Revision ca1af73ffe025e2ebdb6c8cd5b2cfb1909cb3b06 authored by Tim Horner on 13 March 2024, 15:45:55 UTC, committed by Jarno Rajahalme on 13 March 2024, 21:52:50 UTC
Signed-off-by: Tim Horner <timothy.horner@isovalent.com>
1 parent a58e3f4
CHANGELOG.md
# Changelog

## v1.13.13

Summary of Changes
------------------

**Bugfixes:**
* Fixes an L7 proxy issue by re-introducing 2005 route table. (Backport PR #31161, Upstream PR #29530, @jschwinger233)
* Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (Backport PR #31161, Upstream PR #29594, @jschwinger233)
* Fixes proxy issues in egress direction (Backport PR #31161, Upstream PR #30095, @jschwinger233)

**CI Changes:**
* ci/ipsec: Fix downgrade version retrieval (Backport PR #31049, Upstream PR #30742, @qmonnet)
* ci: Enhance test execution security by restricting permissions to the 'organization-members' team (Backport PR #30865, Upstream PR #30790, @brlbil)
* CI: Update tested K8S versions across all cloud providers (Backport PR #30865, Upstream PR #30795, @brlbil)
* Fix datapath mode in Network Performance CI test (Backport PR #30865, Upstream PR #30756, @marseel)
* k8s_install.sh: specify the CNI version (Backport PR #31246, Upstream PR #31182, @aanm)
* workflows: Clean IPsec test output (Backport PR #30801, Upstream PR #30759, @pchaigno)

**Misc Changes:**
* bpf: host: skip from-proxy handling in from-netdev (Backport PR #31161, Upstream PR #29962, @julianwiedmann)
* bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic (Backport PR #31161, Upstream PR #29721, @julianwiedmann)
* bugtool: Capture memory fragmentation info from /proc (Backport PR #31157, Upstream PR #30966, @pchaigno)
* Bump google.golang.org/protobuf (v1.13) (#31312, @ferozsalam)
* Change ariane config CODEOWNERS (Backport PR #30865, Upstream PR #30803, @brlbil)
* chore(deps): update all github action dependencies (v1.13) (#30957, @renovate[bot])
* chore(deps): update all github action dependencies (v1.13) (#31115, @renovate[bot])
* chore(deps): update all github action dependencies (v1.13) (#31298, @renovate[bot])
* chore(deps): update all github action dependencies to v4 (v1.13) (major) (#30783, @renovate[bot])
* chore(deps): update all-dependencies (v1.13) (#30955, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 77906da (v1.13) (#31295, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e9569c2 (v1.13) (#30737, @renovate[bot])
* chore(deps): update go to v1.21.7 (v1.13) (#30956, @renovate[bot])
* chore(deps): update go to v1.21.8 (v1.13) (#31185, @renovate[bot])
* chore(deps): update hubble cli to v0.13.2 (v1.13) (#31340, @renovate[bot])
* chore(deps): update kindest/node docker tag to v1.27.11 (v1.13) (#31141, @renovate[bot])
* chore(deps): update quay.io/lvh-images/kind docker tag to v6.6-20240221.111541 (v1.13) (#30982, @renovate[bot])
* chore(deps): update stable lvh-images (v1.13) (patch) (#30812, @renovate[bot])
* chore(deps): update stable lvh-images (v1.13) (patch) (#31142, @renovate[bot])
* chore(deps): update stable lvh-images (v1.13) (patch) (#31296, @renovate[bot])
* docs: Document XfrmInStateInvalid errors (Backport PR #30801, Upstream PR #30151, @pchaigno)
* docs: Fix 'kubectl exec' invocations (quotes, double dash separator) in example script kafka-sw-gen-traffic.sh (Backport PR #31157, Upstream PR #30462, @saintdle)
* images: bump cni plugins to v1.4.1 (#31350, @aanm)
* pkg: proxy: only install from-proxy rules/routes for native routing (Backport PR #31161, Upstream PR #29761, @julianwiedmann)

**Other Changes:**
* [v1.13] envoy: Bump golang version to 1.21.8 (#31223, @sayboras)
* install: Update image digests for v1.13.12 (#30753, @michi-covalent)

## v1.13.12

Summary of Changes
------------------

**Minor Changes:**
* api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #30386, Upstream PR #30167, @viktor-kurchenko)
* helm: Add extraVolumeMounts to cilium config init container (Backport PR #30386, Upstream PR #30131, @ayuspin)
* ui: release v0.13.0 (Backport PR #30723, Upstream PR #30711, @geakstr)

**Bugfixes:**
* Add specific drop reason for missing tail calls if the host datapath is not ready yet (Backport PR #30315, Upstream PR #29482, @ti-mo)
* Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #30315, Upstream PR #30248, @ti-mo)
* Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #30522, Upstream PR #30399, @tlcowling)
* Updating ENI prefix delegation fallback to use dedicated error codes (Backport PR #30679, Upstream PR #30536, @hemanthmalla)

**CI Changes:**
* [v1.13] backport Go version check fixes in preparation for Go 1.21 update (#30417, @tklauser)
* ci/ipsec: Fix version retrieval for downgrades to closest patch release (Backport PR #30522, Upstream PR #30503, @qmonnet)
* ci: add trigger phrase to Gateway API conformance test workflow name (Backport PR #30679, Upstream PR #30525, @tklauser)
* CI: Change cloud regions (Backport PR #30679, Upstream PR #30378, @brlbil)
* gha: explicitly specify beefier runner type for clustermesh workflows (Backport PR #30386, Upstream PR #30335, @giorio94)
* gha: make runner type for clustermesh workflows configurable (Backport PR #30679, Upstream PR #30496, @giorio94)
* Network performance (Backport PR #30679, Upstream PR #30247, @marseel)
* Rework GHA workflows to checkout the untrusted context in a separate directory for increased separation (Backport PR #30386, Upstream PR #30207, @giorio94)
* Update GitHub upload-artifact action (Backport PR #30522, Upstream PR #30443, @brlbil)

**Misc Changes:**
* Added Last page Edit on Documentation (Backport PR #30679, Upstream PR #30612, @gailsuccess)
* bpf: lb: return drop reasons from __lb4_rev_nat() (Backport PR #30522, Upstream PR #30410, @julianwiedmann)
* build(deps): bump jinja2 from 3.1.2 to 3.1.3 in /Documentation (Backport PR #30522, Upstream PR #30219, @dependabot[bot])
* chore(deps): update go to v1.20.13 (v1.13) (patch) (#30186, @renovate[bot])
* chore(deps): update go to v1.21.6 (v1.13) (minor) (#29817, @renovate[bot])
* chore(deps): update hubble cli to v0.13.0 (v1.13) (minor) (#30275, @renovate[bot])
* chore(deps): update stable lvh-images (v1.13) (patch) (#30493, @renovate[bot])
* doc: Add Azure CNI Powered by cilium as external installer (Backport PR #30386, Upstream PR #28286, @tamilmani1989)
* docs: warn users that IPsec and KPR are mutually exclusive (Backport PR #30522, Upstream PR #30403, @f1ko)
* hubble-ui: release v0.12.3 (Backport PR #30522, Upstream PR #30422, @geakstr)
* loader, bpf: remove context cancellation check, lower pending map removal Warning to Info (Backport PR #30315, Upstream PR #30214, @ti-mo)

**Other Changes:**
* [1.13] Ignore ct buffer drops on minor release downgrades only (#30270, @rgo3)
* [v1.13] ci/ipsec: Fix downgrade version for release preparation commits (#30715, @qmonnet)
* [v1.13] ci/ipsec: Re-enable node-to-node-encryption check (#30402, @qmonnet)
* [v1.13] pkg/allocator: Improve 'Key allocation attempt failed' handling for CRD mode (#30120, @antonipp)
* bpf: l3: fix-up kube-proxy workaround in l3_local_delivery() to bpf_overlay (#30313, @julianwiedmann)
* envoy: Bump envoy version for x/net library (#30516, @sayboras)
* envoy: Bump envoy version to v1.26.7 (#30694, @sayboras)
* install: Update image digests for v1.13.11 (#30317, @gentoo-root)

## v1.13.11

Summary of Changes
------------------

**Minor Changes:**
* Reduce "stale identity observed" warnings (Backport PR #29997, Upstream PR #27894, @leblowl)

**Bugfixes:**
* Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #30216, Upstream PR #29239, @jrajahalme)
* cilium-preflight: use the k8s node name instead of relying on hostname (Backport PR #29997, Upstream PR #29809, @marseel)
* Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #29997, Upstream PR #29616, @learnitall)
* iptables: remove logic to control non-existent net.ipv6.ip_early_demux (Backport PR #30182, Upstream PR #29310, @julianwiedmann)
* nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #29974, Upstream PR #29964, @gandro)
* Restore host-stack bypass for pod-to-pod traffic in a configuration with kube-proxy, tunnel routing and per-endpoint routes. (Backport PR #30182, Upstream PR #27908, @julianwiedmann)

**CI Changes:**
* Add secondary iface to KIND network (Backport PR #30010, Upstream PR #26338, @ysksuzuki)
* ci-ipsec-upgrade: Add vxlan w/ no EP routes (Backport PR #29702, Upstream PR #29653, @brb)
* ci-ipsec-{e2e,upgrade}: Use lvh-kind (Backport PR #30010, Upstream PR #29514, @brb)
* ci/ipsec: Skip waiting for images when skipping upgrade/downgrade (Backport PR #30010, Upstream PR #29793, @qmonnet)
* ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (Backport PR #29847, Upstream PR #29455, @mhofstetter)
* ci: always use full matrix for scheduled cloud-provider workflows (Backport PR #29847, Upstream PR #29694, @mhofstetter)
* datapath: Cover subnet encryption in XFRM leak test (Backport PR #30081, Upstream PR #27212, @pchaigno)
* datapath: Fix TestNodeChurnXFRMLeaks (Backport PR #30081, Upstream PR #27274, @brb)
* gh/workflows: Add lvh-kind action and use it in ci-e2e (Backport PR #30010, Upstream PR #29485, @brb)
* gha: enable IPv6 in clustermesh upgrade/downgrade workflow (Backport PR #29847, Upstream PR #29675, @giorio94)
* node: Integration test for XFRM leaks on node churn (Backport PR #30081, Upstream PR #27187, @pchaigno)
* workflows: Increase IPsec e2e test's timeout (Backport PR #30267, Upstream PR #30194, @julianwiedmann)
* workflows: Increase IPsec upgrade test's timeout (Backport PR #30081, Upstream PR #29934, @pchaigno)
* workflows: Make the conn-disrupt test more sensitive (Backport PR #29702, Upstream PR #29623, @pchaigno)

**Misc Changes:**
* bpf: ipv4: always return drop reason from ipv4_handle_fragmentation() (Backport PR #29997, Upstream PR #29880, @julianwiedmann)
* chore(deps): update all github action dependencies (v1.13) (patch) (#29850, @renovate[bot])
* chore(deps): update go (v1.13) (patch) (#30143, @renovate[bot])
* doc: Update recommended way for installing cilium on AKS (Backport PR #30182, Upstream PR #28910, @tamilmani1989)
* docs: Fix keyid derivation in IPsec docs (Backport PR #30081, Upstream PR #30000, @brb)
* Fix kind.sh development scripts on MacOS (Backport PR #30010, Upstream PR #25317, @chancez)
* fix(deps): update module golang.org/x/crypto to v0.17.0 [security] (main) (Backport PR #30182, Upstream PR #29971, @renovate[bot])
* hubble: Reduce "stale identities observed" debug messages even more (Backport PR #29997, Upstream PR #29957, @gandro)
* Revert "cilium: Ensure xfrm state is initialized for route IP before … (Backport PR #29869, Upstream PR #29801, @jrfastab)

**Other Changes:**
* [1.13] Ignore packet drops of type Failed to update or lookup TC buffer (#30249, @rgo3)
* [1.13] loader: fix obsolete XDP program removal (#30231, @rgo3)
* [v1.13] ci: In conn-disrupt-test action, disable node-to-node-encryption check (#29741, @qmonnet)
* [v1.13] go.mod: bump Go to 1.20 (#29818, @tklauser)
* [v1.13] node: Fix IP removal from ipset on node updates (#29898, @qmonnet)
* install: Update image digests for v1.13.10 (#29807, @nebril)
* v1.13: ipam: Fix invalid PodCIDR in CiliumNode in ENI/Azure/MultiPool mode (#30137, @pchaigno)
* v1.13: update dependency cilium/cilium-cli to v0.15.19 (#30136, @pchaigno)

## v1.13.10

Summary of Changes
------------------

**Minor Changes:**
* helm: Add missing SA automount configuration (Backport PR #29690, Upstream PR #29511, @ayuspin)
* helm: Add SA to nodeinit ds (Backport PR #29690, Upstream PR #24836, @darox)
* helm: Allow setting resources for the agent init containers (Backport PR #29690, Upstream PR #29610, @ayuspin)

**Bugfixes:**
* Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29309, @ti-mo)
* ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (Backport PR #29640, Upstream PR #29098, @julianwiedmann)
* datapath: Fix ENI egress routing table for cilium_host IP (Backport PR #29391, Upstream PR #29335, @gandro)
* Fix bug where deleted nodes would reappear in the cilium_node_connectivity_* metrics (Backport PR #29640, Upstream PR #29566, @christarazi)
* Handle non-AEAD IPsec keys in `cilium encrypt status`. (Backport PR #29640, Upstream PR #29182, @viktor-kurchenko)
* Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (Backport PR #29709, Upstream PR #29340, @aanm)
* Support downgrade path for XDP attachments from Cilium 1.15 (#29105, @ti-mo)
* When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (Backport PR #29475, Upstream PR #29160, @julianwiedmann)

**CI Changes:**
* ci-ipsec-upgrade: Check for errors (Backport PR #29272, Upstream PR #29189, @brb)
* ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (Backport PR #29003, Upstream PR #29072, @brb)
* CI: Let actions/cilium-config use Chart.yaml-specified image by default (Backport PR #29003, Upstream PR #28016, @jschwinger233)
* Clean up tests-ipsec-upgrade workflow (Backport PR #29003, Upstream PR #27977, @michi-covalent)
* gha: align ci-ipsec-e2e workflow name to main (#29687, @giorio94)
* Test upgrade/downgrade to patch release for IPsec (Backport PR #29003, Upstream PR #28815, @qmonnet)
* Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (Backport PR #29475, Upstream PR #29409, @giorio94)
* workflows: Add debug info to IPsec key rotation test (Backport PR #29475, Upstream PR #29353, @pchaigno)
* travis: install buildkit in pre-install

**Misc Changes:**
* .github: use GitHub workflow from the same branch (#29256, @aanm)
* chore(deps): update actions/checkout action to v4 (v1.13) (#29287, @renovate[bot])
* chore(deps): update all github action dependencies (v1.13) (minor) (#29286, @renovate[bot])
* chore(deps): update all github action dependencies (v1.13) (patch) (#29139, @renovate[bot])
* chore(deps): update all lvh-images main (v1.13) (patch) (#29150, @renovate[bot])
* chore(deps): update all lvh-images main (v1.13) (patch) (#29419, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.20.12 (v1.13) (#29661, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.20.11 docker digest to 77e4e42 (v1.13) (#29285, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2b7412e (v1.13) (#29138, @renovate[bot])
* chore(deps): update hubble cli to v0.12.3 (v1.13) (patch) (#29747, @renovate[bot])
* chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.13) (#29289, @renovate[bot])
* ci-ipsec-upgrade: Do not run conn tests after installing Cilium (Backport PR #29192, Upstream PR #29178, @brb)
* Docs: Adds Webhook Limitation to EKS Install Doc (Backport PR #29640, Upstream PR #29497, @danehans)
* examples: update guestbook example with new image registry (Backport PR #29640, Upstream PR #29603, @mhofstetter)
* Fix bug preventing endpoint-related debug logs from being emitted (Backport PR #29700, Upstream PR #29495, @learnitall)
* images: bump cni plugins to v1.4.0 (Backport PR #29723, Upstream PR #29622, @squeed)
* ipsec: Small refactorings on key loading and state creation (Backport PR #29475, Upstream PR #29352, @pchaigno)
* Update the logrus dependency to address a security issue. (#29672, @rolinh)

**Other Changes:**
* [1.13] Address selectorcache concurrent read/write (#29186, @tklauser)
* [v1.13] Let renovatebot update Go toolchain version in a single PR (#29743, @tklauser)
* envoy: Bump cilium-envoy with golang 1.21.5 (#29655, @sayboras)
* envoy: Bump envoy container image with golang 1.21 and latest grpc package (#29384, @sayboras)
* install: Update image digests for v1.13.9 (#29136, @nathanjsweet)
* Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29206, @thorn3r)
* v1.13: ariane: Run ci-ipsec-upgrade when testing backports (#29227, @brb)

## v1.13.9

Summary of Changes
------------------

**Minor Changes:**
* Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (Backport PR #29089, Upstream PR #28928, @jrajahalme)
* Cilium now properly deletes stale (deleted) nodes from the node_connectivity_status and node_connectivity_latency_seconds metrics, reducing metric cardinality. (Backport PR #28932, Upstream PR #28382, @derailed)
* Display interfaces used for IPsec decryption in `cilium encrypt status`. (Backport PR #28761, Upstream PR #28640, @pchaigno)
* ipsec: New Prometheus metrics for XFRM configs (Backport PR #28761, Upstream PR #28400, @pchaigno)
* policy: Fixed a bug that incorrectly omitted port-protocol policy rules that omitted the "protocol" field. An omitted "protocol" field now, correctly, is the same as using the "ANY" protocol. (Backport PR #28761, Upstream PR #28703, @nathanjsweet)

**Bugfixes:**
* [v1.13] Remove remote-node labels from ipcache on node delete (#28972, @tklauser)
* bpf: Add TC_ACT_REDIRECT check for nodeport (Backport PR #29034, Upstream PR #28927, @sayboras)
* envoy: fix lb backend endpoint calculation (Backport PR #28877, Upstream PR #27923, @mhofstetter)
* Fix CIDR labels computation (Backport PR #28877, Upstream PR #28788, @pippolo84)
* Fix IPsec error logs to always have all information needed to identify the XFRM configuration on which the error happened. (Backport PR #29034, Upstream PR #28642, @pchaigno)
* When the CT entry for a DSR connection is garbage-collected, the corresponding SNAT entry is now also removed. (Backport PR #28877, Upstream PR #28857, @julianwiedmann)

**CI Changes:**
* [v1.13] Use pull_request_target in Update Backport Label workflow (#29011, @pippolo84)
* gh/workflows: Dump Cilium LB node logs in case of failure (Backport PR #29034, Upstream PR #28808, @brb)
* Test both VXLAN and GENEVE tunneling as part of the Conformance Cluster Mesh workflow (Backport PR #28877, Upstream PR #28767, @giorio94)

**Misc Changes:**
* bpf: lb: fix missing drop reason in reverse_map_l4_port() (Backport PR #29034, Upstream PR #28884, @julianwiedmann)
* bpf: lxc: remove stale ENABLE_IDENTITY_MARK ifdefs (Backport PR #28761, Upstream PR #28391, @julianwiedmann)
* bugtool: Collect XFRM error counters twice (Backport PR #28877, Upstream PR #28790, @pchaigno)
* chore(deps): update docker.io/library/golang docker tag to v1.20.11 (v1.13) (#29041, @renovate[bot])
* datapath: Move `linuxNodeHandler` IPsec functions to their own file (Backport PR #29034, Upstream PR #28941, @pchaigno)
* docs: Clarify BPF Map Pressure Metric (Backport PR #28761, Upstream PR #28682, @nathanjsweet)
* docs: Update IPsec key rotation command (Backport PR #28761, Upstream PR #28141, @jschwinger233)
* go.mod, vendor: use github.com/cilium/dns fork directly (Backport PR #29089, Upstream PR #27582, @tklauser)
* ipsec: Improve `encrypt flush` command (Backport PR #29034, Upstream PR #28795, @pchaigno)
* ipsec: Remove dead code for IPsec node encryption (Backport PR #29034, Upstream PR #28898, @pchaigno)
* labels/cidr: Memoize labels for already seen prefixes (Backport PR #28877, Upstream PR #28465, @pippolo84)
* labels/cidr: On the fly char replacement for IPv6 (Backport PR #28950, Upstream PR #28647, @pippolo84)
* labels: Use slices.Sort instead of sort.Strings (Backport PR #28950, Upstream PR #28649, @pippolo84)

**Other Changes:**
* [v1.13] Always migrate cilium_calls_* during ELF load (#28829, @ti-mo)
* [v1.13] backports 2023-10-25 (#28776, @sayboras)
* [v1.13] envoy: Bump version to v1.26.6 (#28854, @sayboras)
* [v1.13] envoy: Update envoy version to 1.25.x (#28331, @sayboras)
* install: Update image digests for v1.13.8 (#28636, @jrajahalme)

## v1.13.8

Summary of Changes
------------------

**Minor Changes:**
* bump grpc dependency to 1.56.3 to fix security vulnerability https://github.com/advisories/GHSA-qppj-fm5r-hxr3 (#28528, @aanm)
* vendor, azure: Bump Azure SDK to Aug 2021 (Backport PR #28316, Upstream PR #28311, @christarazi)

**Bugfixes:**
* Add drop notifications from various error paths in the BPF datapath. (Backport PR #28443, Upstream PR #26956, @julianwiedmann)
* envoy: Sync supported resources to fix not found issue (Backport PR #28350, Upstream PR #28272, @sayboras)
* Fix a bug that causes pod-to-pod traffic between nodes to be dropped when IPsec is enabled and kube-proxy installed rules in both iptables-nft and iptables-legacy. (Backport PR #28443, Upstream PR #28258, @pchaigno)
* Fix the trace notification for hairpinned reply traffic, to indicate the correct security identity for the client. (Backport PR #28251, Upstream PR #28133, @julianwiedmann)
* Fixes a bug causing panic when counting IPsec keys number via "cilium encrypt status". (Backport PR #28251, Upstream PR #27996, @jschwinger233)
* ipcache: fix flapping labels in SelectorCache when reserved:host identity has multiple IPs (Backport PR #28416, Upstream PR #28332, @squeed)
* pkg/k8s: use a deep copy of CNP in UpdateStatus to avoid race condition (Backport PR #28519, Upstream PR #28364, @aanm)
* pkg/node: Updates GetIPv6AllocCIDRs() to Properly Return Secondary CIDRs (Backport PR #28103, Upstream PR #27855, @danehans)

**CI Changes:**
* [v1.13] ci: Add a call to the update label backport action (#27877, @pippolo84)
* [v1.14] GHA: Add clustermesh upgrade and downgrade tests (Backport PR #28519, Upstream PR #28355, @giorio94)
* Add missing ariane trigger phrases (Backport PR #28087, Upstream PR #27822, @tklauser)
* ci-ipsec-upgrade: Enable IPv6 (Backport PR #28103, Upstream PR #27220, @brb)
* CI: Add conn-disrupt-test action for reuse (Backport PR #28120, Upstream PR #27567, @jschwinger233)
* CI: Add IPsec key rotation test (Backport PR #28120, Upstream PR #27203, @jschwinger233)
* CI: Move IPsec CI jobs into separate pipelines (Backport PR #28120, Upstream PR #26730, @jschwinger233)
* ci: Run BPF lints on workflow definition changes (Backport PR #28251, Upstream PR #28122, @qmonnet)
* ci: update k8s versions support for v1.13 (#28247, @nbusseneau)
* Do not hardcode the AWS VPC CNI plugin version in the conformance-aws-cni GHA workflow (Backport PR #28443, Upstream PR #28392, @giorio94)
* gha: Remove privileged helm option in {Ingress, Gateway} (Backport PR #28251, Upstream PR #28200, @sayboras)
* ingress: Add conformance test for KPR=false (Backport PR #28087, Upstream PR #27304, @sayboras)
* Refactor CiliumExecContext() Retry Logic (Backport PR #28251, Upstream PR #28131, @carnerito)
* Update image registry to quay.io (Backport PR #28251, Upstream PR #23093, @oxxenix)
* workflows/ipsec: Add missing `--flush-ct` for key rotation (Backport PR #28120, Upstream PR #27883, @pchaigno)

**Misc Changes:**
* Add option conntrackGCMaxInterval to allow limiting the maximum connection tracking GC interval. By default the automatic interval calculation may increase the interval up to 12 hours, which may incur an unreasonable delay to releasing of CIDR identities created from ToFQDN policies. Setting this option will limit the interval and ensure such identities are marked unused earlier and removed. (Backport PR #28251, Upstream PR #27870, @joamaki)
* bump k8s dependencies to 1.26.9 (#28559, @aanm)
* chore(deps): update all github action dependencies (v1.13) (patch) (#28106, @renovate[bot])
* chore(deps): update all github action dependencies to v3 (v1.13) (major) (#28109, @renovate[bot])
* chore(deps): update all lvh-images main (v1.13) (patch) (#28107, @renovate[bot])
* chore(deps): update all lvh-images main (v1.13) (patch) (#28213, @renovate[bot])
* chore(deps): update aws-actions/configure-aws-credentials action to v4 (v1.13) (#28110, @renovate[bot])
* chore(deps): update dependency cilium/hubble to v0.12.1 (v1.13) (#28525, @renovate[bot])
* chore(deps): update dependency cilium/hubble to v0.12.2 (v1.13) (#28567, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.20.10 (v1.13) (#28516, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.20.8 docker digest to 6b29720 (v1.13) (#28212, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.20.8 docker digest to 700d726 (v1.13) (#28083, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 9b8dec3 (v1.13) (#28385, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to a903800 (v1.13) (#28581, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to aabed32 (v1.13) (#27897, @renovate[bot])
* chore(deps): update docker/build-push-action action to v5 (v1.13) (#28111, @renovate[bot])
* chore(deps): update github/codeql-action action to v2.21.7 (v1.13) (#28214, @renovate[bot])
* chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.13) (#28112, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (v1.13) (#28543, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (v1.13) (#28572, @renovate[bot])
* ci: fix AWS EKS K8s versions comment (Backport PR #28350, Upstream PR #28249, @nbusseneau)
* docs: Add more details for the Cluster Mesh key rotation (Backport PR #28251, Upstream PR #28145, @margamanterola)
* docs: egressgw: document incompatibility with Clustermesh (Backport PR #28103, Upstream PR #27918, @julianwiedmann)
* docs: Makefile, check-build.sh clean-ups and perf improvements (Backport PR #28251, Upstream PR #28161, @qmonnet)
* docs: Mention `RouteTableInterfacesOffset` in system requirements (Backport PR #28443, Upstream PR #28358, @gandro)
* docs: rephrasing the hubble intro doc (Backport PR #28103, Upstream PR #27712, @vipul-21)
* docs: Update Sphinx and its dependencies, Cilium theme (Backport PR #28251, Upstream PR #28172, @qmonnet)
* Fix potential nil pointer dereference in SelectorManager implementation (Backport PR #28103, Upstream PR #27805, @learnitall)
* fix(deps): update module golang.org/x/net to v0.17.0 [security] (#28551, @aanm)
* hubble: Remove spammy debug log message on lost events (Backport PR #28103, Upstream PR #25321, @pchaigno)
* install/kubernetes: add the `cilium/values.yaml` target to `.PHONY` (Backport PR #28350, Upstream PR #28225, @nbusseneau)
* ipsec: Atomically upgrade XFRM states with new output-mark (Backport PR #28519, Upstream PR #28485, @pchaigno)
* Update docs theme (Backport PR #28443, Upstream PR #28403, @raphink)
* Update Hubble UI from v0.11.0 to v0.12.1 (#28534, @rolinh)

**Other Changes:**
* Backport v1.13: FQDN fixes (#28401, @joamaki)
* cocci: fix warnings related to const qualifiers and DROP_MISSED_TAIL_CALL (#28279, @giorio94)
* envoy: Bump envoy version to v1.24.11 (#28502, @sayboras)
* install: Update image digests for v1.13.7 (#28129, @michi-covalent)

## v1.13.7

Summary of Changes
------------------

**Minor Changes:**
* Report the kernel error code in case of packet drops due to failures to create NAT map entries. (Backport PR #27652, Upstream PR #25883, @julianwiedmann)

**Bugfixes:**
* bpf: lxc: support Pod->Service->Pod hairpinning with endpoint routes (Backport PR #27998, Upstream PR #27798, @ti-mo)
* envoy: fix panic writing accesslog without L7 tags (Backport PR #27651, Upstream PR #27453, @mhofstetter)
* Fix a bug that affected the RevDNAT translation of IPv6 packets with extension headers. (Backport PR #27393, Upstream PR #27312, @julianwiedmann)
* Fix a bug that could cause an incorrect max. sequence number to be reported by `cilium encrypt status` when IPsec is enabled. (Backport PR #27925, Upstream PR #27656, @pchaigno)
* Fix a bug where cilium host IP is not read from k8s node annotations (Backport PR #27651, Upstream PR #27590, @hemanthmalla)
* Fix bug limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #27393, Upstream PR #27168, @learnitall)
* Fix bug that could cause packet drops of type XfrmOutPolBlock while rotating the IPsec key. (Backport PR #27587, Upstream PR #27319, @jrfastab)
* Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (Backport PR #27998, Upstream PR #27602, @julianwiedmann)
* gateway-api: Merge externally annotations and labels for kubernetes types (Backport PR #27651, Upstream PR #27251, @farodin91)
* ingress: fix panic on ingress rule without HTTPIngressRule (Backport PR #27925, Upstream PR #27818, @mhofstetter)
* IPSec fix for race on init resulting in Xfrm*In* errors and dropped packets (Backport PR #28022, Upstream PR #28012, @jrfastab)
* k8s: Restrict configuring reserved:init policy via CNP (Backport PR #28039, Upstream PR #28007, @joestringer)
* Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (Backport PR #27925, Upstream PR #27572, @bimmlerd)
* proxy: Ignore visibility annotation if proxy is disabled (Backport PR #27741, Upstream PR #27597, @sayboras)

**CI Changes:**
* .github/workflows: unify time to wait for images to become available (Backport PR #27925, Upstream PR #27706, @tklauser)
* ci-ipsec-upgrade: Bump CLI to v0.15.5 (Backport PR #27393, Upstream PR #27230, @brb)
* ci-ipsec-upgrade: Skip upon test/Documentation changes (Backport PR #27741, Upstream PR #27644, @brb)
* ci: fix and standardize checkouts in privileged workflows (Backport PR #27393, Upstream PR #27193, @nbusseneau)
* ci: increase connectivity test timeout in GHA external workload (Backport PR #27393, Upstream PR #26975, @mhofstetter)
* ci: remove unavailable K8s 1.22 from GKE config (Backport PR #27393, Upstream PR #27365, @mhofstetter)
* CI: Rename workflow names (Backport PR #27741, Upstream PR #27391, @brlbil)
* CI: Update tested k8s version for aks (Backport PR #27651, Upstream PR #27457, @brlbil)
* gh/actions: Customize cilium-config (Backport PR #27925, Upstream PR #27416, @brb)
* gh/workflows: Use cilium-config action in ci-ipsec-upgrade (Backport PR #27925, Upstream PR #27359, @brb)
* ginkgo: Remove K8sDatapathCustomCalls (Backport PR #27925, Upstream PR #27911, @brb)

**Misc Changes:**
* Add WireGuard to the firewall rules documentation (Backport PR #27925, Upstream PR #27170, @joestringer)
* bpf: egressgw: set trace reason for reply traffic (Backport PR #27526, Upstream PR #27218, @julianwiedmann)
* bpf: nat: enable CT-driven trace aggregation (Backport PR #27526, Upstream PR #27178, @julianwiedmann)
* chore(deps): update actions/checkout action to v4 (v1.13) (#27927, @renovate[bot])
* chore(deps): update all github action dependencies (v1.13) (minor) (#27782, @renovate[bot])
* chore(deps): update all lvh-images main (v1.13) (patch) (#27423, @renovate[bot])
* chore(deps): update all lvh-images main (v1.13) (patch) (#27780, @renovate[bot])
* chore(deps): update all lvh-images main (v1.13) (patch) (#27945, @renovate[bot])
* chore(deps): update aws-actions/configure-aws-credentials action to v3 (v1.13) (#27783, @renovate[bot])
* chore(deps): update cilium/coccicheck docker tag to v2.4 (v1.13) (#27947, @renovate[bot])
* chore(deps): update dependency ubuntu to v22 (v1.13) (#27784, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.17.5 (v1.13) (#27781, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.20.7 (v1.13) (#27486, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.20.8 (v1.13) (#27991, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.20.7 docker digest to 741d6f9 (v1.13) (#27779, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ec050c3 (v1.13) (#27554, @renovate[bot])
* chore(deps): update sigstore/cosign-installer action to v3.1.2 (v1.13) (#27946, @renovate[bot])
* docs: Document `DROP_NO_NODE_ID` for IPsec (Backport PR #27393, Upstream PR #27184, @pchaigno)
* docs: Fix config option for spelling filters (Backport PR #27651, Upstream PR #27537, @qmonnet)
* docs: Fix Documentation Makefile to make Helm reference updates compatible with macOS (Backport PR #27651, Upstream PR #27495, @ishuar)
* docs: Harmonise references to Cilium Slack (Backport PR #27393, Upstream PR #27346, @qmonnet)
* docs: Have Makefile print generated image tags when running with V=0 (Backport PR #27393, Upstream PR #27250, @qmonnet)
* docs: Improve wording for labels and services policies (Backport PR #27925, Upstream PR #27171, @joestringer)
* docs: update L7 traffic CiliumClusterwideEnvoyConfig example (Backport PR #27651, Upstream PR #27409, @tanjunchen)
* docs: Update the microservices-demo link (Backport PR #27925, Upstream PR #27814, @haiyuewa)
* Update Cilium certgen from v0.1.8 to v0.1.9 (Backport PR #27651, Upstream PR #27511, @rolinh)

**Other Changes:**
* [1.13] test: add namespace name in pod metadata test (#28033, @nebril)
* doc: Migrate to .readthedocs.yaml configuration file v2 (#27570, @doniacld)
* install: Update image digests for v1.13.6 (#27455, @nebril)

## v1.13.6

Summary of Changes
------------------

**Minor Changes:**
* Prevent Cilium from running with Delegated IPAM at the same time as Ingress (Backport PR #27239, Upstream PR #26744, @rickysumho)
* Update Service Mesh docs to fix a number of issues (#27333, @youngnick)

**Bugfixes:**
* Fix a bug that affected the health-check feature in Stand-alone L4LB mode. For certain configurations (e.g. if both IPv4 and IPv6 support is enabled) health-check traffic would not get IPIP-encapsulated. (Backport PR #27154, Upstream PR #27015, @julianwiedmann)
* Fix a bug that could cause packet drops of type XfrmOutPolBlock when IPsec is enabled and nodes are recycled. Fix a bug that could cause IPsec-encrypted packets to be sent to the wrong destination node when node churn is high. (Backport PR #27107, Upstream PR #27029, @pchaigno)
* operator: Adjust CiliumEndpoint gc to account for kvstore mode (Backport PR #27154, Upstream PR #25324, @learnitall)

**CI Changes:**
* Add BPF unit tests for IPsec (Backport PR #27107, Upstream PR #25699, @jschwinger233)
* Add renovate tags for automatic updates of kernel version in v1.13 (#27387, @aanm)
* Fix verifier issues in IPv6 BPF tests (Backport PR #27107, Upstream PR #25191, @dylandreimerink)
* Trigger required workflows using Ariane (Backport PR #27095, Upstream PR #27002, @michi-covalent)

**Misc Changes:**
* Add note for changing IPAM settings (Backport PR #27239, Upstream PR #27090, @darox)
* bpf: test: Fix the byte order in the IPV4 macro (Backport PR #27107, Upstream PR #25114, @gentoo-root)
* chore(deps): update all github action dependencies (v1.13) (patch) (#27290, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.12 (v1.13) (#26825, @renovate[bot])
* chore(deps): update docker/setup-buildx-action action to v2.9.1 (v1.13) (#26827, @renovate[bot])
* chore(deps): update helm/kind-action action to v1.8.0 (v1.13) (#26828, @renovate[bot])
* docs: Fix gRPC API generation for online docs (Backport PR #27095, Upstream PR #27014, @qmonnet)
* docs: fixed search for every page (Backport PR #26906, Upstream PR #26892, @geakstr)
* docs: Ignore Helm values, update spelling list (Backport PR #26906, Upstream PR #26759, @qmonnet)
* docs: Replace non-portable "sed -i" in Makefile (Backport PR #27239, Upstream PR #27122, @qmonnet)
* docs: Revert Python version in docs-builder image to 3.7.9, downgrade sphinxcontrib-applehelp, to fix builds on Read The Docs (Backport PR #26906, Upstream PR #24099, @qmonnet)
* docs: Simplify clustermesh example (Backport PR #27239, Upstream PR #27172, @joestringer)
* docs: Update dependencies for documentation build system (Sphinx, add-ons etc.) (Backport PR #26906, Upstream PR #24014, @qmonnet)
* Documentation: enable parallel builds (Backport PR #26906, Upstream PR #23752, @squeed)
* Documentation: fix the broken links/dead links (Backport PR #27154, Upstream PR #26880, @vipul-21)
* endpoint: don't hold the endpoint lock while generating policy (Backport PR #26735, Upstream PR #26242, @squeed)

**Other Changes:**
* backport v1.13: IPsec upgrade tests (#27174, @brb)
* install: Update image digests for v1.13.5 (#27120, @nathanjsweet)
* k8s: fix incorrect EndpointSlice API version (#27277, @ysksuzuki)
* remove stable tag from image build (#27076, @aanm)
* v1.13 backport: gh/workflows: Reusable workflow for ci-e2e and misc changes (#27374, @brb)

## v1.13.5

Summary of Changes
------------------

**Minor Changes:**
* Add helm value `envoyConfig.enabled` that can be used to enable CiliumEnvoyConfig CRD independently of Cilium Ingress controller. (Backport PR #26421, Upstream PR #26005, @jrajahalme)
* Allow to disable external workloads support in clustermesh-apiserver to improve performance when not needed. (Backport PR #26421, Upstream PR #25259, @giorio94)
* daemon: don't allow egress gateway with KV store identity allocation (Backport PR #26421, Upstream PR #26189, @jibi)
* helm: Allow node port allocation for Ingress LB service (Backport PR #26861, Upstream PR #26502, @sayboras)
* ingress: Add loadBalancerIP and loadBalancerClass (Backport PR #26528, Upstream PR #22670, @oliver-ni)

**Bugfixes:**
* Avoid dropping short packets (that don't have their L3 header in linear data) in the to-netdev and from-host paths. (Backport PR #25739, Upstream PR #25159, @julianwiedmann)
* bgpv1: Unconditionally select node when empty nodeSelector is given (Backport PR #26737, Upstream PR #26590, @YutaroHayakawa)
* bpf: ct: fix CT-based packet tracing for IPv6 (Backport PR #26528, Upstream PR #26476, @julianwiedmann)
* bpf: fix error handling for invoke_tailcall_if() (Backport PR #26497, Upstream PR #26118, @julianwiedmann)
* bpf: lxc: fix one missing drop notification in CT lookup tail calls (Backport PR #26421, Upstream PR #26115, @julianwiedmann)
* client, health/client: set dummy host header on unix:// local communication (Backport PR #26861, Upstream PR #26800, @tklauser)
* Envoy resource namespacing (Backport PR #26421, Upstream PR #26037, @jrajahalme)
* Fix a bug in the Egress Gateway feature when using the --install-egress-gateway-routes option. Delete stale IP rules after a CiliumEgressGatewayPolicy is updated and selects a different egress network interface. (Backport PR #26947, Upstream PR #26846, @julianwiedmann)
* Fix bug that caused transient IPsec packet drops on upgrades when tunneling is enabled. (Backport PR #26792, Upstream PR #26708, @pchaigno)
* Fix bug where CNI gets installed even if cni.install=false (Backport PR #26421, Upstream PR #26278, @joestringer)
* Fix crash of cilium-agent happening when a remote node without node IP addresses is removed. (Backport PR #26421, Upstream PR #25851, @cyclinder)
* Fix missing metric "cilium_services_events_total" (Backport PR #27036, Upstream PR #26719, @christarazi)
* Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (Backport PR #26792, Upstream PR #25440, @pchaigno)
* Fix possible connection drops on agent restart when a service is associated with multiple endpointslices or has backends across multiple clusters (Backport PR #27036, Upstream PR #26912, @giorio94)
* Fix: Return "Content-Type" and "X-Content-Type-Options" headers from Health Check Node Port (Backport PR #26528, Upstream PR #26458, @cezarygerard)
* Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport PR #26749, Upstream PR #26344, @jrajahalme)
* helm: Fix a bug caused by incorrect indentation of the extraEnv parameter for Hubble UI backend (Backport PR #26915, Upstream PR #26797, @toVersus)
* ingress: Delay secret sync if not available (Backport PR #26993, Upstream PR #26988, @sayboras)
* ipsec: Split removeStaleXFRMOnce to fix deprioritization issue (Backport PR #26421, Upstream PR #26113, @jschwinger233)
* Parse the IP address passed as CIDR from the delegated IPAM and then use the IP address from the parsed prefix. (Backport PR #26421, Upstream PR #22918, @vipul-21)
* Temporarily disable bpf-clock-probe to avoid causing interruptions for long-lived connections during upgrades (Backport PR #27034, Upstream PR #26981, @margamanterola)

**CI Changes:**
* .github: add 'name' field for the conformance-e2e job (Backport PR #26861, Upstream PR #26791, @aanm)
* ariane: don't skip verifier and l4lb tests on vendor/ changes (Backport PR #26737, Upstream PR #26715, @tklauser)
* ci: fix Azure cluster names sometimes being too long (Backport PR #27036, Upstream PR #26933, @nbusseneau)
* gh/workflows: Optionally enable dual stack in ci-e2e (Backport PR #26915, Upstream PR #26856, @brb)
* gha: uniform the final sysdump names in conformance clustermesh (#26686, @giorio94)
* test: Fix and unquarantine `Skip conntrack` test (Backport PR #27036, Upstream PR #25038, @pchaigno)
* v1.13: ci: use Ariane to trigger workflows (#26580, @nbusseneau)

**Misc Changes:**
* Add cilium bpf nodeid list to bugtool and print nodeid in hex in ipcache dump (Backport PR #26421, Upstream PR #26130, @brb)
* Adding an AWS architecture diagram for AWS FTR review (Backport PR #26421, Upstream PR #26016, @amitmavgupta)
* bpf: add drop reason for TTL exceeded (Backport PR #27036, Upstream PR #26884, @julianwiedmann)
* bpf: nodeport: wire up trace struct for IPv6 RevDNAT (Backport PR #26421, Upstream PR #26047, @julianwiedmann)
* bpf: Use "fallthrough;", compile with -Wimplicit-fallthrough (Backport PR #26421, Upstream PR #26211, @qmonnet)
* build(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible (Backport PR #26737, Upstream PR #25393, @dependabot[bot])
* Calling out support for Single-Region, Multi-Region, Multi-AZ for EKS (Backport PR #26421, Upstream PR #26015, @amitmavgupta)
* certloader: Correctly support RequestClientCert in WatchedClientConfig (Backport PR #26915, Upstream PR #26812, @chancez)
* chore(deps): update actions/setup-go action to v4 (v1.13) (#26320, @renovate[bot])
* chore(deps): update all github action dependencies (v1.13) (minor) (#26440, @renovate[bot])
* chore(deps): update all github action dependencies (v1.13) (patch) (#26702, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.17.4 (v1.13) (#26436, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.17.4 (v1.13) (#26437, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.10 docker digest to 405b708 (v1.13) (#26422, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.10 docker digest to 6fb612a (v1.13) (#26249, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 0bced47 (v1.13) (#26701, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2a357c4 (v1.13) (#26317, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 6120be6 (v1.13) (#26433, @renovate[bot])
* chore(deps): update docker/setup-buildx-action action to v2.8.0 (v1.13) (#26572, @renovate[bot])
* chore(deps): update docker/setup-buildx-action action to v2.9.0 (v1.13) (#26703, @renovate[bot])
* chore(deps): update hubble cli to v0.12.0 (v1.13) (minor) (#26765, @renovate[bot])
* chore(deps): update sigstore/cosign-installer action to v3 (v1.13) (#26441, @renovate[bot])
* chore(deps): update sigstore/cosign-installer action to v3 (v1.13) (#26704, @renovate[bot])
* doc: Documented incompatibility of EgressGW and kvstore (Backport PR #26637, Upstream PR #26139, @PhilipSchmid)
* docker: Detect default "desktop-linux" builder (Backport PR #26421, Upstream PR #25908, @jrajahalme)
* docs/ipsec: Clarify limitation on number of nodes (Backport PR #26861, Upstream PR #26810, @pchaigno)
* docs/ipsec: Document RSS limitation (Backport PR #27036, Upstream PR #26979, @pchaigno)
* docs/ipsec: Extend troubleshooting section (Backport PR #27036, Upstream PR #26808, @pchaigno)
* docs/upgrading: note that policy bug was fixed in v1.13.3 (#26661, @squeed)
* docs: clarify that L3 DNS policies require L7 proxy enabled (Backport PR #26421, Upstream PR #26180, @wedaly)
* docs: Pick up PyYAML 6.0.1 (Backport PR #26915, Upstream PR #26883, @michi-covalent)
* docs: remove no-longer-valid known policy issue (Backport PR #26861, Upstream PR #26660, @squeed)
* docs: reword incorrect L7 policy description (Backport PR #26421, Upstream PR #26092, @peterj)
* docs: Specify Helm chart version in "cilium install" commands (Backport PR #27036, Upstream PR #26934, @michi-covalent)
* Document that the `install-egress-gateway-routes` flag is only for EKS's ENI mode in egress gateway guide (Backport PR #26861, Upstream PR #23616, @deepeshaburse)
* Document that upgrades to 1.13.4 may experience interruptions of existing connections, while upgrades from 1.13.4 may encounter lingering connections. (#27048, @margamanterola)
* Dump maps and events for all lb4/6 v3 backends (Backport PR #26421, Upstream PR #26108, @ti-mo)
* Fix "make -C Documentation builder-image" (Backport PR #26915, Upstream PR #26874, @michi-covalent)
* fix(deps): update module github.com/docker/docker to v24 (main) (Backport PR #26737, Upstream PR #26316, @renovate[bot])
* helm: Add flag to disable CRD check for mass server-side apply (Backport PR #26421, Upstream PR #25956, @jcpunk)
* vendor: Update go-restful (Backport PR #26576, Upstream PR #26560, @ferozsalam)

**Other Changes:**
* [v1.13] bgpv1: skip invalid node selector config in policy selection (#26541, @harsimran-pabla)
* envoy: Bump envoy to v1.24.9 (#26805, @sayboras)
* envoy: Bump envoy version to v1.24.10 (#27070, @sayboras)
* envoy: Bump minor version to v1.24.x (#26309, @sayboras)
* envoy: Update for missing backports (#26722, @jrajahalme)
* gh/workflows: Bump CLI to v0.15.3 in ci-e2e (#26855, @brb)
* install: Update image digests for v1.13.4 (#26267, @qmonnet)
* metrics: fix missing k8s rest client metrics (#26412, @ysksuzuki)
* Revert "chore(deps): update sigstore/cosign-installer action to v3 (v1.13)" (#26690, @aanm)
* v1.13 Backports 2023-06-26 (#26477, @jibi)
* v1.13 docs: Use stable-v0.14.txt for cilium-cli version (#26465, @michi-covalent)
* v1.13: node: Fix node encryption condition in incorrect backport (#26953, @pchaigno)

## v1.13.4

Summary of Changes
------------------

**Minor Changes:**
* Add agent flag `enable-ipsec-key-watcher` to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR #25977, Upstream PR #25893, @pchaigno)
* Updating documentation helm values now works also on arm64. (Backport PR #25731, Upstream PR #25422, @jrajahalme)

**Bugfixes:**
* Add drop notifications for various error paths in the datapath. (Backport PR #25503, Upstream PR #25183, @julianwiedmann)
* bpf,datapath: read jiffies from /proc/schedstat (Backport PR #25855, Upstream PR #25795, @ti-mo)
* Compare annotations before discarding CiliumNode updates. (Backport PR #25588, Upstream PR #25465, @LynneD)
* CPU overhead regression introduced in v1.13 is fixed. (#25548, @jrajahalme)
* Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR #25897, Upstream PR #25784, @pchaigno)
* Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR #25897, Upstream PR #25724, @pchaigno)
* Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR #25897, Upstream PR #25735, @pchaigno)
* Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR #25923, Upstream PR #25419, @bimmlerd)
* Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR #25897, Upstream PR #25744, @joamaki)
* Fix downgrade path from 1.14 to 1.13 due to stale IPAM-allocated IPv6 on cilium_host (#25962, @jschwinger233)
* Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR #26160, Upstream PR #26093, @pchaigno)
* Fix incorrect hubble flow data when HTTP requests contain an `x-forwarded-for` header by adding an explicit `use_remote_address: true` config to Envoy HTTP configuration to always use the actual remote address of the incoming connection rather than the value of `x-forwarded-for` header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement where the source security identity is always resolved before HTTP headers are parsed. Previous Cilium behavior of not adding `x-forwarded-for` headers is retained via an explicit `skip_xff_append: true` config setting, except for Cilium Ingress where the source IP address is now appended to `x-forwarded-for` header. (Backport PR #25731, Upstream PR #25674, @jrajahalme)
* Fix leak of IPsec XFRM FWD policies in IPAM modes `cluster-pool`, `kubernetes`, and `crd` when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR #26079, Upstream PR #25953, @pchaigno)
* Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (Backport PR #25588, Upstream PR #25426, @bleggett)
* Fix RevSNAT for ICMPv6 packets. (Backport PR #25503, Upstream PR #25306, @julianwiedmann)
* Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (Backport PR #25977, Upstream PR #25936, @joamaki)
* Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR #26079, Upstream PR #25969, @jrajahalme)
* gateway-api: Race condition between routes and Gateway (Backport PR #25731, Upstream PR #25573, @sayboras)
* gateway-api: Skip reconciliation for non-matching controller routes (Backport PR #25731, Upstream PR #25549, @sayboras)
* helm: Correct typo in Ingress validation (Backport PR #25731, Upstream PR #25570, @sayboras)
* Reject incorrect configuration enable-host-legacy-routing=false kube-proxy-replacement=partial. (Backport PR #25855, Upstream PR #25803, @pchaigno)

**CI Changes:**
* [v1.13 backport] test: Switch target FQDN (#25584, @nbusseneau)
* Add github workflow to push development helm charts to quay.io (Backport PR #26087, Upstream PR #25205, @chancez)
* hostfw tests flake workaround (Backport PR #25588, Upstream PR #25323, @tommyp1ckles)
* Pick up the latest startup-script image (Backport PR #25855, Upstream PR #25774, @michi-covalent)
* test/k8s: add host firewall workaround for svc host policy test. (Backport PR #25588, Upstream PR #25461, @tommyp1ckles)
* test/k8s: for services test, wait for all applied manifests to delete (Backport PR #25503, Upstream PR #25341, @tommyp1ckles)
* test/k8s: quarantine K8sDatapathServicesTest (Backport PR #25731, Upstream PR #25670, @aanm)
* test/k8s: update host policies for firewall tests. (Backport PR #25503, Upstream PR #25374, @tommyp1ckles)
* test: delete ginkgo test "NodePort with L7 Policy from outside" (Backport PR #25731, Upstream PR #25702, @jschwinger233)
* test: prevent panic on k8s services host fw test on some runs. (Backport PR #25855, Upstream PR #25747, @tommyp1ckles)

**Misc Changes:**
* backport (v1.13): docs: Promote Deny Policies out of Beta (#26147, @nathanjsweet)
* bpf: dsr: fix typo in tail_nodeport_dsr_ingress_ipv4() (Backport PR #25855, Upstream PR #25742, @julianwiedmann)
* chore(deps): update all github action dependencies (v1.13) (patch) (#25704, @renovate[bot])
* chore(deps): update cilium/actions-app-token action to v0.21.1 (v1.13) (#25865, @renovate[bot])
* chore(deps): update dependency cilium/hubble to v0.11.6 (v1.13) (#26042, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (v1.13) (#25852, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.17.3 (v1.13) (#25853, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.10 (v1.13) (#25857, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ac58ff7 (v1.13) (#25547, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (v1.13) (#25997, @renovate[bot])
* ctmap: right-shift kernel jiffies by BPF_MONO_SCALER (Backport PR #26200, Upstream PR #26197, @ti-mo)
* docs: Add Bottlerocket OS to validated distros (Backport PR #25503, Upstream PR #25390, @nebril)
* docs: document missing entity 'ingress' (Backport PR #25731, Upstream PR #25665, @mhofstetter)
* docs: Fix broken link to backends leak issue (Backport PR #25503, Upstream PR #25278, @akhilles)
* docs: Improve BGP Control Plane page (Backport PR #25731, Upstream PR #23939, @krouma)
* gateway-api: Remove unused function check (#26058, @ferozsalam)
* install: Fail helm if kube-proxy-replacement is not valid (Backport PR #25977, Upstream PR #25907, @jrajahalme)
* ipsec: Fix cleanup of XFRM states and policies (Backport PR #26079, Upstream PR #26072, @pchaigno)
* Slim down Node handler interface (Backport PR #25923, Upstream PR #25450, @bimmlerd)
* test/provision/compile.sh: Make usable from dev VM (Backport PR #25503, Upstream PR #25352, @jrajahalme)
* Update network attacker sections of the threat model (Backport PR #25977, Upstream PR #25640, @ferozsalam)

**Other Changes:**
* envoy: Bump envoy version to v1.23.10 (#25884, @mhofstetter)
* install: Update image digests for v1.13.3 (#25726, @thorn3r)
* wireguard: Always unset fwMark (#25858, @brb)

## v1.13.3

Summary of Changes
------------------

**Major Changes:**
* Assume Ingress identity for cluster internal traffic through Cilium Ingress for policy enforcement. (Backport PR #25019, Upstream PR #24826, @jrajahalme)
* policy: Promote Deny Policies from Beta to Stable (#25427, @nathanjsweet)

**Minor Changes:**
* Drop traffic matching an egress gateway policy when no gateways are found (Backport PR #24999, Upstream PR #24835, @MrFreezeex)
* ingress: Add ownerReferences for shared mode (Backport PR #25013, Upstream PR #24942, @sayboras)
* sysdump: Added Kubernetes CNI logs to sysdump. (Backport PR #25346, Upstream PR #23937, @marseel)
* Update CNI (loopback) to 1.3.0 (Backport PR #25454, Upstream PR #25400, @anfernee)
* Use BGP Control Plane annotations from Node Resource for creation of CiliumNode Resource (Backport PR #25346, Upstream PR #24914, @margau)

**Bugfixes:**
* Add support for builtin kernel modules (Backport PR #25137, Upstream PR #23953, @TheAifam5)
* Address cilium-agent startup performance regression. (Backport PR #25185, Upstream PR #25007, @bimmlerd)
* cmd/cleanup: Fix cleanup of generic XDP programs (Backport PR #25184, Upstream PR #25117, @pchaigno)
* datapath: Fix double SNAT (Backport PR #25223, Upstream PR #25189, @brb)
* DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (Backport PR #25346, Upstream PR #25147, @jrajahalme)
* Filter ipv6 advertisements when using metallb as BGP speaker. (Backport PR #25137, Upstream PR #25043, @harsimran-pabla)
* Fix a regression in which link-local addresses were not treated with the "host" identity in some circumstances. (Backport PR #25368, Upstream PR #25298, @asauber)
* Fix broken IPv4 connectivity from outside to NodePort service when using L7 ingress policy, by removing PROXY_RT route table. (Backport PR #25086, Upstream PR #24807, @jschwinger233)
* Fix bug that caused ToCIDR netpols matching kube-apiserver IPs (when external to the cluster) to not reliably allow connectivity. (#25241, @giorio94)
* Fix bug that causes enforcement of host policies on reply IPv6 pod traffic. (Backport PR #25137, Upstream PR #25024, @pchaigno)
* Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (Backport PR #25013, Upstream PR #24825, @christarazi)
* Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (Backport PR #25013, Upstream PR #24785, @giorio94)
* Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (Backport PR #25346, Upstream PR #25087, @joamaki)
* Fix incorrect network policy eBPF setup that may lead to incorrect packet denies when a CEP is present in multiple CES (Backport PR #25184, Upstream PR #24838, @alan-kut)
* Fix operator shutdown hanging when kvstore is enabled (Backport PR #25223, Upstream PR #24979, @giorio94)
* Fix operator startup delay caused by leader election lease not being released correctly (Backport PR #25137, Upstream PR #24978, @giorio94)
* Fix panic due to assignment to nil BGP service announcements map. (Backport PR #25013, Upstream PR #24985, @harsimran-pabla)
* Fix permission issue when copying cni plugins onto host path (Backport PR #25346, Upstream PR #24891, @JohnJAS)
* Fix security-group-tags not working in ENI (Backport PR #25013, Upstream PR #24951, @aanm)
* Fix spurious errors containing "Failed to map node IP address to allocated ID". (Backport PR #25346, Upstream PR #25222, @bimmlerd)
* Fix syncing of relevant node annotations into CiliumNode (Backport PR #25368, Upstream PR #25307, @meyskens)
* Fix a bug where long-living connections using egress gateway may be reset. (Backport PR #25346, Upstream PR #24905, @gentoo-root)
* ipcache don't short-circuit InjectLabels if source differs (Backport PR #25077, Upstream PR #24875, @squeed)
* pkg/kvstore: Fix for deadlock in etcd status checker (Backport PR #25013, Upstream PR #24786, @hemanthmalla)
* Track reply packets in long-living egress gateway connections and SNATed host-local connections. (Backport PR #25424, Upstream PR #25112, @gentoo-root)
* When using KPR Nodeport with DSR, support backends in hostNetwork or with L7 policies. (Backport PR #24795, Upstream PR #22978, @julianwiedmann)

**CI Changes:**
* Always use the 8.8.8.8 DNS resolver in kind (Backport PR #25409, Upstream PR #24713, @aspsk)
* ci: remove `STATUS` commands from upstream tests' Jenkinsfile (Backport PR #25137, Upstream PR #25046, @nbusseneau)
* Delete "Cilium monitor verbose mode" test (Backport PR #25346, Upstream PR #25212, @michi-covalent)
* Enable testing of BPF programs requiring XDP_TX in CI (Backport PR #25409, Upstream PR #24250, @lmb)
* inctimer: fix test flake where timer does not fire within time. (Backport PR #25346, Upstream PR #25219, @tommyp1ckles)
* jenkinsfiles: Fix order of ginkgo tests (Backport PR #25137, Upstream PR #25002, @pchaigno)
* mlh: update Jenkins jobs following removal of kernel 4.9 support (#24955, @nbusseneau)
* test: Unquarantine host firewall + nodeport test (Backport PR #25184, Upstream PR #25025, @pchaigno)

**Misc Changes:**
* bpf: dsr: don't track L2 addresses for DSR traffic (Backport PR #24795, Upstream PR #24524, @julianwiedmann)
* bpf: dsr: restore CB_SRC_LABEL across DSR-INGRESS tail-call (Backport PR #24795, Upstream PR #24794, @julianwiedmann)
* bpf: lb: introduce an optimized CT lookup (Backport PR #24795, Upstream PR #22936, @julianwiedmann)
* bpf: minor CT cleanups (Backport PR #24795, Upstream PR #23718, @julianwiedmann)
* bpf: nodeport: minor DSR improvements (Backport PR #24795, Upstream PR #23326, @julianwiedmann)
* chore(deps): update docker.io/library/golang:1.19.8 docker digest to 9f2dd04 (v1.13) (#25421, @renovate[bot])
* chore(deps): update hubble cli to v0.11.5 (v1.13) (patch) (#25125, @renovate[bot])
* daemon: Mark CES feature as beta in agent flag (Backport PR #25013, Upstream PR #24850, @pchaigno)
* docs: `socketLB.hostNamespaceOnly` also needed for gVisor (Backport PR #25346, Upstream PR #25322, @pchaigno)
* docs: Add matrix version between envoy and cilium (Backport PR #25223, Upstream PR #25109, @sayboras)
* docs: Add platform support to docs (Backport PR #25223, Upstream PR #25174, @joestringer)
* docs: small fixes for k8s upgrade guide (Backport PR #25013, Upstream PR #24869, @tklauser)
* Documentation: add migration document (Backport PR #25013, Upstream PR #23751, @squeed)
* documentation: move policy warning to v1.13.2 section (#24997, @squeed)
* envoy: Debug log remote IDs for Envoy policies (Backport PR #25013, Upstream PR #24939, @jrajahalme)
* Fix missed clustermesh config change race condition with back-to-back changes (Backport PR #25013, Upstream PR #24993, @giorio94)
* Fix possible panic in the ipcache when removing the prefix labels for an unknown resource ID (Backport PR #25346, Upstream PR #25230, @giorio94)
* Fixed documentation regarding cilium versioning scheme and support (Backport PR #25223, Upstream PR #25171, @ayesha-kr)
* gha: Add retry mechanism in http test (Backport PR #25346, Upstream PR #25244, @sayboras)
* helm: add clustermesh nodeport config warning about known bug #24692 (Backport PR #25223, Upstream PR #25033, @giorio94)
* hive: Don't log interrupt signal as error (Backport PR #25013, Upstream PR #23880, @joamaki)
* ipsec: Install default-drop XFRM policy sooner (Backport PR #25346, Upstream PR #25257, @pchaigno)
* Makefile: use a specific template for mktemp files (Backport PR #25223, Upstream PR #25192, @kaworu)
* node/manager: Only remove old IPs if they weren't already added (Backport PR #25013, Upstream PR #25067, @christarazi)
* pkg/service: Backends leak follow ups with revised fixes, debugging improvements and unit tests (Backport PR #25223, Upstream PR #24770, @aditighag)
* Remote node identities are enabled by default in the Cilium agent. They have already been enabled by default in the Helm charts since Cilium version 1.7. (Backport PR #25013, Upstream PR #24874, @tklauser)
* Update the documentation for required IAM policy rights needed for Cilium to work in EKS. (Backport PR #25137, Upstream PR #25078, @toredash)
* Update threat model (Backport PR #25013, Upstream PR #24760, @ferozsalam)

**Other Changes:**
* [v1.13] contrib/backporting: Fix main branch reference (#25091, @joestringer)
* envoy: Upgrade to v1.23.9 (#25208, @sayboras)
* install: Update image digests for v1.13.2 (#24952, @gentoo-root)
* v1.13: docs: Document upgrade impact for IPsec (#24963, @pchaigno)
* v1.13: docs: Fix typo in IPsec upgrade note (#24973, @pchaigno)

## v1.13.2

Summary of Changes
------------------

**Minor Changes:**
* envoy: Bump envoy to v1.23.8 (#24909, @sayboras)
* envoy: Bump envoy version to v1.23.7 (#24746, @sayboras)
* Move poststart eni script to agent pod from nodeinit pod (Backport PR #24547, Upstream PR #24134, @nebril)
* Provides operational state of BGP peers via CLI 'cilium bgp peers' (Backport PR #24821, Upstream PR #24612, @harsimran-pabla)
* Support L2-less devices with fast forward (bpf-based host routing) (Backport PR #24706, Upstream PR #23935, @jschwinger233)

**Bugfixes:**
* agent: rework clustermesh config watcher for increased robustness (Backport PR #24547, Upstream PR #24163, @giorio94)
* bpf: dsr: fix parsing of IPv6 AUTH extension header (Backport PR #24821, Upstream PR #24792, @julianwiedmann)
* bpf: fix ipv6 extension header parsing error (Backport PR #24706, Upstream PR #24309, @chenyuezhou)
* bpf: policy: fix handling of ICMPv6 packet with extension headers (Backport PR #24821, Upstream PR #24797, @julianwiedmann)
* Correctly configure extra SANs for the clustermesh API server certificate when generated through certgen (Backport PR #24607, Upstream PR #24339, @giorio94)
* daemon: initialize datapath before compiling sockops programs (Backport PR #24547, Upstream PR #24140, @jibi)
* egressgw: update all internal caches once k8s state is synced (Backport PR #24706, Upstream PR #24034, @jibi)
* endpoint: fix k8sNamespace log field when ep gets deleted (Backport PR #24706, Upstream PR #24575, @mhofstetter)
* Fix a bug where users are unable to change a wrong remote etcd configuration (Backport PR #24547, Upstream PR #24046, @oblazek)
* Fix a memory leak in the service cache, and possible missed service updates on scale to zero events in rare circumstances (Backport PR #24706, Upstream PR #24619, @giorio94)
* Fix bug in BGP CP where changing the route-id of an existing router would cause announcements to disappear (Backport PR #24547, Upstream PR #24304, @dylandreimerink)
* Fix bug where ingress policies for remote-node identities are not applied correctly when new nodes join the cluster, specifically when the nodes joining the cluster had IP addresses specified in CIDR policies (Backport PR #24547, Upstream PR #23764, @christarazi)
* Fix Cilium Operator from crashing when encountering empty node pools on Azure (Backport PR #24547, Upstream PR #24189, @forgems)
* Fix for disabled cloud provider rate limiting (Backport PR #24547, Upstream PR #24413, @hemanthmalla)
* Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#24870, @aanm)
* Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #24843, Upstream PR #24788, @jrajahalme)
* gateway-api: Re-queue gateway for namespace change (Backport PR #24758, Upstream PR #24624, @sayboras)
* Handle leaked service backends that may lead to filling up of `lb4_backends` map and thereby connectivity issues. (Backport PR #24758, Upstream PR #24681, @aditighag)
* helm: mandate issuer configuration when using cert-manager to generate certificates (Backport PR #24821, Upstream PR #24666, @giorio94)
* ipsec: Clean up stale XFRM policies and states (Backport PR #24821, Upstream PR #24773, @pchaigno)
* Prevent egress gateway from adding and then immediately removing BPF policy entries for policies that don't match any gateway node (Backport PR #24706, Upstream PR #24646, @MrFreezeex)
* Services backends with publishNotReadyAddresses are able to receive traffic independently if they are Terminating, since it is the user's intent to make them reachable despite their state. (Backport PR #24547, Upstream PR #24174, @aojea)
* Set user-agent for k8s client with Cilium's version (Backport PR #24547, Upstream PR #24275, @aanm)
* Solve control-plane deadlock issues leading to outages. A typical log line indicative of this issue is `probe=l7-proxy msg="No response from probe within 15 seconds"` (Backport PR #24814, Upstream PR #24672, @bimmlerd)

**CI Changes:**
* bpf/test: Add unit test to check whether netpol drops result in metric counter increment (Backport PR #24607, Upstream PR #24469, @brb)
* bpf/tests: fix mac addresses definitions in egressgw test (Backport PR #24607, Upstream PR #23351, @jibi)
* datapath/linux/route: fix CI expectations for rule string format (Backport PR #24607, Upstream PR #24577, @NikAleksandrov)
* Fix race conditions when deleting CNP / CCNP in e2e tests (Backport PR #24706, Upstream PR #24484, @jschwinger233)
* Fixed flake in the `TestRequestIPWithMismatchedLabel` LB-IPAM tests. (Backport PR #24547, Upstream PR #23297, @dylandreimerink)
* gha: Clean-up Ingress/GatewayAPI Conformance tests (Backport PR #24441, Upstream PR #24025, @sayboras)
* Increase timeout waiting for resources in Ingress conformance test (Backport PR #24441, Upstream PR #24388, @meyskens)
* Port verifier tests to Go (Backport PR #24706, Upstream PR #24538, @ti-mo)
* renovate: Fix Hubble release digest regex (Backport PR #24547, Upstream PR #24477, @gandro)
* test: Enable conformance tests for non-SCTP traffic in conjunction with SCTP policies (Backport PR #24547, Upstream PR #24144, @joestringer)
* test: Remove some {DP,Services} Ginkgo test cases (Backport PR #24547, Upstream PR #24223, @brb)
* test: Update 1.26 k8s version (Backport PR #24607, Upstream PR #24569, @sayboras)
* tests: add exceptions for lease errors due to etcd (Backport PR #24758, Upstream PR #24723, @jibi)

**Misc Changes:**
* Avoid clearing objects in CiliumEndpoint conversion funcs (Backport PR #24929, Upstream PR #24928, @aanm)
* Avoid clearing objects in conversion funcs (Backport PR #24929, Upstream PR #24241, @odinuge)
* bgp: extract exportPodCIDRReconciler logic into a generic function (Backport PR #24607, Upstream PR #24546, @jibi)
* bpf: Remove fib_redirect's BPF_FIB_LOOKUP_DIRECT (Backport PR #24547, Upstream PR #24271, @borkmann)
* bpf_test: use bpf.LoadCollection, print full verifier error logs (Backport PR #24607, Upstream PR #23281, @ti-mo)
* checker: Fix incorrect checker for ExportedEqual() (Backport PR #24547, Upstream PR #24373, @christarazi)
* chore(deps): update base-images (v1.13) (#24467, @renovate[bot])
* chore(deps): update dependency cilium/hubble to v0.11.3 (v1.13) (#24799, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.7 (v1.13) (#24233, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.7 (v1.13) (#24234, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.8 (v1.13) (#24800, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.8 (v1.13) (#24802, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.7 docker digest to d2078d2 (v1.13) (#24550, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.8 docker digest to 31a2f92 (v1.13) (#24831, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (v1.13) (#24472, @renovate[bot])
* cilium, docs: Move sig-datapath meeting to on-demand only (Backport PR #24547, Upstream PR #24205, @borkmann)
* doc: Fixed CiliumNode CRD fields for cluster-pool doc (Backport PR #24547, Upstream PR #24428, @PhilipSchmid)
* doc: kubeProxyReplacement=strict / kube-proxy co-existence (Backport PR #24547, Upstream PR #24407, @PhilipSchmid)
* docs: add note that there are two Cilium CLIs (Backport PR #24547, Upstream PR #24435, @lizrice)
* docs: Cleanup and update list of supported drivers for XDP (Backport PR #24547, Upstream PR #24398, @pchaigno)
* docs: Document the threat model for Cilium (Backport PR #24706, Upstream PR #24497, @ferozsalam)
* docs: fix typo in operations/troubleshooting.rst (Backport PR #24547, Upstream PR #24460, @NikAleksandrov)
* docs: Fix upgradeCompatibility references (Backport PR #24758, Upstream PR #24711, @joestringer)
* docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (Backport PR #24547, Upstream PR #24164, @jspaleta)
* docs: Update egress gateway limitations (Backport PR #24547, Upstream PR #24244, @pchaigno)
* docs: Update the documentation for the `--conntrack-gc-interval` flag (Backport PR #24547, Upstream PR #24400, @pchaigno)
* egressgw: change special values for gatewayIP (Backport PR #24849, Upstream PR #24449, @MrFreezeex)
* Emit full verifier logs to agent logs and verifier.log in the endpoint directory (Backport PR #24706, Upstream PR #24506, @ti-mo)
* endpoint: correctly log IPv6 addresses (Backport PR #24547, Upstream PR #24255, @tklauser)
* Expose bpf-lb-sock-hostns-only in cilium status (Backport PR #24758, Upstream PR #24570, @romanspb80)
* Fix duplicated logs for test-output.log (Backport PR #24547, Upstream PR #24171, @romanspb80)
* Fixed BPF tests which would fail on older kernels (<=5.8) due to unsupported program loading (Backport PR #24607, Upstream PR #22980, @dylandreimerink)
* gha: Skip HTTPRouteListenerHostnameMatching test temporarily (Backport PR #24821, Upstream PR #24521, @sayboras)
* hubble-ui: allow ingress from non root `/` urls (Backport PR #24607, Upstream PR #23631, @geakstr)
* loader: Don't compile `.asm` files by default (Backport PR #24821, Upstream PR #24769, @pchaigno)
* Operator: Move leader election to a separate Kubernetes client (Backport PR #24547, Upstream PR #24267, @alexkats)
* pkg/bandwidth: add error for bandwidth manager not being enabled (Backport PR #24758, Upstream PR #24715, @aanm)
* pkg/cgroups: Prune excessive debug logging (Backport PR #24843, Upstream PR #24815, @aditighag)
* pkg/service: Extend unit test cases (Backport PR #24821, Upstream PR #24742, @aditighag)
* proxylib: Downgrade noisy log msg to debug level (Backport PR #24547, Upstream PR #22848, @christarazi)

**Other Changes:**
* Backport warning about known policy bug to v1.13 (#24892, @squeed)
* docs: Document IPsec upgrade issue on v1.13.1 (#24705, @pchaigno)
* helm: fix poststart-eni.bash execution in agent DS (#24789, @nebril)
* install: Update image digests for v1.13.1 (#24427, @nebril)
* Prepare for release v1.13.2 (#24900, @gentoo-root)
* v1.13 egress gateway tests sync (#24859, @jibi)

## v1.13.1

Summary of Changes
------------------

**Minor Changes:**
* Add CLI command to dump cgroups metadata (Backport PR #23834, Upstream PR #23641, @alexkats)
* Add pod-name hubble metrics context for pod name label without namespace (Backport PR #24058, Upstream PR #23199, @chancez)
* envoy: Bump envoy to 1.23.4 (Backport PR #23956, Upstream PR #23800, @sayboras)
* helm: Add pod and container security context (Backport PR #24086, Upstream PR #23443, @sayboras)
* helm: Add SA automount configuration (Backport PR #24086, Upstream PR #23441, @sayboras)
* helm: Add support of annotations in hubble ui service (Backport PR #23834, Upstream PR #23709, @brnck)
* Hide `--install-iptables-rules` agent flag and remove `installIptablesRules` Helm flag (Backport PR #24200, Upstream PR #24081, @pchaigno)

**Bugfixes:**
* [EKS] Fix deadlock causing network connectivity outages when kube-apiservers scale down (Backport PR #23956, Upstream PR #23836, @christarazi)
* Add the option to preserve CNI configuration file on agent shutdown. This can help prevent issues where pods can no longer be deleted. This may cause some transient error messages to be displayed if a pod is scheduled while Cilium is being upgraded. (Backport PR #24200, Upstream PR #24009, @squeed)
* agent: fix incorrect deletion of veth host interfaces on bootstrap (Backport PR #23956, Upstream PR #23787, @giorio94)
* Avoid k8s CiliumNode initialization problems when Cilium connects to the KVStore (Backport PR #24200, Upstream PR #24156, @aanm)
* bpf: Fix broken remote-node identity classification (Backport PR #23956, Upstream PR #23091, @ysksuzuki)
* clustermesh: fix cluster synchronization wait group increment (Backport PR #24058, Upstream PR #23741, @giorio94)
* clustermesh: fix services cache bloat due to incorrect deletion (Backport PR #24058, Upstream PR #23947, @giorio94)
* daemon: fix panic when running with etcd with endpoint crd disabled (Backport PR #24387, Upstream PR #24085, @tommyp1ckles)
* envoy: Avoid empty typeURL for all resources (Backport PR #23860, Upstream PR #23763, @sayboras)
* Fix bug that would prevent IPsec from working with GENEVE encapsulation. (Backport PR #24200, Upstream PR #24116, @borkmann)
* Fix bug that would prevent SRv6 decapsulation when BPF Host Routing was disabled. (Backport PR #23834, Upstream PR #23825, @ldelossa)
* Fix connectivity issue upon agent restart in case of ipv6 + direct routing + KPR replacement (Backport PR #23956, Upstream PR #23857, @giorio94)
* Fix deadlock in cilium-operator when using CiliumEndpointSlices (Backport PR #24370, Upstream PR #24343, @alan-kut)
* Fix enable-stale-cilium-endpoint-cleanup flag not actually disabling the cleanup init set when set to false. This provides a workaround for an existing panic that can occur when running using etcd kvstore. (Backport PR #24311, Upstream PR #23874, @sjdot)
* Fix FIB lookup for traffic to a L7 service backend, when BPF host-routing is enabled and multiple external devices are configured. (Backport PR #24195, Upstream PR #24182, @julianwiedmann)
* Fix incorrectly dropping in-cluster traffic for L7 ingress resources (Backport PR #24200, Upstream PR #23984, @sayboras)
* Fix IPv6 policy enforcement for SNATed traffic from the Host (Backport PR #24370, Upstream PR #24132, @ysksuzuki)
* Fix memory leak caused on clustermesh reconnect. (Backport PR #24086, Upstream PR #23785, @oblazek)
* Fix operator crash race condition for CES identity map concurrent read/write (Backport PR #24086, Upstream PR #23605, @dlapcevic)
* Fix Pod connectivity interruption during agent restart (Backport PR #24370, Upstream PR #24336, @ti-mo)
* Fix restoreServicesLocked() potential nil pointer panic (Backport PR #23834, Upstream PR #23446, @dlapcevic)
* fix(helm): add missing updateStrategy to hubble-ui deployment (Backport PR #24058, Upstream PR #23975, @mhulscher)
* Fixes a bug where the Helm value `cni.configMap` no longer worked. (Backport PR #23834, Upstream PR #23743, @squeed)
* Fixes a memory leak and (possible) source of stale data for Clustermesh whenever the connection to the remote cluster is disrupted or restarted. (Backport PR #23834, Upstream PR #23532, @squeed)
* gateway-api: Combine metrics registry with operator (Backport PR #23834, Upstream PR #23501, @sayboras)
* helm: Fix duplicate `enable-envoy-config` flag when enabling L7LB, Ingress Controller, or GatewayAPI simultaneously (Backport PR #23956, Upstream PR #23866, @DWSR)
* Hubble Relay: fix reported uptime (Backport PR #24058, Upstream PR #23966, @rolinh)
* init.sh: fix cgroup program detachment and detach multiple progs with retry (Backport PR #24184, Upstream PR #24118, @ti-mo)
* install: don't render role / rolebinding when agent disabled (Backport PR #24200, Upstream PR #23877, @squeed)
* ipam/crd: Fix panic due to concurrent map read and map write (Backport PR #23834, Upstream PR #23713, @gandro)
* k8s: Handle EndpointSlice AddressType field properly (Backport PR #23956, Upstream PR #23803, @YutaroHayakawa)
* kvstore: prevent deletion delay for node-unrelated events (Backport PR #24086, Upstream PR #23745, @giorio94)
* node: require ipv4 address when wireguard is enabled (#23552, @giorio94)
* watchers: endpointsync can manage already owned CiliumEndpoints. (Backport PR #24086, Upstream PR #23499, @tommyp1ckles)

**CI Changes:**
* bpf/Makefile: Cover VTEP in compile tests (Backport PR #24200, Upstream PR #24106, @pchaigno)
* CI: switch to registry.k8s.io (Backport PR #24058, Upstream PR #23821, @ameukam)
* egressgw: test: switch to WaitForEgressPolicyEntries (Backport PR #24179, Upstream PR #24097, @jibi)
* test: Get rid of 4.9 pipeline (Backport PR #23834, Upstream PR #23343, @brb)
* test: Skip K8sPolicyTestExtended on the 4.19 (Backport PR #23956, Upstream PR #23934, @brb)
* test: Update policy for hairpin flow validation (Backport PR #23834, Upstream PR #23480, @aditighag)

**Misc Changes:**
* Add leader requirement to watch from Etcd. (Backport PR #24058, Upstream PR #23590, @marseel)
* agent: dump stack on stale probes (Backport PR #24086, Upstream PR #23915, @squeed)
* bpf,test: Define BPF_TEST macro for map-in-map/prog-map initialization (Backport PR #24200, Upstream PR #24127, @YutaroHayakawa)
* bpf: Fix usage of tunnel map structs (Backport PR #24086, Upstream PR #23469, @pchaigno)
* bugtool: Add ingress/egress tc filter dump (Backport PR #24200, Upstream PR #24057, @joestringer)
* chore(deps): update actions/checkout action to v3.3.0 (v1.13) (#23992, @renovate[bot])
* chore(deps): update all github action dependencies (v1.13) (patch) (#23991, @renovate[bot])
* chore(deps): update base-images (v1.13) (#24104, @renovate[bot])
* chore(deps): update dependency cilium/hubble to v0.11.2 (v1.13) (#23851, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.6 docker digest to 1a86aa6 (v1.13) (#24105, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.6 docker digest to 7ce31d1 (v1.13) (#23775, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.6 docker digest to 7ce31d1 (v1.13) (#23776, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.11.2 (v1.13) (#23908, @renovate[bot])
* docs: Clarify basic kernel requirement (Backport PR #24058, Upstream PR #23951, @pchaigno)
* docs: Document CONFIG_PERF_EVENTS requirement (Backport PR #24200, Upstream PR #24055, @joestringer)
* docs: Document kernel requirement for L3 devices support (Backport PR #24200, Upstream PR #24101, @pchaigno)
* docs: Document upgrade behaviour for 1.13.x (#24364, @joestringer)
* docs: Fix missing disclaimer content to Ingress and Gateway API pages (Backport PR #23956, Upstream PR #23756, @kayceeDev)
* docs: Fix the dead link to Mellanox performance tuning guide (Backport PR #24086, Upstream PR #24012, @gentoo-root)
* docs: replace usage of api.twitter.com (Backport PR #23834, Upstream PR #23669, @kaworu)
* Document exemplars option for hubble httpV2 metrics (Backport PR #23834, Upstream PR #23620, @chancez)
* fix(deps): update module golang.org/x/net to v0.7.0 [security] (master) (Backport PR #23956, Upstream PR #23904, @renovate[bot])
* Fixed broken/deprecated links (Backport PR #24058, Upstream PR #23920, @PhilipSchmid)
* Fixed link to broken anchor in RKE doc (Backport PR #23834, Upstream PR #23706, @raphink)
* Fixes a flake in the kubectl wait part of the CI (Backport PR #23834, Upstream PR #23733, @meyskens)
* init.sh: clean up cgroup bpf_links created by newer versions of Cilium (Backport PR #24184, Upstream PR #23537, @ti-mo)
* IPsec: Remove `IP_POOLS` logic (Backport PR #24086, Upstream PR #24030, @pchaigno)
* kvstore: add clusterName suffix to session controllers (Backport PR #24086, Upstream PR #23928, @oblazek)
* Remove / in RKE doc link as it causes redirect bug (Backport PR #23834, Upstream PR #23728, @raphink)
* test/runtime: Set NO_COLOR for privileged tests (Backport PR #24058, Upstream PR #23151, @joestringer)
* Update CNI to 1.2.0 (#23319, @michi-covalent)
* Update signature verification docs for Sigstore 2.0 (Backport PR #24086, Upstream PR #24029, @jedsalazar)
* workflow: fixes LLVM, Clang cache and install path (Backport PR #23834, Upstream PR #23740, @brlbil)

**Other Changes:**
* .github: remove workflows that are not branch specific (#23842, @aanm)
* gha: Bump timeout to 90 minutes for build commit. (#23959, @sayboras)
* install: Update image digests for v1.13.0 (#23783, @aanm)
* update images 1.13 (#24331, @nebril)
* v1.13 - Backport initContainer change (#24333, @ferozsalam)

## v1.13.0

Summary of Changes
------------------

**Major Changes:**
* Add IPv6 BIG TCP support (#20349, @NikAleksandrov)
* Add LoadBalancer IP address management (LB-IPAM) (#21764, @dylandreimerink)
* Add partial support for SCTP (#20033, @DolceTriade)
* Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (Backport PR #22822, Upstream PR #22656, @squeed)
* Add support for k8s 1.26 (#22270, @thorn3r)
* Add tracing for socket-based load balancing. (#20492, @aditighag)
* Added capability to announce LoadBalancer services via BGP Control Plane (#22397, @dylandreimerink)
* bpf: Add stateless RFC8215 NAT46/64 for standalone lb (#21777, @borkmann)
* cilium: completion of nat46/64 gateway (Backport PR #22948, Upstream PR #22421, @borkmann)
* CiliumNetworkPolicy now supports enforcement of SNI in TLS connections. (#22398, @jrajahalme)
* gateway-api: Add support for gateway-api v0.5.1 (#21749, @sayboras)
* ingress: Support shared load balancer mode (#21386, @sayboras)
* Sign Cilium container images using cosign (#21918, @sandipanpanda)
* Support Kubernetes v1.21 new field internalTrafficPolicy=Local. (Backport PR #23001, Upstream PR #21871, @gentoo-root)

**Minor Changes:**
* [v1.13] hubble-relay: deprecate peer svc through local unix domain socket (#23442, @kaworu)
* add `nonMasqueradeCIDRs` configuration to the ipMasqAgent section in Helm Chart values. (#20137, @cyclinder)
* Add "cilium map events <map>" command that lists bpf map operation events (#21235, @tommyp1ckles)
* Add --source-ranges option to `cilium bpf lb list` (#19705, @julianwiedmann)
* Add ability to specify topologySpreadConstraints on all parts using kind Deployment. This helps users to correctly spread the pods across failure-domains such as regions, zones, nodes, and other user-defined topology domains to achieve maximum high availability (HA) and efficient resource utilization. (#20046, @mkilchhofer)
* add an option to wait for kube-proxy (#20517, @michi-covalent)
* add helm option configuredMTU to overwrite auto-detected MTU and tunnelPort helm document (#20639, @vincentmli)
* Add metric on number of requests rejected by DNS Proxy semaphore (#20491, @rahulkjoshi)
* Add new ENI IPAM metrics for allocation, release (#20755, @wu0407)
* Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (#22384, @shaardie)
* Add Prometheus gRPC metrics for hubble and hubble-relay (#20376, @chancez)
* Add support for disabling ENI PD at node level (#20308, @hemanthmalla)
* add support for k8s 1.25.0 (#20995, @aanm)
* Add support to fallback from ENI PD if subnet is out of /28 prefixes (#20822, @hemanthmalla)
* Add the additional print columns `CiliumInternalIP` and `InternalIP` for `kubectl get ciliumnode` command. (#21258, @bavarianbidi)
* Add TraceID field to Hubble flow and populate it from L7/HTTP flow. (#21456, @rolinh)
* Add workload name and kind into L7 flows (#21039, @chancez)
* Added 'envoy.filters.http.jwt_authn' and 'envoy.filters.http.oauth2' to the build to be used in CiliumEnvoyConfig resources. (#22562, @jrajahalme)
* Added `hubble.ui.frontend.server.ipv6.enabled` helm flag to control nginx server ipv6 listener (#21127, @geakstr)
* Adjust CES bucket sizes for metrics (#21860, @AwesomePatrol)
* Allow users to specify hostports with localhost hostIP (#21366, @aspsk)
* Automatically adjust `bpf-policy-map-max` if the maximum value is exceeded (#22129, @Vishal-Chdhry)
* bpf/tests: fix redundant usage of variable offset (#22390, @sahid)
* bpf: Add missing identity to `TRACE_TO_STACK` packet traces (#21403, @pchaigno)
* bpf: Implement Segment Routing Header (SRH) support (#20764, @pchaigno)
* bpf: nat: fix usage of ipv6_hdrlen() with unhandled Extension headers (#22544, @julianwiedmann)
* Bugtool: add flag to exclude object for endpoints (#22370, @tbalthazar)
* Bump Linux minimum version to 4.19.57 (or equivalent) (Backport PR #23232, Upstream PR #23124, @joestringer)
* CA certificates in Envoy TLS validation contexts are supported via k8s Secrets with 'ca.crt' key. (#20458, @jrajahalme)
* Cilium Istio integration is updated to Istio release 1.10.6 (#18384, @jrajahalme)
* Cilium Network Policy can now have TLS termination and/or origination without L7 rules. (#21808, @jrajahalme)
* cilium, bwm: Disable slow start after idle under pacing (#21356, @borkmann)
* cilium: Add deprecation warning for service ids (Backport PR #22822, Upstream PR #22700, @joamaki)
* cilium: Remove attached bpf_xdp upon "cilium cleanup" (#19735, @zhanghe9702)
* clarify some docs around the kubeProxyReplacement=partial mode (#19831, @aecay)
* clustermesh: Add an infrastructure to connect time parameter exchange and capability negotiation (Backport PR #22822, Upstream PR #22553, @YutaroHayakawa)
* ctmap: add support for GC of DSR orphaned entries (#21626, @jibi)
* daemon: Deprecate SockOps (Backport PR #23687, Upstream PR #23555, @brb)
* daemon: Don't auto disable session affinity (#16179, @brb)
* daemon: Rename host-reachable services to socket LB (#20369, @brb)
* Default `NodesGCInterval` in CLI is 5m (0s before) to align with default helm value. (#20671, @hemslo)
* Disable and deprecate `force-local-policy-eval-at-source` (#22190, @pchaigno)
* Disable eBPF host routing in cni chaining mode (#22044, @smwyzi)
* DNS proxy: forward the original security identity (#20711, @aspsk)
* DNS Proxy: pass original security identity (#20859, @aspsk)
* dnsproxy: stop serving DNS traffic before agent shutdown (#20795, @nebril)
* docs: refactor AKS installation instructions (Backport PR #23687, Upstream PR #23304, @nbusseneau)
* document ipv4/ipv6 native routing cidr helm option missing in Documentation and helm reference (#21195, @vincentmli)
* egressgw: drop support for CiliumEgressNATPolicy (#21874, @julianwiedmann)
* Enable icmp error replies with enable-pmtu-discovery flag (#21825, @nnbu)
* Enable operator operation without kubernetes. (#21344, @pruiz)
* eni: Add garbage collector for leaked ENIs (#21409, @gandro)
* envoy: Bump envoy version to 1.21.5 (#20771, @sayboras)
* envoy: Bump envoy version to 1.22.7 (Backport PR #23644, Upstream PR #23502, @sayboras)
* envoy: Support LB capability for existing k8s Service (Backport PR #22835, Upstream PR #21244, @sayboras)
* Fatal when enabling DSR and tunneling on KubeProxyReplacement (#22031, @Shunpoco)
* feat(helm): allow adding extra containers to the cilium daemonset (#20343, @mhulscher)
* feat(hubble): add L7 verdicts to hubble_policy_verdicts_total metric (Backport PR #23147, Upstream PR #22622, @raphink)
* Fix behavior where packets leave node if there are no backends (#21539, @michaelasp)
* Fix crash of CES queue delay metric when CESTracker is nil (Backport PR #23147, Upstream PR #22884, @dlapcevic)
* fix empty message when tunnel and socketLB service missing in switch case (#21314, @vincentmli)
* fqdn/metrics: Fix ProxyUpstreamTime error=timeout (#20752, @joestringer)
* Get rid of KPR=probe and socket-LB protocols (#22083, @brb)
* helm: Add `node-role.kubernetes.io/control-plane` key (Backport PR #23001, Upstream PR #22893, @my-git9)
* helm: Add validation for Ingress Controller (#21550, @sayboras)
* helm: Document debug.verbose option (Backport PR #23284, Upstream PR #23178, @sayboras)
* Helm: optionally use less permissive linux capabilities. (#21506, @jonkerj)
* helm: Properly support passing subnet-tags/subnet-ids/instance-tags filters as a list (#21297, @slayer321)
* helm: Remove chart fields planned for removal in 1.12 (#21881, @my-git9)
* helm: Remove duplicated key hostAliases (#20278, @sayboras)
* helm: Set Linux nodeSelector for nodeinit and preflight (#20216, @gandro)
* helm: Support configuring Cilium shared Ingress Service type and nodePorts (#22583, @chancez)
* hubble/filter: add a new endpoint workload filter (#21296, @kaworu)
* hubble/metrics: Add source_ip/destination_ip labels to contextLabels (#21322, @chancez)
* hubble/metrics: Add workload-name and app options to sourceContext and destinationContext (#21320, @chancez)
* hubble: Add hubble_policy_verdicts_total metric (#20470, @michi-covalent)
* hubble: Add kafka metrics (#21318, @chancez)
* hubble: Add reserved-identity metric context (#20474, @michi-covalent)
* hubble: add support for filtering by trace ID (#21551, @rolinh)
* hubble: Add support for SockLB tracing (#21685, @gandro)
* hubble: Extract traceIDs into exemplars in HTTP metrics (#21599, @chancez)
* image: Bump base image to ubuntu 22.04 (#20943, @sayboras)
* image: Upgrade ubuntu base image to 22.04 (#21097, @sayboras)
* Improve policy deletion overhead by about 50% in large environments with a large number of policy rules (#22153, @odinuge)
* Improve verbosity of drop notification messages. (#20387, @aspsk)
* Improve verbosity of drop notification messages. (#20827, @aspsk)
* In ENI IPAM mode, try to allocate new ENIs in the same subnet as the primary ENI instead of the subnet with the most available addresses. (#22000, @bimmlerd)
* ingress: add websockets configuration (#20814, @nikhiljha)
* ingress: Follow-up items for shared LB mode (#21493, @sayboras)
* ingress: Propagate required annotations from Ingress to LB Service (#20860, @NikhilSharmaWe)
* ingress: Rename LB annotation to annotation prefixes (#21222, @sayboras)
* ingress: Support NodePort for dedicated Ingress (Backport PR #23284, Upstream PR #22974, @sayboras)
* install/kubernetes: make securityContext SELinux options configurable (Backport PR #22822, Upstream PR #22721, @tklauser)
* install: add TerminationMessagePolicy to cilium pods (#21012, @squeed)
* Introduce Hubble HTTP v2 metrics and dashboards (#21181, @chancez)
* Introduce smarter internal cache to reduce memory consumption for FQDN / DNS policy usage, especially in environments with heavy FQDN / DNS policy usage (#21288, @odinuge)
* ipam: Add exponential backoff when pool maintenance fails (#21473, @gandro)
* ipam: Change default rate limiting access to external APIs (#21387, @gandro)
* ipam: Support custom owner IPs in CRD IPAM pool (#21379, @llhhbc)
* K8s client as reusable cell (#21026, @joamaki)
* k8s/crds: Allow ingress entity in CNP (#20536, @sayboras)
* label all Cilium resources with "app.kubernetes.io/part-of: cilium" (#20213, @cyclinder)
* Load multiple programs for one CollectionSpec loading (#22025, @alexkats)
* maglev: support setting a weight of a backend in a service spec via new cmdline argument (#18306, @oblazek)
* makefile: add a new target to run 'golangci-lint run --fix' (#21547, @aspsk)
* Minor cleanups in FQDN name manager (#20886, @pippolo84)
* Move the clusterrole precheck inline script to one that can be run locally. (#20786, @ldelossa)
* operator: Add RBAC permission for CiliumNodeConfigs resource (Backport PR #23001, Upstream PR #22824, @sayboras)
* pkg/metrics: include revision and arch info in cilium_version (Backport PR #23147, Upstream PR #22795, @ArthurChiao)
* Prepend Envoy resources with CEC namespace and name (#21500, @pippolo84)
* put stderr of iptables command into error instead of merging into stdout (#20895, @liuyuan10)
* relay: Add Go runtime metrics and process metrics (#22316, @chancez)
* Remove check on intSlice type from config map validation (#20638, @pippolo84)
* Remove deprecated `spec.eni.{min-allocate,pre-allocate,max-above-watermark}` parameters (#21951, @obaranov1)
* Remove IPVLAN support following the deprecation in v1.11. (#20453, @pchaigno)
* sctp: Handle SCTP when correlating Endpoints to services. (#21490, @DolceTriade)
* service: Improve memory usage when handling update of a big service. (#20410, @alan-kut)
* Sign container images with cosign (#21739, @sandipanpanda)
* Support configuring metricsRelabelings on ServiceMonitors (#21051, @chancez)
* Support L4 any port policy. (#21185, @liuxu623)
* Support new hubble metrics context: "labelsContext" (#21079, @chancez)
* The CNI configuration file is now written only after the agent has successfully started up. Configuring a custom CNI configuration file is now simpler and more reliable. See the docs for more details. (#21375, @squeed)
* The default CNI version is now v0.4.0. Cilium now supports the CNI CHECK action. (#20956, @squeed)
* Traffic addressed to a service IP is dropped, if no backend is available. (#22388, @julianwiedmann)
* Traffic can now be redirected to Envoy listeners via Cilium Network Policy `listener` option. (Backport PR #22822, Upstream PR #21600, @jrajahalme)
* Update cilium agent Grafana dashboard to filter by pod (#20307, @ungureanuvladvictor)
* Update connectivity tests for clusters running NodeLocal DNSCache with Local Redirect Policy. (#20086, @eminaktas)
* Update Helm Chart to use Hubble-UI v0.10.0 images by default. (Backport PR #23500, Upstream PR #23184, @pjbgf)
* When combining XDP Nodeport Acceleration with Egress Gateway, forwarding the EgressGW reply traffic no longer requires a specific iptables configuration on the Gateway node. (#20837, @julianwiedmann)
* XDP NodePort Acceleration can also be used for clusters in tunnel mode. (#21364, @julianwiedmann)

**Bugfixes:**
* `node-init` now takes `enableIPv4Masquerade` into account on GKE. (#19533, @bmcustodio)
* Add EndpointSlice support for clustermesh-apiserver (#20697, @YutaroHayakawa)
* Add missing inner IP header in ICMP error-reply packet (#21234, @nnbu)
* Added Agent init check that removes all CiliumEndpoints referencing local Node that are not managed. This fixes issues where sometimes CiliumEndpoints referencing still running Pods can become unmanaged during Cilium restart. (#20350, @tommyp1ckles)
* alibabacloud: Fix create ENI failure: The specified parameter "SecondaryPrivateIpAddressCount" is not valid (#21828, @jaffcheng)
* bpf: add drop notification for missed L7 LB tailcall in to-netdev (Backport PR #22822, Upstream PR #22679, @julianwiedmann)
* bpf: Add send_trace_notify hook for redirect_direct_{v4,v6} (#20479, @qmonnet)
* bpf: always track egress gateway connections (#21499, @jibi)
* bpf: Don't emit policy verdict post-L7 (#20245, @joestringer)
* bpf: lb: catch write error in lb6_xlate() (Backport PR #23147, Upstream PR #23075, @julianwiedmann)
* bpf: lb: fix check for L3 pseudo-hdr csum update in lb6_xlate() (Backport PR #23001, Upstream PR #22953, @julianwiedmann)
* bpf: nat: fix snat_v4_can_skip() for egress gateway (Backport PR #23500, Upstream PR #23274, @jibi)
* bpf: nodeport: fix drop notification in IPv6 revNAT (#22543, @julianwiedmann)
* bpf: nodeport: fix tracing for handle_nat_fwd() (Backport PR #23001, Upstream PR #22678, @julianwiedmann)
* bpf: nodeport: handle revDNAT for local backends at to-netdev/to-overlay (Backport PR #23232, Upstream PR #22756, @julianwiedmann)
* bpf: nodeport: wire up trace aggregation for rev_nodeport_lb6() (Backport PR #22835, Upstream PR #22794, @julianwiedmann)
* bpf: Provision HostPort also for case of Maglev (#20379, @borkmann)
* bug: Fixed a rare CiliumIdentity race deletion. (#19936, @nathanjsweet)
* bugtool: Fix pprof default ports (#21497, @pippolo84)
* Cilium now prefers the `kubernetes.io/ingress.class` annotation over the `spec.ingressClassName` field when handling a new Ingress (Backport PR #23500, Upstream PR #22629, @nikhiljha)
* Cilium-envoy now sets option to allow (source) port reuse when binding to a source address of a pod for upstream connections. (#20996, @jrajahalme)
* cilium-health status: fix endpoint reachability in succinct view (Backport PR #23687, Upstream PR #23506, @giorio94)
* cilium/cmd: check datapath mode on running daemon (#21304, @tklauser)
* cilium: make error message, not segfault (#20138, @aspsk)
* Clear stale CNP status nodes if updates have been disabled (#20366, @pippolo84)
* clustermesh-apiserver: fix key name for delete during k8s->kvstore sync (#21078, @tklauser)
* clustermesh: Add missing brackets of IPv6 address for etcd option (Backport PR #23147, Upstream PR #22962, @YutaroHayakawa)
* clustermesh: close etcd connection on config retrieval error (Backport PR #23687, Upstream PR #23466, @giorio94)
* clustermesh: make global and shared service annotations behavior uniform (Backport PR #23500, Upstream PR #23298, @giorio94)
* daemon, option: Fix vlan bpf bypass ids loading (#20282, @pippolo84)
* daemon: avoid nil pointer dereference on invalid endpoint state (#21449, @tklauser)
* daemon: Call initEnv from start hook to avoid data race (#21232, @joamaki)
* daemon: Do not remove PERM L2 entries in L4LB (Backport PR #22822, Upstream PR #22676, @brb)
* daemon: Fix a nil dereference on cleanup when DNS proxy is not enabled (#21365, @joamaki)
* daemon: Fix BPF host routing can't be enabled if the devices are wildcard (Backport PR #23232, Upstream PR #23009, @ysksuzuki)
* daemon: Fix issue where stale router IPs were not cleaned up (#20389, @gandro)
* datapath: allow local NodePort traffic for `eni+` container interfaces with CNI chaining (#21126, @ti-mo)
* datapath: Fix L7 ingress with XDP (Backport PR #23147, Upstream PR #22985, @brb)
* Do not enable health checks if only Terminating backends are present on a Node which is selected by a Service with `externalTrafficPolicy: Local` Service (#21062, @zuzzas)
* Do not let the bandwidth manager decrease existing sysctl values. (#22468, @ArthurChiao)
* docs: Update Cilium Sphinx RTD Theme reference (#22321, @kimstacy)
* egressgw: ensure stale IP routes/rules are deleted (Backport PR #23500, Upstream PR #23286, @jibi)
* Eliminate a delay between new node creation and creation of ENIs (#21027, @wu0407)
* Ensure that Cilium CNI in delegated-plugin IPAM mode avoids leaking IPs even when the network namespace has been deleted. (#20630, @wedaly)
* Ensure that the DNS proxy picks a new port if the previously-used port is unavailable. (#20896, @NikhilSharmaWe)
* Envoy version checking is now disabled whenever L7 proxy is disabled too (#20440, @bmcustodio)
* envoy: Fix lock leak in config validation failure (Backport PR #23147, Upstream PR #23077, @joestringer)
* etcd kvstore: rate limit watch retries on list errors (Backport PR #23687, Upstream PR #23467, @giorio94)
* Fail validate-cnp preflight check if a CiliumClusterwideNetworkPolicy is using an empty toEndpoints/fromEndpoints selector (#21990, @thorn3r)
* Fix a bug where Hubble flows-to-world metric doesn't count dropped flows when syn-only flag is used. (Backport PR #23500, Upstream PR #23470, @michi-covalent)
* Fix a crash in `cilium bpf endpoint delete` when run without arguments. (#21349, @farcaller)
* Fix a data race in dnsproxy which could lead to DNS requests drops. (Backport PR #22822, Upstream PR #22619, @aspsk)
* Fix agent deadlock caused by frequent kube-apiserver IP recycling (#21629, @joestringer)
* Fix bug in AlibabaCloud where vSwitches could not be matched (#21635, @haozhangami)
* Fix bug that can cause some traffic covered by an L7 policy to be dropped when IPsec is enabled on EKS. (#21595, @pchaigno)
* Fix bug that caused ingress policies to be enforced twice when running with tunneling and endpoint routes. (Backport PR #22822, Upstream PR #22333, @pchaigno)
* Fix bug that could lead to inconsistent pod IP information between agents, sometimes leading to a failure to decrypt IPsec traffic. (#22127, @aanm)
* Fix bug where Cilium would crash on startup with an error about being unable to delete iptables rules. (#20885, @jibi)
* Fix bug where configuring the API rate limiter options could fail when providing multiple options (#22299, @thorn3r)
* Fix bug where traffic sent outside the cluster via ToFQDNs policy would be denied despite a policy that allows it (#20721, @joestringer)
* Fix bugs where ciliumendpoints for statefulset pods were being incorrectly overwritten/deleted (Backport PR #23147, Upstream PR #21768, @tommyp1ckles)
* Fix Cilium fatal "Could not create or update CiliumNode resource, despite retries" on environments with `enable-ipv4-egress-gateway` (#22298, @aanm)
* Fix cilium-bugtool --k8s-mode (#22160, @tbalthazar)
* Fix config map options validation (#20304, @pippolo84)
* Fix conflicting routes for multiple ENIs in IPAM mode (#20112, @recollir)
* Fix double-accounted RX packets in CT statistics when Nodeport is in use. (Backport PR #23147, Upstream PR #22810, @julianwiedmann)
* Fix drop of large packets redirected through an egress gateway node when running in native routing mode. (#20269, @pchaigno)
* Fix ENI leak in Alibaba due to miscounting of empty interface slots (#21800, @jaffcheng)
* Fix forwarding of the security identity by the DNS proxy which could cause random policy denials (#22361, @aspsk)
* Fix GC of CEPs that were not GCed by kube-apiserver (#22213, @aanm)
* Fix identity garbage collection in clustermesh environments (#20931, @aanm)
* fix identity gc to return correct max/min id (#20361, @dkhachyan)
* Fix ineffective post-start hook in ENI mode (#20741, @bmcustodio)
* fix k8s latency metrics label cardinality (#20831, @aanm)
* Fix label ordering in Hubble TCP metrics with contextOptions (#21824, @lambdanis)
* Fix masquerading bug that caused kube-proxy to pick the wrong IPv4 address in case of tunneling with endpoint routes. (Backport PR #23500, Upstream PR #23241, @pchaigno)
* Fix missing node neigh metric for counting arping requests (Backport PR #23001, Upstream PR #22930, @christarazi)
* Fix mtu setting for tunnel interface in init.sh (#20552, @ChengyuanLiCY)
* Fix node label synchronization in the KVStore when IPSec configuration changes (#21087, @aanm)
* Fix overlapping/duplicate PodCIDR allocation when nodes are added while operator is down (#21526, @dylandreimerink)
* Fix packet drops when service pod connects to itself via clusterIP, and selected by an ingress policy. (Backport PR #23147, Upstream PR #22972, @aditighag)
* Fix panic during Cilium initialization when a NetworkPolicy with a named-port selected a pod running on that node. (#20911, @aanm)
* Fix parsing of string map command line options when more than one separator is present. (#20673, @tklauser)
* Fix race condition in DNS proxy when multiple DNS requests for the same name end up with policy drops, even though the traffic is allowed (Backport PR #22822, Upstream PR #22252, @christarazi)
* Fix regression with cilium-health-probe controller in IPv6-only clusters (#20849, @aanm)
* Fix socket-lb tracing in environments with systemd and container runtimes like containerd, crio, and docker. (Backport PR #23001, Upstream PR #22773, @aditighag)
* Fix the bugs when empty CiliumEndpointSlices were created and leaked. (#20251, @alan-kut)
* Fix Wireguard connectivity issues when using kvstore mode (#21080, @aanm)
* fix: missing clustermesh metrics when more than one remote cluster is configured (#22033, @rcanderson23)
* fix: some tofqdn flags not being parsed (#22346, @carloscastrojumo)
* Fixed bug where the BGP Control Plane would ignore annotations on the node objects (#23276, @dylandreimerink)
* Fixed CCNP garbage collection (#21394, @zuzzas)
* Fixed PodCIDR announcement being overwritten by SVC announcement (#20413, @dylandreimerink)
* Fixes `semaphore_rejected_total` metric and adds new `scope` to `proxy_upstream_reply_seconds` metric. (#21267, @rahulkjoshi)
* Fixes a deadlock that can be exposed in high-churn clusters when Pods are deleted rapidly. (#21771, @squeed)
* Fixes cilium startup on certain AWS-VPC clusters. (#21444, @squeed)
* Fixes typos in enabling fqdn_semaphore_rejected_total metric (#20893, @rahulkjoshi)
* For configurations with Egress Gateway and Direct-Routing, avoid recreating the cilium_vxlan interface on every restart. (#20780, @julianwiedmann)
* helm: Add check for apparmor annotations (#21008, @sayboras)
* helm: Add relabelings config to ServiceMonitors and re-introduce node label on cilium/hubble metrics (#22297, @chancez)
* helm: Delete validations for certManagerIssuerRef (Backport PR #23284, Upstream PR #22921, @Shunpoco)
* helm: Fix cluster-id arguments in clustermesh deployment (#20312, @sayboras)
* helm: Guard apply sysctl init container (#20643, @sayboras)
* helm: Set KPR default to "disabled" for >= 1.12 (#20610, @brb)
* Helm: Use the correct operator.dnsPolicy value for the operator deployment template (#20844, @michi-covalent)
* hubble/parser/threefour: check (*Parser).linkGetter before accessing it (#20446, @tklauser)
* hubble: handle SCTP port in flows to world metrics (Backport PR #23687, Upstream PR #23607, @rolinh)
* Improve garbage collection for FQDNs particularly with high-churn IP names such as Amazon S3. (#22510, @joestringer)
* ingress/model: Support multiple certs based on SNI (Backport PR #23232, Upstream PR #22671, @sayboras)
* ingress: Support clustermesh service affinity (#20853, @sayboras)
* ipam/crd: Fix router initialization fatal when ENI data race happens (Backport PR #22822, Upstream PR #22477, @jaffcheng)
* ipcache/kvstore: fix panic when processing ip=<nil> entries (#20706, @ArthurChiao)
* ipcache: Fix metadata access from CIDR allocation (#21565, @joestringer)
* ipsec: Fix incorrect parsing of SPI from mark (#20900, @pchaigno)
* ipsec: Fix packet mark for FWD XFRM policy (Backport PR #23500, Upstream PR #23254, @pchaigno)
* ipsec: fix stale keys reclaim logic (#19932, @jibi)
* iptables: handle case where kernel IPv6 support is disabled (#20680, @jibi)
* k8s/watchers: fix panic in CiliumEndpoint labels update (#20865, @jaffcheng)
* kvstore/allocator: fix panic on receiving invalid identity entries (#21213, @ArthurChiao)
* metrics: fix ts_events API timestamp only emitting zero and unbounded scope label cardinality issue. (#20977, @tommyp1ckles)
* nodediscovery: make LocalNode return a deep copy of localNode (#20392, @jibi)
* nodeinit: Move kubelet version check to expected branch (#21772, @dctrwatson)
* operator: do not GC kvstore nodes if CiliumNodes are not available (#21133, @aanm)
* operator: fix key name for delete during k8s->kvstore sync (#20968, @tklauser)
* operator: update CiliumNode in kvstore without lease (#21202, @tklauser)
* Optimize Eni update latency after new eni created (#20609, @wu0407)
* pkg/k8s/version: Also set EndpointSlice when forcing version (#20383, @joamaki)
* pkg/k8s/watcher: fix deadlock crash that occurs when handling endpoint and service updates. (#21093, @tommyp1ckles)
* policy: Add type check to avoid panic (#20781, @sayboras)
* Preserve instruction metadata when inlining global constants (#21933, @ti-mo)
* Prevent cilium operator crash in AWS region with IPv6-only ENIs without subnet filters. (#22075, @bimmlerd)
* proxy: Fix deadlock in error path of CreateOrUpdateRedirect (Backport PR #23500, Upstream PR #23377, @gandro)
* Reduce the risk of packet fragmentation on IPv6 when using KPR with DSR mode. (Backport PR #23500, Upstream PR #23235, @julianwiedmann)
* Remove no longer available dockershim flags in kubelet wrapper (#21311, @pippolo84)
* Restore patch in ciliumnetworkpolicies/status ClusterRole (#20373, @pippolo84)
* vtep: fix pod src identity in send_trace_notify (#19434, @vincentmli)
* When systemd-sysctl sets the rp_filter sysctl, tolerate missing lxc_* / cilium_* interfaces. (#21146, @julianwiedmann)

**CI Changes:**
* .github/workflows: bump ubuntu version for code-ql (#22505, @aanm)
* .github: add debug for codeql (#22607, @aanm)
* .github: Explicitly set build-commits job runner image version and install libtinfo5 (#22315, @chancez)
* .github: fix bpf-checks on ubuntu-latest runner (#22322, @julianwiedmann)
* .github: Pin docker buildx version to v0.9.1 (v2) (Backport PR #23233, Upstream PR #23220, @joestringer)
* .github: set do not use provenance from docker buildx (Backport PR #23500, Upstream PR #23431, @aanm)
* .travis.yml: disable arm64-graviton2 (#20340, @tklauser)
* [v1.13] ci: update cilium-cli to v0.12.12 in v1.13 workflows (#23129, @tklauser)
* Add a Node/CiliumNode test based on control-plane framework (#20622, @pippolo84)
* Add CNPs stale node updates GC controlplane test (#22365, @pippolo84)
* Add identities GC test based on control-plane framework (#20924, @pippolo84)
* bpf: Minor IPsec improvements (#20808, @pchaigno)
* bpf: test: fix xdp_lb4_forward_to_other_node test (Backport PR #23147, Upstream PR #23018, @julianwiedmann)
* certloader flake fixes (Backport PR #23500, Upstream PR #22995, @kaworu)
* CI: Add AKS helm overrides for E2E test (#21277, @vipul-21)
* ci: bump external workloads workflow timeouts (#21136, @tklauser)
* ci: Do not connect to Hubble for tests where flow-validation is disabled (#22068, @gandro)
* CI: Enable IPv6 in the L4LB suite (#20821, @brb)
* ci: fix AKS workflow for 1.12 branch (#20533, @nbusseneau)
* ci: fix code changes detection on `push` events (#20685, @nbusseneau)
* ci: include v1.11 and v1.12 branches in CI image garbage collection (#20528, @tklauser)
* ci: Move HostPort test from Jenkins CI to the ConformanceKind GitHub Action (#21130, @gandro)
* CI: multi kernel DP conformance (#21465, @brb)
* ci: pick up cilium-cli v0.11.10 for master, v1.11 and v1.12 workflows (#20360, @tklauser)
* ci: pick up cilium-cli v0.11.11 for master, v1.11 and v1.12 workflows (#20420, @tklauser)
* ci: pick up cilium-cli v0.12.0 for master, v1.11 and v1.12 workflows (#20617, @tklauser)
* ci: remove workaround to clean up stale rbac objects (Backport PR #23500, Upstream PR #23123, @squeed)
* ci: Replace deprecated `hubble observe -o json` with `-o jsonpb` (Backport PR #22822, Upstream PR #22796, @gandro)
* CI: Revert "bpf_test: Skip instead of Fatal TestBPF when -bpf-test-path is not set" (#22043, @sahid)
* ci: switch to google-github-actions/auth for GKE based workflows (#21212, @tklauser)
* ci: switch to OIDC authentication for `az` CLI (#20489, @nbusseneau)
* ci: unquarantine failing test on net-next (#20310, @ysksuzuki)
* ci: update AWS VPC CNI plugin for AWS-CNI workflow in v1.11/v1.12 branches (#20318, @tklauser)
* ci: update cilium-cli to v0.12.1 for master, v1.11 and v1.12 workflows (#20817, @tklauser)
* CI: update cilium-cli to v0.12.10, force deploy connectivity test pods on GKE (#22441, @tklauser)
* ci: update cilium-cli to v0.12.11 for master, v1.11 and v1.12 workflows (#22494, @tklauser)
* ci: update cilium-cli to v0.12.4 for master, v1.11 and v1.12 workflows (#21388, @tklauser)
* ci: update cilium-cli to v0.12.7 for master, v1.11 and v1.12 workflows (#22140, @tklauser)
* ci: Update docs-builder image for documentation workflow (#21040, @qmonnet)
* ci: Update docs-builder image for documentation workflow (Backport PR #23687, Upstream PR #23598, @qmonnet)
* CI: Use custom Kind node image, get rid of Vagrant from L4LB job, disable BIGTCP test case (#20682, @brb)
* CI: Using the same function for Native CIDR for GKE and AKS (#21701, @vipul-21)
* cilium/cmd, test/runtime: convert test loading invalid policy JSON to unit test (#20512, @tklauser)
* config: Fix unit tests for native routing CIDR (#20473, @pchaigno)
* conformance-gke-v1.12: Miscellaneous fixes (#21613, @michi-covalent)
* contrib/scripts: Add check for use of viper's default instance (#22445, @joamaki)
* controlplane developer improvements (#21141, @aanm)
* controlplane: Add support for FieldSelectors and fix NodePort golden output (#21105, @joamaki)
* Create a composite action to define environment variables (#21156, @michi-covalent)
* ctmap: fix-up host_local flag in the DSR NAT entry for GC test (Backport PR #23147, Upstream PR #23037, @julianwiedmann)
* daemon/cmd: improve stale cilium endpoint error handling. (Backport PR #22822, Upstream PR #22600, @tommyp1ckles)
* dependabot: add configuration for Python module updates (#20941, @tklauser)
* dependabot: monthly update of cloud provider SDK Go modules (#22489, @tklauser)
* docs: Bump up Netlify Python version to 3.8 (#20486, @michi-covalent)
* egressGW: test improvements (#21385, @julianwiedmann)
* examples: Use https when testing connectivity to 1.1.1.1 (#22180, @brb)
* Fix ClusterMesh test flake (#22449, @aanm)
* Fix TestBPF (#22084, @tklauser)
* Fix when install k8s-1.25, no need cni install (#22355, @yanggangtony)
* fqdn/dnsproxy: Rewrite dnsproxy benchmark (#21895, @odinuge)
* gh/workflows: Add 4.19 kernel to the CI DP conformance (#22022, @brb)
* gh/workflows: Add datapath conformance suite (#21071, @brb)
* gh/workflows: Add DP CI for encryption (Backport PR #22822, Upstream PR #22418, @brb)
* gh/workflows: ci-datapath updates (Backport PR #23147, Upstream PR #22811, @brb)
* gh/workflows: Disable BPF masq in ci-datapath (Backport PR #23284, Upstream PR #23171, @brb)
* gh/workflows: Enable IPv6 in ci-datapath (Backport PR #23500, Upstream PR #23120, @brb)
* gh/workflows: Enable kube-proxy in some of DP conformance tests (#22062, @brb)
* gh/workflows: Extend ci-datapath config to include lb-mode and endpoint-routes (Backport PR #23147, Upstream PR #22825, @brb)
* gh/workflows: Make cilium status to wait in DP suite (#21501, @brb)
* gh/workflows: Pin lvh to v0.0.1 (#21525, @brb)
* gh/workflows: Set LVH image version to 5.10 (#21425, @brb)
* gh/workflows: stop using ubuntu-18.04 runner (#21015, @julianwiedmann)
* gh/workflows: tune LVH VM params (#22425, @brb)
* gh/workflows: Update L4LB 1.1{0,1,2} jobs (#20917, @brb)
* gh/workflows: Add connectivity tests to DP conformance (#21384, @brb)
* gh: bump timeout for ConformanceGKE (#21321, @julianwiedmann)
* gha: Add lb4lb test for v1.12 branch (#20402, @sayboras)
* gha: Add retry mechanism for conformance ingress (shared) (Backport PR #22822, Upstream PR #22673, @sayboras)
* gha: Pin minikube version used in CI (Backport PR #23232, Upstream PR #23099, @sayboras)
* gha: Remove debug logs in conformance tests (#21123, @sayboras)
* gha: Rename ConformanceKind1.19 to ConformanceKind (Backport PR #23687, Upstream PR #23534, @sayboras)
* github: Add -t -d to GKE connectivity tests (#20846, @brb)
* jenkinsfiles: fix docker manifest inspect commands in GKE pipeline (#20325, @tklauser)
* k8s: fix test flake in TestGenerateToCIDRFromEndpoint. (#21220, @tommyp1ckles)
* kind.sh: Retry pulling docker registry image (#21566, @michi-covalent)
* mlh: update Jenkins jobs following 1.25 support (#21104, @nbusseneau)
* mlh: update Jenkins jobs following 1.26 support (#22415, @nbusseneau)
* per-node config improvements: testing, null selector, cleanups (Backport PR #23147, Upstream PR #22950, @squeed)
* Pin gcloud CLI version (#21885, @michi-covalent)
* pkg/monitor/format: add fuzzer (#21968, @AdamKorcz)
* Provide Go file patterns to `go test`, removing for loops in Makefile (#21560, @ti-mo)
* Prune runtime/net_policies.go (#21140, @nebril)
* Push workflow status to Loki (#21238, @michi-covalent)
* Read quay organization names from env variables (#21197, @michi-covalent)
* Read quay.io organization names from secrets (#21110, @michi-covalent)
* Refactor the operator code to ease control-plane testing (#20847, @pippolo84)
* Remove cassandra and kafka runtime tests (#20765, @tklauser)
* Remove old Ginkgo based test on CiliumNode labels (#20759, @pippolo84)
* Remove Slack notifications (#21239, @michi-covalent)
* Remove tests-nightly.yaml (#21362, @michi-covalent)
* Remove the Bookinfo Test (#20934, @nathanjsweet)
* Replace `privileged_tests` build tag with `PRIVILEGED_TESTS` environment variable (#20769, @ti-mo)
* Revert ".travis.yml: disable arm64-graviton2" (#20568, @tklauser)
* Revert "dependabot: monthly update of cloud provider SDK Go modules" (#22571, @pippolo84)
* Revert "images/cilium-test: New test suite image" (Backport PR #23687, Upstream PR #22657, @pchaigno)
* Run 'go test' with CGO_ENABLED=0 (#21663, @ti-mo)
* Run tooling in module mode by removing GO111MODULE=off (#21606, @ti-mo)
* Set up env variables for build-and-push-with-qemu job (#21233, @michi-covalent)
* test/control-plane: Add tests for service load-balancing (#20320, @joamaki)
* test/controlplane: add 1.25, remove 1.23, bump all patch versions (#21286, @squeed)
* test/e2e: Clean up cli tests (#21152, @sayboras)
* test/e2e: Cleanup net_policies tests (#21114, @sayboras)
* test/e2e: Remove GuestBook test in net_policies.go (#21274, @sayboras)
* test/helpers: Fix retry condition for CiliumExecContext (Backport PR #22822, Upstream PR #22726, @christarazi)
* test/helpers: Fix variadic expansion related panic (#20332, @christarazi)
* test/k8s/manifests: bump test-verifier image to latest version (#20461, @tklauser)
* test/k8s: remove l7_demos test (#20619, @tklauser)
* test/k8s: Remove replaced service load-balancing tests (#20762, @joamaki)
* test/k8s: Remove some encryption tests (Backport PR #23500, Upstream PR #22830, @brb)
* test/k8s: remove unused manifests and image constants (#20693, @tklauser)
* test/k8s: remove unused test manifests and TLS cert/key (#21116, @tklauser)
* test/l4lb, nat64x46: pass k8s api server to the standalone proxy (Backport PR #22822, Upstream PR #22627, @squeed)
* test/l4lb,nat46x64: Replace Kind/Helm with DinD (Backport PR #23242, Upstream PR #22653, @brb)
* test/runtime: remove disabled memcache test (#20132, @tklauser)
* test/runtime: remove netperf benchmarks (#20539, @tklauser)
* test: add external_endpoints file for v1beta1 (#21242, @aanm)
* test: add ownership SIG for each ginkgo context (#21315, @aanm)
* test: Allow rerunning K8sUpdates locally (#22149, @pchaigno)
* test: Collect CiliumNodes objects as part of the test artifacts (#22152, @pchaigno)
* test: datapath_configuration: add -w to iptables commands (#21014, @jibi)
* test: Do not start cilium monitor in K8sServicesTest (#20499, @brb)
* test: egressgw: also test with XDP and tunnel mode (Backport PR #23500, Upstream PR #23193, @julianwiedmann)
* test: Extend checkReady condition (#21337, @brb)
* test: fix up the number of pods in DemoDaemonSet (#21588, @julianwiedmann)
* test: Keep trying exec if killed (#22570, @jrajahalme)
* test: Move log-gatherer image to Quay (#22363, @pchaigno)
* test: net_policies: delete custom IP routes after test completion (#21857, @julianwiedmann)
* test: print log messages that need to be investigated (Backport PR #23500, Upstream PR #23338, @aanm)
* test: Quarantine TLS test for now (Backport PR #23001, Upstream PR #22684, @jrajahalme)
* test: Remove e2e graceful termination test cases (#20618, @brb)
* test: Remove flaking test (#22403, @jrajahalme)
* test: Remove IPsec + ep routes + VXLAN from ginkgo tests (Backport PR #23687, Upstream PR #23505, @pchaigno)
* test: remove kube-proxy-replacement: probe from upstream tests (#22353, @aanm)
* test: remove nightly test leftovers (#20526, @tklauser)
* test: Remove sockops test cases (#20500, @brb)
* test: service: fix formatting of error msg in doFragmentedRequest() (Backport PR #22822, Upstream PR #22772, @julianwiedmann)
* test: service: wait for frontend entry (#21859, @julianwiedmann)
* test: Specify `test/k8s` directory on `k8s_install.sh` to modify pulling images (#22530, @Shunpoco)
* test: Switch back to official kind image (#20834, @brb)
* tests: add exception for etcd error (Backport PR #23500, Upstream PR #23334, @aanm)
* Update AWS VPC CNI plugin to 1.11 in docs and v1.10 branch (#20329, @tklauser)
* Update cilium-iproute2 (#20549, @pchaigno)
* Update Coccinelle (#20468, @pchaigno)
* vagrant: Bump 4.9 Vagrant box (Linux 4.9.326, to fix a kernel bug) (#21106, @qmonnet)
* vagrant: Bump net-next VM image version (#22085, @pchaigno)
* vagrant: Bump Vagrant box versions (#20469, @pchaigno)
* vagrant: Bump Vagrant box versions (#20980, @pchaigno)
* vagrant: Bump Vagrant net-next box version (#20660, @pchaigno)
* vagrant: update box versions (#20596, @tklauser)
* vagrant: update box versions (#20861, @tklauser)
* workflow: disable tests pod-to-world and pod-to-cidr (#22475, @brlbil)
* workflow: Reenable IPsec tests in EKS for v1.12 (#22618, @pchaigno)
* workflow: Workaround EKS flake (#22590, @pchaigno)
* workflows: add wait for no operation for cleaning up GKE (#22350, @brlbil)
* workflows: aks: bump timeout to 60m (#22359, @jibi)
* workflows: aks: collect sysdumps for each failing test (#22291, @jibi)
* workflows: aks: enable debug (#22287, @jibi)
* workflows: Bump timeout of ConformanceKind workflow (#22072, @pchaigno)
* workflows: Bump timeout of master GKE workflow (#22087, @pchaigno)
* workflows: Collect a final sysdump on AKS (#22537, @pchaigno)
* workflows: Collect sysdumps on failures (#22538, @pchaigno)
* workflows: fix skip condition for encryption tests in datapath conformance (Backport PR #23001, Upstream PR #22763, @tklauser)
* workflows: Reduce verbosity of connectivity tests (#22605, @pchaigno)
* workflows: Reduce verbosity of connectivity tests on AKS (#22536, @pchaigno)

**Misc Changes:**
* .clomonitor: Update CLOMonitor checks exemptions (#22371, @sandipanpanda)
* .github/dependabot.yaml: remove image updates (#22114, @aanm)
* .github/workflows: add version number in GH action (#23624, @aanm)
* .github/workflows: fix external contribution detection (Backport PR #23500, Upstream PR #23406, @aanm)
* .github/workflows: fix typo in organization parameter (Backport PR #23500, Upstream PR #23424, @aanm)
* .github/workflows: PR labeler fix GH workflow if expression (Backport PR #23500, Upstream PR #23482, @aanm)
* .github/workflows: print author association (#22606, @aanm)
* .github/workflows: set right secret name (Backport PR #23500, Upstream PR #23437, @aanm)
* .github/workflows: split the image tag update in two steps (#22268, @aanm)
* .github/workflows: use right event type for auto labeler (#22508, @aanm)
* .github: add kind/community-report to newly open issues (#22058, @aanm)
* .github: add more operations per run in stale bot (#20409, @aanm)
* .github: add more operations per run in stale bot (#20429, @aanm)
* .github: add original authors of bugs as reviewers (#21478, @aspsk)
* .github: add PR labeler for external contributions (#22461, @aanm)
* .github: pin alpine versions to 3.16 in stable branches (#22374, @aanm)
* .github: update right project for v1.12 branch (#20690, @aanm)
* [docs] Add training and support information to Getting Help (#20194, @lizrice)
* [feature branch merge] docs: restructure Getting Started section (#20681, @qmonnet)
* A couple of changes in bpf/nat to help adding new support of ICMP types (#22004, @sahid)
* Add --pprof-debug args to cilium-bugtool (#22282, @yanggangtony)
* Add `bpf policy list` command (#20277, @Thearas)
* Add a helper to assist net.IP -> netip.Addr conversion (#21183, @YutaroHayakawa)
* Add a section with distro-specific considerations (#21064, @bmcustodio)
* Add ArgoCD issues notes in the official documentation (#20313, @Kikiodazie)
* Add automatic creation of Cilium base images (#22179, @aanm)
* Add Cilium configuration documentation (Backport PR #23001, Upstream PR #22744, @squeed)
* Add Cilium debugger images and default debugging configuration for kind, vscode (#21108, @joestringer)
* add commit Sign-Off for renovate commits (#22101, @aanm)
* Add Edgeless Systems to Users (#21520, @m1ghtym0)
* Add ESP to firewall requirements in documentation for IPSec enabled C… (#20314, @Kikiodazie)
* Add F5 as Cilium integration third party vendor (#20324, @vincentmli)
* add frsca to users.md (#22071, @pxp928)
* add Giant Swarm as Cilium User (#21319, @bavarianbidi)
* Add helm-toolbox image for helm docs, lint (#20236, @joestringer)
* Add Immerok to USERS.md (#21714, @austince)
* add k8e to the Users doc (#20321, @xiaods)
* add Kryptos Logic to Users doc (#20284, @xmulligan)
* add kubeasz to users (#20300, @gjmzj)
* add kvstore TTL flag in cilium-operator (#21006, @NikhilSharmaWe)
* Add Magic Leap to USERS.md (#21193, @romachalm)
* Add metric to track terminating endpoint events (#20404, @aditighag)
* add missing bpftool vtep map dump in cilium bugtool (#21848, @vincentmli)
* Add missing egressGateway/SRV6 Go struct field align tag (#21363, @vincentmli)
* add more configuration to .github/renovate.json (#22108, @aanm)
* add Nine Internet Solutions AG to users (#20380, @thirdeyenick)
* Add option to configure the resources of the init container and the container of etcd in the apiserver pods. (#22392, @shaardie)
* Add Peer Service to Cilium DS Port List (#20296, @nathanjsweet)
* Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (#22163, @squeed)
* Add Plaid to USERS.md (#20426, @diversario)
* Add PlanetScale to USERS.md (#20334, @dctrwatson)
* add policy fuzzers (#22038, @AdamKorcz)
* add renovate (#22080, @aanm)
* Add Schuberg Philis to the USERS.md (#20614, @marwinbaumannsbp)
* add solo.io to the list of users/vendors (#20257, @linsun)
* Add sphinxcontrib-googleanalytics to doc requirements (Backport PR #22822, Upstream PR #22821, @chalin)
* Add SuperOrbital to Cilium users (#20323, @jmcshane)
* Add tests for hubble metrics handlers (Backport PR #22822, Upstream PR #22518, @marqc)
* ADD to USERS.md Kilo and Sapian (#21503, @arpagon)
* add vtep bpf complexity test in bpf_host (#20087, @vincentmli)
* Add vtep map cilium bpf command (#19604, @vincentmli)
* add_vagrant_box.sh: move script to contrib/ (#15859, @qmonnet)
* Added discouragement warnings for MetalLB to docs and agent (Backport PR #23687, Upstream PR #23393, @dylandreimerink)
* Added Kube-Hetzner (#20778, @mysticaltech)
* Added Mobilabs to users (#20355, @xmulligan)
* Added Rafay Systems to the user list (#22250, @Saim-Safdar)
* Added Tetragon to the roadmap (#21338, @xmulligan)
* Added Tetragon to the roadmap (#21372, @xmulligan)
* Added ungleich to USERS.md (#21361, @xmulligan)
* Adding Polverio to Cilium users list (#22256, @stuartpreston)
* Adding Spherity as Users (#20657, @solidnerd)
* Adjust pkg/netns go formatting to make Go1.19 happy (#20862, @aspsk)
* alibabacloud: fix incorrect instance-type reported by cilium-agent (#21495, @ArthurChiao)
* Allocate 10MiB verifier buffer to prevent truncation (#20773, @ti-mo)
* Always insert CEPs into the largest available CES (#20969, @dlapcevic)
* Always use uint32 as ClusterID type. (#20400, @YutaroHayakawa)
* An emeritus section was added to MAINTAINERS (#21335, @xmulligan)
* api: re-sync bpf drop reasons (#20149, @julianwiedmann)
* backporting: leave `backport/author` PRs alone (Backport PR #22822, Upstream PR #22654, @bimmlerd)
* backports: Download correct binary of hub CLI based on architecture (#20629, @chancez)
* bgp: BGP Control Plane modularization (#22183, @dylandreimerink)
* bgp: BGP Control Plane modularization - revised (#22447, @dylandreimerink)
* bgp: Fixed broken bgp speaker unit tests (#20521, @dylandreimerink)
* bpf/nodeport: split ipv4/6 nodeport nat call into egress/ingress (#20425, @sahid)
* bpf: add hairpin flow test (#20414, @dylandreimerink)
* bpf: Added eBPF code coverage reporting (#20230, @dylandreimerink)
* bpf: Check for SRH type on SRv6 decapsulation (#21869, @pchaigno)
* bpf: egressgw: clarify IPSec key for tunnel encapsulation (#22284, @julianwiedmann)
* bpf: Finish rename of BPF programs to cil_ prefix (#20728, @joamaki)
* bpf: fix cb collision for nat46x64 (Backport PR #22948, Upstream PR #23012, @borkmann)
* bpf: fix two warnings/errors when building with clang 15 (#20566, @tklauser)
* bpf: Fixed session affinity test after naming conflict (#20719, @dylandreimerink)
* bpf: Handle tuple collisions for inactive backends (#20407, @borkmann)
* bpf: lb: fix L3 pseudo-hdr csum update for SCTP in __lb6_rev_nat() (Backport PR #23147, Upstream PR #23063, @julianwiedmann)
* bpf: minor cleanups (#21778, @julianwiedmann)
* bpf: minor nodeport cleanups (#22342, @julianwiedmann)
* bpf: nodeport cleanups (#20794, @julianwiedmann)
* bpf: nodeport: fix-up error check in rev_nodeport_lb*() for XDP (Backport PR #23147, Upstream PR #23119, @julianwiedmann)
* bpf: nodeport: NAT64 cleanups (Backport PR #22948, Upstream PR #22915, @julianwiedmann)
* bpf: nodeport: reset EDT aggregate ID for XDP-to-TC tunnel punt (Backport PR #23147, Upstream PR #23029, @julianwiedmann)
* bpf: Relax constant check for dst_id for clang 14+ (Backport PR #23147, Upstream PR #22919, @sayboras)
* bpf: Remove FIB lookup for IPsec (#22069, @pchaigno)
* bpf: Remove unused `ENABLE_L7_PROXY` macro (#21896, @pchaigno)
* bpf: SRv6 support (#20233, @pchaigno)
* bpf: switch egress gateway logic to identity_is_cluster() (#20209, @jibi)
* bpf: Tests for session affinity and bpf-lb-sock-hostns-only (#20615, @dylandreimerink)
* bpf: Updated CoverBee for improved eBPF test coverage reporting (#20661, @dylandreimerink)
* bpf_sockops string constant can use const eSockops replace (#22490, @tanberBro)
* bugtool: Dump envoy config for troubleshooting (#21348, @sayboras)
* bugtool: Dump envoy metrics for troubleshooting (Backport PR #23687, Upstream PR #22797, @sayboras)
* bugtool: Fix URL to blog.ralch.com (#22283, @yanggangtony)
* build(deps): bump 8398a7/action-slack from 3.13.0 to 3.13.2 (#21038, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.10 to 3.0.11 (#21727, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.11 to 3.2.0 (#22843, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.4 to 3.0.5 (#20497, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.5 to 3.0.6 (#20800, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.6 to 3.0.7 (#20869, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.7 to 3.0.8 (#21018, @dependabot[bot])
* build(deps): bump actions/cache from 3.0.8 to 3.0.10 (#21552, @dependabot[bot])
* build(deps): bump actions/cache from 3.2.0 to 3.2.3 (#22992, @dependabot[bot])
* build(deps): bump actions/cache from 3.2.3 to 3.2.4 (#23459, @dependabot[bot])
* build(deps): bump actions/checkout from 3.0.2 to 3.1.0 (#21572, @dependabot[bot])
* build(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 (#21837, @dependabot[bot])
* build(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 (#22961, @dependabot[bot])
* build(deps): bump actions/github-script from 6.3.3 to 6.4.0 (#23420, @dependabot[bot])
* build(deps): bump actions/github-script from 6.3.3 to 6.4.0 (#23535, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.2.0 to 3.2.1 (#20463, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.2.1 to 3.3.0 (#21045, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (#21779, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (#22045, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.3.1 to 3.4.0 (#22483, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#22718, @dependabot[bot])
* build(deps): bump actions/stale from 5.0.0 to 5.1.0 (#20540, @dependabot[bot])
* build(deps): bump actions/stale from 5.1.0 to 5.1.1 (#20686, @dependabot[bot])
* build(deps): bump actions/stale from 5.1.1 to 6.0.1 (#22499, @dependabot[bot])
* build(deps): bump aws-actions/configure-aws-credentials from 1.6.1 to 1.7.0 (#20768, @dependabot[bot])
* build(deps): bump azure/login from 1.4.4 to 1.4.5 (#20266, @dependabot[bot])
* build(deps): bump azure/login from 1.4.5 to 1.4.6 (#21265, @dependabot[bot])
* build(deps): bump azure/setup-helm from 1.1 to 3.3 (#20962, @dependabot[bot])
* build(deps): bump azure/setup-helm from 3.3 to 3.4 (#21910, @dependabot[bot])
* build(deps): bump cilium/little-vm-helper from 4f44430a3c7573023ec58959cd0f88e1d2c00e13 to 9bb7d6016e00968adff49dae192a0be87d9c3aef (#22135, @dependabot[bot])
* build(deps): bump cilium/little-vm-helper from 83d306aeb0b731c4d29f8762f576ff484aa7a69c to 0.0.2 (#22440, @dependabot[bot])
* build(deps): bump cilium/little-vm-helper from 9bb7d6016e00968adff49dae192a0be87d9c3aef to 83d306aeb0b731c4d29f8762f576ff484aa7a69c (#22423, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.0.0 to 3.1.0 (#20593, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.1.0 to 3.1.1 (#20799, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.1.1 to 3.2.0 (#21687, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 (#23116, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.3.0 to 4.0.0 (#23493, @dependabot[bot])
* build(deps): bump docker/login-action from 2.0.0 to 2.1.0 (#21686, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2.0.0 to 2.1.0 (#21688, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2.1.0 to 2.2.0 (#21754, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2.2.0 to 2.2.1 (#21781, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2.2.1 to 2.4.0 (#23460, @dependabot[bot])
* build(deps): bump docker/setup-buildx-action from 2.4.0 to 2.4.1 (#23597, @dependabot[bot])
* build(deps): bump docker/setup-qemu-action from 2.0.0 to 2.1.0 (#21726, @dependabot[bot])
* build(deps): bump dorny/paths-filter from 2.10.2 to 2.11.1 (#21713, @dependabot[bot])
* build(deps): bump github.com/cilium/coverbee from 0.1.5 to 0.2.0 (#20647, @dependabot[bot])
* build(deps): bump github.com/cilium/coverbee from 0.2.0 to 0.2.1 (#20663, @dependabot[bot])
* build(deps): bump github.com/cilium/coverbee from 0.2.1 to 0.2.2 (#20731, @dependabot[bot])
* build(deps): bump github.com/cilium/ebpf from 0.9.0 to 0.9.1 (#20584, @dependabot[bot])
* build(deps): bump github.com/cilium/ebpf from 0.9.1 to 0.9.3 (#21521, @dependabot[bot])
* build(deps): bump github.com/containernetworking/cni from 1.1.1 to 1.1.2 (#20688, @dependabot[bot])
* build(deps): bump github.com/coreos/go-systemd/v22 from 22.3.2 to 22.4.0 (#21358, @dependabot[bot])
* build(deps): bump github.com/coreos/go-systemd/v22 from 22.4.0 to 22.5.0 (#22210, @dependabot[bot])
* build(deps): bump github.com/docker/docker from 20.10.17+incompatible to 20.10.18+incompatible (#21266, @dependabot[bot])
* build(deps): bump github.com/docker/docker from 20.10.18+incompatible to 20.10.21+incompatible (#22231, @dependabot[bot])
* build(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0 (#21880, @dependabot[bot])
* build(deps): bump github.com/go-openapi/errors from 0.20.2 to 0.20.3 (#20870, @dependabot[bot])
* build(deps): bump github.com/go-openapi/loads from 0.21.1 to 0.21.2 (#20922, @dependabot[bot])
* build(deps): bump github.com/go-openapi/runtime from 0.24.1 to 0.24.2 (#21911, @dependabot[bot])
* build(deps): bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#22413, @dependabot[bot])
* build(deps): bump github.com/go-openapi/spec from 0.20.6 to 0.20.7 (#20921, @dependabot[bot])
* build(deps): bump github.com/go-openapi/strfmt from 0.21.2 to 0.21.3 (#20562, @dependabot[bot])
* build(deps): bump github.com/go-openapi/swag from 0.21.1 to 0.22.0 (#20825, @dependabot[bot])
* build(deps): bump github.com/go-openapi/swag from 0.22.0 to 0.22.1 (#20923, @dependabot[bot])
* build(deps): bump github.com/go-openapi/swag from 0.22.1 to 0.22.3 (#20986, @dependabot[bot])
* build(deps): bump github.com/google/go-cmp from 0.5.8 to 0.5.9 (#21245, @dependabot[bot])
* build(deps): bump github.com/hashicorp/consul/api from 1.13.0 to 1.13.1 (#20527, @dependabot[bot])
* build(deps): bump github.com/hashicorp/consul/api from 1.13.1 to 1.14.0 (#20854, @dependabot[bot])
* build(deps): bump github.com/hashicorp/consul/api from 1.14.0 to 1.15.2 (#21658, @dependabot[bot])
* build(deps): bump github.com/hashicorp/consul/api from 1.15.2 to 1.15.3 (#21912, @dependabot[bot])
* build(deps): bump github.com/hashicorp/consul/api from 1.15.3 to 1.17.0 (#22302, @dependabot[bot])
* build(deps): bump github.com/hashicorp/consul/api from 1.17.0 to 1.18.0 (#22549, @dependabot[bot])
* build(deps): bump github.com/kr/pretty from 0.3.0 to 0.3.1 (#21634, @dependabot[bot])
* build(deps): bump github.com/onsi/gomega from 1.19.0 to 1.20.0 (#20621, @dependabot[bot])
* build(deps): bump github.com/onsi/gomega from 1.20.0 to 1.20.2 (#21150, @dependabot[bot])
* build(deps): bump github.com/onsi/gomega from 1.20.2 to 1.22.1 (#21690, @dependabot[bot])
* build(deps): bump github.com/onsi/gomega from 1.23.0 to 1.24.1 (#22391, @dependabot[bot])
* build(deps): bump github.com/osrg/gobgp/v3 from 3.3.0 to 3.4.0 (#20386, @dependabot[bot])
* build(deps): bump github.com/osrg/gobgp/v3 from 3.4.0 to 3.5.0 (#20801, @dependabot[bot])
* build(deps): bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 (#20824, @dependabot[bot])
* build(deps): bump github.com/prometheus/client_golang from 1.13.0 to 1.14.0 (#22048, @dependabot[bot])
* build(deps): bump github.com/prometheus/procfs from 0.7.3 to 0.8.0 (#20662, @dependabot[bot])
* build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.5 to 3.22.6 (#20374, @dependabot[bot])
* build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.6 to 3.22.7 (#20730, @dependabot[bot])
* build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.7 to 3.22.8 (#21168, @dependabot[bot])
* build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.8 to 3.22.9 (#21645, @dependabot[bot])
* build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.9 to 3.22.10 (#21952, @dependabot[bot])
* build(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0 (#20585, @dependabot[bot])
* build(deps): bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (#20268, @dependabot[bot])
* build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.1 (#21875, @dependabot[bot])
* build(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#21215, @dependabot[bot])
* build(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#22267, @dependabot[bot])
* build(deps): bump github.com/stretchr/testify from 1.7.3 to 1.7.4 (#20267, @dependabot[bot])
* build(deps): bump github.com/stretchr/testify from 1.7.4 to 1.7.5 (#20302, @dependabot[bot])
* build(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0 (#20347, @dependabot[bot])
* build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#21953, @dependabot[bot])
* build(deps): bump github.com/tidwall/gjson from 1.14.3 to 1.14.4 (#22395, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.12 to 2.1.13 (#20262, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.13 to 2.1.14 (#20292, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.14 to 2.1.15 (#20341, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.15 to 2.1.16 (#20505, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.16 to 2.1.17 (#20709, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.17 to 2.1.18 (#20783, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.18 to 2.1.19 (#20985, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.19 to 2.1.20 (#21016, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.20 to 2.1.21 (#21089, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.21 to 2.1.22 (#21167, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.22 to 2.1.24 (#21339, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.24 to 2.1.25 (#21397, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.25 to 2.1.26 (#21511, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.26 to 2.1.27 (#21622, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.27 to 2.1.28 (#21780, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.28 to 2.1.29 (#21890, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.29 to 2.1.30 (#21966, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.30 to 2.1.32 (#22165, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.32 to 2.1.35 (#22498, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.35 to 2.1.36 (#22633, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#22736, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.37 to 2.1.38 (#23073, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.38 to 2.1.39 (#23191, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.39 to 2.2.1 (#23419, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.2.1 to 2.2.2 (#23613, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.2.2 to 2.2.3 (#23653, @dependabot[bot])
* build(deps): bump go.etcd.io/etcd/api/v3 from 3.5.4 to 3.5.5 (#21323, @dependabot[bot])
* build(deps): bump go.etcd.io/etcd/api/v3 from 3.5.5 to 3.5.6 (#22334, @dependabot[bot])
* build(deps): bump go.etcd.io/etcd/client/pkg/v3 from 3.5.5 to 3.5.6 (#22335, @dependabot[bot])
* build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.5 to 3.5.6 (#22349, @dependabot[bot])
* build(deps): bump go.opentelemetry.io/otel from 1.11.1 to 1.11.2 (#22621, @dependabot[bot])
* build(deps): bump go.opentelemetry.io/otel/trace from 1.10.0 to 1.11.1 (#21879, @dependabot[bot])
* build(deps): bump go.uber.org/fx from 1.17.1 to 1.18.1 (#20841, @dependabot[bot])
* build(deps): bump go.uber.org/goleak from 1.1.12 to 1.2.0 (#21246, @dependabot[bot])
* build(deps): bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#22229, @dependabot[bot])
* build(deps): bump golang.org/x/net from 0.1.0 to 0.2.0 (#22211, @dependabot[bot])
* build(deps): bump golang.org/x/sys from 0.2.0 to 0.3.0 (#22548, @dependabot[bot])
* build(deps): bump golang.org/x/tools from 0.1.11 to 0.1.12 (#20689, @dependabot[bot])
* build(deps): bump golang.org/x/tools from 0.2.0 to 0.3.0 (#22230, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (#21836, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 (#22110, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (#23253, @dependabot[bot])
* build(deps): bump google-github-actions/auth from 0.8.1 to 0.8.2 (#21728, @dependabot[bot])
* build(deps): bump google-github-actions/auth from 0.8.2 to 0.8.3 (#21741, @dependabot[bot])
* build(deps): bump google-github-actions/auth from 0.8.3 to 1.0.0 (#22059, @dependabot[bot])
* build(deps): bump google-github-actions/setup-gcloud from 0.6.0 to 0.6.1 (#21731, @dependabot[bot])
* build(deps): bump google-github-actions/setup-gcloud from 0.6.1 to 0.6.2 (#21742, @dependabot[bot])
* build(deps): bump google-github-actions/setup-gcloud from 0.6.2 to 1.0.0 (#22060, @dependabot[bot])
* build(deps): bump google-github-actions/setup-gcloud from 1.0.0 to 1.0.1 (#22079, @dependabot[bot])
* build(deps): bump google.golang.org/grpc from 1.47.0 to 1.48.0 (#20515, @dependabot[bot])
* build(deps): bump google.golang.org/grpc from 1.48.0 to 1.49.0 (#21073, @dependabot[bot])
* build(deps): bump google.golang.org/grpc from 1.49.0 to 1.50.1 (#21755, @dependabot[bot])
* build(deps): bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#22348, @dependabot[bot])
* build(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 (#20687, @dependabot[bot])
* build(deps): bump gopkg.in/ini.v1 from 1.66.6 to 1.67.0 (#20826, @dependabot[bot])
* build(deps): bump helm/kind-action from 1.3.0 to 1.4.0 (#21423, @dependabot[bot])
* build(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#22720, @dependabot[bot])
* build(deps): bump jsonschema from 4.4.0 to 4.12.1 (#20976, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.3 to 1.5.4 (#20580, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.4 to 1.5.5 (#21406, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.5.5 to 1.6.0 (#21864, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.6.0 to 1.6.1 (#22592, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.6.1 to 1.7.0 (#23392, @dependabot[bot])
* build(deps): bump library/alpine from 3.16.0 to 3.16.1 in /images/cache (#20586, @dependabot[bot])
* build(deps): bump library/alpine from 3.16.1 to 3.16.2 in /images/cache (#20856, @dependabot[bot])
* build(deps): bump michi-covalent/push-to-loki from 0.2.0 to 0.2.1 (#21308, @dependabot[bot])
* build(deps): bump michi-covalent/push-to-loki from 0.2.1 to 0.2.2 (#21553, @dependabot[bot])
* build(deps): bump mistune from 2.0.2 to 2.0.3 in /Documentation (#20936, @dependabot[bot])
* build(deps): bump nick-invision/retry from 2.7.0 to 2.8.0 (#20782, @dependabot[bot])
* build(deps): bump nick-invision/retry from 2.8.0 to 2.8.1 (#20823, @dependabot[bot])
* build(deps): bump nick-invision/retry from 2.8.1 to 2.8.2 (#21748, @dependabot[bot])
* build(deps): bump pygments from 2.11.2 to 2.13.0 (#20947, @dependabot[bot])
* build(deps): bump requests from 2.27.1 to 2.28.1 (#20952, @dependabot[bot])
* build(deps): bump rstcheck from 3.3.1 to 6.1.1 in /Documentation/requirements-min (#22155, @dependabot[bot])
* build(deps): bump sphinxcontrib-spelling from 7.3.2 to 7.6.0 (#20951, @dependabot[bot])
* build(deps): bump sphinxcontrib-spelling from 7.6.0 to 7.7.0 in /Documentation/requirements-min (#22159, @dependabot[bot])
* build(deps): update package dependencies (Backport PR #23232, Upstream PR #23140, @fengshunli)
* build: Avoid re-building when building docs from the main Makefile (Backport PR #23147, Upstream PR #22979, @jrajahalme)
* build: Bump base image build time for SBOM (Backport PR #23233, Upstream PR #23148, @joestringer)
* build: Update Swagger to 0.30.3 (#21947, @jrajahalme)
* Bump go.mod to v1.19 since build tags now require it. (#21134, @ldelossa)
* Change message for the status of the policy enforcement in CEPs to be more accurate. (#21003, @aanm)
* change slice declarations to array initialization (#21536, @mstrYoda)
* Change start time for policy_implementation_delay to when a CNP is first received by the Agent (Backport PR #23001, Upstream PR #22503, @learnitall)
* chore(deps): update all github action dependencies (v1.13) (patch) (#23676, @renovate[bot])
* chore(deps): update base-images (master) (#22109, @renovate[bot])
* chore(deps): update base-images (v1.13) (#22647, @renovate[bot])
* chore(deps): update base-images (v1.13) (minor) (#23564, @renovate[bot])
* chore(deps): update dependency cilium/hubble to v0.11.1 (v1.13) (#23618, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.2 (master) (#22094, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.3 (master) (#22130, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.17.0 (master) (#22317, @renovate[bot])
* chore(deps): update docker.io/library/alpine:3.16.2 docker digest to 65a2763 (master) (#22090, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.5 (v1.13) (#23243, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.5 (v1.13) (#23244, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.20.0 (v1.13) (#23565, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.3 docker digest to 10e3c0f (master) (#22566, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.3 docker digest to 4198e0e (master) (#22188, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.3 docker digest to bf4b15c (master) (#22091, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.3 docker digest to dc76ef0 (master) (#22197, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.5 docker digest to 572f680 (v1.13) (#23576, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu docker tag to v22 (master) (#22120, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 450e066 (master) (#22092, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 27cb6e6 (v1.13) (#22661, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to f05532b (v1.13) (#23479, @renovate[bot])
* chore(deps): update module go to 1.19 (master) (#22096, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.11.1 (v1.13) (#23520, @renovate[bot])
* chore: fix broken link in README.rst (#20830, @shaneutt)
* chore: Fix typo in contrib/script/kind-shell-helpers.sh (#21855, @sadikkuzu)
* ci, github: Fix IPv6 conformance test (Backport PR #23001, Upstream PR #22774, @borkmann)
* ci: Add go build tag for labels_test.go file (#20877, @sayboras)
* ci: extend nat46x64 l4lb test suite (Backport PR #23242, Upstream PR #23020, @borkmann)
* ci: reenable goerr113 and unused linters across the codebase (#21578, @ti-mo)
* CIDR errors in config: exit instead of panicking (#22020, @tbalthazar)
* cilium-cni: don't set interface link up twice (#20674, @tklauser)
* cilium-cni: use netip.Addr instead of CiliumIPv{4,6} types (#21421, @tklauser)
* cilium: Fix missing error log dump from compilation (Backport PR #23500, Upstream PR #23339, @borkmann)
* cilium: follow-up neigh fixes for gw (Backport PR #22948, Upstream PR #22814, @borkmann)
* cilium: minor follow-ups on stateless nat (#22389, @borkmann)
* Clarify annotation value in documentation for disable/enable websockets (io.cilium/websocket) (Backport PR #23284, Upstream PR #22662, @24601)
* Clarify in documentation that Azure CNI chaining is different from Azure CNI powered by Cilium. (#21897, @wedaly)
* clean package "io/ioutil", because "io" and "os" can replace it totally (#22016, @yanggangtony)
* clean up IPVLAN leftover code in setupBaseDevice() (#20608, @vincentmli)
* cli: Update regex for key-value validation to allow spaces in values (#21796, @johngmyers)
* clustermesh docs: add global and shared services reference (Backport PR #23687, Upstream PR #23408, @giorio94)
* clustermesh, kvstore: consistently pass controller context to kvstore operations (Backport PR #23500, Upstream PR #23333, @tklauser)
* clustermesh-apiserver: Add support for pprof (#21584, @pippolo84)
* clustermesh: explicitly report zero remote nodes on connection release (#21248, @tklauser)
* cmd/bpf: Log if no policy maps found (#21429, @aditighag)
* Coalesce of health endpoint CIDRs (#20848, @dezmodue)
* CODEOWNERS: Add owner for ingress (#20946, @sayboras)
* CODEOWNERS: add ownership for SIG Hubble API team (#21950, @rolinh)
* CODEOWNERS: Add ownerships for IPsec team (#21567, @pchaigno)
* CODEOWNERS: Assign `pkg/nodediscovery` to the agent team (#22042, @pchaigno)
* CODEOWNERS: Update teams following removal of non-sig teams (#20668, @pchaigno)
* compile: consolidate OutputType check to single switch (#20391, @lx1036)
* connectivity-check: update images to latest versions (#21467, @tklauser)
* Consider `$GO` environment variable `make precheck` checks (#20750, @tklauser)
* consolidate_go_stacktrace.py: Add support for replacing Cilium source directory inline (#21518, @joestringer)
* consolidate_go_stacktrace.py: Use relative paths by default (#21673, @michi-covalent)
* consolidate_go_stacktrace: Fix relative paths (#21812, @joestringer)
* contrib/cherry-pick: parameterize the source branch (#21199, @julianwiedmann)
* contrib/vagrant: add more permissive firewall rule (#20107, @aanm)
* contrib: Add CRD generation to release process (#20564, @joestringer)
* contrib: add support for minor releases (#20700, @aanm)
* contrib: avoid reviews from non-collaborators (#21577, @bimmlerd)
* contrib: exclude non-running pods in k8s-unmanaged script (#22515, @felfa01)
* contrib: Fix jenkins-failures.sh triage script (#21058, @joestringer)
* contrib: update cilium/coccicheck docker image (#20476, @aanm)
* contrib: Update PR template for backport (Backport PR #23284, Upstream PR #23058, @sayboras)
* contributing: Document CNCF DCO Guidelines v1.0 (#22509, @joestringer)
* controlplane: Add test for externalTrafficPolicy=Local (#20881, @joamaki)
* controlplane: Refactor the framework (#20760, @joamaki)
* controlplane: use right node name in tests (#21098, @aanm)
* correct the stale documentation link (#21889, @dmitris)
* Corrected bad config example in BGP docs. (Backport PR #23500, Upstream PR #23336, @dylandreimerink)
* counter: add generic implementation and use it to replace StringCounter (#21301, @tklauser)
* ctmap: Add missing FromL7LB flag (#21997, @jrajahalme)
* ctmap: Do not use nil locks (#20388, @jrajahalme)
* daemon, options: remove deprecated, ineffective options (#21524, @tklauser)
* daemon/cmd: Fix error handling for getting proxy port (#22296, @christarazi)
* daemon: Close the identityAllocator on shutdown (#22411, @joestringer)
* daemon: convert Daemon.restoredCIDRs to netip.Prefix (#22209, @tklauser)
* daemon: Deprecate KPR=probe (#20328, @brb)
* daemon: Do not fail CI runs for already deleted CEP (#22474, @jrajahalme)
* daemon: Improve dnsproxy error when EP not found (#20649, @joestringer)
* daemon: Introduce the minimal fx application (#19795, @joamaki)
* daemon: Remove SelectiveRegeneration option (#21413, @joestringer)
* daemon: Skip KPR feature probing when DryMode is enabled (#21129, @joamaki)
* daemon: Top-level composition into a hierarchy of cells (#21736, @joamaki)
* dashboards: Enable exemplars for histogram queries in Hubble L7 workloads dashboard (#21773, @chancez)
* datapath: Fix race in the fake NodeHandler (#20727, @joamaki)
* datapath: Get rid of NO_REDIRECT define (Backport PR #23147, Upstream PR #23076, @brb)
* datapath: remove unused ENCRYPT_NODE macro (#22285, @julianwiedmann)
* delete redundant type conversion (#22376, @tanberBro)
* dependabot: disable gops updates (#20443, @tklauser)
* dev-doctor: Fix the docker buildx version regex (#21561, @gentoo-root)
* dns: Add DataSource field to ProxyRequestContext (#21854, @michi-covalent)
* dnsproxy: update dnsproxy benchmark memory calculation (#20305, @odinuge)
* Doc: add k3s --disable-kube-proxy to stop k3s from setting up cluster services iptable rules (#20256, @vincentmli)
* doc: add section to show how to customize cilium-agent metrics (#22178, @ArthurChiao)
* doc: clarify CentOS 7 third-party kernel upgrade and Cilium advanced features kernel config requirements (#20605, @vincentmli)
* doc: Remove static pod ARP and pod hostnetwork limitation (#20187, @vincentmli)
* doc: update the api spec for fqdn egress policies code comments. (#20658, @wenhuwang)
* Docker image build enhancements for kind (#21806, @jrajahalme)
* docker: Do not specify syntax (#21805, @jrajahalme)
* docs(bandwidth-manager): add note on per-pod limits (#20916, @raphink)
* docs(bpf): fix minor grammar errors in struct padding section (#20249, @maxbrunet)
* docs(masquerading): add missing "address" (#20538, @raphink)
* docs(policy): add notes on DNS/L7 policies & Cilium agent availability (#20289, @raphink)
* docs, dependabot: Ignore dependencies updates (#21041, @qmonnet)
* docs/crd: Support master RCs in schema bump script (#21535, @joestringer)
* docs: Add a policy "Troubleshooting" section to Egress Gateway's documentation (Backport PR #23284, Upstream PR #23167, @lizrice)
* docs: Add available options for Ingress Controller annotations (#20973, @NikhilSharmaWe)
* docs: Add cilium overview to internals section (#21412, @joestringer)
* docs: Add CLI installation for ServiceMesh (#20406, @sayboras)
* docs: Add cluster install/prep guide for AKS-to-AKS clustermesh (#20439, @dylandreimerink)
* docs: Add deprecation warning for socks-enable. (#23554, @brb)
* docs: Add example how to config ipmasq via ConfigMap (#20239, @brb)
* docs: Add Getting Started docs for clustermesh service affinity (#20228, @sayboras)
* docs: Add Getting Started guide for Gateway API support (#21908, @sayboras)
* docs: Add guide for proxy load balancing feature (Backport PR #23687, Upstream PR #23100, @sayboras)
* docs: Add install guide for deploying Cilium on K0s using k0sctl. (Backport PR #23001, Upstream PR #22029, @xinity)
* docs: add instructions to build the base images from external forks (#22304, @aanm)
* docs: Add more envoy supported extensions (#20241, @sayboras)
* docs: Add required ec2:DescribeInstances when instance-tags-filter is used (#20703, @lht)
* docs: add Seznam.cz to list of Cilium users (#22182, @oblazek)
* docs: Add troubleshooting docs for Ingress (#20428, @sayboras)
* docs: Added `Default` column in metrics details (#20255, @kanurag94)
* docs: Bump Sphinx and sphinx-tabs version. (#20997, @qmonnet)
* docs: cilium committers are also CNCF maintainers (#21802, @lizrice)
* docs: clarifications about CNCF maintainer status (#22351, @lizrice)
* docs: Clarify identity table for reserved identities (#20832, @joestringer)
* docs: Clarify KPR requirements for Kind (#20749, @brb)
* docs: Clarify wildcards and subdomains in FQDN policies (#22206, @felfa01)
* docs: CNCF maintainer update process (#21649, @lizrice)
* docs: correct IPAM mode name in BGP control plane installation docs (#20758, @tklauser)
* docs: correct Prometheus port (Backport PR #23687, Upstream PR #23404, @lizrice)
* docs: describe Cilium Feature Proposals (#22443, @lizrice)
* docs: Disable exclusive lock when chaining with aws-cni (Backport PR #23500, Upstream PR #23159, @jaygridley)
* docs: Document clustermesh datapath configuration for non-tunneled modes (#16499, @jrajahalme)
* docs: Document internalTrafficPolicy-related changes in the upgrade guide (Backport PR #23001, Upstream PR #22927, @gentoo-root)
* docs: Document the workaround for the kernel bug on new Intel CPUs (#21803, @gentoo-root)
* docs: Drop sphinxcontrib-openapi fork, switch back to upstream (Backport PR #23687, Upstream PR #23118, @qmonnet)
* docs: first set of eCHO video links added (#20480, @Kikiodazie)
* docs: Fix 'interface' field indentation (#21798, @lou-lan)
* docs: Fix `kubectl create` output in docs after some deployments have moved from K8s "extensions" to "apps". (#22002, @cleverhu)
* docs: fix a Links documentation style guide error (#20460, @Kikiodazie)
* docs: fix check-crd-compat-table script (#21208, @aanm)
* docs: fix flags for 1.12 branch (#20408, @aanm)
* docs: Fix inconsistent node label in egress gateway guide (Backport PR #23232, Upstream PR #23225, @pchaigno)
* docs: Fix live preview (install sphinx-autobuild in the image) (#21013, @qmonnet)
* docs: Fix markup to properly emphasize Kubernetes version in a note (Backport PR #23001, Upstream PR #22976, @Shunpoco)
* docs: Fix update-spelling_wordlist.sh to run command on spelling errors (#20481, @qmonnet)
* docs: Fixed service list command in clustermesh affinity guide (#20442, @dylandreimerink)
* docs: Hubble codeowners fix (#21995, @jrajahalme)
* docs: Improve IPsec guide (Backport PR #23232, Upstream PR #23135, @pchaigno)
* docs: Improve kubeproxy replacement and OKD GSG guide. (#20447, @tommyp1ckles)
* docs: Improve policy troubleshooting guide (#20399, @joestringer)
* docs: Improve wording for deny policies limitation (Backport PR #23232, Upstream PR #23095, @joestringer)
* docs: ipsec: remove node-to-node encryption (#20422, @NikAleksandrov)
* docs: L7 traffic management getting started guide (#20421, @sayboras)
* docs: Link KNP sections together to reduce duplication (Backport PR #23687, Upstream PR #23546, @christarazi)
* docs: link tutorials to training section (#21383, @xmulligan)
* docs: Make external links in docs open in a new tab (#20945, @Kikiodazie)
* docs: Mark Git repo as safe in docs-builder, for GitHub workflow too (#21043, @qmonnet)
* docs: Mark Git repository as safe, at runtime, if in a container (#21069, @qmonnet)
* docs: Mark pod-short option in Hubble metrics as deprecated (Backport PR #23232, Upstream PR #23025, @lambdanis)
* docs: merge Alibaba install guide into quick install guide (#21581, @yoyo-go)
* docs: move star wars demo to getting started (Backport PR #23147, Upstream PR #22379, @yoyo-go)
* docs: Regenerated `cilium-bugtool` docs to fix Travis CI (#22214, @dylandreimerink)
* docs: Remove 1.12 and earlier upgrade docs (#22219, @joestringer)
* docs: Remove `autoDirectNodeRoutes` where not needed (#21831, @pchaigno)
* Docs: Remove `RUNTIME=docker` option in dev_setup, given that K8s 1.24+ no longer supports it (options: containerd (default), crio). (#21940, @Shunpoco)
* docs: Remove RancherOS (#21182, @joestringer)
* Docs: Replace the way to install `golangci-lint` to `NA(OS-specific)` (#22532, @Shunpoco)
* docs: restructure bpf guide (#21922, @yoyo-go)
* docs: restructure network, security and other remaining sections (#20813, @yoyo-go)
* docs: retire install using microk8s (#21273, @yoyo-go)
* docs: Rework requirements.txt: Generate from minimal list (#20978, @qmonnet)
* docs: second set of video contents added (#20623, @Kikiodazie)
* docs: Switch to our own fork of sphinxcontrib-openapi (#20868, @qmonnet)
* docs: Update clustermesh troubleshooting with more details (#20260, @sayboras)
* docs: update cmdref with missing flag (#22525, @aanm)
* docs: update committer security requirements (Backport PR #23232, Upstream PR #23134, @xmulligan)
* docs: Update docs with minimum helm version (#20403, @aditighag)
* docs: Update docs.cilium.io navigation bar (#21436, @Kikiodazie)
* docs: update etcd kvstore migration instructions (#20624, @hhoover)
* docs: Update Helm values (#20716, @qmonnet)
* docs: Update https.rst for Gateway API (#22184, @nvibert)
* docs: Update k8s NetworkPolicy descriptions (#21670, @joestringer)
* docs: Update kind documentation with cgroup related requirements (#20607, @aditighag)
* docs: Update Minikube ver. requirement and manual BPFFS mount instructions (Backport PR #23232, Upstream PR #22913, @kimstacy)
* docs: update roadmap for graduation application (#22422, @xmulligan)
* docs: update stable version to v1.12 (#20602, @aanm)
* docs: update the version specific notes table for v1.12 release (#20669, @tklauser)
* docs: Update ToServices docs section (#21052, @joestringer)
* document missing bpf.hostLegacyRouting, bpf.tproxy, bpf.vlanBypass option (#21650, @vincentmli)
* Document existing FQDN metrics (#20516, @christarazi)
* document helm conntrackGCInterval crdWaitTimeout identityChangeGracePeriod (#22352, @vincentmli)
* Document missing bpf ctTcpMax ctAnyMax natMax neighMax helm option (#21627, @vincentmli)
* Document missing k8sService kubeConfigPath bpf.mapDynamicSizeRatio (#21817, @vincentmli)
* Document per-endpoint route requirement in aws-cni Helm snippet (#21276, @ti-mo)
* Document socket LB tracing (Backport PR #23232, Upstream PR #23141, @aditighag)
* Documentation: Fix copy-api on MacOS (#20444, @chancez)
* Documentation: Fix out-of-sync codeowners (#21583, @pchaigno)
* Documentation: Improve cilium-cli and hubble cli installation instructions (#20415, @chancez)
* Documentation: Only install 1 replica of operator on k3s (#20416, @chancez)
* Documentation: Restart cilium-operator and cilium after enabling Service Mesh (#20417, @chancez)
* Documentation: fix crd-compat-table script (#21171, @aanm)
* Egress Gateway: move code into its own header file, and remove the dependency on TUNNEL_MAP. (#21719, @julianwiedmann)
* egressgw: cache matching endpoints in policy config (Backport PR #23687, Upstream PR #23529, @jibi)
* EgressGW: make logging less verbose (#21115, @julianwiedmann)
* elf: avoid flooding debug log with empty symbol names (#21448, @tklauser)
* Enable Google Analytics 4 (Backport PR #22835, Upstream PR #22220, @chalin)
* endpoint: remove unused DeleteBPFProgramLocked() (#20571, @julianwiedmann)
* endpointmanager: Add extra check for out-of-range endpoint IDs (#20363, @twpayne)
* eni: fix new node not triggering creation of ENI with fix deadlock (#21830, @wu0407)
* envoy: Allow use of architecture-specific Envoy images for testing (#21804, @jrajahalme)
* envoy: Skip NPHDS upsert when IP is already included (#22289, @jrajahalme)
* examples, docs: simplify manifest use in clustermesh global services example (Backport PR #23687, Upstream PR #23574, @tklauser)
* examples: Add connectivity check with netpol (#21415, @joestringer)
* examples: Add Envoy admin listener (#22386, @jrajahalme)
* Exclude interface's primary address from IP pool by default in Azure (#19743, @hemanthmalla)
* Expand documentation around CODEOWNERS and review expectations (#21057, @joestringer)
* filter out pod labels from synchronizing with cilium endpoint labels (#21135, @NikhilSharmaWe)
* fix 'egressIP' field indentation (#22303, @yulng)
* Fix `subnet_id` label value being empty in IP allocation and interface creation in ENI IPAM metrics (#20449, @wu0407)
* Fix a typo in the comment example (#21402, @farcaller)
* Fix broken link to CNCF CoC (#21616, @xmulligan)
* Fix bug where the ep_config.h template headerfile would remain open beyond the template preparation phase. (Backport PR #23687, Upstream PR #23642, @jiuker)
* Fix CEP batching FCFS mode to group CEPs per namespace. (#22041, @dlapcevic)
* Fix complaint about nil IP address on restore of cilium_host (#20734, @christarazi)
* Fix grpc-ingress.yaml path in Service Mesh docs (#21601, @pippolo84)
* Fix hubble metrics label ordering with contextOptions (#21732, @chancez)
* Fix improper regex in check-sources.sh awk command (#21285, @nathanperkins)
* Fix incorrect env var name used in docs for Helm installation on Rancher Desktop (#21835, @ehausig)
* Fix issues with policy handling introduced by new policy match support for L4 ports on any protocol. (Backport PR #23232, Upstream PR #22975, @jrajahalme)
* fix kernel config file and config option probe log (#20889, @vincentmli)
* Fix log level for "local-redirect service exists for frontend" error (#21898, @tbalthazar)
* Fix long-time failure of "ipcache-inject-labels" controller due to incorrect backoff time for retry (#21886, @ArthurChiao)
* Fix note for 'func numWorkerThreads()' (#22412, @yanggangtony)
* Fix prepare release process (#22487, @aanm)
* Fix up and lint SPDX headers in all Go files (#21821, @ti-mo)
* fix: correction in PR #21825 (#21904, @nnbu)
* Fix: prevent goroutine leakage (#21913, @kerthcet)
* fix:omit comparison to bool constant (#22588, @yulng)
* fix:remove ioutil to accommodate newer Go versions (#22383, @yulng)
* fixed broken gettingstarted link on helm chart README.md (#22218, @dotdc)
* fqdn/dnsproxy, daemon: Define new error type for DNS notification (#21517, @christarazi)
* fqdn/dnsproxy: Add concurrency grace period parameter (#21668, @pippolo84)
* fqdn/dnsproxy: fix test build (#20537, @tklauser)
* fqdn/dnsproxy: move init LRU cache call out of StartDNSProxy. (Backport PR #23687, Upstream PR #23429, @tommyp1ckles)
* fqdn: convert map keys and internal types to `netip.Addr` (#21620, @tklauser)
* fuzzing: bump go-fuzz-headers (#22501, @AdamKorcz)
* gateway-api/model: Refactor envoy virtual host (#22369, @pippolo84)
* Generate Software Bill of Materials during release (Backport PR #23147, Upstream PR #22191, @sandipanpanda)
* gh: fix indentation bug in ingress workflows (Backport PR #23232, Upstream PR #23195, @julianwiedmann)
* gha: Add images dir for l4lb jobs (#21068, @sayboras)
* gha: Bump cilium cli to v1.12.2 (#21112, @sayboras)
* gha: Bump k8s version in kind conformance tests (Backport PR #23147, Upstream PR #22325, @sayboras)
* gha: Improve coverage for Ingress/GatewayAPI (Backport PR #23147, Upstream PR #23007, @sayboras)
* gha: Pin ubuntu-20.04 for conformance-test-ipv6 (#22324, @sayboras)
* gha: Update the names for ConformanceIngress jobs (#21494, @sayboras)
* github: do not generate SBOM from source (Backport PR #23233, Upstream PR #23161, @aanm)
* Gitignore clangd cache folder for bpf code. (#21050, @ldelossa)
* go.mod, vendor: drop client-go from replace directives (#22547, @tklauser)
* go.mod, vendor: pin golang.org/x/* packages to tagged versions (#22051, @tklauser)
* go.mod, vendor: update cloud provider SDK Go modules for August 2022 (#20766, @tklauser)
* go.mod, vendor: update cloud provider SDK Go modules for December 2022 (#22469, @tklauser)
* go.mod, vendor: update cloud provider SDK Go modules for July 2022 (#20371, @tklauser)
* go.sum: run Go 1.19 `go mod tidy` after dependabot update (#20953, @tklauser)
* Google Season of Docs is now over so it is removed from the docs (#22442, @xmulligan)
* gops: Fix the gops default port (#21481, @joamaki)
* Graduation documentation updated (#21336, @xmulligan)
* helm/gateway-api: Add secret permission for agent (#22264, @sayboras)
* helm: Allow configure the scrape interval for ServiceMonitor (#20240, @LawlietLi)
* helm: avoid generating ConfigMapList (#21750, @kaworu)
* helm: Do not create Grafana dashboards by default (#22161, @chancez)
* helm: fix broken documentation URL in helm chart template (#22269, @nkrja)
* helm: Fix post-start and pre-stop hooks for cilium-nodeinit on Ubuntu EKS images (#20979, @dctrwatson)
* helm: Make DNS policy for cilium-agent and cilium-operator pods configurable (#20082, @michi-covalent)
* helm: Quote all the image fields. (#21463, @michi-covalent)
* helm: Use hubble-relay-ci image for master branch (#20283, @gandro)
* Highlight Non-Overlapping Functionality Between K8s and Cilium Network Policies (#21001, @nathanjsweet)
* hive: Add title to Module() and enforce format (#21915, @joamaki)
* hive: Allow multiple calls to `Hive.Shutdown` (#22551, @dylandreimerink)
* hive: Fix CodeQL lints in regex (#22471, @gandro)
* hive: Make cell config decoding strict (#21162, @joamaki)
* hive: Reimplement on top of dig (#21562, @joamaki)
* hive: Unwrap provider inputs and outputs in PrintObjects (#21976, @joamaki)
* hubble-ui: release v0.9.1 (#20572, @geakstr)
* hubble/metrics: ProcessFlow() is optional for metrics handlers (#20367, @chancez)
* hubble: Add "hubble-prefer-ipv6" option (#21751, @mKeRix)
* hubble: Add "syn-only" option to flows-to-world metric (#21571, @michi-covalent)
* hubble: Fix panic if IP address cannot be parsed (Backport PR #23147, Upstream PR #22994, @gandro)
* hubble: Update the reason label for hubble_drop_total metric (Backport PR #23232, Upstream PR #22408, @michi-covalent)
* identity: make `GetAllReservedIdentities()` return ordered identities (#20048, @kaworu)
* images, contrib/coccinelle: update alpine image to 3.16.0 (#20378, @tklauser)
* images/runtime, go.mod, vendor: update gops to v0.3.26 (#22385, @tklauser)
* images/runtime: bump iptables package to 1.8.8 (Backport PR #23232, Upstream PR #23163, @jibi)
* images: Bump Hubble CLI to v0.10.0 (#20286, @gandro)
* images: Fix image build for qemu workflow (#21154, @joestringer)
* images: Follow-up actions of ubuntu bump 22.04 (#20964, @sayboras)
* images: Name final docker target as 'release' (#21109, @joestringer)
* images: Update Hubble CLI to v0.11.0 (Backport PR #23147, Upstream PR #23043, @gandro)
* Implement Go-based kernel HZ (jiffy) measurement (#21833, @ti-mo)
* Improve CRD schema update automation during release process (#20875, @joestringer)
* Improve Egress Gateway Getting Started Guide (#20471, @pippolo84)
* Improve Egress Gateway Getting Started Guide (#20531, @pippolo84)
* Improve fqdn events logging management (Backport PR #23001, Upstream PR #22745, @pippolo84)
* Improve memory usage for encoding endpoint objects into JSON (#20524, @odinuge)
* Include DeleteNetworkInterface in ENI Required Privileges Docs (#20472, @espringsteen)
* ingestion/gateway-api: Map backend weight to model (#22380, @sayboras)
* Initial datapath support for Cilium mTLS has been added. (Backport PR #22822, Upstream PR #21822, @jrajahalme)
* install/kubernetes/Makefile: Check values.yaml for modifications (#20322, @gandro)
* install/kubernetes: do not initialize variable twice (#20430, @aanm)
* install/kubernetes: Re-order lines in Makefile.values (#22307, @aanm)
* Introduce a cluster-aware addressing scheme and convert some types to use that (#21161, @YutaroHayakawa)
* Introduce node IDs in the datapath and the agent, so datapath can later use them to identify remote nodes (Backport PR #23687, Upstream PR #23202, @pchaigno)
* Introduce v3 backend maps (Backport PR #22822, Upstream PR #21797, @YutaroHayakawa)
* ip: Add helpers to assist net -> netip transition (#20303, @joestringer)
* ip: Add helpers to assist net -> netip transition (#20478, @joestringer)
* ip: Add MustAddrFromIP (#21283, @christarazi)
* ip: rename IsExcluded() to ListContainsIP() (#21084, @julianwiedmann)
* ip: Simplify MustAddrFromIP (#21598, @christarazi)
* ipam/allocator/podcidr: remove unused CIDRAllocator.IsIPv6 (#21065, @tklauser)
* IPAM: fix ipam owner check (#21715, @llhhbc)
* ipcache: Fix IPcache leak of remote-node IP addresses (#21932, @pchaigno)
* ipcache: Fix lock leak (#20833, @joestringer)
* ipcache: Plumb daemon context through IPCache (#21676, @joestringer)
* ipcache: Release metadata mutex in loop error condition (#21653, @joestringer)
* ipcache: Remove unsafe ipc.metadata.get (#21608, @gandro)
* ipsec + ipv6-only nodes: add limitation note and better error handling (Backport PR #23687, Upstream PR #23553, @giorio94)
* ipsec: Fix slightly incorrect assumption in XFRM IN policies (#21621, @pchaigno)
* IPsec: Refactor `ipSecReplaceState{In,Out}` functions (Backport PR #23232, Upstream PR #23158, @pchaigno)
* ipsec: Refactoring around `UpsertIPsecEndpoint` (#21461, @pchaigno)
* ipsec: Simplify XFRM FWD policies (#21602, @pchaigno)
* ipsec: Simplify XFRM IN policies (#21370, @pchaigno)
* iptables: add support for iptables >= 1.8.7 (#21096, @jibi)
* iptables: skip reverse IP lookup (Backport PR #23147, Upstream PR #22977, @jibi)
* Isovalent added to Users (#20583, @xmulligan)
* k8s-conformance: fix doc formatting (#21203, @julianwiedmann)
* k8s/client: respect QPS and burst setting for clientset (#22226, @tklauser)
* k8s/{client,resource}: API improvements and support for custom retries (#21644, @joamaki)
* k8s: Add node-role.kubernetes.io/control-plane taint (Backport PR #23147, Upstream PR #22894, @sayboras)
* k8s: don't consider 4xx a successful interaction (#22393, @bimmlerd)
* k8s: optimize API calls made to kube-apiserver (#21088, @aanm)
* k8s: Remove the global client getters in favor of Clientset (#21877, @joamaki)
* k8s: Resource[T], an implementation of informers with per-sub queues (#21352, @joamaki)
* k8s: Update dependencies to v0.26.0 (Backport PR #23001, Upstream PR #22891, @sayboras)
* k8s: use netip.Prefix for endpoint backed prefixes (#22181, @tklauser)
* Keep command help message capital (#22276, @yanggangtony)
* kubectl get cep returns empty columns of policies statuses (#20548, @romanspb80)
* labels/cidr: use netip types to improve GetCIDRLabels and IPStringToLabel performance (#20316, @tklauser)
* labels: remove unused cilium-generated label source (#20820, @tklauser)
* labelsfilter: Improve sanitization (#22244, @joestringer)
* Load datapath ELFs using cilium/ebpf (#19159, @ti-mo)
* loader: replace DWARF with BTF for C and Go struct alignment check (#20809, @vincentmli)
* Log policy update event errors and silently delete bwmap entries (#20611, @zuzzas)
* Made the `TestPodCIDRAllocatorOverlap` test more robust (#21957, @dylandreimerink)
* maglev: Don't populate v4 inner table upon nat46 service (#20648, @borkmann)
* MAINTAINERS: Add Bill Mulligan (#22204, @lizrice)
* MAINTAINERS: add Chance Zibolski to the list of maintainers (#21792, @rolinh)
* Make cilium pprof listen address configurable (Backport PR #23147, Upstream PR #22768, @chancez)
* Make fsnotify event more readable. (#22278, @yanggangtony)
* make: fix kind-image-operator target to build the operator-generic image (#21263, @tklauser)
* make: minor Makefile cleanups (#20748, @tklauser)
* makefile: Remove removed mock target. (#20448, @DolceTriade)
* Makefile: Split agent and operator kind targets (#21094, @joestringer)
* makefile: use versioned Go container when formatting after api generate. (#21254, @tommyp1ckles)
* maps/ctmap: convert to use netip.Addr internally (#21529, @tklauser)
* Masquerading bpf mode - Improve code readability and complexity of the datapath. (#19712, @sahid)
* metallb: bump to latest metallb version (#21131, @ldelossa)
* metrics: Remove unused ARP ping metrics (Backport PR #23284, Upstream PR #23057, @brb)
* Misc. clustermesh debug cleanups (Backport PR #23687, Upstream PR #23588, @tklauser)
* modify the deprecated label beta.kubernetes.io/instance-type (#21941, @my-git9)
* monitor: Add parser for socket-lb tracing events (#21516, @aditighag)
* monitor: Always print ObservationSource for DNS events (#21882, @michi-covalent)
* mount host /boot into cilium-agent container (#21113, @agrevtcev)
* mtu, node: fix build on all non-linux platforms (#22232, @tklauser)
* neigh: Support multi device neighbor discovery (#20092, @ysksuzuki)
* Node ID restoration (Backport PR #23687, Upstream PR #23578, @pchaigno)
* node: Add LocalNodeStore for coordinating updates to local node state (#21191, @joamaki)
* node: Fix incorrect code comment (#21209, @pchaigno)
* only setup ip rules when l7 policy enabled (#21636, @liuxu623)
* operator: Add leader lifecycle (#21457, @joamaki)
* operator: Avoid spamming logs with entire identity object (#22258, @lvyanru8200)
* operator: Fix enabling of API discovery (#21459, @joamaki)
* operator: Remove use of global vars in cilium node synchronizer (#22491, @joamaki)
* operator: rename (*OperatorConfig).Populate parameter (#20944, @tklauser)
* operator: rename OperatorConfig member to match flag name (#20971, @tklauser)
* operator: start the event queue in a dedicated go routine (#20353, @aanm)
* operator: Wait for informers to shut down when stopping (Backport PR #22835, Upstream PR #22761, @joamaki)
* Optimize generateLabelString() (#21718, @youhonglian)
* option, datapath: Move `AreDevicesRequired` to `option` package (#22457, @pchaigno)
* option/doc: fix kube-proxy-services-optional.md link broken (#20864, @ArthurChiao)
* option: Fix Populate entries using "viper" package. (#22426, @jrajahalme)
* Pick up etcd v3.5.7 (Backport PR #23500, Upstream PR #23463, @michi-covalent)
* pkg/bgpv1/annotations: Optimize annotations Errors (#20819, @MikeLing)
* pkg/datapath: return specific error message (#22137, @aanm)
* pkg/fqdn: add a test for fqdn caches overlimit behaviour (#20736, @pippolo84)
* pkg/k8s/resource: Fix test flake due to race between create and watch (#21681, @joamaki)
* pkg/k8s: do not wait for endpointslice cache sync in k8s >= 1.17 (#20569, @aanm)
* pkg/k8s: set the right IP addresses in log messages (#20757, @aanm)
* pkg/labels: Optimize LabelArray {GetModel(),String()} (#21643, @odinuge)
* pkg/maps,pkg/defaults: allow configuring map events on missing map types. (Backport PR #23001, Upstream PR #22746, @tommyp1ckles)
* pkg/metrics: Remove source node label (#20433, @aditighag)
* pkg/nodediscovery: protect variable against concurrent access (#21086, @aanm)
* pkg/set: add test cases for set package. (#20775, @0xff-dev)
* pkg: Follow Go convention on capitalization (#22534, @yulng)
* plugins/cilium-docker: use log default exit code 1 (#20612, @Abirdcfly)
* policy,labels: Convert more packages to use netip library (#21414, @joestringer)
* policy: Add more ICMP unit tests (#20779, @sayboras)
* policy: Replace RWMutex with Mutex to reduce locking times by a tiny bit. (#22106, @odinuge)
* policy: use netip.Addr when constructing CIDR rules (#21300, @tklauser)
* Prepare for 1.13 development cycle (#20273, @aanm)
* Prepare for release v1.13.0-rc0 (#21174, @aanm)
* Prepare for release v1.13.0-rc1 (#21534, @joestringer)
* Prepare for release v1.13.0-rc2 (#21949, @aanm)
* Prepare for release v1.13.0-rc3 (#22481, @aanm)
* Prepare v1.13 stable branch (#22612, @joestringer)
* probes: refactor bpftool feature macros generation (#21451, @rgo3)
* probes: replace ProbeManager with features API in cilium/ebpf (#20556, @rgo3)
* promise: Add promise package (#21295, @joamaki)
* promise: Document the Resolve/Reject functions (#21827, @joestringer)
* Rate limit "hubble events queue is full" logs (Backport PR #23284, Upstream PR #22864, @lambdanis)
* README.rst: Fix stable releases table (#20600, @joestringer)
* README: update stable releases (#20582, @aanm)
* Reduce the vtep route log noise and avoid cilium_vtep_map symbol substitution warning log (#20532, @vincentmli)
* refactoring of fetching cilium manifests in OKD installation (Backport PR #23232, Upstream PR #22695, @zisisli)
* Reference datapath metrics in feature and troubleshooting guides (#20520, @aditighag)
* relay: Add Go runtime metrics and process metrics (#22400, @chancez)
* Remove `__non_bpf_context` macro from bpf C code (#21475, @ti-mo)
* Remove beta.kubernetes.io/arch as it's already deprecated (#21799, @my-git9)
* Remove completed items from Service Mesh Roadmap (#20635, @margamanterola)
* Remove references to node encryption (#21333, @pchaigno)
* remove scripts to update docker images (#22115, @aanm)
* Remove unnecessary imports of pkg/policy (#21996, @jrajahalme)
* Remove unused sections for bpf_lxc from nodeport.h (#21505, @alexkats)
* Remove yaml parser from cilium policy trace (#22251, @rushi47)
* Removed `lb_services` bpfmap dump from bugtool (#22381, @Vishal-Chdhry)
* Replace addressing.CiliumIPv{4,6} by netip.Addr type (#21445, @tklauser)
* Replace the hash function implementation to license it under the dual GPL/BSD license. (#21794, @gentoo-root)
* resource: Fix queue entry coalescing (#22360, @joamaki)
* resource: Make the resource lazy by default (#21862, @joamaki)
* Restructure IPCache to handle metadata merging (#19765, @joestringer)
* Retry loading BPF programs if verifier log buffer is too small (#21973, @ti-mo)
* Revert "bgp: BGP Control Plane modularization" (#22431, @joestringer)
* Revert "cni-install: bump to v0.4.0, switch to ConfList" (#21207, @squeed)
* Revert "doc: update the api spec for fqdn egress policies code comments." (#20722, @joestringer)
* Revert "eni: fix new node not triggering creation of ENI" (#21477, @gandro)
* Revert "install: move cni config management to the agent" (#22012, @pchaigno)
* Revert "ip: Add helpers to assist net -> netip transition" (#20456, @aanm)
* Revert "Mount host /boot into cilium-agent container" (#22326, @ti-mo)
* Revert "per-node configuration overrides" pull request (#22630, @pchaigno)
* Revert "relay: Add Go runtime metrics and process metrics" (#22337, @joestringer)
* Revert "Revert "doc: update the api spec for fqdn egress policies cod… (#20744, @aanm)
* Revert "roadmap: add Tetragon, remove GSoD" (#21360, @joestringer)
* Revert "Sign container images" (#21846, @aanm)
* Revert "Test commit" (#22150, @pchaigno)
* Revert "WIP: 4.9 CI DP conformance" (#22061, @brb)
* Revert https://github.com/cilium/cilium/pull/21110 (#21153, @michi-covalent)
* Revert PR #21539 (#21981, @nbusseneau)
* Revert ubuntu 22.04 upgrade (#21067, @sayboras)
* Series of cleanups to ENI tests (#21975, @bimmlerd)
* Slack channels and descriptions updated in the docs (#21281, @xmulligan)
* Spring cleaning for the contributor guide (#21056, @joestringer)
* support reset backoff period (#21937, @wu0407)
* Test tls flake (#22420, @jrajahalme)
* test/alibabacloud: Fix flake in TestPrepareIPAllocation (#21987, @jaffcheng)
* test/bpf: Minor Makefile improvements for "make clean" (#20717, @qmonnet)
* test/control-plane: Add nil check for agentHandle.Close receiver (#22399, @dylandreimerink)
* test/control-plane: Add nil checks to shutdown logic (#22225, @dylandreimerink)
* test: bigtcp / nat46x64: delete the kind cluster after running the tests (#20455, @NikAleksandrov)
* test: Fix make target for k8s tests (#20264, @ysksuzuki)
* test: fix regression on check-complexity.sh introduced by 6e343142bf2 (#21216, @sahid)
* test: update k8s versions to the latest patched releases (#21103, @aanm)
* The hive and the cells: infrastructure for modular applications (#20965, @joamaki)
* trace: fix unknown dst security identity in to-overlay (#20772, @vincentmli)
* treewide: Refactor and simplify ipcache usage (#21774, @joestringer)
* treewide: Switch ipcache interface to netip.Prefix (#21586, @joestringer)
* Uniform leftover annotations in clustermesh docs (Backport PR #23687, Upstream PR #23516, @giorio94)
* Uniform the style of the annotations used in the Cilium codebase (Backport PR #23687, Upstream PR #23395, @giorio94)
* Update authors (#20913, @joestringer)
* Update Cilium install guide about EKS aws-node DaemonSet potential connectivity problem on uninstall (#22620, @NikAleksandrov)
* Update Cilium README description and image (#21100, @xmulligan)
* Update CLOMonitor badge url (#21166, @cynthia-sg)
* update comments (#21316, @lucming)
* Update documentation related to metrics; fix incorrect FQDN metrics reference (#22300, @christarazi)
* Update Go to 1.18.4 (#20501, @tklauser)
* Update Go to 1.18.5 (#20745, @tklauser)
* Update Go to 1.19 (#20816, @tklauser)
* Update Go to 1.19.1 (#21226, @tklauser)
* Update Go to 1.19.2 (#21591, @tklauser)
* Update Go to 1.19.3 (#22024, @tklauser)
* Update Go to 1.19.4 (#22589, @tklauser)
* Update Go version in backporting Dockerfile (#22030, @tbalthazar)
* update gops and ginkgo mod version for match the current go.mod (#22427, @yanggangtony)
* Update gops to v0.3.24 (#20311, @tklauser)
* Update gops to v0.3.25 (#20438, @tklauser)
* update k8s versions to the latest releases (#20507, @aanm)
* Update Layer 7 Protocol Visibility Document. (Backport PR #22835, Upstream PR #22807, @obaranov1)
* Update SECURITY.md (#20601, @aanm)
* Update stable releases (#20567, @joestringer)
* Update stable releases (#20935, @joestringer)
* Update stable releases (#21313, @nebril)
* Update stable releases (#21770, @qmonnet)
* Update stable releases (#22247, @michi-covalent)
* Update start-release.sh (#22193, @michi-covalent)
* Update the cert-manager's Certificate to fully qualify the duration (#21389, @farcaller)
* Update values.yaml.tmpl (#20357, @michi-covalent)
* Updated AWS ENI limits (#22405, @tsolodov)
* updates.go: bump stable version to 1.12 (#22134, @aanm)
* Use informer.NewInformer where appropriate (#22066, @tklauser)
* Use pod Deployment name as workload name for flow workload field (#21124, @chancez)
* Use rate instead of irate in Hubble L7 workloads dashboard (#21791, @chancez)
* util: fix wrong comment of GetNumPossibleCPUs (#22540, @117503445)
* vtep skip symbol substitution cilium_vtep_map (#20589, @vincentmli)

**Other Changes:**
* [v1.13] renovate: Replace update-hubble-version.sh with Renovate Bot (#23528, @gandro)
* build(deps): bump certifi from 2022.6.15 to 2022.12.7 in /Documentation (#22609, @dependabot[bot])
* devenv: add comment explicity usage around options defined (#20368, @sahid)
* images/runtime: bump FORCE_BUILD to force regeneration (#23725, @aanm)
* images: golang version to 1.19.6 (#23758, @aanm)
* install: Update image digests for v1.13.0-rc4 (#22852, @joestringer)
* install: Update image digests for v1.13.0-rc5 (#23271, @joestringer)
* Prepare for release v1.13.0-rc4 (#22851, @joestringer)
* Prepare for release v1.13.0-rc5 (#23270, @joestringer)
* Revert "Pick up etcd v3.5.7" (#23771, @michi-covalent)
* v1.13: revert golang 1.20.0 (#23626, @pchaigno)

## v1.13.0-rc5

Summary of Changes
------------------

**Major Changes:**
* cilium: completion of nat46/64 gateway (Backport PR #22948, Upstream PR #22421, @borkmann)
* Support Kubernetes v1.21 new field internalTrafficPolicy=Local. (Backport PR #23001, Upstream PR #21871, @gentoo-root)

**Minor Changes:**
* Bump Linux minimum version to 4.19.57 (or equivalent) (Backport PR #23232, Upstream PR #23124, @joestringer)
* feat(hubble): add L7 verdicts to hubble_policy_verdicts_total metric (Backport PR #23147, Upstream PR #22622, @raphink)
* Fix crash of CES queue delay metric when CESTracker is nil (Backport PR #23147, Upstream PR #22884, @dlapcevic)
* helm: Add `node-role.kubernetes.io/control-plane` key (Backport PR #23001, Upstream PR #22893, @my-git9)
* operator: Add RBAC permission for CiliumNodeConfigs resource (Backport PR #23001, Upstream PR #22824, @sayboras)
* pkg/metrics: include revision and arch info in cilium_version (Backport PR #23147, Upstream PR #22795, @ArthurChiao)

**Bugfixes:**
* bpf: lb: catch write error in lb6_xlate() (Backport PR #23147, Upstream PR #23075, @julianwiedmann)
* bpf: lb: fix check for L3 pseudo-hdr csum update in lb6_xlate() (Backport PR #23001, Upstream PR #22953, @julianwiedmann)
* bpf: nodeport: fix tracing for handle_nat_fwd() (Backport PR #23001, Upstream PR #22678, @julianwiedmann)
* bpf: nodeport: handle revDNAT for local backends at to-netdev/to-overlay (Backport PR #23232, Upstream PR #22756, @julianwiedmann)
* clustermesh: Add missing brackets of IPv6 address for etcd option (Backport PR #23147, Upstream PR #22962, @YutaroHayakawa)
* daemon: Fix BPF host routing can't be enabled if the devices are wildcard (Backport PR #23232, Upstream PR #23009, @ysksuzuki)
* datapath: Fix L7 ingress with XDP (Backport PR #23147, Upstream PR #22985, @brb)
* envoy: Fix lock leak in config validation failure (Backport PR #23147, Upstream PR #23077, @joestringer)
* Fix bugs where ciliumendpoints for statefulset pods were being incorrectly overwritten/deleted (Backport PR #23147, Upstream PR #21768, @tommyp1ckles)
* Fix double-accounted RX packets in CT statistics when Nodeport is in use. (Backport PR #23147, Upstream PR #22810, @julianwiedmann)
* Fix missing node neigh metric for counting arping requests (Backport PR #23001, Upstream PR #22930, @christarazi)
* Fix packet drops when service pod connects to itself via clusterIP, and selected by an ingress policy. (Backport PR #23147, Upstream PR #22972, @aditighag)
* Fix socket-lb tracing in environments with systemd and container runtimes like containerd, crio, and docker. (Backport PR #23001, Upstream PR #22773, @aditighag)
* ingress/model: Support multiple certs based on SNI (Backport PR #23232, Upstream PR #22671, @sayboras)

**CI Changes:**
* .github: Pin docker buildx version to v0.9.1 (v2) (Backport PR #23233, Upstream PR #23220, @joestringer)
* [v1.13] ci: update cilium-cli to v0.12.12 in v1.13 workflows (#23129, @tklauser)
* bpf: test: fix xdp_lb4_forward_to_other_node test (Backport PR #23147, Upstream PR #23018, @julianwiedmann)
* ctmap: fix-up host_local flag in the DSR NAT entry for GC test (Backport PR #23147, Upstream PR #23037, @julianwiedmann)
* gh/workflows: ci-datapath updates (Backport PR #23147, Upstream PR #22811, @brb)
* gh/workflows: Extend ci-datapath config to include lb-mode and endpoint-routes (Backport PR #23147, Upstream PR #22825, @brb)
* gha: Pin minikube version used in CI (Backport PR #23232, Upstream PR #23099, @sayboras)
* per-node config improvements: testing, null selector, cleanups (Backport PR #23147, Upstream PR #22950, @squeed)
* test/l4lb,nat46x64: Replace Kind/Helm with DinD (Backport PR #23242, Upstream PR #22653, @brb)
* test: Quarantine TLS test for now (Backport PR #23001, Upstream PR #22684, @jrajahalme)
* workflows: fix skip condition for encryption tests in datapath conformance (Backport PR #23001, Upstream PR #22763, @tklauser)

**Misc Changes:**
* Add Cilium configuration documentation (Backport PR #23001, Upstream PR #22744, @squeed)
* bpf: fix cb collision for nat46x64 (Backport PR #22948, Upstream PR #23012, @borkmann)
* bpf: lb: fix L3 pseudo-hdr csum update for SCTP in __lb6_rev_nat() (Backport PR #23147, Upstream PR #23063, @julianwiedmann)
* bpf: nodeport: fix-up error check in rev_nodeport_lb*() for XDP (Backport PR #23147, Upstream PR #23119, @julianwiedmann)
* bpf: nodeport: NAT64 cleanups (Backport PR #22948, Upstream PR #22915, @julianwiedmann)
* bpf: nodeport: reset EDT aggregate ID for XDP-to-TC tunnel punt (Backport PR #23147, Upstream PR #23029, @julianwiedmann)
* bpf: Relax constant check for dst_id for clang 14+ (Backport PR #23147, Upstream PR #22919, @sayboras)
* build(deps): bump actions/cache from 3.2.0 to 3.2.3 (#22992, @dependabot[bot])
* build(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 (#22961, @dependabot[bot])
* build(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 (#23116, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.37 to 2.1.38 (#23073, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.38 to 2.1.39 (#23191, @dependabot[bot])
* build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (#23253, @dependabot[bot])
* build(deps): update package dependencies (Backport PR #23232, Upstream PR #23140, @fengshunli)
* build: Avoid re-building when building docs from the main Makefile (Backport PR #23147, Upstream PR #22979, @jrajahalme)
* build: Bump base image build time for SBOM (Backport PR #23233, Upstream PR #23148, @joestringer)
* Change start time for policy_implementation_delay to when a CNP is first received by the Agent (Backport PR #23001, Upstream PR #22503, @learnitall)
* chore(deps): update docker.io/library/golang docker tag to v1.19.5 (v1.13) (#23243, @renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.19.5 (v1.13) (#23244, @renovate[bot])
* ci, github: Fix IPv6 conformance test (Backport PR #23001, Upstream PR #22774, @borkmann)
* ci: extend nat46x64 l4lb test suite (Backport PR #23242, Upstream PR #23020, @borkmann)
* cilium: follow-up neigh fixes for gw (Backport PR #22948, Upstream PR #22814, @borkmann)
* datapath: Get rid of NO_REDIRECT define (Backport PR #23147, Upstream PR #23076, @brb)
* docs: Add install guide for deploying Cilium on K0s using k0sctl. (Backport PR #23001, Upstream PR #22029, @xinity)
* docs: Document internalTrafficPolicy-related changes in the upgrade guide (Backport PR #23001, Upstream PR #22927, @gentoo-root)
* docs: Fix inconsistent node label in egress gateway guide (Backport PR #23232, Upstream PR #23225, @pchaigno)
* docs: Fix markup to properly emphasize Kubernetes version in a note (Backport PR #23001, Upstream PR #22976, @Shunpoco)
* docs: Improve IPsec guide (Backport PR #23232, Upstream PR #23135, @pchaigno)
* docs: Improve wording for deny policies limitation (Backport PR #23232, Upstream PR #23095, @joestringer)
* docs: Mark pod-short option in Hubble metrics as deprecated (Backport PR #23232, Upstream PR #23025, @lambdanis)
* docs: move star wars demo to getting started (Backport PR #23147, Upstream PR #22379, @yoyo-go)
* docs: update committer security requirements (Backport PR #23232, Upstream PR #23134, @xmulligan)
* docs: Update Minikube ver. requirement and manual BPFFS mount instructions (Backport PR #23232, Upstream PR #22913, @kimstacy)
* Document socket LB tracing (Backport PR #23232, Upstream PR #23141, @aditighag)
* Fix issues with policy handling introduced by new policy match support for L4 ports on any protocol. (Backport PR #23232, Upstream PR #22975, @jrajahalme)
* Generate Software Bill of Materials during release (Backport PR #23147, Upstream PR #22191, @sandipanpanda)
* gh: fix indentation bug in ingress workflows (Backport PR #23232, Upstream PR #23195, @julianwiedmann)
* gha: Bump k8s version in kind conformance tests (Backport PR #23147, Upstream PR #22325, @sayboras)
* gha: Improve coverage for Ingress/GatewayAPI (Backport PR #23147, Upstream PR #23007, @sayboras)
* github: do not generate SBOM from source (Backport PR #23233, Upstream PR #23161, @aanm)
* hubble: Fix panic if IP address cannot be parsed (Backport PR #23147, Upstream PR #22994, @gandro)
* hubble: Update the reason label for hubble_drop_total metric (Backport PR #23232, Upstream PR #22408, @michi-covalent)
* images/runtime: bump iptables package to 1.8.8 (Backport PR #23232, Upstream PR #23163, @jibi)
* images: Update Hubble CLI to v0.11.0 (Backport PR #23147, Upstream PR #23043, @gandro)
* Improve fqdn events logging management (Backport PR #23001, Upstream PR #22745, @pippolo84)
* IPsec: Refactor `ipSecReplaceState{In,Out}` functions (Backport PR #23232, Upstream PR #23158, @pchaigno)
* iptables: skip reverse IP lookup (Backport PR #23147, Upstream PR #22977, @jibi)
* k8s: Add node-role.kubernetes.io/control-plane taint (Backport PR #23147, Upstream PR #22894, @sayboras)
* k8s: Update dependencies to v0.26.0 (Backport PR #23001, Upstream PR #22891, @sayboras)
* Make cilium pprof listen address configurable (Backport PR #23147, Upstream PR #22768, @chancez)
* pkg/maps,pkg/defaults: allow configuring map events on missing map types. (Backport PR #23001, Upstream PR #22746, @tommyp1ckles)
* refactoring of fetching cilium manifests in OKD installation (Backport PR #23232, Upstream PR #22695, @zisisli)

**Other Changes:**
* install: Update image digests for v1.13.0-rc4 (#22852, @joestringer)

## v1.13.0-rc4

Summary of Changes
------------------

**Major Changes:**
* Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (Backport PR #22822, Upstream PR #22656, @squeed)
* Added capability to announce LoadBalancer services via BGP Control Plane (#22397, @dylandreimerink)
* CiliumNetworkPolicy now supports enforcement of SNI in TLS connections. (#22398, @jrajahalme)

**Minor Changes:**
* Add option to configure the resources of the cgroups automount init Container in the Cilium Agent DaemonSet. (#22384, @shaardie)
* Added 'envoy.filters.http.jwt_authn' and 'envoy.filters.http.oauth2' to the build to be used in CiliumEnvoyConfig resources. (#22562, @jrajahalme)
* bpf: nat: fix usage of ipv6_hdrlen() with unhandled Extension headers (#22544, @julianwiedmann)
* Bugtool: add flag to exclude object for endpoints (#22370, @tbalthazar)
* cilium: Add deprecation warning for service ids (Backport PR #22822, Upstream PR #22700, @joamaki)
* clustermesh: Add an infrastructure to connect time parameter exchange and capability negotiation (Backport PR #22822, Upstream PR #22553, @YutaroHayakawa)
* egressgw: drop support for CiliumEgressNATPolicy (#21874, @julianwiedmann)
* envoy: Support LB capability for existing k8s Service (Backport PR #22835, Upstream PR #21244, @sayboras)
* helm: Support configuring Cilium shared Ingress Service type and nodePorts (#22583, @chancez)
* install/kubernetes: make securityContext SELinux options configurable (Backport PR #22822, Upstream PR #22721, @tklauser)
* Load multiple programs for one CollectionSpec loading (#22025, @alexkats)
* Remove deprecated `spec.eni.{min-allocate,pre-allocate,max-above-watermark}` parameters (#21951, @obaranov1)
* Traffic can now be redirected to Envoy listeners via Cilium Network Policy `listener` option. (Backport PR #22822, Upstream PR #21600, @jrajahalme)

**Bugfixes:**
* bpf: add drop notification for missed L7 LB tailcall in to-netdev (Backport PR #22822, Upstream PR #22679, @julianwiedmann)
* bpf: nodeport: fix drop notification in IPv6 revNAT (#22543, @julianwiedmann)
* bpf: nodeport: wire up trace aggregation for rev_nodeport_lb6() (Backport PR #22835, Upstream PR #22794, @julianwiedmann)
* daemon: Do not remove PERM L2 entries in L4LB (Backport PR #22822, Upstream PR #22676, @brb)
* Do not let the bandwidth manager decrease existing sysctl values. (#22468, @ArthurChiao)
* Fix a data race in dnsproxy which could lead to DNS requests drops. (Backport PR #22822, Upstream PR #22619, @aspsk)
* Fix bug that caused ingress policies to be enforced twice when running with tunneling and endpoint routes. (Backport PR #22822, Upstream PR #22333, @pchaigno)
* Fix race condition in DNS proxy when multiple DNS requests for the same name end up with policy drops, even though the traffic is allowed (Backport PR #22822, Upstream PR #22252, @christarazi)
* Fixes `semaphore_rejected_total` metric and adds new `scope` to `proxy_upstream_reply_seconds` metric. (#21267, @rahulkjoshi)
* Improve garbage collection for FQDNs particularly with high-churn IP names such as Amazon S3. (#22510, @joestringer)
* ipam/crd: Fix router initialization fatal when ENI data race happens (Backport PR #22822, Upstream PR #22477, @jaffcheng)

**CI Changes:**
* .github/workflows: bump ubuntu version for code-ql (#22505, @aanm)
* .github: add debug for codeql (#22607, @aanm)
* ci: Replace deprecated `hubble observe -o json` with `-o jsonpb` (Backport PR #22822, Upstream PR #22796, @gandro)
* ci: update cilium-cli to v0.12.11 for master, v1.11 and v1.12 workflows (#22494, @tklauser)
* contrib/scripts: Add check for use of viper's default instance (#22445, @joamaki)
* daemon/cmd: improve stale cilium endpoint error handling. (Backport PR #22822, Upstream PR #22600, @tommyp1ckles)
* dependabot: monthly update of cloud provider SDK Go modules (#22489, @tklauser)
* Fix when install k8s-1.25 ,no need cni install (#22355, @yanggangtony)
* gh/workflows: Add DP CI for encryption (Backport PR #22822, Upstream PR #22418, @brb)
* gh/workflows: tune LVH VM params (#22425, @brb)
* gha: Add retry mechanism for conformance ingress (shared) (Backport PR #22822, Upstream PR #22673, @sayboras)
* Revert "dependabot: monthly update of cloud provider SDK Go modules" (#22571, @pippolo84)
* test/helpers: Fix retry condition for CiliumExecContext (Backport PR #22822, Upstream PR #22726, @christarazi)
* test/l4lb, nat64x46: pass k8s api server to the standalone proxy (Backport PR #22822, Upstream PR #22627, @squeed)
* test: Keep trying exec if killed (#22570, @jrajahalme)
* test: service: fix formatting of error msg in doFragmentedRequest() (Backport PR #22822, Upstream PR #22772, @julianwiedmann)
* test: Specify `test/k8s` directory on `k8s_install.sh` to modify pulling images (#22530, @Shunpoco)
* workflow: disable tests pod-to-world and pod-to-cidr (#22475, @brlbil)
* workflow: Reenable IPsec tests in EKS for v1.12 (#22618, @pchaigno)
* workflow: Workaround EKS flake (#22590, @pchaigno)
* workflows: add wait for no operation for cleaning up GKE (#22350, @brlbil)
* workflows: Collect a final sysdump on AKS (#22537, @pchaigno)
* workflows: Collect sysdumps on failures (#22538, @pchaigno)
* workflows: Reduce verbosity of connectivity tests (#22605, @pchaigno)
* workflows: Reduce verbosity of connectivity tests on AKS (#22536, @pchaigno)

**Misc Changes:**
* .github/workflows: print author association (#22606, @aanm)
* .github/workflows: use right event type for auto labeler (#22508, @aanm)
* .github: add PR labeler for external contributions (#22461, @aanm)
* Add --pprof-debug args to cilium-bugtool (#22282, @yanggangtony)
* Add per-node configuration overrides. There is a new Kubernetes resource type, CiliumNodeConfig, which allows for fine-grained configuration of Nodes based on label selectors. (#22163, @squeed)
* Add sphinxcontrib-googleanalytics to doc requirements (Backport PR #22822, Upstream PR #22821, @chalin)
* Add tests for hubble metrics handlers (Backport PR #22822, Upstream PR #22518, @marqc)
* backporting: leave `backport/author` PRs alone (Backport PR #22822, Upstream PR #22654, @bimmlerd)
* bpf_sockops string constant can use const eSockops replace (#22490, @tanberBro)
* build(deps): bump actions/cache from 3.0.11 to 3.2.0 (#22843, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.3.1 to 3.4.0 (#22483, @dependabot[bot])
* build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#22718, @dependabot[bot])
* build(deps): bump actions/stale from 5.1.1 to 6.0.1 (#22499, @dependabot[bot])
* build(deps): bump github.com/go-openapi/runtime from 0.24.2 to 0.25.0 (#22413, @dependabot[bot])
* build(deps): bump github.com/hashicorp/consul/api from 1.17.0 to 1.18.0 (#22549, @dependabot[bot])
* build(deps): bump github.com/onsi/gomega from 1.23.0 to 1.24.1 (#22391, @dependabot[bot])
* build(deps): bump github.com/tidwall/gjson from 1.14.3 to 1.14.4 (#22395, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.32 to 2.1.35 (#22498, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.35 to 2.1.36 (#22633, @dependabot[bot])
* build(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#22736, @dependabot[bot])
* build(deps): bump go.opentelemetry.io/otel from 1.11.1 to 1.11.2 (#22621, @dependabot[bot])
* build(deps): bump golang.org/x/sys from 0.2.0 to 0.3.0 (#22548, @dependabot[bot])
* build(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#22720, @dependabot[bot])
* build(deps): bump KyleMayes/install-llvm-action from 1.6.0 to 1.6.1 (#22592, @dependabot[bot])
* chore(deps): update base-images (v1.13) (#22647, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.17.0 (master) (#22317, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.19.3 docker digest to 10e3c0f (master) (#22566, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 27cb6e6 (v1.13) (#22661, @renovate[bot])
* contrib: exclude non-running pods in k8s-unmanaged script (#22515, @felfa01)
* contributing: Document CNCF DCO Guidelines v1.0 (#22509, @joestringer)
* daemon: Close the identityAllocator on shutdown (#22411, @joestringer)
* daemon: Do not fail CI runs for already deleted CEP (#22474, @jrajahalme)
* delete redundant type conversion (#22376, @tanberBro)
* Docs: Replace the way to install `golangci-lint` to `NA(OS-specific)` (#22532, @Shunpoco)
* docs: restructure bpf guide (#21922, @yoyo-go)
* docs: update cmdref with missing flag (#22525, @aanm)
* document helm conntrackGCInterval crdWaitTimeout identityChangeGracePeriod (#22352, @vincentmli)
* Enable Google Analytics 4 (Backport PR #22835, Upstream PR #22220, @chalin)
* envoy: Skip NPHDS upsert when IP is already included (#22289, @jrajahalme)
* examples: Add Envoy admin listener (#22386, @jrajahalme)
* Fix long-time failure of "ipcache-inject-labels" controller due to incorrect backoff time for retry (#21886, @ArthurChiao)
* Fix note for 'func numWorkerThreads()' (#22412, @yanggangtony)
* Fix prepare release process (#22487, @aanm)
* fix:omit comparison to bool constant (#22588, @yulng)
* fix:remove ioutil to accommodate newer Go versions (#22383, @yulng)
* fuzzing: bump go-fuzz-headers (#22501, @AdamKorcz)
* go.mod, vendor: drop client-go from replace directives (#22547, @tklauser)
* go.mod, vendor: update cloud provider SDK Go modules for December 2022 (#22469, @tklauser)
* hive: Allow multiple calls to `Hive.Shutdown` (#22551, @dylandreimerink)
* hubble/metrics: ProcessFlow() is optional for metrics handlers (#20367, @chancez)
* Initial datapath support for Cilium mTLS has been added. (Backport PR #22822, Upstream PR #21822, @jrajahalme)
* Introduce v3 backend maps (Backport PR #22822, Upstream PR #21797, @YutaroHayakawa)
* ipcache: Fix IPcache leak of remote-node IP addresses (#21932, @pchaigno)
* Keep command help message capital (#22276, @yanggangtony)
* modify the deprecated label beta.kubernetes.io/instance-type (#21941, @my-git9)
* operator: Remove use of global vars in cilium node synchronizer (#22491, @joamaki)
* operator: Wait for informers to shut down when stopping (Backport PR #22835, Upstream PR #22761, @joamaki)
* pkg: Follow Go convention on capitalization (#22534, @yulng)
* Prepare for release v1.13.0-rc3 (#22481, @aanm)
* Prepare v1.13 stable branch (#22612, @joestringer)
* Remove unnecessary imports of pkg/policy (#21996, @jrajahalme)
* Revert "Mount host /boot into cilium-agent container" (#22326, @ti-mo)
* Revert "per-node configuration overrides" pull request (#22630, @pchaigno)
* support reset backoff period (#21937, @wu0407)
* test/control-plane: Add nil check for agentHandle.Close receiver (#22399, @dylandreimerink)
* Update Cilium install guide about EKS aws-node DaemonSet potential connectivity problem on uninstall (#22620, @NikAleksandrov)
* Update Go to 1.19.4 (#22589, @tklauser)
* update gops and ginkgo mod version for match the current go.mod (#22427, @yanggangtony)
* Update Layer 7 Protocol Visibility Document. (Backport PR #22835, Upstream PR #22807, @obaranov1)
* util: fix wrong comment of GetNumPossibleCPUs (#22540, @117503445)

**Other Changes:**
* build(deps): bump certifi from 2022.6.15 to 2022.12.7 in /Documentation (#22609, @dependabot[bot])