diff --git a/.github/maintainers-little-helper.yaml b/.github/maintainers-little-helper.yaml index 8e5484d17a14..0776f8d9df0e 100644 --- a/.github/maintainers-little-helper.yaml +++ b/.github/maintainers-little-helper.yaml @@ -1,4 +1,4 @@ -project: "https://github.com/cilium/cilium/projects/275" +project: "https://github.com/cilium/cilium/projects/278" column: "In progress" auto-label: - "kind/backports" diff --git a/CHANGELOG.md b/CHANGELOG.md index 11b673bb027e..1925cf24b18b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,46 @@ # Changelog +## v1.13.14 + +Summary of Changes +------------------ + +**Minor Changes:** +* cni: use default logger with timestamps. (Backport PR #31309, Upstream PR #31014, @tommyp1ckles) +* Introduce `cilium-dbg encrypt flush --stale` flag to remove XFRM states and policies with stale node IDs. (Backport PR #31309, Upstream PR #31159, @pchaigno) + +**Bugfixes:** +* Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (Backport PR #31476, Upstream PR #31395, @tklauser) +* Fix bug leading to missed ipcache updates for the CiliumInternalIP when `--enable-remote-node-identity=false`, and unnecessary `ipcache_errors_total` metric increase if Cilium operates in kvstore mode. (#31396, @giorio94) +* gateway-api: Retrieve LB service from same namespace (Backport PR #31496, Upstream PR #31271, @sayboras) +* Handle InvalidParameterValue as well for PD fallback (Backport PR #31496, Upstream PR #31016, @hemanthmalla) +* Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR #31496, Upstream PR #31211, @kaworu) +* k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR #31476, Upstream PR #31421, @tklauser) + +**CI Changes:** +* AKS: avoid overlapping pod and service CIDRs (Backport PR #31570, Upstream PR #31504, @bimmlerd) +* Centralize configuration of kind version/image in GitHub Action workflows (Backport PR #31195, Upstream PR #30916, @giorio94) +* Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (Backport PR #31195, Upstream PR #31198, @giorio94) +* ci: Bump lvh-kind ssh-startup-wait-retries (Backport PR #31496, Upstream PR #31387, @YutaroHayakawa) +* gha: disable fail-fast on integration tests (Backport PR #31496, Upstream PR #31420, @giorio94) +* gha: drop unused check_url environment variable (Backport PR #31195, Upstream PR #30928, @giorio94) +* introduce ARM github workflows (Backport PR #31309, Upstream PR 
#31196, @aanm) +* ipam: deepcopy interface resource correctly. (Backport PR #31496, Upstream PR #26998, @tommyp1ckles) +* loader: fix issue where errors cancelled compile cause error logs. (Backport PR #31309, Upstream PR #30988, @tommyp1ckles) + +**Misc Changes:** +* Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR #31309, Upstream PR #31015, @learnitall) +* chore(deps): update all github action dependencies (v1.13) (#31485, @renovate[bot]) +* chore(deps): update all github action dependencies (v1.13) (#31584, @renovate[bot]) +* chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.13) (#31484, @renovate[bot]) +* cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR #31570, Upstream PR #31503, @mhofstetter) +* doc: Clarified GwAPI KPR prerequisites (Backport PR #31496, Upstream PR #31366, @PhilipSchmid) +* docs: Warn on key rotations during upgrades (Backport PR #31496, Upstream PR #31437, @pchaigno) + +**Other Changes:** +* install: Update image digests for v1.13.13 (#31405, @thorn3r) +* v1.13: IPsec Fixes (#31612, @pchaigno) + ## v1.13.13 Summary of Changes diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst index 59d20a416b8c..279c4771ffca 100644 --- a/Documentation/helm-values.rst +++ b/Documentation/helm-values.rst 
@@ -244,7 +244,7 @@ * - :spelling:ignore:`clustermesh.apiserver.image` - Clustermesh API server image. - object - - ``{"digest":"sha256:9f7a4a3f696f43e170b28d16e0e98d3c9d53b6f6a634bcae4c049839f6fa001d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.13.13","useDigest":true}`` + - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.13.14","useDigest":false}`` * - :spelling:ignore:`clustermesh.apiserver.nodeSelector` - Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - object @@ -968,7 +968,7 @@ * - :spelling:ignore:`hubble.relay.image` - Hubble-relay container image. - object - - ``{"digest":"sha256:19348701926a6c4a2e502e8aa185ffa147368ee1e93d2f4c9e1d451b9f81b153","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.13.13","useDigest":true}`` + - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.13.14","useDigest":false}`` * - :spelling:ignore:`hubble.relay.listenHost` - Host to listen to. Specify an empty string to bind to all the interfaces. - string @@ -1348,7 +1348,7 @@ * - :spelling:ignore:`image` - Agent container image. - object - - ``{"digest":"sha256:861772857f72bf9cf7b1bab95b3a3c5dc5de1c18c26cfffd4f4dea095ce1a59c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.13.13","useDigest":true}`` + - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.13.14","useDigest":false}`` * - :spelling:ignore:`imagePullSecrets` - Configure image pull secrets for pulling container images - string 
@@ -1720,7 +1720,7 @@ * - :spelling:ignore:`operator.image` - cilium-operator image. - object - - ``{"alibabacloudDigest":"sha256:847301ce51b1e6c3f61adddbd051c7832847dcd1df0ed2d37d2262f4c73d9880","awsDigest":"sha256:166c232bb82f211e0405c7bd52e3a4c5ffc70c4b6b7c1444e2d92b5eefb52abd","azureDigest":"sha256:a78a74ff804d82189144505a40841426a40edd499dd2973aae163c6450d5df2c","genericDigest":"sha256:42ca3f1a6a5ca1312119418c98d8e2b989c56e2a979da3b8c1a0d1961a78e40c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.13.13","useDigest":true}`` + - ``{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.13.14","useDigest":false}`` * - :spelling:ignore:`operator.nodeGCInterval` - Interval for cilium node garbage collection. - string @@ -1904,7 +1904,7 @@ * - :spelling:ignore:`preflight.image` - Cilium pre-flight image. - object - - ``{"digest":"sha256:861772857f72bf9cf7b1bab95b3a3c5dc5de1c18c26cfffd4f4dea095ce1a59c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.13.13","useDigest":true}`` + - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.13.14","useDigest":false}`` * - :spelling:ignore:`preflight.nodeSelector` - Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - object diff --git a/Documentation/network/kubernetes/compatibility-table.rst b/Documentation/network/kubernetes/compatibility-table.rst index d333f54ed12b..403a1a88bd76 100644 --- a/Documentation/network/kubernetes/compatibility-table.rst +++ b/Documentation/network/kubernetes/compatibility-table.rst 
@@ -142,7 +142,9 @@ +-----------------+----------------+ | v1.13.12 | 1.26.7 | +-----------------+----------------+ -| v1.13 | 1.26.7 | +| v1.13.13 | 1.26.7 | ++-----------------+----------------+ +| v1.13 | 1.26.8 | +-----------------+----------------+ | latest / master | 1.26.9 | +-----------------+----------------+ diff --git a/VERSION b/VERSION index faa640ed4331..f38a4c9427a8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.13.13 +1.13.14 diff --git a/install/kubernetes/Makefile.digests b/install/kubernetes/Makefile.digests index 34644bfe54ce..7933852e3fb4 100644 --- a/install/kubernetes/Makefile.digests +++ b/install/kubernetes/Makefile.digests 
@@ -2,12 +2,12 @@ # Copyright 2024 Authors of Cilium # SPDX-License-Identifier: Apache-2.0 -export CILIUM_DIGEST := "sha256:861772857f72bf9cf7b1bab95b3a3c5dc5de1c18c26cfffd4f4dea095ce1a59c" -export CLUSTERMESH_APISERVER_DIGEST := "sha256:9f7a4a3f696f43e170b28d16e0e98d3c9d53b6f6a634bcae4c049839f6fa001d" -export DOCKER_PLUGIN_DIGEST := "sha256:d04a8d96204d8f32f46b7bbb9e9329fc82dbc9f8197eddc39cb10915c16c97d4" -export HUBBLE_RELAY_DIGEST := "sha256:19348701926a6c4a2e502e8aa185ffa147368ee1e93d2f4c9e1d451b9f81b153" -export OPERATOR_ALIBABACLOUD_DIGEST := "sha256:847301ce51b1e6c3f61adddbd051c7832847dcd1df0ed2d37d2262f4c73d9880" -export OPERATOR_AWS_DIGEST := "sha256:166c232bb82f211e0405c7bd52e3a4c5ffc70c4b6b7c1444e2d92b5eefb52abd" -export OPERATOR_AZURE_DIGEST := "sha256:a78a74ff804d82189144505a40841426a40edd499dd2973aae163c6450d5df2c" -export OPERATOR_GENERIC_DIGEST := "sha256:42ca3f1a6a5ca1312119418c98d8e2b989c56e2a979da3b8c1a0d1961a78e40c" -export OPERATOR_DIGEST := "sha256:58d909aa2c788c58392e54c0877948b632598493e37a46a91cc324ec5d297618" +export CILIUM_DIGEST := "" +export CLUSTERMESH_APISERVER_DIGEST := "" +export DOCKER_PLUGIN_DIGEST := "" +export HUBBLE_RELAY_DIGEST := "" +export OPERATOR_ALIBABACLOUD_DIGEST := "" +export OPERATOR_AWS_DIGEST := "" +export OPERATOR_AZURE_DIGEST := "" +export OPERATOR_GENERIC_DIGEST := "" +export OPERATOR_DIGEST := "" diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml index 4091f2b4e602..b0915c61d7aa 100644 --- a/install/kubernetes/cilium/Chart.yaml +++ b/install/kubernetes/cilium/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: cilium displayName: Cilium home: https://cilium.io/ -version: 1.13.13 -appVersion: 1.13.13 +version: 1.13.14 +appVersion: 1.13.14 kubeVersion: ">= 1.16.0-0" icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.13/Documentation/images/logo-solo.svg description: eBPF-based Networking, Security, and Observability 
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md index 2ac4f2930407..75980b0472e1 100644 --- a/install/kubernetes/cilium/README.md +++ b/install/kubernetes/cilium/README.md @@ -1,6 +1,6 @@ # cilium -![Version: 1.13.13](https://img.shields.io/badge/Version-1.13.13-informational?style=flat-square) ![AppVersion: 1.13.13](https://img.shields.io/badge/AppVersion-1.13.13-informational?style=flat-square) +![Version: 1.13.14](https://img.shields.io/badge/Version-1.13.14-informational?style=flat-square) ![AppVersion: 1.13.14](https://img.shields.io/badge/AppVersion-1.13.14-informational?style=flat-square) Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as 
@@ -111,7 +111,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. | | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | -| clustermesh.apiserver.image | object | `{"digest":"sha256:9f7a4a3f696f43e170b28d16e0e98d3c9d53b6f6a634bcae4c049839f6fa001d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.13.13","useDigest":true}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.13.14","useDigest":false}` | Clustermesh API server image. | | clustermesh.apiserver.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods | | clustermesh.apiserver.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | 
@@ -292,7 +292,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. | | hubble.relay.extraVolumeMounts | list | `[]` | Additional hubble-relay volumeMounts. | | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | -| hubble.relay.image | object | `{"digest":"sha256:19348701926a6c4a2e502e8aa185ffa147368ee1e93d2f4c9e1d451b9f81b153","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.13.13","useDigest":true}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.13.14","useDigest":false}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -387,7 +387,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"sha256:861772857f72bf9cf7b1bab95b3a3c5dc5de1c18c26cfffd4f4dea095ce1a59c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.13.13","useDigest":true}` | Agent container image. | +| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.13.14","useDigest":false}` | Agent container image. | | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images | | ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. | | ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. | 
@@ -480,7 +480,7 @@ contributors across the globe, there is almost always someone available to help. | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"sha256:847301ce51b1e6c3f61adddbd051c7832847dcd1df0ed2d37d2262f4c73d9880","awsDigest":"sha256:166c232bb82f211e0405c7bd52e3a4c5ffc70c4b6b7c1444e2d92b5eefb52abd","azureDigest":"sha256:a78a74ff804d82189144505a40841426a40edd499dd2973aae163c6450d5df2c","genericDigest":"sha256:42ca3f1a6a5ca1312119418c98d8e2b989c56e2a979da3b8c1a0d1961a78e40c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.13.13","useDigest":true}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.13.14","useDigest":false}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -526,7 +526,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"sha256:861772857f72bf9cf7b1bab95b3a3c5dc5de1c18c26cfffd4f4dea095ce1a59c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.13.13","useDigest":true}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.13.14","useDigest":false}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml index 0111a4480086..4fabfae94814 100644 --- a/install/kubernetes/cilium/values.yaml +++ b/install/kubernetes/cilium/values.yaml @@ -125,11 +125,11 @@ rollOutCiliumPods: false image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.13.13" + tag: "v1.13.14" pullPolicy: "IfNotPresent" # cilium-digest - digest: "sha256:861772857f72bf9cf7b1bab95b3a3c5dc5de1c18c26cfffd4f4dea095ce1a59c" - useDigest: true + digest: "" + useDigest: false # -- Affinity for cilium-agent. affinity: 
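Review bot: With `digest: ""` and `useDigest: false` in the agent `image:` block, the chart default now resolves the image by the mutable tag `v1.13.14` instead of an immutable sha256 reference, so an install from this tree state depends on the registry tag never being re-pushed, and with `pullPolicy: "IfNotPresent"` a node that already has the tag cached will not pull again. The same change is made in the hubble-relay, operator, preflight and clustermesh-apiserver `image:` blocks in the later hunks of this file and in `install/kubernetes/Makefile.digests`. The CHANGELOG entry "install: Update image digests for v1.13.13" in this commit suggests the digests are restored by a follow-up commit once the release images exist; if so, I would state that next to the key, e.g. `# digest is filled in by the post-release "Update image digests" commit; do not publish the chart with useDigest: false`. A release check that refuses to package the chart while any `useDigest` is `false` would keep this intermediate state from reaching users.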
@@ -1041,10 +1041,10 @@ hubble: image: override: ~ repository: "quay.io/cilium/hubble-relay" - tag: "v1.13.13" + tag: "v1.13.14" # hubble-relay-digest - digest: "sha256:19348701926a6c4a2e502e8aa185ffa147368ee1e93d2f4c9e1d451b9f81b153" - useDigest: true + digest: "" + useDigest: false pullPolicy: "IfNotPresent" # -- Specifies the resources for the hubble-relay pods @@ -1898,16 +1898,16 @@ operator: image: override: ~ repository: "quay.io/cilium/operator" - tag: "v1.13.13" + tag: "v1.13.14" # operator-generic-digest - genericDigest: "sha256:42ca3f1a6a5ca1312119418c98d8e2b989c56e2a979da3b8c1a0d1961a78e40c" + genericDigest: "" # operator-azure-digest - azureDigest: "sha256:a78a74ff804d82189144505a40841426a40edd499dd2973aae163c6450d5df2c" + azureDigest: "" # operator-aws-digest - awsDigest: "sha256:166c232bb82f211e0405c7bd52e3a4c5ffc70c4b6b7c1444e2d92b5eefb52abd" + awsDigest: "" # operator-alibabacloud-digest - alibabacloudDigest: "sha256:847301ce51b1e6c3f61adddbd051c7832847dcd1df0ed2d37d2262f4c73d9880" - useDigest: true + alibabacloudDigest: "" + useDigest: false pullPolicy: "IfNotPresent" suffix: "" @@ -2161,10 +2161,10 @@ preflight: image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.13.13" + tag: "v1.13.14" # cilium-digest - digest: "sha256:861772857f72bf9cf7b1bab95b3a3c5dc5de1c18c26cfffd4f4dea095ce1a59c" - useDigest: true + digest: "" + useDigest: false pullPolicy: "IfNotPresent" # -- The priority class to use for the preflight pod. @@ -2308,10 +2308,10 @@ clustermesh: image: override: ~ repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.13.13" + tag: "v1.13.14" # clustermesh-apiserver-digest - digest: "sha256:9f7a4a3f696f43e170b28d16e0e98d3c9d53b6f6a634bcae4c049839f6fa001d" - useDigest: true + digest: "" + useDigest: false pullPolicy: "IfNotPresent" etcd: