Prepare for release v1.12.17

Co-authored-by: Andrew Sauber <2046750+asauber@users.noreply.github.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
cilium · Dec 11, 2023 · 4ceb82a · 4ceb82a
1 parent 0186818
commit 4ceb82a
Show file tree

Hide file tree

Showing 10 changed files with 106 additions and 43 deletions.
diff --git a/.github/maintainers-little-helper.yaml b/.github/maintainers-little-helper.yaml
@@ -1,4 +1,4 @@
-project: "https://github.com/cilium/cilium/projects/256"
+project: "https://github.com/cilium/cilium/projects/260"
 column: "In progress"
 auto-label:
   - "kind/backports"

diff --git a/AUTHORS b/AUTHORS
@@ -37,6 +37,7 @@ Andrew Sy Kim                           kim.andrewsy@gmail.com
 Andrey Devyatkin                        andrey.devyatkin@fivexl.io
 Andrey Klimentyev                       andrey.klimentyev@flant.com
 Andrey Voronkov                         voronkovaa@gmail.com
+Andrii Iuspin                           yuspin@gmail.com
 Andrzej Mamak                           nqaegg@gmail.com
 Aniruddha Amit Dutta                    duttaaniruddha31@gmail.com
 Anish Shah                              anishshah@google.com
@@ -483,6 +484,7 @@ Vadim Ponomarev                         velizarx@gmail.com
 Valas Valancius                         valas@google.com
 Vance Li                                vanceli@tencent.com
 Vigneshwaren Sunder                     vickymailed@gmail.com
+viktor-kurchenko                        viktor.kurchenko@isovalent.com
 Viktor Kuzmin                           kvaster@gmail.com
 Viktor Oreshkin                         imselfish@stek29.rocks
 Ville Ojamo                             bluikko@users.noreply.github.com

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,64 @@
 # Changelog
 
+## v1.12.17
+
+Summary of Changes
+------------------
+
+**Minor Changes:**
+* helm: Add missing SA automount configuration (Backport PR #29692, Upstream PR #29511, @ayuspin)
+* helm: Add SA to nodeinit ds (Backport PR #29692, Upstream PR #24836, @darox)
+* helm: Allow setting resources for the agent init containers (Backport PR #29692, Upstream PR #29610, @ayuspin)
+
+**Bugfixes:**
+* datapath: Fix ENI egress routing table for cilium_host IP (Backport PR #29392, Upstream PR #29335, @gandro)
+* Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport PR #29639, Upstream PR #29566, @christarazi)
+* Handle non-AEAD IPsec keys in `cilium encrypt status`. (Backport PR #29639, Upstream PR #29182, @viktor-kurchenko)
+* Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR #29708, Upstream PR #29340, @aanm)
+* When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR #29474, Upstream PR #29160, @julianwiedmann)
+
+**CI Changes:**
+* ci-ipsec-upgrade: Check for errors (Backport PR #29274, Upstream PR #29189, @brb)
+* ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR #29005, Upstream PR #29072, @brb)
+* CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR #29005, Upstream PR #28016, @jschwinger233)
+* ci: remove empty github workflow file tests-nightly.yaml (#29601, @mhofstetter)
+* Clean up tests-ipsec-upgrade workflow (Backport PR #29005, Upstream PR #27977, @michi-covalent)
+* gha: align ci-ipsec-e2e workflow name to main (#29686, @giorio94)
+* Test upgrade/downgrade to patch release for IPsec (Backport PR #29005, Upstream PR #28815, @qmonnet)
+* Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR #29474, Upstream PR #29409, @giorio94)
+* workflows: Add debug info to IPsec key rotation test (Backport PR #29474, Upstream PR #29353, @pchaigno)
+* travis: install buildkit in pre-install
+
+**Misc Changes:**
+* chore(deps): update actions/checkout action to v4 (v1.12) (#29296, @renovate[bot])
+* chore(deps): update actions/github-script action to v7 (v1.12) (#29297, @renovate[bot])
+* chore(deps): update all github action dependencies (v1.12) (minor) (#29295, @renovate[bot])
+* chore(deps): update all github action dependencies (v1.12) (patch) (#29293, @renovate[bot])
+* chore(deps): update all lvh-images main (v1.12) (patch) (#29294, @renovate[bot])
+* chore(deps): update all lvh-images main (v1.12) (patch) (#29421, @renovate[bot])
+* chore(deps): update docker.io/library/golang docker tag to v1.20.12 (v1.12) (#29662, @renovate[bot])
+* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to ed4a422 (v1.12) (#29292, @renovate[bot])
+* chore(deps): update docker/dockerfile docker tag to v1.6 (v1.12) (#29253, @renovate[bot])
+* chore(deps): update docker/dockerfile docker tag to v1.6 (v1.12) (#29254, @renovate[bot])
+* chore(deps): update docker/dockerfile docker tag to v1.6 (v1.12) (#29255, @renovate[bot])
+* chore(deps): update hubble cli to v0.12.3 (v1.12) (patch) (#29748, @renovate[bot])
+* chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.12) (#29298, @renovate[bot])
+* ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29193, Upstream PR #29178, @brb)
+* endpoint: don't hold the endpoint lock while generating policy (Backport PR #29408, Upstream PR #26242, @squeed)
+* images: bump cni plugins to v1.4.0 (Backport PR #29722, Upstream PR #29622, @squeed)
+* ipsec: Small refactorings on key loading and state creation (Backport PR #29474, Upstream PR #29352, @pchaigno)
+* Update the logrus dependency to address a security issue. (#29673, @rolinh)
+
+**Other Changes:**
+* [1.12] Address selectorcache concurrent read/write (#29167, @bimmlerd)
+* [v1.12] Author Backport of 29603 (examples: update guestbook example & test with new image registry) (#29600, @mhofstetter)
+* [v1.12] ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (#29683, @julianwiedmann)
+* envoy: Bump cilium-envoy with golang 1.21.5 (#29654, @sayboras)
+* envoy: Bump envoy container image with golang 1.21 and latest grpc package (#29385, @sayboras)
+* install: Update image digests for v1.12.16 (#29137, @nathanjsweet)
+* Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29209, @thorn3r)
+* v1.12: ariane: Run ci-ipsec-upgrade when testing backports (#29228, @brb)
+
 ## v1.12.16
 
 Summary of Changes

diff --git a/Documentation/concepts/kubernetes/compatibility-table.rst b/Documentation/concepts/kubernetes/compatibility-table.rst
@@ -144,7 +144,9 @@
 +-----------------+----------------+
 | v1.12.15        | 1.25.7         |
 +-----------------+----------------+
+| v1.12.16        | 1.25.7         |
++-----------------+----------------+
 | v1.12           | 1.25.7         |
 +-----------------+----------------+
-| latest / master | 1.26.10        |
+| latest / master | 1.26.7         |
 +-----------------+----------------+
diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.12.16
+1.12.17
diff --git a/install/kubernetes/Makefile.digests b/install/kubernetes/Makefile.digests
@@ -2,12 +2,12 @@
 # Copyright 2023 Authors of Cilium
 # SPDX-License-Identifier: Apache-2.0
 
-export CILIUM_DIGEST := "sha256:74d0c8d91821bf5fb7a7a7ad4acdebd6f74dd52ba1d1e3d40fa543a506a7ee14"
-export CLUSTERMESH_APISERVER_DIGEST := "sha256:de5b80e9c95c94e2605f9aaf59965c8c22dab80d94d34189adbe30e728476326"
-export DOCKER_PLUGIN_DIGEST := "sha256:74eb31f091fe94f62c423ca5eafa57006ff086901db7df26ce8d2aa0accb65e3"
-export HUBBLE_RELAY_DIGEST := "sha256:503d39c3a2cb98d662f90c7952b58edbab1acff45abb212f8bb4c6ad607a7089"
-export OPERATOR_ALIBABACLOUD_DIGEST := "sha256:40a1e332e64735a5f91c2c286b738b200b7d96ceba1f9fd988dd9fcb818922bb"
-export OPERATOR_AWS_DIGEST := "sha256:b29e4a4f6c068e3500cc2091c6c3bf144e704d60723a2c49ae43904ee414a37f"
-export OPERATOR_AZURE_DIGEST := "sha256:8226a2b106f76e7a37f20dd7216ba9bdd3bcbf5287a3b39ed21bcaffe34af21f"
-export OPERATOR_GENERIC_DIGEST := "sha256:3132b821c1d3f617a1763ce32be8e42b33adfa8dbd267c7ec45f368794c5dcae"
-export OPERATOR_DIGEST := "sha256:076351699a55ec3b48753615cb24edb120e8fd8578d8a382fb01353de39d75b9"
+export CILIUM_DIGEST := ""
+export CLUSTERMESH_APISERVER_DIGEST := ""
+export DOCKER_PLUGIN_DIGEST := ""
+export HUBBLE_RELAY_DIGEST := ""
+export OPERATOR_ALIBABACLOUD_DIGEST := ""
+export OPERATOR_AWS_DIGEST := ""
+export OPERATOR_AZURE_DIGEST := ""
+export OPERATOR_GENERIC_DIGEST := ""
+export OPERATOR_DIGEST := ""
diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.12.16
-appVersion: 1.12.16
+version: 1.12.17
+appVersion: 1.12.17
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.12/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability

diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.12.16](https://img.shields.io/badge/Version-1.12.16-informational?style=flat-square) ![AppVersion: 1.12.16](https://img.shields.io/badge/AppVersion-1.12.16-informational?style=flat-square)
+![Version: 1.12.17](https://img.shields.io/badge/Version-1.12.17-informational?style=flat-square) ![AppVersion: 1.12.17](https://img.shields.io/badge/AppVersion-1.12.17-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -98,7 +98,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:de5b80e9c95c94e2605f9aaf59965c8c22dab80d94d34189adbe30e728476326","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.16","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.17","useDigest":false}` | Clustermesh API server image. |
 | clustermesh.apiserver.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -256,7 +256,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. |
 | hubble.relay.extraVolumeMounts | list | `[]` | Additional hubble-relay volumeMounts. |
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
-| hubble.relay.image | object | `{"digest":"sha256:503d39c3a2cb98d662f90c7952b58edbab1acff45abb212f8bb4c6ad607a7089","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.16","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.17","useDigest":false}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -347,7 +347,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/  |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
-| image | object | `{"digest":"sha256:74d0c8d91821bf5fb7a7a7ad4acdebd6f74dd52ba1d1e3d40fa543a506a7ee14","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.16","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.17","useDigest":false}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. |
 | ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. |
@@ -416,7 +416,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:40a1e332e64735a5f91c2c286b738b200b7d96ceba1f9fd988dd9fcb818922bb","awsDigest":"sha256:b29e4a4f6c068e3500cc2091c6c3bf144e704d60723a2c49ae43904ee414a37f","azureDigest":"sha256:8226a2b106f76e7a37f20dd7216ba9bdd3bcbf5287a3b39ed21bcaffe34af21f","genericDigest":"sha256:3132b821c1d3f617a1763ce32be8e42b33adfa8dbd267c7ec45f368794c5dcae","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.16","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.17","useDigest":false}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/  |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -459,7 +459,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:74d0c8d91821bf5fb7a7a7ad4acdebd6f74dd52ba1d1e3d40fa543a506a7ee14","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.16","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.17","useDigest":false}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/  |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |