🌱 Bump github.com/cilium/cilium from 1.15.5 to 1.16.4 #265

Closed

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Dec 11, 2024

Bumps github.com/cilium/cilium from 1.15.5 to 1.16.4.

Release notes

Sourced from github.com/cilium/cilium's releases.

1.16.4

Security Advisories

This release addresses GHSA-xg58-75qf-9r67.

Summary of Changes

Minor Changes:

  • Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR #35908, Upstream PR #35809, @​jrajahalme)
  • clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR #35543, Upstream PR #35349, @​giorio94)
  • helm: Lower default hubble.tls.auto.certValidityDuration to 365 days (Backport PR #35781, Upstream PR #35630, @​chancez)
  • helm: New socketLB.tracing flag (Backport PR #35781, Upstream PR #35747, @​pchaigno)
  • hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR #35781, Upstream PR #35632, @​chancez)
  • netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport PR #35543, Upstream PR #35306, @​jrife)

Bugfixes:

  • Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR #35468, Upstream PR #35179, @​wedaly)
  • bgpv1: fix reconciliation of services with shared VIPs (Backport PR #35468, Upstream PR #35333, @​rastislavs)
  • bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR #35863, Upstream PR #35690, @​YutaroHayakawa)
  • bgpv2: set local peering address when specified (Backport PR #35781, Upstream PR #35552, @​harsimran-pabla)
  • Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport PR #35603, Upstream PR #35150, @​jrajahalme)
  • Cilium's DNS proxy no longer gets stuck for a specific five-tuple if a timeout waiting for response error is encountered. (Backport PR #35781, Upstream PR #35589, @​bimmlerd)
  • config: Remove superfluous warning on native routing CIDR (Backport PR #35781, Upstream PR #35738, @​gandro)
  • Fix missing flowlabel hash on SRv6 traffic. (Backport PR #35781, Upstream PR #35498, @​akaliwod)
  • Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR #35543, Upstream PR #35173, @​smagnani96)
  • Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport PR #35781, Upstream PR #35673, @​giorio94)
  • Fix redirect from L3 device to remote endpoint via overlay network. (Backport PR #35468, Upstream PR #35165, @​julianwiedmann)
  • Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR #35908, Upstream PR #35694, @​julianwiedmann)
  • Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport PR #35781, Upstream PR #35599, @​squeed)
  • Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport PR #35543, Upstream PR #35293, @​squeed)
  • Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport PR #35906, Upstream PR #35890, @​squeed)
  • cilium/cilium#35611@​pippolo84)
  • helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport PR #35319, Upstream PR #35301, @​hox)
  • helm: fix duplicate configmap key for bpf-lb-sock-terminate-pod-connections (Backport PR #35781, Upstream PR #35703, @​solidDoWant)
  • helm: set automountServiceAccountToken to false for hubble-relay sa (Backport PR #35781, Upstream PR #35674, @​ayuspin)
  • hubble: fix endpoint cluster name (Backport PR #35781, Upstream PR #35415, @​kaworu)
  • hubble: Lock exporters while gathering metrics (Backport PR #35908, Upstream PR #35860, @​joestringer)
  • Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for them. (Backport PR #35781, Upstream PR #35143, @​jrajahalme)
  • ipam: Validate CiliumNode resource in ENI mode (Backport PR #35792, Upstream PR #35784, @​sayboras)
  • l7lb: fix registration of flag loadbalancer-l7 (Backport PR #35781, Upstream PR #35623, @​mhofstetter)
  • Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport PR #35319, Upstream PR #35069, @​chancez)
  • option: Reduce log level for WG strict mode + IPv6 (Backport PR #35908, Upstream PR #35763, @​pchaigno)
  • Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (Backport PR #35468, Upstream PR #35381, @​jrajahalme)
  • treewide: Add wrapper for netlink functions that may fail with ErrDumpInterrupted (Backport PR #35654, Upstream PR #35614, @​gandro)
  • wireguard: Fix connectivity issues following node reboots. (Backport PR #35908, Upstream PR #35750, @​jrife)

CI Changes:

  • .github/conformance-ginkgo: replace deprecated jq flag (Backport PR #35468, Upstream PR #35399, @​aanm)

... (truncated)

Changelog

Sourced from github.com/cilium/cilium's changelog.

v1.16.4

... (truncated)

Commits
  • 0380724 Prepare for release v1.16.4
  • a7d4aed gha: additionally test kvstore mode in IPSec workflows
  • 3f66742 gha: additionally test kvstore mode in E2E upgrade workflow
  • bb6fc94 makefile: add target to install Cilium in kvstore mode
  • 36fdc3e docs: update 1.16 upgrade note for LRP
  • 988c335 endpoint: silence metadata resolver not found errors during restoration
  • 0203bcb loader: bail out if context is closed after serialization
  • 591adb3 chore(deps): update cilium-envoy dependency
  • ce744df endpoint: don't start DNS history trigger when parsing endpoint
  • 212a6ff proxy: Ensure ports are stored on shutdown
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added the dependencies dependency updates including security fixes label Dec 11, 2024

dependabot bot commented on behalf of github Dec 11, 2024

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/cilium/cilium-1.16.4 branch 4 times, most recently from 0f14b50 to 76e7770 Compare December 12, 2024 02:54
@rahulait

@dependabot rebase


dependabot bot commented on behalf of github Dec 12, 2024

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/cilium/cilium-1.16.4 branch 2 times, most recently from 7e2aa86 to d98e50c Compare December 12, 2024 22:15
Bumps [github.com/cilium/cilium](https://github.com/cilium/cilium) from 1.15.5 to 1.16.4.
- [Release notes](https://github.com/cilium/cilium/releases)
- [Changelog](https://github.com/cilium/cilium/blob/1.16.4/CHANGELOG.md)
- [Commits](cilium/cilium@1.15.5...1.16.4)

---
updated-dependencies:
- dependency-name: github.com/cilium/cilium
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/cilium/cilium-1.16.4 branch from d98e50c to b977bd9 Compare December 16, 2024 15:13

dependabot bot commented on behalf of github Dec 17, 2024

Looks like github.com/cilium/cilium is up-to-date now, so this is no longer needed.

@dependabot dependabot bot closed this Dec 17, 2024
@dependabot dependabot bot deleted the dependabot/go_modules/github.com/cilium/cilium-1.16.4 branch December 17, 2024 15:41