feat(helm): update chart cilium ( 1.18.5 ➔ 1.19.4 )

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
cilium (source)	minor	1.18.5 → 1.19.4

---

Release Notes

cilium/cilium (cilium)

v1.19.4: 1.19.4

Compare Source

Summary of Changes

Minor Changes:

• cilium-agent: when --k8s-service-proxy-name is set, EndpointSlices are now filtered by the service.kubernetes.io/service-proxy-name label at the watch level, matching how Services are already filtered, operators with hand-managed EndpointSlices must stamp the matching label on those slices. (Backport PR #​45755, Upstream PR #​45504, @​HadrienPatte)
• iptables-based masquerading: Ensure iptables rules respect longest prefix match by sorting routes by mask length when enable-masquerade-to-route-source is enabled (Backport PR #​45630, Upstream PR #​45192, @​liyihuang)
• operator/spire: make SPIRE client configurable for ztunnel (Backport PR #​45356, Upstream PR #​44136, @​nddq)
• pkg/endpoint: skip logger rebuild on policy revision updates (Backport PR #​45630, Upstream PR #​45533, @​sjohnsonpal)

Bugfixes:

• bpf: egressgw: respect egress ifindex during FIB lookup (Backport PR #​45695, Upstream PR #​45661, @​julianwiedmann)
• bpf: host: fix source identity for IPsec trace in to-netdev (Backport PR #​45594, Upstream PR #​45588, @​julianwiedmann)
• cilium-dbg: cilium map list now displays "unknown" instead of 0 for maps that do not support cache-based entry counting. (Backport PR #​45888, Upstream PR #​44951, @​skymensch)
• cilium: Fix incorrect IPv6 BIG TCP display (Backport PR #​45630, Upstream PR #​45529, @​pchaigno)
• clustermesh: fails gracefully instead of crashing when EndpointSliceSync is not able to setup the EndpointSlice watch (Backport PR #​45496, Upstream PR #​45402, @​MrFreezeex)
• clustermesh: Fix Helm typo preventing to add annotations when setting clustermesh.apiserver.tls.auto.method: certmanager (Backport PR #​45630, Upstream PR #​45576, @​owayss)
• Fix cilium-agent crash when a transient network error occurs during CiliumNode update. The agent now retries instead of calling Fatal. (Backport PR #​45673, Upstream PR #​44526, @​nebojsaj1726)
• Fix CiliumLocalRedirectPolicy addressMatcher overriding an existing Service's frontend when its backend pods are not yet Ready. (Backport PR #​45584, Upstream PR #​45522, @​ysksuzuki)
• Fix dedicated Ingress reconciliation panic on invalid TLS passthrough rules (Backport PR #​45888, Upstream PR #​45737, @​weizhoublue)
• Fix host L7 policy operation (Backport PR #​45496, Upstream PR #​45030, @​atykhyy)
• Fix IPsec packet drops during rolling restart with key rotation by deferring SPI advertisement until XFRM states are ready (Backport PR #​45630, Upstream PR #​44701, @​hbangT)
• Fix issue where datapath reinitialization may get stuck when triggered from the local API (Backport PR #​45630, Upstream PR #​45557, @​jrife)
• Fix missing global service backends in Cluster Mesh when multiple service ports point to the same target port. (Backport PR #​45356, Upstream PR #​45179, @​RiccardoAtzori91)
• fix(egressGateway): skip unmatched gateways when using multiple gateway (Backport PR #​45630, Upstream PR #​44705, @​ieth0)
• fix(gateway-api): prevent silent disable on CRD discovery timeout (Backport PR #​45630, Upstream PR #​44662, @​aslafy-z)
• fix(ipsec): panic in parseSPI on malformed input (Backport PR #​45496, Upstream PR #​44815, @​isoyuki)
• Fixed intermittent ARP failures for LoadBalancer services caused by pointer reuse during BPF map iteration in the L2 responder reconciler. (Backport PR #​45673, Upstream PR #​45197, @​Krishnachaitanyakc)
• Fixed SocketLB returning EPERM instead of EHOSTUNREACH when a Service has no backends. (Backport PR #​45673, Upstream PR #​45185, @​chez-shanpu)
• Fixes an issue where L7 LoadBalancer and Ingress traffic would be dropped on certain kernel versions when Cilium is attached to a bridge network device. (Backport PR #​45755, Upstream PR #​45582, @​liyihuang)
• Fixes dropped packets on ingress when full header not in linear skb area (Backport PR #​45496, Upstream PR #​45195, @​javiercardona-work)
• hubble-relay: fix TLS config variable shadowing preventing cleanup on shutdown (Backport PR #​45630, Upstream PR #​45085, @​Aprazor)
• policy: Fix CCG matching for duplicate label keys (Backport PR #​45356, Upstream PR #​45225, @​christarazi)
• Respect backends for BGP only when they are in state: active (Backport PR #​45673, Upstream PR #​45286, @​CallMeFoxie)
• secretsync recreate synced secret when source secret type changes (Backport PR #​45888, Upstream PR #​45721, @​ssam18)
• wireguard: clamp cilium_wg0 MTU to IPV6_MIN_MTU (1280) when IPv6 is enabled, preventing silent packet loss in tunnel+encryption mode with constrained path MTU (Backport PR #​45496, Upstream PR #​45425, @​tibrezus)

CI Changes:

• .github/workflows: skip full test suite for workflow_dispatch on dev … (Backport PR #​45356, Upstream PR #​45285, @​aanm)
• complexity-diff: Small improvements (Backport PR #​45673, Upstream PR #​45556, @​pchaigno)
• contrib: fix typo in identity_is_node.cocci (Backport PR #​45630, Upstream PR #​45505, @​julianwiedmann)
• datapath/loader: Add map count to verifier complexity records (Backport PR #​45673, Upstream PR #​44652, @​dylandreimerink)
• gha/clustermesh: use OCI registry for cert-manager (Backport PR #​45356, Upstream PR #​45326, @​giorio94)
• logging: Update leader election log level override (Backport PR #​45496, Upstream PR #​45358, @​joamaki)
• Use extra power github runner if available for multi-pool CI workflow (Backport PR #​45673, Upstream PR #​45555, @​fristonio)

Misc Changes:

• [v1.19] deps: bump x/net to v0.53 (#​45935, @​ferozsalam)
• Add documentation and warnings on DNS interception (Backport PR #​45888, Upstream PR #​45525, @​ferozsalam)
• chore(deps): update all external docker images dependencies to v0.13.5 (v1.19) (patch) (#​45462, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45467, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45728, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45747, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45870, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45882, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​45466, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​45615, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​45729, @​cilium-renovate[bot])
• chore(deps): update base-images to v1.25.10 (v1.19) (#​45902, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to 354584b (v1.19) (#​45614, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to 6663075 (v1.19) (#​45481, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to 6e3229e (v1.19) (#​45620, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to b782452 (v1.19) (#​45488, @​cilium-renovate[bot])
• chore(deps): update dependency bufbuild/buf to v1.69.0 (v1.19) (#​45872, @​cilium-renovate[bot])
• chore(deps): update module github.com/moby/spdystream to v0.5.1 [security] (v1.19) (#​45431, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260416084302-2b3d1fe14578 (v1.19) (#​45463, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260423112246-3fa174937a6b (v1.19) (#​45730, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260505141229-de8f85687fd2 (v1.19) (#​45881, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.4.3 (v1.19) (#​45501, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1776352947-78da350f53f63526ff6487f2e1f3b14d2062ce17 (v1.19) (#​45464, @​cilium-renovate[bot])
• ci: make registry configurable (#​45437, @​Artyop)
• docs(policy): update namespace label support (Backport PR #​45630, Upstream PR #​44922, @​lconnery)
• docs: add small CiliumCIDRGroup scalability callout (Backport PR #​45888, Upstream PR #​45763, @​squeed)
• Fail hive health tree script command if no status is found for filter (Backport PR #​45888, Upstream PR #​45554, @​fristonio)
• Fix Endpoint regeneration health reporting (Backport PR #​45630, Upstream PR #​45011, @​fristonio)
• fix(deps): update k8s.io patch updates stable to v0.35.4 (v1.19) (patch) (#​45465, @​cilium-renovate[bot])
• helm: allow overriding of external images in charts (Backport PR #​45634, Upstream PR #​45597, @​sekhar-isovalent)
• helm: do not set operator health port as hostPort when hostNetwork is disabled (Backport PR #​45673, Upstream PR #​45386, @​robinelfrink)
• loadbalancer/reflectors: Filter EndpointSlice watch by service labels (Backport PR #​45755, Upstream PR #​45528, @​HadrienPatte)

Other Changes:

• [v1.19] ipam: fix data race in MultiPoolManager node update (#​45521, @​Kunalbehbud)
• chore(deps): update quay.io/cilium/cilium-envoy (#​45908, @​sayboras)
• install: Restore RBAC for ciliumbgppeeringpolicies to allow for gradual upgrade of Cilium pods from v1.18 to v1.19. (#​45829, @​rastislavs)
• install: Update image digests for v1.19.3 (#​45401, @​cilium-release-bot[bot])
• v1.19: bpf: Reduce stack usage and complexity of tail_handle_snat_fwd_ipv6 (#​45360, @​pchaigno)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.4@​sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.4@​sha256:9e40006b2e2b6e66d047f9af52577a93b39d9532958ec6d88d46820bb59ab643

docker-plugin

quay.io/cilium/docker-plugin:v1.19.4@​sha256:720dc5839de8c30acf655ad790866cf89b7691047a020e7b4a4bd66883fbf4d1

hubble-relay

quay.io/cilium/hubble-relay:v1.19.4@​sha256:59af8c0d561e560c2a042e7600a3496bc0367df8fbf868aa68d5834c8ec1a431

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.4@​sha256:693b1e61f22beaa9a0f68aa4056ba873465da96da6382f3276978d01544450dd

operator-aws

quay.io/cilium/operator-aws:v1.19.4@​sha256:9e41b3959d941a0b60ba187f5a2572305846248efb89ac59c18fd25a032f568d

operator-azure

quay.io/cilium/operator-azure:v1.19.4@​sha256:8203f4e5e65c658fe2367a570c7bba5779859982bd3cc263662e35e690be3417

operator-generic

quay.io/cilium/operator-generic:v1.19.4@​sha256:1aa2b62735e7d8ab49ee840ae59c346932024c88901579121395c1271b435f71

operator

quay.io/cilium/operator:v1.19.4@​sha256:7edc61725901e32a13e180c5290d43df5292f5f49c6d654c94a0be2faf52e71e

v1.19.3: 1.19.3

Compare Source

Summary of Changes

Minor Changes:

• Fix performance bug in L7 policy proxy redirect handling (Backport PR #​44828, Upstream PR #​44613, @​fristonio)
• Fixes issue where the Cilium agent fails to initialise when using KVStore identity mode with etcd behind a K8s Service (Backport PR #​44828, Upstream PR #​44653, @​41ks)
• helm,docs: add configDriftDetection Helm values and documentation (Backport PR #​44974, Upstream PR #​44703, @​PhilipSchmid)

Bugfixes:

• [v1.19] Fix incorrect policy service selector handling (#​44888, @​fristonio)
• bgp: Fix potential race in service advertisements upon error retry (Backport PR #​45211, Upstream PR #​45049, @​rastislavs)
• clustermesh: fix a bug in the MCS-API CRD installl that could attempt a CRD downgrade when the version label is higher (Backport PR #​44828, Upstream PR #​44738, @​MrFreezeex)
• ctmap: Change order of active maps (Backport PR #​44828, Upstream PR #​44729, @​brb)
• Ensure completion.WaitGroup always has a timeout (Backport PR #​45217, Upstream PR #​44731, @​jrajahalme)
• envoy: Fix xds server npds listeners accounting (Backport PR #​45217, Upstream PR #​44830, @​fristonio)
• Fix a slow memory leak triggered by incremental policy updates (Backport PR #​44994, Upstream PR #​44328, @​odinuge)
• Fix endpoints for static pods stuck in init identity (Backport PR #​45211, Upstream PR #​45016, @​aaroniscode)
• Fix in-cluster NodePort connectivity failure in DSR mode when SocketLB is disabled. When a pod accesses a NodePort service via a remote node's IP (instead of the ClusterIP) and the selected backend resides on the same node as the client, the connection fails due to missing reverse NAT on the reply path. (Backport PR #​44968, Upstream PR #​41963, @​gyutaeb)
• Fix memory leak triggered by policies being created and deleted (Backport PR #​44828, Upstream PR #​44724, @​odinuge)
• Fix panic in Hubble Relay when new peer address is unresolvable (Backport PR #​45211, Upstream PR #​45021, @​pesarkhobeee)
• fix(datapath): ignore link-local IPv6 addresses for NodePort binding (Backport PR #​44974, Upstream PR #​44778, @​Bigdelle)
• Fixed a bug in dual-stack cluster-pool IPAM where an operator restart with a pre-existing duplicate IPv6 PodCIDR could cause the affected node's IPv4 PodCIDR to be incorrectly freed and reassigned to another node. (Backport PR #​44866, Upstream PR #​44832, @​christarazi)
• Fixed an issue where policy update ack is never completed after endpoint deletion. (Backport PR #​44818, Upstream PR #​44754, @​jrajahalme)
• Fixed ipcache identity update hang when last proxy listener is removed. (Backport PR #​45217, Upstream PR #​44597, @​jrajahalme)
• Fixes GRPCRoute being silently excluded from Envoy config when a Gateway listener explicitly sets allowedRoutes.kinds. (Backport PR #​44974, Upstream PR #​44826, @​eufriction)
• Fixes increased CPU usage in hubble observe caused by log coloring feature, even when coloring was disabled (Backport PR #​44828, Upstream PR #​44119, @​tporeba)
• lb: fix panic in orphan backend cleanup when addr is zero-value (Backport PR #​44994, Upstream PR #​44853, @​vipul-21)
• lb: Skip nil slots during BPF map restore to prevent panic (Backport PR #​44974, Upstream PR #​44895, @​vipul-21)
• operator/identitygc: fix nil pointer dereference on shutdown (Backport PR #​45211, Upstream PR #​45091, @​tsotne95)
• wal: Do not truncate in NewWriter (Backport PR #​44974, Upstream PR #​44886, @​joamaki)
• WireGuard now respects the underlay-protocol=ipv6 setting when selecting peer endpoints in dual-stack clusters with IPv6 underlay, fixing connectivity issues where IPv4 was incorrectly used despite being unreachable across nodes. (Backport PR #​45247, Upstream PR #​44629, @​tibrezus)

CI Changes:

• .github/workflows: disable cache for go steps (Backport PR #​45211, Upstream PR #​45073, @​aanm)
• .github/workflows: replace external set-commit-status action (Backport PR #​45211, Upstream PR #​45078, @​aanm)
• .github: cleanup disk before ci-verifier tests (Backport PR #​44994, Upstream PR #​44971, @​aanm)
• allocator: handle unlikely goroutine leak (Backport PR #​44828, Upstream PR #​44589, @​asauber)
• ci: add fail-fast false to ci image builds (Backport PR #​45211, Upstream PR #​45079, @​Artyop)
• ci: fix is-workflow-call check to handle empty input (Backport PR #​45052, Upstream PR #​45020, @​aanm)
• ci: fix PR branch pull step on stable pushes (Backport PR #​45052, Upstream PR #​45019, @​Artyop)
• ci: fix pr number check for base branch retrieval (Backport PR #​45052, Upstream PR #​45024, @​Artyop)
• ci: set TMPDIR=/host/tmp in datapath verifier tests (Backport PR #​45211, Upstream PR #​45047, @​aanm)
• ci: Switch catchpoint/workflow-telemetry-action to our fork (#​45219, @​YutaroHayakawa)
• Fix some test-e2e-upgrade issues (Backport PR #​45211, Upstream PR #​45075, @​aanm)
• fix: escape $ character in regex to prevent injection (Backport PR #​44828, Upstream PR #​44638, @​peoyekunle)
• fix: harden k8s apiserver endpoint access (Backport PR #​44994, Upstream PR #​44863, @​sekhar-isovalent)
• sockets: Ensure bpffs is mounted in TestPrivilegedSocketDestroyers (Backport PR #​45052, Upstream PR #​44979, @​christarazi)

Misc Changes:

• .github/workflows: do not use deployments for environments (Backport PR #​45211, Upstream PR #​44908, @​aanm)
• [v1.19] vendor: update google.golang.org/grpc to v1.79.3 (#​45345, @​aanm)
• bgp: Disable MPTCP in the MD5 probing in the test (Backport PR #​45211, Upstream PR #​45102, @​YutaroHayakawa)
• bgp: Introduce --with-attrs option to bgp/routes (Backport PR #​45211, Upstream PR #​45015, @​YutaroHayakawa)
• bpf: lxc: limit NAT buffer lookup to per-packet LB (Backport PR #​44968, Upstream PR #​44387, @​julianwiedmann)
• bpf: Reduce scope of large variables (Backport PR #​45211, Upstream PR #​45067, @​pchaigno)
• bpf: Use global function for snat_v6_needs_masquerade (Backport PR #​44828, Upstream PR #​44544, @​pchaigno)
• bpf_lxc: improve per-packet LB for NodePort services (Backport PR #​44968, Upstream PR #​44710, @​saiaunghlyanhtet)
• chore(deps): update all github action dependencies (v1.19) (#​44934, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45038, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45169, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45304, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​44674, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​45039, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​45305, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​44786, @​cilium-renovate[bot])
• chore(deps): update base-images to v1.25.9 (v1.19) (#​45273, @​cilium-renovate[bot])
• chore(deps): update dependency bufbuild/buf to v1.67.0 (v1.19) (#​45167, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.29 (v1.19) (#​45280, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 1487d0a (v1.19) (#​45035, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.25.9 docker digest to a95d3d1 (v1.19) (#​45315, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.9 (v1.19) (#​44929, @​cilium-renovate[bot])
• chore(deps): update module github.com/go-jose/go-jose/v4 to v4.1.4 [security] (v1.19) (#​45149, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260320123815-c9b9b51b278a (v1.19) (#​44930, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260408163332-73b2175ca510 (v1.19) (#​45302, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773729248-8de84653be3b2b3011e1cee5b3e702f6556fb3df (v1.19) (#​44931, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1774363526-9d47d40f80df306891816788b71415813ce49ef3 (v1.19) (#​45036, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.5-1775137579-2b3493aca96923190423ccec7e4dbc5f074ccad4 (v1.19) (#​45168, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1775912317-d56e4f5fec87556b7aaf3b8edeb100025ec87183 (v1.19) (#​45303, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1776000132-2437d2edeaf4d9b56ef279bd0d71127440c067aa (v1.19) (#​45320, @​cilium-renovate[bot])
• chore(deps): update quay.io/goswagger/swagger docker tag to v0.33.2 (v1.19) (#​44932, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.19) (patch) (#​45037, @​cilium-renovate[bot])
• docs: document reverse_sk map exhaustion impact on socket termination (Backport PR #​44860, Upstream PR #​44835, @​ysksuzuki)
• docs: Update sphinx theme to v3.1.0 (Backport PR #​45335, Upstream PR #​45289, @​joestringer)
• Fix EKS workflows misc errors (Backport PR #​45052, Upstream PR #​45023, @​aanm)
• fix(deps): update k8s.io patch updates stable to v0.35.3 (v1.19) (patch) (#​44933, @​cilium-renovate[bot])
• fix(deps): update k8s.io/utils digest to 28399d8 (v1.19) (#​44928, @​cilium-renovate[bot])
• fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 4b9911b (v1.19) (#​45177, @​cilium-renovate[bot])
• fix: using a local action needs checkout in eks-cluster-delete (Backport PR #​44994, Upstream PR #​44890, @​sekhar-isovalent)
• helm: Use bash instead of sh in init containers for Ubuntu 24.04 compatibility (Backport PR #​44828, Upstream PR #​44615, @​shivdesh)
• Probe support for BIG TCP for tunnels instead of relying on the config option. (Backport PR #​45211, Upstream PR #​43959, @​gentoo-root)

Other Changes:

• [v1.19] deps: bump cni plugins to v1.9.1 (#​45240, @​ferozsalam)
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.10 (v1.19) (#​45166, @​cilium-renovate[bot])
• install: Update image digests for v1.19.2 (#​44957, @​cilium-release-bot[bot])
• loadbalancer: Fix issue in resynchronization of state from api-server which may have left stale backends around until an updated EndpointSlice was received (#​45198, @​joamaki)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.3@​sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.3@​sha256:a8136a7615d6c6041d3aa6f2674d17beaec238170d669507ccc05328a778e2b7

docker-plugin

quay.io/cilium/docker-plugin:v1.19.3@​sha256:728c3903518b0b6904e7208143355b38b7e6de3b514694fb6098b25bb9457397

hubble-relay

quay.io/cilium/hubble-relay:v1.19.3@​sha256:5ee21d57b6ef2aa6db67e603a735fdceb162454b352b7335b651456e308f681b

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.3@​sha256:176321a65123373ff8c7823b25183102cbad98375e8d6c80b96d68b6e8491103

operator-aws

quay.io/cilium/operator-aws:v1.19.3@​sha256:a53dcbfb77282bf2ddd3abbe60f6d49762e7c1389a36cb35b71d504644a56640

operator-azure

quay.io/cilium/operator-azure:v1.19.3@​sha256:699c1571a3df1a98882ee13610d47cffb7b34ee7e8d276096db798a5f6c7e4cb

operator-generic

quay.io/cilium/operator-generic:v1.19.3@​sha256:205b09b0ed6accbf9fe688d312a9f0fcfc6a316fc081c23fbffb472af5dd62cd

operator

quay.io/cilium/operator:v1.19.3@​sha256:9075e6944996227574762ec0118caab0145d6e67f821409c4a6756b6b6caf6ea

v1.19.2: 1.19.2

Compare Source

Summary of Changes

Minor Changes:

• ztunnel/helm: move ztunnel daemonset management from operator to helm (Backport PR #​44593, Upstream PR #​43763, @​nddq)

Bugfixes:

• Add rate limiting to neighbor reconciler to reduce CPU usage and memory churn (Backport PR #​44699, Upstream PR #​43928, @​dylandreimerink)
• bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR #​44760, Upstream PR #​44658, @​smagnani96)
• cilium-dbg: fix seg-fault ip get -l reserved:host (Backport PR #​44517, Upstream PR #​44443, @​aanm)
• clustermesh: fix a few minor typo/issues in the MCS-API documentation (Backport PR #​44398, Upstream PR #​44299, @​MrFreezeex)
• clustermesh: fix a goroutine leak related to EndpointSliceSync when removing cluster (Backport PR #​44517, Upstream PR #​44444, @​MrFreezeex)
• clustermesh: fix a race condition where EndpointSlices created just before a cluster is removed could be left uncleaned (Backport PR #​44517, Upstream PR #​44503, @​MrFreezeex)
• Enable Cilium upgrade and downgrade when existing XDP attach types differ from new XDP programs (Backport PR #​44496, Upstream PR #​44209, @​dylandreimerink)
• Fix a bug where node IPv6 updates and deletes were not correctly propagated to the Linux kernel neighbor subsystem. (Backport PR #​44593, Upstream PR #​44540, @​tklauser)
• Fix bug where more Helm options were gated by loadbalancer option than intended (Backport PR #​44699, Upstream PR #​42916, @​mliner)
• Fix envoy admin socket being created as world-accessible (Backport PR #​44593, Upstream PR #​44512, @​0xch4z)
• Fix IPSec key rotation race condition where packets were dropped due to XFRM states not being ready when peers started using the new key. Also adds logging for key rotation flow. (Backport PR #​44699, Upstream PR #​44335, @​daanvinken)
• Fix tearing down wrong pod's veth in aws-cni chaining when using deterministic pod names (Backport PR #​44517, Upstream PR #​44494, @​aanm)
• Fixed a bug in service load balancing where backend slot assignments could have gaps when maintenance backends exist, potentially causing traffic misrouting. (Backport PR #​44398, Upstream PR #​43902, @​Aman-Cool)
• Fixed a bug where bandwidth priority updates were not applied when only the priority annotation was changed on a Pod. (Backport PR #​44517, Upstream PR #​44329, @​zbb88888)
• Fixed an issue where wildcard FQDN network policy identities were not correctly pushed to Envoy when using SNI-based policies. (Backport PR #​44517, Upstream PR #​44462, @​liyihuang)
• Fixed VTEP ARP responses returning 00:00:00:00:00:00 MAC due to interface MAC missing from eBPF Overlay configuration. (Backport PR #​44699, Upstream PR #​44513, @​akos011221)
• gateway-api: Fix hostname intersection bug that was preventing cert-manager challenges from working correctly. (Backport PR #​44517, Upstream PR #​44492, @​youngnick)
• gateway-api: Fixed some issues with TLSRoute attachment that will be covered by new conformance tests soon. (Backport PR #​44517, Upstream PR #​44397, @​youngnick)
• Grant permissions to the cilium-operator so that it can reconcile ServiceImport when the when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44517, Upstream PR #​44458, @​MrFreezeex)
• helm/ztunnel: Add host field to readiness probe to bind the health check port 15021 to 127.0.0.1 instead of 0.0.0.0 (Backport PR #​44593, Upstream PR #​44196, @​nddq)
• ingress: Ensure that the shared ingress exposes port 443 so that it can pass upstream loadbalancer health checks. (Backport PR #​44517, Upstream PR #​44229, @​xtineskim)
• ipam: Fix concurrent map access to multipool map (Backport PR #​44517, Upstream PR #​44150, @​christarazi)
• l7lb: fix bypassing ingress policies for local backends (Backport PR #​44800, Upstream PR #​44693, @​smagnani96)
• loadbalancer/healthserver: refresh ProxyRedirect per request (Backport PR #​44398, Upstream PR #​44286, @​mhofstetter)
• policy: Improve PASS handling for non-consecutive tiers and wildcard fallbacks (Backport PR #​44418, Upstream PR #​43917, @​TheBeeZee)

CI Changes:

• .github/workflows: eks-cluster-pool-manager: fix race condition and c… (Backport PR #​44398, Upstream PR #​44283, @​aanm)
• ci: add k8s 1.35 for AKS (Backport PR #​44699, Upstream PR #​44550, @​Artyop)
• ci: add k8s 1.35 for gke tests (Backport PR #​44699, Upstream PR #​44549, @​Artyop)
• ci: k8s 1.35 to EKS matrix (Backport PR #​44517, Upstream PR [#​44403](

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

qgr1-cluster-0 - helmrelease

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -54,12 +54,13 @@

   cluster-name: qgr1-cluster-0
   cluster-id: '1'
   routing-mode: native
   tunnel-protocol: vxlan
   tunnel-source-port-range: 0-0
   service-no-backend-response: reject
+  policy-deny-response: none
   enable-l7-proxy: 'true'
   enable-ipv4-masquerade: 'true'
   enable-ipv4-big-tcp: 'true'
   enable-ipv6-big-tcp: 'false'
   enable-ipv6-masquerade: 'true'
   enable-tcx: 'true'
@@ -76,23 +77,24 @@

   enable-bbr-hostns-only: 'false'
   enable-local-redirect-policy: 'true'
   ipv4-native-routing-cidr: 10.36.0.0/16
   devices: en+
   kube-proxy-replacement: 'true'
   kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
+  enable-no-service-endpoints-routable: 'true'
   bpf-lb-sock: 'true'
   bpf-lb-sock-hostns-only: 'true'
   nodeport-addresses: ''
   enable-health-check-nodeport: 'true'
   enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-mode: dsr
   bpf-lb-algorithm: maglev
   bpf-lb-acceleration: disabled
-  enable-svc-source-range-check: 'true'
+  enable-service-topology: 'false'
   enable-l2-neigh-discovery: 'false'
   k8s-require-ipv4-pod-cidr: 'false'
   k8s-require-ipv6-pod-cidr: 'false'
   enable-endpoint-routes: 'true'
   enable-k8s-networkpolicy: 'true'
   enable-endpoint-lockdown-on-policy-overflow: 'false'
@@ -120,54 +122,62 @@

   bgp-secrets-namespace: kube-system
   enable-bgp-control-plane-status-report: 'true'
   bgp-router-id-allocation-mode: default
   bgp-router-id-allocation-ip-pool: ''
   enable-bgp-legacy-origin-attribute: 'false'
   enable-pmtu-discovery: 'true'
+  packetization-layer-pmtud-mode: blackhole
   procfs: /host/proc
   bpf-root: /sys/fs/bpf
   cgroup-root: /run/cilium/cgroupv2
   identity-management-mode: agent
   enable-sctp: 'false'
   remove-cilium-node-taints: 'true'
   set-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
-  unmanaged-pod-watcher-interval: '15'
+  unmanaged-pod-watcher-interval: 15s
   dnsproxy-enable-transparent-mode: 'true'
   dnsproxy-socket-linger-timeout: '10'
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
   tofqdns-endpoint-max-ip-per-hostname: '1000'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
   tofqdns-proxy-response-max-delay: 100ms
   tofqdns-preallocate-identities: 'true'
   agent-not-ready-taint-key: node.cilium.io/agent-not-ready
-  mesh-auth-enabled: 'true'
+  mesh-auth-enabled: 'false'
   mesh-auth-queue-size: '1024'
   mesh-auth-rotated-identities-queue-size: '1024'
   mesh-auth-gc-interval: 5m0s
   proxy-xff-num-trusted-hops-ingress: '0'
   proxy-xff-num-trusted-hops-egress: '0'
   proxy-connect-timeout: '2'
   proxy-initial-fetch-timeout: '30'
+  proxy-max-active-downstream-connections: '50000'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
   proxy-idle-timeout-seconds: '60'
   proxy-max-concurrent-retries: '128'
+  proxy-use-original-source-address: 'true'
+  proxy-cluster-max-connections: '1024'
+  proxy-cluster-max-requests: '1024'
   http-retry-count: '3'
   http-stream-idle-timeout: '300'
   external-envoy-proxy: 'true'
   envoy-base-id: '0'
   envoy-access-log-buffer-size: '4096'
   envoy-keep-cap-netbindservice: 'false'
   max-connected-clusters: '255'
+  clustermesh-cache-ttl: 0s
   clustermesh-enable-endpoint-sync: 'false'
   clustermesh-enable-mcs-api: 'false'
-  policy-default-local-cluster: 'false'
+  clustermesh-mcs-api-install-crds: 'true'
+  policy-default-local-cluster: 'true'
   nat-map-stats-entries: '32'
   nat-map-stats-interval: 30s
-  enable-internal-traffic-policy: 'true'
   enable-lb-ipam: 'true'
   enable-non-default-deny-policies: 'true'
   enable-source-ip-verification: 'true'
+  enable-dynamic-config: 'true'
+  enable-drift-checker: 'true'
 
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config

@@ -3,8 +3,8 @@

 kind: ConfigMap
 metadata:
   name: cilium-envoy-config
   namespace: kube-system
 data:
   bootstrap-config.json: |
-    {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-health-listener"}]}}
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

@@ -72,12 +72,24 @@

   - watch
   - create
   - update
   - delete
   - patch
 - apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+  - patch
+- apiGroups:
   - cilium.io
   resources:
   - ciliumnetworkpolicies
   - ciliumclusterwidenetworkpolicies
   verbs:
   - create
@@ -164,13 +176,12 @@

   resources:
   - customresourcedefinitions
   verbs:
   - update
   resourceNames:
   - ciliumloadbalancerippools.cilium.io
-  - ciliumbgppeeringpolicies.cilium.io
   - ciliumbgpclusterconfigs.cilium.io
   - ciliumbgppeerconfigs.cilium.io
   - ciliumbgpadvertisements.cilium.io
   - ciliumbgpnodeconfigs.cilium.io
   - ciliumbgpnodeconfigoverrides.cilium.io
   - ciliumclusterwideenvoyconfigs.cilium.io
@@ -272,7 +283,13 @@

   resources:
   - serviceimports
   verbs:
   - get
   - list
   - watch
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumendpointslices
+  verbs:
+  - deletecollection
 
--- HelmRelease: kube-system/cilium Service: kube-system/cilium-envoy

+++ HelmRelease: kube-system/cilium Service: kube-system/cilium-envoy

@@ -18,8 +18,8 @@

   selector:
     k8s-app: cilium-envoy
   ports:
   - name: envoy-metrics
     port: 9964
     protocol: TCP
-    targetPort: envoy-metrics
+    targetPort: 9964
 
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,13 +16,13 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 0aaec65d6662e6a0823e80c87180cdd90a34513c222faec286e03d6e170bf382
+        cilium.io/cilium-configmap-checksum: 832590e13e507f2e137adfb34f6a3a60a5ffa708280b5ea31a4d4d614415ee14
         kubectl.kubernetes.io/default-container: cilium-agent
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
@@ -30,36 +30,36 @@

         appArmorProfile:
           type: Unconfined
         seccompProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.18.5@sha256:2c92fb05962a346eaf0ce11b912ba434dc10bd54b9989e970416681f4a069628
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9879
+            port: health
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
           failureThreshold: 300
           periodSeconds: 2
           successThreshold: 1
           initialDelaySeconds: 5
         livenessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9879
+            port: health
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
             - name: require-k8s-connectivity
               value: 'false'
@@ -68,13 +68,13 @@

           failureThreshold: 10
           timeoutSeconds: 5
         readinessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9879
+            port: health
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
           periodSeconds: 30
           successThreshold: 1
@@ -133,12 +133,17 @@

                 fi
                 echo 'Done!'
           preStop:
             exec:
               command:
               - /cni-uninstall.sh
+        ports:
+        - name: health
+          containerPort: 9879
+          hostPort: 9879
+          protocol: TCP
         securityContext:
           seLinuxOptions:
             level: s0
             type: spc_t
           capabilities:
             add:
@@ -185,13 +190,13 @@

         - name: xtables-lock
           mountPath: /run/xtables.lock
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.18.5@sha256:2c92fb05962a346eaf0ce11b912ba434dc10bd54b9989e970416681f4a069628
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -209,22 +214,28 @@

         - name: KUBERNETES_SERVICE_PORT
           value: '6443'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+            drop:
+            - ALL
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.18.5@sha256:2c92fb05962a346eaf0ce11b912ba434dc10bd54b9989e970416681f4a069628
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /run/cilium/cgroupv2
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
-        - sh
+        - bash
         - -ec
         - |
           cp /usr/bin/cilium-mount /hostbin/cilium-mount;
           nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
           rm /hostbin/cilium-mount
         volumeMounts:
@@ -242,19 +253,19 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.18.5@sha256:2c92fb05962a346eaf0ce11b912ba434dc10bd54b9989e970416681f4a069628
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
-        - sh
+        - bash
         - -ec
         - |
           cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
           nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
           rm /hostbin/cilium-sysctlfix
         volumeMounts:
@@ -272,13 +283,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.18.5@sha256:2c92fb05962a346eaf0ce11b912ba434dc10bd54b9989e970416681f4a069628
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -288,13 +299,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.18.5@sha256:2c92fb05962a346eaf0ce11b912ba434dc10bd54b9989e970416681f4a069628
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -336,17 +347,20 @@

         - name: cilium-cgroup
           mountPath: /run/cilium/cgroupv2
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.18.5@sha256:2c92fb05962a346eaf0ce11b912ba434dc10bd54b9989e970416681f4a069628
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
+          limits:
+            cpu: 1
+            memory: 1Gi
           requests:
             cpu: 100m
             memory: 10Mi
         securityContext:
           seLinuxOptions:
             level: s0
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

@@ -28,13 +28,13 @@

     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-envoy
-        image: quay.io/cilium/cilium-envoy:v1.34.12-1765374555-6a93b0bbba8d6dc75b651cbafeedb062b2997716@sha256:3108521821c6922695ff1f6ef24b09026c94b195283f8bfbfc0fa49356a156e1
+        image: quay.io/cilium/cilium-envoy:v1.36.6-1778235340-b87d1e32f522b33bd51701c6476d199326f01496@sha256:71d4fa0ec45e8d546dbd5604e169dc77fe92be63b799313bff031d00d89762e3
         imagePullPolicy: IfNotPresent
         command:
         - /usr/bin/cilium-envoy-starter
         args:
         - --
         - -c /var/run/cilium/envoy/bootstrap-config.json
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,25 +20,25 @@

       maxSurge: 25%
       maxUnavailable: 50%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 0aaec65d6662e6a0823e80c87180cdd90a34513c222faec286e03d6e170bf382
+        cilium.io/cilium-configmap-checksum: 832590e13e507f2e137adfb34f6a3a60a5ffa708280b5ea31a4d4d614415ee14
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.18.5@sha256:36c3f6f14c8ced7f45b40b0a927639894b44269dd653f9528e7a0dc363a4eb99
+        image: quay.io/cilium/operator-generic:v1.19.4@sha256:1aa2b62735e7d8ab49ee840ae59c346932024c88901579121395c1271b435f71
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
@@ -60,26 +60,30 @@

               name: cilium-config
               optional: true
         - name: KUBERNETES_SERVICE_HOST
           value: qgr1-k8s.mole-bowfin.ts.net
         - name: KUBERNETES_SERVICE_PORT
           value: '6443'
+        ports:
+        - name: health
+          containerPort: 9234
+          hostPort: 9234
         livenessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9234
+            port: health
             scheme: HTTP
           initialDelaySeconds: 60
           periodSeconds: 10
           timeoutSeconds: 3
         readinessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9234
+            port: health
             scheme: HTTP
           initialDelaySeconds: 0
           periodSeconds: 5
           timeoutSeconds: 3
           failureThreshold: 5
         volumeMounts:
--- HelmRelease: kube-system/cilium Role: kube-system/cilium-operator-ztunnel

+++ HelmRelease: kube-system/cilium Role: kube-system/cilium-operator-ztunnel

@@ -0,0 +1,20 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-operator-ztunnel
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+
--- HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-operator-ztunnel

+++ HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-operator-ztunnel

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-operator-ztunnel
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-operator-ztunnel
+subjects:
+- kind: ServiceAccount
+  name: cilium-operator
+  namespace: kube-system
+

[github-actions]

qgr1-cluster-0 - kustomization

--- k8s/base/kube-system/cilium Kustomization: flux-system/kube-system-cilium HelmRelease: kube-system/cilium

+++ k8s/base/kube-system/cilium Kustomization: flux-system/kube-system-cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium-charts
         namespace: flux-system
-      version: 1.18.5
+      version: 1.19.4
   install:
     createNamespace: true
     remediation:
       retries: 50
     timeout: 15m
   interval: 30m