fix(helm): update cilium ( 1.17.0 → 1.17.3 )

[renovate]

This PR contains the following updates:

Package	Update	Change
cilium (source)	patch	1.17.0 -> 1.17.3

---

Release Notes

cilium/cilium (cilium)

v1.17.3

Compare Source

v1.17.2: 1.17.2

Compare Source

Summary of Changes

Minor Changes:

• docs: clarify wording of remote-nodes in context of a clustermesh (Backport PR #​38104, Upstream PR #​37989, @​oblazek)
• Increase granularity of the api_duration_seconds metric buckets (Backport PR #​38104, Upstream PR #​37365, @​jaredledvina)
• New agent option --policy-restore-timeout (default 3m) has been added to bound the maximum time Cilium agent waits for endpoint policies to regenerate before starting serving resources to cilium-envoy proxy. (Backport PR #​37904, Upstream PR #​37658, @​jrajahalme)
• Set json output as default for cilium-dbg endpoint get (Backport PR #​37648, Upstream PR #​36537, @​saiaunghlyanhtet)
• Set json output as default for cilium-dbg endpoint get (Backport PR #​37742, Upstream PR #​36537, @​saiaunghlyanhtet)

Bugfixes:

• Apply Egress bandwith-limiting only once for traffic that is matched by an Egress Gateway policy. (Backport PR #​37904, Upstream PR #​37674, @​julianwiedmann)
• Auth policy is properly maintained also when covered by proxy redirects. (Backport PR #​37904, Upstream PR #​37685, @​jrajahalme)
• Do not auto detect / auto select IPoIB devices (Backport PR #​37648, Upstream PR #​37553, @​dylandreimerink)
• Egress route reconciliation (Backport PR #​38118, Upstream PR #​37962, @​dylandreimerink)
• Fix a regression that made it impossible to disable Hubble via Helm charts (Backport PR #​37648, Upstream PR #​37587, @​devodev)
• Fix bug causing cilium-dbg bpf commands to fail with a map not found error in IPv6-only clusters. (Backport PR #​37904, Upstream PR #​37787, @​pchaigno)
• Fix creating ServiceMonitor for Hubble when dynamic metrics are enabled in the Helm chart (Backport PR #​37648, Upstream PR #​37474, @​dustinspecker)
• Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR #​37904, Upstream PR #​37419, @​javanthropus)
• Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR (Backport PR #​37648, Upstream PR #​36978, @​tommasopozzetti)
• Fix envoy metrics could not be obtained on IPv6-only clusters (Backport PR #​37904, Upstream PR #​37818, @​haozhangami)
• Fix helm charts to properly configure tls and peer service for dynamic Hubble metrics. (Backport PR #​37904, Upstream PR #​37543, @​rectified95)
• Fix service id exceeds max limit (Backport PR #​37648, Upstream PR #​37191, @​haozhangami)
• Fix the --dns-policy-unload-on-shutdown feature for restored endpoints (Backport PR #​37648, Upstream PR #​37532, @​antonipp)
• Fix the possible race condition caused by async update from aws to instance map in issue #​36428 (Backport PR #​38104, Upstream PR #​37650, @​liyihuang)
• Fix traffic not getting masqueraded with wildcard devices or egress-masquerade-interfaces when enable-masquerade-to-route-source flag is set. (Backport PR #​37648, Upstream PR #​37450, @​liyihuang)
• fix(helm): multiPoolPreAllocation fix conditional avoid null (Backport PR #​37742, Upstream PR #​37585, @​acelinkio)
• fix: cilium-config configmap was incorrectly resulting in values like 2.09715…2e+06 instead of 2097152 (Backport PR #​37648, Upstream PR #​37236, @​dee-kryvenko)
• fix: duplicate label maps in helm chart templates and add missing commonlabels (Backport PR #​37742, Upstream PR #​37693, @​cmergenthaler)
• Fix: Resolved an issue causing ArgoCD to report constant out-of-sync status due to the hasKey check in Helm. The condition has been simplified to ensure proper synchronization. No functional changes to deployments. (Backport PR #​37648, Upstream PR #​37536, @​nicl-dev)
• Fixed Envoy JSON log format conversion in Helm, preventing crashes. (Backport PR #​37742, Upstream PR #​37656, @​kahirokunn)
• helm: fix large number handling (Backport PR #​37742, Upstream PR #​37670, @​justin0u0)
• hubble: escape terminal special characters from observe output (Backport PR #​37648, Upstream PR #​37401, @​devodev)
• hubble: fix locking of hubble metrics registry for dynamically configured metrics (Backport PR #​38104, Upstream PR #​37923, @​marseel)
• identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport PR #​38104, Upstream PR #​36657, @​oblazek)
• ipam/multi-pool: Periodically perform pool maintenance (Backport PR #​38104, Upstream PR #​37895, @​gandro)
• operator: explicit controller-runtime controller names to avoid naming conflicts (Backport PR #​37742, Upstream PR #​37606, @​mhofstetter)
• operator: Fix duplicate configurations (Backport PR #​37648, Upstream PR #​37293, @​joestringer)
• Restore aggregration of network trace events for Egress Gateway reply traffic on the gateway node (Backport PR #​38104, Upstream PR #​38029, @​julianwiedmann)
• Updated Gateway API and GAMMA processing to remove incorrect behavior when both parentRefs were present. (Backport PR #​38154, Upstream PR #​38143, @​youngnick)
• Workaround for iptables 1.8.10, used in OpenShift 4.16, 4.17 and 4.18, returning a wrong error message iptables: Incompatible with this kernel to iptables -n -L CHAIN when the chain does not exist. This prevents iptables configuration and induced unnecessary loops and log messages. (Backport PR #​38104, Upstream PR #​37749, @​fgiloux)

CI Changes:

• .github: Remove misleading step from ipsec workflow (Backport PR #​37742, Upstream PR #​37681, @​joestringer)
• .github: s/enbaled/enabled/ (Backport PR #​37648, Upstream PR #​37449, @​chansuke)
• bgpv1: wait for watchers to be ready in tests (Backport PR #​37904, Upstream PR #​37884, @​harsimran-pabla)
• CI: GKE backslash missing disable insecure kubelet (Backport PR #​37904, Upstream PR #​37850, @​auriaave)
• CI: GKE, disable insecure kubelet readonly port (Backport PR #​37904, Upstream PR #​37844, @​auriaave)
• ci: switch to monitor aggregation medium (Backport PR #​38104, Upstream PR #​38036, @​marseel)
• gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR #​37904, Upstream PR #​37551, @​jschwinger233)
• gh: ipsec-e2e: add concurrency for connectivity tests (Backport PR #​37925, Upstream PR #​37891, @​julianwiedmann)
• gh: update naming for bpftrace leak detection script (Backport PR #​37904, Upstream PR #​37865, @​julianwiedmann)

Misc Changes:

• always render enable-hubble in the Cilium configmap (Backport PR #​37904, Upstream PR #​37703, @​kaworu)
• bpf: Add option to utilize core maps via BPF_F_NO_COMMON_LRU (Backport PR #​38104, Upstream PR #​38037, @​borkmann)
• bpf: minor clean-ups for the ENI symmetric routing feature (Backport PR #​37648, Upstream PR #​37379, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.17) (#​37950, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​37944, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​38048, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.17.0 (v1.17) (#​37793, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.0 (v1.17) (#​37949, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.17) (#​38057, @​cilium-renovate[bot])
• chore(deps): update go to v1.23.7 (v1.17) (#​37996, @​cilium-renovate[bot])
• chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (v1.17) (#​37833, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.17) (#​38148, @​cilium-renovate[bot])
• cilium-dbg: output parentIfIndex in bpf endpoint list (Backport PR #​37742, Upstream PR #​37398, @​Mahdi-BZ)
• cilium: Allow to configure tunnel source port range (Backport PR #​37904, Upstream PR #​37777, @​borkmann)
• cilium: Pull in vxlan netlink Go fix and uncomment assertion in test (Backport PR #​37904, Upstream PR #​37808, @​borkmann)
• docs: complete load balancer service manifest in kubeproxy-free (Backport PR #​37648, Upstream PR #​37466, @​ybelleguic)
• docs: fix broken links (Backport PR #​38104, Upstream PR #​37995, @​nueavv)
• docs: masquerading: mention that BPF masq also pulls in BPF Host-Routing (Backport PR #​37648, Upstream PR #​37604, @​julianwiedmann)
• docs: use latest for rtd theme commit with fixed version selector (Backport PR #​37614, Upstream PR #​37421, @​ayuspin)
• envoy: remove duplicated service/endpointslice informers when envoyConfig is enabled (Backport PR #​37742, Upstream PR #​37683, @​marseel)
• Fix API generation and add trusted dependencies to renovate config (Backport PR #​37648, Upstream PR #​36957, @​aanm)
• Fix API generation and add trusted dependencies to renovate config (Backport PR #​37742, Upstream PR #​36957, @​aanm)
• Fix helm value for IPAM Multi-Pool (Backport PR #​38104, Upstream PR #​37963, @​saintdle)
• fqdn/dnsproxy: use netip.Addr for DNSProxy.usedServers (Backport PR #​38104, Upstream PR #​37985, @​tklauser)
• gha: Update the helm flag for TLS related test (Backport PR #​37648, Upstream PR #​37428, @​sayboras)
• ipcache: Slightly optimize calls to fetch tunnel and encrypt metadata (Backport PR #​38104, Upstream PR #​38021, @​christarazi)
• labels: fix TestNewFrom test (Backport PR #​37904, Upstream PR #​37846, @​giorio94)
• Moves Unix socket listener configuration to a new file specifically for Linux builds. (Backport PR #​37648, Upstream PR #​37399, @​ritwikranjan)
• operator: Explicitly init the FQDN regex LRU cache (Backport PR #​37648, Upstream PR #​37366, @​christarazi)
• pkg/hive: always use default logger when decorating cells (Backport PR #​37742, Upstream PR #​37636, @​aanm)
• policy: Skip iteration when proxy port priority is zero (Backport PR #​37648, Upstream PR #​37422, @​jrajahalme)
• Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport PR #​37904, Upstream PR #​37806, @​rolinh)
• Update Hubble UI to v0.13.2 which contains security fixes, add the missing traffic direction in the flow table, and enhance the home namespace list. See v0.13.2 for more details (Backport PR #​37742, Upstream PR #​37631, @​yannikmesserli)
• use runtime image set by env var action in build and lint (Backport PR #​37648, Upstream PR #​37253, @​Artyop)

Other Changes:

• [v1.17] Revert "Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR" (#​38101, @​julianwiedmann)
• Backport set runtime action 1.17 (#​37854, @​Artyop)
• gha: Update GatewayAPI conformance report (#​37671, @​sayboras)
• install: Update image digests for v1.17.1 (#​37580, @​cilium-release-bot[bot])
• v1.17: gh/workflows: Remove conformance-externalworkloads (#​37738, @​brb)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.2@​sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1
quay.io/cilium/cilium:stable@sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.2@​sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398
quay.io/cilium/clustermesh-apiserver:stable@sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398

docker-plugin

quay.io/cilium/docker-plugin:v1.17.2@​sha256:a599893f1fc76fc31afad2bbb73af7e7f618adbf02043b2098fafeca4adf551c
quay.io/cilium/docker-plugin:stable@sha256:a599893f1fc76fc31afad2bbb73af7e7f618adbf02043b2098fafeca4adf551c

hubble-relay

quay.io/cilium/hubble-relay:v1.17.2@​sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc
quay.io/cilium/hubble-relay:stable@sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.2@​sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe
quay.io/cilium/operator-alibabacloud:stable@sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe

operator-aws

quay.io/cilium/operator-aws:v1.17.2@​sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c
quay.io/cilium/operator-aws:stable@sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c

operator-azure

quay.io/cilium/operator-azure:v1.17.2@​sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0
quay.io/cilium/operator-azure:stable@sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0

operator-generic

quay.io/cilium/operator-generic:v1.17.2@​sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249
quay.io/cilium/operator-generic:stable@sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249

operator

quay.io/cilium/operator:v1.17.2@​sha256:697a7e6c4765ef053d33dd2d9d7f14642c01dfa7333ad7902de7ca5afbf3b419
quay.io/cilium/operator:stable@sha256:697a7e6c4765ef053d33dd2d9d7f14642c01dfa7333ad7902de7ca5afbf3b419

v1.17.1: 1.17.1

Compare Source

Summary of Changes

Minor Changes:

• [v1.17] agent: Deprecate lb-only mode (#​37391, @​brb)
• helm: Update CiliumNodeConfig version (Backport PR #​37440, Upstream PR #​37403, @​sayboras)

Bugfixes:

• ces: Fix bug where stale endpoint information was injected into IPCache (Backport PR #​37416, Upstream PR #​37347, @​gandro)
• socket-lb: Fix null pointer dereference in socketlb/cgroup.go (Backport PR #​37440, Upstream PR #​37426, @​alvaroaleman)

CI Changes:

• test: Move the dind image to Quay to avoid rate-limiting (Backport PR #​37440, Upstream PR #​37388, @​pchaigno)

Misc Changes:

• chore(deps): update all github action dependencies (v1.17) (#​37502, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​37342, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.17) (#​37501, @​cilium-renovate[bot])
• chore(deps): update go to v1.23.6 (v1.17) (#​37446, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​37409, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​37496, @​cilium-renovate[bot])

Other Changes:

• install: Update image digests for v1.17.0 (#​37432, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.1@​sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866
quay.io/cilium/cilium:stable@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.1@​sha256:1de22f46bfdd638de72c2224d5223ddc3bbeacda1803cb75799beca3d4bf7a4c
quay.io/cilium/clustermesh-apiserver:stable@sha256:1de22f46bfdd638de72c2224d5223ddc3bbeacda1803cb75799beca3d4bf7a4c

docker-plugin

quay.io/cilium/docker-plugin:v1.17.1@​sha256:d4d838be1d8c20eaf1810f1be1ccc963e8229653357ec6cf8e8c1a53f3f03a71
quay.io/cilium/docker-plugin:stable@sha256:d4d838be1d8c20eaf1810f1be1ccc963e8229653357ec6cf8e8c1a53f3f03a71

hubble-relay

quay.io/cilium/hubble-relay:v1.17.1@​sha256:397e8fbb188157f744390a7b272a1dec31234e605bcbe22d8919a166d202a3dc
quay.io/cilium/hubble-relay:stable@sha256:397e8fbb188157f744390a7b272a1dec31234e605bcbe22d8919a166d202a3dc

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.1@​sha256:034b479fba340f9d98510e509c7ce1c36e8889a109d5f1c2240fcb0942bc772c
quay.io/cilium/operator-alibabacloud:stable@sha256:034b479fba340f9d98510e509c7ce1c36e8889a109d5f1c2240fcb0942bc772c

operator-aws

quay.io/cilium/operator-aws:v1.17.1@​sha256:da74748057c836471bfdc0e65bb29ba0edb82916ec4b99f6a4f002b2fcc849d6
quay.io/cilium/operator-aws:stable@sha256:da74748057c836471bfdc0e65bb29ba0edb82916ec4b99f6a4f002b2fcc849d6

operator-azure

quay.io/cilium/operator-azure:v1.17.1@​sha256:b9e3e3994f5fcf1832e1f344f3b3b544832851b1990f124b2c2c68e3ffe04a9b
quay.io/cilium/operator-azure:stable@sha256:b9e3e3994f5fcf1832e1f344f3b3b544832851b1990f124b2c2c68e3ffe04a9b

operator-generic

quay.io/cilium/operator-generic:v1.17.1@​sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97
quay.io/cilium/operator-generic:stable@sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97

operator

quay.io/cilium/operator:v1.17.1@​sha256:5c5f4408112365ae10ebcbab2621c273cebc671fe63b0f19cc1376326f140f89
quay.io/cilium/operator:stable@sha256:5c5f4408112365ae10ebcbab2621c273cebc671fe63b0f19cc1376326f140f89

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

--- kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
-      version: 1.17.0
+      version: 1.17.3
   install:
     remediation:
       retries: 3
   interval: 30m
   upgrade:
     cleanupOnFail: true

[github-actions]

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -37,20 +37,22 @@

   bpf-policy-map-max: '16384'
   bpf-lb-map-max: '65536'
   bpf-lb-external-clusterip: 'false'
   bpf-lb-source-range-all-types: 'false'
   bpf-lb-algorithm-annotation: 'false'
   bpf-lb-mode-annotation: 'false'
+  bpf-distributed-lru: 'false'
   bpf-events-drop-enabled: 'true'
   bpf-events-policy-verdict-enabled: 'true'
   bpf-events-trace-enabled: 'true'
   preallocate-bpf-maps: 'false'
   cluster-name: default
   cluster-id: '0'
   routing-mode: native
   tunnel-protocol: vxlan
+  tunnel-source-port-range: 0-0
   service-no-backend-response: reject
   enable-l7-proxy: 'true'
   enable-ipv4-masquerade: 'true'
   enable-ipv4-big-tcp: 'false'
   enable-ipv6-big-tcp: 'false'
   enable-ipv6-masquerade: 'true'
@@ -108,13 +110,12 @@

   hubble-listen-address: :4244
   hubble-disable-tls: 'false'
   hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
   hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
   hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
   ipam: kubernetes
-  ipam-multi-pool-pre-allocation: null
   ipam-cilium-node-update-rate: 15s
   default-lb-service-ipam: lbipam
   egress-gateway-reconciliation-trigger-interval: 1s
   enable-vtep: 'false'
   vtep-endpoint: ''
   vtep-cidr: ''
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets

@@ -3,12 +3,14 @@

 kind: Role
 metadata:
   name: cilium-operator-tlsinterception-secrets
   namespace: cilium-secrets
   labels:
     app.kubernetes.io/part-of: cilium
+    helm.toolkit.fluxcd.io/name: cilium
+    helm.toolkit.fluxcd.io/namespace: kube-system
 rules:
 - apiGroups:
   - ''
   resources:
   - secrets
   verbs:
--- HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-bgp-control-plane-secrets

+++ HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-bgp-control-plane-secrets

@@ -3,12 +3,14 @@

 kind: RoleBinding
 metadata:
   name: cilium-bgp-control-plane-secrets
   namespace: kube-system
   labels:
     app.kubernetes.io/part-of: cilium
+    helm.toolkit.fluxcd.io/name: cilium
+    helm.toolkit.fluxcd.io/namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: cilium-bgp-control-plane-secrets
 subjects:
 - kind: ServiceAccount
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets

@@ -3,12 +3,14 @@

 kind: RoleBinding
 metadata:
   name: cilium-tlsinterception-secrets
   namespace: cilium-secrets
   labels:
     app.kubernetes.io/part-of: cilium
+    helm.toolkit.fluxcd.io/name: cilium
+    helm.toolkit.fluxcd.io/namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: cilium-tlsinterception-secrets
 subjects:
 - kind: ServiceAccount
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets

@@ -3,12 +3,14 @@

 kind: RoleBinding
 metadata:
   name: cilium-operator-tlsinterception-secrets
   namespace: cilium-secrets
   labels:
     app.kubernetes.io/part-of: cilium
+    helm.toolkit.fluxcd.io/name: cilium
+    helm.toolkit.fluxcd.io/namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: cilium-operator-tlsinterception-secrets
 subjects:
 - kind: ServiceAccount
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -18,26 +18,26 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: a7e932337f90e76d9abf9bc153f5a8f35c0ebda17585d18c5660633f42c8f3cf
+        cilium.io/cilium-configmap-checksum: ac453c2bcedb3d0d3d1dfc0105cc0540284ec29158cd635ac843361474ad5e4f
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
         helm.toolkit.fluxcd.io/name: cilium
         helm.toolkit.fluxcd.io/namespace: kube-system
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.17.0@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d
+        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -201,13 +201,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.17.0@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d
+        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -226,13 +226,13 @@

           value: '7445'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.17.0@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d
+        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /sys/fs/cgroup
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -258,13 +258,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.17.0@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d
+        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -288,13 +288,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.17.0@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d
+        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -304,13 +304,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.17.0@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d
+        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -352,13 +352,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.17.0@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d
+        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -22,24 +22,24 @@

       maxSurge: 25%
       maxUnavailable: 100%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: a7e932337f90e76d9abf9bc153f5a8f35c0ebda17585d18c5660633f42c8f3cf
+        cilium.io/cilium-configmap-checksum: ac453c2bcedb3d0d3d1dfc0105cc0540284ec29158cd635ac843361474ad5e4f
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
         helm.toolkit.fluxcd.io/name: cilium
         helm.toolkit.fluxcd.io/namespace: kube-system
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.17.0@sha256:1ce5a5a287166fc70b6a5ced3990aaa442496242d1d4930b5a3125e44cccdca8
+        image: quay.io/cilium/operator-generic:v1.17.3@sha256:8bd38d0e97a955b2d725929d60df09d712fb62b60b930551a29abac2dd92e597
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -38,13 +38,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.17.0@sha256:022c084588caad91108ac73e04340709926ea7fe12af95f57fcb794b68472e05
+        image: quay.io/cilium/hubble-relay:v1.17.3@sha256:f8674b5139111ac828a8818da7f2d344b4a5bfbaeb122c5dc9abed3e74000c55
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

@@ -36,13 +36,13 @@

         runAsUser: 1001
       priorityClassName: null
       serviceAccountName: hubble-ui
       automountServiceAccountToken: true
       containers:
       - name: frontend
-        image: quay.io/cilium/hubble-ui:v0.13.1@sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6
+        image: quay.io/cilium/hubble-ui:v0.13.2@sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
           containerPort: 8081
         livenessProbe:
           httpGet:
@@ -57,13 +57,13 @@

           mountPath: /etc/nginx/conf.d/default.conf
           subPath: nginx.conf
         - name: tmp-dir
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: backend
-        image: quay.io/cilium/hubble-ui-backend:v0.13.1@sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b
+        image: quay.io/cilium/hubble-ui-backend:v0.13.2@sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15
         imagePullPolicy: IfNotPresent
         env:
         - name: EVENTS_SERVER_PORT
           value: '8090'
         - name: FLOWS_API_ADDR
           value: hubble-relay:80