Prepare for release v1.10.10

joestringer · joestringer · commit 8a77a4a22ab3 · 2022-04-15T18:03:20.000+02:00
Signed-off-by: Joe Stringer &lt;joe@cilium.io&gt;
diff --git a/.github/maintainers-little-helper.yaml b/.github/maintainers-little-helper.yaml
@@ -1,4 +1,4 @@
-project: "https://github.com/cilium/cilium/projects/184"
+project: "https://github.com/cilium/cilium/projects/187"
 column: "In progress"
 auto-label:
   - "kind/backports"
diff --git a/.mailmap b/.mailmap
@@ -48,8 +48,9 @@ Jonathan Davies <jpds@protonmail.com>
 Joshua Roppo <joshroppo@gmail.com>
 Jun Chen <answer1991.chen@gmail.com>
 Junli Ou <oujunli306@gmail.com>
-Kamil Lach <kamil.lach.rs@gmail.com> <kamil@thor.asgard.local>
 Kaito Ii <kaitoii1111@gmail.com>
+Kamil Lach <kamil.lach.rs@gmail.com> <kamil@thor.asgard.local>
+Kante Yin <kerthcet@gmail.com>
 Karl Heins <karlheins@northwesternmutual.com>
 Kevin Holditch <82885135+kevholditch-f3@users.noreply.github.com>
 Bokang Li <libokang.dev@gmail.com>
diff --git a/AUTHORS b/AUTHORS
@@ -162,6 +162,7 @@ Jun Chen                                answer1991.chen@gmail.com
 Junli Ou                                oujunli306@gmail.com
 Jussi Maki                              jussi@isovalent.com
 Kaito Ii                                kaitoii1111@gmail.com
+Kante Yin                               kerthcet@gmail.com
 Karl Heins                              karlheins@northwesternmutual.com
 Katarzyna Borkmann                      kasia@iogearbox.net
 Kevin Burke                             kevin@burke.dev
@@ -243,6 +244,7 @@ Raghu Gyambavantha                      raghug@bld-ml-loan4.olympus.f5net.com
 Rahul Jadhav                            nyrahul@gmail.com
 Rajat Jindal                            rajatjindal83@gmail.com
 Raphael Campos                          raphael@accuknox.com
+Raphaël Pinson                          raphael@isovalent.com
 Ray Bejjani                             ray@isovalent.com
 Rei Shimizu                             Shikugawa@gmail.com
 Renat Tuktarov                          yandzeek@gmail.com
@@ -317,13 +319,15 @@ Weilong Cui                             cuiwl@google.com
 Wenxian Li                              wofanli@gmail.com
 Will Deuschle                           wdeuschle@palantir.com
 xentobias                               mosetobias@gmail.com
+Ye Sijun                                junnplus@gmail.com
 Yiannis Yiakoumis                       yiannis@selfienetworks.com
 Yongkun Gui                             ygui@google.com
 Yosh de Vos                             yosh@elzorro.nl
 Youssef Azrak                           yazrak.tech@gmail.com
 Yuan Liu                                liuyuan@google.com
 Yurii Dzobak                            yurii.dzobak@lotusflare.com
 Yurii Komar                             Subreptivus@gmail.com
+Yutaro Hayakawa                         yutaro.hayakawa@isovalent.com
 Yves Blusseau                           yves.blusseau@acoss.fr
 Zang Li                                 zangli@google.com
 Zhiyuan Hou                             zhiyuan2048@linux.alibaba.com
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,50 @@
 # Changelog
 
+## v1.10.10
+
+Summary of Changes
+------------------
+
+**Minor Changes:**
+* Locally allocated identities are now restored during restart, helping avoid transient drops due to identity changes in policies. (Backport PR #19404, Upstream PR #19360, @jrajahalme)
+
+**Bugfixes:**
+* cmd: Fix issue where a ConfigMap value of `{}` was parsed as `map["{}":""]`. (Backport PR #19254, Upstream PR #19172, @gandro)
+* Fix a bug where a backend pod can be selected by a local redirect policy deployed in a different namespace if the local redirect policy was deployed first. (Backport PR #19254, Upstream PR #19193, @aditighag)
+* Fix bug that would cause some pod traffic to leave through the wrong interface if --aws-release-excess-ips is used and masquerading disabled. (Backport PR #19296, Upstream PR #19162, @pchaigno)
+* Fix bug where FQDN policy calculation could trigger a deadlock in cilium-agent (Backport PR #19254, Upstream PR #19031, @joestringer)
+* Fix bug where the Cilium DNS proxy slows down significantly (and even OOMs) due to lock contention from spawning many goroutines when handling bursty DNS traffic (Backport PR #19416, Upstream PR #19336, @nebril)
+* Fixed node init in RKE (Backport PR #19416, Upstream PR #19286, @raphink)
+* helm: Removed unnecessary Kubernetes RBAC permissions for cilium-agent (Backport PR #19254, Upstream PR #19053, @nathanjsweet)
+* helm: Update Clustermesh-APIServer RBAC permissions for platforms (like Openshift) that have the OwnerReferencesPermissionEnforcement admission controller enabled. (Backport PR #19254, Upstream PR #19071, @nathanjsweet)
+* hubble/recorder: Sanitize pcap filename (Backport PR #19254, Upstream PR #18612, @gandro)
+* wireguard: Reject duplicate public keys (Backport PR #19416, Upstream PR #19344, @gandro)
+
+**CI Changes:**
+* jenkinsfiles: Update calls to Quay API (Backport PR #19254, Upstream PR #19229, @pchaigno)
+* test: Wait until host EP is ready (=regenerated) (Backport PR #19331, Upstream PR #18859, @brb)
+* Use docker manifest inspect to wait for images instead of using quay API (Backport PR #19331, Upstream PR #19307, @YutaroHayakawa)
+* workflows: Update call to Quay API (Backport PR #19254, Upstream PR #19228, @pchaigno)
+
+**Misc Changes:**
+* Add a 'Limitations' section to 'External Workloads'. (Backport PR #19416, Upstream PR #19366, @bmcustodio)
+* add context when return errors during datapath initialization (Backport PR #19254, Upstream PR #18011, @kerthcet)
+* build(deps): bump actions/cache from 3.0.0 to 3.0.1 (#19272, @dependabot[bot])
+* build(deps): bump actions/cache from 3.0.1 to 3.0.2 (#19392, @dependabot[bot])
+* build(deps): bump actions/checkout from 3.0.0 to 3.0.1 (#19446, @dependabot[bot])
+* build(deps): bump KyleMayes/install-llvm-action from 1.5.1 to 1.5.2 (#19324, @dependabot[bot])
+* ci: Pin down image for the documentation workflow (Backport PR #19416, Upstream PR #19356, @qmonnet)
+* docs: Clarify use of the `eni.subnetTagsFilter` option (Backport PR #19331, Upstream PR #19276, @gandro)
+* envoy: Limit accesslog socket permissions (Backport PR #19416, Upstream PR #19190, @jrajahalme)
+* ipcache: Add test asserting out-of-order Kubernetes events (Backport PR #19331, Upstream PR #19258, @christarazi)
+* Test runtime cilium in container (take two) (Backport PR #19404, Upstream PR #19310, @jrajahalme)
+* test: Fix whitespace in docker-run-cilium (Backport PR #19404, Upstream PR #19358, @jrajahalme)
+* vendor: pull in the latest changes from github.com/vishvananda/netlink (Backport PR #19404, Upstream PR #18618, @aditighag)
+* wireguard: Fix invalid bits when agent init (Backport PR #19254, Upstream PR #19118, @Junnplus)
+
+**Other Changes:**
+* install: Update image digests for v1.10.9 (#19239, @aanm)
+
 ## v1.10.9
 
 Summary of Changes
diff --git a/Documentation/concepts/kubernetes/compatibility-table.rst b/Documentation/concepts/kubernetes/compatibility-table.rst
@@ -76,6 +76,8 @@
 +-----------------+----------------+
 | v1.9.13         | 1.22.6         |
 +-----------------+----------------+
+| v1.9.14         | 1.22.6         |
++-----------------+----------------+
 | v1.9            | 1.22.6         |
 +-----------------+----------------+
 | v1.10.0-rc0     | 1.23.1         |
@@ -106,5 +108,6 @@
 +-----------------+----------------+
 | v1.10           | 1.23.4         |
 +-----------------+----------------+
-| latest / master | 1.24.2         |
+| latest / master | 1.26.0         |
+| 1.25.1          |                |
 +-----------------+----------------+
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.10.9
+1.10.10
diff --git a/install/kubernetes/Makefile.digests b/install/kubernetes/Makefile.digests
@@ -2,12 +2,12 @@
 # Copyright 2022 Authors of Cilium
 # SPDX-License-Identifier: Apache-2.0
 
-CILIUM_DIGEST := "sha256:ebe1696cebfdaa95112a48c40bcef01e2771113ae2d4be0dda762bece78293b9"
-CLUSTERMESH_APISERVER_DIGEST := "sha256:ae43adb896c47a0ebfc2124afc0c46393ec694285e744d00df57ba697d957442"
-DOCKER_PLUGIN_DIGEST := "sha256:33d64e022c57f8f48c8b51ade2ee360d7b2be47af36d3b33b55994ed66a7019a"
-HUBBLE_RELAY_DIGEST := "sha256:92a895d77a8d6c71efceedc111adc848842e5c8bb8ee6d8c0a7812a97ebc1e00"
-OPERATOR_ALIBABACLOUD_DIGEST := "sha256:9d66f9ee6080ffedf46cfcb554a7303b25a15935e7bcdc73e742e1830da08f82"
-OPERATOR_AWS_DIGEST := "sha256:ff3dc39157b4a0935495a3cb417ce3e4c70ca906a0f7e79a323b2e920a0b0265"
-OPERATOR_AZURE_DIGEST := "sha256:1af911a1a15bc7be78ca2e4f8a0ccdff037f0077005993e8c44a88f881c59018"
-OPERATOR_GENERIC_DIGEST := "sha256:7f9bf92d7e38372dc19899cc3055a04d93095886687f3c03e41932ad5a32e3ac"
-OPERATOR_DIGEST := "sha256:a4f7f32530b8632eecfec3b051ac6616fdc7f6c25a91f48721676d4c2a0edf67"
+CILIUM_DIGEST := ""
+CLUSTERMESH_APISERVER_DIGEST := ""
+DOCKER_PLUGIN_DIGEST := ""
+HUBBLE_RELAY_DIGEST := ""
+OPERATOR_ALIBABACLOUD_DIGEST := ""
+OPERATOR_AWS_DIGEST := ""
+OPERATOR_AZURE_DIGEST := ""
+OPERATOR_GENERIC_DIGEST := ""
+OPERATOR_DIGEST := ""
diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml
@@ -2,10 +2,10 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.10.9
-appVersion: 1.10.9
+version: 1.10.10
+appVersion: 1.10.10
 kubeVersion: ">= 1.16.0-0"
-icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.10.9/Documentation/images/logo-solo.svg
+icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.10.10/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
 keywords:
   - BPF
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.10.9](https://img.shields.io/badge/Version-1.10.9-informational?style=flat-square) ![AppVersion: 1.10.9](https://img.shields.io/badge/AppVersion-1.10.9-informational?style=flat-square)
+![Version: 1.10.10](https://img.shields.io/badge/Version-1.10.10-informational?style=flat-square) ![AppVersion: 1.10.10](https://img.shields.io/badge/AppVersion-1.10.10-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -81,7 +81,7 @@ contributors across the globe, there is almost always someone available to help.
 | cluster.id | int | `nil` | Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh. |
 | cluster.name | string | `"default"` | Name of the cluster. Only required for Cluster Mesh. |
 | clustermesh.apiserver.etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.4.13"}` | Clustermesh API server etcd image. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:ae43adb896c47a0ebfc2124afc0c46393ec694285e744d00df57ba697d957442","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.10.9","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.10.10","useDigest":false}` | Clustermesh API server image. |
 | clustermesh.apiserver.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.podLabels | object | `{}` | Labels to be added to clustermesh-apiserver pods |
@@ -198,7 +198,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.metrics.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor hubble |
 | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
 | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) |
-| hubble.relay.image | object | `{"digest":"sha256:92a895d77a8d6c71efceedc111adc848842e5c8bb8ee6d8c0a7812a97ebc1e00","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.10.9","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.10.10","useDigest":false}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -243,7 +243,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
-| image | object | `{"digest":"sha256:ebe1696cebfdaa95112a48c40bcef01e2771113ae2d4be0dda762bece78293b9","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.10.9","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.10.10","useDigest":false}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | installIptablesRules | bool | `true` | Configure whether to install iptables rules to allow for TPROXY (L7 proxy injection), iptables-based masquerading and compatibility with kube-proxy. |
 | installNoConntrackIptablesRules | bool | `false` | Install Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup. |
@@ -302,7 +302,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraInitContainers | list | `[]` | Additional InitContainers to initialize the pod. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:9d66f9ee6080ffedf46cfcb554a7303b25a15935e7bcdc73e742e1830da08f82","awsDigest":"sha256:ff3dc39157b4a0935495a3cb417ce3e4c70ca906a0f7e79a323b2e920a0b0265","azureDigest":"sha256:1af911a1a15bc7be78ca2e4f8a0ccdff037f0077005993e8c44a88f881c59018","genericDigest":"sha256:7f9bf92d7e38372dc19899cc3055a04d93095886687f3c03e41932ad5a32e3ac","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.10.9","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.10.10","useDigest":false}` | cilium-operator image. |
 | operator.nodeSelector | object | `{}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
 | operator.podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":1}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -330,7 +330,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | object | `{}` | Additional preflight environment variables. |
 | preflight.extraHostPathMounts | list | `[]` | Additional preflight host path mounts. |
 | preflight.extraInitContainers | list | `[]` | Additional preflight init containers. |
-| preflight.image | object | `{"digest":"sha256:ebe1696cebfdaa95112a48c40bcef01e2771113ae2d4be0dda762bece78293b9","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.10.9","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.10.10","useDigest":false}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget | object | `{"enabled":true,"maxUnavailable":2}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
@@ -83,11 +83,11 @@ rollOutCiliumPods: false
 image:
   override: ~
   repository: quay.io/cilium/cilium
-  tag: v1.10.9
+  tag: v1.10.10
   pullPolicy: IfNotPresent
   # cilium-digest
-  digest: "sha256:ebe1696cebfdaa95112a48c40bcef01e2771113ae2d4be0dda762bece78293b9"
-  useDigest: true
+  digest: ""
+  useDigest: false
 
 # -- Pod affinity for cilium-agent.
 affinity:
@@ -659,10 +659,10 @@ hubble:
     image:
       override: ~
       repository: quay.io/cilium/hubble-relay
-      tag: v1.10.9
+      tag: v1.10.10
        # hubble-relay-digest
-      digest: "sha256:92a895d77a8d6c71efceedc111adc848842e5c8bb8ee6d8c0a7812a97ebc1e00"
-      useDigest: true
+      digest: ""
+      useDigest: false
       pullPolicy: IfNotPresent
 
     # -- Specifies the resources for the hubble-relay pods
@@ -1239,16 +1239,16 @@ operator:
   image:
     override: ~
     repository: quay.io/cilium/operator
-    tag: v1.10.9
+    tag: v1.10.10
     # operator-generic-digest
-    genericDigest: "sha256:7f9bf92d7e38372dc19899cc3055a04d93095886687f3c03e41932ad5a32e3ac"
+    genericDigest: ""
     # operator-azure-digest
-    azureDigest: "sha256:1af911a1a15bc7be78ca2e4f8a0ccdff037f0077005993e8c44a88f881c59018"
+    azureDigest: ""
     # operator-aws-digest
-    awsDigest: "sha256:ff3dc39157b4a0935495a3cb417ce3e4c70ca906a0f7e79a323b2e920a0b0265"
+    awsDigest: ""
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:9d66f9ee6080ffedf46cfcb554a7303b25a15935e7bcdc73e742e1830da08f82"
-    useDigest: true
+    alibabacloudDigest: ""
+    useDigest: false
     pullPolicy: IfNotPresent
     suffix: ""
 
@@ -1468,10 +1468,10 @@ preflight:
   # -- Cilium pre-flight image.
   image:
     repository: quay.io/cilium/cilium
-    tag: v1.10.9
+    tag: v1.10.10
     # cilium-digest
-    digest: "sha256:ebe1696cebfdaa95112a48c40bcef01e2771113ae2d4be0dda762bece78293b9"
-    useDigest: true
+    digest: ""
+    useDigest: false
     pullPolicy: IfNotPresent
 
   # -- The priority class to use for the preflight pod.
@@ -1607,10 +1607,10 @@ clustermesh:
     # -- Clustermesh API server image.
     image:
       repository: quay.io/cilium/clustermesh-apiserver
-      tag: v1.10.9
+      tag: v1.10.10
       # clustermesh-apiserver-digest
-      digest: "sha256:ae43adb896c47a0ebfc2124afc0c46393ec694285e744d00df57ba697d957442"
-      useDigest: true
+      digest: ""
+      useDigest: false
       pullPolicy: IfNotPresent
 
     etcd:

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-project: "https://github.com/cilium/cilium/projects/184"`
	`1`	`+project: "https://github.com/cilium/cilium/projects/187"`
`2`	`2`	`column: "In progress"`
`3`	`3`	`auto-label:`
`4`	`4`	`- "kind/backports"`