
[v1.18] Fix IPsec startup panic in Multi-Pool IPAM mode #41725

Merged
pippolo84 merged 1 commit into cilium:v1.18 from
pippolo84:pr/pippolo84/v1.18-fix-multi-pool-ipsec-startup-panic
Sep 18, 2025

@pippolo84 pippolo84 commented Sep 17, 2025

At startup, the IPv4 and IPv6 allocation CIDRs are first initialized as nil in the InitLocalNode function from the LocalNodeStart start hook. Later in the startup sequence, the multi-pool manager watches for CiliumNode updates and reflects those in the local node status, thus updating the v4 and v6 allocation CIDRs.

When IPSec is enabled, it might be possible for the linux node handler to receive a node update before the allocation CIDRs have been set. If this happens, the IPSec subsystem tries to update the routes in the host routing table and panics while accessing the nil v4 and v6 allocation CIDRs:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x37d0675]

goroutine 423 [running]:
github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).enableIPSecIPv6DoLocalHost(0xc000f6d6b0?, {0x0, 0x0})
	/go/src/github.com/cilium/cilium/pkg/datapath/linux/ipsec.go:607 +0x55
github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).enableIPsecIPv6(0xc001f9c388, 0xc003107b80, 0x5c27, 0x1, 0x0)
	/go/src/github.com/cilium/cilium/pkg/datapath/linux/ipsec.go:621 +0x3d4
github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).enableIPsec(0xc001f9c388, 0x0, 0xc003107b80, 0x5c27)
	/go/src/github.com/cilium/cilium/pkg/datapath/linux/ipsec.go:161 +0x3a8
github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).nodeUpdate(0xc001f9c388, 0x0, 0xc003107b80, 0x1)
	/go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:504 +0xa48
github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).NodeConfigurationChanged(_, {{0xc001bb3360, 0x10, 0x10}, {0xc001bb3390, 0x10, 0x10}, {0xc001e9d586, 0x10, 0x1a}, ...})
	/go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:739 +0x51b
github.com/cilium/cilium/pkg/node/manager.(*NodeConfigNotifier).Notify(_, {{0xc001bb3360, 0x10, 0x10}, {0xc001bb3390, 0x10, 0x10}, {0xc001e9d586, 0x10, 0x1a}, ...})
	/go/src/github.com/cilium/cilium/pkg/node/manager/node_config_notifier.go:47 +0xb5
github.com/cilium/cilium/pkg/datapath/loader.(*loader).Reinitialize(0xc00053d280, {0x50c79f8, 0xc000e8f1a0}, 0xc001f8b688, {{0x49a183e, 0x4}, {0xc001c40499, 0x5}, 0x2118, 0x0, ...}, ...)
	/go/src/github.com/cilium/cilium/pkg/datapath/loader/base.go:515 +0x1e05
github.com/cilium/cilium/pkg/datapath/orchestrator.(*orchestrator).reinitialize(0xc001f6cf08, {0x50c79f8?, 0xc000e8f1a0?}, {{0x0?, 0x0?}, 0x0?}, 0xc001f8b688)
	/go/src/github.com/cilium/cilium/pkg/datapath/orchestrator/orchestrator.go:275 +0x110
github.com/cilium/cilium/pkg/datapath/orchestrator.(*orchestrator).reconciler(0xc001f6cf08, {0x50c79f8, 0xc000e8f1a0}, {0x50d1f80, 0xc0029f2600})
	/go/src/github.com/cilium/cilium/pkg/datapath/orchestrator/orchestrator.go:219 +0x725
github.com/cilium/hive/job.(*jobOneShot).start(0xc001ee2ae0, {0x50c79f8, 0xc000e8f1a0}, 0xc002613fa8?, {0x50d1f80, 0xc001ee2a80}, {{{0x0, 0x0, 0x0}}, 0xc000dc8210, ...})
	/go/src/github.com/cilium/cilium/vendor/github.com/cilium/hive/job/oneshot.go:138 +0x4fd
created by github.com/cilium/hive/job.(*queuedJob).Start.func1 in goroutine 1
	/go/src/github.com/cilium/cilium/vendor/github.com/cilium/hive/job/job.go:126 +0x16f

The commit fixes the issue by checking for the allocation CIDRs to be non-nil before updating the host routing tables.

This issue only affects v1.18, where multi-pool IPAM and IPSec are both supported. This does not affect main, since the offending logic has been changed and does not have this problem.

Observed here from #41631

Fix panic at startup in IPsec subsystem with Multi-Pool IPAM mode
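
The startup ordering described in this PR, modelled as an added Go example that is not part of the PR or of Cilium's code. The `CIDR`, `localNode` and `hostRoutes` types, both update functions and the sample prefixes are hypothetical, and skipping a nil CIDR is one assumed reading of "checking for the allocation CIDRs to be non-nil".

```go
package main

import (
	"fmt"
	"net"
)

// CIDR is a hypothetical wrapper around *net.IPNet; a nil *CIDR means
// "no allocation CIDR has been assigned yet".
type CIDR struct{ *net.IPNet }

// mustCIDR parses a constructed sample prefix.
func mustCIDR(s string) *CIDR {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return &CIDR{n}
}

// localNode models the local node status: both allocation CIDRs start as nil
// and are filled in later, once the CiliumNode update has been observed.
type localNode struct{ v4Alloc, v6Alloc *CIDR }

// hostRoutes stands in for the host routing table.
type hostRoutes struct{ installed []string }

// updateUnguarded models the behaviour before the fix: it dereferences both
// CIDRs unconditionally, so a nil CIDR is a nil pointer dereference.
func updateUnguarded(r *hostRoutes, n *localNode) {
	r.installed = append(r.installed, n.v4Alloc.IPNet.String(), n.v6Alloc.IPNet.String())
}

// updateGuarded checks each family for nil before touching the routes and
// skips the families that are not allocated yet (assumed behaviour).
func updateGuarded(r *hostRoutes, n *localNode) {
	for _, c := range []*CIDR{n.v4Alloc, n.v6Alloc} {
		if c == nil || c.IPNet == nil {
			continue // not allocated yet; a later node update installs it
		}
		r.installed = append(r.installed, c.IPNet.String())
	}
}

// panics runs f and reports whether it panicked. The recover is only here so
// the example can observe the crash; in a real agent the process would exit.
func panics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

// simulateStartup replays the ordering from the PR description:
//  1. the local node is initialised with nil allocation CIDRs,
//  2. a node update reaches the handler before the CIDRs are set,
//  3. the CIDRs are populated,
//  4. a second node update arrives.
//
// It returns the routes installed at the end and whether step 2 panicked.
func simulateStartup(update func(*hostRoutes, *localNode)) (routes []string, earlyPanic bool) {
	node := &localNode{} // step 1
	rt := &hostRoutes{}
	earlyPanic = panics(func() { update(rt, node) }) // step 2
	node.v4Alloc = mustCIDR("10.10.0.0/24")          // step 3 (constructed values)
	node.v6Alloc = mustCIDR("fd00:10::/64")
	update(rt, node) // step 4
	return rt.installed, earlyPanic
}

func main() {
	_, crashed := simulateStartup(updateUnguarded)
	fmt.Println("unguarded: early update panicked:", crashed)
	routes, crashed := simulateStartup(updateGuarded)
	fmt.Println("guarded:   early update panicked:", crashed, "routes:", routes)
}
```
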

@pippolo84 pippolo84 requested a review from a team as a code owner September 17, 2025 08:31
@pippolo84 pippolo84 added release-note/bug This PR fixes an issue in a previous release of Cilium. area/multipool Affects Multi-Pool IPAM feature/ipsec Relates to Cilium's IPsec feature labels Sep 17, 2025
@maintainer-s-little-helper maintainer-s-little-helper Bot added backport/1.18 This PR represents a backport for Cilium 1.18.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Sep 17, 2025
@pippolo84 pippolo84 mentioned this pull request Sep 17, 2025
1 task
@pippolo84
Member Author

/test

At startup, the IPv4 and IPv6 allocation CIDRs are first initialized as
nil in the InitLocalNode function from the LocalNodeStart start hook.
Later in the startup sequence, the multi-pool manager watches for
CiliumNode updates and reflects those in the local node status, thus
updating the v4 and v6 allocation CIDRs.

When IPSec is enabled, it might be possible for the linux node handler
to receive a node update before the allocation CIDRs have been set. If
this happens, the IPSec subsystem tries to update the routes in the host
routing table and panics while accessing the nil v4 and v6 allocation
CIDRs:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x37d0675]

goroutine 423 [running]:
github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).enableIPSecIPv6DoLocalHost(0xc000f6d6b0?, {0x0, 0x0})
	/go/src/github.com/cilium/cilium/pkg/datapath/linux/ipsec.go:607 +0x55
github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).enableIPsecIPv6(0xc001f9c388, 0xc003107b80, 0x5c27, 0x1, 0x0)
	/go/src/github.com/cilium/cilium/pkg/datapath/linux/ipsec.go:621 +0x3d4
github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).enableIPsec(0xc001f9c388, 0x0, 0xc003107b80, 0x5c27)
	/go/src/github.com/cilium/cilium/pkg/datapath/linux/ipsec.go:161 +0x3a8
github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).nodeUpdate(0xc001f9c388, 0x0, 0xc003107b80, 0x1)
	/go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:504 +0xa48
github.com/cilium/cilium/pkg/datapath/linux.(*linuxNodeHandler).NodeConfigurationChanged(_, {{0xc001bb3360, 0x10, 0x10}, {0xc001bb3390, 0x10, 0x10}, {0xc001e9d586, 0x10, 0x1a}, ...})
	/go/src/github.com/cilium/cilium/pkg/datapath/linux/node.go:739 +0x51b
github.com/cilium/cilium/pkg/node/manager.(*NodeConfigNotifier).Notify(_, {{0xc001bb3360, 0x10, 0x10}, {0xc001bb3390, 0x10, 0x10}, {0xc001e9d586, 0x10, 0x1a}, ...})
	/go/src/github.com/cilium/cilium/pkg/node/manager/node_config_notifier.go:47 +0xb5
github.com/cilium/cilium/pkg/datapath/loader.(*loader).Reinitialize(0xc00053d280, {0x50c79f8, 0xc000e8f1a0}, 0xc001f8b688, {{0x49a183e, 0x4}, {0xc001c40499, 0x5}, 0x2118, 0x0, ...}, ...)
	/go/src/github.com/cilium/cilium/pkg/datapath/loader/base.go:515 +0x1e05
github.com/cilium/cilium/pkg/datapath/orchestrator.(*orchestrator).reinitialize(0xc001f6cf08, {0x50c79f8?, 0xc000e8f1a0?}, {{0x0?, 0x0?}, 0x0?}, 0xc001f8b688)
	/go/src/github.com/cilium/cilium/pkg/datapath/orchestrator/orchestrator.go:275 +0x110
github.com/cilium/cilium/pkg/datapath/orchestrator.(*orchestrator).reconciler(0xc001f6cf08, {0x50c79f8, 0xc000e8f1a0}, {0x50d1f80, 0xc0029f2600})
	/go/src/github.com/cilium/cilium/pkg/datapath/orchestrator/orchestrator.go:219 +0x725
github.com/cilium/hive/job.(*jobOneShot).start(0xc001ee2ae0, {0x50c79f8, 0xc000e8f1a0}, 0xc002613fa8?, {0x50d1f80, 0xc001ee2a80}, {{{0x0, 0x0, 0x0}}, 0xc000dc8210, ...})
	/go/src/github.com/cilium/cilium/vendor/github.com/cilium/hive/job/oneshot.go:138 +0x4fd
created by github.com/cilium/hive/job.(*queuedJob).Start.func1 in goroutine 1
	/go/src/github.com/cilium/cilium/vendor/github.com/cilium/hive/job/job.go:126 +0x16f

The commit fixes the issue by checking for the allocation CIDRs to be
non-nil before updating the host routing tables.

This issue only affects v1.18, where multi-pool IPAM and IPSec are both
supported.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84 pippolo84 force-pushed the pr/pippolo84/v1.18-fix-multi-pool-ipsec-startup-panic branch from 09bf142 to 82d026b Compare September 17, 2025 15:58
@pippolo84
Member Author

/test

@pippolo84 pippolo84 enabled auto-merge September 17, 2025 16:43
@julianwiedmann julianwiedmann added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. and removed ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Sep 18, 2025
@julianwiedmann
Member

@aanm are you able to force this PR in? The Mergeability check is stuck pretty hard it seems 🙂

@aanm aanm added dont-merge/bad-bot To prevent MLH from marking ready-to-merge. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. and removed dont-merge/bad-bot To prevent MLH from marking ready-to-merge. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Sep 18, 2025
@pippolo84 pippolo84 added this pull request to the merge queue Sep 18, 2025
Merged via the queue into cilium:v1.18 with commit b98addd Sep 18, 2025
66 checks passed
@pippolo84 pippolo84 deleted the pr/pippolo84/v1.18-fix-multi-pool-ipsec-startup-panic branch September 18, 2025 08:56
schwarlex pushed a commit to la-demos/vcluster-workshop-prep that referenced this pull request Feb 11, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | patch | `1.18.2` -> `1.18.3` |

---

### Release Notes

<details>
<summary>cilium/cilium (cilium)</summary>

### [`v1.18.3`](https://github.com/cilium/cilium/releases/tag/v1.18.3): 1.18.3

[Compare Source](cilium/cilium@1.18.2...1.18.3)

## Summary of Changes

:information\_source: The images in this release were signed with cosign v3. Please use cosign v3 tooling to validate signatures with the following command syntax:

```
cosign verify --certificate-github-workflow-repository cilium/cilium --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-github-workflow-name 'Image Release Build' --certificate-github-workflow-ref refs/tags/v1.18.3 --certificate-identity https://github.com/cilium/cilium/.github/workflows/build-images-releases.yaml@refs/tags/v1.18.3 quay.io/cilium/operator-aws:v1.18.3 | jq -r '.[].critical.image'
```

**Minor Changes:**

- Fix a complexity issue for the bpf\_xdp program (Backport PR [#42198](cilium/cilium#42198), Upstream PR [#42193](cilium/cilium#42193), [@aspsk](https://github.com/aspsk))
- hubble: mark kafka l7 visibility as deprecated (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41072](cilium/cilium#41072), [@kaworu](https://github.com/kaworu))

**Bugfixes:**

- add the port name for address based LRP so frontend can pick the right backend (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41602](cilium/cilium#41602), [@liyihuang](https://github.com/liyihuang))
- Avoid scenario where ENI device configuration can be skipped. (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41760](cilium/cilium#41760), [@jasonaliyetti](https://github.com/jasonaliyetti))
- Cilium now configures Envoy to allow websocket connections to be passed through with HTTP policies. (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41729](cilium/cilium#41729), [@jrajahalme](https://github.com/jrajahalme))
- Fix a bug that was preventing Cilium to delete stale pod CIDRs routes when changing routing mode to native (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41819](cilium/cilium#41819), [@pippolo84](https://github.com/pippolo84))
- Fix a fatal error when accessing multicast map using cilium-dbg bpf multicast (Backport PR [#42151](cilium/cilium#42151), Upstream PR [#42080](cilium/cilium#42080), [@tklauser](https://github.com/tklauser))
- Fix BGP auto discovery not sending community info (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41920](cilium/cilium#41920), [@jiashengz](https://github.com/jiashengz))
- Fix bug in ENI routing where Cilium would chose the wrong subnet for routing traffic on secondary interfaces (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#40860](cilium/cilium#40860), [@liyihuang](https://github.com/liyihuang))
- Fix bug that could cause ICMP error packets to have an incorrect inner IP checksum when KPR is enabled. (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41551](cilium/cilium#41551), [@yushoyamaguchi](https://github.com/yushoyamaguchi))
- Fix bug with delegated IPAM where IPv6 traffic was routed via the wrong interface (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41598](cilium/cilium#41598), [@NihaNallappagari](https://github.com/NihaNallappagari))
- Fix failing node health check on dual stack cluster if NodeInternalIPs are not configured for both families. (Backport PR [#42055](cilium/cilium#42055), Upstream PR [#41633](cilium/cilium#41633), [@Dennor](https://github.com/Dennor))
- Fix increase in memory usage when service names are looked up at high rate during Hubble flow creation (Backport PR [#42151](cilium/cilium#42151), Upstream PR [#41965](cilium/cilium#41965), [@joamaki](https://github.com/joamaki))
- Fix panic at startup in IPsec subsystem with Multi-Pool IPAM mode ([#41725](cilium/cilium#41725), [@pippolo84](https://github.com/pippolo84))
- Fix race condition preventing the skiplbmap BPF map from sometimes being pruned after restart. (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41529](cilium/cilium#41529), [@joamaki](https://github.com/joamaki))
- Fixes a rare bug where endpoints may have incomplete policies in large clusters. (Backport PR [#42151](cilium/cilium#42151), Upstream PR [#42049](cilium/cilium#42049), [@squeed](https://github.com/squeed))
- hostfw: also exclude non-transparent proxy traffic when BPF masq is enabled (Backport PR [#41989](cilium/cilium#41989), Upstream PR [#41915](cilium/cilium#41915), [@julianwiedmann](https://github.com/julianwiedmann))
- Ignore expected error in neighbor reconciliation (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41815](cilium/cilium#41815), [@dylandreimerink](https://github.com/dylandreimerink))
- loadbalancer: allow HostPort for multiple protos on same port (Backport PR [#41913](cilium/cilium#41913), Upstream PR [#41521](cilium/cilium#41521), [@bersoare](https://github.com/bersoare))
- operator/pkg/lbipam: fix LoadBalancerIPPool conditions update logic (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41322](cilium/cilium#41322), [@alimehrabikoshki](https://github.com/alimehrabikoshki))

**CI Changes:**

- .actions/cilium-config: add missing extraEnv in GH action (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41420](cilium/cilium#41420), [@aanm](https://github.com/aanm))
- .github/workflows: add variable for renovate bot username (Backport PR [#41843](cilium/cilium#41843), Upstream PR [#41818](cilium/cilium#41818), [@aanm](https://github.com/aanm))
- .github/workflows: automatically add /test for renovate PRs (Backport PR [#41843](cilium/cilium#41843), Upstream PR [#41770](cilium/cilium#41770), [@aanm](https://github.com/aanm))
- .github/workflows: do not wait on linters form forks (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41822](cilium/cilium#41822), [@aanm](https://github.com/aanm))
- .github/workflows: remove reviewers requested by auto-committer\[bot] (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41759](cilium/cilium#41759), [@aanm](https://github.com/aanm))
- cli: Fix unreliable tests due to error emitted in Cilium logs "retrieving device lxc\*: Link not found" (Backport PR [#42200](cilium/cilium#42200), Upstream PR [#42146](cilium/cilium#42146), [@fristonio](https://github.com/fristonio))
- gha: Correct k8s version for f12-datapath-service-ns-misc (Backport PR [#41756](cilium/cilium#41756), Upstream PR [#41753](cilium/cilium#41753), [@sayboras](https://github.com/sayboras))
- ginkgo: add test ownership for ginkgo tests (Backport PR [#42055](cilium/cilium#42055), Upstream PR [#41950](cilium/cilium#41950), [@aanm](https://github.com/aanm))
- Streamline ci-multi-pool workflow (Backport PR [#41631](cilium/cilium#41631), Upstream PR [#40658](cilium/cilium#40658), [@pippolo84](https://github.com/pippolo84))
- workflows: fix GCP OIDC authentication's project ID ([#42173](cilium/cilium#42173), [@nbusseneau](https://github.com/nbusseneau))

**Misc Changes:**

- .github/workflows: stop build CI images until base images are built (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41681](cilium/cilium#41681), [@aanm](https://github.com/aanm))
- agent: Add Cilium health config cell (Backport PR [#42055](cilium/cilium#42055), Upstream PR [#41627](cilium/cilium#41627), [@aditighag](https://github.com/aditighag))
- bpf/nat: Move `ipv6_nat_entry` to map (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41902](cilium/cilium#41902), [@pchaigno](https://github.com/pchaigno))
- bpf: hostfw: have from-host always pass the ipcache-based src identity (Backport PR [#42113](cilium/cilium#42113), Upstream PR [#42093](cilium/cilium#42093), [@julianwiedmann](https://github.com/julianwiedmann))
- bpf: Only send fillup signal to agent on ENOMEM error (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41864](cilium/cilium#41864), [@borkmann](https://github.com/borkmann))
- chore(deps): update all github action dependencies (v1.18) ([#41795](cilium/cilium#41795), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18) ([#41931](cilium/cilium#41931), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18) ([#42028](cilium/cilium#42028), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18) ([#42136](cilium/cilium#42136), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18) ([#42264](cilium/cilium#42264), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18) ([#41716](cilium/cilium#41716), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18) ([#41793](cilium/cilium#41793), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18) ([#42035](cilium/cilium#42035), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18) ([#42116](cilium/cilium#42116), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/little-vm-helper to v0.0.27 (v1.18) ([#42263](cilium/cilium#42263), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v33 (v1.18) ([#42265](cilium/cilium#42265), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.24.7 docker digest to [`2c5f7a0`](cilium/cilium@2c5f7a0) (v1.18) ([#42026](cilium/cilium#42026), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.24.7 docker digest to [`87916ac`](cilium/cilium@87916ac) (v1.18) ([#41792](cilium/cilium#41792), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.24.9 docker digest to [`02ce1d7`](cilium/cilium@02ce1d7) (v1.18) ([#42253](cilium/cilium#42253), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.24.8 (v1.18) ([#42062](cilium/cilium#42062), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.24.9 (v1.18) ([#42166](cilium/cilium#42166), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.7-1759058812-49b096a457d6e7f6d650229cbf95c63d59759331 (v1.18) ([#41933](cilium/cilium#41933), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) ([#41730](cilium/cilium#41730), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) ([#41794](cilium/cilium#41794), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) ([#41930](cilium/cilium#41930), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) ([#42027](cilium/cilium#42027), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) ([#42135](cilium/cilium#42135), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) ([#42300](cilium/cilium#42300), [@cilium-renovate](https://github.com/cilium-renovate)\[bot])
- doc: add note on hostfw and ipsec interaction (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41810](cilium/cilium#41810), [@darox](https://github.com/darox))
- docs/dsr: Remove IPIP example configuration (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41701](cilium/cilium#41701), [@pchaigno](https://github.com/pchaigno))
- docs: Clarify list of capabilities in threat model (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41682](cilium/cilium#41682), [@joestringer](https://github.com/joestringer))
- docs: fix broken Chainguard SBOM link (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41719](cilium/cilium#41719), [@yashisrani](https://github.com/yashisrani))
- docs: remove stale kernel requirements (Backport PR [#42151](cilium/cilium#42151), Upstream PR [#42081](cilium/cilium#42081), [@julianwiedmann](https://github.com/julianwiedmann))
- docs: Update iproute2 compile steps in reference guide. (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41638](cilium/cilium#41638), [@dkanaliev](https://github.com/dkanaliev))
- endpoint: reduce missed-policy-update log severity for restoring eps (Backport PR [#42055](cilium/cilium#42055), Upstream PR [#41095](cilium/cilium#41095), [@fristonio](https://github.com/fristonio))
- endpointsynchronizer: suppress warning log when endpoint is terminating (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41755](cilium/cilium#41755), [@giorio94](https://github.com/giorio94))
- gateway-api: Fix incorrect `Owns` call in refactor (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41807](cilium/cilium#41807), [@youngnick](https://github.com/youngnick))
- hubble: allow overrrides if building from outside the tree (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41726](cilium/cilium#41726), [@tklauser](https://github.com/tklauser))
- ipsec: add support for using remote PodCIDR entries (Backport PR [#42073](cilium/cilium#42073), Upstream PR [#41519](cilium/cilium#41519), [@julianwiedmann](https://github.com/julianwiedmann))
- Make kubeProxyReplacement available in the reference and documentation (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41535](cilium/cilium#41535), [@liyihuang](https://github.com/liyihuang))
- redirectpolicy: Always OpenOrCreate SkipLB map to avoid loader race (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41707](cilium/cilium#41707), [@joamaki](https://github.com/joamaki))
- redirectpolicy: Fix comparison of BackendParams (Backport PR [#41848](cilium/cilium#41848), Upstream PR [#41705](cilium/cilium#41705), [@joamaki](https://github.com/joamaki))
- Remove kiam documentation from Local Redirect Policy (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41644](cilium/cilium#41644), [@liyihuang](https://github.com/liyihuang))
- Update `checkpatch` and `startup-script` image digest (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41710](cilium/cilium#41710), [@HadrienPatte](https://github.com/HadrienPatte))

**Other Changes:**

- \[v1.18] gateway-api: Refactor Gateway API reconciler ([#41720](cilium/cilium#41720), [@youngnick](https://github.com/youngnick))
- \[v1.18] workflows/release: add secrets for step 4 and 5 ([#41733](cilium/cilium#41733), [@jrajahalme](https://github.com/jrajahalme))
- install: Update image digests for v1.18.2 ([#41722](cilium/cilium#41722), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot])
- proxy: Bump cilium-envoy to 1.34.10 ([#42251](cilium/cilium#42251), [@sayboras](https://github.com/sayboras))

#### Docker Manifests

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://kubara.git.onstackit.cloud/STACKIT/kubara/pulls/140