chore(deps): update helm release cilium to v1.17.2

This MR contains the following updates:

Package	Type	Update	Change
cilium (source)	HelmChart	patch	1.17.1 -> 1.17.2

---

Release Notes

cilium/cilium (cilium)

v1.17.2: 1.17.2

Compare Source

Summary of Changes

Minor Changes:

• docs: clarify wording of remote-nodes in context of a clustermesh (Backport MR #​38104, Upstream MR #​37989, @​oblazek)
• Increase granularity of the api_duration_seconds metric buckets (Backport MR #​38104, Upstream MR #​37365, @​jaredledvina)
• New agent option --policy-restore-timeout (default 3m) has been added to bound the maximum time Cilium agent waits for endpoint policies to regenerate before starting serving resources to cilium-envoy proxy. (Backport MR #​37904, Upstream MR #​37658, @​jrajahalme)
• Set json output as default for cilium-dbg endpoint get (Backport MR #​37648, Upstream MR #​36537, @​saiaunghlyanhtet)
• Set json output as default for cilium-dbg endpoint get (Backport MR #​37742, Upstream MR #​36537, @​saiaunghlyanhtet)

Bugfixes:

• Apply Egress bandwith-limiting only once for traffic that is matched by an Egress Gateway policy. (Backport MR #​37904, Upstream MR #​37674, @​julianwiedmann)
• Auth policy is properly maintained also when covered by proxy redirects. (Backport MR #​37904, Upstream MR #​37685, @​jrajahalme)
• Do not auto detect / auto select IPoIB devices (Backport MR #​37648, Upstream MR #​37553, @​dylandreimerink)
• Egress route reconciliation (Backport MR #​38118, Upstream MR #​37962, @​dylandreimerink)
• Fix a regression that made it impossible to disable Hubble via Helm charts (Backport MR #​37648, Upstream MR #​37587, @​devodev)
• Fix bug causing cilium-dbg bpf commands to fail with a map not found error in IPv6-only clusters. (Backport MR #​37904, Upstream MR #​37787, @​pchaigno)
• Fix creating ServiceMonitor for Hubble when dynamic metrics are enabled in the Helm chart (Backport MR #​37648, Upstream MR #​37474, @​dustinspecker)
• Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport MR #​37904, Upstream MR #​37419, @​javanthropus)
• Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR (Backport MR #​37648, Upstream MR #​36978, @​tommasopozzetti)
• Fix envoy metrics could not be obtained on IPv6-only clusters (Backport MR #​37904, Upstream MR #​37818, @​haozhangami)
• Fix helm charts to properly configure tls and peer service for dynamic Hubble metrics. (Backport MR #​37904, Upstream MR #​37543, @​rectified95)
• Fix service id exceeds max limit (Backport MR #​37648, Upstream MR #​37191, @​haozhangami)
• Fix the --dns-policy-unload-on-shutdown feature for restored endpoints (Backport MR #​37648, Upstream MR #​37532, @​antonipp)
• Fix the possible race condition caused by async update from aws to instance map in issue #​36428 (Backport MR #​38104, Upstream MR #​37650, @​liyihuang)
• Fix traffic not getting masqueraded with wildcard devices or egress-masquerade-interfaces when enable-masquerade-to-route-source flag is set. (Backport MR #​37648, Upstream MR #​37450, @​liyihuang)
• fix(helm): multiPoolPreAllocation fix conditional avoid null (Backport MR #​37742, Upstream MR #​37585, @​acelinkio)
• fix: cilium-config configmap was incorrectly resulting in values like 2.09715…2e+06 instead of 2097152 (Backport MR #​37648, Upstream MR #​37236, @​dee-kryvenko)
• fix: duplicate label maps in helm chart templates and add missing commonlabels (Backport MR #​37742, Upstream MR #​37693, @​cmergenthaler)
• Fix: Resolved an issue causing ArgoCD to report constant out-of-sync status due to the hasKey check in Helm. The condition has been simplified to ensure proper synchronization. No functional changes to deployments. (Backport MR #​37648, Upstream MR #​37536, @​nicl-dev)
• Fixed Envoy JSON log format conversion in Helm, preventing crashes. (Backport MR #​37742, Upstream MR #​37656, @​kahirokunn)
• helm: fix large number handling (Backport MR #​37742, Upstream MR #​37670, @​justin0u0)
• hubble: escape terminal special characters from observe output (Backport MR #​37648, Upstream MR #​37401, @​devodev)
• hubble: fix locking of hubble metrics registry for dynamically configured metrics (Backport MR #​38104, Upstream MR #​37923, @​marseel)
• identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport MR #​38104, Upstream MR #​36657, @​oblazek)
• ipam/multi-pool: Periodically perform pool maintenance (Backport MR #​38104, Upstream MR #​37895, @​gandro)
• operator: explicit controller-runtime controller names to avoid naming conflicts (Backport MR #​37742, Upstream MR #​37606, @​mhofstetter)
• operator: Fix duplicate configurations (Backport MR #​37648, Upstream MR #​37293, @​joestringer)
• Restore aggregration of network trace events for Egress Gateway reply traffic on the gateway node (Backport MR #​38104, Upstream MR #​38029, @​julianwiedmann)
• Updated Gateway API and GAMMA processing to remove incorrect behavior when both parentRefs were present. (Backport MR #​38154, Upstream MR #​38143, @​youngnick)
• Workaround for iptables 1.8.10, used in OpenShift 4.16, 4.17 and 4.18, returning a wrong error message iptables: Incompatible with this kernel to iptables -n -L CHAIN when the chain does not exist. This prevents iptables configuration and induced unnecessary loops and log messages. (Backport MR #​38104, Upstream MR #​37749, @​fgiloux)

CI Changes:

• .github: Remove misleading step from ipsec workflow (Backport MR #​37742, Upstream MR #​37681, @​joestringer)
• .github: s/enbaled/enabled/ (Backport MR #​37648, Upstream MR #​37449, @​chansuke)
• bgpv1: wait for watchers to be ready in tests (Backport MR #​37904, Upstream MR #​37884, @​harsimran-pabla)
• CI: GKE backslash missing disable insecure kubelet (Backport MR #​37904, Upstream MR #​37850, @​auriaave)
• CI: GKE, disable insecure kubelet readonly port (Backport MR #​37904, Upstream MR #​37844, @​auriaave)
• ci: switch to monitor aggregation medium (Backport MR #​38104, Upstream MR #​38036, @​marseel)
• gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport MR #​37904, Upstream MR #​37551, @​jschwinger233)
• gh: ipsec-e2e: add concurrency for connectivity tests (Backport MR #​37925, Upstream MR #​37891, @​julianwiedmann)
• gh: update naming for bpftrace leak detection script (Backport MR #​37904, Upstream MR #​37865, @​julianwiedmann)

Misc Changes:

• always render enable-hubble in the Cilium configmap (Backport MR #​37904, Upstream MR #​37703, @​kaworu)
• bpf: Add option to utilize core maps via BPF_F_NO_COMMON_LRU (Backport MR #​38104, Upstream MR #​38037, @​borkmann)
• bpf: minor clean-ups for the ENI symmetric routing feature (Backport MR #​37648, Upstream MR #​37379, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.17) (#​37950, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​37944, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​38048, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.17.0 (v1.17) (#​37793, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.0 (v1.17) (#​37949, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.17) (#​38057, @​cilium-renovate[bot])
• chore(deps): update go to v1.23.7 (v1.17) (#​37996, @​cilium-renovate[bot])
• chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (v1.17) (#​37833, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.17) (#​38148, @​cilium-renovate[bot])
• cilium-dbg: output parentIfIndex in bpf endpoint list (Backport MR #​37742, Upstream MR #​37398, @​Mahdi-BZ)
• cilium: Allow to configure tunnel source port range (Backport MR #​37904, Upstream MR #​37777, @​borkmann)
• cilium: Pull in vxlan netlink Go fix and uncomment assertion in test (Backport MR #​37904, Upstream MR #​37808, @​borkmann)
• docs: complete load balancer service manifest in kubeproxy-free (Backport MR #​37648, Upstream MR #​37466, @​ybelleguic)
• docs: fix broken links (Backport MR #​38104, Upstream MR #​37995, @​nueavv)
• docs: masquerading: mention that BPF masq also pulls in BPF Host-Routing (Backport MR #​37648, Upstream MR #​37604, @​julianwiedmann)
• docs: use latest for rtd theme commit with fixed version selector (Backport MR #​37614, Upstream MR #​37421, @​ayuspin)
• envoy: remove duplicated service/endpointslice informers when envoyConfig is enabled (Backport MR #​37742, Upstream MR #​37683, @​marseel)
• Fix API generation and add trusted dependencies to renovate config (Backport MR #​37648, Upstream MR #​36957, @​aanm)
• Fix API generation and add trusted dependencies to renovate config (Backport MR #​37742, Upstream MR #​36957, @​aanm)
• Fix helm value for IPAM Multi-Pool (Backport MR #​38104, Upstream MR #​37963, @​saintdle)
• fqdn/dnsproxy: use netip.Addr for DNSProxy.usedServers (Backport MR #​38104, Upstream MR #​37985, @​tklauser)
• gha: Update the helm flag for TLS related test (Backport MR #​37648, Upstream MR #​37428, @​sayboras)
• ipcache: Slightly optimize calls to fetch tunnel and encrypt metadata (Backport MR #​38104, Upstream MR #​38021, @​christarazi)
• labels: fix TestNewFrom test (Backport MR #​37904, Upstream MR #​37846, @​giorio94)
• Moves Unix socket listener configuration to a new file specifically for Linux builds. (Backport MR #​37648, Upstream MR #​37399, @​ritwikranjan)
• operator: Explicitly init the FQDN regex LRU cache (Backport MR #​37648, Upstream MR #​37366, @​christarazi)
• pkg/hive: always use default logger when decorating cells (Backport MR #​37742, Upstream MR #​37636, @​aanm)
• policy: Skip iteration when proxy port priority is zero (Backport MR #​37648, Upstream MR #​37422, @​jrajahalme)
• Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport MR #​37904, Upstream MR #​37806, @​rolinh)
• Update Hubble UI to v0.13.2 which contains security fixes, add the missing traffic direction in the flow table, and enhance the home namespace list. See v0.13.2 for more details (Backport MR #​37742, Upstream MR #​37631, @​yannikmesserli)
• use runtime image set by env var action in build and lint (Backport MR #​37648, Upstream MR #​37253, @​Artyop)

Other Changes:

• [v1.17] Revert "Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR" (#​38101, @​julianwiedmann)
• Backport set runtime action 1.17 (#​37854, @​Artyop)
• gha: Update GatewayAPI conformance report (#​37671, @​sayboras)
• install: Update image digests for v1.17.1 (#​37580, @​cilium-release-bot[bot])
• v1.17: gh/workflows: Remove conformance-externalworkloads (#​37738, @​brb)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.2@​sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1 quay.io/cilium/cilium:stable@sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.2@​sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398 quay.io/cilium/clustermesh-apiserver:stable@sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398

docker-plugin

quay.io/cilium/docker-plugin:v1.17.2@​sha256:a599893f1fc76fc31afad2bbb73af7e7f618adbf02043b2098fafeca4adf551c quay.io/cilium/docker-plugin:stable@sha256:a599893f1fc76fc31afad2bbb73af7e7f618adbf02043b2098fafeca4adf551c

hubble-relay

quay.io/cilium/hubble-relay:v1.17.2@​sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc quay.io/cilium/hubble-relay:stable@sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.2@​sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe quay.io/cilium/operator-alibabacloud:stable@sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe

operator-aws

quay.io/cilium/operator-aws:v1.17.2@​sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c quay.io/cilium/operator-aws:stable@sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c

operator-azure

quay.io/cilium/operator-azure:v1.17.2@​sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0 quay.io/cilium/operator-azure:stable@sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0

operator-generic

quay.io/cilium/operator-generic:v1.17.2@​sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249 quay.io/cilium/operator-generic:stable@sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249

operator

quay.io/cilium/operator:v1.17.2@​sha256:697a7e6c4765ef053d33dd2d9d7f14642c01dfa7333ad7902de7ca5afbf3b419 quay.io/cilium/operator:stable@sha256:697a7e6c4765ef053d33dd2d9d7f14642c01dfa7333ad7902de7ca5afbf3b419

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Renovate Bot.