328](https://togithub.com/cilium/cilium/issues/32328), [@joestringer](https://togithub.com/joestringer))
- datapath: report distinct drop reason for missed endpoint policy tailcall (Backport PR [#32332](https://togithub.com/cilium/cilium/issues/32332), Upstream PR [#32151](https://togithub.com/cilium/cilium/issues/32151), [@julianwiedmann](https://togithub.com/julianwiedmann))
- docs: Add example for kube-apiserver entity policy (Backport PR [#32500](https://togithub.com/cilium/cilium/issues/32500), Upstream PR [#32278](https://togithub.com/cilium/cilium/issues/32278), [@joestringer](https://togithub.com/joestringer))
- Docs: add note about AKS kube-apiserver entity (Backport PR [#32691](https://togithub.com/cilium/cilium/issues/32691), Upstream PR [#32464](https://togithub.com/cilium/cilium/issues/32464), [@darox](https://togithub.com/darox))
- docs: ipsec: remove limitation for native-routing with L7 egress policy (Backport PR [#32955](https://togithub.com/cilium/cilium/issues/32955), Upstream PR [#32906](https://togithub.com/cilium/cilium/issues/32906), [@julianwiedmann](https://togithub.com/julianwiedmann))
- Miscellaneous improvements to the clustermesh troubleshooting guide (Backport PR [#32568](https://togithub.com/cilium/cilium/issues/32568), Upstream PR [#32552](https://togithub.com/cilium/cilium/issues/32552), [@giorio94](https://togithub.com/giorio94))

**Other Changes:**

- \[v1.15] bugtool: Avoid sensitive data in envoy config dump ([#32964](https://togithub.com/cilium/cilium/issues/32964), [@sayboras](https://togithub.com/sayboras))
- \[v1.15] envoy: Bump envoy version to v1.28.4 ([#32908](https://togithub.com/cilium/cilium/issues/32908), [@sayboras](https://togithub.com/sayboras))
- Fix: LB service lookup for flow matching conntrack entry ([#32608](https://togithub.com/cilium/cilium/issues/32608), [@sypakine](https://togithub.com/sypakine))
- install: Update image digests for v1.15.5 ([#32544](https://togithub.com/cilium/cilium/issues/32544), [@nebril](https://togithub.com/nebril))
- Revert golang image version of hubble-relay ([#32732](https://togithub.com/cilium/cilium/issues/32732), [@YutaroHayakawa](https://togithub.com/YutaroHayakawa))

#### v1.15.6

#### Docker Manifests

- cilium
- clustermesh-apiserver
- docker-plugin
- hubble-relay
- operator-alibabacloud
- operator-aws
- operator-azure
- operator-generic
- operator