feat(helm): update chart cilium to 1.14.1

[renovate]

This PR contains the following updates:

Package	Update	Change
cilium (source)	minor	1.13.4 -> 1.14.1

---

Release Notes

cilium/cilium (cilium)

v1.14.1: 1.14.1

Compare Source

We are pleased to release Cilium v1.14.1. This release comes with fixes for IPsec, performance and resilience improvements and many CI and doc changes.

Remaining issues on the IPSec stack may cause interrupted connections during key rotations. Users may upgrade to this release only if this is considered acceptable.

Summary of Changes

Minor Changes:

• gateway-api: Upgrade to v0.7.1 (Backport PR #​27238, Upstream PR #​27157, @​sayboras)
• Prevent Cilium from running with Delegated IPAM at the same time as Ingress (Backport PR #​27238, Upstream PR #​26744, @​rickysumho)

Bugfixes:

• Fix a bug that affected the health-check feature in Stand-alone L4LB mode. For certain configurations (eg if both IPv4 and IPv6 support is enabled) health-check traffic would not get IPIP-encapsulated. (Backport PR #​27190, Upstream PR #​27015, @​julianwiedmann)
• Fix a bug that affected the RevDNAT translation of IPv6 packets with extension headers. (Backport PR #​27345, Upstream PR #​27312, @​julianwiedmann)
• Fix a bug that could cause packet drops of type XfrmOutPolBlock when IPsec is enabled and node are recycled.
• Fix a bug that could cause IPsec-encrypted packets to be sent to the wrong destination node when node churn is high. (Backport PR #​27238, Upstream PR #​27029, @​pchaigno)
• Fix agent panic in case malformed objects are retrieved from the kvstore, and improve validation (Backport PR #​27345, Upstream PR #​27237, @​giorio94)
• Fix bug limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #​27345, Upstream PR #​27168, @​learnitall)
• Fix bug where startup CIDR restore logic would mishandle reference counting, leading to persistent packet loss to those CIDRs (Backport PR #​27419, Upstream PR #​27327, @​joestringer)
• Fix generation of the clustermesh config through Helm when kvstoremesh is enabled, and the TLS key/cert pair is manually specified for a given remote cluster (Backport PR #​27238, Upstream PR #​27177, @​giorio94)
• operator: Adjust CiliumEndpoint gc to account for kvstore mode (Backport PR #​27190, Upstream PR #​25324, @​learnitall)
• Resolve a deadlock on startup when local redirect policies are used. (Backport PR #​27238, Upstream PR #​27115, @​bimmlerd)

CI Changes:

• .github: rebuild ginkgo tests in case of cache miss (Backport PR #​27190, Upstream PR #​27158, @​sayboras)
• Add renovate tags for automatic updates of kernel version in v1.14 (#​27386, @​aanm)
• ci: fix and standardize checkouts in privileged workflows (Backport PR #​27238, Upstream PR #​27193, @​nbusseneau)
• ci: increase connectivity test timeout in GHA external workload (Backport PR #​27345, Upstream PR #​26975, @​mhofstetter)

Misc Changes:

• Add note for changing IPAM settings (Backport PR #​27238, Upstream PR #​27090, @​darox)
• chore(deps): update cilium/little-vm-helper action to v0.0.12 (v1.14) (#​27270, @​renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.15.5 (v1.14) (#​27271, @​renovate[bot])
• chore(deps): update go to v1.20.6 (v1.14) (patch) (#​26783, @​renovate[bot])
• chore(deps): update go to v1.20.7 (v1.14) (patch) (#​27284, @​renovate[bot])
• docs/ipsec: Extend troubleshooting for long key rotations (Backport PR #​27190, Upstream PR #​26809, @​pchaigno)
• docs: Document DROP_NO_NODE_ID for IPsec (Backport PR #​27345, Upstream PR #​27184, @​pchaigno)
• docs: Have Makefile print generated image tags when running with V=0 (Backport PR #​27345, Upstream PR #​27250, @​qmonnet)
• docs: kpr: remove caveat about XDP + tunnel performance (Backport PR #​27190, Upstream PR #​27091, @​julianwiedmann)
• docs: Replace non-portable "sed -i" in Makefile (Backport PR #​27238, Upstream PR #​27122, @​qmonnet)
• docs: Simplify clustermesh example (Backport PR #​27238, Upstream PR #​27172, @​joestringer)
• docs: update roadmap after 1.14 release (Backport PR #​27238, Upstream PR #​27089, @​lizrice)
• Documentation: fix the broken links/dead links (Backport PR #​27190, Upstream PR #​26880, @​vipul-21)
• fix: use proper helm param name for specifying pod cidr (Backport PR #​27238, Upstream PR #​27141, @​yandzee)
• mutual-auth: Add note for PVC requirement (Backport PR #​27345, Upstream PR #​27311, @​sayboras)
• remove systemd-based distributions issue from docs (Backport PR #​27345, Upstream PR #​27208, @​WeirdMachine)
• Update Service Mesh docs (Backport PR #​27345, Upstream PR #​27231, @​youngnick)

Other Changes:

• backport v1.14: IPsec upgrade tests (#​27175, @​brb)
• install: Update image digests for v1.14.0 (#​27111, @​aanm)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.1@​sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
quay.io/cilium/cilium:v1.14.1@​sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
docker.io/cilium/cilium:stable@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
quay.io/cilium/cilium:stable@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.1@​sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
quay.io/cilium/clustermesh-apiserver:v1.14.1@​sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
docker.io/cilium/clustermesh-apiserver:stable@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
quay.io/cilium/clustermesh-apiserver:stable@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c

docker-plugin

docker.io/cilium/docker-plugin:v1.14.1@​sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad
quay.io/cilium/docker-plugin:v1.14.1@​sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad
docker.io/cilium/docker-plugin:stable@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad
quay.io/cilium/docker-plugin:stable@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad

hubble-relay

docker.io/cilium/hubble-relay:v1.14.1@​sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
quay.io/cilium/hubble-relay:v1.14.1@​sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
docker.io/cilium/hubble-relay:stable@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
quay.io/cilium/hubble-relay:stable@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.1@​sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
quay.io/cilium/kvstoremesh:v1.14.1@​sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
docker.io/cilium/kvstoremesh:stable@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
quay.io/cilium/kvstoremesh:stable@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.1@​sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
quay.io/cilium/operator-alibabacloud:v1.14.1@​sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
docker.io/cilium/operator-alibabacloud:stable@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
quay.io/cilium/operator-alibabacloud:stable@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b

operator-aws

docker.io/cilium/operator-aws:v1.14.1@​sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
quay.io/cilium/operator-aws:v1.14.1@​sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
docker.io/cilium/operator-aws:stable@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
quay.io/cilium/operator-aws:stable@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a

operator-azure

docker.io/cilium/operator-azure:v1.14.1@​sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
quay.io/cilium/operator-azure:v1.14.1@​sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
docker.io/cilium/operator-azure:stable@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
quay.io/cilium/operator-azure:stable@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7

operator-generic

docker.io/cilium/operator-generic:v1.14.1@​sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
quay.io/cilium/operator-generic:v1.14.1@​sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
docker.io/cilium/operator-generic:stable@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
quay.io/cilium/operator-generic:stable@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7

operator

docker.io/cilium/operator:v1.14.1@​sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
quay.io/cilium/operator:v1.14.1@​sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
docker.io/cilium/operator:stable@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
quay.io/cilium/operator:stable@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5

v1.14.0: 1.14.0

Compare Source

Changelog

The Cilium core team are excited to announce the Cilium 1.14 release. 🎉

⚠️ Warning - IPsec ⚠️

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Major Changes:

• Add mtls-spiffe as auth mode in the CiliumNetworkPolicy (#​24263, @​meyskens)
• Add support for Kubernetes v1.27 (#​24837, @​tklauser)
• Add support for Kubernetes v1.27 (#​25602, @​nathanjsweet)
• Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs (#​24638, @​pippolo84)
• Add TLSRoute support to GatewayAPI (#​25106, @​meyskens)
• Add WireGuard host2host and LB encryption (#​19401, @​brb)
• Added L2 announcement feature (#​25471, @​dylandreimerink)
• cilium: fib lookup consolidation (#​23884, @​borkmann)
• cilium: IPv4 BIG TCP support (#​26172, @​borkmann)
• Implement BPF-based masquerading for IPv6 (#​23165, @​qmonnet)
• Introduce kvstoremesh, a clustermesh-apiserver companion component allowing to cache remote cluster information in the local kvstore for increased scalability and separation. (#​26083, @​giorio94)
• Module Health: Add Health Provider/Reporter (#​25662, @​tommyp1ckles)
• New high-scale ipcache mode to support clustermeshes with millions of pods. (#​25148, @​pchaigno)
• Support DSR with Geneve dispatch in CNI mode (#​23890, @​ysksuzuki)
• Support for deploying Cilium L7 Proxy (Envoy) independently as a separate DaemonSet for availability, performance, and security benefits. (#​25081, @​mhofstetter)
• The Cilium operator now taints nodes where Cilium is scheduled to run but is not running.
  This prevents pods from being scheduled on nodes without Cilium.
  The CNI configuration file is no longer removed on agent shutdown.
  This means that pod deletion will always succeed; previously it would fail if Cilium was down for an upgrade.
  This should help prevent nodes accidentally entering an unmanageable state.
  It also means that nodes are not removed from cloud LoadBalancer backends during Cilium upgrades. (#​23486, @​squeed)

Minor Changes:

• 1. Add a new set of flags for CES work queue limit and burst rates, CESWriteQPSLimit to andCESWriteQPSBurst`.
     The processed work queue items always trigger a single CES create, update or write request to the kube-apiserver.
     The work queue rate limiting effectively limits the rate of writes to the kube-apiserver for CES api objects.
  2. Set the default CESWriteQPSLimit to 10 and CESWriteQPSBurst to 20.
  3. Set the maximums for qps 50 and burst 100. These values cannot be exceeded regardless of any configuration.
  4. Unhide CESMaxCEPsInCES and CESSlicingMode flags from appearing in logs when CES is enabled. (#​24675, @​dlapcevic)
• [SNAT] add "need to frag" ICMP support (#​18414, @​sahid)
• Add --hubble-monitor-events flag, to control the event types that get to the hubble subsystem. (#​24828, @​epk)
• Add a mechanism for the SPIRE server to signal rotated certificates for re-authenticating connections (#​24300, @​meyskens)
• Add a SPIRE delegate API client to receive SPIFFE certificates for mTLS (#​23968, @​meyskens)
• Add flag to administratively enable APIs on bootstrap (#​25009, @​joestringer)
• Add flag to configure the size of the egress gateway policy map (#​23019, @​cyclinder)
• Add hubble_lost_events_total metric for the number of events lost by Hubble. (#​22865, @​lambdanis)
• add native tunnel encapsulation support for the XDP Loadbalancer (#​24422, @​julianwiedmann)
• Add network policy auth method "always-fail" (#​24609, @​meyskens)
• Add new logging format option, 'json-ts', for JSON formatted logs with timestamps (#​24307, @​learnitall)
• Add option to remove query from HTTP flows (#​25746, @​ChrsMark)
• Add pod-asymmetric context labeling that either uses pod or pod-short based on traffic direction. (#​22731, @​marqc)
• Add Prometheus metrics support to clustermesh-apiserver (#​25316, @​giorio94)
• Add support for allocating PodCIDRs from multiple IPAM pools (#​22762, @​gandro)
• Add support for BGP graceful restart configuration via CiliumBGPPeeringPolicy CRD (#​25660, @​harsimran-pabla)
• Add support for eBGP-multihop configuration for CiliumBGPNeighbor in CiliumBGPPeeringPolicy CRD (#​25708, @​rastislavs)
• Add support for Hybrid mode when using DSR with Geneve dispatch. (#​25553, @​julianwiedmann)
• Add support for load-balancing encapsulated requests in a configuration with high-scale ipcache. (#​25854, @​julianwiedmann)
• Add support for load-balancing unencapsulated requests in a configuration with high-scale ipcache. (#​25745, @​julianwiedmann)
• Add support for paginated lists in etcd, and propagate config options (#​25469, @​giorio94)
• Add support for setting BGP timer parameters in CiliumBGPNeighbor CRD (#​25408, @​rastislavs)
• Add support for the ingressclass.kubernetes.io/is-default-class annotation on Cilium's IngressClass (#​23719, @​meyskens)
• Add tls-server-enforce-mtls flag to hubble-relay to enforce mTLS connection with clients. (Backport PR #​26636, Upstream PR #​25582, @​marqc)
• Added Gratuitous ARP Pod Announcements (#​25482, @​markpash)
• Adds peerPort field to CiliumBGPPeeringPolicy for specifying the port of a BGP neighbor. If unspecified, port 179 is used. (#​25809, @​danehans)
• agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead (#​26036, @​brb)
• alibabacloud: Support selecting subnet by IDs (#​23131, @​jaffcheng)
• Align selection of IP addresses used for masquerading and NodePort SNAT with Linux kernel behavior, by preferring addresses assigned to the interface earlier and filtering out secondary addresses. (#​22866, @​akhilles)
• Allow Cilium Operator to restart any unmanaged pods via --pod-restart-selector, rather than just kube-dns pods (#​22911, @​lvyanru8200)
• Allow devices from local route table to be used for datapath programs. (#​24608, @​oblazek)
• Allow to use a Secret for the caBundle (#​25728, @​farcaller)
• auth: Add spire identity registration for CiliumIdentity (#​24471, @​sayboras)
• bgpv1: Consolidate CRD API to follow K8s API Conventions (#​26040, @​rastislavs)
• BGPv1: Set N-bit in graceful restart capability negotiation. (#​26325, @​harsimran-pabla)
• BPF NodePort is now enabled by default if CiliumEnvoyConfig is configured. (Backport PR #​26636, Upstream PR #​25901, @​jrajahalme)
• bpf, ipcache: unconditionally assume support for LPM trie maps (#​24258, @​tklauser)
• Change cilium_host IPv6 address, use node router IPv6 instead of native node IPv6, and fixed several relative IPv6 issues. (#​24208, @​jschwinger233)
• Change default helm value of authentication.mutual.spire.install.enabled to true (Backport PR #​27038, Upstream PR #​26864, @​meyskens)
• Cilium by default overwrites changes to its CNI configuration file. With this change, setting cni.exclusive to false disables this behavior. This is useful when additional plugins wish to chain after Cilium, such as Istio. (Backport PR #​27038, Upstream PR #​26773, @​squeed)
• Cilium L7 Proxy: Envoy config dump contains Cilium network policies (#​25028, @​mhofstetter)
• Cilium now supports chaining with arbitrary CNI plugins. To use, set the Helm value cni.chainingTarget. (#​24956, @​squeed)
• Cilium now waits longer before returning a failure in the event of a pod creation burst. (#​25805, @​squeed)
• cilium/cmd: Remove deprecated policy_trace command (#​23550, @​sayboras)
• clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#​25388, @​giorio94)
• clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#​25905, @​giorio94)
• clustermesh-apiserver: rework services synchronization to improve performance (#​25260, @​giorio94)
• clustermesh: enable per-cluster RBAC in etcd server (#​24284, @​giorio94)
• cmd/cleanup: add socketlb program cleanup (#​25136, @​rgo3)
• cmd/service: unify service list/get output (#​24136, @​oblazek)
• cmd: Add NodeEncryption status to the cilium status command (#​24399, @​romanspb80)
• daemon: remove deprecated force-local-policy-eval-at-source option (#​24727, @​tklauser)
• Deprecate --tunnel in favor of --routing-mode and --tunnel-protocol. (#​24561, @​pchaigno)
• Deprecate CNP Node status updates. (#​24464, @​marseel)
• Disable by default CNP Node Status GC in cilium-operator. (#​24390, @​marseel)
• DNS Proxy binds to loopback interfaces only (#​25309, @​mhofstetter)
• dns proxy: Only reuse DNS proxy port when it's free (#​25466, @​anfernee)
• dns: Set --tofqdns-min-ttl to zero by default (#​21439, @​michi-covalent)
• egressgw: add support for excludedCIDRs (#​23448, @​jibi)
• Enable configuration of the source IP verification per endpoint (#​23985, @​pchaigno)
• Enable endpoint routes + veth fast redirect support (#​22006, @​aspsk)
• Enable update-ec2-adapter-limit-via-api by default (#​24564, @​christarazi)
• Enabled cilium_bpf_map_pressure metric by default (#​24721, @​vishal-chdhry)
• endpoint: omit pre-1.11 compatibility restoration symlink (#​24730, @​tklauser)
• envoy: Add idle timeout configuration option (#​25214, @​sayboras)
• envoy: Bump envoy to 1.24.2 (#​23940, @​sayboras)
• envoy: Bump envoy to 1.24.3 (#​24148, @​sayboras)
• envoy: Bump envoy to v1.25.4 (#​24649, @​sayboras)
• envoy: Bump envoy to v1.25.8 (Backport PR #​26887, Upstream PR #​26815, @​sayboras)
• envoy: Bump envoy version to v1.25.5 (#​24893, @​sayboras)
• envoy: Bump envoy version to v1.25.6 (#​25165, @​mhofstetter)
• envoy: Bump envoy version to v1.25.7 (#​25882, @​mhofstetter)
• envoy: Use embedded proxylib from cilium-proxy image (#​26101, @​sayboras)
• etcd: extend rate limiting to consider the number of inflight requests (#​25817, @​giorio94)
• Expand agent metric Policy Import Errors to count all policy changes (#​23349, @​dlapcevic)
• Expose Cilium agent go runtime scheduler latency prometheus metric go_sched_latencies_seconds (#​24745, @​derailed)
• Extend clustermesh status reporting with remote configuration and synchronization information (Backport PR #​27069, Upstream PR #​26788, @​giorio94)
• Extend the Helm chart to allow configuring kvstoremesh. (#​26109, @​giorio94)
• feat: optional bpf mount (#​24161, @​frezbo)
• Fix broken IPv6 connectivity from outside to NodePort service when L7 ingress policy applied by removing PROXY_RT route table. (#​24882, @​jschwinger233)
• Fix CIDR json tag in CNP CIDRRule (#​25617, @​pippolo84)
• Fix docker-cilium-image target for DOCKER_FLAGS=--push (#​23679, @​pippolo84)
• Fix endpoint slices filtering to ensure we filter out headless services and continue to support older k8s versions where service labels are not propagated to endpoint slices (Backport PR #​26799, Upstream PR #​25351, @​odinuge)
• Fixed incorrectly rendered chart when specified both configMap and customConf (#​25200, @​marseel)
• gateway-api: Bump version to v0.6.0 (#​22680, @​sayboras)
• helm: Add CPU panel to Hubble L7 HTTP Workload dashboard (#​24934, @​chancez)
• helm: Add SA to nodeinit ds (#​24836, @​darox)
• helm: Allow node port allocation for Ingress LB service (Backport PR #​26799, Upstream PR #​26502, @​sayboras)
• helm: Bump default spire image version (#​25444, @​sayboras)
• Helm: Clean up deprecated values (#​24214, @​qmonnet)
• helm: deprecate clustermesh CA configuration in favor of the global CA configuration (#​25010, @​giorio94)
• helm: Improve spire template (#​25589, @​sayboras)
• helm: simplify TLS configuration of clustermesh peers (#​24222, @​giorio94)
• helm: use Helm hooks instead of Job unique name (#​23102, @​sathieu)
• High-Scale IPcache: Chapter 3 (#​25438, @​pchaigno)
• hubble-relay: deprecate peer svc through local unix domain socket (#​23407, @​kaworu)
• hubble: Add GetNamespaces to observer API (#​25563, @​chancez)
• hubble: traffic direction filter (#​24120, @​kaworu)
• identity/cache: fix panic when re-init of cache after close. (#​25269, @​tommyp1ckles)
• Improve cilium monitor output for dropped packets: display source file names instead of numerical ids (#​24143, @​aspsk)
• Increase the default CiliumEndpointSlice sync time from 0 to 500ms (#​23615, @​dlapcevic)
• ingress: Default TLS certificate for ingress (#​26065, @​sathieu)
• install/kubernetes: make image digests for all components optional & configurable (#​22732, @​rastislavs)
• Integration of sample dashboards with Helm chart (#​23794, @​jcpunk)
• Introduce the support for specifying a CA bundle in the helm chart (#​24862, @​giorio94)
• ipam/crd: Add new flag for configuring CiliumNode update rate (#​23017, @​jaffcheng)
• ipam: Add ability to automatically create CiliumPodIPPool resources in multi-pool IPAM mode (#​25991, @​gandro)
• ipmasq: Add support for ip-masq-agent with IPv6 (#​23219, @​qmonnet)
• ipsec, option: Make the IPsec key rotation delay configurable (#​24811, @​pchaigno)
• Make Envoy sockets for tproxy and the xDS API and bind to localhost only (#​24011, @​meyskens)
• metrics: Add k8s client rate limiter latency metric (#​25555, @​ysksuzuki)
• metrics: support toggle bootstrap times metric via daemon config (#​22643, @​ArthurChiao)
• Modify operator metric CES errors sync to count all CES sync events (#​23335, @​dlapcevic)
• mtls: SPIRE server and agent installation (#​24765, @​sayboras)
• multi-pool: Determine IP pool based on ipam.cilium.io/ip-pool annotation (#​25511, @​gandro)
• mutual-auth: Avoid confusion on mTLS wording (#​25761, @​sayboras)
• mutual-auth: Support spire k8s service dns resolution (#​26031, @​sayboras)
• operator/ipam/metrics: Add new, more accurate, per-node available/used/needed metrics to deprecated existing ipam_ips metric. (#​24776, @​tommyp1ckles)
• operator: Fix default API server addr in metrics subcommand (#​26132, @​pippolo84)
• operator: proper rolling update (#​23589, @​mhofstetter)
• option,helm: Add a flag to opt out from support for Kubernetes NetworkPolicy in Cilium (#​23127, @​ChengyuanLiCY)
• policy: Derivative policies (policies for cloud provider-specific identities) for egress deny rules were not being generated, this has now been fixed. (#​23927, @​rockc2020)
• Prepare Cilium API for IPAM pools (#​24248, @​tklauser)
• Remove sockops-enable and friends (#​23606, @​mohit-marathe)
• Rename the sec_label field in remote_endpoint_info structure to sec_identity (#​25057, @​ldelossa)
• Replace wait-for-it in SPIRE setup with a busybox script (#​24959, @​meyskens)
• Report the kernel error code in case of packet drops due to failures to create conntrack map entries. (#​24716, @​gentoo-root)
• Report the kernel error code in case of packet drops due to failures to create NAT map entries. (#​25883, @​julianwiedmann)
• Retire Cilium-Integrated Istio documentation (#​25722, @​networkop)
• Return better error codes from hooked syscalls, such as connect() and bind(). (#​22965, @​gentoo-root)
• Revert "Revert agent/helm: Deprecate --kpr=partial|strict|disabled and use --kpr=true|false instead" (#​26496, @​brb)
• Set BGP IdleHoldTimeAfterReset to 5 seconds, session reset can happen on BGP peer configuration change. (#​26001, @​harsimran-pabla)
• Significantly reduce Hubble flow traffic by transmitting only requested information (#​23198, @​AwesomePatrol)
• spire: Add identity GC capability (#​25867, @​sayboras)
• Support enable-endpoint-routes with enable-high-scale-ipcache. (#​25601, @​pchaigno)
• Support defining IPAM pools using CiliumPodIPPool CRD (#​25824, @​tklauser)
• Support externalTrafficPolicy=local for BGP CPlane service VIP advertisement (#​25477, @​YutaroHayakawa)
• Support Gateway API v0.7.0 (#​25711, @​meyskens)
• Support GENEVE encapsulation with high-scale ipcache. (#​25591, @​pchaigno)
• Supports IPv4 ICMP "fragmentation needed" in egress SNAT (#​25054, @​liuyuan10)
• sysdump: Added Kubernetes CNI logs to sysdump. (#​23937, @​marseel)
• The Cilium agent now manages the CNI configuration file. This will allow for faster startup times when injecting Cilium as a chained plugin, such as with aws-cni. (#​24389, @​squeed)
• The deprecated pod-short context option in Hubble metrics is now removed (#​26125, @​lambdanis)

Bugfixes:

• Add drop notifications from various error paths in the BPF datapath. (Backport PR #​27038, Upstream PR #​26956, @​julianwiedmann)
• Add host-side interface info to cni.Result, which allows bandwidth CNI to work with Cilium (Backport PR #​26636, Upstream PR #​26518, @​nayihz)
• Added validation to ensure that enabling Ingress or Gateway API support while l7proxy is disabled will fail, as this is an incompatible configuration. (#​25215, @​youngnick)
• auth: Switch to observing identity changes (Backport PR #​26636, Upstream PR #​26375, @​mhofstetter)
• bgpv1: Unconditionally select node when empty nodeSelector is given (Backport PR #​26734, Upstream PR #​26590, @​YutaroHayakawa)
• bpf/nat: fix current behavior that is silently ignoring errors in a revSNAT context (#​19753, @​sahid)
• bpf: lb: deal with stale rev_nat_index after svc lookup in fallback path (#​24757, @​julianwiedmann)
• bpf: nodeport: don't reset aggregate ID when revDNAT is called by bpf_lxc (#​25929, @​julianwiedmann)
• bpf: nodeport: fix handling of stale CT entry with CT_REPLY (#​23894, @​julianwiedmann)
• bpf: nodeport: fix up trace point in to-overlay NAT paths (#​24886, @​julianwiedmann)
• Bugfix: Invert --hubble-monitor-events logic to be an allowlist (#​25167, @​epk)
• Bypassing policy check for IPv6 NDP to fix broken pod-to-pod connectivity when per-endpoint route is enabled with policy. (#​24919, @​jschwinger233)
• CIDRGroup reference metric will not count nonexistent CIDRGroups (#​26133, @​akstron)
• client, health/client: set dummy host header on unix:// local communication (Backport PR #​26838, Upstream PR #​26800, @​tklauser)
• datapath: bigtcp: Fix the IPv4 BIG TCP may not work (#​26336, @​haiyuewa)
• datapath: Do not send ICMP6 NA over cilium_wg0 (#​23969, @​brb)
• datapath: Fix L7 reply to outside when endpoint routes disabled (#​21980, @​brb)
• egressgw: fix race with endpoint deletion (Backport PR #​27038, Upstream PR #​26901, @​jibi)
• egressgw: retry getIdentityLabels on failure (Backport PR #​26734, Upstream PR #​26457, @​jibi)
• Fix a bug in the Egress Gateway feature when using the --install-egress-gateway-routes option. Delete stale IP rules after a CiliumEgressGatewayPolicy is updated and selects a different egress network interface. (Backport PR #​27069, Upstream PR #​26846, @​julianwiedmann)
• Fix a bug where datapath option DisableSipVerification can no longer be used. (#​25533, @​oblazek)
• Fix broken IPv6 access to native node devices due to wrong source IPv6 of NA response. (#​25329, @​jschwinger233)
• Fix bug in AlibabaCloud where instance type limits could not be determined (#​25387, @​haozhangami)
• Fix bug that caused transient IPsec packet drops on upgrades when tunneling is enabled. (Backport PR #​26914, Upstream PR #​26708, @​pchaigno)
• Fix bug where bpf map entries may not be reliably dumped or garbage collected when the map is actively being updated. (Backport PR #​26838, Upstream PR #​26583, @​tommyp1ckles)
• Fix bug with toServices policy where service backend churn left stale CIDR identities (#​25687, @​christarazi)
• Fix Cilium crash during network policy computation (#​24322, @​joestringer)
• Fix compilation error when enabling Wireguard and XDP (#​25734, @​ysksuzuki)
• Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (#​25087, @​joamaki)
• Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (#​23874, @​sjdot)
• Fix error propagation issue in clustermesh which prevented retrying on certain validation errors (Backport PR #​26799, Upstream PR #​26613, @​giorio94)
• Fix failure to load the datapath for new pods on latest kernel when (almost) all datapath features are enabled. (#​24405, @​borkmann)
• Fix for Identities that can be deleted before CESs are reconciled (#​25001, @​dlapcevic)
• Fix issue where Cilium ServiceAPI would ignore backend changes to services with backends that were used in several services and updated at least once (#​24474, @​strudelPi)
• Fix issues that caused SPIRE not to install properly (#​25160, @​meyskens)
• Fix missed deletion events when reconnecting to/disconnecting from remote clusters (identities) (#​25677, @​giorio94)
• Fix missed deletion events when reconnecting to/disconnecting from remote clusters (ipcache entries) (#​25675, @​giorio94)
• Fix missed deletion events when reconnecting to/disconnecting from remote clusters (nodes and services) (#​25499, @​giorio94)
• Fix missing metric "cilium_services_events_total" (Backport PR #​27038, Upstream PR #​26719, @​christarazi)
• Fix operator entering broken state when it has outdated version of the CES in the cache. (Backport PR #​27038, Upstream PR #​26455, @​alan-kut)
• Fix panic due to nil-map assignment in l2announcer (#​26315, @​dylandreimerink)
• Fix panic in hubble http v2 metrics (#​24350, @​chancez)
• Fix possible connection drops on agents restart when a service is associated with multiple endpointslices or has backends across multiple clusters (Backport PR #​27038, Upstream PR #​26912, @​giorio94)
• Fix SNAT by the N/S load-balancer for fragmented IPv4 requests. (Backport PR #​26636, Upstream PR #​26550, @​julianwiedmann)
• Fix some test failures for bpf_nat_test.c (#​24534, @​YutaroHayakawa)
• Fixed double metric accounting for k8s events (Backport PR #​26636, Upstream PR #​26349, @​dylandreimerink)
• Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport PR #​26813, Upstream PR #​26344, @​jrajahalme)
• Fixes an issue where SRv6 encapsulated packets are forwarded to the wrong layer 2 next hop. (#​26136, @​ldelossa)
• Fixes issue in BGP reconciler when multiple pod cidr withdrawals are done. (#​25320, [@​harsimran-pabla](https://togithub.c

---

Configuration

📅 Schedule: Branch creation - "before 6am" in timezone America/Detroit, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[madbuda-bot]

🦙 MegaLinter status: ✅ SUCCESS

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
✅ COPYPASTE	jscpd	yes		no	1.71s
✅ REPOSITORY	git_diff	yes		no	0.03s
✅ REPOSITORY	secretlint	yes		no	2.2s
✅ YAML	prettier	1		0	0.38s
✅ YAML	yamllint	1		0	0.25s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by