Cilium - v1.14.2


We are pleased to release Cilium v1.14.2.

Known IPsec-related issues have been fixed. We encourage users to test this release and report any potentially remaining issues.

Summary of Changes

Minor Changes:
* Add SPIRE connection to cilium status (Backport PR #27649, Upstream PR #26896, @meyskens)
* Fix: Affinity in cilium-pre-flight-check daemonset. (Backport PR #27629, Upstream PR #27475, @ishuar)
* gateway-api: Support all the extended features (Backport PR #27655, Upstream PR #27472, @sayboras)

Bugfixes:
* bpf: nodeport: add RevDNAT-based FIB lookup for reply traffic (Backport PR #27381, Upstream PR #26638, @julianwiedmann)
* cgroups: Fix race to load cgroup.hostRoot option (Backport PR #27629, Upstream PR #27561, @kvaps)
* Do mutual authentication handshake again if mismatch between bpf map and cached map happens (Backport PR #27739, Upstream PR #27241, @meyskens)
* envoy: fix panic writing accesslog without L7 tags (Backport PR #27629, Upstream PR #27453, @mhofstetter)
* Fix a bug that could cause an incorrect max. sequence number to be reported by cilium encrypt status when IPsec is enabled. (Backport PR #27917, Upstream PR #27656, @pchaigno)
* Fix a bug where cilium host IP is not read from k8s node annotations (Backport PR #27679, Upstream PR #27590, @hemanthmalla)
* Fix behavior where SPIRE doesn't work when kubelet does not listen on 127.0.0.1 (Backport PR #27679, Upstream PR #27583, @weizhoublue)
* Fix bug that could cause packet drops of type XfrmOutPolBlock while rotating the IPsec key. (Backport PR #27586, Upstream PR #27319, @jrfastab)
* Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (Backport PR #27920, Upstream PR #27602, @julianwiedmann)
* Fix deletion of tunnel map entries when node has non-zero cluster ID. (Backport PR #27629, Upstream PR #27353, @giorio94)
* Fix Gateway managed services not exposing all ports (Backport PR #27917, Upstream PR #27695, @Managarmrr)
* Fix global service incompatibility when v1.14 agents connect to a v1.13 cluster (#27882, @giorio94)
* Fix issue which caused the map reconciliation process to never complete successfully if the error resolved automatically (Backport PR #27629, Upstream PR #26742, @giorio94)
* Fix missing packet trace after from-container for reply traffic to the proxy. (Backport PR #27917, Upstream PR #27872, @pchaigno)
* Fix potential cross-node connectivity issue when IPsec is enabled with ENI or Azure IPAM modes. (Backport PR #27924, Upstream PR #26663, @gandro)
* Fix propagation of namespace labels to CEP labels (Backport PR #27917, Upstream PR #27831, @tklauser)
* Fix several paths in the North-South load-balancer where the TTL / hop-limit field of a forwarded packet was not updated. (Backport PR #27379, Upstream PR #27299, @julianwiedmann)
* Fixes an issue where IPsec key rotation can't be triggered. (Backport PR #27739, Upstream PR #27694, @jschwinger233)
* gateway-api: Filter routes based on Section Name and port (Backport PR #27629, Upstream PR #27309, @sayboras)
* gateway-api: Merge external annotations and labels for Kubernetes types (Backport PR #27629, Upstream PR #27251, @farodin91)
* helm: fix envoy daemonset loglevel with multiple verbose debug groups (Backport PR #27917, Upstream PR #27698, @mhofstetter)
* ingress: fix panic on ingress rule without HTTPIngressRule (Backport PR #27917, Upstream PR #27818, @mhofstetter)
* ipam: when a CiliumNode is removed, delete node label from metrics. (Backport PR #27917, Upstream PR #27713, @tommyp1ckles)
* IPSec fix for race on init resulting in XfrmIn errors and dropped packets (Backport PR #28021, Upstream PR #28012, @jrfastab)
* k8s: Restrict configuring reserved:init policy via CNP (Backport PR #28038, Upstream PR #28007, @joestringer)
* Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (Backport PR #27917, Upstream PR #27572, @bimmlerd)
* proxy: Ignore visibility annotation if proxy is disabled (Backport PR #27679, Upstream PR #27597, @sayboras)
* Read FQDNRejectResponseCode from config (Backport PR #27739, Upstream PR #27362, @ayuspin)

CI Changes:
* .github/workflows: unify time to wait for images to become available (Backport PR #27917, Upstream PR #27706, @tklauser)
* Add missing ariane trigger phrases (Backport PR #27917, Upstream PR #27822, @tklauser)
* Add secondary iface to KIND network (Backport PR #27679, Upstream PR #26338, @ysksuzuki)
* bpf: complexity-tests: set -DHAVE_LARGE_INSN_LIMIT=1 for new kernels (Backport PR #27701, Upstream PR #27490, @julianwiedmann)
* ci-e2e: Add secondary network NodePort tests (Backport PR #27917, Upstream PR #27738, @brb)
* ci-ipsec-upgrade: Bump CLI to v0.15.5 (Backport PR #27629, Upstream PR #27230, @brb)
* ci-ipsec-upgrade: Skip upon test/Documentation changes (Backport PR #27679, Upstream PR #27644, @brb)
* ci: remove unavailable K8s 1.22 from GKE config (Backport PR #27629, Upstream PR #27365, @mhofstetter)
* CI: Rename workflow names (Backport PR #27739, Upstream PR #27391, @brlbil)
* CI: Update tested k8s version for aks (Backport PR #27629, Upstream PR #27457, @brlbil)
* Disable the images digest when pushing the development helm chart (Backport PR #27739, Upstream PR #27646, @giorio94)
* gh/actions: Customize cilium-config (Backport PR #27917, Upstream PR #27416, @brb)
* gh/workflows: Use cilium-config action in ci-ipsec-upgrade (Backport PR #27917, Upstream PR #27359, @brb)
* gha: fix waiting for images in conformance-gingko (Backport PR #27629, Upstream PR #27397, @giorio94)
* Set kvstoremesh image when pushing the development helm chart (Backport PR #27679, Upstream PR #27645, @giorio94)
* test: print logical instruction count per program (Backport PR #27629, Upstream PR #26641, @ti-mo)

Misc Changes:
* [v1.14] cilium: Fix 16bit ifindex limitation (#27880, @borkmann)
* Add WireGuard to the firewall rules documentation (Backport PR #27917, Upstream PR #27170, @joestringer)
* bpf: egressgw: set trace reason for reply traffic (Backport PR #27524, Upstream PR #27218, @julianwiedmann)
* bpf: nat: enable CT-driven trace aggregation (Backport PR #27524, Upstream PR #27178, @julianwiedmann)
* bpf: nat: let caller determine whether SNATed connection needs CT (Backport PR #27524, Upstream PR #27079, @julianwiedmann)
* bpf: nodeport: consolidate packet rewrite in RevDNAT path (Backport PR #27381, Upstream PR #26852, @julianwiedmann)
* bpf: split complexity configurations into separate files (Backport PR #27701, Upstream PR #26925, @lmb)
* chore(deps): update all kind-images main (v1.14) (#27746, @renovate[bot])
* chore(deps): update all kind-images main (v1.14) (patch) (#27772, @renovate[bot])
* chore(deps): update all lvh-images main (v1.14) (patch) (#27422, @renovate[bot])
* chore(deps): update all lvh-images main (v1.14) (patch) (#27773, @renovate[bot])
* chore(deps): update aws-actions/configure-aws-credentials action to v3 (v1.14) (#27777, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.15.6 (v1.14) (#27769, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.15.7 (v1.14) (#27919, @renovate[bot])
* chore(deps): update dependency google/gops to v0.3.28 (v1.14) (#27413, @renovate[bot])
* chore(deps): update dependency kubernetes/kubernetes to v1.27.5 (v1.14) (#27774, @renovate[bot])
* chore(deps): update dependency ubuntu to v22 (v1.14) (#27778, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.18.3 (v1.14) (#27775, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.20.7 docker digest to 741d6f9 (v1.14) (#27768, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.20.8 docker digest to 700d726 (v1.14) (#28049, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ec050c3 (v1.14) (#27546, @renovate[bot])
* chore(deps): update go to v1.20.8 (v1.14) (patch) (#27990, @renovate[bot])
* chore: fixing blank k8sPodName in endpoint logger (Backport PR #27629, Upstream PR #26964, @vakalapa)
* cilium, docs: Add a note about KPR and nfs dependencies (Backport PR #27739, Upstream PR #27678, @borkmann)
* clean-up: remove check for permissive CCNPs (Backport PR #27739, Upstream PR #27690, @shawnh2)
* contrib/scripts/kind.sh: specify IPv4 prefix and range on secondary network (Backport PR #27679, Upstream PR #27573, @tklauser)
* Correct cni path in k3s installation documentation for rancher desktop (Backport PR #27739, Upstream PR #27702, @RichardoC)
* docs: Clean up prerequisites for the Ingress Controller (Backport PR #27629, Upstream PR #27222, @qmonnet)
* docs: Clean up references to deprecated modes "strict" and "partial" for kube-proxy replacement feature flag (Backport PR #27679, Upstream PR #27314, @qmonnet)
* docs: Correct comment on toFQDN API definition (Backport PR #27629, Upstream PR #27496, @Alex-Waring)
* docs: Fix config option for spelling filters (Backport PR #27629, Upstream PR #27537, @qmonnet)
* docs: Fix Documentation Makefile to make Helm reference updates compatible with macOS (Backport PR #27629, Upstream PR #27495, @ishuar)
* docs: Harmonise references to Cilium Slack (Backport PR #27629, Upstream PR #27346, @qmonnet)
* docs: Improve wording for labels and services policies (Backport PR #27917, Upstream PR #27171, @joestringer)
* docs: Remove proxylib limitation in observability section (Backport PR #27629, Upstream PR #27306, @darkrift)
* docs: update L7 traffic CiliumClusterwideEnvoyConfig example (Backport PR #27629, Upstream PR #27409, @tanjunchen)
* docs: Update the microservices-demo link (Backport PR #27917, Upstream PR #27814, @haiyuewa)
* docs: Update the mutual authentication key format (Backport PR #27679, Upstream PR #27640, @haiyuewa)
* egressgw: small test fixes (Backport PR #27701, Upstream PR #27574, @lmb)
* Gateway API: Implement generic route checks (Backport PR #27655, Upstream PR #25885, @meyskens)
* renovate: Don't exclude github.com/{cilium,vishvananda}/netlink anymore (Backport PR #27629, Upstream PR #27342, @lambdanis)
* typo: the clustermesh secret name (Backport PR #27739, Upstream PR #27658, @weizhoublue)
* Update Cilium certgen from v0.1.8 to v0.1.9 (Backport PR #27629, Upstream PR #27511, @rolinh)

Other Changes:
* [1.14] test: add namespace name in pod metadata test (#28032, @nebril)
* backport v1.14: gh/workflows: Reusable workflow for ci-e2e and misc changes (#27375, @brb)
* doc: Migrate to .readthedocs.yaml configuration file v2 (#27571, @doniacld)
* envoy: Update envoy image with newer proxylib builder (#27650, @sayboras)
* install: Update image digests for v1.14.1 (#27505, @nebril)


Details

date: Sept. 15, 2023, 5:40 p.m.
name: 1.14.2
type: Patch