helm/cilium/cilium 1.13.0-rc2

on Artifact Hub

We are pleased to release Cilium v1.13.0-rc2.

Summary of Changes

Major Changes:

• bpf: Add stateless RFC8215 NAT46/64 for standalone lb (#21777, @borkmann)
• gateway-api: Add support for gateway-api v0.5.1 (#21749, @sayboras)
• Sign Cilium container images using cosign (#21918, @sandipanpanda)

Minor Changes:

• Add --source-ranges option to cilium bpf lb list (#19705, @julianwiedmann)
• ctmap: add support for GC of DSR orphaned entries (#21626, @jibi)
• Enable icmp error replies with enable-pmtu-discovery flag (#21825, @nnbu)
• Enable operator operation without kubernetes. (#21344, @pruiz)
• Fix behavior where packets leave node if there are no backends (#21539, @michaelasp)
• helm: Add validation for Ingress Controller (#21550, @sayboras)
• Helm: optionally use less permissive linux capabilities. (#21506, @jonkerj)
• helm: Remove chart fields planned for removal in 1.12 (#21881, @my-git9)
• hubble/metrics: Add source_ip/destination_ip labels to contextLabels (#21322, @chancez)
• hubble/metrics: Add workload-name and app options to sourceContext and destinationContext (#21320, @chancez)
• hubble: add support for filtering by trace ID (#21551, @rolinh)
• hubble: Extract traceIDs into exemplars in HTTP metrics (#21599, @chancez)
• ingress: Follow-up items for shared LB mode (#21493, @sayboras)
• ipam: Support custom owner IPs in CRD IPAM pool (#21379, @llhhbc)
• makefile: add a new target to run 'golangci-lint run --fix' (#21547, @aspsk)
• Prepend Envoy resources with CEC namespace and name (#21500, @pippolo84)
• Sign container images with cosign (#21739, @sandipanpanda)
• The CNI configuration file is now written only after the agent has successfully started up. Configuring a custom CNI configuration file is now simpler and more reliable. See the docs for more details. (#21375, @squeed)
• XDP NodePort Acceleration can also be used for clusters in tunnel mode. (#21364, @julianwiedmann)

Bugfixes:

• Add missing inner IP header in ICMP error-reply packet (#21234, @nnbu)
• alibabacloud: Fix create ENI failure: The specified parameter "SecondaryPrivateIpAddressCount" is not valid (#21828, @jaffcheng)
• bpf: always track egress gateway connections (#21499, @jibi)
• bugtool: Fix pprof default ports (#21497, @pippolo84)
• Fix agent deadlock caused by frequent kube-apiserver IP recycling (#21629, @joestringer)
• Fix bug in AlibabaCloud where vSwitches could not be matched (#21635, @haozhangami)
• Fix bug that can cause some traffic covered by an L7 policy to be dropped when IPsec is enabled on EKS. (#21595, @pchaigno)
• Fix overlapping/duplicate PodCIDR allocation when nodes are added while operator is down (#21526, @dylandreimerink)
• Fixed CCNP garbage collection (#21394, @zuzzas)
• Fixes a deadlock that can be exposed in high-churn clusters when Pods are deleted rapidly. (#21771, @squeed)
• Fixes cilium startup on certain AWS-VPC clusters. (#21444, @squeed)
• ipam/crd: Fix ENI leak due to miscounting of empty interface slots (#21800, @jaffcheng)
• ipcache: Fix metadata access from CIDR allocation (#21565, @joestringer)
• nodeinit: Move kubelet version check to expected branch (#21772, @dctrwatson)

CI Changes:

• CI: Add AKS helm overrides for E2E test (#21277, @vipul-21)
• CI: Using the same function for Native CIDR for GKE and AKS (#21701, @vipul-21)
• conformance-gke-v1.12: Miscellaneous fixes (#21613, @michi-covalent)
• fqdn/dnsproxy: Rewrite dnsproxy benchmark (#21895, @odinuge)
• gh/workflows: Pin lvh to v0.0.1 (#21525, @brb)
• kind.sh: Retry pulling docker registry image (#21566, @michi-covalent)
• Pin gcloud CLI version (#21885, @michi-covalent)
• Provide Go file patterns to go test, removing for loops in Makefile (#21560, @ti-mo)
• Replace privileged_tests build tag with PRIVILEGED_TESTS environment variable (#20769, @ti-mo)
• Run 'go test' with CGO_ENABLED=0 (#21663, @ti-mo)
• Run tooling in module mode by removing GO111MODULE=off (#21606, @ti-mo)
• test: fix up the number of pods in DemoDaemonSet (#21588, @julianwiedmann)

Misc Changes:

• .github: add original authors of bugs as reviewers (#21478, @aspsk)
• Add a section with distro-specific considerations (#21064, @bmcustodio)
• Add Immerok to USERS.md (#21714, @austince)
• ADD to USERS.md Kilo and Sapian (#21503, @arpagon)
• bpf: minor cleanups (#21778, @julianwiedmann)
• build(deps): bump actions/cache from 3.0.10 to 3.0.11 (#21727, @dependabot[bot])
• build(deps): bump actions/cache from 3.0.8 to 3.0.10 (#21552, @dependabot[bot])
• build(deps): bump actions/checkout from 3.0.2 to 3.1.0 (#21572, @dependabot[bot])
• build(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 (#21837, @dependabot[bot])
• build(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (#21779, @dependabot[bot])
• build(deps): bump docker/build-push-action from 3.1.1 to 3.2.0 (#21687, @dependabot[bot])
• build(deps): bump docker/login-action from 2.0.0 to 2.1.0 (#21686, @dependabot[bot])
• build(deps): bump docker/setup-buildx-action from 2.0.0 to 2.1.0 (#21688, @dependabot[bot])
• build(deps): bump docker/setup-buildx-action from 2.1.0 to 2.2.0 (#21754, @dependabot[bot])
• build(deps): bump docker/setup-buildx-action from 2.2.0 to 2.2.1 (#21781, @dependabot[bot])
• build(deps): bump docker/setup-qemu-action from 2.0.0 to 2.1.0 (#21726, @dependabot[bot])
• build(deps): bump dorny/paths-filter from 2.10.2 to 2.11.1 (#21713, @dependabot[bot])
• build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.2 to 22.4.0 (#21358, @dependabot[bot])
• build(deps): bump github.com/hashicorp/consul/api from 1.14.0 to 1.15.2 (#21658, @dependabot[bot])
• build(deps): bump github.com/hashicorp/consul/api from 1.15.2 to 1.15.3 (#21912, @dependabot[bot])
• build(deps): bump github.com/kr/pretty from 0.3.0 to 0.3.1 (#21634, @dependabot[bot])
• build(deps): bump github.com/onsi/gomega from 1.20.2 to 1.22.1 (#21690, @dependabot[bot])
• build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.8 to 3.22.9 (#21645, @dependabot[bot])
• build(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#21215, @dependabot[bot])
• build(deps): bump github/codeql-action from 2.1.26 to 2.1.27 (#21622, @dependabot[bot])
• build(deps): bump github/codeql-action from 2.1.27 to 2.1.28 (#21780, @dependabot[bot])
• build(deps): bump github/codeql-action from 2.1.28 to 2.1.29 (#21890, @dependabot[bot])
• build(deps): bump go.etcd.io/etcd/api/v3 from 3.5.4 to 3.5.5 (#21323, @dependabot[bot])
• build(deps): bump go.opentelemetry.io/otel/trace from 1.10.0 to 1.11.1 (#21879, @dependabot[bot])
• build(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#21836, @dependabot[bot])
• build(deps): bump google-github-actions/auth from 0.8.1 to 0.8.2 (#21728, @dependabot[bot])
• build(deps): bump google-github-actions/auth from 0.8.2 to 0.8.3 (#21741, @dependabot[bot])
• build(deps): bump google-github-actions/setup-gcloud from 0.6.0 to 0.6.1 (#21731, @dependabot[bot])
• build(deps): bump google-github-actions/setup-gcloud from 0.6.1 to 0.6.2 (#21742, @dependabot[bot])
• build(deps): bump google.golang.org/grpc from 1.49.0 to 1.50.1 (#21755, @dependabot[bot])
• build(deps): bump KyleMayes/install-llvm-action from 1.5.4 to 1.5.5 (#21406, @dependabot[bot])
• build(deps): bump KyleMayes/install-llvm-action from 1.5.5 to 1.6.0 (#21864, @dependabot[bot])
• build(deps): bump michi-covalent/push-to-loki from 0.2.1 to 0.2.2 (#21553, @dependabot[bot])
• build(deps): bump nick-invision/retry from 2.8.1 to 2.8.2 (#21748, @dependabot[bot])
• change slice declarations to array initialization (#21536, @mstrYoda)
• chore: Fix typo in contrib/script/kind-shell-helpers.sh (#21855, @sadikkuzu)
• ci: reenable goerr113 and unused linters across the codebase (#21578, @ti-mo)
• Clarify in documentation that Azure CNI chaining is different from Azure CNI powered by Cilium. (#21897, @wedaly)
• clustermesh-apiserver: Add support for pprof (#21584, @pippolo84)
• CODEOWNERS: Add ownerships for IPsec team (#21567, @pchaigno)
• consolidate_go_stacktrace.py: Add support for replacing Cilium source directory inline (#21518, @joestringer)
• consolidate_go_stacktrace.py: Use relative paths by default (#21673, @michi-covalent)
• consolidate_go_stacktrace: Fix relative paths (#21812, @joestringer)
• contrib: avoid reviews from non-collaborators (#21577, @bimmlerd)
• correct the stale documentation link (#21889, @dmitris)
• daemon, options: remove deprecated, ineffective options (#21524, @tklauser)
• dashboards: Enable exemplars for histogram queries in Hubble L7 workloads dashboard (#21773, @chancez)
• dev-doctor: Fix the docker buildx version regex (#21561, @gentoo-root)
• dns: Add DataSource field to ProxyRequestContext (#21854, @michi-covalent)
• docs/crd: Support master RCs in schema bump script (#21535, @joestringer)
• docs: cilium committers are also CNCF maintainers (#21802, @lizrice)
• docs: CNCF maintainer update process (#21649, @lizrice)
• docs: Document the workaround for the kernel bug on new Intel CPUs (#21803, @gentoo-root)
• docs: Fix 'interface' field indentation (#21798, @lou-lan)
• docs: merge Alibaba install guide into quick install guide (#21581, @yoyo-go)
• docs: Remove autoDirectNodeRoutes where not needed (#21831, @pchaigno)
• docs: Update k8s NetworkPolicy descriptions (#21670, @joestringer)
• document missing bpf.hostLegacyRouting, bpf.tproxy, bpf.vlanBypass option (#21650, @vincentmli)
• Document missing bpf ctTcpMax ctAnyMax natMax neighMax helm option (#21627, @vincentmli)
• Documentation: Fix out-of-sync codeowners (#21583, @pchaigno)
• Egress Gateway: move code into its own header file, and remove the dependency on TUNNEL_MAP. (#21719, @julianwiedmann)
• Fix broken link to CNCF CoC (#21616, @xmulligan)
• Fix grpc-ingress.yaml path in Service Mesh docs (#21601, @pippolo84)
• Fix hubble metrics label ordering with contextOptions (#21732, @chancez)
• Fix incorrect env var name used in docs for Helm installation on Rancher Desktop (#21835, @ehausig)
• fix kernel config file and config option probe log (#20889, @vincentmli)
• Fix log level for "local-redirect service exists for frontend" error (#21898, @tbalthazar)
• Fix up and lint SPDX headers in all Go files (#21821, @ti-mo)
• fix: correction in PR #21825 (#21904, @nnbu)
• Fix: prevent goroutine leakage (#21913, @kerthcet)
• fqdn/dnsproxy, daemon: Define new error type for DNS notification (#21517, @christarazi)
• fqdn/dnsproxy: Add concurrency grace period parameter (#21668, @pippolo84)
• fqdn: convert map keys and internal types to netip.Addr (#21620, @tklauser)
• gha: Update the names for ConformanceIngress jobs (#21494, @sayboras)
• helm: avoid generating ConfigMapList (#21750, @kaworu)
• hive: Add title to Module() and enforce format (#21915, @joamaki)
• hive: Reimplement on top of dig (#21562, @joamaki)
• hubble: Add "hubble-prefer-ipv6" option (#21751, @mKeRix)
• hubble: Add "syn-only" option to flows-to-world metric (#21571, @michi-covalent)
• ip: Simplify MustAddrFromIP (#21598, @christarazi)
• IPAM: fix ipam owner check (#21715, @llhhbc)
• ipcache: Plumb daemon context through IPCache (#21676, @joestringer)
• ipcache: Release metadata mutex in loop error condition (#21653, @joestringer)
• ipcache: Remove unsafe ipc.metadata.get (#21608, @gandro)
• ipsec: Fix slightly incorrect assumption in XFRM IN policies (#21621, @pchaigno)
• ipsec: Refactoring around UpsertIPsecEndpoint (#21461, @pchaigno)
• ipsec: Simplify XFRM FWD policies (#21602, @pchaigno)
• k8s/{client,resource}: API improvements and support for custom retries (#21644, @joamaki)
• k8s: optimize API calls made to kube-apiserver (#21088, @aanm)
• k8s: Remove the global client getters in favor of Clientset (#21877, @joamaki)
• MAINTAINERS: add Chance Zibolski to the list of maintainers (#21792, @rolinh)
• maps/ctmap: convert to use netip.Addr internally (#21529, @tklauser)
• only setup ip rules when l7 policy enabled (#21636, @liuxu623)
• operator: Add leader lifecycle (#21457, @joamaki)
• pkg/k8s/resource: Fix test flake due to race between create and watch (#21681, @joamaki)
• pkg/labels: Optimize LabelArray {GetModel(),String()} (#21643, @odinuge)
• Prepare for release v1.13.0-rc1 (#21534, @joestringer)
• promise: Document the Resolve/Reject functions (#21827, @joestringer)
• Remove beta.kubernetes.io/arch as it's already deprecated (#21799, @my-git9)
• Remove unused sections for bpf_lxc from nodeport.h (#21505, @alexkats)
• Replace the hash function implementation to license it under the dual GPL/BSD license. (#21794, @gentoo-root)
• resource: Make the resource lazy by default (#21862, @joamaki)
• Revert "Sign container images" (#21846, @aanm)
• treewide: Switch ipcache interface to netip.Prefix (#21586, @joestringer)
• Update Go to 1.19.2 (#21591, @tklauser)
• Update stable releases (#21770, @qmonnet)
• Update the cert-manager's Certificate to fully qualify the duration (#21389, @farcaller)
• Use rate instead of irate in Hubble L7 workloads dashboard (#21791, @chancez)