deps(go): bump github.com/cilium/cilium from 1.19.3 to 1.19.4

[dependabot]

Bumps github.com/cilium/cilium from 1.19.3 to 1.19.4.

Release notes

Sourced from github.com/cilium/cilium's releases.

1.19.4

Summary of Changes

Minor Changes:

• cilium-agent: when --k8s-service-proxy-name is set, EndpointSlices are now filtered by the service.kubernetes.io/service-proxy-name label at the watch level, matching how Services are already filtered, operators with hand-managed EndpointSlices must stamp the matching label on those slices. (Backport PR cilium/cilium#45755, Upstream PR cilium/cilium#45504, @​HadrienPatte)
• iptables-based masquerading: Ensure iptables rules respect longest prefix match by sorting routes by mask length when enable-masquerade-to-route-source is enabled (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45192, @​liyihuang)
• operator/spire: make SPIRE client configurable for ztunnel (Backport PR cilium/cilium#45356, Upstream PR cilium/cilium#44136, @​nddq)
• pkg/endpoint: skip logger rebuild on policy revision updates (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45533, @​sjohnsonpal)

Bugfixes:

• bpf: egressgw: respect egress ifindex during FIB lookup (Backport PR cilium/cilium#45695, Upstream PR cilium/cilium#45661, @​julianwiedmann)
• bpf: host: fix source identity for IPsec trace in to-netdev (Backport PR cilium/cilium#45594, Upstream PR cilium/cilium#45588, @​julianwiedmann)
• cilium-dbg: cilium map list now displays "unknown" instead of 0 for maps that do not support cache-based entry counting. (Backport PR cilium/cilium#45888, Upstream PR cilium/cilium#44951, @​skymensch)
• cilium: Fix incorrect IPv6 BIG TCP display (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45529, @​pchaigno)
• clustermesh: fails gracefully instead of crashing when EndpointSliceSync is not able to setup the EndpointSlice watch (Backport PR cilium/cilium#45496, Upstream PR cilium/cilium#45402, @​MrFreezeex)
• clustermesh: Fix Helm typo preventing to add annotations when setting clustermesh.apiserver.tls.auto.method: certmanager (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45576, @​owayss)
• Fix cilium-agent crash when a transient network error occurs during CiliumNode update. The agent now retries instead of calling Fatal. (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#44526, @​nebojsaj1726)
• Fix CiliumLocalRedirectPolicy addressMatcher overriding an existing Service's frontend when its backend pods are not yet Ready. (Backport PR cilium/cilium#45584, Upstream PR cilium/cilium#45522, @​ysksuzuki)
• Fix dedicated Ingress reconciliation panic on invalid TLS passthrough rules (Backport PR cilium/cilium#45888, Upstream PR cilium/cilium#45737, @​weizhoublue)
• Fix host L7 policy operation (Backport PR cilium/cilium#45496, Upstream PR cilium/cilium#45030, @​atykhyy)
• Fix IPsec packet drops during rolling restart with key rotation by deferring SPI advertisement until XFRM states are ready (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#44701, @​hbangT)
• Fix issue where datapath reinitialization may get stuck when triggered from the local API (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45557, @​jrife)
• Fix missing global service backends in Cluster Mesh when multiple service ports point to the same target port. (Backport PR cilium/cilium#45356, Upstream PR cilium/cilium#45179, @​RiccardoAtzori91)
• fix(egressGateway): skip unmatched gateways when using multiple gateway (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#44705, @​ieth0)
• fix(gateway-api): prevent silent disable on CRD discovery timeout (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#44662, @​aslafy-z)
• fix(ipsec): panic in parseSPI on malformed input (Backport PR cilium/cilium#45496, Upstream PR cilium/cilium#44815, @​isoyuki)
• Fixed intermittent ARP failures for LoadBalancer services caused by pointer reuse during BPF map iteration in the L2 responder reconciler. (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#45197, @​Krishnachaitanyakc)
• Fixed SocketLB returning EPERM instead of EHOSTUNREACH when a Service has no backends. (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#45185, @​chez-shanpu)
• Fixes an issue where L7 LoadBalancer and Ingress traffic would be dropped on certain kernel versions when Cilium is attached to a bridge network device. (Backport PR cilium/cilium#45755, Upstream PR cilium/cilium#45582, @​liyihuang)
• Fixes dropped packets on ingress when full header not in linear skb area (Backport PR cilium/cilium#45496, Upstream PR cilium/cilium#45195, @​javiercardona-work)
• hubble-relay: fix TLS config variable shadowing preventing cleanup on shutdown (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45085, @​Aprazor)
• policy: Fix CCG matching for duplicate label keys (Backport PR cilium/cilium#45356, Upstream PR cilium/cilium#45225, @​christarazi)
• Respect backends for BGP only when they are in state: active (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#45286, @​CallMeFoxie)
• secretsync recreate synced secret when source secret type changes (Backport PR cilium/cilium#45888, Upstream PR cilium/cilium#45721, @​ssam18)
• wireguard: clamp cilium_wg0 MTU to IPV6_MIN_MTU (1280) when IPv6 is enabled, preventing silent packet loss in tunnel+encryption mode with constrained path MTU (Backport PR cilium/cilium#45496, Upstream PR cilium/cilium#45425, @​tibrezus)

CI Changes:

• .github/workflows: skip full test suite for workflow_dispatch on dev … (Backport PR cilium/cilium#45356, Upstream PR cilium/cilium#45285, @​aanm)
• complexity-diff: Small improvements (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#45556, @​pchaigno)
• contrib: fix typo in identity_is_node.cocci (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45505, @​julianwiedmann)
• datapath/loader: Add map count to verifier complexity records (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#44652, @​dylandreimerink)
• gha/clustermesh: use OCI registry for cert-manager (Backport PR cilium/cilium#45356, Upstream PR cilium/cilium#45326, @​giorio94)
• logging: Update leader election log level override (Backport PR cilium/cilium#45496, Upstream PR cilium/cilium#45358, @​joamaki)
• Use extra power github runner if available for multi-pool CI workflow (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#45555, @​fristonio)

Misc Changes:

• cilium/cilium#45935@​ferozsalam)
• Add documentation and warnings on DNS interception (Backport PR cilium/cilium#45888, Upstream PR cilium/cilium#45525, @​ferozsalam)
• cilium/cilium#45462@​cilium-renovate[bot])

... (truncated)

Changelog

Sourced from github.com/cilium/cilium's changelog.

v1.19.4

Summary of Changes

Minor Changes:

• cilium-agent: when --k8s-service-proxy-name is set, EndpointSlices are now filtered by the service.kubernetes.io/service-proxy-name label at the watch level, matching how Services are already filtered, operators with hand-managed EndpointSlices must stamp the matching label on those slices. (Backport PR cilium/cilium#45755, Upstream PR cilium/cilium#45504, @​HadrienPatte)
• iptables-based masquerading: Ensure iptables rules respect longest prefix match by sorting routes by mask length when enable-masquerade-to-route-source is enabled (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45192, @​liyihuang)
• operator/spire: make SPIRE client configurable for ztunnel (Backport PR cilium/cilium#45356, Upstream PR cilium/cilium#44136, @​nddq)
• pkg/endpoint: skip logger rebuild on policy revision updates (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45533, @​sjohnsonpal)

Bugfixes:

• bpf: egressgw: respect egress ifindex during FIB lookup (Backport PR cilium/cilium#45695, Upstream PR cilium/cilium#45661, @​julianwiedmann)
• bpf: host: fix source identity for IPsec trace in to-netdev (Backport PR cilium/cilium#45594, Upstream PR cilium/cilium#45588, @​julianwiedmann)
• cilium-dbg: cilium map list now displays "unknown" instead of 0 for maps that do not support cache-based entry counting. (Backport PR cilium/cilium#45888, Upstream PR cilium/cilium#44951, @​skymensch)
• cilium: Fix incorrect IPv6 BIG TCP display (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45529, @​pchaigno)
• clustermesh: fails gracefully instead of crashing when EndpointSliceSync is not able to setup the EndpointSlice watch (Backport PR cilium/cilium#45496, Upstream PR cilium/cilium#45402, @​MrFreezeex)
• clustermesh: Fix Helm typo preventing to add annotations when setting clustermesh.apiserver.tls.auto.method: certmanager (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45576, @​owayss)
• Fix cilium-agent crash when a transient network error occurs during CiliumNode update. The agent now retries instead of calling Fatal. (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#44526, @​nebojsaj1726)
• Fix CiliumLocalRedirectPolicy addressMatcher overriding an existing Service's frontend when its backend pods are not yet Ready. (Backport PR cilium/cilium#45584, Upstream PR cilium/cilium#45522, @​ysksuzuki)
• Fix dedicated Ingress reconciliation panic on invalid TLS passthrough rules (Backport PR cilium/cilium#45888, Upstream PR cilium/cilium#45737, @​weizhoublue)
• Fix host L7 policy operation (Backport PR cilium/cilium#45496, Upstream PR cilium/cilium#45030, @​atykhyy)
• Fix IPsec packet drops during rolling restart with key rotation by deferring SPI advertisement until XFRM states are ready (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#44701, @​hbangT)
• Fix issue where datapath reinitialization may get stuck when triggered from the local API (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45557, @​jrife)
• Fix missing global service backends in Cluster Mesh when multiple service ports point to the same target port. (Backport PR cilium/cilium#45356, Upstream PR cilium/cilium#45179, @​RiccardoAtzori91)
• fix(egressGateway): skip unmatched gateways when using multiple gateway (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#44705, @​ieth0)
• fix(gateway-api): prevent silent disable on CRD discovery timeout (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#44662, @​aslafy-z)
• fix(ipsec): panic in parseSPI on malformed input (Backport PR cilium/cilium#45496, Upstream PR cilium/cilium#44815, @​isoyuki)
• Fixed intermittent ARP failures for LoadBalancer services caused by pointer reuse during BPF map iteration in the L2 responder reconciler. (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#45197, @​Krishnachaitanyakc)
• Fixed SocketLB returning EPERM instead of EHOSTUNREACH when a Service has no backends. (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#45185, @​chez-shanpu)
• Fixes an issue where L7 LoadBalancer and Ingress traffic would be dropped on certain kernel versions when Cilium is attached to a bridge network device. (Backport PR cilium/cilium#45755, Upstream PR cilium/cilium#45582, @​liyihuang)
• Fixes dropped packets on ingress when full header not in linear skb area (Backport PR cilium/cilium#45496, Upstream PR cilium/cilium#45195, @​javiercardona-work)
• hubble-relay: fix TLS config variable shadowing preventing cleanup on shutdown (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45085, @​Aprazor)
• policy: Fix CCG matching for duplicate label keys (Backport PR cilium/cilium#45356, Upstream PR cilium/cilium#45225, @​christarazi)
• Respect backends for BGP only when they are in state: active (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#45286, @​CallMeFoxie)
• secretsync recreate synced secret when source secret type changes (Backport PR cilium/cilium#45888, Upstream PR cilium/cilium#45721, @​ssam18)
• wireguard: clamp cilium_wg0 MTU to IPV6_MIN_MTU (1280) when IPv6 is enabled, preventing silent packet loss in tunnel+encryption mode with constrained path MTU (Backport PR cilium/cilium#45496, Upstream PR cilium/cilium#45425, @​tibrezus)

CI Changes:

• .github/workflows: skip full test suite for workflow_dispatch on dev … (Backport PR cilium/cilium#45356, Upstream PR cilium/cilium#45285, @​aanm)
• complexity-diff: Small improvements (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#45556, @​pchaigno)
• contrib: fix typo in identity_is_node.cocci (Backport PR cilium/cilium#45630, Upstream PR cilium/cilium#45505, @​julianwiedmann)
• datapath/loader: Add map count to verifier complexity records (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#44652, @​dylandreimerink)
• gha/clustermesh: use OCI registry for cert-manager (Backport PR cilium/cilium#45356, Upstream PR cilium/cilium#45326, @​giorio94)
• logging: Update leader election log level override (Backport PR cilium/cilium#45496, Upstream PR cilium/cilium#45358, @​joamaki)
• Use extra power github runner if available for multi-pool CI workflow (Backport PR cilium/cilium#45673, Upstream PR cilium/cilium#45555, @​fristonio)

Misc Changes:

• cilium/cilium#45935@​ferozsalam)
• Add documentation and warnings on DNS interception (Backport PR cilium/cilium#45888, Upstream PR cilium/cilium#45525, @​ferozsalam)

... (truncated)

Commits

• 95e477f Prepare for release v1.19.4
• c26459e Bump x/net to v0.53
• 10f57cf chore(deps): update quay.io/cilium/cilium-envoy
• 0605613 images: update cilium-{runtime,builder}
• a8783b8 chore(deps): update base-images to v1.25.10
• 0953554 Add documentation and warnings on DNS interception
• 8852fc3 Fix dedicated Ingress reconciliation panic on invalid TLS passthrough rules
• 70cc82e cilium-dbg: show "unknown" entry count for maps without cache
• 8d7c4e5 docs: add small CiliumCIDRGroup scalability callout
• 8c506f5 hive/health: return error if no status found for health tree cmd filter
• Additional commits viewable in compare view

---

Note

Medium Risk
Dependency-only PR, but it upgrades github.com/cilium/cilium and several networking/Kubernetes-related transitive modules, which could change datapath/controller behavior at runtime. Risk is mainly compatibility/regression from upstream changes rather than local code modifications.

Overview
Bumps github.com/cilium/cilium from v1.19.3 to v1.19.4 and updates go.sum accordingly.

Includes related dependency upgrades pulled in by the bump, notably golang.org/x/net, golang.org/x/crypto, golang.org/x/text, and Kubernetes k8s.io/apiserver/k8s.io/apiextensions-apiserver (indirect) patch versions.

^{Reviewed by Cursor Bugbot for commit e659cd6. Bugbot is set up for automated code reviews on this repo. Configure here.}

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.