Prepare for release v1.11.16

.github/maintainers-little-helper.yaml

@@ -1,4 +1,4 @@
-project: "https://github.com/cilium/cilium/projects/227"
+project: "https://github.com/cilium/cilium/projects/231"
 column: "In progress"
 auto-label:
   - "kind/backports"

AUTHORS

@@ -91,6 +91,7 @@ Daniel T. Lee                           danieltimlee@gmail.com
 Danni Skov Høglund                      skuffe@pwnz.dk
 Dan Sexton                              dan.b.sexton@gmail.com
 Dan Wendlandt                           dan@covalent.io
+darox                                   maderdario@gmail.com
 Darren Foo                              darren.foo@shopify.com
 Darren Mackintosh                       unixdaddy@gmail.com
 Darshan Chaudhary                       deathbullet@gmail.com
@@ -149,6 +150,7 @@ Gilberto Bertin                         jibi@cilium.io
 Glib Smaga                              code@gsmaga.com
 Gobinath Krishnamoorthy                 gobinathk@google.com
 Gowtham Sundara                         gowtham.sundara@rapyuta-robotics.com
+gray                                    gray.liang@isovalent.com
 Guilherme Oki                           guilherme.oki@wildlifestudios.com
 Guilherme Souza                         101073+guilhermef@users.noreply.github.com
 Han Zhou                                hzhou8@ebay.com
@@ -170,6 +172,7 @@ Jan-Erik Rediger                        janerik@fnordig.de
 Jarno Rajahalme                         jarno@isovalent.com
 Jean Raby                               jean@raby.sh
 Jed Salazar                             jed@isovalent.com
+Jef Spaleta                             jspaleta@gmail.com
 Jerry J. Muzsik                         jerrymuzsik@icloud.com
 Jess Frazelle                           acidburn@microsoft.com
 Jianlin Lv                              Jianlin.Lv@arm.com
@@ -224,6 +227,7 @@ Li Yi                                   denverdino@gmail.com
 Liz Rice                                liz@lizrice.com
 Lorenzo Fundaró                         lorenzofundaro@gmail.com
 Louis DeLosSantos                       louis@isovalent.com
+Maartje Eyskens                         maartje.eyskens@isovalent.com
 Maciej Fijalkowski                      maciej.fijalkowski@intel.com
 Maciej Kwiek                            maciej@isovalent.com
 Maciej Skrocki                          maciejskrocki@google.com

CHANGELOG.md

@@ -1,5 +1,50 @@
 # Changelog
 
+## v1.11.16
+
+Summary of Changes
+------------------
+
+**Minor Changes:**
+* envoy: Bump envoy version to v1.23.7 (#24748, @sayboras)
+
+**Bugfixes:**
+* Add missing xfrm-no-track rules for IPv6 IPSec. This fixes a connectivity issue for IPv6 IPSec with externalTrafficPolicy=local. (Backport PR #24604, Upstream PR #24557, @jschwinger233)
+* Fix for disabled cloud provider rate limiting (Backport PR #24458, Upstream PR #24413, @hemanthmalla)
+* Fix missing delete events on informer re-lists to ensure all delete events are correctly emitted and using the latest known object state, so that all event handlers and stores always reflect the actual apiserver state as best as possible (#24872, @aanm)
+* Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified. (Backport PR #24852, Upstream PR #24788, @jrajahalme)
+* Handle leaked service backends that may lead to filling up of `lb4_backends` map and thereby connectivity issues. (Backport PR #24823, Upstream PR #24681, @aditighag)
+* ipsec: Clean up stale XFRM policies and states (Backport PR #24823, Upstream PR #24773, @pchaigno)
+
+**CI Changes:**
+* Fix race conditions when deleting CNP / CCNP in e2e tests (Backport PR #24710, Upstream PR #24484, @jschwinger233)
+* renovate: Fix Hubble release digest regex (Backport PR #24604, Upstream PR #24477, @gandro)
+* tests: add exceptions for lease errors due to etcd (Backport PR #24823, Upstream PR #24723, @jibi)
+
+**Misc Changes:**
+* checker: Fix incorrect checker for ExportedEqual() (Backport PR #24458, Upstream PR #24373, @christarazi)
+* chore(deps): update dependency cilium/hubble to v0.11.3 (v1.11) (#24820, @renovate[bot])
+* chore(deps): update docker.io/library/alpine docker tag to v3.16.5 (v1.11) (#24644, @renovate[bot])
+* chore(deps): update docker.io/library/alpine:3.16.4 docker digest to 2cf17aa (v1.11) (#24493, @renovate[bot])
+* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 24a0df4 (v1.11) (#24498, @renovate[bot])
+* chore(deps): update quay.io/cilium/hubble docker tag to v0.11.3 (v1.11) (#24499, @renovate[bot])
+* docs: add note that there are two Cilium CLIs (Backport PR #24604, Upstream PR #24435, @lizrice)
+* docs: fix typo in operations/troubleshooting.rst (Backport PR #24604, Upstream PR #24460, @NikAleksandrov)
+* docs: Fix upgradeCompatibility references (Backport PR #24823, Upstream PR #24711, @joestringer)
+* docs: Update Cluster Mesh requirements to mention node InternalIP explicitly (Backport PR #24458, Upstream PR #24164, @jspaleta)
+* docs: Update the documentation for the `--conntrack-gc-interval` flag (Backport PR #24458, Upstream PR #24400, @pchaigno)
+* Fix duplicated logs for test-output.log (Backport PR #24458, Upstream PR #24171, @romanspb80)
+* hubble-ui: allow ingress from non root `/` urls (Backport PR #24604, Upstream PR #23631, @geakstr)
+* loader: Don't compile `.asm` files by default (Backport PR #24823, Upstream PR #24769, @pchaigno)
+* pkg/bandwidth: add error for bandwidth manager not being enabled (Backport PR #24823, Upstream PR #24715, @aanm)
+
+**Other Changes:**
+* Add IPSec remark for upgrade to v1.11.15 (#24632, @darox)
+* Add note about known regression in ConfigMap values prioritized over flags in Cilium agent (#24743, @aanm)
+* In service recovery, don't skip if one of the service recovery fails (#23922, @jaredledvina)
+* install: Update image digests for v1.11.15 (#24425, @nebril)
+* v1.11: docs: Document IPsec upgrade issue on v1.11.15 (#24704, @pchaigno)
+
 ## v1.11.15
 
 Summary of Changes

Documentation/concepts/kubernetes/compatibility-table.rst

@@ -138,6 +138,8 @@
 +-----------------+----------------+
 | v1.11.14        | 1.24.4         |
 +-----------------+----------------+
+| v1.11.15        | 1.24.4         |
++-----------------+----------------+
 | v1.11           | 1.24.4         |
 +-----------------+----------------+
 | latest / master | 1.26.7         |

VERSION

@@ -1 +1 @@
-1.11.15
+1.11.16

install/kubernetes/Makefile.digests

@@ -2,12 +2,12 @@
 # Copyright 2023 Authors of Cilium
 # SPDX-License-Identifier: Apache-2.0
 
-export CILIUM_DIGEST := "sha256:434ea1ff40b8db76c2be6cabfa1bbd2b887eaabe42e757651ea14757468e3bf4"
-export CLUSTERMESH_APISERVER_DIGEST := "sha256:66071d67f0249909c81cc3f94ad1dd2ae51e1451c400183a9337c04b9c1e076f"
-export DOCKER_PLUGIN_DIGEST := "sha256:e2d10187f4e31a00fd751b6e5ac56bd3698ab6bd3c404cff06b7b2740d4327df"
-export HUBBLE_RELAY_DIGEST := "sha256:352a65dde7c324ace5d6442f626f82c19550dd581e17f8f7e7aba30325c96d9e"
-export OPERATOR_ALIBABACLOUD_DIGEST := "sha256:712972b46f592bd80a8e4c66e9b5cdcc73705740bf2cea84a6df131107a01699"
-export OPERATOR_AWS_DIGEST := "sha256:3aa776003eee064a6896b6ad712f55293d4e045defbe14d3768d224ce254d5c3"
-export OPERATOR_AZURE_DIGEST := "sha256:81e5168c977806a7f310aa57cca74c908fe6ea323518804e15c48bc786b99271"
-export OPERATOR_GENERIC_DIGEST := "sha256:1feed1b895b39c7bdcbfe6232536e26edba9beb41c160c66d539de4358275a2e"
-export OPERATOR_DIGEST := "sha256:97e6df665e10a08b2fbb5aefb183564debe0a0a4108b371a2f4d95f38c56f56c"
+export CILIUM_DIGEST := ""
+export CLUSTERMESH_APISERVER_DIGEST := ""
+export DOCKER_PLUGIN_DIGEST := ""
+export HUBBLE_RELAY_DIGEST := ""
+export OPERATOR_ALIBABACLOUD_DIGEST := ""
+export OPERATOR_AWS_DIGEST := ""
+export OPERATOR_AZURE_DIGEST := ""
+export OPERATOR_GENERIC_DIGEST := ""
+export OPERATOR_DIGEST := ""

install/kubernetes/cilium/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.11.15
-appVersion: 1.11.15
+version: 1.11.16
+appVersion: 1.11.16
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.11/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability

install/kubernetes/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.11.15](https://img.shields.io/badge/Version-1.11.15-informational?style=flat-square) ![AppVersion: 1.11.15](https://img.shields.io/badge/AppVersion-1.11.15-informational?style=flat-square)
+![Version: 1.11.16](https://img.shields.io/badge/Version-1.11.16-informational?style=flat-square) ![AppVersion: 1.11.16](https://img.shields.io/badge/AppVersion-1.11.16-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -90,7 +90,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.etcd.securityContext | object | `{}` | Security context to be added to clustermesh-apiserver etcd containers |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:66071d67f0249909c81cc3f94ad1dd2ae51e1451c400183a9337c04b9c1e076f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.11.15","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.11.16","useDigest":false}` | Clustermesh API server image. |
 | clustermesh.apiserver.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.podLabels | object | `{}` | Labels to be added to clustermesh-apiserver pods |
@@ -227,7 +227,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.peerService.targetPort | int | `4244` | Target Port for the Peer service. |
 | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
 | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) |
-| hubble.relay.image | object | `{"digest":"sha256:352a65dde7c324ace5d6442f626f82c19550dd581e17f8f7e7aba30325c96d9e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.11.15","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.11.16","useDigest":false}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -286,7 +286,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
-| image | object | `{"digest":"sha256:434ea1ff40b8db76c2be6cabfa1bbd2b887eaabe42e757651ea14757468e3bf4","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.11.15","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.11.16","useDigest":false}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | installIptablesRules | bool | `true` | Configure whether to install iptables rules to allow for TPROXY (L7 proxy injection), iptables-based masquerading and compatibility with kube-proxy. |
 | installNoConntrackIptablesRules | bool | `false` | Install Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup. |
@@ -348,7 +348,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraInitContainers | list | `[]` | Additional InitContainers to initialize the pod. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:712972b46f592bd80a8e4c66e9b5cdcc73705740bf2cea84a6df131107a01699","awsDigest":"sha256:3aa776003eee064a6896b6ad712f55293d4e045defbe14d3768d224ce254d5c3","azureDigest":"sha256:81e5168c977806a7f310aa57cca74c908fe6ea323518804e15c48bc786b99271","genericDigest":"sha256:1feed1b895b39c7bdcbfe6232536e26edba9beb41c160c66d539de4358275a2e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.11.15","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.11.16","useDigest":false}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -386,7 +386,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraInitContainers | list | `[]` | Additional preflight init containers. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:434ea1ff40b8db76c2be6cabfa1bbd2b887eaabe42e757651ea14757468e3bf4","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.11.15","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.11.16","useDigest":false}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget | object | `{"enabled":true,"maxUnavailable":2}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |