feat(helm): update chart cilium to 1.17.1

[renovate]

This PR contains the following updates:

Package	Update	Change
cilium (source)	minor	1.16.6 -> 1.17.1

---

Release Notes

cilium/cilium (cilium)

v1.17.1

Compare Source

v1.17.0: 1.17.0

Compare Source

We are excited to announce the Cilium 1.17.0 release!

A total of 2761 new commits have been contributed to this release by a growing community of over 880 developers and over 20,800 GitHub stars! 🤩

To keep up to date with all the latest Cilium releases, see Announcements

Here's what's new in v1.17.0:

🚠 Networking

• 🚦 Quality of Service: Annotate your Pods for Guaranteed, Burstable or BestEffort egress network traffic priority (#​36025, @​hemanthmalla)
• 🌐 Multi-Cluster Service API: Use Kubernetes MCS to manage global services in a Cilium Cluster Mesh (#​34439, @​MrFreezeex)
• 🔀 Load Balance based on L4 Protocol: Differentiate TCP and UDP based protocols for load balancing, so multiple services on the same port can be directed to different backends (#​33434, @​jibi)
• 🧲 Per-Service LB Algorithms: Choose maglev or random load balancing algorithms for individual services (#​35735, @​kl52752)
• ⛔ Deny lists for Service source ranges: Control whether Kubernetes loadBalancerSourceRanges are treated as an allow or deny list (#​36120, @​borkmann)
• 🏊 Better control over IPAM: IPs can be allocated statically using AWS tags, and multi-pool can support single IP ranges for pools (#​34622, @​antonipp; #​34618, @​juliusmh)
• 🔌 Dynamic MTU detection: Cilium respects changes made to MTU made at runtime without requiring agent restart (#​34314, @​dylandreimerink)

💂‍♀️ Security

• 🚀 Improved network policy performance: The cost of computing complex combinations of network policies has been reduced (Various PRs by @​joamaki, @​jrajahalme, @​marseel, @​nathanjsweet, @​squeed and @​youngnick)
• 🗂️ Prioritize critical network policies: Cilium respects Kubernetes priorityNamespaces to prioritize endpoint propagation for critical namespaces when using CiliumEndpointSlices (#​34199, @​Kaczyniec)
• 📋 Validate Network Policies: Receive better feedback from Kubernetes when creating network policies (#​34585, @​squeed; #​35904, @​renyunkang; #​36598, @​pippolo84)
• 🏷️ Select CIDRGroups by Label: Add labels to CIDRGroups and use these for network policy selection (#​36087, @​squeed)
• 🛎️ Extend ToServices for in-cluster services: Services with a selector can be selected with ToServices network policies statements (#​34208, @​chaunceyjiang)
• 🚧 FQDN Filtering for hostNetwork: Use CiliumClusterwideNetworkPolicy to configure Layer 7 filtering for DNS requests on nodes in the cluster (#​34024, @​atykhyy)
• 📶 HTTP policies on port ranges: Redirect multiple ports in a single policy towards Envoy for Layer 7 filtering of HTTP traffic (#​36056, @​jrajahalme)

🕸️ Service Mesh & Gateway API

• ⛩️ Gateway API 1.2.1: Add support for the latest Gateway API v1.2.1 release, including HTTP retries and mirror fractions (#​34720, @​sayboras)
• 📝 Static Gateway Addressing: Cilium now supports statically specifying addresses for gateways (#​33042, @​chaunceyjiang)
• 🔐 Improved Envoy TLS handling: Use SDS for managing TLS visibility secrets in Envoy, improving policy calculation speed and secrets access (#​35513, @​youngnick)

🛰️ Observability

• 🔍 Dynamic Hubble Metrics: Configure Hubble metrics with a new hubble-metrics-config ConfigMap to tune your network observability (#​35185, @​rectified95)
• 🛤️ Track enabled features using Prometheus: The cilium-agent and cilium-operator components expose Prometheus metrics for which features are enabled. (#​35852, @​aanm)
• 📊 Many new metrics: Improved metrics related to BGP, network connections, network policy, pod management, and Cilium component status (Various PRs by @​AwesomePatrol, @​harsimran-pabla, @​joestringer, @​jshr-w, @​mikejoh, @​nimishamehta5, @​odinuge, @​ovidiutirla, @​rectified95 and @​sjdot)

🌅 Scale

• 📈 Better cluster connectivity checking: The cilium-health component for cluster-wide network connectivity health detection is better tuned for reliable health checking at high scale (#​35163, @​jshr-w)
• ⏳ Rate-limit monitor events: Balance the number of eBPF events against the CPU usage required to process them (#​29711, @​siwiutki)
• 👥 Double-Write Identity mode: New allocation mode for Security Identities to ease migration between CRD and KVStore identity backends (#​31920, @​antonipp)
• ⚖️ Better scale testing: This release benefits from regular automated scale testing for network policy (#​35278, @​marseel)

🏘️ Community

• ❤️ Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!
  • Seznam, Alibaba Cloud, SysEleven, QingCloud, ECCO, Reddit, Confluent, SamsungAds, and Sony
• The Cilium Annual Report 2024 was released covering all the highlights from across the community and marking the “Year of Kubernetes Networking”
• The community gathered at Cilium + eBPF Day and the Cilium Developer Summit in Salt Lake City
• Meet us at the upcoming CiliumCon and the Cilium Developer Summit in London

And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ ❤️ ❤️

For the full changelog check https://github.com/cilium/cilium/blob/v1.17.0/CHANGELOG.md

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.0@​sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d
quay.io/cilium/cilium:stable@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.0@​sha256:05ccf79102724a943b967337a7cd45177118b76b72fb937d0c8ecb3ce136605c
quay.io/cilium/clustermesh-apiserver:stable@sha256:05ccf79102724a943b967337a7cd45177118b76b72fb937d0c8ecb3ce136605c

docker-plugin

quay.io/cilium/docker-plugin:v1.17.0@​sha256:cf2a7b6779e1264c35d77a799aab25ee9bb67582764b297edf6ad62fa02a3c6f
quay.io/cilium/docker-plugin:stable@sha256:cf2a7b6779e1264c35d77a799aab25ee9bb67582764b297edf6ad62fa02a3c6f

hubble-relay

quay.io/cilium/hubble-relay:v1.17.0@​sha256:022c084588caad91108ac73e04340709926ea7fe12af95f57fcb794b68472e05
quay.io/cilium/hubble-relay:stable@sha256:022c084588caad91108ac73e04340709926ea7fe12af95f57fcb794b68472e05

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.0@​sha256:0154a855650dac844347d35404e08f3ad141c05e1d903a648558e6f15e4fef8b
quay.io/cilium/operator-alibabacloud:stable@sha256:0154a855650dac844347d35404e08f3ad141c05e1d903a648558e6f15e4fef8b

operator-aws

quay.io/cilium/operator-aws:v1.17.0@​sha256:a81cea10c4210589750c2588a20ece2822fd57be8529df4dc7779031cec66af7
quay.io/cilium/operator-aws:stable@sha256:a81cea10c4210589750c2588a20ece2822fd57be8529df4dc7779031cec66af7

operator-azure

quay.io/cilium/operator-azure:v1.17.0@​sha256:56e83fbdfbea161b2252c51c7ce03960f7141700473bbd2906bcdb53f46610d7
quay.io/cilium/operator-azure:stable@sha256:56e83fbdfbea161b2252c51c7ce03960f7141700473bbd2906bcdb53f46610d7

operator-generic

quay.io/cilium/operator-generic:v1.17.0@​sha256:1ce5a5a287166fc70b6a5ced3990aaa442496242d1d4930b5a3125e44cccdca8
quay.io/cilium/operator-generic:stable@sha256:1ce5a5a287166fc70b6a5ced3990aaa442496242d1d4930b5a3125e44cccdca8

operator

quay.io/cilium/operator:v1.17.0@​sha256:39c9221d75f47f717fe438912309a96b59b8257a74dc624fdeebebcfbd74b587
quay.io/cilium/operator:stable@sha256:39c9221d75f47f717fe438912309a96b59b8257a74dc624fdeebebcfbd74b587

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

--- kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
-      version: 1.16.6
+      version: 1.17.1
   install:
     remediation:
       retries: 3
   interval: 30m
   upgrade:
     cleanupOnFail: true

[github-actions]

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

@@ -15,261 +15,323 @@

   cilium-dashboard.json: |
     {
       "annotations": {
         "list": [
           {
             "builtIn": 1,
-            "datasource": "-- Grafana --",
+            "datasource": {
+              "type": "datasource",
+              "uid": "grafana"
+            },
             "enable": true,
             "hide": true,
             "iconColor": "rgba(0, 211, 255, 1)",
             "name": "Annotations & Alerts",
             "type": "dashboard"
           }
         ]
       },
       "description": "Dashboard for Cilium (https://cilium.io/) metrics",
       "editable": true,
-      "gnetId": null,
+      "fiscalYearStartMonth": 0,
       "graphTooltip": 1,
-      "iteration": 1606309591568,
+      "id": 1,
       "links": [],
       "panels": [
         {
-          "aliasColors": {
-            "error": "#890f02",
-            "warning": "#c15c17"
-          },
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
           "datasource": {
             "type": "prometheus",
             "uid": "${DS_PROMETHEUS}"
           },
           "fieldConfig": {
             "defaults": {
-              "custom": {}
-            },
-            "overrides": []
-          },
-          "fill": 1,
-          "fillGradient": 0,
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "axisBorderShow": false,
+                "axisCenteredZero": false,
+                "axisColorMode": "text",
+                "axisLabel": "",
+                "axisPlacement": "auto",
+                "barAlignment": 0,
+                "drawStyle": "line",
+                "fillOpacity": 10,
+                "gradientMode": "none",
+                "hideFrom": {
+                  "legend": false,
+                  "tooltip": false,
+                  "viz": false
+                },
+                "insertNulls": false,
+                "lineInterpolation": "linear",
+                "lineWidth": 1,
+                "pointSize": 5,
+                "scaleDistribution": {
+                  "type": "linear"
+                },
+                "showPoints": "never",
+                "spanNulls": false,
+                "stacking": {
+                  "group": "A",
+                  "mode": "none"
+                },
+                "thresholdsStyle": {
+                  "mode": "off"
+                }
+              },
+              "links": [],
+              "mappings": [],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  },
+                  {
+                    "color": "red",
+                    "value": 80
+                  }
+                ]
+              },
+              "unit": "opm"
+            },
+            "overrides": [
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "error"
+                },
+                "properties": [
+                  {
+                    "id": "color",
+                    "value": {
+                      "fixedColor": "#890f02",
+                      "mode": "fixed"
+                    }
+                  }
+                ]
+              },
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "warning"
+                },
+                "properties": [
+                  {
+                    "id": "color",
+                    "value": {
+                      "fixedColor": "#c15c17",
+                      "mode": "fixed"
+                    }
+                  }
+                ]
+              }
+            ]
+          },
           "gridPos": {
             "h": 5,
             "w": 12,
             "x": 0,
             "y": 0
           },
-          "hiddenSeries": false,
           "id": 76,
-          "legend": {
-            "avg": false,
-            "current": false,
-            "max": false,
-            "min": false,
-            "show": true,
-            "total": false,
-            "values": false
-          },
-          "lines": true,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
           "options": {
-            "dataLinks": []
-          },
-          "paceLength": 10,
-          "percentage": false,
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [
-            {
-              "alias": "error",
-              "yaxis": 2
-            }
-          ],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
+            "legend": {
+              "calcs": [],
+              "displayMode": "list",
+              "placement": "bottom",
+              "showLegend": true
+            },
+            "tooltip": {
+              "mode": "multi",
+              "sort": "none"
+            }
+          },
+          "pluginVersion": "10.4.3",
           "targets": [
             {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${DS_PROMETHEUS}"
+              },
+              "editorMode": "code",
               "expr": "sum(rate(cilium_errors_warnings_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m])) by (pod, level) * 60",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "{{level}}",
+              "range": true,
               "refId": "A"
             }
           ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeRegions": [],
-          "timeShift": null,
           "title": "Errors & Warnings",
-          "tooltip": {
-            "shared": true,
-            "sort": 0,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "opm",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "opm",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
+          "type": "timeseries"
         },
         {
-          "aliasColors": {
-            "avg": "#cffaff"
-          },
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
           "datasource": {
             "type": "prometheus",
             "uid": "${DS_PROMETHEUS}"
           },
           "fieldConfig": {
             "defaults": {
-              "custom": {}
-            },
-            "overrides": []
-          },
-          "fill": 0,
-          "fillGradient": 0,
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "axisBorderShow": false,
+                "axisCenteredZero": false,
+                "axisColorMode": "text",
+                "axisLabel": "",
+                "axisPlacement": "auto",
+                "barAlignment": 0,
+                "drawStyle": "line",
+                "fillOpacity": 35,
+                "gradientMode": "none",
+                "hideFrom": {
+                  "legend": false,
+                  "tooltip": false,
+                  "viz": false
+                },
+                "insertNulls": false,
+                "lineInterpolation": "linear",
+                "lineWidth": 1,
+                "pointSize": 5,
+                "scaleDistribution": {
+                  "type": "linear"
+                },
+                "showPoints": "never",
+                "spanNulls": false,
+                "stacking": {
+                  "group": "A",
+                  "mode": "none"
+                },
+                "thresholdsStyle": {
+                  "mode": "off"
+                }
+              },
+              "links": [],
+              "mappings": [],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  },
+                  {
+                    "color": "red",
+                    "value": 80
+                  }
+                ]
+              },
+              "unit": "percent"
+            },
+            "overrides": [
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "avg"
+                },
+                "properties": [
+                  {
+                    "id": "color",
+                    "value": {
+                      "fixedColor": "#cffaff",
+                      "mode": "fixed"
+                    }
+                  }
+                ]
+              },
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "max"
+                },
+                "properties": [
+                  {
+                    "id": "custom.fillBelowTo",
+                    "value": "min"
+                  },
+                  {
+                    "id": "custom.lineWidth",
+                    "value": 0
+                  }
+                ]
+              },
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "min"
+                },
+                "properties": [
+                  {
+                    "id": "custom.lineWidth",
+                    "value": 0
+                  }
+                ]
+              }
+            ]
+          },
           "gridPos": {
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -16,42 +16,50 @@

   policy-cidr-match-mode: ''
   prometheus-serve-addr: :9962
   controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
   proxy-prometheus-port: '9964'
   operator-prometheus-serve-addr: :9963
   enable-metrics: 'true'
+  enable-policy-secrets-sync: 'true'
+  policy-secrets-only-from-secrets-namespace: 'true'
+  policy-secrets-namespace: cilium-secrets
   enable-ipv4: 'true'
   enable-ipv6: 'false'
   custom-cni-conf: 'false'
   enable-bpf-clock-probe: 'false'
   monitor-aggregation: medium
   monitor-aggregation-interval: 5s
   monitor-aggregation-flags: all
   bpf-map-dynamic-size-ratio: '0.0025'
   bpf-policy-map-max: '16384'
   bpf-lb-map-max: '65536'
   bpf-lb-external-clusterip: 'false'
+  bpf-lb-source-range-all-types: 'false'
+  bpf-lb-algorithm-annotation: 'false'
+  bpf-lb-mode-annotation: 'false'
   bpf-events-drop-enabled: 'true'
   bpf-events-policy-verdict-enabled: 'true'
   bpf-events-trace-enabled: 'true'
   preallocate-bpf-maps: 'false'
   cluster-name: home-kubernetes
   cluster-id: '1'
   routing-mode: native
+  tunnel-protocol: vxlan
   service-no-backend-response: reject
   enable-l7-proxy: 'true'
   enable-ipv4-masquerade: 'true'
   enable-ipv4-big-tcp: 'false'
   enable-ipv6-big-tcp: 'false'
   enable-ipv6-masquerade: 'true'
   enable-tcx: 'true'
   datapath-mode: veth
   enable-bpf-masquerade: 'false'
   enable-masquerade-to-route-source: 'false'
   enable-xt-socket-fallback: 'true'
   install-no-conntrack-iptables-rules: 'false'
+  iptables-random-fully: 'false'
   auto-direct-node-routes: 'true'
   direct-routing-skip-unreachable: 'false'
   enable-local-redirect-policy: 'true'
   ipv4-native-routing-cidr: 10.69.0.0/16
   enable-runtime-device-detection: 'true'
   kube-proxy-replacement: 'true'
@@ -63,24 +71,27 @@

   enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-mode: dsr
   bpf-lb-algorithm: maglev
   bpf-lb-acceleration: disabled
+  enable-experimental-lb: 'false'
   enable-svc-source-range-check: 'true'
   enable-l2-neigh-discovery: 'true'
   arping-refresh-period: 30s
   k8s-require-ipv4-pod-cidr: 'false'
   k8s-require-ipv6-pod-cidr: 'false'
   enable-endpoint-routes: 'true'
   enable-k8s-networkpolicy: 'true'
+  enable-endpoint-lockdown-on-policy-overflow: 'false'
   write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
   cni-exclusive: 'false'
   cni-log-file: /var/run/cilium/cilium-cni.log
   enable-endpoint-health-checking: 'true'
   enable-health-checking: 'true'
+  health-check-icmp-failure-threshold: '3'
   enable-well-known-identities: 'false'
   enable-node-selector-labels: 'false'
   synchronize-k8s-nodes: 'true'
   operator-api-serve-addr: 127.0.0.1:9234
   enable-hubble: 'true'
   hubble-socket-path: /var/run/cilium/hubble.sock
@@ -93,36 +104,36 @@

   hubble-listen-address: :4244
   hubble-disable-tls: 'false'
   hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
   hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
   hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
   ipam: kubernetes
+  ipam-multi-pool-pre-allocation: null
   ipam-cilium-node-update-rate: 15s
+  default-lb-service-ipam: lbipam
   egress-gateway-reconciliation-trigger-interval: 1s
   enable-vtep: 'false'
   vtep-endpoint: ''
   vtep-cidr: ''
   vtep-mask: ''
   vtep-mac: ''
   enable-l2-announcements: 'true'
   procfs: /host/proc
   bpf-root: /sys/fs/bpf
   cgroup-root: /sys/fs/cgroup
   enable-k8s-terminating-endpoint: 'true'
   enable-sctp: 'false'
-  k8s-client-qps: '10'
-  k8s-client-burst: '20'
   remove-cilium-node-taints: 'true'
   set-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
   unmanaged-pod-watcher-interval: '15'
   dnsproxy-enable-transparent-mode: 'true'
   dnsproxy-socket-linger-timeout: '10'
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
-  tofqdns-endpoint-max-ip-per-hostname: '50'
+  tofqdns-endpoint-max-ip-per-hostname: '1000'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
   tofqdns-proxy-response-max-delay: 100ms
   agent-not-ready-taint-key: node.cilium.io/agent-not-ready
   mesh-auth-enabled: 'true'
   mesh-auth-queue-size: '1024'
@@ -132,15 +143,22 @@

   proxy-xff-num-trusted-hops-egress: '0'
   proxy-connect-timeout: '2'
   proxy-initial-fetch-timeout: '30'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
   proxy-idle-timeout-seconds: '60'
+  proxy-max-concurrent-retries: '128'
+  http-retry-count: '3'
   external-envoy-proxy: 'false'
   envoy-base-id: '0'
+  envoy-access-log-buffer-size: '4096'
   envoy-keep-cap-netbindservice: 'false'
   max-connected-clusters: '255'
   clustermesh-enable-endpoint-sync: 'false'
   clustermesh-enable-mcs-api: 'false'
   nat-map-stats-entries: '32'
   nat-map-stats-interval: 30s
+  enable-internal-traffic-policy: 'true'
+  enable-lb-ipam: 'true'
+  enable-non-default-deny-policies: 'true'
+  enable-source-ip-verification: 'true'
 
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-operator-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-operator-dashboard

@@ -1013,13 +1013,19 @@

       ],
       "refresh": false,
       "schemaVersion": 25,
       "style": "dark",
       "tags": [],
       "templating": {
-        "list": []
+        "list": [
+          {
+            "type": "datasource",
+            "name": "DS_PROMETHEUS",
+            "query": "prometheus"
+          }
+        ]
       },
       "time": {
         "from": "now-30m",
         "to": "now"
       },
       "timepicker": {
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-relay-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-relay-config

@@ -3,12 +3,11 @@

 kind: ConfigMap
 metadata:
   name: hubble-relay-config
   namespace: kube-system
 data:
   config.yaml: "cluster-name: home-kubernetes\npeer-service: \"hubble-peer.kube-system.svc.cluster.local.:443\"\
-    \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\
-    \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file:\
-    \ /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key\n\
-    tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\n\
-    disable-server-tls: true\n"
+    \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\
+    \ \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt\n\
+    tls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key\ntls-hubble-server-ca-files:\
+    \ /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\ndisable-server-tls: true\n"
 
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

@@ -53,12 +53,13 @@

   - update
   - patch
 - apiGroups:
   - ''
   resources:
   - namespaces
+  - secrets
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - ''
@@ -135,12 +136,19 @@

   - update
   - get
   - list
   - watch
   - delete
   - patch
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumbgpclusterconfigs/status
+  - ciliumbgppeerconfigs/status
+  verbs:
+  - update
 - apiGroups:
   - apiextensions.k8s.io
   resources:
   - customresourcedefinitions
   verbs:
   - create
@@ -181,12 +189,13 @@

   resources:
   - ciliumloadbalancerippools
   - ciliumpodippools
   - ciliumbgppeeringpolicies
   - ciliumbgpclusterconfigs
   - ciliumbgpnodeconfigoverrides
+  - ciliumbgppeerconfigs
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - cilium.io
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,24 +16,24 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: de8cf26ceabe378b2f47632fd3fd210ee1e5b4ab5d6f3f888abe408c8a29cf7f
+        cilium.io/cilium-configmap-checksum: a06498011ecf39871d59038443a9e69df3403f243310d0daf31bd31c6ef472e9
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -197,13 +197,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -222,13 +222,13 @@

           value: '7445'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /sys/fs/cgroup
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -254,13 +254,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -284,13 +284,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -300,13 +300,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -348,13 +348,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,22 +20,22 @@

       maxSurge: 25%
       maxUnavailable: 100%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: de8cf26ceabe378b2f47632fd3fd210ee1e5b4ab5d6f3f888abe408c8a29cf7f
+        cilium.io/cilium-configmap-checksum: a06498011ecf39871d59038443a9e69df3403f243310d0daf31bd31c6ef472e9
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.16.6@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
+        image: quay.io/cilium/operator-generic:v1.17.1@sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -17,13 +17,13 @@

     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/hubble-relay-configmap-checksum: 7013f296857a469857f02e7d0b7e0933fcdf29925c02e28162c33b4a8a00baca
+        cilium.io/hubble-relay-configmap-checksum: eff0e5f47a53fa4b010591dc8fd68bffd75ccd6298d9d502cc7125e0b3fede93
       labels:
         k8s-app: hubble-relay
         app.kubernetes.io/name: hubble-relay
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.16.6@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b
+        image: quay.io/cilium/hubble-relay:v1.17.1@sha256:397e8fbb188157f744390a7b272a1dec31234e605bcbe22d8919a166d202a3dc
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
--- HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent

+++ HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent

@@ -6,13 +6,13 @@

   namespace: kube-system
   labels:
     app.kubernetes.io/part-of: cilium
 spec:
   selector:
     matchLabels:
-      k8s-app: cilium
+      app.kubernetes.io/name: cilium-agent
   namespaceSelector:
     matchNames:
     - kube-system
   endpoints:
   - port: metrics
     interval: 10s
--- HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets

+++ HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets

@@ -0,0 +1,8 @@

+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets

@@ -0,0 +1,19 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-operator-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - update
+  - patch
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+  name: cilium
+  namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-operator-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-operator-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+  name: cilium-operator
+  namespace: kube-system
+