diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000000000..05f25bdbc0ef6
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,329 @@
+# Changelog
+
+## v1.15.0-pre.3
+
+Summary of Changes
+------------------
+
+**Major Changes:**
+* Add dynamic flowlog exporters configured by yaml file (configmap) without a need of agent restart. (#28873, @marqc)
+* Add support for extending ClusterMesh to 511 clusters By setting the flag `--max-connected-clusters=511`, a new cluster will be able to connect to a ClusterMesh with up to 511 clusters. If enabled, the number of possible cluster-local identities will be reduced to 32,768. This feature can only be enabled on new clusters, and all clusters in the ClusterMesh must share the same configuration. (#27520, @thorn3r)
+* Add support for Gateway API v1.0 (#28836, @sayboras)
+* k8s: add support for k8s 1.29.0 (#29473, @aanm)
+
+**Minor Changes:**
+* Add a mode where routing is delegated to another CNI plugin. This enables support for using AWS security groups when chaining Cilium on top of AWS VPC CNI. (#29111, @Alex-Waring)
+* Add lbipam support for shared ips (#28806, @usiegl00)
+* Adds "best-effort" mode for XDP to skip interfaces without driver support (#28666, @poblahblahblah)
+* Adds affinity, nodeSelector, podSecurityContext and securityContext to the SPIRE agent deployment values (#29077, @meyskens)
+* Adds the CiliumPodIPPool selector type to BGP CP AdvertisedPathAttributes to match CiliumPodIPPool custom resources. Path attributes apply to routes announced for selected CiliumPodIPPools. (#28310, @danehans)
+* api, cli: Show srv6 status in cilium status (#28700, @husnialhamdani)
+* bgpv1: Add `cilium-dbg bgp route-policies` command & include it in the bugtool (#28973, @rastislavs)
+* bgpv1: Use kube-system namespace by default for MD5 secret (#29478, @YutaroHayakawa)
+* bpf: use bpf_xdp_load_bytes() / bpf_xdp_store_bytes() helpers when available (#29377, @julianwiedmann)
+* Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers.
(#28928, @jrajahalme)
+* cilium-dbg: Add statedb query support and commands to inspect statedb tables devices, routes and l2-announce. (#28872, @joamaki)
+* ciliumidentity resiliency improvement (#28912, @tommyp1ckles)
+* cmd/watchdogs: add health reporter to watchdog controller. (#29038, @tommyp1ckles)
+* Config option to customize the default IP Pool when using MultiPool (#28818, @chaunceyjiang)
+* Default client-go QPS and burst in agent and operator have been increased to 10 and 20 respectively for k8s versions 1.27+ (#29445, @marseel)
+* Deprecated helm options enableK8sEventHandover/enableCnpStatusUpdates were removed. Corresponding flag "enable-k8s-event-handover" in Agent and "cnp-status-update-interval" in operator were removed. (#29395, @marseel)
+* FQDN: transition to asynchronous IPCache APIs (#29036, @squeed)
+* gateway-api: Add support for gateway.infrastructure attribute (#29122, @sayboras)
+* gateway-api: Add supported features in GatewayClass status (#29116, @sayboras)
+* gateway-api: Check for required CRDs upon startup (#28982, @sayboras)
+* Handle IPv4 fragments in SNAT flows correctly. (#25340, @gentoo-root)
+* Hide empty columns by default in "kubectl get ciliumendpoints" output (#28744, @Iiqbal2000)
+* hubble-relay: Add support for peers joining during requests (#29326, @glrf)
+* Hubble: add option to filter for pods and services in any namespace (#28921, @glrf)
+* hubble: Add Support for filtering on HTTP headers (#28851, @ChrsMark)
+* hubble: Conditionally redact user info present in URLs in (L7) HTTP flows (#28848, @ioandr)
+* Improve Hubble Relay Kubernetes Readiness/Liveness check (#28765, @glrf)
+* init: Poll CRD synchronization times have been lowered from 1 second to 50ms. (#28954, @howardjohn)
+* Merge clustermesh-apiserver and kvstoremesh into a single image (#27888, @giorio94)
+* metric: provide way to declare labels.
(#27835, @tommyp1ckles)
+* mutual-auth: Bump spire image version (#29101, @sayboras)
+* Named ports in DNS policies are now resolved correctly. (#29023, @jrajahalme)
+* pkg/datapath: Remove defunct `--single-cluster-route` flag (#29221, @gandro)
+* policy: Cilium will not process or enforce network policies with port ranges or Kubernetes network policies that use "EndPort". (#28704, @nathanjsweet)
+* Propagate prefixed labels from Ingress resource to LB service (#28598, @log1cb0mb)
+* Remove deprecated tunnel option, and corresponding helm values setting (#29053, @giorio94)
+* Replace etcd init script used for clustermesh with a Go equivalent. Upgrade etcd to v3.5.10. (#29109, @JamesLaverack)
+* Replace metricsmap-bpf-prom-sync with Prometheus Collector pattern (#27370, @carnerito)
+* Respond with ICMP reply for traffic to services without backends (#28157, @dylandreimerink)
+* show DSR-dispatch mode in cilium-dbg status (#29217, @chaunceyjiang)
+* When tunneling is enabled, a packet will be encapsulated by Cilium's tunnel netdev before encrypting with WireGuard. (#29000, @brb)
+
+**Bugfixes:**
+* "envoy-admin" cluster is renamed as "/envoy-admin", requiring all references in CEC/CCEC to be updated. (#29020, @jrajahalme)
+* `ImplementationSpecific` Ingress paths (which for Cilium Ingress means regex path matches) are now sorted correctly in between `Exact` and `Prefix` matches. (#29381, @youngnick)
+* Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29307, @ti-mo)
+* bpf: Add TC_ACT_REDIRECT check for nodeport (#28927, @sayboras)
+* bpf: Fix drop of IPv6 reply traffic when 1) pod-originating connection is SNATed by iptables, and 2) Host Firewall is enabled. (#28813, @oblazek)
+* bpf: xdp: don't support GENEVE passthrough with DSR-Hybrid (#28959, @julianwiedmann)
+* Conntrack entries for Service connections are now printed in the canonical "source -> destination" format when using the "bpf ct list" command.
(#28913, @julianwiedmann)
+* ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (#29098, @julianwiedmann)
+* datapath: Fix ENI egress routing table for cilium_host IP (#29335, @gandro)
+* datapath: Fix primary flag in NodeAddress (#29483, @joamaki)
+* Do not skip FIB lookup when running in BPF Host Routing when Endpoint Routes enabled (#28264, @aspsk)
+* egressgateway: Use UID to identify CiliumEndpoints in epDataStore (#29124, @rastislavs)
+* egressgw: Fix the issue that an iptables SNAT rule in the host netns interferes packets to egress gw and bypass the egress GW policy (#29379, @ysksuzuki)
+* endpointmanager: fix bpf policy pressure getting stuck. (#28185, @tommyp1ckles)
+* endpointmanager: unmap ip for lookup (#29554, @tklauser)
+* Fix external workloads not working with non-default ClusterID (#29378, @giorio94)
+* Fix rendering helm operator-dashboard annotations (#29106, @Zariel)
+* Fix source identity determination for DSR with Geneve-dispatch, by looking it up from the ipcache. (#29155, @chez-shanpu)
+* Fix the Created timestamps in `cilium bpf nat list` that used to display the same values. (#27062, @gentoo-root)
+* Fixed label synchronization issues in Cilium, ensuring accurate representation of endpoint labels during restoration and addressing out-of-sync problems caused by label changes while the Cilium agent is down. (#29248, @aanm)
+* Fixes an L7 proxy issue by re-introducing 2005 route table. (#29530, @jschwinger233)
+* gateway-api: add watch for reference grant in TLSRoute reconciler (#29007, @mhofstetter)
+* gateway-api: Avoid redirect loop when the same host name is used for http and https listeners (#29115, @sayboras)
+* gateway: Ignore loadbalancer class for Gateway service (#29547, @sayboras)
+* Handle non-AEAD IPsec keys in `cilium encrypt status`.
(#29182, @viktor-kurchenko)
+* ingress: cleanup resources on changed ingress class field (#28886, @mhofstetter)
+* ingress: fix foreground deletion of Ingress (#29367, @mhofstetter)
+* Install loopback CNI atomically to protect against aborted copy (#29462, @akhilles)
+* ipam: Fix bug where IP lease did not expire (#29443, @gandro)
+* iptables: remove logic to control non-existent net.ipv6.ip_early_demux (#29310, @julianwiedmann)
+* k8s ingress & gateway api: fix unintentional deletion of shared envoy cluster resource (#28896, @mhofstetter)
+* l2announcer: Leases are only created for services that are being announced. (#29446, @f1ko)
+* lbipam: Fix off-by-one error in LBIPAM range allocation (#29425, @YutaroHayakawa)
+* neigh: Install neighbor entries only on devices where routes exist (#28782, @ysksuzuki)
+* Policy revert used in rare error cases has been corrected. (#29162, @jrajahalme)
+* Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (#29340, @aanm)
+* Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29202, @thorn3r)
+* statedb: Fix termination of string and IP keys (#29368, @joamaki)
+* When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces.
(#29160, @julianwiedmann)
+
+**CI Changes:**
+* Add 100 node scale test workflow (#29214, @learnitall)
+* ariane: Disable ci-e2e-upgrade (#29488, @brb)
+* bpf/tests: Fixed `loop not unrolled` error in pktgen (#28942, @dylandreimerink)
+* bpf: complexity-tests: add HAVE_FIB_NEIGH (#29348, @julianwiedmann)
+* ci aws: cleanup EKS cluster in separate job (#29412, @mhofstetter)
+* ci-clustermesh-upgrade: Increment timeout between rollouts to 5min (#29560, @mhofstetter)
+* ci-e2e-upgrade: Bring it on (#29073, @brb)
+* ci-e2e-upgrade: Remove setting CLI vsn (#29435, @brb)
+* ci-e2e: Use kernel 6.1 instead of 6.0 (#29345, @brb)
+* ci-gke: remove duplicated wait for cilium (#29542, @mhofstetter)
+* ci-ipsec-upgrade: Check for errors (#29189, @brb)
+* ci-ipsec-upgrade: Drop no-missed-tail-calls exclusion (#29325, @brb)
+* ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (#29072, @brb)
+* ci: add K8s 1.28 platform testing (#29004, @nbusseneau)
+* CI: Add merge_group trigger (#29276, @brlbil)
+* ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (#29455, @mhofstetter)
+* ci: Bump timeout of ci-runtime (#29317, @YutaroHayakawa)
+* ci: Bump up the memory of LVH in conformance-e2e (#29494, @michi-covalent)
+* ci: bypass proxy.golang.org in Go toolchain installation (#29549, @tklauser)
+* ci: disable envoy tracing in multi-pool workflow (#28966, @tklauser)
+* ci: don't write github commit status on push event (#29404, @mhofstetter)
+* ci: don't write github commit status on push event (#29438, @mhofstetter)
+* ci: fix deployment issue with multiple clusters in same region (#29427, @mhofstetter)
+* ci: fix dns issue when pulling cilium-docker-plugin in ci-runtime (#29502, @mhofstetter)
+* ci: fix merge group required checks (#29337, @brlbil)
+* ci: fix typo in clustermesh workflow job name (#29046, @tklauser)
+* ci: increase cilium wait timeout to 10m on cloud providers (#29541, @mhofstetter)
+* ci: increase disk size for GKE clusters
(ci-gke & ci-external-workloads) (#29528, @mhofstetter)
+* ci: migrate some schedule workflows to event trigger push (#29433, @mhofstetter)
+* ci: Remove useless quotes in update label workflow (#28952, @pippolo84)
+* cilium-cli action: Specify the repository parameter (#29338, @michi-covalent)
+* datapath: Clean up XFRM configs after unit tests (#29332, @pchaigno)
+* Drop support for EOLed Kubernetes versions (#29174, @michi-covalent)
+* egressgw: tests: wait for initial sync reconciliation (#29084, @jibi)
+* Extend BPF unit tests for IPsec (#28438, @jschwinger233)
+* Fix pre-flight clusterrole check (#29224, @marseel)
+* gh/workflows: Add lvh-kind action and use it in ci-e2e (#29485, @brb)
+* gh/workflows: Dump Cilium LB node logs in case of failure (#28808, @brb)
+* gh: datapath-verifier: also run on 6.1 kernel (#29349, @julianwiedmann)
+* gha: Enable Ingress Controller tests in conformance-e2e (#29130, @sayboras)
+* restore full go vet behaviour (#28945, @bimmlerd)
+* scale-test-100-gce: Use CILIUM_CLI_VERSION (#29562, @michi-covalent)
+* Set correct cluster name and id during upgrade test (#29165, @marseel)
+* Skip k8s upstream conformance test for multiple protocols on a Service (#29524, @youngnick)
+* Switch to on-demand instances for AWS tests on scheduled runs.
(#29366, @marseel)
+* Test upgrade/downgrade to patch release for IPsec (#28815, @qmonnet)
+* test/k8s: clean up unused manifests (#29436, @tklauser)
+* test: Use previous in-pod CLI name for updates (#29208, @joestringer)
+* tests-e2e-upgrade: Use CILIUM_CLI_VERSION (#29496, @michi-covalent)
+* Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (#29409, @giorio94)
+* workflows: Add debug info to IPsec key rotation test (#29353, @pchaigno)
+* workflows: move cilium_cli_version definition to set-env-variables action (#29237, @jibi)
+* workflows: Pin conn-disrupt-test GH action to main (#29402, @pchaigno)
+
+**Misc Changes:**
+* .github/workflows: only cancel concurrent jobs if not in merge_group (#29431, @aanm)
+* .github: do not group jobs on merge queues (#29551, @aanm)
+* Add AirQo to Cilium USERS.md (#29467, @123MwanjeMike)
+* Add an option to force BPF attachment to native device (#29176, @YutaroHayakawa)
+* Add CEP and CES resources (#29244, @pippolo84)
+* Add Cybozu to USERS.md (#29231, @chez-shanpu)
+* Add Dcode.tech to USERS.md (#28996, @eliranw)
+* Add IDNIC/Kadabra as user to Cilium (#28958, @ardikabs)
+* Add node activity health reporters on node manager (#28799, @derailed)
+* Add table for node addresses (#28962, @joamaki)
+* add v1.15.0-pre.2 release (#28903, @aanm)
+* api: Allow middleware to be injected via Hive (#29223, @gandro)
+* BGP CP: Replaces LocalNodeStore with Local CiliumNode (#28238, @danehans)
+* bgpv1: fix incorrect error messages in the reconcilePodIPPool function (#29125, @hargrovee)
+* bgpv1: fix merge race conflict on NewGoBGPServer (#29321, @mhofstetter)
+* bgpv1: Prevent multiple reconcilers with the same name (#29071, @rastislavs)
+* bgpv1: Reorganize BGP config reconcilers (#29277, @rastislavs)
+* bgpv1: Use specific log message and remove unused parameter (#28895, @hargrovee)
+* bpf: fine-tune a few L3 header validations (#28669, @julianwiedmann)
+* bpf: host: adjust scope of HostFW section in
handle_ipv6() (#29052, @julianwiedmann)
+* bpf: ipsec: move get_min_encrypt_key() to encrypt.h (#28991, @julianwiedmann)
+* bpf: lb: fix missing drop reason in reverse_map_l4_port() (#28884, @julianwiedmann)
+* bpf: lxc: avoid upgrade/downgrade woes with CB_FROM_TUNNEL in IPv6 path (#29304, @julianwiedmann)
+* bpf: nat: fully switch to snat_v*_rewrite_helpers() (#29403, @julianwiedmann)
+* bpf: nat: limit EgressGW redirect check to bpf_host (#29159, @julianwiedmann)
+* bpf: nat: pass NAT map to snat_v4_new_mapping() (#29049, @julianwiedmann)
+* bpf: nodeport: re-introduce Ingress HostFW between RevSNAT and RevDNAT (#28960, @julianwiedmann)
+* bpf: tests: minor cleanups (#29354, @julianwiedmann)
+* bpf: tunnel-related cleanups in to-container path (#28920, @julianwiedmann)
+* bpf: use l4_load_ports() everywhere (#29135, @julianwiedmann)
+* Bug: Fix module health status output (#29140, @derailed)
+* build: Declare GO in makefile before first use (#28983, @sayboras)
+* Changed cilium status CLI output to render the modules health section as a tree structure vs tabular data.
(#28800, @derailed)
+* chore(deps): update actions/checkout action to v4 (main) (#29539, @renovate[bot])
+* chore(deps): update actions/github-script action to v7 (main) (#29142, @renovate[bot])
+* chore(deps): update all github action dependencies (main) (#28987, @renovate[bot])
+* chore(deps): update all github action dependencies (main) (minor) (#29260, @renovate[bot])
+* chore(deps): update all github action dependencies (main) (patch) (#29262, @renovate[bot])
+* chore(deps): update all github action dependencies (main) (patch) (#29387, @renovate[bot])
+* chore(deps): update all github action dependencies (main) (patch) (#29533, @renovate[bot])
+* chore(deps): update all github action dependencies to v2 (main) (major) (#29540, @renovate[bot])
+* chore(deps): update all lvh-images main (main) (patch) (#29388, @renovate[bot])
+* chore(deps): update all lvh-images main (main) (patch) (#29534, @renovate[bot])
+* chore(deps): update anchore/scan-action action to v3.3.8 (main) (#29573, @renovate[bot])
+* chore(deps): update cilium/cilium digest to 614f2dd (main) (#29386, @renovate[bot])
+* chore(deps): update cilium/cilium digest to 93f26fd (main) (#29141, @renovate[bot])
+* chore(deps): update cilium/cilium digest to ef8ca62 (main) (#29120, @renovate[bot])
+* chore(deps): update dependency cilium/cilium-cli to v0.15.13 (main) (#28989, @renovate[bot])
+* chore(deps): update dependency cilium/cilium-cli to v0.15.14 (main) (#29234, @renovate[bot])
+* chore(deps): update dependency cilium/cilium-cli to v0.15.16 (main) (#29464, @renovate[bot])
+* chore(deps): update dependency eksctl-io/eksctl to v0.165.0 (main) (#29537, @renovate[bot])
+* chore(deps): update dependency go to v1.21.4 (main) (#29558, @renovate[bot])
+* chore(deps): update dependency kubernetes/kops to v1.28.1 (main) (#29128, @renovate[bot])
+* chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (main) (#29535, @renovate[bot])
+* chore(deps): update docker.io/library/golang:1.21.4 docker
digest to 9baee0e (main) (#29261, @renovate[bot])
+* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d (main) (#29572, @renovate[bot])
+* chore(deps): update go to v1.21.4 (main) (patch) (#29043, @renovate[bot])
+* chore(deps): update golangci/golangci-lint docker tag to v1.55.2 (main) (#28990, @renovate[bot])
+* chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (main) (#29314, @renovate[bot])
+* chore(deps): update quay.io/cilium/kindest-node docker tag to v1.28.3 (main) (#29057, @renovate[bot])
+* chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231123.012848 (main) (#28992, @renovate[bot])
+* ci-ipsec-upgrade: Do not run conn tests after installing Cilium (#29178, @brb)
+* ci: Bump timeout on ci-runtime privileged worksflow (#28923, @jrajahalme)
+* CI: fix broken BPF complexity tests (#29510, @lmb)
+* cilium-dbg, policy, api: Fix labels in policy selectors output (#29152, @christarazi)
+* cilium: Add a few bwm setting tweaks (#29552, @borkmann)
+* Clarify `cilium_event_ts metric` description (#29303, @christarazi)
+* client: Use options pattern for NewRuntime (#29271, @gandro)
+* clustermesh install documentation: missing step (#28889, @dashaun)
+* cni: remove unused CILIUM_CNI_CONF variable from install script (#29063, @wedaly)
+* CODEOWNERS: claim some new ipsec-related files for cilium/ipsec (#29516, @julianwiedmann)
+* CODEOWNERS: IPsec owns `pkg/common/ipsec` (#29002, @pchaigno)
+* CODEOWNERS: Let IPsec team to own GH workflows for IPsec (#29190, @brb)
+* contrib: Fix prerelease pullPolicy (#28906, @joestringer)
+* ctmap: limit NAT purging to expected CT tuple types (#28871, @julianwiedmann)
+* daemon: Simplify `cilium_host` IP restoration (#28781, @gandro)
+* datapath: Few minor improvements to DevicesController (#28887, @joamaki)
+* datapath: Move `linuxNodeHandler` IPsec functions to their own file (#28941, @pchaigno)
+* devices: fix busy loop (#29163, @bimmlerd)
+* dnsproxy:
convert LookupEndpointByIP to use netip.Addr (#28891, @tklauser)
+* doc: Add roadmap for mutual authentication (#29006, @tgraf)
+* docs: Add CiliumPodIPPool option in BGP Adv. Path Attributes docs (#29177, @rastislavs)
+* docs: Add cluster install/prep guide for GKE-to-GKE clustermesh (#29342, @Neutrollized)
+* docs: add instructions to build kindest-node image (#29079, @aanm)
+* docs: bump required Helm version (#29273, @nebril)
+* docs: Drop references to Helm v2 (#29463, @joestringer)
+* docs: update versions and parameters for XDP Acceleration on AKS (#29091, @jshr-w)
+* Docs: Updates BGP CP Developer Docs (#28908, @danehans)
+* don't remove neighbor link state file if migrateOnly (#28659, @liuyuan10)
+* enabled initalDelaySeconds on StartupProbe (#28816, @jignyasamishra)
+* endpoint: Clarify policy locking requirements (#29024, @jrajahalme)
+* endpoint: fix removed code comment. (#29172, @tommyp1ckles)
+* endpointstate: Add an interface to wait for endpoint restore (#29243, @pippolo84)
+* envoy: periodic version-check with hive timer job (#29513, @mhofstetter)
+* envoy: Support internal listeners in CiliumEnvoyConfig CRDs (#29026, @jrajahalme)
+* envoy: Update to pick up deny policy support (#28862, @jrajahalme)
+* Extract tunnel options to simplify override, and inject them through hive (#29051, @giorio94)
+* Fix bug preventing endpoint-related debug logs from being emitted (#29495, @learnitall)
+* Fix Cilium Datapath Prometheus metric names (#29226, @carnerito)
+* fix(deps): update all go dependencies main (main) (minor) (#28994, @renovate[bot])
+* fix(deps): update all go dependencies main (main) (minor) (#29264, @renovate[bot])
+* fix(deps): update all go dependencies main (main) (minor) (#29398, @renovate[bot])
+* fix(deps): update all go dependencies main (main) (minor) (#29538, @renovate[bot])
+* fix(deps): update all go dependencies main (main) (patch) (#28993, @renovate[bot])
+* fix(deps): update all go dependencies main (main) (patch) (#29134,
@renovate[bot])
+* fix(deps): update all go dependencies main (main) (patch) (#29389, @renovate[bot])
+* fix(deps): update all go dependencies main (main) (patch) (#29536, @renovate[bot])
+* fix(deps): update all go dependencies main (main) (patch) (#29574, @renovate[bot])
+* fix(deps): update golang.org/x/sys digest to 13b15b7 (main) (#29279, @renovate[bot])
+* fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.613 (main) (#29263, @renovate[bot])
+* fix(deps): update module github.com/go-openapi/validate to v0.22.2 (main) (#29280, @renovate[bot])
+* Fixes rate limiting for CES Controller (#28963, @alan-kut)
+* Follow-up nits from etcd init script pull request (#29489, @JamesLaverack)
+* fqdn/dnsproxy: drop dependency on global EnableIPv{4,6} option (#28968, @tklauser)
+* gateway-api: cleanup cell imports & dependencies (#29204, @mhofstetter)
+* gateway-api: don't register secretsync if required CRDs aren't present (#29437, @mhofstetter)
+* gateway-api: fix up for import rename (#29143, @julianwiedmann)
+* gateway-api: improve secret sync resiliency (#29017, @mhofstetter)
+* gateway-api: Use Gateway API definition to check Route condition (#29359, @haiyuewa)
+* go.mod, vendor: update golang.org/x/sys to latest unreleased version (#29070, @tklauser)
+* Helm: Allow configuration of the install-cni container resources field (#27469, @RenaudWasTaken)
+* helm: Fix annotation duplication problems for cilium-agent (#28978, @bradwhitfield)
+* hubble/relay: Remove ReportOffline and refactor PeerManager (#28595, @glrf)
+* images: drop the kvstoremesh dockerfile (#28961, @giorio94)
+* images: Fix init-container script for cilium-dbg (#29424, @joestringer)
+* Implement NodeAddressing on top of Table[NodeAddress] (#29033, @joamaki)
+* Improve deletion of stale backends associated with non-global services, without waiting for full Cluster Mesh synchronization (#28745, @giorio94)
+* ingress: migrate Cilium Ingress controller to use the controller-runtime
library (#29327, @mhofstetter)
+* ingress: migrate secret-sync to controller-runtime (#29198, @mhofstetter)
+* Introduce sync.Map wrapper with generics support (#29452, @giorio94)
+* ipam: Fix duplicate metric ipam_event release (#29520, @christarazi)
+* ipcache: keep upserted prefixes from being deleted by InjectLabels (#29014, @squeed)
+* ipcache: move CIDR restoration to asynchronous APIs (#28673, @squeed)
+* ipsec: Improve `encrypt flush` command (#28795, @pchaigno)
+* ipsec: Remove dead code for IPsec node encryption (#28898, @pchaigno)
+* ipsec: Small refactorings on key loading and state creation (#29352, @pchaigno)
+* k8s: remove unused slim k8s model for Ingress & IngressClass (#29517, @mhofstetter)
+* L7 Loadbalancing: Migrate to controller-runtime library (#29126, @mhofstetter)
+* labels: further optimize IPStringToLabel for single IP case (#29040, @tklauser)
+* loader: attach XDP programs using bpf_link (#28308, @rgo3)
+* loader: do not invoke llc separately (#29458, @lmb)
+* makefile: add back the sed command to update the logo path (#28929, @bradwhitfield)
+* maps: nat: fix copy & paste in error message from doFlush*() (#29097, @julianwiedmann)
+* Minor documentation fixes and improvements for the BGP MD5 feature (#29375, @nvibert)
+* Miscellaneous improvements about kvstore logging (#28843, @giorio94)
+* Miscellaneous improvements to the etcd client (#28834, @giorio94)
+* Modularise MTU discovery (#28964, @bimmlerd)
+* Modularize ipcache BPF listener (#29194, @giorio94)
+* Modularize iptables manager (#28746, @pippolo84)
+* Modularize kernel modules manager into its own cell (#28713, @pippolo84)
+* Modularized the bandwidth manager (#28619, @dylandreimerink)
+* mountinfo: fix build on linux/386 (#29481, @tklauser)
+* node: allow to override enable encapsulation on a per-node basis (#29232, @giorio94)
+* operator: extract controller-runtime integration into its own cell (#28931, @mhofstetter)
+* option: add LoadBalancerUsesDSR() helper (#26898,
@julianwiedmann)
+* pkg/allocator: store key in variable for error message (#29076, @aanm)
+* pkg/bgpv1: Updates getPeerConfig() Method (#28474, @danehans)
+* plugins/cilium-cni: Move implementation into separate package (#29336, @gandro)
+* policy: Return a real nil rather than a non-nil interface (#29022, @jrajahalme)
+* policy: Simplify AccumulateMapChanges prototypes (#29025, @jrajahalme)
+* Prepare for release v1.15.0-pre.2 (#28901, @aanm)
+* probes: remove HAVE_FIB_LOOKUP leftovers (#29401, @rgo3)
+* proxy: define and use well known datapath constants (#28955, @tklauser)
+* README: Update releases (#29170, @nathanjsweet)
+* Refactor LocalNode synchronization logic and remove NodeChain (#29319, @giorio94)
+* Remove accidentally checked in .orig file (#29145, @christarazi)
+* Remove usage of global options from iptables cell (#29088, @pippolo84)
+* Renamed Hubble Dashboard so that it can be installed by Grafana Sidecar. (#28971, @saintdle)
+* Report node source in `cilium-dbg node list` (#29196, @tklauser)
+* secret-sync: extract secret-sync logic from gateway api controller & introduce hive cell (#29100, @mhofstetter)
+* service: fix service manager interface mismatch caused by merge race (#29018, @giorio94)
+* Some small fixes to make kind-fast (#28621, @squeed)
+* statedb: Allow non-terminated keys (#29440, @joamaki)
+* statedb: Simplify integration with Hive (#28892, @joamaki)
+* stream: fix spurious event on termination when Debounce is used (#29347, @giorio94)
+* Update lb-ipam.rst (#28756, @nvibert)
diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
index 0e96e8ec96b39..2f7ab38c71176 100644
--- a/Documentation/helm-values.rst
+++ b/Documentation/helm-values.rst
@@ -95,7 +95,7 @@
* - :spelling:ignore:`authentication.mutual.spire.install.agent.image`
- SPIRE agent image
- object
- - ``{"digest":"sha256:d489bc8470d7a0f292e0e3576c3e7025253343dc798241bcfd9061828e2a6bef","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.4","useDigest":true}``
+ - ``{"digest":"sha256:d489bc8470d7a0f292e0e3576c3e7025253343dc798241bcfd9061828e2a6bef","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.4","useDigest":true}``
* - :spelling:ignore:`authentication.mutual.spire.install.agent.labels`
- SPIRE agent labels
- object
@@ -131,7 +131,7 @@
* - :spelling:ignore:`authentication.mutual.spire.install.initImage`
- init container image of SPIRE agent and server
- object
- - ``{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"Always","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}``
+ - ``{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}``
* - :spelling:ignore:`authentication.mutual.spire.install.namespace`
- SPIRE namespace to install into
- string
@@ -171,7 +171,7 @@
* - :spelling:ignore:`authentication.mutual.spire.install.server.image`
- SPIRE server image
- object
- - ``{"digest":"sha256:bf79e0a921f8b8aa92602f7ea335616e72f7e91f939848e7ccc52d5bddfe96a1","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.4","useDigest":true}``
+ - ``{"digest":"sha256:bf79e0a921f8b8aa92602f7ea335616e72f7e91f939848e7ccc52d5bddfe96a1","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.4","useDigest":true}``
* - :spelling:ignore:`authentication.mutual.spire.install.server.initContainers`
- SPIRE server init containers
- list
@@ -367,7 +367,7 @@
* - :spelling:ignore:`certgen`
- Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually.
- object
- - ``{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}``
+ - ``{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}``
* - :spelling:ignore:`certgen.affinity`
- Affinity for certgen
- object
@@ -479,7 +479,7 @@
* - :spelling:ignore:`clustermesh.apiserver.image`
- Clustermesh API server image.
- object
- - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/clustermesh-apiserver-ci","tag":"latest","useDigest":false}``
+ - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.0-pre.3","useDigest":false}``
* - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.enabled`
- Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance.
- bool
@@ -1131,7 +1131,7 @@
* - :spelling:ignore:`envoy.image`
- Envoy container image.
- object
- - ``{"digest":"sha256:80de27c1d16ab92923cc0cd1fff90f2e7047a9abf3906fda712268d9cbc5b950","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-envoy","tag":"v1.27.2-f19708f3d0188fe39b7e024b4525b75a9eeee61f","useDigest":true}``
+ - ``{"digest":"sha256:80de27c1d16ab92923cc0cd1fff90f2e7047a9abf3906fda712268d9cbc5b950","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.27.2-f19708f3d0188fe39b7e024b4525b75a9eeee61f","useDigest":true}``
* - :spelling:ignore:`envoy.livenessProbe.failureThreshold`
- failure threshold of liveness probe
- int
@@ -1303,7 +1303,7 @@
* - :spelling:ignore:`etcd.image`
- cilium-etcd-operator image.
- object
- - ``{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}``
+ - ``{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}``
* - :spelling:ignore:`etcd.k8sService`
- If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running.
- bool
@@ -1619,7 +1619,7 @@
* - :spelling:ignore:`hubble.relay.image`
- Hubble-relay container image.
- object
- - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-relay-ci","tag":"latest","useDigest":false}``
+ - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.0-pre.3","useDigest":false}``
* - :spelling:ignore:`hubble.relay.listenHost`
- Host to listen to. Specify an empty string to bind to all the interfaces.
- string
@@ -1851,7 +1851,7 @@
 * - :spelling:ignore:`hubble.ui.backend.image`
 - Hubble-ui backend image.
 - object
- - ``{"digest":"sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.1","useDigest":true}``
+ - ``{"digest":"sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.1","useDigest":true}``
 * - :spelling:ignore:`hubble.ui.backend.livenessProbe.enabled`
 - Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+)
 - bool
@@ -1891,7 +1891,7 @@
 * - :spelling:ignore:`hubble.ui.frontend.image`
 - Hubble-ui frontend image.
 - object
- - ``{"digest":"sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.1","useDigest":true}``
+ - ``{"digest":"sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.1","useDigest":true}``
 * - :spelling:ignore:`hubble.ui.frontend.resources`
 - Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.
 - object
@@ -1999,7 +1999,7 @@
 * - :spelling:ignore:`image`
 - Agent container image.
 - object
- - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}``
+ - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.0-pre.3","useDigest":false}``
 * - :spelling:ignore:`imagePullSecrets`
 - Configure image pull secrets for pulling container images
 - string
@@ -2351,7 +2351,7 @@
 * - :spelling:ignore:`nodeinit.image`
 - node-init image.
 - object
- - ``{"override":null,"pullPolicy":"Always","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}``
+ - ``{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}``
 * - :spelling:ignore:`nodeinit.nodeSelector`
 - Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
 - object
@@ -2447,7 +2447,7 @@
 * - :spelling:ignore:`operator.image`
 - cilium-operator image.
 - object
- - ``{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/operator","suffix":"-ci","tag":"latest","useDigest":false}``
+ - ``{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.0-pre.3","useDigest":false}``
 * - :spelling:ignore:`operator.nodeGCInterval`
 - Interval for cilium node garbage collection.
 - string
@@ -2647,7 +2647,7 @@
 * - :spelling:ignore:`preflight.image`
 - Cilium pre-flight image.
 - object
- - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}``
+ - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.0-pre.3","useDigest":false}``
 * - :spelling:ignore:`preflight.nodeSelector`
 - Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
 - object
diff --git a/VERSION b/VERSION
index 9a4866bbcedef..2631093f81287 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.15.0-dev
+1.15.0-pre.3
diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml
index 3b5b9caa220ee..256a795429ce2 100644
--- a/install/kubernetes/cilium/Chart.yaml
+++ b/install/kubernetes/cilium/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.15.0-dev
-appVersion: 1.15.0-dev
+version: 1.15.0-pre.3
+appVersion: 1.15.0-pre.3
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
index 589da1b8b0d79..bdbca6edc8de6 100644
--- a/install/kubernetes/cilium/README.md
+++ b/install/kubernetes/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
-![Version: 1.15.0-dev](https://img.shields.io/badge/Version-1.15.0--dev-informational?style=flat-square) ![AppVersion: 1.15.0-dev](https://img.shields.io/badge/AppVersion-1.15.0--dev-informational?style=flat-square)
+![Version: 1.15.0-pre.3](https://img.shields.io/badge/Version-1.15.0--pre.3-informational?style=flat-square) ![AppVersion: 1.15.0-pre.3](https://img.shields.io/badge/AppVersion-1.15.0--pre.3-informational?style=flat-square)
 Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as
@@ -73,7 +73,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.enabled | bool | `false` | Enable SPIRE integration (beta) |
 | authentication.mutual.spire.install.agent.affinity | object | `{}` | SPIRE agent affinity configuration |
 | authentication.mutual.spire.install.agent.annotations | object | `{}` | SPIRE agent annotations |
-| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:d489bc8470d7a0f292e0e3576c3e7025253343dc798241bcfd9061828e2a6bef","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.4","useDigest":true}` | SPIRE agent image |
+| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:d489bc8470d7a0f292e0e3576c3e7025253343dc798241bcfd9061828e2a6bef","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.4","useDigest":true}` | SPIRE agent image |
 | authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels |
 | authentication.mutual.spire.install.agent.nodeSelector | object | `{}` | SPIRE agent nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | authentication.mutual.spire.install.agent.podSecurityContext | object | `{}` | Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
@@ -82,7 +82,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.agent.skipKubeletVerification | bool | `true` | SPIRE Workload Attestor kubelet verification. |
 | authentication.mutual.spire.install.agent.tolerations | list | `[]` | SPIRE agent tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
-| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"Always","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
+| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
 | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
 | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
 | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
@@ -92,7 +92,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.server.dataStorage.enabled | bool | `true` | Enable SPIRE server data storage |
 | authentication.mutual.spire.install.server.dataStorage.size | string | `"1Gi"` | Size of the SPIRE server data storage |
 | authentication.mutual.spire.install.server.dataStorage.storageClass | string | `nil` | StorageClass of the SPIRE server data storage |
-| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:bf79e0a921f8b8aa92602f7ea335616e72f7e91f939848e7ccc52d5bddfe96a1","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.4","useDigest":true}` | SPIRE server image |
+| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:bf79e0a921f8b8aa92602f7ea335616e72f7e91f939848e7ccc52d5bddfe96a1","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.4","useDigest":true}` | SPIRE server image |
 | authentication.mutual.spire.install.server.initContainers | list | `[]` | SPIRE server init containers |
 | authentication.mutual.spire.install.server.labels | object | `{}` | SPIRE server labels |
 | authentication.mutual.spire.install.server.nodeSelector | object | `{}` | SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -141,7 +141,7 @@ contributors across the globe, there is almost always someone available to help.
 | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. |
 | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. |
 | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. |
-| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
+| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
 | certgen.affinity | object | `{}` | Affinity for certgen |
 | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob |
 | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. |
@@ -169,7 +169,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/clustermesh-apiserver-ci","tag":"latest","useDigest":false}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.0-pre.3","useDigest":false}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -332,7 +332,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:80de27c1d16ab92923cc0cd1fff90f2e7047a9abf3906fda712268d9cbc5b950","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-envoy","tag":"v1.27.2-f19708f3d0188fe39b7e024b4525b75a9eeee61f","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:80de27c1d16ab92923cc0cd1fff90f2e7047a9abf3906fda712268d9cbc5b950","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.27.2-f19708f3d0188fe39b7e024b4525b75a9eeee61f","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -375,7 +375,7 @@ contributors across the globe, there is almost always someone available to help.
 | etcd.extraArgs | list | `[]` | Additional cilium-etcd-operator container arguments. |
 | etcd.extraVolumeMounts | list | `[]` | Additional cilium-etcd-operator volumeMounts. |
 | etcd.extraVolumes | list | `[]` | Additional cilium-etcd-operator volumes. |
-| etcd.image | object | `{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}` | cilium-etcd-operator image. |
+| etcd.image | object | `{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}` | cilium-etcd-operator image. |
 | etcd.k8sService | bool | `false` | If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running. |
 | etcd.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-etcd-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | etcd.podAnnotations | object | `{}` | Annotations to be added to cilium-etcd-operator pods |
@@ -454,7 +454,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-relay-ci","tag":"latest","useDigest":false}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.0-pre.3","useDigest":false}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -512,7 +512,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
 | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. |
 | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. |
-| hubble.ui.backend.image | object | `{"digest":"sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.1","useDigest":true}` | Hubble-ui backend image. |
+| hubble.ui.backend.image | object | `{"digest":"sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.1","useDigest":true}` | Hubble-ui backend image. |
 | hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
 | hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
 | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
@@ -522,7 +522,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. |
 | hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. |
 | hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. |
-| hubble.ui.frontend.image | object | `{"digest":"sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.1","useDigest":true}` | Hubble-ui frontend image. |
+| hubble.ui.frontend.image | object | `{"digest":"sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.1","useDigest":true}` | Hubble-ui frontend image. |
 | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. |
 | hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. |
 | hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 |
@@ -549,7 +549,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}` | Agent container image. |
+| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.0-pre.3","useDigest":false}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -637,7 +637,7 @@ contributors across the globe, there is almost always someone available to help.
 | nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. |
 | nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. |
 | nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. |
-| nodeinit.image | object | `{"override":null,"pullPolicy":"Always","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}` | node-init image. |
+| nodeinit.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}` | node-init image. |
 | nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. |
 | nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. |
@@ -661,7 +661,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/operator","suffix":"-ci","tag":"latest","useDigest":false}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.0-pre.3","useDigest":false}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -711,7 +711,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.0-pre.3","useDigest":false}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
index 1fb6057da46d0..b36ad34e70a71 100644
--- a/install/kubernetes/cilium/values.yaml
+++ b/install/kubernetes/cilium/values.yaml
@@ -145,9 +145,9 @@ rollOutCiliumPods: false
 # -- Agent container image.
 image:
 override: ~
- repository: "quay.io/cilium/cilium-ci"
- tag: "latest"
- pullPolicy: "Always"
+ repository: "quay.io/cilium/cilium"
+ tag: "v1.15.0-pre.3"
+ pullPolicy: "IfNotPresent"
 # cilium-digest
 digest: ""
 useDigest: false
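Review bot: The agent `image` block now pairs `pullPolicy: "IfNotPresent"` with `digest: ""` and `useDigest: false`, so the tag is the only thing pinning what the kubelet runs; a node that already holds an image cached under `v1.15.0-pre.3` keeps using it even if that tag is later re-pushed, and nodes can silently diverge from each other. Pinning by digest (`useDigest: true` with the `# cilium-digest` value filled in) would make the rollout deterministic regardless of the pull policy. If a later release step is expected to populate these digests, a comment saying so next to `# cilium-digest` would document that and save the question at review. The same tag-only combination appears in the hubble-relay, operator, preflight and clustermesh-apiserver image hunks of this file.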
@@ -965,7 +965,7 @@ certgen:
 tag: "v0.1.9"
 digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f"
 useDigest: true
- pullPolicy: "Always"
+ pullPolicy: "IfNotPresent"
 # -- Seconds after which the completed job pod will be deleted
 ttlSecondsAfterFinished: 1800
 # -- Labels to be added to hubble-certgen pods
@@ -1220,12 +1220,12 @@ hubble:
 # -- Hubble-relay container image.
 image:
 override: ~
- repository: "quay.io/cilium/hubble-relay-ci"
- tag: "latest"
+ repository: "quay.io/cilium/hubble-relay"
+ tag: "v1.15.0-pre.3"
 # hubble-relay-digest
 digest: ""
 useDigest: false
- pullPolicy: "Always"
+ pullPolicy: "IfNotPresent"
 # -- Specifies the resources for the hubble-relay pods
 resources: {}
@@ -1455,7 +1455,7 @@ hubble:
 tag: "v0.12.1"
 digest: "sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe"
 useDigest: true
- pullPolicy: "Always"
+ pullPolicy: "IfNotPresent"
 # -- Hubble-ui backend security context.
 securityContext: {}
@@ -1494,7 +1494,7 @@ hubble:
 tag: "v0.12.1"
 digest: "sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267"
 useDigest: true
- pullPolicy: "Always"
+ pullPolicy: "IfNotPresent"
 # -- Hubble-ui frontend security context.
 securityContext: {}
@@ -2056,7 +2056,7 @@ envoy:
 override: ~
 repository: "quay.io/cilium/cilium-envoy"
 tag: "v1.27.2-f19708f3d0188fe39b7e024b4525b75a9eeee61f"
- pullPolicy: "Always"
+ pullPolicy: "IfNotPresent"
 digest: "sha256:80de27c1d16ab92923cc0cd1fff90f2e7047a9abf3906fda712268d9cbc5b950"
 useDigest: true
@@ -2351,7 +2351,7 @@ etcd:
 tag: "v2.0.7"
 digest: "sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc"
 useDigest: true
- pullPolicy: "Always"
+ pullPolicy: "IfNotPresent"
 # -- The priority class to use for cilium-etcd-operator
 priorityClassName: ""
@@ -2456,7 +2456,7 @@ operator:
 image:
 override: ~
 repository: "quay.io/cilium/operator"
- tag: "latest"
+ tag: "v1.15.0-pre.3"
 # operator-generic-digest
 genericDigest: ""
 # operator-azure-digest
@@ -2466,8 +2466,8 @@ operator:
 # operator-alibabacloud-digest
 alibabacloudDigest: ""
 useDigest: false
- pullPolicy: "Always"
- suffix: "-ci"
+ pullPolicy: "IfNotPresent"
+ suffix: ""
 # -- Number of replicas to run for the cilium-operator deployment
 replicas: 2
@@ -2660,7 +2660,7 @@ nodeinit:
 override: ~
 repository: "quay.io/cilium/startup-script"
 tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f"
- pullPolicy: "Always"
+ pullPolicy: "IfNotPresent"
 # -- The priority class to use for the nodeinit pod.
 priorityClassName: ""
@@ -2750,12 +2750,12 @@ preflight:
 # -- Cilium pre-flight image.
 image:
 override: ~
- repository: "quay.io/cilium/cilium-ci"
- tag: "latest"
+ repository: "quay.io/cilium/cilium"
+ tag: "v1.15.0-pre.3"
 # cilium-digest
 digest: ""
 useDigest: false
- pullPolicy: "Always"
+ pullPolicy: "IfNotPresent"
 # -- The priority class to use for the preflight pod.
 priorityClassName: ""
@@ -2912,12 +2912,12 @@ clustermesh:
 # -- Clustermesh API server image.
 image:
 override: ~
- repository: "quay.io/cilium/clustermesh-apiserver-ci"
- tag: "latest"
+ repository: "quay.io/cilium/clustermesh-apiserver"
+ tag: "v1.15.0-pre.3"
 # clustermesh-apiserver-digest
 digest: ""
 useDigest: false
- pullPolicy: "Always"
+ pullPolicy: "IfNotPresent"
 etcd:
 # The etcd binary is included in the clustermesh API server image, so the same image from above is reused.
@@ -3352,7 +3352,7 @@ authentication:
 tag: "1.36.1"
 digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b"
 useDigest: true
- pullPolicy: "Always"
+ pullPolicy: "IfNotPresent"
 # SPIRE agent configuration
 agent:
 # -- SPIRE agent image
@@ -3362,7 +3362,7 @@ authentication:
 tag: "1.8.4"
 digest: "sha256:d489bc8470d7a0f292e0e3576c3e7025253343dc798241bcfd9061828e2a6bef"
 useDigest: true
- pullPolicy: "Always"
+ pullPolicy: "IfNotPresent"
 # -- SPIRE agent service account
 serviceAccount:
 create: true
@@ -3397,7 +3397,7 @@ authentication:
 tag: "1.8.4"
 digest: "sha256:bf79e0a921f8b8aa92602f7ea335616e72f7e91f939848e7ccc52d5bddfe96a1"
 useDigest: true
- pullPolicy: "Always"
+ pullPolicy: "IfNotPresent"
 # -- SPIRE server service account
 serviceAccount:
 create: true