build(deps): bump github.com/cilium/cilium from 1.14.1 to 1.15.6

[dependabot[bot]]

Bumps github.com/cilium/cilium from 1.14.1 to 1.15.6.

Release notes

Sourced from github.com/cilium/cilium's releases.

1.15.6

We are pleased to release Cilium v1.15.6 that improves background resynchronization of nodes, improves the CLI to troubleshoot connectivity issues, lowers CPU consumption with IPsec for large clusters, and brings a number of additional fixes. Thanks to all contributors, reviewers, testers, and users! :heart:

Summary of Changes

Minor Changes:

• cilium/cilium#32872@​gandro)
• Generate SBOMs using Syft instead of bom (Backport PR #32691, Upstream PR #32307, @​ferozsalam)
• Improved background resynchronization of nodes. Before all nodes were being updated at the same time, now we spread updates over time to average out CPU usage. (Backport PR #32748, Upstream PR #32577, @​marseel)
• Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (Backport PR #32568, Upstream PR #32336, @​giorio94)
• ipsec: Improve CPU usage of cilum-agent in large clusters (Backport PR #32882, Upstream PR #32588, @​marseel)
• KVStoreMesh: expose remote clusters information and introduce dedicated CLI command (Backport PR #32568, Upstream PR #32156, @​giorio94)

Bugfixes:

• .github/workflows: fix digests file creation (Backport PR #32889, Upstream PR #32860, @​aanm)
• cilium/cilium#32649@​pippolo84)
• Add missing kvstore-max-consecutive-quorum-errors option to clustermesh-apiserver/kvstoremesh binaries (Backport PR #32500, Upstream PR #32117, @​giorio94)
• bgp: service eTP=local, withdraw route when last backend on the node goes in terminating state (Backport PR #32691, Upstream PR #32536, @​harsimran-pabla)
• Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields for CiliumLoadBalancerIPPool (Backport PR #32889, Upstream PR #32694, @​dswaffordcw)
• cni: Reserve local ports for DNS proxy even if IPv6 is disabled (Backport PR #32789, Upstream PR #32725, @​gandro)
• egressgw: Let the EGW manager relax rp_filter on egress device (Backport PR #32778, Upstream PR #32679, @​ysksuzuki)
• Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes (Backport PR #32789, Upstream PR #31671, @​foyerunix)
• Fix indexing bug in the logic for picking NodePort addresses. In rare cases this may have caused wrong address to be selected for NodePort use, or an out-of-bounds access. (Backport PR #32691, Upstream PR #32506, @​joamaki)
• Fix PromQL query in Cilium Metrics dashboard (Backport PR #32691, Upstream PR #32017, @​mikemykhaylov)
• Fix rare race condition afflicting clustermesh when disconnecting from a remote cluster, possibly causing the agent to panic (Backport PR #32691, Upstream PR #32513, @​giorio94)
• Fixes accidentally ignoring the preflight.nodeSelector Helm value. (Backport PR #32691, Upstream PR #32548, @​squeed)
• Fixes unencrypted traffic among nodes when IPsec is used with L7 egress proxy. (Backport PR #32932, Upstream PR #32683, @​jschwinger233)
• ingress: Set the default value for max_stream_timeout (Backport PR #32889, Upstream PR #31514, @​tskinn)
• Introduce timeout when waiting for the initial synchronization from remote clusters, to avoid blocking forever necessary GC operations in case of clustermesh misconfigurations. (Backport PR #32802, Upstream PR #32671, @​giorio94)
• ipsec: Safely delete Xfrm state (Backport PR #32691, Upstream PR #32450, @​jschwinger233)
• proxy: Re-enable proxy rule installation in native-routing mode for CEC (Backport PR #32481, Upstream PR #32367, @​sayboras)
• Remove deprecated hubble.ui.securityContext.enabled from hubble-ui deployment template (Backport PR #32889, Upstream PR #32338, @​stelucz)

CI Changes:

• CI: Add job name validation (Backport PR #32500, Upstream PR #32462, @​brlbil)
• ci: Filter supported versions of EKS (Backport PR #32889, Upstream PR #32304, @​marseel)
• ci: Filter supported versions of GKE (Backport PR #32691, Upstream PR #32302, @​marseel)
• ci: l4lb: gather more infos about docker-in-docker issues (Backport PR #32691, Upstream PR #32570, @​mhofstetter)
• ci: l4lb: restart docker-in-docker container on failure (Backport PR #32691, Upstream PR #32600, @​mhofstetter)
• eks: Don't use spot instances (Backport PR #32691, Upstream PR #32553, @​michi-covalent)
• GCP OIDC instead of SA creds. (Backport PR #32707, Upstream PR #30809, @​viktor-kurchenko)
• gha: cover TLS auth mode in clustermesh upgrade/downgrade tests (Backport PR #32789, Upstream PR #32684, @​giorio94)
• gha: test certificate generation methods in conformance clustermesh (Backport PR #32789, Upstream PR #32654, @​giorio94)
• Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a workflow_dispatch event. (Backport PR #32500, Upstream PR #31424, @​learnitall)
• Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR #32500, Upstream PR #32402, @​michi-covalent)
• workflows: ignore "No egress gateway found" drops (Backport PR #32691, Upstream PR #32564, @​jibi)
• workflows: Remove stale CodeQL workflow (Backport PR #32691, Upstream PR #32084, @​pchaigno)

Misc Changes:

... (truncated)

Changelog

Sourced from github.com/cilium/cilium's changelog.

v1.15.6

Summary of Changes

Minor Changes:

• cilium/cilium#32872@​gandro)
• Generate SBOMs using Syft instead of bom (Backport PR #32691, Upstream PR #32307, @​ferozsalam)
• Improved background resynchronization of nodes. Before all nodes were being updated at the same time, now we spread updates over time to average out CPU usage. (Backport PR #32748, Upstream PR #32577, @​marseel)
• Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (Backport PR #32568, Upstream PR #32336, @​giorio94)
• ipsec: Improve CPU usage of cilum-agent in large clusters (Backport PR #32882, Upstream PR #32588, @​marseel)
• KVStoreMesh: expose remote clusters information and introduce dedicated CLI command (Backport PR #32568, Upstream PR #32156, @​giorio94)

Bugfixes:

• .github/workflows: fix digests file creation (Backport PR #32889, Upstream PR #32860, @​aanm)
• cilium/cilium#32649@​pippolo84)
• Add missing kvstore-max-consecutive-quorum-errors option to clustermesh-apiserver/kvstoremesh binaries (Backport PR #32500, Upstream PR #32117, @​giorio94)
• bgp: service eTP=local, withdraw route when last backend on the node goes in terminating state (Backport PR #32691, Upstream PR #32536, @​harsimran-pabla)
• Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields for CiliumLoadBalancerIPPool (Backport PR #32889, Upstream PR #32694, @​dswaffordcw)
• cni: Reserve local ports for DNS proxy even if IPv6 is disabled (Backport PR #32789, Upstream PR #32725, @​gandro)
• egressgw: Let the EGW manager relax rp_filter on egress device (Backport PR #32778, Upstream PR #32679, @​ysksuzuki)
• Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes (Backport PR #32789, Upstream PR #31671, @​foyerunix)
• Fix indexing bug in the logic for picking NodePort addresses. In rare cases this may have caused wrong address to be selected for NodePort use, or an out-of-bounds access. (Backport PR #32691, Upstream PR #32506, @​joamaki)
• Fix PromQL query in Cilium Metrics dashboard (Backport PR #32691, Upstream PR #32017, @​mikemykhaylov)
• Fix rare race condition afflicting clustermesh when disconnecting from a remote cluster, possibly causing the agent to panic (Backport PR #32691, Upstream PR #32513, @​giorio94)
• Fixes accidentally ignoring the preflight.nodeSelector Helm value. (Backport PR #32691, Upstream PR #32548, @​squeed)
• Fixes unencrypted traffic among nodes when IPsec is used with L7 egress proxy. (Backport PR #32932, Upstream PR #32683, @​jschwinger233)
• ingress: Set the default value for max_stream_timeout (Backport PR #32889, Upstream PR #31514, @​tskinn)
• Introduce timeout when waiting for the initial synchronization from remote clusters, to avoid blocking forever necessary GC operations in case of clustermesh misconfigurations. (Backport PR #32802, Upstream PR #32671, @​giorio94)
• ipsec: Safely delete Xfrm state (Backport PR #32691, Upstream PR #32450, @​jschwinger233)
• proxy: Re-enable proxy rule installation in native-routing mode for CEC (Backport PR #32481, Upstream PR #32367, @​sayboras)
• Remove deprecated hubble.ui.securityContext.enabled from hubble-ui deployment template (Backport PR #32889, Upstream PR #32338, @​stelucz)

CI Changes:

• CI: Add job name validation (Backport PR #32500, Upstream PR #32462, @​brlbil)
• ci: Filter supported versions of EKS (Backport PR #32889, Upstream PR #32304, @​marseel)
• ci: Filter supported versions of GKE (Backport PR #32691, Upstream PR #32302, @​marseel)
• ci: l4lb: gather more infos about docker-in-docker issues (Backport PR #32691, Upstream PR #32570, @​mhofstetter)
• ci: l4lb: restart docker-in-docker container on failure (Backport PR #32691, Upstream PR #32600, @​mhofstetter)
• eks: Don't use spot instances (Backport PR #32691, Upstream PR #32553, @​michi-covalent)
• GCP OIDC instead of SA creds. (Backport PR #32707, Upstream PR #30809, @​viktor-kurchenko)
• gha: cover TLS auth mode in clustermesh upgrade/downgrade tests (Backport PR #32789, Upstream PR #32684, @​giorio94)
• gha: test certificate generation methods in conformance clustermesh (Backport PR #32789, Upstream PR #32654, @​giorio94)
• Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a workflow_dispatch event. (Backport PR #32500, Upstream PR #31424, @​learnitall)
• Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR #32500, Upstream PR #32402, @​michi-covalent)
• workflows: ignore "No egress gateway found" drops (Backport PR #32691, Upstream PR #32564, @​jibi)
• workflows: Remove stale CodeQL workflow (Backport PR #32691, Upstream PR #32084, @​pchaigno)

Misc Changes:

• cilium/cilium#32869@​ferozsalam)

... (truncated)

Commits

• a09e05e Prepare for release v1.15.6
• 9299c0f bugtool: Add post-processing masking function for Envoy
• 0191b1e bugtool: Add json masking function
• b648346 docs: ipsec: remove limitation for native-routing with L7 egress policy
• 5197d4c proxy/routes: Also routes egress proxy's return traffic to 2005
• 7f3e1b7 iptables: Ensure iptables masquerading works for proxy traffic
• 8dadbce Don't set 0x200 mark for proxy to world traffic in iptables PREROUTING
• 2091036 chore(deps): update dependency cilium/hubble to v0.13.5
• 8a6f25f fqdn: Forward-compatibility with Cilium 1.16 fqdn identities
• 6eb495d images: update cilium-{runtime,builder}
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot[bot]]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.