chore(deps): update helm release cilium to v1.18.1 (!1520) · Merge requests · Tristan Gosselin-Hane / infrastructure

Renovate Bot requested to merge renovate/cilium-1.x into master May 15, 2025

This MR contains the following updates:

Package	Type	Update	Change
cilium (source)	HelmChart	minor	`1.17.3` -> `1.18.1`

⚠️ Warning

Some dependencies could not be looked up. Check the warning logs for more information.

Release Notes

cilium/cilium (cilium)

`v1.18.1`: 1.18.1

Compare Source

Summary of Changes

Minor Changes:

Add kernel_version, endpoint_routes_enabled, strict_mode_enabled and kubernetes_version feature metrics. (Backport MR #41078, Upstream MR #41003, @aanm)
eni: improve logging and speed up ipam reconciliation in case of node scale-downs (Backport MR #40979, Upstream MR #40852, @marseel)
kvstore: Cilium Agent no longer fails health-check if operator is unavailable (Backport MR #40979, Upstream MR #40920, @marseel)
operator: CRDs are updated in series instead of in parallel now during Cilium upgrades. This should lower the pressure on the k8s control plane (Backport MR #40847, Upstream MR #40322, @marseel)

Bugfixes:

Add missing safeguards to topology-aware routing: use all backends when no suitable one matching the zone hints are found or a backend exists without a zone hint. (#41116, @joamaki)
aws/eni: Don't use subnet tags to filter ENIs for GC (Backport MR #40979, Upstream MR #40656, @HadrienPatte)
clustermesh: fix regression possibly causing cross-cluster connections disruption if the clustermesh-apiserver is restarted at the same time as Cilium agents. (Backport MR #40979, Upstream MR #40786, @giorio94)
clustermesh: fix regression preventing global services with unnamed ports from including remote backends (Backport MR #40865, Upstream MR #40848, @giorio94)
Fix bug where the presence of a label called "ingress" causes incorrect assignment of identities to workloads, affecting policy enforcement. (Backport MR #40847, Upstream MR #40791, @christarazi)
Fix skipping of LoadBalancer services when IPMode is not set to VIP (KEP-1860) (Backport MR #40979, Upstream MR #40915, @joamaki)
fix(GH-37724): Sync policies on startup (Backport MR #40847, Upstream MR #40357, @anubhabMajumdar)
fix: create policy snapshot only for sdp (Backport MR #40979, Upstream MR #40785, @vipul-21)
Fixes a bug where the Cilium agent may segfault when starting. (Backport MR #40847, Upstream MR #40824, @squeed)
Fixes an error where the Ingress controller, when run in host network, created an invalid Service. (Backport MR #41078, Upstream MR #40232, @rtheobald)
helm: Create envoy-config ConfigMap for preflight (Backport MR #41078, Upstream MR #40875, @sayboras)
install/kubernetes: fix clustermesh-apiserver extraEnv (Backport MR #41078, Upstream MR #41021, @aanm)
loadbalancer: Fix backend state in REST API (Backport MR #40847, Upstream MR #40780, @mhofstetter)

CI Changes:

.github/actions: only upload files with features-tested prefix (Backport MR #40979, Upstream MR #40975, @aanm)
Add TESTOWNERS file (#40864, @joestringer)
ci: Add Cleanup Disk space step into conformance-runtime (Backport MR #40979, Upstream MR #40973, @rastislavs)
ci: Fix CI-Fuzz Build failures (Backport MR #40979, Upstream MR #40728, @lomackie)
ci: Reuse connectivity test flags in proxy-embedded (Backport MR #41078, Upstream MR #41036, @joestringer)
endpoint: Avoid unnecessarily logging a warning during endpoint deletion (Backport MR #40979, Upstream MR #40927, @christarazi)
Fix GKE cluster creation failures when branch names exceed 63-byte label limit by implementing automatic truncation with hash-based uniqueness preservation. (Backport MR #40847, Upstream MR #40725, @pillai-ashwin)
Improved test failure attribution on stable branches by using TESTOWNERS files to route failures to appropriate code quality teams rather than generic CI infrastructure teams. (Backport MR #40847, Upstream MR #40776, @pillai-ashwin)
ipsec: fix privileged tests (Backport MR #41078, Upstream MR #41006, @smagnani96)
tools/testowners: de-duplicate error logs (Backport MR #40847, Upstream MR #40778, @tklauser)
workflows/ipsec: Fix leak detection for IPv6-only in e2e downgrade (Backport MR #40979, Upstream MR #40881, @smagnani96)

Misc Changes:

.github/workflows: bump build-images-base timeout to 60 minutes (Backport MR #40979, Upstream MR #40919, @aanm)
.github/workflows: print open file descriptors (Backport MR #40979, Upstream MR #40941, @aanm)
.github: fix removal of all files in /mnt (Backport MR #40847, Upstream MR #40818, @aanm)
.github: remove all contents of /mnt in build images CI (Backport MR #40847, Upstream MR #40814, @aanm)
chore(deps): update actions/download-artifact action to v5 (v1.18) (#41055, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#40901, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#41056, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#40900, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.18.6 (v1.18) (#40898, @cilium-renovate[bot])
chore(deps): update go to v1.24.6 (v1.18) (#40993, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#40899, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#41054, @cilium-renovate[bot])
ci: add/change runner labels (Backport MR #40979, Upstream MR #40972, @Artyop)
daemon/test: explicitly wait for identities synchronization (Backport MR #40847, Upstream MR #40811, @giorio94)
docs: Remove references to v1.15 (Backport MR #41078, Upstream MR #41033, @joestringer)
Fix loadbalancer handling of backends with ClusterID set (Backport MR #41078, Upstream MR #40968, @giorio94)
Fix race condition issues (Backport MR #40979, Upstream MR #40949, @aanm)
fix(deps): update module github.com/docker/docker to v28.3.3+incompatible [security] (v1.18) (#40793, @cilium-renovate[bot])
loadbalancer: Raise default retry duration to 1 second (Backport MR #41078, Upstream MR #40997, @joamaki)
loadbalancer: Use unique for L3n4Addr (Backport MR #40847, Upstream MR #40633, @joamaki)
Makefile: Fix multi codeowner detection (Backport MR #40847, Upstream MR #40923, @joestringer)
Reduced memory usage by roughly 10% for large EndpointSlices by sharing identical objects. (Backport MR #41078, Upstream MR #40987, @joamaki)
values(.yaml.tmpl): Add Geneve (Class Option) to dsrDispatch paramater (Backport MR #40847, Upstream MR #40625, @alagoutte)
vendor: Bump to StateDB v0.4.5 (Backport MR #40979, Upstream MR #40783, @joamaki)

Other Changes:

ci: reduce gke failures (#41070, @brlbil)
install: Update image digests for v1.18.0 (#40782, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9 quay.io/cilium/cilium:stable@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.1@sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb quay.io/cilium/clustermesh-apiserver:stable@sha256:87ab85f33dc7e895ed6257564bf1a255d12399d9e8a075a8fc400910ff94cbeb

docker-plugin

quay.io/cilium/docker-plugin:v1.18.1@sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3 quay.io/cilium/docker-plugin:stable@sha256:fb1c6ecb6dc180c97488b8ea45d81275237db14d50e22a1eff3dbfaf9f6f93f3

hubble-relay

quay.io/cilium/hubble-relay:v1.18.1@sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0 quay.io/cilium/hubble-relay:stable@sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.1@sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a quay.io/cilium/operator-alibabacloud:stable@sha256:e2bdc8236acec0d1ef1552c831a7cd2277624031066fbdfac884a31a4126a32a

operator-aws

quay.io/cilium/operator-aws:v1.18.1@sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042 quay.io/cilium/operator-aws:stable@sha256:de522223ecd73bc06b48042fa59f78f7b3b8f2fff4f8f30a61687516798c5042

operator-azure

quay.io/cilium/operator-azure:v1.18.1@sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06 quay.io/cilium/operator-azure:stable@sha256:682058e6734e397e7939e92bb463da3c1b5d8b7a7ce408c3b7a62aadb9ce4f06

operator-generic

quay.io/cilium/operator-generic:v1.18.1@sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc quay.io/cilium/operator-generic:stable@sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc

operator

quay.io/cilium/operator:v1.18.1@sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e quay.io/cilium/operator:stable@sha256:f3b8d90f945167c1ac4324a0f02a9d381f83076d5ce828fab452014f9335a47e

`v1.18.0`: 1.18.0

Compare Source

We are excited to announce the Cilium 1.18.0 release!

A total of 3298 new commits have been contributed to this release by a growing community of over 955 developers and over 22,000 GitHub stars! ⭐

To keep up to date with all the latest Cilium releases, see Announcements

Here's what's new in v1.18.0:

🚠 Networking

⚖️ Load Balancing Redesign: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features (cilium/cilium#38469, @joamaki)
🔌 Virtual Network Devices: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels (cilium/cilium#37723, @ldelossa; cilium/cilium#37346, @gyutaeb)
Ⓜ️ Multiple Egress Gateways: Egress Gateways policies can now direct traffic towards multiple gateway nodes (cilium/cilium#39304, @carlos-abad)
🚦 Ingress Rate Limiting: The bandwidth manager now supports ingress rate limiting (cilium/cilium#36351, @l1b0k)
📢 Multi-Device L2 Announcements: The L2 pod announcement feature now supports multiple devices (cilium/cilium#38198, @dylandreimerink)
🏢 Neighbor Subsystem Rework: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state (cilium/cilium#39987, @dylandreimerink)

🌐 IPv6

🚇 Tunneling Underlay: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption (cilium/cilium#38296, cilium/cilium#39497, @pchaigno)
💬 Kube Proxy Replacement: Cilium now implements service translation when running on an IPv6 underlay (cilium/cilium#39074, @pchaigno)
📋 Delegated IPAM: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 (cilium/cilium#38249, @caorui-io, @kadevu)
📦 IP Fragment Support: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality (cilium/cilium#38110, @gentoo-root)
🚪 Egress gateway policies can now match IPv6 address ranges (cilium/cilium#38452, @rgo3)

🛡️ Policy & Observability

🏷️ Policy Names in Hubble-CLI: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble (cilium/cilium#39453, @antonipp)
📝 Policy Log Fields: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching (cilium/cilium#39902, @squeed)
🛰️ Encapsulated Traffic Decoding: Hubble decodes encapsulated traffic for deeper introspection into traffic flows (cilium/cilium#37634, @kaworu)
🏰 ClusterMesh Policy Restriction: A new option allows the cluster entity to apply only to the local cluster in ClusterMesh environment (cilium/cilium#39338, @MrFreezeex)
✨ Enhanced Policy Dashboard: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions (cilium/cilium#36492, cilium/cilium#37445, @squeed)

🌅 Performance

📊 Scale Test Results: Cilium implements policies and services up to 45% faster in higher scale environments (Various; @marseel, cilium/cilium#40227)
📦 Image Size Reduction: Docker image sizes are reduced by 32% on arm64 architecture images (cilium/cilium#40005, @marseel)
⚡ Improved Policy Performance: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized (cilium/cilium#39340, @squeed; cilium/cilium#40414, @marseel)
🪞 EndpointSlice Mirroring for Multi-Cluster Services: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller (cilium/cilium#38596, @MrFreezeex)
🌐 KVStoreMesh Optimization: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value (cilium/cilium#36471, @HadrienPatte)
🧠 Egress Gateway Processing: Egress gateway policy processing is significantly improved when matching a large number of pods (cilium/cilium#37714, @giorio94)
🗑️ Optimized Garbage Collection for Connection Tracking: Cilium leverages batched iterators for CTMap GC (cilium/cilium#36288, @tommyp1ckles)

⚙️ Operations

📈 API Server Connections at Scale: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations (cilium/cilium#37601, @aditighag; cilium/cilium#38031, @orange30; cilium/cilium#36648, @wedaly)
🔄 ConfigMap Synchronization: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration (cilium/cilium#36510, @ovidiutirla)
🎓 CRD Promotion to Stable: Promote CiliumCIDRGroup, CiliumLoadBalancerIPPool and all BGP CRDs to stable API (cilium/cilium#38940, @christarazi; cilium/cilium#39090, @pippolo84; cilium/cilium#37765, @rastislavs)
⛔ Node Taints Handling: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node (cilium/cilium#40137, @Murat Parlakisik)
:wood: Migrate to Slog: Cilium now uses slog as log library for all components (cilium/cilium#39664, @aanm)
🔧 Cilium dependencies were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 (cilium/cilium#39124, cilium/cilium#40175, cilium/cilium#39632, @sayboras; cilium/cilium#38868, @squeed)
🐧 Minimum Linux Requirements: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 (cilium/cilium#38308, @julianwiedmann)

🕸️ Service Mesh & Gateway API

⛩️ Gateway API v1.3.0: Gateway API support is bumped to v1.3.0 (cilium/cilium#39590, @sayboras)
🔗 Improved GatewayClass Configuration: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations (cilium/cilium#37792, cilium/cilium#37402, cilium/cilium#40138, @sayboras)
🚏 Multiple HTTPRoutes: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service (cilium/cilium#39922, @youngnick)
🪄 Route Changes Reconciliation: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things (cilium/cilium#37798, @sayboras)

🏷️ IP Address Management

☁️ AWS Prefix Delegation: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode (cilium/cilium#39678, @41ks)
🏬 Multi-Pool IPAM with KVStore: Add support for Multi-Pool IPAM in external KVstore mode (cilium/cilium#39638, @pippolo84)
🔐 Multi-Pool IPAM with IPSec: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode (cilium/cilium#39442, @pippolo84)
↪️ Multi-Pool Tunnel Routing: Add support for tunnel routing in multi-pool IPAM mode (cilium/cilium#38483, @pippolo84)

🛣️ BGP

📇 Route Aggregation: Add support for BGP route aggregation in the control plane (cilium/cilium#37275, @romanspb80)
🎯 Overlapping Selector Matches: Support overlapping selector matches in CiliumBGPAdvertisement resources (cilium/cilium#36414, @dswaffordcw)
🆔 New Router ID generation modes: Generate router-id based on MAC addresses, or from an IP address pool (cilium/cilium#36451, @yushoyamaguchi; cilium/cilium#38300, @liyihuang)

🧑‍💻 Development Experience

🧪 Test attribution: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems (cilium/cilium#37027, @Joe Stringer)
🛏️ Policy REST API: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred (cilium/cilium#40212, @squeed)
🏗️ Feature Deprecation: Deprecate underused features like Custom Calls, Recorder API and External Workloads (cilium/cilium#38480, cilium/cilium#39642, cilium/cilium#37418, @brb)

🏢 Community

❤️ Production Case Studies: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!
- ByteDance, Canopus Networks, Corner Banca, DB Schenker, eBay, ECCO, G-Research, Social Network Company, and Preferred Networks
🇬🇧 London Events: The community gathered at CiliumCon and the Cilium Developer Summit in London
🇺🇸 Atlanta Events: Meet us at the upcoming CiliumCon and Cilium Developers Summit in Atlanta, Georgia
👥 SIG Community Meetings: SIG Community now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community

📔 Full CHANGELOG

Full CHANGELOG.md can be found here.

And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people_holding_hands: ❤️

`v1.17.7`: 1.17.7

Compare Source

Summary of Changes

Minor Changes:

Add kernel_version, endpoint_routes_enabled, strict_mode_enabled and kubernetes_version feature metrics. (Backport MR #41074, Upstream MR #41003, @aanm)

Bugfixes:

Added cleanup of deprecated cilium_policy_v1 maps (Backport MR #40578, Upstream MR #39400, @pasteley)
bgp: Use private fork of the GoBGP to fix BGP MD5 auth (Backport MR #40578, Upstream MR #40566, @YutaroHayakawa)
bpf/nat: fix header offset while reverse nat-ing icmp6 pkt too big. (Backport MR #40387, Upstream MR #40002, @tommyp1ckles)
Enable protocol differentiation by default on the operator, matching the agent (#40643, @dylandreimerink)
Fix a bug where Cilium leaks stale routes when IPsec is enabled. (Backport MR #40664, Upstream MR #40653, @pippolo84)
fix(helm): fix values.schema.json types for bpf.events.default.{rateLimit,burstLimit} (Backport MR #40578, Upstream MR #40543, @vchirikov)
fix: kube-proxy healthz panic on port 10256 (#40590, @tamilmani1989)
Helm: Correct seccompProfile for cilium-agent pods (Backport MR #40578, Upstream MR #40476, @jcpunk)
install/kubernetes: fix clustermesh-apiserver extraEnv (Backport MR #41074, Upstream MR #41021, @aanm)
pkg/ipam: fix multi-pool allocator not releasing un-used /32 and /128 CIDRs (Backport MR #40578, Upstream MR #40393, @alimehrabikoshki)
service: Only set algorithm annotation when requested (#40845, @tsotne95)

CI Changes:

.github/actions: only upload files with features-tested prefix (Backport MR #40988, Upstream MR #40975, @aanm)
.github: Don't overwrite junit results (Backport MR #41014, Upstream MR #39159, @joestringer)
.github: Run final steps when tests aren't skipped (Backport MR #41014, Upstream MR #40180, @joestringer)
[v1.17] .github: Remove use of cosign attest --recursive (#40699, @YutaroHayakawa)
[v1.17] ci: Revert build_commits runner to ubuntu-22.04 (#40837, @rastislavs)
builder: Add tparse,junit tooling (Backport MR #41014, Upstream MR #39092, @joestringer)
Centralize dynamic test ownership configuration (Backport MR #41014, Upstream MR #38045, @joestringer)
ci: conformance-eks token extended to 8h (Backport MR #40578, Upstream MR #40474, @mathpl)
ci: more powerful runners for go linting (Backport MR #40765, Upstream MR #40582, @mathpl)
CLI: Attribute tests to codeowners (Backport MR #41014, Upstream MR #37027, @joestringer)
Emit junit output from BPF unit tests (Backport MR #41014, Upstream MR #39099, @joestringer)
Fix GKE cluster creation failures when branch names exceed 63-byte label limit by implementing automatic truncation with hash-based uniqueness preservation. (Backport MR #40849, Upstream MR #40725, @pillai-ashwin)
Improved test failure attribution on stable branches by using TESTOWNERS files to route failures to appropriate code quality teams rather than generic CI infrastructure teams. (Backport MR #41014, Upstream MR #40776, @pillai-ashwin)
pkg/egw: Add missing waitForReconciliationRun (Backport MR #40578, Upstream MR #40355, @aditighag)
spire: Fix unreliable test (Backport MR #40664, Upstream MR #40561, @joestringer)
tools/testowners: de-duplicate error logs (Backport MR #41074, Upstream MR #40778, @tklauser)
Upload junit results for Go unit test runs (Backport MR #41014, Upstream MR #39015, @joestringer)

Misc Changes:

.github/workflows: bump build-images-base timeout to 60 minutes (Backport MR #40988, Upstream MR #40919, @aanm)
.github: fix removal of all files in /mnt (Backport MR #40849, Upstream MR #40818, @aanm)
.github: fix upload artifacts for features.json (#41091, @aanm)
.github: remove all contents of /mnt in build images CI (Backport MR #40849, Upstream MR #40814, @aanm)
.github: remove stable tag from v1.17 branches (#40772, @aanm)
certloader: Add client variants of watched TLS configs (Backport MR #40624, Upstream MR #40399, @devodev)
chore(deps): update actions/download-artifact action to v5 (v1.17) (#41058, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.17) (#40746, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.17) (#40905, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.17) (#41059, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.17) (#40744, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.17) (#40984, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.18.6 (v1.17) (#40902, @cilium-renovate[bot])
chore(deps): update dependency cilium/little-vm-helper to v0.0.26 (v1.17) (#40646, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.5 docker digest to ef5b4be (v1.17) (#40745, @cilium-renovate[bot])
chore(deps): update go to v1.24.6 (v1.17) (#40994, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.33.6-1753919866-df8077dbd3932edccb59f1c5c70e01f2c1f63741 (v1.17) (#40903, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#40673, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#40904, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#41057, @cilium-renovate[bot])
ci: add/change runner labels (Backport MR #40988, Upstream MR #40972, @Artyop)
cli: Load code owners dynamically via --code-owners (Backport MR #41014, Upstream MR #38044, @joestringer)
daemon/test: explicitly wait for identities synchronization (Backport MR #40849, Upstream MR #40811, @giorio94)
doc:monitor: clarify direction traced with default aggregation level (Backport MR #40578, Upstream MR #40398, @smagnani96)
docs: Add missing IPAM modes to configuration page (Backport MR #40664, Upstream MR #40540, @RayyanSeliya)
docs: Add warning about changing an IP pool (Backport MR #40664, Upstream MR #40567, @sorrison)
docs: remove l7 EnableDefaultDeny callout (Backport MR #40578, Upstream MR #40441, @squeed)
Fix race condition issues (Backport MR #40988, Upstream MR #40949, @aanm)
Makefile: Fix multi codeowner detection (Backport MR #41014, Upstream MR #40923, @joestringer)
Makefile: Improve tparse,junit output handling (Backport MR #41014, Upstream MR #39098, @joestringer)
Support extending cilium-agent volumes as a downstream packager (Backport MR #40578, Upstream MR #40401, @devodev)
tools: Move codeowners library from cilium-cli dir (Backport MR #41014, Upstream MR #40253, @joestringer)

Other Changes:

Fix bug where LocalRedirectPolicy forwarding would break if you enable bpf-lb-algorithm-annotation (#40246, @tarabrind)
images: update cilium-{runtime,builder} (#40839, @aanm)
install: Update image digests for v1.17.6 (#40546, @cilium-release-bot[bot])
vendor: Bump to StateDB v0.4.5 (#40850, @joamaki)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.7@sha256:2852feca0d0d936ed0333cd64859f3c5ece2db582ba5fed848f57aff786be4a6

docker-plugin

quay.io/cilium/docker-plugin:v1.17.7@sha256:1b7c8d64f01b309521f13ab2a15239a688b9f545bb97058d383ad3bb55e42e67

hubble-relay

quay.io/cilium/hubble-relay:v1.17.7@sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.7@sha256:271e64d6c91019a1a4815b4c78294962bf51c9f764c680fdfacb2adb6e9d0c4d

operator-aws

quay.io/cilium/operator-aws:v1.17.7@sha256:ce37d2ccf921761a4171a507748a06a204592890e6f8cf7d1c354648e098c830

operator-azure

quay.io/cilium/operator-azure:v1.17.7@sha256:9c1db11de2e0cdcaba522c8f396b9a643738f3d3f958fa9b4d62f57bac5daafb

operator-generic

quay.io/cilium/operator-generic:v1.17.7@sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788

operator

quay.io/cilium/operator:v1.17.7@sha256:122e49fce82df90693f8981e5d9013b6a9248284db17226259e39364ba9a211d

`v1.17.6`: 1.17.6

Compare Source

Summary of Changes

Minor Changes:

helm: KPR subflag changes (Backport MR #40222, Upstream MR #39721, @brb)

Bugfixes:

Deny policies are now synced to Envoy so that they can be enforced for Ingress policies. (Backport MR #40187, Upstream MR #39736, @jrajahalme)
Do not fail the agent startup in case IPv6 support is enabled and the node does not have an IPv6 address assigned yet (Backport MR #40205, Upstream MR #40143, @pippolo84)
Fix bug preventing a global service from including remote backends, if the local service has no selector, and the remote one gets removed and then added again. (#40361, @giorio94)
Fix data race involving DumpReliablyWithCallback map operation. (Backport MR #40094, Upstream MR #38590, @aditighag)
Fix IPAM IP release racing condition when IP reassigned back to ENI (Backport MR #40289, Upstream MR #40019, @victorcq)
hubble automatically pick the hubble-prefer-ipv6 to true if ipv4 not enabled (Backport MR #40289, Upstream MR #40210, @chengjoey)
LBIPAM: Fix deletion of CiliumLoadBalancerIPPool with multiple IP blocks that led to an operator crash (Backport MR #40094, Upstream MR #40013, @pippolo84)
pkg/egressgateway: ensure gateway IP is IPv4 (Backport MR #40332, Upstream MR #40209, @rgo3)
policy: fix error handling for selector policy resolution (#40404, @fristonio)

CI Changes:

ci: do not run north-south conn disrupt tests for 5.4 kernels (#39443, @ldelossa)
ci: fix north-south conn disrupt for 5.4 kernel (#40434, @smagnani96)

Misc Changes:

.github/workflows: remove reviewers if ciliumbot approved MR (Backport MR #40094, Upstream MR #39989, @aanm)
auto-approve: add repository as part command (Backport MR #40094, Upstream MR #40050, @aanm)
auto-approve: add repository as part command (Backport MR #40332, Upstream MR #40089, @aanm)
chore(deps): update all github action dependencies (v1.17) (#40158, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.17) (#40044, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.17) (#40458, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.18.5 (v1.17) (#39948, @cilium-renovate[bot])
chore(deps): update go to v1.24.5 (v1.17) (#40424, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.33.4-1752151664-7c2edb0b44cf95f326d628b837fcdd845102ba68 (v1.17) (#40466, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#40157, @cilium-renovate[bot])
cilium: fix socket termination for v4-in-v6 clients (Backport MR #40295, Upstream MR #39994, @borkmann)
contrib/git: add merge drivers to automate post-merge commands (Backport MR #40289, Upstream MR #40189, @aanm)
disk-cleanup: parallelize cleanup process to speed up step (Backport MR #40094, Upstream MR #40054, @aanm)
doc:ipsec:kvstore: explicit limitations that could lead to staling XFRM states and no connectivity (Backport MR #40176, Upstream MR #39719, @smagnani96)
docs/ipsec: Fix incorrect statement on hostns encryption (Backport MR #40176, Upstream MR #40133, @pchaigno)
Makefile: Require API generation commands to succeed (Backport MR #40205, Upstream MR #40199, @joestringer)
operator/secretsync: silence reconciliation logs (Backport MR #40289, Upstream MR #40217, @tklauser)
proxy: Use upstream envoy control plane API (Backport MR #40216, Upstream MR #39672, @sayboras)
v1.17: helm: Restore hostPort.enabled flag (#40480, @brb)

Other Changes:

[v1.17] deps: Update cilium-envoy image to 1.33.x (#40088, @sayboras)
Backport: kube-proxy-healthz to return 503 if node terminating (#40317, @tamilmani1989)
Bpf datapath TCP conntrack entries are (re)created only in the forward direction, solving an issue with freezing proxy connections when backend connection is re-opened. (#40448, @jrajahalme)
envoy: Bump cilium-envoy to the latest v1.33.x (#40368, @sayboras)
install: Update image digests for v1.17.5 (#40117, @cilium-release-bot[bot])
proxy: Bump envoy version to the latest v1.33.x (#40181, @sayboras)
v1.17: docs: Document encapsulation options (#40471, @pchaigno)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353 quay.io/cilium/cilium:stable@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.6@sha256:f619e97432db427e1511bf91af3be8ded418c53a353a09629e04c5880659d1df quay.io/cilium/clustermesh-apiserver:stable@sha256:f619e97432db427e1511bf91af3be8ded418c53a353a09629e04c5880659d1df

docker-plugin

quay.io/cilium/docker-plugin:v1.17.6@sha256:2d6175582c036dde241448b2b937353ce304d7a30eec9b66e96279b4b39c4f36 quay.io/cilium/docker-plugin:stable@sha256:2d6175582c036dde241448b2b937353ce304d7a30eec9b66e96279b4b39c4f36

hubble-relay

quay.io/cilium/hubble-relay:v1.17.6@sha256:7d17ec10b3d37341c18ca56165b2f29a715cb8ee81311fd07088d8bf68c01e60 quay.io/cilium/hubble-relay:stable@sha256:7d17ec10b3d37341c18ca56165b2f29a715cb8ee81311fd07088d8bf68c01e60

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.6@sha256:5352e670719dc61f059c1e1a04bc0563c2144738386fa7236dc167ff3fef4c64 quay.io/cilium/operator-alibabacloud:stable@sha256:5352e670719dc61f059c1e1a04bc0563c2144738386fa7236dc167ff3fef4c64

operator-aws

quay.io/cilium/operator-aws:v1.17.6@sha256:24db5c811e24e51e7ce166e8e056967875bf3544cc2ead6984f34f705fe71847 quay.io/cilium/operator-aws:stable@sha256:24db5c811e24e51e7ce166e8e056967875bf3544cc2ead6984f34f705fe71847

operator-azure

quay.io/cilium/operator-azure:v1.17.6@sha256:1b7e193ccbc718f723993a0f11eb8fbf16376e822fe8c4dc792d7696701d57c8 quay.io/cilium/operator-azure:stable@sha256:1b7e193ccbc718f723993a0f11eb8fbf16376e822fe8c4dc792d7696701d57c8

operator-generic

quay.io/cilium/operator-generic:v1.17.6@sha256:91ac3bf7be7bed30e90218f219d4f3062a63377689ee7246062fa0cc3839d096 quay.io/cilium/operator-generic:stable@sha256:91ac3bf7be7bed30e90218f219d4f3062a63377689ee7246062fa0cc3839d096

operator

quay.io/cilium/operator:v1.17.6@sha256:e7b41cdba20875f8a6595eca1baf1cff1b8367417cffa99be7b1b9b0a11ab677 quay.io/cilium/operator:stable@sha256:e7b41cdba20875f8a6595eca1baf1cff1b8367417cffa99be7b1b9b0a11ab677

`v1.17.5`: 1.17.5

Compare Source

Summary of Changes

Bugfixes:

aws/ENI: Only use pagination when not specifying IDs (Backport MR #39564, Upstream MR #39120, @HadrienPatte)
Fix connections to deleted service backends not getting terminated in certain cases involving services with multiple protocol ports. (Backport MR #39564, Upstream MR #37745, @foyerunix)
Fix handle_policy_egress programs not being cleaned up during endpoint teardown (Backport MR #39685, Upstream MR #39560, @ti-mo)
Fixed bug where datapath is unable to compile when active connection tracking and IPv6 are enabled at the same time. (Backport MR #39564, Upstream MR #39509, @dylandreimerink)
Fixes a bug where a CIDRRule of 0.0.0.0/0 would not select all external traffic. (Backport MR #39765, Upstream MR #39693, @squeed)
gateway-api: Use original source address for GAMMA (Backport MR #39685, Upstream MR #39206, @sayboras)
helm/hubble: Fix wrong value for metrics server tls existingSecret (Backport MR #39685, Upstream MR #39668, @devodev)
install/kubernetes: change mapDynamicSizeRatio from number to string (Backport MR #39963, Upstream MR #39834, @aanm)
operator: skip retry of node taint update when node not found (Backport MR #39564, Upstream MR #39517, @jshr-w)
Persist parent interface index of endpoint across agent restarts (Backport MR #39765, Upstream MR #39575, @dylandreimerink)
Policy updates to Envoy no longer consider a single selector as an L3 wildcard. Cilium bpf datapath policy enforcement is not done for Cilium Ingress policy enforcement so the L3 identity needs to be enforced in all cases. (Backport MR #39564, Upstream MR #39511, @jrajahalme)

CI Changes:

bpf: test: fix up mis-spelled HAVE_NETNS_COOKIE (Backport MR #39564, Upstream MR #39420, @julianwiedmann)
call for metrics in smoke tests from runner instead of installing apt/curl on cilium pod (Backport MR #39862, Upstream MR #37362, @Artyop)
gh: e2e: enable secondary-network LB testing for all KPR=true configs (Backport MR #39780, Upstream MR #39718, @julianwiedmann)
gh: eks: restore concurrent execution of connectivity tests (Backport MR #39685, Upstream MR #39673, @julianwiedmann)
Re-optimize CI build process (Backport MR #39862, Upstream MR #39802, @aanm)

Misc Changes:

.github/workflows: remove cilium-cli from build-go-caches (#39801, @aanm)
[v1.17] bpf: host: don't detect WG traffic in from-netdev@cilium_wg0 (#38233, @julianwiedmann)
Add a section to talk about the native routing masquerading in the cloud environment. (Backport MR #39564, Upstream MR #39343, @liyihuang)
bpf: host: flag Cilium's ESP traffic as TRACE_REASON_ENCRYPTED (Backport MR #39685, Upstream MR #39558, @julianwiedmann)
bpf: Skip lxc src IP check for proxy traffic (Backport MR #39564, Upstream MR #39530, @sayboras)
bpf:wireguard: reuse MARK_MAGIC_ENCRYPT for encrypted packets (Backport MR #39652, Upstream MR #39651, @smagnani96)
chore(deps): update all github action dependencies (v1.17) (#39476, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.17) (#39704, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.17) (#39570, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.17) (#39687, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.17) (#39821, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.17) (#39879, @cilium-renovate[bot])
chore(deps): update dependency protocolbuffers/protobuf to v31 (v1.17) (#39607, @cilium-renovate[bot])
chore(deps): update dependency protocolbuffers/protobuf to v31.1 (v1.17) (#39951, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.3 docker digest to 4c0a181 (v1.17) (#39725, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.3 docker digest to 81bf592 (v1.17) (#39822, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.3 docker digest to 86b4cff (v1.17) (#39605, @cilium-renovate[bot])
chore(deps): update gcr.io/distroless/static:nonroot docker digest to 188ddfb (v1.17) (#39606, @cilium-renovate[bot])
chore(deps): update go to v1.24.4 (v1.17) (#39949, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1749031919-98c55b1d0c1154fb6c9e760583c2dcd7778686e2 (v1.17) (#39886, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1749271279-0864395884b263913eac200ee2048fd985f8e626 (v1.17) (#39935, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#39703, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#39950, @cilium-renovate[bot])
HELM: Adding Label Support to clustermesh apiserver service (Backport MR #39564, Upstream MR #39520, @camrossi)
mtu/endpoint_updater.go: Check for unix.EINVAL not os.ErrInvalid (Backport MR #39862, Upstream MR #39658, @dylandreimerink)
mtu: Catch expected error in endpoint MTU updater (Backport MR #39685, Upstream MR #36596, @dylandreimerink)
pkg/fswatcher: Rewrite without underlying use of fsnotify (Backport MR #39963, Upstream MR #38537, @glibsm)

Other Changes:

[v1.17] chore(deps): revert etcd bump to v3.6.0 (#39628, @giorio94)
[v1.17] vendor: Bump Hive and StateDB (#39689, @joamaki)
install: Update image digests for v1.17.4 (#39548, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.5@sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6 quay.io/cilium/cilium:stable@sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.5@sha256:78dc40b9cb8d7b1ad21a76ff3e11541809acda2ac4ef94150cc832100edc247d quay.io/cilium/clustermesh-apiserver:stable@sha256:78dc40b9cb8d7b1ad21a76ff3e11541809acda2ac4ef94150cc832100edc247d

docker-plugin

quay.io/cilium/docker-plugin:v1.17.5@sha256:0da0960b1d34d07ff1aba99d491e2413f0285cf09d94b183c4329e7e7b6949cb quay.io/cilium/docker-plugin:stable@sha256:0da0960b1d34d07ff1aba99d491e2413f0285cf09d94b183c4329e7e7b6949cb

hubble-relay

quay.io/cilium/hubble-relay:v1.17.5@sha256:fbb8a6afa8718200fca9381ad274ed695792dbadd2417b0e99c36210ae4964ff quay.io/cilium/hubble-relay:stable@sha256:fbb8a6afa8718200fca9381ad274ed695792dbadd2417b0e99c36210ae4964ff

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.5@sha256:654db67929f716b6178a34a15cb8f95e391465085bcf48cdba49819a56fcd259 quay.io/cilium/operator-alibabacloud:stable@sha256:654db67929f716b6178a34a15cb8f95e391465085bcf48cdba49819a56fcd259

operator-aws

quay.io/cilium/operator-aws:v1.17.5@sha256:3e189ec1e286f1bf23d47c45bdeac6025ef7ec3d2dc16190ee768eb94708cbc3 quay.io/cilium/operator-aws:stable@sha256:3e189ec1e286f1bf23d47c45bdeac6025ef7ec3d2dc16190ee768eb94708cbc3

operator-azure

quay.io/cilium/operator-azure:v1.17.5@sha256:add78783fdaced7453a324612eeb9ebecf56002b56c14c73596b3b4923321026 quay.io/cilium/operator-azure:stable@sha256:add78783fdaced7453a324612eeb9ebecf56002b56c14c73596b3b4923321026

operator-generic

quay.io/cilium/operator-generic:v1.17.5@sha256:f954c97eeb1b47ed67d08cc8fb4108fb829f869373cbb3e698a7f8ef1085b09e quay.io/cilium/operator-generic:stable@sha256:f954c97eeb1b47ed67d08cc8fb4108fb829f869373cbb3e698a7f8ef1085b09e

operator

quay.io/cilium/operator:v1.17.5@sha256:815f6e0648724ed4cdbdc072889ad4223de251f21e0503035af91d41dd547cc4 quay.io/cilium/operator:stable@sha256:815f6e0648724ed4cdbdc072889ad4223de251f21e0503035af91d41dd547cc4

`v1.17.4`: 1.17.4

Compare Source

Summary of Changes

Minor Changes:

Add TRACE_{FROM/TO}_CRYPTO observation point and bpf metrics for packets forwarded-to/received-from Wireguard. (Backport MR #39260, Upstream MR #34958, @smagnani96)
Cilium Agent liveness probe no longer fails if Kubernetes apiserver cannot be reached. Earlier the agent was restarted if the apiserver could not be reached for approximately 5 minutes. This avoids traffic disruptions on apiserver downtime (e.g. due to maintenance) for features such as L7 and FQDN proxy that require cilium-agent to always be up. (Backport MR #38703, Upstream MR #38458, @joamaki)
Update kafka apiKey helm chart value to true (Backport MR #39214, Upstream MR #38963, @kyle-c-simmons)

Bugfixes:

bpf: nodeport: avoid accidental NAT46x64 clash in from-container (Backport MR #39214, Upstream MR #38916, @julianwiedmann)
Check the TLSRoute and HasServiceImportSupport through the CRD. (Backport MR #39377, Upstream MR #39122, @liyihuang)
Fix a bug where a CiliumNetworkPolicy/CiliumClusterwideNetworkPolicy containing invalid rules would not be reported with invalid status. (Backport MR #38948, Upstream MR #38801, @tklauser)
Fix a bug where services would fail to match wildcard protocols after switching to Local traffic policy with protocol differentiation enabled. (Backport MR #39404, Upstream MR #39360, @pasteley)
Fix a deadlock when a host has no IPv4 address. (Backport MR #39075, Upstream MR #38938, @EmilyShepherd)
Fix a panic happening in the ipset reconciler when a previous reconciliation failed. (Backport MR #39075, Upstream MR #38890, @pippolo84)
Fix bug that would cause the cilium-dbg encrypt status command to not list any decryption interfaces when KPR is enabled. (Backport MR #39214, Upstream MR #39170, @pchaigno)
Fixes a bug where layer-7 rules would override enableDefaultDeny: false, incorrectly dropping traffic. (Backport MR #39375, Upstream MR #38841, @nimishamehta5)
gateway-api: Fix Gateway reconciler failure when TLSRoute CRD is not installed (Backport MR #39377, Upstream MR #38874, @syedazeez337)
gateway-api: Fix parentRefMatched to check Group and Kind (Backport MR #39377, Upstream MR #39275, @syedazeez337)
helm: fix hubble dynamic metrics config conflict (Backport MR #39075, Upstream MR #38893, @devodev)
ipsec: Fix key derivation error in case of corrupted boot IDs (Backport MR #39214, Upstream MR #39059, @pchaigno)
k8s: Fixed a case when delete event for service endpointslices might have been missed if connectivity to k8s apiserver was broken causing stale service cache for service. (Backport MR #38948, Upstream MR #38779, @marseel)
wireguard:overlay: cleanup calls map when unused (Backport MR #38899, Upstream MR #38655, @smagnani96)
xds: Fix a case in which after cilium-agent we were not sending updated resources to Envoy (Backport MR #38977, Upstream MR #38654, @marseel)

CI Changes:

.github/workflows: Enable DualStack for conformance-kind-proxy-embedded (Backport MR #39377, Upstream MR #36398, @dylandreimerink)
[v1.17] l4lb: Support environments with existing veth (#39408, @joestringer)
Align main and stable branch workflows for availability of cilium-cli (Backport MR #38141, Upstream MR #38138, @joestringer)
bpf: tests: fix ethertype when building inner headers of VXLAN packet (Backport MR #39075, Upstream MR #39060, @julianwiedmann)
ci-aks: Enable dual-stack in Conformance AKS (Backport MR #39377, Upstream MR #37704, @gandro)
gateway-api: Add translation tests for GAMMA (Backport MR #39221, Upstream MR #39207, @sayboras)
gh: e2e-upgrade: check for unexpected drops from connectivity tests (Backport MR #39214, Upstream MR #39111, @julianwiedmann)
gh: e2e-upgrade: generate config matrix from file (Backport MR #39058, Upstream MR #38512, @julianwiedmann)
gh: e2e-upgrade: minor log output improvements (Backport MR #39058, Upstream MR #38011, @julianwiedmann)
gh: use e2e-upgrade for IPsec minor upgrade testing (Backport MR #39058, Upstream MR #38757, @julianwiedmann)
gha: always respect the given image tag in the wait-for-images action (Backport MR #38141, Upstream MR #37901, @giorio94)
rate: Disable TestStressRateLimiter (Backport MR #38896, Upstream MR #38877, @YutaroHayakawa)

Misc Changes:

[v1.17] deps: bump CNI plugins version (#39329, @ferozsalam)
[v1.17] deps: bump golang-jwt to 4.5.2 (#39491, @ferozsalam)
Add the doc for multi-pool ipam about how to update the existing ip pool (Backport MR #38948, Upstream MR #38539, @liyihuang)
bpf: host: use MARK_MAGIC_EGW_DONE-embedded identity in to-netdev (Backport MR #38948, Upstream MR #38768, @julianwiedmann)
bpf: nat: ICMP v4 improvements (Backport MR #39332, Upstream MR #36767, @julianwiedmann)
bpf:hubble: update trace/drop notify for L2-less packets (Backport MR #39263, Upstream MR #37097, @smagnani96)
chore(deps): update all github action dependencies (v1.17) (#39183, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.17) (#39316, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.23.8 docker digest to 87bb940 (v1.17) (#38908, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.23.8 docker digest to e54daaa (v1.17) (#39046, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.2 docker digest to 30baaea (v1.17) (#39314, @cilium-renovate[bot])
chore(deps): update docker.io/library/ubuntu:24.04 docker digest to 6015f66 (v1.17) (#39379, @cilium-renovate[bot])
chore(deps): update go to v1.24.2 (v1.17) (#39113, @cilium-renovate[bot])
chore(deps): update go to v1.24.3 (v1.17) (#39380, @cilium-renovate[bot])
chore(deps): update google/cloud-sdk docker tag to v518 (v1.17) (#39048, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744328671-a8b58b35c03a3d100a2b026fc111417207183301 (v1.17) (#38909, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744798797-f7456c0c30336bbd437eff7743374370e415fc44 (v1.17) (#39047, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745916268-e485bbc0c95e30aa233cb06a753789375b12ad18 (v1.17) (#39226, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745971871-f98500f20b253684d483b783b29df2e4db05ea7c (v1.17) (#39248, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1746405645-719d708b1802ce417568d3eaae4c0677dd60e128 (v1.17) (#39324, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c (v1.17) (#39413, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#38911, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#38970, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#39182, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#39315, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.17) (patch) (#39475, @cilium-renovate[bot])
chore: remove retention-days param in build-images-releases.yaml (Backport MR #39435, Upstream MR #39431, @sekhar-isovalent)
cilium: Fix device controller's dependency on netfilter (Backport MR #38948, Upstream MR #38777, @borkmann)
cilium: Fix ipip device mtu (Backport MR #38948, Upstream MR #38682, @borkmann)
contrib/scripts: Fix IndexError in stacktrace script (Backport MR #39214, Upstream MR #39101, @christarazi)
contrib: Remove kind.sh dependency on git (Backport MR #39377, Upstream MR #39154, @joestringer)
docs: Add good kernel versions for the L7 policy IPv6 bug (Backport MR #39377, Upstream MR #39212, @gentoo-root)
docs: add warning about l7 policy and EnableDefaultDeny (Backport MR #39075, Upstream MR #38675, @squeed)
docs: Document L7 policy IPv6 bug (Backport MR #38948, Upstream MR #38591, @gentoo-root)
docs: Document that traffic to the VPC in ENI mode is not masqueraded (#39156, @liyihuang)
docs: Fix casing and formatting in L3 examples section (Backport MR #39377, Upstream MR #39065, @mikejoh)
docs: Fix variable naming in EKS-to-EKS Clustermesh guide (Backport MR #39075, Upstream MR #38821, @zzuckerfrei)
docs: The Installation on OpenShift OKD document has been updated to link to maintained operators for Cilium (Isovalent Enterprise for Cilium). This operator is validated on all current versions of OpenShift. (Backport MR #39377, Upstream MR #38886, @auriaave)
docs: Update hubble-metrics flag documentation (Backport MR #39075, Upstream MR #38960, @HadrienPatte)
Documentation : Modification of eks-clustermesh-prep.rst (Backport MR #39214, Upstream MR #39025, @rwinieski)
documentation: fix get deployment cmd (Backport MR #39214, Upstream MR #39155, @g0gn)
dynamiclifecycle: fix goroutine leak (Backport MR #39214, Upstream MR #39149, @squeed)
exclude the dummy device type when evaluating MTU, ensuring that local traffic does not interfere with MTU calculations. (Backport MR #39214, Upstream MR #38992, @liyihuang)
Fix LRU maps to streamline distributed LRU flag implementation with map prealloc handling (Backport MR #39214, Upstream MR #39087, @borkmann)
Fix map recreation loop when distributed lru setting is enabled (Backport MR #39075, Upstream MR #38978, @borkmann)
hubble:monitor: align TraceNotify to DropNotify (Backport MR #39264, Upstream MR #38830, @smagnani96)
ipsec: include ipv6 in v1.18 upgrade leak detection (#38843, @ldelossa)
k8s/resource: Don't Add to WaitGroup asynchronously (Backport MR #38948, Upstream MR #38692, @joamaki)
make: fix golangci-lint version detection (Backport MR #39075, Upstream MR #38996, @mhofstetter)
Throw build bug when using TRACE_{FROM,TO}_CRYPTO from unexpected files and cleanup unevaluated build_bug_on. (Backport MR #39260, Upstream MR #38470, @smagnani96)
workflows: fix lint-workflows (Backport MR #39403, Upstream MR #39398, @aanm)

Other Changes:

[v1.17] k8s/statedb: Fix buffering order of objects (#38585, @joamaki)
[v1.17] Stop TLS Interception config being included in preflight (#39481, @youngnick)
bpf,encrypt: fixes the placement of a particular vxlan helper function (#39088, @ldelossa)
install: Update image digests for v1.17.3 (#38933, @cilium-release-bot[bot])
v1.17: Update Go version to 1.24 in go.mod (#39128, @pchaigno)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a quay.io/cilium/cilium:stable@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.4@sha256:0b72f3046cf36ff9b113d53cc61185e893edb5fe728a2c9e561c1083f806453d quay.io/cilium/clustermesh-apiserver:stable@sha256:0b72f3046cf36ff9b113d53cc61185e893edb5fe728a2c9e561c1083f806453d

docker-plugin

quay.io/cilium/docker-plugin:v1.17.4@sha256:d2e1caaf9e6c7194ec20d8044cfd6b0d513cdfd1552e70f41070f3c25206eefa quay.io/cilium/docker-plugin:stable@sha256:d2e1caaf9e6c7194ec20d8044cfd6b0d513cdfd1552e70f41070f3c25206eefa

hubble-relay

quay.io/cilium/hubble-relay:v1.17.4@sha256:c16de12a64b8b56de62b15c1652d036253b40cd7fa643d7e1a404dc71dc66441 quay.io/cilium/hubble-relay:stable@sha256:c16de12a64b8b56de62b15c1652d036253b40cd7fa643d7e1a404dc71dc66441

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.4@sha256:eaa7b18b7cda65af1d454d54224d175fdb69a35199fa949ae7dfda2789c18dd6 quay.io/cilium/operator-alibabacloud:stable@sha256:eaa7b18b7cda65af1d454d54224d175fdb69a35199fa949ae7dfda2789c18dd6

operator-aws

quay.io/cilium/operator-aws:v1.17.4@sha256:3c31583e57648470fbf6646ac67122ac5896ce5f979ab824d9a38cfc7eafc753 quay.io/cilium/operator-aws:stable@sha256:3c31583e57648470fbf6646ac67122ac5896ce5f979ab824d9a38cfc7eafc753

operator-azure

quay.io/cilium/operator-azure:v1.17.4@sha256:d8d95049bfeab47cb1a3f995164e1ca2cdec8e6c7036c29799647999cdae07b1 quay.io/cilium/operator-azure:stable@sha256:d8d95049bfeab47cb1a3f995164e1ca2cdec8e6c7036c29799647999cdae07b1

operator-generic

quay.io/cilium/operator-generic:v1.17.4@sha256:a3906412f477b09904f46aac1bed28eb522bef7899ed7dd81c15f78b7aa1b9b5 quay.io/cilium/operator-generic:stable@sha256:a3906412f477b09904f46aac1bed28eb522bef7899ed7dd81c15f78b7aa1b9b5

operator

quay.io/cilium/operator:v1.17.4@sha256:d51d9f6958b23c48591e10194b62e217c1d3740cdfca1e293fd199d22db7f97f quay.io/cilium/operator:stable@sha256:d51d9f6958b23c48591e10194b62e217c1d3740cdfca1e293fd199d22db7f97f

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited Aug 15, 2025 by Renovate Bot

chore(deps): update helm release cilium to v1.18.1

Release Notes

v1.18.1: 1.18.1

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.18.0: 1.18.0

🚠 Networking

🌐 IPv6

🛡️ Policy & Observability

🌅 Performance

⚙️ Operations

🕸️ Service Mesh & Gateway API

🏷️ IP Address Management

🛣️ BGP

🧑‍💻 Development Experience

🏢 Community

📔 Full CHANGELOG

v1.17.7: 1.17.7

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.17.6: 1.17.6

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.17.5: 1.17.5

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.17.4: 1.17.4

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

Configuration

Merge request reports

`v1.18.1`: 1.18.1

`v1.18.0`: 1.18.0

`v1.17.7`: 1.17.7

`v1.17.6`: 1.17.6

`v1.17.5`: 1.17.5

`v1.17.4`: 1.17.4