diff --git a/CHANGELOG.md b/CHANGELOG.md
deleted file mode 100644
index 6796f37800794..0000000000000
--- a/CHANGELOG.md
+++ /dev/null
@@ -1,370 +0,0 @@ -# Changelog - -## v1.16.0-pre.0 - -Summary of Changes ------------------- - -**Major Changes:** -* Add support for matching CiliumCIDRGroups in Egress policy rules (#30624, @chaunceyjiang) -* api: Promote field_mask from experimental to stable, deprecating experimental option (#30133, @chancez) -* bpf: initial multicast datapath support (#29469, @ldelossa) -* identity: Allow nodes to be selectable by their labels instead of CIDR and/or remote-node entity. (#26924, @oblazek) -* This change introduces the BGP control-plane operator. (#28846, @harsimran-pabla) - -**Minor Changes:** -* Add a description to the default GatewayClass. (#30041, @chaunceyjiang) -* Add a new option to exclude unwanted k8s node labels from CiliumNode (#28290, @hemanthmalla) -* Add a simple node IPAM to allow using LoadBalancer Service type on "uncontrolled" networks (#30038, @MrFreezeex) -* Add flag --policy-accounting to enable/disable per-policy packet and byte accounting (default true) (#28749, @Jack-R-lantern) -* Add Hubble metrics HTTP endpoint status metrics. Two metrics are introduced: hubble_metrics_http_handler_requests_total, which counts requests made to the endpoint, grouped by HTTP status code, and hubble_metrics_http_handler_request_duration_seconds, also grouped by HTTP status code, which tracks duration of requests made to the endpoint. (#30648, @siwiutki) -* Add metrics count for dir=CT_SERVICE and disable conntrack metrics by default (#27527, @wenlxie) -* add readinessProbe to clustermesh-apiserver indicating kvstore sync status (#29643, @thorn3r) -* Add ServiceImport support in Cilium Gateway API (#28769, @MrFreezeex) -* Add support for the `cni.cilium.io/mac-address` annotation on Pod resources to control the L2 address used for Pod communication. 
(#29360, @chaunceyjiang) -* bgpv1: Allow specifying well-known BGP standard communities using their names (#30440, @rastislavs) -* bgpv2 - adding preflight and neighbor reconciler using CiliumBGPNodeConfig resource. (#30108, @harsimran-pabla) -* bpf, ctmap: Implement map pressure metric for CT maps (#28183, @christarazi) -* bpf: do not invoke llc from Makefiles (#29459, @lmb) -* bpf: xdp: use bpf_xdp_get_buff_len() when available (#29472, @julianwiedmann) -* Check sysctl values before writes to avoid errors on potentially read-only filesystem (#30519, @chaunceyjiang) -* Cilium Network Policy can now redirect to different listeners on the same destination port depending on the destination. (#28555, @jrajahalme) -* Cilium should accepts any value that is not "disabled" for svc topology mode (#30113, @BSWANG) -* Cilium-agent option `--endpoint-status` and helm option `endpointStatus` were removed. (#30761, @marseel) -* ciliumenvoyconfig: introduce NodeSelector (#30470, @mhofstetter) -* cleanup: Remove cilium_isitio sidecar configuration (#30130, @sayboras) -* envoy: Bump envoy minor version to v1.28.0 (#29820, @sayboras) -* envoy: Bump envoy version to v1.28.1 (#30697, @sayboras) -* envoy: Default to daemon set deployment from 1.16 (#30034, @sayboras) -* Expose bpf_map_pressure metric for egress_gw_policy_v4 (#29943, @ysksuzuki) -* gateway-api: Add support for proxy protocol (#30567, @chaunceyjiang) -* gateway-api: Bump to latest version from upstream (#31005, @sayboras) -* helm: Allow configuration of Envoy --base-id for Envoy DaemonSet (#30466, @cpu601) -* helm: Remove deprecated flags proxy.prometheus.{enabled,port} (#30598, @sayboras) -* helm: Remove deprecated values encryption.* (#30613, @sayboras) -* Hubble now has an option to emit v1.Events related to pods on detection of packet drops. (#29565, @robinelfrink) -* ICMP: Introduce ICMP type name in ICMPField (#30330, @Shunpoco) -* Increase the minimum required kernel version to v5.4 / RHEL 8.6. 
(#30869, @lmb) -* ingress/gateway-api: expose listeners on host network (#30840, @mhofstetter) -* ingress: Add check for kpr and nodeport (#30592, @sayboras) -* lb-ipam: Add annotation alias with lbipam.cilium.io prefix (#30169, @sayboras) -* lbipam: allow cross namespace IP sharing (#30055, @rissson) -* NodePort service frontends are now automatically updated when node's IP addresses change. This may have an impact to NodePort services manually added via the cilium-dbg tool if the used frontend IP is not assigned on the node. (#30374, @joamaki) -* policy: Do not select any identity with empty slices (#29608, @pippolo84) -* Rename the cilium cleanup command (#30471, @littlejo) -* Restore health IPs from local ciliumnode resource (#30383, @haozhangami) -* Small refactor in datapath/linux/node.go (#28849, @derailed) -* Support `ingress.cilium.io/force-https` annotation (functionally equivalent to `nginx.ingress.kubernetes.io/force-ssl-redirect`) (#30616, @youngnick) -* Supports for dynamic CES Controller throttling configuration based on the number of nodes (#29861, @alan-kut) -* Trim clustermesh-apiserver ClusterRole permissions when external workloads support is disabled (#30743, @giorio94) -* Update deprecated Prometheus Metrics (#30632, @karojohn) - -**Bugfixes:** -* Bandwidth limits are now enforced also for network devices added after Cilium agent has started (e.g. for new ENI devices). 
(#30419, @joamaki) -* Datasource error fixed for Hubble DNS and Network dashboards (#30580, @Pionerd) -* envoy: Avoid duplicated upstream callback (#30945, @sayboras) -* Fix an issue where cilium is unable to allocate IP addresses when it is running on newly launched AWS instances (#30308, @AnishShah) -* Fix bug in the VTEP feature which caused all traffic from the VTEP to be dropped with "Incorrect VNI from VTEP" (#31039, @joestringer) -* Fix Hubble label selector parsing for labels with dots (#30411, @glrf) -* Fix nodeipam cell not registered (#30250, @MrFreezeex) -* Fix the referenced interface in iptables rules (`eni+` instead of `lxc+`) when `--enable-endpoint-routes=true` and `--cni-chaining-mode="aws-cni"` (#30766, @pippolo84) -* Fixes an IPv6 issue that cilium doesn't respond to Neighbor Solicitation targeting the pods on same node. (#30837, @jschwinger233) -* Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (#29594, @jschwinger233) -* Fixes proxy issues in egress direction (#30095, @jschwinger233) -* gateway-api: Correct the null check for GRPRRoute Match (#31052, @sayboras) -* Handle InvalidParameterValue as well for PD fallback (#31016, @hemanthmalla) -* helm: Fix Prometheus metrics annotations for Hubble Relay (#30501, @chaunceyjiang) -* If source address is remote node then we should treat it as ouside traffic. (#30240, @kvaster) -* tables: Sort node addresses also by public vs private IP (#30579, @joamaki) -* xds: Avoid xds timeout due to agent restart in envoy DS mode (#31061, @sayboras) - -**CI Changes:** -* .github: Don't update LVH bpf-next images on stable branches (#29835, @joestringer) -* .github: Fix LVH image bump for main branch (#30284, @joestringer) -* [Kind] ipfamily should be set by platform configuration. 
(#30332, @fujitatomoya) -* Add RHEL8 kernel to CI (#30421, @lmb) -* Always update lvh in tandem with lvh-images (#30596, @lmb) -* bgpv2: use different ports in unit tests (#30528, @harsimran-pabla) -* Centralize configuration of kind version/image in GitHub Action workflows (#30916, @giorio94) -* ci conformance e2e: increase request timeout from 10s to 30s. (#30192, @tommyp1ckles) -* ci-e2e: Enable Ingress Controller test for more setup (#30657, @sayboras) -* ci: check kvstoremesh for vulnerabilities only on v1.14 (#29918, @mhofstetter) -* ci: continue container scanning on error (#29921, @ferozsalam) -* CI: Fix Artifact Creation Failure Due to Invalid Character in Name (#29884, @brlbil) -* ci: fix conformance gateway-api & ingress sysdump gathering & upload (#29960, @mhofstetter) -* ci: fix eks image pull flake (#30030, @brlbil) -* ci: increase conformance-aks timeout (#30438, @brlbil) -* cli: Replace --cluster-name with --helm-set cluster.name (#31095, @michi-covalent) -* clustermesh up/downgrade: test maxConnectedCluster (#30446, @thorn3r) -* controlplane: fix mechanism for ensuring watchers (#31030, @bimmlerd) -* Fix bug preventing consistent symbols between ELF and BTF for eBPF unit tests. (#30610, @learnitall) -* gateway: Sync up the experimental conformance test (#31017, @sayboras) -* GCP OIDC instead of SA creds. (#30809, @viktor-kurchenko) -* GCP performance OIDC auth. 
(#30844, @viktor-kurchenko) -* gha: Avoid the warning for kind-action (#30601, @sayboras) -* gha: drop unused check_url environment variable (#30928, @giorio94) -* gha: Re-purpose Conformance Kind proxy test (#31074, @sayboras) -* golangci-lint: Fix goimports local prefix (#31106, @michi-covalent) -* identity: deflake test TestGetIdentity - part 2 (#30190, @mhofstetter) -* iptables: Fix `New port number` case in TestAddProxyRules{v4,v6} (#30555, @pippolo84) -* Prevent E2E tests from failing on a known-ok warning log of temporary CRD failure (#30778, @learnitall) -* Re-enable LRP and K8sSpecificMACAddressTests tests that were incorrectly skipped on non-AKS platforms due to a regression. (#30939, @aditighag) -* Reduce flakiness of controlplane tests (#30906, @bimmlerd) -* Remove remaining references to v4.19 (#30890, @lmb) -* removing reference to Metal LB in GHA now that MetalLB has been replaced with Cilium L2 Announcement (https://github.com/cilium/cilium/pull/28926) (#29854, @nvibert) -* renovate: add lvh-kind action (#30663, @lmb) -* Replace v4.19 with RHEL 8.6 in CI (#30872, @lmb) -* route: dedicated net ns for each subtest of runListRules (#29916, @mhofstetter) -* Scale tests improvements (#29859, @marseel) -* statedb/reflector: fix race condition in test (#30971, @bimmlerd) -* test: add standalone l4lb test to verify that traffic works even when cilium agent is restarted (#30114, @oblazek) -* test: verify that traffic to services work when agent (l4lb) is restarted (#30930, @oblazek) -* tests: check for pending maps after network policy tests finish (#30188, @lmb) -* Use AWS OIDC instead of access key for CI (#30713, @viktor-kurchenko) -* workflows: conformance-eks: use env.QUAY_ORGANIZATION_DEV (#30263, @julianwiedmann) - -**Misc Changes:** -* .github: switch kind images back to kind (#30659, @aanm) -* [operator] Refactor - export CiliumEndpointSlice test utils (#30577, @dlapcevic) -* add a `fast` make target for kind-clustermesh (#29910, @thorn3r) -* Add a 
new flag to endpoints in the IPCache to allow for overriding tunnel configuration (#29796, @learnitall) -* add how to clean up the e2e connectivity test. (#30428, @fujitatomoya) -* Add NetBird to the Cilium user list (#30645, @braginini) -* Add OpenVEX document (#30768, @ferozsalam) -* Add support for infinite retries for OneShot jobs (#30376, @dylandreimerink) -* Add support for skipping encapsulation for host-to-pod traffic (#30819, @learnitall) -* Add support for skipping encapsulation of nodeport-related traffic (#30608, @learnitall) -* add users doc to bug report template (#30603, @xmulligan) -* Added sysctl setting reconciliation (#30439, @dylandreimerink) -* Address race condition in TestGetIdentity (#30885, @bimmlerd) -* Adds NETWAYS Web Services to USERS.md (#30505, @mocdaniel) -* Allow packets leaving containers to skip encapsulation. (#30427, @learnitall) -* bandwidth: test: don't unlock OS thread too early (#30932, @bimmlerd) -* bgpv1: Modularize test fixtures (#30234, @rastislavs) -* bgpv1: Some test coverage improvements for bgpv1/agent (#30096, @YutaroHayakawa) -* bgpv2: Add service options to advertisement CRD (#30902, @harsimran-pabla) -* bgpv2: setting gobgp configuration based on new BGP APIs (#29988, @harsimran-pabla) -* bitlpm: Factor out common code (#31026, @jrajahalme) -* bpf: add ext_err for more callers of tail_call_internal() (#30023, @julianwiedmann) -* bpf: add improved helper for program-internal tail-call (#30001, @julianwiedmann) -* bpf: alignchecker: add encrypt_config and world_cidrs_key4 (#29886, @julianwiedmann) -* bpf: convert ep_tail_call() to tail_call_internal() (#30288, @julianwiedmann) -* bpf: ct: allow CT entry creation / lookup without detailed information (#30344, @julianwiedmann) -* bpf: explicitly pass map to policy_can_{in,e}gress{4,6} (#31053, @jibi) -* bpf: host: simplify MARK_MAGIC_PROXY_EGRESS_EPID handling (#29803, @julianwiedmann) -* bpf: host: skip from-proxy handling in from-netdev (#29962, @julianwiedmann) -* 
bpf: introduce ctx_load_and_clear_meta() (#30245, @julianwiedmann) -* bpf: ipv6: optimize ipv6_addr_copy() (#30029, @julianwiedmann) -* bpf: lb: clean up REV_NAT_F_TUPLE_SADDR parts in RevDNAT logic (#30701, @julianwiedmann) -* bpf: lb: small improvements to CT logic (#30950, @julianwiedmann) -* bpf: lxc: remove CB_FROM_TUNNEL upgrade toleration for IPv6 (#30244, @julianwiedmann) -* bpf: nat: pass back ipv4_load_l4_ports()'s actual drop reason (#29837, @julianwiedmann) -* bpf: nodeport: fix check to forward identity in nodeport_lb4 (#31085, @jibi) -* bpf: nodeport: remove TC_INDEX_F_SKIP_RECIRCULATION logic (#30435, @julianwiedmann) -* bpf: proxy: add IPv4 fragmentation support in ctx_redirect_to_proxy_first() (#29760, @julianwiedmann) -* bpf: test: future-proof some kernel version checks (#30127, @julianwiedmann) -* bpf: xdp: clean up xdp_adjust_hroom() (#30325, @julianwiedmann) -* Bump allowed Golang version to v1.21 (#30084, @ferozsalam) -* Bump readme, MLH for v1.15.0-rc.0 (#29909, @joestringer) -* Bump release versions references by readme, stable.txt, and MLH (#29879, @asauber) -* CEC: Extract CiliumEnvoyConfig from global k8s watcher (#30298, @mhofstetter) -* CEC: Move resource parser and envoy l7lb backend syncer to /pkg/ciliumenvoyconfig (#30290, @mhofstetter) -* cec: remove label break by extracting function to inject L7 filter (#30062, @mhofstetter) -* cec: timerbased reconcile job as fallback (#30866, @mhofstetter) -* check-sources.sh: move file lists to env variables (#30600, @jibi) -* chore(deps): update actions/download-artifact action to v4.1.3 (main) (#30985, @renovate[bot]) -* chore(deps): update actions/setup-go action to v5 (main) (#29952, @renovate[bot]) -* chore(deps): update all github action dependencies (main) (#30618, @renovate[bot]) -* chore(deps): update all github action dependencies (main) (#30898, @renovate[bot]) -* chore(deps): update all github action dependencies (main) (#30948, @renovate[bot]) -* chore(deps): update all github 
action dependencies (main) (#31109, @renovate[bot]) -* chore(deps): update all github action dependencies (main) (minor) (#29948, @renovate[bot]) -* chore(deps): update all github action dependencies (main) (minor) (#30394, @renovate[bot]) -* chore(deps): update all github action dependencies (main) (patch) (#30392, @renovate[bot]) -* chore(deps): update all github action dependencies (main) (patch) (#30478, @renovate[bot]) -* chore(deps): update all github action dependencies (main) (patch) (#30779, @renovate[bot]) -* chore(deps): update all github action dependencies (main) (patch) (#30830, @renovate[bot]) -* chore(deps): update all github action dependencies to v3 (main) (major) (#30485, @renovate[bot]) -* chore(deps): update all github action dependencies to v4 (main) (major) (#30048, @renovate[bot]) -* chore(deps): update all kind-images main (main) (#30828, @renovate[bot]) -* chore(deps): update all kind-images main (main) (patch) (#30621, @renovate[bot]) -* chore(deps): update all lvh-images main (main) (#30974, @renovate[bot]) -* chore(deps): update all lvh-images main (main) (patch) (#29945, @renovate[bot]) -* chore(deps): update all lvh-images main (main) (patch) (#30044, @renovate[bot]) -* chore(deps): update all lvh-images main (main) (patch) (#30805, @renovate[bot]) -* chore(deps): update all lvh-images main to bpf-next-20240204.012837 (main) (patch) (#30460, @renovate[bot]) -* chore(deps): update alpine-images (main) (patch) (#30479, @renovate[bot]) -* chore(deps): update dependency cilium/cilium-cli to v0.15.20 (main) (#30200, @renovate[bot]) -* chore(deps): update dependency cilium/cilium-cli to v0.15.21 (main) (#30569, @renovate[bot]) -* chore(deps): update dependency cilium/cilium-cli to v0.15.22 (main) (#30622, @renovate[bot]) -* chore(deps): update dependency cilium/cilium-cli to v0.15.23 (main) (#30832, @renovate[bot]) -* chore(deps): update dependency eksctl-io/eksctl to v0.167.0 (main) (#30046, @renovate[bot]) -* chore(deps): update 
dependency kubernetes-sigs/kind to v0.22.0 (main) (#30826, @renovate[bot]) -* chore(deps): update docker.io/library/golang:1.21.5 docker digest to 672a228 (main) (#30043, @renovate[bot]) -* chore(deps): update docker.io/library/golang:1.21.6 docker digest to 76aadd9 (main) (#30242, @renovate[bot]) -* chore(deps): update docker.io/library/golang:1.21.6 docker digest to 7b575fe (main) (#30619, @renovate[bot]) -* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 6042500 (main) (#29939, @renovate[bot]) -* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e6173d4 (main) (#30391, @renovate[bot]) -* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to f9d633f (main) (#30620, @renovate[bot]) -* chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 112a87f (main) (#29940, @renovate[bot]) -* chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 49af061 (main) (#30946, @renovate[bot]) -* chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 6a3500b (main) (#30829, @renovate[bot]) -* chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.12 (main) (#30623, @renovate[bot]) -* chore(deps): update go to v1.21.6 (main) (patch) (#30172, @renovate[bot]) -* chore(deps): update go to v1.22.0 (main) (minor) (#30673, @renovate[bot]) -* chore(deps): update golangci/golangci-lint docker tag to v1.56.2 (main) (#30839, @renovate[bot]) -* chore(deps): update golangci/golangci-lint-action action to v4 (main) (#30849, @renovate[bot]) -* chore(deps): update hubble cli to v0.13.0 (main) (minor) (#30272, @renovate[bot]) -* chore(deps): update nick-invision/retry action to v3 (main) (#30628, @renovate[bot]) -* chore: provide OSSF security insight (#30448, @mmorel-35) -* ci: fix typo in generate-k8s-api workflow (#30824, @chaunceyjiang) -* cilium, tests: Temporary disable agent restart test in l4lb (#30710, @borkmann) -* ciliumenvoyconfig: always inject Envoy 
Cilium filters (Network & L7) for L7 loadbalancing (#30546, @mhofstetter) -* CODEOWNERS: pull in sig-wireguard for wireguard-related files (#30380, @julianwiedmann) -* CODEOWNERS: sig-scalability owns scalability-specific GH workflows (#29819, @marseel) -* Consolidate network namespace handling (#29993, @bleggett) -* contrib: Autodetect GITHUB_TOKEN during release (#29901, @joestringer) -* contrib: Fix post-release.sh for branch candidates (#29907, @joestringer) -* Correct Istio Integration Documentation for Cilium CLI Flag Usage (#30152, @rootsongjc) -* daemon/hive: No longer make WireGuard an optional dependency (#30544, @gandro) -* daemon: inline lookupIPsBySecID (#30919, @tklauser) -* daemon: Refactor syncHostIPs (#30373, @joamaki) -* datapath/fake: Move commonly imported types to fake/types package (#30523, @gandro) -* datapath: add more nat/overlay/nodeport hooks (#30888, @jibi) -* datapath: Enable N/S LB for overlapping pod CIDR (#30348, @jibi) -* Defines the cilium-envoy image used in the build Dockerfile using ARG to allow overrides. (#29638, @EricMountain) -* Doc fix: Correct hubble exporter config lines (#30424, @saintdle) -* doc,bgpv1: Add documentation about the address family option (#30455, @YutaroHayakawa) -* doc,bgpv1: Bootstrap BGP Control Plane troubleshooting doc (#30506, @YutaroHayakawa) -* doc,bgpv1: Refresh BGP Control Plane document structure (#30345, @YutaroHayakawa) -* doc: Installation guide for Talos (#30388, @PhilipSchmid) -* doc: Rework the AKS tabs so that only instructions for BYOCNI remain. 
(#28933, @tamilmani1989) -* doc: Updated RKE/Rancher guides (#30178, @PhilipSchmid) -* docs: Add command hints in make kind output (#30564, @sayboras) -* Docs: add note on matchExpressions for cnp and ccnp (#30811, @darox) -* docs: Add reference to BGP Control Plane from Multi-Pool IPAM page (#30748, @rastislavs) -* docs: Add stubs for v1.16 upgrade notes (#29903, @joestringer) -* docs: add Veepee as cilium USERS (#30913, @nerzhul) -* Docs: Adds IPv6 Tunneling Caveat to Networking Concepts (#30364, @danehans) -* docs: Document NodePort BPF and iptables SNAT port collision (#30858, @brb) -* Docs: restructure Cluster Mesh scaling section (#30582, @thorn3r) -* docs: update note on WireGuard with tunnel routing (#31083, @julianwiedmann) -* docs: Updating Azure CNI chaining as Legacy approach (#28571, @vipul-21) -* Document supported upgrade and rollback paths (#30408, @lmb) -* Don't emit an error message on namespace termination due to Ingress reconciliation (#30808, @giorio94) -* Drop broken and superseded CiliumInternalIP restoration logic (#30436, @giorio94) -* Drop gopsutil dependecy (#30222, @nickolaev) -* egressgw: remove deleteStaleIPRulesAndRoutes() (#30025, @julianwiedmann) -* egressgw: remove nodeDataStore map from Manager (#30500, @markpash) -* endpoint: move locking into getProxyStatistics (#30414, @tklauser) -* endpoint: pause policymap-sync controller during regeneration (#30232, @squeed) -* endpoint: use PropertyCEP{Owner,Name} as CEP owner/name if set (#31021, @jibi) -* Ensure wireguard.h includes the correct headers (#30539, @ldelossa) -* Envoy: Extract Secret Sync from global k8swatcher (#30418, @mhofstetter) -* Expose Cilium operator go runtime scheduler latency prometheus metric `go_sched_latencies_seconds` (#29245, @derailed) -* Extend `kind-clustermesh` Makefile target to create dual stack clusters (#30129, @giorio94) -* Fix renovate config for grpc_health_probe (#30675, @glrf) -* Fix unnecessary warning by adding cilium_per_cluster_snat to the 
list of ignored ELF prefixes (#30998, @giorio94) -* fix(deps): update all go dependencies main (main) (#29941, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (#30199, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (#30947, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (minor) (#30047, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (minor) (#30122, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (minor) (#30385, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (minor) (#30482, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (minor) (#30626, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (minor) (#30848, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (patch) (#29947, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (patch) (#30045, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (patch) (#30077, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (patch) (#30140, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (patch) (#30393, @renovate[bot]) -* fix(deps): update all go dependencies main (main) (patch) (#30625, @renovate[bot]) -* fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.681 (main) (#30976, @renovate[bot]) -* fix(deps): update module github.com/docker/docker to v25 (main) (#30395, @renovate[bot]) -* fix(deps): update module github.com/go-openapi/runtime to v0.27.1 (main) (#30481, @renovate[bot]) -* fix(deps): update module github.com/tidwall/gjson to v1.17.1 (main) (#30836, @renovate[bot]) -* fix(deps): update module golang.org/x/crypto to v0.20.0 (main) (#30987, @renovate[bot]) -* fix: Adding the fatal error for ipv6 cilium config on a single stack node (#28953, @vipul-21) -* fswatcher: fix goroutine leak and refactor tests (#30734, @lmb) -* gateway-api: Bump to the 
latest version from upstream (#30537, @sayboras) -* gh: template: query whether the bug is a regression (#30842, @julianwiedmann) -* go.mod: Bump controller-tools fork version to v0.8.0-2 to allow `XValidation` kubebuilder markers (#30362, @rastislavs) -* Helm: additional info for mtu value (#30175, @darox) -* helm: Bump helm-toolbox version (#30148, @sayboras) -* helm: don't create remote-users ConfigMap when the clustermesh-apiserver is not enabled (#30008, @giorio94) -* helm: Permit selection of datasources in UI (#30161, @jcpunk) -* hive: Add post-start log message to record duration (#30521, @joamaki) -* hive: Fix the ineffectual SetEnvPrefix (#30489, @joamaki) -* hubble: Add an interface for Parser struct (#29876, @anubhabMajumdar) -* images: support release branches when updating envoy image (#30463, @mhofstetter) -* ingress/gatewayapi: move construction of translators into hive cells (#30606, @mhofstetter) -* ingress: Copy LB IPAM related annotation by default (#30487, @sayboras) -* ingress: pass enforcedHttps from config (cell) to reconciler (#30804, @mhofstetter) -* ingress: remove unused annotations (#30733, @mhofstetter) -* Introducing `stylecheck` linter to detect duplicate package imports in Go code (#30215, @nickolaev) -* ipam/crd: remove redundant `len` and `nil` check (#30183, @Juneezee) -* iptables: early skip proxy rules install if BPF tproxy enabled (#30347, @mhofstetter) -* job: avoid a race condition in TestTimer_ExitOnCloseFnCtx (#30929, @bimmlerd) -* k8s: Fix envoyConfig description on CNP/CCNP CRDs (#29507, @hmonsalv) -* k8s: Migrate policy watchers to Cell + Resource (#30322, @gandro) -* k8s: Update to final v1.29.0 (#29873, @christarazi) -* L7LB: Extract Envoy related logic and dependencies from ServiceManager (#30184, @mhofstetter) -* l7lb: log service ns and name when upserting endpoints (#30502, @mhofstetter) -* Loader modularization (#30280, @dylandreimerink) -* loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay (#31025, 
@julianwiedmann) -* loader: move Loader interface into separate package (#30876, @jibi) -* loader: refactor/cleanup replaceNetworkDatapath (#29825, @rgo3) -* loader: simplify template cache invalidation (#29449, @lmb) -* LRP: Use hive cell infra (#30923, @aditighag) -* MAINTAINERS: Add Yutaro (#29982, @pchaigno) -* make cilium/loader owner of pkg/elf (#29915, @lmb) -* Makefile: Move kind targets to dedicated Makefile.kind (#29920, @qmonnet) -* Makefile: Refactor hubble-relay target (#29867, @chancez) -* Modify gitignore to ignore direnv-related files (#30366, @learnitall) -* monitor/payload: remove bitrotted benchmark (#29728, @lmb) -* operator/identitygc: remove unused GC.allocationCfg (#30197, @tklauser) -* operator: Implement cache to be used for Cilium Identity management (#30649, @dlapcevic) -* optimize kind setup (#29758, @weizhoublue) -* Overall improvements in modularity (#30381, @aanm) -* pkg/ipcache: Updates IPListEntrySlice.Less() to Use netip Pkg (#30191, @danehans) -* pkg/service: Add backends as managed neighbor entry (#31003, @borkmann) -* Post release for 1.15.0 (#30560, @aanm) -* Prepare for v1.16 development cycle (#29802, @joestringer) -* proxy / envoy: Cleanup dependencies to XDSServer & Proxy (#29892, @mhofstetter) -* proxy: remove unused interface IPCacheManager (#30171, @mhofstetter) -* README: Update releases (#30389, @gentoo-root) -* README: Update releases (#30784, @michi-covalent) -* Refactor clustermesh global service cache to prepare for the endpoint slice clustermesh synchronization (#30883, @MrFreezeex) -* Refactor getEnvoyHTTPRouteConfiguration test (#30022, @youngnick) -* Refactor: remove config interface (#29506, @AwesomePatrol) -* release/bump-readme.sh: Don't overwrite latest -rc with older -pre tag (#30412, @qmonnet) -* Remove `skip-cnp-status-startup-clean` (#30508, @chaunceyjiang) -* Remove unused functions in pkg/comparator (#30075, @pippolo84) -* Remove unused kvstore methods to unclutter the backend interface (#30012, 
@giorio94) -* renovate: don't separate minor/patch updates of Go modules (#30195, @tklauser) -* renovate: match rhel8 lvh image updates (#30891, @tklauser) -* renovate: try to group dependency updates on single PR (#30874, @aanm) -* Replaced `declare_tailcall_if` with logic in the loader (#30467, @dylandreimerink) -* Require dead code elimination support (#30814, @dylandreimerink) -* require large instruction limit (#30896, @lmb) -* Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (#29300, @learnitall) -* Revert "renovate: don't separate minor/patch updates of Go modules" (#30210, @tklauser) -* Revert "workflow: yaml change - change "cosign attach" to "cosign attest"" (#30827, @aanm) -* statedb/reflector: Add Kubernetes to StateDB reflector (#30527, @joamaki) -* statedb: Reconciler utility (#30303, @joamaki) -* statedb: Add ServeHTTP and Iterate method (#30499, @joamaki) -* statedb: Derive, Observable and Map (#30246, @joamaki) -* stream: Add Buffer operator (#30444, @joamaki) -* Support extending hubble-relay as a downstream packager (#30357, @chancez) -* Unconditionally add NodeInternalIPs to the allowed IPs for WireGuard peers (#30975, @giorio94) -* Update AUTHORS (#29905, @joestringer) -* Update readme with v1.15.0-rc.1 (#30279, @aanm) -* Update XDP drivers support list in BPF docs (#30658, @janvi01) -* Updating Rancher Desktop Install instructions (#29911, @divya-mohan0209) -* Use Resource[T] to implement CiliumNode watcher (#29222, @pippolo84) -* USERS.md: Add Santa Claus to the list of users (#30083, @qmonnet) -* USERS.md: Add Sealos to the list of users (#30369, @yangchuansheng) -* users.md: sphere doesn't exist anymore, 👋 datadog (#29927, @mvisonneau) -* workflow: yaml change - change "cosign attach" to "cosign attest" (#30823, @umesh3034) -* xds: Move MockStream to stream_test.go (#30943, @sayboras) diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst index c191a0420fd52..8a0d46b65789f 100644 
--- a/Documentation/helm-values.rst
+++ b/Documentation/helm-values.rst
@@ -95,7 +95,7 @@
 * - :spelling:ignore:`authentication.mutual.spire.install.agent.image`
 - SPIRE agent image
 - object
- - ``{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}``
+ - ``{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}``
 * - :spelling:ignore:`authentication.mutual.spire.install.agent.labels`
 - SPIRE agent labels
 - object
@@ -135,7 +135,7 @@
 * - :spelling:ignore:`authentication.mutual.spire.install.initImage`
 - init container image of SPIRE agent and server
 - object
- - ``{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}``
+ - ``{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"Always","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}``
 * - :spelling:ignore:`authentication.mutual.spire.install.namespace`
 - SPIRE namespace to install into
 - string
@@ -175,7 +175,7 @@
 * - :spelling:ignore:`authentication.mutual.spire.install.server.image`
 - SPIRE server image
 - object
- - ``{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}``
+ - ``{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}``
 * - :spelling:ignore:`authentication.mutual.spire.install.server.initContainers`
 - SPIRE server init containers
 - list
@@ -375,7 +375,7 @@
 * - :spelling:ignore:`certgen`
 - Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually.
 - object
- - ``{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}``
+ - ``{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}``
 * - :spelling:ignore:`certgen.affinity`
 - Affinity for certgen
 - object
@@ -491,7 +491,7 @@ * - :spelling:ignore:`clustermesh.apiserver.image` - Clustermesh API server image. - object - - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.0-pre.0","useDigest":false}`` + - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/clustermesh-apiserver-ci","tag":"latest","useDigest":false}`` * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.enabled` - Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. - bool @@ -1127,7 +1127,7 @@ * - :spelling:ignore:`envoy.image` - Envoy container image. - object - - ``{"digest":"sha256:223fe3d2b7d2c82d0ec3f4fcfd8c322fb7d5052d128519768f6ebc8f6ae43eb7","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.1-f6d0ca17bd2f445e82eaf1892b132dbf10cb2124","useDigest":true}`` + - ``{"digest":"sha256:223fe3d2b7d2c82d0ec3f4fcfd8c322fb7d5052d128519768f6ebc8f6ae43eb7","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.1-f6d0ca17bd2f445e82eaf1892b132dbf10cb2124","useDigest":true}`` * - :spelling:ignore:`envoy.livenessProbe.failureThreshold` - failure threshold of liveness probe - int 
@@ -1307,7 +1307,7 @@ * - :spelling:ignore:`etcd.image` - cilium-etcd-operator image. - object - - ``{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}`` + - ``{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}`` * - :spelling:ignore:`etcd.k8sService` - If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running. - bool @@ -1655,7 +1655,7 @@ * - :spelling:ignore:`hubble.relay.image` - Hubble-relay container image. - object - - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.0-pre.0","useDigest":false}`` + - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-relay-ci","tag":"latest","useDigest":false}`` * - :spelling:ignore:`hubble.relay.listenHost` - Host to listen to. Specify an empty string to bind to all the interfaces. - string @@ -1887,7 +1887,7 @@ * - :spelling:ignore:`hubble.ui.backend.image` - Hubble-ui backend image. - object - - ``{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}`` + - ``{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}`` * - :spelling:ignore:`hubble.ui.backend.livenessProbe.enabled` - Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) - bool 
@@ -1927,7 +1927,7 @@ * - :spelling:ignore:`hubble.ui.frontend.image` - Hubble-ui frontend image. - object - - ``{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}`` + - ``{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}`` * - :spelling:ignore:`hubble.ui.frontend.resources` - Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. - object @@ -2035,7 +2035,7 @@ * - :spelling:ignore:`image` - Agent container image. - object - - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0-pre.0","useDigest":false}`` + - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}`` * - :spelling:ignore:`imagePullSecrets` - Configure image pull secrets for pulling container images - string @@ -2423,7 +2423,7 @@ * - :spelling:ignore:`nodeinit.image` - node-init image. - object - - ``{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}`` + - ``{"override":null,"pullPolicy":"Always","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}`` * - :spelling:ignore:`nodeinit.nodeSelector` - Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - object 
@@ -2519,7 +2519,7 @@ * - :spelling:ignore:`operator.image` - cilium-operator image. - object - - ``{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.0-pre.0","useDigest":false}`` + - ``{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/operator","suffix":"-ci","tag":"latest","useDigest":false}`` * - :spelling:ignore:`operator.nodeGCInterval` - Interval for cilium node garbage collection. - string @@ -2715,7 +2715,7 @@ * - :spelling:ignore:`preflight.image` - Cilium pre-flight image. - object - - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0-pre.0","useDigest":false}`` + - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}`` * - :spelling:ignore:`preflight.nodeSelector` - Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector - object diff --git a/VERSION b/VERSION index 4b0d2721e93e5..1f0d2f335194a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.16.0-pre.0 +1.16.0-dev diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml index 29103af6a292b..06c5866aede7d 100644 --- a/install/kubernetes/cilium/Chart.yaml +++ b/install/kubernetes/cilium/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: cilium displayName: Cilium home: https://cilium.io/ -version: 1.16.0-pre.0 -appVersion: 1.16.0-pre.0 +version: 1.16.0-dev +appVersion: 1.16.0-dev kubeVersion: ">= 1.16.0-0" icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg description: eBPF-based Networking, Security, and Observability 
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md index d3cd39c073914..f839a8d28f786 100644 --- a/install/kubernetes/cilium/README.md +++ b/install/kubernetes/cilium/README.md @@ -1,6 +1,6 @@ # cilium -![Version: 1.16.0-pre.0](https://img.shields.io/badge/Version-1.16.0--pre.0-informational?style=flat-square) ![AppVersion: 1.16.0-pre.0](https://img.shields.io/badge/AppVersion-1.16.0--pre.0-informational?style=flat-square) +![Version: 1.16.0-dev](https://img.shields.io/badge/Version-1.16.0--dev-informational?style=flat-square) ![AppVersion: 1.16.0-dev](https://img.shields.io/badge/AppVersion-1.16.0--dev-informational?style=flat-square) Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as 
@@ -73,7 +73,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.enabled | bool | `false` | Enable SPIRE integration (beta) | | authentication.mutual.spire.install.agent.affinity | object | `{}` | SPIRE agent affinity configuration | | authentication.mutual.spire.install.agent.annotations | object | `{}` | SPIRE agent annotations | -| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}` | SPIRE agent image | +| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}` | SPIRE agent image | | authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels | | authentication.mutual.spire.install.agent.nodeSelector | object | `{}` | SPIRE agent nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | authentication.mutual.spire.install.agent.podSecurityContext | object | `{}` | Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | 
@@ -83,7 +83,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true | | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. 
| -| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | +| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"Always","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into | | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration | | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations | 
@@ -93,7 +93,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.server.dataStorage.enabled | bool | `true` | Enable SPIRE server data storage | | authentication.mutual.spire.install.server.dataStorage.size | string | `"1Gi"` | Size of the SPIRE server data storage | | authentication.mutual.spire.install.server.dataStorage.storageClass | string | `nil` | StorageClass of the SPIRE server data storage | -| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}` | SPIRE server image | +| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}` | SPIRE server image | | authentication.mutual.spire.install.server.initContainers | list | `[]` | SPIRE server init containers | | authentication.mutual.spire.install.server.labels | object | `{}` | SPIRE server labels | | authentication.mutual.spire.install.server.nodeSelector | object | `{}` | SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -143,7 +143,7 @@ contributors across the globe, there is almost always someone available to help. | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. | | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. | | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. | -| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. | +| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. 
| | certgen.affinity | object | `{}` | Affinity for certgen | | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob | | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. | @@ -172,7 +172,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. | -| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.0-pre.0","useDigest":false}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/clustermesh-apiserver-ci","tag":"latest","useDigest":false}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | 
@@ -331,7 +331,7 @@ contributors across the globe, there is almost always someone available to help. | envoy.extraVolumes | list | `[]` | Additional envoy volumes. | | envoy.healthPort | int | `9878` | TCP port for the health API. | | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s | -| envoy.image | object | `{"digest":"sha256:223fe3d2b7d2c82d0ec3f4fcfd8c322fb7d5052d128519768f6ebc8f6ae43eb7","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.1-f6d0ca17bd2f445e82eaf1892b132dbf10cb2124","useDigest":true}` | Envoy container image. | +| envoy.image | object | `{"digest":"sha256:223fe3d2b7d2c82d0ec3f4fcfd8c322fb7d5052d128519768f6ebc8f6ae43eb7","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.1-f6d0ca17bd2f445e82eaf1892b132dbf10cb2124","useDigest":true}` | Envoy container image. | | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe | | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe | | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. | 
@@ -376,7 +376,7 @@ contributors across the globe, there is almost always someone available to help. | etcd.extraArgs | list | `[]` | Additional cilium-etcd-operator container arguments. | | etcd.extraVolumeMounts | list | `[]` | Additional cilium-etcd-operator volumeMounts. | | etcd.extraVolumes | list | `[]` | Additional cilium-etcd-operator volumes. | -| etcd.image | object | `{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}` | cilium-etcd-operator image. | +| etcd.image | object | `{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}` | cilium-etcd-operator image. | | etcd.k8sService | bool | `false` | If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running. | | etcd.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-etcd-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | etcd.podAnnotations | object | `{}` | Annotations to be added to cilium-etcd-operator pods | 
@@ -463,7 +463,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.0-pre.0","useDigest":false}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-relay-ci","tag":"latest","useDigest":false}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -521,7 +521,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. | | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. | | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. | -| hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. | +| hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. | | hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. | 
@@ -531,7 +531,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. | | hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. | | hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. | -| hubble.ui.frontend.image | object | `{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}` | Hubble-ui frontend image. | +| hubble.ui.frontend.image | object | `{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}` | Hubble-ui frontend image. | | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. | | hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. | | hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 | 
@@ -558,7 +558,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0-pre.0","useDigest":false}` | Agent container image. | +| image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}` | Agent container image. | | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -655,7 +655,7 @@ contributors across the globe, there is almost always someone available to help. | nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. | | nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. | | nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. | -| nodeinit.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}` | node-init image. | +| nodeinit.image | object | `{"override":null,"pullPolicy":"Always","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}` | node-init image. | | nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. | | nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. | 
@@ -679,7 +679,7 @@ contributors across the globe, there is almost always someone available to help. | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.0-pre.0","useDigest":false}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/operator","suffix":"-ci","tag":"latest","useDigest":false}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -728,7 +728,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0-pre.0","useDigest":false}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml index 7ae3bb4580a1b..acd25dd2aacdb 100644 --- a/install/kubernetes/cilium/values.yaml +++ b/install/kubernetes/cilium/values.yaml @@ -134,9 +134,9 @@ rollOutCiliumPods: false # -- Agent container image. image: override: ~ - repository: "quay.io/cilium/cilium" - tag: "v1.16.0-pre.0" - pullPolicy: "IfNotPresent" + repository: "quay.io/cilium/cilium-ci" + tag: "latest" + pullPolicy: "Always" # cilium-digest digest: "" useDigest: false 
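Review bot: The agent image default in the `@@ -134,9` hunk of values.yaml now resolves to a mutable reference: `tag: "latest"` on `quay.io/cilium/cilium-ci` with `digest: ""` and `useDigest: false`, and with `pullPolicy: "Always"` each pod start can bring in a different build. The same combination appears in the hubble-relay, operator (`tag: "latest"` plus `suffix: "-ci"`), preflight and clustermesh-apiserver hunks. This looks intended for the development tree, since VERSION moves to 1.16.0-dev in the same commit, but nothing in values.yaml says so. I would add a plain comment above `repository:` such as `# Development default: unpinned CI image; set tag and digest (useDigest: true) before deploying.`, kept as a plain `#` comment so it does not become a `# --` doc line. The `image:` mapping may continue past the hunk's trailing context.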
@@ -842,7 +842,7 @@ certgen: tag: "v0.1.9" digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f" useDigest: true - pullPolicy: "IfNotPresent" + pullPolicy: "Always" # -- Seconds after which the completed job pod will be deleted ttlSecondsAfterFinished: 1800 # -- Labels to be added to hubble-certgen pods @@ -1082,12 +1082,12 @@ hubble: # -- Hubble-relay container image. image: override: ~ - repository: "quay.io/cilium/hubble-relay" - tag: "v1.16.0-pre.0" + repository: "quay.io/cilium/hubble-relay-ci" + tag: "latest" # hubble-relay-digest digest: "" useDigest: false - pullPolicy: "IfNotPresent" + pullPolicy: "Always" # -- Specifies the resources for the hubble-relay pods resources: {} # -- Number of replicas run for the hubble-relay deployment. @@ -1289,7 +1289,7 @@ hubble: tag: "v0.13.0" digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803" useDigest: true - pullPolicy: "IfNotPresent" + pullPolicy: "Always" # -- Hubble-ui backend security context. securityContext: {} # -- Additional hubble-ui backend environment variables. @@ -1320,7 +1320,7 @@ hubble: tag: "v0.13.0" digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666" useDigest: true - pullPolicy: "IfNotPresent" + pullPolicy: "Always" # -- Hubble-ui frontend security context. securityContext: {} # -- Additional hubble-ui frontend environment variables. @@ -1821,7 +1821,7 @@ envoy: override: ~ repository: "quay.io/cilium/cilium-envoy" tag: "v1.28.1-f6d0ca17bd2f445e82eaf1892b132dbf10cb2124" - pullPolicy: "IfNotPresent" + pullPolicy: "Always" digest: "sha256:223fe3d2b7d2c82d0ec3f4fcfd8c322fb7d5052d128519768f6ebc8f6ae43eb7" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. 
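Review bot: `pullPolicy: "Always"` in the certgen hunk (`@@ -842,7`) is applied to an image that is already pinned with `useDigest: true`, so the content cannot change and the only effect is that every container start must reach the registry to resolve the reference. The same holds for the hubble-ui backend and frontend, envoy, cilium-etcd-operator and the three SPIRE image hunks. Assuming the templates render these by digest (they are outside this diff), keeping `pullPolicy: "IfNotPresent"` on the digest-pinned entries would avoid a registry outage blocking restarts of node-level pods, while the `latest`-tagged CI images keep `Always`. The certgen `image:` mapping starts above the hunk.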
@@ -2084,7 +2084,7 @@ etcd: tag: "v2.0.7" digest: "sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc" useDigest: true - pullPolicy: "IfNotPresent" + pullPolicy: "Always" # -- The priority class to use for cilium-etcd-operator priorityClassName: "" # -- Additional cilium-etcd-operator container arguments. @@ -2170,7 +2170,7 @@ operator: image: override: ~ repository: "quay.io/cilium/operator" - tag: "v1.16.0-pre.0" + tag: "latest" # operator-generic-digest genericDigest: "" # operator-azure-digest @@ -2180,8 +2180,8 @@ operator: # operator-alibabacloud-digest alibabacloudDigest: "" useDigest: false - pullPolicy: "IfNotPresent" - suffix: "" + pullPolicy: "Always" + suffix: "-ci" # -- Number of replicas to run for the cilium-operator deployment replicas: 2 # -- The priority class to use for cilium-operator @@ -2341,7 +2341,7 @@ nodeinit: override: ~ repository: "quay.io/cilium/startup-script" tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f" - pullPolicy: "IfNotPresent" + pullPolicy: "Always" # -- The priority class to use for the nodeinit pod. priorityClassName: "" # -- node-init update strategy @@ -2414,12 +2414,12 @@ preflight: # -- Cilium pre-flight image. image: override: ~ - repository: "quay.io/cilium/cilium" - tag: "v1.16.0-pre.0" + repository: "quay.io/cilium/cilium-ci" + tag: "latest" # cilium-digest digest: "" useDigest: false - pullPolicy: "IfNotPresent" + pullPolicy: "Always" # -- The priority class to use for the preflight pod. priorityClassName: "" # -- preflight update strategy @@ -2554,12 +2554,12 @@ clustermesh: # -- Clustermesh API server image. image: override: ~ - repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.16.0-pre.0" + repository: "quay.io/cilium/clustermesh-apiserver-ci" + tag: "latest" # clustermesh-apiserver-digest digest: "" useDigest: false - pullPolicy: "IfNotPresent" + pullPolicy: "Always" # -- TCP port for the clustermesh-apiserver health API. healthPort: 9880 etcd: 
@@ -2947,7 +2947,7 @@ authentication: tag: "1.36.1" digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b" useDigest: true - pullPolicy: "IfNotPresent" + pullPolicy: "Always" # SPIRE agent configuration agent: # -- SPIRE agent image @@ -2957,7 +2957,7 @@ authentication: tag: "1.8.5" digest: "sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b" useDigest: true - pullPolicy: "IfNotPresent" + pullPolicy: "Always" # -- SPIRE agent service account serviceAccount: create: true @@ -3005,7 +3005,7 @@ authentication: tag: "1.8.5" digest: "sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428" useDigest: true - pullPolicy: "IfNotPresent" + pullPolicy: "Always" # -- SPIRE server service account serviceAccount: create: true