feat(helm): update chart cilium to 1.15.0

[renovate]

This PR contains the following updates:

Package	Update	Change	OpenSSF
cilium (source)	minor	1.14.6 -> 1.15.0

---

Release Notes

cilium/cilium (cilium)

v1.15.0: 1.15.0

Compare Source

Changelog

The Cilium core team are excited to announce the Cilium 1.15 release. 🎉

Summary of Changes

Major Changes:

• Add dynamic flowlog exporters configured by yaml file (configmap) without a need of agent restart. (#​28873, @​marqc)
• Add support for extending ClusterMesh to 511 clusters
  By setting the flag --max-connected-clusters=511, a new cluster will be able to connect to a ClusterMesh with up to 511 clusters. If enabled, the number of possible cluster-local identities will be reduced to 32,768. This feature can only be enabled on new clusters, and all clusters in the ClusterMesh must share the same configuration. (#​27520, @​thorn3r)
• Add support for Gateway API v1.0 (#​28836, @​sayboras)
• Add support for k8s 1.28 (#​27361, @​aanm)
• Allow selecting nodes by CIDR policy (#​27464, @​squeed)
• bgpv1: Add bgp/routes API endpoint and cilium bgp routes CLI command (#​27182, @​rastislavs)
• gateway-api: Support GRPCRoute resource (#​28654, @​sayboras)
• k8s: add support for k8s 1.29.0 (#​29473, @​aanm)
• Module Health: Node Manager: First Iteration (#​25994, @​tommyp1ckles)
• Support BGP passwords in the Go BGP implementation. (#​23759, @​dgl)

Minor Changes:

• *_kvstore_operations_duration_seconds metrics do not include client-side rate-limiting latency anymore. (#​27396, @​marseel)
• io.cilium.podippool.namespace: <CiliumPodIPPool_NAMESPACE> and io.cilium.podippool.name: <CiliumPodIPPool_NAME> selectors can be specified for a PodIPPoolSelector of a CiliumBGPPeeringPolicy to select a CiliumPodIPPool by namespaced name instead of labels. (#​28314, @​danehans)
• Add cilium bpf auth flush command for debugging purposes (#​27216, @​meyskens)
• Add an option to Cilium to set the persistent keepalive for cilium_wg0 (#​27932, @​chaunceyjiang)
• Add an option to specify a filters and field mask for hubble-exporter (#​26379, @​AwesomePatrol)
• Add documentation of Hubble exporter - an option to save Hubble flows to a file (#​27610, @​AwesomePatrol)
• Add flows per second information to Hubble status (#​28205, @​glrf)
• Add Hubble Grafana dashboards: Network and DNS overview (#​27751, @​lambdanis)
• add Ingress controller proxy protocol support (#​28194, @​zetaab)
• Add lbipam support for shared ips (#​28806, @​usiegl00)
• Add option to pass api-rate-limit via Helm values (#​28239, @​ungureanuvladvictor)
• Add option to redact http headers (#​26724, @​ChrsMark)
• Add per-controller success/failure count metrics and a config option for these (#​26850, @​asauber)
• Add Prometheus map pressure metrics for NAT maps (#​27001, @​derailed)
• Add securityContext for spire pod in helm chart (#​27363, @​ishuar)
• Add source and destination workload_kind context labels (Hubble). (#​27350, @​marqc)
• Add strict mode for WireGuard Pod2Pod encryption (#​21856, @​3u13r)
• Add support for filtering on HTTP URLs in Hubble (#​28275, @​glrf)
• Added cilium_kvstoremesh_kvstore_sync_errors_counter, cilium_clustermesh_apiserver_kvstore_sync_errors_counter and kvstore_sync_errors_counter metrics that capture data synchronization errors to kvstore. (#​28419, @​marseel)
• Added hubble_relay_pool_peer_connection_status metric for measuring the connection status of all peers. Metric keeps track of number of peers for each possible connectiion status. (#​28217, @​siwiutki)
• Added new ingress.cilium.io/ssl-passthrough annotation for Ingress objects (#​28751, @​youngnick)
• Added the EnableHealthCheckLoadBalancerIP flag to address health checks on LoadBalancerIP in Google Cloud Platform using KubeProxyReplacement. (#​26728, @​nberlee)
• Adds "best-effort" mode for XDP to skip interfaces without driver support (#​28666, @​poblahblahblah)
• Adds optional configurable jobLabel to cilium-agent, cilium-operator, and hubble serviceMonitors (#​28125, @​rbankston)
• Adds the CiliumPodIPPool selector type to BGP CP AdvertisedPathAttributes to match CiliumPodIPPool custom resources. Path attributes apply to routes announced for selected CiliumPodIPPools. (#​28310, @​danehans)
• Allow case-insensitive name for CNI chaining mode (#​28050, @​asauber)
• api, cli: Show srv6 status in cilium status (#​28700, @​husnialhamdani)
• api/cli: Encryption status now includes rendering IPsec status in JSON. (Backport PR #​30529, Upstream PR #​30167, @​viktor-kurchenko)
• api: Add extensions field to observer.GetFlowsRequest and flow.Flows types (#​27577, @​chancez)
• Augments cilium status CLI to report on agent modules health status. (#​25714, @​derailed)
• Auth map garbage collection will trigger if last local endpoint of a security identity was removed (#​27697, @​meyskens)
• bgpv1: Add cilium-dbg bgp route-policies command & include it in the bugtool (#​28973, @​rastislavs)
• bgpv1: Enable cilium-dbg bgp routes advertised command without specifying a peer (Backport PR #​30230, Upstream PR #​30033, @​rastislavs)
• BGPv1: Set R-bit in graceful restart capability negotiation. (#​28293, @​ArsenyBelorukov)
• bgpv1: Use kube-system namespace by default for MD5 secret (#​29478, @​YutaroHayakawa)
• bpf: allow overriding Makefile variables (#​27492, @​lmb)
• bpf: compile test ENABLE_EGRESS_GATEWAY_COMMON (#​27515, @​lmb)
• bpf: gate egressgw datapath on separate defines (#​27189, @​lmb)
• bpf: static data: use inline asm to access static data (#​27589, @​ti-mo)
• bpgv1: move the internal BGP signaler to a cell and allow other cells to depend on it. (#​26745, @​ldelossa)
• can create the directory for the customized cni conf and remove the cni conf file in cleanup command (#​27933, @​sofat1989)
• Change the Helm values configuration for SPIRE to match other images in the Helm charts (#​27621, @​weizhoublue)
• cilium ingress should have an option to set the number of trusted loadbalancer hops (#​27952, @​chaunceyjiang)
• cilium-agent: Remove the obsolete --bpf-lb-dev-ip-addr-inherit option (Backport PR #​30264, Upstream PR #​29963, @​joamaki)
• cilium-dbg: Add statedb query support and commands to inspect statedb tables devices, routes and l2-announce. (#​28872, @​joamaki)
• Cilium-operator and clustermesh's kvstore metrics are now enabled by default in Helm. (#​27653, @​marseel)
• cilium/cmd: make output of 'cilium policy selectors' sorted. (#​27803, @​tommyp1ckles)
• cilium: export intermediate cobra.Commands (#​26265, @​lmb)
• cilium: use absolute path to include Makefile.defs (#​27054, @​lmb)
• CiliumL2AnnouncementPolicy will only select Services that do not specify a LoadBalancerClass or specify a LoadBalancerClass of "io.cilium/l2-announcer". (#​27976, @​danehans)
• cli: Update cilium policy import to allow policy replacement by label (#​27103, @​deverton-godaddy)
• clustermesh-apiserver deployment support lifecycle and terminationGracePeriodSeconds. (#​26945, @​acgs771126)
• cmd/watchdogs: add health reporter to watchdog controller. (#​29038, @​tommyp1ckles)
• cmd: Disable local node routes when endpoint routes are enabled (#​28324, @​gandro)
• Config option to customize the default IP Pool when using MultiPool (#​28818, @​chaunceyjiang)
• Correlate flows with CiliumNetworkPolicies (#​27854, @​chancez)
• daemon: Do not require native routing CIDR if ipmasq-agent is enabled (#​27747, @​gandro)
• daemon: don't wait for presence of unused CiliumNodeConfig CRD (#​27684, @​akhilles)
• daemon: The option "EnableRemoteNodeIdentity" is now deprecated and will be removed from the v1.16 release. (#​28300, @​nathanjsweet)
• Default client-go QPS and burst in agent and operator have been increased to 10 and 20 respectively for k8s versions 1.27+ (#​29445, @​marseel)
• Delete auth map entries for removed Security IDs in SPIRE (#​27663, @​meyskens)
• Deprecated helm options enableK8sEventHandover/enableCnpStatusUpdates were removed.
  Corresponding flag "enable-k8s-event-handover" in Agent and "cnp-status-update-interval" in operator were removed. (#​29395, @​marseel)
• docs, cilium: Remove cilium endpoint regenerate command (#​27326, @​christarazi)
• docs: remove annotations-based l7 visibility (#​28449, @​networkop)
• Don't automatically infer ClusterID and ClusterName for external workloads. (#​27886, @​giorio94)
• egressgw: inject datapath config via hive (#​27414, @​lmb)
• EgressGW: interface selection is now done with BPF, using --install-egress-gateway-routes is no longer needed. (#​26215, @​jibi)
• egressgw: refactor check for conflicting egress IPs (#​27491, @​lmb)
• egressgw: reject config with CiliumEndpointSlice (#​27984, @​julianwiedmann)
• egressgw: tidy up Config handling (#​27221, @​lmb)
• endpoint, endpointmanager: Publish max policymap size as metric (#​27367, @​christarazi)
• ENI: fix calculateExcessIPs excessive calculate of excess ip (#​28467, @​wu0407)
• Envoy running inside the Cilium Agent may now be scraped by Prometheus when using Prometheus' ServiceMonitor objects. (Backport PR #​30349, Upstream PR #​30126, @​youngnick)
• envoy: Bump envoy to 1.26.2 (#​26851, @​sayboras)
• envoy: Bump envoy version to v1.26.4 (#​27104, @​sayboras)
• envoy: Bump envoy version to v1.27.1 (#​28531, @​sayboras)
• envoy: Bump envoy version to v1.27.2 (#​28671, @​mhofstetter)
• envoy: Update envoy version to the latest build (#​27819, @​jrajahalme)
• Extend AWS metadata-based policy enforcement to work with any VPC-enabled service. (#​27071, @​spacepants)
• Fix inaccurate calculation for bootstrap stats of restore (#​27983, @​PlatformLC)
• fix: Preserve OwnerReferences when updating Ingresses with Load Balancer in shared mode (#​28452, @​bittermandel)
• Fixes name used for disabling KVStoreMesh metrics. (#​27680, @​marseel)
• FQDN: transition to asynchronous IPCache APIs (#​29036, @​squeed)
• gateway-api: Add support for gateway.infrastructure attribute (#​29122, @​sayboras)
• gateway-api: Add support for multiple request mirrors (#​28342, @​sayboras)
• gateway-api: Add supported features in GatewayClass status (#​29116, @​sayboras)
• gateway-api: Bump the version to v0.8.1 (#​28195, @​sayboras)
• gateway-api: Bump the version to v1.0.0-rc1 (#​28757, @​sayboras)
• gateway-api: Bump version to v0.8.0-rc1 (#​27592, @​sayboras)
• gateway-api: Check for required CRDs upon startup (#​28982, @​sayboras)
• gateway-api: Update API version for Reference Grant (#​29811, @​sayboras)
• Handle IPv4 fragments in SNAT flows correctly. (#​25340, @​gentoo-root)
• helm: Add extraVolumeMounts to cilium config init container (Backport PR #​30349, Upstream PR #​30131, @​ayuspin)
• helm: Added support for existing Cilium SPIRE NS (#​29032, @​PhilipSchmid)
• helm: allow annotations to be set for preflight resources (#​27860, @​bradwhitfield)
• Hide empty columns by default in "kubectl get ciliumendpoints" output (#​28744, @​Iiqbal2000)
• hive/cell: remove health reporting on health provider. (#​28773, @​tommyp1ckles)
• hubble-relay: Add support for peers joining during requests (#​29326, @​glrf)
• Hubble: add option to filter for pods and services in any namespace (#​28921, @​glrf)
• hubble: Add Support for filtering on HTTP headers (#​28851, @​ChrsMark)
• hubble: Conditionally redact user info present in URLs in (L7) HTTP flows (#​28848, @​ioandr)
• Hubble: improve security by adding an option to redact API key in Kafka requests (L7) (#​25844, @​ioandr)
• hubble: replace deprecated usage of grpc.WithInsecure. (#​25631, @​tommyp1ckles)
• Ignore Indexed Job-specific label by default for CID creation batch.kubernetes.io/job-completion-index. (#​28897, @​tosi3k)
• Ignore StatefulSet-specific labels by default for CID creation. This includes the two following labels:
• statefulset.kubernetes.io/pod-name
• apps.kubernetes.io/pod-index (#​28003, @​tosi3k)
• Implement AdvertisedPathAttributes for CiliumBGPNeighbor in the CiliumBGPPeeringPolicy CRD to allow setting BGP Community and Local Preference path attributes for advertised BGP routes. (#​27705, @​rastislavs)
• Improve cilium status --verbose and cilium-health status --succinct support to show IPv6 IPs as well (#​27912, @​chaunceyjiang)
• Improve cilium-agent bootstrap time when using cluster-pool ipam. (#​28354, @​marseel)
• Improve helm validation for clustermesh, and allow creating the clustermesh configuration also in kvstore mode (#​28763, @​giorio94)
• Improve Hubble Relay Kubernetes Readiness/Liveness check (#​28765, @​glrf)
• Improve the usability of the cilium policy selectors command by including the policy name and namespace in order to easily understand which selector comes from what policy (#​27838, @​christarazi)
• Increase number of dnsproxy mutexes from 128 to 131. (#​27147, @​marseel)
• init: Poll CRD synchronization times have been lowered from 1 second to 50ms. (#​28954, @​howardjohn)
• Introduce ability to specify SAFI/AFI for specific BGP peers. (#​26940, @​ldelossa)
• ipam, metrics: Add new capacity metric (#​27710, @​christarazi)
• ipam/multipool: Introduce specific ip family annotations for specifying ip pools (#​28244, @​hargrovee)
• ipam: Remove cluster-pool-v2beta code (#​27753, @​gandro)
• Merge clustermesh-apiserver and kvstoremesh into a single image (#​27888, @​giorio94)
• metrics: add bpf_map_capacity metric which provides max size of maps (#​28146, @​tommyp1ckles)
• metrics: Add workqueue metrics (#​27042, @​ysksuzuki)
• Modular daemon and operator (#​25986, @​pippolo84)
• Mutual Auth: only respond handshake with certificate if security ID is in use on node (#​27682, @​meyskens)
• mutual-auth: Bump spire image version (#​29101, @​sayboras)
• Named ports in DNS policies are now resolved correctly. (#​29023, @​jrajahalme)
• Named ports in DNS policies are now resolved correctly. (Backport PR #​30529, Upstream PR #​29023, @​jrajahalme)
• Operator modular metrics (#​28005, @​pippolo84)
• operator: Remove identity GC and CES controller legacy metrics (#​28166, @​pippolo84)
• pkg/datapath: Remove defunct --single-cluster-route flag (#​29221, @​gandro)
• pkg/labels: print all leaf CIDRs, not just the last one. (#​28224, @​squeed)
• Pre-initialize several known metric vectors to avoid empty metrics (specifically: endpoint_regenerations_total, policy_change_total, policy_implementation_delay, policy_l7_total and kubernetes_events metrics). (#​27835, @​tommyp1ckles)
• Propagate prefixed labels from Ingress resource to LB service (#​28598, @​log1cb0mb)
• Refactor hubble redact settings schema (#​26989, @​ChrsMark)
• Refactor hubble redact settings schema [v2] (#​27553, @​ChrsMark)
• Remove deprecate clustermesh CA configuration from the helm chart (#​27162, @​giorio94)
• Remove deprecated policy_import_errors_total metric (#​28423, @​tklauser)
• Remove deprecated tunnel option, and corresponding helm values setting (#​29053, @​giorio94)
• Rename the CLI for local Cilium API access to 'cilium-dbg' (#​28085, @​joestringer)
• Replace etcd init script used for clustermesh with a Go equivalent.
  Upgrade etcd to v3.5.10. (#​29109, @​JamesLaverack)
• Replace LB-IPAM IP allocator to remove limitations and enable additional features (#​26488, @​dylandreimerink)
• Replace metricsmap-bpf-prom-sync with Prometheus Collector pattern (#​27370, @​carnerito)
• Respond with ICMP reply for traffic to services without backends (#​28157, @​dylandreimerink)
• show DSR-dispatch mode in cilium-dbg status (#​29217, @​chaunceyjiang)
• Structured Health Reporter + EndpointManager Modular Health Checks (#​27522, @​tommyp1ckles)
• The cilium-agent now sets GOMEMLIMIT to the container's memory resource limit, which helps the Go GC to avoid unnecessary OOMs. (#​27958, @​bimmlerd)
• The podIPPoolSelector field has been added to CiliumBGPVirtualRouter for selectively advertising multi-pool IPAM CIDRs. (#​27100, @​danehans)
• Update to Envoy 1.27.0, run cilium-envoy process without any privileges. (#​27498, @​jrajahalme)
• When BGP control plane is enabled and configured for service announcements, it will only advertise a matching service that has an unspecified loadbalancerClass or set for "io.cilium/bgp-control-plane". (#​26905, @​danehans)
• When master key protection is enabled, failed attempts at recreating k8s identity resources will now be retried. (#​28912, @​tommyp1ckles)
• When tunneling is enabled, a packet will be encapsulated by Cilium's tunnel netdev before encrypting with WireGuard. (#​29000, @​brb)

Bugfixes:

• ImplementationSpecific Ingress paths (which for Cilium Ingress means regex path matches) are now sorted correctly in between Exact and Prefix matches. (#​29381, @​youngnick)
• Add a 5 second timeout to the Mutual Auth TCP handshake (#​26650, @​meyskens)
• Add default toleration for SPIRE agent on control plane nodes (Backport PR #​30230, Upstream PR #​28947, @​meyskens)
• Allow unsupported protocol family errors when deleting IPv6 proxy routing rules (Backport PR #​30529, Upstream PR #​30299, @​rgo3)
• Avoid panic during BPF program compilation when clang command fails to start (Backport PR #​30264, Upstream PR #​30009, @​ti-mo)
• backporting: Revert changes until the new workflow will be in place (#​28371, @​pippolo84)
• bgpv1: Avoid creating resource.Store in Start() hive hooks of BGP CP to ensure proper BGP CP initialization. (Backport PR #​30079, Upstream PR #​29954, @​rastislavs)
• bgpv1: fix manager_test.go build error (#​27543, @​ldelossa)
• bpf: fix wrong loopback address mask value (Backport PR #​30230, Upstream PR #​29946, @​haiyuewa)
• bpf: fixes an issue where inserting inner maps into an outer may fail with EINVAL due to flags mismatch (#​28710, @​ldelossa)
• bpf: nat: set .from_local_endpoint for all inter-cluster SNAT traffic (#​26853, @​julianwiedmann)
• bug fix: close status collector when daemon exits (#​27937, @​sofat1989)
• bug: In dual-stack mode (both IPv4 and IPv6 are enabled), Cilium incorrectly converted CIDRs that covered all possible addresses for an IP Family (e.g. 0.0.0.0/0) to the "reserved:world" entity. Both IP families must be completely covered for "reserved:world" to apply. This resulted in dual-stack mode network policies that could not distinguish between world IPv4 and IPv6 traffic, treating them as one entity instead. (#​22625, @​nathanjsweet)
• Cilium DNS proxy can now use the original pod's address as the source address towards the DNS servers (--dnsproxy-enable-transparent-mode). (Backport PR #​30212, Upstream PR #​29239, @​jrajahalme)
• cleanup: can clean the bpf filters created by the cilium agent with lower version (#​27373, @​sofat1989)
• Conntrack entries for Service connections are now printed in the canonical "source -> destination" format when using the "bpf ct list" command. (#​28913, @​julianwiedmann)
• daemon/cmd: Updates restoreIPCache() to use errors.Is() (Backport PR #​30529, Upstream PR #​30220, @​danehans)
• daemon: Fail init if requirements for BPF masquerade are not met (Backport PR #​30230, Upstream PR #​29778, @​pippolo84)
• datapath: fix dbg-capture-proxy-[pre/post] reporting (#​27704, @​mhofstetter)
• datapath: Fix primary flag in NodeAddress (#​29483, @​joamaki)
• Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail (Backport PR #​30230, Upstream PR #​29400, @​meyskens)
• Don't orphan CEPs when node IPV6 is preferred at dual stack k8s config (#​28142, @​rawmind0)
• Due to a race condition in the experimental runtime device detection, Cilium could fail to make a newly added device available for node port services. (Backport PR #​30230, Upstream PR #​29917, @​bimmlerd)
• egressgateway: Use UID to identify CiliumEndpoints in epDataStore (#​29124, @​rastislavs)
• egressgw: Fix the issue that an iptables SNAT rule in the host netns interferes packets to egress gw and bypass the egress GW policy (#​29379, @​ysksuzuki)
• egressgw: policy: ensure egressGateway field is not nil (#​27802, @​jibi)
• endpointmanager: fix bpf policy pressure getting stuck. (#​28185, @​tommyp1ckles)
• envoy: Bump envoy image to include proxy_protocol filter (Backport PR #​30349, Upstream PR #​30260, @​sayboras)
• envoy: fix init order between accesslog and xDS server (#​27617, @​mhofstetter)
• envoy: fix SO_REUSEPORT with BPF TPROXY (#​30459, @​mhofstetter)
• examples: Fix YAML error backendRefs in HTTP Header Modifier (#​27871, @​haiyuewa)
• Fix a bug that may cause traffic to the node internal IP addresses to be incorrectly masqueraded when node encryption and remote node identities are both disabled, due to an inconsistency in the node manager when handling ipset entries insertions and deletions on node updates. (Backport PR #​30230, Upstream PR #​29986, @​qmonnet)
• Fix all packet drops due to missed tail calls, enable zero tolerance for these errors in CI (Backport PR #​30324, Upstream PR #​30248, @​ti-mo)
• Fix and prevent future bugs limiting pod-to-pod network performance under high load when tunneling and IPSec are both enabled. (Backport PR #​30079, Upstream PR #​29616, @​learnitall)
• Fix bug that could cause IPsec route change failures to be silent. (Backport PR #​30529, Upstream PR #​29423, @​derailed)
• Fix bugs in health-server that cause the state in the prober's cache to drift and allow nodes with empty IP addresses to be added. (Backport PR #​30230, Upstream PR #​29745, @​thorn3r)
• Fix cilium-envoy ServiceMonitor port name (#​27207, @​pixiono)
• Fix connection disruption for IPsec during downgrade to v1.14 by attaching correct bpf program to devices. (#​27480, @​jschwinger233)
• Fix endpoint logger not formatting logs as JSON when daemon log format is set to JSON (#​27263, @​leblowl)
• Fix error when using multiple allowRoutes namespaces in gateway (#​30550, @​mhofstetter)
• Fix Helm rendering for dashboards.enabled=true (#​28542, @​bakito)
• Fix instances of leaked health reporter updates. (Backport PR #​30230, Upstream PR #​30134, @​tommyp1ckles)
• Fix issue where agent attempting to restore local node information (such as cilium_host ip) would fail on k8s fallback method. (Backport PR #​30349, Upstream PR #​29460, @​tommyp1ckles)
• Fix missing NODE_ADD Hubble peer messages in some cases (#​28226, @​AwesomePatrol)
• Fix nodeinit issue causing NotReady state in Kubernetes nodes when laying down an incorrect CNI config (Backport PR #​30529, Upstream PR #​30399, @​tlcowling)
• Fix performance regression for pod-to-pod traffic WireGuard and tunneling. (Backport PR #​30529, Upstream PR #​30329, @​3u13r)
• Fix potential deadlock that results in stale authentication entries in Cilium (#​29082, @​meyskens)
• Fix rare bug possibly causing connection disruption and/or agent panic due to node events processing before full initialization. (Backport PR #​30529, Upstream PR #​30282, @​giorio94)
• Fix rendering helm operator-dashboard annotations (#​29106, @​Zariel)
• Fix wrong host and router IP being used for some IPv6 deployments, which was causing various connectivity problems. (Backport PR #​28500, Upstream PR #​28417, @​ti-mo)
• fix: PromQL syntax on cilium policy query Grafana dashboard (Backport PR #​30529, Upstream PR #​29938, @​M0NsTeRRR)
• Fixed health probing where ICMP probe was incorrectly reporting node as unreachable or reporting unreachable node as reachable in some cases. (Backport PR #​30529, Upstream PR #​30504, @​marseel)
• Fixes an issue where an empty ControlPlaneState was used during registration of BGP speakers. This would cause reconciliation issues as the current state would be unknown. (#​27117, @​ldelossa)
• Fixes an L7 proxy issue by re-introducing 2005 route table. (#​29530, @​jschwinger233)
• gateway-api: fix empty URI when removing path prefix (#​28606, @​dddddai)
• gateway-api: fix status reconcile error handling (Backport PR #​30230, Upstream PR #​29894, @​mhofstetter)
• gateway-api: Requeue Gateway for owning GRPCRoute (Backport PR #​30230, Upstream PR #​30124, @​sayboras)
• gateway: Add GRPCRoute support for status changed predicate (Backport PR #​30230, Upstream PR #​30176, @​sayboras)
• Handle .status.conditions on Services using in accordance with KEP-1623 (#​27399, @​addreas)
• health: Update Cilium agent to listen on nodeip (#​26845, @​tamilmani1989)
• helm: Correct command for initContainer config (#​28613, @​sayboras)
• helm: Fix envoy servicemonitor annotations (Backport PR #​30230, Upstream PR #​30017, @​pmcgrath)
• Implement full CES reconciliation logic in the operator (#​26836, @​alan-kut)
• init well-known identity before new policy repository to fix the fqdn policy issue when enable well-known identity. (Backport PR #​30529, Upstream PR #​30052, @​yingnanzhang666)
• L2 announcements retry getting lease after losing it (Backport PR #​30529, Upstream PR #​30340, @​dylandreimerink)
• l2announcer: Leases are only created for services that are being announced. (#​29446, @​f1ko)
• l7lb: Fix bug where not all relevant ports of a Service were synchronized to Envoy (Backport PR #​30264, Upstream PR #​30107, @​mhofstetter)
• lbipam: Fix off-by-one error in LBIPAM range allocation (#​29425, @​YutaroHayakawa)
• maps/metricspath: protect against concurrent access in Collect (Backport PR #​30230, Upstream PR #​30104, @​buroa)
• neigh: Install neighbor entries only on devices where routes exist (#​28782, @​ysksuzuki)
• node/wireguard: Fix node-to-node encryption inconsistencies in kvstore mode (Backport PR #​30530, Upstream PR #​30423, @​gandro)
• nodediscovery: Fix bug where CiliumInternalIP was flapping (Backport PR #​29973, Upstream PR #​29964, @​gandro)
• pkg/endpoint: fix endpoint health update always being ok. (Backport PR #​30529, Upstream PR #​30365, @​tommyp1ckles)
• pkg/nodediscovery: Updates updateCiliumNodeResource() Warning Message (Backport PR #​30349, Upstream PR #​30257, @​danehans)
• Policy revert used in rare error cases has been corrected. (#​29162, @​jrajahalme)
• policy: Fix mapstate changes error in entry change comparison (Backport PR #​30079, Upstream PR #​29815, @​jrajahalme)
• proxy: fix multiple envoy listeners for same proxyType (#​27510, @​mhofstetter)
• Remove a misplaces ls alias that caused cilium-dbg bpf auth ls to flush the map. (Backport PR #​30529, Upstream PR #​30445, @​meyskens)
• Remove non fatal errors from SPIRE client in the operator (Backport PR #​30230, Upstream PR #​28698, @​meyskens)
• Replace use of strict to true for kubeProxyReplacement in helm chart (#​27433, @​xtineskim)
• Revert "dnsproxy: Use original source address in connections to dns servers" to fix performance regression. (#​29202, @​thorn3r)
• srv6: modify h.encap location in the datapath to avoid incompatibility with IPv4Masq (#​28817, @​ldelossa)
• statedb: Fix termination of string and IP keys (#​29368, @​joamaki)
• The DNS proxy will now compute a UDP checksum over the IPv6 response packet and the pseudo-header. (#​29493, @​danehans)
• Unify parsing of StringSlice flags and allow splitting by commas (preferably) or by spaces. This fixes parsing of 'prometheus.metrics'. (Backport PR #​30079, Upstream PR #​29848, @​joamaki)

CI Changes:

• .github/actions: remove GKE K8s v1.23 from test matrix. (#​28297, @​tommyp1ckles)
• .github/workflows: don't error out if pkill finds no processes (#​26357, @​lmb)
• .github: bump k8s version from v1.28.0 -> v1.28.2. (#​28664, @​tommyp1ckles)
• .github: dump buddyinfo and pagetypeinfo when ci-e2e fails (#​26600, @​lmb)
• .github: re-use common helm values from a single action (#​28180, @​aanm)
• .github: Remove Loki action (#​26676, @​joestringer)
• Add 100 node scale test workflow (#​29214, @​learnitall)
• Add initial, in-progress workflow for automated scale testing (#​28362, @​learnitall)
• Add time wrapper to test agent delays in CI (#​27253, @​joestringer)
• ariane: Disable ci-e2e-upgrade (#​29488, @​brb)
• bpf/tests: Cover IPsec key rotations (#​27185, @​pchaigno)
• bpf/tests: Fixed loop not unrolled error in pktgen (#​28942, @​dylandreimerink)
• bpf: fix flakes when checking metrics map values. (#​28325, @​tommyp1ckles)
• bpf: fix test configuration for 5.10 and 6.1 kernels (Backport PR #​30230, Upstream PR #​29999, @​julianwiedmann)
• bpf: test: pktgen cleanups (#​26776, @​julianwiedmann)
• bpf: tests: add helpers for boilerplate code (#​27429, @​julianwiedmann)
• bpf: tests: add helpers for common patterns (#​27134, @​julianwiedmann)
• bpf: tests: improve CT checks for observed TCP flags (#​26802, @​julianwiedmann)
• build(deps): bump tornado from 6.2 to 6.3.3 in /Documentation (#​27497, @​dependabot[bot])
• ci aws: cleanup EKS cluster in separate job (#​29412, @​mhofstetter)
• CI images: Define a variable for the floating tags (#​28008, @​michi-covalent)
• CI images: Define a variable for the floating tags (#​28228, @​michi-covalent)
• CI Images: Don't push floating tags from feature branches (#​28044, @​michi-covalent)
• ci-clustermesh-upgrade: Adjust name of test to run, to match cilium-cli's renaming (Backport PR #​30264, Upstream PR #​30211, @​qmonnet)
• ci-clustermesh-upgrade: Increment timeout between rollouts to 5min (#​29560, @​mhofstetter)
• ci-e2e-upgrade: Bring it on (#​29073, @​brb)
• ci-e2e-upgrade: Remove setting CLI vsn (#​29435, [@​brb](https://togit

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

--- kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
-      version: 1.14.6
+      version: 1.15.0
   install:
     remediation:
       retries: 3
   interval: 30m
   maxHistory: 2
   uninstall:

[github-actions]

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

@@ -39,13 +39,16 @@

             "error": "#890f02",
             "warning": "#c15c17"
           },
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -143,13 +146,16 @@

           "aliasColors": {
             "avg": "#cffaff"
           },
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -283,13 +289,16 @@

             "MAX_virtual_memory_bytes": "#e5ac0e",
             "Max Virtual Memory": "#584477"
           },
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -406,13 +415,16 @@

           "aliasColors": {
             "MAX_resident_memory_bytes_max": "#e5ac0e"
           },
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -523,13 +535,16 @@

           "aliasColors": {
             "all nodes": "#e5a8e2"
           },
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -648,13 +663,16 @@

           "aliasColors": {
             "MAX_resident_memory_bytes_max": "#e5ac0e"
           },
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "description": "BPF memory usage in the entire system including components not managed by Cilium.",
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
@@ -771,13 +789,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "description": "Fill percentage of BPF maps, tagged by map name",
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
@@ -882,13 +903,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -983,13 +1007,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -1084,13 +1111,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -1185,13 +1215,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -1286,13 +1319,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -1387,13 +1423,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -1523,13 +1562,16 @@

         },
         {
           "aliasColors": {},
           "bars": true,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -1624,13 +1666,16 @@

         },
         {
           "aliasColors": {},
           "bars": true,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "decimals": 2,
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
@@ -1727,13 +1772,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -1828,13 +1876,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -1927,13 +1978,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -2028,13 +2082,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -2129,13 +2186,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -2251,13 +2311,16 @@

         },
         {
           "aliasColors": {},
           "bars": true,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "decimals": 2,
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
@@ -2354,13 +2417,16 @@

         },
         {
           "aliasColors": {},
           "bars": true,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -11,13 +11,15 @@

   cilium-endpoint-gc-interval: 5m0s
   nodes-gc-interval: 5m0s
   skip-cnp-status-startup-clean: 'false'
   debug: 'false'
   debug-verbose: ''
   enable-policy: default
+  policy-cidr-match-mode: ''
   prometheus-serve-addr: :9962
+  controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
   proxy-prometheus-port: '9964'
   operator-prometheus-serve-addr: :9963
   enable-metrics: 'true'
   enable-ipv4: 'true'
   enable-ipv6: 'false'
   custom-cni-conf: 'false'
@@ -30,32 +32,37 @@

   bpf-lb-map-max: '65536'
   bpf-lb-external-clusterip: 'false'
   preallocate-bpf-maps: 'false'
   sidecar-istio-proxy-image: cilium/istio_proxy
   cluster-name: home-cluster
   cluster-id: '1'
-  routing-mode: native
+  routing-mode: tunnel
+  tunnel-protocol: vxlan
+  service-no-backend-response: reject
   enable-l7-proxy: 'true'
   enable-ipv4-masquerade: 'true'
   enable-ipv4-big-tcp: 'false'
   enable-ipv6-big-tcp: 'false'
   enable-ipv6-masquerade: 'true'
   enable-bpf-masquerade: 'true'
+  enable-masquerade-to-route-source: 'false'
   enable-xt-socket-fallback: 'true'
   install-no-conntrack-iptables-rules: 'false'
   auto-direct-node-routes: 'true'
   enable-local-redirect-policy: 'true'
   ipv4-native-routing-cidr: ${CLUSTER_CIDR}
   kube-proxy-replacement: 'true'
   kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
   bpf-lb-sock: 'false'
   enable-health-check-nodeport: 'true'
+  enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-mode: dsr
   bpf-lb-algorithm: maglev
+  bpf-lb-acceleration: disabled
   enable-svc-source-range-check: 'true'
   enable-l2-neigh-discovery: 'true'
   arping-refresh-period: 30s
   enable-endpoint-routes: 'true'
   enable-k8s-networkpolicy: 'true'
   write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
@@ -69,21 +76,21 @@

   operator-api-serve-addr: 127.0.0.1:9234
   enable-hubble: 'true'
   hubble-socket-path: /var/run/cilium/hubble.sock
   hubble-metrics-server: :9965
   hubble-metrics: dns:query drop tcp flow port-distribution icmp http
   enable-hubble-open-metrics: 'false'
+  hubble-export-file-max-size-mb: '10'
+  hubble-export-file-max-backups: '5'
   hubble-listen-address: :4244
   hubble-disable-tls: 'false'
   hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
   hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
   hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
   ipam: kubernetes
   ipam-cilium-node-update-rate: 15s
-  disable-cnp-status-updates: 'true'
-  cnp-node-status-gc-interval: 0s
   egress-gateway-reconciliation-trigger-interval: 1s
   enable-vtep: 'false'
   vtep-endpoint: ''
   vtep-cidr: ''
   vtep-mask: ''
   vtep-mac: ''
@@ -93,14 +100,14 @@

   l2-announcements-retry-period: 1s
   enable-bgp-control-plane: 'false'
   bpf-root: /sys/fs/bpf
   cgroup-root: /run/cilium/cgroupv2
   enable-k8s-terminating-endpoint: 'true'
   enable-sctp: 'false'
-  k8s-client-qps: '5'
-  k8s-client-burst: '10'
+  k8s-client-qps: '10'
+  k8s-client-burst: '20'
   remove-cilium-node-taints: 'true'
   set-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
   unmanaged-pod-watcher-interval: '15'
   dnsproxy-enable-transparent-mode: 'true'
   tofqdns-dns-reject-response-code: refused
@@ -115,7 +122,8 @@

   mesh-auth-rotated-identities-queue-size: '1024'
   mesh-auth-gc-interval: 5m0s
   proxy-connect-timeout: '2'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
   external-envoy-proxy: 'false'
+  max-connected-clusters: '255'
 
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

@@ -15,8 +15,10 @@

     \ range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout;\n\
     \        if ($request_method = OPTIONS) {\n            return 204;\n        }\n\
     \        # /CORS\n\n        location /api {\n            proxy_http_version 1.1;\n\
     \            proxy_pass_request_headers on;\n            proxy_hide_header Access-Control-Allow-Origin;\n\
     \            proxy_pass http://127.0.0.1:8090;\n        }\n        location /\
     \ {\n            # double `/index.html` is required here \n            try_files\
-    \ $uri $uri/ /index.html /index.html;\n        }\n    }\n}"
+    \ $uri $uri/ /index.html /index.html;\n        }\n\n        # Liveness probe\n\
+    \        location /healthz {\n            access_log off;\n            add_header\
+    \ Content-Type text/plain;\n            return 200 'ok';\n        }\n    }\n}"
 
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-dashboard

@@ -3238,11 +3238,11 @@

           "2d",
           "7d",
           "30d"
         ]
       },
       "timezone": "",
-      "title": "Hubble",
+      "title": "Hubble Metrics and Monitoring",
       "uid": "5HftnJAWz",
       "version": 24
     }
 
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium

@@ -54,12 +54,15 @@

   - get
 - apiGroups:
   - cilium.io
   resources:
   - ciliumloadbalancerippools
   - ciliumbgppeeringpolicies
+  - ciliumbgpnodeconfigs
+  - ciliumbgpadvertisements
+  - ciliumbgppeerconfigs
   - ciliumclusterwideenvoyconfigs
   - ciliumclusterwidenetworkpolicies
   - ciliumegressgatewaypolicies
   - ciliumendpoints
   - ciliumendpointslices
   - ciliumenvoyconfigs
@@ -108,9 +111,10 @@

   resources:
   - ciliumnetworkpolicies/status
   - ciliumclusterwidenetworkpolicies/status
   - ciliumendpoints/status
   - ciliumendpoints
   - ciliuml2announcementpolicies/status
+  - ciliumbgpnodeconfigs/status
   verbs:
   - patch
 
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

@@ -116,12 +116,15 @@

   - update
 - apiGroups:
   - cilium.io
   resources:
   - ciliumendpointslices
   - ciliumenvoyconfigs
+  - ciliumbgppeerconfigs
+  - ciliumbgpadvertisements
+  - ciliumbgpnodeconfigs
   verbs:
   - create
   - update
   - get
   - list
   - watch
@@ -142,12 +145,17 @@

   - customresourcedefinitions
   verbs:
   - update
   resourceNames:
   - ciliumloadbalancerippools.cilium.io
   - ciliumbgppeeringpolicies.cilium.io
+  - ciliumbgpclusterconfigs.cilium.io
+  - ciliumbgppeerconfigs.cilium.io
+  - ciliumbgpadvertisements.cilium.io
+  - ciliumbgpnodeconfigs.cilium.io
+  - ciliumbgpnodeconfigoverrides.cilium.io
   - ciliumclusterwideenvoyconfigs.cilium.io
   - ciliumclusterwidenetworkpolicies.cilium.io
   - ciliumegressgatewaypolicies.cilium.io
   - ciliumendpoints.cilium.io
   - ciliumendpointslices.cilium.io
   - ciliumenvoyconfigs.cilium.io
@@ -162,12 +170,14 @@

   - ciliumpodippools.cilium.io
 - apiGroups:
   - cilium.io
   resources:
   - ciliumloadbalancerippools
   - ciliumpodippools
+  - ciliumbgpclusterconfigs
+  - ciliumbgpnodeconfigoverrides
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - cilium.io
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,21 +16,21 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 08d1b987525060dd3fa1cb445d7d467e645b3f18388f6e86b2d7f1a48139d963
+        cilium.io/cilium-configmap-checksum: 038c6dab4bc719d37bb4a2a8b4d532664cab51cdbcf2cf59d68d468e011c31a0
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.14.6@sha256:37a49f1abb333279a9b802ee8a21c61cde9dd9138b5ac55f77bdfca733ba852a
+        image: quay.io/cilium/cilium:v1.15.0@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -42,12 +42,13 @@

             httpHeaders:
             - name: brief
               value: 'true'
           failureThreshold: 105
           periodSeconds: 2
           successThreshold: 1
+          initialDelaySeconds: 5
         livenessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
             port: 9879
             scheme: HTTP
@@ -81,12 +82,16 @@

           valueFrom:
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
         - name: CILIUM_CLUSTERMESH_CONFIG
           value: /var/lib/cilium/clustermesh/
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
         - name: KUBERNETES_SERVICE_HOST
           value: ${KUBE_VIP_ADDR}
         - name: KUBERNETES_SERVICE_PORT
           value: '6443'
         lifecycle:
           postStart:
@@ -158,16 +163,16 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.14.6@sha256:37a49f1abb333279a9b802ee8a21c61cde9dd9138b5ac55f77bdfca733ba852a
-        imagePullPolicy: IfNotPresent
-        command:
-        - cilium
+        image: quay.io/cilium/cilium:v1.15.0@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619
+        imagePullPolicy: IfNotPresent
+        command:
+        - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
           valueFrom:
             fieldRef:
               apiVersion: v1
@@ -183,13 +188,13 @@

           value: '6443'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.14.6@sha256:37a49f1abb333279a9b802ee8a21c61cde9dd9138b5ac55f77bdfca733ba852a
+        image: quay.io/cilium/cilium:v1.15.0@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /run/cilium/cgroupv2
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -206,13 +211,13 @@

         - name: cni-path
           mountPath: /hostbin
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.14.6@sha256:37a49f1abb333279a9b802ee8a21c61cde9dd9138b5ac55f77bdfca733ba852a
+        image: quay.io/cilium/cilium:v1.15.0@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -227,13 +232,13 @@

         - name: cni-path
           mountPath: /hostbin
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.14.6@sha256:37a49f1abb333279a9b802ee8a21c61cde9dd9138b5ac55f77bdfca733ba852a
+        image: quay.io/cilium/cilium:v1.15.0@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -243,12 +248,18 @@

               optional: true
         - name: CILIUM_BPF_STATE
           valueFrom:
             configMapKeyRef:
               name: cilium-config
               key: clean-cilium-bpf-state
+              optional: true
+        - name: WRITE_CNI_CONF_WHEN_READY
+          valueFrom:
+            configMapKeyRef:
+              name: cilium-config
+              key: write-cni-conf-when-ready
               optional: true
         - name: KUBERNETES_SERVICE_HOST
           value: ${KUBE_VIP_ADDR}
         - name: KUBERNETES_SERVICE_PORT
           value: '6443'
         terminationMessagePolicy: FallbackToLogsOnError
@@ -260,13 +271,13 @@

         - name: cilium-cgroup
           mountPath: /run/cilium/cgroupv2
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.14.6@sha256:37a49f1abb333279a9b802ee8a21c61cde9dd9138b5ac55f77bdfca733ba852a
+        image: quay.io/cilium/cilium:v1.15.0@sha256:9cfd6a0a3a964780e73a11159f93cc363e616f7d9783608f62af6cfdf3759619
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,22 +20,22 @@

       maxSurge: 25%
       maxUnavailable: 100%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 08d1b987525060dd3fa1cb445d7d467e645b3f18388f6e86b2d7f1a48139d963
+        cilium.io/cilium-configmap-checksum: 038c6dab4bc719d37bb4a2a8b4d532664cab51cdbcf2cf59d68d468e011c31a0
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.14.6@sha256:2f0bf8fb8362c7379f3bf95036b90ad5b67378ed05cd8eb0410c1afc13423848
+        image: quay.io/cilium/operator-generic:v1.15.0@sha256:e26ecd316e742e4c8aa1e302ba8b577c2d37d114583d6c4cdd2b638493546a79
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -34,27 +34,35 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.14.6@sha256:adeb90adae481bb952211483f511afee40825707953ed7ac118902d3bc8dd37f
+        image: quay.io/cilium/hubble-relay:v1.15.0@sha256:45b3ea70b73aee01644f800b8f6138c36446bfb130d2b88b0f75775ebe6a9ab6
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
         - name: grpc
           containerPort: 4245
         readinessProbe:
-          tcpSocket:
-            port: grpc
+          grpc:
+            port: 4222
+          timeoutSeconds: 3
         livenessProbe:
-          tcpSocket:
-            port: grpc
+          grpc:
+            port: 4222
+          timeoutSeconds: 3
+        startupProbe:
+          grpc:
+            port: 4222
+          timeoutSeconds: 3
+          failureThreshold: 20
+          periodSeconds: 3
         volumeMounts:
         - name: config
           mountPath: /etc/hubble-relay
           readOnly: true
         - name: tls
           mountPath: /var/lib/hubble-relay/tls
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

@@ -17,38 +17,46 @@

     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/hubble-ui-nginx-configmap-checksum: 02d6b04b131029fae39270192dcff10fa3a64af9d1d4d0049f1efbc3f5526a34
+        cilium.io/hubble-ui-nginx-configmap-checksum: e8acee96ed990156efd0291c8c33709d2c7902d2ec993eefa16c7cd3d1a9d84b
       labels:
         k8s-app: hubble-ui
         app.kubernetes.io/name: hubble-ui
         app.kubernetes.io/part-of: cilium
     spec:
       priorityClassName: null
       serviceAccount: hubble-ui
       serviceAccountName: hubble-ui
       automountServiceAccountToken: true
       containers:
       - name: frontend
-        image: quay.io/cilium/hubble-ui:v0.12.1@sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267
+        image: quay.io/cilium/hubble-ui:v0.12.3@sha256:e6b825302fc1e406b1305363fe0bcd1fdf95730b32c2b99a2b36dfa37bdaeec2
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
           containerPort: 8081
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8081
         volumeMounts:
         - name: hubble-ui-nginx-conf
           mountPath: /etc/nginx/conf.d/default.conf
           subPath: nginx.conf
         - name: tmp-dir
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: backend
-        image: quay.io/cilium/hubble-ui-backend:v0.12.1@sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe
+        image: quay.io/cilium/hubble-ui-backend:v0.12.3@sha256:1cd84251cec46e20f9e839ee0afba9b51c8de59d35681234f701d7f42062f138
         imagePullPolicy: IfNotPresent
         env:
         - name: EVENTS_SERVER_PORT
           value: '8090'
         - name: FLOWS_API_ADDR
           value: hubble-relay:80
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-dns-namespace

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-dns-namespace

@@ -0,0 +1,240 @@

+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hubble-dns-namespace
+  namespace: kube-system
+  labels:
+    k8s-app: hubble
+    app.kubernetes.io/name: hubble
+    app.kubernetes.io/part-of: cilium
+    grafana_dashboard: '1'
+  annotations:
+    grafana_folder: Cilium
+data:
+  hubble-dns-namespace.json: "{\n    \"__inputs\": [\n      {\n        \"name\": \"\
+    DS_PROMETHEUS\",\n        \"label\": \"Prometheus\",\n        \"description\"\
+    : \"\",\n        \"type\": \"datasource\",\n        \"pluginId\": \"prometheus\"\
+    ,\n        \"pluginName\": \"Prometheus\"\n      }\n    ],\n    \"__elements\"\
+    : {},\n    \"__requires\": [\n      {\n        \"type\": \"panel\",\n        \"\
+    id\": \"bargauge\",\n        \"name\": \"Bar gauge\",\n        \"version\": \"\
+    \"\n      },\n      {\n        \"type\": \"grafana\",\n        \"id\": \"grafana\"\
+    ,\n        \"name\": \"Grafana\",\n        \"version\": \"9.4.7\"\n      },\n\
+    \      {\n        \"type\": \"datasource\",\n        \"id\": \"prometheus\",\n\
+    \        \"name\": \"Prometheus\",\n        \"version\": \"1.0.0\"\n      },\n\
+    \      {\n        \"type\": \"panel\",\n        \"id\": \"timeseries\",\n    \
+    \    \"name\": \"Time series\",\n        \"version\": \"\"\n      }\n    ],\n\
+    \    \"annotations\": {\n      \"list\": [\n        {\n          \"builtIn\":\
+    \ 1,\n          \"datasource\": {\n            \"type\": \"datasource\",\n   \
+    \         \"uid\": \"grafana\"\n          },\n          \"enable\": true,\n  \
+    \        \"hide\": true,\n          \"iconColor\": \"rgba(0, 211, 255, 1)\",\n\
+    \          \"name\": \"Annotations & Alerts\",\n          \"target\": {\n    \
+    \        \"limit\": 100,\n            \"matchAny\": false,\n            \"tags\"\
+    : [],\n            \"type\": \"dashboard\"\n          },\n          \"type\":\
+    \ \"dashboard\"\n        }\n      ]\n    },\n    \"description\": \"\",\n    \"\
+    editable\": true,\n    \"fiscalYearStartMonth\": 0,\n    \"gnetId\": 16612,\n\
+    \    \"graphTooltip\": 0,\n    \"id\": null,\n    \"links\": [\n      {\n    \
+    \    \"asDropdown\": true,\n        \"icon\": \"external link\",\n        \"includeVars\"\
+    : true,\n        \"keepTime\": true,\n        \"tags\": [\n          \"cilium-overview\"\
+    \n        ],\n        \"targetBlank\": false,\n        \"title\": \"Cilium Overviews\"\
+    ,\n        \"tooltip\": \"\",\n        \"type\": \"dashboards\",\n        \"url\"\
+    : \"\"\n      },\n      {\n        \"asDropdown\": true,\n        \"icon\": \"\
+    external link\",\n        \"includeVars\": false,\n        \"keepTime\": true,\n\
+    \        \"tags\": [\n          \"hubble\"\n        ],\n        \"targetBlank\"\
+    : false,\n        \"title\": \"Hubble\",\n        \"tooltip\": \"\",\n       \
+    \ \"type\": \"dashboards\",\n        \"url\": \"\"\n      }\n    ],\n    \"liveNow\"\
+    : false,\n    \"panels\": [\n      {\n        \"collapsed\": false,\n        \"\
+    gridPos\": {\n          \"h\": 1,\n          \"w\": 24,\n          \"x\": 0,\n\
+    \          \"y\": 0\n        },\n        \"id\": 2,\n        \"panels\": [],\n\
+    \        \"title\": \"DNS\",\n        \"type\": \"row\"\n      },\n      {\n \
+    \       \"datasource\": {\n          \"type\": \"prometheus\",\n          \"uid\"\
+    : \"${DS_PROMETHEUS}\"\n        },\n        \"description\": \"\",\n        \"\
+    fieldConfig\": {\n          \"defaults\": {\n            \"color\": {\n      \
+    \        \"mode\": \"palette-classic\"\n            },\n            \"custom\"\
+    : {\n              \"axisCenteredZero\": false,\n              \"axisColorMode\"\
+    : \"text\",\n              \"axisLabel\": \"\",\n              \"axisPlacement\"\
+    : \"auto\",\n              \"barAlignment\": 0,\n              \"drawStyle\":\
+    \ \"line\",\n              \"fillOpacity\": 10,\n              \"gradientMode\"\
+    : \"none\",\n              \"hideFrom\": {\n                \"legend\": false,\n\
+    \                \"tooltip\": false,\n                \"viz\": false\n       \
+    \       },\n              \"lineInterpolation\": \"linear\",\n              \"\
+    lineWidth\": 1,\n              \"pointSize\": 5,\n              \"scaleDistribution\"\
+    : {\n                \"type\": \"linear\"\n              },\n              \"\
+    showPoints\": \"auto\",\n              \"spanNulls\": false,\n              \"\
+    stacking\": {\n                \"group\": \"A\",\n                \"mode\": \"\
+    normal\"\n              },\n              \"thresholdsStyle\": {\n           \
+    \     \"mode\": \"off\"\n              }\n            },\n            \"mappings\"\
+    : [],\n            \"min\": 0,\n            \"thresholds\": {\n              \"\
+    mode\": \"absolute\",\n              \"steps\": [\n                {\n       \
+    \           \"color\": \"green\",\n                  \"value\": null\n       \
+    \         },\n                {\n                  \"color\": \"red\",\n     \
+    \             \"value\": 80\n                }\n              ]\n            },\n\
+    \            \"unit\": \"reqps\"\n          },\n          \"overrides\": []\n\
+    \        },\n        \"gridPos\": {\n          \"h\": 9,\n          \"w\": 12,\n\
+    \          \"x\": 0,\n          \"y\": 1\n        },\n        \"id\": 37,\n  \
+    \      \"options\": {\n          \"legend\": {\n            \"calcs\": [\n   \
+    \           \"mean\",\n              \"lastNotNull\"\n            ],\n       \
+    \     \"displayMode\": \"table\",\n            \"placement\": \"bottom\",\n  \
+    \          \"showLegend\": true\n          },\n          \"tooltip\": {\n    \
+    \        \"mode\": \"single\",\n            \"sort\": \"none\"\n          }\n\
+    \        },\n        \"targets\": [\n          {\n            \"datasource\":\
+    \ {\n              \"type\": \"prometheus\",\n              \"uid\": \"${DS_PROMETHEUS}\"\
+    \n            },\n            \"editorMode\": \"code\",\n            \"expr\"\
+    : \"sum(rate(hubble_dns_queries_total{cluster=~\\\"$cluster\\\", source_namespace=~\\\
+    \"$source_namespace\\\", destination_namespace=~\\\"$destination_namespace\\\"\
+    }[$__rate_interval])) by (source) > 0\",\n            \"legendFormat\": \"{{source}}\"\
+    ,\n            \"range\": true,\n            \"refId\": \"A\"\n          }\n \
+    \       ],\n        \"title\": \"DNS queries\",\n        \"type\": \"timeseries\"\
+    \n      },\n      {\n        \"datasource\": {\n          \"type\": \"prometheus\"\
+    ,\n          \"uid\": \"${DS_PROMETHEUS}\"\n        },\n        \"fieldConfig\"\
+    : {\n          \"defaults\": {\n            \"color\": {\n              \"mode\"\
+    : \"thresholds\"\n            },\n            \"mappings\": [],\n            \"\
+    min\": 0,\n            \"thresholds\": {\n              \"mode\": \"absolute\"\
+    ,\n              \"steps\": [\n                {\n                  \"color\"\
+    : \"green\",\n                  \"value\": null\n                }\n         \
+    \     ]\n            },\n            \"unit\": \"reqps\"\n          },\n     \
+    \     \"overrides\": []\n        },\n        \"gridPos\": {\n          \"h\":\
+    \ 9,\n          \"w\": 12,\n          \"x\": 12,\n          \"y\": 1\n       \
+    \ },\n        \"id\": 41,\n        \"options\": {\n          \"displayMode\":\
+    \ \"gradient\",\n          \"minVizHeight\": 10,\n          \"minVizWidth\": 0,\n\
+    \          \"orientation\": \"horizontal\",\n          \"reduceOptions\": {\n\
+    \            \"calcs\": [\n              \"lastNotNull\"\n            ],\n   \
+    \         \"fields\": \"\",\n            \"values\": false\n          },\n   \
+    \       \"showUnfilled\": true\n        },\n        \"pluginVersion\": \"9.4.7\"\
+    ,\n        \"targets\": [\n          {\n            \"datasource\": {\n      \
+    \        \"type\": \"prometheus\",\n              \"uid\": \"${DS_PROMETHEUS}\"\
+    \n            },\n            \"editorMode\": \"code\",\n            \"expr\"\
+    : \"topk(10, sum(rate(hubble_dns_queries_total{cluster=~\\\"$cluster\\\", source_namespace=~\\\
+    \"$source_namespace\\\", destination_namespace=~\\\"$destination_namespace\\\"\
+    }[$__rate_interval])*60) by (query))\",\n            \"legendFormat\": \"{{query}}\"\
+    ,\n            \"range\": true,\n            \"refId\": \"A\"\n          }\n \
+    \       ],\n        \"title\": \"Top 10 DNS queries\",\n        \"type\": \"bargauge\"\
+    \n      },\n      {\n        \"datasource\": {\n          \"type\": \"prometheus\"\
+    ,\n          \"uid\": \"${DS_PROMETHEUS}\"\n        },\n        \"fieldConfig\"\
+    : {\n          \"defaults\": {\n            \"color\": {\n              \"mode\"\
+    : \"palette-classic\"\n            },\n            \"custom\": {\n           \
+    \   \"axisCenteredZero\": false,\n              \"axisColorMode\": \"text\",\n\
+    \              \"axisLabel\": \"\",\n              \"axisPlacement\": \"auto\"\
+    ,\n              \"barAlignment\": 0,\n              \"drawStyle\": \"line\",\n\
+    \              \"fillOpacity\": 10,\n              \"gradientMode\": \"none\"\
+    ,\n              \"hideFrom\": {\n                \"legend\": false,\n       \
+    \         \"tooltip\": false,\n                \"viz\": false\n              },\n\
+    \              \"lineInterpolation\": \"linear\",\n              \"lineWidth\"\
+    : 1,\n              \"pointSize\": 5,\n              \"scaleDistribution\": {\n\
+    \                \"type\": \"linear\"\n              },\n              \"showPoints\"\
+    : \"auto\",\n              \"spanNulls\": false,\n              \"stacking\":\
+    \ {\n                \"group\": \"A\",\n                \"mode\": \"normal\"\n\
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-network-overview-namespace

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-network-overview-namespace

@@ -0,0 +1,396 @@

+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hubble-network-overview-namespace
+  namespace: kube-system
+  labels:
+    k8s-app: hubble
+    app.kubernetes.io/name: hubble
+    app.kubernetes.io/part-of: cilium
+    grafana_dashboard: '1'
+  annotations:
+    grafana_folder: Cilium
+data:
+  hubble-network-overview-namespace.json: "{\n    \"__inputs\": [\n      {\n     \
+    \   \"name\": \"DS_PROMETHEUS\",\n        \"label\": \"Prometheus\",\n       \
+    \ \"description\": \"\",\n        \"type\": \"datasource\",\n        \"pluginId\"\
+    : \"prometheus\",\n        \"pluginName\": \"Prometheus\"\n      }\n    ],\n \
+    \   \"__elements\": {},\n    \"__requires\": [\n      {\n        \"type\": \"\
+    panel\",\n        \"id\": \"bargauge\",\n        \"name\": \"Bar gauge\",\n  \
+    \      \"version\": \"\"\n      },\n      {\n        \"type\": \"grafana\",\n\
+    \        \"id\": \"grafana\",\n        \"name\": \"Grafana\",\n        \"version\"\
+    : \"9.4.7\"\n      },\n      {\n        \"type\": \"datasource\",\n        \"\
+    id\": \"prometheus\",\n        \"name\": \"Prometheus\",\n        \"version\"\
+    : \"1.0.0\"\n      },\n      {\n        \"type\": \"panel\",\n        \"id\":\
+    \ \"timeseries\",\n        \"name\": \"Time series\",\n        \"version\": \"\
+    \"\n      }\n    ],\n    \"annotations\": {\n      \"list\": [\n        {\n  \
+    \        \"builtIn\": 1,\n          \"datasource\": {\n            \"type\": \"\
+    datasource\",\n            \"uid\": \"grafana\"\n          },\n          \"enable\"\
+    : true,\n          \"hide\": true,\n          \"iconColor\": \"rgba(0, 211, 255,\
+    \ 1)\",\n          \"name\": \"Annotations & Alerts\",\n          \"target\":\
+    \ {\n            \"limit\": 100,\n            \"matchAny\": false,\n         \
+    \   \"tags\": [],\n            \"type\": \"dashboard\"\n          },\n       \
+    \   \"type\": \"dashboard\"\n        }\n      ]\n    },\n    \"description\":\
+    \ \"\",\n    \"editable\": true,\n    \"fiscalYearStartMonth\": 0,\n    \"gnetId\"\
+    : 16612,\n    \"graphTooltip\": 0,\n    \"id\": null,\n    \"links\": [\n    \
+    \  {\n        \"asDropdown\": true,\n        \"icon\": \"external link\",\n  \
+    \      \"includeVars\": true,\n        \"keepTime\": true,\n        \"tags\":\
+    \ [\n          \"cilium-overview\"\n        ],\n        \"targetBlank\": false,\n\
+    \        \"title\": \"Cilium Overviews\",\n        \"tooltip\": \"\",\n      \
+    \  \"type\": \"dashboards\",\n        \"url\": \"\"\n      },\n      {\n     \
+    \   \"asDropdown\": true,\n        \"icon\": \"external link\",\n        \"includeVars\"\
+    : false,\n        \"keepTime\": true,\n        \"tags\": [\n          \"hubble\"\
+    \n        ],\n        \"targetBlank\": false,\n        \"title\": \"Hubble\",\n\
+    \        \"tooltip\": \"\",\n        \"type\": \"dashboards\",\n        \"url\"\
+    : \"\"\n      }\n    ],\n    \"liveNow\": false,\n    \"panels\": [\n      {\n\
+    \        \"collapsed\": false,\n        \"gridPos\": {\n          \"h\": 1,\n\
+    \          \"w\": 24,\n          \"x\": 0,\n          \"y\": 0\n        },\n \
+    \       \"id\": 8,\n        \"panels\": [],\n        \"title\": \"Flows processed\"\
+    ,\n        \"type\": \"row\"\n      },\n      {\n        \"datasource\": {\n \
+    \         \"type\": \"prometheus\",\n          \"uid\": \"${DS_PROMETHEUS}\"\n\
+    \        },\n        \"fieldConfig\": {\n          \"defaults\": {\n         \
+    \   \"color\": {\n              \"mode\": \"palette-classic\"\n            },\n\
+    \            \"custom\": {\n              \"axisCenteredZero\": false,\n     \
+    \         \"axisColorMode\": \"text\",\n              \"axisLabel\": \"\",\n \
+    \             \"axisPlacement\": \"auto\",\n              \"barAlignment\": 0,\n\
+    \              \"drawStyle\": \"line\",\n              \"fillOpacity\": 10,\n\
+    \              \"gradientMode\": \"none\",\n              \"hideFrom\": {\n  \
+    \              \"legend\": false,\n                \"tooltip\": false,\n     \
+    \           \"viz\": false\n              },\n              \"lineInterpolation\"\
+    : \"linear\",\n              \"lineWidth\": 1,\n              \"pointSize\": 5,\n\
+    \              \"scaleDistribution\": {\n                \"type\": \"linear\"\n\
+    \              },\n              \"showPoints\": \"auto\",\n              \"spanNulls\"\
+    : false,\n              \"stacking\": {\n                \"group\": \"A\",\n \
+    \               \"mode\": \"normal\"\n              },\n              \"thresholdsStyle\"\
+    : {\n                \"mode\": \"off\"\n              }\n            },\n    \
+    \        \"mappings\": [],\n            \"min\": 0,\n            \"thresholds\"\
+    : {\n              \"mode\": \"absolute\",\n              \"steps\": [\n     \
+    \           {\n                  \"color\": \"green\",\n                  \"value\"\
+    : null\n                },\n                {\n                  \"color\": \"\
+    red\",\n                  \"value\": 80\n                }\n              ]\n\
+    \            },\n            \"unit\": \"ops\"\n          },\n          \"overrides\"\
+    : []\n        },\n        \"gridPos\": {\n          \"h\": 9,\n          \"w\"\
+    : 12,\n          \"x\": 0,\n          \"y\": 1\n        },\n        \"id\": 12,\n\
+    \        \"options\": {\n          \"legend\": {\n            \"calcs\": [],\n\
+    \            \"displayMode\": \"list\",\n            \"placement\": \"bottom\"\
+    ,\n            \"showLegend\": true\n          },\n          \"tooltip\": {\n\
+    \            \"mode\": \"single\",\n            \"sort\": \"none\"\n         \
+    \ }\n        },\n        \"targets\": [\n          {\n            \"datasource\"\
+    : {\n              \"type\": \"prometheus\",\n              \"uid\": \"${DS_PROMETHEUS}\"\
+    \n            },\n            \"editorMode\": \"code\",\n            \"expr\"\
+    : \"sum(rate(hubble_flows_processed_total{cluster=~\\\"$cluster\\\", source_namespace=~\\\
+    \"$source_namespace\\\", destination_namespace=~\\\"$destination_namespace\\\"\
+    }[$__rate_interval])) by (type, subtype)\",\n            \"legendFormat\": \"\
+    {{type}}/{{subtype}}\",\n            \"range\": true,\n            \"refId\":\
+    \ \"A\"\n          }\n        ],\n        \"title\": \"Flows processed by type\"\
+    ,\n        \"type\": \"timeseries\"\n      },\n      {\n        \"datasource\"\
+    : {\n          \"type\": \"prometheus\",\n          \"uid\": \"${DS_PROMETHEUS}\"\
+    \n        },\n        \"fieldConfig\": {\n          \"defaults\": {\n        \
+    \    \"color\": {\n              \"mode\": \"palette-classic\"\n            },\n\
+    \            \"custom\": {\n              \"axisCenteredZero\": false,\n     \
+    \         \"axisColorMode\": \"text\",\n              \"axisLabel\": \"\",\n \
+    \             \"axisPlacement\": \"auto\",\n              \"barAlignment\": 0,\n\
+    \              \"drawStyle\": \"line\",\n              \"fillOpacity\": 10,\n\
+    \              \"gradientMode\": \"none\",\n              \"hideFrom\": {\n  \
+    \              \"legend\": false,\n                \"tooltip\": false,\n     \
+    \           \"viz\": false\n              },\n              \"lineInterpolation\"\
+    : \"linear\",\n              \"lineWidth\": 1,\n              \"pointSize\": 5,\n\
+    \              \"scaleDistribution\": {\n                \"type\": \"linear\"\n\
+    \              },\n              \"showPoints\": \"auto\",\n              \"spanNulls\"\
+    : false,\n              \"stacking\": {\n                \"group\": \"A\",\n \
+    \               \"mode\": \"normal\"\n              },\n              \"thresholdsStyle\"\
+    : {\n                \"mode\": \"off\"\n              }\n            },\n    \
+    \        \"mappings\": [],\n            \"min\": 0,\n            \"thresholds\"\
+    : {\n              \"mode\": \"absolute\",\n              \"steps\": [\n     \
+    \           {\n                  \"color\": \"green\",\n                  \"value\"\
+    : null\n                },\n                {\n                  \"color\": \"\
+    red\",\n                  \"value\": 80\n                }\n              ]\n\
+    \            },\n            \"unit\": \"ops\"\n          },\n          \"overrides\"\
+    : []\n        },\n        \"gridPos\": {\n          \"h\": 9,\n          \"w\"\
+    : 12,\n          \"x\": 12,\n          \"y\": 1\n        },\n        \"id\": 35,\n\
+    \        \"options\": {\n          \"legend\": {\n            \"calcs\": [],\n\
+    \            \"displayMode\": \"list\",\n            \"placement\": \"bottom\"\
+    ,\n            \"showLegend\": true\n          },\n          \"tooltip\": {\n\
+    \            \"mode\": \"single\",\n            \"sort\": \"none\"\n         \
+    \ }\n        },\n        \"targets\": [\n          {\n            \"datasource\"\
+    : {\n              \"type\": \"prometheus\",\n              \"uid\": \"${DS_PROMETHEUS}\"\
+    \n            },\n            \"editorMode\": \"code\",\n            \"expr\"\
+    : \"sum(rate(hubble_flows_processed_total{cluster=~\\\"$cluster\\\", source_namespace=~\\\
+    \"$source_namespace\\\", destination_namespace=~\\\"$destination_namespace\\\"\
+    }[$__rate_interval])) by (verdict)\",\n            \"legendFormat\": \"{{verdict}}\"\
+    ,\n            \"range\": true,\n            \"refId\": \"A\"\n          }\n \
+    \       ],\n        \"title\": \"Flows processed by verdict\",\n        \"type\"\
+    : \"timeseries\"\n      },\n      {\n        \"datasource\": {\n          \"type\"\
+    : \"prometheus\",\n          \"uid\": \"${DS_PROMETHEUS}\"\n        },\n     \
[Diff truncated by flux-local]