Update dependency cilium/cilium to v1.14.0 (!70) · Merge requests · foss / kubernetes / manifests

capriSys Renovate Bot requested to merge renovate/cilium-cilium-1.x into main Jul 27, 2023

This MR contains the following updates:

Package	Update	Change
cilium/cilium	minor	`v1.13.4` -> `v1.14.0`

Release Notes

cilium/cilium (cilium/cilium)

`v1.14.0`: 1.14.0

Compare Source

Changelog

The Cilium core team are excited to announce the Cilium 1.14 release. 🎉

⚠ Warning - IPsec ⚠

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Major Changes:

Add mtls-spiffe as auth mode in the CiliumNetworkPolicy (#24263, @meyskens)
Add support for Kubernetes v1.27 (#24837, @tklauser)
Add support for Kubernetes v1.27 (#25602, @nathanjsweet)
Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs (#24638, @pippolo84)
Add TLSRoute support to GatewayAPI (#25106, @meyskens)
Add WireGuard host2host and LB encryption (#19401, @brb)
Added L2 announcement feature (#25471, @dylandreimerink)
cilium: fib lookup consolidation (#23884, @borkmann)
cilium: IPv4 BIG TCP support (#26172, @borkmann)
Implement BPF-based masquerading for IPv6 (#23165, @qmonnet)
Introduce kvstoremesh, a clustermesh-apiserver companion component allowing to cache remote cluster information in the local kvstore for increased scalability and separation. (#26083, @giorio94)
Module Health: Add Health Provider/Reporter (#25662, @tommyp1ckles)
New high-scale ipcache mode to support clustermeshes with millions of pods. (#25148, @pchaigno)
Support DSR with Geneve dispatch in CNI mode (#23890, @ysksuzuki)
Support for deploying Cilium L7 Proxy (Envoy) independently as a separate DaemonSet for availability, performance, and security benefits. (#25081, @mhofstetter)
The Cilium operator now taints nodes where Cilium is scheduled to run but is not running. This prevents pods from being scheduled on nodes without Cilium. The CNI configuration file is no longer removed on agent shutdown. This means that pod deletion will always succeed; previously it would fail if Cilium was down for an upgrade. This should help prevent nodes accidentally entering an unmanageable state. It also means that nodes are not removed from cloud LoadBalancer backends during Cilium upgrades. (#23486, @squeed)

Minor Changes:

1. Add a new set of flags for CES work queue limit and burst rates, CESWriteQPSLimit to andCESWriteQPSBurst`. The processed work queue items always trigger a single CES create, update or write request to the kube-apiserver. The work queue rate limiting effectively limits the rate of writes to the kube-apiserver for CES api objects.
2. Set the default CESWriteQPSLimit to 10 and CESWriteQPSBurst to 20.
3. Set the maximums for qps 50 and burst 100. These values cannot be exceeded regardless of any configuration.
4. Unhide CESMaxCEPsInCES and CESSlicingMode flags from appearing in logs when CES is enabled. (#24675, @dlapcevic)
[SNAT] add "need to frag" ICMP support (#18414, @sahid)
Add --hubble-monitor-events flag, to control the event types that get to the hubble subsystem. (#24828, @epk)
Add a mechanism for the SPIRE server to signal rotated certificates for re-authenticating connections (#24300, @meyskens)
Add a SPIRE delegate API client to receive SPIFFE certificates for mTLS (#23968, @meyskens)
Add flag to administratively enable APIs on bootstrap (#25009, @joestringer)
Add flag to configure the size of the egress gateway policy map (#23019, @cyclinder)
Add hubble_lost_events_total metric for the number of events lost by Hubble. (#22865, @lambdanis)
add native tunnel encapsulation support for the XDP Loadbalancer (#24422, @julianwiedmann)
Add network policy auth method "always-fail" (#24609, @meyskens)
Add new logging format option, 'json-ts', for JSON formatted logs with timestamps (#24307, @learnitall)
Add option to remove query from HTTP flows (#25746, @ChrsMark)
Add pod-asymmetric context labeling that either uses pod or pod-short based on traffic direction. (#22731, @marqc)
Add Prometheus metrics support to clustermesh-apiserver (#25316, @giorio94)
Add support for allocating PodCIDRs from multiple IPAM pools (#22762, @gandro)
Add support for BGP graceful restart configuration via CiliumBGPPeeringPolicy CRD (#25660, @harsimran-pabla)
Add support for eBGP-multihop configuration for CiliumBGPNeighbor in CiliumBGPPeeringPolicy CRD (#25708, @rastislavs)
Add support for Hybrid mode when using DSR with Geneve dispatch. (#25553, @julianwiedmann)
Add support for load-balancing encapsulated requests in a configuration with high-scale ipcache. (#25854, @julianwiedmann)
Add support for load-balancing unencapsulated requests in a configuration with high-scale ipcache. (#25745, @julianwiedmann)
Add support for paginated lists in etcd, and propagate config options (#25469, @giorio94)
Add support for setting BGP timer parameters in CiliumBGPNeighbor CRD (#25408, @rastislavs)
Add support for the ingressclass.kubernetes.io/is-default-class annotation on Cilium's IngressClass (#23719, @meyskens)
Add tls-server-enforce-mtls flag to hubble-relay to enforce mTLS connection with clients. (Backport MR #26636, Upstream MR #25582, @marqc)
Added Gratuitous ARP Pod Announcements (#25482, @markpash)
Adds peerPort field to CiliumBGPPeeringPolicy for specifying the port of a BGP neighbor. If unspecified, port 179 is used. (#25809, @danehans)
agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead (#26036, @brb)
alibabacloud: Support selecting subnet by IDs (#23131, @jaffcheng)
Align selection of IP addresses used for masquerading and NodePort SNAT with Linux kernel behavior, by preferring addresses assigned to the interface earlier and filtering out secondary addresses. (#22866, @akhilles)
Allow Cilium Operator to restart any unmanaged pods via --pod-restart-selector, rather than just kube-dns pods (#22911, @lvyanru8200)
Allow devices from local route table to be used for datapath programs. (#24608, @oblazek)
Allow to use a Secret for the caBundle (#25728, @farcaller)
auth: Add spire identity registration for CiliumIdentity (#24471, @sayboras)
bgpv1: Consolidate CRD API to follow K8s API Conventions (#26040, @rastislavs)
BGPv1: Set N-bit in graceful restart capability negotiation. (#26325, @harsimran-pabla)
BPF NodePort is now enabled by default if CiliumEnvoyConfig is configured. (Backport MR #26636, Upstream MR #25901, @jrajahalme)
bpf, ipcache: unconditionally assume support for LPM trie maps (#24258, @tklauser)
Change cilium_host IPv6 address, use node router IPv6 instead of native node IPv6, and fixed several relative IPv6 issues. (#24208, @jschwinger233)
Change default helm value of authentication.mutual.spire.install.enabled to true (Backport MR #27038, Upstream MR #26864, @meyskens)
Cilium by default overwrites changes to its CNI configuration file. With this change, setting cni.exclusive to false disables this behavior. This is useful when additional plugins wish to chain after Cilium, such as Istio. (Backport MR #27038, Upstream MR #26773, @squeed)
Cilium L7 Proxy: Envoy config dump contains Cilium network policies (#25028, @mhofstetter)
Cilium now supports chaining with arbitrary CNI plugins. To use, set the Helm value cni.chainingTarget. (#24956, @squeed)
Cilium now waits longer before returning a failure in the event of a pod creation burst. (#25805, @squeed)
cilium/cmd: Remove deprecated policy_trace command (#23550, @sayboras)
clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25388, @giorio94)
clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25905, @giorio94)
clustermesh-apiserver: rework services synchronization to improve performance (#25260, @giorio94)
clustermesh: enable per-cluster RBAC in etcd server (#24284, @giorio94)
cmd/cleanup: add socketlb program cleanup (#25136, @rgo3)
cmd/service: unify service list/get output (#24136, @oblazek)
cmd: Add NodeEncryption status to the cilium status command (#24399, @romanspb80)
daemon: remove deprecated force-local-policy-eval-at-source option (#24727, @tklauser)
Deprecate --tunnel in favor of --routing-mode and --tunnel-protocol. (#24561, @pchaigno)
Deprecate CNP Node status updates. (#24464, @marseel)
Disable by default CNP Node Status GC in cilium-operator. (#24390, @marseel)
DNS Proxy binds to loopback interfaces only (#25309, @mhofstetter)
dns proxy: Only reuse DNS proxy port when it's free (#25466, @anfernee)
dns: Set --tofqdns-min-ttl to zero by default (#21439, @michi-covalent)
egressgw: add support for excludedCIDRs (#23448, @jibi)
Enable configuration of the source IP verification per endpoint (#23985, @pchaigno)
Enable endpoint routes + veth fast redirect support (#22006, @aspsk)
Enable update-ec2-adapter-limit-via-api by default (#24564, @christarazi)
Enabled cilium_bpf_map_pressure metric by default (#24721, @vishal-chdhry)
endpoint: omit pre-1.11 compatibility restoration symlink (#24730, @tklauser)
envoy: Add idle timeout configuration option (#25214, @sayboras)
envoy: Bump envoy to 1.24.2 (#23940, @sayboras)
envoy: Bump envoy to 1.24.3 (#24148, @sayboras)
envoy: Bump envoy to v1.25.4 (#24649, @sayboras)
envoy: Bump envoy to v1.25.8 (Backport MR #26887, Upstream MR #26815, @sayboras)
envoy: Bump envoy version to v1.25.5 (#24893, @sayboras)
envoy: Bump envoy version to v1.25.6 (#25165, @mhofstetter)
envoy: Bump envoy version to v1.25.7 (#25882, @mhofstetter)
envoy: Use embedded proxylib from cilium-proxy image (#26101, @sayboras)
etcd: extend rate limiting to consider the number of inflight requests (#25817, @giorio94)
Expand agent metric Policy Import Errors to count all policy changes (#23349, @dlapcevic)
Expose Cilium agent go runtime scheduler latency prometheus metric go_sched_latencies_seconds (#24745, @derailed)
Extend clustermesh status reporting with remote configuration and synchronization information (Backport MR #27069, Upstream MR #26788, @giorio94)
Extend the Helm chart to allow configuring kvstoremesh. (#26109, @giorio94)
feat: optional bpf mount (#24161, @frezbo)
Fix broken IPv6 connectivity from outside to NodePort service when L7 ingress policy applied by removing MROXY_RT route table. (#24882, @jschwinger233)
Fix CIDR json tag in CNP CIDRRule (#25617, @pippolo84)
Fix docker-cilium-image target for DOCKER_FLAGS=--push (#23679, @pippolo84)
Fix endpoint slices filtering to ensure we filter out headless services and continue to support older k8s versions where service labels are not propagated to endpoint slices (Backport MR #26799, Upstream MR #25351, @odinuge)
Fixed incorrectly rendered chart when specified both configMap and customConf (#25200, @marseel)
gateway-api: Bump version to v0.6.0 (#22680, @sayboras)
helm: Add CPU panel to Hubble L7 HTTP Workload dashboard (#24934, @chancez)
helm: Add SA to nodeinit ds (#24836, @darox)
helm: Allow node port allocation for Ingress LB service (Backport MR #26799, Upstream MR #26502, @sayboras)
helm: Bump default spire image version (#25444, @sayboras)
Helm: Clean up deprecated values (#24214, @qmonnet)
helm: deprecate clustermesh CA configuration in favor of the global CA configuration (#25010, @giorio94)
helm: Improve spire template (#25589, @sayboras)
helm: simplify TLS configuration of clustermesh peers (#24222, @giorio94)
helm: use Helm hooks instead of Job unique name (#23102, @sathieu)
High-Scale IPcache: Chapter 3 (#25438, @pchaigno)
hubble-relay: deprecate peer svc through local unix domain socket (#23407, @kaworu)
hubble: Add GetNamespaces to observer API (#25563, @chancez)
hubble: traffic direction filter (#24120, @kaworu)
identity/cache: fix panic when re-init of cache after close. (#25269, @tommyp1ckles)
Improve cilium monitor output for dropped packets: display source file names instead of numerical ids (#24143, @aspsk)
Increase the default CiliumEndpointSlice sync time from 0 to 500ms (#23615, @dlapcevic)
ingress: Default TLS certificate for ingress (#26065, @sathieu)
install/kubernetes: make image digests for all components optional & configurable (#22732, @rastislavs)
Integration of sample dashboards with Helm chart (#23794, @jcpunk)
Introduce the support for specifying a CA bundle in the helm chart (#24862, @giorio94)
ipam/crd: Add new flag for configuring CiliumNode update rate (#23017, @jaffcheng)
ipam: Add ability to automatically create CiliumPodIPPool resources in multi-pool IPAM mode (#25991, @gandro)
ipmasq: Add support for ip-masq-agent with IPv6 (#23219, @qmonnet)
ipsec, option: Make the IPsec key rotation delay configurable (#24811, @pchaigno)
Make Envoy sockets for tproxy and the xDS API and bind to localhost only (#24011, @meyskens)
metrics: Add k8s client rate limiter latency metric (#25555, @ysksuzuki)
metrics: support toggle bootstrap times metric via daemon config (#22643, @ArthurChiao)
Modify operator metric CES errors sync to count all CES sync events (#23335, @dlapcevic)
mtls: SPIRE server and agent installation (#24765, @sayboras)
multi-pool: Determine IP pool based on ipam.cilium.io/ip-pool annotation (#25511, @gandro)
mutual-auth: Avoid confusion on mTLS wording (#25761, @sayboras)
mutual-auth: Support spire k8s service dns resolution (#26031, @sayboras)
operator/ipam/metrics: Add new, more accurate, per-node available/used/needed metrics to deprecated existing ipam_ips metric. (#24776, @tommyp1ckles)
operator: Fix default API server addr in metrics subcommand (#26132, @pippolo84)
operator: proper rolling update (#23589, @mhofstetter)
option,helm: Add a flag to opt out from support for Kubernetes NetworkPolicy in Cilium (#23127, @ChengyuanLiCY)
policy: Derivative policies (policies for cloud provider-specific identities) for egress deny rules were not being generated, this has now been fixed. (#23927, @rockc2020)
Prepare Cilium API for IPAM pools (#24248, @tklauser)
Remove sockops-enable and friends (#23606, @mohit-marathe)
Rename the sec_label field in remote_endpoint_info structure to sec_identity (#25057, @ldelossa)
Replace wait-for-it in SPIRE setup with a busybox script (#24959, @meyskens)
Report the kernel error code in case of packet drops due to failures to create conntrack map entries. (#24716, @gentoo-root)
Report the kernel error code in case of packet drops due to failures to create NAT map entries. (#25883, @julianwiedmann)
Retire Cilium-Integrated Istio documentation (#25722, @networkop)
Return better error codes from hooked syscalls, such as connect() and bind(). (#22965, @gentoo-root)
Revert "Revert agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead" (#26496, @brb)
Set BGP IdleHoldTimeAfterReset to 5 seconds, session reset can happen on BGP peer configuration change. (#26001, @harsimran-pabla)
Significantly reduce Hubble flow traffic by transmitting only requested information (#23198, @AwesomePatrol)
spire: Add identity GC capability (#25867, @sayboras)
Support enable-endpoint-routes with enable-high-scale-ipcache. (#25601, @pchaigno)
Support defining IPAM pools using CiliumPodIPPool CRD (#25824, @tklauser)
Support externalTrafficPolicy=local for BGP CPlane service VIP advertisement (#25477, @YutaroHayakawa)
Support Gateway API v0.7.0 (#25711, @meyskens)
Support GENEVE encapsulation with high-scale ipcache. (#25591, @pchaigno)
Supports IPv4 ICMP "fragmentation needed" in egress SNAT (#25054, @liuyuan10)
sysdump: Added Kubernetes CNI logs to sysdump. (#23937, @marseel)
The Cilium agent now manages the CNI configuration file. This will allow for faster startup times when injecting Cilium as a chained plugin, such as with aws-cni. (#24389, @squeed)
The deprecated pod-short context option in Hubble metrics is now removed (#26125, @lambdanis)

Bugfixes:

Add drop notifications from various error paths in the BPF datapath. (Backport MR #27038, Upstream MR #26956, @julianwiedmann)
Add host-side interface info to cni.Result, which allows bandwidth CNI to work with Cilium (Backport MR #26636, Upstream MR #26518, @nayihz)
Added validation to ensure that enabling Ingress or Gateway API support while l7proxy is disabled will fail, as this is an incompatible configuration. (#25215, @youngnick)
auth: Switch to observing identity changes (Backport MR #26636, Upstream MR #26375, @mhofstetter)
bgpv1: Unconditionally select node when empty nodeSelector is given (Backport MR #26734, Upstream MR #26590, @YutaroHayakawa)
bpf/nat: fix current behavior that is silently ignoring errors in a revSNAT context (#19753, @sahid)
bpf: lb: deal with stale rev_nat_index after svc lookup in fallback path (#24757, @julianwiedmann)
bpf: nodeport: don't reset aggregate ID when revDNAT is called by bpf_lxc (#25929, @julianwiedmann)
bpf: nodeport: fix handling of stale CT entry with CT_REPLY (#23894, @julianwiedmann)
bpf: nodeport: fix up trace point in to-overlay NAT paths (#24886, @julianwiedmann)
Bugfix: Invert --hubble-monitor-events logic to be an allowlist (#25167, @epk)
Bypassing policy check for IPv6 NDP to fix broken pod-to-pod connectivity when per-endpoint route is enabled with policy. (#24919, @jschwinger233)
CIDRGroup reference metric will not count nonexistent CIDRGroups (#26133, @akstron)
client, health/client: set dummy host header on unix:// local communication (Backport MR #26838, Upstream MR #26800, @tklauser)
datapath: bigtcp: Fix the IPv4 BIG TCP may not work (#26336, @haiyuewa)
datapath: Do not send ICMP6 NA over cilium_wg0 (#23969, @brb)
datapath: Fix L7 reply to outside when endpoint routes disabled (#21980, @brb)
egressgw: fix race with endpoint deletion (Backport MR #27038, Upstream MR #26901, @jibi)
egressgw: retry getIdentityLabels on failure (Backport MR #26734, Upstream MR #26457, @jibi)
Fix a bug in the Egress Gateway feature when using the --install-egress-gateway-routes option. Delete stale IP rules after a CiliumEgressGatewayPolicy is updated and selects a different egress network interface. (Backport MR #27069, Upstream MR #26846, @julianwiedmann)
Fix a bug where datapath option DisableSipVerification can no longer be used. (#25533, @oblazek)
Fix broken IPv6 access to native node devices due to wrong source IPv6 of NA response. (#25329, @jschwinger233)
Fix bug in AlibabaCloud where instance type limits could not be determined (#25387, @haozhangami)
Fix bug that caused transient IPsec packet drops on upgrades when tunneling is enabled. (Backport MR #26914, Upstream MR #26708, @pchaigno)
Fix bug where bpf map entries may not be reliably dumped or garbage collected when the map is actively being updated. (Backport MR #26838, Upstream MR #26583, @tommyp1ckles)
Fix bug with toServices policy where service backend churn left stale CIDR identities (#25687, @christarazi)
Fix Cilium crash during network policy computation (#24322, @joestringer)
Fix compilation error when enabling Wireguard and XDP (#25734, @ysksuzuki)
Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (#25087, @joamaki)
Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (#23874, @sjdot)
Fix error propagation issue in clustermesh which prevented retrying on certain validation errors (Backport MR #26799, Upstream MR #26613, @giorio94)
Fix failure to load the datapath for new pods on latest kernel when (almost) all datapath features are enabled. (#24405, @borkmann)
Fix for Identities that can be deleted before CESs are reconciled (#25001, @dlapcevic)
Fix issue where Cilium ServiceAPI would ignore backend changes to services with backends that were used in several services and updated at least once (#24474, @strudelPi)
Fix issues that caused SPIRE not to install properly (#25160, @meyskens)
Fix missed deletion events when reconnecting to/disconnecting from remote clusters (identities) (#25677, @giorio94)
Fix missed deletion events when reconnecting to/disconnecting from remote clusters (ipcache entries) (#25675, @giorio94)
Fix missed deletion events when reconnecting to/disconnecting from remote clusters (nodes and services) (#25499, @giorio94)
Fix missing metric "cilium_services_events_total" (Backport MR #27038, Upstream MR #26719, @christarazi)
Fix operator entering broken state when it has outdated version of the CES in the cache. (Backport MR #27038, Upstream MR #26455, @alan-kut)
Fix panic due to nil-map assignment in l2announcer (#26315, @dylandreimerink)
Fix panic in hubble http v2 metrics (#24350, @chancez)
Fix possible connection drops on agents restart when a service is associated with multiple endpointslices or has backends across multiple clusters (Backport MR #27038, Upstream MR #26912, @giorio94)
Fix SNAT by the N/S load-balancer for fragmented IPv4 requests. (Backport MR #26636, Upstream MR #26550, @julianwiedmann)
Fix some test failures for bpf_nat_test.c (#24534, @YutaroHayakawa)
Fixed double metric accounting for k8s events (Backport MR #26636, Upstream MR #26349, @dylandreimerink)
Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport MR #26813, Upstream MR #26344, @jrajahalme)
Fixes an issue where SRv6 encapsulated packets are forwarded to the wrong layer 2 next hop. (#26136, @ldelossa)
Fixes issue in BGP reconciler when multiple pod cidr withdrawals are done. (#25320, @harsimran-pabla)
Handles nodeIP changes when CEPs are checkpointed to tmpfs and the nodeIP changes across a reboot. (#26281, @bprashanth)
helm: Fix a bug caused by incorrect indentation of the extraEnv parameter for Hubble UI backend (Backport MR #26914, Upstream MR #26797, @toVersus)
Implement OnAddNode handlers for CiliumNodeUpdater and EndpointManager (Backport MR #26734, Upstream MR #26484, @pippolo84)
ingress: Delay secret sync if not available (Backport MR #26995, Upstream MR #26988, @sayboras)
ipam/azure: fix crash due to race condition when handling new node. (Backport MR #27038, Upstream MR #26658, @tommyp1ckles)
iptables: Fix wrong use of podCIDR in cluster node NAT exclusion (#26397, @gandro)
Keep sync on deployed proxy ports when retrying proxy redirect creation. (#26343, @jrajahalme)
nat: fix usage in nat.h of csum.h module (#25576, @sahid)
Policy auth precedence fix (Backport MR #26813, Upstream MR #26331, @jrajahalme)
Removed unnecessary updates to service status by MetalLB (#23210, @ysksuzuki)
Revert "datapath: Remove 2005 route table" (#23346, @brb)
Solved an issue failing to forward traffic to Services if the Endpoint Slices had the same Address on different Slices (#24202, @aojea)
SPIRE Server image now is the value from the Helm values file (Backport MR #27038, Upstream MR #26911, @meyskens)
Support IPv4 DSR for packets with IP options. (#23810, @julianwiedmann)
Temporarily disable bpf-clock-probe to avoid causing interruptions for long-lived connections during upgrades (Backport MR #27033, Upstream MR #26981, @margamanterola)
test/controlplane: Disable endpoint GC (#26383, @pippolo84)
test: bigtcp: Update the BIG TCP checking message (#26377, @haiyuewa)
The operator now reconciles duplicate entries in a CiliumEndpointSlice on startup. (#24596, @alan-kut)
Updates TransformXXX Functions in k8s pkg (#26244, @danehans)
Validate "ownership" of hostPort service being deleted (Backport MR #26734, Upstream MR #22587, @yasz24)

CI Changes:

.github/workflows: add JUnit tag on workflows that have JUnits (#25930, @aanm)
.github/workflows: add missing GH action version annotations (#25369, @tklauser)
.github/workflows: let renovate update kind (#26312, @tklauser)
.github/workflows: let renovate update kind in ingress workflow (#26390, @tklauser)
.github/workflows: re-enable coverage in BPF tests (#23291, @tklauser)
.github/workflows: run datapath complexity tests directly in VM (#24117, @tklauser)
.github/workflows: use Helm mode cilium-cli in K8sUpstreamNetConformance (Backport MR #26734, Upstream MR #26692, @tklauser)
.github: add 'name' field for the conformance-e2e job (Backport MR #26838, Upstream MR #26791, @aanm)
.github: add cilium sysdump to test artifacts (#26143, @aanm)
.github: add missing job to check for code changes (#25926, @aanm)
.github: Clean up RBAC artifacts for v1.13 CI (#22823, @joestringer)
.github: Fail if print-chart-version.sh fails or does not exist (#26086, @chancez)
.github: Fix chart push on forks (#25274, @chancez)
.github: Pin docker buildx version to v0.9.1 (#23206, @joestringer)
.github: Rename failure step in actions (#24437, @joestringer)
.github: run scruffy for cilium/cilium only (#25772, @aanm)
.github: simplify conformance-runtime workflow (#25955, @aanm)
[UT]improve network_policy_test.go for apiversion (#22591, @my-git9)
Add 1.13 conformance test (#24033, @aanm)
Add BPF unit tests for IPsec (#25699, @jschwinger233)
Add checker to verify if comments from ginkgo GH workflows are in sync (#25971, @aanm)
Add container image scanning to Cilium images. (#26489, @ferozsalam)
Add improvements in Conformance Runtime (#25797, @aanm)
Add initial fuzz coverage of linux node handler. (#22577, @AdamKorcz)
Add schema validation for configuration-matrix files (#26081, @aanm)
Always use the 8.8.8.8 DNS resolver in kind (#24713, @aspsk)
ariane: don't skip verifier and l4lb tests on vendor/ changes (Backport MR #26734, Upstream MR #26715, @tklauser)
bgp,test: Properly wait for FRR container to be ready (#25777, @YutaroHayakawa)
bgpv1: Avoid ports from common ip_local_port_range in unit tests (#26174, @rastislavs)
bgpv1: Exercise HoldTime in Test_NeighborAddDel (#25760, @rastislavs)
bgpv1: Extend the timeout for the Test_NeighborAddDel test (#25970, @rastislavs)
bgpv1: Retry peer checks in NeighborAddDel test to avoid flakes (#25641, @rastislavs)
bpf unit tests: Run tests on changes to pks/bpf/** (#25911, @qmonnet)
bpf,test: Add an option to disable coverage report per file (#24338, @YutaroHayakawa)
bpf/test: Get rid of 4.9 leftovers (#23399, @brb)
bpf: Cover high-scale IPcache in complexity tests (#25592, @pchaigno)
bpf: inline test functions with ctx as input (#24662, @anfernee)
bpf: test: add some IPv6 DSR integration tests (#25443, @julianwiedmann)
bpf: test: fix pktgen for IPv6 NEXTHDR_DEST option (#26151, @julianwiedmann)
bpf: tests: pktgen infra for tunneling + GENEVE-DSR test (#26301, @julianwiedmann)
bpf: Update checkpatch image (#24215, @qmonnet)
bpf: Various fixes for MAX_*_OPTIONS and support for 5.10 (#24122, @pchaigno)
build: Generate SBOM during image release (#23221, @joestringer)
CI / Kind enhancements (#24714, @aanm)
CI Workflow: Add all AWS supported k8s versions (#26361, @brlbil)
CI Workflow: Add all Azure supported k8s versions (#26356, @brlbil)
CI Workflow: Add all GKE supported k8s version (#26364, @brlbil)
CI Workflows: Fix matrix generation (#26406, @brlbil)
CI Workflows: Fix sysdump file creation (#26402, @brlbil)
CI Workflows: Fix sysdump name typo (#26415, @brlbil)
ci-aks, ci-external-workloads: Use cilium-cli Helm mode (#26382, @michi-covalent)
ci-datapath: Enable IPV6 masquerading when KMR=off (#25111, @brb)
ci-datapath: Fix issue where test were wrongly reported as passing (#24813, @gandro)
ci-datapath: Use QUAY_ORGANIZATION_DEV for Quay org name (#25052, @michi-covalent)
ci-e2e-v1.13: Fix workflow (#25412, @brb)
ci-e2e: backport changes in conformance-e2e into v1.13 tests (#25386, @brb)
ci-e2e: Bump cilium-cli v0.1.4.5 (#25672, @brb)
ci-e2e: Bump CLI version to v0.14.8 (#26475, @brb)
ci-e2e: Enable --debug when running with EGW (#25789, @brb)
ci-e2e: Increase hubble buffer capacity (#25710, @brb)
ci-e2e: Run cilium-cli in Helm mode (#25780, @brb)
ci-gke: Set useDigest=false for Hubble Relay (Backport MR #26914, Upstream MR #26890, @gandro)
ci-l4lb-v1.1{1,2}: Remove helm charts (#25529, @brb)
ci-multi-pool: Use ip-masq-agent for masquerading (Backport MR #26636, Upstream MR #26538, @gandro)
ci-verifier: run verifier tests directly on VM instead of containerized (#26509, @ti-mo)
ci/github: Set useDigest=false for Hubble Relay (Backport MR #26887, Upstream MR #26869, @gandro)
ci/multicluster: Re-enable WireGuard testing (#22815, @gandro)
CI: Add JUnit reports upload (#25801, @brlbil)
ci: Add workflow for testing multi-pool IPAM (#26175, @gandro)
ci: Disable WireGuard in ci-multicluster again (#23045, @gandro)
ci: Disable wireguard in v1.13 conformance datapath (#24804, @pippolo84)
ci: don't use ./contrib/scripts/kind.sh --xdp in 1.13 workflow (#24611, @tklauser)
ci: fix Azure cluster names sometimes being too long (Backport MR #27038, Upstream MR #26933, @nbusseneau)
ci: fix Cilium CLI install in ConformanceKindEnvoyDaemonSet (#25459, @nbusseneau)
ci: fix clustermesh worfklows on stable branches (#25089, @nbusseneau)
ci: fix datapath complexity workflow (#24528, @tklauser)
ci: fix gke network starvation (#25597, @brlbil)
ci: fix missing timeout in Cyclonus test (#24529, @nbusseneau)
ci: fix status reporting in the ci-multicluster test (#24784, @giorio94)
ci: github actions job to run kubernetes upstream conformance tests (#25913, @aojea)
ci: Mark skipped matrix workflows as successful (#24922, @gandro)
ci: move 4.19 complexity tests to tests-datapath-verifier GHA workflow (#24517, @tklauser)
ci: quarantine K8sAgentIstioTest (#24476, @nbusseneau)
ci: remove GKE from Jenkins jobs (#23826, @nbusseneau)
ci: remove test namespace deletion workaround in GKE v1.12 workflow (#22655, @tklauser)
ci: replace deprecated set-output command in integraton test workflow (#23633, @tklauser)
CI: run integration-tests on test changes in MRs (#26405, @marseel)
CI: Stabilize ConformanceKindEnvoyDaemonSet (#26260, @mhofstetter)
ci: update cilium-cli to v0.12.12 (#23030, @tklauser)
CI: Verifier tests: Keep generated object files and logs on test failure (#25862, @qmonnet)
CI: wait for cilium to become ready in conformance-{aks,gke} before port forward relay (#25839, @learnitall)
cocci: Fix Python path for coccilib (#24430, @qmonnet)
CODEOWNERS: Add sig-foundations (#24976, @joamaki)
conformance-k8s-kind: disable kindnet, enable log dumping (#24982, @squeed)
conformance-k8s-kind: Use Helm mode cilium-cli (#25916, @michi-covalent)
conformance-runtime: Bump timeout to wait for images (#25947, @michi-covalent)
contrib/kind: no longer create local docker registry (#24541, @squeed)
datapath/linux/ethtool: deflake TestIsVirtualDriver (#26027, @tklauser)
datapath/linux/route: fix CI expectations for rule string format (#24577, @NikAleksandrov)
Disable failing encryption connectivity tests on GKE (#23183, @brlbil)
docs: add documentation for Ginkgo-based GHA (#26055, @aanm)
docs: Run rstcheck on the README.rst (#26454, @qmonnet)
docs: Update external workloads instructions (Backport MR #26734, Upstream MR #26607, @michi-covalent)
Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based one (#24996, @giorio94)
Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based ones (stable branches) (#26188, @giorio94)
drop v1.10 support for eks tests (#24037, @aanm)
egressgw: switch to Cilium CLI connectivity tests (#25719, @jibi)
Enable egress gateway in datapath CI (#24210, @lmb)
Enable loadBalancer.acceleration=testing-only in some datapath conformance cases (#24738, @lmb)
Enable previously disabled encryption tests on GKE (#24603, @brlbil)
Enable testing of BPF programs requiring XDP_TX in CI (#24250, @lmb)
Fix broken target_url for conformance-clustermesh (#24315, @YutaroHayakawa)
Fix execution of coccinelle checks (#24392, @qmonnet)
Fix external-contribution-label workflow renovate tag (#25429, @chancez)
Fix k8s podCIDRs for vagrant deployment (#22786, @romanspb80)
Fix potential panic logic for checker.go (#22354, @yanggangtony)
Fix verifier issues in IPv6 BPF tests (#25191, @dylandreimerink)
Fixed flake in pkg/hive/job tests. (#25293, @dylandreimerink)
Fixed TestTimer_ExitOnCloseFnCtx channel close panic (#25211, @dylandreimerink)
fuzzing: modify oss-fuzz build script (#24262, @AdamKorcz)
gateway-api: Add tests for standard CRD (#26372, @sayboras)
gateway-api: Enable HTTMRouteListenerHostnameMatching test (#26226, @sayboras)
gateway-api: Fix flaky conformance tests (#24317, @sayboras)
gh/workflow: change multicluster GKE cluster provisioning to none blocking mode (#25394, @brlbil)
gh/workflow: Reintroduce running GKE workflows in matrix strategy (#25654, @brlbil)
gh/workflow: Remove specific GKE 1.24.5 version (#23164, @brlbil)
gh/workflow: Run GKE workflow in matrix strategy (#25364, @brlbil)
gh/workflows: Enable Host FW in ci-dp (#24429, @brb)
gh/workflows: Fix encryption installation in ci-datapath (#23325, @brb)
gh/workflows: Optionally enable dual stack in ci-e2e (Backport MR #26914, Upstream MR #26856, @brb)
gh/workflows: Remove conformance-kind (#25707, @brb)
gh/workflows: Rename ci-datapath to ci-e2e (#25164, @brb)
gh/workflows: Split ci-dp encrypt tests into separate matrix configs (#24296, @brb)
gh/workflows: Use 2023042.212204 LVH images (#25681, @brb)
gh/workflows: Use cilium-cli GHA to install CLI exec (#25228, @brb)
gha: Bump timeout to 90 minutes for build commit. (#23996, @sayboras)
gha: Clean-up Ingress job configuration (#25311, @sayboras)
gha: enable debug logs in conformance-clustermesh workflows (#26186, @giorio94)
gha: Increase Ingress status wait time (#26219, @sayboras)
gha: Move to helm install mode for Gateway API jobs (#25608, @sayboras)
gha: Move to helm mode for aws-cni, eks, gke (#25820, @sayboras)
gha: Run integration tests in GHA (#22900, @sayboras)
gha: Run kubernetes Conformance and SIG-network tests (#24209, @aojea)
gha: test kvstoremesh in conformance-clustermesh (#26223, @giorio94)
gha: test the different auth modes in conformance-clustermesh (#26252, @giorio94)
gha: use Cilium CLI Helm mode for conformance-clustermesh (#25834, @giorio94)
github/workflows: Enable DSR with WireGuard in ci-dp (#25039, @brb)
Improve golangci-lint usage (#25157, @joestringer)
Improved reliability of pkg/hive/job timer double trigger unit test (#26022, @dylandreimerink)
kind: Bump k8s version to 1.27.0 (#24841, @sayboras)
kludge: hardcode Google Cloud SDK key due to error 500 (#24045, @nbusseneau)
kvstore: fix TestWorkqueueSyncStoreMetrics flake (#25706, @giorio94)
Let renovatebot update Go toolchain version in a single MR (#24895, @tklauser)
lint: enable gosec G402 (minimum TLS version) (#23247, @kaworu)
Make CI test resources unique for retries. (#25990, @viktor-kurchenko)
Make it easier to migrate off of gopkg.in/check.v1 (#25484, @lmb)
Migrate L7 TLS Ginkgo tests to cilium-cli (#24414, @meyskens)
mirror: Only run on cilium/cilium (#25179, @michi-covalent)
Mitigate GKE workflow flake (#24755, @brlbil)
mlh: update Jenkins jobs following 1.27 support (#24983, @nbusseneau)
mlh: update Jenkins jobs following removal of kernel 4.9 support (#23822, @nbusseneau)
mlh: update Jenkins jobs names (master > main) (#24958, @nbusseneau)
Move datapath verifier tests into GH actions workflow (#22754, @tklauser)
NONE (#25258, @aojea)
pin managed clusters' K8s version on stable branches (#22724, @nbusseneau)
pkg/k8s: Clean-up: Remove duplicate package import in pkg/k8s/factory_functions_test.go (#23433, @my-git9)
policy: add two more fuzzers (#22336, @AdamKorcz)
Quarantine "K8sDatapathConfig Iptables Skip conntrack for pod traffic test. (#23824, @marseel)
renovate: Add explicit gitAuthor (#24739, @gandro)
renovate: add packageRule group for cilium-cli (#24725, @tklauser)
renovate: Add packageRule group for Hubble CLI (#24637, @gandro)
renovate: automate golangci-lint upgrades (#24664, @mhofstetter)
renovate: ignore ginkgo updates (#26423, @tklauser)
renovate: Update builder and runtime images once a week (#24846, @michi-covalent)
renovate: Update Dockerfiles that use golang image weekly (#24877, @michi-covalent)
replace cilium/customvet by cilium/linters (Backport MR #26799, Upstream MR #26755, @rolinh)
Replace integration_tests build tag with INTEGRATION_TESTS env (#24925, @ti-mo)
resource: Work around a rare race in initial sync (#23292, @joamaki)
Revert ".github/workflows: run datapath complexity tests directly in VM" (#24535, @tklauser)
Revert "build: Generate SBOM during image release" (#23204, @ldelossa)
Revert "gh/workflow: Run GKE workflow in matrix strategy" (#25464, @thorn3r)
Revert "Use workflow configuration variables for quay organization na… (#23169, @michi-covalent)
Run all ginkgo tests on GitHub actions (#25713, @aanm)
Run latest fuzzers in OSS-Fuzz (#22580, @AdamKorcz)
Set CILIUM_CLI_MODE env variable at the top level (#26387, @michi-covalent)
Set CILIUM_CLI_MODE env variable at the top level (#26404, @michi-covalent)
Set VERSION to 1.14.0-dev (#25237, @michi-covalent)
test, jenkinsfile: Clean up natnetworks in CI after test run (#22704, @pchaigno)
test/k8s: quarantine High-scale IPcache test (#25668, @aanm)
test/k8s: remove istio.go test (#24894, @aanm)
test/k8s: remove k8s agent health tests (#24433, @tklauser)
test/nat46x64: silence curl output (#26024, @tklauser)
test/Updates: Explicit error message on failure (#24920, @pchaigno)
test/Vagrantfile: Debug information for natnetwork (#22675, @pchaigno)
test/Vagrantfile: Don't hide natnetwork errors (#22702, @pchaigno)
test/verifier: Fix compilation command (#24412, @pchaigno)
test: add cluster mesh conformance tests with Kind (#23496, @giorio94)
test: add comments for NFS's IP ranges on local CI VM scripts (#22934, @Shunpoco)
test: Avoid spamming logs in monitor aggregation test (#25152, @pchaigno)
test: Block HubbleObserveFollow until ready (#25090, @pchaigno)
test: Bump timeout of service plumbing check (#23439, @pchaigno)
test: Cleanup ginkgo test artifacts (#25833, @pchaigno)
test: Dump VirtualBox version used in CI jobs (#22701, @pchaigno)
test: Enable Envoy trace logs for TLS test (#22646, @jrajahalme)
test: Enable IPv6 masq for IPsec (#24885, @jschwinger233)
test: ensure cleanup in hubble "test L7 flow" (#23525, @giorio94)
test: Exclude per-endpoint object files from artifacts (#23382, @pchaigno)
test: Fix consistent failure in IPv6 masquerading test (#25036, @pchaigno)
test: Fix the attempted fix for the hostfw flake (#26362, @pchaigno)
test: gather containerd logs on failure (#24133, @squeed)
test: remove govalidator dependency (#25314, @rolinh)
test: Remove RuntimeDatapathLB (#24245, @brb)
test: Remove unused SkipGKEQuarantined helper (#23354, @pchaigno)
test: Unquarantine IPv6 masquerading test (#25149, @pchaigno)
test: Unquarantine K8sDatapathConfig Encapsulation (#22674, @pchaigno)
test: Unquarantine tests for iptables-based masquerading (#23228, @pchaigno)
test: Unquarantine working FQDN test (#23357, @pchaigno)
tests: quarantine services nodeport w/ L7 policy test. (#25236, @tommyp1ckles)
tests: small fixups for the GENEVE-DSR e2e tests (#25062, @julianwiedmann)
Transfer Runtime tests to GitHub actions (#25516, @aanm)
travis: Run on main branch (#25108, @pchaigno)
Trigger required workflows using Ariane (Backport MR #27097, Upstream MR #27002, @michi-covalent)
Update EKS conformance tests to use both amd64 and arm64 hosts. (#24853, @chancez)
Update image registry to quay.io (#23093, @obaranov1)
Update push-chart workflow concurrency group (#25431, @chancez)
Use cilium-cli latest stable version in conformance-datapath workflows (#24809, @pippolo84)
Use cli-based Helm install for tests-smoke conformance workflow (#25493, @bleggett)
Use CLI-based Helm installation for ingress tests (#25609, @dhawton)
Use workflow configuration variables for quay organization names (#23145, @michi-covalent)
v1.14: ci: use Ariane to trigger workflows (#26625, @nbusseneau)
vagrant: bump box versions to pick up Go 1.20.1 (#23983, @tklauser)
vagrant: Bump Vagrant box versions (#24984, @pchaigno)
vagrant: Bump VM images to the latest versions (#22781, @pchaigno)
vagrant: Default to 4.19 (#24950, @pchaigno)
workflow: Cover VXLAN + IPsec + endpoint routes in datapath tests (#23396, @pchaigno)
workflow: Disable monitor aggregation in IPv6 smoke test (#23816, @pchaigno)
workflow: enable pod-to-cidr tests (#23986, @brlbil)
workflow: enable pod-to-world tests (#23103, @brlbil)
workflow: Reenable L7 tests on EKS + IPsec (#22617, @pchaigno)
workflows/clustermesh: set kubectl version to match the one of the kubernetes cluster (#25221, @giorio94)
workflows/datapath: Fix always-passing step (#24918, @pchaigno)
workflows/externalworkload: Avoid using --config when unnecessary (#24567, @pchaigno)
workflows/k8skind: Disable the flaky Aggregator test (#24989, @pchaigno)
workflows/push charts: Checkout main branch before set-env-variables (#25296, @chancez)
workflows: add the kind-based clustermesh conformance test for stable branches (#25029, @giorio94)
workflows: add trigger sentence in ci-verifier workflow file (#23587, @kaworu)
workflows: Cover IPsec + GENEVE (#24125, @pchaigno)
workflows: e2e: bump Cilium CLI to v0.14.2 (#25194, @jibi)
workflows: e2e: bump max-parallel to 16 (#25763, @jibi)
workflows: Fix owner tag for stable branch workflows (#25158, @pchaigno)
workflows: l4lb/verifier: fix skip-test-run job (#24072, @jibi)
workflows: l4lb/verifier: replace tabs with spaces (#24108, @jibi)
workflows: Pin gke to 1.24.5 (#22798, @joamaki)
workflows: Run stable branches' L4LB workflows on a schedule (#25080, @pchaigno)
workflows: Run stable branches' workflows on a schedule (#24991, @pchaigno)

Misc Changes:

.gitattributes: Highlight Jenkinsfiles as Groovy (#23435, @pchaigno)
.gitattributes: Mark install/kubernetes/cilium/README.md as generated (#24295, @qmonnet)
.gitattributes: Mark install/kubernetes/cilium/values.yaml as generated (#24007, @qmonnet)
.github: add dedicated job to wait for images (#26184, @aanm)
.github: Add mirror from main -> master (#24941, @joestringer)
.github: add renovate/stop-updating label on renovate's MRs (#25649, @aanm)
.github: fix renovate docker image update (#23229, @aanm)
.github: fix renovate's config file (#23231, @aanm)
.github: Improve mirror workflow (#24962, @joestringer)
.github: Push Helm charts for hotfixes (#25836, @joestringer)
.github: rebuild ginkgo tests in case of cache miss (#26263, @aanm)
.github: refactor job matrix generation into YAML files (#26019, @aanm)
.github: set right project to track v1.13 backport MRs (#24157, @aanm)
@errordeveloper is no longer an active committer (#23293, @errordeveloper)
[cilium cmd] fix wrong notes. (#22871, @yanggangtony)
[cilium-cmd bpf-metrics-list] return first when []*metricsRow is nil. (#22873, @yanggangtony)
[UT] k8s/utils/util.go ut enhancement (#23680, @my-git9)
dev-doctor - if path to go.mod invalid, look in current directory (#25327, @bleggett)
A few cleanups for per-cluster CT/SNAT maps (#25712, @YutaroHayakawa)
Add a hint about using Vagrant on Apple Silicon (#24626, @brandshaide)
Add a package for slices utilities (#25069, @pippolo84)
Add Ascend.io to USERS.md (#24775, @thejosephstevens)
Add Back Market in the USERS list (#26413, @NitriKx)
add better errors for our calls to Setsockopt() (#24287, @squeed)
Add BPF test facility to test skb->cb (#24181, @YutaroHayakawa)
Add Cistec User (#25104, @olinux-dev)
add CNCF Resources and Link CoC to Governance docs (#23689, @xmulligan)
Add configuration docs for API restrictions (#24968, @joestringer)
add Cosmonic to the Users file (#23290, @xmulligan)
Add detailed panic messages for slim ObjectMeta and ListMeta (#25107, @hemanthmalla)
Add documentation about kvstoremesh (#26348, @giorio94)
Add fuzzer for pkg/fqdn (#22519, @AdamKorcz)
add helm option to customize nodeinit scripts (#24375, @mblaschke)
Add helm values for K8s API server client rate limits and instructions on how to size them when using L2 announcements. (Backport MR #26799, Upstream MR #26711, @dylandreimerink)
Add information about securing access to Cilium pods and provide a single page security reference (#23599, @zacharysarah)
Add kernel.org's .clang-format for editor-agnostic C formatting hints (#25488, @bleggett)
Add kvstoremesh Dockerfile and build images through the CI (#26106, @giorio94)
Add L2 responder map dumping to sysdump (Backport MR #26734, Upstream MR #26667, @dylandreimerink)
Add link to threat model in security policy (#24673, @ferozsalam)
Add Lorenz Bauer to committers (#24864, @xmulligan)
Add make commands for setting up clustermesh in kind (#24190, @marseel)
Add microsoft as user to cilium (#25838, @tamilmani1989)
Add missing LB IPAM description in the operator document (#25696, @YutaroHayakawa)
Add Palark GmbH to USERS.md (#24421, @shurup)
Add Proton to USERS (#24636, @MrFreezeex)
add renovate support for go mod (#23864, @aanm)
Add Robinhood Markets to Cilium USERS.md (#24026, @madhusudancs)
Add S&P Global to Users (#23700, @xmulligan)
Add the tunnel values to the config map even when the default values are used. (Backport MR #26838, Upstream MR #26712, @3u13r)
add toEntities/fromEntities CRD description missing options (#22279, @slayer321)
Add top level make run_bpf_tests target to run eBPF unit tests in the Cilium builder container (#25173, @ldelossa)
Add User DaimlerTruck AG (#24408, @brandshaide)
Add User doc to MR Template (#24186, @xmulligan)
add versioning schema for WireGuard in Renovate (#24015, @aanm)
Add Zero Hash to Cilium users (#25987, @eugenestarchenko)
Added ClickHouse to users (#24532, @tsolodov)
Added a new job group system to manage the lifecycle of jobs within cells (#24558, @dylandreimerink)
Added gARP capability to L2 announcer feature (#25933, @dylandreimerink)
Added link to CFP Design repo (#23792, @xmulligan)
Added metrics for pkg/k8s/resource (#26269, @dylandreimerink)
Adding Eficode to USERS.md (#25931, @punasusi)
Adding eni limits for missing aws instances of families c7g, m6idn, m6in, m7g, r6idn, r6in, and r7g` (#23835, @muratso)
Adding United Cloud to adopters list (#25084, @carnerito)
Adds a new NOTRACK rule for node-local-dns (#24230, @Weil0ng)
Agent: add support for watching kvstoremesh prefixes (#26154, @giorio94)
Alibabacloud API request performance improvements (#22478, @jaffcheng)
alignchecker: fully parse structures (#24365, @aspsk)
api: Add libraries to Pascalify API endpoints (#24967, @joestringer)
Auth Map: Initial Garbage Collection (#25754, @mhofstetter)
Auth use signalmap (#25284, @jrajahalme)
auth: add missing config values to helm values (#25973, @mhofstetter)
auth: add missing stream package import (#26018, @giorio94)
auth: auth map cache (#25634, @mhofstetter)
auth: define auth handlers as private hive cell (#24074, @mhofstetter)
auth: delete cache-entry on ErrKeyNotExist (#26342, @mhofstetter)
auth: display textual representation of auth type in authKey.String() (#26525, @mhofstetter)
auth: Enable ClusterFirstWithHostNet dnsPolicy conditionally (#24803, @sayboras)
auth: feature flag for authentication (#26208, @mhofstetter)
auth: fix initial k8s events sync in auth map gc (#26059, @mhofstetter)
auth: implement re-authentication in case of rotated certificates (#25927, @mhofstetter)
auth: introduce hive cell (modularization) (#24041, @mhofstetter)
auth: optimize log output for pending auth (Backport MR #26734, Upstream MR #26642, @mhofstetter)
auth: policy based auth map GC (#26068, @mhofstetter)
auth: streamline logging (#25965, @mhofstetter)
auth: temporarily disable node-based auth gc (#26073, @mhofstetter)
auth: Use authmap for auth_required policies (#24410, @jrajahalme)
auth: use NodeManager instead of k8s.CiliumNodeResource in auth gc (Backport MR #26636, Upstream MR #26592, @mhofstetter)
AWS CNI v1.12 Cilium install fixed. (#26084, @viktor-kurchenko)
Backport the 64-bit stack alignment patch for LLVM, which is expected on all modern kernel versions. (#25338, @gentoo-root)
backporting: Fix pattern to handle commit subjects that begin with a space (#25653, @gentoo-root)
BGP CP: Adds Intro to Docs (#26195, @danehans)
BGP CP: Updates docs for PeerPort (#25876, @danehans)
bgpv1: component test framework (#25362, @harsimran-pabla)
bgpv1: Documentation update to reflect current architecture (#25954, @harsimran-pabla)
bgpv1: Don't use net package for addressing (#25313, @YutaroHayakawa)
bgpv1: Fix use of k8s.LocalNodeResource and LocalCiliumNodeResource types (#25615, @joamaki)
bgpv1: graceful restart component test (#25914, @harsimran-pabla)
BGPv1: Introduce generic bgp manager layer (#25016, @harsimran-pabla)
bgpv1: pass router state to gobgp (#26194, @harsimran-pabla)
bgpv1: Reset BGP session in UpdateNeighbor if necessary (#25827, @rastislavs)
bgpv1: set correct upper limits to BPG timers and GR restart time (Backport MR #26636, Upstream MR #26534, @harsimran-pabla)
bgpv1: use slim_core_v1 node instead of corev1 in test fixtures (#25625, @harsimran-pabla)
bom: update to version 0.5.1 (#25451, @mhofstetter)
bpf & envoy: Add support for authentication on ingress policies (#23839, @mhofstetter)
bpf, cilium/cmd: remove unused hidden cilium bpf migrate-map sub-command (#25196, @tklauser)
bpf, datapath: unconditionally assume support for direct access to map values (#24504, @tklauser)
bpf, datapath: unconditionally assume support for LRU hash maps (#24378, @tklauser)
bpf, ebpf: remove GetMapType() and mock probing (#23634, @rgo3)
bpf, ipcache: unconditionally assume LPM trie delete/dump support (#24377, @tklauser)
bpf/init.sh: move node config generation to Go (#25380, @rgo3)
bpf/Makefile: Delete duplicate LB_OPTIONS in Makefile (#24883, @jschwinger233)
bpf/makefile: fix spelling issue and make it clear which bear cli. (#25273, @tommyp1ckles)
bpf/nat: remove unnecessary nexthdr variable (#24537, @sahid)
bpf/wireguard: Skip encryption for cluster-external traffic (#24586, @pchaigno)
bpf: add drop reason for TTL exceeded (Backport MR #27038, Upstream MR #26884, @julianwiedmann)
bpf: add new macro __section_entry (#26123, @Jack-R-lantern)
bpf: clean up some revalidate_data() users (#25337, @julianwiedmann)
bpf: Consistent usage of MARK_MAGIC_ constants (#23125, @pchaigno)
bpf: dsr: fix IPIP health-encap on older kernels (Backport MR #26636, Upstream MR #26609, @julianwiedmann)
bpf: encap: endianness cleanups (#23931, @julianwiedmann)
bpf: encap: send TO_OVERLAY trace before adding encapsulation (#25828, @julianwiedmann)
bpf: fib: delay smac selection until fib_do_redirect() has picked the oif (#26290, @julianwiedmann)
bpf: Fix VTEP compilation error (#24152, @pchaigno)
bpf: fixes for IPv6 revNAT (#24610, @julianwiedmann)
bpf: handle VLAN before XDP meta-data in from-netdev (#24063, @julianwiedmann)
bpf: init.sh: rename TUNNEL_MODE variable to TUNNEL_MROTOCOL (#24969, @julianwiedmann)
bpf: Inter-cluster SNAT with ClusterIP global service (#24212, @YutaroHayakawa)
bpf: Introduce per-cluster conntrack maps (#22857, @YutaroHayakawa)
bpf: L3 cleanups (#23876, @julianwiedmann)
bpf: lb: clean up IPv4 loopback handling (#25456, @julianwiedmann)
bpf: lb: minor cleanups (#26216, @julianwiedmann)
bpf: lb: misc cleanups (#25372, @julianwiedmann)
bpf: lb: small cleanups (#24320, @julianwiedmann)
bpf: minor HostFW cleanups (#25881, @julianwiedmann)
bpf: minor improvements to XDP punt with XFER_PKT_NO_SVC (#23106, @julianwiedmann)
bpf: minor LB cleanups (#25061, @julianwiedmann)
bpf: misc cleanups (#24291, @julianwiedmann)
bpf: misc CT cleanups (#26104, @julianwiedmann)
bpf: nat: consistently use has_l4_header in IPv4 SNAT path (#25741, @julianwiedmann)
bpf: nat: fix build error in snat_v6_prepare_state() (#26510, @julianwiedmann)
bpf: nat: fix L4 csum case in ingress path for ICMP-embedded SCTP (#25315, @julianwiedmann)
bpf: nat: reduce CT lookup scope (#25917, @julianwiedmann)
bpf: nat: remove unused ct_delete*() helpers (#26076, @julianwiedmann)
bpf: nat: tolerate unhandled protocol types in revSNAT path (#25740, @julianwiedmann)
bpf: nodeport cleanups (#23965, @julianwiedmann)
bpf: nodeport: don't set .addr in revSNAT target (#25381, @julianwiedmann)
bpf: nodeport: don't track L2 addr for connection to local backend (#24324, @julianwiedmann)
bpf: nodeport: handle result from encap ctx_redirect() in revDNAT path (#25058, @julianwiedmann)
bpf: nodeport: only set outer src IP for tunnel encap in XDP (Backport MR #26799, Upstream MR #26726, @julianwiedmann)
bpf: nodeport: reduce CT lookup scope (#25826, @julianwiedmann)
bpf: nodeport: remove lb4_populate_ports() (#25063, @julianwiedmann)
bpf: nodeport: SNAT before adding tunnel info in NAT egress path (#25305, @julianwiedmann)
bpf: nodeport: trivial cleanups (#24732, @julianwiedmann)
bpf: nodeport: wire up ext_err in revSNAT path (#25406, @julianwiedmann)
bpf: remove a redundant IPcache lookup in from-host (#24107, @julianwiedmann)
bpf: Remove dead code for consistency between IPv4/v6 (#24008, @pchaigno)
bpf: Remove flowlabel optimization for identity (#23795, @pchaigno)
bpf: remove MapInfo, DumpParser and MapKey/Value DeepCopy (#25792, @ti-mo)
bpf: remove redundant policy_mark_skip() in handle_ipv6_from_lxc() (#23447, @julianwiedmann)
bpf: remove special handle for ICMPv6 echo targeting router IPv6 (#24921, @jschwinger233)
bpf: Remove unneeded orig_dip from ipv6_host_policy_egress (#23724, @gentoo-root)
bpf: Remove unneeded orig_sip from ipv6_host_policy_ingress (#23577, @gentoo-root)
bpf: remove unused type ProgType and ProgType* consts (#26360, @tklauser)
bpf: Replace deprecated "-target bpf" with "--target=bpf" for clang (Backport MR #26636, Upstream MR #26553, @qmonnet)
bpf: simplify adding/removing types to alignchecker (#24736, @aspsk)
bpf: small CT cleanups (#24686, @julianwiedmann)
bpf: test: Fix the byte order in the IPV4 macro (#25114, @gentoo-root)
bpf: Update IPv6 BPF masquerading code to bring it closer to IPv4's, fix SNAT for packets from local endpoints, for overlay (#26236, @qmonnet)
bpf: Use inline assembly for packet context access, to prevent some undesirable optimizations from LLVM (#25336, @qmonnet)
bpf: xdp: fix coccicheck warning about DROP_MISSED_TAIL_CALL (#25924, @julianwiedmann)
bpf: xdp: use CT tuple hash for tunnel encap's source port (#26177, @julianwiedmann)
Break import cycles and move the datapath cell to datapath/cell.go (#24337, @bimmlerd)
bug: Fix Potential Nil Reference in GetLabels Implementation (#24416, @nathanjsweet)
bugtool: dump auth map related information (#26066, @mhofstetter)
bugtool: improve ss output (#24334, @squeed)
bugtool: simplify removeIfEmpty with more effiicient os.ReadDir (#24566, @Juneezee)
Build test darwin target (#23358, @aditighag)
build(deps): bump actions/cache from 3.0.11 to 3.2.3 (#22981, @dependabot[bot])
build(deps): bump actions/cache from 3.2.3 to 3.2.4 (#23450, @dependabot[bot])
build(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 (#22956, @dependabot[bot])
build(deps): bump actions/github-script from 6.3.3 to 6.4.0 (#23411, @dependabot[bot])
build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#22706, @dependabot[bot])
build(deps): bump actions/stale from 6.0.1 to 7.0.0 (#22828, @dependabot[bot])
build(deps): bump azure/setup-helm from 3.4 to 3.5 (#22705, @dependabot[bot])
build(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 (#23112, @dependabot[bot])
build(deps): bump docker/build-push-action from 3.3.0 to 4.0.0 (#23489, @dependabot[bot])
build(deps): bump docker/setup-buildx-action from 2.2.1 to 2.4.0 (#23449, @dependabot[bot])
build(deps): bump docker/setup-buildx-action from 2.4.0 to 2.4.1 (#23593, @dependabot[bot])
build(deps): bump github.com/cilium/lumberjack/v2 from 2.2.2 to 2.3.0 (#22448, @dependabot[bot])
build(deps): bump github.com/containernetworking/plugins from 1.1.1 to 1.2.0 (#23294, @dependabot[bot])
build(deps): bump github.com/docker/docker from 20.10.21+incompatible to 20.10.23+incompatible (#23388, @dependabot[bot])
build(deps): bump github.com/docker/docker from 20.10.23+incompatible to 23.0.1+incompatible (#23664, @dependabot[bot])
build(deps): bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible (#24753, @dependabot[bot])
build(deps): bump github.com/go-openapi/spec from 0.20.7 to 0.20.8 (#23673, @dependabot[bot])
build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.26.0 (#23295, @dependabot[bot])
build(deps): bump github.com/osrg/gobgp/v3 from 3.5.0 to 3.10.0 (#22908, @dependabot[bot])
build(deps): bump github.com/prometheus/procfs from 0.8.0 to 0.9.0 (#23069, @dependabot[bot])
build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.10 to 3.23.1 (#23511, @dependabot[bot])
build(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#23414, @dependabot[bot])
build(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#22758, @dependabot[bot])
build(deps): bump github/codeql-action from 2.1.39 to 2.2.1 (#23410, @dependabot[bot])
build(deps): bump github/codeql-action from 2.2.1 to 2.2.2 (#23608, @dependabot[bot])
build(deps): bump github/codeql-action from 959cbb7 to 2.1.39 (#23196, @dependabot[bot])
build(deps): bump go.etcd.io/etcd/client/pkg/v3 from 3.5.6 to 3.5.7 (#23571, @dependabot[bot])
build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.6 to 3.5.7 (#23649, @dependabot[bot])
build(deps): bump go.opentelemetry.io/otel/trace from 1.11.2 to 1.12.0 (#23454, @dependabot[bot])
build(deps): bump go.uber.org/dig from 1.15.0 to 1.16.0 (#23039, @dependabot[bot])
build(deps): bump go.uber.org/dig from 1.16.0 to 1.16.1 (#23188, @dependabot[bot])
build(deps): bump go.uber.org/multierr from 1.8.0 to 1.9.0 (#23067, @dependabot[bot])
build(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 (#22941, @dependabot[bot])
build(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 (#23651, @dependabot[bot])
build(deps): bump golang.org/x/tools from 0.4.0 to 0.5.0 (#23610, @dependabot[bot])
build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (#23249, @dependabot[bot])
build(deps): bump google-github-actions/setup-gcloud from 1.0.1 to 1.1.0 (#23570, @dependabot[bot])
build(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.3 (#23390, @dependabot[bot])
build(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#22707, @dependabot[bot])
build(deps): bump KyleMayes/install-llvm-action from 1.6.1 to 1.7.0 (#23386, @dependabot[bot])
build(deps): bump nick-invision/retry from 2.8.2 to 2.8.3 (#22895, @dependabot[bot])
build(deps): bump requests from 2.28.2 to 2.31.0 in /Documentation (#25603, @dependabot[bot])
build: Avoid cross compilation issue on Windows (#25904, @sayboras)
build: custom-vet-check should respect make variable GO (#23668, @mhofstetter)
Bump readme with 1.13.0 (#23786, @aanm)
Bump version in Readme and fix script (#24459, @aanm)
Bumped CoverBee to v0.3.0 and cilium/ebpf to v0.10.0 (#23212, @dylandreimerink)
Bumped CoverBee version to v0.3.2 (#24180, @dylandreimerink)
certificatemanager,daemon: Modularized the certificate manager (#23132, @dylandreimerink)
certloader: Correctly support RequestClientCert in WatchedClientConfig (Backport MR #26887, Upstream MR #26812, @chancez)
Change enableEndpointCRD helm option type from string to boolean Fix operator panic that occurs when Endpoint CRD is disabled and CiliumEndpointSlice is enabled (#25798, @doniacld)
Change wording on toServices limitations (see #20067) (#25796, @atykhyy)
Check IP Family for LB source range (#24273, @sugangli)
chore(deps): pin dependencies (main) (#25275, @renovate[bot])
chore(deps): update actions/checkout action to v3.3.0 (master) (#23674, @renovate[bot])
chore(deps): update actions/setup-go action to v4 (main) (#24981, @renovate[bot])
chore(deps): update actions/setup-go action to v4.0.1 (main) (#26313, @renovate[bot])
chore(deps): update actions/stale action to v8 (main) (#25047, @renovate[bot])
chore(deps): update actions/upload-artifact action to v3 (main) (#25048, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#24995, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#25401, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#25850, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#26306, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#25198, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#25540, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#25701, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#25846, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#26054, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#26425, @renovate[bot])
chore(deps): update all github action dependencies (master) (minor) (#24006, @renovate[bot])
chore(deps): update all github action dependencies (master) (minor) (#24280, @renovate[bot])
chore(deps): update all github action dependencies (master) (patch) (#23671, @renovate[bot])
chore(deps): update all github action dependencies (master) (patch) (#23918, @renovate[bot])
chore(deps): update all github action dependencies (master) (patch) (#24278, @renovate[bot])
chore(deps): update all github action dependencies (master) (patch) (#24513, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (minor) (#26699, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (minor) (#26824, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (patch) (#26698, @renovate[bot])
chore(deps): update all github action dependencies (v1.14) (patch) (#26823, @renovate[bot])
chore(deps): update all github action dependencies to v1.1.1 (main) (patch) (#25402, @renovate[bot])
chore(deps): update aws-actions/configure-aws-credentials action to v2 (master) (#24281, @renovate[bot])
chore(deps): update base-images (master) (#22565, @renovate[bot])
chore(deps): update base-images (master) (#24102, @renovate[bot])
chore(deps): update base-images (master) (#24439, @renovate[bot])
chore(deps): update base-images (master) (minor) (#23563, @renovate[bot])
chore(deps): update cilium cli (main) (minor) (#25245, @renovate[bot])
chore(deps): update cilium/cilium-cli digest to 207512c (main) (#25397, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.13.2 (main) (#25027, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.14.3 (main) (#25541, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.14.5 (main) (#25700, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.14.7 (main) (#25847, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.14.8 (main) (#26482, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.0 (v1.14) (#26700, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.2 (v1.14) (#26782, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.4 (v1.14) (#26876, @renovate[bot])
chore(deps): update dependency cilium/hubble to v0.11.1 (master) (#23518, @renovate[bot])
chore(deps): update dependency cilium/hubble to v0.11.2 (master) (#23773, @renovate[bot])
chore(deps): update dependency cilium/hubble to v0.11.3 (master) (#24703, @renovate[bot])
chore(deps): update dependency cilium/hubble to v0.11.6 (main) (#26041, @renovate[bot])
chore(deps): update dependency go to v1.20.5 (main) (#26051, @renovate[bot])
chore(deps): update dependency google/gops to v0.3.27 (master) (#24005, @renovate[bot])
chore(deps): update dependency kubernetes-sigs/kind to v0.20.0 (main) (#26428, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.17.1 (master) (#22996, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.17.2 (master) (#23672, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (master) (#24639, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.0 (main) (#25415, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.2 (main) (#26261, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.2 (main) (#26297, @renovate[bot])
chore(deps): update docker.io/library/alpine:3.17.2 docker digest to ff6bdca (master) (#24354, @renovate[bot])
chore(deps): update docker.io/library/golang docker tag to v1.19.6 (master) (#23753, @renovate[bot])
chore(deps): update docker.io/library/golang docker tag to v1.19.6 (master) (#23754, @renovate[bot])
chore(deps): update docker.io/library/golang docker tag to v1.20.1 (master) (#23562, @renovate[bot])
chore(deps): update docker.io/library/golang docker tag to v1.20.2 (master) (#24231, @renovate[bot])
chore(deps): update docker.io/library/golang docker tag to v1.20.2 (master) (#24232, @renovate[bot])
chore(deps): update docker.io/library/golang docker tag to v1.20.5 (main) (#26304, @renovate[bot])
chore(deps): update docker.io/library/golang:1.19.5 docker digest to 572f680 (master) (#23575, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.1 docker digest to 52921e6 (master) (#24103, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.4 docker digest to 690e413 (main) (#25277, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.5 docker digest to 6b3fa4b (main) (#26050, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.5 docker digest to 8f958bf (main) (#26283, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.5 docker digest to fd9306e (v1.14) (#26696, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 0bced47 (v1.14) (#26697, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2a357c4 (main) (#26284, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ac58ff7 (main) (#25295, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to f05532b (master) (#23477, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 149531e (master) (#24614, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 21e5d22 (master) (#23726, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 26d07ba (master) (#23352, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 42ddd0c (master) (#23602, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 48e033b (master) (#23654, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 6b01107 (master) (#23498, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 9ecc53c (main) (#25398, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 9ecc53c (main) (#26285, @renovate[bot])
chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to ddde70b (master) (#24254, @renovate[bot])
chore(deps): update github/codeql-action action to v2.2.12 (main) (#25034, @renovate[bot])
chore(deps): update github/codeql-action action to v2.2.5 (master) (#24023, @renovate[bot])
chore(deps): update go to v1.20.3 (main) (patch) (#24980, @renovate[bot])
chore(deps): update go to v1.20.4 (main) (patch) (#25246, @renovate[bot])
chore(deps): update go to v1.20.5 (main) (patch) (#25957, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.52.2 (master) (#24722, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.53.2 (main) (#25841, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.53.3 (main) (#26258, @renovate[bot])
chore(deps): update helm/kind-action action to v1.7.0 (main) (#25546, @renovate[bot])
chore(deps): update hubble cli to v0.11.5 (main) (patch) (#25124, @renovate[bot])
chore(deps): update hubble cli to v0.12.0 (v1.14) (minor) (#26763, @renovate[bot])
chore(deps): update quay.io/cilium/hubble docker tag to v0.11.1 (master) (#23519, @renovate[bot])
chore(deps): update quay.io/cilium/hubble docker tag to v0.11.2 (master) (#23774, @renovate[bot])
chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (master) (#24465, @renovate[bot])
chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (main) (#25996, @renovate[bot])
chore(deps): update sigstore/cosign-installer action to v3 (master) (#24282, @renovate[bot])
chore: Fix typos in comments (#22837, @mainred)
chore: Update json-mock image (#24173, @sayboras)
chore: use errors.Is to check for a specific error (#22912, @Fish-pro)
ci, l4lb: Remove leftover args after DinD conversion (#23257, @borkmann)
ci: only report status after matrix jobs are done (#23865, @spacewander)
ci: update cilium-cli etcd version to v3.5.4 (#24028, @kahirokunn)
ci: update cilium-cli using renovate bot (#23902, @tklauser)
cilium statedb dump command & bugtool (#26256, @joamaki)
cilium, bigtcp: Add max gso/gro rates to sysdump (#26392, @borkmann)
cilium, bigtcp: Make probing for GRO/GSO max size more graceful (#26385, @borkmann)
cilium-cni: remove duplicated link set up operation (#23766, @giorio94)
cilium/cmd: Deprecate cilium endpoint regenerate command (#25949, @christarazi)
cilium: enable bpf host routing with per endpoint routes for IPv6 as well (#26205, @borkmann)
cilium: Improve IPv6 BIG TCP probing (#26303, @borkmann)
cilium: Repoint netlink lib back to upstream. (#26359, @borkmann)
Cleanup: improve metav1 package import statement (#23248, @my-git9)
cli: add "cilium bpf config list" (#26105, @mhofstetter)
cli: Remove unnecessary type for variable vp (Viper) (#23105, @tanberBro)
clustermesh-apiserver: add missing metrics and documentation (#26070, @giorio94)
clustermesh-apiserver: don't wait for the presence of unused CRDs (#26220, @giorio94)
clustermesh-apiserver: ExternalTrafficPolicy and internalTrafficPolicy can now be changed. (#24166, @kahirokunn)
clustermesh-apiserver: extract kvstore client initialization and heartbeat logic in separate cells (#25554, @giorio94)
clustermesh-apiserver: rework identities, endpoints and nodes synchronization to improve performance (#25049, @giorio94)
clustermesh/types: don't panic on invalid IP in PrefixClusterFromCIDR (#23137, @tklauser)
clustermesh: allow waiting for the CiliumClusterConfig to appear when required (#25671, @giorio94)
clustermesh: ensure that the status of the remote clusters controller is correcty reported (#26271, @giorio94)
clustermesh: fix broken test due to merge race (#26389, @giorio94)
clustermesh: fix client usage when setting the cluster configuration (#24591, @giorio94)
clustermesh: fix SyncedCanaries capability name mismatch (#25685, @giorio94)
clustermesh: improve reliability of TestClusterMesh (#26370, @giorio94)
clustermesh: Introduce ClusterID reservation mechanism (#26124, @marseel)
clustermesh: Introduce per-cluster NAT maps (#22875, @YutaroHayakawa)
clustermesh: Make IPCache CPlane aware of the ClusterID (#22935, @YutaroHayakawa)
clustermesh: reduce memory consumption due to non-shared services (#23948, @giorio94)
clustermesh: remote services handling misc improvements (#24515, @giorio94)
clustermesh: split the generic logic from the specific part (#25921, @giorio94)
clustermesh: unbreak test (#26294, @giorio94)
cmd/policy: Close file descriptor if required (#23945, @jiuker)
cmd: enhance cilium bpf policy list&get (#25389, @mhofstetter)
cni-plugin: Clean up code (#26505, @gandro)
cocci: Work around a bug in coccinelle to better check files, add a few missing const qualifiers to BPF code (#24606, @qmonnet)
CODEOWNERS: Add cilium/ipcache for pkg/source (#25176, @christarazi)
CODEOWNERS: Add ownerships of new BGP team (#23916, @pchaigno)
CODEOWNERS: additional coverage (#23494, @tklauser)
CODEOWNERS: assign /pkg/auth to sig-servicemesh (#23844, @mhofstetter)
CODEOWNERS: assign images/hubble-relay to SIG Hubble (#23277, @rolinh)
CODEOWNERS: assign operator/pkg/{gateway-api,model} to @cilium/sig-servicemesh (#22683, @tklauser)
CODEOWNERS: Assign pkg/slices to sig-foundations (#25737, @pippolo84)
CODEOWNERS: Cover test/bpf_tests by sig-datapath (#22928, @christarazi)
CODEOWNERS: Cover the egress gateway guide (#23194, @pchaigno)
CODEOWNERS: Fold cilium/health into cilium/sig-agent (#23952, @pchaigno)
CODEOWNERS: include @cilium/sig-datapath for all datapath specific CI changes (#24487, @tklauser)
CODEOWNERS: Make Hubble team (not docs-structure) own examples/hubble (#23778, @qmonnet)
CODEOWNERS: pkg/bpf to loader, pkg/recorder to sig-datapath (#25648, @ti-mo)
command/exec: remove unused (*Cmd).WithFilters method (#25642, @tklauser)
config: fix tunnel port for DSR-GENEVE with direct-routing (#25384, @julianwiedmann)
config: spell out that --egress-masquerade-interfaces is for iptables (Backport MR #27055, Upstream MR #26950, @julianwiedmann)
configmap & utime sync: provide via hive cell (#24830, @mhofstetter)
conformance-runtime: remove optimizations and update little-vm-helper (#25825, @aanm)
contrib/kind: adapt clustermesh related make targets to recent changes (#24693, @giorio94)
contrib/kind: default to dual-stack clusters (#23646, @squeed)
contrib/scripts: Ignore all vendor sub-directories (#25566, @michi-covalent)
contrib: Add devcontainer configuration (#22856, @sayboras)
contrib: Add support for snapshot releases (#24092, @joestringer)
contrib: detect pre-release version correctly (#24708, @aanm)
contrib: Fix codegen script to avoid double make (#24718, @joestringer)
contrib: Fix GitHub token check to allow fine-grained tokens (#22963, @gentoo-root)
contrib: output easier way to install Cilium in kind. (#23488, @squeed)
contrib: Remove deb,rpm packaging (#23081, @joestringer)
contrib: Set IPv6 for dual-stack Kubenetes nodeIP on dev VM (#23543, @jschwinger233)
Controller clean up (#25579, @jrajahalme)
Convert daemon ipcache usages to new ipcache async API (#25749, @christarazi)
Convert the clustermesh subsystem into a hive.Cell (#25561, @giorio94)
converted node manager dynamic metrics into modular metrics (#25887, @dylandreimerink)
CRD List Generation (#25910, @dhawton)
crd: Refactor RegisterCRDsCell to be extensible (#25590, @pippolo84)
daemon, ipam: omit IPAM mode check before calling ipam.Allocator.RestoreFinished (#25041, @tklauser)
daemon, ipcache: Plumb root context to IP identity watcher (#22626, @christarazi)
daemon, maps/ipcache: Replace usage of net.IP* for ingress IPs (#26045, @christarazi)
daemon/cmd: fix a couple of func doc string (#25030, @cuishuang)
daemon: Check for leaked goroutines from the agent cell (#24076, @joamaki)
daemon: Clarify host IP sync controller's intent (#21743, @christarazi)
daemon: Document the use for required API options (#25170, @joestringer)
daemon: fix issue where IPAM options in custom CNI confs was ignored (Backport MR #26799, Upstream MR #26732, @squeed)
daemon: fix spelling in ipam-multi-pool-pre-allocation flag usage (#26529, @tklauser)
daemon: ignore EEXIST on NodeEnsureLocalIMRule (#24645, @tklauser)
daemon: Log warning if BPF Clock probe fail (#25287, @pchaigno)
daemon: Mark flag for node encryption as beta (#25319, @pchaigno)
daemon: move circular initialization of policy.Repository to hive (#24073, @lmb)
daemon: Perform early (partial) local node info initialization (#24866, @joamaki)
daemon: Remove encrypt key from syncHostIPs() (#25252, @christarazi)
daemon: Remove execute bit from test (#25150, @joestringer)
daemon: Update code comment regarding PolicyReactionEvent (#25607, @christarazi)
daemon: use netlink for managed neighbor support probe (#25134, @rgo3)
daemon: use the real err instead of a nil one (#24115, @spacewander)
datapath: Add auth_type to policy verdict message (#25410, @jrajahalme)
datapath: Introduce helpers for __ctx_is checks (#23820, @spacewander)
datapath: Switch to LPM policy map (#23885, @jrajahalme)
dev: disable bpf monitor aggregation in kind helm values (#23846, @mhofstetter)
dnsproxy: Improve regex used for matching dns queries by reducing its complexity and size to save memory and speed up matching (#20246, @odinuge)
dnsproxy: stop using the regex lru in the dns proxy to avoid keeping large unused regex in memory when no longer needed (#22584, @odinuge)
Do not upgrade to golang 1.20 in 1.13 branch (#23723, @aanm)
doc: Documented incompatibility of EgressGW and kvstore (Backport MR #26636, Upstream MR #26139, @PhilipSchmid)
doc: update masquerading.rst to reflect new support for icmp (#24556, @sahid)
docs(bpf): update unprivileged_bpf_disabled description (#23378, @spacewander)
docs, kpr, maglev: Move Maglev out of beta (Backport MR #26636, Upstream MR #19541, @borkmann)
docs/contributing: update CRD registration instructions (#25008, @tklauser)
docs/ipsec: Clarify limitation on number of nodes (Backport MR #26838, Upstream MR #26810, @pchaigno)
docs/ipsec: Document RSS limitation (Backport MR #27038, Upstream MR #26979, @pchaigno)
docs/ipsec: Extend troubleshooting section (Backport MR #27038, Upstream MR #26808, @pchaigno)
docs/testing/e2e: correct cilium-cli usage for helm mode (Backport MR #26887, Upstream MR #26840, @tklauser)
Docs: Add policy_implementation_delay to metrics (#22998, @learnitall)
docs: Add a comparison table for IPAM modes (#24285, @raphink)
docs: Add APAC timezone meeting to README (#24902, @lizrice)
docs: Add contact link to threat model (#24674, @ferozsalam)
docs: Add debugging guide for inspecting gops / pprof profiles (Backport MR #26734, Upstream MR #26675, @christarazi)
docs: Add externalTrafficPolicy=Local description to BGP CPlane doc (#25960, @YutaroHayakawa)
docs: add FOSSA badge to readme (#22737, @lizrice)
docs: Add L2 Pod Announcements docs (Backport MR #26636, Upstream MR #26517, @markpash)
docs: Add missing backslash in Helm command (#25800, @james0209)
docs: Add notes for dev setup for Ubuntu desktop (#23691, @jschwinger233)
docs: Add requirements for installing Cilium on Raspberry Pi (#23337, @darox)
docs: Add section on development and RC images (#24424, @borkmann)
docs: Add steps to start Hubble UI with cilium-cli, but only after Hubble itself has started (#25538, @fujitatomoya)
docs: add trace observation point description (#23028, @mainred)
docs: add upgrade note about deletion of stale entries in clustermesh (#26067, @giorio94)
docs: Clarify committer vote procedures (#22787, @joestringer)
docs: Clarify the steps to update images (#25367, @gentoo-root)
docs: cleanup SPIRE & Envoy values in helm reference (#26039, @mhofstetter)
docs: Deprecate cluster-pool-v2beta (#25767, @gandro)
docs: Disable host DNS resolver with Virtualbox for Minikube quick installation guide (#25569, @zhouhaibing089)
docs: Document the hooks that Cilium uses (#22792, @joestringer)
docs: Endpoints are local to the node on which the cilium agent is running. (#24017, @tnorlin)
docs: Fix a typo in Istio integration documentation (#23584, @yanggangtony)
docs: Fix a typo in K8s with Kubespray installation guide (#23585, @yanggangtony)
docs: Fix gRPC API generation for online docs (Backport MR #27097, Upstream MR #27014, @qmonnet)
docs: Fix Makefile target name in CODEOWNERS update hint (#24583, @ferozsalam)
docs: fix Rule spec document typos (#24319, @nrnrk)
docs: fix Rule spec document typos (#24443, @nrnrk)
docs: fix SCM_WEB reference on mtls-auth docs (Backport MR #26914, Upstream MR #26899, @aanm)
docs: Fix the cilium-cli default branch name (#26461, @michi-covalent)
docs: Fix the cilium/proxy default branch name (#26464, @learnitall)
docs: fix typos and formatting (#25365, @peterj)
docs: fixed search for every page (Backport MR #27069, Upstream MR #26892, @geakstr)
docs: Fixing typo in description of label release-note/ci (#24665, @mhofstetter)
docs: HOWTO run cilium-cli e2e connectivity tests (Backport MR #26734, Upstream MR #25217, @brb)
docs: Ignore Helm values, update spelling list (Backport MR #26838, Upstream MR #26759, @qmonnet)
docs: Improve description of the installation steps to run cilium documentation locally (#24056, @kayceeDev)
docs: Istio docs fix sidecar inject method (Backport MR #26636, Upstream MR #26526, @networkop)
docs: Make CRD compat script work on older trees (#23710, @joestringer)
docs: Mark IPv6 BPF masquerading as beta (#26499, @qmonnet)
docs: Mention --kube-proxy-replacement=boolean changes (Backport MR #26734, Upstream MR #26577, @brb)
docs: Mention caveats about kube-proxy replacement config changes (#24531, @aditighag)
docs: modify MRELOAD_VM for local CI VM (#22902, @Shunpoco)
Docs: Move Maintainers to Committers (#24124, @xmulligan)
docs: Multi-Pool IPAM now partially supports iptables-based NAT (Backport MR #26636, Upstream MR #26522, @gandro)
docs: Note that CiliumEndpointSlice and K8s' EndpointSlice are distinct (#24842, @qmonnet)
docs: Pick up PyYAML 6.0.1 (Backport MR #26887, Upstream MR #26883, @michi-covalent)
docs: Policy Audit Mode improvements (#23591, @kaworu)
docs: Promote Deny Policies out of Beta (#23921, @nathanjsweet)
docs: Regenerate codeowners documentation (#23979, @pchaigno)
docs: remove clustermesh-apiserver gops port from system requirements (#26230, @giorio94)
docs: Remove custom entities note (Backport MR #26887, Upstream MR #26655, @joestringer)
docs: remove no-longer-valid known policy issue (Backport MR #26799, Upstream MR #26660, @squeed)
docs: Remove sockops, sockmaps from eBPF datapath diagrams (#24824, @zacharysarah)
docs: Revert Python version in docs-builder image to 3.7.9, downgrade sphinxcontrib-applehelp, to fix builds on Read The Docs (#24099, @qmonnet)
docs: Slack updates (#25723, @lizrice)
docs: Specify Helm chart version in "cilium install" commands (Backport MR #27038, Upstream MR #26934, @michi-covalent)
Docs: Update BGP docs to reflect CRD consolidation (#26196, @rastislavs)
docs: Update cluster mesh instructions (Backport MR #26734, Upstream MR #26608, @michi-covalent)
docs: Update dependencies for documentation build system (Sphinx, add-ons etc.) (#24014, @qmonnet)
docs: Update development setup with preferred kind-based approach (#25535, @christarazi)
docs: Update Documentation on Deny Policy Bug Fix (#23468, @nathanjsweet)
docs: Update gateway-api version to v0.6.1 (#25439, @sayboras)
docs: Update Go Extension docs (Backport MR #26799, Upstream MR #26504, @sayboras)
docs: Update governance voting templates (#25802, @joestringer)
docs: Update hostfw tuto with ICMP policy rule (#22999, @pchaigno)
docs: Update KMR limitations wrt IPsec (#22775, @raymonddejong)
docs: update KMR section on DSR (Backport MR #26636, Upstream MR #26582, @julianwiedmann)
docs: Update kvstore documentation with potential circular dependency. (#26353, @marseel)
docs: Update output for "cilium status" when troubleshooting (extensions/v1beta1::Ingress now deprecated in favor of networking.k8s.io/v1beta1::Ingress) (#22968, @yulng)
docs: Update the docs for Helm mode Cilium CLI (Backport MR #26734, Upstream MR #26606, @michi-covalent)
docs: Upgrade Note For Deny Policy Fix (Backport MR #26636, Upstream MR #26245, @nathanjsweet)
docs: Use kubeProxyReplacement=true for Gateway API docs (Backport MR #27097, Upstream MR #27066, @michi-covalent)
docu: add section about envoy daemonset deployment (#26033, @mhofstetter)
Document cilium_host's IPv6 change in upgrade guide (Backport MR #26734, Upstream MR #26615, @jschwinger233)
Document contributor steps to update the Helm chart (#23739, @meyskens)
Document how to migrate from Ingress to Gateway API (#25599, @nvibert)
Document multi-pool IPAM mode (#26308, @tklauser)
Documentation/community: add multi-pool IPAM to list of beta features (Backport MR #26636, Upstream MR #26566, @tklauser)
Documentation: add CONFIG_SCHEDSTATS to required kconfigs (#26035, @ti-mo)
Documentation: Add documentation for hive (#23746, @joamaki)
Documentation: Add graceful restart section in BGP documentation (#26354, @harsimran-pabla)
Documentation: add section to roadmap about modularization (#24096, @joamaki)
Documentation: Document BGP timers & neighbor update behavior (#25906, @rastislavs)
Documentation: enable parallel builds (#23752, @squeed)
Documentation: explicitly state that KVStoreMesh is beta level as part of the feature title (Backport MR #27038, Upstream MR #26868, @giorio94)
Documentation: Fix Envoy LB docs incorrect supported annotation values (Backport MR #27038, Upstream MR #26867, @rauanmayemir)
Documentation: include bgp cli commands in bgp-cp documentation (#25691, @harsimran-pabla)
documentation: remove release docs (#24463, @aanm)
drop v1.10 support (#23903, @aanm)
e2e-tests: git-ignore directory old-charts (#23705, @mhofstetter)
Egress Gateway: make CiliumEndpoint reconciliation asynchronous from k8s watcher (Backport MR #26799, Upstream MR #26741, @jibi)
egressgateway: provide a very basic Cell (#24330, @lmb)
egressgw: add policies by source IP cache (#23967, @jibi)
egressgw: fix up removal for IP routes (Backport MR #27097, Upstream MR #26857, @julianwiedmann)
egressgw: improve reconciliation for IP routes (Backport MR #27097, Upstream MR #26721, @julianwiedmann)
egressgw: improve reconciliation for IP rules (Backport MR #27097, Upstream MR #26736, @julianwiedmann)
egressgw: optimize policy matching logic (#24042, @jibi)
egressgw: policy: stop iterating through nodes after first match (#24898, @jibi)
endpoint: don't hold the endpoint lock while generating policy (#26242, @squeed)
endpoint: fix policy map sync warning due to policymap authtype diffs (#26218, @mhofstetter)
endpoint: Update comments for ToMapState() usage (#24321, @joestringer)
EndpointManager and NodeManager Cells (#21746, @joamaki)
endpointmgr: guard against potential nil deref (#22521, @ldelossa)
envoy: Avoid using deprecated field (#24043, @sayboras)
envoy: Re-organize supported envoy resource import (#26469, @sayboras)
envoy: remove unnecessary wait and log message after starting envoy (#24455, @mhofstetter)
envoy: Support more envoy image tag formats (#24750, @sayboras)
etcd: print debug message event value as string (#23714, @giorio94)
etcd: start the status checker only after establishing the initial session (#26363, @giorio94)
examples: setup HUBBLE_SERVER for the Hubble CLI Deployment (#24154, @kaworu)
Extend ipcache key with ClusterID (#22200, @YutaroHayakawa)
Extend tunnel map key with ClusterID (#22687, @YutaroHayakawa)
feat: add teuto.net to USERS (#25088, @cwrau)
Fix implicit conversion warning in DSR with GENEVE (#25299, @ysksuzuki)
Fix "make -C Documentation builder-image" (Backport MR #26887, Upstream MR #26874, @michi-covalent)
Fix 404s in the README.md (#23954, @aanm)
Fix a typo in pkg/option/config.go (#23731, @meyskens)
Fix and improve Conformance Ginkgo UX (#25950, @aanm)
Fix bug that causes traffic not to be encrypted when WireGuard node encryption is enabled. (#24903, @3u13r)
Fix CI image build cache (#26020, @aanm)
Fix comment error about monitorNotify in pkg/datapath/ipcache/listener.go. (#23963, @hxysayhi)
Fix fatal error when shutting down the clustermesh-apiserver (#25310, @giorio94)
Fix hive test argument order and race (#25545, @bimmlerd)
fix kind job with network policy failures (Backport MR #26799, Upstream MR #26639, @aojea)
Fix kind.sh development scripts on MacOS (#25317, @chancez)
Fix misleading use of bpf_ntohl (#24483, @lazybetrayer)
Fix neighbor test flakes (#26156, @borkmann)
Fix possible race condition in the clustermesh's users management test (#24652, @giorio94)
Fix some map handling logic as well as some issues with CLI commands related to ip-masq-agent, introduced with IPv6 support (#26435, @qmonnet)
Fix TLS policies after certificatemanager modularization (#23895, @tklauser)
Fix typo in doc: network/concepts/ipam/crd.rst (#24908, @takp)
fix(deps): pin dependencies (main) (#25026, @renovate[bot])
fix(deps): pin dependencies (main) (#25539, @renovate[bot])
fix(deps): pin dependencies (main) (#25849, @renovate[bot])
fix(deps): pin dependencies (master) (#24147, @renovate[bot])
fix(deps): pin dependencies (master) (#24277, @renovate[bot])
fix(deps): pin dependencies (master) (#24299, @renovate[bot])
fix(deps): pin dependencies (master) (#24438, @renovate[bot])
fix(deps): pin dependencies (master) (#24659, @renovate[bot])
fix(deps): pin dependencies (master) (#24881, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#26286, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#26429, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#25035, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#25414, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#25542, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#26056, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#26427, @renovate[bot])
fix(deps): update all go dependencies master (master) (#23987, @renovate[bot])
fix(deps): update all go dependencies master (master) (patch) (#23982, @renovate[bot])
fix(deps): update all go dependencies master (master) (patch) (#24149, @renovate[bot])
fix(deps): update all go dependencies master (master) (patch) (#24279, @renovate[bot])
fix(deps): update all go dependencies master to v2 (master) (major) (#24110, @renovate[bot])
fix(deps): update module github.com/prometheus/procfs to v0.11.0 (main) (#26319, @renovate[bot])
fix(deps): update module google.golang.org/protobuf to v1.29.1 [security] (master) (#24376, @renovate[bot])
fix(deps): update module gopkg.in/yaml.v2 to v3 (master) (#24112, @renovate[bot])
fix: clean golang code for golint (#22665, @yulng)
fix: Flag --ipv4-native-routing-cidr update in cli (#23643, @deepeshaburse)
Fix: Link Security Team (#24135, @xmulligan)
fix:'go routine' should be 'goroutine' (#22904, @yulng)
fix:prevent goroutine leakage for pkg/k8s/watchers (#22362, @yulng)
fix:Use ID instead of Id (#22569, @yulng)
Fixed panic when generating code coverage report of eBPF tests (#24094, @dylandreimerink)
fix：make fsnotify event more readable (#22903, @yulng)
fqdn: use map to dedup to reduce memory usage of dns gc job (#25142, @odinuge)
Further clarify the deprecation of MetalLB BGP ControlPlane in user facing docs. (Backport MR #27055, Upstream MR #27005, @ldelossa)
garp: Introduce Gratuitous ARP Cell (#25254, @markpash)
gateway-api: Add header modifier and splitting examples (#25186, @nvibert)
gateway-api: now function GatewayAPI also supports TLSRoute (#26060, @spacewander)
Generate preprocessed C source with BPF tests (#24093, @YutaroHayakawa)
Get CEP from k8s cache during initialization. (#24340, @marseel)
gha: fix conformance-ginkgo base branch retrieval (#26085, @giorio94)
gha: Replace deprecated set-output commands (#22890, @sayboras)
gha: Skip flaky test HTTMRouteHeaderMatching in GatewayAPI (#24169, @sayboras)
go.mod, golangci-lint: update base Go version to 1.20 (#24113, @tklauser)
go.mod, vendor: bump sigs.k8s.io/controller-runtime to v0.14.1 (#23011, @tklauser)
Godoc improvements for pkg/bgpv1 (#25686, @danehans)
golangci-lint: Update to v1.51.2 (#24153, @mhofstetter)
helm/hubble-ui: use v0.12.0 hubble-ui (Backport MR #27038, Upstream MR #27011, @geakstr)
helm: nodeEncryption is only supported with WireGuard (#25770, @gandro)
helm: add .extraEnv to cilium-agents config init container (#26408, @nberlee)
helm: add extraArgs to clustermesh-apiserver (#25693, @rcanderson23)
helm: Add support of additional labels to hubble ui ingress (#24077, @ReillyBrogan)
helm: address review comments regarding helm value docs (#26296, @tklauser)
helm: Allow adding annotations to certgen Job and CronJob (#22356, @eripa)
helm: Avoid error in IDE due to .range keyword (#25766, @sayboras)
helm: Correct the flag names in validate.yaml (#26167, @sayboras)
helm: Fix typo in dashboard path (#24733, @jcpunk)
helm: Ignore .github folder in .helmignore (#24719, @darox)
helm: Parameterize image registries in Makefile.values (#24635, @michi-covalent)
helm: Remove deprecated hubble.tls.ca (#25261, @ysksuzuki)
helm: Remove duplicated key k8sClientRateLimit (Backport MR #27038, Upstream MR #26986, @sayboras)
helm: Use kubeProxyReplacement as string (Backport MR #26636, Upstream MR #26549, @jrajahalme)
hive/jobs: fix enqueueing of multiple jobs via variadic func (#25633, @mhofstetter)
hive: Add hive.Command() (#23074, @joamaki)
hive: Add support for config overrides in tests (#24597, @joamaki)
hive: add support for map[string]string flags (#25643, @giorio94)
hive: fix documentation for cell.Provide & cell.ProvidePrivate (#24238, @mhofstetter)
hive: Make timer job test less flaky (#25308, @jrajahalme)
hubble-relay: set WORKDIR to nonroot home (#23405, @kaworu)
hubble: add a unique identifier to flows (#23638, @kaworu)
hubble: fix Hubble Relay BASE_IMAGE (#23636, @kaworu)
hubble: improve hubble lost event log rate limit (#24720, @kaworu)
hubble: Optimize namespace tracking (Backport MR #26799, Upstream MR #26547, @glibsm)
hubble: Remove spammy debug log message on lost events (#25321, @pchaigno)
hubble: Use netip.Addr instead of net.IP in getter functions (#23143, @lambdanis)
identity, policy: remove unused arguments from interfaces (#23946, @lmb)
identity/cache: don't panic in CachingIdentityAllocator.Close() (#24694, @lmb)
identity: cache: close channel in writing party (#25353, @bimmlerd)
identity: Make identity allocations observable (#26373, @mhofstetter)
images/builder: update proto dependencies (#24328, @rolinh)
images: scripts to update and check envoy image version (#25413, @mhofstetter)
images: update cilium-{runtime,builder} (#23146, @joestringer)
images: update golang images to 1.19.5 (#23157, @aanm)
images: update gops using renovate bot (#23907, @tklauser)
Implement commands for listing per-cluster CT/SNAT maps (#24629, @YutaroHayakawa)
Implement GC for per-cluster CT/SNAT maps (#24576, @YutaroHayakawa)
Improve clustermesh's users management test reliability (#24917, @giorio94)
improve inclusive language in governance (#23109, @xmulligan)
Improve logging statements in CES usage and reduce code reuse (#22428, @yanggangtony)
Improve Makefile to ease debugging (#26159, @pippolo84)
Improve reliability of kvstore-related tests (#26347, @giorio94)
Improved job docs on hive page (#25312, @dylandreimerink)
Increase logging verbosity of Kubernetes API Server in kind (#24384, @marseel)
Ingnore updating client-go fork in renovate dependencies (#26305, @marseel)
ingress: Avoid potential nil pointer during cleanup (#24444, @sayboras)
ingress: Improve coverage with unit tests (#24684, @sayboras)
init.sh,loader: load overlay programs in Go (#24876, @rgo3)
init.sh: move socketlb creation into own pkg (#23557, @rgo3)
Install fib rules and routes with proto kernel to avoid systemd messing with them (#24288, @NikAleksandrov)
internal-feature: We removed all instances of io.ReadAll to reduce the attack surface of possible DoS attacks. (#22602, @nathanjsweet)
introduces dedicated inline functions for per-packet-lb service translation on pod egress (#23715, @ldelossa)
IPAM multipool followups (#26138, @tklauser)
IPAM pools followups (#25498, @tklauser)
ipam/allocator: remove unused Allocator methods (#25053, @tklauser)
ipam/allocator: remove unused allocator types (#25963, @tklauser)
ipam/multipool: wait for restoration before releasing CIDRs (Backport MR #26734, Upstream MR #26668, @tklauser)
ipam: add method to get IP owner per pool (#24358, @tklauser)
ipam: clean up terminology around excluded IPs (#23942, @tklauser)
ipam: various minor cleanups (#23383, @tklauser)
ipcache: Add ability to override identity via UpsertMetadata (#21667, @gandro)
ipcache: fix not waiting for k8s caches to sync (#25975, @squeed)
ipcache: Fix wrong assertion in ipcache metadata test (#23549, @christarazi)
jenkinsfiles: remove ginkgo-based Jenkinsfiles (#26171, @aanm)
k8s / policy: allow all services for toServices when using highscale ipcache (#26127, @squeed)
k8s api: remove status documentation from CRD CiliumIdentity (#24512, @mhofstetter)
k8s/watchers: Fix calling Done() with proper error (#24616, @christarazi)
k8s/watchers: Fix erroneous warning logs due to empty CIDRGroupRef (#25072, @christarazi)
k8s/watchers: Fix race condition in init functions (#23170, @christarazi)
k8s: api: clean up CRD versioning (#24671, @julianwiedmann)
k8s: fix ciliumpodippools CRD controller-gen version (#25976, @mhofstetter)
k8s: remove unused singular CRD name consts (#25003, @tklauser)
k8s: Split SharedResources into binary specific cells (#25757, @pippolo84)
k8s: Update comment about rule preprocessing (#25864, @odinuge)
k8s: use core/v1 consts for topology-aware hints annotation/label (#23538, @tklauser)
k8s: Use Resource[*Pod] in pod watcher for the local pod watching (#26181, @joamaki)
k8s: Use slim Node in LocalNode Resource and K8s watchers (#25282, @joamaki)
kafka, go.mod, vendor: use github.com/cilium/kafka fork (#22689, @tklauser)
kafka: remove unused package (#26523, @tklauser)
kvstore/etcd: don't use atomic type for version check timeout (#24360, @tklauser)
kvstore: limit keys attached to single lease, and react to expiration (#25966, @giorio94)
kvstore: Propagate ClusterID with Service (#23514, @YutaroHayakawa)
kvstore: share etcd client logger to reduce memory usage (#26485, @giorio94)
kvstoremesh: mark the cilium-kvstoremesh secret as optional in the clustermesh-apiserver volume definition (#26318, @giorio94)
labels, ipcache: Introduce convenience NewFrom() (#23218, @christarazi)
labelsfilter: Assign review to sig-policy (#25290, @joestringer)
loader: check enabled L7 proxy via config property (Backport MR #26636, Upstream MR #26627, @mhofstetter)
Log error message on unhealthy /healthz check (#24683, @sjdot)
MAINTAINERS.md: add Casey Callendrello to the list of maintainers (#23344, @tklauser)
MAINTAINERS.md: add Julian Wiedmann (#23278, @tklauser)
MAINTAINERS: add Dylan Reimerink to the list of maintainers (#25577, @ti-mo)
MAINTAINERS: Add missing link to GitHub account (#23050, @christarazi)
MAINTAINERS: Add Nick Young (#25874, @joestringer)
MAINTAINERS: Move @twpayne to emeritus status (#23688, @twpayne)
MAINTAINERS: updates company affiliations for Michal and Tom (#23138, @tklauser)
Make api/v1/model/BackendAddressState const string , not manual define. (#22874, @yanggangtony)
Make log statements easier to read (#22971, @yulng)
make: rework kind-install-cilium-clustermesh for Cilium CLI Helm mode (Backport MR #26799, Upstream MR #26753, @giorio94)
make: use vendored goimports to format generated APIs (#24810, @tklauser)
Makefile: Fix kind deployment in quiet mode (#25873, @joestringer)
makefile: introduce variable CILIUM_CLI for cilium cli binary (#25031, @mhofstetter)
Makefile: new target kind-debug to debug cilium operator & agent in kind cluster (#23898, @mhofstetter)
Makefile: remove -test.v from GOTEST_BASE (#25703, @ti-mo)
Makefile: use CLI options to set local images for kind-install-cilium-clustermesh (#25810, @thorn3r)
Mark tests as successful if they are not supposed to run (#23847, @aanm)
Marking L2-announcements a beta feature (Backport MR #26914, Upstream MR #26891, @dylandreimerink)
metrics: Metrics initial modularization (#25651, @dylandreimerink)
metrics: provide the global services metric through the hive (#26157, @giorio94)
Minor improvements to DNS proxy around notifyOnDNSMsg() (#22341, @christarazi)
Modularize API server (api/v1/server) (#24016, @joamaki)
Modularize eventsmap and monitor.Agent (#25197, @bimmlerd)
monitor: update DBG_CT_LOOKUP4_2 / DBG_CT_LOOKUP6_2 output (Backport MR #26636, Upstream MR #26558, @julianwiedmann)
Move @lzang to emeritus committer (#23373, @xmulligan)
Move ct_lookup in bpf_host.c to a separate tailcall (#23831, @gentoo-root)
Move github.com/cilium/ipam packages to main repo (#25289, @tklauser)
Move policy package over to asynchronous IPCache API (#20116, @joestringer)
Moved @raybejjani to Emeritus Committers (#23323, @raybejjani)
multi-pool: Document unsupported kvstore mode (Backport MR #26734, Upstream MR #26662, @gandro)
multi-pool: Support allocating from new IPAM pools on demand (#25765, @gandro)
Mutual Auth Docs (Backport MR #26887, Upstream MR #25509, @nvibert)
mutual-auth: Add beta label for helm and cli flags (Backport MR #27038, Upstream MR #26984, @sayboras)
node/manager: Utilize set.SliceSubsetOf in ipcache deletion (#25180, @christarazi)
node: register ipsec metric once (#25335, @jrajahalme)
node: Use new asynchronous IPCache API for Manager (v2) (#23208, @christarazi)
node_ids: introduce GetNodeID (#26155, @mhofstetter)
nodehandler: register node-id restore as hive lifecycle hook (#25497, @mhofstetter)
nodeid map: provide map via hive cell (#25574, @mhofstetter)
nodemanager: inject ipcache into nodemanager via hive (#24261, @mhofstetter)
Operator api server modularization (#24228, @pippolo84)
operator, hive, k8s: don't call workerpool.New from hive constructors (#24419, @tklauser)
operator, k8s: Prevent CEC watcher goroutine leak (#24316, @yulng)
operator/cmd: add goleak check to TestOperatorHive (#24431, @tklauser)
operator/cmd: Move Cilium Operator version log earlier (#25018, @christarazi)
operator: Clarify log msg for unmanaged pods (#23855, @christarazi)
operator: cleanup CRD registration (#23701, @mhofstetter)
operator: fix deadlock when running in kvstore mode (#24631, @giorio94)
operator: Fix use of Resource.Events() in CEC controller (#22844, @joamaki)
operator: Remove duplicated package import (#24078, @pippolo84)
Optimize PrefixString() (#23201, @christarazi)
Optimize GetControllerName for CNP (#23717, @marseel)
Optimize getting identity by key with CRD Backend by introducing indexer. (#23064, @alan-kut)
Optimize the comparison mode of bool judgment (#22922, @Fish-pro)
option: Skip NodeEncryptionOptOutLabels when marshalling to json (#24470, @gandro)
Perform map creation and opening using cilium/ebpf API (#22693, @ti-mo)
pkg/datapath: skip TestArpPingHandling due flakiness (#25840, @aanm)
pkg/datapath: skip TestArpPingHandlingForMultiDevice due flakiness (#25821, @aanm)
pkg/endpoint: Use structured logging for error condition (#22846, @christarazi)
pkg/envoy/xds package cleanup (#24044, @tanberBro)
pkg/ip: Remove redundant type conversions (#23108, @tanberBro)
pkg/ipam: Update histogram buckets for trigger metrics (#25600, @hemanthmalla)
pkg/ipcache: add ipcacher interface (#24274, @aanm)
pkg/k8s: Replace label failure-domain.beta.kunerbetes.io deprecated in K8s 1.17 (with topology.kubernetes.io) (#23177, @my-git9)
pkg/policy: Add benchmark for ForEachGo (#22845, @christarazi)
pkg/stream: Simplify ToChannel usage (#24432, @joamaki)
plugins/cilium-cni: clean up code in cmdAdd (#26533, @tklauser)
policy: Add GetAuthTypes() (#26116, @jrajahalme)
policy: lazily start SelectorCache.handleUserNotifications (#24325, @lmb)
policy: mapstate should respect authType in dataPath equality (#23780, @mhofstetter)
policy: Optimize getNets() (#26345, @jrajahalme)
policy: track policy rule origin per selector (#23811, @bimmlerd)
policy: Utilize the DistillPolicy() code path in tests (#24402, @christarazi)
Pprof modularization (#24114, @pippolo84)
Preparatory refactoring for IPAM pools (#24247, @tklauser)
Prepare for release v1.14.0-rc.0 (#26546, @joestringer)
Prepare for release v1.14.0-snapshot.0 (#24091, @joestringer)
Prepare for release v1.14.0-snapshot.1 (#24695, @aanm)
Prepare for release v1.14.0-snapshot.3 (#25830, @aanm)
Prepare for release v1.14.0-snapshot.4 (#26324, @joestringer)
Prepare for v1.14 development cycle (#22614, @joestringer)
Prepare for v1.14.0-snapshot.2 release (#25206, @joestringer)
Prepare v1.14 stable branch (#26548, @joestringer)
proxy: introduce initial proxy cell (#25779, @mhofstetter)
Publish the 2022 Cilium security audits (#26213, @zacharysarah)
README.rst, MLH: Update stable releases, following the latest round of patch releases. (#23421, @qmonnet)
README.rst: Fix broken link to L7 policies (#24488, @PriyaSharma9)
README.rst: Fix timezones in details for community meeting (#24520, @qmonnet)
README: Bump latest snapshot release version (#26326, @joestringer)
README: Bump prerelease to v1.14.0-snapshot.2 (#25207, @joestringer)
README: Update for latest snapshot prerelease (#25845, @joestringer)
Reduce amount of bpf instructions needed for handling ipv6 addresses (#25195, @ti-mo)
Reduce the amount of repeating code in CT (#25356, @gentoo-root)
Refactor CRD generation in Makefile (#24615, @christarazi)
Refactor egressgateway specific maps into a cell (#24865, @lmb)
Refactor generate-k8s-api in Makefile (#24651, @mhofstetter)
Refactor k8s identities GC into a cell.Module (#22892, @pippolo84)
Refactor node annotations (#23772, @marseel)
Refactor set.SliceSubsetOf (#25559, @pippolo84)
refactor: move CRD registration to separate cell (#24219, @knight42)
Remove 'ip' shellout from setUpRoutingTable() (#26486, @ti-mo)
Remove COSIGN_EXPERIMENTAL: "true" env variable for signing images (#24845, @sandipanpanda)
Remove custom iproute2 fork (#26221, @ti-mo)
Remove dependency on $GOPATH for make generate-k8s-api (#23428, @ldelossa)
remove export from shell session to avoid the inconsistency (#22932, @fujitatomoya)
Remove ip assignments for cilium_host from init.sh (#25771, @rgo3)
Remove Jenkins CI documentation (Backport MR #26887, Upstream MR #26653, @joestringer)
Remove references to GOPATH in documentation (#25942, @JamesLaverack)
Remove relevant metrics series on pod deletion (#23162). (#23385, @marqc)
Remove unused parameter from NewCachingIdentityAllocator (#25594, @giorio94)
Rename master branch to main (#24717, @joestringer)
Renovate configuration fixes (#25330, @kaworu)
renovate/images: Revert accidental commits (#23497, @gandro)
renovate: Add stop updating label (#24065, @sayboras)
renovate: add support for GH workflow updates (#23625, @aanm)
renovate: allow golang 1.20 in "v1.13" and "master" branch (#23547, @aanm)
renovate: do not update 'github.com/mdlayher/arp' (#25807, @aanm)
renovate: exclude github.com/{cilium,vishvananda}/netlink (#26311, @tklauser)
renovate: fix config file format (#24109, @tklauser)
renovate: group golangci-lint updates (#24688, @mhofstetter)
renovate: ignore cilium-test Dockerfile (#23560, @aanm)
renovate: update source import paths on Go module major updates (#24003, @tklauser)
Replace client-go with private fork. (#26250, @marseel)
Replace legacy bpf syscalls with ebpf-go library APIs (#25355, @ti-mo)
Replace the string with constants from the http package (#25614, @Fish-pro)
Replaces K8s NewDeltaFIFO with NewDeltaFIFOWithOptions (#25606, @danehans)
Require binary.Size and unsafe.Sizeof of all types to match (#26340, @ti-mo)
Resource API refactoring and shared resources (#21744, @joamaki)
resource: Add Resource[Endpoints] and adapt existing watchers (#23977, @joamaki)
resource: Fix flaky test due to missing Done call (#25646, @joamaki)
resource: implement stream.Observable (#25934, @mhofstetter)
Revert "agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead" (#26493, @joestringer)
Revert "docs: fix Rule spec document typos" (#24418, @aditighag)
Revert "kludge: hardcode Google Cloud SDK key due to error 500" (#24060, @sayboras)
Revert "mlh: update Jenkins jobs following 1.27 support" (#25151, @pchaigno)
Revert "Update k8s tests and libraries to v1.27.0" (#25044, @pchaigno)
Revert and fix ip rules (#25350, @NikAleksandrov)
Revert https://github.com/cilium/cilium/pull/24288 (#24676, @aanm)
routing: Extend unit tests (#24933, @krabradosty)
Run Hubble Relay as non-root user by default. (#23259, @rolinh)
Service Mesh mTLS: auth request & response (#24159, @mhofstetter)
Service Mesh mTLS: BPF map auth provided by hive cell (#24406, @mhofstetter)
Service Mesh mTLS: Inject IPCache into auth manager via hive (#24259, @mhofstetter)
Service Mesh mTLS: introduce auth map (#24218, @mhofstetter)
Service Mesh mTLS: suppress policy verdict notification for authenticated packets (#24352, @mhofstetter)
Silence misleading log messages about service resolution in clustermesh (Backport MR #26734, Upstream MR #26614, @giorio94)
slices: Introduce slices.UniqueFunc() (#25743, @YutaroHayakawa)
Slightly improve UX around passing --metrics (#22888, @christarazi)
Small documentation fixups (Backport MR #27038, Upstream MR #26999, @aanm)
sort identities by id/name to avoid random results (#23329, @nickolaev)
source: Reorder sources based on strength (#25175, @christarazi)
statedb: An in-memory database (#24523, @joamaki)
statedb: Fix WriteJSON with multiple tables (#24970, @joamaki)
stateId: delete redundant type conversion (#23056, @XiaozhiD-web)
stream: Improve function documentation (#25922, @joamaki)
test-l4lb: Use QUAY_ORGANIZATION_DEV as the Quay org name (#25050, @michi-covalent)
test/k8s: make kafka tests more reliable (#26121, @aanm)
test: bump upgrade tests to test 1.13 (#23790, @aanm)
test: Update NetworkPolicy to networking.k8s.io/v1 (#22907, @yulng)
testutils: remove gocheck (#25684, @lmb)
This moves from the autogenerated badge from the deprecated slackin system hosted on heroku, to just a simple generated badge. (#26416, @thebsdbox)
This moves from the larger default code spaces logo, to a smaller logo in keeping with all existing links in the README. (#26417, @thebsdbox)
tools/maptool: correctly build with CGO_ENABLED=0 if not in RACE mode (#24142, @tklauser)
treewide: Fix code comment stutters (#24940, @joestringer)
treewide: fix some shebangs (#26293, @markpash)
Unify feature probing packages (#25627, @rgo3)
Update BGP related documentation to reflect feature status. (Backport MR #27038, Upstream MR #26951, @ldelossa)
Update CFP issue template to link repo (#23841, @xmulligan)
Update CNI to 1.2.0 (#23267, @michi-covalent)
Update docs for Kubernetes 1.27 (Backport MR #26734, Upstream MR #26671, @christarazi)
Update Go to 1.20.1 (#23896, @tklauser)
Update k3s cilium installation to match k3s default podCIDR (#25270, @vincentmli)
update k8s control plane tests (#23813, @aanm)
Update l2-announcements policy example in docs to be more realistic (Backport MR #27055, Upstream MR #27039, @dylandreimerink)
Update MAINTAINERS.md to include Tom Hadlaw (#22769, @christarazi)
Update NYTimes User (#25023, @abebars)
update readme with v1.14.0-snapshot.1 (#24707, @aanm)
Update stable release for v1.11.17 (#25517, @jrajahalme)
Update stable releases (#22820, @joestringer)
Update stable releases (#23742, @joestringer)
Update stable releases (#24960, @michi-covalent)
Update stable releases (#25727, @thorn3r)
Update stable releases (#26272, @qmonnet)
Update USERS.md for SIGHUP (#25982, @julianwiedmann)
Updates endpoint pkg to use netip.Addr (#25521, @danehans)
Updates informer pkg to use TransformFunc() (#25604, @danehans)
Updates k8sTest pkg to use netip.Addr (#25325, @danehans)
Updates Multi-Pool IPAM Docs for v1.14 Release (Backport MR #27055, Upstream MR #26967, @danehans)
Use &netlink.LinkNotFoundError{} to determine link not found error (#22438, @tanberBro)
use /usr/bin/env bash instead of /bin/bash in contrib, examples and test dirs (#24948, @MrFreezeex)
use /usr/bin/env bash instead of /bin/bash in images dir (#25558, @MrFreezeex)
use atomic.Pointer instead of bare LoadPointer (#23971, @lmb)
use DescribeVSwitches to get vswitch tags (#23635, @haozhangami)
Use resource for CNPs and CCNPs (#24509, @pippolo84)
Use veth device for probing managed neighbor support (#25598, @ti-mo)
USERS.md: Add Polar Signals (#24158, @brancz)
vendor: bump golang-lru to v2 (requires Go >= 1.18 support for generics) (#22644, @rolinh)
vendor: Update go-restful (Backport MR #26636, Upstream MR #26560, @ferozsalam)
vendor: Update vishvananda/netlink/ and x/sys (#26410, @borkmann)
vendor: update wireguard dependency (#23849, @aanm)
versioncheck: fix parsing of snapshot release versions (#24286, @tklauser)
When a k8s node contains multiple addresses of the same type and family, Cilium will now emit a warning-level log message stating: "Detected multiple IPs of the same address type, Cilium will only consider the first IP in the Node resource" (#25304, @danehans)

Other Changes:

[v1.14] Revert "Add support for --hubble-redact=http-url-query" (#26997, @chancez)
envoy: Bump envoy version to v1.25.9 (#27078, @sayboras)
install: Update image digests for v1.14.0-rc.1 (#26862, @joestringer)
Prepare for release v1.14.0-rc.1 (#26854, @joestringer)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Update dependency cilium/cilium to v1.14.0