Prepare for release v1.13.10

Co-authored-by: Andrew Sauber <2046750+asauber@users.noreply.github.com> Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
cilium · Dec 11, 2023 · b773bc2 · b773bc2
1 parent 286d113
commit b773bc2
Show file tree

Hide file tree

Showing 10 changed files with 109 additions and 43 deletions.
diff --git a/.github/maintainers-little-helper.yaml b/.github/maintainers-little-helper.yaml
@@ -1,4 +1,4 @@
-project: "https://github.com/cilium/cilium/projects/257"
+project: "https://github.com/cilium/cilium/projects/259"
 column: "In progress"
 auto-label:
   - "kind/backports"

diff --git a/AUTHORS b/AUTHORS
@@ -41,6 +41,7 @@ Andrew Sy Kim                           kim.andrewsy@gmail.com
 Andrey Devyatkin                        andrey.devyatkin@fivexl.io
 Andrey Klimentyev                       andrey.klimentyev@flant.com
 Andrey Voronkov                         voronkovaa@gmail.com
+Andrii Iuspin                           yuspin@gmail.com
 Andrzej Mamak                           nqaegg@gmail.com
 Aniruddha Amit Dutta                    duttaaniruddha31@gmail.com
 Anish Shah                              anishshah@google.com
@@ -554,6 +555,7 @@ Vadim Ponomarev                         velizarx@gmail.com
 Valas Valancius                         valas@google.com
 Vance Li                                vanceli@tencent.com
 Vigneshwaren Sunder                     vickymailed@gmail.com
+viktor-kurchenko                        viktor.kurchenko@isovalent.com
 Viktor Kuzmin                           kvaster@gmail.com
 Viktor Oreshkin                         imselfish@stek29.rocks
 Ville Ojamo                             bluikko@users.noreply.github.com

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,65 @@
 # Changelog
 
+## v1.13.10
+
+Summary of Changes
+------------------
+
+**Minor Changes:**
+* helm: Add missing SA automount configuration (Backport PR #29690, Upstream PR #29511, @ayuspin)
+* helm: Add SA to nodeinit ds (Backport PR #29690, Upstream PR #24836, @darox)
+* helm: Allow setting resources for the agent init containers (Backport PR #29690, Upstream PR #29610, @ayuspin)
+
+**Bugfixes:**
+* Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29309, @ti-mo)
+* ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (Backport PR #29640, Upstream PR #29098, @julianwiedmann)
+* datapath: Fix ENI egress routing table for cilium_host IP (Backport PR #29391, Upstream PR #29335, @gandro)
+* Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport PR #29640, Upstream PR #29566, @christarazi)
+* Handle non-AEAD IPsec keys in `cilium encrypt status`. (Backport PR #29640, Upstream PR #29182, @viktor-kurchenko)
+* Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR #29709, Upstream PR #29340, @aanm)
+* Support downgrade path for XDP attachments from Cilium 1.15 (#29105, @ti-mo)
+* When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR #29475, Upstream PR #29160, @julianwiedmann)
+
+**CI Changes:**
+* ci-ipsec-upgrade: Check for errors (Backport PR #29272, Upstream PR #29189, @brb)
+* ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR #29003, Upstream PR #29072, @brb)
+* CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR #29003, Upstream PR #28016, @jschwinger233)
+* Clean up tests-ipsec-upgrade workflow (Backport PR #29003, Upstream PR #27977, @michi-covalent)
+* gha: align ci-ipsec-e2e workflow name to main (#29687, @giorio94)
+* Test upgrade/downgrade to patch release for IPsec (Backport PR #29003, Upstream PR #28815, @qmonnet)
+* Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR #29475, Upstream PR #29409, @giorio94)
+* workflows: Add debug info to IPsec key rotation test (Backport PR #29475, Upstream PR #29353, @pchaigno)
+* travis: install buildkit in pre-install
+
+**Misc Changes:**
+* .github: use GitHub workflow from the same branch (#29256, @aanm)
+* chore(deps): update actions/checkout action to v4 (v1.13) (#29287, @renovate[bot])
+* chore(deps): update all github action dependencies (v1.13) (minor) (#29286, @renovate[bot])
+* chore(deps): update all github action dependencies (v1.13) (patch) (#29139, @renovate[bot])
+* chore(deps): update all lvh-images main (v1.13) (patch) (#29150, @renovate[bot])
+* chore(deps): update all lvh-images main (v1.13) (patch) (#29419, @renovate[bot])
+* chore(deps): update docker.io/library/golang docker tag to v1.20.12 (v1.13) (#29661, @renovate[bot])
+* chore(deps): update docker.io/library/golang:1.20.11 docker digest to 77e4e42 (v1.13) (#29285, @renovate[bot])
+* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2b7412e (v1.13) (#29138, @renovate[bot])
+* chore(deps): update hubble cli to v0.12.3 (v1.13) (patch) (#29747, @renovate[bot])
+* chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.13) (#29289, @renovate[bot])
+* ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29192, Upstream PR #29178, @brb)
+* Docs: Adds Webhook Limitation to EKS Install Doc (Backport PR #29640, Upstream PR #29497, @danehans)
+* examples: update guestbook example with new image registry (Backport PR #29640, Upstream PR #29603, @mhofstetter)
+* Fix bug preventing endpoint-related debug logs from being emitted (Backport PR #29700, Upstream PR #29495, @learnitall)
+* images: bump cni plugins to v1.4.0 (Backport PR #29723, Upstream PR #29622, @squeed)
+* ipsec: Small refactorings on key loading and state creation (Backport PR #29475, Upstream PR #29352, @pchaigno)
+* Update the logrus dependency to address a security issue. (#29672, @rolinh)
+
+**Other Changes:**
+* [1.13] Address selectorcache concurrent read/write (#29186, @tklauser)
+* [v1.13] Let renovatebot update Go toolchain version in a single PR (#29743, @tklauser)
+* envoy: Bump cilium-envoy with golang 1.21.5 (#29655, @sayboras)
+* envoy: Bump envoy container image with golang 1.21 and latest grpc package (#29384, @sayboras)
+* install: Update image digests for v1.13.9 (#29136, @nathanjsweet)
+* Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29206, @thorn3r)
+* v1.13: ariane: Run ci-ipsec-upgrade when testing backports (#29227, @brb)
+
 ## v1.13.9
 
 Summary of Changes

diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
diff --git a/Documentation/network/kubernetes/compatibility-table.rst b/Documentation/network/kubernetes/compatibility-table.rst
@@ -94,6 +94,8 @@
 +-----------------+----------------+
 | v1.12.15        | 1.25.7         |
 +-----------------+----------------+
+| v1.12.16        | 1.25.7         |
++-----------------+----------------+
 | v1.12           | 1.25.7         |
 +-----------------+----------------+
 | v1.13.0-rc0     | 1.26.0         |
@@ -126,7 +128,9 @@
 +-----------------+----------------+
 | v1.13.8         | 1.26.7         |
 +-----------------+----------------+
+| v1.13.9         | 1.26.7         |
++-----------------+----------------+
 | v1.13           | 1.26.7         |
 +-----------------+----------------+
-| latest / master | 1.26.10        |
+| latest / master | 1.26.7         |
 +-----------------+----------------+
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.13.9
+1.13.10
diff --git a/install/kubernetes/Makefile.digests b/install/kubernetes/Makefile.digests
@@ -2,12 +2,12 @@
 # Copyright 2023 Authors of Cilium
 # SPDX-License-Identifier: Apache-2.0
 
-export CILIUM_DIGEST := "sha256:859d4390df6f683479e83c8b8d69b0e52eb893d6a9ba36e8bbb4d6ec9be03c42"
-export CLUSTERMESH_APISERVER_DIGEST := "sha256:fc5f20f95a0684c364e606c4a13e4b0ab6869ce7abdaf5a1316c5cb9ecb25bf9"
-export DOCKER_PLUGIN_DIGEST := "sha256:01643fc108dfeef150f1d4ec2f92485f3ed0c3c0f7e6b7ee26f9e0aacea46999"
-export HUBBLE_RELAY_DIGEST := "sha256:c2ce5b36535acc70d3425fa51844560094030d0a00c8853d721a0a56a7bf5ed3"
-export OPERATOR_ALIBABACLOUD_DIGEST := "sha256:fce2b4d6c5b1c2dc221a221d051c88613892ca7e7c0c1f57222309fa87d507a7"
-export OPERATOR_AWS_DIGEST := "sha256:cb6ef13809a320c6580ca14b91d9a34195e8b76f0afaa13763e9ea0c03a9ce4d"
-export OPERATOR_AZURE_DIGEST := "sha256:df41fdfe072b525dcfce23faf4cf4612690672b09b5b008102af2609e8eb6981"
-export OPERATOR_GENERIC_DIGEST := "sha256:b4cce66722ec4962c19518a6b1117d1e93a283835b208adb082b60e9cb3cf398"
-export OPERATOR_DIGEST := "sha256:57c0abe456413b2861f3984c56af8bd19d362330071853d4b52cf2cf55d765c6"
+export CILIUM_DIGEST := ""
+export CLUSTERMESH_APISERVER_DIGEST := ""
+export DOCKER_PLUGIN_DIGEST := ""
+export HUBBLE_RELAY_DIGEST := ""
+export OPERATOR_ALIBABACLOUD_DIGEST := ""
+export OPERATOR_AWS_DIGEST := ""
+export OPERATOR_AZURE_DIGEST := ""
+export OPERATOR_GENERIC_DIGEST := ""
+export OPERATOR_DIGEST := ""
diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.13.9
-appVersion: 1.13.9
+version: 1.13.10
+appVersion: 1.13.10
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.13/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability

diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.13.9](https://img.shields.io/badge/Version-1.13.9-informational?style=flat-square) ![AppVersion: 1.13.9](https://img.shields.io/badge/AppVersion-1.13.9-informational?style=flat-square)
+![Version: 1.13.10](https://img.shields.io/badge/Version-1.13.10-informational?style=flat-square) ![AppVersion: 1.13.10](https://img.shields.io/badge/AppVersion-1.13.10-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -111,7 +111,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:fc5f20f95a0684c364e606c4a13e4b0ab6869ce7abdaf5a1316c5cb9ecb25bf9","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.13.9","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.13.10","useDigest":false}` | Clustermesh API server image. |
 | clustermesh.apiserver.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -292,7 +292,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. |
 | hubble.relay.extraVolumeMounts | list | `[]` | Additional hubble-relay volumeMounts. |
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
-| hubble.relay.image | object | `{"digest":"sha256:c2ce5b36535acc70d3425fa51844560094030d0a00c8853d721a0a56a7bf5ed3","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.13.9","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.13.10","useDigest":false}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -387,7 +387,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:859d4390df6f683479e83c8b8d69b0e52eb893d6a9ba36e8bbb4d6ec9be03c42","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.13.9","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.13.10","useDigest":false}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. |
 | ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. |
@@ -480,7 +480,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:fce2b4d6c5b1c2dc221a221d051c88613892ca7e7c0c1f57222309fa87d507a7","awsDigest":"sha256:cb6ef13809a320c6580ca14b91d9a34195e8b76f0afaa13763e9ea0c03a9ce4d","azureDigest":"sha256:df41fdfe072b525dcfce23faf4cf4612690672b09b5b008102af2609e8eb6981","genericDigest":"sha256:b4cce66722ec4962c19518a6b1117d1e93a283835b208adb082b60e9cb3cf398","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.13.9","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.13.10","useDigest":false}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -526,7 +526,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:859d4390df6f683479e83c8b8d69b0e52eb893d6a9ba36e8bbb4d6ec9be03c42","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.13.9","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.13.10","useDigest":false}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |