chore(deps): update helm release cilium to v1.14.3
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| cilium (source) | patch |
1.14.2 -> 1.14.3
|
⚠ WarningSome dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
cilium/cilium (cilium)
v1.14.3: 1.14.3
We are pleased to release Cilium v1.14.3. This is bug fix release addressing the recent HTTP/2 Stream Cancellation Attack (CVE-2023-44487) and other bugs:
- Envoy GHSA-jhv4-f7mr-xx76
- Go GHSA-qppj-fm5r-hxr3
Summary of Changes
Minor Changes:
- bump grpc dependency to 1.56.3 to fix security vulnerability https://github.com/advisories/GHSA-qppj-fm5r-hxr3 (#28527, @aanm)
- Cut Cilium's initialization time for clusters with a large number of Kubernetes and Cilium Network Policies by 90% (Backport MR #28282, Upstream MR #28173, @aanm)
- endpoint: Only perform the full policy map synchronization periodically (every 15 minutes) to reduce overhead with large endpoint policy maps (Backport MR #28095, Upstream MR #27693, @joamaki)
- ipam: report IP owner of non-default pool IPs in multi-pool IPAM (Backport MR #28095, Upstream MR #27968, @tklauser)
- metrics: add a metric for max observed endpoint ifindex (Backport MR #28282, Upstream MR #27953, @asauber)
- metrics: Add map pressure metric for auth map (Backport MR #28442, Upstream MR #28357, @sayboras)
- vendor, azure: Bump Azure SDK to Aug 2021 (Backport MR #28330, Upstream MR #28311, @christarazi)
Bugfixes:
- bpf: lxc: support Pod->Service->Pod hairpinning with endpoint routes (Backport MR #28123, Upstream MR #27798, @ti-mo)
- bpf: overlay: fix missing DBG_DECAP for Inter-Cluster-SNAT (Backport MR #28494, Upstream MR #28466, @julianwiedmann)
- Change routing-mode and tunnel-protocol based on .Values.tunnel and .Values.routingMode (Backport MR #28282, Upstream MR #27841, @macmiranda)
- datapath: fix NodePort to remote hostns backend with tunnel config (Backport MR #28494, Upstream MR #27323, @michaelasp)
- envoy: Sync supported resources to fix not found issue (Backport MR #28349, Upstream MR #28272, @sayboras)
- Fix a bug that causes pod-to-pod traffic between nodes to be dropped when IPsec is enabled and kube-proxy installed rules in both iptables-nft and iptables-legacy. (Backport MR #28442, Upstream MR #28258, @pchaigno)
- fix bug: pull skb data in cil_from_netdev path for HIGH_SCALE_IPCACHE mode (Backport MR #28095, Upstream MR #27913, @sofat1989)
- Fix Gateway API HttpRoute cannot strip path prefix. (Backport MR #28282, Upstream MR #28018, @chaunceyjiang)
- Fix hubble metric labeling when only directed Source/Destination Ingress/Egress options are specified. (Backport MR #28095, Upstream MR #27792, @marqc)
- Fix minor bug where the previous Cilium proxy port was not reused (Backport MR #28127, Upstream MR #27634, @christarazi)
- Fix the trace notification for hairpinned reply traffic, to indicate the correct security identity for the client. (Backport MR #28282, Upstream MR #28133, @julianwiedmann)
- Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (Backport MR #28435, Upstream MR #28417, @ti-mo)
- Fix: Gateway API double slash while stripping path prefix (Backport MR #28442, Upstream MR #28294, @nxy7)
- Fixes a bug causing panic when counting IPsec keys number via "cilium encrypt status". (Backport MR #28282, Upstream MR #27996, @jschwinger233)
- fqdn proxy: fix data race by using separate sessionUDPFactories (Backport MR #28282, Upstream MR #28163, @mhofstetter)
- ipam/multipool: Fix bug where allocator was unable to update CiliumNode (Backport MR #28095, Upstream MR #27963, @gandro)
- ipcache: fix flapping labels in SelectorCache when reserved:host identity has multiple IPs (Backport MR #28418, Upstream MR #28332, @squeed)
- Must have port for Service reference (Backport MR #28282, Upstream MR #27959, @chaunceyjiang)
- pkg/k8s: use a deep copy of CNP in UpdateStatus to avoid race condition (Backport MR #28494, Upstream MR #28364, @aanm)
- pkg/node: Updates GetIPv6AllocCIDRs() to Properly Return Secondary CIDRs (Backport MR #28095, Upstream MR #27855, @danehans)
- resource: Fix race condition in handling of Kubernetes object delete event retrying. In the very rare case when an object was created, deleted and re-created with the same name and the handling of the first deletion failed, the handling of delete event may have been retried even though the object was re-created. Only affected features using the Resource-library (LB IPAM, Mutual Auth and ClusterMesh). (Backport MR #28494, Upstream MR #27340, @joamaki)
- Restore host-stack bypass for pod-to-pod traffic in a configuration with kube-proxy, tunnel routing and per-endpoint routes. (Backport MR #28095, Upstream MR #27908, @julianwiedmann)
CI Changes:
- [v1.14] ci: Add a call to the update label backport action (#27876, @pippolo84)
- [v1.14] GHA: Add clustermesh upgrade and downgrade tests (#28355, @giorio94)
- ci-ipsec-upgrade: Enable IPv6 (Backport MR #28095, Upstream MR #27220, @brb)
- CI: Add conn-disrupt-test action for reuse (Backport MR #28282, Upstream MR #27567, @jschwinger233)
- CI: Add IPsec key rotation test (Backport MR #28105, Upstream MR #27203, @jschwinger233)
- CI: Move IPsec CI jobs into separate pipelines (Backport MR #28105, Upstream MR #26730, @jschwinger233)
- ci: Run BPF lints on workflow definition changes (Backport MR #28282, Upstream MR #28122, @qmonnet)
- ci: update k8s versions support for v1.14 (#28248, @nbusseneau)
- Do not hardcode the AWS VPC CNI plugin version in the conformance-aws-cni GHA workflow (Backport MR #28442, Upstream MR #28392, @giorio94)
- ginkgo: Remove K8sDatapathCustomCalls (Backport MR #28095, Upstream MR #27911, @brb)
- Refactor CiliumExecContext() Retry Logic (Backport MR #28282, Upstream MR #28131, @carnerito)
- workflows/ipsec: Add missing
--flush-ctfor key rotation (Backport MR #28105, Upstream MR #27883, @pchaigno)
Misc Changes:
- [Docs] Clarify ClusterMesh troubleshooting steps when KVStoreMesh is enabled (Backport MR #28282, Upstream MR #27691, @weizhoublue)
- Add option conntrackGCMaxInterval to allow limiting the maximum connection tracking GC interval. By default the automatic interval calculation may increase the interval up to 12 hours, which may incur an unreasonable delay to releasing of CIDR identities created from ToFQDN policies. Setting this option will limit the interval and ensure such identities are marked unused earlier and removed. (Backport MR #28282, Upstream MR #27870, @joamaki)
- bugtool: various updates to BPF map dump (Backport MR #28282, Upstream MR #28065, @julianwiedmann)
- bump k8s dependencies to 1.27.6 (#28560, @aanm)
- chore(deps): update actions/checkout action to v4 (v1.14) (#27944, @renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (minor) (#27776, @renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (patch) (#28078, @renovate[bot])
- chore(deps): update all github action dependencies (v1.14) (patch) (#28209, @renovate[bot])
- chore(deps): update all github action dependencies to v3 (v1.14) (major) (#28101, @renovate[bot])
- chore(deps): update all lvh-images main (v1.14) (patch) (#27942, @renovate[bot])
- chore(deps): update all lvh-images main (v1.14) (patch) (#28210, @renovate[bot])
- chore(deps): update aws-actions/configure-aws-credentials action to v4 (v1.14) (#28102, @renovate[bot])
- chore(deps): update cilium/cilium digest to
6c12a0f(v1.14) (#28075, @renovate[bot]) - chore(deps): update cilium/cilium digest to
8b7844d(v1.14) (#28196, @renovate[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.15.8 (v1.14) (#28211, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.12.1 (v1.14) (#28521, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.12.2 (v1.14) (#28566, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.10 docker digest to
098d628(v1.14) (#28623, @renovate[bot]) - chore(deps): update docker.io/library/golang:1.20.8 docker digest to
6e1a67e(v1.14) (#28197, @renovate[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to
2b7412e(v1.14) (#28630, @renovate[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to
990350f(v1.14) (#28579, @renovate[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to
9b8dec3(v1.14) (#28384, @renovate[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to
aabed32(v1.14) (#28076, @renovate[bot]) - chore(deps): update docker/build-push-action action to v5 (v1.14) (#28093, @renovate[bot])
- chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to
92d40ee(v1.14) (#27941, @renovate[bot]) - chore(deps): update go to v1.20.10 (v1.14) (patch) (#28515, @renovate[bot])
- chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.14) (#28082, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (v1.14) (#28538, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (v1.14) (#28569, @renovate[bot])
- chore(deps): update sigstore/cosign-installer action to v3.1.2 (v1.14) (#27943, @renovate[bot])
- ci: fix AWS EKS K8s versions comment (Backport MR #28282, Upstream MR #28249, @nbusseneau)
- docs: Add instructions for running LVH against custom kernel (Backport MR #28349, Upstream MR #28305, @brb)
- docs: Add Makefile and documentation for "fast" development targets (Backport MR #28095, Upstream MR #27931, @aanm)
- docs: Add more details for the Cluster Mesh key rotation (Backport MR #28282, Upstream MR #28145, @margamanterola)
- docs: egressgw: document incompatibility with Clustermesh (Backport MR #28095, Upstream MR #27918, @julianwiedmann)
- docs: Makefile, check-build.sh clean-ups and perf improvements (Backport MR #28282, Upstream MR #28161, @qmonnet)
- docs: Mention
RouteTableInterfacesOffsetin system requirements (Backport MR #28442, Upstream MR #28358, @gandro) - docs: rephrasing the hubble intro doc (Backport MR #28095, Upstream MR #27712, @vipul-21)
- docs: Update Sphinx and its dependencies, Cilium theme (Backport MR #28282, Upstream MR #28172, @qmonnet)
- endpoint: Fix use of PolicyMapFullReconciliationInterval option (Backport MR #28095, Upstream MR #27985, @joamaki)
- Fix bug when reusing the same cell in multiple hives (Backport MR #28282, Upstream MR #27873, @giorio94)
- Fix potential nil pointer dereference in SelectorManager implementation (Backport MR #28095, Upstream MR #27805, @learnitall)
- fix(deps): update module golang.org/x/net to v0.17.0 [security] (#28550, @aanm)
- fqdn proxy: fix data race detection on TCP fqdn proxy (Backport MR #28282, Upstream MR #28219, @mhofstetter)
- Helm: Improved description for tunnel, tunnelProtocol, routingMode flags (Backport MR #28349, Upstream MR #27926, @PhilipSchmid)
- hubble: Use protobuf GetType() helper in v1.FlowProtocol() to avoid possible panic (Backport MR #28095, Upstream MR #27889, @chancez)
- install/kubernetes: add the
cilium/values.yamltarget to.PHONY(Backport MR #28282, Upstream MR #28225, @nbusseneau) - ipsec: Atomically upgrade XFRM states with new output-mark (Backport MR #28563, Upstream MR #28485, @pchaigno)
- Make tolerations configurable in clustermesh-apiserver certgen job (Backport MR #28282, Upstream MR #28221, @giorio94)
- Makefile: fix 'fast' make targets (Backport MR #28442, Upstream MR #28380, @aanm)
- policy: Move getNets to selector cache (Backport MR #28670, Upstream MR #27670, @jrajahalme)
- Update docs theme (Backport MR #28442, Upstream MR #28403, @raphink)
- Update Hubble UI from v0.12.0 to v0.12.1 (#28535, @rolinh)
Other Changes:
- envoy: Bump envoy version to v1.25.10 (#28506, @sayboras)
- Fix possible cross-cluster connection drops on agents restart when clustermesh is enabled (#27611, @giorio94)
- v1.14: avoid relying on golang.org/exp/slices.SortFunc (#28473, @rolinh)
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.