feat(helm): update chart cilium to 1.16.6

[renovate]

This PR contains the following updates:

Package	Update	Change
cilium (source)	minor	1.15.4 -> 1.16.6

---

Release Notes

cilium/cilium (cilium)

v1.16.6: 1.16.6

Compare Source

Summary of Changes

Major Changes:

• Add feature tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​35852, @​aanm)
• Add feature tracking in Cilium Operator as prometheus metrics (Backport PR #​36263, Upstream PR #​36077, @​aanm)

Minor Changes:

• envoy: Use yaml format for bootstrap config (Backport PR #​36782, Upstream PR #​36820, @​sayboras)
• Reject CNP/CCNP with CIDR rules where CIDRGroupRef is used in combination with ExceptCIDRs (#​36561, @​pippolo84)
• service: Cap number of backends included in monitor message (Backport PR #​36635, Upstream PR #​36394, @​joamaki)

Bugfixes:

• cilium: LB source ranges fixes (Backport PR #​36635, Upstream PR #​36517, @​borkmann)
• eni.subnetTagsFilter and eni.instanceTagsFilter are now templated to comma separated string (Backport PR #​36872, Upstream PR #​36617, @​sderoe)
• envoy: Configure internal address config based on IP family (Backport PR #​36782, Upstream PR #​36733, @​sayboras)
• Fix connectivity issue caused by stale cilium eBPF program when using --bpf-filter-priority (Backport PR #​36635, Upstream PR #​36176, @​tamilmani1989)
• metrics/features: remove reporting metrics' defaults by default (Backport PR #​36263, Upstream PR #​36298, @​aanm)
• pkg/redirectpolicy: Fix backend slices in processConfig (Backport PR #​36872, Upstream PR #​35496, @​Sm0ckingBird)
• ui: drop CORS headers from api response (Backport PR #​36872, Upstream PR #​35762, @​geakstr)

CI Changes:

• [v1.16] .github: Remove CI Fuzz workflow (#​36641, @​joestringer)
• [v1.16] gh: e2e-upgrade: use 6.12 kernel for netkit test configs (#​36620, @​julianwiedmann)
• [v1.16] gha: use /test to trigger tests in stable branches (#​36673, @​giorio94)
• ci: fix job names for various ci workflows (Backport PR #​36263, Upstream PR #​36397, @​marseel)
• Extend the check-ipsec-leak bpftrace script to capture additional details of leaked packets (Backport PR #​36872, Upstream PR #​33398, @​giorio94)
• gh: e2e-upgrade: add coverage for 6.6 kernel (Backport PR #​36988, Upstream PR #​36626, @​julianwiedmann)
• gh: e2e-upgrade: de-renovate the config example (Backport PR #​36635, Upstream PR #​36463, @​julianwiedmann)
• gha: drop leftover token parameter in net-perf-gke workflow (#​36684, @​giorio94)
• gha: fix merging of features-related artifacts (#​36665, @​giorio94)
• gha: merge artifacts in net-perf-gke workflow (Backport PR #​36263, Upstream PR #​36236, @​giorio94)
• gha: Use ubuntu-24.04 for integration-test (Backport PR #​36659, Upstream PR #​36628, @​sayboras)

Misc Changes:

• .github/workflows: always install cilium-cli (Backport PR #​36263, Upstream PR #​36234, @​aanm)
• .github/workflows: do not fail ginkgo if unable to fetch features (Backport PR #​36263, Upstream PR #​36461, @​aanm)
• .github: fix conformance-k8s NP test (Backport PR #​36263, Upstream PR #​36355, @​aanm)
• [v1.16] Use bash syntax to consume env variable (#​36636, @​ferozsalam)
• Add more features tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​36078, @​aanm)
• Add policy-related features tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​36203, @​aanm)
• Add the tls:// prefix in the Hubble TLS doc (Backport PR #​36635, Upstream PR #​36410, @​liyihuang)
• chore(deps): update all github action dependencies (v1.16) (#​36612, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36762, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36950, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​37099, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (patch) (#​36760, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36707, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36787, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36949, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​37033, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.16) (#​36895, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.36.1 docker digest to 7c3c3ce (v1.16) (#​36609, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.10 docker digest to 1a6e657 (v1.16) (#​36850, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.10 docker digest to 9855006 (v1.16) (#​36610, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.11 (v1.16) (#​37045, @​cilium-renovate[bot])
• chore(deps): update helm/kind-action action to v1.12.0 (v1.16) (#​36839, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36611, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36699, @​cilium-renovate[bot])
• doc: fix typo on kubeproxy-free (CEV -> CVE) (Backport PR #​36872, Upstream PR #​36701, @​alagoutte)
• docs: Add missing default identity label in the description of identity-relevant labels' example (Backport PR #​36635, Upstream PR #​36558, @​liyihuang)
• docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (Backport PR #​36635, Upstream PR #​36549, @​verysonglaa)
• Ensure debug symbols are generated for the debug image even when stripping symbols for the release image. (Backport PR #​36635, Upstream PR #​36417, @​EricMountain)
• Fix make -C Documentation update-cmdref when make uses --jobserver-style=fifo. (Backport PR #​36872, Upstream PR #​36788, @​gentoo-root)
• fix(deps): update module golang.org/x/net to v0.33.0 [security] (v1.16) (#​36711, @​cilium-renovate[bot])
• ingress, gateway-api: Convert test fixtures to file based (Backport PR #​36782, Upstream PR #​36732, @​sayboras)
• metrics/features: enable ClusterMesh (Backport PR #​36263, Upstream PR #​36402, @​aanm)
• metrics/features: refactor metric names (Backport PR #​36263, Upstream PR #​36209, @​aanm)
• Prepare for release v1.16.6 (#​36989, @​cilium-release-bot[bot])
• Remove reference to DNS polling (Backport PR #​36872, Upstream PR #​36679, @​JacobHenner)

Other Changes:

• [v1.16] author backport: helm: avoid setting bpf-lb-sock-terminate-pod-connections (#​36650, @​ysksuzuki)
• install: Update image digests for v1.16.5 (#​36671, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.6@​sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
quay.io/cilium/cilium:stable@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.6@​sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a
quay.io/cilium/clustermesh-apiserver:stable@sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a

docker-plugin

quay.io/cilium/docker-plugin:v1.16.6@​sha256:f8f5833a60900b0264fd8982b11329e130c1a326afe2e4653e9f2d2e3fb2af66
quay.io/cilium/docker-plugin:stable@sha256:f8f5833a60900b0264fd8982b11329e130c1a326afe2e4653e9f2d2e3fb2af66

hubble-relay

quay.io/cilium/hubble-relay:v1.16.6@​sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b
quay.io/cilium/hubble-relay:stable@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.6@​sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9
quay.io/cilium/operator-alibabacloud:stable@sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9

operator-aws

quay.io/cilium/operator-aws:v1.16.6@​sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d
quay.io/cilium/operator-aws:stable@sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d

operator-azure

quay.io/cilium/operator-azure:v1.16.6@​sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd
quay.io/cilium/operator-azure:stable@sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd

operator-generic

quay.io/cilium/operator-generic:v1.16.6@​sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
quay.io/cilium/operator-generic:stable@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc

operator

quay.io/cilium/operator:v1.16.6@​sha256:09ab2878e103fa32a00fd1fe4469f7042cfb053627b44c82fa03a04a820c0b46
quay.io/cilium/operator:stable@sha256:09ab2878e103fa32a00fd1fe4469f7042cfb053627b44c82fa03a04a820c0b46

v1.16.5: 1.16.5

Compare Source

Summary of Changes

Minor Changes:

• hubble: Stop building 32-bit binaries (Backport PR #​36066, Upstream PR #​35974, @​michi-covalent)

Bugfixes:

• Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (Backport PR #​36540, Upstream PR #​36484, @​julianwiedmann)
• bgp: fix race in bgp stores (Backport PR #​36066, Upstream PR #​35971, @​harsimran-pabla)
• BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR #​36286, Upstream PR #​36230, @​rastislavs)
• BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR #​36286, Upstream PR #​36165, @​rastislavs)
• Cilium agent now waits until endpoints have restored before starting accepting new xDS streams. (Backport PR #​36049, Upstream PR #​35984, @​jrajahalme)
• Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (Backport PR #​36462, Upstream PR #​36252, @​bimmlerd)
• cilium-health-ep controller is made to be more robust against successive failures. (Backport PR #​36066, Upstream PR #​35936, @​jrajahalme)
• DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (Backport PR #​36468, Upstream PR #​36142, @​jrajahalme)
• Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (Backport PR #​36049, Upstream PR #​36060, @​jrajahalme)
• Fix an issue where pod-to-world traffic goes up stack when BPF host routing is enabled with tunnel. (Backport PR #​35861, Upstream PR #​35098, @​jschwinger233)
• Fix identity leak for kvstore identity mode (Backport PR #​36066, Upstream PR #​34893, @​odinuge)
• Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (Backport PR #​36302, Upstream PR #​36292, @​giorio94)
• gateway-api: Fix gateway checks for namespace (Backport PR #​36462, Upstream PR #​35452, @​sayboras)
• gha: Remove hostLegacyRouting in clustermesh (Backport PR #​36357, Upstream PR #​35418, @​sayboras)
• helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (Backport PR #​36066, Upstream PR #​36005, @​devodev)
• hubble: consistently use v as prefix for the Hubble version (Backport PR #​36286, Upstream PR #​35891, @​rolinh)
• iptables: Fix data race in iptables manager (Backport PR #​36066, Upstream PR #​35902, @​pippolo84)
• lrp: update LRP services with stale backends on agent restart (Backport PR #​36106, Upstream PR #​36036, @​ysksuzuki)
• policy: Fix bug that allowed port ranges to be attached to L7 policies, which is not permitted. (#​36050, @​nathanjsweet)
• Unbreak the cilium-dbg preflight migrate-identity command (Backport PR #​36286, Upstream PR #​36089, @​giorio94)
• Use strconv.Itoa instead of string() for the correct behavior when converting kafka.ErrorCode from int32 to string. Add relevant unit tests for Kafka plugin and handler. (Backport PR #​36066, Upstream PR #​35856, @​nddq)

CI Changes:

• [v1.16] ci: modularize chart CI push workflow (#​35958, @​ferozsalam)
• gh: conformance-clustermesh: test with IPsec + BPF NodePort (Backport PR #​36462, Upstream PR #​36384, @​julianwiedmann)
• gha: configure environment in build-images-base/image-digests job (Backport PR #​36462, Upstream PR #​36318, @​giorio94)
• node_local_store: prevent racey tests while using mock node store. (Backport PR #​36066, Upstream PR #​35945, @​tommyp1ckles)
• Remove unnecessary hubble port-forward commands (Backport PR #​36066, Upstream PR #​33523, @​michi-covalent)

Misc Changes:

• [v1.16] docs: egress masquerade selector (#​36333, @​viktor-kurchenko)
• [v1.16] images: bump cni plugins to v1.6.0 (#​36092, @​ferozsalam)
• bugtool: dump tail-call map for bpf_wireguard (Backport PR #​36286, Upstream PR #​36183, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.16) (#​36155, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36275, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36443, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (patch) (#​36277, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35546, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36152, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36279, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36444, @​cilium-renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.16) (#​36153, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.9 docker digest to 147f428 (v1.16) (#​36222, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.10 (v1.16) (#​36441, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1732605705-2aa20ee3acb68cd38d57669af19508bea8f0ba62 (v1.16) (#​36180, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 (v1.16) (#​36495, @​cilium-renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241129.013349 (v1.16) (#​36278, @​cilium-renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241206.013345 (v1.16) (#​36442, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36154, @​cilium-renovate[bot])
• docs: Add the tls:// prefix before the IP address (Backport PR #​36286, Upstream PR #​36118, @​liyihuang)
• docs: Fix typo in multi-pool section title (Backport PR #​36312, Upstream PR #​36305, @​joestringer)
• docs: In k0s guide, remove dashes to fix invalid Bash variable names. (Backport PR #​36066, Upstream PR #​35923, @​yilas)
• docs: lrp: fix kernel version requirement for skipRedirectFromBackend (Backport PR #​36066, Upstream PR #​35921, @​ysksuzuki)
• docs: system-requirements: require 5.4 kernel (Backport PR #​36462, Upstream PR #​36386, @​julianwiedmann)
• docs: WireGuard doesn't require overlay port in Network Firewalls (Backport PR #​36286, Upstream PR #​36208, @​julianwiedmann)
• Endpoint populate new policymap early if empty (Backport PR #​36479, Upstream PR #​36361, @​jrajahalme)
• envoy: Configure internal_address_config to avoid warning log (Backport PR #​36015, Upstream PR #​35943, @​sayboras)
• envoy: Pass tofqdns-proxy-response-max-delay to Envoy (Backport PR #​36468, Upstream PR #​36330, @​jrajahalme)
• fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (v1.16) (#​36530, @​cilium-renovate[bot])
• Fixed BGP documentation (Backport PR #​36066, Upstream PR #​35953, @​seadog007)
• images: Use cilium-builder image instead of golang to build hubble (Backport PR #​36312, Upstream PR #​35697, @​learnitall)
• lrp: fix kernel version requirement in warning log (Backport PR #​36286, Upstream PR #​36141, @​ysksuzuki)
• Makefile: fix swagger definition for automatic renovate updates (Backport PR #​36066, Upstream PR #​35979, @​aanm)
• proxy: Take proxy port reference for new redirects immediately (Backport PR #​36468, Upstream PR #​36435, @​jrajahalme)
• proxyports: Resolve data races in test (Backport PR #​36468, Upstream PR #​36399, @​jrajahalme)
• proxyports: Sleep a bit longer in tests (Backport PR #​36468, Upstream PR #​36389, @​jrajahalme)
• Remove duplicated watch on services and endpoint in the cilium-agent (Backport PR #​36066, Upstream PR #​35838, @​MrFreezeex)
• Rework error handling logic in neighbor discovery (Backport PR #​36093, Upstream PR #​35144, @​pippolo84)
• Silence spurious clustermesh-related warnings (Backport PR #​36225, Upstream PR #​35867, @​giorio94)
• Update documentation for egress masquerading behavior (Backport PR #​36462, Upstream PR #​36267, @​liyihuang)

Other Changes:

• [1.16] ci/ipsec-upgrade: increase cilium status wait duration (#​36082, @​harsimran-pabla)
• [v1.16] cilium, service: Fix checkLBSrcRange propagation to LB map (#​36511, @​borkmann)
• install: Update image digests for v1.16.4 (#​36047, @​cilium-release-bot[bot])
• jrajahalme/v1.16 cilium cli (#​36541, @​jrajahalme)
• Revert "workflows/ipsec: Cover Ingress" (#​36116, @​harsimran-pabla)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.5@​sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
quay.io/cilium/cilium:stable@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.5@​sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958
quay.io/cilium/clustermesh-apiserver:stable@sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958

docker-plugin

quay.io/cilium/docker-plugin:v1.16.5@​sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768
quay.io/cilium/docker-plugin:stable@sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768

hubble-relay

quay.io/cilium/hubble-relay:v1.16.5@​sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00
quay.io/cilium/hubble-relay:stable@sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.5@​sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0
quay.io/cilium/operator-alibabacloud:stable@sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0

operator-aws

quay.io/cilium/operator-aws:v1.16.5@​sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476
quay.io/cilium/operator-aws:stable@sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476

operator-azure

quay.io/cilium/operator-azure:v1.16.5@​sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9
quay.io/cilium/operator-azure:stable@sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9

operator-generic

quay.io/cilium/operator-generic:v1.16.5@​sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039
quay.io/cilium/operator-generic:stable@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039

operator

quay.io/cilium/operator:v1.16.5@​sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940
quay.io/cilium/operator:stable@sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940

v1.16.4: 1.16.4

Compare Source

Security Advisories

This release addresses GHSA-xg58-75qf-9r67.

Summary of Changes

Minor Changes:

• Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR #​35908, Upstream PR #​35809, @​jrajahalme)
• clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR #​35543, Upstream PR #​35349, @​giorio94)
• helm: Lower default hubble.tls.auto.certValidityDuration to 365 days (Backport PR #​35781, Upstream PR #​35630, @​chancez)
• helm: New socketLB.tracing flag (Backport PR #​35781, Upstream PR #​35747, @​pchaigno)
• hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR #​35781, Upstream PR #​35632, @​chancez)
• netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport PR #​35543, Upstream PR #​35306, @​jrife)

Bugfixes:

• Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR #​35468, Upstream PR #​35179, @​wedaly)
• bgpv1: fix reconciliation of services with shared VIPs (Backport PR #​35468, Upstream PR #​35333, @​rastislavs)
• bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR #​35863, Upstream PR #​35690, @​YutaroHayakawa)
• bgpv2: set local peering address when specified (Backport PR #​35781, Upstream PR #​35552, @​harsimran-pabla)
• Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport PR #​35603, Upstream PR #​35150, @​jrajahalme)
• Cilium's DNS proxy no longer gets stuck for a specific five-tuple if an timeout waiting for response error is encountered. (Backport PR #​35781, Upstream PR #​35589, @​bimmlerd)
• config: Remove superfluous warning on native routing CIDR (Backport PR #​35781, Upstream PR #​35738, @​gandro)
• Fix missing flowlabel hash on SRv6 traffic. (Backport PR #​35781, Upstream PR #​35498, @​akaliwod)
• Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR #​35543, Upstream PR #​35173, @​smagnani96)
• Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport PR #​35781, Upstream PR #​35673, @​giorio94)
• Fix redirect from L3 device to remote endpoint via overlay network. (Backport PR #​35468, Upstream PR #​35165, @​julianwiedmann)
• Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR #​35908, Upstream PR #​35694, @​julianwiedmann)
• Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport PR #​35781, Upstream PR #​35599, @​squeed)
• Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport PR #​35543, Upstream PR #​35293, @​squeed)
• Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport PR #​35906, Upstream PR #​35890, @​squeed)
• Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (#​35611, @​pippolo84)
• helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport PR #​35319, Upstream PR #​35301, @​hox)
• helm: fix duplicate configmap key for bpf-lb-sock-terminate-pod-connections (Backport PR #​35781, Upstream PR #​35703, @​solidDoWant)
• helm: set automountServiceAccountToken to false for hubble-relay sa (Backport PR #​35781, Upstream PR #​35674, @​ayuspin)
• hubble: fix endpoint cluster name (Backport PR #​35781, Upstream PR #​35415, @​kaworu)
• hubble: Lock exporters while gathering metrics (Backport PR #​35908, Upstream PR #​35860, @​joestringer)
• Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for them. (Backport PR #​35781, Upstream PR #​35143, @​jrajahalme)
• ipam: Validate CiliumNode resource in ENI mode (Backport PR #​35792, Upstream PR #​35784, @​sayboras)
• l7lb: fix registration of flag loadbalancer-l7 (Backport PR #​35781, Upstream PR #​35623, @​mhofstetter)
• Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport PR #​35319, Upstream PR #​35069, @​chancez)
• option: Reduce log level for WG strict mode + IPv6 (Backport PR #​35908, Upstream PR #​35763, @​pchaigno)
• Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (Backport PR #​35468, Upstream PR #​35381, @​jrajahalme)
• treewide: Add wrapper for netlink functions that may fail with ErrDumpInterrupted (Backport PR #​35654, Upstream PR #​35614, @​gandro)
• wireguard: Fix connectivity issues following node reboots. (Backport PR #​35908, Upstream PR #​35750, @​jrife)

CI Changes:

• .github/conformance-ginkgo: replace deprecated jq flag (Backport PR #​35468, Upstream PR #​35399, @​aanm)
• .github: extend timeout for tests-ipsec-upgrade workflow (Backport PR #​35781, Upstream PR #​35657, @​rastislavs)
• .github: remove libncurses5 from integration tests (Backport PR #​35468, Upstream PR #​35408, @​aanm)
• [v1.16] gh: e2e-upgrade: restart LRP backend pod after upgrade (#​35329, @​ysksuzuki)
• [v1.16] github: update rhel8 LVH image to rhel8.6 (#​35733, @​julianwiedmann)
• Additionally test KVStore mode in E2E/IPSec workflows (Backport PR #​35905, Upstream PR #​35679, @​giorio94)
• ci: conformance-kind: re-enable flaky Aggregator test (Backport PR #​35582, Upstream PR #​35286, @​julianwiedmann)
• ci: datapath-verifier: bump lvh images (Backport PR #​35648, Upstream PR #​35456, @​julianwiedmann)
• gha: Update chmod command (Backport PR #​35468, Upstream PR #​35400, @​sayboras)
• github: Pass the workflow step timeout to go test (Backport PR #​35908, Upstream PR #​35814, @​jrajahalme)
• Refactor and set a default for GH_RUNNER_EXTRA_POWER (Backport PR #​35319, Upstream PR #​35267, @​aanm)
• workflows/gateway-api: Cover IPsec with GatewayAPI (Backport PR #​35908, Upstream PR #​35584, @​pchaigno)
• workflows/ingress: Run basic checks (Backport PR #​35908, Upstream PR #​35683, @​pchaigno)
• workflows/ipsec: Cover Ingress (Backport PR #​35908, Upstream PR #​35476, @​pchaigno)
• workflows: Extend IPsec tests to cover egress gateway (Backport PR #​35540, Upstream PR #​35323, @​pchaigno)

Misc Changes:

• .github/build-images-base: checkout base branch to get scripts (Backport PR #​35319, Upstream PR #​35236, @​aanm)
• .github: remove retention days for image digests (Backport PR #​35468, Upstream PR #​35457, @​aanm)
• bpf: vxlan helper improvements (Backport PR #​35543, Upstream PR #​34755, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.16) (#​35382, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35439, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35573, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35710, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35438, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.16) (#​35730, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.8 docker digest to b274ff1 (v1.16) (#​35379, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.9 (v1.16) (#​35854, @​cilium-renovate[bot])
• chore(deps): update quay.io/cili

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

--- kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
-      version: 1.15.4
+      version: 1.16.6
   install:
     remediation:
       retries: 3
   interval: 30m
   maxHistory: 2
   uninstall:

[github-actions]

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -117,12 +117,15 @@

   tofqdns-proxy-response-max-delay: 100ms
   agent-not-ready-taint-key: node.cilium.io/agent-not-ready
   mesh-auth-enabled: 'true'
   mesh-auth-queue-size: '1024'
   mesh-auth-rotated-identities-queue-size: '1024'
   mesh-auth-gc-interval: 5m0s
+  proxy-xff-num-trusted-hops-ingress: '0'
+  proxy-xff-num-trusted-hops-egress: '0'
   proxy-connect-timeout: '2'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
+  proxy-idle-timeout-seconds: '60'
   external-envoy-proxy: 'false'
   max-connected-clusters: '255'
 
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,23 +16,24 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 9a88ebc9addecebb31605eabe7b93078c76cf3fa4508e6ad4402b2c07ffb7d75
-        container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
-        container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
+        cilium.io/cilium-configmap-checksum: 57637ef49675b15e79541fe0876415662801fb1d7e0e145bca767e7a30a47f4d
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
+      securityContext:
+        appArmorProfile:
+          type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.15.4@sha256:b760a4831f5aab71c711f7537a107b751d0d0ce90dd32d8b358df3c5da385426
+        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -181,13 +182,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.15.4@sha256:b760a4831f5aab71c711f7537a107b751d0d0ce90dd32d8b358df3c5da385426
+        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -205,14 +206,44 @@

         - name: KUBERNETES_SERVICE_PORT
           value: '6443'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
+      - name: apply-sysctl-overwrites
+        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: BIN_PATH
+          value: /opt/cni/bin
+        command:
+        - sh
+        - -ec
+        - |
+          cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
+          nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
+          rm /hostbin/cilium-sysctlfix
+        volumeMounts:
+        - name: hostproc
+          mountPath: /hostproc
+        - name: cni-path
+          mountPath: /hostbin
+        terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          seLinuxOptions:
+            level: s0
+            type: spc_t
+          capabilities:
+            add:
+            - SYS_ADMIN
+            - SYS_CHROOT
+            - SYS_PTRACE
+            drop:
+            - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.15.4@sha256:b760a4831f5aab71c711f7537a107b751d0d0ce90dd32d8b358df3c5da385426
+        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -222,13 +253,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.15.4@sha256:b760a4831f5aab71c711f7537a107b751d0d0ce90dd32d8b358df3c5da385426
+        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -270,13 +301,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.15.4@sha256:b760a4831f5aab71c711f7537a107b751d0d0ce90dd32d8b358df3c5da385426
+        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
@@ -318,12 +349,16 @@

           path: /var/run/cilium
           type: DirectoryOrCreate
       - name: bpf-maps
         hostPath:
           path: /sys/fs/bpf
           type: DirectoryOrCreate
+      - name: hostproc
+        hostPath:
+          path: /proc
+          type: Directory
       - name: cilium-cgroup
         hostPath:
           path: /sys/fs/cgroup
           type: DirectoryOrCreate
       - name: cni-path
         hostPath:
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,24 +20,24 @@

       maxSurge: 25%
       maxUnavailable: 50%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 9a88ebc9addecebb31605eabe7b93078c76cf3fa4508e6ad4402b2c07ffb7d75
+        cilium.io/cilium-configmap-checksum: 57637ef49675b15e79541fe0876415662801fb1d7e0e145bca767e7a30a47f4d
         prometheus.io/port: '9963'
         prometheus.io/scrape: 'true'
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.15.4@sha256:404890a83cca3f28829eb7e54c1564bb6904708cdb7be04ebe69c2b60f164e9a
+        image: quay.io/cilium/operator-generic:v1.15.7@sha256:6840a6dde703b3e73dd31e03390327a9184fcb888efbad9d9d098d65b9035b54
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.15.4@sha256:03ad857feaf52f1b4774c29614f42a50b370680eb7d0bfbc1ae065df84b1070a
+        image: quay.io/cilium/hubble-relay:v1.15.7@sha256:12870e87ec6c105ca86885c4ee7c184ece6b706cc0f22f63d2a62a9a818fd68f
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

@@ -23,19 +23,23 @@

         cilium.io/hubble-ui-nginx-configmap-checksum: e8acee96ed990156efd0291c8c33709d2c7902d2ec993eefa16c7cd3d1a9d84b
       labels:
         k8s-app: hubble-ui
         app.kubernetes.io/name: hubble-ui
         app.kubernetes.io/part-of: cilium
     spec:
+      securityContext:
+        fsGroup: 1001
+        runAsGroup: 1001
+        runAsUser: 1001
       priorityClassName: null
       serviceAccount: hubble-ui
       serviceAccountName: hubble-ui
       automountServiceAccountToken: true
       containers:
       - name: frontend
-        image: quay.io/cilium/hubble-ui:v0.13.0@sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666
+        image: quay.io/cilium/hubble-ui:v0.13.1@sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
           containerPort: 8081
         livenessProbe:
           httpGet:
@@ -50,13 +54,13 @@

           mountPath: /etc/nginx/conf.d/default.conf
           subPath: nginx.conf
         - name: tmp-dir
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: backend
-        image: quay.io/cilium/hubble-ui-backend:v0.13.0@sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803
+        image: quay.io/cilium/hubble-ui-backend:v0.13.1@sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b
         imagePullPolicy: IfNotPresent
         env:
         - name: EVENTS_SERVER_PORT
           value: '8090'
         - name: FLOWS_API_ADDR
           value: hubble-relay:80