🌱 Bump github.com/cilium/cilium from 1.17.3 to 1.17.4 #389

dependabot · 2025-05-19T08:15:55Z

Bumps github.com/cilium/cilium from 1.17.3 to 1.17.4.

Release notes

Sourced from github.com/cilium/cilium's releases.

1.17.4

Summary of Changes

Minor Changes:

Add TRACE_{FROM/TO}_CRYPTO observation point and bpf metrics for packets forwarded-to/received-from Wireguard. (Backport PR cilium/cilium#39260, Upstream PR cilium/cilium#34958, @smagnani96)

Cilium Agent liveness probe no longer fails if Kubernetes apiserver cannot be reached. Earlier the agent was restarted if the apiserver could not be reached for approximately 5 minutes. This avoids traffic disruptions on apiserver downtime (e.g. due to maintenance) for features such as L7 and FQDN proxy that require cilium-agent to always be up. (Backport PR cilium/cilium#38703, Upstream PR cilium/cilium#38458, @joamaki)

Update kafka apiKey helm chart value to true (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#38963, @kyle-c-simmons)

Bugfixes:

bpf: nodeport: avoid accidental NAT46x64 clash in from-container (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#38916, @julianwiedmann)

Check the TLSRoute and HasServiceImportSupport through the CRD. (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#39122, @liyihuang)

Fix a bug where a CiliumNetworkPolicy/CiliumClusterwideNetworkPolicy containing invalid rules would not be reported with invalid status. (Backport PR cilium/cilium#38948, Upstream PR cilium/cilium#38801, @tklauser)

Fix a bug where services would fail to match wildcard protocols after switching to Local traffic policy with protocol differentiation enabled. (Backport PR cilium/cilium#39404, Upstream PR cilium/cilium#39360, @pasteley)

Fix a deadlock when a host has no IPv4 address. (Backport PR cilium/cilium#39075, Upstream PR cilium/cilium#38938, @EmilyShepherd)

Fix a panic happening in the ipset reconciler when a previous reconciliation failed. (Backport PR cilium/cilium#39075, Upstream PR cilium/cilium#38890, @pippolo84)

Fix bug that would cause the cilium-dbg encrypt status command to not list any decryption interfaces when KPR is enabled. (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#39170, @pchaigno)

Fixes a bug where layer-7 rules would override enableDefaultDeny: false, incorrectly dropping traffic. (Backport PR cilium/cilium#39375, Upstream PR cilium/cilium#38841, @nimishamehta5)

gateway-api: Fix Gateway reconciler failure when TLSRoute CRD is not installed (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#38874, @syedazeez337)

gateway-api: Fix parentRefMatched to check Group and Kind (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#39275, @syedazeez337)

helm: fix hubble dynamic metrics config conflict (Backport PR cilium/cilium#39075, Upstream PR cilium/cilium#38893, @devodev)

ipsec: Fix key derivation error in case of corrupted boot IDs (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#39059, @pchaigno)

k8s: Fixed a case when delete event for service endpointslices might have been missed if connectivity to k8s apiserver was broken causing stale service cache for service. (Backport PR cilium/cilium#38948, Upstream PR cilium/cilium#38779, @marseel)

wireguard:overlay: cleanup calls map when unused (Backport PR cilium/cilium#38899, Upstream PR cilium/cilium#38655, @smagnani96)

xds: Fix a case in which after cilium-agent we were not sending updated resources to Envoy (Backport PR cilium/cilium#38977, Upstream PR cilium/cilium#38654, @marseel)

CI Changes:

.github/workflows: Enable DualStack for conformance-kind-proxy-embedded (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#36398, @dylandreimerink)

cilium/cilium#39408@joestringer)

Align main and stable branch workflows for availability of cilium-cli (Backport PR cilium/cilium#38141, Upstream PR cilium/cilium#38138, @joestringer)

bpf: tests: fix ethertype when building inner headers of VXLAN packet (Backport PR cilium/cilium#39075, Upstream PR cilium/cilium#39060, @julianwiedmann)

ci-aks: Enable dual-stack in Conformance AKS (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#37704, @gandro)

gateway-api: Add translation tests for GAMMA (Backport PR cilium/cilium#39221, Upstream PR cilium/cilium#39207, @sayboras)

gh: e2e-upgrade: check for unexpected drops from connectivity tests (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#39111, @julianwiedmann)

gh: e2e-upgrade: generate config matrix from file (Backport PR cilium/cilium#39058, Upstream PR cilium/cilium#38512, @julianwiedmann)

gh: e2e-upgrade: minor log output improvements (Backport PR cilium/cilium#39058, Upstream PR cilium/cilium#38011, @julianwiedmann)

gh: use e2e-upgrade for IPsec minor upgrade testing (Backport PR cilium/cilium#39058, Upstream PR cilium/cilium#38757, @julianwiedmann)

gha: always respect the given image tag in the wait-for-images action (Backport PR cilium/cilium#38141, Upstream PR cilium/cilium#37901, @giorio94)

rate: Disable TestStressRateLimiter (Backport PR cilium/cilium#38896, Upstream PR cilium/cilium#38877, @YutaroHayakawa)

Misc Changes:

cilium/cilium#39329@ferozsalam)

cilium/cilium#39491@ferozsalam)

Add the doc for multi-pool ipam about how to update the existing ip pool (Backport PR cilium/cilium#38948, Upstream PR cilium/cilium#38539, @liyihuang)

bpf: host: use MARK_MAGIC_EGW_DONE-embedded identity in to-netdev (Backport PR cilium/cilium#38948, Upstream PR cilium/cilium#38768, @julianwiedmann)

bpf: nat: ICMP v4 improvements (Backport PR cilium/cilium#39332, Upstream PR cilium/cilium#36767, @julianwiedmann)

bpf:hubble: update trace/drop notify for L2-less packets (Backport PR cilium/cilium#39263, Upstream PR cilium/cilium#37097, @smagnani96)

cilium/cilium#39183@cilium-renovate[bot])

cilium/cilium#39316@cilium-renovate[bot])

cilium/cilium#38908@cilium-renovate[bot])

... (truncated)

Changelog

Sourced from github.com/cilium/cilium's changelog.

v1.17.4

Summary of Changes

Minor Changes:

Add TRACE_{FROM/TO}_CRYPTO observation point and bpf metrics for packets forwarded-to/received-from Wireguard. (Backport PR cilium/cilium#39260, Upstream PR cilium/cilium#34958, @smagnani96)

Cilium Agent liveness probe no longer fails if Kubernetes apiserver cannot be reached. Earlier the agent was restarted if the apiserver could not be reached for approximately 5 minutes. This avoids traffic disruptions on apiserver downtime (e.g. due to maintenance) for features such as L7 and FQDN proxy that require cilium-agent to always be up. (Backport PR cilium/cilium#38703, Upstream PR cilium/cilium#38458, @joamaki)

Update kafka apiKey helm chart value to true (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#38963, @kyle-c-simmons)

Bugfixes:

bpf: nodeport: avoid accidental NAT46x64 clash in from-container (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#38916, @julianwiedmann)

Check the TLSRoute and HasServiceImportSupport through the CRD. (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#39122, @liyihuang)

Fix a bug where a CiliumNetworkPolicy/CiliumClusterwideNetworkPolicy containing invalid rules would not be reported with invalid status. (Backport PR cilium/cilium#38948, Upstream PR cilium/cilium#38801, @tklauser)

Fix a bug where services would fail to match wildcard protocols after switching to Local traffic policy with protocol differentiation enabled. (Backport PR cilium/cilium#39404, Upstream PR cilium/cilium#39360, @pasteley)

Fix a deadlock when a host has no IPv4 address. (Backport PR cilium/cilium#39075, Upstream PR cilium/cilium#38938, @EmilyShepherd)

Fix a panic happening in the ipset reconciler when a previous reconciliation failed. (Backport PR cilium/cilium#39075, Upstream PR cilium/cilium#38890, @pippolo84)

Fix bug that would cause the cilium-dbg encrypt status command to not list any decryption interfaces when KPR is enabled. (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#39170, @pchaigno)

Fixes a bug where layer-7 rules would override enableDefaultDeny: false, incorrectly dropping traffic. (Backport PR cilium/cilium#39375, Upstream PR cilium/cilium#38841, @nimishamehta5)

gateway-api: Fix Gateway reconciler failure when TLSRoute CRD is not installed (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#38874, @syedazeez337)

gateway-api: Fix parentRefMatched to check Group and Kind (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#39275, @syedazeez337)

helm: fix hubble dynamic metrics config conflict (Backport PR cilium/cilium#39075, Upstream PR cilium/cilium#38893, @devodev)

ipsec: Fix key derivation error in case of corrupted boot IDs (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#39059, @pchaigno)

k8s: Fixed a case when delete event for service endpointslices might have been missed if connectivity to k8s apiserver was broken causing stale service cache for service. (Backport PR cilium/cilium#38948, Upstream PR cilium/cilium#38779, @marseel)

wireguard:overlay: cleanup calls map when unused (Backport PR cilium/cilium#38899, Upstream PR cilium/cilium#38655, @smagnani96)

xds: Fix a case in which after cilium-agent we were not sending updated resources to Envoy (Backport PR cilium/cilium#38977, Upstream PR cilium/cilium#38654, @marseel)

CI Changes:

.github/workflows: Enable DualStack for conformance-kind-proxy-embedded (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#36398, @dylandreimerink)

cilium/cilium#39408@joestringer)

Align main and stable branch workflows for availability of cilium-cli (Backport PR cilium/cilium#38141, Upstream PR cilium/cilium#38138, @joestringer)

bpf: tests: fix ethertype when building inner headers of VXLAN packet (Backport PR cilium/cilium#39075, Upstream PR cilium/cilium#39060, @julianwiedmann)

ci-aks: Enable dual-stack in Conformance AKS (Backport PR cilium/cilium#39377, Upstream PR cilium/cilium#37704, @gandro)

gateway-api: Add translation tests for GAMMA (Backport PR cilium/cilium#39221, Upstream PR cilium/cilium#39207, @sayboras)

gh: e2e-upgrade: check for unexpected drops from connectivity tests (Backport PR cilium/cilium#39214, Upstream PR cilium/cilium#39111, @julianwiedmann)

gh: e2e-upgrade: generate config matrix from file (Backport PR cilium/cilium#39058, Upstream PR cilium/cilium#38512, @julianwiedmann)

gh: e2e-upgrade: minor log output improvements (Backport PR cilium/cilium#39058, Upstream PR cilium/cilium#38011, @julianwiedmann)

gh: use e2e-upgrade for IPsec minor upgrade testing (Backport PR cilium/cilium#39058, Upstream PR cilium/cilium#38757, @julianwiedmann)

gha: always respect the given image tag in the wait-for-images action (Backport PR cilium/cilium#38141, Upstream PR cilium/cilium#37901, @giorio94)

rate: Disable TestStressRateLimiter (Backport PR cilium/cilium#38896, Upstream PR cilium/cilium#38877, @YutaroHayakawa)

Misc Changes:

cilium/cilium#39329@ferozsalam)

cilium/cilium#39491@ferozsalam)

Add the doc for multi-pool ipam about how to update the existing ip pool (Backport PR cilium/cilium#38948, Upstream PR cilium/cilium#38539, @liyihuang)

bpf: host: use MARK_MAGIC_EGW_DONE-embedded identity in to-netdev (Backport PR cilium/cilium#38948, Upstream PR cilium/cilium#38768, @julianwiedmann)

bpf: nat: ICMP v4 improvements (Backport PR cilium/cilium#39332, Upstream PR cilium/cilium#36767, @julianwiedmann)

bpf:hubble: update trace/drop notify for L2-less packets (Backport PR cilium/cilium#39263, Upstream PR cilium/cilium#37097, @smagnani96)

cilium/cilium#39183@cilium-renovate[bot])

cilium/cilium#39316@cilium-renovate[bot])

... (truncated)

Commits

55aecc0 Prepare for release v1.17.4
357f5b4 dynamicconfig: Fix flake in TestDynamicConfigMap
7ec52f8 k8s: TransformMany should objects to delete
6da79a2 k8s/testutils: Fallback to k8s decoder
9b70924 docs: masquerade notes for eni mode with eks mode
6ce1005 bpf: clarify DROP_UNKNOWN_ICMP_* macros
4c028b9 bpf: nat: support IPv4 NAT for ICMP_TIME_EXCEEDED
378c200 bpf: nat: cover all IPv4 DEST_UNREACH codes
0026f2a deps: bump golang-jwt to 4.5.2
2de1ed9 Stop TLS Interception config being included in preflight
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

codecov · 2025-05-19T08:19:17Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 73.50%. Comparing base (196ae85) to head (702595e).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #389   +/-   ##
=======================================
  Coverage   73.50%   73.50%           
=======================================
  Files          15       15           
  Lines        2744     2744           
=======================================
  Hits         2017     2017           
  Misses        547      547           
  Partials      180      180

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

rahulait · 2025-05-19T18:37:11Z

@dependabot rebase

Bumps [github.com/cilium/cilium](https://github.com/cilium/cilium) from 1.17.3 to 1.17.4. - [Release notes](https://github.com/cilium/cilium/releases) - [Changelog](https://github.com/cilium/cilium/blob/1.17.4/CHANGELOG.md) - [Commits](cilium/cilium@1.17.3...1.17.4) --- updated-dependencies: - dependency-name: github.com/cilium/cilium dependency-version: 1.17.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github.com/cilium/cilium](https://github.com/cilium/cilium) from 1.17.3 to 1.17.4. - [Release notes](https://github.com/cilium/cilium/releases) - [Changelog](https://github.com/cilium/cilium/blob/1.17.4/CHANGELOG.md) - [Commits](cilium/cilium@1.17.3...1.17.4) --- updated-dependencies: - dependency-name: github.com/cilium/cilium dependency-version: 1.17.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot bot added the dependencies dependency updates including security fixes label May 19, 2025

dependabot bot had a problem deploying to prod May 19, 2025 08:16 Failure

dependabot bot temporarily deployed to prod May 19, 2025 08:16 Inactive

dependabot bot force-pushed the dependabot/go_modules/github.com/cilium/cilium-1.17.4 branch from 3651e8c to f4c02e4 Compare May 19, 2025 15:14

dependabot bot had a problem deploying to prod May 19, 2025 15:14 Failure

dependabot bot temporarily deployed to prod May 19, 2025 15:14 Inactive

dependabot bot force-pushed the dependabot/go_modules/github.com/cilium/cilium-1.17.4 branch from f4c02e4 to 702595e Compare May 19, 2025 18:38

dependabot bot temporarily deployed to prod May 19, 2025 18:38 Inactive

rahulait approved these changes May 19, 2025

View reviewed changes

rahulait merged commit 8cad101 into main May 19, 2025
9 checks passed

dependabot bot deleted the dependabot/go_modules/github.com/cilium/cilium-1.17.4 branch May 19, 2025 19:21

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

🌱 Bump github.com/cilium/cilium from 1.17.3 to 1.17.4 #389

🌱 Bump github.com/cilium/cilium from 1.17.3 to 1.17.4 #389

Uh oh!

dependabot bot commented on behalf of github May 19, 2025 •

edited

Loading

Uh oh!

codecov bot commented May 19, 2025 •

edited

Loading

Uh oh!

rahulait commented May 19, 2025

Uh oh!

Uh oh!

Uh oh!

🌱 Bump github.com/cilium/cilium from 1.17.3 to 1.17.4 #389

🌱 Bump github.com/cilium/cilium from 1.17.3 to 1.17.4 #389

Uh oh!

Conversation

dependabot bot commented on behalf of github May 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

1.17.4

Summary of Changes

v1.17.4

Summary of Changes

Uh oh!

codecov bot commented May 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

rahulait commented May 19, 2025

Uh oh!

Uh oh!

Uh oh!

dependabot bot commented on behalf of github May 19, 2025 •

edited

Loading

codecov bot commented May 19, 2025 •

edited

Loading