Prepare for release v1.10.0-rc2

Signed-off-by: André Martins <[email protected]>

.github/cilium-actions.yml

@@ -1,4 +1,4 @@
-project: "https://github.com/cilium/cilium/projects/154"
+project: "https://github.com/cilium/cilium/projects/158"
 column: "In progress"
 auto-label:
   - "kind/backports"

AUTHORS

@@ -23,6 +23,7 @@ Andrzej Mamak                           [email protected]
 Anish Shah                              [email protected]
 Anit Gandhi                             [email protected]
 Ankur Kothiwal                          [email protected]
+anthr76                                 [email protected]
 Archana Shinde                          [email protected]
 Arika Chen                              [email protected]
 Arthur Chiao                            [email protected]
@@ -159,6 +160,7 @@ Lior Rozen                              [email protected]
 Liu Qun                                 [email protected]
 Livingstone S E                         [email protected]
 Li Yi                                   [email protected]
+Lorenzo Fundaró                         [email protected]
 Maciej Fijalkowski                      [email protected]
 Maciej Kwiek                            [email protected]
 Maciej Skrocki                          [email protected]

CHANGELOG.md

@@ -1,5 +1,96 @@
 # Changelog
 
+## v1.10.0-rc2
+
+Summary of Changes
+------------------
+
+**Major Changes:**
+* doc: New performance benchmarks and tuning guide (Backport PR #16049, Upstream PR #15943, @tgraf)
+
+**Minor Changes:**
+* daemon: Add wildcard support to --devices ("eth+") (Backport PR #15919, Upstream PR #15697, @joamaki)
+* doc: Add more generic install section for egress gateway guide (Backport PR #16150, Upstream PR #16087, @tgraf)
+* doc: Reword some results (Backport PR #16049, Upstream PR #15955, @tgraf)
+* doc: Update diagrams in benchmark report (Backport PR #16150, Upstream PR #16063, @tgraf)
+* Hubble logs for HTTP responses now include HTTP response headers. (Backport PR #16150, Upstream PR #16013, @jrajahalme)
+* images: Bump Hubble CLI to v0.8.0 (Backport PR #16049, Upstream PR #15983, @gandro)
+* install: Disable kube-proxy-replacement by default (Backport PR #16150, Upstream PR #15422, @tgraf)
+* node-neigh: Locking, logging, misc improvements (Backport PR #16049, Upstream PR #15783, @brb)
+* Store the previous Cilium's configuration options in the host (Backport PR #16103, Upstream PR #16017, @aanm)
+* wireguard: Set wireguard and route MTU to detected MTU (Backport PR #16103, Upstream PR #16020, @joamaki)
+
+**Bugfixes:**
+* cilium: Encryption EKS 4.14 kernel (default) fixes (Backport PR #16049, Upstream PR #15867, @jrfastab)
+* Drop a `@` in clustermesh-apiserver helm chart (Backport PR #16049, Upstream PR #15934, @anthr76)
+* eni: Fix Cilium overallocating network interfaces (Backport PR #16049, Upstream PR #15911, @gandro)
+* Envoy is updated to release 1.17.3 (Backport PR #16150, Upstream PR #16102, @jrajahalme)
+* Fix 5.10+ complexity issue with `kubeProxyReplacement=disabled` (Backport PR #16150, Upstream PR #16084, @pchaigno)
+* Fix aws-cni integration where pods were not being scheduled (Backport PR #16049, Upstream PR #15915, @aanm)
+* Fix bug where L7 ingress policies with IPsec dropped traffic in tunneling mode (Backport PR #16103, Upstream PR #16057, @christarazi)
+* ui envoy: fix config to keep grpc conn (Backport PR #16049, Upstream PR #15938, @geakstr)
+
+**CI Changes:**
+* ci-gke: Add -v=6 for `kubectl get pods` (Backport PR #16049, Upstream PR #15994, @michi-covalent)
+* ci/wireguard: Ensure allowedIPs are set as expected (Backport PR #16049, Upstream PR #16011, @gandro)
+* connectivity-check: Reduce chances of port conflict with proxy (Backport PR #16049, Upstream PR #15988, @pchaigno)
+* jenkinsfiles: fix race detector pipelines (Backport PR #16103, Upstream PR #16056, @nbusseneau)
+* node-neigh: Fix unit test flake (Backport PR #16150, Upstream PR #16072, @brb)
+* test/runtime: Wait for endpoints to be ready before querying by labels (Backport PR #16049, Upstream PR #15990, @pchaigno)
+* test: 5.4 CI job (Backport PR #16049, Upstream PR #15765, @pchaigno)
+* test: Extend the clusterIP tests with policy (Backport PR #16049, Upstream PR #15928, @aditighag)
+* test: Fix flake in ValidateEndpointsAreCorrect (Backport PR #16103, Upstream PR #16068, @pchaigno)
+* test: Fix fragment tracking test on GKE (Backport PR #16049, Upstream PR #15959, @pchaigno)
+* test: Fix the search for VIPs in `cilium service list` (Backport PR #16049, Upstream PR #15968, @pchaigno)
+* test: Run WG with per-endpoint routes (Backport PR #16049, Upstream PR #15906, @brb)
+* test: set kubeProxyReplacement=probe for upstream k8s tests (Backport PR #16150, Upstream PR #16162, @aanm)
+* wireguard: Fix timeout in unit test (Backport PR #16049, Upstream PR #16001, @gandro)
+
+**Misc Changes:**
+* Add arm64 support for the connectivity test (Backport PR #15919, Upstream PR #15894, @aanm)
+* build(deps): bump docker/login-action from f3364599c6aa293cdc2b8391b1b56d0c30e45c8a to 1.9.0 (#15918, @dependabot[bot])
+* build(deps): bump docker/setup-buildx-action from 012185ccbeb554a7f5f987bea0f1a73519b3cdf5 to 1.3.0 (#15941, @dependabot[bot])
+* build(deps): bump KyleMayes/install-llvm-action from 1.2.2 to 1.3.0 (#16090, @dependabot[bot])
+* bwm: queue mapping & cong fixes (Backport PR #16049, Upstream PR #15964, @borkmann)
+* CODEOWNERS: add maintainers to be codeowners of .github (#15925, @aanm)
+* contrib: Ensure release tag is upstream before push (Backport PR #15919, Upstream PR #15903, @joestringer)
+* contrib: Fix scripts for v1.10 (Backport PR #15919, Upstream PR #15898, @joestringer)
+* doc/encryption: improve consistency between ipsec and wireguard guides (Backport PR #16049, Upstream PR #15965, @rolinh)
+* doc: update Hubble/Hubble Relay guides for recent CLI changes (Backport PR #16049, Upstream PR #15981, @rolinh)
+* Dockerfile: use alpine 3.12 (Backport PR #16049, Upstream PR #15950, @aanm)
+* docs/ipsec: misc improvements (Backport PR #16103, Upstream PR #15978, @kaworu)
+* docs: add 'endpointRoutes.enabled=true' to aws-cni (Backport PR #16103, Upstream PR #16045, @bmcustodio)
+* docs: add ids to the list of special identities (Backport PR #16150, Upstream PR #16123, @bmcustodio)
+* docs: Add note about DNS-related policies on OpenShift (Backport PR #16150, Upstream PR #16083, @twpayne)
+* docs: clustermesh: fix output of "cilium clustermesh status" command (Backport PR #16049, Upstream PR #15982, @jibi)
+* docs: Fix egress gateway getting started guide (Backport PR #16049, Upstream PR #15984, @gandro)
+* docs: gsg/operations - use parsed-literal for all blocks referring SCM_WEB (Backport PR #16049, Upstream PR #15963, @ti-mo)
+* docs: improve and fix minor issues (Backport PR #16103, Upstream PR #15975, @qmonnet)
+* docs: improve the aws-cni chaining page (Backport PR #16103, Upstream PR #15979, @bmcustodio)
+* docs: minor improvements to tuning guide (Backport PR #16049, Upstream PR #16024, @borkmann)
+* docs: remove misplaced sentence from Quick Installation guide (Backport PR #16049, Upstream PR #15971, @lfundaro)
+* docs: Some Wireguard improvements (Backport PR #16049, Upstream PR #16023, @brb)
+* docs: tell how to deploy demo app in Hubble CLI guide (Backport PR #16049, Upstream PR #15973, @lfundaro)
+* docs: update OpenShift getting started guide (Backport PR #16103, Upstream PR #16006, @twpayne)
+* docs: Update SIG-Datapath meeting time. (Backport PR #16103, Upstream PR #16027, @joestringer)
+* ebpf: delete existing pinned map if incompatible with the spec (Backport PR #16049, Upstream PR #15832, @jibi)
+* Encryption docs update (Backport PR #16049, Upstream PR #14940, @aditighag)
+* Fix encryption getting started guides for v1.10 (Backport PR #16049, Upstream PR #15961, @jibi)
+* Follow ups for host firewall support of endpoint routes (Backport PR #16103, Upstream PR #15942, @pchaigno)
+* issue_14922: Fixed the 429 response code handling (Backport PR #15919, Upstream PR #15760, @Maddy007-maha)
+* Minor fixes for OKD GSG (Backport PR #16049, Upstream PR #16000, @errordeveloper)
+* node-neigh: Avoid flooding the same next hop (Backport PR #16049, Upstream PR #15882, @brb)
+* Update base images with most recent SHAs (Backport PR #15919, Upstream PR #15895, @aanm)
+* Update CI infrastructure for v1.10 release (Backport PR #15919, Upstream PR #15947, @christarazi)
+* Update weekly community meeting timeslot (Backport PR #16049, Upstream PR #15985, @joestringer)
+* v1.10: Update Go to 1.16.4 (#16061, @tklauser)
+* vendor: bump github.com/vishvananda/netlink to latest master (Backport PR #16103, Upstream PR #16070, @tklauser)
+* vendor: update wireguard library (Backport PR #16103, Upstream PR #16066, @aanm)
+
+**Other Changes:**
+* install: Update image digests for v1.10.0-rc1 (#15904, @joestringer)
+* workflows: fix image workflows for v1.10 (#16009, @nbusseneau)
+
 ## v1.10.0-rc1
 
 **Note**: The summary of changes below reflect the diff between the last

VERSION

@@ -1 +1 @@
-1.10.0-rc1
+1.10.0-rc2

install/kubernetes/Makefile.digests

@@ -2,12 +2,12 @@
 # Copyright 2021 Authors of Cilium
 # SPDX-License-Identifier: Apache-2.0
 
-CILIUM_DIGEST := "sha256:bdec5db5b9651c208a326f8d3b1d6a1caf5d943989ea2fdb68b24802dd17b134"
-CLUSTERMESH_APISERVER_DIGEST := "sha256:1a9b2488b13b43d6917b674dc17d86586fc3c8b37d787dbfe0c587275b22a12b"
-DOCKER_PLUGIN_DIGEST := "sha256:9ae94306f4b843312468d0d52e100017b28da6b6151000f1d596484800679040"
-HUBBLE_RELAY_DIGEST := "sha256:9e1120dd272bf5ebce5f7b2002ac7ae9a2854d9b7a799e0548312432c9c28b8d"
-OPERATOR_ALIBABACLOUD_DIGEST := "sha256:c31d79a2b8f5225632199a81c829270cb33f1f2e752fea30c8846d3a44dd07d7"
-OPERATOR_AWS_DIGEST := "sha256:301195fe8e5587353632f61e2ad53a037ae35816cf2c119406021883ebfcccbd"
-OPERATOR_AZURE_DIGEST := "sha256:2cd08484744f49ca86d3dd367ef4b63c3b9dfcd26a96072479f599e0f2a51d6b"
-OPERATOR_GENERIC_DIGEST := "sha256:3b46c6fc9dc085d395136ca9cf8af1d0f653184c797e0ad7038e103abfbffacd"
-OPERATOR_DIGEST := "sha256:79935c3b3124e93c74c74879c6231c9cba3a027336337596b1f32a7d8d2febe6"
+CILIUM_DIGEST := ""
+CLUSTERMESH_APISERVER_DIGEST := ""
+DOCKER_PLUGIN_DIGEST := ""
+HUBBLE_RELAY_DIGEST := ""
+OPERATOR_ALIBABACLOUD_DIGEST := ""
+OPERATOR_AWS_DIGEST := ""
+OPERATOR_AZURE_DIGEST := ""
+OPERATOR_GENERIC_DIGEST := ""
+OPERATOR_DIGEST := ""

install/kubernetes/cilium/Chart.yaml

@@ -2,10 +2,10 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.10.0-rc1
-appVersion: 1.10.0-rc1
+version: 1.10.0-rc2
+appVersion: 1.10.0-rc2
 kubeVersion: ">= 1.16.0-0"
-icon: https://cdn.jsdelivr.net/gh/cilium/[email protected]rc1/Documentation/images/logo-solo.svg
+icon: https://cdn.jsdelivr.net/gh/cilium/[email protected]rc2/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
 keywords:
   - BPF

install/kubernetes/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.10.0-rc1](https://img.shields.io/badge/Version-1.10.0--rc1-informational?style=flat-square) ![AppVersion: 1.10.0-rc1](https://img.shields.io/badge/AppVersion-1.10.0--rc1-informational?style=flat-square)
+![Version: 1.10.0-rc2](https://img.shields.io/badge/Version-1.10.0--rc2-informational?style=flat-square) ![AppVersion: 1.10.0-rc2](https://img.shields.io/badge/AppVersion-1.10.0--rc2-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -78,7 +78,7 @@ contributors across the globe, there is almost always someone available to help.
 | cluster.id | int | `nil` | Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh. |
 | cluster.name | string | `"default"` | Name of the cluster. Only required for Cluster Mesh. |
 | clustermesh.apiserver.etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.4.13"}` | Clustermesh API server etcd image. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:1a9b2488b13b43d6917b674dc17d86586fc3c8b37d787dbfe0c587275b22a12b","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.10.0-rc1","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.10.0-rc2","useDigest":false}` | Clustermesh API server image. |
 | clustermesh.apiserver.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.podLabels | object | `{}` | Labels to be added to clustermesh-apiserver pods |
@@ -189,7 +189,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.metricsServer | string | `""` |  |
 | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
 | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) |
-| hubble.relay.image | object | `{"digest":"sha256:9e1120dd272bf5ebce5f7b2002ac7ae9a2854d9b7a799e0548312432c9c28b8d","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.10.0-rc1","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.10.0-rc2","useDigest":false}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -217,10 +217,10 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.tls.ca.key | string | `""` | The CA private key (optional). If it is provided, then it will be used by hubble.tls.auto.method=cronJob to generate all other certificates. Otherwise, a ephemeral CA is generated if hubble.tls.auto.enabled=true. |
 | hubble.tls.enabled | bool | `true` | Enable mutual TLS for listenAddress. Setting this value to false is highly discouraged as the Hubble API provides access to potentially sensitive network flow metadata and is exposed on the host network. |
 | hubble.tls.server | object | `{"cert":"","key":""}` | base64 encoded PEM values for the Hubble server certificate and private key |
-| hubble.ui.backend.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.7.7@sha256:11d06121c86549c0c8684571ffed4ff3d4c4417f551728f4fad6d05525c47e9d"}` | Hubble-ui backend image. |
+| hubble.ui.backend.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.7.9@sha256:632c938ef6ff30e3a080c59b734afb1fb7493689275443faa1435f7141aabe76"}` | Hubble-ui backend image. |
 | hubble.ui.backend.resources | object | `{}` |  |
 | hubble.ui.enabled | bool | `false` |  |
-| hubble.ui.frontend.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.7.7@sha256:f20b6b3074a431ecd2730cf19afad2562664cf98baecf32b4cbe2a09f04ad8fa"}` | Hubble-ui frontend image. |
+| hubble.ui.frontend.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.7.9@sha256:e0e461c680ccd083ac24fe4f9e19e675422485f04d8720635ec41f2ba9e5562c"}` | Hubble-ui frontend image. |
 | hubble.ui.frontend.resources | object | `{}` |  |
 | hubble.ui.ingress | object | `{"annotations":{},"enabled":false,"hosts":["chart-example.local"],"tls":[]}` | hubble-ui ingress configuration. |
 | hubble.ui.nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -234,7 +234,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` |  |
-| image | object | `{"digest":"sha256:bdec5db5b9651c208a326f8d3b1d6a1caf5d943989ea2fdb68b24802dd17b134","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.10.0-rc1","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.10.0-rc2","useDigest":false}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | installIptablesRules | bool | `true` |  |
 | installNoConntrackIptablesRules | bool | `false` | Install Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup. |
@@ -288,7 +288,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraInitContainers | list | `[]` | Additional InitContainers to initialize the pod |
 | operator.identityGCInterval | string | `"15m0s"` |  |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` |  |
-| operator.image | object | `{"alibabacloudDigest":"sha256:c31d79a2b8f5225632199a81c829270cb33f1f2e752fea30c8846d3a44dd07d7","awsDigest":"sha256:301195fe8e5587353632f61e2ad53a037ae35816cf2c119406021883ebfcccbd","azureDigest":"sha256:2cd08484744f49ca86d3dd367ef4b63c3b9dfcd26a96072479f599e0f2a51d6b","genericDigest":"sha256:3b46c6fc9dc085d395136ca9cf8af1d0f653184c797e0ad7038e103abfbffacd","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.10.0-rc1","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.10.0-rc2","useDigest":false}` | cilium-operator image. |
 | operator.nodeSelector | object | `{}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
 | operator.podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":1}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -313,7 +313,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | object | `{}` |  |
 | preflight.extraHostPathMounts | list | `[]` |  |
 | preflight.extraInitContainers | list | `[]` |  |
-| preflight.image | object | `{"digest":"sha256:bdec5db5b9651c208a326f8d3b1d6a1caf5d943989ea2fdb68b24802dd17b134","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.10.0-rc1","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"","pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.10.0-rc2","useDigest":false}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget | object | `{"enabled":true,"maxUnavailable":2}` | PodDisruptionBudget settings ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |