Update Cilium to v1.12.10

pkg/model/components/cilium.go

@@ -40,7 +40,7 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
 	}
 
 	if c.Version == "" {
-		c.Version = "v1.12.5"
+		c.Version = "v1.12.10"
 	}
 
 	if c.EnableEndpointHealthChecking == nil {

tests/e2e/pkg/tester/skip_regex.go

@@ -63,17 +63,12 @@ func (t *Tester) setSkipRegexFlag() error {
 		// https://github.com/cilium/cilium/issues/15361
 		skipRegex += "|external.IP.is.not.assigned.to.a.node"
 		// https://github.com/cilium/cilium/issues/14287
-		skipRegex += "|same.port.number.but.different.protocols|same.hostPort.but.different.hostIP.and.protocol"
+		skipRegex += "|same.port.number.but.different.protocols"
+		skipRegex += "|same.hostPort.but.different.hostIP.and.protocol"
 		// https://github.com/cilium/cilium/issues/9207
 		skipRegex += "|serve.endpoints.on.same.port.and.different.protocols"
 		// This may be fixed in Cilium 1.13 but skipping for now
 		skipRegex += "|Service.with.multiple.ports.specified.in.multiple.EndpointSlices"
-		if k8sVersion.Minor >= 22 {
-			// ref:
-			// https://github.com/kubernetes/kubernetes/issues/96717
-			// https://github.com/cilium/cilium/issues/5719
-			skipRegex += "|should.create.a.Pod.with.SCTP.HostPort"
-		}
 		// https://github.com/cilium/cilium/issues/18241
 		skipRegex += "|Services.should.create.endpoints.for.unready.pods"
 		skipRegex += "|Services.should.be.able.to.connect.to.terminating.and.unready.endpoints.if.PublishNotReadyAddresses.is.true"

tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content

@@ -236,7 +236,7 @@ spec:
       sidecarIstioProxyImage: cilium/istio_proxy
       toFqdnsDnsRejectResponseCode: refused
       tunnel: disabled
-      version: v1.12.5
+      version: v1.12.10
   nonMasqueradeCIDR: ::/0
   secretStore: memfs://clusters.example.com/minimal-ipv6.example.com/secrets
   serviceClusterIPRange: fd00:5e4f:ce::/108

tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content

@@ -55,7 +55,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.12.yaml
-    manifestHash: f067524e5a9b34b2ed9533fe81e308cc7d25723ffbbd54be681be00f9edf155c
+    manifestHash: dea487bf6b1b7fe738189959345233264860eb0476be3aa9bf2adea26c8d62e2
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.cilium.io-k8s-1.16_content

@@ -454,7 +454,7 @@ spec:
           value: api.internal.minimal-ipv6.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.12.5
+        image: quay.io/cilium/cilium:v1.12.10
         imagePullPolicy: IfNotPresent
         lifecycle:
           postStart:
@@ -519,8 +519,6 @@ spec:
           name: bpf-maps
         - mountPath: /var/run/cilium
           name: cilium-run
-        - mountPath: /host/opt/cni/bin
-          name: cni-path
         - mountPath: /host/etc/cni/net.d
           name: etc-cni-netd
         - mountPath: /var/lib/cilium/clustermesh
@@ -536,6 +534,24 @@ spec:
           name: xtables-lock
       hostNetwork: true
       initContainers:
+      - command:
+        - /install-plugin.sh
+        image: quay.io/cilium/cilium:v1.12.10
+        imagePullPolicy: IfNotPresent
+        name: install-cni-binaries
+        resources:
+          requests:
+            cpu: 100m
+            memory: 10Mi
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /host/opt/cni/bin
+          name: cni-path
       - command:
         - /init-container.sh
         env:
@@ -551,7 +567,7 @@ spec:
               key: clean-cilium-bpf-state
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.12.5
+        image: quay.io/cilium/cilium:v1.12.10
         imagePullPolicy: IfNotPresent
         name: clean-cilium-state
         resources:
@@ -688,7 +704,7 @@ spec:
           value: api.internal.minimal-ipv6.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/operator:v1.12.5
+        image: quay.io/cilium/operator:v1.12.10
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:

tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data

@@ -177,7 +177,7 @@ ConfigServer:
   - https://kops-controller.internal.minimal-warmpool.example.com:3988/
 InstanceGroupName: nodes
 InstanceGroupRole: Node
-NodeupConfigHash: etxF12d5FOTWEiQyh5jdrDOmYecD639XnWKCQk3xF+Q=
+NodeupConfigHash: n2pd1x+RceYtlzVyoiNOxnGejm5hoU5YTceFEy1yWxc=
 
 __EOF_KUBE_ENV
 

tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content

@@ -227,7 +227,7 @@ spec:
       sidecarIstioProxyImage: cilium/istio_proxy
       toFqdnsDnsRejectResponseCode: refused
       tunnel: vxlan
-      version: v1.12.5
+      version: v1.12.10
   nonMasqueradeCIDR: 100.64.0.0/10
   podCIDR: 100.96.0.0/11
   secretStore: memfs://clusters.example.com/minimal-warmpool.example.com/secrets

tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-bootstrap_content

@@ -48,7 +48,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.12.yaml
-    manifestHash: e94026a9dabe207b365e65f483c6f584be7b0ac125767a4e8487472741297b18
+    manifestHash: e47a9b297b7164c269de1f5218bbf5112ce68771648075156819f04c151d0814
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-networking.cilium.io-k8s-1.16_content

@@ -454,7 +454,7 @@ spec:
           value: api.internal.minimal-warmpool.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.12.5
+        image: quay.io/cilium/cilium:v1.12.10
         imagePullPolicy: IfNotPresent
         lifecycle:
           postStart:
@@ -519,8 +519,6 @@ spec:
           name: bpf-maps
         - mountPath: /var/run/cilium
           name: cilium-run
-        - mountPath: /host/opt/cni/bin
-          name: cni-path
         - mountPath: /host/etc/cni/net.d
           name: etc-cni-netd
         - mountPath: /var/lib/cilium/clustermesh
@@ -536,6 +534,24 @@ spec:
           name: xtables-lock
       hostNetwork: true
       initContainers:
+      - command:
+        - /install-plugin.sh
+        image: quay.io/cilium/cilium:v1.12.10
+        imagePullPolicy: IfNotPresent
+        name: install-cni-binaries
+        resources:
+          requests:
+            cpu: 100m
+            memory: 10Mi
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /host/opt/cni/bin
+          name: cni-path
       - command:
         - /init-container.sh
         env:
@@ -551,7 +567,7 @@ spec:
               key: clean-cilium-bpf-state
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.12.5
+        image: quay.io/cilium/cilium:v1.12.10
         imagePullPolicy: IfNotPresent
         name: clean-cilium-state
         resources:
@@ -688,7 +704,7 @@ spec:
           value: api.internal.minimal-warmpool.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/operator:v1.12.5
+        image: quay.io/cilium/operator:v1.12.10
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:

tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_nodeupconfig-nodes_content

@@ -66,8 +66,8 @@ useInstanceIDForNodeName: true
 usesLegacyGossip: false
 usesNoneDNS: false
 warmPoolImages:
-- quay.io/cilium/cilium:v1.12.5
-- quay.io/cilium/operator:v1.12.5
+- quay.io/cilium/cilium:v1.12.10
+- quay.io/cilium/operator:v1.12.10
 - registry.k8s.io/kube-proxy:v1.26.0
 - registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.14.1
 - registry.k8s.io/provider-aws/cloud-controller-manager:v1.26.0

tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content

@@ -207,7 +207,7 @@ spec:
       sidecarIstioProxyImage: cilium/istio_proxy
       toFqdnsDnsRejectResponseCode: refused
       tunnel: vxlan
-      version: v1.12.5
+      version: v1.12.10
   nonMasqueradeCIDR: 100.64.0.0/10
   podCIDR: 100.96.0.0/11
   secretStore: memfs://tests/scw-minimal.k8s.local/secrets

tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-bootstrap_content

@@ -62,7 +62,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.12.yaml
-    manifestHash: 2a401de64e2b3059502cd039f8da8da993b4e1577d202fb1b02f154a7850ee73
+    manifestHash: 6fae0d9dfb1e3c9adeaa10ec433a5cd5b738149e5e50bd9c1522618911a8a8f1
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-networking.cilium.io-k8s-1.16_content

@@ -454,7 +454,7 @@ spec:
           value: api.internal.scw-minimal.k8s.local
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.12.5
+        image: quay.io/cilium/cilium:v1.12.10
         imagePullPolicy: IfNotPresent
         lifecycle:
           postStart:
@@ -519,8 +519,6 @@ spec:
           name: bpf-maps
         - mountPath: /var/run/cilium
           name: cilium-run
-        - mountPath: /host/opt/cni/bin
-          name: cni-path
         - mountPath: /host/etc/cni/net.d
           name: etc-cni-netd
         - mountPath: /var/lib/cilium/clustermesh
@@ -536,6 +534,24 @@ spec:
           name: xtables-lock
       hostNetwork: true
       initContainers:
+      - command:
+        - /install-plugin.sh
+        image: quay.io/cilium/cilium:v1.12.10
+        imagePullPolicy: IfNotPresent
+        name: install-cni-binaries
+        resources:
+          requests:
+            cpu: 100m
+            memory: 10Mi
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /host/opt/cni/bin
+          name: cni-path
       - command:
         - /init-container.sh
         env:
@@ -551,7 +567,7 @@ spec:
               key: clean-cilium-bpf-state
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.12.5
+        image: quay.io/cilium/cilium:v1.12.10
         imagePullPolicy: IfNotPresent
         name: clean-cilium-state
         resources:
@@ -688,7 +704,7 @@ spec:
           value: api.internal.scw-minimal.k8s.local
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/operator:v1.12.5
+        image: quay.io/cilium/operator:v1.12.10
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:

tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content

@@ -229,7 +229,7 @@ spec:
       sidecarIstioProxyImage: cilium/istio_proxy
       toFqdnsDnsRejectResponseCode: refused
       tunnel: disabled
-      version: v1.12.5
+      version: v1.12.10
   nonMasqueradeCIDR: 100.64.0.0/10
   podCIDR: 100.96.0.0/11
   secretStore: memfs://clusters.example.com/privatecilium.example.com/secrets

tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content

@@ -48,7 +48,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.12.yaml
-    manifestHash: a74648938bd05093db333999da4d5acb9277c5d4111f5919a19d1e980f544e4b
+    manifestHash: 6c62e2232c454c915ee5eaba78b28b4e2b26df64dd006a736a2cb2d7235b40d5
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content

@@ -457,7 +457,7 @@ spec:
           value: api.internal.privatecilium.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.12.5
+        image: quay.io/cilium/cilium:v1.12.10
         imagePullPolicy: IfNotPresent
         lifecycle:
           postStart:
@@ -522,8 +522,6 @@ spec:
           name: bpf-maps
         - mountPath: /var/run/cilium
           name: cilium-run
-        - mountPath: /host/opt/cni/bin
-          name: cni-path
         - mountPath: /host/etc/cni/net.d
           name: etc-cni-netd
         - mountPath: /var/lib/cilium/clustermesh
@@ -539,6 +537,24 @@ spec:
           name: xtables-lock
       hostNetwork: true
       initContainers:
+      - command:
+        - /install-plugin.sh
+        image: quay.io/cilium/cilium:v1.12.10
+        imagePullPolicy: IfNotPresent
+        name: install-cni-binaries
+        resources:
+          requests:
+            cpu: 100m
+            memory: 10Mi
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /host/opt/cni/bin
+          name: cni-path
       - command:
         - /init-container.sh
         env:
@@ -554,7 +570,7 @@ spec:
               key: clean-cilium-bpf-state
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.12.5
+        image: quay.io/cilium/cilium:v1.12.10
         imagePullPolicy: IfNotPresent
         name: clean-cilium-state
         resources:
@@ -691,7 +707,7 @@ spec:
           value: api.internal.privatecilium.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/operator:v1.12.5
+        image: quay.io/cilium/operator:v1.12.10
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:

tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content

@@ -237,7 +237,7 @@ spec:
       sidecarIstioProxyImage: cilium/istio_proxy
       toFqdnsDnsRejectResponseCode: refused
       tunnel: vxlan
-      version: v1.12.5
+      version: v1.12.10
   nonMasqueradeCIDR: 100.64.0.0/10
   podCIDR: 100.96.0.0/11
   secretStore: memfs://clusters.example.com/privatecilium.example.com/secrets

tests/integration/update_cluster/privatecilium/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content

@@ -48,7 +48,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.12.yaml
-    manifestHash: d1db96e7bf2e42c0e9514182f66fc48ca5eca29063c103f5e1b73c770f750c3a
+    manifestHash: b1fd164b9daad8e508ed4586271d5646be9696e1f23a15b9a79d12f771eb9ed9
     name: networking.cilium.io
     needsRollingUpdate: all
     selector: