fix(container): update image ghcr.io/home-operations/charts-mirror/cilium (1.18.3 → 1.18.4)

[yo-renovate]

This PR contains the following updates:

Package	Update	Change
ghcr.io/home-operations/charts-mirror/cilium (source)	patch	1.18.3 -> 1.18.4

---

Release Notes

cilium/cilium (ghcr.io/home-operations/charts-mirror/cilium)

v1.18.4: 1.18.4

Compare Source

Security Advisories

This release addresses GHSA-38pp-6gcp-rqvm.

Summary of Changes

Minor Changes:

• fix indentation for certgen resources in helm templates (Backport PR #​42450, Upstream PR #​42412, @​sdickhoven)

Bugfixes:

• bpf: Do not accidentally update IPcache in cluster-aware routing (Backport PR #​42577, Upstream PR #​42472, @​brb)
• cilium-operator: ciliumendpoints are not garbage collected until a minimum age is reached (5m by default) (Backport PR #​42577, Upstream PR #​42413, @​zhouhaibing089)
• controller: avoid spurious errors when RemoveControllerAndWait is invoked when the controller does not exist (Backport PR #​42617, Upstream PR #​41384, @​asdfmi)
• encrypt status: also check tcx attachment on interfaces (Backport PR #​42450, Upstream PR #​42328, @​bersoare)
• envoy: pass stream idle timeout from Helm to configmap (Backport PR #​42617, Upstream PR #​42499, @​mhofstetter)
• Fix BGP operator crash when bgp-secrets-namespace not set. (Backport PR #​42577, Upstream PR #​42425, @​rastislavs)
• Fix cilium_operator_lbipam_conflicting_pools metric to report correct value. (Backport PR #​42289, Upstream PR #​41999, @​hanapedia)
• Fix issue where fqdn GC starts too early that results in potentially missed ips in the IPCache (Backport PR #​42617, Upstream PR #​42502, @​odinuge)
• Fix potential policy deadlock causing endpoint to use previous identity for policy calculation when endpoint changes identity (Backport PR #​42617, Upstream PR #​42420, @​odinuge)
• Fix the output of cilium lrp list command to show LRP selected backends. (Backport PR #​42577, Upstream PR #​42110, @​Bigdelle)
• Fix trace aggregation for IPv4 Host Firewall, reducing the amount of generated events. (Backport PR #​42617, Upstream PR #​42595, @​smagnani96)
• fix: Panic during endpoint restore due to nil logger (Backport PR #​42450, Upstream PR #​42385, @​pinaki-08)
• gatewayAPI: correctly handle reference to CGCC as cluster-scoped resource instead of namespaced one (Backport PR #​42289, Upstream PR #​42172, @​oblazek)
• operator/ciliumenvoyconfig: consistently propagate --http-stream-idle-timeout value (Backport PR #​42577, Upstream PR #​42495, @​tklauser)
• policy: prevent incorrect mutation of network policy when using policy-default-local-cluster (Backport PR #​42698, Upstream PR #​42668, @​MrFreezeex)
• Preventing removal of existing tproxy iptables rules for other services when they share a name prefix. (Backport PR #​42450, Upstream PR #​42236, @​dackroyd)
• When using the Egress Strict Mode for Transparent Encryption with Wireguard, packets destined to the local host are no longer excluded from encryption enforcement (when leaving the node), and will be dropped. (Backport PR #​42450, Upstream PR #​42419, @​julianwiedmann)

CI Changes:

• .github/actions/e2e: define static job names (Backport PR #​42435, Upstream PR #​42332, @​aanm)
• [v1.18] .github/workflows: Add base-SHA input to ariane triggered workflows (#​42192, @​dylandreimerink)
• ci: Allow for alpine image overwrite within cache Dockerfile (Backport PR #​42289, Upstream PR #​42108, @​jpayne3506)
• conformance-aws-cni: disable l7 proxy with aws-cni (Backport PR #​42617, Upstream PR #​42578, @​aanm)
• Deflake TestNodeManagerAbortReleaseIPReassignment (Backport PR #​42577, Upstream PR #​42276, @​lconnery)
• gh: ginkgo: fix focus for service hairpin test (Backport PR #​42641, Upstream PR #​42633, @​julianwiedmann)
• gh: ginkgo: reduce number of tested k8s versions in PRs (Backport PR #​42470, Upstream PR #​42465, @​julianwiedmann)
• gh: ginkgo: replace rhel8 with 5.10 kernel (Backport PR #​42449, Upstream PR #​42084, @​julianwiedmann)
• gha/conformance-clustermesh: let service nodeport be selected randomly (Backport PR #​42617, Upstream PR #​41697, @​giorio94)
• gha: allow configuring runner for workflows building Cilium binaries (Backport PR #​42617, Upstream PR #​42582, @​giorio94)
• Testing for RHEL8 compatibility now uses a RHEL8.10-compatible kernel (previously this was a RHEL8.6-compatible kernel). (Backport PR #​42604, Upstream PR #​41639, @​julianwiedmann)

Misc Changes:

• [v1.18] deps: bump CNI plugins version (#​42443, @​ferozsalam)
• bpf: host: remove stale code comment (Backport PR #​42450, Upstream PR #​42237, @​julianwiedmann)
• bpf: lxc: always set identity mark on forwarded egressing traffic (Backport PR #​42617, Upstream PR #​42551, @​julianwiedmann)
• bpf: nodeport: don't include EGW reply hook in bpf_wireguard (Backport PR #​42450, Upstream PR #​42187, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.18) (#​42397, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​42541, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​42682, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.8 (v1.18) (#​42346, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e3652a0 (v1.18) (#​42539, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.10 docker digest to c3ea417 (v1.18) (#​42679, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.9 docker digest to 5034fa4 (v1.18) (#​42396, @​cilium-renovate[bot])
• chore(deps): update github artifact actions (v1.18) (#​42398, @​cilium-renovate[bot])
• chore(deps): update go to v1.24.10 (v1.18) (#​42621, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.10-1762597008-ff7ae7d623be00078865cff1b0672cc5d9bfc6d5 (v1.18) (#​42680, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-llvm docker tag to v1758805548 (v1.18) (#​42399, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​42540, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​42681, @​cilium-renovate[bot])
• ci: Add workflow permissions for auto-approve and renovate (Backport PR #​42450, Upstream PR #​42281, @​kyle-c-simmons)
• ci: Fix call-backport-label-updater permissions (Backport PR #​42450, Upstream PR #​42510, @​kyle-c-simmons)
• ci: Update hubble test workflow permissions (Backport PR #​42450, Upstream PR #​41911, @​kyle-c-simmons)
• cilium, routes: Downgrade warning on direct-routing-skip-unreachable (Backport PR #​42289, Upstream PR #​42210, @​borkmann)
• docs: tuning: remove some references to old kernels (Backport PR #​42617, Upstream PR #​42601, @​julianwiedmann)
• Docs: update fragmentation docs to reflect ipv6 (Backport PR #​42289, Upstream PR #​41748, @​tommyp1ckles)
• fix: run post-release and publish-helm workflows on cilium org (Backport PR #​42450, Upstream PR #​42279, @​sekhar-isovalent)
• loadbalancer: fix up code comment (Backport PR #​42450, Upstream PR #​42273, @​julianwiedmann)
• Log proxy instance creation at debug level (Backport PR #​42617, Upstream PR #​42319, @​sjohnsonpal)
• operator: Prevent panic when GCing identities (Backport PR #​42289, Upstream PR #​42217, @​HadrienPatte)
• pkg/nodediscover: Don't log warnings for intermittent updates (Backport PR #​42577, Upstream PR #​42505, @​aditighag)

Other Changes:

• [v1.18] ipam: fix TestNodeManagerAbortReleaseIPReassignment test (#​42636, @​rastislavs)
• [v1.18] test: ginkgo: skip BPF masq tests on configs without external node (#​42462, @​julianwiedmann)
• install: Update image digests for v1.18.3 (#​42344, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.4@​sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
quay.io/cilium/cilium:stable@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.4@​sha256:c240a7cbead5479d9085b5e837977bf6750164167a1c9f956720815d160d447d
quay.io/cilium/clustermesh-apiserver:stable@sha256:c240a7cbead5479d9085b5e837977bf6750164167a1c9f956720815d160d447d

docker-plugin

quay.io/cilium/docker-plugin:v1.18.4@​sha256:5ec897904e4bd9784df8353b1bdc3559f541f4ca5957103addd46b600430888a
quay.io/cilium/docker-plugin:stable@sha256:5ec897904e4bd9784df8353b1bdc3559f541f4ca5957103addd46b600430888a

hubble-relay

quay.io/cilium/hubble-relay:v1.18.4@​sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723
quay.io/cilium/hubble-relay:stable@sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.4@​sha256:c57d07e5dde3a1974c5cd5d46596db5ea7264f66e9e4ce98a59236aa88b857f7
quay.io/cilium/operator-alibabacloud:stable@sha256:c57d07e5dde3a1974c5cd5d46596db5ea7264f66e9e4ce98a59236aa88b857f7

operator-aws

quay.io/cilium/operator-aws:v1.18.4@​sha256:f4c19007a804d37c781d6c8982006c5f1d8a890941036f9ab285e517fd181336
quay.io/cilium/operator-aws:stable@sha256:f4c19007a804d37c781d6c8982006c5f1d8a890941036f9ab285e517fd181336

operator-azure

quay.io/cilium/operator-azure:v1.18.4@​sha256:19e7465ec8b151ec444757b6ce583b7a0d1e5e9fc5e3aef31d90e93019f599ca
quay.io/cilium/operator-azure:stable@sha256:19e7465ec8b151ec444757b6ce583b7a0d1e5e9fc5e3aef31d90e93019f599ca

operator-generic

quay.io/cilium/operator-generic:v1.18.4@​sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012
quay.io/cilium/operator-generic:stable@sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012

operator

quay.io/cilium/operator:v1.18.4@​sha256:78a4f6fb8da0556ed3648aeb789988bd2cb6847c805fb73e381f3e3b17dce0a5
quay.io/cilium/operator:stable@sha256:78a4f6fb8da0556ed3648aeb789988bd2cb6847c805fb73e381f3e3b17dce0a5

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[yo-renovate]

--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium OCIRepository: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium OCIRepository: kube-system/cilium

@@ -10,9 +10,9 @@

 spec:
   interval: 15m
   layerSelector:
     mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
     operation: copy
   ref:
-    tag: 1.18.3
+    tag: 1.18.4
   url: oci://ghcr.io/home-operations/charts-mirror/cilium
 

[yo-renovate]

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -143,12 +143,13 @@

   proxy-initial-fetch-timeout: '30'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
   proxy-idle-timeout-seconds: '60'
   proxy-max-concurrent-retries: '128'
   http-retry-count: '3'
+  http-stream-idle-timeout: '300'
   external-envoy-proxy: 'false'
   envoy-base-id: '0'
   envoy-access-log-buffer-size: '4096'
   envoy-keep-cap-netbindservice: 'false'
   max-connected-clusters: '255'
   clustermesh-enable-endpoint-sync: 'false'
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,13 +16,13 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: ce3aad719b63b52643a1806fb8c93aeee222be41808c686aa61ceeac5dee732b
+        cilium.io/cilium-configmap-checksum: ecb3e1dab2615f234e3b98da2ddf391fa4751c65a98f26fc38da3f68315ad8ef
         kubectl.kubernetes.io/default-container: cilium-agent
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
@@ -30,13 +30,13 @@

         appArmorProfile:
           type: Unconfined
         seccompProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -197,13 +197,13 @@

         - name: xtables-lock
           mountPath: /run/xtables.lock
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -222,13 +222,13 @@

           value: '7445'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /sys/fs/cgroup
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -254,13 +254,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -284,13 +284,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -300,13 +300,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -348,13 +348,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,25 +20,25 @@

       maxSurge: 25%
       maxUnavailable: 100%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: ce3aad719b63b52643a1806fb8c93aeee222be41808c686aa61ceeac5dee732b
+        cilium.io/cilium-configmap-checksum: ecb3e1dab2615f234e3b98da2ddf391fa4751c65a98f26fc38da3f68315ad8ef
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.18.3@sha256:b5a0138e1a38e4437c5215257ff4e35373619501f4877dbaf92c89ecfad81797
+        image: quay.io/cilium/operator-generic:v1.18.4@sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)