chore(deps): update helm release cilium to v1.17.4 (!1520) · Merge requests · Tristan Gosselin-Hane / infrastructure

Renovate Bot requested to merge renovate/cilium-1.x into master May 15, 2025

This MR contains the following updates:

Package	Type	Update	Change
cilium (source)	HelmChart	patch	`1.17.3` -> `1.17.4`

⚠️ Warning

Some dependencies could not be looked up. Check the warning logs for more information.

Release Notes

cilium/cilium (cilium)

`v1.17.4`: 1.17.4

Compare Source

Summary of Changes

Minor Changes:

Add TRACE_{FROM/TO}_CRYPTO observation point and bpf metrics for packets forwarded-to/received-from Wireguard. (Backport MR #39260, Upstream MR #34958, @smagnani96)
Cilium Agent liveness probe no longer fails if Kubernetes apiserver cannot be reached. Earlier the agent was restarted if the apiserver could not be reached for approximately 5 minutes. This avoids traffic disruptions on apiserver downtime (e.g. due to maintenance) for features such as L7 and FQDN proxy that require cilium-agent to always be up. (Backport MR #38703, Upstream MR #38458, @joamaki)
Update kafka apiKey helm chart value to true (Backport MR #39214, Upstream MR #38963, @kyle-c-simmons)

Bugfixes:

bpf: nodeport: avoid accidental NAT46x64 clash in from-container (Backport MR #39214, Upstream MR #38916, @julianwiedmann)
Check the TLSRoute and HasServiceImportSupport through the CRD. (Backport MR #39377, Upstream MR #39122, @liyihuang)
Fix a bug where a CiliumNetworkPolicy/CiliumClusterwideNetworkPolicy containing invalid rules would not be reported with invalid status. (Backport MR #38948, Upstream MR #38801, @tklauser)
Fix a bug where services would fail to match wildcard protocols after switching to Local traffic policy with protocol differentiation enabled. (Backport MR #39404, Upstream MR #39360, @pasteley)
Fix a deadlock when a host has no IPv4 address. (Backport MR #39075, Upstream MR #38938, @EmilyShepherd)
Fix a panic happening in the ipset reconciler when a previous reconciliation failed. (Backport MR #39075, Upstream MR #38890, @pippolo84)
Fix bug that would cause the cilium-dbg encrypt status command to not list any decryption interfaces when KPR is enabled. (Backport MR #39214, Upstream MR #39170, @pchaigno)
Fixes a bug where layer-7 rules would override enableDefaultDeny: false, incorrectly dropping traffic. (Backport MR #39375, Upstream MR #38841, @nimishamehta5)
gateway-api: Fix Gateway reconciler failure when TLSRoute CRD is not installed (Backport MR #39377, Upstream MR #38874, @syedazeez337)
gateway-api: Fix parentRefMatched to check Group and Kind (Backport MR #39377, Upstream MR #39275, @syedazeez337)
helm: fix hubble dynamic metrics config conflict (Backport MR #39075, Upstream MR #38893, @devodev)
ipsec: Fix key derivation error in case of corrupted boot IDs (Backport MR #39214, Upstream MR #39059, @pchaigno)
k8s: Fixed a case when delete event for service endpointslices might have been missed if connectivity to k8s apiserver was broken causing stale service cache for service. (Backport MR #38948, Upstream MR #38779, @marseel)
wireguard:overlay: cleanup calls map when unused (Backport MR #38899, Upstream MR #38655, @smagnani96)
xds: Fix a case in which after cilium-agent we were not sending updated resources to Envoy (Backport MR #38977, Upstream MR #38654, @marseel)

CI Changes:

.github/workflows: Enable DualStack for conformance-kind-proxy-embedded (Backport MR #39377, Upstream MR #36398, @dylandreimerink)
[v1.17] l4lb: Support environments with existing veth (#39408, @joestringer)
Align main and stable branch workflows for availability of cilium-cli (Backport MR #38141, Upstream MR #38138, @joestringer)
bpf: tests: fix ethertype when building inner headers of VXLAN packet (Backport MR #39075, Upstream MR #39060, @julianwiedmann)
ci-aks: Enable dual-stack in Conformance AKS (Backport MR #39377, Upstream MR #37704, @gandro)
gateway-api: Add translation tests for GAMMA (Backport MR #39221, Upstream MR #39207, @sayboras)
gh: e2e-upgrade: check for unexpected drops from connectivity tests (Backport MR #39214, Upstream MR #39111, @julianwiedmann)
gh: e2e-upgrade: generate config matrix from file (Backport MR #39058, Upstream MR #38512, @julianwiedmann)
gh: e2e-upgrade: minor log output improvements (Backport MR #39058, Upstream MR #38011, @julianwiedmann)
gh: use e2e-upgrade for IPsec minor upgrade testing (Backport MR #39058, Upstream MR #38757, @julianwiedmann)
gha: always respect the given image tag in the wait-for-images action (Backport MR #38141, Upstream MR #37901, @giorio94)
rate: Disable TestStressRateLimiter (Backport MR #38896, Upstream MR #38877, @YutaroHayakawa)

Misc Changes:

[v1.17] deps: bump CNI plugins version (#39329, @ferozsalam)
[v1.17] deps: bump golang-jwt to 4.5.2 (#39491, @ferozsalam)
Add the doc for multi-pool ipam about how to update the existing ip pool (Backport MR #38948, Upstream MR #38539, @liyihuang)
bpf: host: use MARK_MAGIC_EGW_DONE-embedded identity in to-netdev (Backport MR #38948, Upstream MR #38768, @julianwiedmann)
bpf: nat: ICMP v4 improvements (Backport MR #39332, Upstream MR #36767, @julianwiedmann)
bpf:hubble: update trace/drop notify for L2-less packets (Backport MR #39263, Upstream MR #37097, @smagnani96)
chore(deps): update all github action dependencies (v1.17) (#39183, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.17) (#39316, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.23.8 docker digest to 87bb940 (v1.17) (#38908, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.23.8 docker digest to e54daaa (v1.17) (#39046, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.2 docker digest to 30baaea (v1.17) (#39314, @cilium-renovate[bot])
chore(deps): update docker.io/library/ubuntu:24.04 docker digest to 6015f66 (v1.17) (#39379, @cilium-renovate[bot])
chore(deps): update go to v1.24.2 (v1.17) (#39113, @cilium-renovate[bot])
chore(deps): update go to v1.24.3 (v1.17) (#39380, @cilium-renovate[bot])
chore(deps): update google/cloud-sdk docker tag to v518 (v1.17) (#39048, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744328671-a8b58b35c03a3d100a2b026fc111417207183301 (v1.17) (#38909, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744798797-f7456c0c30336bbd437eff7743374370e415fc44 (v1.17) (#39047, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745916268-e485bbc0c95e30aa233cb06a753789375b12ad18 (v1.17) (#39226, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745971871-f98500f20b253684d483b783b29df2e4db05ea7c (v1.17) (#39248, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1746405645-719d708b1802ce417568d3eaae4c0677dd60e128 (v1.17) (#39324, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c (v1.17) (#39413, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#38911, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#38970, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#39182, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#39315, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#39475, @cilium-renovate[bot])
chore: remove retention-days param in build-images-releases.yaml (Backport MR #39435, Upstream MR #39431, @sekhar-isovalent)
cilium: Fix device controller's dependency on netfilter (Backport MR #38948, Upstream MR #38777, @borkmann)
cilium: Fix ipip device mtu (Backport MR #38948, Upstream MR #38682, @borkmann)
contrib/scripts: Fix IndexError in stacktrace script (Backport MR #39214, Upstream MR #39101, @christarazi)
contrib: Remove kind.sh dependency on git (Backport MR #39377, Upstream MR #39154, @joestringer)
docs: Add good kernel versions for the L7 policy IPv6 bug (Backport MR #39377, Upstream MR #39212, @gentoo-root)
docs: add warning about l7 policy and EnableDefaultDeny (Backport MR #39075, Upstream MR #38675, @squeed)
docs: Document L7 policy IPv6 bug (Backport MR #38948, Upstream MR #38591, @gentoo-root)
docs: Document that traffic to the VPC in ENI mode is not masqueraded (#39156, @liyihuang)
docs: Fix casing and formatting in L3 examples section (Backport MR #39377, Upstream MR #39065, @mikejoh)
docs: Fix variable naming in EKS-to-EKS Clustermesh guide (Backport MR #39075, Upstream MR #38821, @zzuckerfrei)
docs: The Installation on OpenShift OKD document has been updated to link to maintained operators for Cilium (Isovalent Enterprise for Cilium). This operator is validated on all current versions of OpenShift. (Backport MR #39377, Upstream MR #38886, @auriaave)
docs: Update hubble-metrics flag documentation (Backport MR #39075, Upstream MR #38960, @HadrienPatte)
Documentation : Modification of eks-clustermesh-prep.rst (Backport MR #39214, Upstream MR #39025, @rwinieski)
documentation: fix get deployment cmd (Backport MR #39214, Upstream MR #39155, @g0gn)
dynamiclifecycle: fix goroutine leak (Backport MR #39214, Upstream MR #39149, @squeed)
exclude the dummy device type when evaluating MTU, ensuring that local traffic does not interfere with MTU calculations. (Backport MR #39214, Upstream MR #38992, @liyihuang)
Fix LRU maps to streamline distributed LRU flag implementation with map prealloc handling (Backport MR #39214, Upstream MR #39087, @borkmann)
Fix map recreation loop when distributed lru setting is enabled (Backport MR #39075, Upstream MR #38978, @borkmann)
hubble:monitor: align TraceNotify to DropNotify (Backport MR #39264, Upstream MR #38830, @smagnani96)
ipsec: include ipv6 in v1.18 upgrade leak detection (#38843, @ldelossa)
k8s/resource: Don't Add to WaitGroup asynchronously (Backport MR #38948, Upstream MR #38692, @joamaki)
make: fix golangci-lint version detection (Backport MR #39075, Upstream MR #38996, @mhofstetter)
Throw build bug when using TRACE_{FROM,TO}_CRYPTO from unexpected files and cleanup unevaluated build_bug_on. (Backport MR #39260, Upstream MR #38470, @smagnani96)
workflows: fix lint-workflows (Backport MR #39403, Upstream MR #39398, @aanm)

Other Changes:

[v1.17] k8s/statedb: Fix buffering order of objects (#38585, @joamaki)
[v1.17] Stop TLS Interception config being included in preflight (#39481, @youngnick)
bpf,encrypt: fixes the placement of a particular vxlan helper function (#39088, @ldelossa)
install: Update image digests for v1.17.3 (#38933, @cilium-release-bot[bot])
v1.17: Update Go version to 1.24 in go.mod (#39128, @pchaigno)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a quay.io/cilium/cilium:stable@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.4@sha256:0b72f3046cf36ff9b113d53cc61185e893edb5fe728a2c9e561c1083f806453d quay.io/cilium/clustermesh-apiserver:stable@sha256:0b72f3046cf36ff9b113d53cc61185e893edb5fe728a2c9e561c1083f806453d

docker-plugin

quay.io/cilium/docker-plugin:v1.17.4@sha256:d2e1caaf9e6c7194ec20d8044cfd6b0d513cdfd1552e70f41070f3c25206eefa quay.io/cilium/docker-plugin:stable@sha256:d2e1caaf9e6c7194ec20d8044cfd6b0d513cdfd1552e70f41070f3c25206eefa

hubble-relay

quay.io/cilium/hubble-relay:v1.17.4@sha256:c16de12a64b8b56de62b15c1652d036253b40cd7fa643d7e1a404dc71dc66441 quay.io/cilium/hubble-relay:stable@sha256:c16de12a64b8b56de62b15c1652d036253b40cd7fa643d7e1a404dc71dc66441

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.4@sha256:eaa7b18b7cda65af1d454d54224d175fdb69a35199fa949ae7dfda2789c18dd6 quay.io/cilium/operator-alibabacloud:stable@sha256:eaa7b18b7cda65af1d454d54224d175fdb69a35199fa949ae7dfda2789c18dd6

operator-aws

quay.io/cilium/operator-aws:v1.17.4@sha256:3c31583e57648470fbf6646ac67122ac5896ce5f979ab824d9a38cfc7eafc753 quay.io/cilium/operator-aws:stable@sha256:3c31583e57648470fbf6646ac67122ac5896ce5f979ab824d9a38cfc7eafc753

operator-azure

quay.io/cilium/operator-azure:v1.17.4@sha256:d8d95049bfeab47cb1a3f995164e1ca2cdec8e6c7036c29799647999cdae07b1 quay.io/cilium/operator-azure:stable@sha256:d8d95049bfeab47cb1a3f995164e1ca2cdec8e6c7036c29799647999cdae07b1

operator-generic

quay.io/cilium/operator-generic:v1.17.4@sha256:a3906412f477b09904f46aac1bed28eb522bef7899ed7dd81c15f78b7aa1b9b5 quay.io/cilium/operator-generic:stable@sha256:a3906412f477b09904f46aac1bed28eb522bef7899ed7dd81c15f78b7aa1b9b5

operator

quay.io/cilium/operator:v1.17.4@sha256:d51d9f6958b23c48591e10194b62e217c1d3740cdfca1e293fd199d22db7f97f quay.io/cilium/operator:stable@sha256:d51d9f6958b23c48591e10194b62e217c1d3740cdfca1e293fd199d22db7f97f

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

chore(deps): update helm release cilium to v1.17.4