[v1.15] iptables: Do not install NOTRACK rules if IPv4NativeRoutingCIDR is nil #32649


pippolo84
Member

In case IPv4NativeRoutingCIDR is left unspecified, the related config option will be nil. To avoid panicking, check for this case before converting the CIDR to a string. Moreover, do not try to run the iptables command to install the NOTRACK rules if the resulting string is empty.

Fixes: #32607

In case IPv4NativeRoutingCIDR is left unspecified, the related config
option will be nil. To avoid panicking, check for this case before
converting the CIDR to a string. Moreover, do not try to run the
iptables command to install the NOTRACK rules if the resulting string is
empty.

Fixes: cilium#32607

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84 pippolo84 added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. area/iptables Impacts how Cilium interacts with iptables. labels May 21, 2024
@pippolo84 pippolo84 requested a review from a team as a code owner May 21, 2024 15:53
@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.15 This PR represents a backport for Cilium 1.15.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels May 21, 2024
@pippolo84 pippolo84 removed the kind/bug This is a bug in the Cilium logic. label May 21, 2024
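
The guard described in the pull request description above, as an added Go example that is not part of the original PR and is not Cilium's code. The `CIDR` wrapper, the `Config` struct, the function names and the rule layout (chains, `-j CT --notrack`) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// CIDR is a constructed stand-in for a wrapper that embeds *net.IPNet.
// It is not Cilium's type; it only reproduces the nil-receiver hazard.
type CIDR struct {
	*net.IPNet
}

// Config is a hypothetical config holder: the field stays nil when the
// option is left unspecified.
type Config struct {
	IPv4NativeRoutingCIDR *CIDR
}

// mustCIDR parses a CIDR literal for the sample inputs below.
func mustCIDR(s string) *CIDR {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return &CIDR{IPNet: n}
}

// unsafeCIDRString converts without a nil check. With a nil *CIDR the
// promoted String method must load the embedded pointer through nil,
// which panics. The panic is recovered only so it can be reported.
func unsafeCIDRString(cfg Config) (s string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return cfg.IPv4NativeRoutingCIDR.String(), false
}

// safeCIDRString checks for the unspecified case before converting and
// returns the empty string when there is no CIDR.
func safeCIDRString(cfg Config) string {
	c := cfg.IPv4NativeRoutingCIDR
	if c == nil || c.IPNet == nil {
		return ""
	}
	return c.String()
}

// notrackRuleArgs returns iptables argument lists, or nil when the CIDR
// string is empty, so the caller never runs iptables with an empty
// -s/-d value. The rule layout is illustrative only.
func notrackRuleArgs(cfg Config) [][]string {
	cidr := safeCIDRString(cfg)
	if cidr == "" {
		return nil
	}
	return [][]string{
		{"-t", "raw", "-A", "PREROUTING", "-s", cidr, "-j", "CT", "--notrack"},
		{"-t", "raw", "-A", "OUTPUT", "-d", cidr, "-j", "CT", "--notrack"},
	}
}

func main() {
	unset := Config{} // constructed input: option left unspecified
	set := Config{IPv4NativeRoutingCIDR: mustCIDR("10.0.0.0/8")}

	_, panicked := unsafeCIDRString(unset)
	fmt.Println("unguarded conversion panicked:", panicked)
	fmt.Println("rules when unset:", len(notrackRuleArgs(unset)))
	for _, r := range notrackRuleArgs(set) {
		fmt.Println("iptables", r)
	}
}
```
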
@pippolo84
Member Author

/test-backport-1.15

@lmb
Contributor

lmb commented May 23, 2024

/test-backport-1.15

@lmb
Contributor

lmb commented May 24, 2024

/test-backport-1.15

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 27, 2024
@julianwiedmann julianwiedmann merged commit f36cc84 into cilium:v1.15 May 27, 2024
60 checks passed
github-merge-queue bot pushed a commit to microsoft/retina that referenced this pull request Jun 11, 2024
Bumps [github.com/cilium/cilium](https://github.com/cilium/cilium) from
1.15.5 to 1.15.6.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/cilium/cilium/blob/1.15.6/CHANGELOG.md">github.com/cilium/cilium's
changelog</a>.</em></p>
<blockquote>
<h2>v1.15.6</h2>
<h2>Summary of Changes</h2>
<p><strong>Minor Changes:</strong></p>
<ul>
<li><code>cilium/cilium#32872</code><a
href="https://github.com/gandro"><code>@​gandro</code></a>)</li>
<li>Generate SBOMs using Syft instead of bom (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32307">#32307</a>,
<a
href="https://github.com/ferozsalam"><code>@​ferozsalam</code></a>)</li>
<li>Improved background resynchronization of nodes. Before all nodes
were being updated at the same time, now we spread updates over time to
average out CPU usage. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32748">#32748</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32577">#32577</a>,
<a href="https://github.com/marseel"><code>@​marseel</code></a>)</li>
<li>Introduce CLI commands to troubleshoot connectivity issues to the
etcd kvstore and clustermesh control plane (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32568">#32568</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32336">#32336</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>ipsec: Improve CPU usage of cilum-agent in large clusters (Backport
PR <a
href="https://redirect.github.com/cilium/cilium/issues/32882">#32882</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32588">#32588</a>,
<a href="https://github.com/marseel"><code>@​marseel</code></a>)</li>
<li>KVStoreMesh: expose remote clusters information and introduce
dedicated CLI command (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32568">#32568</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32156">#32156</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
</ul>
<p><strong>Bugfixes:</strong></p>
<ul>
<li>.github/workflows: fix digests file creation (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32860">#32860</a>,
<a href="https://github.com/aanm"><code>@​aanm</code></a>)</li>
<li><code>cilium/cilium#32649</code><a
href="https://github.com/pippolo84"><code>@​pippolo84</code></a>)</li>
<li>Add missing kvstore-max-consecutive-quorum-errors option to
clustermesh-apiserver/kvstoremesh binaries (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32117">#32117</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>bgp: service eTP=local, withdraw route when last backend on the node
goes in terminating state (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32536">#32536</a>,
<a
href="https://github.com/harsimran-pabla"><code>@​harsimran-pabla</code></a>)</li>
<li>Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields
for CiliumLoadBalancerIPPool (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32694">#32694</a>,
<a
href="https://github.com/dswaffordcw"><code>@​dswaffordcw</code></a>)</li>
<li>cni: Reserve local ports for DNS proxy even if IPv6 is disabled
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32725">#32725</a>,
<a href="https://github.com/gandro"><code>@​gandro</code></a>)</li>
<li>egressgw: Let the EGW manager relax rp_filter on egress device
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32778">#32778</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32679">#32679</a>,
<a
href="https://github.com/ysksuzuki"><code>@​ysksuzuki</code></a>)</li>
<li>Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/31671">#31671</a>,
<a
href="https://github.com/foyerunix"><code>@​foyerunix</code></a>)</li>
<li>Fix indexing bug in the logic for picking NodePort addresses. In
rare cases this may have caused wrong address to be selected for
NodePort use, or an out-of-bounds access. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32506">#32506</a>,
<a href="https://github.com/joamaki"><code>@​joamaki</code></a>)</li>
<li>Fix PromQL query in Cilium Metrics dashboard (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32017">#32017</a>,
<a
href="https://github.com/mikemykhaylov"><code>@​mikemykhaylov</code></a>)</li>
<li>Fix rare race condition afflicting clustermesh when disconnecting
from a remote cluster, possibly causing the agent to panic (Backport PR
<a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32513">#32513</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>Fixes accidentally ignoring the preflight.nodeSelector Helm value.
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32548">#32548</a>,
<a href="https://github.com/squeed"><code>@​squeed</code></a>)</li>
<li>Fixes unencrypted traffic among nodes when IPsec is used with L7
egress proxy. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32932">#32932</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32683">#32683</a>,
<a
href="https://github.com/jschwinger233"><code>@​jschwinger233</code></a>)</li>
<li>ingress: Set the default value for max_stream_timeout (Backport PR
<a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/31514">#31514</a>,
<a href="https://github.com/tskinn"><code>@​tskinn</code></a>)</li>
<li>Introduce timeout when waiting for the initial synchronization from
remote clusters, to avoid blocking forever necessary GC operations in
case of clustermesh misconfigurations. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32802">#32802</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32671">#32671</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>ipsec: Safely delete Xfrm state (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32450">#32450</a>,
<a
href="https://github.com/jschwinger233"><code>@​jschwinger233</code></a>)</li>
<li>proxy: Re-enable proxy rule installation in native-routing mode for
CEC (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32481">#32481</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32367">#32367</a>,
<a href="https://github.com/sayboras"><code>@​sayboras</code></a>)</li>
<li>Remove deprecated <code>hubble.ui.securityContext.enabled</code>
from hubble-ui deployment template (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32338">#32338</a>,
<a href="https://github.com/stelucz"><code>@​stelucz</code></a>)</li>
</ul>
<p><strong>CI Changes:</strong></p>
<ul>
<li>CI: Add job name validation (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32462">#32462</a>,
<a href="https://github.com/brlbil"><code>@​brlbil</code></a>)</li>
<li>ci: Filter supported versions of EKS (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32304">#32304</a>,
<a href="https://github.com/marseel"><code>@​marseel</code></a>)</li>
<li>ci: Filter supported versions of GKE (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32302">#32302</a>,
<a href="https://github.com/marseel"><code>@​marseel</code></a>)</li>
<li>ci: l4lb: gather more infos about docker-in-docker issues (Backport
PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32570">#32570</a>,
<a
href="https://github.com/mhofstetter"><code>@​mhofstetter</code></a>)</li>
<li>ci: l4lb: restart docker-in-docker container on failure (Backport PR
<a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32600">#32600</a>,
<a
href="https://github.com/mhofstetter"><code>@​mhofstetter</code></a>)</li>
<li>eks: Don't use spot instances (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32553">#32553</a>,
<a
href="https://github.com/michi-covalent"><code>@​michi-covalent</code></a>)</li>
<li>GCP OIDC instead of SA creds. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32707">#32707</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/30809">#30809</a>,
<a
href="https://github.com/viktor-kurchenko"><code>@​viktor-kurchenko</code></a>)</li>
<li>gha: cover TLS auth mode in clustermesh upgrade/downgrade tests
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32684">#32684</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>gha: test certificate generation methods in conformance clustermesh
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32654">#32654</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>Modify GitHub Actions Workflows to echo the inputs they are given
when triggered by a <code>workflow_dispatch</code> event. (Backport PR
<a
href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/31424">#31424</a>,
<a
href="https://github.com/learnitall"><code>@​learnitall</code></a>)</li>
<li>Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32402">#32402</a>,
<a
href="https://github.com/michi-covalent"><code>@​michi-covalent</code></a>)</li>
<li>workflows: ignore &quot;No egress gateway found&quot; drops
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32564">#32564</a>,
<a href="https://github.com/jibi"><code>@​jibi</code></a>)</li>
<li>workflows: Remove stale CodeQL workflow (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32084">#32084</a>,
<a href="https://github.com/pchaigno"><code>@​pchaigno</code></a>)</li>
</ul>
<p><strong>Misc Changes:</strong></p>
<ul>
<li><code>cilium/cilium#32869</code><a
href="https://github.com/ferozsalam"><code>@​ferozsalam</code></a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/cilium/cilium/commit/a09e05e6b63d82dbc3a1b0de1721a3407c340e7c"><code>a09e05e</code></a>
Prepare for release v1.15.6</li>
<li><a
href="https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741"><code>9299c0f</code></a>
bugtool: Add post-processing masking function for Envoy</li>
<li><a
href="https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407"><code>0191b1e</code></a>
bugtool: Add json masking function</li>
<li><a
href="https://github.com/cilium/cilium/commit/b6483461d5ce56f8abab9a2faefc5c0d984eda48"><code>b648346</code></a>
docs: ipsec: remove limitation for native-routing with L7 egress
policy</li>
<li><a
href="https://github.com/cilium/cilium/commit/5197d4ce2b953acc14c2879983948171dceb4934"><code>5197d4c</code></a>
proxy/routes: Also routes egress proxy's return traffic to 2005</li>
<li><a
href="https://github.com/cilium/cilium/commit/7f3e1b7992cfb4070dce4b13dc8e0a49e8f42f5a"><code>7f3e1b7</code></a>
iptables: Ensure iptables masquerading works for proxy traffic</li>
<li><a
href="https://github.com/cilium/cilium/commit/8dadbce310fc04dbf8488afa5599ee3130162b7a"><code>8dadbce</code></a>
Don't set 0x200 mark for proxy to world traffic in iptables
PREROUTING</li>
<li><a
href="https://github.com/cilium/cilium/commit/2091036619539ec546a0f525c1323ee258d45bc8"><code>2091036</code></a>
chore(deps): update dependency cilium/hubble to v0.13.5</li>
<li><a
href="https://github.com/cilium/cilium/commit/8a6f25ff602da8be9417667cea04c41759408713"><code>8a6f25f</code></a>
fqdn: Forward-compatibility with Cilium 1.16 fqdn identities</li>
<li><a
href="https://github.com/cilium/cilium/commit/6eb495d8a905dd88a471f06ceb7d4c785f5a1f09"><code>6eb495d</code></a>
images: update cilium-{runtime,builder}</li>
<li>Additional commits viewable in <a
href="https://github.com/cilium/cilium/compare/1.15.5...1.15.6">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-merge-queue bot pushed a commit to microsoft/retina that referenced this pull request Jun 11, 2024
Bumps [github.com/cilium/cilium](https://github.com/cilium/cilium) from
1.15.5 to 1.15.6.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/cilium/cilium/blob/1.15.6/CHANGELOG.md">github.com/cilium/cilium's
changelog</a>.</em></p>
<blockquote>
<h2>v1.15.6</h2>
<h2>Summary of Changes</h2>
<p><strong>Minor Changes:</strong></p>
<ul>
<li><code>cilium/cilium#32872</code><a
href="https://github.com/gandro"><code>@​gandro</code></a>)</li>
<li>Generate SBOMs using Syft instead of bom (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32307">#32307</a>,
<a
href="https://github.com/ferozsalam"><code>@​ferozsalam</code></a>)</li>
<li>Improved background resynchronization of nodes. Before all nodes
were being updated at the same time, now we spread updates over time to
average out CPU usage. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32748">#32748</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32577">#32577</a>,
<a href="https://github.com/marseel"><code>@​marseel</code></a>)</li>
<li>Introduce CLI commands to troubleshoot connectivity issues to the
etcd kvstore and clustermesh control plane (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32568">#32568</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32336">#32336</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>ipsec: Improve CPU usage of cilum-agent in large clusters (Backport
PR <a
href="https://redirect.github.com/cilium/cilium/issues/32882">#32882</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32588">#32588</a>,
<a href="https://github.com/marseel"><code>@​marseel</code></a>)</li>
<li>KVStoreMesh: expose remote clusters information and introduce
dedicated CLI command (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32568">#32568</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32156">#32156</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
</ul>
<p><strong>Bugfixes:</strong></p>
<ul>
<li>.github/workflows: fix digests file creation (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32860">#32860</a>,
<a href="https://github.com/aanm"><code>@​aanm</code></a>)</li>
<li><code>cilium/cilium#32649</code><a
href="https://github.com/pippolo84"><code>@​pippolo84</code></a>)</li>
<li>Add missing kvstore-max-consecutive-quorum-errors option to
clustermesh-apiserver/kvstoremesh binaries (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32117">#32117</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>bgp: service eTP=local, withdraw route when last backend on the node
goes in terminating state (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32536">#32536</a>,
<a
href="https://github.com/harsimran-pabla"><code>@​harsimran-pabla</code></a>)</li>
<li>Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields
for CiliumLoadBalancerIPPool (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32694">#32694</a>,
<a
href="https://github.com/dswaffordcw"><code>@​dswaffordcw</code></a>)</li>
<li>cni: Reserve local ports for DNS proxy even if IPv6 is disabled
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32725">#32725</a>,
<a href="https://github.com/gandro"><code>@​gandro</code></a>)</li>
<li>egressgw: Let the EGW manager relax rp_filter on egress device
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32778">#32778</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32679">#32679</a>,
<a
href="https://github.com/ysksuzuki"><code>@​ysksuzuki</code></a>)</li>
<li>Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/31671">#31671</a>,
<a
href="https://github.com/foyerunix"><code>@​foyerunix</code></a>)</li>
<li>Fix indexing bug in the logic for picking NodePort addresses. In
rare cases this may have caused wrong address to be selected for
NodePort use, or an out-of-bounds access. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32506">#32506</a>,
<a href="https://github.com/joamaki"><code>@​joamaki</code></a>)</li>
<li>Fix PromQL query in Cilium Metrics dashboard (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32017">#32017</a>,
<a
href="https://github.com/mikemykhaylov"><code>@​mikemykhaylov</code></a>)</li>
<li>Fix rare race condition afflicting clustermesh when disconnecting
from a remote cluster, possibly causing the agent to panic (Backport PR
<a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32513">#32513</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>Fixes accidentally ignoring the preflight.nodeSelector Helm value.
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32548">#32548</a>,
<a href="https://github.com/squeed"><code>@​squeed</code></a>)</li>
<li>Fixes unencrypted traffic among nodes when IPsec is used with L7
egress proxy. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32932">#32932</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32683">#32683</a>,
<a
href="https://github.com/jschwinger233"><code>@​jschwinger233</code></a>)</li>
<li>ingress: Set the default value for max_stream_timeout (Backport PR
<a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/31514">#31514</a>,
<a href="https://github.com/tskinn"><code>@​tskinn</code></a>)</li>
<li>Introduce timeout when waiting for the initial synchronization from
remote clusters, to avoid blocking forever necessary GC operations in
case of clustermesh misconfigurations. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32802">#32802</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32671">#32671</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>ipsec: Safely delete Xfrm state (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32450">#32450</a>,
<a
href="https://github.com/jschwinger233"><code>@​jschwinger233</code></a>)</li>
<li>proxy: Re-enable proxy rule installation in native-routing mode for
CEC (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32481">#32481</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32367">#32367</a>,
<a href="https://github.com/sayboras"><code>@​sayboras</code></a>)</li>
<li>Remove deprecated <code>hubble.ui.securityContext.enabled</code>
from hubble-ui deployment template (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32338">#32338</a>,
<a href="https://github.com/stelucz"><code>@​stelucz</code></a>)</li>
</ul>
<p><strong>CI Changes:</strong></p>
<ul>
<li>CI: Add job name validation (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32462">#32462</a>,
<a href="https://github.com/brlbil"><code>@​brlbil</code></a>)</li>
<li>ci: Filter supported versions of EKS (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32304">#32304</a>,
<a href="https://github.com/marseel"><code>@​marseel</code></a>)</li>
<li>ci: Filter supported versions of GKE (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32302">#32302</a>,
<a href="https://github.com/marseel"><code>@​marseel</code></a>)</li>
<li>ci: l4lb: gather more infos about docker-in-docker issues (Backport
PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32570">#32570</a>,
<a
href="https://github.com/mhofstetter"><code>@​mhofstetter</code></a>)</li>
<li>ci: l4lb: restart docker-in-docker container on failure (Backport PR
<a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32600">#32600</a>,
<a
href="https://github.com/mhofstetter"><code>@​mhofstetter</code></a>)</li>
<li>eks: Don't use spot instances (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32553">#32553</a>,
<a
href="https://github.com/michi-covalent"><code>@​michi-covalent</code></a>)</li>
<li>GCP OIDC instead of SA creds. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32707">#32707</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/30809">#30809</a>,
<a
href="https://github.com/viktor-kurchenko"><code>@​viktor-kurchenko</code></a>)</li>
<li>gha: cover TLS auth mode in clustermesh upgrade/downgrade tests
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32684">#32684</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>gha: test certificate generation methods in conformance clustermesh
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32654">#32654</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>Modify GitHub Actions Workflows to echo the inputs they are given
when triggered by a <code>workflow_dispatch</code> event. (Backport PR
<a
href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/31424">#31424</a>,
<a
href="https://github.com/learnitall"><code>@​learnitall</code></a>)</li>
<li>Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32402">#32402</a>,
<a
href="https://github.com/michi-covalent"><code>@​michi-covalent</code></a>)</li>
<li>workflows: ignore &quot;No egress gateway found&quot; drops
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32564">#32564</a>,
<a href="https://github.com/jibi"><code>@​jibi</code></a>)</li>
<li>workflows: Remove stale CodeQL workflow (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32084">#32084</a>,
<a href="https://github.com/pchaigno"><code>@​pchaigno</code></a>)</li>
</ul>
<p><strong>Misc Changes:</strong></p>
<ul>
<li><code>cilium/cilium#32869</code><a
href="https://github.com/ferozsalam"><code>@​ferozsalam</code></a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/cilium/cilium/commit/a09e05e6b63d82dbc3a1b0de1721a3407c340e7c"><code>a09e05e</code></a>
Prepare for release v1.15.6</li>
<li><a
href="https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741"><code>9299c0f</code></a>
bugtool: Add post-processing masking function for Envoy</li>
<li><a
href="https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407"><code>0191b1e</code></a>
bugtool: Add json masking function</li>
<li><a
href="https://github.com/cilium/cilium/commit/b6483461d5ce56f8abab9a2faefc5c0d984eda48"><code>b648346</code></a>
docs: ipsec: remove limitation for native-routing with L7 egress
policy</li>
<li><a
href="https://github.com/cilium/cilium/commit/5197d4ce2b953acc14c2879983948171dceb4934"><code>5197d4c</code></a>
proxy/routes: Also routes egress proxy's return traffic to 2005</li>
<li><a
href="https://github.com/cilium/cilium/commit/7f3e1b7992cfb4070dce4b13dc8e0a49e8f42f5a"><code>7f3e1b7</code></a>
iptables: Ensure iptables masquerading works for proxy traffic</li>
<li><a
href="https://github.com/cilium/cilium/commit/8dadbce310fc04dbf8488afa5599ee3130162b7a"><code>8dadbce</code></a>
Don't set 0x200 mark for proxy to world traffic in iptables
PREROUTING</li>
<li><a
href="https://github.com/cilium/cilium/commit/2091036619539ec546a0f525c1323ee258d45bc8"><code>2091036</code></a>
chore(deps): update dependency cilium/hubble to v0.13.5</li>
<li><a
href="https://github.com/cilium/cilium/commit/8a6f25ff602da8be9417667cea04c41759408713"><code>8a6f25f</code></a>
fqdn: Forward-compatibility with Cilium 1.16 fqdn identities</li>
<li><a
href="https://github.com/cilium/cilium/commit/6eb495d8a905dd88a471f06ceb7d4c785f5a1f09"><code>6eb495d</code></a>
images: update cilium-{runtime,builder}</li>
<li>Additional commits viewable in <a
href="https://github.com/cilium/cilium/compare/1.15.5...1.15.6">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-merge-queue bot pushed a commit to microsoft/retina that referenced this pull request Jun 12, 2024
Bumps [github.com/cilium/cilium](https://github.com/cilium/cilium) from
1.15.5 to 1.15.6.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/cilium/cilium/blob/1.15.6/CHANGELOG.md">github.com/cilium/cilium's
changelog</a>.</em></p>
<blockquote>
<h2>v1.15.6</h2>
<h2>Summary of Changes</h2>
<p><strong>Minor Changes:</strong></p>
<ul>
<li><code>cilium/cilium#32872</code><a
href="https://github.com/gandro"><code>@​gandro</code></a>)</li>
<li>Generate SBOMs using Syft instead of bom (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32307">#32307</a>,
<a
href="https://github.com/ferozsalam"><code>@​ferozsalam</code></a>)</li>
<li>Improved background resynchronization of nodes. Before all nodes
were being updated at the same time, now we spread updates over time to
average out CPU usage. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32748">#32748</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32577">#32577</a>,
<a href="https://github.com/marseel"><code>@​marseel</code></a>)</li>
<li>Introduce CLI commands to troubleshoot connectivity issues to the
etcd kvstore and clustermesh control plane (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32568">#32568</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32336">#32336</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>ipsec: Improve CPU usage of cilium-agent in large clusters (Backport
PR <a
href="https://redirect.github.com/cilium/cilium/issues/32882">#32882</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32588">#32588</a>,
<a href="https://github.com/marseel"><code>@​marseel</code></a>)</li>
<li>KVStoreMesh: expose remote clusters information and introduce
dedicated CLI command (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32568">#32568</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32156">#32156</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
</ul>
<p><strong>Bugfixes:</strong></p>
<ul>
<li>.github/workflows: fix digests file creation (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32860">#32860</a>,
<a href="https://github.com/aanm"><code>@​aanm</code></a>)</li>
<li><code>cilium/cilium#32649</code><a
href="https://github.com/pippolo84"><code>@​pippolo84</code></a>)</li>
<li>Add missing kvstore-max-consecutive-quorum-errors option to
clustermesh-apiserver/kvstoremesh binaries (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32117">#32117</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>bgp: service eTP=local, withdraw route when last backend on the node
goes in terminating state (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32536">#32536</a>,
<a
href="https://github.com/harsimran-pabla"><code>@​harsimran-pabla</code></a>)</li>
<li>Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields
for CiliumLoadBalancerIPPool (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32694">#32694</a>,
<a
href="https://github.com/dswaffordcw"><code>@​dswaffordcw</code></a>)</li>
<li>cni: Reserve local ports for DNS proxy even if IPv6 is disabled
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32725">#32725</a>,
<a href="https://github.com/gandro"><code>@​gandro</code></a>)</li>
<li>egressgw: Let the EGW manager relax rp_filter on egress device
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32778">#32778</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32679">#32679</a>,
<a
href="https://github.com/ysksuzuki"><code>@​ysksuzuki</code></a>)</li>
<li>Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/31671">#31671</a>,
<a
href="https://github.com/foyerunix"><code>@​foyerunix</code></a>)</li>
<li>Fix indexing bug in the logic for picking NodePort addresses. In
rare cases this may have caused wrong address to be selected for
NodePort use, or an out-of-bounds access. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32506">#32506</a>,
<a href="https://github.com/joamaki"><code>@​joamaki</code></a>)</li>
<li>Fix PromQL query in Cilium Metrics dashboard (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32017">#32017</a>,
<a
href="https://github.com/mikemykhaylov"><code>@​mikemykhaylov</code></a>)</li>
<li>Fix rare race condition afflicting clustermesh when disconnecting
from a remote cluster, possibly causing the agent to panic (Backport PR
<a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32513">#32513</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>Fixes accidentally ignoring the preflight.nodeSelector Helm value.
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32548">#32548</a>,
<a href="https://github.com/squeed"><code>@​squeed</code></a>)</li>
<li>Fixes unencrypted traffic among nodes when IPsec is used with L7
egress proxy. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32932">#32932</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32683">#32683</a>,
<a
href="https://github.com/jschwinger233"><code>@​jschwinger233</code></a>)</li>
<li>ingress: Set the default value for max_stream_timeout (Backport PR
<a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/31514">#31514</a>,
<a href="https://github.com/tskinn"><code>@​tskinn</code></a>)</li>
<li>Introduce timeout when waiting for the initial synchronization from
remote clusters, to avoid blocking forever necessary GC operations in
case of clustermesh misconfigurations. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32802">#32802</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32671">#32671</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>ipsec: Safely delete Xfrm state (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32450">#32450</a>,
<a
href="https://github.com/jschwinger233"><code>@​jschwinger233</code></a>)</li>
<li>proxy: Re-enable proxy rule installation in native-routing mode for
CEC (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32481">#32481</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32367">#32367</a>,
<a href="https://github.com/sayboras"><code>@​sayboras</code></a>)</li>
<li>Remove deprecated <code>hubble.ui.securityContext.enabled</code>
from hubble-ui deployment template (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32338">#32338</a>,
<a href="https://github.com/stelucz"><code>@​stelucz</code></a>)</li>
</ul>
<p><strong>CI Changes:</strong></p>
<ul>
<li>CI: Add job name validation (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32462">#32462</a>,
<a href="https://github.com/brlbil"><code>@​brlbil</code></a>)</li>
<li>ci: Filter supported versions of EKS (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32304">#32304</a>,
<a href="https://github.com/marseel"><code>@​marseel</code></a>)</li>
<li>ci: Filter supported versions of GKE (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32302">#32302</a>,
<a href="https://github.com/marseel"><code>@​marseel</code></a>)</li>
<li>ci: l4lb: gather more infos about docker-in-docker issues (Backport
PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32570">#32570</a>,
<a
href="https://github.com/mhofstetter"><code>@​mhofstetter</code></a>)</li>
<li>ci: l4lb: restart docker-in-docker container on failure (Backport PR
<a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32600">#32600</a>,
<a
href="https://github.com/mhofstetter"><code>@​mhofstetter</code></a>)</li>
<li>eks: Don't use spot instances (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32553">#32553</a>,
<a
href="https://github.com/michi-covalent"><code>@​michi-covalent</code></a>)</li>
<li>GCP OIDC instead of SA creds. (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32707">#32707</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/30809">#30809</a>,
<a
href="https://github.com/viktor-kurchenko"><code>@​viktor-kurchenko</code></a>)</li>
<li>gha: cover TLS auth mode in clustermesh upgrade/downgrade tests
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32684">#32684</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>gha: test certificate generation methods in conformance clustermesh
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32654">#32654</a>,
<a href="https://github.com/giorio94"><code>@​giorio94</code></a>)</li>
<li>Modify GitHub Actions Workflows to echo the inputs they are given
when triggered by a <code>workflow_dispatch</code> event. (Backport PR
<a
href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/31424">#31424</a>,
<a
href="https://github.com/learnitall"><code>@​learnitall</code></a>)</li>
<li>Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32402">#32402</a>,
<a
href="https://github.com/michi-covalent"><code>@​michi-covalent</code></a>)</li>
<li>workflows: ignore &quot;No egress gateway found&quot; drops
(Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32564">#32564</a>,
<a href="https://github.com/jibi"><code>@​jibi</code></a>)</li>
<li>workflows: Remove stale CodeQL workflow (Backport PR <a
href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>,
Upstream PR <a
href="https://redirect.github.com/cilium/cilium/issues/32084">#32084</a>,
<a href="https://github.com/pchaigno"><code>@​pchaigno</code></a>)</li>
</ul>
<p><strong>Misc Changes:</strong></p>
<ul>
<li><code>cilium/cilium#32869</code><a
href="https://github.com/ferozsalam"><code>@​ferozsalam</code></a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/cilium/cilium/commit/a09e05e6b63d82dbc3a1b0de1721a3407c340e7c"><code>a09e05e</code></a>
Prepare for release v1.15.6</li>
<li><a
href="https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741"><code>9299c0f</code></a>
bugtool: Add post-processing masking function for Envoy</li>
<li><a
href="https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407"><code>0191b1e</code></a>
bugtool: Add json masking function</li>
<li><a
href="https://github.com/cilium/cilium/commit/b6483461d5ce56f8abab9a2faefc5c0d984eda48"><code>b648346</code></a>
docs: ipsec: remove limitation for native-routing with L7 egress
policy</li>
<li><a
href="https://github.com/cilium/cilium/commit/5197d4ce2b953acc14c2879983948171dceb4934"><code>5197d4c</code></a>
proxy/routes: Also routes egress proxy's return traffic to 2005</li>
<li><a
href="https://github.com/cilium/cilium/commit/7f3e1b7992cfb4070dce4b13dc8e0a49e8f42f5a"><code>7f3e1b7</code></a>
iptables: Ensure iptables masquerading works for proxy traffic</li>
<li><a
href="https://github.com/cilium/cilium/commit/8dadbce310fc04dbf8488afa5599ee3130162b7a"><code>8dadbce</code></a>
Don't set 0x200 mark for proxy to world traffic in iptables
PREROUTING</li>
<li><a
href="https://github.com/cilium/cilium/commit/2091036619539ec546a0f525c1323ee258d45bc8"><code>2091036</code></a>
chore(deps): update dependency cilium/hubble to v0.13.5</li>
<li><a
href="https://github.com/cilium/cilium/commit/8a6f25ff602da8be9417667cea04c41759408713"><code>8a6f25f</code></a>
fqdn: Forward-compatibility with Cilium 1.16 fqdn identities</li>
<li><a
href="https://github.com/cilium/cilium/commit/6eb495d8a905dd88a471f06ceb7d4c785f5a1f09"><code>6eb495d</code></a>
images: update cilium-{runtime,builder}</li>
<li>Additional commits viewable in <a
href="https://github.com/cilium/cilium/compare/1.15.5...1.15.6">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
matmerr pushed a commit to matmerr/retina that referenced this pull request Jul 3, 2024
Labels
area/iptables Impacts how Cilium interacts with iptables. backport/1.15 This PR represents a backport for Cilium 1.15.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.