feat(helm): update chart cilium ( 1.14.5 → 1.19.1 )

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
cilium (source)	HelmChart	minor	1.14.5 → 1.19.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

cilium/cilium (cilium)

v1.19.1

Compare Source

v1.19.0: 1.19.0

Compare Source

🎉 Release Announcement 🎉: We are excited to announce the Cilium 1.19.0 release!

A total of 2934 new commits have been contributed to this release by a growing community of over 1010 developers and over 23,600 GitHub stars! 🤩

⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the Upgrade Guide for more details.

The full changelog can be found here.

Here are some of the highlights:

• 🛡️ Network Policy

  • 🃏 Multi-Level DNS Matches: DNS Policies match pattern now support a wildcard prefix(**.) to match multilevel subdomain as pattern prefix. (cilium/cilium#43420, @​fristonio)
  • 📡 Match New Protocols: You can now match VRRP and IGMP protocols in host firewall rules. (cilium/cilium#39872, @​aditighag; cilium/cilium#41949, @​kyounghunJang)
  • ⛔ Actively Deny Connections: When Network Policies deny a connection, Cilium can return ICMPv4 "Destination unreachable" messages for a friendlier deny. (cilium/cilium#41406, @​antonipp)
  • 🌐 Select Clusters Explicitly: When network policy selectors don't explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster. (cilium/cilium#40609, @​MrFreezeex)
  • 🔧 Unlock Future Work: This release brings several internal improvements to the network policy engine in preparation for features planned in the next Cilium minor release (cilium/cilium#39906, @​vipul-21; cilium/cilium#42784, cilium/cilium#42896, @​jrajahalme)
  • ⚠️ Deprecate underutilized features: To focus on solving common problems Cilium users face, this release deprecates the Kafka protocol match fields (beta), as well as the ToRequires and FromRequires policy fields. (cilium/cilium#43167, @​sayboras; cilium/cilium#40967, @​TheBeeZee)

• 🔒 Encryption & Authentication

  • 🔐 Encryption Strict Modes: Both IPsec and WireGuard transparent encryption modes now support a "strict mode" to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode. (cilium/cilium#39239, cilium/cilium#42115, @​rgo3, @​julianwiedmann)
  • 🚇 Ztunnel Beta: You can enroll namespaces into Ztunnel, which enables TCP connections between workloads to be transparently encrypted and authenticated. (cilium/cilium#42766, cilium/cilium#42819, cilium/cilium#43227 and others, @​ldelossa, @​rgo3, @​nddq)
  • 👥 Mutual Authentication: The out-of-band Mutual Authentication feature is now disabled by default, pending community feedback. If you have a requirement for mTLS, consider trying the new Ztunnel integration. (cilium/cilium#42665, @​christarazi)
  • ↪️ Accelerate IPsec: The IPsec encryption mode now supports BPF Host Routing for faster route lookups (cilium/cilium#41997, @​pchaigno)

• 🚠 Networking

  • 🚀 BIG TCP in Tunnels: Leverage upcoming Linux support for BIG TCP when communicating over UDP-based tunnels such as VXLAN and Geneve. (cilium/cilium#43416, @​gentoo-root)
  • 🥌 Packetization-Layer Path MTU Discovery: Detect maximum transmission unit (MTU) sizes for network paths using TCP. (cilium/cilium#42012, cilium/cilium#43710, @​tommyp1ckles)
  • 🚆 IPv6 Underlay: You can now choose IPv6 for the tunnel underlay address family on dual-stack clusters. (cilium/cilium#40324, @​pchaigno)
  • 🏷️ Multi-Pool IPAM is ready for wider use: Update the Multi-Pool IPAM feature to work with IPsec and direct routing modes, and promote it from Beta to Stable. (cilium/cilium#40460, cilium/cilium#42191, @​pippolo84)
  • 🎭 More Configurable Masquerade: IP Masquerade configuration can now be customized for traffic sent to nodes in other IP subnets, and addresses in IPAM pools can be excluded from masquerade (cilium/cilium#37568, @​behzad-mir; cilium/cilium#43380, @​alimehrabikoshki)

• 🕸️ Services and Service Mesh

  • 📣 Layer-2 Announcements: Add support for Neighbor Discovery Advertisements for IPv6 Layer-2 Announcements. (cilium/cilium#39648, @​msune)
  • 🔁 IPv6 Service Loopback: Pods can now connect to themselves via a Kubernetes "loopback service" using IPv6. (cilium/cilium#39594, @​saiaunghlyanhtet)
  • ⛩️ Gateway API Enhancements: Cilium's GAMMA support now includes support for using GRPCRoute as well as HTTPRoute. (cilium/cilium#41936, @​youngnick)

• 🛣️ Border Gateway Protocol (BGP)

  • 🔌 Advertise Addresses from Interfaces: There's a new Interface BGP advertisement type that allows advertisement of IPs assigned on local interfaces. This can be useful for example in multi-homing setups, where a common node's loopback address can be advertised via multiple BGP sessions over different network interfaces. (cilium/cilium#42469, @​rastislavs)
  • ✉️ Override Source IP addresses: You can override the auto-generated BGP session source IP with the IP address applied on the configured sourceInterface to allow binding the BGP connection to the loopback address which is not tied to the specific physical interface's lifecycle (cilium/cilium#42583, @​rastislavs)
  • 🔁 Withdraw Empty Routes: Optionally withdraw BGP routes when a service has 0 endpoints, to allow balancing to a different DC/cluster with externalTrafficPolicy=Cluster (cilium/cilium#40717, @​oblazek)
  • ⚠️ Move to cilium.io/v2 API: The support for the older CiliumBGPPeeringPolicy v1 API is now removed and should be replaced with v2 APIs. (cilium/cilium#42278, @​rastislavs)

• 🛰️ Observability

  • 🔬 Trace IP Options: Configure Cilium and Hubble to trace specific packets through the cluster using IP Options. (cilium/cilium#41306, @​Bigdelle)
  • 🚩 Filter Encrypted Flows: Filter flows when using the hubble command line to understand the encryption status of the traffic, either --encrypted or --unencrypted. (cilium/cilium#43096, @​SRodi)
  • 🔖 Tag Drops with Policy Names: Hubble v1.Events drop messages now include which Network Policy caused the drop. (cilium/cilium#41693, @​41ks)

• 🌅 Performance and Scale

  • ⚡ Faster Network Policy Computation: Improve Cilium resource usage for handling selectors in network policies. (cilium/cilium#42008, @​jrajahalme; cilium/cilium#42580, @​odinuge)
  • 🔌 More Efficient Connection Tracking: Several improvements have been made to reduce the number of connections being tracked by Cilium, particularly when using Geneve, VXLAN or WireGuard. (cilium/cilium#38782, @​BenoitKnecht; cilium/cilium#41990, @​bersoare)
  • 💾 Better Scale in AWS: Reduce memory usage for cilium-operator in large AWS environments with many resources. (cilium/cilium#42529, @​liyihuang)

• ⚙️ Operations

  • 📦 Access Helm charts via Registry: Helm charts are also available under quay.io/cilium/charts/cilium (cilium/cilium#43624, @​aanm)
  • 📊 Metrics Encryption: Add TLS/mTLS support for Prometheus metrics exposed by the Cilium Operator. (cilium/cilium#42077, @​phuhung273)
  • 🤖 Easier Multi-Cluster install: There's now support for auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster Services (MCS). (cilium/cilium#40729, @​MrFreezeex)
  • 📜 Simpler Certificate Management: Streamline Cluster Mesh and Hubble certificate generation when using GitOps approaches. (cilium/cilium#42298, @​MrFreezeex)
  • 🛠️ Cilium dependencies were updated to Kubernetes v1.35, Envoy v1.35, Gateway API v1.4, and GoBGP v3.37. (cilium/cilium#43422, @​aanm; cilium/cilium#40569, @​sayboras; cilium/cilium#41936, @​youngnick; cilium/cilium#42824, @​rastislavs).

• 🏠 Community

  • ❤️ Production Case Studies: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!
  • 📰 See studies with Airbnb, Cloudera, Cybozu, ESnet, Nutanix, OVHcloud, TikTok, University of Wisconsin–Madison.
  • 🇺🇸 Atlanta Events: The community gathered at CiliumCon and the Cilium Developer Summit in Atlanta.
  • 🇳🇱 Amsterdam Events: Meet us at the upcoming CiliumCon and Cilium Developer Summit in Amsterdam, March 23-27. Read more about where to find Cilium during the show.
  • 🔟 Cilium is 10: Read the 2025 Cilium Annual Report to see the latest project milestones, a decade on from its first commit.

To keep up to date with all the latest Cilium releases, join #release 🎉

🎂❤️❤️❤️🎂
This is a very special release for Cilium, as it celebrates 10 years since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today.
🎂❤️❤️❤️🎂

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.0@​sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.0@​sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49

docker-plugin

quay.io/cilium/docker-plugin:v1.19.0@​sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50

hubble-relay

quay.io/cilium/hubble-relay:v1.19.0@​sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.0@​sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0

operator-aws

quay.io/cilium/operator-aws:v1.19.0@​sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6

operator-azure

quay.io/cilium/operator-azure:v1.19.0@​sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a

operator-generic

quay.io/cilium/operator-generic:v1.19.0@​sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648

operator

quay.io/cilium/operator:v1.19.0@​sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65

v1.18.7: 1.18.7

Compare Source

Summary of Changes

Minor Changes:

• Exclude topology.kubernetes.io labels from security labels by default (Backport PR #​43777, Upstream PR #​43725, @​moscicky)
• hubble-relay: Add hubble.relay.logOptions.format and hubble.relay.logOptions.level Helm values to configure log format (text, text-ts, json, json-ts) and level (debug, info, warn, error) (Backport PR #​44004, Upstream PR #​43644, @​puwun)

Bugfixes:

• Add permissions to the cilium-operator so that it can create EndpointSlices when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44034, Upstream PR #​43912, @​fgiloux)
• bpf: Correct refinement of inner packet L4 checksum detection (Backport PR #​43923, Upstream PR #​43868, @​br4243)
• bpf: Fix marker to skip nodeport when punting to proxy (Backport PR #​43886, Upstream PR #​43069, @​borkmann)
• clustermesh: correctly phase out not ready/not service endpoints from global services (Backport PR #​44056, Upstream PR #​43807, @​MrFreezeex)
• Fix a bug with local redirect service entries being created when backend pods weren't ready. (Backport PR #​43756, Upstream PR #​43095, @​aditighag)
• Fix ICMP error packet handling by adding the missing checksum recalculation performed during RevNAT for SNATed load-balanced traffic. (Backport PR #​43861, Upstream PR #​43196, @​yushoyamaguchi)
• Grant permissions to the cilium-operator so that it can reconcile ingresses when the when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44034, Upstream PR #​43949, @​giorio94)
• helm: Fixed RBAC errors with operator.enabled=false by aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR #​44281, Upstream PR #​44159, @​puwun)
• loadbalancer: Fix GetInstancesOfService to avoid removing an endpoint from Service A causes all requests to Service B to fail if the name of Service A is the prefix of Service B (Backport PR #​43777, Upstream PR #​43620, @​imroc)
• Reduces rtnl_mutex contention on SR-IOV nodes by not requesting VF information in netlink RTM_GETLINK operations (Backport PR #​44281, Upstream PR #​43517, @​pasteley)

CI Changes:

• fix(ctmap/gc): fix race conditions and flakiness in TestGCEnableRatchet (Backport PR #​44056, Upstream PR #​42009, @​AritraDey-Dev)
• gh: ariane: don't run cloud workflows for LVH kernel updates (Backport PR #​44148, Upstream PR #​44109, @​julianwiedmann)
• gh: ariane: skip more workflows for LVH kernel updates (Backport PR #​44148, Upstream PR #​44115, @​julianwiedmann)
• gha: let CiliumEndpointSlice migration be run nightly on stable branches (Backport PR #​44004, Upstream PR #​43921, @​giorio94)
• gke: lower scope of ESP firewall rule (Backport PR #​43865, Upstream PR #​43691, @​marseel)

Misc Changes:

• .github/workflows: use proper directory structure for GH actions (#​43760, @​aanm)
• chore(deps): update all github action dependencies (v1.18) (#​43845, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​43984, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44099, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44253, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​43839, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​43840, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​43983, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​44098, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.0 (v1.18) (#​43844, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.22.3 (v1.18) (#​44096, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to b3255e7 (v1.18) (#​44249, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e226d63 (v1.18) (#​43979, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:24.04 docker digest to cd1dba6 (v1.18) (#​43980, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to f9f84bd (v1.18) (#​44250, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.3.2 (v1.18) (#​43841, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768610924-2528359430c6adba1ab20fc8396b4effe491ed96 (v1.18) (#​43842, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29 (v1.18) (#​43981, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770265024-9828c064a10df81f1939b692b01203d88bb439e4 (v1.18) (#​44251, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de (v1.18) (#​44260, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43843, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43982, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44097, @​cilium-renovate[bot])
• docs: add helm underlayProtocol value to documentation (Backport PR #​44056, Upstream PR #​43934, @​aanm)
• docs: adjust URL to latest stable Hubble CLI version (Backport PR #​43777, Upstream PR #​43745, @​tklauser)
• docs: Document hubble requirement on kernels with BPF_EVENTS compiled in (Backport PR #​44056, Upstream PR #​44042, @​EmilyShepherd)
• docs: Update docsearch to v4.5.4 (Backport PR #​44273, Upstream PR #​44233, @​joestringer)
• Documentation: Added Helm configuration instructions for enabling and customizing metrics. (Backport PR #​44056, Upstream PR #​43481, @​suunj)
• gitattributes: make install/kubernetes driver match more specific. (Backport PR #​44056, Upstream PR #​43943, @​tommyp1ckles)
• multicast: fix nil assignment to node configuration cell.Out map (Backport PR #​43865, Upstream PR #​40859, @​ldelossa)
• workflows: Add id-token permission to call-publish-helm job (Backport PR #​43777, Upstream PR #​43717, @​aanm)

Other Changes:

• .github/workflows: remove stable from v1.18 branch (#​44153, @​aanm)
• [v1.18] Backport setup gke cluster (#​43793, @​Artyop)
• install: Update image digests for v1.18.6 (#​43714, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.7@​sha256:99b029a0a7c2224dac8c1cc3b6b3ba52af00e2ff981d927e84260ee781e9753c

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.7@​sha256:3d4512153afc5d8ceda3517f9b243619b55a67f9abaebcc92c4be2df94d43cfa

docker-plugin

quay.io/cilium/docker-plugin:v1.18.7@​sha256:e9f15016c7247dffeb2a9216cccc2ab6d36345a2504d34e319c6e9a7873bf3e9

hubble-relay

quay.io/cilium/hubble-relay:v1.18.7@​sha256:9bb9b2b1a4f4bef12a77738756cfbf970daa701e536e42f0a9c64a621bc7c9d5

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.7@​sha256:ca3f0dd26a4b447524dce51ee8ef82485a08187b840c21ce4a1398c02b5174a0

operator-aws

quay.io/cilium/operator-aws:v1.18.7@​sha256:fe56a6289afea7f6420f8de0218710ccaaa7af891df5fc180ddd33e6c7509b45

operator-azure

quay.io/cilium/operator-azure:v1.18.7@​sha256:5fb753344c84ab0989d525f789738c874f3fa8f07fbb5cfce06034d027c9728f

operator-generic

quay.io/cilium/operator-generic:v1.18.7@​sha256:244306c5e7c6b73dc7193424f46ed8a0530767b03f03baac80dd717a3a3f0ad7

operator

quay.io/cilium/operator:v1.18.7@​sha256:8aa2bb32df776b8e8f6cfb57ab3eaed5a451bc9f20f1d62a2393840fc072678f

v1.18.6: 1.18.6

Compare Source

Summary of Changes

Major Changes:

• Publish Helm charts to OCI registries (Backport PR #​43689, Upstream PR #​43624, @​aanm)

Minor Changes:

• Cilium Preflight check no longer includes Envoy Configmaps, making it easier to correctly run. (Backport PR #​43290, Upstream PR #​43153, @​youngnick)
• runtime: Add libatomic1 for cilium-envoy dependency (Backport PR #​43642, Upstream PR #​43292, @​sayboras)

Bugfixes:

• bpf:wireguard: delivery host packets to bpf_host for ingress policies (Backport PR #​43690, Upstream PR #​42892, @​smagnani96)
• cgroup: don't start watch if KPRConfig.EnableSocketLB is disabled (Backport PR #​43290, Upstream PR #​43256, @​mhofstetter)
• Fix a bug with local redirect service entries being created when backend pods weren't ready. (Backport PR #​43425, Upstream PR #​43095, @​aditighag)
• Fix an issue in proxy NOTRACK iptables rule for aws-cni chaining mode which causes proxy->upstream(outside cluster) traffic not being SNAT'd. (Backport PR #​43676, Upstream PR #​43566, @​fristonio)
• Fix GC of possible duplicated identities in kvstore mode (Backport PR #​43425, Upstream PR #​43287, @​giorio94)
• Fixes a deadlock that was causing endpoint to be stuck without progressing with any updates. (Backport PR #​43290, Upstream PR #​43242, @​marseel)
• gateway-api: correctly handle CiliumGatewayClassConfig as a namespaced resource. (Backport PR #​43290, Upstream PR #​43254, @​youngnick)
• xds: fix nil-pointer in processRequestStream (Backport PR #​43612, Upstream PR #​43609, @​mhofstetter)

CI Changes:

• bpf: tests: egressgw: enable HostFW (Backport PR #​43337, Upstream PR #​42955, @​julianwiedmann)
• bpf: tests: egressgw: install ipcache_v6_add_world_entry() (Backport PR #​43337, Upstream PR #​42988, @​julianwiedmann)
• chore: comment job to use generated token instead of PAT (Backport PR #​43612, Upstream PR #​43148, @​sekhar-isovalent)
• ci: Use newer lvh image for privileged tests (Backport PR #​43490, Upstream PR #​41082, @​rastislavs)

Misc Changes:

• .github/workflows: remove auto-requested reviewers (Backport PR #​43425, Upstream PR #​42952, @​aanm)
• Add documentation and examples for using the egressDeny field in CiliumNetworkPolicy (Backport PR #​43425, Upstream PR #​40272, @​syedazeez337)
• bpf: clear mark content before storing the cluster ID (Backport PR #​43290, Upstream PR #​43159, @​giorio94)
• bpf: prevent cluster ID from being incorrectly retrieved from mark when aliased (Backport PR #​43290, Upstream PR #​43258, @​giorio94)
• chore(deps): update all github action dependencies (v1.18) (#​43467, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​43665, @​cilium-renovate[bot])
• chore(deps): update anchore/sbom-action action to v0.21.0 (v1.18) (#​43512, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​43543, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​43664, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 2383baa (v1.18) (#​43662, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.11 docker digest to 54528d1 (v1.18) (#​43464, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.7 (v1.18) (#​43465, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.12-1767177245-7935d4d711cb6f8020385a50c996b90896e16a71 (v1.18) (#​43539, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1767794330-db497dd19e346b39d81d7b5c0dedf6c812bcc5c9 (v1.18) (#​43638, @​cilium-renovate[bot])
• chore(deps): update rhysd/actionlint docker tag to v1.7.10 (v1.18) (#​43541, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43466, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43542, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43571, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43663, @​cilium-renovate[bot])
• cmapisrv/test: miscellaneous fixes to the ciliumidentities script test (Backport PR #​43425, Upstream PR #​43372, @​giorio94)
• docs: Add missing IPv6 fragmentation BPF map reference (Backport PR #​43290, Upstream PR #​43161, @​doniacld)
• Fix a regression in the new services control plane where loadBalancerSourceRanges was applied by default to all service types. (Backport PR #​43575, Upstream PR #​42351, @​borkmann)
• operator: the K8s Secret synchronization process now resynchronizes after an hour for synced Secrets. (Backport PR #​43425, Upstream PR #​42414, @​youngnick)
• release: change OCI registry (Backport PR #​43689, Upstream PR #​43646, @​aanm)
• route: install ingress proxy routes with WireGuard and L7Proxy (Backport PR #​43434, Upstream PR #​42835, @​smagnani96)

Other Changes:

• [v1.18] bpf:hubble: support policy verdict from L3 devices (#​43381, @​smagnani96)
• [v1.18] deps: bump CNI plugins version to v1.9.0 (#​43593, @​diyi0926)
• install: Update image digests for v1.18.5 (#​43400, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.6@​sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4
quay.io/cilium/cilium:stable@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.6@​sha256:8ee142912a0e261850c0802d9256ddbe3729e1cd35c6bea2d93077f334c3cf3b
quay.io/cilium/clustermesh-apiserver:stable@sha256:8ee142912a0e261850c0802d9256ddbe3729e1cd35c6bea2d93077f334c3cf3b

docker-plugin

quay.io/cilium/docker-plugin:v1.18.6@​sha256:7931555ad713a48a28e4bf097402e0e398461dbf51b81cb8192558c5cb0dc48f
quay.io/cilium/docker-plugin:stable@sha256:7931555ad713a48a28e4bf097402e0e398461dbf51b81cb8192558c5cb0dc48f

hubble-relay

quay.io/cilium/hubble-relay:v1.18.6@​sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e
quay.io/cilium/hubble-relay:stable@sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.6@​sha256:212c4cbe27da3772bcb952b8f8cbaa0b0eef72488b52edf90ad2b32072a3ca4c
quay.io/cilium/operator-alibabacloud:stable@sha256:212c4cbe27da3772bcb952b8f8cbaa0b0eef72488b52edf90ad2b32072a3ca4c

operator-aws

quay.io/cilium/operator-aws:v1.18.6@​sha256:47dbc1a5bd483fec170dab7fb0bf2cca3585a4893675b0324d41d97bac8be5eb
quay.io/cilium/operator-aws:stable@sha256:47dbc1a5bd483fec170dab7fb0bf2cca3585a4893675b0324d41d97bac8be5eb

operator-azure

quay.io/cilium/operator-azure:v1.18.6@​sha256:a57aff47aeb32eccfedaa2a49d1af984d996d6d6de79609c232e0c4cf9ce97a1
quay.io/cilium/operator-azure:stable@sha256:a57aff47aeb32eccfedaa2a49d1af984d996d6d6de79609c232e0c4cf9ce97a1

operator-generic

quay.io/cilium/operator-generic:v1.18.6@​sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af
quay.io/cilium/operator-generic:stable@sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af

operator

quay.io/cilium/operator:v1.18.6@​sha256:0e8903aa092025918761d24ae9a91af35baa5b6910b5d0e3feac91ab8a2bc65b
quay.io/cilium/operator:stable@sha256:0e8903aa092025918761d24ae9a91af35baa5b6910b5d0e3feac91ab8a2bc65b

v1.18.5: 1.18.5

Compare Source

Summary of Changes

Minor Changes:

• [v1.18] proxy: Bump envoy version to v1.34.11 (#​43143, @​sayboras)
• Change the sidecar etcd instance of the Cluster Mesh API Server listen on all IP addresses (Backport PR #​42948, Upstream PR #​42818, @​giorio94)

Bugfixes:

• allow missing verbs for cilium-agent cluster role when readSecretsOnlyFromSecretsNamespace is false (Backport PR #​42948, Upstream PR #​42790, @​kraashen)
• AWS EC2: Fix ENI attachment on multi-network card instances with high-performance networking (EFA) setups (Backport PR #​42745, Upstream PR #​42512, @​41ks)
• CiliumEnvoyConfig proxy ports are now restored on agent restarts. (Backport PR #​43117, Upstream PR #​43108, @​jrajahalme)
• Cleanup FQDNs that have leaked into the global FQDN cache (Backport PR #​42864, Upstream PR #​42485, @​sjohnsonpal)
• Do not opt-out Endpoint ID 1 from dnsproxy transparent mode. (Backport PR #​42948, Upstream PR #​42887, @​jrajahalme)
• ENI: Fix panic on nil subnet (Backport PR #​43117, Upstream PR #​43023, @​HadrienPatte)
• Ensure cilium-agent gracefully does fallbacks when etcd is in a bad state. (Backport PR #​43059, Upstream PR #​42977, @​odinuge)
• Fix a bug that would cause Cilium to not report L4 checksum update errors when the length attribute is missing in ICMP Error messages with TCP inner packets. (Backport PR #​42828, Upstream PR #​42426, @​yushoyamaguchi)
• Fix a bug that would cause IPsec logs to incorrectly report the XFRM rules being processed as "Ingress" rules. (Backport PR #​42828, Upstream PR #​42640, @​sjohnsonpal)
• Fix agent local identity leak (Backport PR #​43117, Upstream PR #​42662, @​odinuge)
• Fix bug that could cause the agent to fail to add XFRM states when IPsec is enabled, thus preventing a proper startup. (Backport PR #​42948, Upstream PR #​42666, @​pchaigno)
• Fix GC of per-cluster ctmap entries (Backport PR #​43294, Upstream PR #​43160, @​giorio94)
• Fix ipcache issues causing severe issues with the fqdn subsystem (Backport PR #​42864, Upstream PR #​42815, @​odinuge)
• Fix issue where endpoints got stuck in "waiting-to-regenerate" (Backport PR #​42948, Upstream PR #​42856, @​odinuge)
• Fix leak in the policy subsystem (Backport PR #​43117, Upstream PR #​42661, @​odinuge)
• Fix rare kvstore issue where cilium continues to use an expired lease causing kvstore operations to fail consistently (Backport PR #​42745, Upstream PR #​42709, @​odinuge)
• fqdn: Fix fqdn subsystem correctness issues causing packet drops and inconsistent ipcache (Backport PR #​43117, Upstream PR #​42500, @​odinuge)
• In rare cases, the cilium-operator losing the lead of the HA deployment could continue acting as if leading for at most a minute, leading to split-brain problems such as double allocation of pod CIDRs. (Backport PR #​43059, Upstream PR #​42920, @​bimmlerd)
• KVStoreMesh now correctly respects the CA bundle setting when validating remote cluster certificates (Backport PR #​42828, Upstream PR #​42726, @​giorio94)
• policy: Fix rare Endpoint Selector Policy Deadlock causing policies to not be updated with new identities (Backport PR #​42864, Upstream PR #​42306, @​odinuge)
• Recreate CiliumEndpoints (k8s resource) if they are accidentally deleted. (Backport PR #​43117, Upstream PR #​42877, @​aanm)
• redirectpolicy: Avoid recomputing on pod changes that do not change resulting redirect backends (Backport PR #​42948, Upstream PR #​42814, @​joamaki)

CI Changes:

• bpf: test: add BPF Masq tests for unknown / handled protocols (Backport PR #​42711, Upstream PR #​42144, @​julianwiedmann)
• bpf: test: egressgw: fix up ENABLE_MASQUERADE (Backport PR #​42966, Upstream PR #​42912, @​julianwiedmann)
• bpf: tests: add BPF MASQ test for ICMP ECHOs (Backport PR #​42711, Upstream PR #​42656, @​julianwiedmann)
• bpf: tests: set ENABLE_MASQUERADE_IPV6 for EGW XDP test (Backport PR #​43059, Upstream PR #​42962, @​julianwiedmann)
• bpf:test: cover host endpoint case in tc_nodeport_l3_dev.h (Backport PR #​43059, Upstream PR #​42983, @​smagnani96)
• Delete .github/workflows/build-images-hotfixes.yaml (Backport PR #​42966, Upstream PR #​42958, @​sekhar-isovalent)
• gh: conn-disrupt: fix XFRM error checks (Backport PR #​42764, Upstream PR #​42724, @​julianwiedmann)
• gh: ipsec-e2e: fix flaky connection disruptivity test (Backport PR #​42823, Upstream PR [#​42780](https://redirect.github.com/cilium/cilium/issues

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[carpenike-bot]

🦙 MegaLinter status: ❌ ERROR

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
❌ COPYPASTE	jscpd	yes		2	no	1.55s
✅ REPOSITORY	git_diff	yes		no	no	0.06s
✅ REPOSITORY	secretlint	yes		no	no	3.91s
✅ YAML	prettier	1		0	0	0.4s
✅ YAML	yamllint	1		0	0	0.73s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

[carpenike-bot]

--- kubernetes/cluster-0/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/cluster-0/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -14,13 +14,13 @@

       chart: cilium
       interval: 30m
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
-      version: 1.16.4
+      version: 1.17.1
   interval: 30m
   values:
     dashboards:
       annotations:
         grafana_folder: Cilium
       enabled: true

[carpenike-bot]

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

@@ -15,261 +15,323 @@

   cilium-dashboard.json: |
     {
       "annotations": {
         "list": [
           {
             "builtIn": 1,
-            "datasource": "-- Grafana --",
+            "datasource": {
+              "type": "datasource",
+              "uid": "grafana"
+            },
             "enable": true,
             "hide": true,
             "iconColor": "rgba(0, 211, 255, 1)",
             "name": "Annotations & Alerts",
             "type": "dashboard"
           }
         ]
       },
       "description": "Dashboard for Cilium (https://cilium.io/) metrics",
       "editable": true,
-      "gnetId": null,
+      "fiscalYearStartMonth": 0,
       "graphTooltip": 1,
-      "iteration": 1606309591568,
+      "id": 1,
       "links": [],
       "panels": [
         {
-          "aliasColors": {
-            "error": "#890f02",
-            "warning": "#c15c17"
-          },
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
           "datasource": {
             "type": "prometheus",
             "uid": "${DS_PROMETHEUS}"
           },
           "fieldConfig": {
             "defaults": {
-              "custom": {}
-            },
-            "overrides": []
-          },
-          "fill": 1,
-          "fillGradient": 0,
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "axisBorderShow": false,
+                "axisCenteredZero": false,
+                "axisColorMode": "text",
+                "axisLabel": "",
+                "axisPlacement": "auto",
+                "barAlignment": 0,
+                "drawStyle": "line",
+                "fillOpacity": 10,
+                "gradientMode": "none",
+                "hideFrom": {
+                  "legend": false,
+                  "tooltip": false,
+                  "viz": false
+                },
+                "insertNulls": false,
+                "lineInterpolation": "linear",
+                "lineWidth": 1,
+                "pointSize": 5,
+                "scaleDistribution": {
+                  "type": "linear"
+                },
+                "showPoints": "never",
+                "spanNulls": false,
+                "stacking": {
+                  "group": "A",
+                  "mode": "none"
+                },
+                "thresholdsStyle": {
+                  "mode": "off"
+                }
+              },
+              "links": [],
+              "mappings": [],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  },
+                  {
+                    "color": "red",
+                    "value": 80
+                  }
+                ]
+              },
+              "unit": "opm"
+            },
+            "overrides": [
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "error"
+                },
+                "properties": [
+                  {
+                    "id": "color",
+                    "value": {
+                      "fixedColor": "#890f02",
+                      "mode": "fixed"
+                    }
+                  }
+                ]
+              },
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "warning"
+                },
+                "properties": [
+                  {
+                    "id": "color",
+                    "value": {
+                      "fixedColor": "#c15c17",
+                      "mode": "fixed"
+                    }
+                  }
+                ]
+              }
+            ]
+          },
           "gridPos": {
             "h": 5,
             "w": 12,
             "x": 0,
             "y": 0
           },
-          "hiddenSeries": false,
           "id": 76,
-          "legend": {
-            "avg": false,
-            "current": false,
-            "max": false,
-            "min": false,
-            "show": true,
-            "total": false,
-            "values": false
-          },
-          "lines": true,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
           "options": {
-            "dataLinks": []
-          },
-          "paceLength": 10,
-          "percentage": false,
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [
-            {
-              "alias": "error",
-              "yaxis": 2
-            }
-          ],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
+            "legend": {
+              "calcs": [],
+              "displayMode": "list",
+              "placement": "bottom",
+              "showLegend": true
+            },
+            "tooltip": {
+              "mode": "multi",
+              "sort": "none"
+            }
+          },
+          "pluginVersion": "10.4.3",
           "targets": [
             {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${DS_PROMETHEUS}"
+              },
+              "editorMode": "code",
               "expr": "sum(rate(cilium_errors_warnings_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m])) by (pod, level) * 60",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "{{level}}",
+              "range": true,
               "refId": "A"
             }
           ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeRegions": [],
-          "timeShift": null,
           "title": "Errors & Warnings",
-          "tooltip": {
-            "shared": true,
-            "sort": 0,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "opm",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "opm",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
+          "type": "timeseries"
         },
         {
-          "aliasColors": {
-            "avg": "#cffaff"
-          },
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
           "datasource": {
             "type": "prometheus",
             "uid": "${DS_PROMETHEUS}"
           },
           "fieldConfig": {
             "defaults": {
-              "custom": {}
-            },
-            "overrides": []
-          },
-          "fill": 0,
-          "fillGradient": 0,
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "axisBorderShow": false,
+                "axisCenteredZero": false,
+                "axisColorMode": "text",
+                "axisLabel": "",
+                "axisPlacement": "auto",
+                "barAlignment": 0,
+                "drawStyle": "line",
+                "fillOpacity": 35,
+                "gradientMode": "none",
+                "hideFrom": {
+                  "legend": false,
+                  "tooltip": false,
+                  "viz": false
+                },
+                "insertNulls": false,
+                "lineInterpolation": "linear",
+                "lineWidth": 1,
+                "pointSize": 5,
+                "scaleDistribution": {
+                  "type": "linear"
+                },
+                "showPoints": "never",
+                "spanNulls": false,
+                "stacking": {
+                  "group": "A",
+                  "mode": "none"
+                },
+                "thresholdsStyle": {
+                  "mode": "off"
+                }
+              },
+              "links": [],
+              "mappings": [],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  },
+                  {
+                    "color": "red",
+                    "value": 80
+                  }
+                ]
+              },
+              "unit": "percent"
+            },
+            "overrides": [
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "avg"
+                },
+                "properties": [
+                  {
+                    "id": "color",
+                    "value": {
+                      "fixedColor": "#cffaff",
+                      "mode": "fixed"
+                    }
+                  }
+                ]
+              },
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "max"
+                },
+                "properties": [
+                  {
+                    "id": "custom.fillBelowTo",
+                    "value": "min"
+                  },
+                  {
+                    "id": "custom.lineWidth",
+                    "value": 0
+                  }
+                ]
+              },
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "min"
+                },
+                "properties": [
+                  {
+                    "id": "custom.lineWidth",
+                    "value": 0
+                  }
+                ]
+              }
+            ]
+          },
           "gridPos": {
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -16,75 +16,85 @@

   policy-cidr-match-mode: ''
   prometheus-serve-addr: :9962
   controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
   proxy-prometheus-port: '9964'
   operator-prometheus-serve-addr: :9963
   enable-metrics: 'true'
+  enable-policy-secrets-sync: 'true'
+  policy-secrets-only-from-secrets-namespace: 'true'
+  policy-secrets-namespace: cilium-secrets
   enable-ipv4: 'true'
   enable-ipv6: 'false'
   custom-cni-conf: 'false'
   enable-bpf-clock-probe: 'false'
   enable-bpf-tproxy: 'true'
   monitor-aggregation: medium
   monitor-aggregation-interval: 5s
   monitor-aggregation-flags: all
   bpf-map-dynamic-size-ratio: '0.0025'
   bpf-policy-map-max: '16384'
   bpf-lb-map-max: '65536'
   bpf-lb-external-clusterip: 'false'
+  bpf-lb-source-range-all-types: 'false'
+  bpf-lb-algorithm-annotation: 'false'
+  bpf-lb-mode-annotation: 'false'
   bpf-events-drop-enabled: 'true'
   bpf-events-policy-verdict-enabled: 'true'
   bpf-events-trace-enabled: 'true'
   preallocate-bpf-maps: 'false'
   cluster-name: cluster-0
   cluster-id: '1'
   routing-mode: native
+  tunnel-protocol: vxlan
   service-no-backend-response: reject
   enable-l7-proxy: 'true'
   enable-ipv4-masquerade: 'true'
   enable-ipv4-big-tcp: 'false'
   enable-ipv6-big-tcp: 'false'
   enable-ipv6-masquerade: 'true'
   enable-tcx: 'true'
   datapath-mode: veth
   enable-bpf-masquerade: 'true'
   enable-masquerade-to-route-source: 'false'
   enable-xt-socket-fallback: 'true'
   install-no-conntrack-iptables-rules: 'false'
+  iptables-random-fully: 'false'
   auto-direct-node-routes: 'true'
   direct-routing-skip-unreachable: 'false'
   enable-bandwidth-manager: 'true'
   enable-bbr: 'true'
   enable-local-redirect-policy: 'true'
   ipv4-native-routing-cidr: 10.244.0.0/16
   devices: bond+
   enable-runtime-device-detection: 'true'
   kube-proxy-replacement: 'true'
   kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
   bpf-lb-sock: 'false'
-  bpf-lb-sock-terminate-pod-connections: 'false'
   nodeport-addresses: ''
   enable-health-check-nodeport: 'true'
   enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-mode: dsr
   bpf-lb-algorithm: maglev
   bpf-lb-acceleration: disabled
+  enable-experimental-lb: 'false'
   enable-svc-source-range-check: 'true'
   enable-l2-neigh-discovery: 'true'
   arping-refresh-period: 30s
   k8s-require-ipv4-pod-cidr: 'false'
   k8s-require-ipv6-pod-cidr: 'false'
   enable-endpoint-routes: 'true'
   enable-k8s-networkpolicy: 'true'
+  enable-endpoint-lockdown-on-policy-overflow: 'false'
   write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
   cni-exclusive: 'false'
   cni-log-file: /var/run/cilium/cilium-cni.log
   enable-endpoint-health-checking: 'true'
   enable-health-checking: 'true'
+  health-check-icmp-failure-threshold: '3'
   enable-well-known-identities: 'false'
   enable-node-selector-labels: 'false'
   synchronize-k8s-nodes: 'true'
   operator-api-serve-addr: 127.0.0.1:9234
   enable-hubble: 'true'
   hubble-socket-path: /var/run/cilium/hubble.sock
@@ -97,37 +107,38 @@

   hubble-listen-address: :4244
   hubble-disable-tls: 'false'
   hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
   hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
   hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
   ipam: kubernetes
+  ipam-multi-pool-pre-allocation: null
   ipam-cilium-node-update-rate: 15s
+  default-lb-service-ipam: lbipam
   egress-gateway-reconciliation-trigger-interval: 1s
   enable-vtep: 'false'
   vtep-endpoint: ''
   vtep-cidr: ''
   vtep-mask: ''
   vtep-mac: ''
   enable-bgp-control-plane: 'true'
   bgp-secrets-namespace: kube-system
+  enable-bgp-control-plane-status-report: 'true'
   procfs: /host/proc
   bpf-root: /sys/fs/bpf
   cgroup-root: /sys/fs/cgroup
   enable-k8s-terminating-endpoint: 'true'
   enable-sctp: 'false'
-  k8s-client-qps: '10'
-  k8s-client-burst: '20'
   remove-cilium-node-taints: 'true'
   set-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
   unmanaged-pod-watcher-interval: '15'
   dnsproxy-enable-transparent-mode: 'true'
   dnsproxy-socket-linger-timeout: '10'
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
-  tofqdns-endpoint-max-ip-per-hostname: '50'
+  tofqdns-endpoint-max-ip-per-hostname: '1000'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
   tofqdns-proxy-response-max-delay: 100ms
   agent-not-ready-taint-key: node.cilium.io/agent-not-ready
   mesh-auth-enabled: 'true'
   mesh-auth-queue-size: '1024'
@@ -137,15 +148,22 @@

   proxy-xff-num-trusted-hops-egress: '0'
   proxy-connect-timeout: '2'
   proxy-initial-fetch-timeout: '30'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
   proxy-idle-timeout-seconds: '60'
+  proxy-max-concurrent-retries: '128'
+  http-retry-count: '3'
   external-envoy-proxy: 'false'
   envoy-base-id: '0'
+  envoy-access-log-buffer-size: '4096'
   envoy-keep-cap-netbindservice: 'false'
   max-connected-clusters: '255'
   clustermesh-enable-endpoint-sync: 'false'
   clustermesh-enable-mcs-api: 'false'
   nat-map-stats-entries: '32'
   nat-map-stats-interval: 30s
+  enable-internal-traffic-policy: 'true'
+  enable-lb-ipam: 'true'
+  enable-non-default-deny-policies: 'true'
+  enable-source-ip-verification: 'true'
 
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-operator-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-operator-dashboard

@@ -1013,13 +1013,19 @@

       ],
       "refresh": false,
       "schemaVersion": 25,
       "style": "dark",
       "tags": [],
       "templating": {
-        "list": []
+        "list": [
+          {
+            "type": "datasource",
+            "name": "DS_PROMETHEUS",
+            "query": "prometheus"
+          }
+        ]
       },
       "time": {
         "from": "now-30m",
         "to": "now"
       },
       "timepicker": {
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-relay-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-relay-config

@@ -2,13 +2,12 @@

 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: hubble-relay-config
   namespace: kube-system
 data:
-  config.yaml: "cluster-name: cluster-0\npeer-service: \"hubble-peer.kube-system.svc.cluster.local:443\"\
-    \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\
-    \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file:\
-    \ /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key\n\
-    tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\n\
-    disable-server-tls: true\n"
+  config.yaml: "cluster-name: cluster-0\npeer-service: \"hubble-peer.kube-system.svc.cluster.local.:443\"\
+    \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\
+    \ \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt\n\
+    tls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key\ntls-hubble-server-ca-files:\
+    \ /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\ndisable-server-tls: true\n"
 
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

@@ -5,20 +5,14 @@

   name: hubble-ui-nginx
   namespace: kube-system
 data:
   nginx.conf: "server {\n    listen       8081;\n    listen       [::]:8081;\n   \
     \ server_name  localhost;\n    root /app;\n    index index.html;\n    client_max_body_size\
     \ 1G;\n\n    location / {\n        proxy_set_header Host $host;\n        proxy_set_header\
-    \ X-Real-IP $remote_addr;\n\n        # CORS\n        add_header Access-Control-Allow-Methods\
-    \ \"GET, POST, PUT, HEAD, DELETE, OPTIONS\";\n        add_header Access-Control-Allow-Origin\
-    \ *;\n        add_header Access-Control-Max-Age 1728000;\n        add_header Access-Control-Expose-Headers\
-    \ content-length,grpc-status,grpc-message;\n        add_header Access-Control-Allow-Headers\
-    \ range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout;\n\
-    \        if ($request_method = OPTIONS) {\n            return 204;\n        }\n\
-    \        # /CORS\n\n        location /api {\n            proxy_http_version 1.1;\n\
-    \            proxy_pass_request_headers on;\n            proxy_hide_header Access-Control-Allow-Origin;\n\
-    \            proxy_pass http://127.0.0.1:8090;\n        }\n        location /\
-    \ {\n            # double `/index.html` is required here \n            try_files\
-    \ $uri $uri/ /index.html /index.html;\n        }\n\n        # Liveness probe\n\
-    \        location /healthz {\n            access_log off;\n            add_header\
-    \ Content-Type text/plain;\n            return 200 'ok';\n        }\n    }\n}"
+    \ X-Real-IP $remote_addr;\n\n        location /api {\n            proxy_http_version\
+    \ 1.1;\n            proxy_pass_request_headers on;\n            proxy_pass http://127.0.0.1:8090;\n\
+    \        }\n        location / {\n            # double `/index.html` is required\
+    \ here \n            try_files $uri $uri/ /index.html /index.html;\n        }\n\
+    \n        # Liveness probe\n        location /healthz {\n            access_log\
+    \ off;\n            add_header Content-Type text/plain;\n            return 200\
+    \ 'ok';\n        }\n    }\n}"
 
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

@@ -53,12 +53,13 @@

   - update
   - patch
 - apiGroups:
   - ''
   resources:
   - namespaces
+  - secrets
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - ''
@@ -135,12 +136,19 @@

   - update
   - get
   - list
   - watch
   - delete
   - patch
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumbgpclusterconfigs/status
+  - ciliumbgppeerconfigs/status
+  verbs:
+  - update
 - apiGroups:
   - apiextensions.k8s.io
   resources:
   - customresourcedefinitions
   verbs:
   - create
@@ -181,12 +189,13 @@

   resources:
   - ciliumloadbalancerippools
   - ciliumpodippools
   - ciliumbgppeeringpolicies
   - ciliumbgpclusterconfigs
   - ciliumbgpnodeconfigoverrides
+  - ciliumbgppeerconfigs
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - cilium.io
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,24 +16,24 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 8ccc775e2ade7492a5090bf955129e170af9722b95dc3de1354260d62070c197
+        cilium.io/cilium-configmap-checksum: 03e23c0db04fae9cea471e30c79b753b96681c763707d8eba4ced33c992293ca
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -177,12 +177,15 @@

           mountPath: /sys/fs/bpf
           mountPropagation: HostToContainer
         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
         - name: cilium-run
           mountPath: /var/run/cilium
+        - name: cilium-netns
+          mountPath: /var/run/cilium/netns
+          mountPropagation: HostToContainer
         - name: etc-cni-netd
           mountPath: /host/etc/cni/net.d
         - name: clustermesh-secrets
           mountPath: /var/lib/cilium/clustermesh
           readOnly: true
         - name: lib-modules
@@ -194,13 +197,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -219,13 +222,13 @@

           value: '6443'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -249,13 +252,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -265,13 +268,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -313,13 +316,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
@@ -356,12 +359,16 @@

       - name: tmp
         emptyDir: {}
       - name: cilium-run
         hostPath:
           path: /var/run/cilium
           type: DirectoryOrCreate
+      - name: cilium-netns
+        hostPath:
+          path: /var/run/netns
+          type: DirectoryOrCreate
       - name: bpf-maps
         hostPath:
           path: /sys/fs/bpf
           type: DirectoryOrCreate
       - name: hostproc
         hostPath:
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,22 +20,22 @@

       maxSurge: 25%
       maxUnavailable: 50%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 8ccc775e2ade7492a5090bf955129e170af9722b95dc3de1354260d62070c197
+        cilium.io/cilium-configmap-checksum: 03e23c0db04fae9cea471e30c79b753b96681c763707d8eba4ced33c992293ca
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
+        image: quay.io/cilium/operator-generic:v1.17.1@sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -17,13 +17,13 @@

     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/hubble-relay-configmap-checksum: 0304f6d69709901711287ed1079c2bd4a53ac354ededf278efd9a91cc8c9e3ec
+        cilium.io/hubble-relay-configmap-checksum: 80f4142b3824a92f96a2d629a0d772c3b7b2cb628da842e4f52dded4638c8587
       labels:
         k8s-app: hubble-relay
         app.kubernetes.io/name: hubble-relay
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
+        image: quay.io/cilium/hubble-relay:v1.17.1@sha256:397e8fbb188157f744390a7b272a1dec31234e605bcbe22d8919a166d202a3dc
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

@@ -17,13 +17,13 @@

     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/hubble-ui-nginx-configmap-checksum: e8acee96ed990156efd0291c8c33709d2c7902d2ec993eefa16c7cd3d1a9d84b
+        cilium.io/hubble-ui-nginx-configmap-checksum: de069d2597e16e4de004ce684b15d74b2ab6051c717ae073d86199a76d91fcf1
       labels:
         k8s-app: hubble-ui
         app.kubernetes.io/name: hubble-ui
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
--- HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent

+++ HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent

@@ -6,13 +6,13 @@

   namespace: kube-system
   labels:
     app.kubernetes.io/part-of: cilium
 spec:
   selector:
     matchLabels:
-      k8s-app: cilium
+      app.kubernetes.io/name: cilium-agent
   namespaceSelector:
     matchNames:
     - kube-system
   endpoints:
   - port: metrics
     interval: 10s
--- HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets

+++ HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets

@@ -0,0 +1,8 @@

+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets

@@ -0,0 +1,19 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-operator-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - update
+  - patch
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+  name: cilium
+  namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-operator-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-operator-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+  name: cilium-operator
+  namespace: kube-system
+