cilium/cilium v1.14.12

1.14.12

on GitHub

We are pleased to release Cilium v1.14.12 that improves background resynchronization of nodes, improves the CLI to troubleshoot connectivity issues, lowers CPU consumption with IPsec for large clusters, and brings a number of additional fixes. Thanks to all contributors, reviewers, testers, and users! ❤️

Summary of Changes

Minor Changes:

• (v1.14) Generate SBOMs using Syft instead of bom (#32750, @ferozsalam)
• Improved background resynchronization of nodes. Before all nodes were being updated at the same time, now we spread updates over time to average out CPU usage. (Backport PR #32874, Upstream PR #32577, @marseel)
• Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (Backport PR #32571, Upstream PR #32336, @giorio94)
• ipsec: Improve CPU usage of cilum-agent in large clusters (Backport PR #32883, Upstream PR #32588, @marseel)
• pkg/labels: print all leaf CIDRs, not just the last one. (Backport PR #32511, Upstream PR #28224, @squeed)

Bugfixes:

• .github/workflows: fix digests file creation (Backport PR #32888, Upstream PR #32860, @aanm)
• [v1.14] iptables: Do not install NOTRACK rules if IPv4NativeRoutingCIDR is nil (#32650, @pippolo84)
• cni: Reserve local ports for DNS proxy even if IPv6 is disabled (Backport PR #32787, Upstream PR #32725, @gandro)
• Fix PromQL query in Cilium Metrics dashboard (Backport PR #32695, Upstream PR #32017, @mikemykhaylov)
• Fix rare race condition afflicting clustermesh when disconnecting from a remote cluster, possibly causing the agent to panic (Backport PR #32695, Upstream PR #32513, @giorio94)
• Fix: Ensure enabling metrics turns on identity GC metrics (#32447, @jaredledvina)
• Fixes accidentally ignoring the preflight.nodeSelector Helm value. (Backport PR #32695, Upstream PR #32548, @squeed)
• ipsec: Safely delete Xfrm state (Backport PR #32704, Upstream PR #32450, @jschwinger233)
• proxy: Re-enable proxy rule installation in native-routing mode for CEC (Backport PR #32483, Upstream PR #32367, @sayboras)
• Remove deprecated hubble.ui.securityContext.enabled from hubble-ui deployment template (Backport PR #32888, Upstream PR #32338, @stelucz)

CI Changes:

• ci: Filter supported versions of EKS (Backport PR #32888, Upstream PR #32304, @marseel)
• ci: Filter supported versions of GKE (Backport PR #32695, Upstream PR #32302, @marseel)
• ci: l4lb: Don't hang on gathering logs forever (Backport PR #32968, Upstream PR #32947, @joestringer)
• ci: l4lb: gather more infos about docker-in-docker issues (Backport PR #32695, Upstream PR #32570, @mhofstetter)
• ci: l4lb: restart docker-in-docker container on failure (Backport PR #32695, Upstream PR #32600, @mhofstetter)
• eks: Don't use spot instances (Backport PR #32695, Upstream PR #32553, @michi-covalent)
• GCP OIDC instead of SA creds. (Backport PR #32708, Upstream PR #30809, @viktor-kurchenko)
• gha: test certificate generation methods in conformance clustermesh (Backport PR #32787, Upstream PR #32654, @giorio94)
• Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a workflow_dispatch event. (Backport PR #32503, Upstream PR #31424, @learnitall)
• Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR #32503, Upstream PR #32402, @michi-covalent)
• workflows: ignore "No egress gateway found" drops (Backport PR #32695, Upstream PR #32564, @jibi)
• workflows: Remove stale CodeQL workflow (Backport PR #32695, Upstream PR #32084, @pchaigno)

Misc Changes:

• (v1.14) Bump golang.org/x/net (#32792, @ferozsalam)
• background-sync: fix bootstrap issue and edge-case with 1 node (Backport PR #32874, Upstream PR #32630, @marseel)
• bump cni plugins to v1.5.0 (Backport PR #32695, Upstream PR #32629, @antonipp)
• Bump timeout of lint-build-commits.yaml (Backport PR #32787, Upstream PR #32746, @YutaroHayakawa)
• chore(deps): update all github action dependencies (v1.14) (#32495, @renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#32637, @renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#32720, @renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#32741, @renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#32842, @renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (#32925, @renovate[bot])
• chore(deps): update all github action dependencies (v1.14) (patch) (#32638, @renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.16.7 (v1.14) (#32496, @renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.18 (v1.14) (#32581, @renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.9 (v1.14) (#32836, @renovate[bot])
• chore(deps): update dependency cilium/hubble to v0.13.5 (v1.14) (#32949, @cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.10 docker digest to 16438a8 (v1.14) (#32636, @renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 19478ce (v1.14) (#32924, @renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to a6d2b38 (v1.14) (#32369, @renovate[bot])
• chore(deps): update github/codeql-action action to v3.25.5 (v1.14) (#32510, @renovate[bot])
• chore(deps): update go to v1.21.11 (v1.14) (#32895, @renovate[bot])
• chore(deps): update hubble cli to v0.13.4 (v1.14) (#32722, @renovate[bot])
• chore(deps): update stable lvh-images (v1.14) (patch) (#32723, @renovate[bot])
• contrib: Remove CHARTS_PATH dependency (Backport PR #32695, Upstream PR #32328, @joestringer)
• Docs: add note about AKS kube-apiserver entity (Backport PR #32695, Upstream PR #32464, @darox)
• docs: ipsec: remove limitation for native-routing with L7 egress policy (Backport PR #32956, Upstream PR #32906, @julianwiedmann)
• Miscellaneous improvements to the clustermesh troubleshooting guide (Backport PR #32571, Upstream PR #32552, @giorio94)
• Remove release scripts (Backport PR #32968, Upstream PR #32938, @aanm)

Other Changes:

• [1.14-backport] ipsec: Fix unencrypted traffic when IPsec is used with L7 egress proxy (#31976, @jschwinger233)
• [v1.14] bugtool: Avoid sensitive data in envoy config dump (#32965, @sayboras)
• [v1.14] envoy: Bump envoy version to v1.28.4 (#32910, @sayboras)
• envoy: Update envoy 1.27.x to 1.28.3 (#32482, @sayboras)
• install: Update image digests for v1.14.11 (#32545, @nebril)

v1.14.12

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.12@sha256:9c9612ed763a9ff823aca5e56aff6bb1e8ca36516282ed7f5c1b8866d011752c
quay.io/cilium/cilium:v1.14.12@sha256:9c9612ed763a9ff823aca5e56aff6bb1e8ca36516282ed7f5c1b8866d011752c

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.12@sha256:39e4ddad59cc3a4c05e7f44333fcbc8e1e64ee5eed8b9614916ed9673bb10a92
quay.io/cilium/clustermesh-apiserver:v1.14.12@sha256:39e4ddad59cc3a4c05e7f44333fcbc8e1e64ee5eed8b9614916ed9673bb10a92

docker-plugin

docker.io/cilium/docker-plugin:v1.14.12@sha256:7f358167a6c57fab052c524ee9b638784f90f904631423c7cf51f8fe301e1107
quay.io/cilium/docker-plugin:v1.14.12@sha256:7f358167a6c57fab052c524ee9b638784f90f904631423c7cf51f8fe301e1107

hubble-relay

docker.io/cilium/hubble-relay:v1.14.12@sha256:63749d9af901846b8a9229e01210afce2f9b1769419deaf55571dd16b7864574
quay.io/cilium/hubble-relay:v1.14.12@sha256:63749d9af901846b8a9229e01210afce2f9b1769419deaf55571dd16b7864574

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.12@sha256:c46f1939edd78d38f537e52b12ea051bafc591611b75e197bebb1e508764b565
quay.io/cilium/kvstoremesh:v1.14.12@sha256:c46f1939edd78d38f537e52b12ea051bafc591611b75e197bebb1e508764b565

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.12@sha256:e01302d3c00ce5b8e29703d4fdafefb0e9f4e65d1849a5551e0ad4d45a7af42c
quay.io/cilium/operator-alibabacloud:v1.14.12@sha256:e01302d3c00ce5b8e29703d4fdafefb0e9f4e65d1849a5551e0ad4d45a7af42c

operator-aws

docker.io/cilium/operator-aws:v1.14.12@sha256:a922c610fbc6e3e8bfda1876c6b2644f605b0cdec78f49854b9ce02213dc0abe
quay.io/cilium/operator-aws:v1.14.12@sha256:a922c610fbc6e3e8bfda1876c6b2644f605b0cdec78f49854b9ce02213dc0abe

operator-azure

docker.io/cilium/operator-azure:v1.14.12@sha256:416a39117ab7d261aacafc6e70e58bb0979c81c3c9d5cc4769f626de3f8015dd
quay.io/cilium/operator-azure:v1.14.12@sha256:416a39117ab7d261aacafc6e70e58bb0979c81c3c9d5cc4769f626de3f8015dd

operator-generic

docker.io/cilium/operator-generic:v1.14.12@sha256:0dd45f29aadeca7b9ef9f42991130ca135e54801c65416bd727add19e4727ba6
quay.io/cilium/operator-generic:v1.14.12@sha256:0dd45f29aadeca7b9ef9f42991130ca135e54801c65416bd727add19e4727ba6

operator

docker.io/cilium/operator:v1.14.12@sha256:5e1552ebb3e95655ec301637b2a9f90669e214d0d2f4c5397e867f4ae36bf262
quay.io/cilium/operator:v1.14.12@sha256:5e1552ebb3e95655ec301637b2a9f90669e214d0d2f4c5397e867f4ae36bf262