From be4a13d559367e95ea4c57797a1b5078c09c2886 Mon Sep 17 00:00:00 2001
From: openshift-service-mesh-bot <openshiftservicemeshbot@gmail.com>
Date: Wed, 15 Jan 2025 05:05:29 +0000
Subject: [PATCH] Automator: Update dependencies in
 istio-ecosystem/sail-operator@main

Signed-off-by: openshift-service-mesh-bot <openshiftservicemeshbot@gmail.com>
---
 .devcontainer/devcontainer.json               |  2 +-
 .github/workflows/update-deps.yaml            |  2 +-
 Makefile.core.mk                              |  8 ++--
 api/v1alpha1/values_types.gen.go              |  1 +
 bundle.Dockerfile                             |  2 +-
 .../sailoperator.clusterserviceversion.yaml   | 24 +++++-----
 .../manifests/sailoperator.io_istiocnis.yaml  |  2 +-
 .../sailoperator.io_istiorevisions.yaml       |  2 +-
 .../sailoperator.io_istiorevisiontags.yaml    |  2 +-
 bundle/manifests/sailoperator.io_istios.yaml  |  2 +-
 .../manifests/sailoperator.io_ztunnels.yaml   |  2 +-
 ...curity.istio.io_authorizationpolicies.yaml | 44 +++++++++++++++++++
 bundle/metadata/annotations.yaml              |  2 +-
 bundle/tests/scorecard/config.yaml            | 10 ++---
 chart/crds/sailoperator.io_istiocnis.yaml     |  2 +-
 .../crds/sailoperator.io_istiorevisions.yaml  |  2 +-
 .../sailoperator.io_istiorevisiontags.yaml    |  2 +-
 chart/crds/sailoperator.io_istios.yaml        |  2 +-
 chart/crds/sailoperator.io_ztunnels.yaml      |  2 +-
 ...curity.istio.io_authorizationpolicies.yaml | 44 +++++++++++++++++++
 chart/templates/olm/scorecard.yaml            | 10 ++---
 chart/values.yaml                             |  2 +-
 common/.commonfiles.sha                       |  2 +-
 common/config/license-lint.yml                | 16 ++++++-
 common/scripts/setup_env.sh                   |  2 +-
 go.mod                                        |  8 ++--
 go.sum                                        | 16 +++----
 resources/latest/charts/base/Chart.yaml       |  4 +-
 .../latest/charts/base/files/crd-all.gen.yaml | 44 +++++++++++++++++++
 .../profile-compatibility-version-1.24.yaml   |  3 ++
 resources/latest/charts/cni/Chart.yaml        |  4 +-
 .../profile-compatibility-version-1.24.yaml   |  3 ++
 .../charts/cni/templates/clusterrole.yaml     |  2 +-
 .../charts/cni/templates/configmap-cni.yaml   |  1 +
 resources/latest/charts/cni/values.yaml       |  6 ++-
 resources/latest/charts/gateway/Chart.yaml    |  4 +-
 .../profile-compatibility-version-1.24.yaml   |  3 ++
 .../charts/gateway/templates/deployment.yaml  |  2 +-
 resources/latest/charts/istiod/Chart.yaml     |  4 +-
 .../istiod/files/injection-template.yaml      |  2 +-
 .../profile-compatibility-version-1.24.yaml   |  3 ++
 resources/latest/charts/istiod/values.yaml    |  2 +-
 .../profile-compatibility-version-1.24.yaml   |  3 ++
 .../latest/charts/revisiontags/values.yaml    |  2 +-
 resources/latest/charts/ztunnel/Chart.yaml    |  4 +-
 .../profile-compatibility-version-1.24.yaml   |  3 ++
 .../latest/charts/ztunnel/templates/rbac.yaml |  2 +-
 resources/latest/charts/ztunnel/values.yaml   |  2 +-
 versions.yaml                                 | 14 +++---
 49 files changed, 250 insertions(+), 82 deletions(-)

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 7f057ea2f..ce531b794 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:master-0b8e6b9676d328fbeb28a23b8d1134dcc56d98ec",
+  "image": "gcr.io/istio-testing/build-tools:master-18659ab5deb644ab728206113deffe161b181dbf",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",
diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml
index 98cf48313..f50931900 100644
--- a/.github/workflows/update-deps.yaml
+++ b/.github/workflows/update-deps.yaml
@@ -23,7 +23,7 @@ jobs:
   update-deps:
     runs-on: ubuntu-latest
     container:
-      image: gcr.io/istio-testing/build-tools:master-0b8e6b9676d328fbeb28a23b8d1134dcc56d98ec
+      image: gcr.io/istio-testing/build-tools:master-18659ab5deb644ab728206113deffe161b181dbf
       options: --entrypoint ''
 
     steps:
diff --git a/Makefile.core.mk b/Makefile.core.mk
index 04558df11..bc2aed753 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -478,12 +478,12 @@ OPM ?= $(LOCALBIN)/opm
 ISTIOCTL ?= $(LOCALBIN)/istioctl
 
 ## Tool Versions
-OPERATOR_SDK_VERSION ?= v1.38.0
+OPERATOR_SDK_VERSION ?= v1.39.1
 HELM_VERSION ?= v3.16.4
-CONTROLLER_TOOLS_VERSION ?= v0.16.5
-OPM_VERSION ?= v1.49.0
+CONTROLLER_TOOLS_VERSION ?= v0.17.1
+OPM_VERSION ?= v1.50.0
 OLM_VERSION ?= v0.30.0
-GITLEAKS_VERSION ?= v8.21.2
+GITLEAKS_VERSION ?= v8.23.0
 ISTIOCTL_VERSION ?= 1.23.0
 
 # GENERATE_RELATED_IMAGES defines whether `spec.relatedImages` is going to be generated or not
diff --git a/api/v1alpha1/values_types.gen.go b/api/v1alpha1/values_types.gen.go
index f992471a2..bd895f579 100644
--- a/api/v1alpha1/values_types.gen.go
+++ b/api/v1alpha1/values_types.gen.go
@@ -419,6 +419,7 @@ type GlobalConfig struct {
 	IpFamilyPolicy *string `json:"ipFamilyPolicy,omitempty"`
 	// Specifies how waypoints are configured within Istio.
 	Waypoint *WaypointConfig `json:"waypoint,omitempty"` // The next available key is 73
+
 }
 
 // Configuration for Security Token Service (STS) server.
diff --git a/bundle.Dockerfile b/bundle.Dockerfile
index 8b93d32f9..8c0ae3c74 100644
--- a/bundle.Dockerfile
+++ b/bundle.Dockerfile
@@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=sailoperator
 LABEL operators.operatorframework.io.bundle.channels.v1="dev-0.3"
-LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.38.0
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.39.1
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v4
 
diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml
index 888f50a84..773f1c4ec 100644
--- a/bundle/manifests/sailoperator.clusterserviceversion.yaml
+++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml
@@ -34,7 +34,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: OpenShift Optional, Integration & Delivery, Networking, Security
     containerImage: quay.io/maistra-dev/sail-operator:0.3-latest
-    createdAt: "2024-12-19T05:05:23Z"
+    createdAt: "2025-01-15T05:05:24Z"
     description: Experimental operator for installing Istio service mesh
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "true"
@@ -46,7 +46,7 @@ metadata:
     features.operators.openshift.io/token-auth-aws: "false"
     features.operators.openshift.io/token-auth-azure: "false"
     features.operators.openshift.io/token-auth-gcp: "false"
-    operators.operatorframework.io/builder: operator-sdk-v1.38.0
+    operators.operatorframework.io/builder: operator-sdk-v1.39.1
     operators.operatorframework.io/internal-objects: '["wasmplugins.extensions.istio.io","destinationrules.networking.istio.io","envoyfilters.networking.istio.io","gateways.networking.istio.io","proxyconfigs.networking.istio.io","serviceentries.networking.istio.io","sidecars.networking.istio.io","virtualservices.networking.istio.io","workloadentries.networking.istio.io","workloadgroups.networking.istio.io","authorizationpolicies.security.istio.io","peerauthentications.security.istio.io","requestauthentications.security.istio.io","telemetries.telemetry.istio.io"]'
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
     repository: https://github.com/istio-ecosystem/sail-operator
@@ -255,7 +255,7 @@ spec:
           one control plane instance to another. When the \"RevisionBased\"\nstrategy
           is used, a new Istio control plane instance is created for every change
           to the\nIstio.spec.version field. The old control plane remains in place
-          until all workloads have\nbeen moved to the new control plane instance.\n\n\nThe
+          until all workloads have\nbeen moved to the new control plane instance.\n\nThe
           \"InPlace\" strategy is the default.\tTODO: change default to \"RevisionBased\""
         displayName: Type
         path: updateStrategy.type
@@ -371,7 +371,7 @@ spec:
     - v1.22.6
     - v1.22.5
     - v1.21.6
-    - latest (d547b858)
+    - latest (76439c97)
 
     [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it.
   displayName: Sail Operator
@@ -647,10 +647,10 @@ spec:
           template:
             metadata:
               annotations:
-                images.latest.cni: gcr.io/istio-testing/install-cni:1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
-                images.latest.istiod: gcr.io/istio-testing/pilot:1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
-                images.latest.proxy: gcr.io/istio-testing/proxyv2:1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
-                images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+                images.latest.cni: gcr.io/istio-testing/install-cni:1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
+                images.latest.istiod: gcr.io/istio-testing/pilot:1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
+                images.latest.proxy: gcr.io/istio-testing/proxyv2:1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
+                images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
                 images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6
                 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6
                 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6
@@ -843,13 +843,13 @@ spec:
   provider:
     name: Red Hat, Inc.
   relatedImages:
-  - image: gcr.io/istio-testing/install-cni:1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+  - image: gcr.io/istio-testing/install-cni:1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
     name: latest.cni
-  - image: gcr.io/istio-testing/pilot:1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+  - image: gcr.io/istio-testing/pilot:1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
     name: latest.istiod
-  - image: gcr.io/istio-testing/proxyv2:1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+  - image: gcr.io/istio-testing/proxyv2:1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
     name: latest.proxy
-  - image: gcr.io/istio-testing/ztunnel:1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+  - image: gcr.io/istio-testing/ztunnel:1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
     name: latest.ztunnel
   - image: docker.io/istio/install-cni:1.21.6
     name: v1_21_6.cni
diff --git a/bundle/manifests/sailoperator.io_istiocnis.yaml b/bundle/manifests/sailoperator.io_istiocnis.yaml
index 715d15c73..c40e3fc0a 100644
--- a/bundle/manifests/sailoperator.io_istiocnis.yaml
+++ b/bundle/manifests/sailoperator.io_istiocnis.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
   creationTimestamp: null
   name: istiocnis.sailoperator.io
 spec:
diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml
index 1a0b0f2a2..059c5d0be 100644
--- a/bundle/manifests/sailoperator.io_istiorevisions.yaml
+++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
   creationTimestamp: null
   name: istiorevisions.sailoperator.io
 spec:
diff --git a/bundle/manifests/sailoperator.io_istiorevisiontags.yaml b/bundle/manifests/sailoperator.io_istiorevisiontags.yaml
index 90db7a5a2..001026086 100644
--- a/bundle/manifests/sailoperator.io_istiorevisiontags.yaml
+++ b/bundle/manifests/sailoperator.io_istiorevisiontags.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
   creationTimestamp: null
   name: istiorevisiontags.sailoperator.io
 spec:
diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml
index 8cc090376..0ff880db9 100644
--- a/bundle/manifests/sailoperator.io_istios.yaml
+++ b/bundle/manifests/sailoperator.io_istios.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
   creationTimestamp: null
   name: istios.sailoperator.io
 spec:
diff --git a/bundle/manifests/sailoperator.io_ztunnels.yaml b/bundle/manifests/sailoperator.io_ztunnels.yaml
index 0d7e4ff5d..94795719b 100644
--- a/bundle/manifests/sailoperator.io_ztunnels.yaml
+++ b/bundle/manifests/sailoperator.io_ztunnels.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
   creationTimestamp: null
   name: ztunnels.sailoperator.io
 spec:
diff --git a/bundle/manifests/security.istio.io_authorizationpolicies.yaml b/bundle/manifests/security.istio.io_authorizationpolicies.yaml
index fa157496c..742c5a02c 100644
--- a/bundle/manifests/security.istio.io_authorizationpolicies.yaml
+++ b/bundle/manifests/security.istio.io_authorizationpolicies.yaml
@@ -117,6 +117,13 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              notServiceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
                               principals:
                                 description: Optional.
                                 items:
@@ -132,8 +139,22 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              serviceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
                             type: object
+                            x-kubernetes-validations:
+                            - message: Cannot set serviceAccounts with namespaces
+                                or principals
+                              rule: |-
+                                (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) &&
+                                !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true
                         type: object
+                      maxItems: 512
                       type: array
                     to:
                       description: Optional.
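Review bot: The `message` on the new `x-kubernetes-validations` entry names only `serviceAccounts`, `namespaces` and `principals`, while the CEL rule under it also triggers on `notServiceAccounts` and rejects `notPrincipals` and `notNamespaces`, so an author who trips it through a negated field gets an error that never mentions the field they set. A wording that matches the rule would be `message: Cannot set serviceAccounts or notServiceAccounts together with principals, notPrincipals, namespaces or notNamespaces`. The same message is added in the later hunk of this file (at -492) and in both corresponding hunks of chart/crds/security.istio.io_authorizationpolicies.yaml. These manifests look generated from the upstream Istio CRDs, so the wording change probably belongs upstream; the enclosing schema object starts above this hunk.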
@@ -207,6 +228,7 @@ spec:
                         type: object
                       type: array
                   type: object
+                maxItems: 512
                 type: array
               selector:
                 description: Optional.
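Review bot: Adding `maxItems: 512` to an array that previously had no bound tightens the schema of a CRD that is already installed, both here and on the inner array in the preceding hunk (the one closed just before `to:`). Whether an existing AuthorizationPolicy above the bound can still be updated depends on the API server's validation ratcheting, which this diff does not show, so an over-limit policy could become uneditable after the CRD upgrade. This deserves a line in the upgrade notes, for example `AuthorizationPolicy lists are now capped at 512 entries; check existing policies before upgrading the CRD`. The same bound is added in the later hunks of this file and in chart/crds/security.istio.io_authorizationpolicies.yaml; the enclosing schema starts and ends outside the hunk.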
@@ -477,6 +499,13 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              notServiceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
                               principals:
                                 description: Optional.
                                 items:
@@ -492,8 +521,22 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              serviceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
                             type: object
+                            x-kubernetes-validations:
+                            - message: Cannot set serviceAccounts with namespaces
+                                or principals
+                              rule: |-
+                                (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) &&
+                                !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true
                         type: object
+                      maxItems: 512
                       type: array
                     to:
                       description: Optional.
@@ -567,6 +610,7 @@ spec:
                         type: object
                       type: array
                   type: object
+                maxItems: 512
                 type: array
               selector:
                 description: Optional.
diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml
index 64c8aac64..fa359ef48 100644
--- a/bundle/metadata/annotations.yaml
+++ b/bundle/metadata/annotations.yaml
@@ -5,7 +5,7 @@ annotations:
   operators.operatorframework.io.bundle.metadata.v1: metadata/
   operators.operatorframework.io.bundle.package.v1: sailoperator
   operators.operatorframework.io.bundle.channels.v1: "dev-0.3"
-  operators.operatorframework.io.metrics.builder: operator-sdk-v1.38.0
+  operators.operatorframework.io.metrics.builder: operator-sdk-v1.39.1
   operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
   operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4
 
diff --git a/bundle/tests/scorecard/config.yaml b/bundle/tests/scorecard/config.yaml
index cf5c4335e..397065cd7 100644
--- a/bundle/tests/scorecard/config.yaml
+++ b/bundle/tests/scorecard/config.yaml
@@ -8,7 +8,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - basic-check-spec
-    image: quay.io/operator-framework/scorecard-test:v1.38.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: basic
       test: basic-check-spec-test
@@ -18,7 +18,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-bundle-validation
-    image: quay.io/operator-framework/scorecard-test:v1.38.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-bundle-validation-test
@@ -28,7 +28,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-crds-have-validation
-    image: quay.io/operator-framework/scorecard-test:v1.38.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-crds-have-validation-test
@@ -38,7 +38,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-spec-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.38.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-spec-descriptors-test
@@ -48,7 +48,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-status-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.38.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-status-descriptors-test
diff --git a/chart/crds/sailoperator.io_istiocnis.yaml b/chart/crds/sailoperator.io_istiocnis.yaml
index 36d5d3c86..d1c0f19be 100644
--- a/chart/crds/sailoperator.io_istiocnis.yaml
+++ b/chart/crds/sailoperator.io_istiocnis.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
   name: istiocnis.sailoperator.io
 spec:
   group: sailoperator.io
diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml
index 76a8eddee..7159800b1 100644
--- a/chart/crds/sailoperator.io_istiorevisions.yaml
+++ b/chart/crds/sailoperator.io_istiorevisions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
   name: istiorevisions.sailoperator.io
 spec:
   group: sailoperator.io
diff --git a/chart/crds/sailoperator.io_istiorevisiontags.yaml b/chart/crds/sailoperator.io_istiorevisiontags.yaml
index 3c4866eb1..716291003 100644
--- a/chart/crds/sailoperator.io_istiorevisiontags.yaml
+++ b/chart/crds/sailoperator.io_istiorevisiontags.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
   name: istiorevisiontags.sailoperator.io
 spec:
   group: sailoperator.io
diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml
index 3b02d14bd..b11d8b6af 100644
--- a/chart/crds/sailoperator.io_istios.yaml
+++ b/chart/crds/sailoperator.io_istios.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
   name: istios.sailoperator.io
 spec:
   group: sailoperator.io
diff --git a/chart/crds/sailoperator.io_ztunnels.yaml b/chart/crds/sailoperator.io_ztunnels.yaml
index 827970906..08aec9aef 100644
--- a/chart/crds/sailoperator.io_ztunnels.yaml
+++ b/chart/crds/sailoperator.io_ztunnels.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.1
   name: ztunnels.sailoperator.io
 spec:
   group: sailoperator.io
diff --git a/chart/crds/security.istio.io_authorizationpolicies.yaml b/chart/crds/security.istio.io_authorizationpolicies.yaml
index 734288200..1f474c458 100644
--- a/chart/crds/security.istio.io_authorizationpolicies.yaml
+++ b/chart/crds/security.istio.io_authorizationpolicies.yaml
@@ -116,6 +116,13 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              notServiceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
                               principals:
                                 description: Optional.
                                 items:
@@ -131,8 +138,22 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              serviceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
                             type: object
+                            x-kubernetes-validations:
+                            - message: Cannot set serviceAccounts with namespaces
+                                or principals
+                              rule: |-
+                                (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) &&
+                                !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true
                         type: object
+                      maxItems: 512
                       type: array
                     to:
                       description: Optional.
@@ -206,6 +227,7 @@ spec:
                         type: object
                       type: array
                   type: object
+                maxItems: 512
                 type: array
               selector:
                 description: Optional.
@@ -476,6 +498,13 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              notServiceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
                               principals:
                                 description: Optional.
                                 items:
@@ -491,8 +520,22 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              serviceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
                             type: object
+                            x-kubernetes-validations:
+                            - message: Cannot set serviceAccounts with namespaces
+                                or principals
+                              rule: |-
+                                (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) &&
+                                !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true
                         type: object
+                      maxItems: 512
                       type: array
                     to:
                       description: Optional.
@@ -566,6 +609,7 @@ spec:
                         type: object
                       type: array
                   type: object
+                maxItems: 512
                 type: array
               selector:
                 description: Optional.
diff --git a/chart/templates/olm/scorecard.yaml b/chart/templates/olm/scorecard.yaml
index 82c508161..d837da890 100644
--- a/chart/templates/olm/scorecard.yaml
+++ b/chart/templates/olm/scorecard.yaml
@@ -9,7 +9,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - basic-check-spec
-    image: quay.io/operator-framework/scorecard-test:v1.38.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: basic
       test: basic-check-spec-test
@@ -19,7 +19,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-bundle-validation
-    image: quay.io/operator-framework/scorecard-test:v1.38.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-bundle-validation-test
@@ -29,7 +29,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-crds-have-validation
-    image: quay.io/operator-framework/scorecard-test:v1.38.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-crds-have-validation-test
@@ -39,7 +39,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-spec-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.38.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-spec-descriptors-test
@@ -49,7 +49,7 @@ stages:
   - entrypoint:
     - scorecard-test
     - olm-status-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.38.0
+    image: quay.io/operator-framework/scorecard-test:v1.39.1
     labels:
       suite: olm
       test: olm-status-descriptors-test
diff --git a/chart/values.yaml b/chart/values.yaml
index b7e608d05..db7f8669a 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -28,7 +28,7 @@ csv:
     - v1.22.6
     - v1.22.5
     - v1.21.6
-    - latest (d547b858)
+    - latest (76439c97)
 
     [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it.
   support: Community based
diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha
index 3df74a12e..4504d3a1f 100644
--- a/common/.commonfiles.sha
+++ b/common/.commonfiles.sha
@@ -1 +1 @@
-ad4552bfdc5ead45c5d8084e4bf254b788090603
+ba7210ce85bf5b4ea2795fdf3cf66cc971360224
diff --git a/common/config/license-lint.yml b/common/config/license-lint.yml
index ef4859462..8743adf16 100644
--- a/common/config/license-lint.yml
+++ b/common/config/license-lint.yml
@@ -125,4 +125,18 @@ allowlisted_modules:
 
 # Simplified BSD (BSD-2-Clause): https://github.com/russross/blackfriday/blob/master/LICENSE.txt
 - github.com/russross/blackfriday
-- github.com/russross/blackfriday/v2
\ No newline at end of file
+- github.com/russross/blackfriday/v2
+
+# W3C Test Suite License, W3C 3-clause BSD License
+# gonum uses this for its some of its test files
+# gonum.org/v1/gonum/graph/formats/rdf/testdata/LICENSE.md
+- gonum.org/v1/gonum
+
+# BSD 3-clause: https://github.com/go-inf/inf/blob/v0.9.1/LICENSE
+- gopkg.in/inf.v0
+
+# BSD 3-clause: https://github.com/go-git/gcfg/blob/main/LICENSE
+- github.com/go-git/gcfg
+
+# Apache 2.0
+- github.com/aws/smithy-go
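Review bot: The new entry `- gonum.org/v1/gonum` allowlists the whole module, although its comment says the W3C licence applies only to some test files. If the linter treats an allowlisted module as exempt from licence checks (not visible here), a later licence change elsewhere in gonum would pass unnoticed. The comment also has a slip and could read `# gonum uses this for some of its test files`, and `# Apache 2.0` is the only added entry without a link to the licence text, which the two BSD entries beside it have. The file appears to be synced from shared common files (common/.commonfiles.sha changes in the same commit), so the fix likely belongs in that source.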
diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh
index 82ab62499..1bc9bde45 100755
--- a/common/scripts/setup_env.sh
+++ b/common/scripts/setup_env.sh
@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=master-0b8e6b9676d328fbeb28a23b8d1134dcc56d98ec
+  IMAGE_VERSION=master-18659ab5deb644ab728206113deffe161b181dbf
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   IMAGE_NAME=build-tools
diff --git a/go.mod b/go.mod
index 0cc6605f8..4183db9aa 100644
--- a/go.mod
+++ b/go.mod
@@ -25,8 +25,8 @@ require (
 	gomodules.xyz/jsonpatch/v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.16.3
-	istio.io/client-go v1.24.0-alpha.0.0.20241218215832-3daa0126820b
-	istio.io/istio v0.0.0-20241219014932-d547b8580cf6
+	istio.io/client-go v1.24.0-alpha.0.0.20250103213757-fb95213c2bc2
+	istio.io/istio v0.0.0-20250115035851-76439c975a78
 	k8s.io/api v0.32.0
 	k8s.io/apiextensions-apiserver v0.32.0
 	k8s.io/apimachinery v0.32.0
@@ -152,7 +152,7 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e // indirect
-	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/oauth2 v0.24.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
@@ -167,7 +167,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gotest.tools/v3 v3.5.1 // indirect
-	istio.io/api v1.24.0-alpha.0.0.20241218215532-27d505cbdb11 // indirect
+	istio.io/api v1.24.0-alpha.0.0.20250103213058-f293e9c39285 // indirect
 	k8s.io/apiserver v0.32.0 // indirect
 	k8s.io/component-base v0.32.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
diff --git a/go.sum b/go.sum
index 13fa41fe8..4a673cb93 100644
--- a/go.sum
+++ b/go.sum
@@ -421,8 +421,8 @@ golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
 golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -494,12 +494,12 @@ gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 helm.sh/helm/v3 v3.16.3 h1:kb8bSxMeRJ+knsK/ovvlaVPfdis0X3/ZhYCSFRP+YmY=
 helm.sh/helm/v3 v3.16.3/go.mod h1:zeVWGDR4JJgiRbT3AnNsjYaX8OTJlIE9zC+Q7F7iUSU=
-istio.io/api v1.24.0-alpha.0.0.20241218215532-27d505cbdb11 h1:AlkTHCbrikiyS6Pz4Qke8+yXEOpgpC8kRMBaBClAIpg=
-istio.io/api v1.24.0-alpha.0.0.20241218215532-27d505cbdb11/go.mod h1:QFzEXv/IT582T0FHZVp1QoolvE4ws0zz/vVO55blmlE=
-istio.io/client-go v1.24.0-alpha.0.0.20241218215832-3daa0126820b h1:c8USLMmfK3eOUbQ4ut9nT4fnX48nx4mUc7q2AMu5Ppo=
-istio.io/client-go v1.24.0-alpha.0.0.20241218215832-3daa0126820b/go.mod h1:SETUIw6SAGTLesSeed9N0SbW+72RoYB1J9LHuWgpMkQ=
-istio.io/istio v0.0.0-20241219014932-d547b8580cf6 h1:HN+KGGjBUnAY/oAcuAJgZITuwIajFZdPYyxyefozmyg=
-istio.io/istio v0.0.0-20241219014932-d547b8580cf6/go.mod h1:TiOIr/B86DoFGpimy1QGCrQbCT4XCJIbZ9fvs1mZ7AU=
+istio.io/api v1.24.0-alpha.0.0.20250103213058-f293e9c39285 h1:HMEJDYg8lxp2g/I7oHZPX91DkbYlHKYBJ+hm76U6Q24=
+istio.io/api v1.24.0-alpha.0.0.20250103213058-f293e9c39285/go.mod h1:QFzEXv/IT582T0FHZVp1QoolvE4ws0zz/vVO55blmlE=
+istio.io/client-go v1.24.0-alpha.0.0.20250103213757-fb95213c2bc2 h1:egds+0nRCW+ACMq0Zj+mQ7rdZFiuJWhduL+JF847Njc=
+istio.io/client-go v1.24.0-alpha.0.0.20250103213757-fb95213c2bc2/go.mod h1:SxwtgVDTEray23wIAmsXnzpXiKckYH3G+TISxorESUo=
+istio.io/istio v0.0.0-20250115035851-76439c975a78 h1:9/PvvNFPWwRCunY8Ztq6QDH8fND1SMG8AX9ONLovwkY=
+istio.io/istio v0.0.0-20250115035851-76439c975a78/go.mod h1:gwxuNcyDdTWkypGK2J6ENSeGrNfIzWBsxGLsm5MHpRA=
 k8s.io/api v0.32.0 h1:OL9JpbvAU5ny9ga2fb24X8H6xQlVp+aJMFlgtQjR9CE=
 k8s.io/api v0.32.0/go.mod h1:4LEwHZEf6Q/cG96F3dqR965sYOfmPM7rq81BLgsE0p0=
 k8s.io/apiextensions-apiserver v0.32.0 h1:S0Xlqt51qzzqjKPxfgX1xh4HBZE+p8KKBq+k2SWNOE0=
diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml
index 360100c65..4b8aad2b5 100644
--- a/resources/latest/charts/base/Chart.yaml
+++ b/resources/latest/charts/base/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+appVersion: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
 description: Helm chart for deploying Istio cluster resources and CRDs
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -7,4 +7,4 @@ keywords:
 name: base
 sources:
 - https://github.com/istio/istio
-version: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+version: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
diff --git a/resources/latest/charts/base/files/crd-all.gen.yaml b/resources/latest/charts/base/files/crd-all.gen.yaml
index 5360fe804..fe8bc7d21 100644
--- a/resources/latest/charts/base/files/crd-all.gen.yaml
+++ b/resources/latest/charts/base/files/crd-all.gen.yaml
@@ -14717,6 +14717,13 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              notServiceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
                               principals:
                                 description: Optional.
                                 items:
@@ -14732,8 +14739,22 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              serviceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
                             type: object
+                            x-kubernetes-validations:
+                            - message: Cannot set serviceAccounts with namespaces
+                                or principals
+                              rule: |-
+                                (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) &&
+                                !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true
                         type: object
+                      maxItems: 512
                       type: array
                     to:
                       description: Optional.
@@ -14807,6 +14828,7 @@ spec:
                         type: object
                       type: array
                   type: object
+                maxItems: 512
                 type: array
               selector:
                 description: Optional.
@@ -15077,6 +15099,13 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              notServiceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
                               principals:
                                 description: Optional.
                                 items:
@@ -15092,8 +15121,22 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              serviceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
                             type: object
+                            x-kubernetes-validations:
+                            - message: Cannot set serviceAccounts with namespaces
+                                or principals
+                              rule: |-
+                                (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) &&
+                                !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true
                         type: object
+                      maxItems: 512
                       type: array
                     to:
                       description: Optional.
@@ -15167,6 +15210,7 @@ spec:
                         type: object
                       type: array
                   type: object
+                maxItems: 512
                 type: array
               selector:
                 description: Optional.
diff --git a/resources/latest/charts/base/files/profile-compatibility-version-1.24.yaml b/resources/latest/charts/base/files/profile-compatibility-version-1.24.yaml
index 2704a7d95..cd989a73c 100644
--- a/resources/latest/charts/base/files/profile-compatibility-version-1.24.yaml
+++ b/resources/latest/charts/base/files/profile-compatibility-version-1.24.yaml
@@ -6,3 +6,6 @@ pilot:
   env:
     # 1.24 behavioral changes
     PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+cni:
+  ambient:
+    dnsCapture: false
diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml
index 7dff03064..1030df5ac 100644
--- a/resources/latest/charts/cni/Chart.yaml
+++ b/resources/latest/charts/cni/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+appVersion: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: cni
 sources:
 - https://github.com/istio/istio
-version: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+version: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
diff --git a/resources/latest/charts/cni/files/profile-compatibility-version-1.24.yaml b/resources/latest/charts/cni/files/profile-compatibility-version-1.24.yaml
index 2704a7d95..cd989a73c 100644
--- a/resources/latest/charts/cni/files/profile-compatibility-version-1.24.yaml
+++ b/resources/latest/charts/cni/files/profile-compatibility-version-1.24.yaml
@@ -6,3 +6,6 @@ pilot:
   env:
     # 1.24 behavioral changes
     PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+cni:
+  ambient:
+    dnsCapture: false
diff --git a/resources/latest/charts/cni/templates/clusterrole.yaml b/resources/latest/charts/cni/templates/clusterrole.yaml
index bd9ba7fdf..a51cd782f 100644
--- a/resources/latest/charts/cni/templates/clusterrole.yaml
+++ b/resources/latest/charts/cni/templates/clusterrole.yaml
@@ -18,7 +18,7 @@ rules:
 - apiGroups: [""]
   resources: ["pods","nodes","namespaces"]
   verbs: ["get", "list", "watch"]
-{{- if (eq (coalesce .Values.platform .Values.global.platform) "openshift") }}
+{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }}
 - apiGroups: ["security.openshift.io"]
   resources: ["securitycontextconstraints"]
   resourceNames: ["privileged"]
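Review bot: The nil-safe platform test is spelled two ways across this patch: here it coalesces `.Values.platform` with `.Values.global.platform`, while the gateway `deployment.yaml` and ztunnel `rbac.yaml` hunks read only `.Values.platform`. Whether those two charts accept a global platform value is not visible in the hunks; if they do, an install that sets only the global value would still get `runAsUser: 1337` on the gateway and would not get the ztunnel ClusterRole. Where the value exists, using the same expression everywhere, `eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift"`, would keep the OpenShift branches consistent; otherwise a short template comment in the other two files could say why global is not consulted. The rules list this condition guards continues past the end of the hunk.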
diff --git a/resources/latest/charts/cni/templates/configmap-cni.yaml b/resources/latest/charts/cni/templates/configmap-cni.yaml
index 39a09fb69..2c2bfe57f 100644
--- a/resources/latest/charts/cni/templates/configmap-cni.yaml
+++ b/resources/latest/charts/cni/templates/configmap-cni.yaml
@@ -16,6 +16,7 @@ data:
   AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }}
   AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | default "false" | quote  }}
   AMBIENT_IPV6: {{ .Values.ambient.ipv6 | default "false" | quote }}
+  AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | default "false" | quote }}
   {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values
   CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires..
   {{- end }}
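Review bot: The new key `AMBIENT_RECONCILE_POD_RULES_ON_STARTUP` takes its value from `.Values.ambient.reconcileIptablesOnStartup`, so the setting has two different names depending on whether one reads the chart values or the rendered ConfigMap. The neighbouring `AMBIENT_DNS_CAPTURE` and `AMBIENT_IPV6` keys mirror their value names. A trailing comment in the style of the `CNI_CONF_NAME` line, e.g. `# set from ambient.reconcileIptablesOnStartup`, would make the mapping searchable. The `data:` block starts above the hunk.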
diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml
index bbcd96e2d..c0457ddd9 100644
--- a/resources/latest/charts/cni/values.yaml
+++ b/resources/latest/charts/cni/values.yaml
@@ -48,9 +48,11 @@ _internal_defaults_do_not_set:
     # Set ambient config dir path: defaults to /etc/ambient-config
     configDir: ""
     # If enabled, and ambient is enabled, DNS redirection will be enabled
-    dnsCapture: false
+    dnsCapture: true
     # If enabled, and ambient is enabled, enables ipv6 support
     ipv6: true
+    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
+    reconcileIptablesOnStartup: false
 
 
   repair:
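Review bot: Flipping `dnsCapture` to `true` changes the default for every ambient install that does not set the value, yet the comment above it still only describes what the option does. Within this patch only the `profile-compatibility-version-1.24.yaml` files pin it back to `false`, so a comment such as `# Default is now true; the 1.24 compatibility profile keeps false` would tell operators where the old behaviour went. Because the option turns on DNS redirection, clusters that rely on DNS-based egress controls or DNS logging should presumably be re-checked after the upgrade; that is an inference from the comment text, not something the hunk shows. The enclosing `ambient:` mapping starts above the hunk.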
@@ -113,7 +115,7 @@ _internal_defaults_do_not_set:
     hub: gcr.io/istio-testing
 
     # Default tag for Istio images.
-    tag: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+    tag: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
 
     # Variant of the image to use.
     # Currently supported are: [debug, distroless]
diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml
index 2f5888196..999239853 100644
--- a/resources/latest/charts/gateway/Chart.yaml
+++ b/resources/latest/charts/gateway/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+appVersion: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+version: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
diff --git a/resources/latest/charts/gateway/files/profile-compatibility-version-1.24.yaml b/resources/latest/charts/gateway/files/profile-compatibility-version-1.24.yaml
index 2704a7d95..cd989a73c 100644
--- a/resources/latest/charts/gateway/files/profile-compatibility-version-1.24.yaml
+++ b/resources/latest/charts/gateway/files/profile-compatibility-version-1.24.yaml
@@ -6,3 +6,6 @@ pilot:
   env:
     # 1.24 behavioral changes
     PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+cni:
+  ambient:
+    dnsCapture: false
diff --git a/resources/latest/charts/gateway/templates/deployment.yaml b/resources/latest/charts/gateway/templates/deployment.yaml
index e9bfbbd36..9db59d8b9 100644
--- a/resources/latest/charts/gateway/templates/deployment.yaml
+++ b/resources/latest/charts/gateway/templates/deployment.yaml
@@ -77,7 +77,7 @@ spec:
             allowPrivilegeEscalation: false
             privileged: false
             readOnlyRootFilesystem: true
-            {{- if not (eq .Values.platform "openshift") }}
+            {{- if not (eq (.Values.platform | default "") "openshift") }}
             runAsUser: 1337
             runAsGroup: 1337
             {{- end }}
diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml
index 3e0c4d7e3..95af023fb 100644
--- a/resources/latest/charts/istiod/Chart.yaml
+++ b/resources/latest/charts/istiod/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+appVersion: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+version: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
diff --git a/resources/latest/charts/istiod/files/injection-template.yaml b/resources/latest/charts/istiod/files/injection-template.yaml
index 93eafdacd..3b3f69cd9 100644
--- a/resources/latest/charts/istiod/files/injection-template.yaml
+++ b/resources/latest/charts/istiod/files/injection-template.yaml
@@ -52,7 +52,7 @@ metadata:
     sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
     {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
     {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
-    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
     traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
     {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
     traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
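Review bot: `traffic.sidecar.istio.io/includeInboundPorts` is now written unconditionally, so an empty or unset value is rendered as an explicit `""`, while the two `...OutboundIPRanges` lines just above still drop the key through `with`. How the consumer of this annotation treats an empty list as opposed to a missing key is not visible in the hunk, and since the setting decides which inbound ports are redirected to the sidecar, the difference deserves to be stated. A template comment above the line, for example `{{- /* always emitted: an empty value must stay distinguishable from an unset one */}}` if that is the intent, would explain the asymmetry. The annotations block starts and ends outside the hunk.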
diff --git a/resources/latest/charts/istiod/files/profile-compatibility-version-1.24.yaml b/resources/latest/charts/istiod/files/profile-compatibility-version-1.24.yaml
index 2704a7d95..cd989a73c 100644
--- a/resources/latest/charts/istiod/files/profile-compatibility-version-1.24.yaml
+++ b/resources/latest/charts/istiod/files/profile-compatibility-version-1.24.yaml
@@ -6,3 +6,6 @@ pilot:
   env:
     # 1.24 behavioral changes
     PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+cni:
+  ambient:
+    dnsCapture: false
diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml
index f359aa8ec..076011e3c 100644
--- a/resources/latest/charts/istiod/values.yaml
+++ b/resources/latest/charts/istiod/values.yaml
@@ -242,7 +242,7 @@ _internal_defaults_do_not_set:
     # Dev builds from prow are on gcr.io
     hub: gcr.io/istio-testing
     # Default tag for Istio images.
-    tag: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+    tag: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
     # Variant of the image to use.
     # Currently supported are: [debug, distroless]
     variant: ""
diff --git a/resources/latest/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/resources/latest/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
index 2704a7d95..cd989a73c 100644
--- a/resources/latest/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
+++ b/resources/latest/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
@@ -6,3 +6,6 @@ pilot:
   env:
     # 1.24 behavioral changes
     PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+cni:
+  ambient:
+    dnsCapture: false
diff --git a/resources/latest/charts/revisiontags/values.yaml b/resources/latest/charts/revisiontags/values.yaml
index f359aa8ec..076011e3c 100644
--- a/resources/latest/charts/revisiontags/values.yaml
+++ b/resources/latest/charts/revisiontags/values.yaml
@@ -242,7 +242,7 @@ _internal_defaults_do_not_set:
     # Dev builds from prow are on gcr.io
     hub: gcr.io/istio-testing
     # Default tag for Istio images.
-    tag: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+    tag: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
     # Variant of the image to use.
     # Currently supported are: [debug, distroless]
     variant: ""
diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml
index 387b012f2..bc336c51b 100644
--- a/resources/latest/charts/ztunnel/Chart.yaml
+++ b/resources/latest/charts/ztunnel/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+appVersion: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
 description: Helm chart for istio ztunnel components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: ztunnel
 sources:
 - https://github.com/istio/istio
-version: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+version: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
diff --git a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
index 2704a7d95..cd989a73c 100644
--- a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
+++ b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
@@ -6,3 +6,6 @@ pilot:
   env:
     # 1.24 behavioral changes
     PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+cni:
+  ambient:
+    dnsCapture: false
diff --git a/resources/latest/charts/ztunnel/templates/rbac.yaml b/resources/latest/charts/ztunnel/templates/rbac.yaml
index 21b0e8de3..3b90cf5af 100644
--- a/resources/latest/charts/ztunnel/templates/rbac.yaml
+++ b/resources/latest/charts/ztunnel/templates/rbac.yaml
@@ -21,7 +21,7 @@ metadata:
     {{- .Values.annotations | toYaml | nindent 4 }}
 {{- end }}
 ---
-{{- if (eq .Values.platform "openshift") }}
+{{- if (eq (.Values.platform | default "") "openshift") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml
index 5c8b9bd67..83162360b 100644
--- a/resources/latest/charts/ztunnel/values.yaml
+++ b/resources/latest/charts/ztunnel/values.yaml
@@ -4,7 +4,7 @@ _internal_defaults_do_not_set:
   # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
   hub: gcr.io/istio-testing
   # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
-  tag: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+  tag: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
   # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
   variant: ""
 
diff --git a/versions.yaml b/versions.yaml
index 4dbc419ff..15f47b772 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -115,13 +115,13 @@ versions:
       - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz
       - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz
   - name: latest
-    version: 1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea
+    version: 1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e
     repo: https://github.com/istio/istio
     branch: master
-    commit: d547b8580cf6298e15ba732823b2e027071516ea
+    commit: 76439c975a78c08419c0b1a75e79a9c479fd631e
     charts:
-      - https://storage.googleapis.com/istio-build/dev/1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea/helm/base-1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea.tgz
-      - https://storage.googleapis.com/istio-build/dev/1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea/helm/cni-1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea.tgz
-      - https://storage.googleapis.com/istio-build/dev/1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea/helm/gateway-1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea.tgz
-      - https://storage.googleapis.com/istio-build/dev/1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea/helm/istiod-1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea.tgz
-      - https://storage.googleapis.com/istio-build/dev/1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea/helm/ztunnel-1.25-alpha.d547b8580cf6298e15ba732823b2e027071516ea.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e/helm/base-1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e/helm/cni-1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e/helm/gateway-1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e/helm/istiod-1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e/helm/ztunnel-1.25-alpha.76439c975a78c08419c0b1a75e79a9c479fd631e.tgz