feat(helm/cilium): update 1.15.11 ➼ 1.16.4

[tinfoild]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
cilium (source)	HelmChart	minor	1.15.11 -> 1.16.4

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

cilium/cilium (cilium)

v1.16.4: 1.16.4

Compare Source

Security Advisories

This release addresses GHSA-xg58-75qf-9r67.

Summary of Changes

Minor Changes:

• Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR #​35908, Upstream PR #​35809, @​jrajahalme)
• clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR #​35543, Upstream PR #​35349, @​giorio94)
• helm: Lower default hubble.tls.auto.certValidityDuration to 365 days (Backport PR #​35781, Upstream PR #​35630, @​chancez)
• helm: New socketLB.tracing flag (Backport PR #​35781, Upstream PR #​35747, @​pchaigno)
• hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR #​35781, Upstream PR #​35632, @​chancez)
• netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport PR #​35543, Upstream PR #​35306, @​jrife)

Bugfixes:

• Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR #​35468, Upstream PR #​35179, @​wedaly)
• bgpv1: fix reconciliation of services with shared VIPs (Backport PR #​35468, Upstream PR #​35333, @​rastislavs)
• bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR #​35863, Upstream PR #​35690, @​YutaroHayakawa)
• bgpv2: set local peering address when specified (Backport PR #​35781, Upstream PR #​35552, @​harsimran-pabla)
• Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport PR #​35603, Upstream PR #​35150, @​jrajahalme)
• Cilium's DNS proxy no longer gets stuck for a specific five-tuple if an timeout waiting for response error is encountered. (Backport PR #​35781, Upstream PR #​35589, @​bimmlerd)
• config: Remove superfluous warning on native routing CIDR (Backport PR #​35781, Upstream PR #​35738, @​gandro)
• Fix missing flowlabel hash on SRv6 traffic. (Backport PR #​35781, Upstream PR #​35498, @​akaliwod)
• Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR #​35543, Upstream PR #​35173, @​smagnani96)
• Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport PR #​35781, Upstream PR #​35673, @​giorio94)
• Fix redirect from L3 device to remote endpoint via overlay network. (Backport PR #​35468, Upstream PR #​35165, @​julianwiedmann)
• Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR #​35908, Upstream PR #​35694, @​julianwiedmann)
• Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport PR #​35781, Upstream PR #​35599, @​squeed)
• Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport PR #​35543, Upstream PR #​35293, @​squeed)
• Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport PR #​35906, Upstream PR #​35890, @​squeed)
• Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (#​35611, @​pippolo84)
• helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport PR #​35319, Upstream PR #​35301, @​hox)
• helm: fix duplicate configmap key for bpf-lb-sock-terminate-pod-connections (Backport PR #​35781, Upstream PR #​35703, @​solidDoWant)
• helm: set automountServiceAccountToken to false for hubble-relay sa (Backport PR #​35781, Upstream PR #​35674, @​ayuspin)
• hubble: fix endpoint cluster name (Backport PR #​35781, Upstream PR #​35415, @​kaworu)
• hubble: Lock exporters while gathering metrics (Backport PR #​35908, Upstream PR #​35860, @​joestringer)
• Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for them. (Backport PR #​35781, Upstream PR #​35143, @​jrajahalme)
• ipam: Validate CiliumNode resource in ENI mode (Backport PR #​35792, Upstream PR #​35784, @​sayboras)
• l7lb: fix registration of flag loadbalancer-l7 (Backport PR #​35781, Upstream PR #​35623, @​mhofstetter)
• Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport PR #​35319, Upstream PR #​35069, @​chancez)
• option: Reduce log level for WG strict mode + IPv6 (Backport PR #​35908, Upstream PR #​35763, @​pchaigno)
• Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (Backport PR #​35468, Upstream PR #​35381, @​jrajahalme)
• treewide: Add wrapper for netlink functions that may fail with ErrDumpInterrupted (Backport PR #​35654, Upstream PR #​35614, @​gandro)
• wireguard: Fix connectivity issues following node reboots. (Backport PR #​35908, Upstream PR #​35750, @​jrife)

CI Changes:

• .github/conformance-ginkgo: replace deprecated jq flag (Backport PR #​35468, Upstream PR #​35399, @​aanm)
• .github: extend timeout for tests-ipsec-upgrade workflow (Backport PR #​35781, Upstream PR #​35657, @​rastislavs)
• .github: remove libncurses5 from integration tests (Backport PR #​35468, Upstream PR #​35408, @​aanm)
• [v1.16] gh: e2e-upgrade: restart LRP backend pod after upgrade (#​35329, @​ysksuzuki)
• [v1.16] github: update rhel8 LVH image to rhel8.6 (#​35733, @​julianwiedmann)
• Additionally test KVStore mode in E2E/IPSec workflows (Backport PR #​35905, Upstream PR #​35679, @​giorio94)
• ci: conformance-kind: re-enable flaky Aggregator test (Backport PR #​35582, Upstream PR #​35286, @​julianwiedmann)
• ci: datapath-verifier: bump lvh images (Backport PR #​35648, Upstream PR #​35456, @​julianwiedmann)
• gha: Update chmod command (Backport PR #​35468, Upstream PR #​35400, @​sayboras)
• github: Pass the workflow step timeout to go test (Backport PR #​35908, Upstream PR #​35814, @​jrajahalme)
• Refactor and set a default for GH_RUNNER_EXTRA_POWER (Backport PR #​35319, Upstream PR #​35267, @​aanm)
• workflows/gateway-api: Cover IPsec with GatewayAPI (Backport PR #​35908, Upstream PR #​35584, @​pchaigno)
• workflows/ingress: Run basic checks (Backport PR #​35908, Upstream PR #​35683, @​pchaigno)
• workflows/ipsec: Cover Ingress (Backport PR #​35908, Upstream PR #​35476, @​pchaigno)
• workflows: Extend IPsec tests to cover egress gateway (Backport PR #​35540, Upstream PR #​35323, @​pchaigno)

Misc Changes:

• .github/build-images-base: checkout base branch to get scripts (Backport PR #​35319, Upstream PR #​35236, @​aanm)
• .github: remove retention days for image digests (Backport PR #​35468, Upstream PR #​35457, @​aanm)
• bpf: vxlan helper improvements (Backport PR #​35543, Upstream PR #​34755, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.16) (#​35382, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35439, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35573, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35710, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35438, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.16) (#​35730, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.8 docker digest to b274ff1 (v1.16) (#​35379, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.9 (v1.16) (#​35854, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729635771-fa4efeff33a344a45e14a4068c61dc438b3d2270 (v1.16) (#​35491, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​35731, @​cilium-renovate[bot])
• cilium, docs: Extend requirements for L7 proxy (Backport PR #​35781, Upstream PR #​35669, @​borkmann)
• cilium: add probe for netkit for more user friendly error when not supported (Backport PR #​35781, Upstream PR #​35551, @​borkmann)
• ctrl-runtime: lower severity of retryable reconcile errors (Backport PR #​35592, Upstream PR #​35364, @​giorio94)
• daemon: Reduce level of socket LB tracing warning (Backport PR #​35908, Upstream PR #​35798, @​pchaigno)
• datapath: move policy map value prefix length to flags (Backport PR #​35603, Upstream PR #​35534, @​jrajahalme)
• dnsproxy: fix error when sessionUDPFactory fails (Backport PR #​35543, Upstream PR #​33998, @​marseel)
• docs/ipsec: Remove KPR limitation (Backport PR #​35908, Upstream PR #​35743, @​pchaigno)
• docs/xfrm: Fix incorrect statement regarding XFRM IN policies (Backport PR #​35781, Upstream PR #​35626, @​pchaigno)
• docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (Backport PR #​35319, Upstream PR #​35288, @​oneumyvakin)
• docs: clean up stale kernel requirements (Backport PR #​35582, Upstream PR #​35575, @​julianwiedmann)
• docs: Fix incorrect link to RFC 4271 for BGP control plane timers. (Backport PR #​35781, Upstream PR #​35725, @​nvibert)
• docs: kpr: update error message regarding SocketLB tracing (Backport PR #​35468, Upstream PR #​35337, @​julianwiedmann)
• docs: tuning: XDP LB also supports tunnel routing (Backport PR #​35582, Upstream PR #​35574, @​julianwiedmann)
• docs: update 1.16 upgrade note for LRP (#​35944, @​ysksuzuki)
• docs: update default identity label filters (Backport PR #​35468, Upstream PR #​35422, @​marseel)
• docs: XFRM reference guide for IPsec development (Backport PR #​35582, Upstream PR #​35322, @​pchaigno)
• Envoy simplify listener setup (Backport PR #​35764, Upstream PR #​35642, @​jrajahalme)
• envoy: Configure internal_address_config to avoid warning log (Backport PR #​35471, Upstream PR #​35090, @​sayboras)
• envoy: Limit started serving logging to the typeURL of the stream (Backport PR #​35781, Upstream PR #​35736, @​jrajahalme)
• Fix wrongly spelled config option in error message (Backport PR #​35543, Upstream PR #​35390, @​baurmatt)
• helm: clarify text for serviceNoBackendResponse (Backport PR #​35908, Upstream PR #​35734, @​julianwiedmann)
• hubble: Add 'release' Make target (Backport PR #​35781, Upstream PR #​35561, @​michi-covalent)
• image: Use cilium-builder instead of golang as operator builder image (Backport PR #​35781, Upstream PR #​35351, @​learnitall)
• iptables: always warn about missing xt_socket module (Backport PR #​35781, Upstream PR #​35591, @​julianwiedmann)
• makefile: add target to install Cilium in kvstore mode (Backport PR #​35905, Upstream PR #​35646, @​giorio94)
• proxy: Ensure proxy ports are written on shutdown (Backport PR #​35908, Upstream PR #​35839, @​jrajahalme)
• Silence spurious clustermesh-related warnings (Backport PR #​35850, Upstream PR #​35867, @​giorio94)

Other Changes:

• [v1.16] envoy: Add configuration for OverloadManager (#​35787, @​sayboras)
• [v1.16] envoy: Bump envoy version from 1.29.x to 1.30.x (#​35563, @​sayboras)
• [v1.16] policy/correlation: Fix PolicyMatch{L3Proto,L4Only} case (#​35681, @​gandro)
• chore(deps): update cilium-envoy dependency (#​35920, @​sayboras)
• install: Update image digests for v1.16.3 (#​35361, @​cilium-release-bot[bot])
• Policy add deny rule test and benchmark (#​35714, @​jrajahalme)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.4@​sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
quay.io/cilium/cilium:stable@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.4@​sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2
quay.io/cilium/clustermesh-apiserver:stable@sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2

docker-plugin

quay.io/cilium/docker-plugin:v1.16.4@​sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e
quay.io/cilium/docker-plugin:stable@sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e

hubble-relay

quay.io/cilium/hubble-relay:v1.16.4@​sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
quay.io/cilium/hubble-relay:stable@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.4@​sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686
quay.io/cilium/operator-alibabacloud:stable@sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686

operator-aws

quay.io/cilium/operator-aws:v1.16.4@​sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be
quay.io/cilium/operator-aws:stable@sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be

operator-azure

quay.io/cilium/operator-azure:v1.16.4@​sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de
quay.io/cilium/operator-azure:stable@sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de

operator-generic

quay.io/cilium/operator-generic:v1.16.4@​sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
quay.io/cilium/operator-generic:stable@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5

operator

quay.io/cilium/operator:v1.16.4@​sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff
quay.io/cilium/operator:stable@sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff

v1.16.3: 1.16.3

Compare Source

Summary of Changes

Bugfixes:

• bgpv2: fix reconciliation of services with shared VIPs (Backport PR #​35274, Upstream PR #​35166, @​rastislavs)
• bgpv2: Fix service reconciliation logic to update service advertisement metadata only after successful reconciliation (Backport PR #​35036, Upstream PR #​34976, @​rastislavs)
• bpf: nat: recreate a NAT entry if the packet hits the stale entry (Backport PR #​35036, Upstream PR #​34913, @​ysksuzuki)
• bugtool: fix cilium-health command (Backport PR #​35274, Upstream PR #​35068, @​ayuspin)
• Fix a low-probability issue where the DNS proxy could occasionally drop DNS queries due to "duplicate request id" errors. (Backport PR #​35036, Upstream PR #​34941, @​bimmlerd)
• Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (Backport PR #​35036, Upstream PR #​34789, @​tommyp1ckles)
• Fix parameter check to forbid IPAM ENI with TUNNEL routing, and prevent agent segfault when also IPSec is enabled. (Backport PR #​34918, Upstream PR #​34651, @​smagnani96)
• Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (Backport PR #​35036, Upstream PR #​34783, @​dylandreimerink)
• Fixed bug in tracking policy changes that could have resulted in revert not woking in failure cases as expected. (Backport PR #​35274, Upstream PR #​35109, @​jrajahalme)
• Fixed bug where service id allocator would loop infinity when out of service ids (Backport PR #​35274, Upstream PR #​35033, @​WeeNews)
• Fixes startup fatal error when updating CiliumNode resource. (Backport PR #​34918, Upstream PR #​34862, @​harsimran-pabla)
• gateway-api: Align GRPCRoute matchers with GEP specification (Backport PR #​35274, Upstream PR #​34808, @​cfsnyder)
• helm template function no longer errors when using k8sServiceHost: auto (Backport PR #​35274, Upstream PR #​35186, @​kreeuwijk)
• hubble: add printer for lost events (Backport PR #​35274, Upstream PR #​35208, @​aanm)
• ipcache: Yet another refcounting fix with mix of APIs (Backport PR #​35036, Upstream PR #​34715, @​gandro)
• netkit: Allow ARP packets through when using host firewall. (Backport PR #​35274, Upstream PR #​35070, @​jrife)
• wireguard: Fix issue where updates to a WireGuard device's configuration caused connectivity blips. (Backport PR #​35115, Upstream PR #​34612, @​jrife)

CI Changes:

• .github/lint-build-commits: fix workflow for push events (Backport PR #​35274, Upstream PR #​35264, @​aanm)
• .github: create cache directories on cache miss (Backport PR #​35157, Upstream PR #​35088, @​aanm)
• .github: do not push floating tag from PRs (Backport PR #​35230, Upstream PR #​35227, @​aanm)
• .github: install golang action after checkout (Backport PR #​35157, Upstream PR #​34843, @​aanm)
• .github: re-enable configurations in e2e-upgrade (Backport PR #​35157, Upstream PR #​34800, @​aanm)
• .github: specify cache-dependency-path in lint-workflows (Backport PR #​35157, Upstream PR #​34845, @​aanm)
• [1.16] test: Skip envoy internal_address_config warning log (#​35053, @​pippolo84)
• [v1.16] gha: fix incorrect go version in lint-build-commits workflow (#​35312, @​giorio94)
• ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport PR #​34918, Upstream PR #​34820, @​aanm)
• fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport PR #​34918, Upstream PR #​34902, @​Artyop)
• servicemesh, ci: run internal to NodePort test (Backport PR #​35274, Upstream PR #​35177, @​marseel)

Misc Changes:

• .github: add cache to cilium-cli and hubble-cli build workflows (Backport PR #​35157, Upstream PR #​34847, @​aanm)
• .github: clean up disk for lint-build workflow (Backport PR #​35157, Upstream PR #​35141, @​aanm)
• .github: fix build image process to commit changes (Backport PR #​35274, Upstream PR #​35262, @​aanm)
• .github: fix lvh-kind warnings (Backport PR #​35157, Upstream PR #​34811, @​aanm)
• .github: fix runtime image digests (Backport PR #​35274, Upstream PR #​35107, @​aanm)
• .github: push floating tag for push events for stable branches (#​35235, @​aanm)
• [v1.16] .github: do not update github runners for bpf workflows (#​35106, @​aanm)
• [v1.16] manually update dependency cilium/cilium-cli to v0.16.19 (v1.16) (#​35310, @​julianwiedmann)
• bgpv2/docs: add ebgp multihop documentation (Backport PR #​35036, Upstream PR #​34951, @​harsimran-pabla)
• bgpv2: cleanup service reconciliation logic (Backport PR #​35036, Upstream PR #​34959, @​rastislavs)
• Change GH runners to GH's default (Backport PR #​35157, Upstream PR #​33451, @​aanm)
• chore(deps): update all github action dependencies (v1.16) (#​35025, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35082, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35250, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35005, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35283, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.16) (#​34999, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.7 docker digest to ddad330 (v1.16) (#​35101, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.8 (v1.16) (#​35201, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727741018-e3a7412f65722ebbe34254b3582b89d315765d0d (v1.16) (#​35137, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.16) (#​35218, @​cilium-renovate[bot])
• cilium-cli: Show config.cilium.io annotations on configmap (Backport PR #​35155, Upstream PR #​35020, @​joamaki)
• docs: Add known issue for netkit endpoint route issues (Backport PR #​35274, Upstream PR #​35126, @​jrife)
• docs: fix EKS Kubernetes compatibility link (Backport PR #​35036, Upstream PR #​34922, @​fjvela)
• docs: Improve warning on insecure global IPsec keys (Backport PR #​34918, Upstream PR #​34846, @​pchaigno)
• docs: move sig-policy to second Tuesday of the month (Backport PR #​35115, Upstream PR #​35040, @​squeed)
• fix: Assign PodStore from Pod resource until cell migration is completed (Backport PR #​35274, Upstream PR #​34090, @​dlapcevic)
• helm: add client auth to hubble server certificate (Backport PR #​35036, Upstream PR #​34934, @​kaworu)
• helm: set key usages for hubble certificates with cert-manager (Backport PR #​35036, Upstream PR #​34946, @​kaworu)
• Improve speed on lint commits GH workflow (Backport PR #​35157, Upstream PR #​34848, @​aanm)
• install/kubernetes: fix Operator's clusterrole for pods deletion (Backport PR #​35274, Upstream PR #​35193, @​aanm)
• Re-write GitHub cache usages across workflows (Backport PR #​35157, Upstream PR #​34866, @​aanm)
• Remove conformance-e2e tests (Backport PR #​35157, Upstream PR #​34742, @​aanm)

Other Changes:

• [v1.16] Add missing test coverage in v1.16 branch (#​35223, @​aanm)
• [v1.16] author backport: fix ENABLE_LOCAL_REDIRECT_POLICY (#​35129, @​ysksuzuki)
• [v1.16] author backport: LRP fixes (#​35072, @​ysksuzuki)
• [v1.16] ginkgo: disable test for deprecated annotations-based L7 visibility (#​35160, @​tklauser)
• [v1.16] test/k8s: replace L7 visibility Pod annotations by L7 visibility policy (#​35151, @​tklauser)
• install: Update image digests for v1.16.2 (#​35052, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.3@​sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
quay.io/cilium/cilium:stable@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.3@​sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb
quay.io/cilium/clustermesh-apiserver:stable@sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb

docker-plugin

quay.io/cilium/docker-plugin:v1.16.3@​sha256:87af6722fdf73cd98123635108f1507d2c982aad82b89906a2925dc4e251acae
quay.io/cilium/docker-plugin:stable@sha256:87af6722fdf73cd98123635108f1507d2c982aad82b89906a2925dc4e251acae

hubble-relay

quay.io/cilium/hubble-relay:v1.16.3@​sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089
quay.io/cilium/hubble-relay:stable@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.3@​sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898
quay.io/cilium/operator-alibabacloud:stable@sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898

operator-aws

quay.io/cilium/operator-aws:v1.16.3@​sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916
quay.io/cilium/operator-aws:stable@sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916

operator-azure

quay.io/cilium/operator-azure:v1.16.3@​sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542
quay.io/cilium/operator-azure:stable@sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542

operator-generic

quay.io/cilium/operator-generic:v1.16.3@​sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
quay.io/cilium/operator-generic:stable@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b

operator

quay.io/cilium/operator:v1.16.3@​sha256:11219d0027c7ab5fb5ac531d4456b570b51f0d871c52c69e5e70c164bb38af0f
quay.io/cilium/operator:stable@sha256:11219d0027c7ab5fb5ac531d4456b570b51f0d871c52c69e5e70c164bb38af0f

v1.16.2: 1.16.2

Compare Source

We are happy to release Cilium v1.16.2!

This release brings us improved validation for updating from v1.15, fixed panics, race conditions and deadlocks, CI fixes and many many more changes!

Check out the summary below for details.

Summary of Changes

Minor Changes:

• Add validation to prevent users from using deprecated values that have been removed in v1.15 and v1.16 (Backport PR #​34452, Upstream PR #​34229, @​chancez)
• bgpv2: update status field of CiliumBGPNodeConfig CRD (Backport PR #​34580, Upstream PR #​33411, @​harsimran-pabla)
• docs: Update examples for CNP L7 Host (Backport PR #​34644, Upstream PR #​34578, @​sayboras)
• egressgw: drop traffic when gateway node is not configured for policy (Backport PR #​34452, Upstream PR #​33625, @​julianwiedmann)

Bugfixes:

• add support for validation of stringToString values in ConfigMap (Backport PR #​34586, Upstream PR #​34279, @​alex-berger)
• bgpv2: correct service reconciler initialization (Backport PR #​34452, Upstream PR #​34415, @​harsimran-pabla)
• bgpv2: fix cilium-dbg bgp filtering by ASN & route-policy dump format (Backport PR #​34452, Upstream PR #​34335, @​rastislavs)
• bpf: Fix Prune map operation leaking BPF map entries (Backport PR #​34586, Upstream PR #​34476, @​gandro)
• config: fix disabling config 'Debug' (Backport PR #​34469, Upstream PR #​34401, @​mhofstetter)
• daemon: Create IPsec and LRP maps early on startup (Backport PR #​34452, Upstream PR #​34388, @​pchaigno)
• daemon: Fix error logic flow for pod store being out of date (Backport PR #​34586, Upstream PR #​34389, @​christarazi)
• envoy: fix log level mapping when changing log level via API (Backport PR #​34452, Upstream PR #​34400, @​mhofstetter)
• Fix "invalid sysctl parameter" error when Cilium needs to modify a sysctl with capital letters in its name. (Backport PR #​34586, Upstream PR #​34298, @​julianwiedmann)
• Fix a bug in Cilium's kube-proxy replacement, where replies by a local backend are dropped with DROP_NO_FIB. (Backport PR #​34452, Upstream PR #​34303, @​julianwiedmann)
• Fix a race condition that would cause errors related to maps LB{4,6}_SKIP_MAP when loading programs. (Backport PR #​34586, Upstream PR #​34453, @​pchaigno)
• Fix agent panic when IPsec is enabled but XFRM stats are not exposed by the kernel. (Backport PR #​34831, Upstream PR #​34647, @​chaunceyjiang)
• Fix issue where a hostport service would be created on an incorrect node when cilium-agent is configured with disable-endpoint-crd (Backport PR #​34644, Upstream PR #​34385, @​haozhangami)
• Fix operator deployment connecting to clustermesh kvstoremesh when endpointslice sync or MCS-API Service exports is enabled (Backport PR #​34586, Upstream PR #​34295, @​MrFreezeex)
• Fix parsing of complex api-rate-limit options. The parsing failed when rate limits were configured for multiple API endpoints with multiple options, for example: "endpoint-create=rate-limit:1/s,rate-burst=1,endpoint-delete=rate-limit:2/s,rate-burst=2". The ability to also specify the rate limits as JSON strings was also returned. (Backport PR #​34586, Upstream PR #​34249, @​joamaki)
• Fix possible connection disruption on agent restart with WireGuard + native routing (Backport PR #​34831, Upstream PR #​34095, @​giorio94)
• Fix possible panic occurring in case errors are returned while updating/deleting IPv6 routes (Backport PR #​34831, Upstream PR #​34721, @​giorio94)
• Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (Backport PR #​34831, Upstream PR #​34775, @​julianwiedmann)
• Fixes broken pod-to-remote-hostport connectivity when IPsec is used with L7 ingress policy and KPR. (Backport PR #​34586, Upstream PR #​33805, @​jschwinger233)
• Fixes deadlock in identity watcher. This fixes an issue where a kvstore disconnect can cause the event r

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[cloudflare-workers-and-pages]

Deploying jjgadgets-biohazard with    Cloudflare Pages

Latest commit:	9f77f40
Status:	✅  Deploy successful!
Preview URL:	https://7923c1da.jjgadgets-biohazard.pages.dev
Branch Preview URL:	https://renovate-cilium.jjgadgets-biohazard.pages.dev

View logs

[tinfoild]

--- kube/deploy/core/_networking/cilium/app Kustomization: flux-system/1-core-1-networking-cilium-app HelmRelease: kube-system/cilium

+++ kube/deploy/core/_networking/cilium/app Kustomization: flux-system/1-core-1-networking-cilium-app HelmRelease: kube-system/cilium

@@ -16,13 +16,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium-charts
         namespace: flux-system
-      version: 1.15.11
+      version: 1.16.4
   interval: 5m
   timeout: 1h
   values:
     bgpControlPlane:
       enabled: true
     dashboards:

[tinfoild]

--- HelmRelease: kube-system/cilium ServiceAccount: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium ServiceAccount: kube-system/hubble-relay

@@ -1,7 +1,8 @@

 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: hubble-relay
   namespace: kube-system
+automountServiceAccountToken: false
 
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

@@ -4703,27 +4703,27 @@

           ],
           "spaceLength": 10,
           "stack": false,
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(cilium_policy_l7_denied_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m]))",
+              "expr": "sum(rate(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"denied\"}[1m]))",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "denied",
               "refId": "A"
             },
             {
-              "expr": "sum(rate(cilium_policy_l7_forwarded_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m]))",
+              "expr": "sum(rate(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"forwarded\"}[1m]))",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "forwarded",
               "refId": "B"
             },
             {
-              "expr": "sum(rate(cilium_policy_l7_received_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m]))",
+              "expr": "sum(rate(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"received\"}[1m]))",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "received",
               "refId": "C"
             }
           ],
@@ -4869,13 +4869,13 @@

           }
         },
         {
           "aliasColors": {
             "Max per node processingTime": "#e24d42",
             "Max per node upstreamTime": "#58140c",
-            "avg(cilium_policy_l7_parse_errors_total{pod=~\"cilium.*\"})": "#bf1b00",
+            "avg(cilium_policy_l7_total{pod=~\"cilium.*\", rule=\"parse_errors\"})": "#bf1b00",
             "parse errors": "#bf1b00"
           },
           "bars": true,
           "dashLength": 10,
           "dashes": false,
           "datasource": {
@@ -4928,13 +4928,13 @@

             },
             {
               "alias": "Max per node upstreamTime",
               "yaxis": 2
             },
             {
-              "alias": "avg(cilium_policy_l7_parse_errors_total{pod=~\"cilium.*\"})",
+              "alias": "avg(cilium_policy_l7_total{pod=~\"cilium.*\", rule=\"parse_errors\"})",
               "yaxis": 2
             },
             {
               "alias": "parse errors",
               "yaxis": 2
             }
@@ -4949,13 +4949,13 @@

               "interval": "",
               "intervalFactor": 1,
               "legendFormat": "{{scope}}",
               "refId": "A"
             },
             {
-              "expr": "avg(cilium_policy_l7_parse_errors_total{k8s_app=\"cilium\", pod=~\"$pod\"}) by (pod)",
+              "expr": "avg(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"parse_errors\"}) by (pod)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "parse errors",
               "refId": "B"
             }
           ],
@@ -5307,13 +5307,13 @@

               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Max {{scope}}",
               "refId": "B"
             },
             {
-              "expr": "max(rate(cilium_policy_l7_parse_errors_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m])) by (pod)",
+              "expr": "max(rate(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"parse_errors\"}[1m])) by (pod)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "parse errors",
               "refId": "A"
             }
           ],
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -7,13 +7,12 @@

 data:
   identity-allocation-mode: crd
   identity-heartbeat-timeout: 30m0s
   identity-gc-interval: 15m0s
   cilium-endpoint-gc-interval: 5m0s
   nodes-gc-interval: 5m0s
-  skip-cnp-status-startup-clean: 'false'
   debug: 'false'
   debug-verbose: ''
   enable-policy: default
   policy-cidr-match-mode: ''
   prometheus-serve-addr: :9962
   controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
@@ -29,52 +28,62 @@

   monitor-aggregation-flags: all
   bpf-map-dynamic-size-ratio: '0.0025'
   enable-host-legacy-routing: 'true'
   bpf-policy-map-max: '40960'
   bpf-lb-map-max: '65536'
   bpf-lb-external-clusterip: 'false'
+  bpf-events-drop-enabled: 'true'
+  bpf-events-policy-verdict-enabled: 'true'
+  bpf-events-trace-enabled: 'true'
   preallocate-bpf-maps: 'false'
-  sidecar-istio-proxy-image: cilium/istio_proxy
   cluster-name: biohazard
   cluster-id: '1'
   routing-mode: native
   service-no-backend-response: reject
   enable-l7-proxy: 'true'
   enable-ipv4-masquerade: 'true'
   enable-ipv4-big-tcp: 'false'
   enable-ipv6-big-tcp: 'false'
   enable-ipv6-masquerade: 'true'
+  enable-tcx: 'false'
+  datapath-mode: veth
   enable-bpf-masquerade: 'false'
   enable-masquerade-to-route-source: 'false'
   enable-xt-socket-fallback: 'true'
   install-no-conntrack-iptables-rules: 'false'
   auto-direct-node-routes: 'true'
+  direct-routing-skip-unreachable: 'false'
   enable-local-redirect-policy: 'false'
   devices: br0
+  enable-runtime-device-detection: 'true'
   kube-proxy-replacement: 'true'
   kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
   bpf-lb-sock: 'false'
+  bpf-lb-sock-terminate-pod-connections: 'false'
+  nodeport-addresses: ''
   enable-health-check-nodeport: 'true'
   enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-mode: dsr
   bpf-lb-algorithm: maglev
   bpf-lb-acceleration: disabled
   enable-svc-source-range-check: 'true'
   enable-l2-neigh-discovery: 'true'
   arping-refresh-period: 30s
+  k8s-require-ipv4-pod-cidr: 'false'
+  k8s-require-ipv6-pod-cidr: 'false'
   enable-endpoint-routes: 'true'
   enable-k8s-networkpolicy: 'true'
   write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
   cni-exclusive: 'false'
   cni-log-file: /var/run/cilium/cilium-cni.log
   enable-endpoint-health-checking: 'true'
   enable-health-checking: 'true'
   enable-well-known-identities: 'false'
-  enable-remote-node-identity: 'true'
+  enable-node-selector-labels: 'false'
   synchronize-k8s-nodes: 'true'
   operator-api-serve-addr: 127.0.0.1:9234
   enable-hubble: 'true'
   hubble-socket-path: /var/run/cilium/hubble.sock
   hubble-export-file-max-size-mb: '10'
   hubble-export-file-max-backups: '5'
@@ -117,12 +126,19 @@

   mesh-auth-queue-size: '1024'
   mesh-auth-rotated-identities-queue-size: '1024'
   mesh-auth-gc-interval: 5m0s
   proxy-xff-num-trusted-hops-ingress: '0'
   proxy-xff-num-trusted-hops-egress: '0'
   proxy-connect-timeout: '2'
+  proxy-initial-fetch-timeout: '30'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
   proxy-idle-timeout-seconds: '60'
   external-envoy-proxy: 'true'
+  envoy-base-id: '0'
+  envoy-keep-cap-netbindservice: 'false'
   max-connected-clusters: '255'
+  clustermesh-enable-endpoint-sync: 'false'
+  clustermesh-enable-mcs-api: 'false'
+  nat-map-stats-entries: '32'
+  nat-map-stats-interval: 30s
 
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config

@@ -262,12 +262,13 @@

             }
           }
         ]
       },
       "dynamicResources": {
         "ldsConfig": {
+          "initialFetchTimeout": "30s",
           "apiConfigSource": {
             "apiType": "GRPC",
             "transportApiVersion": "V3",
             "grpcServices": [
               {
                 "envoyGrpc": {
@@ -277,12 +278,13 @@

             ],
             "setNodeOnFirstMessageOnly": true
           },
           "resourceApiVersion": "V3"
         },
         "cdsConfig": {
+          "initialFetchTimeout": "30s",
           "apiConfigSource": {
             "apiType": "GRPC",
             "transportApiVersion": "V3",
             "grpcServices": [
               {
                 "envoyGrpc": {
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-relay-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-relay-config

@@ -6,9 +6,9 @@

   namespace: kube-system
 data:
   config.yaml: "cluster-name: biohazard\npeer-service: \"hubble-peer.kube-system.svc.cluster.local:443\"\
     \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\
     \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file:\
     \ /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key\n\
-    tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\ndisable-server-tls:\
-    \ true\n"
+    tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\n\
+    disable-server-tls: true\n"
 
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium

@@ -96,14 +96,12 @@

   verbs:
   - get
   - update
 - apiGroups:
   - cilium.io
   resources:
-  - ciliumnetworkpolicies/status
-  - ciliumclusterwidenetworkpolicies/status
   - ciliumendpoints/status
   - ciliumendpoints
   - ciliuml2announcementpolicies/status
   - ciliumbgpnodeconfigs/status
   verbs:
   - patch
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

@@ -12,12 +12,20 @@

   - pods
   verbs:
   - get
   - list
   - watch
   - delete
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  resourceNames:
+  - cilium-config
+  verbs:
+  - patch
 - apiGroups:
   - ''
   resources:
   - nodes
   verbs:
   - list
@@ -170,12 +178,13 @@

   - ciliumpodippools.cilium.io
 - apiGroups:
   - cilium.io
   resources:
   - ciliumloadbalancerippools
   - ciliumpodippools
+  - ciliumbgppeeringpolicies
   - ciliumbgpclusterconfigs
   - ciliumbgpnodeconfigoverrides
   verbs:
   - get
   - list
   - watch
--- HelmRelease: kube-system/cilium Service: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Service: kube-system/hubble-relay

@@ -12,8 +12,8 @@

   type: ClusterIP
   selector:
     k8s-app: hubble-relay
   ports:
   - protocol: TCP
     port: 80
-    targetPort: 4245
+    targetPort: grpc
 
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,24 +16,24 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 97084497dc3b16b34679bc574bddb614554de20d8a727fc15af93f42f441d43f
+        cilium.io/cilium-configmap-checksum: d13e9d9852cd9e0ab51b76165bb636d44e8adef2852e3c384a500fa884e59a48
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.15.11@sha256:4444c963c586dd29c9219f4f984b87b7d6f7ee5c0ce650b442111a6ab602b00f
+        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -193,13 +193,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.15.11@sha256:4444c963c586dd29c9219f4f984b87b7d6f7ee5c0ce650b442111a6ab602b00f
+        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -218,13 +218,13 @@

           value: '7445'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.15.11@sha256:4444c963c586dd29c9219f4f984b87b7d6f7ee5c0ce650b442111a6ab602b00f
+        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -248,13 +248,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.15.11@sha256:4444c963c586dd29c9219f4f984b87b7d6f7ee5c0ce650b442111a6ab602b00f
+        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -264,13 +264,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.15.11@sha256:4444c963c586dd29c9219f4f984b87b7d6f7ee5c0ce650b442111a6ab602b00f
+        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -312,13 +312,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.15.11@sha256:4444c963c586dd29c9219f4f984b87b7d6f7ee5c0ce650b442111a6ab602b00f
+        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
@@ -403,12 +403,22 @@

               - key: tls.key
                 path: common-etcd-client.key
               - key: tls.crt
                 path: common-etcd-client.crt
               - key: ca.crt
                 path: common-etcd-client-ca.crt
+          - secret:
+              name: clustermesh-apiserver-local-cert
+              optional: true
+              items:
+              - key: tls.key
+                path: local-etcd-client.key
+              - key: tls.crt
+                path: local-etcd-client.crt
+              - key: ca.crt
+                path: local-etcd-client-ca.crt
       - name: host-proc-sys-net
         hostPath:
           path: /proc/sys/net
           type: Directory
       - name: host-proc-sys-kernel
         hostPath:
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

@@ -33,12 +33,13 @@

       - name: cilium-envoy
         image: quay.io/cilium/cilium-envoy:v1.30.7-1731393961-97edc2815e2c6a174d3d12e71731d54f5d32ea16@sha256:0287b36f70cfbdf54f894160082f4f94d1ee1fb10389f3a95baa6c8e448586ed
         imagePullPolicy: IfNotPresent
         command:
         - /usr/bin/cilium-envoy-starter
         args:
+        - --
         - -c /var/run/cilium/envoy/bootstrap-config.json
         - --base-id 0
         - --log-level info
         - --log-format [%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v
         startupProbe:
           httpGet:
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,24 +20,24 @@

       maxSurge: 25%
       maxUnavailable: 50%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 97084497dc3b16b34679bc574bddb614554de20d8a727fc15af93f42f441d43f
+        cilium.io/cilium-configmap-checksum: d13e9d9852cd9e0ab51b76165bb636d44e8adef2852e3c384a500fa884e59a48
         prometheus.io/port: '9963'
         prometheus.io/scrape: 'true'
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.15.11@sha256:8edf16ce4bc5c02457136cf0e7a58adf396f0880d6192ca0666f116f53f4979d
+        image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -17,13 +17,13 @@

     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/hubble-relay-configmap-checksum: 786769b6b0f34ebdf3576f42e351f4bd27a8716273290b35fcc034b5f3c63541
+        cilium.io/hubble-relay-configmap-checksum: f18d283e3ced5dd280579a24600ca22a98b825420dc58ad772a9ee1fb959fd5b
       labels:
         k8s-app: hubble-relay
         app.kubernetes.io/name: hubble-relay
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.15.11@sha256:d352d3860707e8d734a0b185ff69e30b3ffd630a7ec06ba6a4402bed64b4456c
+        image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports: