[v1.15] iptables: Do not install NOTRACK rules if IPv4NativeRoutingCIDR is nil #32649
Merged: julianwiedmann merged 1 commit into cilium:v1.15 from pippolo84:pr/pippolo84/v1.15-fix-skip-pod-traffic-ct on May 27, 2024
In case IPv4NativeRoutingCIDR is left unspecified, the related config option will be nil. To avoid panicking, check for this case before converting the CIDR to a string. Moreover, do not try to run the iptables command to install the NOTRACK rules if the resulting string is empty.

Fixes: cilium#32607
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
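The guard described in the commit message above, as an added Go example that is not part of the pull request or of Cilium's code. The `CIDR` wrapper type, the helper names, the chain name and the rule layout are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// CIDR is a hypothetical wrapper that embeds *net.IPNet.
// It stands in for an optional config value and is not Cilium's own type.
type CIDR struct {
	*net.IPNet
}

// unguardedString shows the failure mode: String is promoted from the
// embedded *net.IPNet, so calling it on a nil *CIDR dereferences nil and
// panics. The panic is recovered here only so the example can report it.
func unguardedString(c *CIDR) (s string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return c.String(), false
}

// cidrString converts an optional CIDR to a string without touching a nil
// pointer. An unset option yields the empty string.
func cidrString(c *CIDR) string {
	if c == nil || c.IPNet == nil {
		return ""
	}
	return c.IPNet.String()
}

// notrackArgs returns the iptables argument vectors for the NOTRACK rules,
// or nil when there is no CIDR to match on, in which case the caller runs
// no iptables command at all.
func notrackArgs(c *CIDR) [][]string {
	cidr := cidrString(c)
	if cidr == "" {
		return nil
	}
	const chain = "EXAMPLE_PRE_raw" // hypothetical chain name
	// Constructed rule layout: skip connection tracking for traffic whose
	// source or destination is inside the CIDR.
	return [][]string{
		{"-t", "raw", "-A", chain, "-s", cidr, "-j", "CT", "--notrack"},
		{"-t", "raw", "-A", chain, "-d", cidr, "-j", "CT", "--notrack"},
	}
}

// mustCIDR builds a CIDR from constructed sample input.
func mustCIDR(s string) *CIDR {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return &CIDR{IPNet: n}
}

func main() {
	// Constructed inputs: option left unset, then set to a sample range.
	for _, c := range []*CIDR{nil, mustCIDR("10.0.0.0/8")} {
		_, panicked := unguardedString(c)
		fmt.Printf("unguarded panics=%v guarded=%q rules=%d\n",
			panicked, cidrString(c), len(notrackArgs(c)))
	}
}
```
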
/test-backport-1.15
lmb approved these changes on May 24, 2024
/test-backport-1.15
github-merge-queue bot pushed a commit to microsoft/retina that referenced this pull request on Jun 11, 2024
Bumps [github.com/cilium/cilium](https://github.com/cilium/cilium) from 1.15.5 to 1.15.6.

Changelog

*Sourced from [github.com/cilium/cilium's changelog](https://github.com/cilium/cilium/blob/1.15.6/CHANGELOG.md).*

## v1.15.6

## Summary of Changes

**Minor Changes:**

- `cilium/cilium#32872` [`@gandro`](https://github.com/gandro))
- Generate SBOMs using Syft instead of bom (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32307](https://redirect.github.com/cilium/cilium/issues/32307), [`@ferozsalam`](https://github.com/ferozsalam))
- Improved background resynchronization of nodes. Before all nodes were being updated at the same time, now we spread updates over time to average out CPU usage. (Backport PR [#32748](https://redirect.github.com/cilium/cilium/issues/32748), Upstream PR [#32577](https://redirect.github.com/cilium/cilium/issues/32577), [`@marseel`](https://github.com/marseel))
- Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (Backport PR [#32568](https://redirect.github.com/cilium/cilium/issues/32568), Upstream PR [#32336](https://redirect.github.com/cilium/cilium/issues/32336), [`@giorio94`](https://github.com/giorio94))
- ipsec: Improve CPU usage of cilium-agent in large clusters (Backport PR [#32882](https://redirect.github.com/cilium/cilium/issues/32882), Upstream PR [#32588](https://redirect.github.com/cilium/cilium/issues/32588), [`@marseel`](https://github.com/marseel))
- KVStoreMesh: expose remote clusters information and introduce dedicated CLI command (Backport PR [#32568](https://redirect.github.com/cilium/cilium/issues/32568), Upstream PR [#32156](https://redirect.github.com/cilium/cilium/issues/32156), [`@giorio94`](https://github.com/giorio94))

**Bugfixes:**

- .github/workflows: fix digests file creation (Backport PR [#32889](https://redirect.github.com/cilium/cilium/issues/32889), Upstream PR [#32860](https://redirect.github.com/cilium/cilium/issues/32860), [`@aanm`](https://github.com/aanm))
- `cilium/cilium#32649` [`@pippolo84`](https://github.com/pippolo84))
- Add missing kvstore-max-consecutive-quorum-errors option to clustermesh-apiserver/kvstoremesh binaries (Backport PR [#32500](https://redirect.github.com/cilium/cilium/issues/32500), Upstream PR [#32117](https://redirect.github.com/cilium/cilium/issues/32117), [`@giorio94`](https://github.com/giorio94))
- bgp: service eTP=local, withdraw route when last backend on the node goes in terminating state (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32536](https://redirect.github.com/cilium/cilium/issues/32536), [`@harsimran-pabla`](https://github.com/harsimran-pabla))
- Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields for CiliumLoadBalancerIPPool (Backport PR [#32889](https://redirect.github.com/cilium/cilium/issues/32889), Upstream PR [#32694](https://redirect.github.com/cilium/cilium/issues/32694), [`@dswaffordcw`](https://github.com/dswaffordcw))
- cni: Reserve local ports for DNS proxy even if IPv6 is disabled (Backport PR [#32789](https://redirect.github.com/cilium/cilium/issues/32789), Upstream PR [#32725](https://redirect.github.com/cilium/cilium/issues/32725), [`@gandro`](https://github.com/gandro))
- egressgw: Let the EGW manager relax rp_filter on egress device (Backport PR [#32778](https://redirect.github.com/cilium/cilium/issues/32778), Upstream PR [#32679](https://redirect.github.com/cilium/cilium/issues/32679), [`@ysksuzuki`](https://github.com/ysksuzuki))
- Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes (Backport PR [#32789](https://redirect.github.com/cilium/cilium/issues/32789), Upstream PR [#31671](https://redirect.github.com/cilium/cilium/issues/31671), [`@foyerunix`](https://github.com/foyerunix))
- Fix indexing bug in the logic for picking NodePort addresses. In rare cases this may have caused wrong address to be selected for NodePort use, or an out-of-bounds access. (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32506](https://redirect.github.com/cilium/cilium/issues/32506), [`@joamaki`](https://github.com/joamaki))
- Fix PromQL query in Cilium Metrics dashboard (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32017](https://redirect.github.com/cilium/cilium/issues/32017), [`@mikemykhaylov`](https://github.com/mikemykhaylov))
- Fix rare race condition afflicting clustermesh when disconnecting from a remote cluster, possibly causing the agent to panic (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32513](https://redirect.github.com/cilium/cilium/issues/32513), [`@giorio94`](https://github.com/giorio94))
- Fixes accidentally ignoring the preflight.nodeSelector Helm value. (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32548](https://redirect.github.com/cilium/cilium/issues/32548), [`@squeed`](https://github.com/squeed))
- Fixes unencrypted traffic among nodes when IPsec is used with L7 egress proxy. (Backport PR [#32932](https://redirect.github.com/cilium/cilium/issues/32932), Upstream PR [#32683](https://redirect.github.com/cilium/cilium/issues/32683), [`@jschwinger233`](https://github.com/jschwinger233))
- ingress: Set the default value for max_stream_timeout (Backport PR [#32889](https://redirect.github.com/cilium/cilium/issues/32889), Upstream PR [#31514](https://redirect.github.com/cilium/cilium/issues/31514), [`@tskinn`](https://github.com/tskinn))
- Introduce timeout when waiting for the initial synchronization from remote clusters, to avoid blocking forever necessary GC operations in case of clustermesh misconfigurations. (Backport PR [#32802](https://redirect.github.com/cilium/cilium/issues/32802), Upstream PR [#32671](https://redirect.github.com/cilium/cilium/issues/32671), [`@giorio94`](https://github.com/giorio94))
- ipsec: Safely delete Xfrm state (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32450](https://redirect.github.com/cilium/cilium/issues/32450), [`@jschwinger233`](https://github.com/jschwinger233))
- proxy: Re-enable proxy rule installation in native-routing mode for CEC (Backport PR [#32481](https://redirect.github.com/cilium/cilium/issues/32481), Upstream PR [#32367](https://redirect.github.com/cilium/cilium/issues/32367), [`@sayboras`](https://github.com/sayboras))
- Remove deprecated `hubble.ui.securityContext.enabled` from hubble-ui deployment template (Backport PR [#32889](https://redirect.github.com/cilium/cilium/issues/32889), Upstream PR [#32338](https://redirect.github.com/cilium/cilium/issues/32338), [`@stelucz`](https://github.com/stelucz))

**CI Changes:**

- CI: Add job name validation (Backport PR [#32500](https://redirect.github.com/cilium/cilium/issues/32500), Upstream PR [#32462](https://redirect.github.com/cilium/cilium/issues/32462), [`@brlbil`](https://github.com/brlbil))
- ci: Filter supported versions of EKS (Backport PR [#32889](https://redirect.github.com/cilium/cilium/issues/32889), Upstream PR [#32304](https://redirect.github.com/cilium/cilium/issues/32304), [`@marseel`](https://github.com/marseel))
- ci: Filter supported versions of GKE (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32302](https://redirect.github.com/cilium/cilium/issues/32302), [`@marseel`](https://github.com/marseel))
- ci: l4lb: gather more infos about docker-in-docker issues (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32570](https://redirect.github.com/cilium/cilium/issues/32570), [`@mhofstetter`](https://github.com/mhofstetter))
- ci: l4lb: restart docker-in-docker container on failure (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32600](https://redirect.github.com/cilium/cilium/issues/32600), [`@mhofstetter`](https://github.com/mhofstetter))
- eks: Don't use spot instances (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32553](https://redirect.github.com/cilium/cilium/issues/32553), [`@michi-covalent`](https://github.com/michi-covalent))
- GCP OIDC instead of SA creds. (Backport PR [#32707](https://redirect.github.com/cilium/cilium/issues/32707), Upstream PR [#30809](https://redirect.github.com/cilium/cilium/issues/30809), [`@viktor-kurchenko`](https://github.com/viktor-kurchenko))
- gha: cover TLS auth mode in clustermesh upgrade/downgrade tests (Backport PR [#32789](https://redirect.github.com/cilium/cilium/issues/32789), Upstream PR [#32684](https://redirect.github.com/cilium/cilium/issues/32684), [`@giorio94`](https://github.com/giorio94))
- gha: test certificate generation methods in conformance clustermesh (Backport PR [#32789](https://redirect.github.com/cilium/cilium/issues/32789), Upstream PR [#32654](https://redirect.github.com/cilium/cilium/issues/32654), [`@giorio94`](https://github.com/giorio94))
- Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a `workflow_dispatch` event. (Backport PR [#32500](https://redirect.github.com/cilium/cilium/issues/32500), Upstream PR [#31424](https://redirect.github.com/cilium/cilium/issues/31424), [`@learnitall`](https://github.com/learnitall))
- Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR [#32500](https://redirect.github.com/cilium/cilium/issues/32500), Upstream PR [#32402](https://redirect.github.com/cilium/cilium/issues/32402), [`@michi-covalent`](https://github.com/michi-covalent))
- workflows: ignore "No egress gateway found" drops (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32564](https://redirect.github.com/cilium/cilium/issues/32564), [`@jibi`](https://github.com/jibi))
- workflows: Remove stale CodeQL workflow (Backport PR [#32691](https://redirect.github.com/cilium/cilium/issues/32691), Upstream PR [#32084](https://redirect.github.com/cilium/cilium/issues/32084), [`@pchaigno`](https://github.com/pchaigno))

**Misc Changes:**

- `cilium/cilium#32869` [`@ferozsalam`](https://github.com/ferozsalam))

... (truncated)

Commits

- [`a09e05e`](https://github.com/cilium/cilium/commit/a09e05e6b63d82dbc3a1b0de1721a3407c340e7c) Prepare for release v1.15.6
- [`9299c0f`](https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741) bugtool: Add post-processing masking function for Envoy
- [`0191b1e`](https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407) bugtool: Add json masking function
- [`b648346`](https://github.com/cilium/cilium/commit/b6483461d5ce56f8abab9a2faefc5c0d984eda48) docs: ipsec: remove limitation for native-routing with L7 egress policy
- [`5197d4c`](https://github.com/cilium/cilium/commit/5197d4ce2b953acc14c2879983948171dceb4934) proxy/routes: Also routes egress proxy's return traffic to 2005
- [`7f3e1b7`](https://github.com/cilium/cilium/commit/7f3e1b7992cfb4070dce4b13dc8e0a49e8f42f5a) iptables: Ensure iptables masquerading works for proxy traffic
- [`8dadbce`](https://github.com/cilium/cilium/commit/8dadbce310fc04dbf8488afa5599ee3130162b7a) Don't set 0x200 mark for proxy to world traffic in iptables PREROUTING
- [`2091036`](https://github.com/cilium/cilium/commit/2091036619539ec546a0f525c1323ee258d45bc8) chore(deps): update dependency cilium/hubble to v0.13.5
- [`8a6f25f`](https://github.com/cilium/cilium/commit/8a6f25ff602da8be9417667cea04c41759408713) fqdn: Forward-compatibility with Cilium 1.16 fqdn identities
- [`6eb495d`](https://github.com/cilium/cilium/commit/6eb495d8a905dd88a471f06ceb7d4c785f5a1f09) images: update cilium-{runtime,builder}
- Additional commits viewable in [compare view](https://github.com/cilium/cilium/compare/1.15.5...1.15.6)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-merge-queue bot
pushed a commit
to microsoft/retina
that referenced
this pull request
Jun 11, 2024
Bumps [github.com/cilium/cilium](https://github.com/cilium/cilium) from 1.15.5 to 1.15.6. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/cilium/cilium/blob/1.15.6/CHANGELOG.md">github.com/cilium/cilium's changelog</a>.</em></p> <blockquote> <h2>v1.15.6</h2> <h2>Summary of Changes</h2> <p><strong>Minor Changes:</strong></p> <ul> <li><code>cilium/cilium#32872</code><a href="https://github.com/gandro"><code>@gandro</code></a>)</li> <li>Generate SBOMs using Syft instead of bom (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32307">#32307</a>, <a href="https://github.com/ferozsalam"><code>@ferozsalam</code></a>)</li> <li>Improved background resynchronization of nodes. Before all nodes were being updated at the same time, now we spread updates over time to average out CPU usage. (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32748">#32748</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32577">#32577</a>, <a href="https://github.com/marseel"><code>@marseel</code></a>)</li> <li>Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32568">#32568</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32336">#32336</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> <li>ipsec: Improve CPU usage of cilum-agent in large clusters (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32882">#32882</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32588">#32588</a>, <a href="https://github.com/marseel"><code>@marseel</code></a>)</li> <li>KVStoreMesh: expose remote clusters information and introduce dedicated CLI command (Backport PR <a 
href="https://redirect.github.com/cilium/cilium/issues/32568">#32568</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32156">#32156</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> </ul> <p><strong>Bugfixes:</strong></p> <ul> <li>.github/workflows: fix digests file creation (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32860">#32860</a>, <a href="https://github.com/aanm"><code>@aanm</code></a>)</li> <li><code>cilium/cilium#32649</code><a href="https://github.com/pippolo84"><code>@pippolo84</code></a>)</li> <li>Add missing kvstore-max-consecutive-quorum-errors option to clustermesh-apiserver/kvstoremesh binaries (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32117">#32117</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> <li>bgp: service eTP=local, withdraw route when last backend on the node goes in terminating state (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32536">#32536</a>, <a href="https://github.com/harsimran-pabla"><code>@harsimran-pabla</code></a>)</li> <li>Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields for CiliumLoadBalancerIPPool (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32694">#32694</a>, <a href="https://github.com/dswaffordcw"><code>@dswaffordcw</code></a>)</li> <li>cni: Reserve local ports for DNS proxy even if IPv6 is disabled (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>, Upstream PR <a 
href="https://redirect.github.com/cilium/cilium/issues/32725">#32725</a>, <a href="https://github.com/gandro"><code>@gandro</code></a>)</li> <li>egressgw: Let the EGW manager relax rp_filter on egress device (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32778">#32778</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32679">#32679</a>, <a href="https://github.com/ysksuzuki"><code>@ysksuzuki</code></a>)</li> <li>Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/31671">#31671</a>, <a href="https://github.com/foyerunix"><code>@foyerunix</code></a>)</li> <li>Fix indexing bug in the logic for picking NodePort addresses. In rare cases this may have caused wrong address to be selected for NodePort use, or an out-of-bounds access. (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32506">#32506</a>, <a href="https://github.com/joamaki"><code>@joamaki</code></a>)</li> <li>Fix PromQL query in Cilium Metrics dashboard (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32017">#32017</a>, <a href="https://github.com/mikemykhaylov"><code>@mikemykhaylov</code></a>)</li> <li>Fix rare race condition afflicting clustermesh when disconnecting from a remote cluster, possibly causing the agent to panic (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32513">#32513</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> <li>Fixes accidentally ignoring the preflight.nodeSelector Helm value. 
(Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32548">#32548</a>, <a href="https://github.com/squeed"><code>@squeed</code></a>)</li> <li>Fixes unencrypted traffic among nodes when IPsec is used with L7 egress proxy. (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32932">#32932</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32683">#32683</a>, <a href="https://github.com/jschwinger233"><code>@jschwinger233</code></a>)</li> <li>ingress: Set the default value for max_stream_timeout (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/31514">#31514</a>, <a href="https://github.com/tskinn"><code>@tskinn</code></a>)</li> <li>Introduce timeout when waiting for the initial synchronization from remote clusters, to avoid blocking forever necessary GC operations in case of clustermesh misconfigurations. 
(Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32802">#32802</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32671">#32671</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> <li>ipsec: Safely delete Xfrm state (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32450">#32450</a>, <a href="https://github.com/jschwinger233"><code>@jschwinger233</code></a>)</li> <li>proxy: Re-enable proxy rule installation in native-routing mode for CEC (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32481">#32481</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32367">#32367</a>, <a href="https://github.com/sayboras"><code>@sayboras</code></a>)</li> <li>Remove deprecated <code>hubble.ui.securityContext.enabled</code> from hubble-ui deployment template (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32338">#32338</a>, <a href="https://github.com/stelucz"><code>@stelucz</code></a>)</li> </ul> <p><strong>CI Changes:</strong></p> <ul> <li>CI: Add job name validation (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32462">#32462</a>, <a href="https://github.com/brlbil"><code>@brlbil</code></a>)</li> <li>ci: Filter supported versions of EKS (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32304">#32304</a>, <a href="https://github.com/marseel"><code>@marseel</code></a>)</li> <li>ci: Filter supported versions of GKE (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a 
href="https://redirect.github.com/cilium/cilium/issues/32302">#32302</a>, <a href="https://github.com/marseel"><code>@marseel</code></a>)</li> <li>ci: l4lb: gather more infos about docker-in-docker issues (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32570">#32570</a>, <a href="https://github.com/mhofstetter"><code>@mhofstetter</code></a>)</li> <li>ci: l4lb: restart docker-in-docker container on failure (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32600">#32600</a>, <a href="https://github.com/mhofstetter"><code>@mhofstetter</code></a>)</li> <li>eks: Don't use spot instances (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32553">#32553</a>, <a href="https://github.com/michi-covalent"><code>@michi-covalent</code></a>)</li> <li>GCP OIDC instead of SA creds. 
(Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32707">#32707</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/30809">#30809</a>, <a href="https://github.com/viktor-kurchenko"><code>@viktor-kurchenko</code></a>)</li> <li>gha: cover TLS auth mode in clustermesh upgrade/downgrade tests (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32684">#32684</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> <li>gha: test certificate generation methods in conformance clustermesh (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32654">#32654</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> <li>Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a <code>workflow_dispatch</code> event. 
(Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/31424">#31424</a>, <a href="https://github.com/learnitall"><code>@learnitall</code></a>)</li> <li>Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32402">#32402</a>, <a href="https://github.com/michi-covalent"><code>@michi-covalent</code></a>)</li> <li>workflows: ignore "No egress gateway found" drops (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32564">#32564</a>, <a href="https://github.com/jibi"><code>@jibi</code></a>)</li> <li>workflows: Remove stale CodeQL workflow (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32084">#32084</a>, <a href="https://github.com/pchaigno"><code>@pchaigno</code></a>)</li> </ul> <p><strong>Misc Changes:</strong></p> <ul> <li><code>cilium/cilium#32869</code><a href="https://github.com/ferozsalam"><code>@ferozsalam</code></a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/cilium/cilium/commit/a09e05e6b63d82dbc3a1b0de1721a3407c340e7c"><code>a09e05e</code></a> Prepare for release v1.15.6</li> <li><a href="https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741"><code>9299c0f</code></a> bugtool: Add post-processing masking function for Envoy</li> <li><a href="https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407"><code>0191b1e</code></a> bugtool: Add json masking function</li> <li><a href="https://github.com/cilium/cilium/commit/b6483461d5ce56f8abab9a2faefc5c0d984eda48"><code>b648346</code></a> docs: ipsec: remove limitation for native-routing with L7 egress policy</li> <li><a href="https://github.com/cilium/cilium/commit/5197d4ce2b953acc14c2879983948171dceb4934"><code>5197d4c</code></a> proxy/routes: Also routes egress proxy's return traffic to 2005</li> <li><a href="https://github.com/cilium/cilium/commit/7f3e1b7992cfb4070dce4b13dc8e0a49e8f42f5a"><code>7f3e1b7</code></a> iptables: Ensure iptables masquerading works for proxy traffic</li> <li><a href="https://github.com/cilium/cilium/commit/8dadbce310fc04dbf8488afa5599ee3130162b7a"><code>8dadbce</code></a> Don't set 0x200 mark for proxy to world traffic in iptables PREROUTING</li> <li><a href="https://github.com/cilium/cilium/commit/2091036619539ec546a0f525c1323ee258d45bc8"><code>2091036</code></a> chore(deps): update dependency cilium/hubble to v0.13.5</li> <li><a href="https://github.com/cilium/cilium/commit/8a6f25ff602da8be9417667cea04c41759408713"><code>8a6f25f</code></a> fqdn: Forward-compatibility with Cilium 1.16 fqdn identities</li> <li><a href="https://github.com/cilium/cilium/commit/6eb495d8a905dd88a471f06ceb7d4c785f5a1f09"><code>6eb495d</code></a> images: update cilium-{runtime,builder}</li> <li>Additional commits viewable in <a href="https://github.com/cilium/cilium/compare/1.15.5...1.15.6">compare view</a></li> </ul> 
</details> <br />
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-merge-queue bot
pushed a commit
to microsoft/retina
that referenced
this pull request
Jun 12, 2024
Bumps [github.com/cilium/cilium](https://github.com/cilium/cilium) from 1.15.5 to 1.15.6.
github-merge-queue bot
pushed a commit
to microsoft/retina
that referenced
this pull request
Jun 12, 2024
Bumps [github.com/cilium/cilium](https://github.com/cilium/cilium) from 1.15.5 to 1.15.6. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/cilium/cilium/blob/1.15.6/CHANGELOG.md">github.com/cilium/cilium's changelog</a>.</em></p> <blockquote> <h2>v1.15.6</h2> <h2>Summary of Changes</h2> <p><strong>Minor Changes:</strong></p> <ul> <li><code>cilium/cilium#32872</code><a href="https://github.com/gandro"><code>@gandro</code></a>)</li> <li>Generate SBOMs using Syft instead of bom (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32307">#32307</a>, <a href="https://github.com/ferozsalam"><code>@ferozsalam</code></a>)</li> <li>Improved background resynchronization of nodes. Before all nodes were being updated at the same time, now we spread updates over time to average out CPU usage. (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32748">#32748</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32577">#32577</a>, <a href="https://github.com/marseel"><code>@marseel</code></a>)</li> <li>Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32568">#32568</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32336">#32336</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> <li>ipsec: Improve CPU usage of cilum-agent in large clusters (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32882">#32882</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32588">#32588</a>, <a href="https://github.com/marseel"><code>@marseel</code></a>)</li> <li>KVStoreMesh: expose remote clusters information and introduce dedicated CLI command (Backport PR <a 
href="https://redirect.github.com/cilium/cilium/issues/32568">#32568</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32156">#32156</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> </ul> <p><strong>Bugfixes:</strong></p> <ul> <li>.github/workflows: fix digests file creation (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32860">#32860</a>, <a href="https://github.com/aanm"><code>@aanm</code></a>)</li> <li><code>cilium/cilium#32649</code><a href="https://github.com/pippolo84"><code>@pippolo84</code></a>)</li> <li>Add missing kvstore-max-consecutive-quorum-errors option to clustermesh-apiserver/kvstoremesh binaries (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32117">#32117</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> <li>bgp: service eTP=local, withdraw route when last backend on the node goes in terminating state (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32536">#32536</a>, <a href="https://github.com/harsimran-pabla"><code>@harsimran-pabla</code></a>)</li> <li>Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields for CiliumLoadBalancerIPPool (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32694">#32694</a>, <a href="https://github.com/dswaffordcw"><code>@dswaffordcw</code></a>)</li> <li>cni: Reserve local ports for DNS proxy even if IPv6 is disabled (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>, Upstream PR <a 
href="https://redirect.github.com/cilium/cilium/issues/32725">#32725</a>, <a href="https://github.com/gandro"><code>@gandro</code></a>)</li> <li>egressgw: Let the EGW manager relax rp_filter on egress device (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32778">#32778</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32679">#32679</a>, <a href="https://github.com/ysksuzuki"><code>@ysksuzuki</code></a>)</li> <li>Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/31671">#31671</a>, <a href="https://github.com/foyerunix"><code>@foyerunix</code></a>)</li> <li>Fix indexing bug in the logic for picking NodePort addresses. In rare cases this may have caused wrong address to be selected for NodePort use, or an out-of-bounds access. (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32506">#32506</a>, <a href="https://github.com/joamaki"><code>@joamaki</code></a>)</li> <li>Fix PromQL query in Cilium Metrics dashboard (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32017">#32017</a>, <a href="https://github.com/mikemykhaylov"><code>@mikemykhaylov</code></a>)</li> <li>Fix rare race condition afflicting clustermesh when disconnecting from a remote cluster, possibly causing the agent to panic (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32513">#32513</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> <li>Fixes accidentally ignoring the preflight.nodeSelector Helm value. 
(Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32548">#32548</a>, <a href="https://github.com/squeed"><code>@squeed</code></a>)</li> <li>Fixes unencrypted traffic among nodes when IPsec is used with L7 egress proxy. (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32932">#32932</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32683">#32683</a>, <a href="https://github.com/jschwinger233"><code>@jschwinger233</code></a>)</li> <li>ingress: Set the default value for max_stream_timeout (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/31514">#31514</a>, <a href="https://github.com/tskinn"><code>@tskinn</code></a>)</li> <li>Introduce timeout when waiting for the initial synchronization from remote clusters, to avoid blocking forever necessary GC operations in case of clustermesh misconfigurations. 
(Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32802">#32802</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32671">#32671</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> <li>ipsec: Safely delete Xfrm state (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32450">#32450</a>, <a href="https://github.com/jschwinger233"><code>@jschwinger233</code></a>)</li> <li>proxy: Re-enable proxy rule installation in native-routing mode for CEC (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32481">#32481</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32367">#32367</a>, <a href="https://github.com/sayboras"><code>@sayboras</code></a>)</li> <li>Remove deprecated <code>hubble.ui.securityContext.enabled</code> from hubble-ui deployment template (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32338">#32338</a>, <a href="https://github.com/stelucz"><code>@stelucz</code></a>)</li> </ul> <p><strong>CI Changes:</strong></p> <ul> <li>CI: Add job name validation (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32462">#32462</a>, <a href="https://github.com/brlbil"><code>@brlbil</code></a>)</li> <li>ci: Filter supported versions of EKS (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32889">#32889</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32304">#32304</a>, <a href="https://github.com/marseel"><code>@marseel</code></a>)</li> <li>ci: Filter supported versions of GKE (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a 
href="https://redirect.github.com/cilium/cilium/issues/32302">#32302</a>, <a href="https://github.com/marseel"><code>@marseel</code></a>)</li> <li>ci: l4lb: gather more infos about docker-in-docker issues (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32570">#32570</a>, <a href="https://github.com/mhofstetter"><code>@mhofstetter</code></a>)</li> <li>ci: l4lb: restart docker-in-docker container on failure (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32600">#32600</a>, <a href="https://github.com/mhofstetter"><code>@mhofstetter</code></a>)</li> <li>eks: Don't use spot instances (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32553">#32553</a>, <a href="https://github.com/michi-covalent"><code>@michi-covalent</code></a>)</li> <li>GCP OIDC instead of SA creds. 
(Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32707">#32707</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/30809">#30809</a>, <a href="https://github.com/viktor-kurchenko"><code>@viktor-kurchenko</code></a>)</li> <li>gha: cover TLS auth mode in clustermesh upgrade/downgrade tests (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32684">#32684</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> <li>gha: test certificate generation methods in conformance clustermesh (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32789">#32789</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32654">#32654</a>, <a href="https://github.com/giorio94"><code>@giorio94</code></a>)</li> <li>Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a <code>workflow_dispatch</code> event. 
(Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/31424">#31424</a>, <a href="https://github.com/learnitall"><code>@learnitall</code></a>)</li> <li>Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32500">#32500</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32402">#32402</a>, <a href="https://github.com/michi-covalent"><code>@michi-covalent</code></a>)</li> <li>workflows: ignore "No egress gateway found" drops (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32564">#32564</a>, <a href="https://github.com/jibi"><code>@jibi</code></a>)</li> <li>workflows: Remove stale CodeQL workflow (Backport PR <a href="https://redirect.github.com/cilium/cilium/issues/32691">#32691</a>, Upstream PR <a href="https://redirect.github.com/cilium/cilium/issues/32084">#32084</a>, <a href="https://github.com/pchaigno"><code>@pchaigno</code></a>)</li> </ul> <p><strong>Misc Changes:</strong></p> <ul> <li><code>cilium/cilium#32869</code><a href="https://github.com/ferozsalam"><code>@ferozsalam</code></a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/cilium/cilium/commit/a09e05e6b63d82dbc3a1b0de1721a3407c340e7c"><code>a09e05e</code></a> Prepare for release v1.15.6</li> <li><a href="https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741"><code>9299c0f</code></a> bugtool: Add post-processing masking function for Envoy</li> <li><a href="https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407"><code>0191b1e</code></a> bugtool: Add json masking function</li> <li><a href="https://github.com/cilium/cilium/commit/b6483461d5ce56f8abab9a2faefc5c0d984eda48"><code>b648346</code></a> docs: ipsec: remove limitation for native-routing with L7 egress policy</li> <li><a href="https://github.com/cilium/cilium/commit/5197d4ce2b953acc14c2879983948171dceb4934"><code>5197d4c</code></a> proxy/routes: Also routes egress proxy's return traffic to 2005</li> <li><a href="https://github.com/cilium/cilium/commit/7f3e1b7992cfb4070dce4b13dc8e0a49e8f42f5a"><code>7f3e1b7</code></a> iptables: Ensure iptables masquerading works for proxy traffic</li> <li><a href="https://github.com/cilium/cilium/commit/8dadbce310fc04dbf8488afa5599ee3130162b7a"><code>8dadbce</code></a> Don't set 0x200 mark for proxy to world traffic in iptables PREROUTING</li> <li><a href="https://github.com/cilium/cilium/commit/2091036619539ec546a0f525c1323ee258d45bc8"><code>2091036</code></a> chore(deps): update dependency cilium/hubble to v0.13.5</li> <li><a href="https://github.com/cilium/cilium/commit/8a6f25ff602da8be9417667cea04c41759408713"><code>8a6f25f</code></a> fqdn: Forward-compatibility with Cilium 1.16 fqdn identities</li> <li><a href="https://github.com/cilium/cilium/commit/6eb495d8a905dd88a471f06ceb7d4c785f5a1f09"><code>6eb495d</code></a> images: update cilium-{runtime,builder}</li> <li>Additional commits viewable in <a href="https://github.com/cilium/cilium/compare/1.15.5...1.15.6">compare view</a></li> </ul> 
</details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
matmerr
pushed a commit
to matmerr/retina
that referenced
this pull request
Jul 3, 2024
Labels
area/iptables
Impacts how Cilium interacts with iptables.
backport/1.15
This PR represents a backport for Cilium 1.15.x of a PR that was merged to main.
kind/backports
This PR provides functionality previously merged into master.
ready-to-merge
This PR has passed all tests and received consensus from code owners to merge.
release-note/bug
This PR fixes an issue in a previous release of Cilium.
In case IPv4NativeRoutingCIDR is left unspecified, the related config option will be nil. To avoid panicking, check for this case before converting the CIDR to a string. Moreover, do not try to run the iptables command to install the NOTRACK rules if the resulting string is empty.
Fixes: #32607
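The failure mode and guard described above, as an added Go example that is not the code from this pull request. The `CIDR` wrapper, the `config` struct, the function names and the rule arguments are hypothetical stand-ins rather than Cilium's own types or rules.

```go
package main

import (
	"fmt"
	"net"
)

// CIDR is a hypothetical wrapper type: String() is promoted from the embedded
// *net.IPNet, so calling it on a nil *CIDR dereferences a nil pointer.
type CIDR struct{ *net.IPNet }

// config is a hypothetical stand-in for the agent configuration; the field is
// nil when no IPv4 native routing CIDR was specified.
type config struct {
	IPv4NativeRoutingCIDR *CIDR
}

// unguardedCIDRString shows the unchecked pattern: it converts the CIDR to a
// string without a nil check. The recover turns the nil pointer dereference
// into an error so the demo can report it instead of crashing.
func unguardedCIDRString(c config) (s string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	return c.IPv4NativeRoutingCIDR.String(), nil
}

// notrackRuleArgs shows the guarded pattern: it returns illustrative iptables
// arguments for NOTRACK rules, or ok=false when no CIDR is configured and no
// iptables command should be run at all.
func notrackRuleArgs(c config) (rules [][]string, ok bool) {
	cidr := ""
	// A wrapper with no network inside is treated as unset too.
	if c.IPv4NativeRoutingCIDR != nil && c.IPv4NativeRoutingCIDR.IPNet != nil {
		cidr = c.IPv4NativeRoutingCIDR.String()
	}
	if cidr == "" {
		return nil, false
	}
	// Built-in raw-table chains are used here for illustration only.
	for _, chain := range []string{"PREROUTING", "OUTPUT"} {
		rules = append(rules, []string{
			"-t", "raw", "-A", chain,
			"-s", cidr, "-d", cidr,
			"-j", "CT", "--notrack",
		})
	}
	return rules, true
}

func main() {
	// Constructed inputs: one config with the option unset, one with it set.
	_, ipnet, _ := net.ParseCIDR("10.0.0.0/8")
	unset := config{}
	set := config{IPv4NativeRoutingCIDR: &CIDR{IPNet: ipnet}}

	_, err := unguardedCIDRString(unset)
	fmt.Println("unguarded, option unset:", err)

	for _, c := range []config{unset, set} {
		rules, ok := notrackRuleArgs(c)
		fmt.Println("guarded: install =", ok, "rules =", rules)
	}
}
```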