Summary of Changes

Major Changes:

• Add L2 announcement IPv6 support (#39648, @msune)
• Add support for VRRP and IGMP protocols in host firewall. (#39872, @aditighag)
• Support IPv6 underlay on dual-stack clusters (#40324, @pchaigno)

Minor Changes:

• Add a new config field to enable remote node masquerading in BPF routing mode. This can help to establish the pods-remote nodes communication in a BPF-masquerade enabled cluster when pod and node network are in different subnets (#37568, @behzad-mir)
• Add option for daemon kube-apiserver access to bypass host firewall (#40346, @atykhyy)
• Add securityContext & disable hostNetwork in clustermesh-apiserver cronjob helm template (#39368, @giorio94)
• Add support for Multi-Pool IPAM mode with ipsec encryption and direct routing. (#40460, @pippolo84)
• Added initial scaffolding for a standalone DNS proxy component in Cilium. This includes a new module to manage the proxy lifecycle, configuration updates, and basic test coverage. The proxy functionality is currently a placeholder and will be expanded in future releases. (#39906, @vipul-21)
• Automatically skip creating maps that are unused by Cilium's current configuration (#40416, @ti-mo)
• Avoid VXLAN/Geneve connections filling up conntrack when tunneling is enabled (#38782, @BenoitKnecht)
• bpf: Init (ipv6_frag_hdr) frag struct (#41263, @brb)
• build: Add flag to control goexperiments and add configuration to use fipsonly package when the boringcrypto goexperiment is used (#38807, @HadrienPatte)
• Cilium EndpointSlices: improve metrics from the Operator CES controller (#40418, @antonipp)
• cilium: dsr ipip dispatch with tcx (#41269, @borkmann)
• clustermesh: add prometheus metrics about local ServiceExport and ServiceImport (#40736, @MrFreezeex)
• clustermesh: helm: add support for dict type for clustermesh.config.clusters values (#40857, @MrFreezeex)
• clustermesh: helm: move MCS-API helm config and add a job to autoconfigure CoreDNS for MCS-API for CoreDNS v1.12.2+ (#40506, @MrFreezeex)
• Deprecate v2alpha1 version of CiliumLoadBalancerIPPool CRD in favor of the v2 version (#39134, @pippolo84)
• Disables the configuration resolver InitContainer when CiliumNodeConfig is not a configuration source. (#40556, @atykhyy)
• Enhance Cilium helm chart with dedicated pod restart selector field (#41146, @thetillhoff)
• envoy: Bump envoy proxy to 1.35.0 (#40569, @sayboras)
• feat(agent): Add route-based node IP discovery (#40095, @tsotne95)
• feat: setting policy map pressure metrics threshold (#40188, @pasteley)
• Fix operator k8s workqueue metrics to use correct prefix of cilium_operator_workqueue_ (#40884, @tommyp1ckles)
• Fixes the Operator's configuration to be compatible with Azure workload identity. (#40269, @atykhyy)
• gateway-api: Replace Endpoint with EndpointSlice (#41083, @sayboras)
• helm: use sane defaults in combination with eni.enabled=true (#40445, @f1ko)
• hubble: remove deprecated experimental fieldmask (#40245, @kaworu)
• Introduce wildcard service entries to ensure traffic towards a LoadBalancer and ClusterIPs with an unknown protocol/port combination is dropped by the data path, rather than being forwarded back to the network. (#40684, @ajmmm @mikn)
• k8s: Update tests and libraries to v1.34.0-rc.1 (#41068, @sayboras)
• kpr: Remove some deprecated flags (#41238, @brb)
• KVStoreMesh: add support for leader election, to allow running multiple replicas when Cilium operates in kvstore identity allocation mode. (#39848, @balous)
• metrics: cilium_k8s_client_rate_limiter_duration_seconds no longer has labels path and method (#41247, @marseel)
• NodePort functionality is now enabled when --kube-proxy-replacement is enabled. The --enable-nodeport flag has been removed. (#41380, @brb)
• operator: added --aws-pagination-enabled flag for enabling/disabling AWS API pagination (#39543, @antonipp)
• policy: clustermesh: policy-default-local-cluster is now set by default. See the upgrade guide for guidance on how to prepare your migration if you are using ClusterMesh and have network policies (#40609, @MrFreezeex)
• proxy: Add deprecated warning for Kafka (#40967, @sayboras)
• refactor: removed previously deprecated -bpf-lb-proto-diff option. (#40505, @Surya-7890)
• Remove EnableExternalIP and EnableHostPort (#41277, @brb)
• Support IPPrefix unassignment in order to reuse those IPPrefixes and prevent IP starvation. This would require cilium-operator's AWS IAM role update to add "ec2:DescribeRouteTables" permissions. (#39300, @hsalluri259)
• Supports device exclusion in --devices flag (#40152, @liuyuan10)
• Switch Operator to use *metrics.Registry infra. (#39341, @tommyp1ckles)
• treewide: Remove pcap recorder (#41237, @gandro)

Bugfixes:

• Add missing safeguards to topology-aware routing: use all backends when no suitable one matching the zone hints are found or a backend exists without a zone hint. (#41024, @joamaki)
• Add option to configure BGP origin attribute for LoadBalancer IPs in BGP Control Plane v2, allowing smoother migration from MetalLB integration. (#41231, @hanapedia)
• bpf/bpf_host: host-fw: still attempt nodeport rev-snat on icmpv6. (#40405, @tommyp1ckles)
• bpf: fib: Fix issue where neighbor entries remain stale forever in some cases. (#37725, @jrife)
• Disable unnecessary headless service watching to reduce API server load in clusters not using the Gateway API or Ingress features. (#40844, @moscicky)
• Do not fail on CNI del if namespace no longer exists (#40843, @aojea)
• Fix a regression where enabling unknown Hubble metrics would crash the cilium agent (#41368, @devodev)
• Fix bug that would cause error messages when disabling agent health checks (#41297, @HadrienPatte)
• Fix the bug local redirect policy not doing filter based destination port (#41411, @liyihuang)
• Fixes a cosmetic bug where the cilium_bpf_map_ops_total error count was incorrectly being incremented for map cilium_lb_affinity_match. (#41378, @squeed)
• fqdn: fix persisted endpoint state synchronization for FQDN operations (#40119, @fristonio)
• gamma: support group "core" in GAMMA service parent ref check (#41268, @mhofstetter)
• Helm: Correct seccompProfile for cilium-agent pods (#40476, @jcpunk)
• ip-masq-agent: Ensure ip rules on the host match the BPF ip-masq-agent configuration in AWS ENI mode. Note that rules are set up once at pod creation and will not be regenerated if the ip-masq-agent configuration changes. (#40141, @antonipp)
• ipmasq: fix race causing potential concurrent map read/write. (#40856, @tommyp1ckles)
• Kubernetes endpoints that are terminating are retained in the backends BPF state regardless of the "serving" condition to avoid connection disruptions when a pod no longer signals readiness to process new connections. (#40969, @joamaki)
• lxcmap: rollback previous updates on failure in WriteEndpoint (#40677, @suchit07-git)
• multicast: fix nil assignment to node configuration cell.Out map (#40859, @ldelossa)
• policy: Fix a bug where transient errors in endpoint regeneration lead to broken connectivity. (#40255, @jrife)

CI Changes:

• .github/actions: fix boolean condition check in post-logic action (#41395, @aanm)
• .github/workflows: separate feature json files in different dirs (#41403, @aanm)
• .github/workflows: simplify ginkgo workflow (#41396, @aanm)
• .github/workflows: skip IPv6DualStack test (#41145, @aanm)
• .github: Run CES migration tests concurrently (#41162, @joestringer)
• Add caches to unit tests (#40388, @aanm)
• Add linter for metrics parameter matching (#40863, @joestringer)
• Add missing fuzzers from cncf-fuzzing project (#41336, @joestringer)
• Add retry logic to cosign commands (#41152, @aanm)
• Add reusable test config workflow (#40935, @joestringer)
• AKS cluster creation action (#41320, @Artyop)
• Allow Egress Gateway connectivity tests to run concurrently (#40980, @tommyp1ckles)
• ariane: allow for whitespaces after /test command (#41309, @marseel)
• bpf/complexity-tests: Improse coverage w.r.t. BPF TPROXY and BPF Host Routing (#41248, @pchaigno)
• bpf/tests: add coverage for bpf icmp nodeport snat tests. (#41142, @tommyp1ckles)
• bpf/tests: remove v6_ext_node_two_addr in pktgen.h (#40963, @msune)
• bpf: fix: Simplify and fix test structure validation logic (#41139, @jrife)
• bpf: scapy support (dev. experience) (#40294, @msune)
• ci-aks: Enable KPR and BPF masquerading (#40349, @aditighag)
• ci: Allow for running scale test for up to 1k nodes (#40227, @marseel)
• ci: fix performance testing for tunnel-ipsec (#40323, @marseel)
• ci: Gateway API conformance test logic moved to reusable Make target for better maintainability. (#41038, @pillai-ashwin)
• ci: Increase timeout for golangci-lint (#40432, @pippolo84)
• ci: reduce gke failures (#41018, @brlbil)
• ci: reuse common-post-jobs for scalability jobs (#40535, @marseel)
• ci: Temporarily disable go caches for privileged unit tests (#41004, @rastislavs)
• ci: Temporarily prevent populating go caches for privileged unit tests (#41069, @rastislavs)
• ci: update scale-tests-actions to show summary with results (#40290, @marseel)
• ci: Use newer lvh image for privileged tests (#41082, @rastislavs)
• cli: switch coredns image to registry.k8s.io, and fix renovate (#40706, @giorio94)
• contrib/cocci: add hexdump() and hexdump.h include coccinelle rules (#40930, @msune)
• Convert policy unit tests to use incremental path (#39973, @fristonio)
• Fix multiple workflows with missing features and steps (#41398, @aanm)
• Fixed an issue where privileged tests failed locally (#40150, @AritraDey-Dev)
• gh: e2e-upgrade: skip even more steps when not downgrading (#41468, @julianwiedmann)
• gha: configure read actions permissions for scalability jobs (#41032, @giorio94)
• gha: fix operator tolerations in GKE-based workflows (#40507, @giorio94)
• github: netpol-e2e: re-raise FD count to 5000 (#41149, @bimmlerd)
• GKE cluster creation action (#41090, @Artyop)
• gke: Run tests concurrently (#41191, @joestringer)
• golangci-lint: use gopacket/gopacket instead of google/gopacket (#40321, @tklauser)
• Improved capabilities of verifier complexity tests (#40367, @dylandreimerink)
• ipsec: Extend Go tests to cover IPv6 (#39978, @pchaigno)
• Make fuzzing infrastructure more reliable (#41288, @joestringer)
• make verifier complexity tests on RHEL 8.6 run with mcpu=v3 (#40390, @dylandreimerink)
• pkg/metrics: define default CIDR policies values (#41422, @aanm)
• renovate: hubble related cleanup (#38122, @kaworu)
• Streamline ci-multi-pool workflow (#40658, @pippolo84)
• tests: fix ignored unparallel tests (#41385, @smagnani96)
• Use fake external target in LVH-based workflows. (#40640, @gentoo-root)
• workflows/integration-test: fix Go cache architecture-specific restoration (#41173, @aanm)
• workflows: Cover IPv6 underlay with encryption for dual-stack clusters (#40411, @pchaigno)

Misc Changes:

• .github/release: Filter out CLI-only release notes (#40550, @joestringer)
• .github/workflows: add step 5 as part of the image build process (#41113, @aanm)
• .github/workflows: remove threshold 50m to show all files (#40372, @aanm)
• .github: add helm in release workflow (#41189, @aanm)
• .github: Notify teams as part of filing a CFP (#39298, @joestringer)
• .github: renovate add missing configuration for cilium-cli (#40947, @aanm)
• @b3a-dev is no longer an active committer (#40508, @b3a-dev)
• Add Beatriz Martínez to emeritus (#40509, @xmulligan)
• Add documentation and examples for using the egressDeny field in CiliumNetworkPolicy (#40272, @syedazeez337)
• Add Kubernetes ServiceAccount to CiliumEndpoint and CiliumEndpointSlice structures (#41276, @ldelossa)
• Add more comprehensive icmp6 snat testing (#40610, @tommyp1ckles)
• allocator: remove unused Allocator.suffix field (#40483, @tklauser)
• bgp,script: Identify gobgp server with name (#40145, @YutaroHayakawa)
• bgp: Refactor route policy reconciler (#40319, @YutaroHayakawa)
• bgp: Reset peers properly upon policy update with empty MatchNeighbors (#40339, @YutaroHayakawa)
• bgpv2: Refactor service route policy rendering logic (#40123, @rastislavs)
• bpf/fib: Remove unecessary maybe_unused (#41301, @pchaigno)
• bpf/tests/scapy: add v6 addrs and fix existing (#40990, @msune)
• bpf/tests/scapy: improve README.md guide (#41086, @msune)
• bpf/tests/scapy: show pkt diffs on assertion failures and improve outputs (#41124, @msune)
• bpf/tests: port L2 IPv6 announce to scapy and some cleanups (#41071, @msune)
• bpf/tests: remove unused method mock_ctx_redirect_peer (#40588, @Andreagit97)
• bpf: Add check for null state in snat_v6_nat (#40991, @rastislavs)
• bpf: built-in support for up to 128 bytes (#41017, @msune)
• bpf: encrypt: unify overlay handling (#39660, @julianwiedmann)
• bpf: fix invalid escape sequence '(' warning (#40964, @msune)
• bpf: gitignore CLANG tmp files (*.o.tmp) (#40694, @msune)
• bpf: lxc: don't special-case the RevDNAT path for IPsec configs (#41487, @julianwiedmann)
• bpf: minor svc wildcard followups/fixes (#41470, @borkmann)
• bpf: Skip E/W translation for proxy delegation (#40573, @borkmann)
• bpf: wireguard: re-add IPv6 fragment check in from-wireguard (#41451, @julianwiedmann)
• build: Don't include bpf test files in cilium image (#40634, @HadrienPatte)
• build: Enforce docker build checks (#40528, @HadrienPatte)
• build: Only copy bpftool binary from bpftool image (#40469, @HadrienPatte)
• build: Update compilers and tester base images (#40422, @HadrienPatte)
• cec: introduce annotation to control use-original-source-address (#40707, @mhofstetter)
• cec: introduce annotation to override IsL7LB detection during CEC parsing (#40570, @mhofstetter)
• ces: refactor and clean up (#40789, @jshr-w)
• checkpatch: Update image digest (#41360, @HadrienPatte)
• chore(deps): update actions/download-artifact action to v5 (main) (#41052, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#40503, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#40600, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#40896, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#41053, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#41348, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#41436, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (#40594, @cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#40261, @cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#40362, @cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#40595, @cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#40672, @cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#40889, @cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#41048, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#40366, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#40465, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#40596, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#40739, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#40893, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#41046, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#41340, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#41358, @cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#41433, @cilium-renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.18.5 (main) (#40333, @cilium-renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.18.6 (main) (#40890, @cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.25 (main) (#40380, @cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.26 (main) (#40495, @cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.4 docker digest to 20a022e (main) (#40379, @cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.5 docker digest to ef5b4be (main) (#40738, @cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.25.0 docker digest to 5502b0e (main) (#41343, @cilium-renovate[bot])
• chore(deps): update go to v1.24.5 (main) (#40496, @cilium-renovate[bot])
• chore(deps): update go to v1.24.6 (main) (#40992, @cilium-renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v2.2.1 (main) (#40382, @cilium-renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v2.2.2 (main) (#40498, @cilium-renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v2.3.0 (main) (#40644, @cilium-renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v2.3.1 (main) (#40891, @cilium-renovate[bot])
• chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] (main) (#41318, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.1-1752029260-6675448d88d49594fff5ac5d9786c51378263b9d (main) (#40431, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.0-1754542821-43b62ac18029bf5e22cbcc9e7141ee55eb09555d (main) (#40986, @cilium-renovate[bot])
• chore(deps): update renovate dependencies to v41.31.1 (main) (#40501, @cilium-renovate[bot])
• chore(deps): update renovate dependencies to v41.40.0 (main) (#40599, @cilium-renovate[bot])
• chore(deps): update renovate dependencies to v41.43.5 (main) (#40740, @cilium-renovate[bot])
• chore(deps): update renovate dependencies to v41.51.0 (main) (#40894, @cilium-renovate[bot])
• chore(deps): update renovate dependencies to v41.60.3 (main) (#41050, @cilium-renovate[bot])
• chore(deps): update renovate dependencies to v41.83.1 (main) (#41346, @cilium-renovate[bot])
• ci: filter runner upgrade for old stable branches (#40716, @Artyop)
• ci: fix renovate hourly and concurrent pr count (#40654, @Artyop)
• ci: regex update variable runners (#40921, @Artyop)
• ci: remove filter for runner update in lint wfs (#40683, @Artyop)
• ci: Update workflow permissions (#41383, @kyle-c-simmons)
• Cilium EndpointSlices: fix label values for the ces_sync_total metric (#40817, @antonipp)
• Cilium monitor now shows Socket LB trace events when Socket LB is enabled for host namespace only (#40943, @eddyduer)
• Cilium's Gateway API reconciler has been completely refactored and should be more reliable and performant as a result. (#41232, @youngnick)
• cilium, socklb: Add a flag for opting into terminating all protos (#40479, @borkmann)
• cilium, socklb: Terminate both UDP and TCP sockets (#40304, @borkmann)
• cilium-cli: report openshift detection in feature status (#41328, @aanm)
• cilium-dbg: Rename "statedb dump" to just "statedb" (#40917, @joamaki)
• Cleanup daemon options and move validation (#40409, @tklauser)
• clustermesh: improve logic to report back IPs from the derived service to the ServiceImport (#40732, @MrFreezeex)
• cni: Avoid lockfile leak on context timeout (#40958, @joestringer)
• CODEOWNERS: move pkg/logging to sig-agent (#40296, @squeed)
• CODEOWNERS: Update for common release files (#32327, @joestringer)
• codeowners: update l7lb & pod-to-ingress connectivity-test ownership (#41144, @mhofstetter)
• contrib: update verifier_diff.py to new formats (#41400, @smagnani96)
• Convert bpf endpoint config macros to load time config (#40430, @fristonio)
• Corrected logic for adding tolerations key in helm template for cilium-operator deployment (#40938, @walnuts1018)
• daemon: remove useless error log (#41097, @imroc)
• datapath: remove unused IPV4_MASK define (#40961, @tklauser)
• datapath: Use go 1.23 timers (#41040, @HadrienPatte)
• Disable host firewall bypass by default (#40691, @marseel)
• doc,bgp: Update prefix aggregation documentation (#40586, @YutaroHayakawa)
• docker: order dockerignore rules by depth to include nested targets.o (#40952, @smagnani96)
• docs: add batumbu to USERS.md (#40926, @gustysap)
• docs: add link to Slack Guidelines (#40484, @xmulligan)
• docs: Add missing dsrDispatch parameter to annotation-based DSR examples (#40873, @gitsofaryan)
• docs: clarify kernel config dependencies for CONFIG_FIB_RULES on embedded/custom Linux (#40168, @theoDev-alt)
• docs: clarify Prometheus annotation logic for metrics (#40532, @RayyanSeliya)
• docs: Clarify use of routing table IDs in Cilium. (#40248, @nocturo)
• docs: enable debug information before first authentication in mutual auth example (#40940, @sudeephb)
• docs: Enhance DSR with Geneve (#40626, @alagoutte)
• docs: fix typo in ipsec vs wireguard comparison (#40761, @jwswj)
• docs: Format masquerading docs (#41285, @joestringer)
• docs: include KubeCon talk showing Cilium, Prometheus & Grafana (#41311, @lizrice)
• docs: Remove stale mention of externalIPs.enabled (#41044, @nueavv)
• docs: Update docker images development documentation (#40299, @HadrienPatte)
• docs: update FakeClientCell reference (#40334, @emmanuel-ferdman)
• docs: Update Gateway API docs to reference Gateway API v1.3.0 (#40825, @Untersander)
• docs: update mutual auth example (#40510, @ep4sh)
• docs: Update theme to add dark mode support (#41174, @qmonnet)
• Don't enable host firewall bypass unless host firewall is enabled (#40942, @atykhyy)
• endpoint: reduce missed-policy-update log severity for restoring eps (#41095, @fristonio)
• endpoint: remove explicit debug log checks (#40486, @tklauser)
• Enhance error context in pkg/datapath/loader/netlink.go for easier debugging (#40734, @iwanhae)
• envoy: update to latest version and import DNS cluster extension (#40343, @mhofstetter)
• examples: Update httpbin example for Istio latest release compatibility (#40151, @AritraDey-Dev)
• feat(sdp): Cilium agent server handling SDP conn (#39220, @vipul-21)
• feat(sdp): interaction flow between cells for standalone dns proxy (#40982, @vipul-21)
• Fix misc typos (#40769, @HadrienPatte)
• fix(deps): update all go dependencies main (main) (#40325, @cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (#40383, @cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (#40499, @cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (#40593, @cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (#40897, @cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (#41047, @cilium-renovate[bot])
• fix(deps): update aws-sdk-go-v2 monorepo (main) (#40597, @cilium-renovate[bot])
• fix(deps): update aws-sdk-go-v2 monorepo (main) (#40895, @cilium-renovate[bot])
• fix(deps): update aws-sdk-go-v2 monorepo (main) (#41049, @cilium-renovate[bot])
• fix(deps): update aws-sdk-go-v2 monorepo (main) (#41345, @cilium-renovate[bot])
• fix(deps): update kubernetes packages to v0.33.3 (main) (#40598, @cilium-renovate[bot])
• fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.231.0 (main) (#40502, @cilium-renovate[bot])
• fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.236.0 (main) (#40741, @cilium-renovate[bot])
• fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azcore to v1.18.1 (main) (#40500, @cilium-renovate[bot])
• fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azcore to v1.18.2 (main) (#40892, @cilium-renovate[bot])
• fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azcore to v1.19.0 (main) (#41347, @cilium-renovate[bot])
• fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azidentity to v1.11.0 (main) (#41051, @cilium-renovate[bot])
• fix(deps): update module github.com/docker/docker to v28.3.3+incompatible [security] (main) (#40792, @cilium-renovate[bot])
• fix(deps): update module github.com/go-openapi/errors to v0.22.2 (main) (#41063, @cilium-renovate[bot])
• fix(deps): update module helm.sh/helm/v3 to v3.18.4 [security] (main) (#40429, @cilium-renovate[bot])
• fix: eBPF logo (#41367, @xmulligan)
• fqdn/proxy: remove unused MockFQDNProxy (#40534, @tklauser)
• fqdn/restore: remove test-only Sort methods (#40681, @tklauser)
• fqdn: clean up regex cache (#40365, @squeed)
• go.mod, vendor: pull in charts for Cilium 1.18.0 and Tetragon 1.5.0 (#40823, @tklauser)
• go.mod: use go 1.25 (#41100, @bimmlerd)
• helm: improve k8sServiceHost automatic lookup function (#41291, @iuriaranda)
• helm: misc small cleanups with certgen job spec (#40628, @MrFreezeex)
• helm: support extending cilium-operator volumes and clustermesh-apiserver arguments (#41246, @giorio94)
• images/builder: add python3 scapy dependency (bis) (#40874, @msune)
• images/builder: add python3 scapy dependency (#40838, @msune)
• images: Remove unused install-builder-deps.sh script (#40870, @qmonnet)
• images: update cilium-builder (#40560, @jrife)
• Improve logs around ipcache upserts (#40866, @kamilWyszynski1)
• Include bgp remote peer capabilities in the sysdump (#40719, @liyihuang)
• ip-masq-agent: refactor into a Hive Cell (#40347, @antonipp)
• ipam/multipool: Update local node on CiliumNode changes (#41302, @joamaki)
• ipcache: simplify generateUniqueCIDRs test helper (#40945, @tklauser)
• ipcache: slightly reduce API surface (#40671, @tklauser)
• ipsec: keep SPI in sync between keyCustodian and BPF map (#41456, @smagnani96)
• k8s: cleanup old Endpoints/beta EndpointSlices/Lease code (#40555, @marseel)
• k8s: remove a bunch of unused code (#40816, @tklauser)
• k8s: Skip endpoints without conditions (#41234, @joamaki)
• loadbalancer: Shrink BackendParams (#40826, @joamaki)
• loader: Flush BTF cache after loading bpf_sock_term programs (#41009, @jrife)
• Log kube-proxy replacement config before starting kube-proxy replacement (#41133, @liyihuang)
• Log whether CES is enabled in CID controller (#41023, @kamilWyszynski1)
• lower log severity for stale metadata to avoid CI issue (#41389, @liyihuang)
• MAINTAINERS: Add Marcel Zięba (#41284, @joestringer)
• MAINTAINERS: Move Ian to Emeritus (#40833, @joestringer)
• MAINTAINERS: New emeritus commiter (#40821, @vadorovsky)
• MAINTAINERS: New emeritus committer (#40767, @xmulligan)
• metrics/features: Fix counter metrics to use Set() instead of Add() (#41382, @aanm)
• Miscellaneous improvements to option.NewNamedMapOptions (#40529, @giorio94)
• Miscellaneous improvements to the gneigh subsystem (#40939, @giorio94)
• Modularization of WireGuard Agent. (#40360, @smagnani96)
• monitor/format: use MonitorFormatter to print on any bufio.Writer and not just on Stdout (#39957, @Andreagit97)
• multicast: use Go 1.20 slice-to-array conversion for SolicitedNodeMaddr() (#40591, @suchit07-git)
• node: Implement LocalNodeStore as StateDB table (#40918, @joamaki)
• nodediscovery: Do not log error on kvstore update if context cancelled (#41315, @joamaki)
• nodediscovery: remove unused WaitForLocalNodeInit function (#40657, @giorio94)
• operator: Attach context to logs when available (#39728, @HadrienPatte)
• operator: Modularize kvstore lock sweeper (#40249, @pippolo84)
• pkg/bpf/collection: Temporarily don't error on unused maps (#41379, @dylandreimerink)
• plugins: Don't install CNI conf in container image (#39516, @joestringer)
• plugins: Fix cilium-cni build for kind-image-fast (#41270, @gandro)
• pprof: support mutex contention and blocked goroutine profiling (#41154, @antonipp)
• Prepare for v1.19 development cycle (#40238, @joestringer)
• proxy/proxyports: move test-only code and use fake datapath iptables manager (#40637, @tklauser)
• README: Update releases (#40309, @joestringer)
• README: Update releases (#40547, @aanm)
• README: Update releases (#41187, @aanm)
• refactor ciliumidentity tests and export helper functions (#40773, @jshr-w)
• refactor: Add proxy lookup handler cell for DNS policy enforcement (#40882, @vipul-21)
• refactor: cleanups in unparallel tests and replace netlink with safenetlink (#41363, @smagnani96)
• Remove failsafe checks for deprecated single CIDR options (#40258, @ldlb9527)
• renovate: add more trusted dependencies for auto-merge (#40948, @aanm)
• renovate: Allow updates of images from the image-tools repo (#41230, @HadrienPatte)
• renovate: Bump cilium-envoy version for stable branches (#40364, @sayboras)
• renovate: Correct branch typo for cilium-envoy (#40461, @sayboras)
• renovate: Fix go-github exclusion rule (#40911, @HadrienPatte)
• renovate: Rebase if dont-merge/needs-rebase label is set (#41271, @HadrienPatte)
• Revert "endpoint, policy: Don't accidentally clear out endpoint policy maps" (#40695, @joestringer)
• Revert "k8s: Update tests and libraries to v1.34.0-rc.1" (#41143, @sayboras)
• Revert "loadbalancer: increase timeout for initial sync" (#40668, @YutaroHayakawa)
• Revert "Update .readthedocs.yaml" (#40517, @joestringer)
• Revert commit 59b97ee ("maps/policymap, daemon: Create policy maps from daemon") (#40257, @atykhyy)
• shell: don't reconnect on connection close (#40950, @bimmlerd)
• shell: Prevent server error on graceful shutdown (#41401, @HadrienPatte)
• slices: add map helper function (#41282, @giorio94)
• sockets: In socket-LB mode, terminate sockets connected to deleted backends using BPF socket iterators. (#38693, @jrife)
• Support triggering Makefiles from outside of the tree (#40286, @sayboras)
• Support WireGuard with IPv6 Underlay (#40051, @pchaigno)
• tools/dev-doctor: remove vagrant dev VM specific checks (#40536, @tklauser)
• treewide: Centralize goleak options to pkg/testutils (#41129, @joamaki)
• Update .readthedocs.yaml to generate pdfs and epubs (#40330, @skewballfox)
• Update all github action dependencies (main) (#41212, @cilium-renovate[bot])
• Update all github action dependencies (main) (patch) (#41205, @cilium-renovate[bot])
• Update all go dependencies main (main) (#41203, @cilium-renovate[bot])
• Update all lvh-images main (main) (patch) (#41206, @cilium-renovate[bot])
• Update all-dependencies (main) (#41125, @cilium-renovate[bot])
• Update all-dependencies (main) (#41175, @cilium-renovate[bot])
• Update aws-sdk-go-v2 monorepo (main) (#41208, @cilium-renovate[bot])
• Update dependency protocolbuffers/protobuf to v32 (main) (#41213, @cilium-renovate[bot])
• Update docker.io/alpine/socat:1.8.0.3 Docker digest to 29d0f24 (main) (#41204, @cilium-renovate[bot])
• Update Functionality Overview in README (#40275, @xmulligan)
• Update Go to v1.25.0 (main) (#41209, @cilium-renovate[bot])
• Update golangci/golangci-lint Docker tag to v2.4.0 (main) (#41210, @cilium-renovate[bot])
• Update kubernetes packages to v0.33.4 (main) (#41207, @cilium-renovate[bot])
• Update maintainer affiliations (#40511, @xmulligan)
• Update makefile in containerlab/bgpv2 from hardcode to dynamic stable version and new logic to handle local image for development environments. (#40726, @liyihuang)
• Update module helm.sh/helm/v3 to v3.18.5 [SECURITY] (main) (#41156, @cilium-renovate[bot])
• Update renovate dependencies to v41.76.0 (main) (#41211, @cilium-renovate[bot])
• v1.18.0: drop support for 1.15 and add v1.18 (#40781, @aanm)
• vendor,treewide: Bump to StateDB v0.5.0 and update API usage (#41002, @joamaki)
• vendor: Prevent renovate from updating gobgp dependency (#40612, @HadrienPatte)
• vendor: Update Azure SDK armcompute module to v7 (#40718, @HadrienPatte)
• vendor: Update github.com/google/go-github to v73 (#40326, @HadrienPatte)
• version: parse Cilium version string only once (#40652, @tklauser)
• xds: optimize log message of waiting for proxy update (#41190, @mhofstetter)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.0-pre.0@sha256:02d8349bea5a6a0c19dc9a8b58fef113c7b57e7480302c06f7f7d438f75982e6

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.0-pre.0@sha256:6f287a8fab9771088117e9d93cc5e2a2ef6951002fe924aaea86f9ec2dca3cdd

docker-plugin

quay.io/cilium/docker-plugin:v1.19.0-pre.0@sha256:b9850ec9b3e45240261ed0e798c1d24822ec020a8c9bacdcb92e2cceda8cd138

hubble-relay

quay.io/cilium/hubble-relay:v1.19.0-pre.0@sha256:584cfccd3f3a3f8e791767bace0e7563c2fc9f630b0a7986fa00f8debbd5d751

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.0-pre.0@sha256:0638e3f906a327f2adcd427cef73841da5ed458e06da5ca686ec68f127de5dea

operator-aws

quay.io/cilium/operator-aws:v1.19.0-pre.0@sha256:7f34d0a22ab307be575528f3828f3ee0ef72c37dfdfae449e434aa32ae94aa77

operator-azure

quay.io/cilium/operator-azure:v1.19.0-pre.0@sha256:905996bce67b9d99c20de0bdc51d89381ec7c257340d8da6ebfa9c65c9852f20

operator-generic

quay.io/cilium/operator-generic:v1.19.0-pre.0@sha256:84c935be65c01c5298764def57a147ca130267c070ce970473a8f40b29c61c7e

operator

quay.io/cilium/operator:v1.19.0-pre.0@sha256:bc1df458f342e74c2143664458e8caaff6c3d0f62bd7f3a9b0ea1e7f9f19d4b3