Cilium - v1.12.12

Security

We are pleased to release Cilium v1.12.12.

This release addresses the following security issues:
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-pvgm-7jpg-pw5g
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55

This release includes a security fix for Envoy, as well as numerous improvements to Network Policies and BGP.

See the notes below for a full description of the changes.

⚠️ Warning - IPsec ⚠️

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Minor Changes:
* daemon: don't allow egress gateway with KV store identity allocation (Backport PR #26420, Upstream PR #26189, @jibi)

Bugfixes:
* bgpv1: Unconditionally select node when empty nodeSelector is given (Backport PR #26746, Upstream PR #26590, @YutaroHayakawa)
* client, health/client: set dummy host header on unix:// local communication (Backport PR #26916, Upstream PR #26800, @tklauser)
* Fix bug that caused transient IPsec packet drops on upgrades when tunneling is enabled. (Backport PR #26859, Upstream PR #26708, @pchaigno)
* Fix bug where CNI gets installed even if cni.install=false (Backport PR #26420, Upstream PR #26278, @joestringer)
* Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (Backport PR #26859, Upstream PR #25440, @pchaigno)
* Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR #26420, Upstream PR #25969, @jrajahalme)
* Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport PR #26750, Upstream PR #26344, @jrajahalme)
* ingress: Delay secret sync if not available (Backport PR #26994, Upstream PR #26988, @sayboras)
* ipsec: Split removeStaleXFRMOnce to fix deprioritization issue (Backport PR #26420, Upstream PR #26113, @jschwinger233)

CI Changes:
* ariane: don't skip verifier and l4lb tests on vendor/ changes (Backport PR #26738, Upstream PR #26715, @tklauser)
* v1.12: ci: use Ariane to trigger workflows (#26579, @nbusseneau)

Misc Changes:
* Add cilium bpf nodeid list to bugtool and print nodeid in hex in ipcache dump (Backport PR #26420, Upstream PR #26130, @brb)
* Adding an AWS architecture diagram for AWS FTR review (Backport PR #26420, Upstream PR #26016, @amitmavgupta)
* Calling out support for Single-Region, Multi-Region, Multi-AZ for EKS (Backport PR #26420, Upstream PR #26015, @amitmavgupta)
* chore(deps): update actions/setup-go action to v4 (v1.12) (#26447, @renovate[bot])
* chore(deps): update all github action dependencies (v1.12) (minor) (#26446, @renovate[bot])
* chore(deps): update all github action dependencies (v1.12) (patch) (#26443, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.6 (v1.12) (#26444, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.6 (v1.12) (#26445, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to c9820a4 (v1.12) (#26705, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to f8f6584 (v1.12) (#26442, @renovate[bot])
* chore(deps): update docker/setup-buildx-action action to v2.9.1 (v1.12) (#26829, @renovate[bot])
* chore(deps): update hubble cli to v0.12.0 (v1.12) (minor) (#26766, @renovate[bot])
* doc: Documented incompatibility of EgressGW and kvstore (Backport PR #26659, Upstream PR #26139, @PhilipSchmid)
* docker: Detect default "desktop-linux" builder (Backport PR #26420, Upstream PR #25908, @jrajahalme)
* docs/ipsec: Clarify limitation on number of nodes (Backport PR #26859, Upstream PR #26810, @pchaigno)
* docs: Bump Sphinx and sphinx-tabs version. (Backport PR #27059, Upstream PR #20997, @qmonnet)
* docs: clarify that L3 DNS policies require L7 proxy enabled (Backport PR #26420, Upstream PR #26180, @wedaly)
* docs: fixed search for every page (Backport PR #27059, Upstream PR #26892, @geakstr)
* docs: Ignore Helm values, update spelling list (Backport PR #27059, Upstream PR #26759, @qmonnet)
* docs: Pick up PyYAML 6.0.1 (Backport PR #26916, Upstream PR #26883, @michi-covalent)
* docs: Revert Python version in docs-builder image to 3.7.9, downgrade sphinxcontrib-applehelp, to fix builds on Read The Docs (Backport PR #27059, Upstream PR #24099, @qmonnet)
* docs: reword incorrect L7 policy description (Backport PR #26420, Upstream PR #26092, @peterj)
* docs: Rework requirements.txt: Generate from minimal list (Backport PR #27059, Upstream PR #20978, @qmonnet)
* docs: Update dependencies for documentation build system (Sphinx, add-ons etc.) (Backport PR #27059, Upstream PR #24014, @qmonnet)
* Documentation: enable parallel builds (Backport PR #27059, Upstream PR #23752, @squeed)
* Fix "make -C Documentation builder-image" (Backport PR #26916, Upstream PR #26874, @michi-covalent)

Other Changes:
* envoy: Bump envoy to v1.24.9 (#26806, @sayboras)
* envoy: Bump envoy version to v1.24.10 (#27068, @sayboras)
* envoy: Bump minor version to v1.24.x (#26328, @sayboras)
* install: Update image digests for v1.12.11 (#26270, @qmonnet)
* service: Handle backend with initial state set to Terminating (#25863, @sterchelen)
* v1.12 docs: Use stable-v0.14.txt for cilium-cli version (#26466, @michi-covalent)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.12.12@sha256:3cafa76253881a77c3613ed2967776b83b81fcdffcd2a90dae13b175297b92dd
quay.io/cilium/cilium:v1.12.12@sha256:3cafa76253881a77c3613ed2967776b83b81fcdffcd2a90dae13b175297b92dd

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.12.12@sha256:1d5e050510034b4e2c66b7f57b410b7ebf52ec2efc9c82e16dff4361eac6058d
quay.io/cilium/clustermesh-apiserver:v1.12.12@sha256:1d5e050510034b4e2c66b7f57b410b7ebf52ec2efc9c82e16dff4361eac6058d

docker-plugin

docker.io/cilium/docker-plugin:v1.12.12@sha256:b0a41e75101176145ff3933bd975968c90166d823d42cbef3babe16a7545b78d
quay.io/cilium/docker-plugin:v1.12.12@sha256:b0a41e75101176145ff3933bd975968c90166d823d42cbef3babe16a7545b78d

hubble-relay

docker.io/cilium/hubble-relay:v1.12.12@sha256:7a9265feccf24a4c49eb244cbbafe9d0ddf41dc9e6705494b4a12db6e5d3a8d8
quay.io/cilium/hubble-relay:v1.12.12@sha256:7a9265feccf24a4c49eb244cbbafe9d0ddf41dc9e6705494b4a12db6e5d3a8d8

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.12.12@sha256:d0c0189f5dd35d9e4002795ba3e5a3af26ae9e617b51b97dce06f887d1f7dbf3
quay.io/cilium/operator-alibabacloud:v1.12.12@sha256:d0c0189f5dd35d9e4002795ba3e5a3af26ae9e617b51b97dce06f887d1f7dbf3

operator-aws

docker.io/cilium/operator-aws:v1.12.12@sha256:71e08d8b92dfe2ef40e771e4e4ef0ea2d4984c1a978cf6050853673f9428adca
quay.io/cilium/operator-aws:v1.12.12@sha256:71e08d8b92dfe2ef40e771e4e4ef0ea2d4984c1a978cf6050853673f9428adca

operator-azure

docker.io/cilium/operator-azure:v1.12.12@sha256:e75189f338868acf6c65038e88ef470cbc46ae4a0ead899727519e4569aac533
quay.io/cilium/operator-azure:v1.12.12@sha256:e75189f338868acf6c65038e88ef470cbc46ae4a0ead899727519e4569aac533

operator-generic

docker.io/cilium/operator-generic:v1.12.12@sha256:fb2b1ef65fda0f102ef533f354a5cc462076bd70b281ce0eee71fc34badf551a
quay.io/cilium/operator-generic:v1.12.12@sha256:fb2b1ef65fda0f102ef533f354a5cc462076bd70b281ce0eee71fc34badf551a

operator

docker.io/cilium/operator:v1.12.12@sha256:a461487e70ada9c3577ed905df3e50d8c1d3ad8688bbfa9bedbf6f89c9bcb354
quay.io/cilium/operator:v1.12.12@sha256:a461487e70ada9c3577ed905df3e50d8c1d3ad8688bbfa9bedbf6f89c9bcb354


Security

Security wording was detected, but no CVEs were found.

Details

date: July 27, 2023, 10:23 p.m.
name: 1.12.12
type: Patch