chaijunkin / home-ops

K3s Cluster powered by proxmox
Do What The F*ck You Want To Public License

feat(helm): update chart cilium ( 1.15.5 → 1.16.4 ) #196

Open renovate[bot] opened 5 months ago

renovate[bot] commented 5 months ago

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| cilium (source) | minor | 1.15.5 -> 1.16.4 |

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

cilium/cilium (cilium)

### [`v1.16.4`](https://redirect.github.com/cilium/cilium/compare/1.16.3...1.16.4)

[Compare Source](https://redirect.github.com/cilium/cilium/compare/1.16.3...1.16.4)

### [`v1.16.3`](https://redirect.github.com/cilium/cilium/releases/tag/v1.16.3): 1.16.3

[Compare Source](https://redirect.github.com/cilium/cilium/compare/1.16.2...1.16.3)

## Summary of Changes

**Bugfixes:**

- bgpv2: fix reconciliation of services with shared VIPs (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35166](https://redirect.github.com/cilium/cilium/issues/35166), [@rastislavs](https://redirect.github.com/rastislavs))
- bgpv2: Fix service reconciliation logic to update service advertisement metadata only after successful reconciliation (Backport PR [#35036](https://redirect.github.com/cilium/cilium/issues/35036), Upstream PR [#34976](https://redirect.github.com/cilium/cilium/issues/34976), [@rastislavs](https://redirect.github.com/rastislavs))
- bpf: nat: recreate a NAT entry if the packet hits the stale entry (Backport PR [#35036](https://redirect.github.com/cilium/cilium/issues/35036), Upstream PR [#34913](https://redirect.github.com/cilium/cilium/issues/34913), [@ysksuzuki](https://redirect.github.com/ysksuzuki))
- bugtool: fix cilium-health command (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35068](https://redirect.github.com/cilium/cilium/issues/35068), [@ayuspin](https://redirect.github.com/ayuspin))
- Fix a low-probability issue where the DNS proxy could occasionally drop DNS queries due to "duplicate request id" errors. (Backport PR [#35036](https://redirect.github.com/cilium/cilium/issues/35036), Upstream PR [#34941](https://redirect.github.com/cilium/cilium/issues/34941), [@bimmlerd](https://redirect.github.com/bimmlerd))
- Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (Backport PR [#35036](https://redirect.github.com/cilium/cilium/issues/35036), Upstream PR [#34789](https://redirect.github.com/cilium/cilium/issues/34789), [@tommyp1ckles](https://redirect.github.com/tommyp1ckles))
- Fix parameter check to forbid IPAM ENI with TUNNEL routing, and prevent agent segfault when also IPSec is enabled. (Backport PR [#34918](https://redirect.github.com/cilium/cilium/issues/34918), Upstream PR [#34651](https://redirect.github.com/cilium/cilium/issues/34651), [@smagnani96](https://redirect.github.com/smagnani96))
- Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (Backport PR [#35036](https://redirect.github.com/cilium/cilium/issues/35036), Upstream PR [#34783](https://redirect.github.com/cilium/cilium/issues/34783), [@dylandreimerink](https://redirect.github.com/dylandreimerink))
- Fixed bug in tracking policy changes that could have resulted in revert not working in failure cases as expected. (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35109](https://redirect.github.com/cilium/cilium/issues/35109), [@jrajahalme](https://redirect.github.com/jrajahalme))
- Fixed bug where service id allocator would loop infinitely when out of service ids (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35033](https://redirect.github.com/cilium/cilium/issues/35033), [@WeeNews](https://redirect.github.com/WeeNews))
- Fixes startup fatal error when updating CiliumNode resource. (Backport PR [#34918](https://redirect.github.com/cilium/cilium/issues/34918), Upstream PR [#34862](https://redirect.github.com/cilium/cilium/issues/34862), [@harsimran-pabla](https://redirect.github.com/harsimran-pabla))
- gateway-api: Align GRPCRoute matchers with GEP specification (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#34808](https://redirect.github.com/cilium/cilium/issues/34808), [@cfsnyder](https://redirect.github.com/cfsnyder))
- helm template function no longer errors when using k8sServiceHost: auto (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35186](https://redirect.github.com/cilium/cilium/issues/35186), [@kreeuwijk](https://redirect.github.com/kreeuwijk))
- hubble: add printer for lost events (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35208](https://redirect.github.com/cilium/cilium/issues/35208), [@aanm](https://redirect.github.com/aanm))
- ipcache: Yet another refcounting fix with mix of APIs (Backport PR [#35036](https://redirect.github.com/cilium/cilium/issues/35036), Upstream PR [#34715](https://redirect.github.com/cilium/cilium/issues/34715), [@gandro](https://redirect.github.com/gandro))
- netkit: Allow ARP packets through when using host firewall. (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35070](https://redirect.github.com/cilium/cilium/issues/35070), [@jrife](https://redirect.github.com/jrife))
- wireguard: Fix issue where updates to a WireGuard device's configuration caused connectivity blips. (Backport PR [#35115](https://redirect.github.com/cilium/cilium/issues/35115), Upstream PR [#34612](https://redirect.github.com/cilium/cilium/issues/34612), [@jrife](https://redirect.github.com/jrife))

**CI Changes:**

- .github/lint-build-commits: fix workflow for push events (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35264](https://redirect.github.com/cilium/cilium/issues/35264), [@aanm](https://redirect.github.com/aanm))
- .github: create cache directories on cache miss (Backport PR [#35157](https://redirect.github.com/cilium/cilium/issues/35157), Upstream PR [#35088](https://redirect.github.com/cilium/cilium/issues/35088), [@aanm](https://redirect.github.com/aanm))
- .github: do not push floating tag from PRs (Backport PR [#35230](https://redirect.github.com/cilium/cilium/issues/35230), Upstream PR [#35227](https://redirect.github.com/cilium/cilium/issues/35227), [@aanm](https://redirect.github.com/aanm))
- .github: install golang action after checkout (Backport PR [#35157](https://redirect.github.com/cilium/cilium/issues/35157), Upstream PR [#34843](https://redirect.github.com/cilium/cilium/issues/34843), [@aanm](https://redirect.github.com/aanm))
- .github: re-enable configurations in e2e-upgrade (Backport PR [#35157](https://redirect.github.com/cilium/cilium/issues/35157), Upstream PR [#34800](https://redirect.github.com/cilium/cilium/issues/34800), [@aanm](https://redirect.github.com/aanm))
- .github: specify cache-dependency-path in lint-workflows (Backport PR [#35157](https://redirect.github.com/cilium/cilium/issues/35157), Upstream PR [#34845](https://redirect.github.com/cilium/cilium/issues/34845), [@aanm](https://redirect.github.com/aanm))
- \[1.16] test: Skip envoy internal_address_config warning log ([#35053](https://redirect.github.com/cilium/cilium/issues/35053), [@pippolo84](https://redirect.github.com/pippolo84))
- \[v1.16] gha: fix incorrect go version in lint-build-commits workflow ([#35312](https://redirect.github.com/cilium/cilium/issues/35312), [@giorio94](https://redirect.github.com/giorio94))
- ci: conformance-\[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport PR [#34918](https://redirect.github.com/cilium/cilium/issues/34918), Upstream PR [#34820](https://redirect.github.com/cilium/cilium/issues/34820), [@aanm](https://redirect.github.com/aanm))
- fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport PR [#34918](https://redirect.github.com/cilium/cilium/issues/34918), Upstream PR [#34902](https://redirect.github.com/cilium/cilium/issues/34902), [@Artyop](https://redirect.github.com/Artyop))
- servicemesh, ci: run internal to NodePort test (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35177](https://redirect.github.com/cilium/cilium/issues/35177), [@marseel](https://redirect.github.com/marseel))

**Misc Changes:**

- .github: add cache to cilium-cli and hubble-cli build workflows (Backport PR [#35157](https://redirect.github.com/cilium/cilium/issues/35157), Upstream PR [#34847](https://redirect.github.com/cilium/cilium/issues/34847), [@aanm](https://redirect.github.com/aanm))
- .github: clean up disk for lint-build workflow (Backport PR [#35157](https://redirect.github.com/cilium/cilium/issues/35157), Upstream PR [#35141](https://redirect.github.com/cilium/cilium/issues/35141), [@aanm](https://redirect.github.com/aanm))
- .github: fix build image process to commit changes (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35262](https://redirect.github.com/cilium/cilium/issues/35262), [@aanm](https://redirect.github.com/aanm))
- .github: fix lvh-kind warnings (Backport PR [#35157](https://redirect.github.com/cilium/cilium/issues/35157), Upstream PR [#34811](https://redirect.github.com/cilium/cilium/issues/34811), [@aanm](https://redirect.github.com/aanm))
- .github: fix runtime image digests (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35107](https://redirect.github.com/cilium/cilium/issues/35107), [@aanm](https://redirect.github.com/aanm))
- .github: push floating tag for push events for stable branches ([#35235](https://redirect.github.com/cilium/cilium/issues/35235), [@aanm](https://redirect.github.com/aanm))
- \[v1.16] .github: do not update github runners for bpf workflows ([#35106](https://redirect.github.com/cilium/cilium/issues/35106), [@aanm](https://redirect.github.com/aanm))
- \[v1.16] manually update dependency cilium/cilium-cli to v0.16.19 (v1.16) ([#35310](https://redirect.github.com/cilium/cilium/issues/35310), [@julianwiedmann](https://redirect.github.com/julianwiedmann))
- bgpv2/docs: add ebgp multihop documentation (Backport PR [#35036](https://redirect.github.com/cilium/cilium/issues/35036), Upstream PR [#34951](https://redirect.github.com/cilium/cilium/issues/34951), [@harsimran-pabla](https://redirect.github.com/harsimran-pabla))
- bgpv2: cleanup service reconciliation logic (Backport PR [#35036](https://redirect.github.com/cilium/cilium/issues/35036), Upstream PR [#34959](https://redirect.github.com/cilium/cilium/issues/34959), [@rastislavs](https://redirect.github.com/rastislavs))
- Change GH runners to GH's default (Backport PR [#35157](https://redirect.github.com/cilium/cilium/issues/35157), Upstream PR [#33451](https://redirect.github.com/cilium/cilium/issues/33451), [@aanm](https://redirect.github.com/aanm))
- chore(deps): update all github action dependencies (v1.16) ([#35025](https://redirect.github.com/cilium/cilium/issues/35025), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.16) ([#35082](https://redirect.github.com/cilium/cilium/issues/35082), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.16) ([#35250](https://redirect.github.com/cilium/cilium/issues/35250), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.16) ([#35005](https://redirect.github.com/cilium/cilium/issues/35005), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.16) ([#35283](https://redirect.github.com/cilium/cilium/issues/35283), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.16) ([#34999](https://redirect.github.com/cilium/cilium/issues/34999), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.22.7 docker digest to [`ddad330`](https://redirect.github.com/cilium/cilium/commit/ddad330) (v1.16) ([#35101](https://redirect.github.com/cilium/cilium/issues/35101), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.22.8 (v1.16) ([#35201](https://redirect.github.com/cilium/cilium/issues/35201), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727741018-e3a7412f65722ebbe34254b3582b89d315765d0d (v1.16) ([#35137](https://redirect.github.com/cilium/cilium/issues/35137), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.16) ([#35218](https://redirect.github.com/cilium/cilium/issues/35218), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- cilium-cli: Show config.cilium.io annotations on configmap (Backport PR [#35155](https://redirect.github.com/cilium/cilium/issues/35155), Upstream PR [#35020](https://redirect.github.com/cilium/cilium/issues/35020), [@joamaki](https://redirect.github.com/joamaki))
- docs: Add known issue for netkit endpoint route issues (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35126](https://redirect.github.com/cilium/cilium/issues/35126), [@jrife](https://redirect.github.com/jrife))
- docs: fix EKS Kubernetes compatibility link (Backport PR [#35036](https://redirect.github.com/cilium/cilium/issues/35036), Upstream PR [#34922](https://redirect.github.com/cilium/cilium/issues/34922), [@fjvela](https://redirect.github.com/fjvela))
- docs: Improve warning on insecure global IPsec keys (Backport PR [#34918](https://redirect.github.com/cilium/cilium/issues/34918), Upstream PR [#34846](https://redirect.github.com/cilium/cilium/issues/34846), [@pchaigno](https://redirect.github.com/pchaigno))
- docs: move sig-policy to second Tuesday of the month (Backport PR [#35115](https://redirect.github.com/cilium/cilium/issues/35115), Upstream PR [#35040](https://redirect.github.com/cilium/cilium/issues/35040), [@squeed](https://redirect.github.com/squeed))
- fix: Assign PodStore from Pod resource until cell migration is completed (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#34090](https://redirect.github.com/cilium/cilium/issues/34090), [@dlapcevic](https://redirect.github.com/dlapcevic))
- helm: add client auth to hubble server certificate (Backport PR [#35036](https://redirect.github.com/cilium/cilium/issues/35036), Upstream PR [#34934](https://redirect.github.com/cilium/cilium/issues/34934), [@kaworu](https://redirect.github.com/kaworu))
- helm: set key usages for hubble certificates with cert-manager (Backport PR [#35036](https://redirect.github.com/cilium/cilium/issues/35036), Upstream PR [#34946](https://redirect.github.com/cilium/cilium/issues/34946), [@kaworu](https://redirect.github.com/kaworu))
- Improve speed on lint commits GH workflow (Backport PR [#35157](https://redirect.github.com/cilium/cilium/issues/35157), Upstream PR [#34848](https://redirect.github.com/cilium/cilium/issues/34848), [@aanm](https://redirect.github.com/aanm))
- install/kubernetes: fix Operator's clusterrole for pods deletion (Backport PR [#35274](https://redirect.github.com/cilium/cilium/issues/35274), Upstream PR [#35193](https://redirect.github.com/cilium/cilium/issues/35193), [@aanm](https://redirect.github.com/aanm))
- Re-write GitHub cache usages across workflows (Backport PR [#35157](https://redirect.github.com/cilium/cilium/issues/35157), Upstream PR [#34866](https://redirect.github.com/cilium/cilium/issues/34866), [@aanm](https://redirect.github.com/aanm))
- Remove conformance-e2e tests (Backport PR [#35157](https://redirect.github.com/cilium/cilium/issues/35157), Upstream PR [#34742](https://redirect.github.com/cilium/cilium/issues/34742), [@aanm](https://redirect.github.com/aanm))

**Other Changes:**

- \[v1.16] Add missing test coverage in v1.16 branch ([#35223](https://redirect.github.com/cilium/cilium/issues/35223), [@aanm](https://redirect.github.com/aanm))
- \[v1.16] author backport: fix ENABLE_LOCAL_REDIRECT_POLICY ([#35129](https://redirect.github.com/cilium/cilium/issues/35129), [@ysksuzuki](https://redirect.github.com/ysksuzuki))
- \[v1.16] author backport: LRP fixes ([#35072](https://redirect.github.com/cilium/cilium/issues/35072), [@ysksuzuki](https://redirect.github.com/ysksuzuki))
- \[v1.16] ginkgo: disable test for deprecated annotations-based L7 visibility ([#35160](https://redirect.github.com/cilium/cilium/issues/35160), [@tklauser](https://redirect.github.com/tklauser))
- \[v1.16] test/k8s: replace L7 visibility Pod annotations by L7 visibility policy ([#35151](https://redirect.github.com/cilium/cilium/issues/35151),
  [@tklauser](https://redirect.github.com/tklauser))
- install: Update image digests for v1.16.2 ([#35052](https://redirect.github.com/cilium/cilium/issues/35052), [@cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot])

##### Docker Manifests

### [`v1.16.2`](https://redirect.github.com/cilium/cilium/releases/tag/v1.16.2): 1.16.2

[Compare Source](https://redirect.github.com/cilium/cilium/compare/1.16.1...1.16.2)

We are happy to release Cilium v1.16.2! This release brings us improved validation for updating from v1.15, fixed panics, race conditions and deadlocks, CI fixes and many many more changes! Check out the summary below for details.

## Summary of Changes

**Minor Changes:**

- Add validation to prevent users from using deprecated values that have been removed in v1.15 and v1.16 (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34229](https://redirect.github.com/cilium/cilium/issues/34229), [@chancez](https://redirect.github.com/chancez))
- bgpv2: update status field of CiliumBGPNodeConfig CRD (Backport PR [#34580](https://redirect.github.com/cilium/cilium/issues/34580), Upstream PR [#33411](https://redirect.github.com/cilium/cilium/issues/33411), [@harsimran-pabla](https://redirect.github.com/harsimran-pabla))
- docs: Update examples for CNP L7 Host (Backport PR [#34644](https://redirect.github.com/cilium/cilium/issues/34644), Upstream PR [#34578](https://redirect.github.com/cilium/cilium/issues/34578), [@sayboras](https://redirect.github.com/sayboras))
- egressgw: drop traffic when gateway node is not configured for policy (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#33625](https://redirect.github.com/cilium/cilium/issues/33625),
  [@julianwiedmann](https://redirect.github.com/julianwiedmann))

**Bugfixes:**

- add support for validation of stringToString values in ConfigMap (Backport PR [#34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#34279](https://redirect.github.com/cilium/cilium/issues/34279), [@alex-berger](https://redirect.github.com/alex-berger))
- bgpv2: correct service reconciler initialization (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34415](https://redirect.github.com/cilium/cilium/issues/34415), [@harsimran-pabla](https://redirect.github.com/harsimran-pabla))
- bgpv2: fix cilium-dbg bgp filtering by ASN & route-policy dump format (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34335](https://redirect.github.com/cilium/cilium/issues/34335), [@rastislavs](https://redirect.github.com/rastislavs))
- bpf: Fix `Prune` map operation leaking BPF map entries (Backport PR [#34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#34476](https://redirect.github.com/cilium/cilium/issues/34476), [@gandro](https://redirect.github.com/gandro))
- config: fix disabling config 'Debug' (Backport PR [#34469](https://redirect.github.com/cilium/cilium/issues/34469), Upstream PR [#34401](https://redirect.github.com/cilium/cilium/issues/34401), [@mhofstetter](https://redirect.github.com/mhofstetter))
- daemon: Create IPsec and LRP maps early on startup (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34388](https://redirect.github.com/cilium/cilium/issues/34388), [@pchaigno](https://redirect.github.com/pchaigno))
- daemon: Fix error logic flow for pod store being out of date (Backport PR [#34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#34389](https://redirect.github.com/cilium/cilium/issues/34389), [@christarazi](https://redirect.github.com/christarazi))
- envoy: fix log level mapping when changing log level via API (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34400](https://redirect.github.com/cilium/cilium/issues/34400), [@mhofstetter](https://redirect.github.com/mhofstetter))
- Fix "invalid sysctl parameter" error when Cilium needs to modify a sysctl with capital letters in its name. (Backport PR [#34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#34298](https://redirect.github.com/cilium/cilium/issues/34298), [@julianwiedmann](https://redirect.github.com/julianwiedmann))
- Fix a bug in Cilium's kube-proxy replacement, where replies by a local backend are dropped with DROP_NO_FIB. (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34303](https://redirect.github.com/cilium/cilium/issues/34303), [@julianwiedmann](https://redirect.github.com/julianwiedmann))
- Fix a race condition that would cause errors related to maps `LB{4,6}_SKIP_MAP` when loading programs. (Backport PR [#34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#34453](https://redirect.github.com/cilium/cilium/issues/34453), [@pchaigno](https://redirect.github.com/pchaigno))
- Fix agent panic when IPsec is enabled but XFRM stats are not exposed by the kernel. (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34647](https://redirect.github.com/cilium/cilium/issues/34647), [@chaunceyjiang](https://redirect.github.com/chaunceyjiang))
- Fix issue where a hostport service would be created on an incorrect node when cilium-agent is configured with disable-endpoint-crd (Backport PR [#34644](https://redirect.github.com/cilium/cilium/issues/34644), Upstream PR [#34385](https://redirect.github.com/cilium/cilium/issues/34385), [@haozhangami](https://redirect.github.com/haozhangami))
- Fix operator deployment connecting to clustermesh kvstoremesh when endpointslice sync or MCS-API Service exports is enabled (Backport PR [#34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#34295](https://redirect.github.com/cilium/cilium/issues/34295), [@MrFreezeex](https://redirect.github.com/MrFreezeex))
- Fix parsing of complex api-rate-limit options. The parsing failed when rate limits were configured for multiple API endpoints with multiple options, for example: "endpoint-create=rate-limit:1/s,rate-burst=1,endpoint-delete=rate-limit:2/s,rate-burst=2". The ability to also specify the rate limits as JSON strings was also returned. (Backport PR [#34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#34249](https://redirect.github.com/cilium/cilium/issues/34249), [@joamaki](https://redirect.github.com/joamaki))
- Fix possible connection disruption on agent restart with WireGuard + native routing (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34095](https://redirect.github.com/cilium/cilium/issues/34095), [@giorio94](https://redirect.github.com/giorio94))
- Fix possible panic occurring in case errors are returned while updating/deleting IPv6 routes (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34721](https://redirect.github.com/cilium/cilium/issues/34721), [@giorio94](https://redirect.github.com/giorio94))
- Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34775](https://redirect.github.com/cilium/cilium/issues/34775), [@julianwiedmann](https://redirect.github.com/julianwiedmann))
- Fixes broken pod-to-remote-hostport connectivity when IPsec is used with L7 ingress policy and KPR. (Backport PR [#34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#33805](https://redirect.github.com/cilium/cilium/issues/33805), [@jschwinger233](https://redirect.github.com/jschwinger233))
- Fixes deadlock in identity watcher. This fixes an issue where a kvstore disconnect can cause the event receiver to exit and the event sender to get stuck forever. (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34611](https://redirect.github.com/cilium/cilium/issues/34611), [@dboslee](https://redirect.github.com/dboslee))
- helm: fix envoy prometheus metrics scraping with servicemonitor (Backport PR [#34472](https://redirect.github.com/cilium/cilium/issues/34472), Upstream PR [#34448](https://redirect.github.com/cilium/cilium/issues/34448), [@mhofstetter](https://redirect.github.com/mhofstetter))
- ingress: Avoid opening of port 80 for TLSPassthrough only (Backport PR [#34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#34474](https://redirect.github.com/cilium/cilium/issues/34474), [@sayboras](https://redirect.github.com/sayboras))
- ingress: Remove generated CEC if empty (Backport PR [#34644](https://redirect.github.com/cilium/cilium/issues/34644), Upstream PR [#34576](https://redirect.github.com/cilium/cilium/issues/34576), [@sayboras](https://redirect.github.com/sayboras))
- lbipam: fix panic when changing the shared key & req. ip annotation (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34236](https://redirect.github.com/cilium/cilium/issues/34236), [@mhofstetter](https://redirect.github.com/mhofstetter))
- policy: Fixed CIDRGroupRef breaking the sanitization (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34076](https://redirect.github.com/cilium/cilium/issues/34076), [@chaunceyjiang](https://redirect.github.com/chaunceyjiang))
- Replace dotted sysctl names with string slices (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34527](https://redirect.github.com/cilium/cilium/issues/34527), [@dylandreimerink](https://redirect.github.com/dylandreimerink))

**CI Changes:**

- .github: change nick-invision/retry -> nick-fields/retry. ([#34735](https://redirect.github.com/cilium/cilium/issues/34735), [@michi-covalent](https://redirect.github.com/michi-covalent))
- bgpv1/test: fix route matching in PodIPPoolAdvert test (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34270](https://redirect.github.com/cilium/cilium/issues/34270), [@rastislavs](https://redirect.github.com/rastislavs))
- ci: clean disk only on ubuntu-latest runners (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34711](https://redirect.github.com/cilium/cilium/issues/34711), [@marseel](https://redirect.github.com/marseel))
- ci: Conformance E2E wait for images before matrix generation (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34707](https://redirect.github.com/cilium/cilium/issues/34707), [@marseel](https://redirect.github.com/marseel))
- ci: datapath-verifier: also run on 6.6 kernel (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34420](https://redirect.github.com/cilium/cilium/issues/34420), [@julianwiedmann](https://redirect.github.com/julianwiedmann))
- ci: don't run AKS tests on LTS versions (Backport PR [#34644](https://redirect.github.com/cilium/cilium/issues/34644), Upstream PR [#34640](https://redirect.github.com/cilium/cilium/issues/34640), [@marseel](https://redirect.github.com/marseel))
- ci: Wait for images before generating test matrix (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34727](https://redirect.github.com/cilium/cilium/issues/34727), [@marseel](https://redirect.github.com/marseel))
- Fix: push PR changes when renovate build images under the workflow_call context (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34650](https://redirect.github.com/cilium/cilium/issues/34650), [@Artyop](https://redirect.github.com/Artyop))
- gha: Add disk cleanup step for build and test workflow (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34339](https://redirect.github.com/cilium/cilium/issues/34339), [@sayboras](https://redirect.github.com/sayboras))

**Misc Changes:**

- .github: remove installation steps for arm64 (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34336](https://redirect.github.com/cilium/cilium/issues/34336), [@aanm](https://redirect.github.com/aanm))
- \[v1.16] deps: update Docker dependency ([#34354](https://redirect.github.com/cilium/cilium/issues/34354), [@ferozsalam](https://redirect.github.com/ferozsalam))
- bgpv2: correct error message log (Backport PR [#34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#34276](https://redirect.github.com/cilium/cilium/issues/34276), [@harsimran-pabla](https://redirect.github.com/harsimran-pabla))
- chore(deps): update all github action dependencies (v1.16) ([#34569](https://redirect.github.com/cilium/cilium/issues/34569), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.16) ([#34749](https://redirect.github.com/cilium/cilium/issues/34749), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.16) (patch) ([#34568](https://redirect.github.com/cilium/cilium/issues/34568), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.16) ([#34687](https://redirect.github.com/cilium/cilium/issues/34687), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.16) ([#34883](https://redirect.github.com/cilium/cilium/issues/34883), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.16) ([#34118](https://redirect.github.com/cilium/cilium/issues/34118), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.16) ([#34497](https://redirect.github.com/cilium/cilium/issues/34497), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.16) ([#34878](https://redirect.github.com/cilium/cilium/issues/34878), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/busybox:1.36.1 docker digest to [`34b191d`](https://redirect.github.com/cilium/cilium/commit/34b191d) (v1.16) ([#34760](https://redirect.github.com/cilium/cilium/issues/34760), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.22.7 docker digest to [`4594271`](https://redirect.github.com/cilium/cilium/commit/4594271) (v1.16) ([#34887](https://redirect.github.com/cilium/cilium/issues/34887), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.22.7 (v1.16) ([#34797](https://redirect.github.com/cilium/cilium/issues/34797), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore: Avoid docker warning due to casing (Backport PR [#34856](https://redirect.github.com/cilium/cilium/issues/34856), Upstream PR [#34125](https://redirect.github.com/cilium/cilium/issues/34125), [@sayboras](https://redirect.github.com/sayboras))
- cilium-dbg: add Envoy admin commands (Backport PR [#34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#34398](https://redirect.github.com/cilium/cilium/issues/34398), [@mhofstetter](https://redirect.github.com/mhofstetter))
- clustermesh/endpointslicesync: fix panic on failure in Test_meshEndpointSlice_Reconcile (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34699](https://redirect.github.com/cilium/cilium/issues/34699), [@tklauser](https://redirect.github.com/tklauser))
- contrib: allow l7proxy in egressgw config (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34636](https://redirect.github.com/cilium/cilium/issues/34636), [@julianwiedmann](https://redirect.github.com/julianwiedmann))
- docs: Avoid using wildcard TLS certificate (Backport PR [#34831](https://redirect.github.com/cilium/cilium/issues/34831), Upstream PR [#34609](https://redirect.github.com/cilium/cilium/issues/34609), [@sayboras](https://redirect.github.com/sayboras))
- docs: Improve disk based policy documentation (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34234](https://redirect.github.com/cilium/cilium/issues/34234), [@tamilmani1989](https://redirect.github.com/tamilmani1989))
- docs: Update LB-IPAM `allowFirstLastIPs` documentation (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34227](https://redirect.github.com/cilium/cilium/issues/34227), [@dylandreimerink](https://redirect.github.com/dylandreimerink))
- Documentation: Add instructions on accessing the Hubble API with TLS (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#34361](https://redirect.github.com/cilium/cilium/issues/34361), [@chancez](https://redirect.github.com/chancez))
- Documentation: Add section to validate Hubble TLS is enabled (Backport PR [#34644](https://redirect.github.com/cilium/cilium/issues/34644), Upstream PR [#34416](https://redirect.github.com/cilium/cilium/issues/34416), [@chancez](https://redirect.github.com/chancez))
- endpoint: Do not pass a function to WithFields (Backport PR [#34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR
[#​34346](https://redirect.github.com/cilium/cilium/issues/34346), [@​jrajahalme](https://redirect.github.com/jrajahalme)) - fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR [#​34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#​34372](https://redirect.github.com/cilium/cilium/issues/34372), [@​Artyop](https://redirect.github.com/Artyop)) - images: fix path script (Backport PR [#​34768](https://redirect.github.com/cilium/cilium/issues/34768), Upstream PR [#​34764](https://redirect.github.com/cilium/cilium/issues/34764), [@​aanm](https://redirect.github.com/aanm)) - ipsec: Document a new cause of XfrmInStateProtoError (Backport PR [#​34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#​34221](https://redirect.github.com/cilium/cilium/issues/34221), [@​jschwinger233](https://redirect.github.com/jschwinger233)) - pkg/endpointmanager: don't hold lock while iterating over subscribers (Backport PR [#​34586](https://redirect.github.com/cilium/cilium/issues/34586), Upstream PR [#​33896](https://redirect.github.com/cilium/cilium/issues/33896), [@​aanm](https://redirect.github.com/aanm)) - Reorganize Hubble docs (Backport PR [#​34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#​34282](https://redirect.github.com/cilium/cilium/issues/34282), [@​chancez](https://redirect.github.com/chancez)) - Use exponential backoff for etcd connection retries during quorum loss (Backport PR [#​34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#​34231](https://redirect.github.com/cilium/cilium/issues/34231), [@​hemanthmalla](https://redirect.github.com/hemanthmalla)) - wireguard: minor improvements (Backport PR [#​34452](https://redirect.github.com/cilium/cilium/issues/34452), Upstream PR [#​34285](https://redirect.github.com/cilium/cilium/issues/34285), [@​julianwiedmann](https://redirect.github.com/julianwiedmann)) 
**Other Changes:** - \[v1.16] CODEOWNERS: switch cilium/tophat to cilium/committers ([#34338](https://redirect.github.com/cilium/cilium/issues/34338), [@julianwiedmann](https://redirect.github.com/julianwiedmann)) - \[v1.16] envoy: Bump envoy version from v1.29.7 to v1.29.9 ([#34966](https://redirect.github.com/cilium/cilium/issues/34966), [@sayboras](https://redirect.github.com/sayboras)) - \[v1.16] envoy: Switch to image with timestamp tag ([#34395](https://redirect.github.com/cilium/cilium/issues/34395), [@sayboras](https://redirect.github.com/sayboras)) - envoy: Bump golang version ([#34328](https://redirect.github.com/cilium/cilium/issues/34328), [@sayboras](https://redirect.github.com/sayboras)) - Fix panic in endpoint regeneration when DNS requests are processed during early initialization. ([#34892](https://redirect.github.com/cilium/cilium/issues/34892), [@joamaki](https://redirect.github.com/joamaki)) - install: Update image digests for v1.16.1 ([#34378](https://redirect.github.com/cilium/cilium/issues/34378), [@cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot])
### [`v1.16.1`](https://redirect.github.com/cilium/cilium/releases/tag/v1.16.1): 1.16.1 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.16.0...1.16.1) ## Security Advisories This release addresses the following security vulnerabilities: - https://github.com/cilium/cilium/security/advisories/GHSA-vwf8-q6fw-4wcm - https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww ## Summary of Changes **Minor Changes:** - Deprecate providing Hubble TLS secrets in helm values (Backport PR
[#​34297](https://redirect.github.com/cilium/cilium/issues/34297), Upstream PR [#​34114](https://redirect.github.com/cilium/cilium/issues/34114), [@​chancez](https://redirect.github.com/chancez)) - gateway-api: Add required labels and annotations (Backport PR [#​34215](https://redirect.github.com/cilium/cilium/issues/34215), Upstream PR [#​33990](https://redirect.github.com/cilium/cilium/issues/33990), [@​sayboras](https://redirect.github.com/sayboras)) - helm: add config for nat-map-stats-{interval, entries} config. (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​33847](https://redirect.github.com/cilium/cilium/issues/33847), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) - Internal listener references are now properly qualified with namespace and CEC name. (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​34104](https://redirect.github.com/cilium/cilium/issues/34104), [@​jrajahalme](https://redirect.github.com/jrajahalme)) - Support configuring imagePullSecrets for spire agent/server pods (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​33952](https://redirect.github.com/cilium/cilium/issues/33952), [@​chancez](https://redirect.github.com/chancez)) **Bugfixes:** - auth: Fix data race in Upsert (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​33905](https://redirect.github.com/cilium/cilium/issues/33905), [@​chaunceyjiang](https://redirect.github.com/chaunceyjiang)) - BGPv1 + BGPv2: Fix incorrect service reconciliation in setups with multiple BGP instances (virtual routers) (Backport PR [#​34297](https://redirect.github.com/cilium/cilium/issues/34297), Upstream PR [#​34177](https://redirect.github.com/cilium/cilium/issues/34177), [@​rastislavs](https://redirect.github.com/rastislavs)) - bgpv1: Fix data race in bgppSelection (Backport PR 
[#34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#33904](https://redirect.github.com/cilium/cilium/issues/33904), [@chaunceyjiang](https://redirect.github.com/chaunceyjiang)) - bgpv2: Avoid duplicate route policy naming (Backport PR [#34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#34031](https://redirect.github.com/cilium/cilium/issues/34031), [@rastislavs](https://redirect.github.com/rastislavs)) - BGPv2: Fix `Service` advertisement selector: do not require matching `CiliumLoadBalancerIPPool` (Backport PR [#34201](https://redirect.github.com/cilium/cilium/issues/34201), Upstream PR [#34182](https://redirect.github.com/cilium/cilium/issues/34182), [@rastislavs](https://redirect.github.com/rastislavs)) - Fix a nil dereference crash during cilium-agent initialization affecting setups with FQDN policies. The crash is triggered when a restored endpoint performs a DNS request just at the right time during early cilium-agent restoration. The problem is not expected to be persistent and the agent should get past the problematic part of the initialization on restart. (Backport PR [#34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#34059](https://redirect.github.com/cilium/cilium/issues/34059), [@joamaki](https://redirect.github.com/joamaki)) - Fix appArmorProfile condition for CronJob helm template (Backport PR [#34297](https://redirect.github.com/cilium/cilium/issues/34297), Upstream PR [#34100](https://redirect.github.com/cilium/cilium/issues/34100), [@sathieu](https://redirect.github.com/sathieu)) - Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. 
(Backport PR [#​34181](https://redirect.github.com/cilium/cilium/issues/34181), Upstream PR [#​34091](https://redirect.github.com/cilium/cilium/issues/34091), [@​giorio94](https://redirect.github.com/giorio94)) - Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium. Fix spurious updates node addresses to avoid unnecessary datapath reinitializations. (Backport PR [#​34085](https://redirect.github.com/cilium/cilium/issues/34085), Upstream PR [#​34012](https://redirect.github.com/cilium/cilium/issues/34012), [@​joamaki](https://redirect.github.com/joamaki)) - Fix possible connection disruption on agent restart with WireGuard + kvstore (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​34062](https://redirect.github.com/cilium/cilium/issues/34062), [@​giorio94](https://redirect.github.com/giorio94)) - Fixes DNS proxy "connect: cannot assign requested address" errors in transparent mode, which were due to opening multiple TCP connections to the upstream DNS server. 
(Backport PR [#​34201](https://redirect.github.com/cilium/cilium/issues/34201), Upstream PR [#​33989](https://redirect.github.com/cilium/cilium/issues/33989), [@​bimmlerd](https://redirect.github.com/bimmlerd)) - gateway-api: Add HTTP method condition in sortable routes (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​34109](https://redirect.github.com/cilium/cilium/issues/34109), [@​sayboras](https://redirect.github.com/sayboras)) - gateway-api: Enqueue gateway for Reference Grant changes (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​34032](https://redirect.github.com/cilium/cilium/issues/34032), [@​sayboras](https://redirect.github.com/sayboras)) - lbipam: fixed bug in sharing key logic (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​34106](https://redirect.github.com/cilium/cilium/issues/34106), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) - policy: Fix policy cache covers context lookup. ([#​34322](https://redirect.github.com/cilium/cilium/issues/34322), [@​nathanjsweet](https://redirect.github.com/nathanjsweet)) - service: Relax protocol matching for L7 Service (Backport PR [#​34195](https://redirect.github.com/cilium/cilium/issues/34195), Upstream PR [#​34131](https://redirect.github.com/cilium/cilium/issues/34131), [@​sayboras](https://redirect.github.com/sayboras)) **CI Changes:** - .github: ginkgo: remove duplicate datapath ipv4only test in f09/f21. 
(Backport PR [#​34297](https://redirect.github.com/cilium/cilium/issues/34297), Upstream PR [#​34071](https://redirect.github.com/cilium/cilium/issues/34071), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) - bpf: egressgw: don't install allow-all policy in to-netdev tests (Backport PR [#​34201](https://redirect.github.com/cilium/cilium/issues/34201), Upstream PR [#​34143](https://redirect.github.com/cilium/cilium/issues/34143), [@​julianwiedmann](https://redirect.github.com/julianwiedmann)) - ci: multi pool run tests concurrently (Backport PR [#​34297](https://redirect.github.com/cilium/cilium/issues/34297), Upstream PR [#​33945](https://redirect.github.com/cilium/cilium/issues/33945), [@​viktor-kurchenko](https://redirect.github.com/viktor-kurchenko)) - Fix workflow telemetry in ci-ipsec-upgrade (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​34097](https://redirect.github.com/cilium/cilium/issues/34097), [@​chancez](https://redirect.github.com/chancez)) - gha: Add extended features in gateway profile run (Backport PR [#​34215](https://redirect.github.com/cilium/cilium/issues/34215), Upstream PR [#​34098](https://redirect.github.com/cilium/cilium/issues/34098), [@​sayboras](https://redirect.github.com/sayboras)) - gha: Free up Github runner disk space (Backport PR [#​34297](https://redirect.github.com/cilium/cilium/issues/34297), Upstream PR [#​34247](https://redirect.github.com/cilium/cilium/issues/34247), [@​sayboras](https://redirect.github.com/sayboras)) - gha: lint absence of trailing spaces in workflow files (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​33908](https://redirect.github.com/cilium/cilium/issues/33908), [@​giorio94](https://redirect.github.com/giorio94)) - gha: simplify the call-backport-label-updater workflow (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR 
[#​33934](https://redirect.github.com/cilium/cilium/issues/33934), [@​giorio94](https://redirect.github.com/giorio94)) - ginkgo-ci: split f09 into two groups to reduce timeouts & flakes (Backport PR [#​34297](https://redirect.github.com/cilium/cilium/issues/34297), Upstream PR [#​34038](https://redirect.github.com/cilium/cilium/issues/34038), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) - test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​34004](https://redirect.github.com/cilium/cilium/issues/34004), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) - tests-clustermesh-upgrade: Don't hardcode test namespace (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​34121](https://redirect.github.com/cilium/cilium/issues/34121), [@​michi-covalent](https://redirect.github.com/michi-covalent)) **Misc Changes:** - \[v1.16] docs: Add note for CNP empty slices semantic under v1.16 section ([#​34008](https://redirect.github.com/cilium/cilium/issues/34008), [@​pippolo84](https://redirect.github.com/pippolo84)) - Add source IP visibility info to Ingress and Gateway API docs (Backport PR [#​34297](https://redirect.github.com/cilium/cilium/issues/34297), Upstream PR [#​34137](https://redirect.github.com/cilium/cilium/issues/34137), [@​youngnick](https://redirect.github.com/youngnick)) - bgpv1: Reconcile with retry in BGP Controller (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​33971](https://redirect.github.com/cilium/cilium/issues/33971), [@​rastislavs](https://redirect.github.com/rastislavs)) - bgpv2: deprecate local port setting in transport config (Backport PR [#​34209](https://redirect.github.com/cilium/cilium/issues/34209), Upstream PR [#​33438](https://redirect.github.com/cilium/cilium/issues/33438), 
[@​harsimran-pabla](https://redirect.github.com/harsimran-pabla)) - bgpv2: use correct path key in path reconciler (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​33947](https://redirect.github.com/cilium/cilium/issues/33947), [@​harsimran-pabla](https://redirect.github.com/harsimran-pabla)) - bitlpm: Avoid allocs in CIDR trie lookups (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​33518](https://redirect.github.com/cilium/cilium/issues/33518), [@​jrajahalme](https://redirect.github.com/jrajahalme)) - bitlpm: Simplify matchPrefix() (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​33517](https://redirect.github.com/cilium/cilium/issues/33517), [@​jrajahalme](https://redirect.github.com/jrajahalme)) - bugtool: dump cilium_skip_lb{4,6} (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​34017](https://redirect.github.com/cilium/cilium/issues/34017), [@​ysksuzuki](https://redirect.github.com/ysksuzuki)) - bugtool: dumping more Envoy information (Backport PR [#​34158](https://redirect.github.com/cilium/cilium/issues/34158), Upstream PR [#​34110](https://redirect.github.com/cilium/cilium/issues/34110), [@​mhofstetter](https://redirect.github.com/mhofstetter)) - chore(deps): update all github action dependencies (v1.16) ([#​34166](https://redirect.github.com/cilium/cilium/issues/34166), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v27.3 (v1.16) ([#​34165](https://redirect.github.com/cilium/cilium/issues/34165), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.1

Configuration

📅 Schedule: Branch creation - "on saturday" in timezone Asia/Kuala_Lumpur, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.

github-actions[bot] commented 5 months ago
--- kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
-      version: 1.15.5
+      version: 1.16.3
   install:
     remediation:
       retries: 3
   interval: 30m
   uninstall:
     keepHistory: false
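
Review bot: The rendered `version:` line targets 1.16.3 while the PR title and the Renovate table say 1.16.4, so this diff predates the latest update of the branch; regenerate it and review that output before merging. This is also a minor-series jump from 1.15.5, and the 1.16.1 notes on this page list two security advisories (GHSA-vwf8-q6fw-4wcm, GHSA-qcm3-7879-xcww), so read those and the 1.16 upgrade notes instead of treating it as a routine bump. Nothing in this hunk shows an `upgrade.remediation` block next to `install.remediation.retries: 3`; check that a failed upgrade is handled the way you expect.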
github-actions[bot] commented 5 months ago
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

@@ -4703,27 +4703,27 @@

           ],
           "spaceLength": 10,
           "stack": false,
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(cilium_policy_l7_denied_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m]))",
+              "expr": "sum(rate(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"denied\"}[1m]))",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "denied",
               "refId": "A"
             },
             {
-              "expr": "sum(rate(cilium_policy_l7_forwarded_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m]))",
+              "expr": "sum(rate(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"forwarded\"}[1m]))",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "forwarded",
               "refId": "B"
             },
             {
-              "expr": "sum(rate(cilium_policy_l7_received_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m]))",
+              "expr": "sum(rate(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"received\"}[1m]))",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "received",
               "refId": "C"
             }
           ],
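
Review bot: The three `expr` lines replace the per-outcome metrics `cilium_policy_l7_denied_total`, `cilium_policy_l7_forwarded_total` and `cilium_policy_l7_received_total` with a single `cilium_policy_l7_total` selected by a `rule` label, so any query outside this ConfigMap that still uses the old names will return no data after the upgrade instead of failing. Search alert rules, recording rules and custom dashboards for `cilium_policy_l7_` before merging; a denied-traffic alert that goes silent is easy to misread as healthy.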
@@ -4869,13 +4869,13 @@

           }
         },
         {
           "aliasColors": {
             "Max per node processingTime": "#e24d42",
             "Max per node upstreamTime": "#58140c",
-            "avg(cilium_policy_l7_parse_errors_total{pod=~\"cilium.*\"})": "#bf1b00",
+            "avg(cilium_policy_l7_total{pod=~\"cilium.*\", rule=\"parse_errors\"})": "#bf1b00",
             "parse errors": "#bf1b00"
           },
           "bars": true,
           "dashLength": 10,
           "dashes": false,
           "datasource": {
@@ -4928,13 +4928,13 @@

             },
             {
               "alias": "Max per node upstreamTime",
               "yaxis": 2
             },
             {
-              "alias": "avg(cilium_policy_l7_parse_errors_total{pod=~\"cilium.*\"})",
+              "alias": "avg(cilium_policy_l7_total{pod=~\"cilium.*\", rule=\"parse_errors\"})",
               "yaxis": 2
             },
             {
               "alias": "parse errors",
               "yaxis": 2
             }
@@ -4949,13 +4949,13 @@

               "interval": "",
               "intervalFactor": 1,
               "legendFormat": "{{scope}}",
               "refId": "A"
             },
             {
-              "expr": "avg(cilium_policy_l7_parse_errors_total{k8s_app=\"cilium\", pod=~\"$pod\"}) by (pod)",
+              "expr": "avg(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"parse_errors\"}) by (pod)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "parse errors",
               "refId": "B"
             }
           ],
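
Review bot: In the `refId` "B" target, `avg(cilium_policy_l7_total{..., rule="parse_errors"}) by (pod)` averages a raw counter with no `rate()`, unlike the `max(rate(...[1m])) by (pod)` form used for the same metric in the hunk at 5307. The old expression had the same shape, so this is carried over and not introduced here, but the panel plots a running total that resets on agent restart. Worth reporting upstream; do not patch the rendered chart output locally.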
@@ -5307,13 +5307,13 @@

               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Max {{scope}}",
               "refId": "B"
             },
             {
-              "expr": "max(rate(cilium_policy_l7_parse_errors_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m])) by (pod)",
+              "expr": "max(rate(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"parse_errors\"}[1m])) by (pod)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "parse errors",
               "refId": "A"
             }
           ],
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -7,20 +7,18 @@

 data:
   identity-allocation-mode: crd
   identity-heartbeat-timeout: 30m0s
   identity-gc-interval: 15m0s
   cilium-endpoint-gc-interval: 5m0s
   nodes-gc-interval: 5m0s
-  skip-cnp-status-startup-clean: 'false'
   debug: 'false'
   debug-verbose: ''
   enable-policy: default
   policy-cidr-match-mode: ''
   prometheus-serve-addr: :9962
   controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
-  proxy-prometheus-port: '9964'
   operator-prometheus-serve-addr: :9963
   enable-metrics: 'true'
   enable-ipv4: 'true'
   enable-ipv6: 'false'
   custom-cni-conf: 'false'
   enable-bpf-clock-probe: 'false'
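
Review bot: `proxy-prometheus-port: '9964'` is removed from the agent config here, and a later hunk in this same ConfigMap sets `external-envoy-proxy: 'true'`, so the agent is no longer told to serve proxy metrics on that port. Check every ServiceMonitor, scrape config and network policy that references port 9964 on the agent pods, and confirm L7 proxy metrics are still collected after the rollout.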
@@ -29,60 +27,71 @@

   monitor-aggregation-interval: 5s
   monitor-aggregation-flags: all
   bpf-map-dynamic-size-ratio: '0.0025'
   bpf-policy-map-max: '16384'
   bpf-lb-map-max: '65536'
   bpf-lb-external-clusterip: 'false'
+  bpf-events-drop-enabled: 'true'
+  bpf-events-policy-verdict-enabled: 'true'
+  bpf-events-trace-enabled: 'true'
   preallocate-bpf-maps: 'false'
-  sidecar-istio-proxy-image: cilium/istio_proxy
   cluster-name: home-kubernetes
   cluster-id: '1'
   routing-mode: native
   service-no-backend-response: reject
   enable-l7-proxy: 'true'
   enable-ipv4-masquerade: 'true'
   enable-ipv4-big-tcp: 'false'
   enable-ipv6-big-tcp: 'false'
   enable-ipv6-masquerade: 'true'
+  enable-tcx: 'true'
+  datapath-mode: veth
   enable-bpf-masquerade: 'true'
   enable-masquerade-to-route-source: 'false'
   enable-xt-socket-fallback: 'true'
   install-no-conntrack-iptables-rules: 'false'
   auto-direct-node-routes: 'true'
+  direct-routing-skip-unreachable: 'false'
   enable-bandwidth-manager: 'true'
   enable-bbr: 'false'
   enable-local-redirect-policy: 'true'
   ipv4-native-routing-cidr: 10.69.0.0/16
   devices: eth+
+  enable-runtime-device-detection: 'true'
   kube-proxy-replacement: 'true'
   kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
   bpf-lb-sock: 'false'
+  bpf-lb-sock-terminate-pod-connections: 'false'
+  nodeport-addresses: ''
   enable-health-check-nodeport: 'true'
   enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-mode: dsr
   bpf-lb-algorithm: maglev
   bpf-lb-acceleration: disabled
   enable-svc-source-range-check: 'true'
   enable-l2-neigh-discovery: 'true'
   arping-refresh-period: 30s
+  k8s-require-ipv4-pod-cidr: 'false'
+  k8s-require-ipv6-pod-cidr: 'false'
   enable-endpoint-routes: 'true'
   enable-k8s-networkpolicy: 'true'
   write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
   cni-exclusive: 'false'
   cni-log-file: /var/run/cilium/cilium-cni.log
   enable-endpoint-health-checking: 'true'
   enable-health-checking: 'true'
   enable-well-known-identities: 'false'
-  enable-remote-node-identity: 'true'
+  enable-node-selector-labels: 'false'
   synchronize-k8s-nodes: 'true'
   operator-api-serve-addr: 127.0.0.1:9234
   enable-hubble: 'true'
   hubble-socket-path: /var/run/cilium/hubble.sock
   hubble-metrics-server: :9965
+  hubble-metrics-server-enable-tls: 'false'
   hubble-metrics: dns:query drop tcp flow port-distribution icmp http
   enable-hubble-open-metrics: 'false'
   hubble-export-file-max-size-mb: '10'
   hubble-export-file-max-backups: '5'
   hubble-listen-address: :4244
   hubble-disable-tls: 'false'
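
Review bot: The added `hubble-metrics-server-enable-tls: 'false'` makes explicit that the metrics endpoint on `:9965` is served without TLS, while `hubble-disable-tls: 'false'` keeps TLS on the Hubble API at `:4244`. With `hubble-metrics: dns:query drop tcp flow port-distribution icmp http` enabled, that endpoint describes DNS and HTTP activity, so decide whether plaintext scraping is acceptable on this network or restrict who can reach the port. The same hunk also adds `enable-tcx: 'true'` and `enable-runtime-device-detection: 'true'` alongside `devices: eth+`; check the 1.16 upgrade notes for both and confirm the node interfaces are still picked up as expected.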
@@ -109,12 +118,13 @@

   k8s-client-burst: '20'
   remove-cilium-node-taints: 'true'
   set-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
   unmanaged-pod-watcher-interval: '15'
   dnsproxy-enable-transparent-mode: 'true'
+  dnsproxy-socket-linger-timeout: '10'
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
   tofqdns-endpoint-max-ip-per-hostname: '50'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
   tofqdns-proxy-response-max-delay: 100ms
@@ -126,9 +136,15 @@

   proxy-xff-num-trusted-hops-ingress: '0'
   proxy-xff-num-trusted-hops-egress: '0'
   proxy-connect-timeout: '2'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
   proxy-idle-timeout-seconds: '60'
-  external-envoy-proxy: 'false'
+  external-envoy-proxy: 'true'
+  envoy-base-id: '0'
+  envoy-keep-cap-netbindservice: 'false'
   max-connected-clusters: '255'
+  clustermesh-enable-endpoint-sync: 'false'
+  clustermesh-enable-mcs-api: 'false'
+  nat-map-stats-entries: '32'
+  nat-map-stats-interval: 30s
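
Review bot: `external-envoy-proxy` flips from 'false' to 'true' in this hunk, which is an architecture change hidden inside a version bump: L7 proxying moves out of the agent into a separate Envoy workload, configured by the new `envoy-base-id` and `envoy-keep-cap-netbindservice` keys. Confirm the move is intended, that the nodes have capacity for the additional pods, and that L7 policy enforcement (`enable-l7-proxy: 'true'`) is exercised after the upgrade. If the change is not wanted yet, pin the current behaviour explicitly in the HelmRelease values.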

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-operator-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-operator-dashboard

@@ -11,17 +11,30 @@

     grafana_dashboard: '1'
   annotations:
     grafana_folder: Cilium
 data:
   cilium-operator-dashboard.json: |
     {
+      "__inputs": [
+        {
+          "name": "DS_PROMETHEUS",
+          "label": "prometheus",
+          "description": "",
+          "type": "datasource",
+          "pluginId": "prometheus",
+          "pluginName": "Prometheus"
+        }
+      ],
       "annotations": {
         "list": [
           {
             "builtIn": 1,
-            "datasource": "-- Grafana --",
+            "datasource": {
+              "type": "datasource",
+              "uid": "grafana"
+            },
             "enable": true,
             "hide": true,
             "iconColor": "rgba(0, 211, 255, 1)",
             "name": "Annotations & Alerts",
             "type": "dashboard"
           }
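Review bot: The added `__inputs` block and the `${DS_PROMETHEUS}` uids in the panel hunks below are Grafana's export format, and `__inputs` is only substituted by the import dialog or import API. This dashboard is loaded from a ConfigMap labelled `grafana_dashboard: '1'`, so check that a `DS_PROMETHEUS` datasource variable exists in its templating list (the hubble-dns-namespace hunk renames its variable to exactly that) or that the panels still resolve a datasource after the dashboard is reloaded.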
@@ -37,13 +50,16 @@

           "aliasColors": {
             "avg": "#cffaff"
           },
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -163,13 +179,16 @@

           "aliasColors": {
             "MAX_resident_memory_bytes_max": "#e5ac0e"
           },
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -293,13 +312,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -390,13 +412,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -487,13 +512,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -584,13 +612,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -681,13 +712,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -778,13 +812,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
@@ -875,13 +912,16 @@

         },
         {
           "aliasColors": {},
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": "prometheus",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
           "fieldConfig": {
             "defaults": {
               "custom": {}
             },
             "overrides": []
           },
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-relay-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-relay-config

@@ -6,9 +6,9 @@

   namespace: kube-system
 data:
   config.yaml: "cluster-name: home-kubernetes\npeer-service: \"hubble-peer.kube-system.svc.cluster.local:443\"\
     \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\
     \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file:\
     \ /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key\n\
-    tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\ndisable-server-tls:\
-    \ true\n"
+    tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\n\
+    disable-server-tls: true\n"
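Review bot: `disable-server-tls: true` survives this otherwise whitespace-only change, so Hubble Relay keeps serving its gRPC API without TLS while its client side towards the agents does use certificates. If anything outside the cluster network reaches the relay Service, turn on server TLS in the chart values; `dial-timeout`, `retry-timeout` and the two `sort-buffer-*` keys are also still rendered empty and rely on relay's built-in defaults.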

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-dashboard

@@ -9,3240 +9,1059 @@

     app.kubernetes.io/name: hubble
     app.kubernetes.io/part-of: cilium
     grafana_dashboard: '1'
   annotations:
     grafana_folder: Cilium
 data:
-  hubble-dashboard.json: |
-    {
-      "annotations": {
-        "list": [
-          {
-            "builtIn": 1,
-            "datasource": "-- Grafana --",
-            "enable": true,
-            "hide": true,
-            "iconColor": "rgba(0, 211, 255, 1)",
-            "name": "Annotations & Alerts",
-            "type": "dashboard"
-          }
-        ]
-      },
-      "editable": true,
-      "gnetId": null,
-      "graphTooltip": 0,
-      "id": 3,
-      "links": [],
-      "panels": [
-        {
-          "collapsed": false,
-          "gridPos": {
-            "h": 1,
-            "w": 24,
-            "x": 0,
-            "y": 0
-          },
-          "id": 14,
-          "panels": [],
-          "title": "General Processing",
-          "type": "row"
-        },
-        {
-          "aliasColors": {},
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": "prometheus",
-          "fill": 1,
-          "gridPos": {
-            "h": 5,
-            "w": 12,
-            "x": 0,
-            "y": 1
-          },
-          "id": 12,
-          "legend": {
-            "avg": false,
-            "current": false,
-            "max": false,
-            "min": false,
-            "show": true,
-            "total": false,
-            "values": false
-          },
-          "lines": true,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "options": {},
-          "percentage": false,
-          "pointradius": 2,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [
-            {
-              "alias": "max",
-              "fillBelowTo": "avg",
-              "lines": false
-            },
-            {
-              "alias": "avg",
-              "fill": 0,
-              "fillBelowTo": "min"
-            },
-            {
-              "alias": "min",
-              "lines": false
-            }
-          ],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
-          "targets": [
-            {
-              "expr": "avg(sum(rate(hubble_flows_processed_total[1m])) by (pod))",
-              "format": "time_series",
-              "intervalFactor": 1,
-              "legendFormat": "avg",
-              "refId": "A"
-            },
-            {
-              "expr": "min(sum(rate(hubble_flows_processed_total[1m])) by (pod))",
-              "format": "time_series",
-              "intervalFactor": 1,
-              "legendFormat": "min",
-              "refId": "B"
-            },
-            {
-              "expr": "max(sum(rate(hubble_flows_processed_total[1m])) by (pod))",
-              "format": "time_series",
-              "intervalFactor": 1,
-              "legendFormat": "max",
-              "refId": "C"
-            }
-          ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeRegions": [],
-          "timeShift": null,
-          "title": "Flows processed Per Node",
-          "tooltip": {
-            "shared": true,
-            "sort": 1,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "ops",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
-        },
-        {
-          "aliasColors": {},
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": "prometheus",
-          "fill": 1,
-          "gridPos": {
-            "h": 5,
-            "w": 12,
-            "x": 12,
-            "y": 1
-          },
-          "id": 32,
-          "legend": {
-            "avg": false,
-            "current": false,
-            "max": false,
-            "min": false,
-            "show": true,
-            "total": false,
-            "values": false
-          },
-          "lines": true,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "options": {},
-          "percentage": false,
-          "pointradius": 2,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [],
-          "spaceLength": 10,
-          "stack": true,
-          "steppedLine": false,
-          "targets": [
-            {
-              "expr": "sum(rate(hubble_flows_processed_total[1m])) by (pod, type)",
-              "format": "time_series",
-              "intervalFactor": 1,
-              "legendFormat": "{{type}}",
-              "refId": "A"
-            }
-          ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeRegions": [],
-          "timeShift": null,
-          "title": "Flows Types",
-          "tooltip": {
-            "shared": true,
-            "sort": 2,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "ops",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
-        },
-        {
-          "aliasColors": {},
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": "prometheus",
-          "fill": 1,
-          "gridPos": {
-            "h": 5,
-            "w": 12,
-            "x": 0,
-            "y": 6
-          },
-          "id": 59,
-          "legend": {
-            "avg": false,
-            "current": false,
-            "max": false,
-            "min": false,
-            "show": true,
-            "total": false,
-            "values": false
-          },
-          "lines": true,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "options": {},
-          "percentage": false,
-          "pointradius": 2,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [],
-          "spaceLength": 10,
-          "stack": true,
-          "steppedLine": false,
-          "targets": [
-            {
-              "expr": "sum(rate(hubble_flows_processed_total{type=\"L7\"}[1m])) by (pod, subtype)",
-              "format": "time_series",
-              "intervalFactor": 1,
-              "legendFormat": "{{subtype}}",
-              "refId": "A"
-            }
-          ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeRegions": [],
-          "timeShift": null,
-          "title": "L7 Flow Distribution",
-          "tooltip": {
-            "shared": true,
-            "sort": 2,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "ops",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
-        },
-        {
-          "aliasColors": {},
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": "prometheus",
-          "fill": 1,
-          "gridPos": {
-            "h": 5,
-            "w": 12,
-            "x": 12,
-            "y": 6
-          },
-          "id": 60,
-          "legend": {
-            "avg": false,
-            "current": false,
-            "max": false,
-            "min": false,
-            "show": true,
-            "total": false,
-            "values": false
-          },
-          "lines": true,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "options": {},
-          "percentage": false,
-          "pointradius": 2,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [],
-          "spaceLength": 10,
-          "stack": true,
-          "steppedLine": false,
-          "targets": [
-            {
-              "expr": "sum(rate(hubble_flows_processed_total{type=\"Trace\"}[1m])) by (pod, subtype)",
-              "format": "time_series",
-              "intervalFactor": 1,
-              "legendFormat": "{{subtype}}",
-              "refId": "A"
-            }
-          ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeRegions": [],
-          "timeShift": null,
-          "title": "Trace Flow Distribution",
-          "tooltip": {
[Diff truncated by flux-local]
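Review bot: The added side of `hubble-dashboard.json` cannot be reviewed from this output: the hunk header announces 3240 lines replaced by 1059, but flux-local cuts the diff off inside the removed block. Render the chart locally and diff this ConfigMap on its own before merging, since the new queries and datasource references are not shown anywhere on this page.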
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-dns-namespace

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-dns-namespace

@@ -193,15 +193,15 @@

     \ ],\n    \"refresh\": \"\",\n    \"revision\": 1,\n    \"schemaVersion\": 38,\n\
     \    \"style\": \"dark\",\n    \"tags\": [\n      \"kubecon-demo\"\n    ],\n \
     \   \"templating\": {\n      \"list\": [\n        {\n          \"current\": {\n\
     \            \"selected\": false,\n            \"text\": \"default\",\n      \
     \      \"value\": \"default\"\n          },\n          \"hide\": 0,\n        \
     \  \"includeAll\": false,\n          \"label\": \"Data Source\",\n          \"\
-    multi\": false,\n          \"name\": \"prometheus_datasource\",\n          \"\
-    options\": [],\n          \"query\": \"prometheus\",\n          \"queryValue\"\
-    : \"\",\n          \"refresh\": 1,\n          \"regex\": \"(?!grafanacloud-usage|grafanacloud-ml-metrics).+\"\
+    multi\": false,\n          \"name\": \"DS_PROMETHEUS\",\n          \"options\"\
+    : [],\n          \"query\": \"prometheus\",\n          \"queryValue\": \"\",\n\
+    \          \"refresh\": 1,\n          \"regex\": \"(?!grafanacloud-usage|grafanacloud-ml-metrics).+\"\
     ,\n          \"skipUrlSync\": false,\n          \"type\": \"datasource\"\n   \
     \     },\n        {\n          \"current\": {},\n          \"datasource\": {\n\
     \            \"type\": \"prometheus\",\n            \"uid\": \"${DS_PROMETHEUS}\"\
     \n          },\n          \"definition\": \"label_values(cilium_version, cluster)\"\
     ,\n          \"hide\": 0,\n          \"includeAll\": true,\n          \"multi\"\
     : true,\n          \"name\": \"cluster\",\n          \"options\": [],\n      \
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-l7-http-metrics-by-workload

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-l7-http-metrics-by-workload

@@ -11,13 +11,22 @@

     grafana_dashboard: '1'
   annotations:
     grafana_folder: Cilium
 data:
   hubble-l7-http-metrics-by-workload.json: |
     {
-      "__inputs": [],
+      "__inputs": [
+        {
+          "name": "DS_PROMETHEUS",
+          "label": "prometheus",
+          "description": "",
+          "type": "datasource",
+          "pluginId": "prometheus",
+          "pluginName": "Prometheus"
+        }
+      ],
       "__elements": {},
       "__requires": [
         {
           "type": "grafana",
           "id": "grafana",
           "name": "Grafana",
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-network-overview-namespace

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-network-overview-namespace

@@ -349,15 +349,15 @@

     \    \"refresh\": \"\",\n    \"revision\": 1,\n    \"schemaVersion\": 38,\n  \
     \  \"style\": \"dark\",\n    \"tags\": [\n      \"kubecon-demo\"\n    ],\n   \
     \ \"templating\": {\n      \"list\": [\n        {\n          \"current\": {\n\
     \            \"selected\": false,\n            \"text\": \"default\",\n      \
     \      \"value\": \"default\"\n          },\n          \"hide\": 0,\n        \
     \  \"includeAll\": false,\n          \"label\": \"Data Source\",\n          \"\
-    multi\": false,\n          \"name\": \"prometheus_datasource\",\n          \"\
-    options\": [],\n          \"query\": \"prometheus\",\n          \"queryValue\"\
-    : \"\",\n          \"refresh\": 1,\n          \"regex\": \"(?!grafanacloud-usage|grafanacloud-ml-metrics).+\"\
+    multi\": false,\n          \"name\": \"DS_PROMETHEUS\",\n          \"options\"\
+    : [],\n          \"query\": \"prometheus\",\n          \"queryValue\": \"\",\n\
+    \          \"refresh\": 1,\n          \"regex\": \"(?!grafanacloud-usage|grafanacloud-ml-metrics).+\"\
     ,\n          \"skipUrlSync\": false,\n          \"type\": \"datasource\"\n   \
     \     },\n        {\n          \"current\": {},\n          \"datasource\": {\n\
     \            \"type\": \"prometheus\",\n            \"uid\": \"${DS_PROMETHEUS}\"\
     \n          },\n          \"definition\": \"label_values(cilium_version, cluster)\"\
     ,\n          \"hide\": 0,\n          \"includeAll\": true,\n          \"multi\"\
     : true,\n          \"name\": \"cluster\",\n          \"options\": [],\n      \
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium

@@ -106,14 +106,12 @@

   verbs:
   - get
   - update
 - apiGroups:
   - cilium.io
   resources:
-  - ciliumnetworkpolicies/status
-  - ciliumclusterwidenetworkpolicies/status
   - ciliumendpoints/status
   - ciliumendpoints
   - ciliuml2announcementpolicies/status
   - ciliumbgpnodeconfigs/status
   verbs:
   - patch
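Review bot: Dropping `ciliumnetworkpolicies/status` and `ciliumclusterwidenetworkpolicies/status` from this rule narrows the agent's write access, which is the right direction, but it also means agents can no longer patch status on those objects. Before merging, check that no alert, script or dashboard in this repo reads `.status` on CNP or CCNP resources to decide whether a policy is enforced.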
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

@@ -170,12 +170,13 @@

   - ciliumpodippools.cilium.io
 - apiGroups:
   - cilium.io
   resources:
   - ciliumloadbalancerippools
   - ciliumpodippools
+  - ciliumbgppeeringpolicies
   - ciliumbgpclusterconfigs
   - ciliumbgpnodeconfigoverrides
   verbs:
   - get
   - list
   - watch
--- HelmRelease: kube-system/cilium Service: kube-system/cilium-agent

+++ HelmRelease: kube-system/cilium Service: kube-system/cilium-agent

@@ -15,11 +15,7 @@

     k8s-app: cilium
   ports:
   - name: metrics
     port: 9962
     protocol: TCP
     targetPort: prometheus
-  - name: envoy-metrics
-    port: 9964
-    protocol: TCP
-    targetPort: envoy-metrics
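Review bot: Removing the `envoy-metrics` port (9964) from the cilium-agent Service drops that scrape target without any error: a ServiceMonitor or Prometheus job that selects this Service by port name keeps working for `metrics` and simply returns nothing for Envoy. Repoint Envoy scraping at wherever the external proxy exposes its metrics, and remove any firewall or policy rule that still allows 9964 towards the agent.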

--- HelmRelease: kube-system/cilium Service: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Service: kube-system/hubble-relay

@@ -12,8 +12,8 @@

   type: ClusterIP
   selector:
     k8s-app: hubble-relay
   ports:
   - protocol: TCP
     port: 80
-    targetPort: 4245
+    targetPort: grpc
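Review bot: `targetPort: grpc` only resolves if the hubble-relay container declares a port with that exact name, and the Deployment hunk in this diff stops at `ports:` without showing it. Verify the port name in the rendered Deployment; on a mismatch the Service gets no usable endpoint while the pod still reports Ready, because the probes use port 4222.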

--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,24 +16,24 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 4ec3d7c0877a13a8c619d4fe53e3942758cdd30db950441ade62a7fc62746869
+        cilium.io/cilium-configmap-checksum: fcb5c0eaa5f9dc95ccf1dfe16602711b668280cc30b5e8db047183ea6d53025c
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
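Review bot: The rendered image tag here is `v1.16.1`, while the PR title targets 1.16.4, so this diff appears to have been generated from an earlier revision of the branch. Regenerate the flux-local diff against the current head and review that output instead; the tag-plus-digest pin is good practice, but the digest that gets approved should be the one that gets deployed.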
@@ -133,16 +133,12 @@

           hostPort: 4244
           protocol: TCP
         - name: prometheus
           containerPort: 9962
           hostPort: 9962
           protocol: TCP
-        - name: envoy-metrics
-          containerPort: 9964
-          hostPort: 9964
-          protocol: TCP
         - name: hubble-metrics
           containerPort: 9965
           hostPort: 9965
           protocol: TCP
         securityContext:
           seLinuxOptions:
@@ -162,12 +158,15 @@

             - SETGID
             - SETUID
             drop:
             - ALL
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
+        - name: envoy-sockets
+          mountPath: /var/run/cilium/envoy/sockets
+          readOnly: false
         - mountPath: /host/proc/sys/net
           name: host-proc-sys-net
         - mountPath: /host/proc/sys/kernel
           name: host-proc-sys-kernel
         - name: bpf-maps
           mountPath: /sys/fs/bpf
@@ -190,13 +189,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -215,13 +214,13 @@

           value: '6444'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /sys/fs/cgroup
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -247,13 +246,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -277,13 +276,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -293,13 +292,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -341,13 +340,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.15.5@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
@@ -362,13 +361,12 @@

         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - name: cni-path
           mountPath: /host/opt/cni/bin
       restartPolicy: Always
       priorityClassName: system-node-critical
-      serviceAccount: cilium
       serviceAccountName: cilium
       automountServiceAccountToken: true
       terminationGracePeriodSeconds: 1
       hostNetwork: true
       affinity:
         podAntiAffinity:
@@ -412,12 +410,16 @@

         hostPath:
           path: /lib/modules
       - name: xtables-lock
         hostPath:
           path: /run/xtables.lock
           type: FileOrCreate
+      - name: envoy-sockets
+        hostPath:
+          path: /var/run/cilium/envoy/sockets
+          type: DirectoryOrCreate
       - name: clustermesh-secrets
         projected:
           defaultMode: 256
           sources:
           - secret:
               name: cilium-clustermesh
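Review bot: `envoy-sockets` is a hostPath with `type: DirectoryOrCreate` and is mounted into the agent with `readOnly: false` (see the volumeMounts hunk above), so the sockets shared between the agent and Envoy live in a directory on the node filesystem. Confirm that no other workload is permitted to mount `/var/run/cilium/envoy/sockets` or a parent of it (Pod Security admission or a policy-engine rule on hostPath volumes), and check the directory's owner and mode on a node after the rollout.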
@@ -429,12 +431,22 @@

               - key: tls.key
                 path: common-etcd-client.key
               - key: tls.crt
                 path: common-etcd-client.crt
               - key: ca.crt
                 path: common-etcd-client-ca.crt
+          - secret:
+              name: clustermesh-apiserver-local-cert
+              optional: true
+              items:
+              - key: tls.key
+                path: local-etcd-client.key
+              - key: tls.crt
+                path: local-etcd-client.crt
+              - key: ca.crt
+                path: local-etcd-client-ca.crt
       - name: host-proc-sys-net
         hostPath:
           path: /proc/sys/net
           type: Directory
       - name: host-proc-sys-kernel
         hostPath:
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,22 +20,22 @@

       maxSurge: 25%
       maxUnavailable: 100%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 4ec3d7c0877a13a8c619d4fe53e3942758cdd30db950441ade62a7fc62746869
+        cilium.io/cilium-configmap-checksum: fcb5c0eaa5f9dc95ccf1dfe16602711b668280cc30b5e8db047183ea6d53025c
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.15.5@sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8
+        image: quay.io/cilium/operator-generic:v1.16.1@sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
@@ -89,13 +89,12 @@

           mountPath: /tmp/cilium/config-map
           readOnly: true
         terminationMessagePolicy: FallbackToLogsOnError
       hostNetwork: true
       restartPolicy: Always
       priorityClassName: system-cluster-critical
-      serviceAccount: cilium-operator
       serviceAccountName: cilium-operator
       automountServiceAccountToken: true
       affinity:
         podAntiAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
           - labelSelector:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -17,13 +17,13 @@

     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/hubble-relay-configmap-checksum: 9ff143e9d452090a95b3354affb34e15672c8bf2f87e5d5f667dfdb7ca16ee27
+        cilium.io/hubble-relay-configmap-checksum: 058d4aa45f038b89c2abca9819ce810326aeb9f8c6d1560d4a2070e0db250b02
       labels:
         k8s-app: hubble-relay
         app.kubernetes.io/name: hubble-relay
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.15.5@sha256:1d24b24e3477ccf9b5ad081827db635419c136a2bd84a3e60f37b26a38dd0781
+        image: quay.io/cilium/hubble-relay:v1.16.1@sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
@@ -50,30 +50,32 @@

           grpc:
             port: 4222
           timeoutSeconds: 3
         livenessProbe:
           grpc:
             port: 4222
-          timeoutSeconds: 3
+          timeoutSeconds: 10
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          failureThreshold: 12
         startupProbe:
           grpc:
             port: 4222
-          timeoutSeconds: 3
+          initialDelaySeconds: 10
           failureThreshold: 20
           periodSeconds: 3
         volumeMounts:
         - name: config
           mountPath: /etc/hubble-relay
           readOnly: true
         - name: tls
           mountPath: /var/lib/hubble-relay/tls
           readOnly: true
         terminationMessagePolicy: FallbackToLogsOnError
       restartPolicy: Always
       priorityClassName: null
-      serviceAccount: hubble-relay
       serviceAccountName: hubble-relay
       automountServiceAccountToken: false
       terminationGracePeriodSeconds: 1
       affinity:
         podAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
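Review bot: in the startupProbe the `timeoutSeconds: 3` line is removed without a replacement, so the probe falls back to the Kubernetes default of 1 second; on a slow or loaded node a gRPC health check that takes longer than that now counts as a failure. The startup budget is still 10s initial delay plus 20 x 3s, so this is unlikely to loop, but confirm relay answers within 1s in this cluster. The livenessProbe goes the other way: with `periodSeconds: 10` and `failureThreshold: 12` a hung hubble-relay is restarted only after about two minutes of consecutive failures, where the old probe (defaults of 10s period and 3 failures) restarted after about 30 seconds. If flow visibility feeds alerting, note that longer blind window.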
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

@@ -23,19 +23,22 @@

         cilium.io/hubble-ui-nginx-configmap-checksum: e8acee96ed990156efd0291c8c33709d2c7902d2ec993eefa16c7cd3d1a9d84b
       labels:
         k8s-app: hubble-ui
         app.kubernetes.io/name: hubble-ui
         app.kubernetes.io/part-of: cilium
     spec:
+      securityContext:
+        fsGroup: 1001
+        runAsGroup: 1001
+        runAsUser: 1001
       priorityClassName: null
-      serviceAccount: hubble-ui
       serviceAccountName: hubble-ui
       automountServiceAccountToken: true
       containers:
       - name: frontend
-        image: quay.io/cilium/hubble-ui:v0.13.0@sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666
+        image: quay.io/cilium/hubble-ui:v0.13.1@sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
           containerPort: 8081
         livenessProbe:
           httpGet:
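Review bot: the new pod-level securityContext pins UID/GID 1001 but does not set `runAsNonRoot: true`, which the hubble-relay container in this same diff does set, so nothing here makes the kubelet refuse to start the pod if a later image or override runs it as root. Consider adding it through the chart values for hubble-ui. The hunk also keeps `automountServiceAccountToken: true` for a pod that serves a web UI; check in the full render that the containers drop capabilities and disable privilege escalation, neither of which is visible in these lines.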
@@ -50,13 +53,13 @@

           mountPath: /etc/nginx/conf.d/default.conf
           subPath: nginx.conf
         - name: tmp-dir
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: backend
-        image: quay.io/cilium/hubble-ui-backend:v0.13.0@sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803
+        image: quay.io/cilium/hubble-ui-backend:v0.13.1@sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b
         imagePullPolicy: IfNotPresent
         env:
         - name: EVENTS_SERVER_PORT
           value: '8090'
         - name: FLOWS_API_ADDR
           value: hubble-relay:80
--- HelmRelease: kube-system/cilium ServiceMonitor: kube-system/hubble

+++ HelmRelease: kube-system/cilium ServiceMonitor: kube-system/hubble

@@ -15,12 +15,13 @@

     - kube-system
   endpoints:
   - port: hubble-metrics
     interval: 10s
     honorLabels: true
     path: /metrics
+    scheme: http
     relabelings:
     - replacement: ${1}
       sourceLabels:
       - __meta_kubernetes_pod_node_name
       targetLabel: node

--- HelmRelease: kube-system/cilium ServiceAccount: kube-system/cilium-envoy

+++ HelmRelease: kube-system/cilium ServiceAccount: kube-system/cilium-envoy

@@ -0,0 +1,7 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cilium-envoy
+  namespace: kube-system
+
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config

@@ -0,0 +1,326 @@

+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cilium-envoy-config
+  namespace: kube-system
+data:
+  bootstrap-config.json: |
+    {
+      "node": {
+        "id": "host~127.0.0.1~no-id~localdomain",
+        "cluster": "ingress-cluster"
+      },
+      "staticResources": {
+        "listeners": [
+          {
+            "name": "envoy-prometheus-metrics-listener",
+            "address": {
+              "socket_address": {
+                "address": "0.0.0.0",
+                "port_value": 9964
+              }
+            },
+            "filter_chains": [
+              {
+                "filters": [
+                  {
+                    "name": "envoy.filters.network.http_connection_manager",
+                    "typed_config": {
+                      "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
+                      "stat_prefix": "envoy-prometheus-metrics-listener",
+                      "route_config": {
+                        "virtual_hosts": [
+                          {
+                            "name": "prometheus_metrics_route",
+                            "domains": [
+                              "*"
+                            ],
+                            "routes": [
+                              {
+                                "name": "prometheus_metrics_route",
+                                "match": {
+                                  "prefix": "/metrics"
+                                },
+                                "route": {
+                                  "cluster": "/envoy-admin",
+                                  "prefix_rewrite": "/stats/prometheus"
+                                }
+                              }
+                            ]
+                          }
+                        ]
+                      },
+                      "http_filters": [
+                        {
+                          "name": "envoy.filters.http.router",
+                          "typed_config": {
+                            "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+                          }
+                        }
+                      ],
+                      "stream_idle_timeout": "0s"
+                    }
+                  }
+                ]
+              }
+            ]
+          },
+          {
+            "name": "envoy-health-listener",
+            "address": {
+              "socket_address": {
+                "address": "127.0.0.1",
+                "port_value": 9878
+              }
+            },
+            "filter_chains": [
+              {
+                "filters": [
+                  {
+                    "name": "envoy.filters.network.http_connection_manager",
+                    "typed_config": {
+                      "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
+                      "stat_prefix": "envoy-health-listener",
+                      "route_config": {
+                        "virtual_hosts": [
+                          {
+                            "name": "health",
+                            "domains": [
+                              "*"
+                            ],
+                            "routes": [
+                              {
+                                "name": "health",
+                                "match": {
+                                  "prefix": "/healthz"
+                                },
+                                "route": {
+                                  "cluster": "/envoy-admin",
+                                  "prefix_rewrite": "/ready"
+                                }
+                              }
+                            ]
+                          }
+                        ]
+                      },
+                      "http_filters": [
+                        {
+                          "name": "envoy.filters.http.router",
+                          "typed_config": {
+                            "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+                          }
+                        }
+                      ],
+                      "stream_idle_timeout": "0s"
+                    }
+                  }
+                ]
+              }
+            ]
+          }
+        ],
+        "clusters": [
+          {
+            "name": "ingress-cluster",
+            "type": "ORIGINAL_DST",
+            "connectTimeout": "2s",
+            "lbPolicy": "CLUSTER_PROVIDED",
+            "typedExtensionProtocolOptions": {
+              "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+                "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+                "commonHttpProtocolOptions": {
+                  "idleTimeout": "60s",
+                  "maxConnectionDuration": "0s",
+                  "maxRequestsPerConnection": 0
+                },
+                "useDownstreamProtocolConfig": {}
+              }
+            },
+            "cleanupInterval": "2.500s"
+          },
+          {
+            "name": "egress-cluster-tls",
+            "type": "ORIGINAL_DST",
+            "connectTimeout": "2s",
+            "lbPolicy": "CLUSTER_PROVIDED",
+            "typedExtensionProtocolOptions": {
+              "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+                "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+                "commonHttpProtocolOptions": {
+                  "idleTimeout": "60s",
+                  "maxConnectionDuration": "0s",
+                  "maxRequestsPerConnection": 0
+                },
+                "upstreamHttpProtocolOptions": {},
+                "useDownstreamProtocolConfig": {}
+              }
+            },
+            "cleanupInterval": "2.500s",
+            "transportSocket": {
+              "name": "cilium.tls_wrapper",
+              "typedConfig": {
+                "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
+              }
+            }
+          },
+          {
+            "name": "egress-cluster",
+            "type": "ORIGINAL_DST",
+            "connectTimeout": "2s",
+            "lbPolicy": "CLUSTER_PROVIDED",
+            "typedExtensionProtocolOptions": {
+              "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+                "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+                "commonHttpProtocolOptions": {
+                  "idleTimeout": "60s",
+                  "maxConnectionDuration": "0s",
+                  "maxRequestsPerConnection": 0
+                },
+                "useDownstreamProtocolConfig": {}
+              }
+            },
+            "cleanupInterval": "2.500s"
+          },
+          {
+            "name": "ingress-cluster-tls",
+            "type": "ORIGINAL_DST",
+            "connectTimeout": "2s",
+            "lbPolicy": "CLUSTER_PROVIDED",
+            "typedExtensionProtocolOptions": {
+              "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+                "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+                "commonHttpProtocolOptions": {
+                  "idleTimeout": "60s",
+                  "maxConnectionDuration": "0s",
+                  "maxRequestsPerConnection": 0
+                },
+                "upstreamHttpProtocolOptions": {},
+                "useDownstreamProtocolConfig": {}
+              }
+            },
+            "cleanupInterval": "2.500s",
+            "transportSocket": {
+              "name": "cilium.tls_wrapper",
+              "typedConfig": {
+                "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
+              }
+            }
+          },
+          {
+            "name": "xds-grpc-cilium",
+            "type": "STATIC",
+            "connectTimeout": "2s",
+            "loadAssignment": {
+              "clusterName": "xds-grpc-cilium",
+              "endpoints": [
+                {
+                  "lbEndpoints": [
+                    {
+                      "endpoint": {
+                        "address": {
+                          "pipe": {
+                            "path": "/var/run/cilium/envoy/sockets/xds.sock"
+                          }
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            "typedExtensionProtocolOptions": {
+              "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+                "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+                "explicitHttpConfig": {
+                  "http2ProtocolOptions": {}
+                }
+              }
+            }
+          },
+          {
+            "name": "/envoy-admin",
+            "type": "STATIC",
+            "connectTimeout": "2s",
+            "loadAssignment": {
+              "clusterName": "/envoy-admin",
+              "endpoints": [
+                {
+                  "lbEndpoints": [
+                    {
+                      "endpoint": {
+                        "address": {
+                          "pipe": {
+                            "path": "/var/run/cilium/envoy/sockets/admin.sock"
+                          }
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          }
+        ]
+      },
+      "dynamicResources": {
+        "ldsConfig": {
+          "apiConfigSource": {
+            "apiType": "GRPC",
+            "transportApiVersion": "V3",
+            "grpcServices": [
+              {
+                "envoyGrpc": {
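Review bot: `envoy-prometheus-metrics-listener` binds `0.0.0.0:9964` and forwards to the `/envoy-admin` cluster (admin.sock), while the health listener beside it stays on `127.0.0.1`. Nothing in this ConfigMap restricts who may connect, and the cilium-envoy DaemonSet added in this PR runs with `hostNetwork: true`, so the port is open on every node address. Only the `/metrics` prefix is routed (rewritten to `/stats/prometheus`), which limits what reaches the admin socket, but the port should still be limited to the Prometheus scrapers with a host firewall rule or host-level network policy. The diff is also truncated by flux-local inside `dynamicResources`, so most of the 326 added lines are not reviewable here; render the chart locally and read the rest before merging.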
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

@@ -0,0 +1,171 @@

+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: cilium-envoy
+  namespace: kube-system
+  labels:
+    k8s-app: cilium-envoy
+    app.kubernetes.io/part-of: cilium
+    app.kubernetes.io/name: cilium-envoy
+    name: cilium-envoy
+spec:
+  selector:
+    matchLabels:
+      k8s-app: cilium-envoy
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 2
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: '9964'
+        prometheus.io/scrape: 'true'
+      labels:
+        k8s-app: cilium-envoy
+        name: cilium-envoy
+        app.kubernetes.io/name: cilium-envoy
+        app.kubernetes.io/part-of: cilium
+    spec:
+      securityContext:
+        appArmorProfile:
+          type: Unconfined
+      containers:
+      - name: cilium-envoy
+        image: quay.io/cilium/cilium-envoy:v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51@sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b
+        imagePullPolicy: IfNotPresent
+        command:
+        - /usr/bin/cilium-envoy-starter
+        args:
+        - --
+        - -c /var/run/cilium/envoy/bootstrap-config.json
+        - --base-id 0
+        - --log-level info
+        - --log-format [%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v
+        startupProbe:
+          httpGet:
+            host: 127.0.0.1
+            path: /healthz
+            port: 9878
+            scheme: HTTP
+          failureThreshold: 105
+          periodSeconds: 2
+          successThreshold: 1
+          initialDelaySeconds: 5
+        livenessProbe:
+          httpGet:
+            host: 127.0.0.1
+            path: /healthz
+            port: 9878
+            scheme: HTTP
+          periodSeconds: 30
+          successThreshold: 1
+          failureThreshold: 10
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            host: 127.0.0.1
+            path: /healthz
+            port: 9878
+            scheme: HTTP
+          periodSeconds: 30
+          successThreshold: 1
+          failureThreshold: 3
+          timeoutSeconds: 5
+        env:
+        - name: K8S_NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: CILIUM_K8S_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: KUBERNETES_SERVICE_HOST
+          value: 127.0.0.1
+        - name: KUBERNETES_SERVICE_PORT
+          value: '6444'
+        ports:
+        - name: envoy-metrics
+          containerPort: 9964
+          hostPort: 9964
+          protocol: TCP
+        securityContext:
+          seLinuxOptions:
+            level: s0
+            type: spc_t
+          capabilities:
+            add:
+            - NET_ADMIN
+            - SYS_ADMIN
+            drop:
+            - ALL
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - name: envoy-sockets
+          mountPath: /var/run/cilium/envoy/sockets
+          readOnly: false
+        - name: envoy-artifacts
+          mountPath: /var/run/cilium/envoy/artifacts
+          readOnly: true
+        - name: envoy-config
+          mountPath: /var/run/cilium/envoy/
+          readOnly: true
+        - name: bpf-maps
+          mountPath: /sys/fs/bpf
+          mountPropagation: HostToContainer
+      restartPolicy: Always
+      priorityClassName: system-node-critical
+      serviceAccountName: cilium-envoy
+      automountServiceAccountToken: true
+      terminationGracePeriodSeconds: 1
+      hostNetwork: true
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: cilium.io/no-schedule
+                operator: NotIn
+                values:
+                - 'true'
+        podAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                k8s-app: cilium
+            topologyKey: kubernetes.io/hostname
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                k8s-app: cilium-envoy
+            topologyKey: kubernetes.io/hostname
+      nodeSelector:
+        kubernetes.io/os: linux
+      tolerations:
+      - operator: Exists
+      volumes:
+      - name: envoy-sockets
+        hostPath:
+          path: /var/run/cilium/envoy/sockets
+          type: DirectoryOrCreate
+      - name: envoy-artifacts
+        hostPath:
+          path: /var/run/cilium/envoy/artifacts
+          type: DirectoryOrCreate
+      - name: envoy-config
+        configMap:
+          name: cilium-envoy-config
+          defaultMode: 256
+          items:
+          - key: bootstrap-config.json
+            path: bootstrap-config.json
+      - name: bpf-maps
+        hostPath:
+          path: /sys/fs/bpf
+          type: DirectoryOrCreate
+
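Review bot: this new DaemonSet places a proxy on every node with `hostNetwork: true`, added capabilities `NET_ADMIN` and `SYS_ADMIN`, SELinux type `spc_t` and `appArmorProfile: Unconfined`, and the container securityContext sets no `allowPrivilegeEscalation`, `readOnlyRootFilesystem` or `runAsNonRoot`. That is a node-level privileged workload arriving through a minor version bump, so decide explicitly whether this cluster wants the standalone Envoy and record the decision rather than letting it arrive with an automated update. If it stays: the container has no `resources` requests or limits despite `priorityClassName: system-node-critical`, `tolerations: - operator: Exists` schedules it onto every node including tainted ones, and `maxUnavailable: 2` with `terminationGracePeriodSeconds: 1` can take the L7 path down on two nodes at once during a rollout, which is a large share of a small K3s cluster. The image is pinned by digest, which is good; keep that pin when the diff is regenerated for the current chart version.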