Cilium - v1.14.1

We are pleased to release Cilium v1.14.1. This release comes with fixes for IPsec, performance and resilience improvements and many CI and doc changes.

Remaining issues on the IPSec stack may cause interrupted connections during key rotations. Users may upgrade to this release only if this is considered acceptable.

Summary of Changes

Minor Changes:
* gateway-api: Upgrade to v0.7.1 (Backport PR #27238, Upstream PR #27157, @sayboras)
* Prevent Cilium from running with Delegated IPAM at the same time as Ingress (Backport PR #27238, Upstream PR #26744, @rickysumho)

Bugfixes:
* Fix a bug that affected the health-check feature in Stand-alone L4LB mode. For certain configurations (eg if both IPv4 and IPv6 support is enabled) health-check traffic would not get IPIP-encapsulated. (Backport PR #27190, Upstream PR #27015, @julianwiedmann)
* Fix a bug that affected the RevDNAT translation of IPv6 packets with extension headers. (Backport PR #27345, Upstream PR #27312, @julianwiedmann)
* Fix a bug that could cause packet drops of type XfrmOutPolBlock when IPsec is enabled and node are recycled.
* Fix a bug that could cause IPsec-encrypted packets to be sent to the wrong destination node when node churn is high. (Backport PR #27238, Upstream PR #27029, @pchaigno)
* Fix agent panic in case malformed objects are retrieved from the kvstore, and improve validation (Backport PR #27345, Upstream PR #27237, @giorio94)
* Fix bug limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #27345, Upstream PR #27168, @learnitall)
* Fix bug where startup CIDR restore logic would mishandle reference counting, leading to persistent packet loss to those CIDRs (Backport PR #27419, Upstream PR #27327, @joestringer)
* Fix generation of the clustermesh config through Helm when kvstoremesh is enabled, and the TLS key/cert pair is manually specified for a given remote cluster (Backport PR #27238, Upstream PR #27177, @giorio94)
* operator: Adjust CiliumEndpoint gc to account for kvstore mode (Backport PR #27190, Upstream PR #25324, @learnitall)
* Resolve a deadlock on startup when local redirect policies are used. (Backport PR #27238, Upstream PR #27115, @bimmlerd)

CI Changes:
* .github: rebuild ginkgo tests in case of cache miss (Backport PR #27190, Upstream PR #27158, @sayboras)
* Add renovate tags for automatic updates of kernel version in v1.14 (#27386, @aanm)
* ci: fix and standardize checkouts in privileged workflows (Backport PR #27238, Upstream PR #27193, @nbusseneau)
* ci: increase connectivity test timeout in GHA external workload (Backport PR #27345, Upstream PR #26975, @mhofstetter)

Misc Changes:
* Add note for changing IPAM settings (Backport PR #27238, Upstream PR #27090, @darox)
* chore(deps): update cilium/little-vm-helper action to v0.0.12 (v1.14) (#27270, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.15.5 (v1.14) (#27271, @renovate[bot])
* chore(deps): update go to v1.20.6 (v1.14) (patch) (#26783, @renovate[bot])
* chore(deps): update go to v1.20.7 (v1.14) (patch) (#27284, @renovate[bot])
* docs/ipsec: Extend troubleshooting for long key rotations (Backport PR #27190, Upstream PR #26809, @pchaigno)
* docs: Document DROP_NO_NODE_ID for IPsec (Backport PR #27345, Upstream PR #27184, @pchaigno)
* docs: Have Makefile print generated image tags when running with V=0 (Backport PR #27345, Upstream PR #27250, @qmonnet)
* docs: kpr: remove caveat about XDP + tunnel performance (Backport PR #27190, Upstream PR #27091, @julianwiedmann)
* docs: Replace non-portable "sed -i" in Makefile (Backport PR #27238, Upstream PR #27122, @qmonnet)
* docs: Simplify clustermesh example (Backport PR #27238, Upstream PR #27172, @joestringer)
* docs: update roadmap after 1.14 release (Backport PR #27238, Upstream PR #27089, @lizrice)
* Documentation: fix the broken links/dead links (Backport PR #27190, Upstream PR #26880, @vipul-21)
* fix: use proper helm param name for specifying pod cidr (Backport PR #27238, Upstream PR #27141, @yandzee)
* mutual-auth: Add note for PVC requirement (Backport PR #27345, Upstream PR #27311, @sayboras)
* remove systemd-based distributions issue from docs (Backport PR #27345, Upstream PR #27208, @WeirdMachine)
* Update Service Mesh docs (Backport PR #27345, Upstream PR #27231, @youngnick)

Other Changes:
* backport v1.14: IPsec upgrade tests (#27175, @brb)
* install: Update image digests for v1.14.0 (#27111, @aanm)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.1@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
quay.io/cilium/cilium:v1.14.1@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
docker.io/cilium/cilium:stable@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
quay.io/cilium/cilium:stable@sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.1@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
quay.io/cilium/clustermesh-apiserver:v1.14.1@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
docker.io/cilium/clustermesh-apiserver:stable@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
quay.io/cilium/clustermesh-apiserver:stable@sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c

docker-plugin

docker.io/cilium/docker-plugin:v1.14.1@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad
quay.io/cilium/docker-plugin:v1.14.1@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad
docker.io/cilium/docker-plugin:stable@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad
quay.io/cilium/docker-plugin:stable@sha256:e8654c133119dff2447ebd93342a11ddaa5472eae1625c1c6866eea8d99c74ad

hubble-relay

docker.io/cilium/hubble-relay:v1.14.1@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
quay.io/cilium/hubble-relay:v1.14.1@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
docker.io/cilium/hubble-relay:stable@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
quay.io/cilium/hubble-relay:stable@sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.1@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
quay.io/cilium/kvstoremesh:v1.14.1@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
docker.io/cilium/kvstoremesh:stable@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
quay.io/cilium/kvstoremesh:stable@sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.1@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
quay.io/cilium/operator-alibabacloud:v1.14.1@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
docker.io/cilium/operator-alibabacloud:stable@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
quay.io/cilium/operator-alibabacloud:stable@sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b

operator-aws

docker.io/cilium/operator-aws:v1.14.1@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
quay.io/cilium/operator-aws:v1.14.1@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
docker.io/cilium/operator-aws:stable@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
quay.io/cilium/operator-aws:stable@sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a

operator-azure

docker.io/cilium/operator-azure:v1.14.1@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
quay.io/cilium/operator-azure:v1.14.1@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
docker.io/cilium/operator-azure:stable@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
quay.io/cilium/operator-azure:stable@sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7

operator-generic

docker.io/cilium/operator-generic:v1.14.1@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
quay.io/cilium/operator-generic:v1.14.1@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
docker.io/cilium/operator-generic:stable@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
quay.io/cilium/operator-generic:stable@sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7

operator

docker.io/cilium/operator:v1.14.1@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
quay.io/cilium/operator:v1.14.1@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
docker.io/cilium/operator:stable@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5
quay.io/cilium/operator:stable@sha256:f15b3252dfa3fc71897fd9276a1d75c8d0ff8c9dd930832586491c8e4e4b77a5