feat(helm): update chart cilium to 1.14.4 #39

renovate · 2023-07-29T01:06:44Z

This PR contains the following updates:

Package	Update	Change
cilium (source)	minor	`1.13.4` -> `1.14.4`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

cilium/cilium (cilium)

`v1.14.4`

Compare Source

`v1.14.3`: 1.14.3

Compare Source

We are pleased to release Cilium v1.14.3. This is bug fix release addressing the recent HTTP/2 Stream Cancellation Attack (CVE-2023-44487) and other bugs:

Envoy GHSA-jhv4-f7mr-xx76
Go GHSA-qppj-fm5r-hxr3

Summary of Changes

Minor Changes:

bump grpc dependency to 1.56.3 to fix security vulnerability GHSA-qppj-fm5r-hxr3 (#28527, @aanm)
Cut Cilium's initialization time for clusters with a large number of Kubernetes and Cilium Network Policies by 90% (Backport PR #28282, Upstream PR #28173, @aanm)
endpoint: Only perform the full policy map synchronization periodically (every 15 minutes) to reduce overhead with large endpoint policy maps (Backport PR #28095, Upstream PR #27693, @joamaki)
ipam: report IP owner of non-default pool IPs in multi-pool IPAM (Backport PR #28095, Upstream PR #27968, @tklauser)
metrics: add a metric for max observed endpoint ifindex (Backport PR #28282, Upstream PR #27953, @asauber)
metrics: Add map pressure metric for auth map (Backport PR #28442, Upstream PR #28357, @sayboras)
vendor, azure: Bump Azure SDK to Aug 2021 (Backport PR #28330, Upstream PR #28311, @christarazi)

Bugfixes:

bpf: lxc: support Pod->Service->Pod hairpinning with endpoint routes (Backport PR #28123, Upstream PR #27798, @ti-mo)
bpf: overlay: fix missing DBG_DECAP for Inter-Cluster-SNAT (Backport PR #28494, Upstream PR #28466, @julianwiedmann)
Change routing-mode and tunnel-protocol based on .Values.tunnel and .Values.routingMode (Backport PR #28282, Upstream PR #27841, @macmiranda)
datapath: fix NodePort to remote hostns backend with tunnel config (Backport PR #28494, Upstream PR #27323, @michaelasp)
envoy: Sync supported resources to fix not found issue (Backport PR #28349, Upstream PR #28272, @sayboras)
Fix a bug that causes pod-to-pod traffic between nodes to be dropped when IPsec is enabled and kube-proxy installed rules in both iptables-nft and iptables-legacy. (Backport PR #28442, Upstream PR #28258, @pchaigno)
fix bug: pull skb data in cil_from_netdev path for HIGH_SCALE_IPCACHE mode (Backport PR #28095, Upstream PR #27913, @sofat1989)
Fix Gateway API HttpRoute cannot strip path prefix. (Backport PR #28282, Upstream PR #28018, @chaunceyjiang)
Fix hubble metric labeling when only directed Source/Destination Ingress/Egress options are specified. (Backport PR #28095, Upstream PR #27792, @marqc)
Fix minor bug where the previous Cilium proxy port was not reused (Backport PR #28127, Upstream PR #27634, @christarazi)
Fix the trace notification for hairpinned reply traffic, to indicate the correct security identity for the client. (Backport PR #28282, Upstream PR #28133, @julianwiedmann)
Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (Backport PR #28435, Upstream PR #28417, @ti-mo)
Fix: Gateway API double slash while stripping path prefix (Backport PR #28442, Upstream PR #28294, @nxy7)
Fixes a bug causing panic when counting IPsec keys number via "cilium encrypt status". (Backport PR #28282, Upstream PR #27996, @jschwinger233)
fqdn proxy: fix data race by using separate sessionUDPFactories (Backport PR #28282, Upstream PR #28163, @mhofstetter)
ipam/multipool: Fix bug where allocator was unable to update CiliumNode (Backport PR #28095, Upstream PR #27963, @gandro)
ipcache: fix flapping labels in SelectorCache when reserved:host identity has multiple IPs (Backport PR #28418, Upstream PR #28332, @squeed)
Must have port for Service reference (Backport PR #28282, Upstream PR #27959, @chaunceyjiang)
pkg/k8s: use a deep copy of CNP in UpdateStatus to avoid race condition (Backport PR #28494, Upstream PR #28364, @aanm)
pkg/node: Updates GetIPv6AllocCIDRs() to Properly Return Secondary CIDRs (Backport PR #28095, Upstream PR #27855, @danehans)
resource: Fix race condition in handling of Kubernetes object delete event retrying. In the very rare case when an object was created, deleted and re-created with the same name and the handling of the first deletion failed, the handling of delete event may have been retried even though the object was re-created. Only affected features using the Resource-library (LB IPAM, Mutual Auth and ClusterMesh). (Backport PR #28494, Upstream PR #27340, @joamaki)
Restore host-stack bypass for pod-to-pod traffic in a configuration with kube-proxy, tunnel routing and per-endpoint routes. (Backport PR #28095, Upstream PR #27908, @julianwiedmann)

CI Changes:

[v1.14] ci: Add a call to the update label backport action (#27876, @pippolo84)
[v1.14] GHA: Add clustermesh upgrade and downgrade tests (#28355, @giorio94)
ci-ipsec-upgrade: Enable IPv6 (Backport PR #28095, Upstream PR #27220, @brb)
CI: Add conn-disrupt-test action for reuse (Backport PR #28282, Upstream PR #27567, @jschwinger233)
CI: Add IPsec key rotation test (Backport PR #28105, Upstream PR #27203, @jschwinger233)
CI: Move IPsec CI jobs into separate pipelines (Backport PR #28105, Upstream PR #26730, @jschwinger233)
ci: Run BPF lints on workflow definition changes (Backport PR #28282, Upstream PR #28122, @qmonnet)
ci: update k8s versions support for v1.14 (#28248, @nbusseneau)
Do not hardcode the AWS VPC CNI plugin version in the conformance-aws-cni GHA workflow (Backport PR #28442, Upstream PR #28392, @giorio94)
ginkgo: Remove K8sDatapathCustomCalls (Backport PR #28095, Upstream PR #27911, @brb)
Refactor CiliumExecContext() Retry Logic (Backport PR #28282, Upstream PR #28131, @carnerito)
workflows/ipsec: Add missing --flush-ct for key rotation (Backport PR #28105, Upstream PR #27883, @pchaigno)

Misc Changes:

[Docs] Clarify ClusterMesh troubleshooting steps when KVStoreMesh is enabled (Backport PR #28282, Upstream PR #27691, @weizhoublue)
Add option conntrackGCMaxInterval to allow limiting the maximum connection tracking GC interval. By default the automatic interval calculation may increase the interval up to 12 hours, which may incur an unreasonable delay to releasing of CIDR identities created from ToFQDN policies. Setting this option will limit the interval and ensure such identities are marked unused earlier and removed. (Backport PR #28282, Upstream PR #27870, @joamaki)
bugtool: various updates to BPF map dump (Backport PR #28282, Upstream PR #28065, @julianwiedmann)
bump k8s dependencies to 1.27.6 (#28560, @aanm)
chore(deps): update actions/checkout action to v4 (v1.14) (#27944, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (minor) (#27776, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (patch) (#28078, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (patch) (#28209, @renovate[bot])
chore(deps): update all github action dependencies to v3 (v1.14) (major) (#28101, @renovate[bot])
chore(deps): update all lvh-images main (v1.14) (patch) (#27942, @renovate[bot])
chore(deps): update all lvh-images main (v1.14) (patch) (#28210, @renovate[bot])
chore(deps): update aws-actions/configure-aws-credentials action to v4 (v1.14) (#28102, @renovate[bot])
chore(deps): update cilium/cilium digest to 6c12a0f (v1.14) (#28075, @renovate[bot])
chore(deps): update cilium/cilium digest to 8b7844d (v1.14) (#28196, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.8 (v1.14) (#28211, @renovate[bot])
chore(deps): update dependency cilium/hubble to v0.12.1 (v1.14) (#28521, @renovate[bot])
chore(deps): update dependency cilium/hubble to v0.12.2 (v1.14) (#28566, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.10 docker digest to 098d628 (v1.14) (#28623, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.8 docker digest to 6e1a67e (v1.14) (#28197, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2b7412e (v1.14) (#28630, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 990350f (v1.14) (#28579, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 9b8dec3 (v1.14) (#28384, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to aabed32 (v1.14) (#28076, @renovate[bot])
chore(deps): update docker/build-push-action action to v5 (v1.14) (#28093, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 92d40ee (v1.14) (#27941, @renovate[bot])
chore(deps): update go to v1.20.10 (v1.14) (patch) (#28515, @renovate[bot])
chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.14) (#28082, @renovate[bot])
chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (v1.14) (#28538, @renovate[bot])
chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (v1.14) (#28569, @renovate[bot])
chore(deps): update sigstore/cosign-installer action to v3.1.2 (v1.14) (#27943, @renovate[bot])
ci: fix AWS EKS K8s versions comment (Backport PR #28282, Upstream PR #28249, @nbusseneau)
docs: Add instructions for running LVH against custom kernel (Backport PR #28349, Upstream PR #28305, @brb)
docs: Add Makefile and documentation for "fast" development targets (Backport PR #28095, Upstream PR #27931, @aanm)
docs: Add more details for the Cluster Mesh key rotation (Backport PR #28282, Upstream PR #28145, @margamanterola)
docs: egressgw: document incompatibility with Clustermesh (Backport PR #28095, Upstream PR #27918, @julianwiedmann)
docs: Makefile, check-build.sh clean-ups and perf improvements (Backport PR #28282, Upstream PR #28161, @qmonnet)
docs: Mention RouteTableInterfacesOffset in system requirements (Backport PR #28442, Upstream PR #28358, @gandro)
docs: rephrasing the hubble intro doc (Backport PR #28095, Upstream PR #27712, @vipul-21)
docs: Update Sphinx and its dependencies, Cilium theme (Backport PR #28282, Upstream PR #28172, @qmonnet)
endpoint: Fix use of PolicyMapFullReconciliationInterval option (Backport PR #28095, Upstream PR #27985, @joamaki)
Fix bug when reusing the same cell in multiple hives (Backport PR #28282, Upstream PR #27873, @giorio94)
Fix potential nil pointer dereference in SelectorManager implementation (Backport PR #28095, Upstream PR #27805, @learnitall)
fix(deps): update module golang.org/x/net to v0.17.0 [security] (#28550, @aanm)
fqdn proxy: fix data race detection on TCP fqdn proxy (Backport PR #28282, Upstream PR #28219, @mhofstetter)
Helm: Improved description for tunnel, tunnelProtocol, routingMode flags (Backport PR #28349, Upstream PR #27926, @PhilipSchmid)
hubble: Use protobuf GetType() helper in v1.FlowProtocol() to avoid possible panic (Backport PR #28095, Upstream PR #27889, @chancez)
install/kubernetes: add the cilium/values.yaml target to .PHONY (Backport PR #28282, Upstream PR #28225, @nbusseneau)
ipsec: Atomically upgrade XFRM states with new output-mark (Backport PR #28563, Upstream PR #28485, @pchaigno)
Make tolerations configurable in clustermesh-apiserver certgen job (Backport PR #28282, Upstream PR #28221, @giorio94)
Makefile: fix 'fast' make targets (Backport PR #28442, Upstream PR #28380, @aanm)
policy: Move getNets to selector cache (Backport PR #28670, Upstream PR #27670, @jrajahalme)
Update docs theme (Backport PR #28442, Upstream PR #28403, @raphink)
Update Hubble UI from v0.12.0 to v0.12.1 (#28535, @rolinh)

Other Changes:

envoy: Bump envoy version to v1.25.10 (#28506, @sayboras)
Fix possible cross-cluster connection drops on agents restart when clustermesh is enabled (#27611, @giorio94)
v1.14: avoid relying on golang.org/exp/slices.SortFunc (#28473, @rolinh)

`v1.14.2`: 1.14.2

Compare Source

We are pleased to release Cilium v1.14.2.

Known IPsec related issues have been fixed. We encourage users to test this release and report any potentially remaining issues.

Summary of Changes

Minor Changes:

Add SPIRE connection to cilium status (Backport PR #27649, Upstream PR #26896, @meyskens)
Fix: Affinity in cilium-pre-flight-check daemonset. (Backport PR #27629, Upstream PR #27475, @ishuar)
gateway-api: Support all the extended features (Backport PR #27655, Upstream PR #27472, @sayboras)

Bugfixes:

bpf: nodeport: add RevDNAT-based FIB lookup for reply traffic (Backport PR #27381, Upstream PR #26638, @julianwiedmann)
cgroups: Fix race to load cgroup.hostRoot option (Backport PR #27629, Upstream PR #27561, @kvaps)
Do mutual authentication handshake again if mismatch between bpf map and cached map happens (Backport PR #27739, Upstream PR #27241, @meyskens)
envoy: fix panic writing accesslog without L7 tags (Backport PR #27629, Upstream PR #27453, @mhofstetter)
Fix a bug that could cause an incorrect max. sequence number to be reported by cilium encrypt status when IPsec is enabled. (Backport PR #27917, Upstream PR #27656, @pchaigno)
Fix a bug where cilium host IP is not read from k8s node annotations (Backport PR #27679, Upstream PR #27590, @hemanthmalla)
Fix behavior where SPIRE doesn't work when kubelet does not listen on 127.0.0.1 (Backport PR #27679, Upstream PR #27583, @weizhoublue)
Fix bug that could cause packet drops of type XfrmOutPolBlock while rotating the IPsec key. (Backport PR #27586, Upstream PR #27319, @jrfastab)
Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (Backport PR #27920, Upstream PR #27602, @julianwiedmann)
Fix deletion of tunnel map entries when node has non-zero cluster ID. (Backport PR #27629, Upstream PR #27353, @giorio94)
Fix Gateway managed services not exposing all ports (Backport PR #27917, Upstream PR #27695, @Managarmrr)
Fix global service incompatibility when v1.14 agents connect to a v1.13 cluster (#27882, @giorio94)
Fix issue which caused the map reconciliation process to never complete successfully if the error resolved automatically (Backport PR #27629, Upstream PR #26742, @giorio94)
Fix missing packet trace after from-container for reply traffic to the proxy. (Backport PR #27917, Upstream PR #27872, @pchaigno)
Fix potential cross-node connectivity issue when IPsec is enabled with ENI or Azure IPAM modes. (Backport PR #27924, Upstream PR #26663, @gandro)
Fix propagation of namespace labels to CEP labels (Backport PR #27917, Upstream PR #27831, @tklauser)
Fix several paths in the North-South load-balancer where the TTL / hop-limit field of a forwarded packet was not updated. (Backport PR #27379, Upstream PR #27299, @julianwiedmann)
Fixes a issue that IPsec key rotation can't be triggered. (Backport PR #27739, Upstream PR #27694, @jschwinger233)
gateway-api: Filter routes based on Section Name and port (Backport PR #27629, Upstream PR #27309, @sayboras)
gateway-api: Merge externally annotations and labels for kubernetes types (Backport PR #27629, Upstream PR #27251, @farodin91)
helm: fix envoy daemonset loglevel with multiple verbose debug groups (Backport PR #27917, Upstream PR #27698, @mhofstetter)
ingress: fix panic on ingress rule without HTTPIngressRule (Backport PR #27917, Upstream PR #27818, @mhofstetter)
ipam: when a CiliumNode is removed, delete node label from metrics. (Backport PR #27917, Upstream PR #27713, @tommyp1ckles)
IPSec fix for race on init resulting in XfrmIn errors and dropped packets (Backport PR #28021, Upstream PR #28012, @jrfastab)
k8s: Restrict configuring reserved:init policy via CNP (Backport PR #28038, Upstream PR #28007, @joestringer)
Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (Backport PR #27917, Upstream PR #27572, @bimmlerd)
proxy: Ignore visibility annotation if proxy is disabled (Backport PR #27679, Upstream PR #27597, @sayboras)
Read FQDNRejectResponseCode from config (Backport PR #27739, Upstream PR #27362, @ayuspin)

CI Changes:

.github/workflows: unify time to wait for images to become available (Backport PR #27917, Upstream PR #27706, @tklauser)
Add missing ariane trigger phrases (Backport PR #27917, Upstream PR #27822, @tklauser)
Add secondary iface to KIND network (Backport PR #27679, Upstream PR #26338, @ysksuzuki)
bpf: complexity-tests: set -DHAVE_LARGE_INSN_LIMIT=1 for new kernels (Backport PR #27701, Upstream PR #27490, @julianwiedmann)
ci-e2e: Add secondary network NodePort tests (Backport PR #27917, Upstream PR #27738, @brb)
ci-ipsec-upgrade: Bump CLI to v0.15.5 (Backport PR #27629, Upstream PR #27230, @brb)
ci-ipsec-upgrade: Skip upon test/Documentation changes (Backport PR #27679, Upstream PR #27644, @brb)
ci: remove unavailable K8s 1.22 from GKE config (Backport PR #27629, Upstream PR #27365, @mhofstetter)
CI: Rename workflow names (Backport PR #27739, Upstream PR #27391, @brlbil)
CI: Update tested k8s version for aks (Backport PR #27629, Upstream PR #27457, @brlbil)
Disable the images digest when pushing the development helm chart (Backport PR #27739, Upstream PR #27646, @giorio94)
gh/actions: Customize cilium-config (Backport PR #27917, Upstream PR #27416, @brb)
gh/workflows: Use cilium-config action in ci-ipsec-upgrade (Backport PR #27917, Upstream PR #27359, @brb)
gha: fix waiting for images in conformance-gingko (Backport PR #27629, Upstream PR #27397, @giorio94)
Set kvstoremesh image when pushing the development helm chart (Backport PR #27679, Upstream PR #27645, @giorio94)
test: print logical instruction count per program (Backport PR #27629, Upstream PR #26641, @ti-mo)

Misc Changes:

[v1.14] cilium: Fix 16bit ifindex limitation (#27880, @borkmann)
Add WireGuard to the firewall rules documentation (Backport PR #27917, Upstream PR #27170, @joestringer)
bpf: egressgw: set trace reason for reply traffic (Backport PR #27524, Upstream PR #27218, @julianwiedmann)
bpf: nat: enable CT-driven trace aggregation (Backport PR #27524, Upstream PR #27178, @julianwiedmann)
bpf: nat: let caller determine whether SNATed connection needs CT (Backport PR #27524, Upstream PR #27079, @julianwiedmann)
bpf: nodeport: consolidate packet rewrite in RevDNAT path (Backport PR #27381, Upstream PR #26852, @julianwiedmann)
bpf: split complexity configurations into separate files (Backport PR #27701, Upstream PR #26925, @lmb)
chore(deps): update all kind-images main (v1.14) (#27746, @renovate[bot])
chore(deps): update all kind-images main (v1.14) (patch) (#27772, @renovate[bot])
chore(deps): update all lvh-images main (v1.14) (patch) (#27422, @renovate[bot])
chore(deps): update all lvh-images main (v1.14) (patch) (#27773, @renovate[bot])
chore(deps): update aws-actions/configure-aws-credentials action to v3 (v1.14) (#27777, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.6 (v1.14) (#27769, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.7 (v1.14) (#27919, @renovate[bot])
chore(deps): update dependency google/gops to v0.3.28 (v1.14) (#27413, @renovate[bot])
chore(deps): update dependency kubernetes/kubernetes to v1.27.5 (v1.14) (#27774, @renovate[bot])
chore(deps): update dependency ubuntu to v22 (v1.14) (#27778, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.3 (v1.14) (#27775, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.7 docker digest to 741d6f9 (v1.14) (#27768, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.8 docker digest to 700d726 (v1.14) (#28049, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ec050c3 (v1.14) (#27546, @renovate[bot])
chore(deps): update go to v1.20.8 (v1.14) (patch) (#27990, @renovate[bot])
chore: fixing blank k8sPodName in endpoint logger (Backport PR #27629, Upstream PR #26964, @vakalapa)
cilium, docs: Add a note about KPR and nfs dependencies (Backport PR #27739, Upstream PR #27678, @borkmann)
clean-up: remove check for permissive CCNPs (Backport PR #27739, Upstream PR #27690, @shawnh2)
contrib/scripts/kind.sh: specify IPv4 prefix and range on secondary network (Backport PR #27679, Upstream PR #27573, @tklauser)
Correct cni path in k3s installation documentation for rancher desktop (Backport PR #27739, Upstream PR #27702, @RichardoC)
docs: Clean up prerequisites for the Ingress Controller (Backport PR #27629, Upstream PR #27222, @qmonnet)
docs: Clean up references to deprecated modes "strict" and "partial" for kube-proxy replacement feature flag (Backport PR #27679, Upstream PR #27314, @qmonnet)
docs: Correct comment on toFQDN API definition (Backport PR #27629, Upstream PR #27496, @Alex-Waring)
docs: Fix config option for spelling filters (Backport PR #27629, Upstream PR #27537, @qmonnet)
docs: Fix Documentation Makefile to make Helm reference updates compatible with macOS (Backport PR #27629, Upstream PR #27495, @ishuar)
docs: Harmonise references to Cilium Slack (Backport PR #27629, Upstream PR #27346, @qmonnet)
docs: Improve wording for labels and services policies (Backport PR #27917, Upstream PR #27171, @joestringer)
docs: Remove proxylib limitation in observability section (Backport PR #27629, Upstream PR #27306, @darkrift)
docs: update L7 traffic CiliumClusterwideEnvoyConfig example (Backport PR #27629, Upstream PR #27409, @tanjunchen)
docs: Update the microservices-demo link (Backport PR #27917, Upstream PR #27814, @haiyuewa)
docs: Update the mutual authentication key format (Backport PR #27679, Upstream PR #27640, @haiyuewa)
egressgw: small test fixes (Backport PR #27701, Upstream PR #27574, @lmb)
Gatewap API: Implement generic route checks (Backport PR #27655, Upstream PR #25885, @meyskens)
renovate: Don't exclude github.com/{cilium,vishvananda}/netlink anymore (Backport PR #27629, Upstream PR #27342, @lambdanis)
typo: the clustermesh secret name (Backport PR #27739, Upstream PR #27658, @weizhoublue)
Update Cilium certgen from v0.1.8 to v0.1.9 (Backport PR #27629, Upstream PR #27511, @rolinh)

Other Changes:

[1.14] test: add namespace name in pod metadata test (#28032, @nebril)
backport v1.14: gh/workflows: Reusable workflow for ci-e2e and misc changes (#27375, @brb)
doc: Migrate to .readthedocs.yaml configuration file v2 (#27571, @doniacld)
envoy: Update envoy image with newer proxylib builder (#27650, @sayboras)
install: Update image digests for v1.14.1 (#27505, @nebril)

`v1.14.1`: 1.14.1

Compare Source

We are pleased to release Cilium v1.14.1. This release comes with fixes for IPsec, performance and resilience improvements and many CI and doc changes.

Remaining issues on the IPSec stack may cause interrupted connections during key rotations. Users may upgrade to this release only if this is considered acceptable.

Summary of Changes

Minor Changes:

gateway-api: Upgrade to v0.7.1 (Backport PR #27238, Upstream PR #27157, @sayboras)
Prevent Cilium from running with Delegated IPAM at the same time as Ingress (Backport PR #27238, Upstream PR #26744, @rickysumho)

Bugfixes:

Fix a bug that affected the health-check feature in Stand-alone L4LB mode. For certain configurations (eg if both IPv4 and IPv6 support is enabled) health-check traffic would not get IPIP-encapsulated. (Backport PR #27190, Upstream PR #27015, @julianwiedmann)
Fix a bug that affected the RevDNAT translation of IPv6 packets with extension headers. (Backport PR #27345, Upstream PR #27312, @julianwiedmann)
Fix a bug that could cause packet drops of type XfrmOutPolBlock when IPsec is enabled and node are recycled.
Fix a bug that could cause IPsec-encrypted packets to be sent to the wrong destination node when node churn is high. (Backport PR #27238, Upstream PR #27029, @pchaigno)
Fix agent panic in case malformed objects are retrieved from the kvstore, and improve validation (Backport PR #27345, Upstream PR #27237, @giorio94)
Fix bug limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #27345, Upstream PR #27168, @learnitall)
Fix bug where startup CIDR restore logic would mishandle reference counting, leading to persistent packet loss to those CIDRs (Backport PR #27419, Upstream PR #27327, @joestringer)
Fix generation of the clustermesh config through Helm when kvstoremesh is enabled, and the TLS key/cert pair is manually specified for a given remote cluster (Backport PR #27238, Upstream PR #27177, @giorio94)
operator: Adjust CiliumEndpoint gc to account for kvstore mode (Backport PR #27190, Upstream PR #25324, @learnitall)
Resolve a deadlock on startup when local redirect policies are used. (Backport PR #27238, Upstream PR #27115, @bimmlerd)

CI Changes:

.github: rebuild ginkgo tests in case of cache miss (Backport PR #27190, Upstream PR #27158, @sayboras)
Add renovate tags for automatic updates of kernel version in v1.14 (#27386, @aanm)
ci: fix and standardize checkouts in privileged workflows (Backport PR #27238, Upstream PR #27193, @nbusseneau)
ci: increase connectivity test timeout in GHA external workload (Backport PR #27345, Upstream PR #26975, @mhofstetter)

Misc Changes:

Add note for changing IPAM settings (Backport PR #27238, Upstream PR #27090, @darox)
chore(deps): update cilium/little-vm-helper action to v0.0.12 (v1.14) (#27270, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.5 (v1.14) (#27271, @renovate[bot])
chore(deps): update go to v1.20.6 (v1.14) (patch) (#26783, @renovate[bot])
chore(deps): update go to v1.20.7 (v1.14) (patch) (#27284, @renovate[bot])
docs/ipsec: Extend troubleshooting for long key rotations (Backport PR #27190, Upstream PR #26809, @pchaigno)
docs: Document DROP_NO_NODE_ID for IPsec (Backport PR #27345, Upstream PR #27184, @pchaigno)
docs: Have Makefile print generated image tags when running with V=0 (Backport PR #27345, Upstream PR #27250, @qmonnet)
docs: kpr: remove caveat about XDP + tunnel performance (Backport PR #27190, Upstream PR #27091, @julianwiedmann)
docs: Replace non-portable "sed -i" in Makefile (Backport PR #27238, Upstream PR #27122, @qmonnet)
docs: Simplify clustermesh example (Backport PR #27238, Upstream PR #27172, @joestringer)
docs: update ro

Configuration

📅 Schedule: Branch creation - "on saturday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate bot added renovate/helm type/minor labels Jul 29, 2023

github-actions bot added area/kubernetes area/ansible labels Jul 29, 2023

renovate bot force-pushed the renovate/cilium-1.x branch from 63bad47 to 7ed7327 Compare August 15, 2023 12:49

renovate bot changed the title ~~feat(helm): update chart cilium to 1.14.0~~ feat(helm): update chart cilium to 1.14.1 Aug 15, 2023

renovate bot force-pushed the renovate/cilium-1.x branch from 7ed7327 to 83b6638 Compare September 13, 2023 00:04

renovate bot changed the title ~~feat(helm): update chart cilium to 1.14.1~~ feat(helm): update chart cilium to 1.14.2 Sep 13, 2023

renovate bot force-pushed the renovate/cilium-1.x branch from 83b6638 to ace4563 Compare October 18, 2023 22:57

renovate bot changed the title ~~feat(helm): update chart cilium to 1.14.2~~ feat(helm): update chart cilium to 1.14.3 Oct 18, 2023

feat(helm): update chart cilium to 1.14.4

e6feb99

renovate bot force-pushed the renovate/cilium-1.x branch from ace4563 to e6feb99 Compare November 13, 2023 22:53

renovate bot changed the title ~~feat(helm): update chart cilium to 1.14.3~~ feat(helm): update chart cilium to 1.14.4 Nov 13, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(helm): update chart cilium to 1.14.4 #39

feat(helm): update chart cilium to 1.14.4 #39

renovate bot commented Jul 29, 2023 •

edited

Loading

feat(helm): update chart cilium to 1.14.4 #39

Are you sure you want to change the base?

feat(helm): update chart cilium to 1.14.4 #39

Conversation

renovate bot commented Jul 29, 2023 • edited Loading

Release Notes

v1.14.4

v1.14.3: 1.14.3

Summary of Changes

v1.14.2: 1.14.2

Summary of Changes

v1.14.1: 1.14.1

Summary of Changes

Configuration

renovate bot commented Jul 29, 2023 •

edited

Loading

`v1.14.4`

`v1.14.3`: 1.14.3

`v1.14.2`: 1.14.2

`v1.14.1`: 1.14.1