fix(helm): update cilium ( 1.16.4 → 1.16.5 )

[lumiere-bot]

This PR contains the following updates:

Package	Update	Change
cilium (source)	patch	1.16.4 -> 1.16.5

---

Release Notes

cilium/cilium (cilium)

v1.16.5: 1.16.5

Compare Source

Summary of Changes

Minor Changes:

• hubble: Stop building 32-bit binaries (Backport PR #​36066, Upstream PR #​35974, @​michi-covalent)

Bugfixes:

• Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (Backport PR #​36540, Upstream PR #​36484, @​julianwiedmann)
• bgp: fix race in bgp stores (Backport PR #​36066, Upstream PR #​35971, @​harsimran-pabla)
• BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR #​36286, Upstream PR #​36230, @​rastislavs)
• BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR #​36286, Upstream PR #​36165, @​rastislavs)
• Cilium agent now waits until endpoints have restored before starting accepting new xDS streams. (Backport PR #​36049, Upstream PR #​35984, @​jrajahalme)
• Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (Backport PR #​36462, Upstream PR #​36252, @​bimmlerd)
• cilium-health-ep controller is made to be more robust against successive failures. (Backport PR #​36066, Upstream PR #​35936, @​jrajahalme)
• DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (Backport PR #​36468, Upstream PR #​36142, @​jrajahalme)
• Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (Backport PR #​36049, Upstream PR #​36060, @​jrajahalme)
• Fix an issue where pod-to-world traffic goes up stack when BPF host routing is enabled with tunnel. (Backport PR #​35861, Upstream PR #​35098, @​jschwinger233)
• Fix identity leak for kvstore identity mode (Backport PR #​36066, Upstream PR #​34893, @​odinuge)
• Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (Backport PR #​36302, Upstream PR #​36292, @​giorio94)
• gateway-api: Fix gateway checks for namespace (Backport PR #​36462, Upstream PR #​35452, @​sayboras)
• gha: Remove hostLegacyRouting in clustermesh (Backport PR #​36357, Upstream PR #​35418, @​sayboras)
• helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (Backport PR #​36066, Upstream PR #​36005, @​devodev)
• hubble: consistently use v as prefix for the Hubble version (Backport PR #​36286, Upstream PR #​35891, @​rolinh)
• iptables: Fix data race in iptables manager (Backport PR #​36066, Upstream PR #​35902, @​pippolo84)
• lrp: update LRP services with stale backends on agent restart (Backport PR #​36106, Upstream PR #​36036, @​ysksuzuki)
• policy: Fix bug that allowed port ranges to be attached to L7 policies, which is not permitted. (#​36050, @​nathanjsweet)
• Unbreak the cilium-dbg preflight migrate-identity command (Backport PR #​36286, Upstream PR #​36089, @​giorio94)
• Use strconv.Itoa instead of string() for the correct behavior when converting kafka.ErrorCode from int32 to string. Add relevant unit tests for Kafka plugin and handler. (Backport PR #​36066, Upstream PR #​35856, @​nddq)

CI Changes:

• [v1.16] ci: modularize chart CI push workflow (#​35958, @​ferozsalam)
• gh: conformance-clustermesh: test with IPsec + BPF NodePort (Backport PR #​36462, Upstream PR #​36384, @​julianwiedmann)
• gha: configure environment in build-images-base/image-digests job (Backport PR #​36462, Upstream PR #​36318, @​giorio94)
• node_local_store: prevent racey tests while using mock node store. (Backport PR #​36066, Upstream PR #​35945, @​tommyp1ckles)
• Remove unnecessary hubble port-forward commands (Backport PR #​36066, Upstream PR #​33523, @​michi-covalent)

Misc Changes:

• [v1.16] docs: egress masquerade selector (#​36333, @​viktor-kurchenko)
• [v1.16] images: bump cni plugins to v1.6.0 (#​36092, @​ferozsalam)
• bugtool: dump tail-call map for bpf_wireguard (Backport PR #​36286, Upstream PR #​36183, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.16) (#​36155, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36275, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36443, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (patch) (#​36277, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35546, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36152, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36279, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36444, @​cilium-renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.16) (#​36153, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.9 docker digest to 147f428 (v1.16) (#​36222, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.10 (v1.16) (#​36441, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1732605705-2aa20ee3acb68cd38d57669af19508bea8f0ba62 (v1.16) (#​36180, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 (v1.16) (#​36495, @​cilium-renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241129.013349 (v1.16) (#​36278, @​cilium-renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241206.013345 (v1.16) (#​36442, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36154, @​cilium-renovate[bot])
• docs: Add the tls:// prefix before the IP address (Backport PR #​36286, Upstream PR #​36118, @​liyihuang)
• docs: Fix typo in multi-pool section title (Backport PR #​36312, Upstream PR #​36305, @​joestringer)
• docs: In k0s guide, remove dashes to fix invalid Bash variable names. (Backport PR #​36066, Upstream PR #​35923, @​yilas)
• docs: lrp: fix kernel version requirement for skipRedirectFromBackend (Backport PR #​36066, Upstream PR #​35921, @​ysksuzuki)
• docs: system-requirements: require 5.4 kernel (Backport PR #​36462, Upstream PR #​36386, @​julianwiedmann)
• docs: WireGuard doesn't require overlay port in Network Firewalls (Backport PR #​36286, Upstream PR #​36208, @​julianwiedmann)
• Endpoint populate new policymap early if empty (Backport PR #​36479, Upstream PR #​36361, @​jrajahalme)
• envoy: Configure internal_address_config to avoid warning log (Backport PR #​36015, Upstream PR #​35943, @​sayboras)
• envoy: Pass tofqdns-proxy-response-max-delay to Envoy (Backport PR #​36468, Upstream PR #​36330, @​jrajahalme)
• fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (v1.16) (#​36530, @​cilium-renovate[bot])
• Fixed BGP documentation (Backport PR #​36066, Upstream PR #​35953, @​seadog007)
• images: Use cilium-builder image instead of golang to build hubble (Backport PR #​36312, Upstream PR #​35697, @​learnitall)
• lrp: fix kernel version requirement in warning log (Backport PR #​36286, Upstream PR #​36141, @​ysksuzuki)
• Makefile: fix swagger definition for automatic renovate updates (Backport PR #​36066, Upstream PR #​35979, @​aanm)
• proxy: Take proxy port reference for new redirects immediately (Backport PR #​36468, Upstream PR #​36435, @​jrajahalme)
• proxyports: Resolve data races in test (Backport PR #​36468, Upstream PR #​36399, @​jrajahalme)
• proxyports: Sleep a bit longer in tests (Backport PR #​36468, Upstream PR #​36389, @​jrajahalme)
• Remove duplicated watch on services and endpoint in the cilium-agent (Backport PR #​36066, Upstream PR #​35838, @​MrFreezeex)
• Rework error handling logic in neighbor discovery (Backport PR #​36093, Upstream PR #​35144, @​pippolo84)
• Silence spurious clustermesh-related warnings (Backport PR #​36225, Upstream PR #​35867, @​giorio94)
• Update documentation for egress masquerading behavior (Backport PR #​36462, Upstream PR #​36267, @​liyihuang)

Other Changes:

• [1.16] ci/ipsec-upgrade: increase cilium status wait duration (#​36082, @​harsimran-pabla)
• [v1.16] cilium, service: Fix checkLBSrcRange propagation to LB map (#​36511, @​borkmann)
• install: Update image digests for v1.16.4 (#​36047, @​cilium-release-bot[bot])
• jrajahalme/v1.16 cilium cli (#​36541, @​jrajahalme)
• Revert "workflows/ipsec: Cover Ingress" (#​36116, @​harsimran-pabla)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.5@​sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
quay.io/cilium/cilium:stable@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.5@​sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958
quay.io/cilium/clustermesh-apiserver:stable@sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958

docker-plugin

quay.io/cilium/docker-plugin:v1.16.5@​sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768
quay.io/cilium/docker-plugin:stable@sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768

hubble-relay

quay.io/cilium/hubble-relay:v1.16.5@​sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00
quay.io/cilium/hubble-relay:stable@sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.5@​sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0
quay.io/cilium/operator-alibabacloud:stable@sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0

operator-aws

quay.io/cilium/operator-aws:v1.16.5@​sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476
quay.io/cilium/operator-aws:stable@sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476

operator-azure

quay.io/cilium/operator-azure:v1.16.5@​sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9
quay.io/cilium/operator-azure:stable@sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9

operator-generic

quay.io/cilium/operator-generic:v1.16.5@​sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039
quay.io/cilium/operator-generic:stable@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039

operator

quay.io/cilium/operator:v1.16.5@​sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940
quay.io/cilium/operator:stable@sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[lumiere-bot]

--- kubernetes/kyak/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/kyak/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
-      version: 1.16.4
+      version: 1.16.5
   install:
     remediation:
       retries: 3
   interval: 30m
   upgrade:
     cleanupOnFail: true

[lumiere-bot]

--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -29,13 +29,13 @@

     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -192,13 +192,13 @@

         - name: xtables-lock
           mountPath: /run/xtables.lock
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -217,13 +217,13 @@

           value: '7445'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /sys/fs/cgroup
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -249,13 +249,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -279,13 +279,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -295,13 +295,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -343,13 +343,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -31,13 +31,13 @@

         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
+        image: quay.io/cilium/operator-generic:v1.16.5@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)