azure-container-networking
deps: bump github.com/cilium/cilium from 1.15.15 to 1.17.5
Bumps github.com/cilium/cilium from 1.15.15 to 1.17.5.
Release notes
Sourced from github.com/cilium/cilium's releases.
1.17.4
Summary of Changes
Minor Changes:
- Add TRACE_{FROM/TO}_CRYPTO observation point and bpf metrics for packets forwarded-to/received-from Wireguard. (Backport PR cilium/cilium#39260, Upstream PR cilium/cilium#34958, @smagnani96)
- Cilium Agent liveness probe no longer fails if Kubernetes apiserver cannot be reached. Earlier the agent was restarted if the apiserver could not be reached for approximately 5 minutes. This avoids traffic disruptions on apiserver downtime (e.g. due to maintenance) for features such as L7 and FQDN proxy that require cilium-agent to always be up. (Backport PR cilium/cilium#38703, Upstream PR cilium/cilium#38458, @joamaki)
- Update kafka apiKey helm chart value to true (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#38963, @kyle-c-simmons)
Bugfixes:
- bpf: nodeport: avoid accidental NAT46x64 clash in from-container (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#38916, @julianwiedmann)
- Check the TLSRoute and HasServiceImportSupport through the CRD. (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#39122, @liyihuang)
- Fix a bug where a CiliumNetworkPolicy/CiliumClusterwideNetworkPolicy containing invalid rules would not be reported with invalid status. (Backport PR cilium/cilium#38948, Upstream PR cilium/cilium#38801, @tklauser)
- Fix a bug where services would fail to match wildcard protocols after switching to Local traffic policy with protocol differentiation enabled. (Backport PR cilium/cilium#39404, Upstream PR cilium/cilium#39360, @pasteley)
- Fix a deadlock when a host has no IPv4 address. (Backport PR cilium/cilium#39075, Upstream PR cilium/cilium#38938, @EmilyShepherd)
- Fix a panic happening in the ipset reconciler when a previous reconciliation failed. (Backport PR cilium/cilium#39075, Upstream PR cilium/cilium#38890, @pippolo84)
- Fix bug that would cause the cilium-dbg encrypt status command to not list any decryption interfaces when KPR is enabled. (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#39170, @pchaigno)
- Fixes a bug where layer-7 rules would override enableDefaultDeny: false, incorrectly dropping traffic. (Backport PR cilium/cilium#39375, Upstream PR cilium/cilium#38841, @nimishamehta5)
- gateway-api: Fix Gateway reconciler failure when TLSRoute CRD is not installed (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#38874, @syedazeez337)
- gateway-api: Fix parentRefMatched to check Group and Kind (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#39275, @syedazeez337)
- helm: fix hubble dynamic metrics config conflict (Backport PR cilium/cilium#39075, Upstream PR cilium/cilium#38893, @devodev)
- ipsec: Fix key derivation error in case of corrupted boot IDs (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#39059, @pchaigno)
- k8s: Fixed a case when delete event for service endpointslices might have been missed if connectivity to k8s apiserver was broken causing stale service cache for service. (Backport PR cilium/cilium#38948, Upstream PR cilium/cilium#38779, @marseel)
- wireguard:overlay: cleanup calls map when unused (Backport PR cilium/cilium#38899, Upstream PR cilium/cilium#38655, @smagnani96)
- xds: Fix a case in which after cilium-agent we were not sending updated resources to Envoy (Backport PR cilium/cilium#38977, Upstream PR cilium/cilium#38654, @marseel)
CI Changes:
- .github/workflows: Enable DualStack for conformance-kind-proxy-embedded (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#36398, @dylandreimerink)
- (cilium/cilium#39408, @joestringer)
- Align main and stable branch workflows for availability of cilium-cli (Backport PR cilium/cilium#38141, Upstream PR cilium/cilium#38138, @joestringer)
- bpf: tests: fix ethertype when building inner headers of VXLAN packet (Backport PR cilium/cilium#39075, Upstream PR cilium/cilium#39060, @julianwiedmann)
- ci-aks: Enable dual-stack in Conformance AKS (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#37704, @gandro)
- gateway-api: Add translation tests for GAMMA (Backport PR cilium/cilium#39221, Upstream PR cilium/cilium#39207, @sayboras)
- gh: e2e-upgrade: check for unexpected drops from connectivity tests (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#39111, @julianwiedmann)
- gh: e2e-upgrade: generate config matrix from file (Backport PR cilium/cilium#39058, Upstream PR cilium/cilium#38512, @julianwiedmann)
- gh: e2e-upgrade: minor log output improvements (Backport PR cilium/cilium#39058, Upstream PR cilium/cilium#38011, @julianwiedmann)
- gh: use e2e-upgrade for IPsec minor upgrade testing (Backport PR cilium/cilium#39058, Upstream PR cilium/cilium#38757, @julianwiedmann)
- gha: always respect the given image tag in the wait-for-images action (Backport PR cilium/cilium#38141, Upstream PR cilium/cilium#37901, @giorio94)
- rate: Disable TestStressRateLimiter (Backport PR cilium/cilium#38896, Upstream PR cilium/cilium#38877, @YutaroHayakawa)
Misc Changes:
- (cilium/cilium#39329, @ferozsalam)
- (cilium/cilium#39491, @ferozsalam)
- Add the doc for multi-pool ipam about how to update the existing ip pool (Backport PR cilium/cilium#38948, Upstream PR cilium/cilium#38539, @liyihuang)
- bpf: host: use MARK_MAGIC_EGW_DONE-embedded identity in to-netdev (Backport PR cilium/cilium#38948, Upstream PR cilium/cilium#38768, @julianwiedmann)
- bpf: nat: ICMP v4 improvements (Backport PR cilium/cilium#39332, Upstream PR cilium/cilium#36767, @julianwiedmann)
- bpf:hubble: update trace/drop notify for L2-less packets (Backport PR cilium/cilium#39263, Upstream PR cilium/cilium#37097, @smagnani96)
- (cilium/cilium#39183, @cilium-renovate[bot])
- (cilium/cilium#39316, @cilium-renovate[bot])
- (cilium/cilium#38908, @cilium-renovate[bot])
... (truncated)
Changelog
Sourced from github.com/cilium/cilium's changelog.
v1.17.5
Summary of Changes
Bugfixes:
- aws/ENI: Only use pagination when not specifying IDs (Backport PR cilium/cilium#39564, Upstream PR cilium/cilium#39120, @HadrienPatte)
- Fix connections to deleted service backends not getting terminated in certain cases involving services with multiple protocol ports. (Backport PR cilium/cilium#39564, Upstream PR cilium/cilium#37745, @foyerunix)
- Fix handle_policy_egress programs not being cleaned up during endpoint teardown (Backport PR cilium/cilium#39685, Upstream PR cilium/cilium#39560, @ti-mo)
- Fixed bug where datapath is unable to compile when active connection tracking and IPv6 are enabled at the same time. (Backport PR cilium/cilium#39564, Upstream PR cilium/cilium#39509, @dylandreimerink)
- Fixes a bug where a CIDRRule of 0.0.0.0/0 would not select all external traffic. (Backport PR cilium/cilium#39765, Upstream PR cilium/cilium#39693, @squeed)
- gateway-api: Use original source address for GAMMA (Backport PR cilium/cilium#39685, Upstream PR cilium/cilium#39206, @sayboras)
- helm/hubble: Fix wrong value for metrics server tls existingSecret (Backport PR cilium/cilium#39685, Upstream PR cilium/cilium#39668, @devodev)
- install/kubernetes: change mapDynamicSizeRatio from number to string (Backport PR cilium/cilium#39963, Upstream PR cilium/cilium#39834, @aanm)
- operator: skip retry of node taint update when node not found (Backport PR cilium/cilium#39564, Upstream PR cilium/cilium#39517, @jshr-w)
- Persist parent interface index of endpoint across agent restarts (Backport PR cilium/cilium#39765, Upstream PR cilium/cilium#39575, @dylandreimerink)
- Policy updates to Envoy no longer consider a single selector as an L3 wildcard. Cilium bpf datapath policy enforcement is not done for Cilium Ingress policy enforcement so the L3 identity needs to be enforced in all cases. (Backport PR cilium/cilium#39564, Upstream PR cilium/cilium#39511, @jrajahalme)
CI Changes:
- bpf: test: fix up mis-spelled HAVE_NETNS_COOKIE (Backport PR cilium/cilium#39564, Upstream PR cilium/cilium#39420, @julianwiedmann)
- call for metrics in smoke tests from runner instead of installing apt/curl on cilium pod (Backport PR cilium/cilium#39862, Upstream PR cilium/cilium#37362, @Artyop)
- gh: e2e: enable secondary-network LB testing for all KPR=true configs (Backport PR cilium/cilium#39780, Upstream PR cilium/cilium#39718, @julianwiedmann)
- gh: eks: restore concurrent execution of connectivity tests (Backport PR cilium/cilium#39685, Upstream PR cilium/cilium#39673, @julianwiedmann)
- Re-optimize CI build process (Backport PR cilium/cilium#39862, Upstream PR cilium/cilium#39802, @aanm)
Misc Changes:
- (cilium/cilium#39801, @aanm)
- (cilium/cilium#38233, @julianwiedmann)
- Add a section to talk about the native routing masquerading in the cloud environment. (Backport PR cilium/cilium#39564, Upstream PR cilium/cilium#39343, @liyihuang)
- bpf: host: flag Cilium's ESP traffic as TRACE_REASON_ENCRYPTED (Backport PR cilium/cilium#39685, Upstream PR cilium/cilium#39558, @julianwiedmann)
- bpf: Skip lxc src IP check for proxy traffic (Backport PR cilium/cilium#39564, Upstream PR cilium/cilium#39530, @sayboras)
- bpf:wireguard: reuse MARK_MAGIC_ENCRYPT for encrypted packets (Backport PR cilium/cilium#39652, Upstream PR cilium/cilium#39651, @smagnani96)
- (cilium/cilium#39476, @cilium-renovate[bot])
- (cilium/cilium#39704, @cilium-renovate[bot])
- (cilium/cilium#39570, @cilium-renovate[bot])
- (cilium/cilium#39687, @cilium-renovate[bot])
- (cilium/cilium#39821, @cilium-renovate[bot])
- (cilium/cilium#39879, @cilium-renovate[bot])
- (cilium/cilium#39607, @cilium-renovate[bot])
- (cilium/cilium#39951, @cilium-renovate[bot])
- (cilium/cilium#39725, @cilium-renovate[bot])
- (cilium/cilium#39822, @cilium-renovate[bot])
- (cilium/cilium#39605, @cilium-renovate[bot])
- (cilium/cilium#39606, @cilium-renovate[bot])
- (cilium/cilium#39949, @cilium-renovate[bot])
- (cilium/cilium#39886, @cilium-renovate[bot])
- (cilium/cilium#39935, @cilium-renovate[bot])
- (cilium/cilium#39703, @cilium-renovate[bot])
- (cilium/cilium#39950, @cilium-renovate[bot])
- HELM: Adding Label Support to clustermesh apiserver service (Backport PR cilium/cilium#39564, Upstream PR cilium/cilium#39520, @camrossi)
... (truncated)
Commits
- 69aab28 Prepare for release v1.17.5
- 194c149 chore(deps): update all github action dependencies
- 2ea392f images: update cilium-{runtime,builder}
- 307baf5 chore(deps): update docker.io/library/golang:1.24.4 docker digest to 10c1318
- f3f1594 chore(deps): update stable lvh-images
- baae32c pkg/fswatcher: Rewrite without underlying use of fsnotify
- fad6440 install/kubernetes: add mapDynamicSizeRatio string schema
- 10dfbfa images: update cilium-{runtime,builder}
- 67e50f2 chore(deps): update dependency protocolbuffers/protobuf to v31.1
- 7b15f73 chore(deps): update stable lvh-images
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)