Update Helm release cilium to v1.15.5
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cilium (source) | HelmChart | patch | 1.15.4 -> 1.15.5 |
Release Notes
cilium/cilium (cilium)
v1.15.5: 1.15.5
We are pleased to announce the release of Cilium v1.15.5.
This release fixes a lot of bugs, including fixes for conflicting ports with DNS proxy, clustermesh startup issues, and StatefulSet handling.
Security Advisories
This release addresses the following security vulnerabilities:
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-3mh5-6q8v-25wj
- https://github.com/advisories/GHSA-5fq7-4mxc-535h
Summary of Changes
Minor Changes:
- envoy: Bump go version to 1.22.3 (#​32413, @​sayboras)
- labels: Add controller-uid into default ignore list (Backport PR #​32103, Upstream PR #​31964, @​sayboras)
Bugfixes:
- Agent: add kubeconfigPath to initContainers (Backport PR #​32230, Upstream PR #​32008, @​darox)
- Avoids drops with "No mapping for NAT masquerade" for ICMP messages by local service backends. (Backport PR #​32384, Upstream PR #​32155, @​julianwiedmann)
- cilium-cni: Reserve ports that can conflict with transparent DNS proxy (Backport PR #​32418, Upstream PR #​32128, @​gandro)
- cni: Use correct route MTU when ENI, Azure or Alibaba Cloud IPAM is enabled (Backport PR #​32384, Upstream PR #​32244, @​learnitall)
- dnsproxy: Fix bug where DNS request timed out too soon (Backport PR #​32230, Upstream PR #​31999, @​gandro)
- Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (Backport PR #​32312, Upstream PR #​32270, @​jrajahalme)
- envoy: pass idle timeout configuration option to cilium configmap (Backport PR #​32230, Upstream PR #​32203, @​mhofstetter)
- Fix failing service connections, when the service requests are transported via cilium's overlay network. (Backport PR #​32230, Upstream PR #​32116, @​julianwiedmann)
- Fix issue causing clustermesh-apiserver/kvstoremesh to not start when run with a non-root user (Backport PR #​31879, Upstream PR #​31539, @​giorio94)
- Fix service connection to terminating backend, when the service has no more backends available. (Backport PR #​32092, Upstream PR #​31840, @​julianwiedmann)
- Fix various bugs related to restart of StatefulSet pods that may result in connectivity issues (Backport PR #​32432, Upstream PR #​31605, @​christarazi)
- Fixes a bug where Cilium in chained mode removed the agent-not-ready taint too early if the primary network is slow in deploying. (Backport PR #32230, Upstream PR #32168, @squeed)
- Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (Backport PR #32384, Upstream PR #30548, @squeed)
- fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (Backport PR #​32103, Upstream PR #​31959, @​marseel)
- Ingress/Gateway API: merge Envoy listeners for HTTP(S) and TLS passthrough (Backport PR #​32178, Upstream PR #​31646, @​mhofstetter)
- ipam: retry netlink.LinkList call when setting up ENI devices (Backport PR #​32230, Upstream PR #​32099, @​jasonaliyetti)
- loader: sanitize bpffs directory strings for netdevs (Backport PR #​32103, Upstream PR #​32090, @​rgo3)
- Prevent Cilium agents from incorrectly restarting an etcd watch against a different etcd instance. (#​32005, @​giorio94)
- tables: Sort node addresses also by public vs private IP (Backport PR #​32103, Upstream PR #​30579, @​joamaki)
CI Changes:
- alibabacloud/eni: avoid racing node mgr in test (Backport PR #​31967, Upstream PR #​31877, @​bimmlerd)
- ci: Filter supported versions of AKS (Backport PR #​32384, Upstream PR #​32303, @​marseel)
- ci: Increase timeout for images for l4lb test (Backport PR #​32230, Upstream PR #​32201, @​marseel)
- ci: Set hubble.relay.retryTimeout=5s (Backport PR #​32230, Upstream PR #​32066, @​chancez)
- enable kube cache mutation detector (Backport PR #​32230, Upstream PR #​32069, @​aanm)
- gha: bump post-upgrade timeout in clustermesh upgrade/downgrade tests (Backport PR #​32384, Upstream PR #​32347, @​giorio94)
- gha: configure fully-qualified DNS names as external targets (Backport PR #​32103, Upstream PR #​31510, @​giorio94)
- gha: drop double installation of Cilium CLI in conformance-eks (Backport PR #​32103, Upstream PR #​32042, @​giorio94)
- Miscellaneous improvements to the clustermesh upgrade/downgrade test (Backport PR #​32103, Upstream PR #​31958, @​giorio94)
- route: dedicated net ns for each subtest of runListRules (Backport PR #​32230, Upstream PR #​29916, @​mhofstetter)
- test: De-flake xds server_e2e_test (Backport PR #​32103, Upstream PR #​32004, @​jrajahalme)
- workflows: Fix CI jobs for push events on private forks (Backport PR #​32230, Upstream PR #​32085, @​pchaigno)
Misc Changes:
- bpf: host: simplify MARK_MAGIC_PROXY_EGRESS_EPID handling (Backport PR #​32384, Upstream PR #​29803, @​julianwiedmann)
- build(deps): bump pydantic from 2.3.0 to 2.4.0 in /Documentation (Backport PR #​32230, Upstream PR #​32176, @​dependabot[bot])
- chore(deps): update all github action dependencies (v1.15) (#​31954, @​renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#​32107, @​renovate[bot])
- chore(deps): update all github action dependencies (v1.15) (#​32366, @​renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#​31993, @​renovate[bot])
- chore(deps): update all-dependencies (v1.15) (#​32238, @​renovate[bot])
- chore(deps): update azure/login action to v2.1.0 (v1.15) (#​31994, @​renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.6 (v1.15) (#​32365, @​renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.9 docker digest to 81811f8 (v1.15) (#31953, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.21.9 docker digest to d83472f (v1.15) (#32257, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to a6d2b38 (v1.15) (#32364, @renovate[bot])
- chore(deps): update go to v1.21.10 (v1.15) (#32417, @renovate[bot])
- chore(deps): update golangci/golangci-lint-action action to v6 (v1.15) (#​32396, @​renovate[bot])
- chore(deps): update hubble cli to v0.13.3 (v1.15) (#​32108, @​renovate[bot])
- chore(deps): update stable lvh-images (v1.15) (patch) (#​31821, @​renovate[bot])
- CI: bump default FQDN datapath timeout from 100 to 250ms (Backport PR #​32230, Upstream PR #​31866, @​squeed)
- clustermesh: fix panic if the etcd client cannot be created (Backport PR #​32384, Upstream PR #​32225, @​giorio94)
- docs: Add annotation for Ingress endpoint (Backport PR #​32384, Upstream PR #​32284, @​sayboras)
- docs: add link to sig-policy meeting (Backport PR #​32384, Upstream PR #​32340, @​squeed)
- docs: Clean-up Host Firewall documentation, list known issues (Backport PR #​32384, Upstream PR #​32267, @​qmonnet)
- docs: Fix prometheus port regex (Backport PR #​32230, Upstream PR #​32030, @​JBodkin-Amphora)
- Docs: mark Tetragon as Stable (Backport PR #​31967, Upstream PR #​31886, @​sharlns)
- Document Cluster Mesh global services limitations when KPR=false (Backport PR #​31967, Upstream PR #​31798, @​giorio94)
- endpoint: Skip build queue warning log if context is canceled (Backport PR #32230, Upstream PR #32132, @jrajahalme)
- Fix helm chart incompatible types for comparison (Backport PR #​32230, Upstream PR #​32025, @​lou-lan)
- fqdn: Change error log to warning (Backport PR #​32384, Upstream PR #​32333, @​jrajahalme)
- fqdn: Fix Upgrade Issue Between PortProto Versions (Backport PR #​32384, Upstream PR #​32325, @​nathanjsweet)
- golangci: Enable errorlint (Backport PR #​31783, Upstream PR #​31458, @​jrajahalme)
- images: Update bpftool, checkpatch images (Backport PR #​31896, Upstream PR #​31753, @​qmonnet)
- Improve release organization page (Backport PR #​32103, Upstream PR #​31970, @​joestringer)
- install/kubernetes: add AppArmor profile to Cilium Daemonset (Backport PR #​32384, Upstream PR #​32199, @​aanm)
- install/kubernetes: update nodeinit image to latest version (Backport PR #​32230, Upstream PR #​32181, @​tklauser)
- ipsec: Debug info for transient IPsec upgrade drops (Backport PR #​32384, Upstream PR #​32240, @​pchaigno)
- l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops (Backport PR #​32260, Upstream PR #​32200, @​mhofstetter)
- Remove aks-preview from AKS workflows (Backport PR #​32230, Upstream PR #​32118, @​marseel)
- Seamlessly downgrade bpf attachments from tcx to tc (Backport PR #​32337, Upstream PR #​32228, @​ti-mo)
Other Changes:
- [1.15] images: update cilium-{runtime,builder} (#​32444, @​nebril)
- [v1.15-backport] Introduce fromEgressProxyRule (#​31922, @​jschwinger233)
- [v1.15] cilium-dbg: remove section with unknown health status. (#​31905, @​tommyp1ckles)
- [v1.15] proxy: skip rule removal if address family is not supported (#​32007, @​rgo3)
- envoy: Bump envoy version to v1.27.5 (#​32077, @​sayboras)
- envoy: Update envoy 1.27.x to 1.28.3 (#​32149, @​sayboras)
- fix k8s versions tested in CI (#​31965, @​nbusseneau)
- install: Update image digests for v1.15.4 (#​31915, @​asauber)
v1.15.5
Docker Manifests
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.