chore(deps): update helm release cilium to v1.17.5
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cilium (source) | HelmChart | patch | 1.17.3 -> 1.17.5 |
⚠️ Warning: Some dependencies could not be looked up. Check the warning logs for more information.
Release Notes
cilium/cilium (cilium)
v1.17.5: 1.17.5
Summary of Changes
Bugfixes:
- aws/ENI: Only use pagination when not specifying IDs (Backport MR #39564, Upstream MR #39120, @HadrienPatte)
- Fix connections to deleted service backends not getting terminated in certain cases involving services with multiple protocol ports. (Backport MR #39564, Upstream MR #37745, @foyerunix)
- Fix handle_policy_egress programs not being cleaned up during endpoint teardown (Backport MR #39685, Upstream MR #39560, @ti-mo)
- Fixed bug where datapath is unable to compile when active connection tracking and IPv6 are enabled at the same time. (Backport MR #39564, Upstream MR #39509, @dylandreimerink)
- Fixes a bug where a CIDRRule of 0.0.0.0/0 would not select all external traffic. (Backport MR #39765, Upstream MR #39693, @squeed)
- gateway-api: Use original source address for GAMMA (Backport MR #39685, Upstream MR #39206, @sayboras)
- helm/hubble: Fix wrong value for metrics server tls existingSecret (Backport MR #39685, Upstream MR #39668, @devodev)
- install/kubernetes: change mapDynamicSizeRatio from number to string (Backport MR #39963, Upstream MR #39834, @aanm)
- operator: skip retry of node taint update when node not found (Backport MR #39564, Upstream MR #39517, @jshr-w)
- Persist parent interface index of endpoint across agent restarts (Backport MR #39765, Upstream MR #39575, @dylandreimerink)
- Policy updates to Envoy no longer consider a single selector as an L3 wildcard. Cilium bpf datapath policy enforcement is not done for Cilium Ingress policy enforcement so the L3 identity needs to be enforced in all cases. (Backport MR #39564, Upstream MR #39511, @jrajahalme)
CI Changes:
- bpf: test: fix up mis-spelled HAVE_NETNS_COOKIE (Backport MR #39564, Upstream MR #39420, @julianwiedmann)
- call for metrics in smoke tests from runner instead of installing apt/curl on cilium pod (Backport MR #39862, Upstream MR #37362, @Artyop)
- gh: e2e: enable secondary-network LB testing for all KPR=true configs (Backport MR #39780, Upstream MR #39718, @julianwiedmann)
- gh: eks: restore concurrent execution of connectivity tests (Backport MR #39685, Upstream MR #39673, @julianwiedmann)
- Re-optimize CI build process (Backport MR #39862, Upstream MR #39802, @aanm)
Misc Changes:
- .github/workflows: remove cilium-cli from build-go-caches (#39801, @aanm)
- [v1.17] bpf: host: don't detect WG traffic in from-netdev@cilium_wg0 (#38233, @julianwiedmann)
- Add a section to talk about the native routing masquerading in the cloud environment. (Backport MR #39564, Upstream MR #39343, @liyihuang)
- bpf: host: flag Cilium's ESP traffic as TRACE_REASON_ENCRYPTED (Backport MR #39685, Upstream MR #39558, @julianwiedmann)
- bpf: Skip lxc src IP check for proxy traffic (Backport MR #39564, Upstream MR #39530, @sayboras)
- bpf:wireguard: reuse MARK_MAGIC_ENCRYPT for encrypted packets (Backport MR #39652, Upstream MR #39651, @smagnani96)
- chore(deps): update all github action dependencies (v1.17) (#39476, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#39704, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#39570, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#39687, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#39821, @cilium-renovate[bot])
- chore(deps): update all-dependencies (v1.17) (#39879, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v31 (v1.17) (#39607, @cilium-renovate[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v31.1 (v1.17) (#39951, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.24.3 docker digest to 4c0a181 (v1.17) (#39725, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.24.3 docker digest to 81bf592 (v1.17) (#39822, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.24.3 docker digest to 86b4cff (v1.17) (#39605, @cilium-renovate[bot])
- chore(deps): update gcr.io/distroless/static:nonroot docker digest to 188ddfb (v1.17) (#39606, @cilium-renovate[bot])
- chore(deps): update go to v1.24.4 (v1.17) (#39949, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1749031919-98c55b1d0c1154fb6c9e760583c2dcd7778686e2 (v1.17) (#39886, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1749271279-0864395884b263913eac200ee2048fd985f8e626 (v1.17) (#39935, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#39703, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#39950, @cilium-renovate[bot])
- HELM: Adding Label Support to clustermesh apiserver service (Backport MR #39564, Upstream MR #39520, @camrossi)
- mtu/endpoint_updater.go: Check for unix.EINVAL not os.ErrInvalid (Backport MR #39862, Upstream MR #39658, @dylandreimerink)
- mtu: Catch expected error in endpoint MTU updater (Backport MR #39685, Upstream MR #36596, @dylandreimerink)
- pkg/fswatcher: Rewrite without underlying use of fsnotify (Backport MR #39963, Upstream MR #38537, @glibsm)
Other Changes:
- [v1.17] chore(deps): revert etcd bump to v3.6.0 (#39628, @giorio94)
- [v1.17] vendor: Bump Hive and StateDB (#39689, @joamaki)
- install: Update image digests for v1.17.4 (#39548, @cilium-release-bot[bot])
Docker Manifests
v1.17.4: 1.17.4
Summary of Changes
Minor Changes:
- Add TRACE_{FROM/TO}_CRYPTO observation point and bpf metrics for packets forwarded-to/received-from Wireguard. (Backport MR #39260, Upstream MR #34958, @smagnani96)
- Cilium Agent liveness probe no longer fails if Kubernetes apiserver cannot be reached. Earlier the agent was restarted if the apiserver could not be reached for approximately 5 minutes. This avoids traffic disruptions on apiserver downtime (e.g. due to maintenance) for features such as L7 and FQDN proxy that require cilium-agent to always be up. (Backport MR #38703, Upstream MR #38458, @joamaki)
- Update kafka apiKey helm chart value to true (Backport MR #39214, Upstream MR #38963, @kyle-c-simmons)
Bugfixes:
- bpf: nodeport: avoid accidental NAT46x64 clash in from-container (Backport MR #39214, Upstream MR #38916, @julianwiedmann)
- Check the TLSRoute and HasServiceImportSupport through the CRD. (Backport MR #39377, Upstream MR #39122, @liyihuang)
- Fix a bug where a CiliumNetworkPolicy/CiliumClusterwideNetworkPolicy containing invalid rules would not be reported with invalid status. (Backport MR #38948, Upstream MR #38801, @tklauser)
- Fix a bug where services would fail to match wildcard protocols after switching to Local traffic policy with protocol differentiation enabled. (Backport MR #39404, Upstream MR #39360, @pasteley)
- Fix a deadlock when a host has no IPv4 address. (Backport MR #39075, Upstream MR #38938, @EmilyShepherd)
- Fix a panic happening in the ipset reconciler when a previous reconciliation failed. (Backport MR #39075, Upstream MR #38890, @pippolo84)
- Fix bug that would cause the cilium-dbg encrypt status command to not list any decryption interfaces when KPR is enabled. (Backport MR #39214, Upstream MR #39170, @pchaigno)
- Fixes a bug where layer-7 rules would override enableDefaultDeny: false, incorrectly dropping traffic. (Backport MR #39375, Upstream MR #38841, @nimishamehta5)
- gateway-api: Fix Gateway reconciler failure when TLSRoute CRD is not installed (Backport MR #39377, Upstream MR #38874, @syedazeez337)
- gateway-api: Fix parentRefMatched to check Group and Kind (Backport MR #39377, Upstream MR #39275, @syedazeez337)
- helm: fix hubble dynamic metrics config conflict (Backport MR #39075, Upstream MR #38893, @devodev)
- ipsec: Fix key derivation error in case of corrupted boot IDs (Backport MR #39214, Upstream MR #39059, @pchaigno)
- k8s: Fixed a case when delete event for service endpointslices might have been missed if connectivity to k8s apiserver was broken causing stale service cache for service. (Backport MR #38948, Upstream MR #38779, @marseel)
- wireguard:overlay: cleanup calls map when unused (Backport MR #38899, Upstream MR #38655, @smagnani96)
- xds: Fix a case in which after cilium-agent we were not sending updated resources to Envoy (Backport MR #38977, Upstream MR #38654, @marseel)
CI Changes:
- .github/workflows: Enable DualStack for conformance-kind-proxy-embedded (Backport MR #39377, Upstream MR #36398, @dylandreimerink)
- [v1.17] l4lb: Support environments with existing veth (#39408, @joestringer)
- Align main and stable branch workflows for availability of cilium-cli (Backport MR #38141, Upstream MR #38138, @joestringer)
- bpf: tests: fix ethertype when building inner headers of VXLAN packet (Backport MR #39075, Upstream MR #39060, @julianwiedmann)
- ci-aks: Enable dual-stack in Conformance AKS (Backport MR #39377, Upstream MR #37704, @gandro)
- gateway-api: Add translation tests for GAMMA (Backport MR #39221, Upstream MR #39207, @sayboras)
- gh: e2e-upgrade: check for unexpected drops from connectivity tests (Backport MR #39214, Upstream MR #39111, @julianwiedmann)
- gh: e2e-upgrade: generate config matrix from file (Backport MR #39058, Upstream MR #38512, @julianwiedmann)
- gh: e2e-upgrade: minor log output improvements (Backport MR #39058, Upstream MR #38011, @julianwiedmann)
- gh: use e2e-upgrade for IPsec minor upgrade testing (Backport MR #39058, Upstream MR #38757, @julianwiedmann)
- gha: always respect the given image tag in the wait-for-images action (Backport MR #38141, Upstream MR #37901, @giorio94)
- rate: Disable TestStressRateLimiter (Backport MR #38896, Upstream MR #38877, @YutaroHayakawa)
Misc Changes:
- [v1.17] deps: bump CNI plugins version (#39329, @ferozsalam)
- [v1.17] deps: bump golang-jwt to 4.5.2 (#39491, @ferozsalam)
- Add the doc for multi-pool ipam about how to update the existing ip pool (Backport MR #38948, Upstream MR #38539, @liyihuang)
- bpf: host: use MARK_MAGIC_EGW_DONE-embedded identity in to-netdev (Backport MR #38948, Upstream MR #38768, @julianwiedmann)
- bpf: nat: ICMP v4 improvements (Backport MR #39332, Upstream MR #36767, @julianwiedmann)
- bpf:hubble: update trace/drop notify for L2-less packets (Backport MR #39263, Upstream MR #37097, @smagnani96)
- chore(deps): update all github action dependencies (v1.17) (#39183, @cilium-renovate[bot])
- chore(deps): update all github action dependencies (v1.17) (#39316, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.8 docker digest to 87bb940 (v1.17) (#38908, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.23.8 docker digest to e54daaa (v1.17) (#39046, @cilium-renovate[bot])
- chore(deps): update docker.io/library/golang:1.24.2 docker digest to 30baaea (v1.17) (#39314, @cilium-renovate[bot])
- chore(deps): update docker.io/library/ubuntu:24.04 docker digest to 6015f66 (v1.17) (#39379, @cilium-renovate[bot])
- chore(deps): update go to v1.24.2 (v1.17) (#39113, @cilium-renovate[bot])
- chore(deps): update go to v1.24.3 (v1.17) (#39380, @cilium-renovate[bot])
- chore(deps): update google/cloud-sdk docker tag to v518 (v1.17) (#39048, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744328671-a8b58b35c03a3d100a2b026fc111417207183301 (v1.17) (#38909, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744798797-f7456c0c30336bbd437eff7743374370e415fc44 (v1.17) (#39047, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745916268-e485bbc0c95e30aa233cb06a753789375b12ad18 (v1.17) (#39226, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745971871-f98500f20b253684d483b783b29df2e4db05ea7c (v1.17) (#39248, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1746405645-719d708b1802ce417568d3eaae4c0677dd60e128 (v1.17) (#39324, @cilium-renovate[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c (v1.17) (#39413, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#38911, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#38970, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#39182, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#39315, @cilium-renovate[bot])
- chore(deps): update stable lvh-images (v1.17) (patch) (#39475, @cilium-renovate[bot])
- chore: remove retention-days param in build-images-releases.yaml (Backport MR #39435, Upstream MR #39431, @sekhar-isovalent)
- cilium: Fix device controller's dependency on netfilter (Backport MR #38948, Upstream MR #38777, @borkmann)
- cilium: Fix ipip device mtu (Backport MR #38948, Upstream MR #38682, @borkmann)
- contrib/scripts: Fix IndexError in stacktrace script (Backport MR #39214, Upstream MR #39101, @christarazi)
- contrib: Remove kind.sh dependency on git (Backport MR #39377, Upstream MR #39154, @joestringer)
- docs: Add good kernel versions for the L7 policy IPv6 bug (Backport MR #39377, Upstream MR #39212, @gentoo-root)
- docs: add warning about l7 policy and EnableDefaultDeny (Backport MR #39075, Upstream MR #38675, @squeed)
- docs: Document L7 policy IPv6 bug (Backport MR #38948, Upstream MR #38591, @gentoo-root)
- docs: Document that traffic to the VPC in ENI mode is not masqueraded (#39156, @liyihuang)
- docs: Fix casing and formatting in L3 examples section (Backport MR #39377, Upstream MR #39065, @mikejoh)
- docs: Fix variable naming in EKS-to-EKS Clustermesh guide (Backport MR #39075, Upstream MR #38821, @zzuckerfrei)
- docs: The Installation on OpenShift OKD document has been updated to link to maintained operators for Cilium (Isovalent Enterprise for Cilium). This operator is validated on all current versions of OpenShift. (Backport MR #39377, Upstream MR #38886, @auriaave)
- docs: Update hubble-metrics flag documentation (Backport MR #39075, Upstream MR #38960, @HadrienPatte)
- Documentation: Modification of eks-clustermesh-prep.rst (Backport MR #39214, Upstream MR #39025, @rwinieski)
- documentation: fix get deployment cmd (Backport MR #39214, Upstream MR #39155, @g0gn)
- dynamiclifecycle: fix goroutine leak (Backport MR #39214, Upstream MR #39149, @squeed)
- exclude the dummy device type when evaluating MTU, ensuring that local traffic does not interfere with MTU calculations. (Backport MR #39214, Upstream MR #38992, @liyihuang)
- Fix LRU maps to streamline distributed LRU flag implementation with map prealloc handling (Backport MR #39214, Upstream MR #39087, @borkmann)
- Fix map recreation loop when distributed lru setting is enabled (Backport MR #39075, Upstream MR #38978, @borkmann)
- hubble:monitor: align TraceNotify to DropNotify (Backport MR #39264, Upstream MR #38830, @smagnani96)
- ipsec: include ipv6 in v1.18 upgrade leak detection (#38843, @ldelossa)
- k8s/resource: Don't Add to WaitGroup asynchronously (Backport MR #38948, Upstream MR #38692, @joamaki)
- make: fix golangci-lint version detection (Backport MR #39075, Upstream MR #38996, @mhofstetter)
- Throw build bug when using TRACE_{FROM,TO}_CRYPTO from unexpected files and cleanup unevaluated build_bug_on. (Backport MR #39260, Upstream MR #38470, @smagnani96)
- workflows: fix lint-workflows (Backport MR #39403, Upstream MR #39398, @aanm)
Other Changes:
- [v1.17] k8s/statedb: Fix buffering order of objects (#38585, @joamaki)
- [v1.17] Stop TLS Interception config being included in preflight (#39481, @youngnick)
- bpf,encrypt: fixes the placement of a particular vxlan helper function (#39088, @ldelossa)
- install: Update image digests for v1.17.3 (#38933, @cilium-release-bot[bot])
- v1.17: Update Go version to 1.24 in go.mod (#39128, @pchaigno)
Docker Manifests
This MR has been generated by Renovate Bot.