
feat(helm): update cilium ( 1.16.6 → 1.19.4 )#56

Open
renovate[bot] wants to merge 1 commit into main from renovate/cilium-1.x

@renovate renovate Bot commented Feb 8, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Update | Change
cilium (source) | minor | 1.16.6 → 1.19.4

Release Notes

cilium/cilium (cilium)

v1.19.4

Compare Source

v1.19.3: 1.19.3

Compare Source

Summary of Changes

Minor Changes:

Bugfixes:

  • [v1.19] Fix incorrect policy service selector handling (#​44888, @​fristonio)
  • bgp: Fix potential race in service advertisements upon error retry (Backport PR #​45211, Upstream PR #​45049, @​rastislavs)
  • clustermesh: fix a bug in the MCS-API CRD install that could attempt a CRD downgrade when the version label is higher (Backport PR #​44828, Upstream PR #​44738, @​MrFreezeex)
  • ctmap: Change order of active maps (Backport PR #​44828, Upstream PR #​44729, @​brb)
  • Ensure completion.WaitGroup always has a timeout (Backport PR #​45217, Upstream PR #​44731, @​jrajahalme)
  • envoy: Fix xds server npds listeners accounting (Backport PR #​45217, Upstream PR #​44830, @​fristonio)
  • Fix a slow memory leak triggered by incremental policy updates (Backport PR #​44994, Upstream PR #​44328, @​odinuge)
  • Fix endpoints for static pods stuck in init identity (Backport PR #​45211, Upstream PR #​45016, @​aaroniscode)
  • Fix in-cluster NodePort connectivity failure in DSR mode when SocketLB is disabled. When a pod accesses a NodePort service via a remote node's IP (instead of the ClusterIP) and the selected backend resides on the same node as the client, the connection fails due to missing reverse NAT on the reply path. (Backport PR #​44968, Upstream PR #​41963, @​gyutaeb)
  • Fix memory leak triggered by policies being created and deleted (Backport PR #​44828, Upstream PR #​44724, @​odinuge)
  • Fix panic in Hubble Relay when new peer address is unresolvable (Backport PR #​45211, Upstream PR #​45021, @​pesarkhobeee)
  • fix(datapath): ignore link-local IPv6 addresses for NodePort binding (Backport PR #​44974, Upstream PR #​44778, @​Bigdelle)
  • Fixed a bug in dual-stack cluster-pool IPAM where an operator restart with a pre-existing duplicate IPv6 PodCIDR could cause the affected node's IPv4 PodCIDR to be incorrectly freed and reassigned to another node. (Backport PR #​44866, Upstream PR #​44832, @​christarazi)
  • Fixed an issue where policy update ack is never completed after endpoint deletion. (Backport PR #​44818, Upstream PR #​44754, @​jrajahalme)
  • Fixed ipcache identity update hang when last proxy listener is removed. (Backport PR #​45217, Upstream PR #​44597, @​jrajahalme)
  • Fixes GRPCRoute being silently excluded from Envoy config when a Gateway listener explicitly sets allowedRoutes.kinds. (Backport PR #​44974, Upstream PR #​44826, @​eufriction)
  • Fixes increased CPU usage in hubble observe caused by log coloring feature, even when coloring was disabled (Backport PR #​44828, Upstream PR #​44119, @​tporeba)
  • lb: fix panic in orphan backend cleanup when addr is zero-value (Backport PR #​44994, Upstream PR #​44853, @​vipul-21)
  • lb: Skip nil slots during BPF map restore to prevent panic (Backport PR #​44974, Upstream PR #​44895, @​vipul-21)
  • operator/identitygc: fix nil pointer dereference on shutdown (Backport PR #​45211, Upstream PR #​45091, @​tsotne95)
  • wal: Do not truncate in NewWriter (Backport PR #​44974, Upstream PR #​44886, @​joamaki)
  • WireGuard now respects the underlay-protocol=ipv6 setting when selecting peer endpoints in dual-stack clusters with IPv6 underlay, fixing connectivity issues where IPv4 was incorrectly used despite being unreachable across nodes. (Backport PR #​45247, Upstream PR #​44629, @​tibrezus)

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests


v1.19.2: 1.19.2

Compare Source

Summary of Changes

Minor Changes:

Bugfixes:

  • Add rate limiting to neighbor reconciler to reduce CPU usage and memory churn (Backport PR #​44699, Upstream PR #​43928, @​dylandreimerink)
  • bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR #​44760, Upstream PR #​44658, @​smagnani96)
  • cilium-dbg: fix seg-fault ip get -l reserved:host (Backport PR #​44517, Upstream PR #​44443, @​aanm)
  • clustermesh: fix a few minor typo/issues in the MCS-API documentation (Backport PR #​44398, Upstream PR #​44299, @​MrFreezeex)
  • clustermesh: fix a goroutine leak related to EndpointSliceSync when removing cluster (Backport PR #​44517, Upstream PR #​44444, @​MrFreezeex)
  • clustermesh: fix a race condition where EndpointSlices created just before a cluster is removed could be left uncleaned (Backport PR #​44517, Upstream PR #​44503, @​MrFreezeex)
  • Enable Cilium upgrade and downgrade when existing XDP attach types differ from new XDP programs (Backport PR #​44496, Upstream PR #​44209, @​dylandreimerink)
  • Fix a bug where node IPv6 updates and deletes were not correctly propagated to the Linux kernel neighbor subsystem. (Backport PR #​44593, Upstream PR #​44540, @​tklauser)
  • Fix bug where more Helm options were gated by loadbalancer option than intended (Backport PR #​44699, Upstream PR #​42916, @​mliner)
  • Fix envoy admin socket being created as world-accessible (Backport PR #​44593, Upstream PR #​44512, @​0xch4z)
  • Fix IPSec key rotation race condition where packets were dropped due to XFRM states not being ready when peers started using the new key. Also adds logging for key rotation flow. (Backport PR #​44699, Upstream PR #​44335, @​daanvinken)
  • Fix tearing down wrong pod's veth in aws-cni chaining when using deterministic pod names (Backport PR #​44517, Upstream PR #​44494, @​aanm)
  • Fixed a bug in service load balancing where backend slot assignments could have gaps when maintenance backends exist, potentially causing traffic misrouting. (Backport PR #​44398, Upstream PR #​43902, @​Aman-Cool)
  • Fixed a bug where bandwidth priority updates were not applied when only the priority annotation was changed on a Pod. (Backport PR #​44517, Upstream PR #​44329, @​zbb88888)
  • Fixed an issue where wildcard FQDN network policy identities were not correctly pushed to Envoy when using SNI-based policies. (Backport PR #​44517, Upstream PR #​44462, @​liyihuang)
  • Fixed VTEP ARP responses returning 00:00:00:00:00:00 MAC due to interface MAC missing from eBPF Overlay configuration. (Backport PR #​44699, Upstream PR #​44513, @​akos011221)
  • gateway-api: Fix hostname intersection bug that was preventing cert-manager challenges from working correctly. (Backport PR #​44517, Upstream PR #​44492, @​youngnick)
  • gateway-api: Fixed some issues with TLSRoute attachment that will be covered by new conformance tests soon. (Backport PR #​44517, Upstream PR #​44397, @​youngnick)
  • Grant permissions to the cilium-operator so that it can reconcile ServiceImport when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44517, Upstream PR #​44458, @​MrFreezeex)
  • helm/ztunnel: Add host field to readiness probe to bind the health check port 15021 to 127.0.0.1 instead of 0.0.0.0 (Backport PR #​44593, Upstream PR #​44196, @​nddq)
  • ingress: Ensure that the shared ingress exposes port 443 so that it can pass upstream loadbalancer health checks. (Backport PR #​44517, Upstream PR #​44229, @​xtineskim)
  • ipam: Fix concurrent map access to multipool map (Backport PR #​44517, Upstream PR #​44150, @​christarazi)
  • l7lb: fix bypassing ingress policies for local backends (Backport PR #​44800, Upstream PR #​44693, @​smagnani96)
  • loadbalancer/healthserver: refresh ProxyRedirect per request (Backport PR #​44398, Upstream PR #​44286, @​mhofstetter)
  • policy: Improve PASS handling for non-consecutive tiers and wildcard fallbacks (Backport PR #​44418, Upstream PR #​43917, @​TheBeeZee)

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests


v1.19.1: 1.19.1

Compare Source

Summary of Changes

Bugfixes:

  • clustermesh: fix CRD update permission for MCS-API CRD install (Backport PR #​44280, Upstream PR #​44224, @​Preisschild)
  • Fix panic during datapath reinitialization if DirectRouting device is required but missing (Backport PR #​44280, Upstream PR #​44219, @​fristonio)
  • helm: Fixed RBAC errors with operator.enabled=false by aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR #​44280, Upstream PR #​44159, @​puwun)
  • Reduces rtnl_mutex contention on SR-IOV nodes by not requesting VF information in netlink RTM_GETLINK operations (Backport PR #​44280, Upstream PR #​43517, @​pasteley)

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests


operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Europe/Lisbon)

  • Branch creation
    • "every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


github-actions Bot commented Feb 8, 2025

--- kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
-      version: 1.16.6
+      version: 1.19.4
   install:
     remediation:
       retries: 3
   interval: 30m
   upgrade:
     cleanupOnFail: true
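
Review bot: the `version:` line moves the chart from 1.16.6 to 1.19.4, three minor releases in a single step, and the only `upgrade:` setting visible in this context is `cleanupOnFail: true`. Consider stepping through the intermediate minor releases in separate merges, or at least reading the rendered ConfigMap and RBAC diffs on this PR in full before merging, because the change here is one line while the rendered defaults change in many places.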


github-actions Bot commented Feb 8, 2025

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

@@ -9,8456 +9,11195 @@

     app.kubernetes.io/name: cilium-agent
     app.kubernetes.io/part-of: cilium
     grafana_dashboard: '1'
   annotations:
     grafana_folder: Cilium
 data:
-  cilium-dashboard.json: |
+  cilium-dashboard.json: |-
     {
       "annotations": {
         "list": [
           {
             "builtIn": 1,
-            "datasource": "-- Grafana --",
+            "datasource": {
+              "type": "datasource",
+              "uid": "grafana"
+            },
             "enable": true,
             "hide": true,
             "iconColor": "rgba(0, 211, 255, 1)",
             "name": "Annotations & Alerts",
             "type": "dashboard"
           }
         ]
       },
       "description": "Dashboard for Cilium (https://cilium.io/) metrics",
       "editable": true,
-      "gnetId": null,
+      "fiscalYearStartMonth": 0,
       "graphTooltip": 1,
-      "iteration": 1606309591568,
+      "id": 1,
       "links": [],
       "panels": [
         {
-          "aliasColors": {
-            "error": "#890f02",
-            "warning": "#c15c17"
-          },
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
           "datasource": {
             "type": "prometheus",
             "uid": "${DS_PROMETHEUS}"
           },
           "fieldConfig": {
             "defaults": {
-              "custom": {}
-            },
-            "overrides": []
-          },
-          "fill": 1,
-          "fillGradient": 0,
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "axisBorderShow": false,
+                "axisCenteredZero": false,
+                "axisColorMode": "text",
+                "axisLabel": "",
+                "axisPlacement": "auto",
+                "barAlignment": 0,
+                "barWidthFactor": 0.6,
+                "drawStyle": "line",
+                "fillOpacity": 10,
+                "gradientMode": "none",
+                "hideFrom": {
+                  "legend": false,
+                  "tooltip": false,
+                  "viz": false
+                },
+                "insertNulls": false,
+                "lineInterpolation": "linear",
+                "lineWidth": 1,
+                "pointSize": 5,
+                "scaleDistribution": {
+                  "type": "linear"
+                },
+                "showPoints": "never",
+                "spanNulls": false,
+                "stacking": {
+                  "group": "A",
+                  "mode": "none"
+                },
+                "thresholdsStyle": {
+                  "mode": "off"
+                }
+              },
+              "links": [],
+              "mappings": [],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  },
+                  {
+                    "color": "red",
+                    "value": 80
+                  }
+                ]
+              },
+              "unit": "opm"
+            },
+            "overrides": [
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "error"
+                },
+                "properties": [
+                  {
+                    "id": "color",
+                    "value": {
+                      "fixedColor": "#890f02",
+                      "mode": "fixed"
+                    }
+                  }
+                ]
+              },
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "warning"
+                },
+                "properties": [
+                  {
+                    "id": "color",
+                    "value": {
+                      "fixedColor": "#c15c17",
+                      "mode": "fixed"
+                    }
+                  }
+                ]
+              }
+            ]
+          },
           "gridPos": {
             "h": 5,
             "w": 12,
             "x": 0,
             "y": 0
           },
-          "hiddenSeries": false,
           "id": 76,
-          "legend": {
-            "avg": false,
-            "current": false,
-            "max": false,
-            "min": false,
-            "show": true,
-            "total": false,
-            "values": false
-          },
-          "lines": true,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
           "options": {
-            "dataLinks": []
-          },
-          "paceLength": 10,
-          "percentage": false,
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [
-            {
-              "alias": "error",
-              "yaxis": 2
-            }
-          ],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
+            "legend": {
+              "calcs": [],
+              "displayMode": "list",
+              "placement": "bottom",
+              "showLegend": true
+            },
+            "tooltip": {
+              "mode": "multi",
+              "sort": "none"
+            }
+          },
+          "pluginVersion": "11.3.1",
           "targets": [
             {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${DS_PROMETHEUS}"
+              },
+              "editorMode": "code",
               "expr": "sum(rate(cilium_errors_warnings_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m])) by (pod, level) * 60",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "{{level}}",
+              "range": true,
               "refId": "A"
             }
           ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeRegions": [],
-          "timeShift": null,
           "title": "Errors & Warnings",
-          "tooltip": {
-            "shared": true,
-            "sort": 0,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "opm",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "opm",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
+          "type": "timeseries"
         },
         {
-          "aliasColors": {
-            "avg": "#cffaff"
-          },
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
           "datasource": {
             "type": "prometheus",
             "uid": "${DS_PROMETHEUS}"
           },
           "fieldConfig": {
             "defaults": {
-              "custom": {}
-            },
-            "overrides": []
-          },
-          "fill": 0,
-          "fillGradient": 0,
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "axisBorderShow": false,
+                "axisCenteredZero": false,
+                "axisColorMode": "text",
+                "axisLabel": "",
+                "axisPlacement": "auto",
+                "barAlignment": 0,
+                "barWidthFactor": 0.6,
+                "drawStyle": "line",
+                "fillOpacity": 35,
+                "gradientMode": "none",
+                "hideFrom": {
+                  "legend": false,
+                  "tooltip": false,
+                  "viz": false
+                },
+                "insertNulls": false,
+                "lineInterpolation": "linear",
+                "lineWidth": 1,
+                "pointSize": 5,
+                "scaleDistribution": {
+                  "type": "linear"
+                },
+                "showPoints": "never",
+                "spanNulls": false,
+                "stacking": {
+                  "group": "A",
+                  "mode": "none"
+                },
+                "thresholdsStyle": {
+                  "mode": "off"
+                }
+              },
+              "links": [],
+              "mappings": [],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  },
+                  {
+                    "color": "red",
+                    "value": 80
+                  }
+                ]
+              },
+              "unit": "percent"
+            },
+            "overrides": [
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "avg"
+                },
+                "properties": [
+                  {
+                    "id": "color",
+                    "value": {
+                      "fixedColor": "#cffaff",
+                      "mode": "fixed"
+                    }
+                  }
+                ]
+              },
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "max"
+                },
+                "properties": [
+                  {
+                    "id": "custom.fillBelowTo",
+                    "value": "min"
+                  },
+                  {
+                    "id": "custom.lineWidth",
+                    "value": 0
+                  }
+                ]
+              },
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "min"
[Diff truncated by flux-local]
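
Review bot: in the "Errors & Warnings" panel the removed `seriesOverrides` entry placed the `error` series on `yaxis: 2`, while the new `fieldConfig.overrides` entries for `error` and `warning` carry only a fixed colour and no replacement axis override is visible. That comes from the upstream chart and needs no local change, but the hunk header shows about 11,000 rendered lines and flux-local truncated the diff, so the rest of the dashboard change cannot be reviewed from this comment; render the full diff locally if this dashboard is relied on during incidents.
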
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -9,125 +9,157 @@

   identity-heartbeat-timeout: 30m0s
   identity-gc-interval: 15m0s
   cilium-endpoint-gc-interval: 5m0s
   nodes-gc-interval: 5m0s
   debug: 'false'
   debug-verbose: ''
+  metrics-sampling-interval: 5m
   enable-policy: default
   policy-cidr-match-mode: ''
   prometheus-serve-addr: :9962
   controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
   proxy-prometheus-port: '9964'
   operator-prometheus-serve-addr: :9963
   enable-metrics: 'true'
+  enable-policy-secrets-sync: 'true'
+  policy-secrets-only-from-secrets-namespace: 'true'
+  policy-secrets-namespace: cilium-secrets
   enable-ipv4: 'true'
   enable-ipv6: 'false'
   custom-cni-conf: 'false'
   enable-bpf-clock-probe: 'false'
   monitor-aggregation: medium
   monitor-aggregation-interval: 5s
   monitor-aggregation-flags: all
   bpf-map-dynamic-size-ratio: '0.0025'
   bpf-policy-map-max: '16384'
+  bpf-policy-stats-map-max: '65536'
   bpf-lb-map-max: '65536'
   bpf-lb-external-clusterip: 'false'
+  bpf-lb-source-range-all-types: 'false'
+  bpf-lb-algorithm-annotation: 'false'
+  bpf-lb-mode-annotation: 'false'
+  bpf-distributed-lru: 'false'
   bpf-events-drop-enabled: 'true'
   bpf-events-policy-verdict-enabled: 'true'
   bpf-events-trace-enabled: 'true'
   preallocate-bpf-maps: 'false'
   cluster-name: athena
   cluster-id: '1'
   routing-mode: native
+  tunnel-protocol: vxlan
+  tunnel-source-port-range: 0-0
   service-no-backend-response: reject
+  policy-deny-response: none
   enable-l7-proxy: 'true'
   enable-ipv4-masquerade: 'true'
   enable-ipv4-big-tcp: 'false'
   enable-ipv6-big-tcp: 'false'
   enable-ipv6-masquerade: 'true'
   enable-tcx: 'true'
   datapath-mode: veth
   enable-bpf-masquerade: 'false'
   enable-masquerade-to-route-source: 'false'
   enable-xt-socket-fallback: 'true'
   install-no-conntrack-iptables-rules: 'false'
+  iptables-random-fully: 'false'
   auto-direct-node-routes: 'true'
   direct-routing-skip-unreachable: 'false'
   enable-local-redirect-policy: 'true'
   ipv4-native-routing-cidr: 10.10.0.0/16
-  enable-runtime-device-detection: 'true'
   kube-proxy-replacement: 'true'
   kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
+  enable-no-service-endpoints-routable: 'true'
   bpf-lb-sock: 'false'
   bpf-lb-sock-hostns-only: 'true'
   nodeport-addresses: ''
   enable-health-check-nodeport: 'true'
   enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-mode: dsr
   bpf-lb-algorithm: maglev
   bpf-lb-acceleration: disabled
-  enable-svc-source-range-check: 'true'
-  enable-l2-neigh-discovery: 'true'
-  arping-refresh-period: 30s
+  enable-service-topology: 'false'
+  enable-l2-neigh-discovery: 'false'
   k8s-require-ipv4-pod-cidr: 'false'
   k8s-require-ipv6-pod-cidr: 'false'
   enable-endpoint-routes: 'true'
   enable-k8s-networkpolicy: 'true'
+  enable-endpoint-lockdown-on-policy-overflow: 'false'
   write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
   cni-exclusive: 'false'
   cni-log-file: /var/run/cilium/cilium-cni.log
   enable-endpoint-health-checking: 'true'
   enable-health-checking: 'true'
+  health-check-icmp-failure-threshold: '3'
   enable-well-known-identities: 'false'
   enable-node-selector-labels: 'false'
   synchronize-k8s-nodes: 'true'
   operator-api-serve-addr: 127.0.0.1:9234
+  enable-hubble: 'false'
   ipam: kubernetes
   ipam-cilium-node-update-rate: 15s
+  default-lb-service-ipam: lbipam
   egress-gateway-reconciliation-trigger-interval: 1s
   enable-vtep: 'false'
   vtep-endpoint: ''
   vtep-cidr: ''
   vtep-mask: ''
   vtep-mac: ''
   enable-l2-announcements: 'true'
+  packetization-layer-pmtud-mode: blackhole
   procfs: /host/proc
   bpf-root: /sys/fs/bpf
   cgroup-root: /sys/fs/cgroup
-  enable-k8s-terminating-endpoint: 'true'
+  identity-management-mode: agent
   enable-sctp: 'false'
-  k8s-client-qps: '10'
-  k8s-client-burst: '20'
   remove-cilium-node-taints: 'true'
   set-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
-  unmanaged-pod-watcher-interval: '15'
+  unmanaged-pod-watcher-interval: 15s
   dnsproxy-enable-transparent-mode: 'true'
   dnsproxy-socket-linger-timeout: '10'
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
-  tofqdns-endpoint-max-ip-per-hostname: '50'
+  tofqdns-endpoint-max-ip-per-hostname: '1000'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
   tofqdns-proxy-response-max-delay: 100ms
+  tofqdns-preallocate-identities: 'true'
   agent-not-ready-taint-key: node.cilium.io/agent-not-ready
-  mesh-auth-enabled: 'true'
+  mesh-auth-enabled: 'false'
   mesh-auth-queue-size: '1024'
   mesh-auth-rotated-identities-queue-size: '1024'
   mesh-auth-gc-interval: 5m0s
   proxy-xff-num-trusted-hops-ingress: '0'
   proxy-xff-num-trusted-hops-egress: '0'
   proxy-connect-timeout: '2'
   proxy-initial-fetch-timeout: '30'
+  proxy-max-active-downstream-connections: '50000'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
   proxy-idle-timeout-seconds: '60'
+  proxy-max-concurrent-retries: '128'
+  proxy-use-original-source-address: 'true'
+  proxy-cluster-max-connections: '1024'
+  proxy-cluster-max-requests: '1024'
+  http-retry-count: '3'
+  http-stream-idle-timeout: '300'
   external-envoy-proxy: 'false'
   envoy-base-id: '0'
+  envoy-access-log-buffer-size: '4096'
   envoy-keep-cap-netbindservice: 'false'
   max-connected-clusters: '255'
+  clustermesh-cache-ttl: 0s
   clustermesh-enable-endpoint-sync: 'false'
   clustermesh-enable-mcs-api: 'false'
+  clustermesh-mcs-api-install-crds: 'true'
+  policy-default-local-cluster: 'true'
   nat-map-stats-entries: '32'
   nat-map-stats-interval: 30s
+  enable-lb-ipam: 'true'
+  enable-non-default-deny-policies: 'true'
+  enable-source-ip-verification: 'true'
+  enable-dynamic-config: 'true'
+  enable-drift-checker: 'true'
 
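
Review bot: `mesh-auth-enabled` flips from 'true' to 'false' although the only source change in this PR is the chart version, so this is a changed chart default rather than a choice made in this repository. If any policy depends on mutual authentication, pin the setting explicitly in the HelmRelease values before merging. The same applies to the other silent changes in this hunk: `enable-svc-source-range-check: 'true'` and `enable-k8s-terminating-endpoint: 'true'` disappear, `enable-l2-neigh-discovery` goes from 'true' to 'false', and `tofqdns-endpoint-max-ip-per-hostname` rises from '50' to '1000'; each should be checked against the upgrade notes for the intermediate releases.
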
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-operator-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-operator-dashboard

@@ -1013,13 +1013,19 @@

       ],
       "refresh": false,
       "schemaVersion": 25,
       "style": "dark",
       "tags": [],
       "templating": {
-        "list": []
+        "list": [
+          {
+            "type": "datasource",
+            "name": "DS_PROMETHEUS",
+            "query": "prometheus"
+          }
+        ]
       },
       "time": {
         "from": "now-30m",
         "to": "now"
       },
       "timepicker": {
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

@@ -53,12 +53,13 @@

   - update
   - patch
 - apiGroups:
   - ''
   resources:
   - namespaces
+  - secrets
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - ''
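
Review bot: adding `secrets` to this rule gives the operator `get`, `list` and `watch` on Secrets in every namespace, because the rule sits in a ClusterRole and shows no `resourceNames`. The cilium-config diff on this PR adds `enable-policy-secrets-sync: 'true'` with `policy-secrets-namespace: cilium-secrets`, which is the likely reason; if no network policy here references a Secret, check whether disabling that sync in the chart values removes this grant from the rendered role.
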
@@ -136,12 +137,19 @@

   - get
   - list
   - watch
   - delete
   - patch
 - apiGroups:
+  - cilium.io
+  resources:
+  - ciliumbgpclusterconfigs/status
+  - ciliumbgppeerconfigs/status
+  verbs:
+  - update
+- apiGroups:
   - apiextensions.k8s.io
   resources:
   - customresourcedefinitions
   verbs:
   - create
   - get
@@ -152,41 +160,41 @@

   resources:
   - customresourcedefinitions
   verbs:
   - update
   resourceNames:
   - ciliumloadbalancerippools.cilium.io
-  - ciliumbgppeeringpolicies.cilium.io
   - ciliumbgpclusterconfigs.cilium.io
   - ciliumbgppeerconfigs.cilium.io
   - ciliumbgpadvertisements.cilium.io
   - ciliumbgpnodeconfigs.cilium.io
   - ciliumbgpnodeconfigoverrides.cilium.io
   - ciliumclusterwideenvoyconfigs.cilium.io
   - ciliumclusterwidenetworkpolicies.cilium.io
   - ciliumegressgatewaypolicies.cilium.io
   - ciliumendpoints.cilium.io
   - ciliumendpointslices.cilium.io
   - ciliumenvoyconfigs.cilium.io
-  - ciliumexternalworkloads.cilium.io
   - ciliumidentities.cilium.io
   - ciliumlocalredirectpolicies.cilium.io
   - ciliumnetworkpolicies.cilium.io
   - ciliumnodes.cilium.io
   - ciliumnodeconfigs.cilium.io
   - ciliumcidrgroups.cilium.io
   - ciliuml2announcementpolicies.cilium.io
   - ciliumpodippools.cilium.io
+  - ciliumgatewayclassconfigs.cilium.io
 - apiGroups:
   - cilium.io
   resources:
   - ciliumloadbalancerippools
   - ciliumpodippools
   - ciliumbgppeeringpolicies
   - ciliumbgpclusterconfigs
   - ciliumbgpnodeconfigoverrides
+  - ciliumbgppeerconfigs
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - cilium.io
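Review bot: Check the cluster for existing CiliumBGPPeeringPolicy and CiliumExternalWorkload objects before merging, because the `resourceNames` list here loses `ciliumbgppeeringpolicies.cilium.io` and `ciliumexternalworkloads.cilium.io`, and the operator can then no longer update those two CRDs. The read rule just below still lists `ciliumbgppeeringpolicies`, so the removal is easy to miss; any remaining peering policies should be migrated to the `ciliumbgpclusterconfigs` / `ciliumbgppeerconfigs` resources that stay in the list.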
@@ -205,7 +213,13 @@

   resources:
   - leases
   verbs:
   - create
   - get
   - update
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumendpointslices
+  verbs:
+  - deletecollection
 
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,60 +16,65 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 1d9dd7de44a4535a928ffeef0787b5c79723050a2e399a92043be004c3791c74
+        cilium.io/cilium-configmap-checksum: bbc1392a73c65ad69baea3bf69a782207c59b5720129d7bf6bd7c5be45c15ef7
+        kubectl.kubernetes.io/default-container: cilium-agent
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
+        seccompProfile:
+          type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9879
+            port: health
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
-          failureThreshold: 105
+          failureThreshold: 300
           periodSeconds: 2
           successThreshold: 1
           initialDelaySeconds: 5
         livenessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9879
+            port: health
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
+            - name: require-k8s-connectivity
+              value: 'false'
           periodSeconds: 30
           successThreshold: 1
           failureThreshold: 10
           timeoutSeconds: 5
         readinessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9879
+            port: health
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
           periodSeconds: 30
           successThreshold: 1
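Review bot: The pod-level `seccompProfile: type: Unconfined` added under `spec.securityContext` switches seccomp filtering off for every container and init container in the agent pod that does not set its own profile, on top of the existing `appArmorProfile: Unconfined`. The operator Deployment in this same PR moves to `RuntimeDefault`, so confirm the agent setting is intended and not just a chart default that can be overridden. The probes now reference `port: health`, which only resolves because the named port is added in a later hunk of this file; the two changes have to land together.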
@@ -94,12 +99,16 @@

               resource: limits.memory
               divisor: '1'
         - name: KUBERNETES_SERVICE_HOST
           value: 127.0.0.1
         - name: KUBERNETES_SERVICE_PORT
           value: '7445'
+        - name: KUBE_CLIENT_BACKOFF_BASE
+          value: '1'
+        - name: KUBE_CLIENT_BACKOFF_DURATION
+          value: '120'
         lifecycle:
           postStart:
             exec:
               command:
               - bash
               - -c
@@ -125,27 +134,23 @@

                 echo 'Done!'
           preStop:
             exec:
               command:
               - /cni-uninstall.sh
         ports:
-        - name: peer-service
-          containerPort: 4244
-          hostPort: 4244
+        - name: health
+          containerPort: 9879
+          hostPort: 9879
           protocol: TCP
         - name: prometheus
           containerPort: 9962
           hostPort: 9962
           protocol: TCP
         - name: envoy-metrics
           containerPort: 9964
           hostPort: 9964
-          protocol: TCP
-        - name: envoy-admin
-          containerPort: 9901
-          hostPort: 9901
           protocol: TCP
         securityContext:
           seLinuxOptions:
             level: s0
             type: spc_t
           capabilities:
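Review bot: The `ports` list now declares `hostPort: 9879` for `health` and no longer declares `peer-service` (4244) or `envoy-admin` (9901), so node firewall rules, network policies and monitoring that referenced those ports need a matching update. The probes target `127.0.0.1`, so after rollout check whether 9879 is reachable from outside the node and restrict it at the node firewall if it is.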
@@ -190,13 +195,13 @@

         - name: xtables-lock
           mountPath: /run/xtables.lock
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -214,22 +219,28 @@

         - name: KUBERNETES_SERVICE_PORT
           value: '7445'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+            drop:
+            - ALL
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /sys/fs/cgroup
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
-        - sh
+        - bash
         - -ec
         - |
           cp /usr/bin/cilium-mount /hostbin/cilium-mount;
           nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
           rm /hostbin/cilium-mount
         volumeMounts:
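Review bot: The new `securityContext` on the `config` init container drops `ALL` but adds `NET_ADMIN` and leaves `allowPrivilegeEscalation` unset, unlike the operator container in this PR, which sets `allowPrivilegeEscalation: false`. The container's command is `cilium-dbg build-config`, so it is worth confirming in the upstream chart why `NET_ADMIN` is needed there, and setting `allowPrivilegeEscalation: false` if the chart exposes it.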
@@ -247,19 +258,19 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
-        - sh
+        - bash
         - -ec
         - |
           cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
           nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
           rm /hostbin/cilium-sysctlfix
         volumeMounts:
@@ -277,13 +288,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -293,13 +304,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -341,17 +352,20 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
+          limits:
+            cpu: 1
+            memory: 1Gi
           requests:
             cpu: 100m
             memory: 10Mi
         securityContext:
           seLinuxOptions:
             level: s0
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,22 +20,25 @@

       maxSurge: 25%
       maxUnavailable: 100%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 1d9dd7de44a4535a928ffeef0787b5c79723050a2e399a92043be004c3791c74
+        cilium.io/cilium-configmap-checksum: bbc1392a73c65ad69baea3bf69a782207c59b5720129d7bf6bd7c5be45c15ef7
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.16.6@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
+        image: quay.io/cilium/operator-generic:v1.19.4@sha256:1aa2b62735e7d8ab49ee840ae59c346932024c88901579121395c1271b435f71
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
@@ -58,39 +61,47 @@

               optional: true
         - name: KUBERNETES_SERVICE_HOST
           value: 127.0.0.1
         - name: KUBERNETES_SERVICE_PORT
           value: '7445'
         ports:
+        - name: health
+          containerPort: 9234
+          hostPort: 9234
         - name: prometheus
           containerPort: 9963
           hostPort: 9963
           protocol: TCP
         livenessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9234
+            port: health
             scheme: HTTP
           initialDelaySeconds: 60
           periodSeconds: 10
           timeoutSeconds: 3
         readinessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9234
+            port: health
             scheme: HTTP
           initialDelaySeconds: 0
           periodSeconds: 5
           timeoutSeconds: 3
           failureThreshold: 5
         volumeMounts:
         - name: cilium-config-path
           mountPath: /tmp/cilium/config-map
           readOnly: true
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
         terminationMessagePolicy: FallbackToLogsOnError
       hostNetwork: true
       restartPolicy: Always
       priorityClassName: system-cluster-critical
       serviceAccountName: cilium-operator
       automountServiceAccountToken: true
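Review bot: The added `health` port (`containerPort: 9234`, `hostPort: 9234`) has no `protocol: TCP`, while the `prometheus` port next to it and the agent's `health` port both set it. The API server defaults the field to TCP, but keeping it explicit avoids a defaulted field differing between the rendered and the live manifest; since this is rendered chart output, the fix belongs upstream. The `allowPrivilegeEscalation: false` and `drop: ALL` additions in the same hunk are a straightforward tightening.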
@@ -101,12 +112,21 @@

               matchLabels:
                 io.cilium/app: operator
             topologyKey: kubernetes.io/hostname
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
-      - operator: Exists
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+      - key: node.kubernetes.io/not-ready
+        operator: Exists
+      - key: node.cloudprovider.kubernetes.io/uninitialized
+        operator: Exists
+      - key: node.cilium.io/agent-not-ready
+        operator: Exists
       volumes:
       - name: cilium-config-path
         configMap:
           name: cilium-config
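Review bot: Replacing the blanket `- operator: Exists` toleration with five named keys means the operator no longer schedules onto nodes that carry any other taint. List the taints on this cluster's nodes before merging; if every candidate node has a custom taint, the new operator pods stay Pending, and with `maxUnavailable: 100%` in the rollout strategy the old ones may already be gone. In that case add the missing toleration through the chart values in the same change.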
 
--- HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent

+++ HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent

@@ -3,26 +3,28 @@

 kind: ServiceMonitor
 metadata:
   name: cilium-agent
   namespace: kube-system
   labels:
     app.kubernetes.io/part-of: cilium
+    app.kubernetes.io/name: cilium-agent
 spec:
   selector:
     matchLabels:
-      k8s-app: cilium
+      app.kubernetes.io/name: cilium-agent
   namespaceSelector:
     matchNames:
     - kube-system
   endpoints:
   - port: metrics
     interval: 10s
     honorLabels: true
     path: /metrics
     relabelings:
-    - replacement: ${1}
+    - action: replace
+      replacement: ${1}
       sourceLabels:
       - __meta_kubernetes_pod_node_name
       targetLabel: node
   targetLabels:
   - k8s-app
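Review bot: The selector switches from `k8s-app: cilium` to `app.kubernetes.io/name: cilium-agent`, and this hunk does not show the Service it selects, so confirm the rendered metrics Service carries the new label; otherwise the ServiceMonitor matches nothing and agent metrics disappear without an error. `targetLabels` still copies `k8s-app`, so that label also has to remain on the Service for dashboards and alerts keyed on it.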
 
--- HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets

+++ HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets

@@ -0,0 +1,8 @@

+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets

@@ -0,0 +1,19 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-operator-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - update
+  - patch
+
--- HelmRelease: kube-system/cilium Role: kube-system/cilium-operator-ztunnel

+++ HelmRelease: kube-system/cilium Role: kube-system/cilium-operator-ztunnel

@@ -0,0 +1,20 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-operator-ztunnel
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+
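Review bot: `create` and `delete` on `daemonsets` in `kube-system` is a broad grant for the operator: `create` cannot be narrowed with `resourceNames`, so the Role allows any DaemonSet in that namespace, not only a ztunnel one. If the feature behind this Role is not enabled in this cluster, check whether the chart can omit the Role and its RoleBinding; otherwise add an audit or admission rule that flags DaemonSet creation in `kube-system` by the `cilium-operator` service account for anything other than the expected workload.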
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+  name: cilium
+  namespace: kube-system
+
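Review bot: The subject is the `cilium` service account in `kube-system`; if that is the account the `cilium` DaemonSet runs as, every Secret placed in `cilium-secrets` becomes readable from each node through the `get`/`list`/`watch` Role of the same name. Keep that namespace limited to the material the agent needs and restrict who can create Secrets in it.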
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-operator-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-operator-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+  name: cilium-operator
+  namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-operator-ztunnel

+++ HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-operator-ztunnel

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-operator-ztunnel
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-operator-ztunnel
+subjects:
+- kind: ServiceAccount
+  name: cilium-operator
+  namespace: kube-system
+

@renovate renovate Bot changed the title feat(helm): update cilium ( 1.16.6 → 1.17.0 ) feat(helm): update cilium ( 1.16.6 → 1.17.1 ) Feb 13, 2025
@renovate renovate Bot force-pushed the renovate/cilium-1.x branch from 35ed4f9 to 898f8c0 Compare February 13, 2025 12:42
@eivarin eivarin force-pushed the main branch 7 times, most recently from b854a53 to 05a2961 Compare March 12, 2025 22:46
@renovate renovate Bot force-pushed the renovate/cilium-1.x branch from 898f8c0 to 42595ee Compare March 15, 2025 18:36
@renovate renovate Bot changed the title feat(helm): update cilium ( 1.16.6 → 1.17.1 ) feat(helm): update cilium ( 1.16.6 → 1.17.2 ) Mar 15, 2025
@eivarin eivarin force-pushed the main branch 14 times, most recently from cf65ea8 to a605820 Compare March 17, 2025 16:32
@eivarin eivarin force-pushed the main branch 29 times, most recently from fef0cc0 to 234272b Compare March 18, 2025 01:29