Prepare for release v1.9.1

Signed-off-by: André Martins <andre@cilium.io>

.github/cilium-actions.yml

@@ -1,4 +1,4 @@
-project: "https://github.com/cilium/cilium/projects/137"
+project: "https://github.com/cilium/cilium/projects/140"
 column: "In progress"
 auto-label:
   - "kind/backports"

.mailmap

@@ -34,6 +34,7 @@ Junli Ou <oujunli306@gmail.com>
 Karl Heins <karlheins@northwesternmutual.com>
 Liu Qun <qunliu@zyhx-group.com>
 Madhu Challa <challa@gmail.com>
+Mandar U Jog <mjog@google.com> <mandarjog@gmail.com>
 Matthew Gumport <me@gum.pt>
 Michael Vorburger <vorburger@redhat.com>
 Peiqi Shi <uestc.shi@gmail.com>

AUTHORS

@@ -133,6 +133,7 @@ Madhu Challa                            madhu@cilium.io
 MaiReo                                  sawako.saki@gmail.com
 Maksym Lushpenko                        iviakciivi@gmail.com
 Manali Bhutiyani                        manali@covalent.io
+Mandar U Jog                            mjog@google.com
 Manuel Buil                             mbuil@suse.com
 Marcin Skarbek                          git@skarbek.name
 Marius Gerling                          marius.gerling@uniberg.com
@@ -173,6 +174,7 @@ Peter Slovak                            slovak.peto@gmail.com
 Philippe Lafoucrière                   philippe.lafoucriere@gmail.com
 Philipp Gniewosz                        philipp.gniewosz@posteo.de
 Pierre-Yves Aillet                      pyaillet@users.noreply.github.com
+Pranavi Roy                             pranvyr@gmail.com
 Qasim Sarfraz                           qasim.sarfraz@esailors.de
 Quentin Monnet                          quentin@isovalent.com
 Raghu Gyambavantha                      raghug@bld-ml-loan4.olympus.f5net.com

CHANGELOG.md

@@ -1,5 +1,92 @@
 # Changelog
 
+## v1.9.1
+
+Summary of Changes
+------------------
+
+**Minor Changes:**
+* bpf: add metrics for fragmented ipv4 packets (Backport PR #14088, Upstream PR #13347, @jibi)
+* helm: Add extraConfig in configmap template (Backport PR #14270, Upstream PR #14077, @michi-covalent)
+* helm: Correct nodeSelector values (Backport PR #14212, Upstream PR #14104, @sayboras)
+* helm: fix usage of `hostPath` and add `hostPathType` in `extraHostPathMounts` (Backport PR #14212, Upstream PR #14134, @errordeveloper)
+* install: Disable operator HA for quick/experimental install YAMLs (Backport PR #14116, Upstream PR #14102, @joestringer)
+* k8s: update k8s libraries to 1.19.4 (#14033, @aanm)
+* node: Handle arpinging when remote node is in different L2 (Backport PR #14246, Upstream PR #14201, @brb)
+
+**Bugfixes:**
+* bpf: Don't compile unused BPF sections (Backport PR #14212, Upstream PR #14141, @pchaigno)
+* ctmap: GC orphan SNAT entries (Backport PR #14060, Upstream PR #13912, @brb)
+* Fix bug where Cilium on smaller instance types cannot allocate IPs (Backport PR #14060, Upstream PR #13865, @christarazi)
+* Fix etcd's auth token invalid after watch reconnects (Backport PR #14270, Upstream PR #14238, @aanm)
+* Fixed Goroutine leak for unresponded ARP pings. (Backport PR #14246, Upstream PR #14222, @jrajahalme)
+* FQDN rule restoration IP limit has been made configurable (`--tofqdns-max-ips-per-restored-rule`, default 1000). (Backport PR #14060, Upstream PR #13992, @jrajahalme)
+* fqdn: Delay ipcache upserts until policies have been updated (Backport PR #14212, Upstream PR #14110, @jrajahalme)
+* hubble/parser: Always preserve datapath numeric identity (Backport PR #14212, Upstream PR #14090, @gandro)
+* kpr: ensure DirectRoutingDevice is in devices (Backport PR #14246, Upstream PR #14054, @kkourt)
+* metricsmap: fix Prometheus exporter (Backport PR #14270, Upstream PR #14220, @jibi)
+* Trim spaces from loadBalancerSourceRanges when parsing its values. (Backport PR #14060, Upstream PR #13996, @aanm)
+
+**CI Changes:**
+* .travis: Run race detection builds on master commits only (Backport PR #14270, Upstream PR #14189, @pchaigno)
+* build, ci: extend API checks to include Hubble API (Backport PR #14116, Upstream PR #14091, @tklauser)
+* checkpatch: update image tag to latest (Backport PR #14060, Upstream PR #13976, @qmonnet)
+* checkpatch: update image tag to latest (Backport PR #14212, Upstream PR #14135, @qmonnet)
+* ci/helpers: Delete CRDs in CleanupCiliumComponents (Backport PR #14246, Upstream PR #14187, @gandro)
+* ci: log in to docker in vagrant boxes (Backport PR #14060, Upstream PR #13969, @nebril)
+* daemon: Fix netns usage in kpr privileged unit tests (Backport PR #14212, Upstream PR #14171, @brb)
+* Revert commits that skip running tests on CI with EKS (Backport PR #14088, Upstream PR #13961, @christarazi)
+* test: Avoid installing Cilium for K8sBandwidth if tests are skipped (Backport PR #14212, Upstream PR #14185, @pchaigno)
+* test: Avoid use of install with NFS (Backport PR #14212, Upstream PR #14191, @pchaigno)
+* test: Bump migrate-svc-test image (Backport PR #14060, Upstream PR #14044, @brb)
+* test: Don't wait for network to schedule test-verifier (Backport PR #14116, Upstream PR #14074, @pchaigno)
+* test: Switch from Cilium test logger to Ginkgo (Backport PR #14060, Upstream PR #13754, @manuelbuil)
+* test: Use NFS by default in test VMs (Backport PR #14212, Upstream PR #13983, @pchaigno)
+
+**Misc Changes:**
+* Add Registry Credentials to Tests (Backport PR #14010, Upstream PR #13959, @nathanjsweet)
+* Added new Cilium agent option --debug-verbose=policy to log policy map updates. (Backport PR #14212, Upstream PR #14112, @jrajahalme)
+* bpf: don't override DROP_FRAG_NOT_FOUND error (Backport PR #14088, Upstream PR #13936, @jibi)
+* bpf: Fix IS_BPF_HOST macro (Backport PR #14270, Upstream PR #14255, @pchaigno)
+* bpf: Fix program size issue with host firewall in IPv4-only mode (Backport PR #14246, Upstream PR #14232, @pchaigno)
+* bpf: revert changes to metrics directions contants (Backport PR #14246, Upstream PR #14217, @jibi)
+* bugtool: Add lsmod (Backport PR #14212, Upstream PR #14145, @joestringer)
+* ci/github: Replace set-env command by echo command (Backport PR #14060, Upstream PR #14053, @sayboras)
+* cilium: disable bind-protection in kube-proxy free probe mode (Backport PR #14212, Upstream PR #14182, @borkmann)
+* cilium: fix redirect limits on multi dev case (Backport PR #14060, Upstream PR #13884, @borkmann)
+* contrib: Add script to bump stable docker image tags (Backport PR #14088, Upstream PR #13364, @joestringer)
+* dnsproxy: print total number of rules if too many (Backport PR #14060, Upstream PR #13991, @kkourt)
+* doc/hubble-internals: update Hubble Relay section to reflect current state (Backport PR #14060, Upstream PR #14042, @Rolinh)
+* doc: Link hubble metrics to L7 visibility (Backport PR #14212, Upstream PR #13923, @mandarjog)
+* docs: Correct typo in upgrade notes (Backport PR #14246, Upstream PR #14214, @sayboras)
+* docs: encryption: interface clarifications (Backport PR #14088, Upstream PR #13660, @kkourt)
+* docs: Fix helm install command in kubeadm getting started guide (Backport PR #14088, Upstream PR #14061, @pchaigno)
+* docs: Fix wording around labels configuration (Backport PR #14088, Upstream PR #14064, @joestringer)
+* docs: Improve visibility limitations docs (Backport PR #14116, Upstream PR #14073, @joestringer)
+* docs: Replace outdated backporting docs with link (Backport PR #14060, Upstream PR #13986, @twpayne)
+* fqdn: Fix confusion of ToFQDNs vs. DNS rules. (Backport PR #14088, Upstream PR #14012, @jrajahalme)
+* fqdn: Fix unit test (Backport PR #14116, Upstream PR #14085, @jrajahalme)
+* helm/hubble-relay: fixed indentation error (Backport PR #14088, Upstream PR #14029, @PranaviRoy)
+* helm/hubble-ui: fixed ingress configuration on EKS clusters (Backport PR #14060, Upstream PR #14023, @mvisonneau)
+* helm: 'upgradeCompatibility' needs to be a string, not a float64 (Backport PR #14088, Upstream PR #14019, @mvisonneau)
+* helm: Fix description for clustermesh (Backport PR #14212, Upstream PR #14163, @joestringer)
+* Hubble-Relay: proxy metadata from originating client (Backport PR #14060, Upstream PR #13994, @nathanjsweet)
+* Improve the Helm readme (Backport PR #14116, Upstream PR #14083, @joestringer)
+* Improve the Helm readme (Backport PR #14139, Upstream PR #14083, @joestringer)
+* ipam: Remove unnecessary deep copies (Backport PR #14116, Upstream PR #14078, @christarazi)
+* kvstore: add tests for etcd ratelimiter implementation (Backport PR #14116, Upstream PR #14063, @fristonio)
+* Log host routing fallback & document kernel requirement (Backport PR #14270, Upstream PR #14263, @pchaigno)
+* Mention kernel MTU bug in IPv4 fragmentation document (Backport PR #14088, Upstream PR #14030, @liuyuan10)
+* metrics: add cilium_datapath_nat_gc_entries (Backport PR #14116, Upstream PR #12832, @ArthurChiao)
+* node: Fix ineffectual assignment (Backport PR #14270, Upstream PR #14256, @brb)
+* node: Misc neighbor related changes (Backport PR #14116, Upstream PR #14070, @brb)
+* test: use kubectl helper for cilium cleanup in upgrade tests (Backport PR #14212, Upstream PR #14165, @fristonio)
+* Update troubleshooting docs for cilium-sysdump (Backport PR #14139, Upstream PR #14111, @christarazi)
+
+**Other Changes:**
+* Fix potential panic in Hubble when applying time range on non-flow events, e.g. LostEvent. (#14197, @tklauser)
+* v1.9: Update Go to 1.15.5 (#14014, @tklauser)
+
 ## v1.9.0
 
 Summary of Changes

Documentation/concepts/kubernetes/compatibility-table.rst

@@ -76,6 +76,8 @@
 +-----------------+----------------+
 | v1.7.11         | 1.18.1         |
 +-----------------+----------------+
+| v1.7.12         | 1.18.1         |
++-----------------+----------------+
 | v1.7            | 1.18.1         |
 +-----------------+----------------+
 | v1.8.0-rc1      | 1.19           |
@@ -98,6 +100,8 @@
 +-----------------+----------------+
 | v1.8.5          | 1.21.2         |
 +-----------------+----------------+
+| v1.8.6          | 1.21.2         |
++-----------------+----------------+
 | v1.8            | 1.21.2         |
 +-----------------+----------------+
 | v1.9.0-rc0      | 1.22.1         |
@@ -110,6 +114,8 @@
 +-----------------+----------------+
 | v1.9.0          | 1.22.3         |
 +-----------------+----------------+
+| v1.9.1          | 1.22.3         |
++-----------------+----------------+
 | v1.9            | 1.22.3         |
 +-----------------+----------------+
 | latest / master | 1.22.3         |

VERSION

@@ -1 +1 @@
-1.9.0
+1.9.1

install/kubernetes/cilium/Chart.yaml

@@ -2,10 +2,10 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.9.0
-appVersion: 1.9.0
+version: 1.9.1
+appVersion: 1.9.1
 kubeVersion: ">= 1.12.0-0"
-icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.9.0/Documentation/images/logo-solo.svg
+icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.9.1/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
 keywords:
   - BPF

install/kubernetes/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.9.0](https://img.shields.io/badge/Version-1.9.0-informational?style=flat-square) ![AppVersion: 1.9.0](https://img.shields.io/badge/AppVersion-1.9.0-informational?style=flat-square)
+![Version: 1.9.1](https://img.shields.io/badge/Version-1.9.1-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -73,7 +73,7 @@ contributors across the globe, there is almost always someone available to help.
 | cluster.id | int | `nil` | Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh. |
 | cluster.name | string | `"default"` | Name of the cluster. Only required for Cluster Mesh. |
 | clustermesh.apiserver.etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.4.13"}` | Clustermesh API server etcd image. |
-| clustermesh.apiserver.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.9.0"}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.9.1"}` | Clustermesh API server image. |
 | clustermesh.apiserver.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.replicas | int | `1` | Number of replicas run for the clustermesh-apiserver deployment. |
@@ -167,7 +167,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.metricsServer | string | `""` |  |
 | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
 | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) |
-| hubble.relay.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.9.0"}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.9.1"}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -208,7 +208,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` |  |
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.9.0"}` | Agent container image. |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.9.1"}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | installIptablesRules | bool | `true` |  |
 | ipMasqAgent | object | `{"enabled":false}` | Configure the eBPF-based ip-masq-agent |
@@ -264,7 +264,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraInitContainers | list | `[]` | Additional InitContainers to initialize the pod |
 | operator.identityGCInterval | string | `"15m0s"` |  |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` |  |
-| operator.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","tag":"v1.9.0"}` | cilium-operator image. |
+| operator.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","tag":"v1.9.1"}` | cilium-operator image. |
 | operator.nodeSelector | object | `{}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
 | operator.podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":1}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -288,7 +288,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | object | `{}` |  |
 | preflight.extraHostPathMounts | list | `[]` |  |
 | preflight.extraInitContainers | list | `[]` |  |
-| preflight.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.9.0"}` | Cilium pre-flight image. |
+| preflight.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.9.1"}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget | object | `{"enabled":true,"maxUnavailable":2}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

install/kubernetes/cilium/values.yaml

@@ -67,7 +67,7 @@ name: cilium
 # -- Agent container image.
 image:
   repository: quay.io/cilium/cilium
-  tag: v1.9.0
+  tag: v1.9.1
   pullPolicy: IfNotPresent
 
 # -- Pod affinity for cilium-agent.
@@ -539,7 +539,7 @@ hubble:
     # -- Hubble-relay container image.
     image:
       repository: quay.io/cilium/hubble-relay
-      tag: v1.9.0
+      tag: v1.9.1
       pullPolicy: IfNotPresent
 
     # -- Specifies the resources for the hubble-relay pods
@@ -1049,7 +1049,7 @@ operator:
   # -- cilium-operator image.
   image:
     repository: quay.io/cilium/operator
-    tag: v1.9.0
+    tag: v1.9.1
     pullPolicy: IfNotPresent
 
   # -- Number of replicas to run for the cilium-operator deployment
@@ -1254,7 +1254,7 @@ preflight:
   # -- Cilium pre-flight image.
   image:
     repository: quay.io/cilium/cilium
-    tag: v1.9.0
+    tag: v1.9.1
     pullPolicy: IfNotPresent
 
   priorityClassName: ""
@@ -1362,7 +1362,7 @@ clustermesh:
     # -- Clustermesh API server image.
     image:
       repository: quay.io/cilium/clustermesh-apiserver
-      tag: v1.9.0
+      tag: v1.9.1
       pullPolicy: IfNotPresent
 
     etcd:

install/kubernetes/experimental-install.yaml

@@ -797,7 +797,7 @@ spec:
               key: custom-cni-conf
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.9.0
+        image: quay.io/cilium/cilium:v1.9.1
         imagePullPolicy: IfNotPresent
         lifecycle:
           postStart:
@@ -868,7 +868,7 @@ spec:
               key: wait-bpf-mount
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.9.0
+        image: quay.io/cilium/cilium:v1.9.1
         imagePullPolicy: IfNotPresent
         name: clean-cilium-state
         securityContext:
@@ -1016,7 +1016,7 @@ spec:
               key: debug
               name: cilium-config
               optional: true
-        image: quay.io/cilium/operator-generic:v1.9.0
+        image: quay.io/cilium/operator-generic:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cilium-operator
         livenessProbe:
@@ -1080,7 +1080,7 @@ spec:
             topologyKey: "kubernetes.io/hostname"
       containers:
         - name: hubble-relay
-          image: quay.io/cilium/hubble-relay:v1.9.0
+          image: quay.io/cilium/hubble-relay:v1.9.1
           imagePullPolicy: IfNotPresent
           command:
             - hubble-relay

install/kubernetes/quick-install.yaml

@@ -469,7 +469,7 @@ spec:
               key: custom-cni-conf
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.9.0
+        image: quay.io/cilium/cilium:v1.9.1
         imagePullPolicy: IfNotPresent
         lifecycle:
           postStart:
@@ -532,7 +532,7 @@ spec:
               key: wait-bpf-mount
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.9.0
+        image: quay.io/cilium/cilium:v1.9.1
         imagePullPolicy: IfNotPresent
         name: clean-cilium-state
         securityContext:
@@ -663,7 +663,7 @@ spec:
               key: debug
               name: cilium-config
               optional: true
-        image: quay.io/cilium/operator-generic:v1.9.0
+        image: quay.io/cilium/operator-generic:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cilium-operator
         livenessProbe: