Update chart cilium to 1.16.5 #962

Merged
jahanson merged 1 commit from renovate/patch-cilium into main 2024-12-20 13:49:16 -06:00

This PR contains the following updates:

Package | Update | Change
cilium (source) | patch | 1.16.3 -> 1.16.5

Release Notes

cilium/cilium (cilium)

v1.16.5: 1.16.5

Compare Source: https://github.com/cilium/cilium/compare/1.16.4...1.16.5

Summary of Changes

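Minor Changes:

  • hubble: Stop building 32-bit binaries (Backport PR #36066, Upstream PR #35974, @michi-covalent)

Bugfixes:

  • Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (Backport PR #36540, Upstream PR #36484, @julianwiedmann)
  • bgp: fix race in bgp stores (Backport PR #36066, Upstream PR #35971, @harsimran-pabla)
  • BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR #36286, Upstream PR #36230, @rastislavs)
  • BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR #36286, Upstream PR #36165, @rastislavs)
  • Cilium agent now waits until endpoints have restored before starting accepting new xDS streams. (Backport PR #36049, Upstream PR #35984, @jrajahalme)
  • Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (Backport PR #36462, Upstream PR #36252, @bimmlerd)
  • cilium-health-ep controller is made to be more robust against successive failures. (Backport PR #36066, Upstream PR #35936, @jrajahalme)
  • DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (Backport PR #36468, Upstream PR #36142, @jrajahalme)
  • Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (Backport PR #36049, Upstream PR #36060, @jrajahalme)
  • Fix an issue where pod-to-world traffic goes up stack when BPF host routing is enabled with tunnel. (Backport PR #35861, Upstream PR #35098, @jschwinger233)
  • Fix identity leak for kvstore identity mode (Backport PR #36066, Upstream PR #34893, @odinuge)
  • Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (Backport PR #36302, Upstream PR #36292, @giorio94)
  • gateway-api: Fix gateway checks for namespace (Backport PR #36462, Upstream PR #35452, @sayboras)
  • gha: Remove hostLegacyRouting in clustermesh (Backport PR #36357, Upstream PR #35418, @sayboras)
  • helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (Backport PR #36066, Upstream PR #36005, @devodev)
  • hubble: consistently use v as prefix for the Hubble version (Backport PR #36286, Upstream PR #35891, @rolinh)
  • iptables: Fix data race in iptables manager (Backport PR #36066, Upstream PR #35902, @pippolo84)
  • lrp: update LRP services with stale backends on agent restart (Backport PR #36106, Upstream PR #36036, @ysksuzuki)
  • policy: Fix bug that allowed port ranges to be attached to L7 policies, which is not permitted. (#36050, @nathanjsweet)
  • Unbreak the cilium-dbg preflight migrate-identity command (Backport PR #36286, Upstream PR #36089, @giorio94)
  • Use strconv.Itoa instead of string() for the correct behavior when converting kafka.ErrorCode from int32 to string. Add relevant unit tests for Kafka plugin and handler. (Backport PR #36066, Upstream PR #35856, @nddq)

CI Changes:

  • [v1.16] ci: modularize chart CI push workflow (#35958, @ferozsalam)
  • gh: conformance-clustermesh: test with IPsec + BPF NodePort (Backport PR #36462, Upstream PR #36384, @julianwiedmann)
  • gha: configure environment in build-images-base/image-digests job (Backport PR #36462, Upstream PR #36318, @giorio94)
  • node_local_store: prevent racey tests while using mock node store. (Backport PR #36066, Upstream PR #35945, @tommyp1ckles)
  • Remove unnecessary hubble port-forward commands (Backport PR #36066, Upstream PR #33523, @michi-covalent)

Misc Changes:

  • [v1.16] docs: egress masquerade selector (#36333, @viktor-kurchenko)
  • [v1.16] images: bump cni plugins to v1.6.0 (#36092, @ferozsalam)
  • bugtool: dump tail-call map for bpf_wireguard (Backport PR #36286, Upstream PR #36183, @julianwiedmann)
  • chore(deps): update all github action dependencies (v1.16) (#36155, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#36275, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#36443, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (patch) (#36277, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#35546, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#36152, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#36279, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#36444, @cilium-renovate[bot])
  • chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.16) (#36153, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.9 docker digest to 147f428 (v1.16) (#36222, @cilium-renovate[bot])
  • chore(deps): update go to v1.22.10 (v1.16) (#36441, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1732605705-2aa20ee3acb68cd38d57669af19508bea8f0ba62 (v1.16) (#36180, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 (v1.16) (#36495, @cilium-renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241129.013349 (v1.16) (#36278, @cilium-renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241206.013345 (v1.16) (#36442, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.16) (patch) (#36154, @cilium-renovate[bot])
  • docs: Add the tls:// prefix before the IP address (Backport PR #36286, Upstream PR #36118, @liyihuang)
  • docs: Fix typo in multi-pool section title (Backport PR #36312, Upstream PR #36305, @joestringer)
  • docs: In k0s guide, remove dashes to fix invalid Bash variable names. (Backport PR #36066, Upstream PR #35923, @yilas)
  • docs: lrp: fix kernel version requirement for skipRedirectFromBackend (Backport PR #36066, Upstream PR #35921, @ysksuzuki)
  • docs: system-requirements: require 5.4 kernel (Backport PR #36462, Upstream PR #36386, @julianwiedmann)
  • docs: WireGuard doesn't require overlay port in Network Firewalls (Backport PR #36286, Upstream PR #36208, @julianwiedmann)
  • Endpoint populate new policymap early if empty (Backport PR #36479, Upstream PR #36361, @jrajahalme)
  • envoy: Configure internal_address_config to avoid warning log (Backport PR #36015, Upstream PR #35943, @sayboras)
  • envoy: Pass tofqdns-proxy-response-max-delay to Envoy (Backport PR #36468, Upstream PR #36330, @jrajahalme)
  • fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (v1.16) (#36530, @cilium-renovate[bot])
  • Fixed BGP documentation (Backport PR #36066, Upstream PR #35953, @seadog007)
  • images: Use cilium-builder image instead of golang to build hubble (Backport PR #36312, Upstream PR #35697, @learnitall)
  • lrp: fix kernel version requirement in warning log (Backport PR #36286, Upstream PR #36141, @ysksuzuki)
  • Makefile: fix swagger definition for automatic renovate updates (Backport PR #36066, Upstream PR #35979, @aanm)
  • proxy: Take proxy port reference for new redirects immediately (Backport PR #36468, Upstream PR #36435, @jrajahalme)
  • proxyports: Resolve data races in test (Backport PR #36468, Upstream PR #36399, @jrajahalme)
  • proxyports: Sleep a bit longer in tests (Backport PR #36468, Upstream PR #36389, @jrajahalme)
  • Remove duplicated watch on services and endpoint in the cilium-agent (Backport PR #36066, Upstream PR #35838, @MrFreezeex)
  • Rework error handling logic in neighbor discovery (Backport PR #36093, Upstream PR #35144, @pippolo84)
  • Silence spurious clustermesh-related warnings (Backport PR #36225, Upstream PR #35867, @giorio94)
  • Update documentation for egress masquerading behavior (Backport PR #36462, Upstream PR #36267, @liyihuang)

Other Changes:

  • [1.16] ci/ipsec-upgrade: increase cilium status wait duration (#36082, @harsimran-pabla)
  • [v1.16] cilium, service: Fix checkLBSrcRange propagation to LB map (#36511, @borkmann)
  • install: Update image digests for v1.16.4 (#36047, @cilium-release-bot[bot])
  • jrajahalme/v1.16 cilium cli (#36541, @jrajahalme)
  • Revert "workflows/ipsec: Cover Ingress" (#36116, @harsimran-pabla)
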
Docker Manifests

v1.16.4: 1.16.4

Compare Source: https://github.com/cilium/cilium/compare/1.16.3...1.16.4

Security Advisories

This release addresses https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67.

Summary of Changes

Minor Changes:

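  • Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR #35908, Upstream PR #35809, @jrajahalme)
  • clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR #35543, Upstream PR #35349, @giorio94)
  • helm: Lower default hubble.tls.auto.certValidityDuration to 365 days (Backport PR #35781, Upstream PR #35630, @chancez)
  • helm: New socketLB.tracing flag (Backport PR #35781, Upstream PR #35747, @pchaigno)
  • hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR #35781, Upstream PR #35632, @chancez)
  • netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport PR #35543, Upstream PR #35306, @jrife)

Bugfixes:

  • Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR #35468, Upstream PR #35179, @wedaly)
  • bgpv1: fix reconciliation of services with shared VIPs (Backport PR #35468, Upstream PR #35333, @rastislavs)
  • bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR #35863, Upstream PR #35690, @YutaroHayakawa)
  • bgpv2: set local peering address when specified (Backport PR #35781, Upstream PR #35552, @harsimran-pabla)
  • Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport PR #35603, Upstream PR #35150, @jrajahalme)
  • Cilium's DNS proxy no longer gets stuck for a specific five-tuple if a "timeout waiting for response" error is encountered. (Backport PR #35781, Upstream PR #35589, @bimmlerd)
  • config: Remove superfluous warning on native routing CIDR (Backport PR #35781, Upstream PR #35738, @gandro)
  • Fix missing flowlabel hash on SRv6 traffic. (Backport PR #35781, Upstream PR #35498, @akaliwod)
  • Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR #35543, Upstream PR #35173, @smagnani96)
  • Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport PR #35781, Upstream PR #35673, @giorio94)
  • Fix redirect from L3 device to remote endpoint via overlay network.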

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | patch | `1.16.3` -> `1.16.5` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.16.5`](https://github.com/cilium/cilium/releases/tag/v1.16.5): 1.16.5 [Compare Source](https://github.com/cilium/cilium/compare/1.16.4...1.16.5) ## Summary of Changes **Minor Changes:** - hubble: Stop building 32-bit binaries (Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;35974](https://github.com/cilium/cilium/issues/35974), [@&#8203;michi-covalent](https://github.com/michi-covalent)) **Bugfixes:** - Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (Backport PR [#&#8203;36540](https://github.com/cilium/cilium/issues/36540), Upstream PR [#&#8203;36484](https://github.com/cilium/cilium/issues/36484), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - bgp: fix race in bgp stores (Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;35971](https://github.com/cilium/cilium/issues/35971), [@&#8203;harsimran-pabla](https://github.com/harsimran-pabla)) - BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR [#&#8203;36286](https://github.com/cilium/cilium/issues/36286), Upstream PR [#&#8203;36230](https://github.com/cilium/cilium/issues/36230), [@&#8203;rastislavs](https://github.com/rastislavs)) - BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR 
[#&#8203;36286](https://github.com/cilium/cilium/issues/36286), Upstream PR [#&#8203;36165](https://github.com/cilium/cilium/issues/36165), [@&#8203;rastislavs](https://github.com/rastislavs)) - Cilium agent now waits until endpoints have restored before starting accepting new xDS streams. (Backport PR [#&#8203;36049](https://github.com/cilium/cilium/issues/36049), Upstream PR [#&#8203;35984](https://github.com/cilium/cilium/issues/35984), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (Backport PR [#&#8203;36462](https://github.com/cilium/cilium/issues/36462), Upstream PR [#&#8203;36252](https://github.com/cilium/cilium/issues/36252), [@&#8203;bimmlerd](https://github.com/bimmlerd)) - cilium-health-ep controller is made to be more robust against successive failures. (Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;35936](https://github.com/cilium/cilium/issues/35936), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (Backport PR [#&#8203;36468](https://github.com/cilium/cilium/issues/36468), Upstream PR [#&#8203;36142](https://github.com/cilium/cilium/issues/36142), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (Backport PR [#&#8203;36049](https://github.com/cilium/cilium/issues/36049), Upstream PR [#&#8203;36060](https://github.com/cilium/cilium/issues/36060), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - Fix an issue where pod-to-world traffic goes up stack when BPF host routing is enabled with tunnel. 
(Backport PR [#&#8203;35861](https://github.com/cilium/cilium/issues/35861), Upstream PR [#&#8203;35098](https://github.com/cilium/cilium/issues/35098), [@&#8203;jschwinger233](https://github.com/jschwinger233)) - Fix identity leak for kvstore identity mode (Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;34893](https://github.com/cilium/cilium/issues/34893), [@&#8203;odinuge](https://github.com/odinuge)) - Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (Backport PR [#&#8203;36302](https://github.com/cilium/cilium/issues/36302), Upstream PR [#&#8203;36292](https://github.com/cilium/cilium/issues/36292), [@&#8203;giorio94](https://github.com/giorio94)) - gateway-api: Fix gateway checks for namespace (Backport PR [#&#8203;36462](https://github.com/cilium/cilium/issues/36462), Upstream PR [#&#8203;35452](https://github.com/cilium/cilium/issues/35452), [@&#8203;sayboras](https://github.com/sayboras)) - gha: Remove hostLegacyRouting in clustermesh (Backport PR [#&#8203;36357](https://github.com/cilium/cilium/issues/36357), Upstream PR [#&#8203;35418](https://github.com/cilium/cilium/issues/35418), [@&#8203;sayboras](https://github.com/sayboras)) - helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;36005](https://github.com/cilium/cilium/issues/36005), [@&#8203;devodev](https://github.com/devodev)) - hubble: consistently use v as prefix for the Hubble version (Backport PR [#&#8203;36286](https://github.com/cilium/cilium/issues/36286), Upstream PR [#&#8203;35891](https://github.com/cilium/cilium/issues/35891), [@&#8203;rolinh](https://github.com/rolinh)) - iptables: Fix data race in iptables manager (Backport PR 
[#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;35902](https://github.com/cilium/cilium/issues/35902), [@&#8203;pippolo84](https://github.com/pippolo84)) - lrp: update LRP services with stale backends on agent restart (Backport PR [#&#8203;36106](https://github.com/cilium/cilium/issues/36106), Upstream PR [#&#8203;36036](https://github.com/cilium/cilium/issues/36036), [@&#8203;ysksuzuki](https://github.com/ysksuzuki)) - policy: Fix bug that allowed port ranges to be attached to L7 policies, which is not permitted. ([#&#8203;36050](https://github.com/cilium/cilium/issues/36050), [@&#8203;nathanjsweet](https://github.com/nathanjsweet)) - Unbreak the cilium-dbg preflight migrate-identity command (Backport PR [#&#8203;36286](https://github.com/cilium/cilium/issues/36286), Upstream PR [#&#8203;36089](https://github.com/cilium/cilium/issues/36089), [@&#8203;giorio94](https://github.com/giorio94)) - Use `strconv.Itoa` instead of `string()` for the correct behavior when converting `kafka.ErrorCode` from `int32` to `string`. Add relevant unit tests for Kafka plugin and handler. 
(Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;35856](https://github.com/cilium/cilium/issues/35856), [@&#8203;nddq](https://github.com/nddq)) **CI Changes:** - \[v1.16] ci: modularize chart CI push workflow ([#&#8203;35958](https://github.com/cilium/cilium/issues/35958), [@&#8203;ferozsalam](https://github.com/ferozsalam)) - gh: conformance-clustermesh: test with IPsec + BPF NodePort (Backport PR [#&#8203;36462](https://github.com/cilium/cilium/issues/36462), Upstream PR [#&#8203;36384](https://github.com/cilium/cilium/issues/36384), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - gha: configure environment in build-images-base/image-digests job (Backport PR [#&#8203;36462](https://github.com/cilium/cilium/issues/36462), Upstream PR [#&#8203;36318](https://github.com/cilium/cilium/issues/36318), [@&#8203;giorio94](https://github.com/giorio94)) - node_local_store: prevent racey tests while using mock node store. (Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;35945](https://github.com/cilium/cilium/issues/35945), [@&#8203;tommyp1ckles](https://github.com/tommyp1ckles)) - Remove unnecessary hubble port-forward commands (Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;33523](https://github.com/cilium/cilium/issues/33523), [@&#8203;michi-covalent](https://github.com/michi-covalent)) **Misc Changes:** - \[v1.16] docs: egress masquerade selector ([#&#8203;36333](https://github.com/cilium/cilium/issues/36333), [@&#8203;viktor-kurchenko](https://github.com/viktor-kurchenko)) - \[v1.16] images: bump cni plugins to v1.6.0 ([#&#8203;36092](https://github.com/cilium/cilium/issues/36092), [@&#8203;ferozsalam](https://github.com/ferozsalam)) - bugtool: dump tail-call map for bpf_wireguard (Backport PR [#&#8203;36286](https://github.com/cilium/cilium/issues/36286), Upstream PR 
[#&#8203;36183](https://github.com/cilium/cilium/issues/36183), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - chore(deps): update all github action dependencies (v1.16) ([#&#8203;36155](https://github.com/cilium/cilium/issues/36155), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.16) ([#&#8203;36275](https://github.com/cilium/cilium/issues/36275), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.16) ([#&#8203;36443](https://github.com/cilium/cilium/issues/36443), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.16) (patch) ([#&#8203;36277](https://github.com/cilium/cilium/issues/36277), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.16) ([#&#8203;35546](https://github.com/cilium/cilium/issues/35546), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.16) ([#&#8203;36152](https://github.com/cilium/cilium/issues/36152), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.16) ([#&#8203;36279](https://github.com/cilium/cilium/issues/36279), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.16) ([#&#8203;36444](https://github.com/cilium/cilium/issues/36444), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.16) ([#&#8203;36153](https://github.com/cilium/cilium/issues/36153), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.22.9 docker digest to [`147f428`](https://github.com/cilium/cilium/commit/147f428) (v1.16) 
([#&#8203;36222](https://github.com/cilium/cilium/issues/36222), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.22.10 (v1.16) ([#&#8203;36441](https://github.com/cilium/cilium/issues/36441), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1732605705-2aa20ee3acb68cd38d57669af19508bea8f0ba62 (v1.16) ([#&#8203;36180](https://github.com/cilium/cilium/issues/36180), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 (v1.16) ([#&#8203;36495](https://github.com/cilium/cilium/issues/36495), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241129.013349 (v1.16) ([#&#8203;36278](https://github.com/cilium/cilium/issues/36278), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241206.013345 (v1.16) ([#&#8203;36442](https://github.com/cilium/cilium/issues/36442), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.16) (patch) ([#&#8203;36154](https://github.com/cilium/cilium/issues/36154), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - docs: Add the tls:// prefix before the IP address (Backport PR [#&#8203;36286](https://github.com/cilium/cilium/issues/36286), Upstream PR [#&#8203;36118](https://github.com/cilium/cilium/issues/36118), [@&#8203;liyihuang](https://github.com/liyihuang)) - docs: Fix typo in multi-pool section title (Backport PR [#&#8203;36312](https://github.com/cilium/cilium/issues/36312), Upstream PR [#&#8203;36305](https://github.com/cilium/cilium/issues/36305), [@&#8203;joestringer](https://github.com/joestringer)) - docs: In 
k0s guide, remove dashes to fix invalid Bash variable names. (Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;35923](https://github.com/cilium/cilium/issues/35923), [@&#8203;yilas](https://github.com/yilas)) - docs: lrp: fix kernel version requirement for skipRedirectFromBackend (Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;35921](https://github.com/cilium/cilium/issues/35921), [@&#8203;ysksuzuki](https://github.com/ysksuzuki)) - docs: system-requirements: require 5.4 kernel (Backport PR [#&#8203;36462](https://github.com/cilium/cilium/issues/36462), Upstream PR [#&#8203;36386](https://github.com/cilium/cilium/issues/36386), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - docs: WireGuard doesn't require overlay port in Network Firewalls (Backport PR [#&#8203;36286](https://github.com/cilium/cilium/issues/36286), Upstream PR [#&#8203;36208](https://github.com/cilium/cilium/issues/36208), [@&#8203;julianwiedmann](https://github.com/julianwiedmann)) - Endpoint populate new policymap early if empty (Backport PR [#&#8203;36479](https://github.com/cilium/cilium/issues/36479), Upstream PR [#&#8203;36361](https://github.com/cilium/cilium/issues/36361), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - envoy: Configure internal_address_config to avoid warning log (Backport PR [#&#8203;36015](https://github.com/cilium/cilium/issues/36015), Upstream PR [#&#8203;35943](https://github.com/cilium/cilium/issues/35943), [@&#8203;sayboras](https://github.com/sayboras)) - envoy: Pass tofqdns-proxy-response-max-delay to Envoy (Backport PR [#&#8203;36468](https://github.com/cilium/cilium/issues/36468), Upstream PR [#&#8203;36330](https://github.com/cilium/cilium/issues/36330), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - fix(deps): update module golang.org/x/crypto to v0.31.0 \[security] (v1.16) 
([#&#8203;36530](https://github.com/cilium/cilium/issues/36530), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot]) - Fixed BGP documentation (Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;35953](https://github.com/cilium/cilium/issues/35953), [@&#8203;seadog007](https://github.com/seadog007)) - images: Use cilium-builder image instead of golang to build hubble (Backport PR [#&#8203;36312](https://github.com/cilium/cilium/issues/36312), Upstream PR [#&#8203;35697](https://github.com/cilium/cilium/issues/35697), [@&#8203;learnitall](https://github.com/learnitall)) - lrp: fix kernel version requirement in warning log (Backport PR [#&#8203;36286](https://github.com/cilium/cilium/issues/36286), Upstream PR [#&#8203;36141](https://github.com/cilium/cilium/issues/36141), [@&#8203;ysksuzuki](https://github.com/ysksuzuki)) - Makefile: fix swagger definition for automatic renovate updates (Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;35979](https://github.com/cilium/cilium/issues/35979), [@&#8203;aanm](https://github.com/aanm)) - proxy: Take proxy port reference for new redirects immediately (Backport PR [#&#8203;36468](https://github.com/cilium/cilium/issues/36468), Upstream PR [#&#8203;36435](https://github.com/cilium/cilium/issues/36435), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - proxyports: Resolve data races in test (Backport PR [#&#8203;36468](https://github.com/cilium/cilium/issues/36468), Upstream PR [#&#8203;36399](https://github.com/cilium/cilium/issues/36399), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - proxyports: Sleep a bit longer in tests (Backport PR [#&#8203;36468](https://github.com/cilium/cilium/issues/36468), Upstream PR [#&#8203;36389](https://github.com/cilium/cilium/issues/36389), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - Remove duplicated watch on services and endpoint in the cilium-agent 
(Backport PR [#&#8203;36066](https://github.com/cilium/cilium/issues/36066), Upstream PR [#&#8203;35838](https://github.com/cilium/cilium/issues/35838), [@&#8203;MrFreezeex](https://github.com/MrFreezeex)) - Rework error handling logic in neighbor discovery (Backport PR [#&#8203;36093](https://github.com/cilium/cilium/issues/36093), Upstream PR [#&#8203;35144](https://github.com/cilium/cilium/issues/35144), [@&#8203;pippolo84](https://github.com/pippolo84)) - Silence spurious clustermesh-related warnings (Backport PR [#&#8203;36225](https://github.com/cilium/cilium/issues/36225), Upstream PR [#&#8203;35867](https://github.com/cilium/cilium/issues/35867), [@&#8203;giorio94](https://github.com/giorio94)) - Update documentation for egress masquerading behavior (Backport PR [#&#8203;36462](https://github.com/cilium/cilium/issues/36462), Upstream PR [#&#8203;36267](https://github.com/cilium/cilium/issues/36267), [@&#8203;liyihuang](https://github.com/liyihuang)) **Other Changes:** - \[1.16] ci/ipsec-upgrade: increase cilium status wait duration ([#&#8203;36082](https://github.com/cilium/cilium/issues/36082), [@&#8203;harsimran-pabla](https://github.com/harsimran-pabla)) - \[v1.16] cilium, service: Fix checkLBSrcRange propagation to LB map ([#&#8203;36511](https://github.com/cilium/cilium/issues/36511), [@&#8203;borkmann](https://github.com/borkmann)) - install: Update image digests for v1.16.4 ([#&#8203;36047](https://github.com/cilium/cilium/issues/36047), [@&#8203;cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) - jrajahalme/v1.16 cilium cli ([#&#8203;36541](https://github.com/cilium/cilium/issues/36541), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - Revert "workflows/ipsec: Cover Ingress" ([#&#8203;36116](https://github.com/cilium/cilium/issues/36116), [@&#8203;harsimran-pabla](https://github.com/harsimran-pabla)) ##### Docker Manifests ##### cilium 
`quay.io/cilium/cilium:v1.16.5@&#8203;sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d` `quay.io/cilium/cilium:stable@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.16.5@&#8203;sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958` `quay.io/cilium/clustermesh-apiserver:stable@sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.16.5@&#8203;sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768` `quay.io/cilium/docker-plugin:stable@sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.16.5@&#8203;sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00` `quay.io/cilium/hubble-relay:stable@sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.16.5@&#8203;sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0` `quay.io/cilium/operator-alibabacloud:stable@sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0` ##### operator-aws `quay.io/cilium/operator-aws:v1.16.5@&#8203;sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476` `quay.io/cilium/operator-aws:stable@sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476` ##### operator-azure `quay.io/cilium/operator-azure:v1.16.5@&#8203;sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9` `quay.io/cilium/operator-azure:stable@sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9` ##### operator-generic `quay.io/cilium/operator-generic:v1.16.5@&#8203;sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039` 
`quay.io/cilium/operator-generic:stable@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039` ##### operator `quay.io/cilium/operator:v1.16.5@&#8203;sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940` `quay.io/cilium/operator:stable@sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940` ### [`v1.16.4`](https://github.com/cilium/cilium/releases/tag/v1.16.4): 1.16.4 [Compare Source](https://github.com/cilium/cilium/compare/1.16.3...1.16.4) #### Security Advisories This release addresses https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67. #### Summary of Changes **Minor Changes:** - Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR [#&#8203;35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#&#8203;35809](https://github.com/cilium/cilium/issues/35809), [@&#8203;jrajahalme](https://github.com/jrajahalme)) - clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR [#&#8203;35543](https://github.com/cilium/cilium/issues/35543), Upstream PR [#&#8203;35349](https://github.com/cilium/cilium/issues/35349), [@&#8203;giorio94](https://github.com/giorio94)) - helm: Lower default `hubble.tls.auto.certValidityDuration` to 365 days (Backport PR [#&#8203;35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#&#8203;35630](https://github.com/cilium/cilium/issues/35630), [@&#8203;chancez](https://github.com/chancez)) - helm: New socketLB.tracing flag (Backport PR [#&#8203;35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#&#8203;35747](https://github.com/cilium/cilium/issues/35747), [@&#8203;pchaigno](https://github.com/pchaigno)) - hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR [#&#8203;35781](https://github.com/cilium/cilium/issues/35781), Upstream PR 
[#35632](https://github.com/cilium/cilium/issues/35632), [@chancez](https://github.com/chancez))
- netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport PR [#35543](https://github.com/cilium/cilium/issues/35543), Upstream PR [#35306](https://github.com/cilium/cilium/issues/35306), [@jrife](https://github.com/jrife))

**Bugfixes:**

- Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR [#35468](https://github.com/cilium/cilium/issues/35468), Upstream PR [#35179](https://github.com/cilium/cilium/issues/35179), [@wedaly](https://github.com/wedaly))
- bgpv1: fix reconciliation of services with shared VIPs (Backport PR [#35468](https://github.com/cilium/cilium/issues/35468), Upstream PR [#35333](https://github.com/cilium/cilium/issues/35333), [@rastislavs](https://github.com/rastislavs))
- bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR [#35863](https://github.com/cilium/cilium/issues/35863), Upstream PR [#35690](https://github.com/cilium/cilium/issues/35690), [@YutaroHayakawa](https://github.com/YutaroHayakawa))
- bgpv2: set local peering address when specified (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35552](https://github.com/cilium/cilium/issues/35552), [@harsimran-pabla](https://github.com/harsimran-pabla))
- Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present.
(Backport PR [#35603](https://github.com/cilium/cilium/issues/35603), Upstream PR [#35150](https://github.com/cilium/cilium/issues/35150), [@jrajahalme](https://github.com/jrajahalme))
- Cilium's DNS proxy no longer gets stuck for a specific five-tuple if an `timeout waiting for response` error is encountered. (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35589](https://github.com/cilium/cilium/issues/35589), [@bimmlerd](https://github.com/bimmlerd))
- config: Remove superfluous warning on native routing CIDR (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35738](https://github.com/cilium/cilium/issues/35738), [@gandro](https://github.com/gandro))
- Fix missing flowlabel hash on SRv6 traffic. (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35498](https://github.com/cilium/cilium/issues/35498), [@akaliwod](https://github.com/akaliwod))
- Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR [#35543](https://github.com/cilium/cilium/issues/35543), Upstream PR [#35173](https://github.com/cilium/cilium/issues/35173), [@smagnani96](https://github.com/smagnani96))
- Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35673](https://github.com/cilium/cilium/issues/35673), [@giorio94](https://github.com/giorio94))
- Fix redirect from L3 device to remote endpoint via overlay network.
(Backport PR [#35468](https://github.com/cilium/cilium/issues/35468), Upstream PR [#35165](https://github.com/cilium/cilium/issues/35165), [@julianwiedmann](https://github.com/julianwiedmann))
- Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR [#35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#35694](https://github.com/cilium/cilium/issues/35694), [@julianwiedmann](https://github.com/julianwiedmann))
- Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35599](https://github.com/cilium/cilium/issues/35599), [@squeed](https://github.com/squeed))
- Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport PR [#35543](https://github.com/cilium/cilium/issues/35543), Upstream PR [#35293](https://github.com/cilium/cilium/issues/35293), [@squeed](https://github.com/squeed))
- Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport PR [#35906](https://github.com/cilium/cilium/issues/35906), Upstream PR [#35890](https://github.com/cilium/cilium/issues/35890), [@squeed](https://github.com/squeed))
- Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud".
([#35611](https://github.com/cilium/cilium/issues/35611), [@pippolo84](https://github.com/pippolo84))
- helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport PR [#35319](https://github.com/cilium/cilium/issues/35319), Upstream PR [#35301](https://github.com/cilium/cilium/issues/35301), [@hox](https://github.com/hox))
- helm: fix duplicate configmap key for `bpf-lb-sock-terminate-pod-connections` (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35703](https://github.com/cilium/cilium/issues/35703), [@solidDoWant](https://github.com/solidDoWant))
- helm: set automountServiceAccountToken to false for hubble-relay sa (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35674](https://github.com/cilium/cilium/issues/35674), [@ayuspin](https://github.com/ayuspin))
- hubble: fix endpoint cluster name (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35415](https://github.com/cilium/cilium/issues/35415), [@kaworu](https://github.com/kaworu))
- hubble: Lock exporters while gathering metrics (Backport PR [#35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#35860](https://github.com/cilium/cilium/issues/35860), [@joestringer](https://github.com/joestringer))
- Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for them.
(Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35143](https://github.com/cilium/cilium/issues/35143), [@jrajahalme](https://github.com/jrajahalme))
- ipam: Validate CiliumNode resource in ENI mode (Backport PR [#35792](https://github.com/cilium/cilium/issues/35792), Upstream PR [#35784](https://github.com/cilium/cilium/issues/35784), [@sayboras](https://github.com/sayboras))
- l7lb: fix registration of flag loadbalancer-l7 (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35623](https://github.com/cilium/cilium/issues/35623), [@mhofstetter](https://github.com/mhofstetter))
- Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport PR [#35319](https://github.com/cilium/cilium/issues/35319), Upstream PR [#35069](https://github.com/cilium/cilium/issues/35069), [@chancez](https://github.com/chancez))
- option: Reduce log level for WG strict mode + IPv6 (Backport PR [#35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#35763](https://github.com/cilium/cilium/issues/35763), [@pchaigno](https://github.com/pchaigno))
- Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (Backport PR [#35468](https://github.com/cilium/cilium/issues/35468), Upstream PR [#35381](https://github.com/cilium/cilium/issues/35381), [@jrajahalme](https://github.com/jrajahalme))
- treewide: Add wrapper for `netlink` functions that may fail with `ErrDumpInterrupted` (Backport PR [#35654](https://github.com/cilium/cilium/issues/35654), Upstream PR [#35614](https://github.com/cilium/cilium/issues/35614), [@gandro](https://github.com/gandro))
- wireguard: Fix connectivity issues following node reboots.
(Backport PR [#35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#35750](https://github.com/cilium/cilium/issues/35750), [@jrife](https://github.com/jrife))

**CI Changes:**

- .github/conformance-ginkgo: replace deprecated jq flag (Backport PR [#35468](https://github.com/cilium/cilium/issues/35468), Upstream PR [#35399](https://github.com/cilium/cilium/issues/35399), [@aanm](https://github.com/aanm))
- .github: extend timeout for tests-ipsec-upgrade workflow (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35657](https://github.com/cilium/cilium/issues/35657), [@rastislavs](https://github.com/rastislavs))
- .github: remove libncurses5 from integration tests (Backport PR [#35468](https://github.com/cilium/cilium/issues/35468), Upstream PR [#35408](https://github.com/cilium/cilium/issues/35408), [@aanm](https://github.com/aanm))
- \[v1.16] gh: e2e-upgrade: restart LRP backend pod after upgrade ([#35329](https://github.com/cilium/cilium/issues/35329), [@ysksuzuki](https://github.com/ysksuzuki))
- \[v1.16] github: update rhel8 LVH image to rhel8.6 ([#35733](https://github.com/cilium/cilium/issues/35733), [@julianwiedmann](https://github.com/julianwiedmann))
- Additionally test KVStore mode in E2E/IPSec workflows (Backport PR [#35905](https://github.com/cilium/cilium/issues/35905), Upstream PR [#35679](https://github.com/cilium/cilium/issues/35679), [@giorio94](https://github.com/giorio94))
- ci: conformance-kind: re-enable flaky Aggregator test (Backport PR [#35582](https://github.com/cilium/cilium/issues/35582), Upstream PR [#35286](https://github.com/cilium/cilium/issues/35286), [@julianwiedmann](https://github.com/julianwiedmann))
- ci: datapath-verifier: bump lvh images (Backport PR [#35648](https://github.com/cilium/cilium/issues/35648), Upstream PR
[#35456](https://github.com/cilium/cilium/issues/35456), [@julianwiedmann](https://github.com/julianwiedmann))
- gha: Update chmod command (Backport PR [#35468](https://github.com/cilium/cilium/issues/35468), Upstream PR [#35400](https://github.com/cilium/cilium/issues/35400), [@sayboras](https://github.com/sayboras))
- github: Pass the workflow step timeout to go test (Backport PR [#35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#35814](https://github.com/cilium/cilium/issues/35814), [@jrajahalme](https://github.com/jrajahalme))
- Refactor and set a default for GH_RUNNER_EXTRA_POWER (Backport PR [#35319](https://github.com/cilium/cilium/issues/35319), Upstream PR [#35267](https://github.com/cilium/cilium/issues/35267), [@aanm](https://github.com/aanm))
- workflows/gateway-api: Cover IPsec with GatewayAPI (Backport PR [#35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#35584](https://github.com/cilium/cilium/issues/35584), [@pchaigno](https://github.com/pchaigno))
- workflows/ingress: Run basic checks (Backport PR [#35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#35683](https://github.com/cilium/cilium/issues/35683), [@pchaigno](https://github.com/pchaigno))
- workflows/ipsec: Cover Ingress (Backport PR [#35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#35476](https://github.com/cilium/cilium/issues/35476), [@pchaigno](https://github.com/pchaigno))
- workflows: Extend IPsec tests to cover egress gateway (Backport PR [#35540](https://github.com/cilium/cilium/issues/35540), Upstream PR [#35323](https://github.com/cilium/cilium/issues/35323), [@pchaigno](https://github.com/pchaigno))

**Misc Changes:**

- .github/build-images-base: checkout base branch to get scripts (Backport PR
[#35319](https://github.com/cilium/cilium/issues/35319), Upstream PR [#35236](https://github.com/cilium/cilium/issues/35236), [@aanm](https://github.com/aanm))
- .github: remove retention days for image digests (Backport PR [#35468](https://github.com/cilium/cilium/issues/35468), Upstream PR [#35457](https://github.com/cilium/cilium/issues/35457), [@aanm](https://github.com/aanm))
- bpf: vxlan helper improvements (Backport PR [#35543](https://github.com/cilium/cilium/issues/35543), Upstream PR [#34755](https://github.com/cilium/cilium/issues/34755), [@julianwiedmann](https://github.com/julianwiedmann))
- chore(deps): update all github action dependencies (v1.16) ([#35382](https://github.com/cilium/cilium/issues/35382), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.16) ([#35439](https://github.com/cilium/cilium/issues/35439), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.16) ([#35573](https://github.com/cilium/cilium/issues/35573), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.16) ([#35710](https://github.com/cilium/cilium/issues/35710), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.16) ([#35438](https://github.com/cilium/cilium/issues/35438), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.22.8 docker digest to [`0ca97f4`](https://github.com/cilium/cilium/commit/0ca97f4) (v1.16) ([#35730](https://github.com/cilium/cilium/issues/35730), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.22.8 docker digest to
[`b274ff1`](https://github.com/cilium/cilium/commit/b274ff1) (v1.16) ([#35379](https://github.com/cilium/cilium/issues/35379), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.22.9 (v1.16) ([#35854](https://github.com/cilium/cilium/issues/35854), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729635771-fa4efeff33a344a45e14a4068c61dc438b3d2270 (v1.16) ([#35491](https://github.com/cilium/cilium/issues/35491), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.16) (patch) ([#35731](https://github.com/cilium/cilium/issues/35731), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- cilium, docs: Extend requirements for L7 proxy (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35669](https://github.com/cilium/cilium/issues/35669), [@borkmann](https://github.com/borkmann))
- cilium: add probe for netkit for more user friendly error when not supported (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35551](https://github.com/cilium/cilium/issues/35551), [@borkmann](https://github.com/borkmann))
- ctrl-runtime: lower severity of retryable reconcile errors (Backport PR [#35592](https://github.com/cilium/cilium/issues/35592), Upstream PR [#35364](https://github.com/cilium/cilium/issues/35364), [@giorio94](https://github.com/giorio94))
- daemon: Reduce level of socket LB tracing warning (Backport PR [#35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#35798](https://github.com/cilium/cilium/issues/35798), [@pchaigno](https://github.com/pchaigno))
- datapath: move policy map value prefix length to flags (Backport PR
[#35603](https://github.com/cilium/cilium/issues/35603), Upstream PR [#35534](https://github.com/cilium/cilium/issues/35534), [@jrajahalme](https://github.com/jrajahalme))
- dnsproxy: fix error when sessionUDPFactory fails (Backport PR [#35543](https://github.com/cilium/cilium/issues/35543), Upstream PR [#33998](https://github.com/cilium/cilium/issues/33998), [@marseel](https://github.com/marseel))
- docs/ipsec: Remove KPR limitation (Backport PR [#35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#35743](https://github.com/cilium/cilium/issues/35743), [@pchaigno](https://github.com/pchaigno))
- docs/xfrm: Fix incorrect statement regarding XFRM IN policies (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35626](https://github.com/cilium/cilium/issues/35626), [@pchaigno](https://github.com/pchaigno))
- docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (Backport PR [#35319](https://github.com/cilium/cilium/issues/35319), Upstream PR [#35288](https://github.com/cilium/cilium/issues/35288), [@oneumyvakin](https://github.com/oneumyvakin))
- docs: clean up stale kernel requirements (Backport PR [#35582](https://github.com/cilium/cilium/issues/35582), Upstream PR [#35575](https://github.com/cilium/cilium/issues/35575), [@julianwiedmann](https://github.com/julianwiedmann))
- docs: Fix incorrect link to RFC 4271 for BGP control plane timers.
(Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35725](https://github.com/cilium/cilium/issues/35725), [@nvibert](https://github.com/nvibert))
- docs: kpr: update error message regarding SocketLB tracing (Backport PR [#35468](https://github.com/cilium/cilium/issues/35468), Upstream PR [#35337](https://github.com/cilium/cilium/issues/35337), [@julianwiedmann](https://github.com/julianwiedmann))
- docs: tuning: XDP LB also supports tunnel routing (Backport PR [#35582](https://github.com/cilium/cilium/issues/35582), Upstream PR [#35574](https://github.com/cilium/cilium/issues/35574), [@julianwiedmann](https://github.com/julianwiedmann))
- docs: update 1.16 upgrade note for LRP ([#35944](https://github.com/cilium/cilium/issues/35944), [@ysksuzuki](https://github.com/ysksuzuki))
- docs: update default identity label filters (Backport PR [#35468](https://github.com/cilium/cilium/issues/35468), Upstream PR [#35422](https://github.com/cilium/cilium/issues/35422), [@marseel](https://github.com/marseel))
- docs: XFRM reference guide for IPsec development (Backport PR [#35582](https://github.com/cilium/cilium/issues/35582), Upstream PR [#35322](https://github.com/cilium/cilium/issues/35322), [@pchaigno](https://github.com/pchaigno))
- Envoy simplify listener setup (Backport PR [#35764](https://github.com/cilium/cilium/issues/35764), Upstream PR [#35642](https://github.com/cilium/cilium/issues/35642), [@jrajahalme](https://github.com/jrajahalme))
- envoy: Configure internal_address_config to avoid warning log (Backport PR [#35471](https://github.com/cilium/cilium/issues/35471), Upstream PR [#35090](https://github.com/cilium/cilium/issues/35090), [@sayboras](https://github.com/sayboras))
- envoy: Limit started serving logging to the typeURL of the stream (Backport PR
[#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35736](https://github.com/cilium/cilium/issues/35736), [@jrajahalme](https://github.com/jrajahalme))
- Fix wrongly spelled config option in error message (Backport PR [#35543](https://github.com/cilium/cilium/issues/35543), Upstream PR [#35390](https://github.com/cilium/cilium/issues/35390), [@baurmatt](https://github.com/baurmatt))
- helm: clarify text for serviceNoBackendResponse (Backport PR [#35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#35734](https://github.com/cilium/cilium/issues/35734), [@julianwiedmann](https://github.com/julianwiedmann))
- hubble: Add 'release' Make target (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35561](https://github.com/cilium/cilium/issues/35561), [@michi-covalent](https://github.com/michi-covalent))
- image: Use cilium-builder instead of golang as operator builder image (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35351](https://github.com/cilium/cilium/issues/35351), [@learnitall](https://github.com/learnitall))
- iptables: always warn about missing xt_socket module (Backport PR [#35781](https://github.com/cilium/cilium/issues/35781), Upstream PR [#35591](https://github.com/cilium/cilium/issues/35591), [@julianwiedmann](https://github.com/julianwiedmann))
- makefile: add target to install Cilium in kvstore mode (Backport PR [#35905](https://github.com/cilium/cilium/issues/35905), Upstream PR [#35646](https://github.com/cilium/cilium/issues/35646), [@giorio94](https://github.com/giorio94))
- proxy: Ensure proxy ports are written on shutdown (Backport PR [#35908](https://github.com/cilium/cilium/issues/35908), Upstream PR [#35839](https://github.com/cilium/cilium/issues/35839),
[@jrajahalme](https://github.com/jrajahalme))
- Silence spurious clustermesh-related warnings (Backport PR [#35850](https://github.com/cilium/cilium/issues/35850), Upstream PR [#35867](https://github.com/cilium/cilium/issues/35867), [@giorio94](https://github.com/giorio94))

**Other Changes:**

- \[v1.16] envoy: Add configuration for OverloadManager ([#35787](https://github.com/cilium/cilium/issues/35787), [@sayboras](https://github.com/sayboras))
- \[v1.16] envoy: Bump envoy version from 1.29.x to 1.30.x ([#35563](https://github.com/cilium/cilium/issues/35563), [@sayboras](https://github.com/sayboras))
- \[v1.16] policy/correlation: Fix `PolicyMatch{L3Proto,L4Only}` case ([#35681](https://github.com/cilium/cilium/issues/35681), [@gandro](https://github.com/gandro))
- chore(deps): update cilium-envoy dependency ([#35920](https://github.com/cilium/cilium/issues/35920), [@sayboras](https://github.com/sayboras))
- install: Update image digests for v1.16.3 ([#35361](https://github.com/cilium/cilium/issues/35361), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot])
- Policy add deny rule test and benchmark ([#35714](https://github.com/cilium/cilium/issues/35714), [@jrajahalme](https://github.com/jrajahalme))
</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
smeagol-help added 1 commit 2024-12-11 23:35:01 -06:00
smeagol-help force-pushed renovate/patch-cilium from bc4ec2d9a9 to b502a83b1e 2024-12-17 18:05:44 -06:00
smeagol-help changed title from Update chart cilium to 1.16.4 to Update chart cilium to 1.16.5 2024-12-17 18:05:52 -06:00
smeagol-help force-pushed renovate/patch-cilium from b502a83b1e to dad96114d3 2024-12-20 13:35:17 -06:00
jahanson merged commit 4346ee5c76 into main 2024-12-20 13:49:16 -06:00
jahanson deleted branch renovate/patch-cilium 2024-12-20 13:49:16 -06:00
Reference: jahanson/theshire#962