chore(deps): update helm release cilium to v1.15.3

[tyriis-automation]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
cilium (source)	HelmChart	patch	1.15.2 -> 1.15.3
cilium (source)		patch	1.15.2 -> 1.15.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

cilium/cilium (cilium)

v1.15.3: 1.15.3

Compare Source

Summary of Changes

Minor Changes:

• bgpv1: BGP Control Plane metrics (Backport PR #​31568, Upstream PR #​31469, @​YutaroHayakawa)
• cni: use default logger with timestamps. (Backport PR #​31342, Upstream PR #​31014, @​tommyp1ckles)
• Introduce cilium-dbg encrypt flush --stale flag to remove XFRM states and policies with stale node IDs. (Backport PR #​31342, Upstream PR #​31159, @​pchaigno)

Bugfixes:

• [v1.15 - Author backport] envoy: enable k8s secret watch even if only CEC is enabled (#​31451, @​mhofstetter)
• cni: Use batch endpoint deletion API in chaining plugin (Backport PR #​31515, Upstream PR #​31456, @​sayboras)
• Fix a bug in the StateDB library that may have caused stale read after write. This may have potentially affected the L2 announcements feature and the node address selection. (Backport PR #​31342, Upstream PR #​31164, @​joamaki)
• Fix a bug where pod label updates are not reflected in endpoint labels in presence of filtered labels. (Backport PR #​31473, Upstream PR #​31395, @​tklauser)
• Fixed issue with assigning 0 nodeID when corresponding bpf map run out of space.
  Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled.
  Otherwise, it was merely generating unnecessary error log messages. (Backport PR #​31490, Upstream PR #​31380, @​marseel)
• gateway-api: Retrieve LB service from same namespace (Backport PR #​31490, Upstream PR #​31271, @​sayboras)
• Handle InvalidParameterValue as well for PD fallback (Backport PR #​31490, Upstream PR #​31016, @​hemanthmalla)
• helm: Update pod affinity for cilium-envoy (Backport PR #​31490, Upstream PR #​31150, @​sayboras)
• hubble/relay: Fix certificate reloading in PeerManager (Backport PR #​31568, Upstream PR #​31376, @​glrf)
• Hubble: fix traffic direction and is reply when IPSec is enabled (Backport PR #​31568, Upstream PR #​31211, @​kaworu)
• k8s/utils: correctly filter out labels in StripPodSpecialLabels (Backport PR #​31473, Upstream PR #​31421, @​tklauser)
• metrics: Disable prometheus metrics by default (Backport PR #​31342, Upstream PR #​31144, @​joestringer)
• operator: fix errors/warnings metric. (Backport PR #​31490, Upstream PR #​31214, @​tommyp1ckles)

CI Changes:

• [v1.15] test: Remove duplicate Cilium deployments in some datapath config tests (#​31520, @​qmonnet)
• Additionally test host firewall + KPR disabled in E2E tests (Backport PR #​31342, Upstream PR #​30914, @​giorio94)
• AKS: avoid overlapping pod and service CIDRs (Backport PR #​31568, Upstream PR #​31504, @​bimmlerd)
• bgpv1: avoid object tracker vs informer race (Backport PR #​31490, Upstream PR #​31010, @​bimmlerd)
• bgpv1: fix Test_PodIPPoolAdvert flakiness (Backport PR #​31490, Upstream PR #​31365, @​rastislavs)
• bpf: fix go testdata check in ci (Backport PR #​31554, Upstream PR #​31419, @​mhofstetter)
• Centralize configuration of kind version/image in GitHub Action workflows (Backport PR #​31191, Upstream PR #​30916, @​giorio94)
• Checkout the target branch, instead of the default one, on pull_request based GHA test workflows (Backport PR #​31191, Upstream PR #​31198, @​giorio94)
• ci-e2e: Add matrix for bpf.tproxy and ingress-controller (Backport PR #​31490, Upstream PR #​31272, @​sayboras)
• ci: Bump lvh-kind ssh-startup-wait-retries (Backport PR #​31490, Upstream PR #​31387, @​YutaroHayakawa)
• controlplane: fix mechanism for ensuring watchers (Backport PR #​31490, Upstream PR #​31030, @​bimmlerd)
• Fix bug preventing consistent symbols between ELF and BTF for eBPF unit tests. (Backport PR #​31342, Upstream PR #​30610, @​learnitall)
• gateway-api: Enable GRPCRoute conformance tests (Backport PR #​31342, Upstream PR #​31055, @​sayboras)
• gha: disable fail-fast on integration tests (Backport PR #​31490, Upstream PR #​31420, @​giorio94)
• gha: drop unused check_url environment variable (Backport PR #​31191, Upstream PR #​30928, @​giorio94)
• introduce ARM github workflows (Backport PR #​31342, Upstream PR #​31196, @​aanm)
• ipam: deepcopy interface resource correctly. (Backport PR #​31490, Upstream PR #​26998, @​tommyp1ckles)
• k8s_install.sh: specify the CNI version (Backport PR #​31342, Upstream PR #​31182, @​aanm)
• loader: fix issue where errors cancelled compile cause error logs. (Backport PR #​31342, Upstream PR #​30988, @​tommyp1ckles)
• Reduce flakiness of controlplane tests (Backport PR #​31490, Upstream PR #​30906, @​bimmlerd)
• slices: don't modify missed input slice in test (Backport PR #​31490, Upstream PR #​31119, @​bimmlerd)

Misc Changes:

• Add monitor aggregation for all events related to packets ingressing to the network-facing device. (Backport PR #​31342, Upstream PR #​31015, @​learnitall)
• Address race condition in TestGetIdentity (Backport PR #​31541, Upstream PR #​30885, @​bimmlerd)
• bgpv1: Adjust ConnectionRetryTimeSeconds to 1 in component tests (Backport PR #​31342, Upstream PR #​31218, @​YutaroHayakawa)
• chore(deps): update all github action dependencies (v1.15) (#​31480, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​31582, @​renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.3 (v1.15) (#​31464, @​renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.15) (#​31450, @​renovate[bot])
• chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 55c6361 (v1.15) (#​31453, @​renovate[bot])
• chore: update json-mock image source in examples (Backport PR #​31568, Upstream PR #​31373, @​loomkoom)
• cilium-dbg: listing load-balancing configurations displays L7LB proxy port (Backport PR #​31568, Upstream PR #​31503, @​mhofstetter)
• datapath, bpf: Remove unnecessary IPsec code (Backport PR #​31490, Upstream PR #​31344, @​pchaigno)
• doc: Clarified GwAPI KPR prerequisites (Backport PR #​31490, Upstream PR #​31366, @​PhilipSchmid)
• docs: Warn on key rotations during upgrades (Backport PR #​31490, Upstream PR #​31437, @​pchaigno)
• Don't emit an error message on namespace termination due to Ingress reconciliation (Backport PR #​31342, Upstream PR #​30808, @​giorio94)
• Downgrade L2 Neighbor Discovery failure log to Debug (Backport PR #​31342, Upstream PR #​31179, @​YutaroHayakawa)
• endpointmanager: Improve health reporter messages when stopped (Backport PR #​31342, Upstream PR #​31231, @​christarazi)
• hive/cell/health: don't warn when reporting on stopped reporter. (Backport PR #​31490, Upstream PR #​31262, @​tommyp1ckles)
• ingress: Update docs with network policy example (Backport PR #​31342, Upstream PR #​31060, @​sayboras)
• job: avoid a race condition in TestTimer_ExitOnCloseFnCtx (Backport PR #​31490, Upstream PR #​30929, @​bimmlerd)
• loader: add message if error is ENOTSUP (Backport PR #​31490, Upstream PR #​31413, @​kkourt)
• policy: Fix missing labels from SelectorCache selectors (Backport PR #​31490, Upstream PR #​31358, @​christarazi)
• Replaced declare_tailcall_if with logic in the loader (Backport PR #​31554, Upstream PR #​30467, @​dylandreimerink)

Other Changes:

• install: Update image digests for v1.15.2 (#​31378, @​jrajahalme)
• v1.15: IPsec Fixes (#​31610, @​pchaigno)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[tyriis-automation]

--- kubernetes/kube-nas/apps/kube-system/cilium/app Kustomization: flux-system/apps-cilium HelmRelease: kube-system/cilium

+++ kubernetes/kube-nas/apps/kube-system/cilium/app Kustomization: flux-system/apps-cilium HelmRelease: kube-system/cilium

@@ -12,13 +12,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium-charts
         namespace: flux-system
-      version: 1.15.2
+      version: 1.15.3
   install:
     remediation:
       retries: 3
   interval: 30m
   maxHistory: 2
   uninstall:

[tyriis-automation]

--- kubernetes/talos-flux/apps/metallb-system/metallb/app Kustomization: flux-system/apps-metallb HelmRelease: metallb-system/metallb

+++ kubernetes/talos-flux/apps/metallb-system/metallb/app Kustomization: flux-system/apps-metallb HelmRelease: metallb-system/metallb

@@ -12,13 +12,13 @@

     spec:
       chart: metallb
       sourceRef:
         kind: HelmRepository
         name: metallb-charts
         namespace: flux-system
-      version: 0.14.4
+      version: 0.14.3
   install:
     crds: CreateReplace
     createNamespace: true
     remediation:
       retries: 3
     replace: true

[tyriis-automation]

--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -26,13 +26,13 @@

         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.15.2@sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746
+        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -162,13 +162,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.15.2@sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746
+        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -183,13 +183,13 @@

               fieldPath: metadata.namespace
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.15.2@sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746
+        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /run/cilium/cgroupv2
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -206,13 +206,13 @@

         - name: cni-path
           mountPath: /hostbin
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.15.2@sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746
+        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -227,13 +227,13 @@

         - name: cni-path
           mountPath: /hostbin
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.15.2@sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746
+        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -262,13 +262,13 @@

         - name: cilium-cgroup
           mountPath: /run/cilium/cgroupv2
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.15.2@sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746
+        image: quay.io/cilium/cilium:v1.15.3@sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -31,13 +31,13 @@

         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.15.2@sha256:4dd8f67630f45fcaf58145eb81780b677ef62d57632d7e4442905ad3226a9088
+        image: quay.io/cilium/operator-generic:v1.15.3@sha256:c97f23161906b82f5c81a2d825b0646a5aa1dfb4adf1d49cbb87815079e69d61
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.15.2@sha256:48480053930e884adaeb4141259ff1893a22eb59707906c6d38de2fe01916cb0
+        image: quay.io/cilium/hubble-relay:v1.15.3@sha256:b9c6431aa4f22242a5d0d750c621d9d04bdc25549e4fb1116bfec98dd87958a2
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:

[tyriis-automation]

--- HelmRelease: metallb-system/metallb ConfigMap: metallb-system/metallb-excludel2

+++ HelmRelease: metallb-system/metallb ConfigMap: metallb-system/metallb-excludel2

@@ -1,16 +1,12 @@

 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: metallb-excludel2
   namespace: metallb-system
-  labels:
-    app.kubernetes.io/name: metallb
-    app.kubernetes.io/instance: metallb
-    app.kubernetes.io/managed-by: Helm
 data:
   excludel2.yaml: |
     announcedInterfacesToExclude:
     - ^docker.*
     - ^cbr.*
     - ^dummy.*
--- HelmRelease: metallb-system/metallb ClusterRole: metallb-system/metallb:controller

+++ HelmRelease: metallb-system/metallb ClusterRole: metallb-system/metallb:controller

@@ -61,12 +61,13 @@

   - watch
 - apiGroups:
   - apiextensions.k8s.io
   resources:
   - customresourcedefinitions
   resourceNames:
+  - addresspools.metallb.io
   - bfdprofiles.metallb.io
   - bgpadvertisements.metallb.io
   - bgppeers.metallb.io
   - ipaddresspools.metallb.io
   - l2advertisements.metallb.io
   - communities.metallb.io
--- HelmRelease: metallb-system/metallb ClusterRole: metallb-system/metallb:speaker

+++ HelmRelease: metallb-system/metallb ClusterRole: metallb-system/metallb:speaker

@@ -31,14 +31,7 @@

   - ''
   resources:
   - events
   verbs:
   - create
   - patch
-- apiGroups:
-  - metallb.io
-  resources:
-  - servicel2statuses
-  - servicel2statuses/status
-  verbs:
-  - '*'
 
--- HelmRelease: metallb-system/metallb Role: metallb-system/metallb-pod-lister

+++ HelmRelease: metallb-system/metallb Role: metallb-system/metallb-pod-lister

@@ -24,12 +24,20 @@

   - list
   - watch
 - apiGroups:
   - ''
   resources:
   - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - metallb.io
+  resources:
+  - addresspools
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - metallb.io
--- HelmRelease: metallb-system/metallb Role: metallb-system/metallb-controller

+++ HelmRelease: metallb-system/metallb Role: metallb-system/metallb-controller

@@ -46,12 +46,20 @@

   - patch
   - update
   - watch
 - apiGroups:
   - metallb.io
   resources:
+  - addresspools
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - metallb.io
+  resources:
   - ipaddresspools
   verbs:
   - get
   - list
   - watch
 - apiGroups:
--- HelmRelease: metallb-system/metallb DaemonSet: metallb-system/metallb-speaker

+++ HelmRelease: metallb-system/metallb DaemonSet: metallb-system/metallb-speaker

@@ -46,13 +46,13 @@

       - name: reloader
         emptyDir: {}
       - name: metrics
         emptyDir: {}
       initContainers:
       - name: cp-frr-files
-        image: quay.io/frrouting/frr:9.0.2
+        image: quay.io/frrouting/frr:8.5.2
         securityContext:
           runAsUser: 100
           runAsGroup: 101
         command:
         - /bin/sh
         - -c
@@ -60,33 +60,33 @@

         volumeMounts:
         - name: frr-startup
           mountPath: /tmp/frr
         - name: frr-conf
           mountPath: /etc/frr
       - name: cp-reloader
-        image: quay.io/metallb/speaker:v0.14.4
+        image: quay.io/metallb/speaker:v0.14.3
         command:
         - /bin/sh
         - -c
         - cp -f /frr-reloader.sh /etc/frr_reloader/
         volumeMounts:
         - name: reloader
           mountPath: /etc/frr_reloader
       - name: cp-metrics
-        image: quay.io/metallb/speaker:v0.14.4
+        image: quay.io/metallb/speaker:v0.14.3
         command:
         - /bin/sh
         - -c
         - cp -f /frr-metrics /etc/frr_metrics/
         volumeMounts:
         - name: metrics
           mountPath: /etc/frr_metrics
       shareProcessNamespace: true
       containers:
       - name: speaker
-        image: quay.io/metallb/speaker:v0.14.4
+        image: quay.io/metallb/speaker:v0.14.3
         args:
         - --port=7472
         - --log-level=info
         env:
         - name: METALLB_NODE_NAME
           valueFrom:
@@ -159,13 +159,13 @@

           capabilities:
             add:
             - NET_ADMIN
             - NET_RAW
             - SYS_ADMIN
             - NET_BIND_SERVICE
-        image: quay.io/frrouting/frr:9.0.2
+        image: quay.io/frrouting/frr:8.5.2
         env:
         - name: TINI_SUBREAPER
           value: 'true'
         volumeMounts:
         - name: frr-sockets
           mountPath: /var/run/frr
@@ -181,13 +181,13 @@

             sleep 1
             attempts=$(( $attempts + 1 ))
           done
           tail -f /etc/frr/frr.log
         livenessProbe:
           httpGet:
-            path: livez
+            path: /livez
             port: 7473
           initialDelaySeconds: 10
           periodSeconds: 10
           timeoutSeconds: 1
           successThreshold: 1
           failureThreshold: 3
@@ -195,24 +195,24 @@

           httpGet:
             path: /livez
             port: 7473
           failureThreshold: 30
           periodSeconds: 5
       - name: reloader
-        image: quay.io/frrouting/frr:9.0.2
+        image: quay.io/frrouting/frr:8.5.2
         command:
         - /etc/frr_reloader/frr-reloader.sh
         volumeMounts:
         - name: frr-sockets
           mountPath: /var/run/frr
         - name: frr-conf
           mountPath: /etc/frr
         - name: reloader
           mountPath: /etc/frr_reloader
       - name: frr-metrics
-        image: quay.io/frrouting/frr:9.0.2
+        image: quay.io/frrouting/frr:8.5.2
         command:
         - /etc/frr_metrics/frr-metrics
         args:
         - --metrics-port=7473
         ports:
         - containerPort: 7473
--- HelmRelease: metallb-system/metallb Deployment: metallb-system/metallb-controller

+++ HelmRelease: metallb-system/metallb Deployment: metallb-system/metallb-controller

@@ -29,16 +29,17 @@

       securityContext:
         fsGroup: 65534
         runAsNonRoot: true
         runAsUser: 65534
       containers:
       - name: controller
-        image: quay.io/metallb/controller:v0.14.4
+        image: quay.io/metallb/controller:v0.14.3
         args:
         - --port=7472
         - --log-level=error
+        - --cert-service-name=metallb-webhook-service
         - --tls-min-version=VersionTLS12
         env:
         - name: METALLB_ML_SECRET_NAME
           value: metallb-memberlist
         - name: METALLB_DEPLOYMENT
           value: metallb-controller
@@ -81,8 +82,8 @@

       nodeSelector:
         kubernetes.io/os: linux
       volumes:
       - name: cert
         secret:
           defaultMode: 420
-          secretName: metallb-webhook-cert
+          secretName: webhook-server-cert
 

[tyriis-automation]

🦙 MegaLinter status: ✅ SUCCESS

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
✅ EDITORCONFIG	editorconfig-checker	3		0	0.02s
✅ REPOSITORY	gitleaks	yes		no	2.18s
✅ YAML	prettier	3		0	0.77s
✅ YAML	yamllint	3		0	0.3s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security