fix(deps): update all go dependencies main (patch)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/cilium/cilium	require	patch	v1.14.0-rc.0 -> v1.14.0-snapshot.5
google.golang.org/grpc	require	patch	v1.56.1 -> v1.56.2

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.14.0-snapshot.5

Compare Source

v1.14.0-snapshot.4: 1.14.0-snapshot.4

Compare Source

Summary of Changes

Major Changes:

• Add support for Kubernetes v1.27 (#​25602, @​nathanjsweet)
• Added L2 announcement feature (#​25471, @​dylandreimerink)
• cilium: IPv4 BIG TCP support (#​26172, @​borkmann)
• Implement BPF-based masquerading for IPv6 (#​23165, @​qmonnet)
• Introduce kvstoremesh, a clustermesh-apiserver companion component allowing to cache remote cluster information in the local kvstore for increased scalability and separation. (#​26083, @​giorio94)
• Module Health: Add Health Provider/Reporter (#​25662, @​tommyp1ckles)

Minor Changes:

• Add agent flag enable-ipsec-key-watcher to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (#​25893, @​pchaigno)
• Add helm value envoyConfig.enabled that can be used to enable CiliumEnvoyConfig CRD independently of Cilium Ingress controller. (#​26005, @​jrajahalme)
• Add option to remove query from HTTP flows (#​25746, @​ChrsMark)
• Add support for BGP graceful restart configuration via CiliumBGPPeeringPolicy CRD (#​25660, @​harsimran-pabla)
• Add support for eBGP-multihop configuration for CiliumBGPNeighbor in CiliumBGPPeeringPolicy CRD (#​25708, @​rastislavs)
• Add support for Hybrid mode when using DSR with Geneve dispatch. (#​25553, @​julianwiedmann)
• Add support for load-balancing encapsulated requests in a configuration with high-scale ipcache. (#​25854, @​julianwiedmann)
• Add support for load-balancing unencapsulated requests in a configuration with high-scale ipcache. (#​25745, @​julianwiedmann)
• Added Gratuitous ARP Pod Announcements (#​25482, @​markpash)
• Adds peerPort field to CiliumBGPPeeringPolicy for specifying the port of a BGP neighbor. If unspecified, port 179 is used. (#​25809, @​danehans)
• Allow devices from local route table to be used for datapath programs. (#​24608, @​oblazek)
• bgpv1: Consolidate CRD API to follow K8s API Conventions (#​26040, @​rastislavs)
• clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#​25905, @​giorio94)
• daemon: don't allow egress gateway with KV store identity allocation (#​26189, @​jibi)
• Deprecate CNP Node status updates. (#​24464, @​marseel)
• envoy: Bump envoy version to v1.25.7 (#​25882, @​mhofstetter)
• etcd: extend rate limiting to consider the number of inflight requests (#​25817, @​giorio94)
• Extend the Helm chart to allow configuring kvstoremesh. (#​26109, @​giorio94)
• hubble: Add GetNamespaces to observer API (#​25563, @​chancez)
• ingress: Default TLS certificate for ingress (#​26065, @​sathieu)
• ipam: Add ability to automatically create CiliumPodIPPool resources in multi-pool IPAM mode (#​25991, @​gandro)
• ipmasq: Add support for ip-masq-agent with IPv6 (#​23219, @​qmonnet)
• mutual-auth: Avoid confusion on mTLS wording (#​25761, @​sayboras)
• mutual-auth: Support spire k8s service dns resolution (#​26031, @​sayboras)
• operator: Fix default API server addr in metrics subcommand (#​26132, @​pippolo84)
• Report the kernel error code in case of packet drops due to failures to create NAT map entries. (#​25883, @​julianwiedmann)
• Set BGP IdleHoldTimeAfterReset to 5 seconds, session reset can happen on BGP peer configuration change. (#​26001, @​harsimran-pabla)
• spire: Add identity GC capability (#​25867, @​sayboras)
• Support defining IPAM pools using CiliumPodIPPool CRD (#​25824, @​tklauser)
• Support externalTrafficPolicy=local for BGP CPlane service VIP advertisement (#​25477, @​YutaroHayakawa)
• Support Gateway API v0.7.0 (#​25711, @​meyskens)
• The deprecated pod-short context option in Hubble metrics is now removed (#​26125, @​lambdanis)

Bugfixes:

• bpf: fix error handling for invoke_tailcall_if() (#​26118, @​julianwiedmann)
• bpf: lxc: fix one missing drop notification in CT lookup tail calls (#​26115, @​julianwiedmann)
• bpf: nodeport: don't reset aggregate ID when revDNAT is called by bpf_lxc (#​25929, @​julianwiedmann)
• Envoy resource namespacing (#​26037, @​jrajahalme)
• Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (#​25735, @​pchaigno)
• Fix bug with toServices policy where service backend churn left stale CIDR identities (#​25687, @​christarazi)
• Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (#​26093, @​pchaigno)
• Fix for Identities that can be deleted before CESs are reconciled (#​25001, @​dlapcevic)
• Fix issue where Cilium ServiceAPI would ignore backend changes to services with backends that were used in several services and updated at least once (#​24474, @​strudelPi)
• Fix leak of IPsec XFRM FWD policies in IPAM modes cluster-pool, kubernetes, and crd when nodes are deleted.
  Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (#​25953, @​pchaigno)
• Fix missed deletion events when reconnecting to/disconnecting from remote clusters (identities) (#​25677, @​giorio94)
• Fix missed deletion events when reconnecting to/disconnecting from remote clusters (ipcache entries) (#​25675, @​giorio94)
• Fix panic due to nil-map assignment in l2announcer (#​26315, @​dylandreimerink)
• Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (#​25936, @​joamaki)
• Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (#​25969, @​jrajahalme)
• Fixes an issue where SRv6 encapsulated packets are forwarded to the wrong layer 2 next hop. (#​26136, @​ldelossa)

CI Changes:

• .github/workflows: add JUnit tag on workflows that have JUnits (#​25930, @​aanm)
• .github/workflows: let renovate update kind (#​26312, @​tklauser)
• .github: add cilium sysdump to test artifacts (#​26143, @​aanm)
• .github: add missing job to check for code changes (#​25926, @​aanm)
• .github: Fail if print-chart-version.sh fails or does not exist (#​26086, @​chancez)
• .github: simplify conformance-runtime workflow (#​25955, @​aanm)
• Add checker to verify if comments from ginkgo GH workflows are in sync (#​25971, @​aanm)
• Add schema validation for configuration-matrix files (#​26081, @​aanm)
• bgp,test: Properly wait for FRR container to be ready (#​25777, @​YutaroHayakawa)
• bgpv1: Avoid ports from common ip_local_port_range in unit tests (#​26174, @​rastislavs)
• bgpv1: Extend the timeout for the Test_NeighborAddDel test (#​25970, @​rastislavs)
• bpf unit tests: Run tests on changes to pks/bpf/** (#​25911, @​qmonnet)
• bpf: test: fix pktgen for IPv6 NEXTHDR_DEST option (#​26151, @​julianwiedmann)
• bpf: tests: test EgressGW reply path with native routing (#​25932, @​julianwiedmann)
• CI: Add JUnit reports upload (#​25801, @​brlbil)
• ci: github actions job to run kubernetes upstream conformance tests (#​25913, @​aojea)
• CI: Stabilize ConformanceKindEnvoyDaemonSet (#​26260, @​mhofstetter)
• CI: Verifier tests: Keep generated object files and logs on test failure (#​25862, @​qmonnet)
• CI: wait for cilium to become ready in conformance-{aks,gke} before port forward relay (#​25839, @​learnitall)
• conformance-k8s-kind: Use Helm mode cilium-cli (#​25916, @​michi-covalent)
• conformance-runtime: Bump timeout to wait for images (#​25947, @​michi-covalent)
• datapath/linux/ethtool: deflake TestIsVirtualDriver (#​26027, @​tklauser)
• docs: add documentation for Ginkgo-based GHA (#​26055, @​aanm)
• Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based ones (stable branches) (#​26188, @​giorio94)
• egressgw: switch to Cilium CLI connectivity tests (#​25719, @​jibi)
• gha: Increase Ingress status wait time (#​26219, @​sayboras)
• gha: Move to helm mode for aws-cni, eks, gke (#​25820, @​sayboras)
• gha: use Cilium CLI Helm mode for conformance-clustermesh (#​25834, @​giorio94)
• Improved reliability of pkg/hive/job timer double trigger unit test (#​26022, @​dylandreimerink)
• Run all ginkgo tests on GitHub actions (#​25713, @​aanm)
• test/nat46x64: silence curl output (#​26024, @​tklauser)
• test: Cleanup ginkgo test artifacts (#​25833, @​pchaigno)

Misc Changes:

• .github: add dedicated job to wait for images (#​26184, @​aanm)
• .github: Push Helm charts for hotfixes (#​25836, @​joestringer)
• .github: rebuild ginkgo tests in case of cache miss (#​26263, @​aanm)
• .github: refactor job matrix generation into YAML files (#​26019, @​aanm)
• Add detailed panic messages for slim ObjectMeta and ListMeta (#​25107, @​hemanthmalla)
• Add kvstoremesh Dockerfile and build images through the CI (#​26106, @​giorio94)
• Add microsoft as user to cilium (#​25838, @​tamilmani1989)
• Add Zero Hash to Cilium users (#​25987, @​eugenestarchenko)
• Added gARP capability to L2 announcer feature (#​25933, @​dylandreimerink)
• Added metrics for pkg/k8s/resource (#​26269, @​dylandreimerink)
• Adding Eficode to USERS.md (#​25931, @​punasusi)
• Agent: add support for watching kvstoremesh prefixes (#​26154, @​giorio94)
• Auth Map: Initial Garbage Collection (#​25754, @​mhofstetter)
• auth: add missing config values to helm values (#​25973, @​mhofstetter)
• auth: add missing stream package import (#​26018, @​giorio94)
• auth: feature flag for authentication (#​26208, @​mhofstetter)
• auth: fix initial k8s events sync in auth map gc (#​26059, @​mhofstetter)
• auth: implement re-authentication in case of rotated certificates (#​25927, @​mhofstetter)
• auth: policy based auth map GC (#​26068, @​mhofstetter)
• auth: streamline logging (#​25965, @​mhofstetter)
• auth: temporarily disable node-based auth gc (#​26073, @​mhofstetter)
• AWS CNI v1.12 Cilium install fixed. (#​26084, @​viktor-kurchenko)
• BGP CP: Updates docs for PeerPort (#​25876, @​danehans)
• bgpv1: Documentation update to reflect current architecture (#​25954, @​harsimran-pabla)
• bgpv1: graceful restart component test (#​25914, @​harsimran-pabla)
• bgpv1: Reset BGP session in UpdateNeighbor if necessary (#​25827, @​rastislavs)
• bpf: clean up some revalidate_data() users (#​25337, @​julianwiedmann)
• bpf: encap: send TO_OVERLAY trace before adding encapsulation (#​25828, @​julianwiedmann)
• bpf: fib: delay smac selection until fib_do_redirect() has picked the oif (#​26290, @​julianwiedmann)
• bpf: lb: minor cleanups (#​26216, @​julianwiedmann)
• bpf: minor HostFW cleanups (#​25881, @​julianwiedmann)
• bpf: misc CT cleanups (#​26104, @​julianwiedmann)
• bpf: nat: reduce CT lookup scope (#​25917, @​julianwiedmann)
• bpf: nat: remove unused ct_delete*() helpers (#​26076, @​julianwiedmann)
• bpf: nodeport: reduce CT lookup scope (#​25826, @​julianwiedmann)
• bpf: nodeport: wire up trace struct for IPv6 RevDNAT (#​26047, @​julianwiedmann)
• bpf: remove MapInfo, DumpParser and MapKey/Value DeepCopy (#​25792, @​ti-mo)
• bpf: Use "fallthrough;", compile with -Wimplicit-fallthrough (#​26211, @​qmonnet)
• bpf: xdp: fix coccicheck warning about DROP_MISSED_TAIL_CALL (#​25924, @​julianwiedmann)
• bpf: xdp: use CT tuple hash for tunnel encap's source port (#​26177, @​julianwiedmann)
• bugtool: dump auth map related information (#​26066, @​mhofstetter)
• build(deps): bump requests from 2.28.2 to 2.31.0 in /Documentation (#​25603, @​dependabot[bot])
• build: Avoid cross compilation issue on Windows (#​25904, @​sayboras)
• Change enableEndpointCRD helm option type from string to boolean
  Fix operator panic that occurs when Endpoint CRD is disabled and CiliumEndpointSlice is enabled (#​25798, @​doniacld)
• chore(deps): update all github action dependencies (main) (minor) (#​25850, @​renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (#​25846, @​renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (#​26054, @​renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.14.7 (main) (#​25847, @​renovate[bot])
• chore(deps): update dependency cilium/hubble to v0.11.6 (main) (#​26041, @​renovate[bot])
• chore(deps): update dependency go to v1.20.5 (main) (#​26051, @​renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.18.2 (main) (#​26261, @​renovate[bot])
• chore(deps): update docker.io/library/golang:1.20.4 docker digest to 690e413 (main) (#​25277, @​renovate[bot])
• chore(deps): update docker.io/library/golang:1.20.5 docker digest to 6b3fa4b (main) (#​26050, @​renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2a357c4 (main) (#​26284, @​renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ac58ff7 (main) (#​25295, @​renovate[bot])
• chore(deps): update go to v1.20.5 (main) (patch) (#​25957, @​renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v1.53.2 (main) (#​25841, @​renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v1.53.3 (main) (#​26258, @​renovate[bot])
• chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (main) (#​25996, @​renovate[bot])
• cilium/cmd: Deprecate cilium endpoint regenerate command (#​25949, @​christarazi)
• cilium: Improve IPv6 BIG TCP probing (#​26303, @​borkmann)
• cli: add "cilium bpf config list" (#​26105, @​mhofstetter)
• clustermesh-apiserver: add missing metrics and documentation (#​26070, @​giorio94)
• clustermesh-apiserver: don't wait for the presence of unused CRDs (#​26220, @​giorio94)
• clustermesh-apiserver: rework identities, endpoints and nodes synchronization to improve performance (#​25049, @​giorio94)
• clustermesh: ensure that the status of the remote clusters controller is correcty reported (#​26271, @​giorio94)
• clustermesh: Introduce ClusterID reservation mechanism (#​26124, @​marseel)
• clustermesh: split the generic logic from the specific part (#​25921, @​giorio94)
• clustermesh: unbreak test (#​26294, @​giorio94)
• conformance-runtime: remove optimizations and update little-vm-helper (#​25825, @​aanm)
• Controller clean up (#​25579, @​jrajahalme)
• Convert daemon ipcache usages to new ipcache async API (#​25749, @​christarazi)
• converted node manager dynamic metrics into modular metrics (#​25887, @​dylandreimerink)
• CRD List Generation (#​25910, @​dhawton)
• ctmap: right-shift kernel jiffies by BPF_MONO_SCALER (#​26197, @​ti-mo)
• daemon, maps/ipcache: Replace usage of net.IP* for ingress IPs (#​26045, @​christarazi)
• daemon: Perform early (partial) local node info initialization (#​24866, @​joamaki)
• dnsproxy: stop using the regex lru in the dns proxy to avoid keeping large unused regex in memory when no longer needed (#​22584, @​odinuge)
• docker: Detect default "desktop-linux" builder (#​25908, @​jrajahalme)
• docs: Add APAC timezone meeting to README (#​24902, @​lizrice)
• docs: Add externalTrafficPolicy=Local description to BGP CPlane doc (#​25960, @​YutaroHayakawa)
• docs: add upgrade note about deletion of stale entries in clustermesh (#​26067, @​giorio94)
• docs: cleanup SPIRE & Envoy values in helm reference (#​26039, @​mhofstetter)
• docs: Deprecate cluster-pool-v2beta (#​25767, @​gandro)
• docs: remove clustermesh-apiserver gops port from system requirements (#​26230, @​giorio94)
• docs: Slack updates (#​25723, @​lizrice)
• Docs: Update BGP docs to reflect CRD consolidation (#​26196, @​rastislavs)
• docs: Update development setup with preferred kind-based approach (#​25535, @​christarazi)
• docs: Update governance voting templates (#​25802, @​joestringer)
• Document how to migrate from Ingress to Gateway API (#​25599, @​nvibert)
• Documentation: add CONFIG_SCHEDSTATS to required kconfigs (#​26035, @​ti-mo)
• Documentation: Document BGP timers & neighbor update behavior (#​25906, @​rastislavs)
• Documentation: include bgp cli commands in bgp-cp documentation (#​25691, @​harsimran-pabla)
• Dump maps and events for all lb4/6 v3 backends (#​26108, @​ti-mo)
• endpoint: fix policy map sync warning due to policymap authtype diffs (#​26218, @​mhofstetter)
• Fix and improve Conformance Ginkgo UX (#​25950, @​aanm)
• Fix CI image build cache (#​26020, @​aanm)
• Fix neighbor test flakes (#​26156, @​borkmann)
• fix(deps): pin dependencies (main) (#​25539, @​renovate[bot])
• fix(deps): pin dependencies (main) (#​25849, @​renovate[bot])
• fix(deps): update all go dependencies main (main) (minor) (#​26286, @​renovate[bot])
• fix(deps): update all go dependencies main (main) (patch) (#​25542, @​renovate[bot])
• fix(deps): update module github.com/docker/docker to v24 (main) (#​26316, @​renovate[bot])
• gateway-api: now function GatewayAPI also supports TLSRoute (#​26060, @​spacewander)
• gha: fix conformance-ginkgo base branch retrieval (#​26085, @​giorio94)
• helm: add extraArgs to clustermesh-apiserver (#​25693, @​rcanderson23)
• helm: Add flag to disable CRD check for mass server-side apply (#​25956, @​jcpunk)
• helm: address review comments regarding helm value docs (#​26296, @​tklauser)
• helm: Correct the flag names in validate.yaml (#​26167, @​sayboras)
• Improve Makefile to ease debugging (#​26159, @​pippolo84)
• Ingnore updating client-go fork in renovate dependencies (#​26305, @​marseel)
• install: Fail helm if kube-proxy-replacement is not valid (#​25907, @​jrajahalme)
• IPAM multipool followups (#​26138, @​tklauser)
• ipam/allocator: remove unused allocator types (#​25963, @​tklauser)
• ipcache: fix not waiting for k8s caches to sync (#​25975, @​squeed)
• ipsec: Fix cleanup of XFRM states and policies (#​26072, @​pchaigno)
• jenkinsfiles: remove ginkgo-based Jenkinsfiles (#​26171, @​aanm)
• k8s / policy: allow all services for toServices when using highscale ipcache (#​26127, @​squeed)
• k8s: fix ciliumpodippools CRD controller-gen version (#​25976, @​mhofstetter)
• k8s: Update comment about rule preprocessing (#​25864, @​odinuge)
• k8s: Use Resource[*Pod] in pod watcher for the local pod watching (#​26181, @​joamaki)
• kvstore: limit keys attached to single lease, and react to expiration (#​25966, @​giorio94)
• MAINTAINERS: Add Nick Young (#​25874, @​joestringer)
• Makefile: Fix kind deployment in quiet mode (#​25873, @​joestringer)
• Makefile: remove -test.v from GOTEST_BASE (#​25703, @​ti-mo)
• Makefile: use CLI options to set local images for kind-install-cilium-clustermesh (#​25810, @​thorn3r)
• metrics: Metrics initial modularization (#​25651, @​dylandreimerink)
• metrics: provide the global services metric through the hive (#​26157, @​giorio94)
• node_ids: introduce GetNodeID (#​26155, @​mhofstetter)
• pkg/datapath: skip TestArpPingHandling due flakiness (#​25840, @​aanm)
• pkg/ipam: Update histogram buckets for trigger metrics (#​25600, @​hemanthmalla)
• policy: Add GetAuthTypes() (#​26116, @​jrajahalme)
• Prepare for release v1.14.0-snapshot.3 (#​25830, @​aanm)
• proxy: introduce initial proxy cell (#​25779, @​mhofstetter)
• README: Update for latest snapshot prerelease (#​25845, @​joestringer)
• Remove custom iproute2 fork (#​26221, @​ti-mo)
• Remove ip assignments for cilium_host from init.sh (#​25771, @​rgo3)
• Remove references to GOPATH in documentation (#​25942, @​JamesLaverack)
• renovate: exclude github.com/{cilium,vishvananda}/netlink (#​26311, @​tklauser)
• Replace client-go with private fork. (#​26250, @​marseel)
• Replaces K8s NewDeltaFIFO with NewDeltaFIFOWithOptions (#​25606, @​danehans)
• resource: Add Resource[Endpoints] and adapt existing watchers (#​23977, @​joamaki)
• resource: Fix flaky test due to missing Done call (#​25646, @​joamaki)
• resource: implement stream.Observable (#​25934, @​mhofstetter)
• statedb: Fix WriteJSON with multiple tables (#​24970, @​joamaki)
• stream: Improve function documentation (#​25922, @​joamaki)
• test/k8s: make kafka tests more reliable (#​26121, @​aanm)
• testutils: remove gocheck (#​25684, @​lmb)
• Update network attacker sections of the threat model (#​25640, @​ferozsalam)
• Update stable releases (#​26272, @​qmonnet)
• Update USERS.md for SIGHUP (#​25982, @​julianwiedmann)
• Updates informer pkg to use TransformFunc() (#​25604, @​danehans)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.0-snapshot.4@​sha256:dd75919c7b81d06289ffa1dcc0e238f77294a45c57212a87634f277f28835e7d
quay.io/cilium/cilium:v1.14.0-snapshot.4@​sha256:dd75919c7b81d06289ffa1dcc0e238f77294a45c57212a87634f277f28835e7d

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.4@​sha256:2b844061901af8bd3da5bb99d893694c915e2ceee05e661131e2d684fb0de68c
quay.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.4@​sha256:2b844061901af8bd3da5bb99d893694c915e2ceee05e661131e2d684fb0de68c

docker-plugin

docker.io/cilium/docker-plugin:v1.14.0-snapshot.4@​sha256:0282b913a1fecd2088d64296e492a1a786a3f839551bf00679ae469a4558b620
quay.io/cilium/docker-plugin:v1.14.0-snapshot.4@​sha256:0282b913a1fecd2088d64296e492a1a786a3f839551bf00679ae469a4558b620

hubble-relay

docker.io/cilium/hubble-relay:v1.14.0-snapshot.4@​sha256:5a04cc8b09a00a254466b09f8ff77b9e4e56954aa5ac13f43c8a7c05a5725cd1
quay.io/cilium/hubble-relay:v1.14.0-snapshot.4@​sha256:5a04cc8b09a00a254466b09f8ff77b9e4e56954aa5ac13f43c8a7c05a5725cd1

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.0-snapshot.4@​sha256:a6c5a3f0f420fde69d4e60fdda82bd78c244fb2c12d09a6041a636840a02cc17
quay.io/cilium/kvstoremesh:v1.14.0-snapshot.4@​sha256:a6c5a3f0f420fde69d4e60fdda82bd78c244fb2c12d09a6041a636840a02cc17

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.0-snapshot.4@​sha256:86e40be4fac515ec3aae3f54bad8b7112ed0001a860c86092342dfd49fb5b97f
quay.io/cilium/operator-alibabacloud:v1.14.0-snapshot.4@​sha256:86e40be4fac515ec3aae3f54bad8b7112ed0001a860c86092342dfd49fb5b97f

operator-aws

docker.io/cilium/operator-aws:v1.14.0-snapshot.4@​sha256:449e30b7bf5492adfc605c50a1a0f5fc822af20ec6787fa93070a22fd5524731
quay.io/cilium/operator-aws:v1.14.0-snapshot.4@​sha256:449e30b7bf5492adfc605c50a1a0f5fc822af20ec6787fa93070a22fd5524731

operator-azure

docker.io/cilium/operator-azure:v1.14.0-snapshot.4@​sha256:72055583294266a78a2262d17fba2129f568946ba61708ee89e2bf74f7da693b
quay.io/cilium/operator-azure:v1.14.0-snapshot.4@​sha256:72055583294266a78a2262d17fba2129f568946ba61708ee89e2bf74f7da693b

operator-generic

docker.io/cilium/operator-generic:v1.14.0-snapshot.4@​sha256:1bfe879fff900180000265743afde223c809e3189c8dd704b1c10fb0ccedba6f
quay.io/cilium/operator-generic:v1.14.0-snapshot.4@​sha256:1bfe879fff900180000265743afde223c809e3189c8dd704b1c10fb0ccedba6f

operator

docker.io/cilium/operator:v1.14.0-snapshot.4@​sha256:2d47129ebb7bfca3b65e628c0eaaf02d1708ae4aedd29d70ea0f9dc282a7ebda
quay.io/cilium/operator:v1.14.0-snapshot.4@​sha256:2d47129ebb7bfca3b65e628c0eaaf02d1708ae4aedd29d70ea0f9dc282a7ebda

v1.14.0-snapshot.3: 1.14.0-snapshot.3

Compare Source

Summary of Changes

Major Changes:

• Add TLSRoute support to GatewayAPI (#​25106, @​meyskens)
• New high-scale ipcache mode to support clustermeshes with millions of pods. (#​25148, @​pchaigno)
• Support for deploying Cilium L7 Proxy (Envoy) independently as a separate DaemonSet for availability, performance, and security benefits. (#​25081, @​mhofstetter)

Minor Changes:

• add native tunnel encapsulation support for the XDP Loadbalancer (#​24422, @​julianwiedmann)
• Add Prometheus metrics support to clustermesh-apiserver (#​25316, @​giorio94)
• Add support for allocating PodCIDRs from multiple IPAM pools (#​22762, @​gandro)
• Add support for paginated lists in etcd, and propagate config options (#​25469, @​giorio94)
• Add support for setting BGP timer parameters in CiliumBGPNeighbor CRD (#​25408, @​rastislavs)
• Allow to disable external workloads support in clustermesh-apiserver to improve performance when not needed. (#​25259, @​giorio94)
• Cilium now supports chaining with arbitrary CNI plugins. To use, set the Helm value cni.chainingTarget. (#​24956, @​squeed)
• clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#​25388, @​giorio94)
• clustermesh-apiserver: rework services synchronization to improve performance (#​25260, @​giorio94)
• cmd/cleanup: add socketlb program cleanup (#​25136, @​rgo3)
• DNS Proxy binds to loopback interfaces only (#​25309, @​mhofstetter)
• dns proxy: Only reuse DNS proxy port when it's free (#​25466, @​anfernee)
• envoy: Add idle timeout configuration option (#​25214, @​sayboras)
• Fix CIDR json tag in CNP CIDRRule (#​25617, @​pippolo84)
• Fixed incorrectly rendered chart when specified both configMap and customConf (#​25200, @​marseel)
• helm: Bump default spire image version (#​25444, @​sayboras)
• helm: deprecate clustermesh CA configuration in favor of the global CA configuration (#​25010, @​giorio94)
• helm: Improve spire template (#​25589, @​sayboras)
• High-Scale IPcache: Chapter 3 (#​25438, @​pchaigno)
• identity/cache: fix panic when re-init of cache after close. (#​25269, @​tommyp1ckles)
• multi-pool: Determine IP pool based on ipam.cilium.io/ip-pool annotation (#​25511, @​gandro)
• operator/ipam/metrics: Add new, more accurate, per-node available/used/needed metrics to deprecated existing ipam_ips metric. (#​24776, @​tommyp1ckles)
• Replace wait-for-it in SPIRE setup with a busybox script (#​24959, @​meyskens)
• Significantly reduce Hubble flow traffic by transmitting only requested information (#​23198, @​AwesomePatrol)
• Support enable-endpoint-routes with enable-high-scale-ipcache. (#​25601, @​pchaigno)
• Support GENEVE encapsulation with high-scale ipcache. (#​25591, @​pchaigno)
• Update CNI (loopback) to 1.3.0 (#​25400, @​anfernee)
• Updating documentation helm values now works also on arm64. (#​25422, @​jrajahalme)
• Use BGP Control Plane annotations from Node Resource for creation of CiliumNode Resource (#​24914, @​margau)

Bugfixes:

• Add drop notifications for various error paths in the datapath. (#​25183, @​julianwiedmann)
• Added validation to ensure that enabling Ingress or Gateway API support while l7proxy is disabled will fail, as this is an incompatible configuration. (#​25215, @​youngnick)
• Avoid dropping short packets (that don't have their L3 header in linear data) in the to-netdev and from-host paths. (#​25159, @​julianwiedmann)
• bpf,datapath: read jiffies from /proc/schedstat (#​25795, @​ti-mo)
• bpf/nat: fix current behavior that is silently ignoring errors in a revSNAT context (#​19753, @​sahid)
• bpf: lb: deal with stale rev_nat_index after svc lookup in fallback path (#​24757, @​julianwiedmann)
• Compare annotations before discarding CiliumNode updates. (#​25465, @​LynneD)
• datapath: Fix double SNAT (#​25189, @​brb)
• DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (#​25147, @​jrajahalme)
• Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (#​25784, @​pchaigno)
• Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (#​25724, @​pchaigno)
• Fix a possible deadlock when using WireGuard transparent encryption. (#​25419, @​bimmlerd)
• Fix a regression in which link-local addresses were not treated with the "host" identity in some circumstances. (#​25298, @​asauber)
• Fix broken IPv6 access to native node devices due to wrong source IPv6 of NA response. (#​25329, @​jschwinger233)
• Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (#​25744, @​joamaki)
• Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (#​25087, @​joamaki)
• Fix incorrect hubble flow data when HTTP requests contain an x-forwarded-for header by adding an explicit use_remote_address: true config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of x-forwarded-for header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding x-forwarded-for headers is retained via an explicit skip_xff_append: true config setting, except for Cilium Ingress where the source IP address is now appended to x-forwarded-for header. (#​25674, @​jrajahalme)
• Fix missed deletion events when reconnecting to/disconnecting from remote clusters (nodes and services) (#​25499, @​giorio94)
• Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. ([#​25426](https://togithub.com/cilium/cil

---

Configuration

📅 Schedule: Branch creation - "on friday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[rolinh]

For those of you wondering, snapshot is semantically higher than rc. We'll switch to using pre in the Cilium v1.15 release cycles. To avoid problems, RCs are dual tagged with snapshot. In this specific instance, -snapshot.5 is the same as -rc.0.

[tklauser]

Thank you for the explanation ❤️ TIL