Prepare for release v1.12.16

Signed-off-by: Nate Sweet <nathanjsweet@pm.me>

.github/maintainers-little-helper.yaml

@@ -1,4 +1,4 @@
-project: "https://github.com/cilium/cilium/projects/253"
+project: "https://github.com/cilium/cilium/projects/256"
 column: "In progress"
 auto-label:
   - "kind/backports"

AUTHORS

@@ -133,6 +133,7 @@ David Wolffberg                         1350533+wolffberg@users.noreply.github.c
 Dawn                                    lx1960753013@gmail.com
 Deepesh Pathak                          deepshpathak@gmail.com
 Denis Khachyan                          khachyanda.gmail.com
+derailed                                fernand.galiana@gmail.com
 Derek Gaffney                           17263955+gaffneyd4@users.noreply.github.com
 Devarshi Sathiya                        devarshisathiya5@gmail.com
 Dharma Bellamkonda                      dharma.bellamkonda@gmail.com

CHANGELOG.md

@@ -1,5 +1,46 @@
 # Changelog
 
+## v1.12.16
+
+Summary of Changes
+------------------
+
+**Minor Changes:**
+* Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (Backport PR #29090, Upstream PR #28928, @jrajahalme)
+* Cilium now properly deletes stale (deleted) nodes from the node_connectivity_status and node_connectivity_latency_seconds metrics, reducing metric cardinality. (Backport PR #28977, Upstream PR #28382, @derailed)
+* Display interfaces used for IPsec decryption in `cilium encrypt status`. (Backport PR #28762, Upstream PR #28640, @pchaigno)
+* ipsec: New Prometheus metrics for XFRM configs (Backport PR #28762, Upstream PR #28400, @pchaigno)
+* policy: Fixed a bug that incorrectly omitted port-protocol policy rules that omitted the "protocol" field. An omitted "protocol" field now, correctly, is the same as using the "ANY" protocol. (Backport PR #28762, Upstream PR #28703, @nathanjsweet)
+
+**Bugfixes:**
+* bpf: Add TC_ACT_REDIRECT check for nodeport (Backport PR #29035, Upstream PR #28927, @sayboras)
+* Fix CIDR labels computation (Backport PR #28893, Upstream PR #28788, @pippolo84)
+* Fix IPsec error logs to always have all information needed to identify the XFRM configuration on which the error happened. (Backport PR #29035, Upstream PR #28642, @pchaigno)
+
+**CI Changes:**
+* [v1.12] Use pull_request_target in Update Backport Label workflow (#29012, @pippolo84)
+* gh/workflows: Dump Cilium LB node logs in case of failure (Backport PR #29035, Upstream PR #28808, @brb)
+* Test both VXLAN and GENEVE tunneling as part of the Conformance Cluster Mesh workflow (Backport PR #28893, Upstream PR #28767, @giorio94)
+
+**Misc Changes:**
+* bpf: lb: fix missing drop reason in reverse_map_l4_port() (Backport PR #29035, Upstream PR #28884, @julianwiedmann)
+* bpf: lxc: remove stale ENABLE_IDENTITY_MARK ifdefs (Backport PR #28762, Upstream PR #28391, @julianwiedmann)
+* bugtool: Collect XFRM error counters twice (Backport PR #28893, Upstream PR #28790, @pchaigno)
+* chore(deps): update docker.io/library/golang docker tag to v1.20.11 (v1.12) (#29042, @renovate[bot])
+* datapath: Move `linuxNodeHandler` IPsec functions to their own file (Backport PR #29035, Upstream PR #28941, @pchaigno)
+* docs: Clarify BPF Map Pressure Metric (Backport PR #28762, Upstream PR #28682, @nathanjsweet)
+* docs: Update IPsec key rotation command (Backport PR #28762, Upstream PR #28141, @jschwinger233)
+* go.mod, vendor: use github.com/cilium/dns fork directly (Backport PR #29090, Upstream PR #27582, @tklauser)
+* ipsec: Improve `encrypt flush` command (Backport PR #29035, Upstream PR #28795, @pchaigno)
+* labels/cidr: Memoize labels for already seen prefixes (Backport PR #28893, Upstream PR #28465, @pippolo84)
+* labels/cidr: On the fly char replacement for IPv6 (Backport PR #28951, Upstream PR #28647, @pippolo84)
+* labels: Use slices.Sort instead of sort.Strings (Backport PR #28951, Upstream PR #28649, @pippolo84)
+
+**Other Changes:**
+* [v1.12] envoy: Bump version to v1.26.6 (#28855, @sayboras)
+* [v1.12] envoy: Update envoy version to 1.25.x (#28333, @sayboras)
+* install: Update image digests for v1.12.15 (#28653, @jrajahalme)
+
 ## v1.12.15
 
 Summary of Changes

Documentation/concepts/kubernetes/compatibility-table.rst

@@ -142,7 +142,9 @@
 +-----------------+----------------+
 | v1.12.14        | 1.25.7         |
 +-----------------+----------------+
+| v1.12.15        | 1.25.7         |
++-----------------+----------------+
 | v1.12           | 1.25.7         |
 +-----------------+----------------+
-| latest / master | 1.26.9         |
+| latest / master | 1.26.10        |
 +-----------------+----------------+

VERSION

@@ -1 +1 @@
-1.12.15
+1.12.16

install/kubernetes/Makefile.digests

@@ -2,12 +2,12 @@
 # Copyright 2023 Authors of Cilium
 # SPDX-License-Identifier: Apache-2.0
 
-export CILIUM_DIGEST := "sha256:24c4c9d756b2467ec20475309b68d640cdf91aa0008e136a826197590f028cca"
-export CLUSTERMESH_APISERVER_DIGEST := "sha256:9e9dccc8bc7bfcf6f32cc4a17e434517fdc13f89474049e36f4500eb5d40fad7"
-export DOCKER_PLUGIN_DIGEST := "sha256:04d5463be836feaa6e4affaf7a57c7a35b432bd8d236b4969b6e907e501bb95b"
-export HUBBLE_RELAY_DIGEST := "sha256:7caa0af7576db3cc137aa0125eae98435777c1b29eff79b049cbe681308e2794"
-export OPERATOR_ALIBABACLOUD_DIGEST := "sha256:0bb7b1ef7401c73e89794e6c66151b2654f3cc0d0d4ba22391ba3204e6a10ae8"
-export OPERATOR_AWS_DIGEST := "sha256:454e7c2b755204b6417f514e4385ff7b22cc9e4fd737202e6bff098f1f023e9a"
-export OPERATOR_AZURE_DIGEST := "sha256:adec8ed7ca41c0c52368f9d4cf247de29d11d1d43afc42f50aacca104e3fda53"
-export OPERATOR_GENERIC_DIGEST := "sha256:ef8acf5b11f033032b55e2ece07179d925bfcb6f0cb501a898fdc031bad900ea"
-export OPERATOR_DIGEST := "sha256:5dfbd80c6d279e5495f1258924be06781cf6f1a8ee701251986b80593ccda5ed"
+export CILIUM_DIGEST := ""
+export CLUSTERMESH_APISERVER_DIGEST := ""
+export DOCKER_PLUGIN_DIGEST := ""
+export HUBBLE_RELAY_DIGEST := ""
+export OPERATOR_ALIBABACLOUD_DIGEST := ""
+export OPERATOR_AWS_DIGEST := ""
+export OPERATOR_AZURE_DIGEST := ""
+export OPERATOR_GENERIC_DIGEST := ""
+export OPERATOR_DIGEST := ""

install/kubernetes/cilium/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.12.15
-appVersion: 1.12.15
+version: 1.12.16
+appVersion: 1.12.16
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.12/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability

install/kubernetes/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.12.15](https://img.shields.io/badge/Version-1.12.15-informational?style=flat-square) ![AppVersion: 1.12.15](https://img.shields.io/badge/AppVersion-1.12.15-informational?style=flat-square)
+![Version: 1.12.16](https://img.shields.io/badge/Version-1.12.16-informational?style=flat-square) ![AppVersion: 1.12.16](https://img.shields.io/badge/AppVersion-1.12.16-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -98,7 +98,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:9e9dccc8bc7bfcf6f32cc4a17e434517fdc13f89474049e36f4500eb5d40fad7","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.15","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.16","useDigest":false}` | Clustermesh API server image. |
 | clustermesh.apiserver.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -254,7 +254,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
 | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) |
 | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. |
-| hubble.relay.image | object | `{"digest":"sha256:7caa0af7576db3cc137aa0125eae98435777c1b29eff79b049cbe681308e2794","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.15","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.16","useDigest":false}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -345,7 +345,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/  |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
-| image | object | `{"digest":"sha256:24c4c9d756b2467ec20475309b68d640cdf91aa0008e136a826197590f028cca","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.15","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.16","useDigest":false}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. |
 | ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. |
@@ -411,7 +411,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:0bb7b1ef7401c73e89794e6c66151b2654f3cc0d0d4ba22391ba3204e6a10ae8","awsDigest":"sha256:454e7c2b755204b6417f514e4385ff7b22cc9e4fd737202e6bff098f1f023e9a","azureDigest":"sha256:adec8ed7ca41c0c52368f9d4cf247de29d11d1d43afc42f50aacca104e3fda53","genericDigest":"sha256:ef8acf5b11f033032b55e2ece07179d925bfcb6f0cb501a898fdc031bad900ea","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.15","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.16","useDigest":false}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/  |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -454,7 +454,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:24c4c9d756b2467ec20475309b68d640cdf91aa0008e136a826197590f028cca","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.15","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.16","useDigest":false}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/  |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

install/kubernetes/cilium/values.yaml

@@ -99,11 +99,11 @@ rollOutCiliumPods: false
 image:
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.12.15"
+  tag: "v1.12.16"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:24c4c9d756b2467ec20475309b68d640cdf91aa0008e136a826197590f028cca"
-  useDigest: true
+  digest: ""
+  useDigest: false
 
 # -- Affinity for cilium-agent.
 affinity:
@@ -834,10 +834,10 @@ hubble:
     image:
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.12.15"
+      tag: "v1.12.16"
        # hubble-relay-digest
-      digest: "sha256:7caa0af7576db3cc137aa0125eae98435777c1b29eff79b049cbe681308e2794"
-      useDigest: true
+      digest: ""
+      useDigest: false
       pullPolicy: "IfNotPresent"
 
     # -- Specifies the resources for the hubble-relay pods
@@ -1630,16 +1630,16 @@ operator:
   image:
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.12.15"
+    tag: "v1.12.16"
     # operator-generic-digest
-    genericDigest: "sha256:ef8acf5b11f033032b55e2ece07179d925bfcb6f0cb501a898fdc031bad900ea"
+    genericDigest: ""
     # operator-azure-digest
-    azureDigest: "sha256:adec8ed7ca41c0c52368f9d4cf247de29d11d1d43afc42f50aacca104e3fda53"
+    azureDigest: ""
     # operator-aws-digest
-    awsDigest: "sha256:454e7c2b755204b6417f514e4385ff7b22cc9e4fd737202e6bff098f1f023e9a"
+    awsDigest: ""
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:0bb7b1ef7401c73e89794e6c66151b2654f3cc0d0d4ba22391ba3204e6a10ae8"
-    useDigest: true
+    alibabacloudDigest: ""
+    useDigest: false
     pullPolicy: "IfNotPresent"
     suffix: ""
 
@@ -1881,10 +1881,10 @@ preflight:
   image:
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.12.15"
+    tag: "v1.12.16"
     # cilium-digest
-    digest: "sha256:24c4c9d756b2467ec20475309b68d640cdf91aa0008e136a826197590f028cca"
-    useDigest: true
+    digest: ""
+    useDigest: false
     pullPolicy: "IfNotPresent"
 
   # -- The priority class to use for the preflight pod.
@@ -2027,10 +2027,10 @@ clustermesh:
     image:
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.12.15"
+      tag: "v1.12.16"
       # clustermesh-apiserver-digest
-      digest: "sha256:9e9dccc8bc7bfcf6f32cc4a17e434517fdc13f89474049e36f4500eb5d40fad7"
-      useDigest: true
+      digest: ""
+      useDigest: false
       pullPolicy: "IfNotPresent"
 
     etcd: