Bump github.com/cilium/cilium from 1.16.4 to 1.16.5

[dependabot]

Bumps github.com/cilium/cilium from 1.16.4 to 1.16.5.

Release notes

Sourced from github.com/cilium/cilium's releases.

1.16.5

Summary of Changes

Minor Changes:

• hubble: Stop building 32-bit binaries (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35974, @​michi-covalent)

Bugfixes:

• Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (Backport PR cilium/cilium#36540, Upstream PR cilium/cilium#36484, @​julianwiedmann)
• bgp: fix race in bgp stores (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35971, @​harsimran-pabla)
• BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36230, @​rastislavs)
• BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36165, @​rastislavs)
• Cilium agent now waits until endpoints have restored before starting accepting new xDS streams. (Backport PR cilium/cilium#36049, Upstream PR cilium/cilium#35984, @​jrajahalme)
• Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#36252, @​bimmlerd)
• cilium-health-ep controller is made to be more robust against successive failures. (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35936, @​jrajahalme)
• DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (Backport PR cilium/cilium#36468, Upstream PR cilium/cilium#36142, @​jrajahalme)
• Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (Backport PR cilium/cilium#36049, Upstream PR cilium/cilium#36060, @​jrajahalme)
• Fix an issue where pod-to-world traffic goes up stack when BPF host routing is enabled with tunnel. (Backport PR cilium/cilium#35861, Upstream PR cilium/cilium#35098, @​jschwinger233)
• Fix identity leak for kvstore identity mode (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#34893, @​odinuge)
• Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (Backport PR cilium/cilium#36302, Upstream PR cilium/cilium#36292, @​giorio94)
• gateway-api: Fix gateway checks for namespace (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#35452, @​sayboras)
• gha: Remove hostLegacyRouting in clustermesh (Backport PR cilium/cilium#36357, Upstream PR cilium/cilium#35418, @​sayboras)
• helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#36005, @​devodev)
• hubble: consistently use v as prefix for the Hubble version (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#35891, @​rolinh)
• iptables: Fix data race in iptables manager (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35902, @​pippolo84)
• lrp: update LRP services with stale backends on agent restart (Backport PR cilium/cilium#36106, Upstream PR cilium/cilium#36036, @​ysksuzuki)
• cilium/cilium#36050@​nathanjsweet)
• Unbreak the cilium-dbg preflight migrate-identity command (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36089, @​giorio94)
• Use strconv.Itoa instead of string() for the correct behavior when converting kafka.ErrorCode from int32 to string. Add relevant unit tests for Kafka plugin and handler. (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35856, @​nddq)

CI Changes:

• cilium/cilium#35958@​ferozsalam)
• gh: conformance-clustermesh: test with IPsec + BPF NodePort (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#36384, @​julianwiedmann)
• gha: configure environment in build-images-base/image-digests job (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#36318, @​giorio94)
• node_local_store: prevent racey tests while using mock node store. (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35945, @​tommyp1ckles)
• Remove unnecessary hubble port-forward commands (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#33523, @​michi-covalent)

Misc Changes:

• cilium/cilium#36333@​viktor-kurchenko)
• cilium/cilium#36092@​ferozsalam)
• bugtool: dump tail-call map for bpf_wireguard (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36183, @​julianwiedmann)
• cilium/cilium#36155@​cilium-renovate[bot])
• cilium/cilium#36275@​cilium-renovate[bot])
• cilium/cilium#36443@​cilium-renovate[bot])
• cilium/cilium#36277@​cilium-renovate[bot])
• cilium/cilium#35546@​cilium-renovate[bot])
• cilium/cilium#36152@​cilium-renovate[bot])
• cilium/cilium#36279@​cilium-renovate[bot])
• cilium/cilium#36444@​cilium-renovate[bot])
• cilium/cilium#36153@​cilium-renovate[bot])

... (truncated)

Changelog

Sourced from github.com/cilium/cilium's changelog.

v1.16.5

Summary of Changes

Minor Changes:

• hubble: Stop building 32-bit binaries (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35974, @​michi-covalent)

Bugfixes:

• Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (Backport PR cilium/cilium#36540, Upstream PR cilium/cilium#36484, @​julianwiedmann)
• bgp: fix race in bgp stores (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35971, @​harsimran-pabla)
• BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36230, @​rastislavs)
• BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36165, @​rastislavs)
• Cilium agent now waits until endpoints have restored before starting accepting new xDS streams. (Backport PR cilium/cilium#36049, Upstream PR cilium/cilium#35984, @​jrajahalme)
• Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#36252, @​bimmlerd)
• cilium-health-ep controller is made to be more robust against successive failures. (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35936, @​jrajahalme)
• DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (Backport PR cilium/cilium#36468, Upstream PR cilium/cilium#36142, @​jrajahalme)
• Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (Backport PR cilium/cilium#36049, Upstream PR cilium/cilium#36060, @​jrajahalme)
• Fix an issue where pod-to-world traffic goes up stack when BPF host routing is enabled with tunnel. (Backport PR cilium/cilium#35861, Upstream PR cilium/cilium#35098, @​jschwinger233)
• Fix identity leak for kvstore identity mode (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#34893, @​odinuge)
• Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (Backport PR cilium/cilium#36302, Upstream PR cilium/cilium#36292, @​giorio94)
• gateway-api: Fix gateway checks for namespace (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#35452, @​sayboras)
• gha: Remove hostLegacyRouting in clustermesh (Backport PR cilium/cilium#36357, Upstream PR cilium/cilium#35418, @​sayboras)
• helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#36005, @​devodev)
• hubble: consistently use v as prefix for the Hubble version (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#35891, @​rolinh)
• iptables: Fix data race in iptables manager (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35902, @​pippolo84)
• lrp: update LRP services with stale backends on agent restart (Backport PR cilium/cilium#36106, Upstream PR cilium/cilium#36036, @​ysksuzuki)
• cilium/cilium#36050@​nathanjsweet)
• Unbreak the cilium-dbg preflight migrate-identity command (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36089, @​giorio94)
• Use strconv.Itoa instead of string() for the correct behavior when converting kafka.ErrorCode from int32 to string. Add relevant unit tests for Kafka plugin and handler. (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35856, @​nddq)

CI Changes:

• cilium/cilium#35958@​ferozsalam)
• gh: conformance-clustermesh: test with IPsec + BPF NodePort (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#36384, @​julianwiedmann)
• gha: configure environment in build-images-base/image-digests job (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#36318, @​giorio94)
• node_local_store: prevent racey tests while using mock node store. (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35945, @​tommyp1ckles)
• Remove unnecessary hubble port-forward commands (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#33523, @​michi-covalent)

Misc Changes:

• cilium/cilium#36333@​viktor-kurchenko)
• cilium/cilium#36092@​ferozsalam)
• bugtool: dump tail-call map for bpf_wireguard (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36183, @​julianwiedmann)
• cilium/cilium#36155@​cilium-renovate[bot])
• cilium/cilium#36275@​cilium-renovate[bot])
• cilium/cilium#36443@​cilium-renovate[bot])
• cilium/cilium#36277@​cilium-renovate[bot])
• cilium/cilium#35546@​cilium-renovate[bot])
• cilium/cilium#36152@​cilium-renovate[bot])
• cilium/cilium#36279@​cilium-renovate[bot])
• cilium/cilium#36444@​cilium-renovate[bot])

... (truncated)

Commits

• ad68827 Prepare for release v1.16.5
• 0e50b72 policy/api: Disallow Port Ranges for All L7 Rules
• a156169 gh: Revert upgrade semantics in ci-ipsec-upgrade workflow
• b322ed7 chore(deps): update dependency cilium/cilium-cli to v0.16.22
• 5c3ce65 bpf: nodeport: use skb->mark for L7 LB redirect
• 0874bb4 bpf: ipsec: use skb->mark for encryption metadata
• 2ec58db bpf: lxc: use skb->mark for proxy redirect
• bd73c2d bpf: host: support ctx->mark for metadata transfer
• e8a3e3b fix(deps): update module golang.org/x/crypto to v0.31.0 [security]
• c7d12c0 cilium, service: Fix checkLBSrcRange propagation to LB map
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)