chore(deps): update helm release cilium to v1.17.3

This MR contains the following updates:

Package	Type	Update	Change
cilium (source)	HelmChart	patch	1.17.2 -> 1.17.3

---

Release Notes

cilium/cilium (cilium)

v1.17.3: 1.17.3

Compare Source

Summary of Changes

Minor Changes:

• hubble: accurately report startup failure reason from cilium status (Backport MR #​38526, Upstream MR #​37567, @​devodev)
• Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport MR #​38399, Upstream MR #​37936, @​smagnani96)

Bugfixes:

• Always detach BPF programs from cilium_wg0 when not needed. (Backport MR #​38184, Upstream MR #​38179, @​smagnani96)
• Avoid installing no-track rules when IP family is disabled (Backport MR #​38526, Upstream MR #​38438, @​ysksuzuki)
• bgpv2: Fix service reconciliation by BGP peer IP change (Backport MR #​38700, Upstream MR #​38620, @​rastislavs)
• bpf: wireguard: avoid ipcache lookup for source's security identity (Backport MR #​38684, Upstream MR #​38592, @​julianwiedmann)
• clustermesh: fix mcs-api count of clusters disagreeing with a conflict (the count was previously increased by one) (Backport MR #​38298, Upstream MR #​38267, @​MrFreezeex)
• Ensure that replies to world-to-pod ICMP in AWS ENI are routed via the correct parent interface. (Backport MR #​38394, Upstream MR #​38335, @​gentoo-root)
• Fix deadlock in compilation lock (Backport MR #​38805, Upstream MR #​38784, @​dylandreimerink)
• Fix panic caused in dual cluster setups where LRPs with skipRedirectFromBackend flag set to true are installed and IPv6 is disabled. (Backport MR #​38700, Upstream MR #​38656, @​aditighag)
• Fix the ipv6 only cluster doesn't work with multi pool in some k8s distribution(Openshift) (Backport MR #​38526, Upstream MR #​38472, @​liyihuang)
• Fix: cilium-operator no longer patches services on shutdown (Backport MR #​38298, Upstream MR #​37967, @​rsafonseca)
• Fixes an issue where the agent failed to start on clusters with large numbers of network policies. (Backport MR #​38700, Upstream MR #​38556, @​squeed)
• For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport MR #​38800, Upstream MR #​38737, @​julianwiedmann)
• ingress: don't cleanup ingress status of unmanaged Ingress resources (Backport MR #​38700, Upstream MR #​38555, @​mhofstetter)
• ipam/aws: properly paginate Operator DescribeNetworkInterfaces AWS API calls in ENI IPAM mode in order to avoid throttling, timeouts and errors from the API (Backport MR #​38298, Upstream MR #​37983, @​antonipp)
• netkit: Fix issue where MAC addresses get changed by systemd in L2 mode causing health checks to fail (Backport MR #​38526, Upstream MR #​37812, @​jrife)

CI Changes:

• build: update golangci-lint to v2.0.0 (Backport MR #​38629, Upstream MR #​38473, @​mhofstetter)
• ci: build CI images within merge group (Backport MR #​38526, Upstream MR #​38065, @​marseel)
• ci: prepare CI Image build for being required (Backport MR #​38526, Upstream MR #​38320, @​marseel)
• cilium-cli: extend no-interrupted-connections to test Egress Gateway (Backport MR #​38527, Upstream MR #​38193, @​ysksuzuki)
• cilium-cli: extend no-interrupted-connections to test NodePort from outside (Backport MR #​37797, Upstream MR #​37294, @​ysksuzuki)
• Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport MR #​38517, Upstream MR #​38264, @​smagnani96)
• Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport MR #​38517, Upstream MR #​38290, @​smagnani96)
• Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport MR #​38740, Upstream MR #​38281, @​smagnani96)
• Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport MR #​38517, Upstream MR #​38265, @​smagnani96)
• Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport MR #​38517, Upstream MR #​38292, @​smagnani96)
• Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport MR #​38517, Upstream MR #​38291, @​smagnani96)
• gh: aws-cni: set --enable-identity-mark=false option (Backport MR #​38800, Upstream MR #​38738, @​julianwiedmann)
• gh: e2e-upgrade: also test NS & EGW disruptivity during downgrade (Backport MR #​38527, Upstream MR #​38511, @​julianwiedmann)
• gha: enable north/south conn-disrupt-test in clustermesh upgrade tests (Backport MR #​38527, Upstream MR #​38554, @​giorio94)
• Ignore encrypt interface field when validating option.Config after initialization (Backport MR #​38298, Upstream MR #​37184, @​Artyop)
• Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport MR #​38740, Upstream MR #​38278, @​smagnani96)
• Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport MR #​38517, Upstream MR #​38293, @​smagnani96)
• Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport MR #​38740, Upstream MR #​38266, @​smagnani96)
• proxy/proxyports: fix flake and data race in TestPortAllocator (Backport MR #​38674, Upstream MR #​38062, @​tklauser)
• proxy: fix flake in TestPortAllocator test (Backport MR #​38674, Upstream MR #​38646, @​mhofstetter)
• Refactoring and code comments for the check-encryption-leak script. (Backport MR #​38740, Upstream MR #​38263, @​smagnani96)
• Report masqueraded flow through proxy in the check-encryption-leak script. (Backport MR #​38740, Upstream MR #​38297, @​smagnani96)
• Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport MR #​38517, Upstream MR #​38280, @​smagnani96)
• Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport MR #​38517, Upstream MR #​38289, @​smagnani96)
• Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport MR #​38526, Upstream MR #​38289, @​smagnani96)
• Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport MR #​38517, Upstream MR #​38287, @​smagnani96)
• Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport MR #​38740, Upstream MR #​38268, @​smagnani96)
• test: Update FQDN related domain and IP (Backport MR #​38769, Upstream MR #​38754, @​sayboras)

Misc Changes:

• [v1.17] bpf: host: ipsec: check whether destination has tunnel_endpoint (#​38802, @​julianwiedmann)
• [v1.17] bpf: ipsec: improve handling of source security identity in encrypted-overlay code (#​38594, @​julianwiedmann)
• [v1.17] deps: bump package x/oauth2 (#​38403, @​ferozsalam)
• [v1.17] deps: bump x/net to v0.38.0 (#​38780, @​ferozsalam)
• bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport MR #​38684, Upstream MR #​37956, @​julianwiedmann)
• bpf: let MARK_MAGIC_EGW_DONE carry source identity (Backport MR #​38684, Upstream MR #​38430, @​julianwiedmann)
• bpf: nodeport: preserve monitor aggregation in egress path (Backport MR #​38526, Upstream MR #​38312, @​julianwiedmann)
• bugtool: collect more detailed link statistics (Backport MR #​38526, Upstream MR #​38391, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.17) (#​38353, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​38436, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​38612, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​38303, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​38542, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.17) (#​38730, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.17) (#​38354, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.17) (#​38611, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 37f7b37 (v1.17) (#​38350, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.23.7 docker digest to cb45cf7 (v1.17) (#​38351, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.20 (v1.17) (#​38434, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.21 (v1.17) (#​38608, @​cilium-renovate[bot])
• chore(deps): update go to v1.23.8 (v1.17) (#​38713, @​cilium-renovate[bot])
• chore(deps): update kindest/node docker tag to v1.29.14 (v1.17) (#​38352, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.17) (#​38257, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742515734-d30064faed34d8936672353d4b6d6dbcfbaa7b2d (v1.17) (#​38384, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742784301-90f2717e10fcd34f9aca97413fcd00ca2b8ccfee (v1.17) (#​38441, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743506100-0821ef0acdf9f824d47d34e02932be522b3e7233 (v1.17) (#​38671, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744108394-d3be7c547203cd80d0c4902e4b9deac09c727456 (v1.17) (#​38773, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​38316, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​38435, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​38831, @​cilium-renovate[bot])
• cilium, status: Do not display annotations if KPR is disabled (Backport MR #​38700, Upstream MR #​38677, @​borkmann)
• doc(troubleshooting): add -verbose to cilium-health status (Backport MR #​38298, Upstream MR #​38169, @​alagoutte)
• doc: Envoy daemonset works on OpenShift (Backport MR #​38298, Upstream MR #​38236, @​fgiloux)
• docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport MR #​38526, Upstream MR #​38173, @​yrsuthari)
• docs: add per-node default pool example (Backport MR #​38298, Upstream MR #​38135, @​acudovs)
• docs: clarify hubble flow filter match semantics (Backport MR #​38700, Upstream MR #​38657, @​devodev)
• docs: Correct the envoy circuit-breaking example manifest (Backport MR #​38298, Upstream MR #​38158, @​raphink)
• docs: Document jitter applied to BGP ConnectRetryTimeSeconds (Backport MR #​38526, Upstream MR #​38231, @​rastislavs)
• docs: Update LLVM requirements to 18.1 (Backport MR #​38526, Upstream MR #​38294, @​gentoo-root)
• Documentation: "cilium config set" restarts by default (Backport MR #​38298, Upstream MR #​38114, @​joamaki)
• Documentation: fix mentions of per-node cilium-dbg tool (Backport MR #​38298, Upstream MR #​38276, @​tklauser)
• fix SBOM attestation documentation (Backport MR #​38526, Upstream MR #​38429, @​jaehanbyun)
• fix(Documentation/installationk0s.rst): adjust kuberouter naming in k0s documentation (Backport MR #​38298, Upstream MR #​38243, @​RiRa12621)
• images: bump distroless to static (Backport MR #​38694, Upstream MR #​38647, @​kaworu)
• ipcache: reduce labels map memory churn in resolveLabels a bit (Backport MR #​38526, Upstream MR #​38494, @​tklauser)
• maglev: Fix division by zero upon table recreation (Backport MR #​38700, Upstream MR #​38659, @​borkmann)
• pkg/controller: fix data race in update params locked (Backport MR #​38526, Upstream MR #​38327, @​aanm)
• pkg/endpoint: fix GetLabels data race access (Backport MR #​38526, Upstream MR #​38328, @​aanm)
• pkg/endpoint: fix race in unit test (Backport MR #​38298, Upstream MR #​38129, @​squeed)
• policy: sync policy map for fake endpoints (Backport MR #​38526, Upstream MR #​38367, @​harsimran-pabla)
• proxy: Fix data race in proxyports test (Backport MR #​38674, Upstream MR #​37890, @​jrajahalme)
• Removal logic for the new cil_from_wireguard program to handle Cilium Downgrades from v1.18. (#​38187, @​smagnani96)
• remove the endpointRoutes for aws cni in the doc (Backport MR #​38700, Upstream MR #​38381, @​liyihuang)
• wireguard: cleanup cilium_calls map upon downgrading from v1.18 (#​38595, @​smagnani96)

Other Changes:

• [v1.17] hubble/exporter: Fix logging exporter options as JSON (#​38476, @​devodev)
• [v1.17] proxy: Bump envoy version to 1.32.x (#​38306, @​sayboras)
• deps: Bump GoBGP to v3.35.0 (#​38405, @​rastislavs)
• fix AWS ENI IPAM mode performance regression in the Operator when --update-ec2-adapter-limit-via-api is set to true (#​38532, @​antonipp)
• Fix IPv6 for LocalRedirectPolicy with skipRedirectFromBackend option. (#​38509, @​julianwiedmann)
• install: Update image digests for v1.17.2 (#​38205, @​cilium-release-bot[bot])
• ipsec: backport minimal VinE support for upgrade scenarios (#​37993, @​ldelossa)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.3@​sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873 quay.io/cilium/cilium:stable@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.3@​sha256:98d5feaf67dd9b5d8d219ff5990de10539566eedc5412bcf52df75920896ad42 quay.io/cilium/clustermesh-apiserver:stable@sha256:98d5feaf67dd9b5d8d219ff5990de10539566eedc5412bcf52df75920896ad42

docker-plugin

quay.io/cilium/docker-plugin:v1.17.3@​sha256:aece31ec01842f78ae30009b5ca42ab5abd4b042a6fff49b48d06f0f37eddef9 quay.io/cilium/docker-plugin:stable@sha256:aece31ec01842f78ae30009b5ca42ab5abd4b042a6fff49b48d06f0f37eddef9

hubble-relay

quay.io/cilium/hubble-relay:v1.17.3@​sha256:f8674b5139111ac828a8818da7f2d344b4a5bfbaeb122c5dc9abed3e74000c55 quay.io/cilium/hubble-relay:stable@sha256:f8674b5139111ac828a8818da7f2d344b4a5bfbaeb122c5dc9abed3e74000c55

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.3@​sha256:e9a9ab227c6e833985bde6537b4d1540b0907f21a84319de4b7d62c5302eed5c quay.io/cilium/operator-alibabacloud:stable@sha256:e9a9ab227c6e833985bde6537b4d1540b0907f21a84319de4b7d62c5302eed5c

operator-aws

quay.io/cilium/operator-aws:v1.17.3@​sha256:40f235111fb2bca209ee65b12f81742596e881a0a3ee4d159776d78e3091ba7f quay.io/cilium/operator-aws:stable@sha256:40f235111fb2bca209ee65b12f81742596e881a0a3ee4d159776d78e3091ba7f

operator-azure

quay.io/cilium/operator-azure:v1.17.3@​sha256:6a3294ec8a2107048254179c3ac5121866f90d20fccf12f1d70960e61f304713 quay.io/cilium/operator-azure:stable@sha256:6a3294ec8a2107048254179c3ac5121866f90d20fccf12f1d70960e61f304713

operator-generic

quay.io/cilium/operator-generic:v1.17.3@​sha256:8bd38d0e97a955b2d725929d60df09d712fb62b60b930551a29abac2dd92e597 quay.io/cilium/operator-generic:stable@sha256:8bd38d0e97a955b2d725929d60df09d712fb62b60b930551a29abac2dd92e597

operator

quay.io/cilium/operator:v1.17.3@​sha256:169c137515459fe0ea4c483021f704dba8901ac5180bdee4e05f5901dbfd7115 quay.io/cilium/operator:stable@sha256:169c137515459fe0ea4c483021f704dba8901ac5180bdee4e05f5901dbfd7115

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Renovate Bot.