chore(deps): update helm release cilium to 1.17.1

[renovate]

This PR contains the following updates:

Package	Update	Change
cilium (source)	minor	1.16.2 -> 1.17.1

---

Release Notes

cilium/cilium (cilium)

v1.17.1

Compare Source

v1.17.0: 1.17.0

Compare Source

We are excited to announce the Cilium 1.17.0 release!

A total of 2761 new commits have been contributed to this release by a growing community of over 880 developers and over 20,800 GitHub stars! 🤩

To keep up to date with all the latest Cilium releases, see Announcements

Here's what's new in v1.17.0:

🚠 Networking

• 🚦 Quality of Service: Annotate your Pods for Guaranteed, Burstable or BestEffort egress network traffic priority (#​36025, @​hemanthmalla)
• 🌐 Multi-Cluster Service API: Use Kubernetes MCS to manage global services in a Cilium Cluster Mesh (#​34439, @​MrFreezeex)
• 🔀 Load Balance based on L4 Protocol: Differentiate TCP and UDP based protocols for load balancing, so multiple services on the same port can be directed to different backends (#​33434, @​jibi)
• 🧲 Per-Service LB Algorithms: Choose maglev or random load balancing algorithms for individual services (#​35735, @​kl52752)
• ⛔ Deny lists for Service source ranges: Control whether Kubernetes loadBalancerSourceRanges are treated as an allow or deny list (#​36120, @​borkmann)
• 🏊 Better control over IPAM: IPs can be allocated statically using AWS tags, and multi-pool can support single IP ranges for pools (#​34622, @​antonipp; #​34618, @​juliusmh)
• 🔌 Dynamic MTU detection: Cilium respects changes made to MTU made at runtime without requiring agent restart (#​34314, @​dylandreimerink)

💂‍♀️ Security

• 🚀 Improved network policy performance: The cost of computing complex combinations of network policies has been reduced (Various PRs by @​joamaki, @​jrajahalme, @​marseel, @​nathanjsweet, @​squeed and @​youngnick)
• 🗂️ Prioritize critical network policies: Cilium respects Kubernetes priorityNamespaces to prioritize endpoint propagation for critical namespaces when using CiliumEndpointSlices (#​34199, @​Kaczyniec)
• 📋 Validate Network Policies: Receive better feedback from Kubernetes when creating network policies (#​34585, @​squeed; #​35904, @​renyunkang; #​36598, @​pippolo84)
• 🏷️ Select CIDRGroups by Label: Add labels to CIDRGroups and use these for network policy selection (#​36087, @​squeed)
• 🛎️ Extend ToServices for in-cluster services: Services with a selector can be selected with ToServices network policies statements (#​34208, @​chaunceyjiang)
• 🚧 FQDN Filtering for hostNetwork: Use CiliumClusterwideNetworkPolicy to configure Layer 7 filtering for DNS requests on nodes in the cluster (#​34024, @​atykhyy)
• 📶 HTTP policies on port ranges: Redirect multiple ports in a single policy towards Envoy for Layer 7 filtering of HTTP traffic (#​36056, @​jrajahalme)

🕸️ Service Mesh & Gateway API

• ⛩️ Gateway API 1.2.1: Add support for the latest Gateway API v1.2.1 release, including HTTP retries and mirror fractions (#​34720, @​sayboras)
• 📝 Static Gateway Addressing: Cilium now supports statically specifying addresses for gateways (#​33042, @​chaunceyjiang)
• 🔐 Improved Envoy TLS handling: Use SDS for managing TLS visibility secrets in Envoy, improving policy calculation speed and secrets access (#​35513, @​youngnick)

🛰️ Observability

• 🔍 Dynamic Hubble Metrics: Configure Hubble metrics with a new hubble-metrics-config ConfigMap to tune your network observability (#​35185, @​rectified95)
• 🛤️ Track enabled features using Prometheus: The cilium-agent and cilium-operator components expose Prometheus metrics for which features are enabled. (#​35852, @​aanm)
• 📊 Many new metrics: Improved metrics related to BGP, network connections, network policy, pod management, and Cilium component status (Various PRs by @​AwesomePatrol, @​harsimran-pabla, @​joestringer, @​jshr-w, @​mikejoh, @​nimishamehta5, @​odinuge, @​ovidiutirla, @​rectified95 and @​sjdot)

🌅 Scale

• 📈 Better cluster connectivity checking: The cilium-health component for cluster-wide network connectivity health detection is better tuned for reliable health checking at high scale (#​35163, @​jshr-w)
• ⏳ Rate-limit monitor events: Balance the number of eBPF events against the CPU usage required to process them (#​29711, @​siwiutki)
• 👥 Double-Write Identity mode: New allocation mode for Security Identities to ease migration between CRD and KVStore identity backends (#​31920, @​antonipp)
• ⚖️ Better scale testing: This release benefits from regular automated scale testing for network policy (#​35278, @​marseel)

🏘️ Community

• ❤️ Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!
  • Seznam, Alibaba Cloud, SysEleven, QingCloud, ECCO, Reddit, Confluent, SamsungAds, and Sony
• The Cilium Annual Report 2024 was released covering all the highlights from across the community and marking the “Year of Kubernetes Networking”
• The community gathered at Cilium + eBPF Day and the Cilium Developer Summit in Salt Lake City
• Meet us at the upcoming CiliumCon and the Cilium Developer Summit in London

And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ ❤️ ❤️

For the full changelog check https://github.com/cilium/cilium/blob/v1.17.0/CHANGELOG.md

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.0@​sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d
quay.io/cilium/cilium:stable@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.0@​sha256:05ccf79102724a943b967337a7cd45177118b76b72fb937d0c8ecb3ce136605c
quay.io/cilium/clustermesh-apiserver:stable@sha256:05ccf79102724a943b967337a7cd45177118b76b72fb937d0c8ecb3ce136605c

docker-plugin

quay.io/cilium/docker-plugin:v1.17.0@​sha256:cf2a7b6779e1264c35d77a799aab25ee9bb67582764b297edf6ad62fa02a3c6f
quay.io/cilium/docker-plugin:stable@sha256:cf2a7b6779e1264c35d77a799aab25ee9bb67582764b297edf6ad62fa02a3c6f

hubble-relay

quay.io/cilium/hubble-relay:v1.17.0@​sha256:022c084588caad91108ac73e04340709926ea7fe12af95f57fcb794b68472e05
quay.io/cilium/hubble-relay:stable@sha256:022c084588caad91108ac73e04340709926ea7fe12af95f57fcb794b68472e05

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.0@​sha256:0154a855650dac844347d35404e08f3ad141c05e1d903a648558e6f15e4fef8b
quay.io/cilium/operator-alibabacloud:stable@sha256:0154a855650dac844347d35404e08f3ad141c05e1d903a648558e6f15e4fef8b

operator-aws

quay.io/cilium/operator-aws:v1.17.0@​sha256:a81cea10c4210589750c2588a20ece2822fd57be8529df4dc7779031cec66af7
quay.io/cilium/operator-aws:stable@sha256:a81cea10c4210589750c2588a20ece2822fd57be8529df4dc7779031cec66af7

operator-azure

quay.io/cilium/operator-azure:v1.17.0@​sha256:56e83fbdfbea161b2252c51c7ce03960f7141700473bbd2906bcdb53f46610d7
quay.io/cilium/operator-azure:stable@sha256:56e83fbdfbea161b2252c51c7ce03960f7141700473bbd2906bcdb53f46610d7

operator-generic

quay.io/cilium/operator-generic:v1.17.0@​sha256:1ce5a5a287166fc70b6a5ced3990aaa442496242d1d4930b5a3125e44cccdca8
quay.io/cilium/operator-generic:stable@sha256:1ce5a5a287166fc70b6a5ced3990aaa442496242d1d4930b5a3125e44cccdca8

operator

quay.io/cilium/operator:v1.17.0@​sha256:39c9221d75f47f717fe438912309a96b59b8257a74dc624fdeebebcfbd74b587
quay.io/cilium/operator:stable@sha256:39c9221d75f47f717fe438912309a96b59b8257a74dc624fdeebebcfbd74b587

v1.16.6: 1.16.6

Compare Source

Summary of Changes

Major Changes:

• Add feature tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​35852, @​aanm)
• Add feature tracking in Cilium Operator as prometheus metrics (Backport PR #​36263, Upstream PR #​36077, @​aanm)

Minor Changes:

• envoy: Use yaml format for bootstrap config (Backport PR #​36782, Upstream PR #​36820, @​sayboras)
• Reject CNP/CCNP with CIDR rules where CIDRGroupRef is used in combination with ExceptCIDRs (#​36561, @​pippolo84)
• service: Cap number of backends included in monitor message (Backport PR #​36635, Upstream PR #​36394, @​joamaki)

Bugfixes:

• cilium: LB source ranges fixes (Backport PR #​36635, Upstream PR #​36517, @​borkmann)
• eni.subnetTagsFilter and eni.instanceTagsFilter are now templated to comma separated string (Backport PR #​36872, Upstream PR #​36617, @​sderoe)
• envoy: Configure internal address config based on IP family (Backport PR #​36782, Upstream PR #​36733, @​sayboras)
• Fix connectivity issue caused by stale cilium eBPF program when using --bpf-filter-priority (Backport PR #​36635, Upstream PR #​36176, @​tamilmani1989)
• metrics/features: remove reporting metrics' defaults by default (Backport PR #​36263, Upstream PR #​36298, @​aanm)
• pkg/redirectpolicy: Fix backend slices in processConfig (Backport PR #​36872, Upstream PR #​35496, @​Sm0ckingBird)
• ui: drop CORS headers from api response (Backport PR #​36872, Upstream PR #​35762, @​geakstr)

CI Changes:

• [v1.16] .github: Remove CI Fuzz workflow (#​36641, @​joestringer)
• [v1.16] gh: e2e-upgrade: use 6.12 kernel for netkit test configs (#​36620, @​julianwiedmann)
• [v1.16] gha: use /test to trigger tests in stable branches (#​36673, @​giorio94)
• ci: fix job names for various ci workflows (Backport PR #​36263, Upstream PR #​36397, @​marseel)
• Extend the check-ipsec-leak bpftrace script to capture additional details of leaked packets (Backport PR #​36872, Upstream PR #​33398, @​giorio94)
• gh: e2e-upgrade: add coverage for 6.6 kernel (Backport PR #​36988, Upstream PR #​36626, @​julianwiedmann)
• gh: e2e-upgrade: de-renovate the config example (Backport PR #​36635, Upstream PR #​36463, @​julianwiedmann)
• gha: drop leftover token parameter in net-perf-gke workflow (#​36684, @​giorio94)
• gha: fix merging of features-related artifacts (#​36665, @​giorio94)
• gha: merge artifacts in net-perf-gke workflow (Backport PR #​36263, Upstream PR #​36236, @​giorio94)
• gha: Use ubuntu-24.04 for integration-test (Backport PR #​36659, Upstream PR #​36628, @​sayboras)

Misc Changes:

• .github/workflows: always install cilium-cli (Backport PR #​36263, Upstream PR #​36234, @​aanm)
• .github/workflows: do not fail ginkgo if unable to fetch features (Backport PR #​36263, Upstream PR #​36461, @​aanm)
• .github: fix conformance-k8s NP test (Backport PR #​36263, Upstream PR #​36355, @​aanm)
• [v1.16] Use bash syntax to consume env variable (#​36636, @​ferozsalam)
• Add more features tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​36078, @​aanm)
• Add policy-related features tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​36203, @​aanm)
• Add the tls:// prefix in the Hubble TLS doc (Backport PR #​36635, Upstream PR #​36410, @​liyihuang)
• chore(deps): update all github action dependencies (v1.16) (#​36612, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36762, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36950, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​37099, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (patch) (#​36760, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36707, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36787, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36949, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​37033, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.16) (#​36895, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.36.1 docker digest to 7c3c3ce (v1.16) (#​36609, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.10 docker digest to 1a6e657 (v1.16) (#​36850, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.10 docker digest to 9855006 (v1.16) (#​36610, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.11 (v1.16) (#​37045, @​cilium-renovate[bot])
• chore(deps): update helm/kind-action action to v1.12.0 (v1.16) (#​36839, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36611, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36699, @​cilium-renovate[bot])
• doc: fix typo on kubeproxy-free (CEV -> CVE) (Backport PR #​36872, Upstream PR #​36701, @​alagoutte)
• docs: Add missing default identity label in the description of identity-relevant labels' example (Backport PR #​36635, Upstream PR #​36558, @​liyihuang)
• docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (Backport PR #​36635, Upstream PR #​36549, @​verysonglaa)
• Ensure debug symbols are generated for the debug image even when stripping symbols for the release image. (Backport PR #​36635, Upstream PR #​36417, @​EricMountain)
• Fix make -C Documentation update-cmdref when make uses --jobserver-style=fifo. (Backport PR #​36872, Upstream PR #​36788, @​gentoo-root)
• fix(deps): update module golang.org/x/net to v0.33.0 [security] (v1.16) (#​36711, @​cilium-renovate[bot])
• ingress, gateway-api: Convert test fixtures to file based (Backport PR #​36782, Upstream PR #​36732, @​sayboras)
• metrics/features: enable ClusterMesh (Backport PR #​36263, Upstream PR #​36402, @​aanm)
• metrics/features: refactor metric names (Backport PR #​36263, Upstream PR #​36209, @​aanm)
• Prepare for release v1.16.6 (#​36989, @​cilium-release-bot[bot])
• Remove reference to DNS polling (Backport PR #​36872, Upstream PR #​36679, @​JacobHenner)

Other Changes:

• [v1.16] author backport: helm: avoid setting bpf-lb-sock-terminate-pod-connections (#​36650, @​ysksuzuki)
• install: Update image digests for v1.16.5 (#​36671, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.6@​sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
quay.io/cilium/cilium:stable@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.6@​sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a
quay.io/cilium/clustermesh-apiserver:stable@sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a

docker-plugin

quay.io/cilium/docker-plugin:v1.16.6@​sha256:f8f5833a60900b0264fd8982b11329e130c1a326afe2e4653e9f2d2e3fb2af66
quay.io/cilium/docker-plugin:stable@sha256:f8f5833a60900b0264fd8982b11329e130c1a326afe2e4653e9f2d2e3fb2af66

hubble-relay

quay.io/cilium/hubble-relay:v1.16.6@​sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b
quay.io/cilium/hubble-relay:stable@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.6@​sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9
quay.io/cilium/operator-alibabacloud:stable@sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9

operator-aws

quay.io/cilium/operator-aws:v1.16.6@​sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d
quay.io/cilium/operator-aws:stable@sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d

operator-azure

quay.io/cilium/operator-azure:v1.16.6@​sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd
quay.io/cilium/operator-azure:stable@sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd

operator-generic

quay.io/cilium/operator-generic:v1.16.6@​sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
quay.io/cilium/operator-generic:stable@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc

operator

quay.io/cilium/operator:v1.16.6@​sha256:09ab2878e103fa32a00fd1fe4469f7042cfb053627b44c82fa03a04a820c0b46
quay.io/cilium/operator:stable@sha256:09ab2878e103fa32a00fd1fe4469f7042cfb053627b44c82fa03a04a820c0b46

v1.16.5: 1.16.5

Compare Source

Summary of Changes

Minor Changes:

• hubble: Stop building 32-bit binaries (Backport PR #​36066, Upstream PR #​35974, @​michi-covalent)

Bugfixes:

• Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (Backport PR #​36540, Upstream PR #​36484, @​julianwiedmann)
• bgp: fix race in bgp stores (Backport PR #​36066, Upstream PR #​35971, @​harsimran-pabla)
• BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR #​36286, Upstream PR #​36230, @​rastislavs)
• BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR #​36286, Upstream PR #​36165, @​rastislavs)
• Cilium agent now waits until endpoints have restored before starting accepting new xDS streams. (Backport PR #​36049, Upstream PR #​35984, @​jrajahalme)
• Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (Backport PR #​36462, Upstream PR #​36252, @​bimmlerd)
• cilium-health-ep controller is made to be more robust against successive failures. (Backport PR #​36066, Upstream PR #​35936, @​jrajahalme)
• DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (Backport PR #​36468, Upstream PR #​36142, @​jrajahalme)
• Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (Backport PR #​36049, Upstream PR #​36060, @​jrajahalme)
• Fix an issue where pod-to-world traffic goes up stack when BPF host routing is enabled with tunnel. (Backport PR #​35861, Upstream PR #​35098, @​jschwinger233)
• Fix identity leak for kvstore identity mode (Backport PR #​36066, Upstream PR #​34893, @​odinuge)
• Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (Backport PR #​36302, Upstream PR #​36292, @​giorio94)
• gateway-api: Fix gateway checks for namespace (Backport PR #​36462, Upstream PR #​35452, @​sayboras)
• gha: Remove hostLegacyRouting in clustermesh (Backport PR #​36357, Upstream PR #​35418, @​sayboras)
• helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (Backport PR #​36066, Upstream PR #​36005, @​devodev)
• hubble: consistently use v as prefix for the Hubble version (Backport PR #​36286, Upstream PR #​35891, @​rolinh)
• iptables: Fix data race in iptables manager (Backport PR #​36066, Upstream PR #​35902, @​pippolo84)
• lrp: update LRP services with stale backends on agent restart (Backport PR #​36106, Upstream PR #​36036, @​ysksuzuki)
• policy: Fix bug that allowed port ranges to be attached to L7 policies, which is not permitted. (#​36050, @​nathanjsweet)
• Unbreak the cilium-dbg preflight migrate-identity command (Backport PR #​36286, Upstream PR #​36089, @​giorio94)
• Use strconv.Itoa instead of string() for the correct behavior when converting kafka.ErrorCode from int32 to string. Add relevant unit tests for Kafka plugin and handler. (Backport PR #​36066, Upstream PR #​35856, @​nddq)

CI Changes:

• [v1.16] ci: modularize chart CI push workflow (#​35958, @​ferozsalam)
• gh: conformance-clustermesh: test with IPsec + BPF NodePort (Backport PR #​36462, Upstream PR #​36384, @​julianwiedmann)
• gha: configure environment in build-images-base/image-digests job (Backport PR #​36462, Upstream PR #​36318, @​giorio94)
• node_local_store: prevent racey tests while using mock node store. (Backport PR #​36066, Upstream PR #​35945, @​tommyp1ckles)
• Remove unnecessary hubble port-forward commands (Backport PR #​36066, Upstream PR #​33523, @​michi-covalent)

Misc Changes:

• [v1.16] docs: egress masquerade selector (#​36333, @​viktor-kurchenko)
• [v1.16] images: bump cni plugins to v1.6.0 (#​36092, @​ferozsalam)
• bugtool: dump tail-call map for bpf_wireguard (Backport PR #​36286, Upstream PR #​36183, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.16) (#​36155, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36275, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36443, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (patch) (#​36277, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35546, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36152, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36279, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36444, @​cilium-renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.16) (#​36153, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.9 docker digest to 147f428 (v1.16) (#​36222, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.10 (v1.16) (#​36441, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1732605705-2aa20ee3acb68cd38d57669af19508bea8f0ba62 (v1.16) (#​36180, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 (v1.16) (#​36495, @​cilium-renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241129.013349 (v1.16) (#​36278, @​cilium-renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241206.013345 (v1.16) (#​36442, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36154, @​cilium-renovate[bot])
• docs: Add the tls:// prefix before the IP address (Backport PR #​36286, Upstream PR #​36118, @​liyihuang)
• docs: Fix typo in multi-pool section title (Backport PR #​36312, Upstream PR #​36305, @​joestringer)
• docs: In k0s guide, remove dashes to fix invalid Bash variable names. (Backport PR #​36066, Upstream PR #​35923, @​yilas)
• docs: lrp: fix kernel version requirement for skipRedirectFromBackend (Backport PR #​36066, Upstream PR #​35921, @​ysksuzuki)
• docs: system-requirements: require 5.4 kernel (Backport PR #​36462, Upstream PR #​36386, @​julianwiedmann)
• docs: WireGuard doesn't require overlay port in Network Firewalls (Backport PR #​36286, Upstream PR #​36208, @​julianwiedmann)
• Endpoint populate new policymap early if empty (Backport PR #​36479, Upstream PR #​36361, @​jrajahalme)
• envoy: Configure internal_address_config to avoid warning log (Backport PR #​36015, Upstream PR #​35943, @​sayboras)
• envoy: Pass tofqdns-proxy-response-max-delay to Envoy (Backport PR #​36468, Upstream PR #​36330, @​jrajahalme)
• fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (v1.16) (#​36530, @​cilium-renovate[bot])
• Fixed BGP documentation (Backport PR #​36066, Upstream PR #​35953, @​seadog007)
• images: Use cilium-builder image instead of golang to build hubble (Backport PR #​36312, Upstream PR #​35697, @​learnitall)
• lrp: fix kernel version requirement in warning log (Backport PR #​36286, Upstream PR #​36141, @​ysksuzuki)
• Makefile: fix swagger definition for automatic renovate updates (Backport PR #​36066, Upstream PR #​35979, @​aanm)
• proxy: Take proxy port reference for new redirects immediately (Backport PR #​36468, Upstream PR #​36435, @​jrajahalme)
• proxyports: Resolve data races in test (Backport PR #​36468, Upstream PR #​36399, @​jrajahalme)
• proxyports: Sleep a bit longer in tests (Backport PR #​36468, Upstream PR #​36389, @​jrajahalme)
• Remove duplicated watch on services and endpoint in the cilium-agent (Backport PR #​36066, Upstream PR #​35838, @​MrFreezeex)
• Rework error handling logic in neighbor discovery (Backport PR #​36093, Upstream PR #​35144, @​pippolo84)
• Silence spurious clustermesh-related warnings (Backport PR #​36225, Upstream PR #​35867, @​giorio94)
• Update documentation for egress masquerading behavior (Backport PR #​36462, Upstream PR #​36267, @​liyihuang)

Other Changes:

• [1.16] ci/ipsec-upgrade: increase cilium status wait duration (#​36082, @​harsimran-pabla)
• [v1.16] cilium, service: Fix checkLBSrcRange propagation to LB map (#​36511, @​borkmann)
• install: Update image digests for v1.16.4 (#​36047, @​cilium-release-bot[bot])
• jrajahalme/v1.16 cilium cli (#​36541, @​jrajahalme)
• Revert "workflows/ipsec: Cover Ingress" (#​36116, @​harsimran-pabla)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.5@​sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
quay.io/cilium/cilium:stable@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.5@​sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958
quay.io/cilium/clustermesh-apiserver:stable@sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958

docker-plugin

quay.io/cilium/docker-plugin:v1.16.5@​sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768
quay.io/cilium/docker-plugin:stable@sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768

hubble-relay

quay.io/cilium/hubble-relay:v1.16.5@​sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00
quay.io/cilium/hubble-relay:stable@sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.5@​sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0
quay.io/cilium/operator-alibabacloud:stable@sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0

operator-aws

quay.io/cilium/operator-aws:v1.16.5@​sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476
quay.io/cilium/operator-aws:stable@sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476

operator-azure

quay.io/cilium/operator-azure:v1.16.5@​sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9
quay.io/cilium/operator-azure:stable@sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9

operator-generic

quay.io/cilium/operator-generic:v1.16.5@​sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039
quay.io/cilium/operator-generic:stable@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039

operator

quay.io/cilium/operator:v1.16.5@​sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940
quay.io/cilium/operator:stable@sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940

v1.16.4: 1.16.4

Compare Source

Security Advisories

This release addresses GHSA-xg58-75qf-9r67.

Summary of Changes

Minor Changes:

• Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR #​35908, Upstream PR #​35809, @​jrajahalme)
• clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR #​35543, Upstream PR #​35349, @​giorio94)
• helm: Lower default hubble.tls.auto.certValidityDuration to 365 days (Backport PR #​35781, Upstream PR #​35630, @​chancez)
• helm: New socketLB.tracing flag (Backport PR #​35781, Upstream PR #​35747, @​pchaigno)
• hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR #​35781, Upstream PR #​35632, @​chancez)
• netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport PR #​35543, Upstream PR #​35306, @​jrife)

Bugfixes:

• Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR #​35468, Upstream PR #​35179, @​wedaly)
• bgpv1: fix reconciliation of services with shared VIPs (Backport PR #​35468, Upstream PR #​35333, @​rastislavs)
• bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR #​35863, Upstream PR #​35690, @​YutaroHayakawa)
• bgpv2: set local peering address when specified (Backport PR #​35781, Upstream PR #​35552, @​harsimran-pabla)
• Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport PR #​35603, Upstream PR #​35150, @​jrajahalme)
• Cilium's DNS proxy no longer gets stuck for a specific five-tuple if an timeout waiting for response error is encountered. (Backport PR #​35781, Upstream PR #​35589, @​bimmlerd)
• config: Remove superfluous warning on native routing CIDR (Backport PR #​35781, Upstream PR #​35738, @​gandro)
• Fix missing flowlabel hash on SRv6 traffic. (Backport PR #​35781, Upstream PR #​35498, @​akaliwod)
• Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR #​35543, Upstream PR [#​35173](https://redirect.github.com/cilium/cilium

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.