Cilium - v1.12.11


We are pleased to release Cilium v1.12.11. This release promotes Deny Policies from beta to stable. It contains fixes related to IPsec, WireGuard and Hubble flow data, as well as a range of other regular bugfixes.

See the notes below for a full description of the changes.

:warning: Warning - IPsec :warning:

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Major Changes:
* policy: Promote Deny Policies from Beta to Stable (#25491, @nathanjsweet)

Minor Changes:
* Add agent flag enable-ipsec-key-watcher to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (Backport PR #26006, Upstream PR #25893, @pchaigno)
* Updating the documented Helm values now also works on arm64. (Backport PR #25732, Upstream PR #25422, @jrajahalme)

Bugfixes:
* Fix a bug that leaked Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (Backport PR #25896, Upstream PR #25784, @pchaigno)
* Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (Backport PR #25896, Upstream PR #25724, @pchaigno)
* Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (Backport PR #25896, Upstream PR #25735, @pchaigno)
* Fix a possible deadlock when using WireGuard transparent encryption. (Backport PR #25928, Upstream PR #25419, @bimmlerd)
* Fix a bug affecting EKS installations with IPsec encryption enabled, where Cilium would not attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (Backport PR #25896, Upstream PR #25744, @joamaki)
* Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (Backport PR #26161, Upstream PR #26093, @pchaigno)
* Fix incorrect Hubble flow data when HTTP requests contain an x-forwarded-for header by adding an explicit use_remote_address: true setting to the Envoy HTTP configuration, so that the actual remote address of the incoming connection is always used rather than the value of the x-forwarded-for header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement, where the source security identity is always resolved before HTTP headers are parsed. The previous Cilium behavior of not adding x-forwarded-for headers is retained via an explicit skip_xff_append: true setting, except for Cilium Ingress, where the source IP address is now appended to the x-forwarded-for header. (Backport PR #25732, Upstream PR #25674, @jrajahalme)
* Fix leak of IPsec XFRM FWD policies in IPAM modes cluster-pool, kubernetes, and crd when nodes are deleted. Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (Backport PR #26117, Upstream PR #25953, @pchaigno)
* Fix a bug where long-lived connections using the egress gateway could be reset. (Backport PR #25678, Upstream PR #24905, @gentoo-root)
* Fix three issues in the bug fix that attaches IPsec BPF programs to ENI interfaces: do not exit fatally if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes so that new endpoints do not trigger a reinitialization, and wait 1 second for further device state changes between reinitializations. (Backport PR #26006, Upstream PR #25936, @joamaki)
* helm: Correct typo in Ingress validation (Backport PR #25732, Upstream PR #25570, @sayboras)
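The x-forwarded-for fix above is easiest to reason about with a small model of the two Envoy settings it names. The following is an added illustrative example, not Cilium or Envoy code: it approximates how use_remote_address and skip_xff_append decide which address a request is attributed to (the value that ends up in flow data) and what x-forwarded-for header is passed upstream. The addresses and header values are constructed sample data.

```python
"""Simplified model (added example, not Cilium or Envoy code) of Envoy's
downstream-address logic for the two settings named in the release note."""
from dataclasses import dataclass
from typing import Dict, Optional

XFF = "x-forwarded-for"


@dataclass
class Decision:
    client_ip: str                # address the request is attributed to
    upstream_xff: Optional[str]   # x-forwarded-for header sent upstream


def resolve_client(remote_addr: str, headers: Dict[str, str],
                   use_remote_address: bool, skip_xff_append: bool) -> Decision:
    """Approximation of Envoy behaviour:
    - use_remote_address=False: trust the request's x-forwarded-for header and
      take its right-most entry (falling back to the peer address if absent).
    - use_remote_address=True: always use the TCP peer address of the connection.
    - skip_xff_append=False additionally appends that peer address to XFF so the
      upstream still learns the original client; True leaves the header untouched.
    """
    xff = headers.get(XFF)
    if use_remote_address or not xff:
        client_ip = remote_addr
    else:
        client_ip = xff.split(",")[-1].strip()
    if use_remote_address and not skip_xff_append:
        upstream_xff = f"{xff}, {remote_addr}" if xff else remote_addr
    else:
        upstream_xff = xff
    return Decision(client_ip, upstream_xff)


if __name__ == "__main__":
    # Constructed sample: a pod at 10.0.1.5 sends a request that already carries
    # an x-forwarded-for header naming an unrelated address.
    peer, hdrs = "10.0.1.5", {XFF: "203.0.113.7"}
    # Pre-fix behaviour: the header value, not the peer, is attributed.
    print("header trusted :", resolve_client(peer, hdrs, False, True))
    # Fixed L7 proxy: peer address attributed, header passed through unchanged.
    print("use_remote_addr:", resolve_client(peer, hdrs, True, True))
    # Cilium Ingress: peer address attributed and appended to the header.
    print("ingress        :", resolve_client(peer, hdrs, True, False))
```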

CI Changes:
* [v1.12 backport] test: Switch target FQDN (#25585, @nbusseneau)
* Add github workflow to push development helm charts to quay.io (Backport PR #26088, Upstream PR #25205, @chancez)
* hostfw tests flake workaround (Backport PR #25587, Upstream PR #25323, @tommyp1ckles)
* Pick up the latest startup-script image (Backport PR #25919, Upstream PR #25774, @michi-covalent)
* test: Collect sysdump as part of artifacts (Backport PR #25919, Upstream PR #25079, @pchaigno)

Misc Changes:
* Add helm-toolbox image for helm docs, lint (Backport PR #25452, Upstream PR #20236, @joestringer)
* backport (v1.12): docs: Promote Deny Policies out of Beta (#26148, @nathanjsweet)
* chore(deps): update dependency cilium/hubble to v0.11.6 (v1.12) (#26043, @renovate[bot])
* chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (v1.12) (#25999, @renovate[bot])
* docs: document missing entity 'ingress' (Backport PR #25732, Upstream PR #25665, @mhofstetter)
* docs: Fix broken link to backends leak issue (Backport PR #25587, Upstream PR #25278, @akhilles)
* install: Fail helm if kube-proxy-replacement is not valid (Backport PR #26006, Upstream PR #25907, @jrajahalme)
* ipsec: Fix cleanup of XFRM states and policies (Backport PR #26117, Upstream PR #26072, @pchaigno)
* Slim down Node handler interface (Backport PR #25928, Upstream PR #25450, @bimmlerd)
* test/provision/compile.sh: Make usable from dev VM (Backport PR #25452, Upstream PR #25352, @jrajahalme)

Other Changes:
* envoy: Bump envoy version to v1.23.10 (#25889, @mhofstetter)
* install: Update image digests for v1.12.10 (#25534, @thorn3r)
* v1.12: Fix L4LB GHA (#25523, @brb)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.12.11@sha256:3fd8d9a6130783c245d90658ca379a7db88f249ec69464450fb53490cfbd7c55
quay.io/cilium/cilium:v1.12.11@sha256:3fd8d9a6130783c245d90658ca379a7db88f249ec69464450fb53490cfbd7c55

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.12.11@sha256:f52391e0b74ac019a1ba22a19c0f4c979aa00f582332a3162af2a1fca3206371
quay.io/cilium/clustermesh-apiserver:v1.12.11@sha256:f52391e0b74ac019a1ba22a19c0f4c979aa00f582332a3162af2a1fca3206371

docker-plugin

docker.io/cilium/docker-plugin:v1.12.11@sha256:bbfb63b99655e0f3f2fc63ef4b49161d7454fdf127d62347162b4ee577a273fb
quay.io/cilium/docker-plugin:v1.12.11@sha256:bbfb63b99655e0f3f2fc63ef4b49161d7454fdf127d62347162b4ee577a273fb

hubble-relay

docker.io/cilium/hubble-relay:v1.12.11@sha256:f52db09b652fd60d9d2bbebafd3befa9be0abecac923dd21d0f7052cd585270e
quay.io/cilium/hubble-relay:v1.12.11@sha256:f52db09b652fd60d9d2bbebafd3befa9be0abecac923dd21d0f7052cd585270e

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.12.11@sha256:66ad7b1f2a39f336aade25b688e5b05da7df345b33c50a92f3e21dc949281507
quay.io/cilium/operator-alibabacloud:v1.12.11@sha256:66ad7b1f2a39f336aade25b688e5b05da7df345b33c50a92f3e21dc949281507

operator-aws

docker.io/cilium/operator-aws:v1.12.11@sha256:30dfe79131766c7ba992c9e5abe6dcb0d2d8e2021514dc56a4b89321dde45472
quay.io/cilium/operator-aws:v1.12.11@sha256:30dfe79131766c7ba992c9e5abe6dcb0d2d8e2021514dc56a4b89321dde45472

operator-azure

docker.io/cilium/operator-azure:v1.12.11@sha256:7753588ef3c038af47576feabeffd8a8a04f1a0911009c9752ee303658152d2d
quay.io/cilium/operator-azure:v1.12.11@sha256:7753588ef3c038af47576feabeffd8a8a04f1a0911009c9752ee303658152d2d

operator-generic

docker.io/cilium/operator-generic:v1.12.11@sha256:8fad1da87c9f308c21ad54784c91c0fc92dc620e2781561473e2c8e4f871eb29
quay.io/cilium/operator-generic:v1.12.11@sha256:8fad1da87c9f308c21ad54784c91c0fc92dc620e2781561473e2c8e4f871eb29

operator

docker.io/cilium/operator:v1.12.11@sha256:966056e8a05eca5fb2f9eb6c099e5a465e048d1351fbabf88406c53f2425990c
quay.io/cilium/operator:v1.12.11@sha256:966056e8a05eca5fb2f9eb6c099e5a465e048d1351fbabf88406c53f2425990c

Details

date: June 15, 2023, 4:14 p.m.
name: 1.12.11
type: Patch