Prepare for release v1.12.18

Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>

.github/maintainers-little-helper.yaml

@@ -1,4 +1,4 @@
-project: "https://github.com/cilium/cilium/projects/260"
+project: "https://github.com/cilium/cilium/projects/263"
 column: "In progress"
 auto-label:
   - "kind/backports"

AUTHORS

@@ -286,6 +286,7 @@ Liu Qun                                 qunliu@zyhx-group.com
 Livingstone S E                         livingstone.s.e@gmail.com
 Li Yi                                   denverdino@gmail.com
 Liz Rice                                liz@lizrice.com
+Lorenz Bauer                            lmb@isovalent.com
 Lorenzo Fundaró                         lorenzofundaro@gmail.com
 Louis DeLosSantos                       louis@isovalent.com
 lou-lan                                 loulan@loulan.me
@@ -452,6 +453,7 @@ Stevo Slavić                            sslavic@gmail.com
 Stijn Smits                             stijn@stijn98s.nl
 Strukov Anton                           anstrukov@luxoft.com
 Sugang Li                               sugangli@google.com
+Sven Haardiek                           sven.haardiek@uni-muenster.de
 Swaminathan Vasudevan                   svasudevan@suse.com
 Taeung Song                             treeze.taeung@gmail.com
 Tam Mach                                tam.mach@cilium.io

CHANGELOG.md

@@ -1,5 +1,44 @@
 # Changelog
 
+## v1.12.18
+
+Summary of Changes
+------------------
+
+**Minor Changes:**
+* Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (Backport PR #30004, Upstream PR #22384, @shaardie)
+
+**Bugfixes:**
+* Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30217, Upstream PR #29239, @jrajahalme)
+* cilium-preflight: use the k8s node name instead of relying on hostname (Backport PR #30004, Upstream PR #29809, @marseel)
+* Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #30004, Upstream PR #29616, @learnitall)
+* iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR #30181, Upstream PR #29310, @julianwiedmann)
+* nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29979, Upstream PR #29964, @gandro)
+
+**CI Changes:**
+* ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport PR #29701, Upstream PR #29653, @brb)
+* ci: always use full matrix for scheduled cloud-provider workflows (Backport PR #29842, Upstream PR #29694, @mhofstetter)
+* datapath: Cover subnet encryption in XFRM leak test (Backport PR #30082, Upstream PR #27212, @pchaigno)
+* datapath: Fix TestNodeChurnXFRMLeaks (Backport PR #30082, Upstream PR #27274, @brb)
+* gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport PR #29842, Upstream PR #29675, @giorio94)
+* node: Integration test for XFRM leaks on node churn (Backport PR #30082, Upstream PR #27187, @pchaigno)
+* workflows: Increase IPsec e2e test's timeout (Backport PR #30268, Upstream PR #30194, @julianwiedmann)
+* workflows: Increase IPsec upgrade test's timeout (Backport PR #30082, Upstream PR #29934, @pchaigno)
+* workflows: Make the conn-disrupt test more sensitive (Backport PR #29701, Upstream PR #29623, @pchaigno)
+
+**Misc Changes:**
+* bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #30004, Upstream PR #29880, @julianwiedmann)
+* docs: Fix keyid derivation in IPsec docs (Backport PR #30082, Upstream PR #30000, @brb)
+* fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30181, Upstream PR #29971, @renovate[bot])
+* Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport PR #29871, Upstream PR #29801, @jrfastab)
+
+**Other Changes:**
+* install: Update image digests for v1.12.17 (#29808, @nebril)
+* v1.12: Ignore packet drops of type `Failed to update or lookup TC buffer` (#30202, @pchaigno)
+* v1.12: ipam: Fix invalid PodCIDR in CiliumNode in ENI/Azure/MultiPool mode (#30147, @pchaigno)
+* v1.12: update dependency cilium/cilium-cli to v0.15.19 (#30146, @pchaigno)
+* v1.12: workflow/ipsec-e2e: bump CLI to v0.15.19 (#30239, @pchaigno)
+
 ## v1.12.17
 
 Summary of Changes

Documentation/concepts/kubernetes/compatibility-table.rst

@@ -146,7 +146,9 @@
 +-----------------+----------------+
 | v1.12.16        | 1.25.7         |
 +-----------------+----------------+
+| v1.12.17        | 1.25.7         |
++-----------------+----------------+
 | v1.12           | 1.25.7         |
 +-----------------+----------------+
-| latest / master | 1.26.7         |
+| latest / master | 1.26.9         |
 +-----------------+----------------+

VERSION

@@ -1 +1 @@
-1.12.17
+1.12.18

install/kubernetes/Makefile.digests

@@ -2,12 +2,12 @@
 # Copyright 2023 Authors of Cilium
 # SPDX-License-Identifier: Apache-2.0
 
-export CILIUM_DIGEST := "sha256:323e5762a2412e4f274c34ffb655d57b439d3c057ada48167f8aa038729c1661"
-export CLUSTERMESH_APISERVER_DIGEST := "sha256:7bf626ebaafeaf51870f9f5dc4d5127797da97ab5365405cccadb480dae900cf"
-export DOCKER_PLUGIN_DIGEST := "sha256:f2c7392a06baf33084115ea98f96620eb49fc12a1815b08d5bcbb5976f58035f"
-export HUBBLE_RELAY_DIGEST := "sha256:4387d06a9c0089de6a27d815a9a475f539b2f9eaf6ec7d95d1670b502e18f7ea"
-export OPERATOR_ALIBABACLOUD_DIGEST := "sha256:06e7a741d4b74790dc8c9fcc594608630517cc7366e4d4ba97eef7133bd94bfb"
-export OPERATOR_AWS_DIGEST := "sha256:aa2ba6331ec84e64f46205dbd9043a69b89f2eb177bbd29d7c5c88a052809cb0"
-export OPERATOR_AZURE_DIGEST := "sha256:a1f1151454586b7aa7e93564975074d861d8020cb52bd82a565ce645ab671645"
-export OPERATOR_GENERIC_DIGEST := "sha256:17a1b1cbc38bcce00fd4d793c7b6ab630fdaaa464d53e05967625c7b7306730d"
-export OPERATOR_DIGEST := "sha256:e777fff0f61af556ad6c0c67abb1524dbfddb95da80875aa6456ad4b6899ae41"
+export CILIUM_DIGEST := ""
+export CLUSTERMESH_APISERVER_DIGEST := ""
+export DOCKER_PLUGIN_DIGEST := ""
+export HUBBLE_RELAY_DIGEST := ""
+export OPERATOR_ALIBABACLOUD_DIGEST := ""
+export OPERATOR_AWS_DIGEST := ""
+export OPERATOR_AZURE_DIGEST := ""
+export OPERATOR_GENERIC_DIGEST := ""
+export OPERATOR_DIGEST := ""

install/kubernetes/cilium/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.12.17
-appVersion: 1.12.17
+version: 1.12.18
+appVersion: 1.12.18
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.12/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability

install/kubernetes/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.12.17](https://img.shields.io/badge/Version-1.12.17-informational?style=flat-square) ![AppVersion: 1.12.17](https://img.shields.io/badge/AppVersion-1.12.17-informational?style=flat-square)
+![Version: 1.12.18](https://img.shields.io/badge/Version-1.12.18-informational?style=flat-square) ![AppVersion: 1.12.18](https://img.shields.io/badge/AppVersion-1.12.18-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -99,7 +99,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:7bf626ebaafeaf51870f9f5dc4d5127797da97ab5365405cccadb480dae900cf","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.17","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.18","useDigest":false}` | Clustermesh API server image. |
 | clustermesh.apiserver.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -257,7 +257,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. |
 | hubble.relay.extraVolumeMounts | list | `[]` | Additional hubble-relay volumeMounts. |
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
-| hubble.relay.image | object | `{"digest":"sha256:4387d06a9c0089de6a27d815a9a475f539b2f9eaf6ec7d95d1670b502e18f7ea","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.17","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.18","useDigest":false}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -348,7 +348,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/  |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
-| image | object | `{"digest":"sha256:323e5762a2412e4f274c34ffb655d57b439d3c057ada48167f8aa038729c1661","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.17","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.18","useDigest":false}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. |
 | ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. |
@@ -417,7 +417,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:06e7a741d4b74790dc8c9fcc594608630517cc7366e4d4ba97eef7133bd94bfb","awsDigest":"sha256:aa2ba6331ec84e64f46205dbd9043a69b89f2eb177bbd29d7c5c88a052809cb0","azureDigest":"sha256:a1f1151454586b7aa7e93564975074d861d8020cb52bd82a565ce645ab671645","genericDigest":"sha256:17a1b1cbc38bcce00fd4d793c7b6ab630fdaaa464d53e05967625c7b7306730d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.17","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.18","useDigest":false}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/  |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -460,7 +460,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:323e5762a2412e4f274c34ffb655d57b439d3c057ada48167f8aa038729c1661","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.17","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.18","useDigest":false}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/  |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

install/kubernetes/cilium/values.yaml

@@ -110,11 +110,11 @@ rollOutCiliumPods: false
 image:
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.12.17"
+  tag: "v1.12.18"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:323e5762a2412e4f274c34ffb655d57b439d3c057ada48167f8aa038729c1661"
-  useDigest: true
+  digest: ""
+  useDigest: false
 
 # -- Affinity for cilium-agent.
 affinity:
@@ -848,10 +848,10 @@ hubble:
     image:
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.12.17"
+      tag: "v1.12.18"
        # hubble-relay-digest
-      digest: "sha256:4387d06a9c0089de6a27d815a9a475f539b2f9eaf6ec7d95d1670b502e18f7ea"
-      useDigest: true
+      digest: ""
+      useDigest: false
       pullPolicy: "IfNotPresent"
 
     # -- Specifies the resources for the hubble-relay pods
@@ -1648,16 +1648,16 @@ operator:
   image:
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.12.17"
+    tag: "v1.12.18"
     # operator-generic-digest
-    genericDigest: "sha256:17a1b1cbc38bcce00fd4d793c7b6ab630fdaaa464d53e05967625c7b7306730d"
+    genericDigest: ""
     # operator-azure-digest
-    azureDigest: "sha256:a1f1151454586b7aa7e93564975074d861d8020cb52bd82a565ce645ab671645"
+    azureDigest: ""
     # operator-aws-digest
-    awsDigest: "sha256:aa2ba6331ec84e64f46205dbd9043a69b89f2eb177bbd29d7c5c88a052809cb0"
+    awsDigest: ""
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:06e7a741d4b74790dc8c9fcc594608630517cc7366e4d4ba97eef7133bd94bfb"
-    useDigest: true
+    alibabacloudDigest: ""
+    useDigest: false
     pullPolicy: "IfNotPresent"
     suffix: ""
 
@@ -1905,10 +1905,10 @@ preflight:
   image:
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.12.17"
+    tag: "v1.12.18"
     # cilium-digest
-    digest: "sha256:323e5762a2412e4f274c34ffb655d57b439d3c057ada48167f8aa038729c1661"
-    useDigest: true
+    digest: ""
+    useDigest: false
     pullPolicy: "IfNotPresent"
 
   # -- The priority class to use for the preflight pod.
@@ -2051,10 +2051,10 @@ clustermesh:
     image:
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.12.17"
+      tag: "v1.12.18"
       # clustermesh-apiserver-digest
-      digest: "sha256:7bf626ebaafeaf51870f9f5dc4d5127797da97ab5365405cccadb480dae900cf"
-      useDigest: true
+      digest: ""
+      useDigest: false
       pullPolicy: "IfNotPresent"
 
     etcd: