Cilium - v1.15.0-pre.3

Summary of Changes

Major Changes:
* Add dynamic flowlog exporters configured by a YAML file (ConfigMap) without needing an agent restart. (#28873, @marqc)
* Add support for extending ClusterMesh to 511 clusters. By setting the flag --max-connected-clusters=511, a new cluster will be able to connect to a ClusterMesh with up to 511 clusters. If enabled, the number of possible cluster-local identities will be reduced to 32,768. This feature can only be enabled on new clusters, and all clusters in the ClusterMesh must share the same configuration. (#27520, @thorn3r)
* Add support for Gateway API v1.0 (#28836, @sayboras)
* k8s: add support for k8s 1.29.0 (#29473, @aanm)

Minor Changes:
* Add a mode where routing is delegated to another CNI plugin. This enables support for using AWS security groups when chaining Cilium on top of AWS VPC CNI. (#29111, @Alex-Waring)
* Add lbipam support for shared ips (#28806, @usiegl00)
* Adds "best-effort" mode for XDP to skip interfaces without driver support (#28666, @poblahblahblah)
* Adds affinity, nodeSelector, podSecurityContext and securityContext to the SPIRE agent deployment values (#29077, @meyskens)
* Adds the CiliumPodIPPool selector type to BGP CP AdvertisedPathAttributes to match CiliumPodIPPool custom resources. Path attributes apply to routes announced for selected CiliumPodIPPools. (#28310, @danehans)
* api, cli: Show srv6 status in cilium status (#28700, @husnialhamdani)
* bgpv1: Add cilium-dbg bgp route-policies command & include it in the bugtool (#28973, @rastislavs)
* bgpv1: Use kube-system namespace by default for MD5 secret (#29478, @YutaroHayakawa)
* bpf: use bpf_xdp_load_bytes() / bpf_xdp_store_bytes() helpers when available (#29377, @julianwiedmann)
* Cilium DNS proxy now uses the original pod's address as the source address towards the DNS servers. (#28928, @jrajahalme)
* cilium-dbg: Add statedb query support and commands to inspect statedb tables devices, routes and l2-announce. (#28872, @joamaki)
* ciliumidentity resiliency improvement (#28912, @tommyp1ckles)
* cmd/watchdogs: add health reporter to watchdog controller. (#29038, @tommyp1ckles)
* Config option to customize the default IP Pool when using MultiPool (#28818, @chaunceyjiang)
* Default client-go QPS and burst in agent and operator have been increased to 10 and 20 respectively for k8s versions 1.27+ (#29445, @marseel)
* Deprecated helm options enableK8sEventHandover/enableCnpStatusUpdates were removed. The corresponding flags "enable-k8s-event-handover" in the agent and "cnp-status-update-interval" in the operator were also removed. (#29395, @marseel)
* FQDN: transition to asynchronous IPCache APIs (#29036, @squeed)
* gateway-api: Add support for gateway.infrastructure attribute (#29122, @sayboras)
* gateway-api: Add supported features in GatewayClass status (#29116, @sayboras)
* gateway-api: Check for required CRDs upon startup (#28982, @sayboras)
* Handle IPv4 fragments in SNAT flows correctly. (#25340, @gentoo-root)
* Hide empty columns by default in "kubectl get ciliumendpoints" output (#28744, @Iiqbal2000)
* hubble-relay: Add support for peers joining during requests (#29326, @glrf)
* Hubble: add option to filter for pods and services in any namespace (#28921, @glrf)
* hubble: Add Support for filtering on HTTP headers (#28851, @ChrsMark)
* hubble: Conditionally redact user info present in URLs in (L7) HTTP flows (#28848, @ioandr)
* Improve Hubble Relay Kubernetes Readiness/Liveness check (#28765, @glrf)
* init: Poll CRD synchronization times have been lowered from 1 second to 50ms. (#28954, @howardjohn)
* Merge clustermesh-apiserver and kvstoremesh into a single image (#27888, @giorio94)
* metric: provide way to declare labels. (#27835, @tommyp1ckles)
* mutual-auth: Bump spire image version (#29101, @sayboras)
* Named ports in DNS policies are now resolved correctly. (#29023, @jrajahalme)
* pkg/datapath: Remove defunct --single-cluster-route flag (#29221, @gandro)
* policy: Cilium will not process or enforce network policies with port ranges or Kubernetes network policies that use "EndPort". (#28704, @nathanjsweet)
* Propagate prefixed labels from Ingress resource to LB service (#28598, @log1cb0mb)
* Remove deprecated tunnel option, and corresponding helm values setting (#29053, @giorio94)
* Replace etcd init script used for clustermesh with a Go equivalent. Upgrade etcd to v3.5.10. (#29109, @JamesLaverack)
* Replace metricsmap-bpf-prom-sync with Prometheus Collector pattern (#27370, @carnerito)
* Respond with ICMP reply for traffic to services without backends (#28157, @dylandreimerink)
* show DSR-dispatch mode in cilium-dbg status (#29217, @chaunceyjiang)
* When tunneling is enabled, a packet will be encapsulated by Cilium's tunnel netdev before encrypting with WireGuard. (#29000, @brb)

Bugfixes:
* "envoy-admin" cluster is renamed as "/envoy-admin", requiring all references in CEC/CCEC to be updated. (#29020, @jrajahalme)
* ImplementationSpecific Ingress paths (which for Cilium Ingress means regex path matches) are now sorted correctly in between Exact and Prefix matches. (#29381, @youngnick)
* Avoid missed tail calls due to inserting policy programs too early during endpoint regeneration (#29307, @ti-mo)
* bpf: Add TC_ACT_REDIRECT check for nodeport (#28927, @sayboras)
* bpf: Fix drop of IPv6 reply traffic when 1) pod-originating connection is SNATed by iptables, and 2) Host Firewall is enabled. (#28813, @oblazek)
* bpf: xdp: don't support GENEVE passthrough with DSR-Hybrid (#28959, @julianwiedmann)
* Conntrack entries for Service connections are now printed in the canonical "source -> destination" format when using the "bpf ct list" command. (#28913, @julianwiedmann)
* ctmap: consider CT entry's .dsr flag in PurgeOrphanNATEntries() (#29098, @julianwiedmann)
* datapath: Fix ENI egress routing table for cilium_host IP (#29335, @gandro)
* datapath: Fix primary flag in NodeAddress (#29483, @joamaki)
* Do not skip FIB lookup when running in BPF Host Routing when Endpoint Routes enabled (#28264, @aspsk)
* egressgateway: Use UID to identify CiliumEndpoints in epDataStore (#29124, @rastislavs)
* egressgw: Fix the issue where an iptables SNAT rule in the host netns interferes with packets to the egress gw and bypasses the egress GW policy (#29379, @ysksuzuki)
* endpointmanager: fix bpf policy pressure getting stuck. (#28185, @tommyp1ckles)
* endpointmanager: unmap ip for lookup (#29554, @tklauser)
* Fix external workloads not working with non-default ClusterID (#29378, @giorio94)
* Fix rendering helm operator-dashboard annotations (#29106, @Zariel)
* Fix source identity determination for DSR with Geneve-dispatch, by looking it up from the ipcache. (#29155, @chez-shanpu)
* Fix the Created timestamps in cilium bpf nat list that used to display the same values. (#27062, @gentoo-root)
* Fixed label synchronization issues in Cilium, ensuring accurate representation of endpoint labels during restoration and addressing out-of-sync problems caused by label changes while the Cilium agent is down. (#29248, @aanm)
* Fixes an L7 proxy issue by re-introducing 2005 route table. (#29530, @jschwinger233)
* gateway-api: add watch for reference grant in TLSRoute reconciler (#29007, @mhofstetter)
* gateway-api: Avoid redirect loop when the same host name is used for http and https listeners (#29115, @sayboras)
* gateway: Ignore loadbalancer class for Gateway service (#29547, @sayboras)
* Handle non-AEAD IPsec keys in cilium encrypt status. (#29182, @viktor-kurchenko)
* ingress: cleanup resources on changed ingress class field (#28886, @mhofstetter)
* ingress: fix foreground deletion of Ingress (#29367, @mhofstetter)
* Install loopback CNI atomically to protect against aborted copy (#29462, @akhilles)
* ipam: Fix bug where IP lease did not expire (#29443, @gandro)
* iptables: remove logic to control non-existent net.ipv6.ip_early_demux (#29310, @julianwiedmann)
* k8s ingress & gateway api: fix unintentional deletion of shared envoy cluster resource (#28896, @mhofstetter)
* l2announcer: Leases are only created for services that are being announced. (#29446, @f1ko)
* lbipam: Fix off-by-one error in LBIPAM range allocation (#29425, @YutaroHayakawa)
* neigh: Install neighbor entries only on devices where routes exist (#28782, @ysksuzuki)
* Policy revert used in rare error cases has been corrected. (#29162, @jrajahalme)
* Replace Cilium's base image from ubuntu:22.04 with Cilium's Runtime image (also ubuntu:22.04 based). (#29340, @aanm)
* Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#29202, @thorn3r)
* statedb: Fix termination of string and IP keys (#29368, @joamaki)
* When using stacked network interfaces (such as br0 -> eth0) in the egress path, ensure that BPF SNAT checks are applied on all interfaces. (#29160, @julianwiedmann)

CI Changes:
* Add 100 node scale test workflow (#29214, @learnitall)
* ariane: Disable ci-e2e-upgrade (#29488, @brb)
* bpf/tests: Fixed loop not unrolled error in pktgen (#28942, @dylandreimerink)
* bpf: complexity-tests: add HAVE_FIB_NEIGH (#29348, @julianwiedmann)
* ci aws: cleanup EKS cluster in separate job (#29412, @mhofstetter)
* ci-clustermesh-upgrade: Increment timeout between rollouts to 5min (#29560, @mhofstetter)
* ci-e2e-upgrade: Bring it on (#29073, @brb)
* ci-e2e-upgrade: Remove setting CLI vsn (#29435, @brb)
* ci-e2e: Use kernel 6.1 instead of 6.0 (#29345, @brb)
* ci-gke: remove duplicated wait for cilium (#29542, @mhofstetter)
* ci-ipsec-upgrade: Check for errors (#29189, @brb)
* ci-ipsec-upgrade: Drop no-missed-tail-calls exclusion (#29325, @brb)
* ci-ipsec-upgrade: Fix upgrade/downgrade path and add missed tail calls check to upgrade (#29072, @brb)
* ci: add K8s 1.28 platform testing (#29004, @nbusseneau)
* CI: Add merge_group trigger (#29276, @brlbil)
* ci: add nameserver 1.1.1.1 to conformance-runtime test LVM (#29455, @mhofstetter)
* ci: Bump timeout of ci-runtime (#29317, @YutaroHayakawa)
* ci: Bump up the memory of LVH in conformance-e2e (#29494, @michi-covalent)
* ci: bypass proxy.golang.org in Go toolchain installation (#29549, @tklauser)
* ci: disable envoy tracing in multi-pool workflow (#28966, @tklauser)
* ci: don't write github commit status on push event (#29404, @mhofstetter)
* ci: don't write github commit status on push event (#29438, @mhofstetter)
* ci: fix deployment issue with multiple clusters in same region (#29427, @mhofstetter)
* ci: fix dns issue when pulling cilium-docker-plugin in ci-runtime (#29502, @mhofstetter)
* ci: fix merge group required checks (#29337, @brlbil)
* ci: fix typo in clustermesh workflow job name (#29046, @tklauser)
* ci: increase cilium wait timeout to 10m on cloud providers (#29541, @mhofstetter)
* ci: increase disk size for GKE clusters (ci-gke & ci-external-workloads) (#29528, @mhofstetter)
* ci: migrate some schedule workflows to event trigger push (#29433, @mhofstetter)
* ci: Remove useless quotes in update label workflow (#28952, @pippolo84)
* cilium-cli action: Specify the repository parameter (#29338, @michi-covalent)
* datapath: Clean up XFRM configs after unit tests (#29332, @pchaigno)
* Drop support for EOLed Kubernetes versions (#29174, @michi-covalent)
* egressgw: tests: wait for initial sync reconciliation (#29084, @jibi)
* Extend BPF unit tests for IPsec (#28438, @jschwinger233)
* Fix pre-flight clusterrole check (#29224, @marseel)
* gh/workflows: Add lvh-kind action and use it in ci-e2e (#29485, @brb)
* gh/workflows: Dump Cilium LB node logs in case of failure (#28808, @brb)
* gh: datapath-verifier: also run on 6.1 kernel (#29349, @julianwiedmann)
* gha: Enable Ingress Controller tests in conformance-e2e (#29130, @sayboras)
* restore full go vet behaviour (#28945, @bimmlerd)
* scale-test-100-gce: Use CILIUM_CLI_VERSION (#29562, @michi-covalent)
* Set correct cluster name and id during upgrade test (#29165, @marseel)
* Skip k8s upstream conformance test for multiple protocols on a Service (#29524, @youngnick)
* Switch to on-demand instances for AWS tests on scheduled runs. (#29366, @marseel)
* Test upgrade/downgrade to patch release for IPsec (#28815, @qmonnet)
* test/k8s: clean up unused manifests (#29436, @tklauser)
* test: Use previous in-pod CLI name for updates (#29208, @joestringer)
* tests-e2e-upgrade: Use CILIUM_CLI_VERSION (#29496, @michi-covalent)
* Wait for downgrade images to be ready in GHA clustermesh upgrade/downgrade test (#29409, @giorio94)
* workflows: Add debug info to IPsec key rotation test (#29353, @pchaigno)
* workflows: move cilium_cli_version definition to set-env-variables action (#29237, @jibi)
* workflows: Pin conn-disrupt-test GH action to main (#29402, @pchaigno)

Misc Changes:
* .github/workflows: only cancel concurrent jobs if not in merge_group (#29431, @aanm)
* .github: do not group jobs on merge queues (#29551, @aanm)
* Add AirQo to Cilium USERS.md (#29467, @123MwanjeMike)
* Add an option to force BPF attachment to native device (#29176, @YutaroHayakawa)
* Add CEP and CES resources (#29244, @pippolo84)
* Add Cybozu to USERS.md (#29231, @chez-shanpu)
* Add Dcode.tech to USERS.md (#28996, @eliranw)
* Add IDNIC/Kadabra as user to Cilium (#28958, @ardikabs)
* Add node activity health reporters on node manager (#28799, @derailed)
* Add table for node addresses (#28962, @joamaki)
* add v1.15.0-pre.2 release (#28903, @aanm)
* api: Allow middleware to be injected via Hive (#29223, @gandro)
* BGP CP: Replaces LocalNodeStore with Local CiliumNode (#28238, @danehans)
* bgpv1: fix incorrect error messages in the reconcilePodIPPool function (#29125, @hargrovee)
* bgpv1: fix merge race conflict on NewGoBGPServer (#29321, @mhofstetter)
* bgpv1: Prevent multiple reconcilers with the same name (#29071, @rastislavs)
* bgpv1: Reorganize BGP config reconcilers (#29277, @rastislavs)
* bgpv1: Use specific log message and remove unused parameter (#28895, @hargrovee)
* bpf: fine-tune a few L3 header validations (#28669, @julianwiedmann)
* bpf: host: adjust scope of HostFW section in handle_ipv6() (#29052, @julianwiedmann)
* bpf: ipsec: move get_min_encrypt_key() to encrypt.h (#28991, @julianwiedmann)
* bpf: lb: fix missing drop reason in reverse_map_l4_port() (#28884, @julianwiedmann)
* bpf: lxc: avoid upgrade/downgrade woes with CB_FROM_TUNNEL in IPv6 path (#29304, @julianwiedmann)
* bpf: nat: fully switch to snat_v_rewrite_helpers() (#29403, @julianwiedmann)
* bpf: nat: limit EgressGW redirect check to bpf_host (#29159, @julianwiedmann)
* bpf: nat: pass NAT map to snat_v4_new_mapping() (#29049, @julianwiedmann)
* bpf: nodeport: re-introduce Ingress HostFW between RevSNAT and RevDNAT (#28960, @julianwiedmann)
* bpf: tests: minor cleanups (#29354, @julianwiedmann)
* bpf: tunnel-related cleanups in to-container path (#28920, @julianwiedmann)
* bpf: use l4_load_ports() everywhere (#29135, @julianwiedmann)
* Bug: Fix module health status output (#29140, @derailed)
* build: Declare GO in makefile before first use (#28983, @sayboras)
* Changed cilium status CLI output to render the modules health section as a tree structure vs tabular data. (#28800, @derailed)
* chore(deps): update actions/checkout action to v4 (main) (#29539, @renovate[bot])
* chore(deps): update actions/github-script action to v7 (main) (#29142, @renovate[bot])
* chore(deps): update all github action dependencies (main) (#28987, @renovate[bot])
* chore(deps): update all github action dependencies (main) (minor) (#29260, @renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (#29262, @renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (#29387, @renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (#29533, @renovate[bot])
* chore(deps): update all github action dependencies to v2 (main) (major) (#29540, @renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (#29388, @renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (#29534, @renovate[bot])
* chore(deps): update anchore/scan-action action to v3.3.8 (main) (#29573, @renovate[bot])
* chore(deps): update cilium/cilium digest to 614f2dd (main) (#29386, @renovate[bot])
* chore(deps): update cilium/cilium digest to 93f26fd (main) (#29141, @renovate[bot])
* chore(deps): update cilium/cilium digest to ef8ca62 (main) (#29120, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.15.13 (main) (#28989, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.15.14 (main) (#29234, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.15.16 (main) (#29464, @renovate[bot])
* chore(deps): update dependency eksctl-io/eksctl to v0.165.0 (main) (#29537, @renovate[bot])
* chore(deps): update dependency go to v1.21.4 (main) (#29558, @renovate[bot])
* chore(deps): update dependency kubernetes/kops to v1.28.1 (main) (#29128, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (main) (#29535, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.21.4 docker digest to 9baee0e (main) (#29261, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 8eab65d (main) (#29572, @renovate[bot])
* chore(deps): update go to v1.21.4 (main) (patch) (#29043, @renovate[bot])
* chore(deps): update golangci/golangci-lint docker tag to v1.55.2 (main) (#28990, @renovate[bot])
* chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.1 [security] (main) (#29314, @renovate[bot])
* chore(deps): update quay.io/cilium/kindest-node docker tag to v1.28.3 (main) (#29057, @renovate[bot])
* chore(deps): update quay.io/lvh-images/kind docker tag to bpf-next-20231123.012848 (main) (#28992, @renovate[bot])
* ci-ipsec-upgrade: Do not run conn tests after installing Cilium (#29178, @brb)
* ci: Bump timeout on ci-runtime privileged workflow (#28923, @jrajahalme)
* CI: fix broken BPF complexity tests (#29510, @lmb)
* cilium-dbg, policy, api: Fix labels in policy selectors output (#29152, @christarazi)
* cilium: Add a few bwm setting tweaks (#29552, @borkmann)
* Clarify cilium_event_ts metric description (#29303, @christarazi)
* client: Use options pattern for NewRuntime (#29271, @gandro)
* clustermesh install documentation: missing step (#28889, @dashaun)
* cni: remove unused CILIUM_CNI_CONF variable from install script (#29063, @wedaly)
* CODEOWNERS: claim some new ipsec-related files for cilium/ipsec (#29516, @julianwiedmann)
* CODEOWNERS: IPsec owns pkg/common/ipsec (#29002, @pchaigno)
* CODEOWNERS: Let IPsec team own GH workflows for IPsec (#29190, @brb)
* contrib: Fix prerelease pullPolicy (#28906, @joestringer)
* ctmap: limit NAT purging to expected CT tuple types (#28871, @julianwiedmann)
* daemon: Simplify cilium_host IP restoration (#28781, @gandro)
* datapath: Few minor improvements to DevicesController (#28887, @joamaki)
* datapath: Move linuxNodeHandler IPsec functions to their own file (#28941, @pchaigno)
* devices: fix busy loop (#29163, @bimmlerd)
* dnsproxy: convert LookupEndpointByIP to use netip.Addr (#28891, @tklauser)
* doc: Add roadmap for mutual authentication (#29006, @tgraf)
* docs: Add CiliumPodIPPool option in BGP Adv. Path Attributes docs (#29177, @rastislavs)
* docs: Add cluster install/prep guide for GKE-to-GKE clustermesh (#29342, @Neutrollized)
* docs: add instructions to build kindest-node image (#29079, @aanm)
* docs: bump required Helm version (#29273, @nebril)
* docs: Drop references to Helm v2 (#29463, @joestringer)
* docs: update versions and parameters for XDP Acceleration on AKS (#29091, @jshr-w)
* Docs: Updates BGP CP Developer Docs (#28908, @danehans)
* don't remove neighbor link state file if migrateOnly (#28659, @liuyuan10)
* enabled initialDelaySeconds on StartupProbe (#28816, @jignyasamishra)
* endpoint: Clarify policy locking requirements (#29024, @jrajahalme)
* endpoint: fix removed code comment. (#29172, @tommyp1ckles)
* endpointstate: Add an interface to wait for endpoint restore (#29243, @pippolo84)
* envoy: periodic version-check with hive timer job (#29513, @mhofstetter)
* envoy: Support internal listeners in CiliumEnvoyConfig CRDs (#29026, @jrajahalme)
* envoy: Update to pick up deny policy support (#28862, @jrajahalme)
* Extract tunnel options to simplify override, and inject them through hive (#29051, @giorio94)
* Fix bug preventing endpoint-related debug logs from being emitted (#29495, @learnitall)
* Fix Cilium Datapath Prometheus metric names (#29226, @carnerito)
* fix(deps): update all go dependencies main (main) (minor) (#28994, @renovate[bot])
* fix(deps): update all go dependencies main (main) (minor) (#29264, @renovate[bot])
* fix(deps): update all go dependencies main (main) (minor) (#29398, @renovate[bot])
* fix(deps): update all go dependencies main (main) (minor) (#29538, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#28993, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#29134, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#29389, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#29536, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#29574, @renovate[bot])
* fix(deps): update golang.org/x/sys digest to 13b15b7 (main) (#29279, @renovate[bot])
* fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.613 (main) (#29263, @renovate[bot])
* fix(deps): update module github.com/go-openapi/validate to v0.22.2 (main) (#29280, @renovate[bot])
* Fixes rate limiting for CES Controller (#28963, @alan-kut)
* Follow-up nits from etcd init script pull request (#29489, @JamesLaverack)
* fqdn/dnsproxy: drop dependency on global EnableIPv{4,6} option (#28968, @tklauser)
* gateway-api: cleanup cell imports & dependencies (#29204, @mhofstetter)
* gateway-api: don't register secretsync if required CRDs aren't present (#29437, @mhofstetter)
* gateway-api: fix up for import rename (#29143, @julianwiedmann)
* gateway-api: improve secret sync resiliency (#29017, @mhofstetter)
* gateway-api: Use Gateway API definition to check Route condition (#29359, @haiyuewa)
* go.mod, vendor: update golang.org/x/sys to latest unreleased version (#29070, @tklauser)
* Helm: Allow configuration of the install-cni container resources field (#27469, @RenaudWasTaken)
* helm: Fix annotation duplication problems for cilium-agent (#28978, @bradwhitfield)
* hubble/relay: Remove ReportOffline and refactor PeerManager (#28595, @glrf)
* images: drop the kvstoremesh dockerfile (#28961, @giorio94)
* images: Fix init-container script for cilium-dbg (#29424, @joestringer)
* Implement NodeAddressing on top of Table[NodeAddress] (#29033, @joamaki)
* Improve deletion of stale backends associated with non-global services, without waiting for full Cluster Mesh synchronization (#28745, @giorio94)
* ingress: migrate Cilium Ingress controller to use the controller-runtime library (#29327, @mhofstetter)
* ingress: migrate secret-sync to controller-runtime (#29198, @mhofstetter)
* Introduce sync.Map wrapper with generics support (#29452, @giorio94)
* ipam: Fix duplicate metric ipam_event release (#29520, @christarazi)
* ipcache: keep upserted prefixes from being deleted by InjectLabels (#29014, @squeed)
* ipcache: move CIDR restoration to asynchronous APIs (#28673, @squeed)
* ipsec: Improve encrypt flush command (#28795, @pchaigno)
* ipsec: Remove dead code for IPsec node encryption (#28898, @pchaigno)
* ipsec: Small refactorings on key loading and state creation (#29352, @pchaigno)
* k8s: remove unused slim k8s model for Ingress & IngressClass (#29517, @mhofstetter)
* L7 Loadbalancing: Migrate to controller-runtime library (#29126, @mhofstetter)
* labels: further optimize IPStringToLabel for single IP case (#29040, @tklauser)
* loader: attach XDP programs using bpf_link (#28308, @rgo3)
* loader: do not invoke llc separately (#29458, @lmb)
* makefile: add back the sed command to update the logo path (#28929, @bradwhitfield)
* maps: nat: fix copy & paste in error message from doFlush() (#29097, @julianwiedmann)
* Minor documentation fixes and improvements for the BGP MD5 feature (#29375, @nvibert)
* Miscellaneous improvements about kvstore logging (#28843, @giorio94)
* Miscellaneous improvements to the etcd client (#28834, @giorio94)
* Modularise MTU discovery (#28964, @bimmlerd)
* Modularize ipcache BPF listener (#29194, @giorio94)
* Modularize iptables manager (#28746, @pippolo84)
* Modularize kernel modules manager into its own cell (#28713, @pippolo84)
* Modularized the bandwidth manager (#28619, @dylandreimerink)
* mountinfo: fix build on linux/386 (#29481, @tklauser)
* node: allow to override enable encapsulation on a per-node basis (#29232, @giorio94)
* operator: extract controller-runtime integration into its own cell (#28931, @mhofstetter)
* option: add LoadBalancerUsesDSR() helper (#26898, @julianwiedmann)
* pkg/allocator: store key in variable for error message (#29076, @aanm)
* pkg/bgpv1: Updates getPeerConfig() Method (#28474, @danehans)
* plugins/cilium-cni: Move implementation into separate package (#29336, @gandro)
* policy: Return a real nil rather than a non-nil interface (#29022, @jrajahalme)
* policy: Simplify AccumulateMapChanges prototypes (#29025, @jrajahalme)
* Prepare for release v1.15.0-pre.2 (#28901, @aanm)
* probes: remove HAVE_FIB_LOOKUP leftovers (#29401, @rgo3)
* proxy: define and use well known datapath constants (#28955, @tklauser)
* README: Update releases (#29170, @nathanjsweet)
* Refactor LocalNode synchronization logic and remove NodeChain (#29319, @giorio94)
* Remove accidentally checked in .orig file (#29145, @christarazi)
* Remove usage of global options from iptables cell (#29088, @pippolo84)
* Renamed Hubble Dashboard so that it can be installed by Grafana Sidecar. (#28971, @saintdle)
* Report node source in cilium-dbg node list (#29196, @tklauser)
* secret-sync: extract secret-sync logic from gateway api controller & introduce hive cell (#29100, @mhofstetter)
* service: fix service manager interface mismatch caused by merge race (#29018, @giorio94)
* Some small fixes to make kind-fast (#28621, @squeed)
* statedb: Allow non-terminated keys (#29440, @joamaki)
* statedb: Simplify integration with Hive (#28892, @joamaki)
* stream: fix spurious event on termination when Debounce is used (#29347, @giorio94)
* Update lb-ipam.rst (#28756, @nvibert)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.15.0-pre.3@sha256:c09d3fc906f26edbc93494cc46e6616668d7931a05470f02b9f9a266c2cfc279
quay.io/cilium/cilium:v1.15.0-pre.3@sha256:c09d3fc906f26edbc93494cc46e6616668d7931a05470f02b9f9a266c2cfc279

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.15.0-pre.3@sha256:74f30ab524a07ffb3e74e2c0d5c34f7a03f1b090f45e3f4450db3d34800ada4d
quay.io/cilium/clustermesh-apiserver:v1.15.0-pre.3@sha256:74f30ab524a07ffb3e74e2c0d5c34f7a03f1b090f45e3f4450db3d34800ada4d

docker-plugin

docker.io/cilium/docker-plugin:v1.15.0-pre.3@sha256:dee40ce43396547b8ef34b005679e207bdc9f8413ac1abdedbc6ce10a58e3ff2
quay.io/cilium/docker-plugin:v1.15.0-pre.3@sha256:dee40ce43396547b8ef34b005679e207bdc9f8413ac1abdedbc6ce10a58e3ff2

hubble-relay

docker.io/cilium/hubble-relay:v1.15.0-pre.3@sha256:95833c3375b48cf72d1c122da6ffed2f69bd7c6b76cd373f5a8455c0c527cc4b
quay.io/cilium/hubble-relay:v1.15.0-pre.3@sha256:95833c3375b48cf72d1c122da6ffed2f69bd7c6b76cd373f5a8455c0c527cc4b

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.15.0-pre.3@sha256:a4ad0149c6ebfa87692379cd090ee25a41621dcf98af2a910f767ef46df72a51
quay.io/cilium/operator-alibabacloud:v1.15.0-pre.3@sha256:a4ad0149c6ebfa87692379cd090ee25a41621dcf98af2a910f767ef46df72a51

operator-aws

docker.io/cilium/operator-aws:v1.15.0-pre.3@sha256:c99a09adf0be9ec82d6407ad5d8a87c635258a88292417e4feebf83fb90d36f6
quay.io/cilium/operator-aws:v1.15.0-pre.3@sha256:c99a09adf0be9ec82d6407ad5d8a87c635258a88292417e4feebf83fb90d36f6

operator-azure

docker.io/cilium/operator-azure:v1.15.0-pre.3@sha256:136d55f7ad5dbbae6c79f6a4d547f2641c590e37a80d745b9c8135fd5b8b5553
quay.io/cilium/operator-azure:v1.15.0-pre.3@sha256:136d55f7ad5dbbae6c79f6a4d547f2641c590e37a80d745b9c8135fd5b8b5553

operator-generic

docker.io/cilium/operator-generic:v1.15.0-pre.3@sha256:01959fb5e0164fbe3f265f42da4e444d9511f716ac26210fea1080c948d4583e
quay.io/cilium/operator-generic:v1.15.0-pre.3@sha256:01959fb5e0164fbe3f265f42da4e444d9511f716ac26210fea1080c948d4583e

operator

docker.io/cilium/operator:v1.15.0-pre.3@sha256:1df2ea3840ca1c012d86f8e9dd785c3f24ce319915db3e6c99150627dfdc08cb
quay.io/cilium/operator:v1.15.0-pre.3@sha256:1df2ea3840ca1c012d86f8e9dd785c3f24ce319915db3e6c99150627dfdc08cb


Security

Security wording was detected, but no CVEs were found.

Details

date: Dec. 4, 2023, 3:10 p.m.
name: 1.15.0-pre.3
type: Pre-release