chore(deps): update helm release cilium to v1.17.0-pre.3

This MR contains the following updates:

Package	Type	Update	Change
cilium (source)	HelmChart	patch	1.17.0-pre.2 -> 1.17.0-pre.3

---

⚠️ Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

cilium/cilium (cilium)

v1.17.0-pre.3: 1.17.0-pre.3

Compare Source

Summary of Changes

Major Changes:

• Add feature tracking in Cilium agent as prometheus metrics (#​35852, @​aanm)
• Add feature tracking in Cilium Operator as prometheus metrics (#​36077, @​aanm)
• Allow users to override the load balancing algorithm for Services by setting the service.cilium.io/lb-algorithm annotation. (#​35735, @​kl52752)
• Cilium now sends TLS Interception and Header manipulation secrets referenced in CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy by reference using SDS, using the same secret synchronization method used for Ingress, Gateway API, and BGP control plane secrets. (#​35513, @​youngnick)
• feat: add dynamically configured Hubble metrics (#​35185, @​rectified95)

Minor Changes:

• Add a commonLabel to all cilium deployed resources (#​35628, @​strongjz)
• Add cli support for impersonation --as and --as-group flags (#​35240, @​cnmcavoy)
• Add Multi-Pool Pre-Allocation Helm chart setting (#​35812, @​CallMeFoxie)
• Add new batched iterator type in pkg/bpf (#​35079, @​tommyp1ckles)
• Add the option --health-check-icmp-failure-threshold to set the number of ICMP requests to send during health checking before marking a node or endpoint as unreachable. (#​36023, @​pippolo84)
• Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (#​35809, @​jrajahalme)
• Added Lock and Unlock metric for kvstore locks (#​36037, @​odinuge)
• Adjust verification for tunnel-protocol and routing-mode in helm templates to remove occurrence of duplicate entries in rendered configmap. Remove constraint on tunnelProtocol for aksbyocni. (#​36226, @​jonasbadstuebner)
• AWS AL2023 support (#​36076, @​viktor-kurchenko)
• bgp: Add neighbor_asn label to BGP metrics (#​35503, @​mikejoh)
• bgpv2: Add a knob to disable CRD status reporting (#​35976, @​YutaroHayakawa)
• bpf: Enforce symmetric routing for endpoints with parent interfaces (#​35298, @​dylandreimerink)
• cilium: Add option for lb src ranges to act as deny cidr list (#​36120, @​borkmann)
• connectivity health checking: improve the reliability of health checking at large scales by rate-limiting probes (#​35163, @​jshr-w)
• Decouples the creation of metrics services from ServiceMonitors in the Cilium Helm chart, providing greater flexibility for Prometheus integration. (#​36013, @​saiaunghlyanhtet)
• Disable deprecated support for running the Cilium KVStore in pod network (#​35741, @​giorio94)
• Don't mark the agent as ready until successfully connecting to the kvstore (if enabled) (#​36035, @​giorio94)
• Egress masquerade multiple interfaces fix (#​36103, @​viktor-kurchenko)
• envoy: Bump envoy version to v1.31 (#​35959, @​sayboras)
• helm: New socketLB.tracing flag (#​35747, @​pchaigno)
• hubble: from and to cluster filters (#​33325, @​kaworu)
• hubble: Stop building 32-bit binaries (#​35974, @​michi-covalent)
• images: Update LLVM to 18.1.8 (#​36197, @​sayboras)
• Improve the CiliumNode to KVStore synchronization logic of the Cilium operator (#​35840, @​giorio94)
• introducing a new CLI option to display ipcache information by labels or cidr (#​35275, @​vasu-dasari)
• k8s: Add support for 1.32.0 (#​36235, @​sayboras)
• Limit FQDNS matchName and matchPattern length to 255 characters (#​35577, @​rudrakhp)
• operator: improve the responsiveness of tainting and setting conditions on k8s nodes (#​35785, @​marseel)
• operator: make max consecutive quorum errors configurable (#​36033, @​giorio94)
• policy: Add selectorcache cardinality metrics (#​35859, @​joestringer)
• Remove support for the insecure, deprecated global IPsec key. Per-tunnel IPsec keys will now be used regardless of the IPsec secret format. (#​34709, @​pchaigno)
• Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (#​35900, @​smagnani96)
• Stop propagating duplicate health and ingress endpoint information to the kvstore (#​35997, @​giorio94)
• sysdump: respect worker count and collect Cilium profiling data as first task (#​35897, @​giorio94)

Bugfixes:

• bgp: fix race in bgp stores (#​35971, @​harsimran-pabla)
• BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (#​36230, @​rastislavs)
• bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (#​35690, @​YutaroHayakawa)
• BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (#​36165, @​rastislavs)
• bpf:nat: restore a NAT entry if its REV NAT is not found (#​35304, @​sugangli)
• Cilium agent now waits until endpoints have restored before starting accepting new xDS streams. (#​35984, @​jrajahalme)
• cilium-cli/connectivity: fix nil-pointer dereference if minimum version can't be detected (#​35802, @​tklauser)
• cilium-health-ep controller is made to be more robust against successive failures. (#​35936, @​jrajahalme)
• config: Remove superfluous warning on native routing CIDR (#​35738, @​gandro)
• Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (#​36060, @​jrajahalme)
• Export Map{Key,Value} fields to prevent map {get,list} handler panics. (#​36219, @​tommyp1ckles)
• Fix bug that would break all pod-to-pod connectivity when using the per-tunnel IPsec key system. (#​35806, @​pchaigno)
• Fix identity leak for kvstore identity mode (#​34893, @​odinuge)
• Fix incorrect trace reason for egress packets when WireGuard is used with Host Firewall. (#​35354, @​smagnani96)
• Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (#​36292, @​giorio94)
• Fix: cilium-cli install --repository flag respects repository even with cached versions. (#​35670, @​renyunkang)
• Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (#​35694, @​julianwiedmann)
• Fixes a bug where identities may be leaked if a pod changes labels and is immediately deleted. (#​35947, @​orange30)
• Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (#​35890, @​squeed)
• Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (#​35624, @​pippolo84)
• helm: fix duplicate configmap key for bpf-lb-sock-terminate-pod-connections (#​35703, @​solidDoWant)
• helm: set automountServiceAccountToken to false for hubble-relay sa (#​35674, @​ayuspin)
• helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (#​36005, @​devodev)
• hubble: consistently use v as prefix for the Hubble version (#​35891, @​rolinh)
• hubble: Lock exporters while gathering metrics (#​35860, @​joestringer)
• ipam: Avoid empty CIDR in ENI mode (#​35695, @​sayboras)
• ipam: Validate CiliumNode resource in ENI mode (#​35784, @​sayboras)
• iptables: Fix data race in iptables manager (#​35902, @​pippolo84)
• k8s: Avoid panic while checking ip mode (#​35782, @​sayboras)
• lrp: update LRP services with stale backends on agent restart (#​36036, @​ysksuzuki)
• option: Reduce log level for WG strict mode + IPv6 (#​35763, @​pchaigno)
• pkg/redirectpolicy: Fix backend slices in processConfig (#​35496, @​Sm0ckingBird)
• policy/correlation: Fix PolicyMatchL3Proto case (#​35680, @​gandro)
• Unbreak the cilium-dbg preflight migrate-identity command (#​36089, @​giorio94)
• Use strconv.Itoa instead of string() for the correct behavior when converting kafka.ErrorCode from int32 to string. Add relevant unit tests for Kafka plugin and handler. (#​35856, @​nddq)
• wireguard: Fix connectivity issues following node reboots. (#​35750, @​jrife)

CI Changes:

• .github: extend timeout for tests-e2e-upgrade workflow (#​35696, @​rastislavs)
• .github: quote arguments in bash string comparison (#​35842, @​devodev)
• .github: remove use of deprecated --disable-check cilium-cli option (#​35776, @​tklauser)
• .github: Use --input-file when testing piping flows into Hubble CLI (#​35858, @​chancez)
• Additionally test KVStore mode in E2E/IPSec workflows (#​35679, @​giorio94)
• ci: add watch request thresholds (#​35808, @​marseel)
• ci: fix cleanup of stale kops clusters. (#​35986, @​marseel)
• ci: fix native wireguard encryption (#​35520, @​marseel)
• CI: Update tested K8S versions (#​35726, @​brlbil)
• ci: use the VERSION file from the MR branch in push-charts-ci.yaml (#​35950, @​ferozsalam)
• cilium-cli/connectivity: allow to specify log levels to check (#​36231, @​tklauser)
• cilium-cli: Improve tcpdump termination timeout handling (#​36021, @​liyihuang)
• cilium-cli: retry exec-in-pod requests in case of transient errors (#​35961, @​tklauser)
• cilium-cli: Run BGP tests sequentially (#​35727, @​rastislavs)
• Cleanup leaked GCE kops clusters (#​35915, @​marseel)
• cli/connectivity: Check for unexpected warning logs (#​35723, @​pchaigno)
• cli: Don't ignore datapath bug packet drops (#​36105, @​pchaigno)
• datapath: Improve XFRM leak tests (#​35796, @​pchaigno)
• Enabling IPSec pod-to-pod-with-l7-policy-encryption connectivity test for v1.15 and v1.16. (#​35742, @​smagnani96)
• Fix flake in node manager TestNodeManagerEmitStatus test (#​36097, @​glrf)
• gha: Add coverage for policy secret sync (#​36040, @​sayboras)
• gha: Enable ingress-controller in e2e tests (#​36043, @​sayboras)
• gha: enable the log-errors check in the clustermesh upgrade workflow (#​35739, @​giorio94)
• gha: merge artifacts in net-perf-gke workflow (#​36236, @​giorio94)
• gha: test disabled kvstoremesh clustermesh upgrade/downgrade tests (#​36242, @​giorio94)
• gha: uniform downgrade settings in clustermesh upgrade/downgrade test (#​36239, @​giorio94)
• ginkgo: Get rid of K8sUpdates (#​35035, @​brb)
• github: bump LVH image versions (#​35719, @​julianwiedmann)
• github: Checkout code before running cilium/cilium-cli action (#​36117, @​michi-covalent)
• github: Pass the workflow step timeout to go test (#​35814, @​jrajahalme)
• github: Simplify the checkout logic (#​36190, @​michi-covalent)
• hubble: ignore some testifylint linter errors (#​36096, @​rolinh)
• ipsec: Fix arguments in XFRM IN policy test (#​36030, @​pchaigno)
• node_local_store: prevent racey tests while using mock node store. (#​35945, @​tommyp1ckles)
• renovate: Fix image updates for IPsec workflows (#​35555, @​pchaigno)
• renovate: use proper image repository for config check (#​36227, @​tklauser)
• renovate: various smaller updates (#​36135, @​julianwiedmann)
• test, cli/connectivity: Remove stale error log exceptions (#​35848, @​pchaigno)
• test: remove --service-no-backend-response warning from ignore list (#​35830, @​julianwiedmann)
• treewide: use {assert|require}.JSONEq to compare JSON strings in tests (#​35960, @​rolinh)
• Update push-chart-ci.yaml to pass variables through the environmnet (#​36061, @​pwntester)
• workflows/clustermesh: Improve naming of on-failure sysdumps (#​35748, @​pchaigno)
• workflows/ingress: Run basic checks (#​35683, @​pchaigno)
• workflows/ipsec: Disable mutual auth (#​35932, @​pchaigno)

Misc Changes:

• .github/workflows: always install cilium-cli (#​36234, @​aanm)
• Add Alauda to the USERS.md (#​35862, @​oilbeater)
• Add cmdref generated documentation for clustermesh-apiserver (#​36205, @​HadrienPatte)
• Add coverage for SNI enforcement in cilium-cli connectivity tests. (#​35887, @​jrajahalme)
• Add Incentive.me to USERS.md (#​35704, @​lucasfcnunes)
• Add more features tracking in Cilium agent as prometheus metrics (#​36078, @​aanm)
• add Netcloud AG to USERS.md (#​35981, @​janung)
• allocator: correctly propagate context to RunGC call (#​36034, @​giorio94)
• bgp: remove metallb bgp ginkgo tests (#​36192, @​harsimran-pabla)
• bgpv2: Fix the wrong termination condition of cleanup-peer-config-status (#​36245, @​YutaroHayakawa)
• bgpv2: relax mandatory PeerASN field in BGP peer configuration (#​35817, @​harsimran-pabla)
• bgpv2: Status reporting document (#​36134, @​YutaroHayakawa)
• bpf datapath now manages policy verdict precedence between L3 and wildcard-L3 policy map matches (#​35449, @​jrajahalme)
• bpf: clean up CB_IFINDEX (#​36133, @​julianwiedmann)
• bpf: egressgw: support policy entry with egress ifindex (#​36151, @​julianwiedmann)
• bpf: icmp6: check nexthdr before loading ICMPv6 type (#​36249, @​julianwiedmann)
• bpf: minor SNAT improvements (#​35531, @​julianwiedmann)
• bpf: nat: support more embedded ICMP types for DEST_UNREACH packet (#​36179, @​julianwiedmann)
• bpf: nodeport: replace 0 identity with UNKNOWN_ID (#​36137, @​julianwiedmann)
• bugtool: deprecate flag k8s-mode (#​35689, @​mhofstetter)
• bugtool: dump tail-call map for bpf_wireguard (#​36183, @​julianwiedmann)
• Centralize policy calculation in the PolicyRepository (#​35941, @​squeed)
• cgroup: downgrade the socket LB tracing setup failure log to Info (#​35775, @​ysksuzuki)
• chore(deps): update all github action dependencies (main) (#​35713, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#​35729, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#​36140, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (#​36270, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (#​36007, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (#​36124, @​cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#​35706, @​cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#​35765, @​cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#​36008, @​cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#​36125, @​cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#​36145, @​cilium-renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#​36271, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#​35712, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#​35911, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#​36009, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (main) (#​36139, @​cilium-renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.19 (main) (#​36149, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.20 (main) (#​35826, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.23.3 docker digest to 73f06be (main) (#​36006, @​cilium-renovate[bot])
• chore(deps): update docker/dockerfile:1.11 docker digest to 10c699f (main) (#​35878, @​cilium-renovate[bot])
• chore(deps): update go (main) (#​35955, @​cilium-renovate[bot])
• chore(deps): update go to v1.23.3 (main) (#​35827, @​cilium-renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v1.62.0 (main) (#​35956, @​cilium-renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v1.62.2 (main) (#​36221, @​cilium-renovate[bot])
• chore(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.1 [security] (main) (#​35751, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1730965050-cd22d9ffa21eb4f214bf059bcc5d2f40f0c47882 (main) (#​35835, @​cilium-renovate[bot])
• chore: fix some function names (#​34626, @​jinjiadu)
• cilium, ci: Add netkit with per-endpoint-routes (#​35542, @​borkmann)
• cilium-cli/install: remove deprecated no-op --disable-check flag (#​36110, @​tklauser)
• cilium-cli: apply network policies to no-conn-disrupt test (#​35685, @​giorio94)
• cilium-cli: Skip nil details for Service error in check-log-errors (#​35671, @​rastislavs)
• cilium-cli: Use unique CNP names (#​36064, @​jrajahalme)
• cilium-dbg: Add sysdump command (#​35370, @​joestringer)
• cilium-dbg: Replace statedb command with "shell -- db show" (#​35545, @​joamaki)
• cilium: per service algorithm follow-ups (#​36204, @​borkmann)
• CiliumEnvoyConfig handling for experimental control-plane (#​35598, @​joamaki)
• cleanup: Remove deprecated field TrafficPolicy (#​36187, @​sayboras)
• clustermesh: fix config watcher missed events with fsnotify 1.8.0 (#​35770, @​giorio94)
• ctmap/gc: implement stream.Observable[GCEvent] for CT Map GC (#​36084, @​ysksuzuki)
• daemon: Catch panics in shell handler (#​35918, @​joamaki)
• daemon: Reduce level of socket LB tracing warning (#​35798, @​pchaigno)
• daemon: refactor Hubble Exporters as a cell (#​35596, @​devodev)
• datapath/iptables: make --enable-xt-socket-fallback a cell flag (#​36111, @​tklauser)
• deps, renovate: Bump GoBGP to v3.31.0 & Re-enable GoBGP dependency updates (#​35795, @​rastislavs)
• docs/ipsec: Remove KPR limitation (#​35743, @​pchaigno)
• docs/xfrm: Fix incorrect statement regarding XFRM IN policies (#​35626, @​pchaigno)
• docs: Add documentation for cilium/vendor reponsibilities (#​34211, @​learnitall)
• docs: Add documentation for Gateway API Addresses Support (#​35536, @​chaunceyjiang)
• docs: Add generated file for new sysdump cmd (#​35883, @​sayboras)
• docs: Add the tls:// prefix before the IP address (#​36118, @​liyihuang)
• docs: Fix a typo in API rate-limiting documentation (#​36246, @​usiegj00)
• docs: Fix incorrect link to RFC 4271 for BGP control plane timers. (#​35725, @​nvibert)
• docs: Improve dev workflow for renovate (#​35687, @​joestringer)
• docs: In k0s guide, remove dashes to fix invalid Bash variable names. (#​35923, @​yilas)
• docs: lrp: fix kernel version requirement for skipRedirectFromBackend (#​35921, @​ysksuzuki)
• docs: update keyless signing link (#​36144, @​ferozsalam)
• docs: WireGuard doesn't require overlay port in Network Firewalls (#​36208, @​julianwiedmann)
• endpoint: Fix syncing of invalid policymap entries on upgrade (#​35834, @​jrajahalme)
• endpoint: make restore-rules caching private (#​35488, @​squeed)
• envoy: Configure internal_address_config to avoid warning log (#​35943, @​sayboras)
• envoy: Configure internal_address_config to avoid warning log (#​36198, @​sayboras)
• envoy: Limit started serving logging to the typeURL of the stream (#​35736, @​jrajahalme)
• envoy: Update envoy image to the latest (#​36100, @​sayboras)
• envoy: Update image for SDS headermatch crash (#​36177, @​jrajahalme)
• experimental: Add Maglev support (#​35430, @​DamianSawicki)
• Fix missing edsClusterConfig in CiliumClusterwideEnvoyConfig for envoy-circuit-breaker.yaml example (#​35647, @​kachi-bits)
• fix(deps): update all go dependencies main (main) (#​35707, @​cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (#​36138, @​cilium-renovate[bot])
• fix(deps): update aws-sdk-go-v2 monorepo (main) (#​35708, @​cilium-renovate[bot])
• fix(deps): update aws-sdk-go-v2 monorepo (main) (#​36126, @​cilium-renovate[bot])
• fix(deps): update kubernetes packages to v0.31.3 (main) (#​36127, @​cilium-renovate[bot])
• fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.194.0 (main) (#​36273, @​cilium-renovate[bot])
• fix(deps): update module k8s.io/kubectl to v0.31.2 (main) (#​35709, @​cilium-renovate[bot])
• fix(deps): update opentelemetry-go monorepo to v1.32.0 (main) (#​36274, @​cilium-renovate[bot])
• fix: dynamicSizeRatio in "Memory available for map entries" log message (#​36211, @​jingyuanliang)
• fix: SetBackends should always update frontends of the modified service (#​35864, @​DamianSawicki)
• Fixed BGP documentation (#​35953, @​seadog007)
• go.mod: Bump controller-tools to v0.16.5 (#​35992, @​christarazi)
• golang: Enable type alias again for go 1.23 (#​35406, @​sayboras)
• helm: clarify text for serviceNoBackendResponse (#​35734, @​julianwiedmann)
• helm: Define a variable for common label validation exclusion (#​36218, @​michi-covalent)
• helm: fix commonLabels parsing in hubble dashboard configmap (#​36196, @​devodev)
• helm: Remove redundant attribute in TLS configuration (#​36041, @​sayboras)
• helm: Support extending certgen configuration templates (#​35853, @​chancez)
• hubble-relay: make MinTLSVersion a var (#​36188, @​devodev)
• hubble: add a couple of "any interface" filter test cases (#​34984, @​kaworu)
• hubble: make MinTLSVersion a var (#​36164, @​devodev)
• images: bump cni plugins to v1.6.0 (#​36075, @​ferozsalam)
• ipsec: Fix XFRM clean up (#​36031, @​pchaigno)
• ipsec: Simplify XFRM IN policies and templates (#​35831, @​pchaigno)
• k8s/epslices: ensure that all fields are always DeepCopied (#​36000, @​giorio94)
• kvstore: drop obsolete removal of legacy prefixes (#​35995, @​giorio94)
• lbmap: skip expensive debug log operations when disabled (#​35999, @​giorio94)
• Logging: Add klog override matcher to remap certain errors to "info" level (#​35942, @​tommyp1ckles)
• lrp: fix kernel version requirement in warning log (#​36141, @​ysksuzuki)
• makefile: add target to install Cilium in kvstore mode (#​35646, @​giorio94)
• Makefile: fix swagger definition for automatic renovate updates (#​35979, @​aanm)
• Mark BPF-based proxy redirection (bpf-tproxy) feature as beta (#​35790, @​hemanthmalla)
• metrics/features: refactor metric names (#​36209, @​aanm)
• Miscellaneous improvements to DNS introspection policies in connectivity tests (#​36193, @​giorio94)
• node: avoid JSON unserializable log field (#​35894, @​bimmlerd)
• node: Improve local node synchronizer logging (#​36171, @​pippolo84)
• operator/bgpv2: Relax warnings upon transient k8s errors (#​36256, @​rastislavs)
• operator: always use controller-runtime metric registry as base (#​36243, @​mhofstetter)
• operator: demote non-consecutive health check warnings (#​36238, @​giorio94)
• pkg/map/stats: provide Observable[T] fields for nat iteration. (#​35515, @​tommyp1ckles)
• pkg/metrics/bpf: new bpf_maps & bpf_progs metrics (#​29984, @​mvisonneau)
• pkg/redirectpolicy: Delete unused variable in getAndUpsertPolicySvcCo… (#​35794, @​Sm0ckingBird)
• policy/api: don't write zero enableDefaultDeny field (#​35804, @​squeed)
• policy: consistent enablement in agent and operator (#​36167, @​dlapcevic)
• policy: Do not fuzz mapState receiver (#​36200, @​jrajahalme)
• policy: No-op Identity Allocator (#​35973, @​dlapcevic)
• policy: Use no-op ID allocator when policy is disabled (#​36102, @​dlapcevic)
• Prepare for release v1.17.0-pre.2 (#​35699, @​cilium-release-bot[bot])
• proxy: Ensure proxy ports are written on shutdown (#​35839, @​jrajahalme)
• README.rst: Update Cilium's intro picture with the up-to-date logo for Tetragon (#​36002, @​paularah)
• README: Update releases (#​35701, @​joestringer)
• README: Update releases (#​36062, @​bimmlerd)
• Refactor deprecated call to grpc.DialContext in Hubble Relay (#​36027, @​devodev)
• Remove duplicated watch on services and endpoint in the cilium-agent (#​35838, @​MrFreezeex)
• renovate: fix API files generation using renovate (#​35676, @​aanm)
• renovate: fix auto update of GH issue template (#​35675, @​aanm)
• renovate: fix PS1: unbound variable error (#​35978, @​aanm)
• Revert "sysdump: collect Cilium profiling data as first task" (#​35771, @​giorio94)
• Silence error logs if pod is deleted during restoration (#​35851, @​giorio94)
• Silence spurious clustermesh-related warnings (#​35867, @​giorio94)
• sysdump: Collect crashed pod logs in cilium-test namespaces (#​35612, @​jschwinger233)
• test: FQDN: prevent names from being GCd when restarting (#​35985, @​squeed)
• Update basic-https.yaml (#​36207, @​sajjadjafaribojd)
• Update USERS.md with Virtuozzo (#​35841, @​egoust)
• Update values file to include flag iptablesRandomFully (#​35484, @​rbankston)
• watcher: Avoid using global default slog (#​35702, @​sayboras)
• workflow fix: extra space remove to make linter happy (#​35889, @​viktor-kurchenko)

Other Changes:

• envoy: Start listening on xDS socket only after endpoint restoration (#​36032, @​jrajahalme)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.0-pre.3@​sha256:a85a0ebd4155217cbd4083cac4c79a31180b43dad1ba3be807107b31c03ba534

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.0-pre.3@​sha256:ec1aea788396299ed4fdc57611be8422394b2d2af89eb89f9ad3807c94dfeeca

docker-plugin

quay.io/cilium/docker-plugin:v1.17.0-pre.3@​sha256:02e48d83037ac7da8f3fd7b8d5be2de8c085f387611080d58911774d6d8e11b8

hubble-relay

quay.io/cilium/hubble-relay:v1.17.0-pre.3@​sha256:c728161d06a7ff6b709edeb3a82ba8ede683a2968130876d8681b71bbbc8e327

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.0-pre.3@​sha256:6f6fc68230fc34986be3df26ee7713407463b073474822859e8b1d0d5fb1b0d6

operator-aws

quay.io/cilium/operator-aws:v1.17.0-pre.3@​sha256:241c82b7d60160ed66849b21f8b4c7ab1ded1777500fa856411c057c47eead14

operator-azure

quay.io/cilium/operator-azure:v1.17.0-pre.3@​sha256:bcd18e91fbc36808e1f3525cd75a207e24ce3aac9f2fea219255d86d8140b2ef

operator-generic

quay.io/cilium/operator-generic:v1.17.0-pre.3@​sha256:3f408dba3ab1940765ba4b0ecf37dbc68a7d823051a70a9f20e0dfe78cb52403

operator

quay.io/cilium/operator:v1.17.0-pre.3@​sha256:28dea23ee214c870944b7806d6a05e4264a0af4e31f1199262a2384fc87476e7

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Renovate Bot.