fix(helm): update chart cilium to 1.16.5

[renovate]

This PR contains the following updates:

Package	Update	Change
cilium (source)	patch	1.16.1 -> 1.16.5

---

Release Notes

cilium/cilium (cilium)

v1.16.5: 1.16.5

Compare Source

Summary of Changes

Minor Changes:

• hubble: Stop building 32-bit binaries (Backport PR #​36066, Upstream PR #​35974, @​michi-covalent)

Bugfixes:

• Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (Backport PR #​36540, Upstream PR #​36484, @​julianwiedmann)
• bgp: fix race in bgp stores (Backport PR #​36066, Upstream PR #​35971, @​harsimran-pabla)
• BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR #​36286, Upstream PR #​36230, @​rastislavs)
• BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR #​36286, Upstream PR #​36165, @​rastislavs)
• Cilium agent now waits until endpoints have restored before starting accepting new xDS streams. (Backport PR #​36049, Upstream PR #​35984, @​jrajahalme)
• Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (Backport PR #​36462, Upstream PR #​36252, @​bimmlerd)
• cilium-health-ep controller is made to be more robust against successive failures. (Backport PR #​36066, Upstream PR #​35936, @​jrajahalme)
• DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (Backport PR #​36468, Upstream PR #​36142, @​jrajahalme)
• Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (Backport PR #​36049, Upstream PR #​36060, @​jrajahalme)
• Fix an issue where pod-to-world traffic goes up stack when BPF host routing is enabled with tunnel. (Backport PR #​35861, Upstream PR #​35098, @​jschwinger233)
• Fix identity leak for kvstore identity mode (Backport PR #​36066, Upstream PR #​34893, @​odinuge)
• Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (Backport PR #​36302, Upstream PR #​36292, @​giorio94)
• gateway-api: Fix gateway checks for namespace (Backport PR #​36462, Upstream PR #​35452, @​sayboras)
• gha: Remove hostLegacyRouting in clustermesh (Backport PR #​36357, Upstream PR #​35418, @​sayboras)
• helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (Backport PR #​36066, Upstream PR #​36005, @​devodev)
• hubble: consistently use v as prefix for the Hubble version (Backport PR #​36286, Upstream PR #​35891, @​rolinh)
• iptables: Fix data race in iptables manager (Backport PR #​36066, Upstream PR #​35902, @​pippolo84)
• lrp: update LRP services with stale backends on agent restart (Backport PR #​36106, Upstream PR #​36036, @​ysksuzuki)
• policy: Fix bug that allowed port ranges to be attached to L7 policies, which is not permitted. (#​36050, @​nathanjsweet)
• Unbreak the cilium-dbg preflight migrate-identity command (Backport PR #​36286, Upstream PR #​36089, @​giorio94)
• Use strconv.Itoa instead of string() for the correct behavior when converting kafka.ErrorCode from int32 to string. Add relevant unit tests for Kafka plugin and handler. (Backport PR #​36066, Upstream PR #​35856, @​nddq)

CI Changes:

• [v1.16] ci: modularize chart CI push workflow (#​35958, @​ferozsalam)
• gh: conformance-clustermesh: test with IPsec + BPF NodePort (Backport PR #​36462, Upstream PR #​36384, @​julianwiedmann)
• gha: configure environment in build-images-base/image-digests job (Backport PR #​36462, Upstream PR #​36318, @​giorio94)
• node_local_store: prevent racey tests while using mock node store. (Backport PR #​36066, Upstream PR #​35945, @​tommyp1ckles)
• Remove unnecessary hubble port-forward commands (Backport PR #​36066, Upstream PR #​33523, @​michi-covalent)

Misc Changes:

• [v1.16] docs: egress masquerade selector (#​36333, @​viktor-kurchenko)
• [v1.16] images: bump cni plugins to v1.6.0 (#​36092, @​ferozsalam)
• bugtool: dump tail-call map for bpf_wireguard (Backport PR #​36286, Upstream PR #​36183, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.16) (#​36155, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36275, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36443, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (patch) (#​36277, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35546, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36152, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36279, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36444, @​cilium-renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.16) (#​36153, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.9 docker digest to 147f428 (v1.16) (#​36222, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.10 (v1.16) (#​36441, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1732605705-2aa20ee3acb68cd38d57669af19508bea8f0ba62 (v1.16) (#​36180, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 (v1.16) (#​36495, @​cilium-renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241129.013349 (v1.16) (#​36278, @​cilium-renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241206.013345 (v1.16) (#​36442, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36154, @​cilium-renovate[bot])
• docs: Add the tls:// prefix before the IP address (Backport PR #​36286, Upstream PR #​36118, @​liyihuang)
• docs: Fix typo in multi-pool section title (Backport PR #​36312, Upstream PR #​36305, @​joestringer)
• docs: In k0s guide, remove dashes to fix invalid Bash variable names. (Backport PR #​36066, Upstream PR #​35923, @​yilas)
• docs: lrp: fix kernel version requirement for skipRedirectFromBackend (Backport PR #​36066, Upstream PR #​35921, @​ysksuzuki)
• docs: system-requirements: require 5.4 kernel (Backport PR #​36462, Upstream PR #​36386, @​julianwiedmann)
• docs: WireGuard doesn't require overlay port in Network Firewalls (Backport PR #​36286, Upstream PR #​36208, @​julianwiedmann)
• Endpoint populate new policymap early if empty (Backport PR #​36479, Upstream PR #​36361, @​jrajahalme)
• envoy: Configure internal_address_config to avoid warning log (Backport PR #​36015, Upstream PR #​35943, @​sayboras)
• envoy: Pass tofqdns-proxy-response-max-delay to Envoy (Backport PR #​36468, Upstream PR #​36330, @​jrajahalme)
• fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (v1.16) (#​36530, @​cilium-renovate[bot])
• Fixed BGP documentation (Backport PR #​36066, Upstream PR #​35953, @​seadog007)
• images: Use cilium-builder image instead of golang to build hubble (Backport PR #​36312, Upstream PR #​35697, @​learnitall)
• lrp: fix kernel version requirement in warning log (Backport PR #​36286, Upstream PR #​36141, @​ysksuzuki)
• Makefile: fix swagger definition for automatic renovate updates (Backport PR #​36066, Upstream PR #​35979, @​aanm)
• proxy: Take proxy port reference for new redirects immediately (Backport PR #​36468, Upstream PR #​36435, @​jrajahalme)
• proxyports: Resolve data races in test (Backport PR #​36468, Upstream PR #​36399, @​jrajahalme)
• proxyports: Sleep a bit longer in tests (Backport PR #​36468, Upstream PR #​36389, @​jrajahalme)
• Remove duplicated watch on services and endpoint in the cilium-agent (Backport PR #​36066, Upstream PR #​35838, @​MrFreezeex)
• Rework error handling logic in neighbor discovery (Backport PR #​36093, Upstream PR #​35144, @​pippolo84)
• Silence spurious clustermesh-related warnings (Backport PR #​36225, Upstream PR #​35867, @​giorio94)
• Update documentation for egress masquerading behavior (Backport PR #​36462, Upstream PR #​36267, @​liyihuang)

Other Changes:

• [1.16] ci/ipsec-upgrade: increase cilium status wait duration (#​36082, @​harsimran-pabla)
• [v1.16] cilium, service: Fix checkLBSrcRange propagation to LB map (#​36511, @​borkmann)
• install: Update image digests for v1.16.4 (#​36047, @​cilium-release-bot[bot])
• jrajahalme/v1.16 cilium cli (#​36541, @​jrajahalme)
• Revert "workflows/ipsec: Cover Ingress" (#​36116, @​harsimran-pabla)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.5@​sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
quay.io/cilium/cilium:stable@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.5@​sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958
quay.io/cilium/clustermesh-apiserver:stable@sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958

docker-plugin

quay.io/cilium/docker-plugin:v1.16.5@​sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768
quay.io/cilium/docker-plugin:stable@sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768

hubble-relay

quay.io/cilium/hubble-relay:v1.16.5@​sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00
quay.io/cilium/hubble-relay:stable@sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.5@​sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0
quay.io/cilium/operator-alibabacloud:stable@sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0

operator-aws

quay.io/cilium/operator-aws:v1.16.5@​sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476
quay.io/cilium/operator-aws:stable@sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476

operator-azure

quay.io/cilium/operator-azure:v1.16.5@​sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9
quay.io/cilium/operator-azure:stable@sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9

operator-generic

quay.io/cilium/operator-generic:v1.16.5@​sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039
quay.io/cilium/operator-generic:stable@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039

operator

quay.io/cilium/operator:v1.16.5@​sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940
quay.io/cilium/operator:stable@sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940

v1.16.4: 1.16.4

Compare Source

Security Advisories

This release addresses GHSA-xg58-75qf-9r67.

Summary of Changes

Minor Changes:

• Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR #​35908, Upstream PR #​35809, @​jrajahalme)
• clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR #​35543, Upstream PR #​35349, @​giorio94)
• helm: Lower default hubble.tls.auto.certValidityDuration to 365 days (Backport PR #​35781, Upstream PR #​35630, @​chancez)
• helm: New socketLB.tracing flag (Backport PR #​35781, Upstream PR #​35747, @​pchaigno)
• hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR #​35781, Upstream PR #​35632, @​chancez)
• netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport PR #​35543, Upstream PR #​35306, @​jrife)

Bugfixes:

• Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR #​35468, Upstream PR #​35179, @​wedaly)
• bgpv1: fix reconciliation of services with shared VIPs (Backport PR #​35468, Upstream PR #​35333, @​rastislavs)
• bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR #​35863, Upstream PR #​35690, @​YutaroHayakawa)
• bgpv2: set local peering address when specified (Backport PR #​35781, Upstream PR #​35552, @​harsimran-pabla)
• Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport PR #​35603, Upstream PR #​35150, @​jrajahalme)
• Cilium's DNS proxy no longer gets stuck for a specific five-tuple if an timeout waiting for response error is encountered. (Backport PR #​35781, Upstream PR #​35589, @​bimmlerd)
• config: Remove superfluous warning on native routing CIDR (Backport PR #​35781, Upstream PR #​35738, @​gandro)
• Fix missing flowlabel hash on SRv6 traffic. (Backport PR #​35781, Upstream PR #​35498, @​akaliwod)
• Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR #​35543, Upstream PR #​35173, @​smagnani96)
• Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport PR #​35781, Upstream PR #​35673, @​giorio94)
• Fix redirect from L3 device to remote endpoint via overlay network. (Backport PR #​35468, Upstream PR #​35165, @​julianwiedmann)
• Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR #​35908, Upstream PR #​35694, @​julianwiedmann)
• Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport PR #​35781, Upstream PR #​35599, @​squeed)
• Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport PR #​35543, Upstream PR #​35293, @​squeed)
• Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport PR #​35906, Upstream PR #​35890, @​squeed)
• Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (#​35611, @​pippolo84)
• helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport PR #​35319, Upstream PR #​35301, @​hox)
• helm: fix duplicate configmap key for bpf-lb-sock-terminate-pod-connections (Backport PR #​35781, Upstream PR #​35703, @​solidDoWant)
• helm: set automountServiceAccountToken to false for hubble-relay sa (Backport PR #​35781, Upstream PR #​35674, @​ayuspin)
• hubble: fix endpoint cluster name (Backport PR #​35781, Upstream PR #​35415, @​kaworu)
• hubble: Lock exporters while gathering metrics (Backport PR #​35908, Upstream PR #​35860, @​joestringer)
• Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for them. (Backport PR #​35781, Upstream PR #​35143, @​jrajahalme)
• ipam: Validate CiliumNode resource in ENI mode (Backport PR #​35792, Upstream PR #​35784, @​sayboras)
• l7lb: fix registration of flag loadbalancer-l7 (Backport PR #​35781, Upstream PR #​35623, @​mhofstetter)
• Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport PR #​35319, Upstream PR #​35069, @​chancez)
• option: Reduce log level for WG strict mode + IPv6 (Backport PR #​35908, Upstream PR #​35763, @​pchaigno)
• Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (Backport PR #​35468, Upstream PR #​35381, @​jrajahalme)
• treewide: Add wrapper for netlink functions that may fail with ErrDumpInterrupted (Backport PR #​35654, Upstream PR #​35614, @​gandro)
• wireguard: Fix connectivity issues following node reboots. (Backport PR #​35908, Upstream PR #​35750, @​jrife)

CI Changes:

• .github/conformance-ginkgo: replace deprecated jq flag (Backport PR #​35468, Upstream PR #​35399, @​aanm)
• .github: extend timeout for tests-ipsec-upgrade workflow (Backport PR #​35781, Upstream PR #​35657, @​rastislavs)
• .github: remove libncurses5 from integration tests (Backport PR #​35468, Upstream PR #​35408, @​aanm)
• [v1.16] gh: e2e-upgrade: restart LRP backend pod after upgrade (#​35329, @​ysksuzuki)
• [v1.16] github: update rhel8 LVH image to rhel8.6 (#​35733, @​julianwiedmann)
• Additionally test KVStore mode in E2E/IPSec workflows (Backport PR #​35905, Upstream PR #​35679, @​giorio94)
• ci: conformance-kind: re-enable flaky Aggregator test (Backport PR #​35582, Upstream PR #​35286, @​julianwiedmann)
• ci: datapath-verifier: bump lvh images (Backport PR #​35648, Upstream PR #​35456, @​julianwiedmann)
• gha: Update chmod command (Backport PR #​35468, Upstream PR #​35400, @​sayboras)
• github: Pass the workflow step timeout to go test (Backport PR #​35908, Upstream PR #​35814, @​jrajahalme)
• Refactor and set a default for GH_RUNNER_EXTRA_POWER (Backport PR #​35319, Upstream PR #​35267, @​aanm)
• workflows/gateway-api: Cover IPsec with GatewayAPI (Backport PR #​35908, Upstream PR #​35584, @​pchaigno)
• workflows/ingress: Run basic checks (Backport PR #​35908, Upstream PR #​35683, @​pchaigno)
• workflows/ipsec: Cover Ingress (Backport PR #​35908, Upstream PR #​35476, @​pchaigno)
• workflows: Extend IPsec tests to cover egress gateway (Backport PR #​35540, Upstream PR #​35323, @​pchaigno)

Misc Changes:

• .github/build-images-base: checkout base branch to get scripts (Backport PR #​35319, Upstream PR #​35236, @​aanm)
• .github: remove retention days for image digests (Backport PR #​35468, Upstream PR #​35457, @​aanm)
• bpf: vxlan helper improvements (Backport PR #​35543, Upstream PR #​34755, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.16) (#​35382, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35439, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35573, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35710, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35438, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.16) (#​35730, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.8 docker digest to b274ff1 (v1.16) (#​35379, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.9 (v1.16) (#​35854, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729635771-fa4efeff33a344a45e14a4068c61dc438b3d2270 (v1.16) (#​35491, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​35731, @​cilium-renovate[bot])
• cilium, docs: Extend requirements for L7 proxy (Backport PR #​35781, Upstream PR #​35669, @​borkmann)
• cilium: add probe for netkit for more user friendly error when not supported (Backport PR #​35781, Upstream PR #​35551, @​borkmann)
• ctrl-runtime: lower severity of retryable reconcile errors (Backport PR #​35592, Upstream PR #​35364, @​giorio94)
• daemon: Reduce level of socket LB tracing warning (Backport PR #​35908, Upstream PR #​35798, @​pchaigno)
• datapath: move policy map value prefix length to flags (Backport PR #​35603, Upstream PR #​35534, @​jrajahalme)
• dnsproxy: fix error when sessionUDPFactory fails (Backport PR #​35543, Upstream PR #​33998, @​marseel)
• docs/ipsec: Remove KPR limitation (Backport PR #​35908, Upstream PR #​35743, @​pchaigno)
• docs/xfrm: Fix incorrect statement regarding XFRM IN policies (Backport PR #​35781, Upstream PR #​35626, @​pchaigno)
• docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (Backport PR #​35319, Upstream PR #​35288, @​oneumyvakin)
• docs: clean up stale kernel requirements (Backport PR #​35582, Upstream PR #​35575, @​julianwiedmann)
• docs: Fix incorrect link to RFC 4271 for BGP control plane timers. (Backport PR #​35781, Upstream PR #​35725, @​nvibert)
• docs: kpr: update error message regarding SocketLB tracing (Backport PR #​35468, Upstream PR #​35337, @​julianwiedmann)
• docs: tuning: XDP LB also supports tunnel routing (Backport PR #​35582, Upstream PR #​35574, @​julianwiedmann)
• docs: update 1.16 upgrade note for LRP (#​35944, @​ysksuzuki)
• docs: update default identity label filters (Backport PR #​35468, Upstream PR #​35422, @​marseel)
• docs: XFRM reference guide for IPsec development (Backport PR #​35582, Upstream PR #​35322, @​pchaigno)
• Envoy simplify listener setup (Backport PR #​35764, Upstream PR #​35642, @​jrajahalme)
• envoy: Configure internal_address_config to avoid warning log (Backport PR #​35471, Upstream PR #​35090, @​sayboras)
• envoy: Limit started serving logging to the typeURL of the stream (Backport PR #​35781, Upstream PR #​35736, @​jrajahalme)
• Fix wrongly spelled config option in error message (Backport PR #​35543, Upstream PR #​35390, @​baurmatt)
• helm: clarify text for serviceNoBackendResponse (Backport PR #​35908, Upstream PR #​35734, @​julianwiedmann)
• hubble: Add 'release' Make target (Backport PR #​35781, Upstream PR #​35561, @​michi-covalent)
• image: Use cilium-builder instead of golang as operator builder image (Backport PR #​35781, Upstream PR #​35351, @​learnitall)
• iptables: always warn about missing xt_socket module (Backport PR #​35781, Upstream PR #​35591, @​julianwiedmann)
• makefile: add target to install Cilium in kvstore mode (Backport PR #​35905, Upstream PR #​35646, @​giorio94)
• proxy: Ensure proxy ports are written on shutdown (Backport PR #​35908, Upstream PR #​35839, @​jrajahalme)
• Silence spurious clustermesh-related warnings (Backport PR #​35850, Upstream PR #​35867, @​giorio94)

Other Changes:

• [v1.16] envoy: Add configuration for OverloadManager (#​35787, @​sayboras)
• [v1.16] envoy: Bump envoy version from 1.29.x to 1.30.x (#​35563, @​sayboras)
• [v1.16] policy/correlation: Fix PolicyMatch{L3Proto,L4Only} case (#​35681, @​gandro)
• chore(deps): update cilium-envoy dependency (#​35920, @​sayboras)
• install: Update image digests for v1.16.3 (#​35361, @​cilium-release-bot[bot])
• Policy add deny rule test and benchmark (#​35714, @​jrajahalme)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.4@​sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
quay.io/cilium/cilium:stable@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.4@​sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2
quay.io/cilium/clustermesh-apiserver:stable@sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2

docker-plugin

quay.io/cilium/docker-plugin:v1.16.4@​sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e
quay.io/cilium/docker-plugin:stable@sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e

hubble-relay

quay.io/cilium/hubble-relay:v1.16.4@​sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
quay.io/cilium/hubble-relay:stable@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.4@​sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686
quay.io/cilium/operator-alibabacloud:stable@sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686

operator-aws

quay.io/cilium/operator-aws:v1.16.4@​sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be
quay.io/cilium/operator-aws:stable@sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be

operator-azure

quay.io/cilium/operator-azure:v1.16.4@​sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de
quay.io/cilium/operator-azure:stable@sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de

operator-generic

quay.io/cilium/operator-generic:v1.16.4@​sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
quay.io/cilium/operator-generic:stable@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5

operator

quay.io/cilium/operator:v1.16.4@​sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff
quay.io/cilium/operator:stable@sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff

v1.16.3: 1.16.3

Compare Source

Summary of Changes

Bugfixes:

• bgpv2: fix reconciliation of services with shared VIPs (Backport PR #​35274, Upstream PR #​35166, @​rastislavs)
• bgpv2: Fix service reconciliation logic to update service advertisement metadata only after successful reconciliation (Backport PR #​35036, Upstream PR #​34976, @​rastislavs)
• bpf: nat: recreate a NAT entry if the packet hits the stale entry (Backport PR #​35036, Upstream PR #​34913, @​ysksuzuki)
• bugtool: fix cilium-health command (Backport PR #​35274, Upstream PR #​35068, @​ayuspin)
• Fix a low-probability issue where the DNS proxy could occasionally drop DNS queries due to "duplicate request id" errors. (Backport PR #​35036, Upstream PR #​34941, @​bimmlerd)
• Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (Backport PR #​35036, Upstream PR #​34789, @​tommyp1ckles)
• Fix parameter check to forbid IPAM ENI with TUNNEL routing, and prevent agent segfault when also IPSec is enabled. (Backport PR #​34918, Upstream PR #​34651, @​smagnani96)
• Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (Backport PR #​35036, Upstream PR #​34783, @​dylandreimerink)
• Fixed bug in tracking policy changes that could have resulted in revert not woking in failure cases as expected. (Backport PR #​35274, Upstream PR #​35109, @​jrajahalme)
• Fixed bug where service id allocator would loop infinity when out of service ids (Backport PR #​35274, Upstream PR #​35033, @​WeeNews)
• Fixes startup fatal error when updating CiliumNode resource. (Backport PR #​34918, Upstream PR #​34862, @​harsimran-pabla)
• gateway-api: Align GRPCRoute matchers with GEP specification (Backport PR #​35274, Upstream PR #​34808, @​cfsnyder)
• helm template function no longer errors when using k8sServiceHost: auto (Backport PR #​35274, Upstream PR #​35186, @​kreeuwijk)
• hubble: add printer for lost events (Backport PR #​35274, Upstream PR #​35208, @​aanm)
• ipcache: Yet another refcounting fix with mix of APIs (Backport PR #​35036, Upstream PR #​34715, @​gandro)
• netkit: Allow ARP packets through when using host firewall. (Backport PR #​35274, Upstream PR #​35070, @​jrife)
• wireguard: Fix issue where updates to a WireGuard device's configuration caused connectivity blips. (Backport PR #​35115, Upstream PR #​34612, @​jrife)

CI Changes:

• .github/lint-build-commits: fix workflow for push events (Backport PR #​35274, Upstream PR #​35264, @​aanm)
• .github: create cache directories on cache miss (Backport PR #​35157, Upstream PR #​35088, @​aanm)
• .github: do not push floating tag from PRs (Backport PR #​35230, Upstream PR #​35227, [@&fix(helm): update chart grafana to 6.59.4 #8

---

Configuration

📅 Schedule: Branch creation - "on saturday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[jsaveker]

Here is an automated review from ChatGPT of this pull request.

Based on the provided git diff, the changes pertain to updating the version of the Cilium Helm chart from 1.16.1 to 1.16.2 across various Kubernetes configuration templates.

Security Analysis:

1. Version Update Security: Upgrading software, including Helm charts, can address known vulnerabilities in previous versions. If 1.16.2 fixes security issues present in 1.16.1, this update improves security. However, it's important to review the release notes and security advisories for 1.16.2 to ensure no new vulnerabilities are introduced.

2. Dependence on External Sources: The Helm charts are configured to be fetched from https://helm.cilium.io/. Trusting an external source requires ensuring the source's reliability and secuirty. It's assumed that this source is trustworthy as it is the official repository for Cilium. Always ensure communication with external sources is secure (using HTTPS, as is done here, is good practice).

3. Automatic Updates (implied): The comment # renovate: datasource=helm implies the use of Renovate or a similar tool for automatic updates. Automated dependency updates are a double-edged sword: they can ensure quick application of security patches but might introduce breaking changes or vulnerabilities if not properly reviewed. It's important to have thorough testing and review processes in place.

Potential Issues Identified: No direct security issues can be confidently identified from this git diff alone. The primary action taken is a version update which generally implies security improvements, assuming the new version patches vulnerabilities or security issues from the previous version.

Suggested Fixes/Improvements:

• Review Release Notes: Ensure the new version (1.16.2) does not introduce new vulnerabilities or regressions through thorough review of the Cilium release notes and potential security bulletins. This preemptive action is not directly codifiable but is crucial.

• Validate External Sources:

  • Currently, the Helm repository source is hardcoded to https://helm.cilium.io/. It's important to validate that this URL remains secure, using mechanisms such as pinning the TLS certificate fingerprint or integrating a repository signature verification process. Although specific implementation is contextual and might depend on the capabilities of the tooling (helm or Kubernetes infra), it's a significant step toward ensuring the integrity and authenticity of external dependencies.

Note: Implementation of TLS pinning or repository signature verification is specific and should be aligned with your infrastructure's capabilities and security guidelines. Ensure these practices do not interfere with automatic update mechanisms in ways that could prevent the application of security patches.

• Automated Security and Integration Testing: Upon updating any dependency, automated security scanning (e.g., using tools like Snyk, Clair) and integration testing should be conducted to quickly detect any vulnerabilities introduced or compatibility issues with the new version.

# Pseudocode for integration into CI/CD pipeline:
steps:
  - name: Security Scanning
    run: security-scan [options]
  - name: Integration Testing
    run: integration-test [options]

• Regular Manual Security Reviews: Despite the efficiency of automated tools, regularly scheduled manual security reviews of dependencies and their sources remain invaluable. These reviews can capture subtle issues that automated tools might miss.

Conclusion: No direct security vulnerabilities were identified from the git diff provided, under the assumption that an upgrade in the Cilium Helm chart version is a routine patch or minor update process. Nonetheless, recommended practices and validation steps surrounding external dependency management are suggested to ensure overall security posture is maintained or enhanced.