1.14.7
We are pleased to release Cilium v1.14.7. This release contains various bug fixes and performance / usability improvements, including a fix for a performance regression in pod-to-pod traffic with WireGuard and tunneling (#30329).
Summary of Changes
Minor Changes:
- api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #30554, Upstream PR #30167, @viktor-kurchenko)
- Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport PR #30355, Upstream PR #30126, @youngnick)
- helm: Add extraVolumeMounts to cilium config init container (Backport PR #30355, Upstream PR #30131, @ayuspin)
- ui: release v0.13.0 (Backport PR #30724, Upstream PR #30711, @geakstr)
Bugfixes:
- envoy: Change socket option from 'STATE_LISTENING' to 'STATE_PREBIND' (Backport PR #30680, Upstream PR #30543, @chaunceyjiang)
- Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #30323, Upstream PR #30248, @ti-mo)
- Fix cilium-envoy ServiceMonitor port name (Backport PR #30554, Upstream PR #27207, @pixiono)
- Fix error when using multiple allowRoutes namespaces in gateway (#30551, @mhofstetter)
- Fix error when using multiple allowRoutes namespaces in gateway (Backport PR #30554, Upstream PR #30100, @chaunceyjiang)
- Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (Backport PR #30355, Upstream PR #29460, @tommyp1ckles)
- Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #30554, Upstream PR #30399, @tlcowling)
- Fix performance regression for pod-to-pod traffic WireGuard and tunneling. (Backport PR #30554, Upstream PR #30329, @3u13r)
- Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (Backport PR #30554, Upstream PR #30282, @giorio94)
- hive: Fix start hook log output (Backport PR #30724, Upstream PR #30712, @joamaki)
- Init well-known identity before new policy repository to fix the FQDN policy issue when well-known identity is enabled. (Backport PR #30554, Upstream PR #30052, @yingnanzhang666)
- L2 announcements retry getting lease after losing it (Backport PR #30355, Upstream PR #30340, @dylandreimerink)
- node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (Backport PR #30534, Upstream PR #30423, @gandro)
- Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #30680, Upstream PR #30536, @hemanthmalla)
CI Changes:
- ci datapath-verifier: add connectivity test (Backport PR #30371, Upstream PR #29633, @mhofstetter)
- ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #30554, Upstream PR #30503, @qmonnet)
- ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR #30680, Upstream PR #30525, @tklauser)
- ci: Bump timeout of ci-runtime (Backport PR #30554, Upstream PR #29317, @YutaroHayakawa)
- ci: bypass proxy.golang.org in Go toolchain installation (Backport PR #30371, Upstream PR #29549, @tklauser)
- CI: Change cloud regions (Backport PR #30680, Upstream PR #30378, @brlbil)
- ci: disable cgo when installing Go toolchain (Backport PR #30371, Upstream PR #27869, @tklauser)
- ci: run verifier tests with proper Go toolchain version (Backport PR #30371, Upstream PR #27857, @tklauser)
- Extend the clustermesh workflows to additionally cover the external kvstore case (Backport PR #30355, Upstream PR #29983, @giorio94)
- gh: ci-verifier: use lvh-images/complexity-test as renovate dependency (Backport PR #30680, Upstream PR #30520, @julianwiedmann)
- gha: additionally cover BPF masquerade in clustermesh E2E tests (Backport PR #30680, Upstream PR #30321, @giorio94)
- gha: explicitly specify beefier runner type for clustermesh workflows (Backport PR #30355, Upstream PR #30335, @giorio94)
- gha: make runner type for clustermesh workflows configurable (Backport PR #30680, Upstream PR #30496, @giorio94)
- Improve Conformance Cluster Mesh workflow coverage (Backport PR #30355, Upstream PR #29926, @giorio94)
- Network performance (Backport PR #30554, Upstream PR #30247, @marseel)
- Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #30355, Upstream PR #30207, @giorio94)
- Update GitHub upload-artifact action (Backport PR #30554, Upstream PR #30443, @brlbil)
Misc Changes:
- Added Last page Edit on Documentation (Backport PR #30680, Upstream PR #30612, @gailsuccess)
- bpf: fib: fix issues with L2 resolution (Backport PR #30372, Upstream PR #30128, @julianwiedmann)
- bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #30554, Upstream PR #30410, @julianwiedmann)
- bpf: overlay: restore bpf_clear_meta() in from-overlay (Backport PR #30355, Upstream PR #30343, @julianwiedmann)
- build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR #30554, Upstream PR #30219, @dependabot[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.15.20 (v1.14) (#30144, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.15.21 (v1.14) (#30571, @renovate[bot])
- chore(deps): update dependency go to v1.21.6 (v1.14) (#30174, @renovate[bot])
- chore(deps): update dependency go to v1.21.6 (v1.14) (#30640, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.18.6 (v1.14) (#30641, @renovate[bot])
- chore(deps): update go to v1.21.6 (v1.14) (minor) (#30145, @renovate[bot])
- chore(deps): update hubble cli to v0.13.0 (v1.14) (minor) (#30274, @renovate[bot])
- chore(deps): update stable lvh-images (v1.14) (patch) (#30492, @renovate[bot])
- chore(deps): update stable lvh-images (v1.14) (patch) (#30575, @renovate[bot])
- doc: Add Azure CNI Powered by cilium as external installer (Backport PR #30355, Upstream PR #28286, @tamilmani1989)
- docs: Add Egress Gateway Policy warning on 'egressIP' and 'interface' being mutually exclusive in the 'egressGateway' spec. (Backport PR #30554, Upstream PR #30236, @soggiest)
- docs: warn users that IPsec and KPR are mutually exclusive (Backport PR #30554, Upstream PR #30403, @f1ko)
- hive: Fix hive hook output and move lifecycle to cell package (Backport PR #30554, Upstream PR #30416, @joamaki)
- hubble-ui: release v0.12.3 (Backport PR #30554, Upstream PR #30422, @geakstr)
- ipcache: Skip conflict logging for tunnelpeer if native routing (Backport PR #30355, Upstream PR #27331, @christarazi)
- loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR #30323, Upstream PR #30214, @ti-mo)
- Rename egress_policies.h to srv6.h and add SRv6 related trace reasons. (Backport PR #30680, Upstream PR #30154, @ldelossa)
- Rerun go mod tidy to fix missing entry (#30358, @giorio94)
Other Changes:
- [v1.14] ci/ipsec: Fix downgrade version for release preparation commits (#30716, @qmonnet)
- [v1.14] ci/ipsec: Re-enable node-to-node-encryption check (#30401, @qmonnet)
- envoy: Bump envoy version for x/net library (#30515, @sayboras)
- envoy: Bump envoy version to v1.26.7 (#30693, @sayboras)
- install: Update image digests for v1.14.6 (#30318, @gentoo-root)
- remove stable tags from 1.14 releases (#30557, @aanm)