Update module github.com/cilium/cilium to v1.17.0-rc.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/cilium/cilium	v1.17.0-pre.2 -> v1.17.0-rc.0

Trigger E2E tests:

/run app-test-suites

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.17.0-rc.0: 1.17.0-rc.0

Compare Source

Summary of Changes

Major Changes:

• Add support for pod level Networking QoS classes with BW Manager and FQ (#​36025, @​hemanthmalla)
• bgp: remove metallb bgp integration. (#​36191, @​harsimran-pabla)
• CLI: cilium upgrade preserve prev config (#​36347, @​saiaunghlyanhtet)
• HTTP policies are now supported on port ranges. (#​36056, @​jrajahalme)

Minor Changes:

• Add option for user-supplied Envoy bootstrap configmaps in helm chart (#​35597, @​byxorna)
• Adds the ability to add labels to external CIDRs for policy selection and Hubble flows. (#​36087, @​squeed)
• Allow delegated IPAM to specify uplink interface (#​34779, @​ruicao93)
• Batch processing of Service and EndpointSlices up to 200 milliseconds to merge repeated changes to a single Service. This significantly reduces the amount of processing Cilium performs for Services with many EndpointSlices. (#​36466, @​joamaki)
• BGP: Introducing metrics for tracking health of BGP subsystem reconcile loop (#​36369, @​harsimran-pabla)
• bpffs: Use defaults.BPFFSRoot to distinguish default/custom BPF FS mount location (#​36150, @​rastislavs)
• CFP: Egress Gateway Additional NodeSelectors (#​35421, @​chaunceyjiang)
• cilium-cli: Derive the default version from cilium/charts (#​36344, @​michi-covalent)
• ciliumidentity: Fixes missing enqueue time tracker entries (#​36548, @​ovidiutirla)
• docs, daemon: Deprecate high-scale ipcache mode (#​36373, @​pchaigno)
• docs: Remove cassandra and memcached examples (#​36477, @​joestringer)
• Documentation: Add more details regarding svc lb map sizing. (#​36217, @​tommyp1ckles)
• endpoint: Add an option to lock endpoints down (that is, drop all traffic) when their policy maps overflow. (#​35042, @​nathanjsweet)
• envoy: Bump cilium-envoy to latest version (#​36295, @​sayboras)
• hive/metrics: Fix flaky test (#​36418, @​ovidiutirla)
• k8s: Bump k8s to v1.32.0 (#​36534, @​sayboras)
• k8s: Bump k8s to v1.32.rc-2 (#​36412, @​sayboras)
• operator: Add more common metrics to operator (kvstore, rate-limiting, version) (#​36014, @​odinuge)
• service: Cap number of backends included in monitor message (#​36394, @​joamaki)
• The agent now tries to deduplicate the strings and maps holding Kubernetes labels and annotations to reduce overall memory consumption. (#​36294, @​joamaki)

Bugfixes:

• Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (#​36484, @​julianwiedmann)
• bgpv2: Do not fail if PeerAddress is not configured for a peer (#​36488, @​rastislavs)
• Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (#​36252, @​bimmlerd)
• cilium: LB source ranges fixes (#​36517, @​borkmann)
• DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (#​36142, @​jrajahalme)
• Do not leak ipcache entries when apiserver entities are cluster external (#​35868, @​hemanthmalla)
• eni.subnetTagsFilter and eni.instanceTagsFilter are now templated to comma separated string (#​36617, @​sderoe)
• Fix connectivity issue caused by stale cilium eBPF program when using --bpf-filter-priority (#​36176, @​tamilmani1989)
• gateway-api: Fix gateway checks for namespace (#​35452, @​sayboras)
• helm: avoid setting bpf-lb-sock-terminate-pod-connections (#​36508, @​ysksuzuki)
• metrics/features: remove reporting metrics' defaults by default (#​36298, @​aanm)
• Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (#​36504, @​viktor-kurchenko)
• sysctlfix: close systemd config file before triggering reload (#​36368, @​dylandreimerink)
• ui: drop CORS headers from api response (#​35762, @​geakstr)

CI Changes:

• .github/workflows: Enable DualStack for conformance-kind-proxy-embedded (#​36398, @​dylandreimerink)
• ariane: don't run tests for renovate config changes (#​36543, @​tklauser)
• bpf/tests: test ipv6 udp packets when redirecting from l3 to l2 (#​36536, @​rgo3)
• ci/ipsec: Cilium agents in ci-ipsec-e2e no longer share host's boot ID (#​35951, @​jschwinger233)
• ci: add network policy scale test (#​35278, @​marseel)
• ci: configure connectivity test in delegated ipam e2e (#​36475, @​wedaly)
• ci: datapath-verifier: also run on 6.12 kernel (#​36619, @​julianwiedmann)
• ci: fix job names for various ci workflows (#​36397, @​marseel)
• cilium-cli/connectivity: disable warning log checks before v1.17 (#​36358, @​giorio94)
• cilium-cli/connectivity: fix IPv6 feature check for 2ndary node IPv6 (#​36513, @​tklauser)
• Fix cilium CLI connectivity tests in IPv6-only clusters. (#​36026, @​wedaly)
• gh: conformance-clustermesh: test with IPsec + BPF NodePort (#​36384, @​julianwiedmann)
• gh: e2e-upgrade: add coverage for 6.12 kernel (#​36640, @​julianwiedmann)
• gh: e2e-upgrade: add coverage for 6.6 kernel (#​36626, @​julianwiedmann)
• gh: e2e-upgrade: de-renovate the config example (#​36463, @​julianwiedmann)
• gha: always collect and upload sysdump if 100 nodes scale test fails (#​36367, @​giorio94)
• gha: always respect the given image-tag in the helm-default action (#​36293, @​giorio94)
• gha: configure environment in build-images-base/image-digests job (#​36318, @​giorio94)
• gha: default the helm-default image-tag also in pull request workflows (#​36314, @​giorio94)
• gha: Enable parallel requests for L7 tests (#​36623, @​sayboras)
• gha: extra Cilium agents CPU and Mem metrics in clustermesh scale test (#​36481, @​giorio94)
• gha: Use ubuntu-24.04 for integration-test (#​36628, @​sayboras)
• Quarantine of high-scale IPcache (#​36376, @​Artyop)
• test/k8s: remove unused migrate-svc manifests (#​36388, @​tklauser)
• Update oss-fuzz CI workflow (#​36472, @​joestringer)

Misc Changes:

• .gitattributes: Syntax highlight bpftrace script (#​36512, @​pchaigno)
• .github/workflows: do not fail ginkgo if unable to fetch features (#​36461, @​aanm)
• .github: fix conformance-k8s NP test (#​36355, @​aanm)
• Add documentation for feature metrics (#​36579, @​aanm)
• Add Kakao to USERS.md (#​36630, @​gyutaeb)
• Add policy-related features tracking in Cilium agent as prometheus metrics (#​36203, @​aanm)
• Add test for generation and extraction of debug symbols. Add debug symbol support for gdb. (#​36515, @​EricMountain)
• Add the tls:// prefix in the Hubble TLS doc (#​36410, @​liyihuang)
• Add versioning to drop notify events. (#​35413, @​sypakine)
• api: silence warning if API response failed due to connection closed (#​36332, @​giorio94)
• bgp: remove metallb-bgp documentation (#​36306, @​harsimran-pabla)
• bpf: add host_wg_encrypt hook (#​36266, @​rgo3)
• bpf: Avoid implicit shorten-64-to-32 in clang 19 (#​36186, @​sayboras)
• bpf: host: exit early when to-host handles to-proxy traffic (#​36395, @​julianwiedmann)
• bpf: host: minor cleanups (#​36574, @​julianwiedmann)
• bpf: host: misc improvements for cil_from_netdev() / cil_from_host() (#​36360, @​julianwiedmann)
• bpf: host: remove unused code in handle_netdev() (#​36328, @​julianwiedmann)
• bpf: nodeport: forward L7 svc traffic straight to proxy (#​36383, @​julianwiedmann)
• bpf: proxy: cleanup ctx_redirect_to_proxy_first_tproxy() (#​36382, @​julianwiedmann)
• bpf: proxy: split out the TPROXY parts from ctx_redirect_to_proxy_first() (#​36327, @​julianwiedmann)
• build(deps): bump tornado from 6.4.1 to 6.4.2 in /Documentation (#​36586, @​dependabot[bot])
• Bump github.com/mdlayher/arp to latest, adjust usage (#​36571, @​tklauser)
• Bump StateDB to v0.3.4 and refactor db command usages (#​36325, @​joamaki)
• certloader: prevent panic when Watcher.Stop is called multiple times (#​36366, @​devodev)
• chore(deps): update all github action dependencies (main) (#​36439, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#​36501, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#​36605, @​cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#​36436, @​cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#​36606, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#​36316, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#​36440, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#​36499, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.16.22 (main) (#​36500, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.21 (main) (#​36420, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.22 (main) (#​36514, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.23.4 docker digest to 7003184 (main) (#​36604, @​cilium-renovate[bot])
• chore(deps): update go to v1.23.4 (main) (#​36437, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.3-1733229491-16e43f505747e9351d9e96927f02d72eecffa3e4 (main) (#​36348, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.4-1733710912-e119b3d3cbe9727886d0a502a5dcfc3d55acbe58 (main) (#​36453, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.4-1734096493-fff09f16c2c269b22509c86dfc1d3e8f52eb3857 (main) (#​36607, @​cilium-renovate[bot])
• Cilium-cli connectivity test now supports use of parallel requests with curl (#​35949, @​jrajahalme)
• cilium: Dump supported svc annotations (#​36353, @​borkmann)
• cilium: streamline lb mode config to lb alg (#​36297, @​borkmann)
• CODEOWNERS: Add feature owners for masquerade (#​36378, @​joestringer)
• CODEOWNERS: create new group hubble-metrics (#​35991, @​rectified95)
• Connecticity tests with L7 policies and port ranges are skipped on Cilium releases prior to 1.17. (#​36460, @​jrajahalme)
• connectivity: run client-egress-to-cidrgroup-deny conditionally (#​36426, @​aanm)
• contrib: suppress noop taint removal (#​36539, @​nebril)
• daemon: disable dependent bpf-sock-lb options if bpf-sock-lb=false (#​36396, @​tklauser)
• datapath/linux: Fix neighbor table index conversions (#​36429, @​rastislavs)
• datapath/linux: Remove device's neighbors upon device deletion (#​36424, @​rastislavs)
• datapath/tables: Add Neighbor statedb table and populate it in Devices Controller (#​36317, @​rastislavs)
• Decouple orchestrator from the local node store multicast stream (#​36331, @​pippolo84)
• defaults: bump FQDN max ips per host (#​36255, @​bimmlerd)
• docs: Add missing default identity label in the description of identity-relevant labels' example (#​36558, @​liyihuang)
• docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (#​36549, @​verysonglaa)
• docs: Fix typo in multi-pool section title (#​36305, @​joestringer)
• docs: system-requirements: require 5.4 kernel (#​36386, @​julianwiedmann)
• Don't mark KVstoreLeaseTTL flag as hidden (#​36380, @​hemanthmalla)
• Endpoint populate new policymap early if empty (#​36361, @​jrajahalme)
• endpoint: stop regenerating all endpoints on every identity allocation; switch to periodic regens instead. (#​35815, @​squeed)
• Ensure debug symbols are generated for the debug image even when stripping symbols for the release image. (#​36417, @​EricMountain)
• envoy: Pass tofqdns-proxy-response-max-delay to Envoy (#​36330, @​jrajahalme)
• envoy: remove incorrect comments (#​36385, @​tklauser)
• envoy: update to latest version (#​36622, @​mhofstetter)
• experimental: ShadowInstances from many sources (#​35810, @​DamianSawicki)
• fix(deps): update all go dependencies main (main) (#​36272, @​cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (#​36454, @​cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (#​36550, @​cilium-renovate[bot])
• fix(deps): update aws-sdk-go-v2 monorepo (main) (#​36438, @​cilium-renovate[bot])
• fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (main) (#​36529, @​cilium-renovate[bot])
• fix: set netpol disablement values before disabling CEP (#​36339, @​jshr-w)
• images: Use cilium-builder image instead of golang to build hubble (#​35697, @​learnitall)
• ipcache: Remove metric for idempotent operations (#​35367, @​joestringer)
• Isolate node-to-node encryption tests to wireguard (#​36556, @​ldelossa)
• k8s: Bump k8s to v1.32.rc-1 (#​36352, @​sayboras)
• lock: Remove StoppableWaitGroup.Done(), return done function from Add() (#​35892, @​joamaki)
• Lower interval for icmp probes and stop on first success (#​36400, @​marseel)
• maglev: Cleanup implementation (#​35885, @​joamaki)
• make: Fix kind-image-fast-agent (#​36545, @​brb)
• make: Fix kind-image-fast-agent from scratch (#​36587, @​joestringer)
• make: Update cilium-bugtool upon fast target (#​36516, @​brb)
• metrics/features: enable ClusterMesh (#​36402, @​aanm)
• metrics: Sample metrics periodically and dump samples as part of sysdump (#​35916, @​joamaki)
• Miscellaneous improvements and fixes concerning the endpoints UID checks and surrounding logic (#​36392, @​giorio94)
• Miscellaneous improvements to the etcd ListAndWatch implementation (#​36091, @​giorio94)
• node: remove refresh parameter from NodeNeighborRefresh (#​36319, @​mhofstetter)
• nodemanager: cleanup clusternodesclient (#​36315, @​mhofstetter)
• pkg/endpoint: delete unused const backupDirectorySuffix in directory.go (#​36601, @​Sm0ckingBird)
• Policy: move ingestion to cell, batch updates (#​36044, @​squeed)
• Prepare for release v1.17.0-pre.3 (#​36300, @​cilium-release-bot[bot])
• Prepare v1.17 stable branch (#​36627, @​aanm)
• promise: Replace go routine with context.AfterFunc (#​36185, @​gandro)
• proxy: Take proxy port reference for new redirects immediately (#​36435, @​jrajahalme)
• proxyports: Resolve data races in test (#​36399, @​jrajahalme)
• proxyports: Sleep a bit longer in tests (#​36389, @​jrajahalme)
• README: Update releases (#​36304, @​aanm)
• renovate: do not pin digest for helm/kind-action (#​36459, @​aanm)
• renovate: re-enable updates for github.com/mdlayher/arp (#​36542, @​tklauser)
• Update documentation for egress masquerading behavior (#​36267, @​liyihuang)
• Update Service Mesh Makefile targets (#​36350, @​youngnick)
• Use bash syntax to consume env variable (#​36544, @​ferozsalam)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.0-rc.0@​sha256:fd460ee60e3d5dc785128539aa4cf7e2f797b994602d27ec69146eb50fbf4b95

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.0-rc.0@​sha256:f02419adf8265518f464a15a5434cbdab870b60930a2f0017a3bd0d9cd6f77d7

docker-plugin

quay.io/cilium/docker-plugin:v1.17.0-rc.0@​sha256:79e817b338e9921c093d3dac80005054f37a3bf96f37b54cfbbe8a7f5e9920dc

hubble-relay

quay.io/cilium/hubble-relay:v1.17.0-rc.0@​sha256:ecf1a7133c73603a59dacabb2ca3756b938465bc05d78396e3bca3afd63b90ed

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.0-rc.0@​sha256:296eadb324441538049996ae3a780db1ac909d98c9f820fdeee110023fbf3a94

operator-aws

quay.io/cilium/operator-aws:v1.17.0-rc.0@​sha256:f204409d9fb9e176a062c16eb9f6c564bbed450b06409f3f2afe9cbddb9af8fe

operator-azure

quay.io/cilium/operator-azure:v1.17.0-rc.0@​sha256:9e77740f394b0ec27c6a51f6bee239e40fc9f5b3cd70bd7bcc4244c1ad538ea7

operator-generic

quay.io/cilium/operator-generic:v1.17.0-rc.0@​sha256:2b60ecc195ed929113e49d648aad491981153693a905bff93d5939f93c97bd8f

operator

quay.io/cilium/operator:v1.17.0-rc.0@​sha256:cdac6386e20e1520d42a9e1b94e8ce5d3736562c44fe4b0da35cb3ddbdeea68f

v1.17.0-pre.3: 1.17.0-pre.3

Compare Source

Summary of Changes

Major Changes:

• Add feature tracking in Cilium agent as prometheus metrics (#​35852, @​aanm)
• Add feature tracking in Cilium Operator as prometheus metrics (#​36077, @​aanm)
• Allow users to override the load balancing algorithm for Services by setting the service.cilium.io/lb-algorithm annotation. (#​35735, @​kl52752)
• Cilium now sends TLS Interception and Header manipulation secrets referenced in CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy by reference using SDS, using the same secret synchronization method used for Ingress, Gateway API, and BGP control plane secrets. (#​35513, @​youngnick)
• feat: add dynamically configured Hubble metrics (#​35185, @​rectified95)

Minor Changes:

• Add a commonLabel to all cilium deployed resources (#​35628, @​strongjz)
• Add cli support for impersonation --as and --as-group flags (#​35240, @​cnmcavoy)
• Add Multi-Pool Pre-Allocation Helm chart setting (#​35812, @​CallMeFoxie)
• Add new batched iterator type in pkg/bpf (#​35079, @​tommyp1ckles)
• Add the option --health-check-icmp-failure-threshold to set the number of ICMP requests to send during health checking before marking a node or endpoint as unreachable. (#​36023, @​pippolo84)
• Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (#​35809, @​jrajahalme)
• Added Lock and Unlock metric for kvstore locks (#​36037, @​odinuge)
• Adjust verification for tunnel-protocol and routing-mode in helm templates to remove occurrence of duplicate entries in rendered configmap. Remove constraint on tunnelProtocol for aksbyocni. (#​36226, @​jonasbadstuebner)
• AWS AL2023 support (#​36076, @​viktor-kurchenko)
• bgp: Add neighbor_asn label to BGP metrics (#​35503, @​mikejoh)
• bgpv2: Add a knob to disable CRD status reporting (#​35976, @​YutaroHayakawa)
• bpf: Enforce symmetric routing for endpoints with parent interfaces (#​35298, @​dylandreimerink)
• cilium: Add option for lb src ranges to act as deny cidr list (#​36120, @​borkmann)
• connectivity health checking: improve the reliability of health checking at large scales by rate-limiting probes (#​35163, @​jshr-w)
• Decouples the creation of metrics services from ServiceMonitors in the Cilium Helm chart, providing greater flexibility for Prometheus integration. (#​36013, @​saiaunghlyanhtet)
• Disable deprecated support for running the Cilium KVStore in pod network (#​35741, @​giorio94)
• Don't mark the agent as ready until successfully connecting to the kvstore (if enabled) (#​36035, @​giorio94)
• Egress masquerade multiple interfaces fix (#​36103, @​viktor-kurchenko)
• envoy: Bump envoy version to v1.31 (#​35959, @​sayboras)
• helm: New socketLB.tracing flag (#​35747, @​pchaigno)
• hubble: from and to cluster filters (#​33325, @​kaworu)
• hubble: Stop building 32-bit binaries (#​35974, @​michi-covalent)
• images: Update LLVM to 18.1.8 (#​36197, @​sayboras)
• Improve the CiliumNode to KVStore synchronization logic of the Cilium operator (#​35840, @​giorio94)
• introducing a new CLI option to display ipcache information by labels or cidr (#​35275, @​vasu-dasari)
• k8s: Add support for 1.32.0 (#​36235, @​sayboras)
• Limit FQDNS matchName and matchPattern length to 255 characters (#​35577, @​rudrakhp)
• operator: improve the responsiveness of tainting and setting conditions on k8s nodes (#​35785, @​marseel)
• operator: make max consecutive quorum errors configurable (#​36033, @​giorio94)
• policy: Add selectorcache cardinality metrics (#​35859, @​joestringer)
• Remove support for the insecure, deprecated global IPsec key. Per-tunnel IPsec keys will now be used regardless of the IPsec secret format. (#​34709, @​pchaigno)
• Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (#​35900, @​smagnani96)
• Stop propagating duplicate health and ingress endpoint information to the kvstore (#​35997, @​giorio94)
• sysdump: respect worker count and collect Cilium profiling data as first task (#​35897, @​giorio94)

Bugfixes:

• bgp: fix race in bgp stores (#​35971, @​harsimran-pabla)
• BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (#​36230, @​rastislavs)
• bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (#​35690, @​YutaroHayakawa)
• BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (#​36165, @​rastislavs)
• bpf:nat: restore a NAT entry if its REV NAT is not found (#​35304, @​sugangli)
• Cilium agent now waits until endpoints have restored before starting accepting new xDS streams. (#​35984, @​jrajahalme)
• cilium-cli/connectivity: fix nil-pointer dereference if minimum version can't be detected (#​35802, @​tklauser)
• cilium-health-ep controller is made to be more robust against successive failures. (#​35936, @​jrajahalme)
• config: Remove superfluous warning on native routing CIDR (#​35738, @​gandro)
• Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (#​36060, @​jrajahalme)
• Export Map{Key,Value} fields to prevent map {get,list} handler panics. (#​36219, @​tommyp1ckles)
• Fix bug that would break all pod-to-pod connectivity when using the per-tunnel IPsec key system. (#​35806, @​pchaigno)
• Fix identity leak for kvstore identity mode (#​34893, @​odinuge)
• Fix incorrect trace reason for egress packets when WireGuard is used with Host Firewall. (#​35354, @​smagnani96)
• Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (#​36292, @​giorio94)
• Fix: cilium-cli install --repository flag respects repository even with cached versions. (#​35670, @​renyunkang)
• Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (#​35694, @​julianwiedmann)
• Fixes a bug where identities may be leaked if a pod changes labels and is immediately deleted. (#​35947, @​orange30)
• Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (#​35890, @​squeed)
• Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (#​35624, @​pippolo84)
• helm: fix duplicate configmap key for bpf-lb-sock-terminate-pod-connections (#​35703, @​solidDoWant)
• helm: set automountServiceAccountToken to false for hubble-relay sa (#​35674, @​ayuspin)
• helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (#​36005, @​devodev)
• hubble: consistently use v as prefix for the Hubble version (#​35891, @​rolinh)
• hubble: Lock exporters while gathering metrics (#​35860, @​joestringer)
• ipam: Avoid empty CIDR in ENI mode (#​35695, @​sayboras)
• ipam: Validate CiliumNode resource in ENI mode (#​35784, @​sayboras)
• iptables: Fix data race in iptables manager (#​35902, @​pippolo84)
• k8s: Avoid panic while checking ip mode (#​35782, @​sayboras)
• lrp: update LRP services with stale backends on agent restart (#​36036, @​ysksuzuki)
• option: Reduce log level for WG strict mode + IPv6 (#​35763, @​pchaigno)
• pkg/redirectpolicy: Fix backend slices in processConfig (#​35496, @​Sm0ckingBird)
• policy/correlation: Fix PolicyMatchL3Proto case (#​35680, @​gandro)
• Unbreak the cilium-dbg preflight migrate-identity command (#​36089, @​giorio94)
• Use strconv.Itoa instead of string() for the correct behavior when converting kafka.ErrorCode from int32 to string. Add relevant unit tests for Kafka plugin and handler. (#​35856, @​nddq)
• wireguard: Fix connectivity issues following node reboots. (#​35750, @​jrife)

CI Changes:

• .github: extend timeout for tests-e2e-upgrade workflow (#​35696, @​rastislavs)
• .github: quote arguments in bash string comparison (#​35842, @​devodev)
• .github: remove use of deprecated --disable-check cilium-cli option (#​35776, @​tklauser)
• .github: Use --input-file when testing piping flows into Hubble CLI (#​35858, @​chancez)
• Additionally test KVStore mode in E2E/IPSec workflows (#​35679, @​giorio94)
• ci: add watch request thresholds (#​35808, @​marseel)
• ci: fix cleanup of stale kops clusters. (#​35986, @​marseel)
• ci: fix native wireguard encryption (#​35520, @​marseel)
• CI: Update tested K8S versions (#​35726, @​brlbil)
• ci: use the VERSION file from the PR branch in push-charts-ci.yaml (#​35950, @​ferozsalam)
• cilium-cli/connectivity: allow to specify log levels to check (#​36231, @​tklauser)
• cilium-cli: Improve tcpdump termination timeout handling (#​36021, @​liyihuang)
• cilium-cli: retry exec-in-pod requests in case of transient errors (#​35961, @​tklauser)
• cilium-cli: Run BGP tests sequentially (#​35727, @​rastislavs)
• Cleanup leaked GCE kops clusters (#​35915, @​marseel)
• cli/connectivity: Check for unexpected warning logs (#​35723, @​pchaigno)
• cli: Don't ignore datapath bug packet drops (#​36105, @​pchaigno)
• datapath: Improve XFRM leak tests (#​35796, @​pchaigno)
• Enabling IPSec pod-to-pod-with-l7-policy-encryption connectivity test for v1.15 and v1.16. (#​35742, @​smagnani96)
• Fix flake in node manager TestNodeManagerEmitStatus test (#​36097, @​glrf)
• gha: Add coverage for policy secret sync (#​36040, @​sayboras)
• gha: Enable ingress-controller in e2e tests (#​36043, @​sayboras)
• gha: enable the log-errors check in the clustermesh upgrade workflow (#​35739, @​giorio94)
• gha: merge artifacts in net-perf-gke workflow (#​36236, @​giorio94)
• gha: test disabled kvstoremesh clustermesh upgrade/downgrade tests (#​36242, @​giorio94)
• gha: uniform downgrade settings in clustermesh upgrade/downgrade test (#​36239, @​giorio94)
• ginkgo: Get rid of K8sUpdates (#​35035, @​brb)
• github: bump LVH image versions (#​35719, @​julianwiedmann)
• github: Checkout code before running cilium/cilium-cli action (#​36117, @​michi-covalent)
• github: Pass the workflow step timeout to go test (#​35814, @​jrajahalme)
• github: Simplify the checkout logic (#​36190, @​michi-covalent)
• hubble: ignore some testifylint linter errors (#​36096, @​rolinh)
• ipsec: Fix arguments in XFRM IN policy test (#​36030, @​pchaigno)
• node_local_store: prevent racey tests while using mock node store. (#​35945, @​tommyp1ckles)
• renovate: Fix image updates for IP

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: tests/e2e/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 20 additional dependencies were updated

Details:

Package	Change
github.com/cilium/ebpf	v0.16.0 -> v0.16.1-0.20241212130635-98ede8ac7aa8
github.com/cilium/hive	v0.0.0-20241021113747-bb8f3c0bede4 -> v0.0.0-20241213121623-605c1412b9b3
github.com/cilium/proxy	v0.0.0-20240909042906-ae435a5bef38 -> v0.0.0-20241115112946-fb67566cbd95
github.com/cilium/statedb	v0.3.2 -> v0.3.4
github.com/cilium/stream	v0.0.0-20240816054136-71321e385273 -> v0.0.0-20241203114243-53c3e5d79744
github.com/docker/docker	v27.3.1+incompatible -> v27.4.0+incompatible
github.com/fsnotify/fsnotify	v1.7.0 -> v1.8.0
github.com/golang/groupcache	v0.0.0-20210331224755-41bb18bfe9da -> v0.0.0-20241129210726-2c02b8208cf8
github.com/gopacket/gopacket	v1.3.0 -> v1.3.1
github.com/prometheus/common	v0.60.0 -> v0.61.0
github.com/vishvananda/netns	v0.0.4 -> v0.0.5
go.opentelemetry.io/otel	v1.31.0 -> v1.32.0
go.opentelemetry.io/otel/metric	v1.31.0 -> v1.32.0
go.opentelemetry.io/otel/trace	v1.31.0 -> v1.32.0
golang.org/x/time	v0.7.0 -> v0.8.0
google.golang.org/genproto/googleapis/api	v0.0.0-20240903143218-8af14fe29dc1 -> v0.0.0-20241104194629-dd2ea8efbc28
google.golang.org/genproto/googleapis/rpc	v0.0.0-20241021214115-324edc3d5d38 -> v0.0.0-20241209162323-e6fa225c2576
google.golang.org/grpc	v1.67.1 -> v1.69.0
k8s.io/utils	v0.0.0-20241104100929-3ea5e8cea738 -> v0.0.0-20241210054802-24370beab758
sigs.k8s.io/mcs-api	v0.1.1-0.20241002142749-eff1ba8c3ab2 -> v0.1.1-0.20241209122601-8690854b517f

[tinkerers-ci]

app-test-suites - capa

Run name	cilium-app-app-test-suites-capa-zsvw7
Commit SHA	0625760
Result	Failed ❌

📋 View full results in Tekton Dashboard

Rerun trigger:
/run app-test-suites-single PROVIDER=capa

[mcharriere]

/run app-test-suites-single PROVIDER=capa

[tinkerers-ci]

app-test-suites - capa

Run name	pr-cilium-app-250-app-test-suites-singlenk2vj
Commit SHA	a579852
Result	Failed ❌

📋 View full results in Tekton Dashboard

Rerun trigger:
/run app-test-suites-single PROVIDER=capa

[mcharriere]

Test fails with:

# e2e/suites/basic [e2e/suites/basic.test]
./basic_suite_test.go:117:56: not enough arguments in call to k8s.NewClient
	have (string, string, string)
	want (string, string, string, string, []string)

which means the api changed and we need to update our test suite. I'll do it in a separated PR.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v1.17.0-rc.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.