Prepare for release v1.9.2

Signed-off-by: André Martins <andre@cilium.io>

AUTHORS

@@ -65,19 +65,22 @@ Eloy Coto                               eloy.coto@gmail.com
 Eohyung Lee                             liquidnuker@gmail.com
 Eric Bailey                             e.bailey@sportradar.com
 Erik Chang                              erik.chang@nordstrom.com
+fafucoder                               lx1960753013@gmail.com
 Faiyaz Ahmed                            faiyaza@gmail.com
 Florian Koch                            f0@users.noreply.github.com
 francoisj                               48206448+joulaud@users.noreply.github.com
 Frank Villaro-Dixon                     frank.villaro@infomaniak.com
 Fred Hsu                                fredlhsu@gmail.com
 Fredrik Lönnegren                       fredrik.lonnegren@gmail.com
 Fulvio Risso                            fulvio.risso@polito.it
+George Gaál                             gb12335@gmail.com
 George Kontridze                        gkontridze@plaid.com
 Gianluca Arbezzano                      gianarb92@gmail.com
 Gilberto Bertin                         gilberto@isovalent.com
 Glib Smaga                              code@gsmaga.com
 Gowtham S                               gowtham.sundara@rapyuta-robotics.com
 Guilherme Oki                           guilherme.oki@wildlifestudios.com
+Guilherme Souza                         101073+guilhermef@users.noreply.github.com
 Han Zhou                                hzhou8@ebay.com
 huangxuesen                             huangxuesen@kuaishou.com
 Hui Kong                                hui.kong@qunar.com
@@ -127,6 +130,7 @@ Lehner Florian                          dev@der-flo.net
 Liu Qun                                 qunliu@zyhx-group.com
 Li Yi                                   denverdino@gmail.com
 m4rx0                                   m@footek.ch
+Maciej Fijalkowski                      maciej.fijalkowski@intel.com
 Maciej Kwiek                            maciej@isovalent.com
 Maciej Skrocki                          maciejskrocki@google.com
 Madhu Challa                            madhu@cilium.io
@@ -160,6 +164,7 @@ Nate Sweet                              nathanjsweet@pm.me
 Nathan Bird                             njbird@infiniteenergy.com
 Nathan Taylor                           ntaylor1781@gmail.com
 Neelajacques                            68304471+Neelajacques@users.noreply.github.com
+Neil Wilson                             neil@aldur.co.uk
 networkop                               mmkashin@gmail.com
 Nick M                                  4718+rkage@users.noreply.github.com
 Nirmoy Das                              ndas@suse.de
@@ -172,7 +177,7 @@ Paweł Prażak                            pawelprazak@users.noreply.github.com
 Peiqi Shi                               uestc.shi@gmail.com
 Peter Slovak                            slovak.peto@gmail.com
 Philippe Lafoucrière                   philippe.lafoucriere@gmail.com
-Philipp Gniewosz                        philipp.gniewosz@posteo.de
+Philipp Gniewosz                        philipp.gniewosz@cegeka.de
 Pierre-Yves Aillet                      pyaillet@users.noreply.github.com
 Pranavi Roy                             pranvyr@gmail.com
 Qasim Sarfraz                           qasim.sarfraz@esailors.de

CHANGELOG.md

@@ -1,5 +1,85 @@
 # Changelog
 
+## v1.9.2
+
+Summary of Changes
+------------------
+
+**Minor Changes:**
+* Update Go to 1.15.6 (#14303, @tklauser)
+* k8s: Update libraries to v1.19.6 (#14480, @christarazi)
+* daemon, node: refresh neighbor by sending arping periodically (Backport PR #14578, Upstream PR #14498, @jaffcheng)
+* install: Provide quick-hubble-install.yaml for Relay and UI (Backport PR #14443, Upstream PR #14221, @gandro)
+* ipsec: Fatal on unsupported, <4.19 kernels in tunneling mode (Backport PR #14585, Upstream PR #14525, @pchaigno)
+* Istio integration is updated to Istio release 1.6.14 (Backport PR #14538, Upstream PR #14271, @jrajahalme)
+* No longer wait for and modify `/var/run/azure-vnet.json`. This confuses azure-vnet during Pod removal, causing it to incorrectly clean up machine state.
+  In Azure IPAM mode, remove /var/run/azure-vnet.json on Cilium agent startup, flush ebtables and remove permanent neigh entries. (Backport PR #14613, Upstream PR #14452, @ti-mo)
+
+**Bugfixes:**
+* Add missing requireIPv6PodCIDR setting (Backport PR #14538, Upstream PR #14508, @NeilW)
+* bpf: fix misconfigured nat to 0.0.0.0 on !masquerade config (Backport PR #14613, Upstream PR #14596, @borkmann)
+* cilium, gops: remap to fixed port to avoid collision with nodeport range (Backport PR #14419, Upstream PR #14329, @borkmann)
+* clustermesh: Ignore symlink files on fsnotify events (Backport PR #14613, Upstream PR #14565, @tgraf)
+* Fix BPF verifier rejection with IPv6 prefilter (Backport PR #14538, Upstream PR #14447, @pchaigno)
+* Fix bug where CCNPs are not validated properly in preflight (Backport PR #14613, Upstream PR #14557, @christarazi)
+* Fix bug where Cilium would constantly regenerate endpoints in environments with etcd and Linux 4.15 or below. (Backport PR #14405, Upstream PR #14300, @dctrwatson)
+* Fix CIDR rule bug potentially dropping allowed traffic or allowing denied traffic for deny policies (beta feature) when using ExceptCIDRs expressions. (Backport PR #14613, Upstream PR #14516, @jrajahalme)
+* Fix clustermesh-apiserver dependencies on pkg/option (Backport PR #14613, Upstream PR #14577, @tgraf)
+* Fix missing packet mark mask that can cause policy deny drops in IPSec configuration. (Backport PR #14419, Upstream PR #14381, @pchaigno)
+* Fix possible overflow in values presented in the `k8s_event_lag_seconds` metric. (Backport PR #14405, Upstream PR #14313, @aanm)
+* Fix potential nil pointer exception for an invalid CCNP in the Cilium Operator (Backport PR #14405, Upstream PR #14375, @aanm)
+* Fix potential panic when closing etcd connection on error (Backport PR #14644, Upstream PR #14623, @aanm)
+* Fix rare crash on startup when kubernetes initialization occurs before IP address configuration (Backport PR #14405, Upstream PR #14299, @joestringer)
+* Fixing Hubble ServiceMonitor k8s-app label (Backport PR #14538, Upstream PR #14473, @guilhermef)
+* Handle cluster names with dots for TLS server names. This prevented Hubble Relay from connecting to peers with TLS enabled in such a scenario. (Backport PR #14405, Upstream PR #14378, @Rolinh)
+* helm/cilium-configmap: added checks to deduplicate keys (Backport PR #14308, Upstream PR #14153, @PranaviRoy)
+* helm: Fix preflight check resource quota conflict (Backport PR #14308, Upstream PR #14295, @gandro)
+* install/kubernetes: set the right option for expectAzureVnet (Backport PR #14538, Upstream PR #14449, @aanm)
+* maglev: Delete map if previous M's do not match (Backport PR #14424, Upstream PR #14345, @brb)
+* node: Remove check whether nextHop is in same L2 (#14453, @brb)
+* Split AKS node-init into two stages. Use azure0 presence as a condition for flushing ebtables & neigh. (Backport PR #14613, Upstream PR #14616, @ti-mo)
+* Remove 'bridge' parameter in Azure CNI chaining configuration. (Backport PR #14644, Upstream PR #14624, @ti-mo)
+
+**CI Changes:**
+* ci/helpers: Clean-up resource quotas (Backport PR #14405, Upstream PR #14294, @gandro)
+* ci: check if gke cluster has a nodepool before reserving it (Backport PR #14613, Upstream PR #14576, @nebril)
+* ci: Use correct `agent` value in preflight check (Backport PR #14419, Upstream PR #14393, @gandro)
+* jenkinsfile: Allow enabling host firewall in k8s-all CI (Backport PR #14644, Upstream PR #14524, @pchaigno)
+* test: Fix flake on policy verdict count check (Backport PR #14405, Upstream PR #14286, @pchaigno)
+* test: Fix microk8s deployment hurdles (Backport PR #14538, Upstream PR #14420, @joestringer)
+* test: RuntimePolicies: Fix flake when validating logs (Backport PR #14585, Upstream PR #14529, @pchaigno)
+* test: Test policy enforcement through tunnels (Backport PR #14538, Upstream PR #14412, @pchaigno)
+* test: Add missing gomega Eventually intervals (Backport PR #14538, Upstream PR #14388, @jrajahalme)
+
+**Misc Changes:**
+* docs: Add cgroups kernel config requirements (Backport PR #14538, Upstream PR #14517, @joestringer)
+* docs: add info about tailcalls in bpf subprograms (Backport PR #14538, Upstream PR #13888, @mfijalko)
+* docs: Clarify from/toRequires documentation with a new example (Backport PR #14308, Upstream PR #14262, @pchaigno)
+* docs: Document expected behavior for node-local DNS (Backport PR #14405, Upstream PR #14297, @aditighag)
+* docs: Fix connectivity check output (Backport PR #14308, Upstream PR #14278, @errordeveloper)
+* docs: Fix dependency conflict (Backport PR #14308, Upstream PR #14264, @joestringer)
+* docs: Fix values.yaml upgrade guide to match helm args (Backport PR #14308, Upstream PR #14237, @joestringer)
+* docs: Update linux distribution compatibility (Backport PR #14538, Upstream PR #14434, @joestringer)
+* Fix bug Cilium hangs with kvstore configured (#14629, @aanm)
+* helm: 'bpf.ctTcpMax' and 'bpf.ctAnyMax' need to be strings, not integers (Backport PR #14538, Upstream PR #14021, @mvisonneau)
+* helm: Do not deploy Hubble mTLS secrets unless Relay is enabled (Backport PR #14443, Upstream PR #14394, @gandro)
+* helm: fix TLS cert server name for cluster names containing dots (Backport PR #14538, Upstream PR #14413, @kaworu)
+* helm: fix TLS cert server name for cluster names containing dots with certgen (Backport PR #14538, Upstream PR #14416, @kaworu)
+* hubble relay: various logging improvements (Backport PR #14613, Upstream PR #14521, @kaworu)
+* microk8s: fix  add-on-command for enabling cilium (Backport PR #14405, Upstream PR #14325, @brandshaide)
+* pkg/datapath: fix arp ping handling (Backport PR #14613, Upstream PR #14501, @aanm)
+* pkg/endpoint: Readd GetRealizedPolicyRuleLabelsForKey (Backport PR #14308, Upstream PR #14257, @gandro)
+* pkg/logging: Init klog with flag set name (Backport PR #14538, Upstream PR #14346, @fafucoder)
+* pkg/node: fix concurrent access of entry node (Backport PR #14613, Upstream PR #14591, @aanm)
+* Update policy-creation.rst (Backport PR #14538, Upstream PR #14241, @gecube)
+* vendor: Update vishvananda/netlink (Backport PR #14538, Upstream PR #14513, @pchaigno)
+
+**Other Changes:**
+* [v1.9] docker: bump cilium-iproute2 image (#14619, @qmonnet)
+* backport 1.9: vendor: Bump github.com/cilium/arping (#14637, @brb)
+* policy: Don't nil an empty selectors map. (#14391, @jrajahalme)
+* policy: Track selectors that contribute to MapStateEntries (#14362, @jrajahalme)
+
 ## v1.9.1
 
 Summary of Changes

VERSION

@@ -1 +1 @@
-1.9.1
+1.9.2

install/kubernetes/cilium/Chart.yaml

@@ -2,10 +2,10 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.9.1
-appVersion: 1.9.1
+version: 1.9.2
+appVersion: 1.9.2
 kubeVersion: ">= 1.12.0-0"
-icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.9.1/Documentation/images/logo-solo.svg
+icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.9.2/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
 keywords:
   - BPF

install/kubernetes/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.9.1](https://img.shields.io/badge/Version-1.9.1-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square)
+![Version: 1.9.2](https://img.shields.io/badge/Version-1.9.2-informational?style=flat-square) ![AppVersion: 1.9.2](https://img.shields.io/badge/AppVersion-1.9.2-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -73,7 +73,7 @@ contributors across the globe, there is almost always someone available to help.
 | cluster.id | int | `nil` | Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh. |
 | cluster.name | string | `"default"` | Name of the cluster. Only required for Cluster Mesh. |
 | clustermesh.apiserver.etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.4.13"}` | Clustermesh API server etcd image. |
-| clustermesh.apiserver.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.9.1"}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.9.2"}` | Clustermesh API server image. |
 | clustermesh.apiserver.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.replicas | int | `1` | Number of replicas run for the clustermesh-apiserver deployment. |
@@ -168,7 +168,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.metricsServer | string | `""` |  |
 | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
 | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) |
-| hubble.relay.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.9.1"}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.9.2"}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -209,7 +209,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` |  |
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.9.1"}` | Agent container image. |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.9.2"}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | installIptablesRules | bool | `true` |  |
 | ipMasqAgent | object | `{"enabled":false}` | Configure the eBPF-based ip-masq-agent |
@@ -265,7 +265,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraInitContainers | list | `[]` | Additional InitContainers to initialize the pod |
 | operator.identityGCInterval | string | `"15m0s"` |  |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` |  |
-| operator.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","tag":"v1.9.1"}` | cilium-operator image. |
+| operator.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","tag":"v1.9.2"}` | cilium-operator image. |
 | operator.nodeSelector | object | `{}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
 | operator.podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":1}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -289,7 +289,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | object | `{}` |  |
 | preflight.extraHostPathMounts | list | `[]` |  |
 | preflight.extraInitContainers | list | `[]` |  |
-| preflight.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.9.1"}` | Cilium pre-flight image. |
+| preflight.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.9.2"}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget | object | `{"enabled":true,"maxUnavailable":2}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

install/kubernetes/cilium/values.yaml

@@ -67,7 +67,7 @@ name: cilium
 # -- Agent container image.
 image:
   repository: quay.io/cilium/cilium
-  tag: v1.9.1
+  tag: v1.9.2
   pullPolicy: IfNotPresent
 
 # -- Pod affinity for cilium-agent.
@@ -539,7 +539,7 @@ hubble:
     # -- Hubble-relay container image.
     image:
       repository: quay.io/cilium/hubble-relay
-      tag: v1.9.1
+      tag: v1.9.2
       pullPolicy: IfNotPresent
 
     # -- Specifies the resources for the hubble-relay pods
@@ -1049,7 +1049,7 @@ operator:
   # -- cilium-operator image.
   image:
     repository: quay.io/cilium/operator
-    tag: v1.9.1
+    tag: v1.9.2
     pullPolicy: IfNotPresent
 
   # -- Number of replicas to run for the cilium-operator deployment
@@ -1254,7 +1254,7 @@ preflight:
   # -- Cilium pre-flight image.
   image:
     repository: quay.io/cilium/cilium
-    tag: v1.9.1
+    tag: v1.9.2
     pullPolicy: IfNotPresent
 
   priorityClassName: ""
@@ -1362,7 +1362,7 @@ clustermesh:
     # -- Clustermesh API server image.
     image:
       repository: quay.io/cilium/clustermesh-apiserver
-      tag: v1.9.1
+      tag: v1.9.2
       pullPolicy: IfNotPresent
 
     etcd:

install/kubernetes/experimental-install.yaml

@@ -797,7 +797,7 @@ spec:
               key: custom-cni-conf
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.9.1
+        image: quay.io/cilium/cilium:v1.9.2
         imagePullPolicy: IfNotPresent
         lifecycle:
           postStart:
@@ -868,7 +868,7 @@ spec:
               key: wait-bpf-mount
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.9.1
+        image: quay.io/cilium/cilium:v1.9.2
         imagePullPolicy: IfNotPresent
         name: clean-cilium-state
         securityContext:
@@ -1016,7 +1016,7 @@ spec:
               key: debug
               name: cilium-config
               optional: true
-        image: quay.io/cilium/operator-generic:v1.9.1
+        image: quay.io/cilium/operator-generic:v1.9.2
         imagePullPolicy: IfNotPresent
         name: cilium-operator
         livenessProbe:
@@ -1080,7 +1080,7 @@ spec:
             topologyKey: "kubernetes.io/hostname"
       containers:
         - name: hubble-relay
-          image: quay.io/cilium/hubble-relay:v1.9.1
+          image: quay.io/cilium/hubble-relay:v1.9.2
           imagePullPolicy: IfNotPresent
           command:
             - hubble-relay

install/kubernetes/quick-hubble-install.yaml

@@ -321,7 +321,7 @@ spec:
             topologyKey: "kubernetes.io/hostname"
       containers:
         - name: hubble-relay
-          image: quay.io/cilium/hubble-relay:v1.9.1
+          image: quay.io/cilium/hubble-relay:v1.9.2
           imagePullPolicy: IfNotPresent
           command:
             - hubble-relay