Changelog

v1.15.0-pre.3

Summary of Changes

Major Changes:

  • Add dynamic flowlog exporters configured by yaml file (configmap) without a need of agent restart. (#28873, @marqc)
  • Add support for extending ClusterMesh to 511 clusters. By setting the flag --max-connected-clusters=511, a new cluster will be able to connect to a ClusterMesh with up to 511 clusters. If enabled, the number of possible cluster-local identities will be reduced to 32,768. This feature can only be enabled on new clusters, and all clusters in the ClusterMesh must share the same configuration. (#27520, @thorn3r)
  • Add support for Gateway API v1.0 (#28836, @sayboras)
  • k8s: add support for k8s 1.29.0 (#29473, @aanm)

Minor Changes:

  • Add a mode where routing is delegated to another CNI plugin. This enables support for using AWS security groups when chaining Cilium on top of AWS VPC CNI. (#29111, @Alex-Waring)
  • Add lbipam support for shared ips (#28806, @usiegl00)
  • Adds "best-effort" mode for XDP to skip interfaces without driver support (#28666, @poblahblahblah)
  • Adds affinity, nodeSelector, podSecurityContext and securityContext to the SPIRE agent deployment values (#29077, @meyskens)
  • Adds the CiliumPodIPPool selector type to BGP CP AdvertisedPathAttributes to match CiliumPodIPPool custom resources. Path attributes apply to routes announced for selected CiliumPodIPPools. (#28310, @danehans)
  • api, cli: Show srv6 status in cilium status (#28700, @husnialhamdani)
  • bgpv1: Add cilium-dbg bgp route-policies command & include it in the bugtool (#28973, @rastislavs)
  • bgpv1: Use kube-system namespace by default for MD5 secret (#29478, @YutaroHayakawa)
  • bpf: use bpf_xdp_load_bytes() / bpf_xdp_store_bytes() helpers when available (#29377, @julianwiedmann)
  • Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (#28928, @jrajahalme)
  • cilium-dbg: Add statedb query support and commands to inspect statedb tables devices, routes and l2-announce. (#28872, @joamaki)
  • ciliumidentity resiliency improvement (#28912, @tommyp1ckles)
  • cmd/watchdogs: add health reporter to watchdog controller. (#29038, @tommyp1ckles)
  • Config option to customize the default IP Pool when using MultiPool (#28818, @chaunceyjiang)
  • Default client-go QPS and burst in agent and operator have been increased to 10 and 20 respectively for k8s versions 1.27+ (#29445, @marseel)
  • Deprecated helm options enableK8sEventHandover/enableCnpStatusUpdates were removed. Corresponding flag "enable-k8s-event-handover" in Agent and "cnp-status-update-interval" in operator were removed. (#29395, @marseel)
  • FQDN: transition to asynchronous IPCache APIs (#29036, @squeed)
  • gateway-api: Add support for gateway.infrastructure attribute (#29122, @sayboras)
  • gateway-api: Add supported features in GatewayClass status (#29116, @sayboras)
  • gateway-api: Check for required CRDs upon startup (#28982, @sayboras)
  • Handle IPv4 fragments in SNAT flows correctly. (#25340, @gentoo-root)
  • Hide empty columns by default in "kubectl get ciliumendpoints" output (#28744, @Iiqbal2000)
  • hubble-relay: Add support for peers joining during requests (#29326, @glrf)
  • Hubble: add option to filter for pods and services in any namespace (#28921, @glrf)
  • hubble: Add Support for filtering on HTTP headers (#28851, @ChrsMark)
  • hubble: Conditionally redact user info present in URLs in (L7) HTTP flows (#28848, @ioandr)
  • Improve Hubble Relay Kubernetes Readiness/Liveness check (#28765, @glrf)
  • init: Poll CRD synchronization times have been lowered from 1 second to 50ms. (#28954, @howardjohn)
  • Merge clustermesh-apiserver and kvstoremesh into a single image (#27888, @giorio94)
  • metric: provide way to declare labels. (#27835, @tommyp1ckles)
  • mutual-auth: Bump spire image version (#29101, @sayboras)
  • Named ports in DNS policies are now resolved correctly. (#29023, @jrajahalme)
  • pkg/datapath: Remove defunct --single-cluster-route flag (#29221, @gandro)
  • policy: Cilium will not process or enforce network policies with port ranges or Kubernetes network policies that use "EndPort". (#28704, @nathanjsweet)
  • Propagate prefixed labels from Ingress resource to LB service (#28598, @log1cb0mb)
  • Remove deprecated tunnel option, and corresponding helm values setting (#29053, @giorio94)
  • Replace etcd init script used for clustermesh with a Go equivalent. Upgrade etcd to v3.5.10. (#29109, @JamesLaverack)
  • Replace metricsmap-bpf-prom-sync with Prometheus Collector pattern (#27370, @carnerito)
  • Respond with ICMP reply for traffic to services without backends (#28157, @dylandreimerink)
  • show DSR-dispatch mode in cilium-dbg status (#29217, @chaunceyjiang)
  • When tunneling is enabled, a packet will be encapsulated by Cilium's tunnel netdev before encrypting with WireGuard. (#29000, @brb)

Bugfixes:

  • "envoy-admin" cluster is renamed as "/envoy-admin", requiring all references in CEC/CCEC to be updated. (#29020, @jrajahalme)
  • ImplementationSpecific Ingress paths (which for Cilium Ingress means regex path matches) are now sorted correctly in between Exact and Prefix matches. (#29381, @youngnick)
  • Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29307, @ti-mo)
  • bpf: Add TC_ACT_REDIRECT check for nodeport (#28927, @sayboras)
  • bpf: Fix drop of IPv6 reply traffic when 1) pod-originating connection is SNATed by iptables, and 2) Host Firewall is enabled. (#28813, @oblazek)
  • bpf: xdp: don't support GENEVE passthrough with DSR-Hybrid (#28959, @julianwiedmann)
  • Conntrack entries for Service connections are now printed in the canonical "source -> destination" format when using the "bpf ct list" command. (#28913, @julianwiedmann)
  • ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (#29098, @julianwiedmann)
  • datapath: Fix ENI egress routing table for cilium_host IP (#29335, @gandro)
  • datapath: Fix primary flag in NodeAddress (#29483, @joamaki)
  • Do not skip FIB lookup when running in BPF Host Routing when Endpoint Routes enabled (#28264, @aspsk)
  • egressgateway: Use UID to identify CiliumEndpoints in epDataStore (#29124, @rastislavs)
  • egressgw: Fix the issue that an iptables SNAT rule in the host netns interferes with packets to the egress gw and bypasses the egress GW policy (#29379, @ysksuzuki)
  • endpointmanager: fix bpf policy pressure getting stuck. (#28185, @tommyp1ckles)
  • endpointmanager: unmap ip for lookup (#29554, @tklauser)
  • Fix external workloads not working with non-default ClusterID (#29378, @giorio94)
  • Fix rendering helm operator-dashboard annotations (#29106, @Zariel)
  • Fix source identity determination for DSR with Geneve-dispatch, by looking it up from the ipcache. (#29155, @chez-shanpu)
  • Fix the Created timestamps in cilium bpf nat list that used to display the same values. (#27062, @gentoo-root)
  • Fixed label synchronization issues in Cilium, ensuring accurate representation of endpoint labels during restoration and addressing out-of-sync problems caused by label changes while the Cilium agent is down. (#29248, @aanm)
  • Fixes an L7 proxy issue by re-introducing 2005 route table. (#29530, @jschwinger233)
  • gateway-api: add watch for reference grant in TLSRoute reconciler (#29007, @mhofstetter)
  • gateway-api: Avoid redirect loop when the same host name is used for http and https listeners (#29115, @sayboras)
  • gateway: Ignore loadbalancer class for Gateway service (#29547, @sayboras)
  • Handle non-AEAD IPsec keys in cilium encrypt status. (#29182, @viktor-kurchenko)
  • ingress: cleanup resources on changed ingress class field (#28886, @mhofstetter)
  • ingress: fix foreground deletion of Ingress (#29367, @mhofstetter)
  • Install loopback CNI atomically to protect against aborted copy (#29462, @akhilles)
  • ipam: Fix bug where IP lease did not expire (#29443, @gandro)
  • iptables: remove logic to control non-existent net.ipv6.ip_early_demux (#29310, @julianwiedmann)
  • k8s ingress & gateway api: fix unintentional deletion of shared envoy cluster resource (#28896, @mhofstetter)
  • l2announcer: Leases are only created for services that are being announced. (#29446, @f1ko)
  • lbipam: Fix off-by-one error in LBIPAM range allocation (#29425, @YutaroHayakawa)
  • neigh: Install neighbor entries only on devices where routes exist (#28782, @ysksuzuki)
  • Policy revert used in rare error cases has been corrected. (#29162, @jrajahalme)
  • Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (#29340, @aanm)
  • Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29202, @thorn3r)
  • statedb: Fix termination of string and IP keys (#29368, @joamaki)
  • When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (#29160, @julianwiedmann)

CI Changes:

  • Add 100 node scale test workflow (#29214, @learnitall)
  • ariane: Disable ci-e2e-upgrade (#29488, @brb)
  • bpf/tests: Fixed loop not unrolled error in pktgen (#28942, @dylandreimerink)
  • bpf: complexity-tests: add HAVE_FIB_NEIGH (#29348, @julianwiedmann)
  • ci aws: cleanup EKS cluster in separate job (#29412, @mhofstetter)
  • ci-clustermesh-upgrade: Increment timeout between rollouts to 5min (#29560, @mhofstetter)
  • ci-e2e-upgrade: Bring it on (#29073, @brb)
  • ci-e2e-upgrade: Remove setting CLI vsn (#29435, @brb)
  • ci-e2e: Use kernel 6.1 instead of 6.0 (#29345, @brb)
  • ci-gke: remove duplicated wait for cilium (#29542, @mhofstetter)
  • ci-ipsec-upgrade: Check for errors (#29189, @brb)
  • ci-ipsec-upgrade: Drop no-missed-tail-calls exclusion (#29325, @brb)
  • ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (#29072, @brb)
  • ci: add K8s 1.28 platform testing (#29004, @nbusseneau)
  • CI: Add merge_group trigger (#29276, @brlbil)
  • ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (#29455, @mhofstetter)
  • ci: Bump timeout of ci-runtime (#29317, @YutaroHayakawa)
  • ci: Bump up the memory of LVH in conformance-e2e (#29494, @michi-covalent)
  • ci: bypass proxy.golang.org in Go toolchain installation (#29549, @tklauser)
  • ci: disable envoy tracing in multi-pool workflow (#28966, @tklauser)
  • ci: don't write github commit status on push event (#29404, @mhofstetter)
  • ci: don't write github commit status on push event (#29438, @mhofstetter)
  • ci: fix deployment issue with multiple clusters in same region (#29427, @mhofstetter)
  • ci: fix dns issue when pulling cilium-docker-plugin in ci-runtime (#29502, @mhofstetter)
  • ci: fix merge group required checks (#29337, @brlbil)
  • ci: fix typo in clustermesh workflow job name (#29046, @tklauser)
  • ci: increase cilium wait timeout to 10m on cloud providers (#29541, @mhofstetter)
  • ci: increase disk size for GKE clusters (ci-gke & ci-external-workloads) (#29528, @mhofstetter)
  • ci: migrate some schedule workflows to event trigger push (#29433, @mhofstetter)
  • ci: Remove useless quotes in update label workflow (#28952, @pippolo84)
  • cilium-cli action: Specify the repository parameter (#29338, @michi-covalent)
  • datapath: Clean up XFRM configs after unit tests (#29332, @pchaigno)
  • Drop support for EOLed Kubernetes versions (#29174, @michi-covalent)
  • egressgw: tests: wait for initial sync reconciliation (#29084, @jibi)
  • Extend BPF unit tests for IPsec (#28438, @jschwinger233)
  • Fix pre-flight clusterrole check (#29224, @marseel)
  • gh/workflows: Add lvh-kind action and use it in ci-e2e (#29485, @brb)
  • gh/workflows: Dump Cilium LB node logs in case of failure (#28808, @brb)
  • gh: datapath-verifier: also run on 6.1 kernel (#29349, @julianwiedmann)
  • gha: Enable Ingress Controller tests in conformance-e2e (#29130, @sayboras)
  • restore full go vet behaviour (#28945, @bimmlerd)
  • scale-test-100-gce: Use CILIUM_CLI_VERSION (#29562, @michi-covalent)
  • Set correct cluster name and id during upgrade test (#29165, @marseel)
  • Skip k8s upstream conformance test for multiple protocols on a Service (#29524, @youngnick)
  • Switch to on-demand instances for AWS tests on scheduled runs. (#29366, @marseel)
  • Test upgrade/downgrade to patch release for IPsec (#28815, @qmonnet)
  • test/k8s: clean up unused manifests (#29436, @tklauser)
  • test: Use previous in-pod CLI name for updates (#29208, @joestringer)
  • tests-e2e-upgrade: Use CILIUM_CLI_VERSION (#29496, @michi-covalent)
  • Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (#29409, @giorio94)
  • workflows: Add debug info to IPsec key rotation test (#29353, @pchaigno)
  • workflows: move cilium_cli_version definition to set-env-variables action (#29237, @jibi)
  • workflows: Pin conn-disrupt-test GH action to main (#29402, @pchaigno)

Misc Changes:

  • .github/workflows: only cancel concurrent jobs if not in merge_group (#29431, @aanm)
  • .github: do not group jobs on merge queues (#29551, @aanm)
  • Add AirQo to Cilium USERS.md (#29467, @123MwanjeMike)
  • Add an option to force BPF attachment to native device (#29176, @YutaroHayakawa)
  • Add CEP and CES resources (#29244, @pippolo84)
  • Add Cybozu to USERS.md (#29231, @chez-shanpu)
  • Add Dcode.tech to USERS.md (#28996, @eliranw)
  • Add IDNIC/Kadabra as user to Cilium (#28958, @ardikabs)
  • Add node activity health reporters on node manager (#28799, @derailed)
  • Add table for node addresses (#28962, @joamaki)
  • add v1.15.0-pre.2 release (#28903, @aanm)
  • api: Allow middleware to be injected via Hive (#29223, @gandro)
  • BGP CP: Replaces LocalNodeStore with Local CiliumNode (#28238, @danehans)
  • bgpv1: fix incorrect error messages in the reconcilePodIPPool function (#29125, @hargrovee)
  • bgpv1: fix merge race conflict on NewGoBGPServer (#29321, @mhofstetter)
  • bgpv1: Prevent multiple reconcilers with the same name (#29071, @rastislavs)
  • bgpv1: Reorganize BGP config reconcilers (#29277, @rastislavs)
  • bgpv1: Use specific log message and remove unused parameter (#28895, @hargrovee)
  • bpf: fine-tune a few L3 header validations (#28669, @julianwiedmann)
  • bpf: host: adjust scope of HostFW section in handle_ipv6() (#29052, @julianwiedmann)
  • bpf: ipsec: move get_min_encrypt_key() to encrypt.h (#28991, @julianwiedmann)
  • bpf: lb: fix missing drop reason in reverse_map_l4_port() (#28884, @julianwiedmann)
  • bpf: lxc: avoid upgrade/downgrade woes with CB_FROM_TUNNEL in IPv6 path (#29304, @julianwiedmann)
  • bpf: nat: fully switch to snat_v*_rewrite_helpers() (#29403, @julianwiedmann)
  • bpf: nat: limit EgressGW redirect check to bpf_host (#29159, @julianwiedmann)
  • bpf: nat: pass NAT map to snat_v4_new_mapping() (#29049, @julianwiedmann)
  • bpf: nodeport: re-introduce Ingress HostFW between RevSNAT and RevDNAT (#28960, @julianwiedmann)
  • bpf: tests: minor cleanups (#29354, @julianwiedmann)
  • bpf: tunnel-related cleanups in to-container path (#28920, @julianwiedmann)
  • bpf: use l4_load_ports() everywhere (#29135, @julianwiedmann)
  • Bug: Fix module health status output (#29140, @derailed)
  • build: Declare GO in makefile before first use (#28983, @sayboras)
  • Changed cilium status CLI output to render the modules health section as a tree structure vs tabular data. (#28800, @derailed)
  • chore(deps): update actions/checkout action to v4 (main) (#29539, @renovate[bot])
  • chore(deps): update actions/github-script action to v7 (main) (#29142, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (#28987, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (minor) (#29260, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#29262, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#29387, @renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (#29533, @renovate[bot])
  • chore(deps): update all github action dependencies to v2 (main) (major) (#29540, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#29388, @renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#29534, @renovate[bot])
  • chore(deps): update anchore/scan-action action to v3.3.8 (main) (#29573, @renovate[bot])
  • chore(deps): update cilium/cilium digest to 614f2dd (main) (#29386, @renovate[bot])
  • chore(deps): update cilium/cilium digest to 93f26fd (main) (#29141, @renovate[bot])
  • chore(deps): update cilium/cilium digest to ef8ca62 (main) (#29120, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.13 (main) (#28989, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.14 (main) (#29234, @renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.15.16 (main) (#29464, @renovate[bot])
  • chore(deps): update dependency eksctl-io/eksctl to v0.165.0 (main) (#29537, @renovate[bot])
  • chore(deps): update dependency go to v1.21.4 (main) (#29558, @renovate[bot])
  • chore(deps): update dependency kubernetes/kops to v1.28.1 (main) (#29128, @renovate[bot])
  • chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (main) (#29535, @renovate[bot])
  • chore(deps): update docker.io/library/golang:1.21.4 docker digest to 9baee0e (main) (#29261, @renovate[bot])
  • chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d (main) (#29572, @renovate[bot])
  • chore(deps): update go to v1.21.4 (main) (patch) (#29043, @renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v1.55.2 (main) (#28990, @renovate[bot])
  • chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (main) (#29314, @renovate[bot])
  • chore(deps): update quay.io/cilium/kindest-node docker tag to v1.28.3 (main) (#29057, @renovate[bot])
  • chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231123.012848 (main) (#28992, @renovate[bot])
  • ci-ipsec-upgrade: Do not run conn tests after installing Cilium (#29178, @brb)
  • ci: Bump timeout on ci-runtime privileged workflow (#28923, @jrajahalme)
  • CI: fix broken BPF complexity tests (#29510, @lmb)
  • cilium-dbg, policy, api: Fix labels in policy selectors output (#29152, @christarazi)
  • cilium: Add a few bwm setting tweaks (#29552, @borkmann)
  • Clarify cilium_event_ts metric description (#29303, @christarazi)
  • client: Use options pattern for NewRuntime (#29271, @gandro)
  • clustermesh install documentation: missing step (#28889, @dashaun)
  • cni: remove unused CILIUM_CNI_CONF variable from install script (#29063, @wedaly)
  • CODEOWNERS: claim some new ipsec-related files for cilium/ipsec (#29516, @julianwiedmann)
  • CODEOWNERS: IPsec owns pkg/common/ipsec (#29002, @pchaigno)
  • CODEOWNERS: Let IPsec team own GH workflows for IPsec (#29190, @brb)
  • contrib: Fix prerelease pullPolicy (#28906, @joestringer)
  • ctmap: limit NAT purging to expected CT tuple types (#28871, @julianwiedmann)
  • daemon: Simplify cilium_host IP restoration (#28781, @gandro)
  • datapath: Few minor improvements to DevicesController (#28887, @joamaki)
  • datapath: Move linuxNodeHandler IPsec functions to their own file (#28941, @pchaigno)
  • devices: fix busy loop (#29163, @bimmlerd)
  • dnsproxy: convert LookupEndpointByIP to use netip.Addr (#28891, @tklauser)
  • doc: Add roadmap for mutual authentication (#29006, @tgraf)
  • docs: Add CiliumPodIPPool option in BGP Adv. Path Attributes docs (#29177, @rastislavs)
  • docs: Add cluster install/prep guide for GKE-to-GKE clustermesh (#29342, @Neutrollized)
  • docs: add instructions to build kindest-node image (#29079, @aanm)
  • docs: bump required Helm version (#29273, @nebril)
  • docs: Drop references to Helm v2 (#29463, @joestringer)
  • docs: update versions and parameters for XDP Acceleration on AKS (#29091, @jshr-w)
  • Docs: Updates BGP CP Developer Docs (#28908, @danehans)
  • don't remove neighbor link state file if migrateOnly (#28659, @liuyuan10)
  • enabled initialDelaySeconds on StartupProbe (#28816, @jignyasamishra)
  • endpoint: Clarify policy locking requirements (#29024, @jrajahalme)
  • endpoint: fix removed code comment. (#29172, @tommyp1ckles)
  • endpointstate: Add an interface to wait for endpoint restore (#29243, @pippolo84)
  • envoy: periodic version-check with hive timer job (#29513, @mhofstetter)
  • envoy: Support internal listeners in CiliumEnvoyConfig CRDs (#29026, @jrajahalme)
  • envoy: Update to pick up deny policy support (#28862, @jrajahalme)
  • Extract tunnel options to simplify override, and inject them through hive (#29051, @giorio94)
  • Fix bug preventing endpoint-related debug logs from being emitted (#29495, @learnitall)
  • Fix Cilium Datapath Prometheus metric names (#29226, @carnerito)
  • fix(deps): update all go dependencies main (main) (minor) (#28994, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#29264, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#29398, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (minor) (#29538, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#28993, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#29134, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#29389, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#29536, @renovate[bot])
  • fix(deps): update all go dependencies main (main) (patch) (#29574, @renovate[bot])
  • fix(deps): update golang.org/x/sys digest to 13b15b7 (main) (#29279, @renovate[bot])
  • fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.613 (main) (#29263, @renovate[bot])
  • fix(deps): update module github.com/go-openapi/validate to v0.22.2 (main) (#29280, @renovate[bot])
  • Fixes rate limiting for CES Controller (#28963, @alan-kut)
  • Follow-up nits from etcd init script pull request (#29489, @JamesLaverack)
  • fqdn/dnsproxy: drop dependency on global EnableIPv{4,6} option (#28968, @tklauser)
  • gateway-api: cleanup cell imports & dependencies (#29204, @mhofstetter)
  • gateway-api: don't register secretsync if required CRDs aren't present (#29437, @mhofstetter)
  • gateway-api: fix up for import rename (#29143, @julianwiedmann)
  • gateway-api: improve secret sync resiliency (#29017, @mhofstetter)
  • gateway-api: Use Gateway API definition to check Route condition (#29359, @haiyuewa)
  • go.mod, vendor: update golang.org/x/sys to latest unreleased version (#29070, @tklauser)
  • Helm: Allow configuration of the install-cni container resources field (#27469, @RenaudWasTaken)
  • helm: Fix annotation duplication problems for cilium-agent (#28978, @bradwhitfield)
  • hubble/relay: Remove ReportOffline and refactor PeerManager (#28595, @glrf)
  • images: drop the kvstoremesh dockerfile (#28961, @giorio94)
  • images: Fix init-container script for cilium-dbg (#29424, @joestringer)
  • Implement NodeAddressing on top of Table[NodeAddress] (#29033, @joamaki)
  • Improve deletion of stale backends associated with non-global services, without waiting for full Cluster Mesh synchronization (#28745, @giorio94)
  • ingress: migrate Cilium Ingress controller to use the controller-runtime library (#29327, @mhofstetter)
  • ingress: migrate secret-sync to controller-runtime (#29198, @mhofstetter)
  • Introduce sync.Map wrapper with generics support (#29452, @giorio94)
  • ipam: Fix duplicate metric ipam_event release (#29520, @christarazi)
  • ipcache: keep upserted prefixes from being deleted by InjectLabels (#29014, @squeed)
  • ipcache: move CIDR restoration to asynchronous APIs (#28673, @squeed)
  • ipsec: Improve encrypt flush command (#28795, @pchaigno)
  • ipsec: Remove dead code for IPsec node encryption (#28898, @pchaigno)
  • ipsec: Small refactorings on key loading and state creation (#29352, @pchaigno)
  • k8s: remove unused slim k8s model for Ingress & IngressClass (#29517, @mhofstetter)
  • L7 Loadbalancing: Migrate to controller-runtime library (#29126, @mhofstetter)
  • labels: further optimize IPStringToLabel for single IP case (#29040, @tklauser)
  • loader: attach XDP programs using bpf_link (#28308, @rgo3)
  • loader: do not invoke llc separately (#29458, @lmb)
  • makefile: add back the sed command to update the logo path (#28929, @bradwhitfield)
  • maps: nat: fix copy & paste in error message from doFlush*() (#29097, @julianwiedmann)
  • Minor documentation fixes and improvements for the BGP MD5 feature (#29375, @nvibert)
  • Miscellaneous improvements about kvstore logging (#28843, @giorio94)
  • Miscellaneous improvements to the etcd client (#28834, @giorio94)
  • Modularise MTU discovery (#28964, @bimmlerd)
  • Modularize ipcache BPF listener (#29194, @giorio94)
  • Modularize iptables manager (#28746, @pippolo84)
  • Modularize kernel modules manager into its own cell (#28713, @pippolo84)
  • Modularized the bandwidth manager (#28619, @dylandreimerink)
  • mountinfo: fix build on linux/386 (#29481, @tklauser)
  • node: allow to override enable encapsulation on a per-node basis (#29232, @giorio94)
  • operator: extract controller-runtime integration into its own cell (#28931, @mhofstetter)
  • option: add LoadBalancerUsesDSR() helper (#26898, @julianwiedmann)
  • pkg/allocator: store key in variable for error message (#29076, @aanm)
  • pkg/bgpv1: Updates getPeerConfig() Method (#28474, @danehans)
  • plugins/cilium-cni: Move implementation into separate package (#29336, @gandro)
  • policy: Return a real nil rather than a non-nil interface (#29022, @jrajahalme)
  • policy: Simplify AccumulateMapChanges prototypes (#29025, @jrajahalme)
  • Prepare for release v1.15.0-pre.2 (#28901, @aanm)
  • probes: remove HAVE_FIB_LOOKUP leftovers (#29401, @rgo3)
  • proxy: define and use well known datapath constants (#28955, @tklauser)
  • README: Update releases (#29170, @nathanjsweet)
  • Refactor LocalNode synchronization logic and remove NodeChain (#29319, @giorio94)
  • Remove accidentally checked in .orig file (#29145, @christarazi)
  • Remove usage of global options from iptables cell (#29088, @pippolo84)
  • Renamed Hubble Dashboard so that it can be installed by Grafana Sidecar. (#28971, @saintdle)
  • Report node source in cilium-dbg node list (#29196, @tklauser)
  • secret-sync: extract secret-sync logic from gateway api controller & introduce hive cell (#29100, @mhofstetter)
  • service: fix service manager interface mismatch caused by merge race (#29018, @giorio94)
  • Some small fixes to make kind-fast (#28621, @squeed)
  • statedb: Allow non-terminated keys (#29440, @joamaki)
  • statedb: Simplify integration with Hive (#28892, @joamaki)
  • stream: fix spurious event on termination when Debounce is used (#29347, @giorio94)
  • Update lb-ipam.rst (#28756, @nvibert)