Prepare for release v1.12.10

Signed-off-by: Tim Horner <timothy.horner@isovalent.com>
cilium · May 17, 2023 · 628b520 · 628b520
1 parent 00f904a
commit 628b520
Show file tree

Hide file tree

Showing 10 changed files with 96 additions and 43 deletions.
diff --git a/.github/maintainers-little-helper.yaml b/.github/maintainers-little-helper.yaml
@@ -1,4 +1,4 @@
-project: "https://github.com/cilium/cilium/projects/230"
+project: "https://github.com/cilium/cilium/projects/234"
 column: "In progress"
 auto-label:
   - "kind/backports"

diff --git a/AUTHORS b/AUTHORS
@@ -189,6 +189,7 @@ Haitao Li                               lihaitao@gmail.com
 Hang Yan                                hang.yan@hotmail.com
 Han Zhou                                hzhou8@ebay.com
 Harsh Modi                              harshmodi@google.com
+harsimran pabla                         hpabla@isovalent.com
 Hart Hoover                             hart.hoover@gmail.com
 Heiko Rothe                             me@heikorothe.com
 Hemanth Malla                           hemanth.malla@datadoghq.com
@@ -364,7 +365,7 @@ Patrice Chalin                          chalin@cncf.io
 Patrice Peterson                        patrice.peterson@mailbox.org
 Patrick Mahoney                         pmahoney@greenkeytech.com
 Patrik Cyvoct                           patrik@ptrk.io
-Paul Chaignon                           paul@cilium.io
+Paul Chaignon                           paul.chaignon@gmail.com
 Pavel Pavlov                            40396270+PavelPavlov46@users.noreply.github.com
 Paweł Prażak                            pawelprazak@users.noreply.github.com
 Peiqi Shi                               uestc.shi@gmail.com

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,53 @@
 # Changelog
 
+## v1.12.10
+
+Summary of Changes
+------------------
+
+**Minor Changes:**
+* sysdump: Added Kubernetes CNI logs to sysdump. (Backport PR #25348, Upstream PR #23937, @marseel)
+* Update CNI (loopback) to 1.3.0 (Backport PR #25433, Upstream PR #25400, @anfernee)
+
+**Bugfixes:**
+* Address cilium-agent startup performance regression. (Backport PR #25190, Upstream PR #25007, @bimmlerd)
+* datapath: Fix double SNAT (Backport PR #25248, Upstream PR #25189, @brb)
+* DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (Backport PR #25348, Upstream PR #25147, @jrajahalme)
+* Filter ipv6 advertisements when using metallb as BGP speaker. (Backport PR #25138, Upstream PR #25043, @harsimran-pabla)
+* Fix bug where Cilium configurations running with tunneling disabled, BPF-masq disabled, but with masquerading enabled, do not clean up ipset configuration when a node IP changes. This can lead to a lack of masquerading on those node IPs. (Backport PR #25012, Upstream PR #24825, @christarazi)
+* Fix connectivity issue if nodes share the same name across the clustermesh and wireguard is enabled (Backport PR #25012, Upstream PR #24785, @giorio94)
+* Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (Backport PR #25348, Upstream PR #25087, @joamaki)
+* Fix incorrect network policy ebpf setup that may lead to incorrect packets denies when CEP is present in multiple CES (Backport PR #25188, Upstream PR #24838, @alan-kut)
+* Fix spurious errors containing "Failed to map node IP address to allocated ID". (Backport PR #25348, Upstream PR #25222, @bimmlerd)
+* ipsec: Fix packet mark for FWD XFRM policy (Backport PR #25348, Upstream PR #23254, @pchaigno)
+* pkg/kvstore: Fix for deadlock in etcd status checker (Backport PR #25012, Upstream PR #24786, @hemanthmalla)
+
+**CI Changes:**
+* ci: remove `STATUS` commands from upstream tests' Jenkinsfile (Backport PR #25138, Upstream PR #25046, @nbusseneau)
+* ci: remove `STATUS` commands from upstream tests' Jenkinsfile (Backport PR #25248, Upstream PR #25046, @nbusseneau)
+* Delete "Cilium monitor verbose mode" test (Backport PR #25348, Upstream PR #25212, @michi-covalent)
+* inctimer: fix test flake where timer does not fire within time. (Backport PR #25248, Upstream PR #25219, @tommyp1ckles)
+
+**Misc Changes:**
+* chore(deps): update hubble cli to v0.11.5 (v1.12) (patch) (#25126, @renovate[bot])
+* daemon: Mark CES feature as beta in agent flag (Backport PR #25012, Upstream PR #24850, @pchaigno)
+* docs: Add matrix version between envoy and cilium (Backport PR #25248, Upstream PR #25109, @sayboras)
+* docs: Add platform support to docs (Backport PR #25248, Upstream PR #25174, @joestringer)
+* docs: small fixes for k8s upgrade guide (Backport PR #25012, Upstream PR #24869, @tklauser)
+* envoy: Debug log remote IDs for Envoy policies (Backport PR #25012, Upstream PR #24939, @jrajahalme)
+* helm: add clustermesh nodeport config warning about known bug #24692 (Backport PR #25248, Upstream PR #25033, @giorio94)
+* ipsec: Install default-drop XFRM policy sooner (Backport PR #25348, Upstream PR #25257, @pchaigno)
+* Makefile: use a specific template for mktemp files (Backport PR #25248, Upstream PR #25192, @kaworu)
+* node/manager: Only remove old IPs if they weren't already added (Backport PR #25012, Upstream PR #25067, @christarazi)
+* pkg/service: Backends leak follow ups with revised fixes, debugging improvements and unit tests (Backport PR #25248, Upstream PR #24770, @aditighag)
+
+**Other Changes:**
+* [v1.12] contrib/backporting: Fix main branch reference (#25092, @joestringer)
+* contrib/backporting: Fix main branch reference (#25140, @sayboras)
+* envoy: Upgrade to v1.23.9 (#25209, @sayboras)
+* install: Update image digests for v1.12.9 (#24953, @gentoo-root)
+* v1.12: docs: Document upgrade impact for IPsec (#24972, @pchaigno)
+
 ## v1.12.9
 
 Summary of Changes

diff --git a/Documentation/concepts/kubernetes/compatibility-table.rst b/Documentation/concepts/kubernetes/compatibility-table.rst
@@ -92,6 +92,8 @@
 +-----------------+----------------+
 | v1.11.15        | 1.24.4         |
 +-----------------+----------------+
+| v1.11.16        | 1.24.4         |
++-----------------+----------------+
 | v1.11           | 1.24.4         |
 +-----------------+----------------+
 | v1.12.0-rc0     | 1.25.1         |
@@ -120,6 +122,8 @@
 +-----------------+----------------+
 | v1.12.8         | 1.25.7         |
 +-----------------+----------------+
+| v1.12.9         | 1.25.7         |
++-----------------+----------------+
 | v1.12           | 1.25.7         |
 +-----------------+----------------+
 | latest / master | 1.26.7         |

diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.12.9
+1.12.10
diff --git a/install/kubernetes/Makefile.digests b/install/kubernetes/Makefile.digests
@@ -2,12 +2,12 @@
 # Copyright 2023 Authors of Cilium
 # SPDX-License-Identifier: Apache-2.0
 
-export CILIUM_DIGEST := "sha256:677e7a906506b8a13fecb6f0f783ed647b36036786c8c640ff98e25ec2f2ab1f"
-export CLUSTERMESH_APISERVER_DIGEST := "sha256:51ac1cd2b9ff753e5e8e4881e2777095879f3c91b4366ce1c43b329c1eeeb5fa"
-export DOCKER_PLUGIN_DIGEST := "sha256:8d758033584cdae93ca14479e2bc93bf9cbd89bc489755121b1155713148199e"
-export HUBBLE_RELAY_DIGEST := "sha256:ec6cf2f48b9d2dec73a24eca1e881d9792c2ca6d6beb4c23b5ab97255feb3eb5"
-export OPERATOR_ALIBABACLOUD_DIGEST := "sha256:eb64357e4f130152e60ba02f83424e434aad1cf07efabaeb9f4b9da71b51cb78"
-export OPERATOR_AWS_DIGEST := "sha256:e09f06655437f62e2c332a4951798a56cf5e09f46e795e2ad9f5d4b8e8c48393"
-export OPERATOR_AZURE_DIGEST := "sha256:601321b0cadd218f369fb2d636f15d17a4ab0871047dee8a3bcfdb7abe897404"
-export OPERATOR_GENERIC_DIGEST := "sha256:cc8d7b222f63812c691a685b32fedab8a805d243da720653cdc2ff0c4a562673"
-export OPERATOR_DIGEST := "sha256:a2f69a499881873494bfdef8f3ae48dd8739fecd3e8e85b1fa88ae20f53a75b6"
+export CILIUM_DIGEST := ""
+export CLUSTERMESH_APISERVER_DIGEST := ""
+export DOCKER_PLUGIN_DIGEST := ""
+export HUBBLE_RELAY_DIGEST := ""
+export OPERATOR_ALIBABACLOUD_DIGEST := ""
+export OPERATOR_AWS_DIGEST := ""
+export OPERATOR_AZURE_DIGEST := ""
+export OPERATOR_GENERIC_DIGEST := ""
+export OPERATOR_DIGEST := ""
diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.12.9
-appVersion: 1.12.9
+version: 1.12.10
+appVersion: 1.12.10
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.12/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability

diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.12.9](https://img.shields.io/badge/Version-1.12.9-informational?style=flat-square) ![AppVersion: 1.12.9](https://img.shields.io/badge/AppVersion-1.12.9-informational?style=flat-square)
+![Version: 1.12.10](https://img.shields.io/badge/Version-1.12.10-informational?style=flat-square) ![AppVersion: 1.12.10](https://img.shields.io/badge/AppVersion-1.12.10-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -98,7 +98,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:51ac1cd2b9ff753e5e8e4881e2777095879f3c91b4366ce1c43b329c1eeeb5fa","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.9","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.10","useDigest":false}` | Clustermesh API server image. |
 | clustermesh.apiserver.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -252,7 +252,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
 | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) |
 | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. |
-| hubble.relay.image | object | `{"digest":"sha256:ec6cf2f48b9d2dec73a24eca1e881d9792c2ca6d6beb4c23b5ab97255feb3eb5","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.9","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.10","useDigest":false}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -343,7 +343,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
-| image | object | `{"digest":"sha256:677e7a906506b8a13fecb6f0f783ed647b36036786c8c640ff98e25ec2f2ab1f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.9","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.10","useDigest":false}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. |
 | ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. |
@@ -409,7 +409,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:eb64357e4f130152e60ba02f83424e434aad1cf07efabaeb9f4b9da71b51cb78","awsDigest":"sha256:e09f06655437f62e2c332a4951798a56cf5e09f46e795e2ad9f5d4b8e8c48393","azureDigest":"sha256:601321b0cadd218f369fb2d636f15d17a4ab0871047dee8a3bcfdb7abe897404","genericDigest":"sha256:cc8d7b222f63812c691a685b32fedab8a805d243da720653cdc2ff0c4a562673","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.9","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.10","useDigest":false}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -452,7 +452,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:677e7a906506b8a13fecb6f0f783ed647b36036786c8c640ff98e25ec2f2ab1f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.9","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.10","useDigest":false}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |