Cilium - v1.16.0-pre.0


Summary of Changes

Major Changes:
* Add support for matching CiliumCIDRGroups in Egress policy rules (#30624, @chaunceyjiang)
* api: Promote field_mask from experimental to stable, deprecating experimental option (#30133, @chancez)
* bpf: initial multicast datapath support (#29469, @ldelossa)
* identity: Allow nodes to be selectable by their labels instead of CIDR and/or remote-node entity. (#26924, @oblazek)
* This change introduces the BGP control-plane operator. (#28846, @harsimran-pabla)

Minor Changes:
* Add a description to the default GatewayClass. (#30041, @chaunceyjiang)
* Add a new option to exclude unwanted k8s node labels from CiliumNode (#28290, @hemanthmalla)
* Add a simple node IPAM to allow using LoadBalancer Service type on "uncontrolled" networks (#30038, @MrFreezeex)
* Add flag --policy-accounting to enable/disable per-policy packet and byte accounting (default true) (#28749, @Jack-R-lantern)
* Add Hubble metrics HTTP endpoint status metrics. Two metrics are introduced: hubble_metrics_http_handler_requests_total, which counts requests made to the endpoint, grouped by HTTP status code, and hubble_metrics_http_handler_request_duration_seconds, also grouped by HTTP status code, which tracks duration of requests made to the endpoint. (#30648, @siwiutki)
* Add metrics count for dir=CT_SERVICE and disable conntrack metrics by default (#27527, @wenlxie)
* add readinessProbe to clustermesh-apiserver indicating kvstore sync status (#29643, @thorn3r)
* Add ServiceImport support in Cilium Gateway API (#28769, @MrFreezeex)
* Add support for the cni.cilium.io/mac-address annotation on Pod resources to control the L2 address used for Pod communication. (#29360, @chaunceyjiang)
* bgpv1: Allow specifying well-known BGP standard communities using their names (#30440, @rastislavs)
* bgpv2 - adding preflight and neighbor reconciler using CiliumBGPNodeConfig resource. (#30108, @harsimran-pabla)
* bpf, ctmap: Implement map pressure metric for CT maps (#28183, @christarazi)
* bpf: do not invoke llc from Makefiles (#29459, @lmb)
* bpf: xdp: use bpf_xdp_get_buff_len() when available (#29472, @julianwiedmann)
* Check sysctl values before writes to avoid errors on potentially read-only filesystem (#30519, @chaunceyjiang)
* Cilium Network Policy can now redirect to different listeners on the same destination port depending on the destination. (#28555, @jrajahalme)
* Cilium should accept any value that is not "disabled" for svc topology mode (#30113, @BSWANG)
* Cilium-agent option --endpoint-status and helm option endpointStatus were removed. (#30761, @marseel)
* ciliumenvoyconfig: introduce NodeSelector (#30470, @mhofstetter)
* cleanup: Remove cilium_isitio sidecar configuration (#30130, @sayboras)
* envoy: Bump envoy minor version to v1.28.0 (#29820, @sayboras)
* envoy: Bump envoy version to v1.28.1 (#30697, @sayboras)
* envoy: Default to daemon set deployment from 1.16 (#30034, @sayboras)
* Expose bpf_map_pressure metric for egress_gw_policy_v4 (#29943, @ysksuzuki)
* gateway-api: Add support for proxy protocol (#30567, @chaunceyjiang)
* gateway-api: Bump to latest version from upstream (#31005, @sayboras)
* helm: Allow configuration of Envoy --base-id for Envoy DaemonSet (#30466, @cpu601)
* helm: Remove deprecated flags proxy.prometheus.{enabled,port} (#30598, @sayboras)
* helm: Remove deprecated values encryption.* (#30613, @sayboras)
* Hubble now has an option to emit v1.Events related to pods on detection of packet drops. (#29565, @robinelfrink)
* ICMP: Introduce ICMP type name in ICMPField (#30330, @Shunpoco)
* Increase the minimum required kernel version to v5.4 / RHEL 8.6. (#30869, @lmb)
* ingress/gateway-api: expose listeners on host network (#30840, @mhofstetter)
* ingress: Add check for kpr and nodeport (#30592, @sayboras)
* lb-ipam: Add annotation alias with lbipam.cilium.io prefix (#30169, @sayboras)
* lbipam: allow cross namespace IP sharing (#30055, @rissson)
* NodePort service frontends are now automatically updated when node's IP addresses change. This may have an impact to NodePort services manually added via the cilium-dbg tool if the used frontend IP is not assigned on the node. (#30374, @joamaki)
* policy: Do not select any identity with empty slices (#29608, @pippolo84)
* Rename the cilium cleanup command (#30471, @littlejo)
* Restore health IPs from local ciliumnode resource (#30383, @haozhangami)
* Small refactor in datapath/linux/node.go (#28849, @derailed)
* Support ingress.cilium.io/force-https annotation (functionally equivalent to nginx.ingress.kubernetes.io/force-ssl-redirect) (#30616, @youngnick)
* Support for dynamic CES Controller throttling configuration based on the number of nodes (#29861, @alan-kut)
* Trim clustermesh-apiserver ClusterRole permissions when external workloads support is disabled (#30743, @giorio94)
* Update deprecated Prometheus Metrics (#30632, @karojohn)

Bugfixes:
* Bandwidth limits are now enforced also for network devices added after Cilium agent has started (e.g. for new ENI devices). (#30419, @joamaki)
* Datasource error fixed for Hubble DNS and Network dashboards (#30580, @Pionerd)
* envoy: Avoid duplicated upstream callback (#30945, @sayboras)
* Fix an issue where cilium is unable to allocate IP addresses when it is running on newly launched AWS instances (#30308, @AnishShah)
* Fix bug in the VTEP feature which caused all traffic from the VTEP to be dropped with "Incorrect VNI from VTEP" (#31039, @joestringer)
* Fix Hubble label selector parsing for labels with dots (#30411, @glrf)
* Fix nodeipam cell not registered (#30250, @MrFreezeex)
* Fix the referenced interface in iptables rules (eni+ instead of lxc+) when --enable-endpoint-routes=true and --cni-chaining-mode="aws-cni" (#30766, @pippolo84)
* Fixes an IPv6 issue where Cilium doesn't respond to Neighbor Solicitation targeting pods on the same node. (#30837, @jschwinger233)
* Fixes proxy issues by opting out from SNAT for L7 + Tunnel. (#29594, @jschwinger233)
* Fixes proxy issues in egress direction (#30095, @jschwinger233)
* gateway-api: Correct the null check for GRPCRoute Match (#31052, @sayboras)
* Handle InvalidParameterValue as well for PD fallback (#31016, @hemanthmalla)
* helm: Fix Prometheus metrics annotations for Hubble Relay (#30501, @chaunceyjiang)
* If the source address is a remote node, then we should treat it as outside traffic. (#30240, @kvaster)
* tables: Sort node addresses also by public vs private IP (#30579, @joamaki)
* xds: Avoid xds timeout due to agent restart in envoy DS mode (#31061, @sayboras)

CI Changes:
* .github: Don't update LVH bpf-next images on stable branches (#29835, @joestringer)
* .github: Fix LVH image bump for main branch (#30284, @joestringer)
* [Kind] ipfamily should be set by platform configuration. (#30332, @fujitatomoya)
* Add RHEL8 kernel to CI (#30421, @lmb)
* Always update lvh in tandem with lvh-images (#30596, @lmb)
* bgpv2: use different ports in unit tests (#30528, @harsimran-pabla)
* Centralize configuration of kind version/image in GitHub Action workflows (#30916, @giorio94)
* ci conformance e2e: increase request timeout from 10s to 30s. (#30192, @tommyp1ckles)
* ci-e2e: Enable Ingress Controller test for more setup (#30657, @sayboras)
* ci: check kvstoremesh for vulnerabilities only on v1.14 (#29918, @mhofstetter)
* ci: continue container scanning on error (#29921, @ferozsalam)
* CI: Fix Artifact Creation Failure Due to Invalid Character in Name (#29884, @brlbil)
* ci: fix conformance gateway-api & ingress sysdump gathering & upload (#29960, @mhofstetter)
* ci: fix eks image pull flake (#30030, @brlbil)
* ci: increase conformance-aks timeout (#30438, @brlbil)
* cli: Replace --cluster-name with --helm-set cluster.name (#31095, @michi-covalent)
* clustermesh up/downgrade: test maxConnectedCluster (#30446, @thorn3r)
* controlplane: fix mechanism for ensuring watchers (#31030, @bimmlerd)
* Fix bug preventing consistent symbols between ELF and BTF for eBPF unit tests. (#30610, @learnitall)
* gateway: Sync up the experimental conformance test (#31017, @sayboras)
* GCP OIDC instead of SA creds. (#30809, @viktor-kurchenko)
* GCP performance OIDC auth. (#30844, @viktor-kurchenko)
* gha: Avoid the warning for kind-action (#30601, @sayboras)
* gha: drop unused check_url environment variable (#30928, @giorio94)
* gha: Re-purpose Conformance Kind proxy test (#31074, @sayboras)
* golangci-lint: Fix goimports local prefix (#31106, @michi-covalent)
* identity: deflake test TestGetIdentity - part 2 (#30190, @mhofstetter)
* iptables: Fix New port number case in TestAddProxyRules{v4,v6} (#30555, @pippolo84)
* Prevent E2E tests from failing on a known-ok warning log of temporary CRD failure (#30778, @learnitall)
* Re-enable LRP and K8sSpecificMACAddressTests tests that were incorrectly skipped on non-AKS platforms due to a regression. (#30939, @aditighag)
* Reduce flakiness of controlplane tests (#30906, @bimmlerd)
* Remove remaining references to v4.19 (#30890, @lmb)
* removing reference to Metal LB in GHA now that MetalLB has been replaced with Cilium L2 Announcement (https://github.com/cilium/cilium/pull/28926) (#29854, @nvibert)
* renovate: add lvh-kind action (#30663, @lmb)
* Replace v4.19 with RHEL 8.6 in CI (#30872, @lmb)
* route: dedicated net ns for each subtest of runListRules (#29916, @mhofstetter)
* Scale tests improvements (#29859, @marseel)
* statedb/reflector: fix race condition in test (#30971, @bimmlerd)
* test: add standalone l4lb test to verify that traffic works even when cilium agent is restarted (#30114, @oblazek)
* test: verify that traffic to services work when agent (l4lb) is restarted (#30930, @oblazek)
* tests: check for pending maps after network policy tests finish (#30188, @lmb)
* Use AWS OIDC instead of access key for CI (#30713, @viktor-kurchenko)
* workflows: conformance-eks: use env.QUAY_ORGANIZATION_DEV (#30263, @julianwiedmann)

Misc Changes:
* .github: switch kind images back to kind (#30659, @aanm)
* [operator] Refactor - export CiliumEndpointSlice test utils (#30577, @dlapcevic)
* add a fast make target for kind-clustermesh (#29910, @thorn3r)
* Add a new flag to endpoints in the IPCache to allow for overriding tunnel configuration (#29796, @learnitall)
* add how to clean up the e2e connectivity test. (#30428, @fujitatomoya)
* Add NetBird to the Cilium user list (#30645, @braginini)
* Add OpenVEX document (#30768, @ferozsalam)
* Add support for infinite retries for OneShot jobs (#30376, @dylandreimerink)
* Add support for skipping encapsulation for host-to-pod traffic (#30819, @learnitall)
* Add support for skipping encapsulation of nodeport-related traffic (#30608, @learnitall)
* add users doc to bug report template (#30603, @xmulligan)
* Added sysctl setting reconciliation (#30439, @dylandreimerink)
* Address race condition in TestGetIdentity (#30885, @bimmlerd)
* Adds NETWAYS Web Services to USERS.md (#30505, @mocdaniel)
* Allow packets leaving containers to skip encapsulation. (#30427, @learnitall)
* bandwidth: test: don't unlock OS thread too early (#30932, @bimmlerd)
* bgpv1: Modularize test fixtures (#30234, @rastislavs)
* bgpv1: Some test coverage improvements for bgpv1/agent (#30096, @YutaroHayakawa)
* bgpv2: Add service options to advertisement CRD (#30902, @harsimran-pabla)
* bgpv2: setting gobgp configuration based on new BGP APIs (#29988, @harsimran-pabla)
* bitlpm: Factor out common code (#31026, @jrajahalme)
* bpf: add ext_err for more callers of tail_call_internal() (#30023, @julianwiedmann)
* bpf: add improved helper for program-internal tail-call (#30001, @julianwiedmann)
* bpf: alignchecker: add encrypt_config and world_cidrs_key4 (#29886, @julianwiedmann)
* bpf: convert ep_tail_call() to tail_call_internal() (#30288, @julianwiedmann)
* bpf: ct: allow CT entry creation / lookup without detailed information (#30344, @julianwiedmann)
* bpf: explicitly pass map to policy_can_{in,e}gress{4,6} (#31053, @jibi)
* bpf: host: simplify MARK_MAGIC_PROXY_EGRESS_EPID handling (#29803, @julianwiedmann)
* bpf: host: skip from-proxy handling in from-netdev (#29962, @julianwiedmann)
* bpf: introduce ctx_load_and_clear_meta() (#30245, @julianwiedmann)
* bpf: ipv6: optimize ipv6_addr_copy() (#30029, @julianwiedmann)
* bpf: lb: clean up REV_NAT_F_TUPLE_SADDR parts in RevDNAT logic (#30701, @julianwiedmann)
* bpf: lb: small improvements to CT logic (#30950, @julianwiedmann)
* bpf: lxc: remove CB_FROM_TUNNEL upgrade toleration for IPv6 (#30244, @julianwiedmann)
* bpf: nat: pass back ipv4_load_l4_ports()'s actual drop reason (#29837, @julianwiedmann)
* bpf: nodeport: fix check to forward identity in nodeport_lb4 (#31085, @jibi)
* bpf: nodeport: remove TC_INDEX_F_SKIP_RECIRCULATION logic (#30435, @julianwiedmann)
* bpf: proxy: add IPv4 fragmentation support in ctx_redirect_to_proxy_first() (#29760, @julianwiedmann)
* bpf: test: future-proof some kernel version checks (#30127, @julianwiedmann)
* bpf: xdp: clean up xdp_adjust_hroom() (#30325, @julianwiedmann)
* Bump allowed Golang version to v1.21 (#30084, @ferozsalam)
* Bump readme, MLH for v1.15.0-rc.0 (#29909, @joestringer)
* Bump release versions references by readme, stable.txt, and MLH (#29879, @asauber)
* CEC: Extract CiliumEnvoyConfig from global k8s watcher (#30298, @mhofstetter)
* CEC: Move resource parser and envoy l7lb backend syncer to /pkg/ciliumenvoyconfig (#30290, @mhofstetter)
* cec: remove label break by extracting function to inject L7 filter (#30062, @mhofstetter)
* cec: timerbased reconcile job as fallback (#30866, @mhofstetter)
* check-sources.sh: move file lists to env variables (#30600, @jibi)
* chore(deps): update actions/download-artifact action to v4.1.3 (main) (#30985, @renovate[bot])
* chore(deps): update actions/setup-go action to v5 (main) (#29952, @renovate[bot])
* chore(deps): update all github action dependencies (main) (#30618, @renovate[bot])
* chore(deps): update all github action dependencies (main) (#30898, @renovate[bot])
* chore(deps): update all github action dependencies (main) (#30948, @renovate[bot])
* chore(deps): update all github action dependencies (main) (#31109, @renovate[bot])
* chore(deps): update all github action dependencies (main) (minor) (#29948, @renovate[bot])
* chore(deps): update all github action dependencies (main) (minor) (#30394, @renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (#30392, @renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (#30478, @renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (#30779, @renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (#30830, @renovate[bot])
* chore(deps): update all github action dependencies to v3 (main) (major) (#30485, @renovate[bot])
* chore(deps): update all github action dependencies to v4 (main) (major) (#30048, @renovate[bot])
* chore(deps): update all kind-images main (main) (#30828, @renovate[bot])
* chore(deps): update all kind-images main (main) (patch) (#30621, @renovate[bot])
* chore(deps): update all lvh-images main (main) (#30974, @renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (#29945, @renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (#30044, @renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (#30805, @renovate[bot])
* chore(deps): update all lvh-images main to bpf-next-20240204.012837 (main) (patch) (#30460, @renovate[bot])
* chore(deps): update alpine-images (main) (patch) (#30479, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.15.20 (main) (#30200, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.15.21 (main) (#30569, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.15.22 (main) (#30622, @renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.15.23 (main) (#30832, @renovate[bot])
* chore(deps): update dependency eksctl-io/eksctl to v0.167.0 (main) (#30046, @renovate[bot])
* chore(deps): update dependency kubernetes-sigs/kind to v0.22.0 (main) (#30826, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.21.5 docker digest to 672a228 (main) (#30043, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.21.6 docker digest to 76aadd9 (main) (#30242, @renovate[bot])
* chore(deps): update docker.io/library/golang:1.21.6 docker digest to 7b575fe (main) (#30619, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 6042500 (main) (#29939, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to e6173d4 (main) (#30391, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to f9d633f (main) (#30620, @renovate[bot])
* chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 112a87f (main) (#29940, @renovate[bot])
* chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 49af061 (main) (#30946, @renovate[bot])
* chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 6a3500b (main) (#30829, @renovate[bot])
* chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.12 (main) (#30623, @renovate[bot])
* chore(deps): update go to v1.21.6 (main) (patch) (#30172, @renovate[bot])
* chore(deps): update go to v1.22.0 (main) (minor) (#30673, @renovate[bot])
* chore(deps): update golangci/golangci-lint docker tag to v1.56.2 (main) (#30839, @renovate[bot])
* chore(deps): update golangci/golangci-lint-action action to v4 (main) (#30849, @renovate[bot])
* chore(deps): update hubble cli to v0.13.0 (main) (minor) (#30272, @renovate[bot])
* chore(deps): update nick-invision/retry action to v3 (main) (#30628, @renovate[bot])
* chore: provide OSSF security insight (#30448, @mmorel-35)
* ci: fix typo in generate-k8s-api workflow (#30824, @chaunceyjiang)
* cilium, tests: Temporary disable agent restart test in l4lb (#30710, @borkmann)
* ciliumenvoyconfig: always inject Envoy Cilium filters (Network & L7) for L7 loadbalancing (#30546, @mhofstetter)
* CODEOWNERS: pull in sig-wireguard for wireguard-related files (#30380, @julianwiedmann)
* CODEOWNERS: sig-scalability owns scalability-specific GH workflows (#29819, @marseel)
* Consolidate network namespace handling (#29993, @bleggett)
* contrib: Autodetect GITHUB_TOKEN during release (#29901, @joestringer)
* contrib: Fix post-release.sh for branch candidates (#29907, @joestringer)
* Correct Istio Integration Documentation for Cilium CLI Flag Usage (#30152, @rootsongjc)
* daemon/hive: No longer make WireGuard an optional dependency (#30544, @gandro)
* daemon: inline lookupIPsBySecID (#30919, @tklauser)
* daemon: Refactor syncHostIPs (#30373, @joamaki)
* datapath/fake: Move commonly imported types to fake/types package (#30523, @gandro)
* datapath: add more nat/overlay/nodeport hooks (#30888, @jibi)
* datapath: Enable N/S LB for overlapping pod CIDR (#30348, @jibi)
* Defines the cilium-envoy image used in the build Dockerfile using ARG to allow overrides. (#29638, @EricMountain)
* Doc fix: Correct hubble exporter config lines (#30424, @saintdle)
* doc,bgpv1: Add documentation about the address family option (#30455, @YutaroHayakawa)
* doc,bgpv1: Bootstrap BGP Control Plane troubleshooting doc (#30506, @YutaroHayakawa)
* doc,bgpv1: Refresh BGP Control Plane document structure (#30345, @YutaroHayakawa)
* doc: Installation guide for Talos (#30388, @PhilipSchmid)
* doc: Rework the AKS tabs so that only instructions for BYOCNI remain. (#28933, @tamilmani1989)
* doc: Updated RKE/Rancher guides (#30178, @PhilipSchmid)
* docs: Add command hints in make kind output (#30564, @sayboras)
* Docs: add note on matchExpressions for cnp and ccnp (#30811, @darox)
* docs: Add reference to BGP Control Plane from Multi-Pool IPAM page (#30748, @rastislavs)
* docs: Add stubs for v1.16 upgrade notes (#29903, @joestringer)
* docs: add Veepee as cilium USERS (#30913, @nerzhul)
* Docs: Adds IPv6 Tunneling Caveat to Networking Concepts (#30364, @danehans)
* docs: Document NodePort BPF and iptables SNAT port collision (#30858, @brb)
* Docs: restructure Cluster Mesh scaling section (#30582, @thorn3r)
* docs: update note on WireGuard with tunnel routing (#31083, @julianwiedmann)
* docs: Updating Azure CNI chaining as Legacy approach (#28571, @vipul-21)
* Document supported upgrade and rollback paths (#30408, @lmb)
* Don't emit an error message on namespace termination due to Ingress reconciliation (#30808, @giorio94)
* Drop broken and superseded CiliumInternalIP restoration logic (#30436, @giorio94)
* Drop gopsutil dependency (#30222, @nickolaev)
* egressgw: remove deleteStaleIPRulesAndRoutes() (#30025, @julianwiedmann)
* egressgw: remove nodeDataStore map from Manager (#30500, @markpash)
* endpoint: move locking into getProxyStatistics (#30414, @tklauser)
* endpoint: pause policymap-sync controller during regeneration (#30232, @squeed)
* endpoint: use PropertyCEP{Owner,Name} as CEP owner/name if set (#31021, @jibi)
* Ensure wireguard.h includes the correct headers (#30539, @ldelossa)
* Envoy: Extract Secret Sync from global k8swatcher (#30418, @mhofstetter)
* Expose Cilium operator go runtime scheduler latency prometheus metric go_sched_latencies_seconds (#29245, @derailed)
* Extend kind-clustermesh Makefile target to create dual stack clusters (#30129, @giorio94)
* Fix renovate config for grpc_health_probe (#30675, @glrf)
* Fix unnecessary warning by adding cilium_per_cluster_snat to the list of ignored ELF prefixes (#30998, @giorio94)
* fix(deps): update all go dependencies main (main) (#29941, @renovate[bot])
* fix(deps): update all go dependencies main (main) (#30199, @renovate[bot])
* fix(deps): update all go dependencies main (main) (#30947, @renovate[bot])
* fix(deps): update all go dependencies main (main) (minor) (#30047, @renovate[bot])
* fix(deps): update all go dependencies main (main) (minor) (#30122, @renovate[bot])
* fix(deps): update all go dependencies main (main) (minor) (#30385, @renovate[bot])
* fix(deps): update all go dependencies main (main) (minor) (#30482, @renovate[bot])
* fix(deps): update all go dependencies main (main) (minor) (#30626, @renovate[bot])
* fix(deps): update all go dependencies main (main) (minor) (#30848, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#29947, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#30045, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#30077, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#30140, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#30393, @renovate[bot])
* fix(deps): update all go dependencies main (main) (patch) (#30625, @renovate[bot])
* fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.681 (main) (#30976, @renovate[bot])
* fix(deps): update module github.com/docker/docker to v25 (main) (#30395, @renovate[bot])
* fix(deps): update module github.com/go-openapi/runtime to v0.27.1 (main) (#30481, @renovate[bot])
* fix(deps): update module github.com/tidwall/gjson to v1.17.1 (main) (#30836, @renovate[bot])
* fix(deps): update module golang.org/x/crypto to v0.20.0 (main) (#30987, @renovate[bot])
* fix: Adding the fatal error for ipv6 cilium config on a single stack node (#28953, @vipul-21)
* fswatcher: fix goroutine leak and refactor tests (#30734, @lmb)
* gateway-api: Bump to the latest version from upstream (#30537, @sayboras)
* gh: template: query whether the bug is a regression (#30842, @julianwiedmann)
* go.mod: Bump controller-tools fork version to v0.8.0-2 to allow XValidation kubebuilder markers (#30362, @rastislavs)
* Helm: additional info for mtu value (#30175, @darox)
* helm: Bump helm-toolbox version (#30148, @sayboras)
* helm: don't create remote-users ConfigMap when the clustermesh-apiserver is not enabled (#30008, @giorio94)
* helm: Permit selection of datasources in UI (#30161, @jcpunk)
* hive: Add post-start log message to record duration (#30521, @joamaki)
* hive: Fix the ineffectual SetEnvPrefix (#30489, @joamaki)
* hubble: Add an interface for Parser struct (#29876, @anubhabMajumdar)
* images: support release branches when updating envoy image (#30463, @mhofstetter)
* ingress/gatewayapi: move construction of translators into hive cells (#30606, @mhofstetter)
* ingress: Copy LB IPAM related annotation by default (#30487, @sayboras)
* ingress: pass enforcedHttps from config (cell) to reconciler (#30804, @mhofstetter)
* ingress: remove unused annotations (#30733, @mhofstetter)
* Introducing stylecheck linter to detect duplicate package imports in Go code (#30215, @nickolaev)
* ipam/crd: remove redundant len and nil check (#30183, @Juneezee)
* iptables: early skip proxy rules install if BPF tproxy enabled (#30347, @mhofstetter)
* job: avoid a race condition in TestTimer_ExitOnCloseFnCtx (#30929, @bimmlerd)
* k8s: Fix envoyConfig description on CNP/CCNP CRDs (#29507, @hmonsalv)
* k8s: Migrate policy watchers to Cell + Resource (#30322, @gandro)
* k8s: Update to final v1.29.0 (#29873, @christarazi)
* L7LB: Extract Envoy related logic and dependencies from ServiceManager (#30184, @mhofstetter)
* l7lb: log service ns and name when upserting endpoints (#30502, @mhofstetter)
* Loader modularization (#30280, @dylandreimerink)
* loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay (#31025, @julianwiedmann)
* loader: move Loader interface into separate package (#30876, @jibi)
* loader: refactor/cleanup replaceNetworkDatapath (#29825, @rgo3)
* loader: simplify template cache invalidation (#29449, @lmb)
* LRP: Use hive cell infra (#30923, @aditighag)
* MAINTAINERS: Add Yutaro (#29982, @pchaigno)
* make cilium/loader owner of pkg/elf (#29915, @lmb)
* Makefile: Move kind targets to dedicated Makefile.kind (#29920, @qmonnet)
* Makefile: Refactor hubble-relay target (#29867, @chancez)
* Modify gitignore to ignore direnv-related files (#30366, @learnitall)
* monitor/payload: remove bitrotted benchmark (#29728, @lmb)
* operator/identitygc: remove unused GC.allocationCfg (#30197, @tklauser)
* operator: Implement cache to be used for Cilium Identity management (#30649, @dlapcevic)
* optimize kind setup (#29758, @weizhoublue)
* Overall improvements in modularity (#30381, @aanm)
* pkg/ipcache: Updates IPListEntrySlice.Less() to Use netip Pkg (#30191, @danehans)
* pkg/service: Add backends as managed neighbor entry (#31003, @borkmann)
* Post release for 1.15.0 (#30560, @aanm)
* Prepare for v1.16 development cycle (#29802, @joestringer)
* proxy / envoy: Cleanup dependencies to XDSServer & Proxy (#29892, @mhofstetter)
* proxy: remove unused interface IPCacheManager (#30171, @mhofstetter)
* README: Update releases (#30389, @gentoo-root)
* README: Update releases (#30784, @michi-covalent)
* Refactor clustermesh global service cache to prepare for the endpoint slice clustermesh synchronization (#30883, @MrFreezeex)
* Refactor getEnvoyHTTPRouteConfiguration test (#30022, @youngnick)
* Refactor: remove config interface (#29506, @AwesomePatrol)
* release/bump-readme.sh: Don't overwrite latest -rc with older -pre tag (#30412, @qmonnet)
* Remove skip-cnp-status-startup-clean (#30508, @chaunceyjiang)
* Remove unused functions in pkg/comparator (#30075, @pippolo84)
* Remove unused kvstore methods to unclutter the backend interface (#30012, @giorio94)
* renovate: don't separate minor/patch updates of Go modules (#30195, @tklauser)
* renovate: match rhel8 lvh image updates (#30891, @tklauser)
* renovate: try to group dependency updates on single PR (#30874, @aanm)
* Replaced declare_tailcall_if with logic in the loader (#30467, @dylandreimerink)
* Require dead code elimination support (#30814, @dylandreimerink)
* require large instruction limit (#30896, @lmb)
* Restructure OpenShift installation instructions to point to Red Hat Ecosystem Catalog (#29300, @learnitall)
* Revert "renovate: don't separate minor/patch updates of Go modules" (#30210, @tklauser)
* Revert "workflow: yaml change - change "cosign attach" to "cosign attest"" (#30827, @aanm)
* statedb/reflector: Add Kubernetes to StateDB reflector (#30527, @joamaki)
* statedb: Reconciler utility (#30303, @joamaki)
* statedb: Add ServeHTTP and Iterate method (#30499, @joamaki)
* statedb: Derive, Observable and Map (#30246, @joamaki)
* stream: Add Buffer operator (#30444, @joamaki)
* Support extending hubble-relay as a downstream packager (#30357, @chancez)
* Unconditionally add NodeInternalIPs to the allowed IPs for WireGuard peers (#30975, @giorio94)
* Update AUTHORS (#29905, @joestringer)
* Update readme with v1.15.0-rc.1 (#30279, @aanm)
* Update XDP drivers support list in BPF docs (#30658, @janvi01)
* Updating Rancher Desktop Install instructions (#29911, @divya-mohan0209)
* Use Resource[T] to implement CiliumNode watcher (#29222, @pippolo84)
* USERS.md: Add Santa Claus to the list of users (#30083, @qmonnet)
* USERS.md: Add Sealos to the list of users (#30369, @yangchuansheng)
* users.md: sphere doesn't exist anymore, 👋 datadog (#29927, @mvisonneau)
* workflow: yaml change - change "cosign attach" to "cosign attest" (#30823, @umesh3034)
* xds: Move MockStream to stream_test.go (#30943, @sayboras)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.0-pre.0@sha256:77c3157afed1397e33bd0d60465d9236bdc53e18e45a3b880477540f322be0c8

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.0-pre.0@sha256:fd6360fe5ebd575187637857b3745fead00fe70ad6a470c7701a549a1ae7f194

docker-plugin

quay.io/cilium/docker-plugin:v1.16.0-pre.0@sha256:54a9bd7234015019c455b069637a370dc23eb9e7d4827127580eaabad2e88827

hubble-relay

quay.io/cilium/hubble-relay:v1.16.0-pre.0@sha256:a75580f561b6b554c0b153c82e70ea927b3e1c73ba534844d381b9dc426a54be

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.0-pre.0@sha256:660ec968ae61438766a6ef09e2c56b09f1e12b9b91c9b75c6a4638602e2bcd80

operator-aws

quay.io/cilium/operator-aws:v1.16.0-pre.0@sha256:17f47450e2b2aacd44852ee9ab798fc3fa822b50c271c6ec0d96302fdc657a7b

operator-azure

quay.io/cilium/operator-azure:v1.16.0-pre.0@sha256:b14c7f8d0816fc9a39088f3244e9ac0765f448fcd5296b22dcf1886f1aa13a22

operator-generic

quay.io/cilium/operator-generic:v1.16.0-pre.0@sha256:94d216972dfe0da98937de7dec75bc15df220d862ee50687ae91ffe8d49daddd

operator

quay.io/cilium/operator:v1.16.0-pre.0@sha256:d8a0c0f638f004b5413031c744ebd148804a037c9fdb73006e361ba9487b29ab


Details

date: March 4, 2024, 1:57 p.m.
name: 1.16.0-pre.0
type: Pre-release