Changelog

v1.15.0-pre.0

Summary of Changes

Major Changes:

Add support for k8s 1.28 (#27361, @aanm)
bgpv1: Add bgp/routes API endpoint and cilium bgp routes CLI command (#27182, @rastislavs)
Introduce ability to specify SAFI/AFI for specific BGP peers. (#26940, @ldelossa)
Module Health: Node Manager: First Iteration (#25994, @tommyp1ckles)

Minor Changes:

*_kvstore_operations_duration_seconds metrics do not include client-side rate-limiting latency anymore. (#27396, @marseel)
.github/workflows: don't error out if pkill finds no processes (#26357, @lmb)
.github: dump buddyinfo and pagetypeinfo when ci-e2e fails (#26600, @lmb)
Add cilium bpf auth flush command for debugging purposes (#27216, @meyskens)
Add an option to specify a filters and field mask for hubble-exporter (#26379, @AwesomePatrol)
Add documentation of Hubble exporter - an option to save Hubble flows to a file (#27610, @AwesomePatrol)
Add per-controller success/failure count metrics and a config option for these (#26850, @asauber)
Add Prometheus map pressure metrics for NAT maps (#27001, @derailed)
Add securityContext for spire pod in helm chart (#27363, @ishuar)
Add source and destination workload_kind context labels (Hubble). (#27350, @marqc)
Add SPIRE connection to cilium status (#26896, @meyskens)
Add strict mode for WireGuard Pod2Pod encryption (#21856, @3u13r)
Added the EnableHealthCheckLoadBalancerIP flag to address health checks on LoadBalancerIP in Google Cloud Platform using KubeProxyReplacement. (#26728, @nberlee)
api: Add extensions field to observer.GetFlowsRequest and flow.Flows types (#27577, @chancez)
Augments cilium status CLI to report on agent modules health status. (#25714, @derailed)
bpf: allow overriding Makefile variables (#27492, @lmb)
bpf: compile test ENABLE_EGRESS_GATEWAY_COMMON (#27515, @lmb)
bpf: gate egressgw datapath on separate defines (#27189, @lmb)
bpgv1: move the internal BGP signaler to a cell and allow other cells to depend on it. (#26745, @ldelossa)
Change the Helm values configuration for SPIRE to match other images in the Helm charts (#27621, @weizhoublue)
cilium/cmd: make output of 'cilium policy selectors' sorted. (#27803, @tommyp1ckles)
cilium: export intermediate cobra.Commands (#26265, @lmb)
cilium: use absolute path to include Makefile.defs (#27054, @lmb)
cli: Update cilium policy import to allow policy replacement by label (#27103, @deverton-godaddy)
clustermesh-apiserver deployment support lifecycle and terminationGracePeriodSeconds. (#26945, @acgs771126)
daemon: Do not require native routing CIDR if ipmasq-agent is enabled (#27747, @gandro)
docs, cilium: Remove cilium endpoint regenerate command (#27326, @christarazi)
egressgw: inject datapath config via hive (#27414, @lmb)
egressgw: refactor check for conflicting egress IPs (#27491, @lmb)
egressgw: tidy up Config handling (#27221, @lmb)
endpoint, endpointmanager: Publish max policymap size as metric (#27367, @christarazi)
envoy: Bump envoy to 1.26.2 (#26851, @sayboras)
envoy: Bump envoy version to v1.26.4 (#27104, @sayboras)
envoy: Update envoy version to the latest build (#27819, @jrajahalme)
Extend AWS metadata-based policy enforcement to work with any VPC-enabled service. (#27071, @spacepants)
Fix LookupReservedIdentityByLabels function to return consistent results (#26795, @skmatti)
gateway-api: Bump version to v0.8.0-rc1 (#27592, @sayboras)
Hubble: improve security by adding an option to redact API key in Kafka requests (L7) (#25844, @ioandr)
hubble: replace deprecated usage of grpc.WithInsecure. (#25631, @tommyp1ckles)
Increase number of dnsproxy mutexes from 128 to 131. (#27147, @marseel)
ipam, metrics: Add new capacity metric (#27710, @christarazi)
Modular daemon and operator (#25986, @pippolo84)
Refactor hubble redact settings schema (#26989, @ChrsMark)
Refactor hubble redact settings schema [v2] (#27553, @ChrsMark)
Remove deprecate clustermesh CA configuration from the helm chart (#27162, @giorio94)
When BGP control plane is enabled and configured for service announcements, it will only advertise a matching service that has an unspecified loadbalancerClass or set for "io.cilium/bgp-control-plane". (#26905, @danehans)

Bugfixes:

Add a 5 second timeout to the Mutual Auth TCP handshake (#26650, @meyskens)
bgpv1: fix manager_test.go build error (#27543, @ldelossa)
bpf: nat: set .from_local_endpoint for all inter-cluster SNAT traffic (#26853, @julianwiedmann)
bpf: nodeport: add RevDNAT-based FIB lookup for reply traffic (#26638, @julianwiedmann)
bug: In dual-stack mode (both IPv4 and IPv6 are enabled), Cilium incorrectly converted CIDRs that covered all possible addresses for an IP Family (e.g. 0.0.0.0/0) to the "reserved:world" entity. Both IP families must be completely covered for "reserved:world" to apply. This resulted in dual-stack mode network policies that could not distinguish between world IPv4 and IPv6 traffic, treating them as one entity instead. (#22625, @nathanjsweet)
cleanup: can clean the bpf filters created by the cilium agent with lower version (#27373, @sofat1989)
Do mutual authentication handshake again if mismatch between bpf map and cached map happens (#27241, @meyskens)
egressgw: policy: ensure egressGateway field is not nil (#27802, @jibi)
envoy: fix init order between accesslog and xDS server (#27617, @mhofstetter)
Fix a bug that could cause an incorrect max. sequence number to be reported by cilium encrypt status when IPsec is enabled. (#27656, @pchaigno)
Fix cilium-envoy ServiceMonitor port name (#27207, @pixiono)
Fix connection disruption for IPsec during downgrade to v1.14 by attaching correct bpf program to devices. (#27480, @jschwinger233)
Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (#27602, @julianwiedmann)
Fix endpoint logger not formatting logs as JSON when daemon log format is set to JSON (#27263, @leblowl)
Fix Gateway managed services not exposing all ports (#27695, @Managarmrr)
Fix possible cross-cluster connection drops on agents restart when clustermesh is enabled (#27575, @giorio94)
Fix potential cross-node connectivity issue when IPsec is enabled with ENI or Azure IPAM modes. (#26663, @gandro)
Fixes a issue that IPsec key rotation can't be triggered. (#27694, @jschwinger233)
Fixes an issue where an empty ControlPlaneState was used during registration of BGP speakers. This would cause reconciliation issues as the current state would be unknown. (#27117, @ldelossa)
Handle .status.conditions on Services using in accordance with KEP-1623 (#27399, @addreas)
health: Update Cilium agent to listen on nodeip (#26845, @tamilmani1989)
helm: fix envoy daemonset loglevel with multiple verbose debug groups (#27698, @mhofstetter)
ingress: fix panic on ingress rule without HTTPIngressRule (#27818, @mhofstetter)
ipam: when a CiliumNode is removed, delete node label from metrics. (#27713, @tommyp1ckles)
metrics: fix potential conflict on metrics registration (#27007, @ysksuzuki)
Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (#27572, @bimmlerd)
proxy: fix multiple envoy listeners for same proxyType (#27510, @mhofstetter)
Read FQDNRejectResponseCode from config (#27362, @ayuspin)
spire: add scheduling configurations to helm-chart (#27229, @tvonhacht-apple)

CI Changes:

.github: Remove Loki action (#26676, @joestringer)
Add missing ariane trigger phrases (#27822, @tklauser)
bpf/tests: Cover IPsec key rotations (#27185, @pchaigno)
bpf: test: pktgen cleanups (#26776, @julianwiedmann)
bpf: tests: add helpers for boilerplate code (#27429, @julianwiedmann)
bpf: tests: add helpers for common patterns (#27134, @julianwiedmann)
bpf: tests: improve CT checks for observed TCP flags (#26802, @julianwiedmann)
build(deps): bump tornado from 6.2 to 6.3.3 in /Documentation (#27497, @dependabot[bot])
ci-ginkgo: conditionally skip fetching artifacts & junit report (#27081, @mhofstetter)
ci-gke: adjust junit file names to matrix properties (#27072, @mhofstetter)
CI: Add conn-disrupt-test action for reuse (#27567, @jschwinger233)
CI: Add IPsec key rotation test (#27203, @jschwinger233)
ci: add scheduled runs for Ariane workflows (#27687, @nbusseneau)
ci: Automate generation and update of docs-builder image (#24121, @qmonnet)
ci: fix checking github.event.pull_request.head.sha (#26775, @mhofstetter)
ci: increase junit artifact retention from 2 to 5 days (#27021, @mhofstetter)
CI: Move IPsec CI jobs into separate pipelines (#26730, @jschwinger233)
CI: Rename workflow names (#27391, @brlbil)
ci: replace GHA action Sibz/github-status-action (#26976, @mhofstetter)
ci: Run documentation workflow on README.rst updates (#26559, @qmonnet)
ci: upload and publish JUnit test results for conformance-multi-pool (#27025, @mhofstetter)
ci: use env variable to store branch name (#26779, @ferozsalam)
datapath: Cover subnet encryption in XFRM leak test (#27212, @pchaigno)
datapath: Fix TestNodeChurnXFRMLeaks (#27274, @brb)
Disable the images digest when pushing the development helm chart (#27646, @giorio94)
egressgw: back out test for policy conflict in ENI mode (#27432, @julianwiedmann)
Extend Integration Test timeout (#27811, @YutaroHayakawa)
Fix container scanning workflow (#26542, @ferozsalam)
gh/actions: Customize cilium-config (#27416, @brb)
gh/workflows: Fix setting endpoint routes in ci-e2e (#27384, @brb)
Improve service unit test robustness (#26212, @strudelPi)
ingress: Add conformance test for KPR=false (#27304, @sayboras)
ipam: Fix race in NodeManager.Resync (#26963, @jaffcheng)
jenkinsfiles: remove kubernetes upstream (#27349, @aanm)
k8s: Replace generate-internal-groups.sh script (#27591, @sayboras)
Make ci-ipsec-upgrade a part of /test (#27557, @jschwinger233)
make: drop redundant go vet ./... from integration tests (#26565, @tklauser)
node: Integration test for XFRM leaks on node churn (#27187, @pchaigno)
Remove validation timeout in controlplane testing (#26414, @pippolo84)
renovate: Pin cilium-cli version for <v1.14 (#26716, @michi-covalent)
Revert quarantine k8s datapath services test (#26400, @marseel)
update upgrade tests to test from v1.14.0 to main (#27114, @aanm)

Misc Changes:

.clang-format: Re-write and re-license .clang-format (#26640, @qmonnet)
.github: add Dockerfile for hubble-relay image in Renovate config (#27404, @aanm)
.github: add workflow to track replied issues (#27283, @aanm)
.github: do not upgrade ubuntu runner for integration tests (#27829, @aanm)
.github: fix renovate config (#27727, @aanm)
.github: Remove master mirror (#25806, @joestringer)
.github: Remove remaining references to v1.11 (#26681, @joestringer)
.github: use kindest/node instead of quay.io/cilium/kindest-node (#27729, @aanm)
.github: write the right regex for little-vm-images versioning (#27390, @aanm)
Add a troubleshooting Gateway API part of the documentation (#25945, @meyskens)
Add Berops to USERS.md (#27483, @bernardhalas)
Add checks to avoid use of logrus WithFields function in hot paths (#26327, @learnitall)
Add deepcopy plugin (#26978, @AwesomePatrol)
Add docs on first and last IP of LB-IPAM pool (#27110, @darox)
Add G DATA CyberDefense AG as user (#27316, @farodin91)
Add guidance for bumping the Golang version in Cilium (#26789, @ferozsalam)
add links to enterprise support and slack to the issues page for easier discoverability (#26551, @xmulligan)
add lint-go to merge queue check (#27542, @aanm)
Add metrics for LB-IPAM (#26173, @dylandreimerink)
Add note to the quick install documentation for increasing inotify limits (#27140, @leblowl)
Add prerelease-testing issue template (#27766, @jspaleta)
Add script to run GitHub ginkgo workflow locally (#26540, @qmonnet)
add Twilio to Users list (#27755, @michaelsaah)
Add workload label context (hubble metrics). (#25667, @marqc)
Added metrics for jobs (#26077, @dylandreimerink)
alibabacloud: Allocate from vswitches with the most IP addresses (#27696, @jaffcheng)
Allow Golang bump to v1.20 on Cilium v1.12 and v1.13 (#27434, @ferozsalam)
auth: depend on nodeIDHandler directly (#27106, @mhofstetter)
bgp: fix up formatting in CiliumBGPPeeringPolicy (#27219, @julianwiedmann)
bgpv1: Add GetRoutes method to Router interface and generic Path type (#26803, @rastislavs)
bgpv1: Use Path type in AdvertisePath & WithdrawPath (#27223, @rastislavs)
bpf: avoid calculating L4 offset (#27313, @julianwiedmann)
bpf: ct: clean up tuple swapping for forward lookups (#26826, @julianwiedmann)
bpf: ct: clean up unused .seen_non_syn flag for ICMP entries (#26754, @julianwiedmann)
bpf: ct: document some unused fields in ct_entry struct (#27692, @julianwiedmann)
bpf: ct: simplify ct_action parameter for CT lookup (#26527, @julianwiedmann)
bpf: dsr: don't track ifindex of ingress interface (#27528, @julianwiedmann)
bpf: dsr: ensure that Geneve options have correct size (#26707, @julianwiedmann)
bpf: dsr: merge Ingress tail-calls into nodeport_lb*() (#27267, @julianwiedmann)
bpf: exclude EgressGW logic in bpf_overlay (#26611, @julianwiedmann)
bpf: install proxy routes using Go, remove init.sh (#27445, @ti-mo)
bpf: lxc: clarify kube-proxy workaround in to-container path (#27604, @julianwiedmann)
bpf: lxc: cleanups (#27044, @julianwiedmann)
bpf: lxc: remove unused IPv6 loopback code (#27601, @julianwiedmann)
bpf: minor ICMPv6 improvements (#26563, @julianwiedmann)
bpf: minor loopback cleanups (#27764, @julianwiedmann)
bpf: nat: Handle errors from snat_v(4|6)_prepare_state() (#26501, @qmonnet)
bpf: nat: improve logic that creates the NAT entries (#26594, @julianwiedmann)
bpf: nat: minor improvements (#26520, @julianwiedmann)
bpf: nat: share rewrite logic in RevSNAT path (#27366, @julianwiedmann)
bpf: nat: small Masquerading improvements (#26848, @julianwiedmann)
bpf: nat: SNAT cleanups (#26889, @julianwiedmann)
bpf: nat: use common set of rewrite helpers (#27509, @julianwiedmann)
bpf: nodeport: consolidate packet rewrite in RevDNAT path (#26852, @julianwiedmann)
bpf: nodeport: improve ICMP vs DSR co-existence (#26562, @julianwiedmann)
bpf: nodeport: improve tracing for inlined RevDNAT processing (#27191, @julianwiedmann)
bpf: nodeport: integrate Ingress RevSNAT and RevDNAT paths (#27488, @julianwiedmann)
bpf: overlay: clarify delivery to local host (#27580, @julianwiedmann)
bpf: overlay: remove unused code (#27026, @julianwiedmann)
bpf: policy: cleanups to reduce program size (#27369, @julianwiedmann)
bpf: Rename proxy_identity to src_sec_identity (#27517, @joestringer)
bpf: small improvements in TTL / hoplimit handling (#27146, @julianwiedmann)
bpf: snat: DSR-eligible traffic can skip check for Nodeport NAT conflict (#26674, @julianwiedmann)
bpf: xdp: remove unused XFER_ENCAP_* enums (#27264, @julianwiedmann)
build(deps): bump certifi from 2022.12.7 to 2023.7.22 in /Documentation (#27064, @dependabot[bot])
build(deps): bump pygments from 2.14.0 to 2.15.0 in /Documentation (#26957, @dependabot[bot])
Bump allowed Golang version for v1.11 and v1.12 (#26713, @ferozsalam)
Bump controller-tools fork to v0.8.0-1 (#27063, @christarazi)
Change makefile cache to rebuild on header changes (#27605, @dylandreimerink)
chart: define the envoy image variable in the makefile (#27725, @weizhoublue)
chore(deps): pin hramos/needs-attention action to 4d47f33 (main) (#27286, @renovate[bot])
chore(deps): update actions/checkout action to v3.5.3 (main) (#26568, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#26570, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#26821, @renovate[bot])
chore(deps): update all github action dependencies (main) (minor) (#27737, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#26691, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#26819, @renovate[bot])
chore(deps): update all github action dependencies (main) (patch) (#27478, @renovate[bot])
chore(deps): update all kind-images main (main) (#27477, @renovate[bot])
chore(deps): update all kind-images main (main) (patch) (#27479, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#27339, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#27372, @renovate[bot])
chore(deps): update all lvh-images main (main) (patch) (#27421, @renovate[bot])
chore(deps): update aws-actions/configure-aws-credentials action to v3 (main) (#27743, @renovate[bot])
chore(deps): update cilium/cilium-cli action to v0.15.4 (main) (#26971, @renovate[bot])
chore(deps): update cilium/cilium-cli action to v0.15.6 (main) (#27600, @renovate[bot])
chore(deps): update cilium/little-vm-helper action to v0.0.12 (main) (#26974, @renovate[bot])
chore(deps): update cilium/little-vm-helper action to v0.0.12 (main) (#27257, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.0 (main) (#26571, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.2 (main) (#26784, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.3 (main) (#26875, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.4 (main) (#27127, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.5 (main) (#27258, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.5 (main) (#27261, @renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.15.6 (main) (#27613, @renovate[bot])
chore(deps): update dependency google/gops to v0.3.28 (main) (#27412, @renovate[bot])
chore(deps): update dependency ubuntu to v22 (main) (#27745, @renovate[bot])
chore(deps): update docker.io/library/alpine docker tag to v3.18.3 (main) (#27735, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.5 docker digest to 344193a (main) (#26481, @renovate[bot])
chore(deps): update docker.io/library/golang:1.20.6 docker digest to cfc9d1b (main) (#26818, @renovate[bot])
chore(deps): update docker.io/library/golang:1.21.0 docker digest to b490ae1 (main) (#27598, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 0bced47 (main) (#26689, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 6120be6 (main) (#26432, @renovate[bot])
chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ec050c3 (main) (#27529, @renovate[bot])
chore(deps): update docker/setup-buildx-action action to v2.9.0 (main) (#26694, @renovate[bot])
chore(deps): update github/codeql-action action to v2.21.2 (main) (#27265, @renovate[bot])
chore(deps): update github/codeql-action action to v2.21.5 (main) (#27734, @renovate[bot])
chore(deps): update go to v1.20.6 (main) (patch) (#26781, @renovate[bot])
chore(deps): update go to v1.20.7 (main) (patch) (#27259, @renovate[bot])
chore(deps): update go to v1.21.0 (main) (minor) (#27444, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.54.0 (main) (#27385, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.54.1 (main) (#27538, @renovate[bot])
chore(deps): update golangci/golangci-lint docker tag to v1.54.2 (main) (#27619, @renovate[bot])
chore(deps): update hubble cli to v0.12.0 (main) (minor) (#26762, @renovate[bot])
chore(lint): Enable linting with gosimple (#26965, @mrueg)
chore: Use xxx.String() instead of string(xxx.Bytes()) (#26165, @testwill)
ci-e2e: Enable debug.verbose for envoy (#26860, @sayboras)
ci: fix go mod step name (#27711, @nbusseneau)
ci: set timeout on build images workflows (#27341, @mhofstetter)
ci: skip cosign / sbom in case of building images during cache rebuild (#26786, @mhofstetter)
ci: skip fetching sysdump in case of skipped LB test (#26774, @mhofstetter)
ci: skip post-test info gathering in case of skipped cilium installation (#26729, @mhofstetter)
cilium, docs: Add a note about KPR and nfs dependencies (#27678, @borkmann)
cilium, docs: Add rc.0 to development releases (#26564, @borkmann)
cilium, iptables: Extend to cover default route in enable-masquerade-… (#27664, @borkmann)
cilium: Add option to masq to source route (#27618, @borkmann)
cilium: Fix 16bit ifindex limitation (#27622, @borkmann)
clean-up: remove check for permissive CCNPs (#27690, @shawnh2)
cleanup: code cleanup to remove unused parameter from repository add api (#26943, @tamilmani1989)
clustermesh: make extra ipcache watcher options configurable (#27336, @giorio94)
cni: Follow CNI spec by using (containerID, ifName) as unique endpoint identifier (#26894, @gandro)
cni: log format byte array as string (#26740, @aojea)
cocci: Re-license Coccinelle scripts as Apache 2.0 (#26629, @qmonnet)
CODEOWNERS: assign bpf/lib/auth.h to sig-servicemesh (#27083, @mhofstetter)
CODEOWNERS: assign egressgw control plane/datapath logic to egress-gateway team (#26952, @jibi)
CODEOWNERS: assign pkg/backoff to @cilium/sig-agent (#26573, @jibi)
codeowners: include sig-servicemesh into cilium envoy & spire helm (#27559, @mhofstetter)
CODEOWNERS: remove stale cilium_egress_gateway_policy.go entry (#27234, @giorio94)
Computed and propagated the value of OldEndpoints field when merging remote cluster information. (#26474, @akstron)
config: Use String instead of StringVar method (#27794, @pippolo84)
Configure the linux node config writer through Hive (#27180, @giorio94)
contrib: add check for new files in check-(api|k8s)-code-gen scripts (#26790, @giorio94)
contrib: Add support for X.Y.Z-pre.N releases (#27807, @joestringer)
contrib: fix bump-readme script (#27648, @nebril)
contrib: Make hint command copy and paste friendly (#27585, @sayboras)
Correct cni path in k3s installation documentation for rancher desktop (#27702, @RichardoC)
Creation of the /hello endpoint is delayed until the host datapath has been initialized. (#27392, @lmb)
daemon: remove redundant wait on restoreComplete (#27603, @ti-mo)
daemon: Use API server cell and adapt handlers (#25000, @joamaki)
datapath/linux/probes: remove unused Have{Map,Program}Type wrappers (#26666, @tklauser)
datapath: Devices table and controller (#24677, @joamaki)
Disable StateDB metrics by default (#27657, @dylandreimerink)
Do not log on errant release of reserved identity (#26768, @asauber)
doc: Documented pitfall with NS labels in CNPs (#26134, @PhilipSchmid)
doc: Improved Cilium ingress annotations table (#26381, @PhilipSchmid)
docs: Add Conformance Badge for Gateway API (#27470, @sayboras)
docs: Add docs structure recommendations, update style guide (#26632, @qmonnet)
docs: Add Keploy to user list (#27244, @Sonichigo)
docs: Add missing spelling exception (#26780, @qmonnet)
docs: Document Potential Dual-Stack Upgrade Issues for 1.15 (#25204, @nathanjsweet)
docs: Fix a typo and improve readability of a control plane architecture description in BGP Control Plane documentation (#27461, @distributethe6ix)
Docs: Fix ipam_nodes metric description (#27217, @antonipp)
docs: fix minor TOC issues (#26714, @networkop)
docs: Fix the typo for SPIRE PVC installation option name (#27503, @haiyuewa)
docs: fix typo in troubleshooting guide (#26811, @learnitall)
docs: Fix unintentional boolean value in YAML (#26682, @dgl)
docs: Improve wording for labels and services policies (#27171, @joestringer)
docs: Improve wording in contributions guide (#27407, @joestringer)
docs: optimize ingress default tls secret documentation (#26684, @mhofstetter)
docs: Split, update, improve the contributing guide for reviewers and committers (#27085, @qmonnet)
Document Kind Delve debugging workflow (#26506, @ti-mo)
Documentation: Replace netperf images in StarWars demos (#26842, @hhoover)
Don't retry one shot jobs during hive shutdown (#27395, @giorio94)
Drop mock file support from clustermesh-apiserver (#27825, @giorio94)
drop support for 1.11 (#27077, @aanm)
egressgw: always set ifaceName in deriveFromPolicyGatewayConfig() (#26973, @julianwiedmann)
egressgw: delete stale nexthop routes (#27105, @julianwiedmann)
egressgw: detect conflicting configurations in ENI mode (#27281, @julianwiedmann)
egressgw: use Resource[T] to consume CiliumEgressGatewayPolicy (#26960, @lmb)
egressgw: use route.Upsert() for inserting nexthop / prefix IP route (#26990, @julianwiedmann)
Enable strict validation of cluster config for clustermesh (#27246, @giorio94)
endpoint/id: simplify TestSplitID (#26581, @tklauser)
Endpoint: actually treat identifiers as immutable, remove lock (#26757, @squeed)
endpoint: moveNewFilesTo performance and error handling improvements (#26238, @learnitall)
endpointmanager: unexport and inline functions only used in the package (#27426, @tklauser)
endpointslice: fix EndpointSlice import (#26938, @mhofstetter)
envoy: Bump cilium proxy to latest version (#27555, @mhofstetter)
envoy: set socket opts only if not already present in CEC (#27531, @mhofstetter)
Fix restore of previous router IP due to missing VPC CIDR in Alibabacloud section of CiliumNode Spec (#26843, @haozhangami)
Fix spelling for "WireGuard" (#26764, @qmonnet)
fix(deps): update all go dependencies main (main) (#26567, @renovate[bot])
fix(deps): update all go dependencies main (main) (#27348, @renovate[bot])
fix(deps): update all go dependencies main (main) (#27440, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#26695, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#26822, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#27266, @renovate[bot])
fix(deps): update all go dependencies main (main) (minor) (#27742, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#26569, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#26693, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#26820, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27135, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27260, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27441, @renovate[bot])
fix(deps): update all go dependencies main (main) (patch) (#27736, @renovate[bot])
fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.445 (main) (#26832, @renovate[bot])
fix: add check if debug is enabled when adding trace levels to envoy deamonset. (#27161, @dreanor65)
fix: platform typo (#27368, @testwill)
Fixed conflicting PRs in main (#27209, @dylandreimerink)
Fixes: typo (#27201, @weizhoublue)
For services with External Traffic Policy: Local Service health returns http header "X-Load-Balancing-Endpoint-Weight" with number of local endpoints. The same information is still available in response body JSON payload.LocalEndpoints. (#27017, @cezarygerard)
Generalize ClusterID reservation mechanism for clustermesh (#27248, @giorio94)
gh: feature template: s/request/proposal (#27023, @julianwiedmann)
go.mod, renovate: specify and update Go toolchain version (#27820, @tklauser)
go.mod, vendor: use github.com/cilium/dns fork directly (#27582, @tklauser)
helm: Fix typo in cilium chart's description (#27389, @nu-wa)
helm: Improve debug.verbose docs (#26463, @lgadban)
helm: put extraConfig back to the end of ConfigMap cilium-config (#27556, @mhofstetter)
helm: Updated description for Helm 'devices' flag (#26557, @PhilipSchmid)
Hubble-ui now supports liveness and readiness probes (#27028, @mkilchhofer)
images/builder: update dependencies (#27566, @rolinh)
Import new version of forked controller-tools (#26918, @AwesomePatrol)
improv: check for k8s backing before running sync (#27269, @kwakubiney)
Improve documentation for review process for contributors and reviewers (#27324, @joestringer)
Improve Hubble decoding performance for drop, debug, policy and tracesock events (#25751, @Jack-R-lantern)
Improve Hubble decoding performance for trace events (#24162, @brancz)
Improve translation of CIDRGroupRefs (#26369, @pippolo84)
init.sh: move netlink device creation to Go (#27082, @rgo3)
init.sh: move obsolete bpf_host removal to Go (#26539, @rgo3)
Introduce resiliency package (#27614, @derailed)
ipam,alibabacloud: Improve event driven instance resync (#25619, @jaffcheng)
ipam: remove always-nil NewCIDRRange error return value (#26706, @tklauser)
ipcache: Deprecate old API (#27576, @joestringer)
ipcache: propagate cluster ID as part of the key (#27337, @giorio94)
ipcache: Skip conflict logging for tunnelpeer if native routing (#27331, @christarazi)
k8s/apis: refactor CRD registration helpers into a separate package (#26834, @tklauser)
kvstore: drop unused deleteInvalidPrefixes variable (#27074, @giorio94)
Log endpoint instead of pod names where appropriate (#27427, @tklauser)
MAINTAINERS: Add Jussi Mäki (#26603, @michi-covalent)
Make it easier to depend on clustermesh types outside of its package (#27242, @giorio94)
Make the community team the owner of /USERS.md (#27321, @michi-covalent)
make: allow to override values.yaml template name (#27235, @giorio94)
Makefile: remove check-go-version target (#27460, @tklauser)
maps: do not depend on global variable to initialize CT maps (#27275, @giorio94)
maps: maglev_test: remove toleration for 4.9 kernel (#27046, @julianwiedmann)
Misc updates in renovate configuration (#27328, @aanm)
mlh: disable remove PR to project (#26863, @mhofstetter)
mlh: use a regexp to check signed-off-by (#27732, @kaworu)
netns: remove unused RemoveIfFromNetNSWithNameIfBothExist (#27411, @tklauser)
node: introduce prefix cluster mutator (#27354, @giorio94)
nodediscovery: support additional IP address sources for the local node (#27507, @tklauser)
Operator: Add missing observability for Azure API calls (#26277, @hemanthmalla)
pkg/aws: Improve event driven instance resync for AWS IPAM (#27791, @jaffcheng)
pkg/cidr: Move linux specific variable references from netlink (#27638, @aditighag)
pkg/policy: Convert benchmarks in resolve_test.go to std benchmarks (#27815, @christarazi)
plugins/cilium-cni: cleanups around IPAM allocation and veth pair creation (#26595, @tklauser)
plugins/cilium-cni: make error formatting consistent (#27535, @tklauser)
plugins/cilium-cni: reduce string allocations of CNI command arguments (#27681, @tklauser)
policy: Describe CIDR superset logic for denies and FQDN (#26720, @joestringer)
Prepare for release v1.14.0-rc.0 (#26546, @joestringer)
Prepare for v1.15 development cycle (#26516, @joestringer)
Provide CT/NAT maps GC logic through hive (#27356, @giorio94)
proxy: introduce envoy cell (#26657, @mhofstetter)
proxy: refactor package global vars to proxy fields (#26619, @mhofstetter)
proxy: refactor proxy.CreateOrUpdateRedirect (#26839, @mhofstetter)
proxy: remove unused xds resource access timeout (#26747, @mhofstetter)
README: Remove v1.11 from stable releases table (#27466, @joestringer)
Refactor duplicate imports for Cilium v2alpha1 API (#26620, @dlapcevic)
Refactor the per-cluster CT maps manager (#27448, @giorio94)
Refactor the per-cluster NAT maps manager (#27430, @giorio94)
Refactor watchstore/watchsync metrics (#27485, @marseel)
Refactors the use of ControlPlaneState in the BGP-CP (#26992, @ldelossa)
Register endpointmanager metrics via dependency injected registry (#26078, @dylandreimerink)
relicense test/bpf/unit_test.c to not be GPL (#26618, @Joffref)
Remove NodeSpecer and ControlPlaneState from BGP-CP. Rely on Hive/Cell for further ConfigReconciler dependencies. (#27285, @ldelossa)
Remove unnecessary type conversions in fqdn zombies handling (#27047, @giorio94)
removed unnecessary 'revert' parameter from Newk8sTranslator and updated api calls accordingly. (#26217, @akstron)
Removes Unused TransformToNode() Func (#26743, @danehans)
renovate: ignore all gops updates (#27631, @tklauser)
Replace some usages of fmt.Sprintf with more efficient string concatenation (#27518, @schlosna)
Replace StateDB with StateDB2 (#27628, @dylandreimerink)
resource: Add support for custom Indexers (#27032, @pippolo84)
Revert ".github: write the right regex for little-vm-images versioning" (#27415, @aanm)
Revert "Refactor hubble redact settings schema" (#27352, @joamaki)
Set RouteMTU for generic veth (#26495, @sugangli)
SRv6: Add quality of life methods for SID map usage. (#27192, @ldelossa)
statedb v2.0 with per-table locks and delete tracking (#27160, @joamaki)
statedb: extract REST API handler to pkg (#26645, @bimmlerd)
statedb: Rename statedb2 to statedb (#27643, @joamaki)
Support for batch deletion of endpoints (#27351, @tklauser)
test/controlplane: Fix hostport test after API change (#26685, @pippolo84)
tests: replace more incorrect DeepEquals uses (#25829, @markpash)
treewide: wrap multiple errors using the standard library (#26524, @rolinh)
typo in the debug document (#27627, @weizhoublue)
typo: the clustermesh secret name (#27658, @weizhoublue)
Update Palantir usecases (#26633, @ungureanuvladvictor)
Update prereleases (#26871, @joestringer)
Update renovate configuration for ginkgo and kindest/node (#27347, @aanm)
Update stable releases (#27112, @aanm)
Update stable releases (#27126, @nathanjsweet)
Update stable releases (#27637, @asauber)
Update the TCP conntrack entry timeouts to a lower value, so that closed entries are garbage collected earlier, thus freeing up the conntrack map. (#27665, @aditighag)
Use generic Set instead of specified Set (#26378, @bzsuni)
Use generics in k8s factory functions (#26367, @AwesomePatrol)
Use Go 1.19 atomic types (#27563, @tklauser)
USERS: Add Trendyol (#26946, @eminaktas)
vendor: downgrade github.com/shirou/gopsutil/v3 to v3.23.2 (#27623, @aanm)
watchers: use resource for network policies (#26601, @bimmlerd)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.15.0-pre.0@sha256:1304d3708e5a82a222f95993e19635e1db892cdc0c6ed7c07870953adc6afa7a
quay.io/cilium/cilium:v1.15.0-pre.0@sha256:1304d3708e5a82a222f95993e19635e1db892cdc0c6ed7c07870953adc6afa7a

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.15.0-pre.0@sha256:2e23459444d4422352a2f69aba5f2daa041f5fcbb4e0be83d339819ac44c60fd
quay.io/cilium/clustermesh-apiserver:v1.15.0-pre.0@sha256:2e23459444d4422352a2f69aba5f2daa041f5fcbb4e0be83d339819ac44c60fd

docker-plugin

docker.io/cilium/docker-plugin:v1.15.0-pre.0@sha256:e9bbb0e0ca7071a62a1b25ff4a5bfa296cd81622fa64f25853006272a607bd53
quay.io/cilium/docker-plugin:v1.15.0-pre.0@sha256:e9bbb0e0ca7071a62a1b25ff4a5bfa296cd81622fa64f25853006272a607bd53

hubble-relay

docker.io/cilium/hubble-relay:v1.15.0-pre.0@sha256:3221382f24e65d4e91d1849f7f59229303cda6bfd73b083196bd15efb14d876b
quay.io/cilium/hubble-relay:v1.15.0-pre.0@sha256:3221382f24e65d4e91d1849f7f59229303cda6bfd73b083196bd15efb14d876b

kvstoremesh

docker.io/cilium/kvstoremesh:v1.15.0-pre.0@sha256:99704026b6d03301dafe0582fe49f35f5bb27d118a8137ef172aa539663c5146
quay.io/cilium/kvstoremesh:v1.15.0-pre.0@sha256:99704026b6d03301dafe0582fe49f35f5bb27d118a8137ef172aa539663c5146

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.15.0-pre.0@sha256:423494d02450e3032d4faf7e8eb2d128e7aa8ff03a7345e9e501932eb4a8f626
quay.io/cilium/operator-alibabacloud:v1.15.0-pre.0@sha256:423494d02450e3032d4faf7e8eb2d128e7aa8ff03a7345e9e501932eb4a8f626

operator-aws

docker.io/cilium/operator-aws:v1.15.0-pre.0@sha256:8f1bbb26ce99c742ed7540f5743844af6af39aa1673b41d8f42575fa3f92b505
quay.io/cilium/operator-aws:v1.15.0-pre.0@sha256:8f1bbb26ce99c742ed7540f5743844af6af39aa1673b41d8f42575fa3f92b505

operator-azure

docker.io/cilium/operator-azure:v1.15.0-pre.0@sha256:cef7f3e08d2583ff2164619ee292f83a3f6080726aef234b668140e73af0b3c2
quay.io/cilium/operator-azure:v1.15.0-pre.0@sha256:cef7f3e08d2583ff2164619ee292f83a3f6080726aef234b668140e73af0b3c2

operator-generic

docker.io/cilium/operator-generic:v1.15.0-pre.0@sha256:70e4783222ccf4906fd28b404d7c64022af9262380fdbfc45f4f66c9892f7b82
quay.io/cilium/operator-generic:v1.15.0-pre.0@sha256:70e4783222ccf4906fd28b404d7c64022af9262380fdbfc45f4f66c9892f7b82

operator

docker.io/cilium/operator:v1.15.0-pre.0@sha256:87346a6675725fff13ebf07eb6f48f46385c1464d2ea5572d5a843784143c13d
quay.io/cilium/operator:v1.15.0-pre.0@sha256:87346a6675725fff13ebf07eb6f48f46385c1464d2ea5572d5a843784143c13d

helm/cilium/cilium 1.15.0-pre.0 on Artifact Hub