feat(helm): update cilium ( 1.16.6 → 1.19.5 )

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
cilium (source)	minor	1.16.6 → 1.19.5

---

Release Notes

cilium/cilium (cilium)

v1.19.5: 1.19.5

Compare Source

Summary of Changes

Minor Changes:

• Extend the information reported by the troubleshoot kvstore and clustermesh commands (Backport PR #​46554, Upstream PR #​46516, @​giorio94)
• helm: Remove loadBalancer.standalone option (Backport PR #​46170, Upstream PR #​46070, @​joestringer)
• wireguard:mtu: fix mtu calculation with potential padding (Backport PR #​46170, Upstream PR #​45940, @​smagnani96)

Bugfixes:

• Always add cluster label to node when nodeSelectorLabels is enabled to fix CiliumNetworkPolicy with fromNodes/toNodes with policy-default-local-cluster enabled (enabled by default in 1.19+) (Backport PR #​46170, Upstream PR #​46068, @​MrFreezeex)
• azure: Fix public IP reassignment failure loop on operator restart (Backport PR #​46289, Upstream PR #​46240, @​HadrienPatte)
• bgp: Don't provide default_gateway reconciler when disabled (Backport PR #​46024, Upstream PR #​45911, @​YutaroHayakawa)
• bgp: Reduce amount of soft peer resets by service reconciliation and fix potentially missed incorrect metadata update upon failed reconciliation. (Backport PR #​46245, Upstream PR #​45927, @​rastislavs)
• bpf: fix host proxy packet routing to pods (Backport PR #​46024, Upstream PR #​45916, @​atykhyy)
• bug: fixed weighted backend traffic splitting for TLSRoute passthrough listeners in Gateway API (Backport PR #​46170, Upstream PR #​45937, @​nickolaev)
• datapath/mtu: add altname to mark cilium owned interfaces and do skip changing MTU on interfaces not managed by cilium (Backport PR #​46028, Upstream PR #​45799, @​bersoare)
• Fix a bug that causes the NamespaceSelector field in a CiliumEgressGatewayPolicy to be corrupted, and no longer effective. (Backport PR #​46024, Upstream PR #​45926, @​julianwiedmann)
• Fix a rare bug in clustermesh-apiserver that triggers incorrect deletion of a valid endpoint entry from the etcd under high pod churn (Backport PR #​46170, Upstream PR #​45780, @​adamwathieu)
• Fix BGP PeerConfig status cleanup so it no longer times out when there are no managed conditions to remove. (Backport PR #​46170, Upstream PR #​45967, @​ysksuzuki)
• Fix bug that would disrupt node connectivity when ClusterIP/LoadBalancer VIPs overlapped with node-local IP addresses. (Backport PR #​46024, Upstream PR #​45572, @​ajmmm)
• Fix TLS passthrough routes failing silently when a gateway has mixed HTTP, HTTPS, and TLS listeners and a TLSRoute with no sectionName. (Backport PR #​45966, Upstream PR #​45371, @​syedazeez337)
• Fix wildcard namespace bypass for selectorless ipBlock rules (Backport PR #​46456, Upstream PR #​46305, @​TheBeeZee)
• fix(gateway-api): Prevent controller panic during Gateway reconciliation when GatewayClass has an invalid or malformed spec.parametersRef. (Backport PR #​46400, Upstream PR #​46340, @​arybolovlev)
• fix(gateway-api): set ready condition in endpointSlice to true (Backport PR #​46400, Upstream PR #​46237, @​ulrichgiraud)
• fix: nil pointer dereference panic due to uninitialized logger (Backport PR #​46170, Upstream PR #​45782, @​weizhoublue)
• Fixed a race where a reused endpoint ID could have its BPF state directory removed by the outgoing endpoint (Backport PR #​46554, Upstream PR #​46091, @​eyupcanakman)
• Fixed unsolicited IPv6 L2 announcements ignored by receiving hosts, as not conformant to RFC 4861 (Backport PR #​46170, Upstream PR #​46079, @​giorio94)
• Fixes a bug where policymap pressure was incorrectly being reported as 0. (Backport PR #​46024, Upstream PR #​45791, @​squeed)
• gateway-api/ingress: set service label on EndpointSlices (Backport PR #​46400, Upstream PR #​46242, @​mhofstetter)
• gateway-api: fix GatewayClass field index (Backport PR #​46289, Upstream PR #​46127, @​thorn3r)
• gateway-api: prune stale Gateway API route parent statuses (Backport PR #​46400, Upstream PR #​46296, @​mhofstetter)
• Improve robustness of kvstore keys construction to prevent possible surprising behavior in rare circumstances (Backport PR #​46554, Upstream PR #​46412, @​giorio94)
• iptables: match wireguard packets by proto+port instead of packet mark (Backport PR #​46289, Upstream PR #​45974, @​bersoare)
• multipool: Fix retries for CiliumNode Get errors (Backport PR #​46408, Upstream PR #​46124, @​pippolo84)
• sockets: fix nil pointer dereference in filterAndDestroySockets (Backport PR #​46024, Upstream PR #​44843, @​umut-polat)
• The internal representation of load-balancing backends has been refactored to efficiently support thousands of services referencing a shared backend. (#​46462, @​joamaki)

CI Changes:

• chore(deps): update lvh-images for conformance-runtime (Backport PR #​46025, Upstream PR #​45922, @​julianwiedmann)
• ci:bpftrace: fail curl with corrupted binary download (Backport PR #​46024, Upstream PR #​45948, @​smagnani96)
• fix the race condition for the TestRouterIDAllocation bgp test case (Backport PR #​46289, Upstream PR #​44545, @​liyihuang)
• gha: make conformance kubespray runner configurable (Backport PR #​46289, Upstream PR #​46171, @​giorio94)
• helm: add tmpl files to .helmignore (Backport PR #​46554, Upstream PR #​46445, @​sekhar-isovalent)
• helm: allow overriding of registry_prefix in charts (Backport PR #​46289, Upstream PR #​46217, @​sekhar-isovalent)
• ipam: Deflake TestMarkForReleaseNoAllocate (Backport PR #​46289, Upstream PR #​46188, @​pippolo84)
• Move pull_request triggered workflows to ariane (Backport PR #​46452, Upstream PR #​45363, @​nebril)
• Reapply "ci: Log in for image registry pulls" (Backport PR #​46495, Upstream PR #​46376, @​nebril)

Misc Changes:

• [v1.19] - chore(deps): update docker.io/library/ubuntu:24.04 docker digest to 7… (#​46578, @​aanm)
• [v1.19] Backport health command fixes from 46102 (#​46250, @​joamaki)
• [v1.19] deps: bump various go packages (#​46185, @​ferozsalam)
• [v1.19] loadbalancer: return correct IP family for IPv6 ClusterIP addresses (#​46425, @​tklauser)
• bpf: local_delivery: add CB flag for "use_redirect_peer" (Backport PR #​46204, Upstream PR #​46169, @​julianwiedmann)
• bpf: local_delivery: condense usage of skb cb slots (Backport PR #​46204, Upstream PR #​46064, @​julianwiedmann)
• bpf: local_delivery: use CB_DELIVERY_FLAGS to transfer proxy state (Backport PR #​46554, Upstream PR #​46291, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.19) (#​45994, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​46016, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​46117, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​46268, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​46280, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​46395, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​46538, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​45468, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​46581, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​45995, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​46164, @​cilium-renovate[bot])
• chore(deps): update base-images to v1.25.11 (v1.19) (#​46342, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to 0fc1dd3 (v1.19) (#​46153, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to 11ecd4e (v1.19) (#​46277, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to cd47774 (v1.19) (#​46137, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to e1b3ec8 (v1.19) (#​46007, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.19.3 (v1.19) (#​46120, @​cilium-renovate[bot])
• chore(deps): update dependency bufbuild/buf to v1.70.0 (v1.19) (#​46267, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.4 (v1.19) (#​46150, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.30 (v1.19) (#​46266, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v35.1 (v1.19) (#​46570, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 9532d8c (v1.19) (#​46535, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.25.10 docker digest to cd05a37 (v1.19) (#​46138, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.25.11 docker digest to 379065f (v1.19) (#​46536, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.12 (v1.19) (#​46560, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260518104151-5ebe05f9440b (v1.19) (#​46139, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.4.5 (v1.19) (#​46561, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.8-1781157951-a7f42a3390781539911b5b9107881b35ecc4e752 (v1.19) (#​46377, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.19) (patch) (#​45392, @​cilium-renovate[bot])
• docs: Add caveats on Kubernetes versions when using host L7 DNS policies (Backport PR #​46289, Upstream PR #​45843, @​atykhyy)
• docs: Document BTF as a requirement (Backport PR #​46289, Upstream PR #​46063, @​pchaigno)
• docs: fix Markdown-style hyperlink in mutual-authentication.rst (Backport PR #​46024, Upstream PR #​45751, @​bitflicker64)
• Fix broken gateway-api documentation links (Backport PR #​46554, Upstream PR #​46527, @​0xch4z)
• Fix pointer-address comparison for Gateway API Route ParentReference status handling (Backport PR #​46400, Upstream PR #​46355, @​weizhoublue)
• fix(deps): update k8s.io patch updates stable to v0.35.5 (v1.19) (#​46140, @​cilium-renovate[bot])
• fix(deps): update k8s.io patch updates stable to v0.35.5 (v1.19) (patch) (#​46015, @​cilium-renovate[bot])
• fix(deps): update k8s.io patch updates stable to v0.35.6 (v1.19) (#​46562, @​cilium-renovate[bot])
• fix(deps): update k8s.io/utils digest to ff6756f (v1.19) (#​45996, @​cilium-renovate[bot])
• fix(deps): update module k8s.io/apimachinery to v0.35.5 (v1.19) (#​45997, @​cilium-renovate[bot])
• fix(deps): update module k8s.io/apimachinery to v0.35.6 (v1.19) (#​46537, @​cilium-renovate[bot])
• Miscellaneous improvements to the fake client (Backport PR #​46024, Upstream PR #​45784, @​giorio94)
• operator: miscellaneous improvements to the troubleshoot clustermesh command (Backport PR #​46554, Upstream PR #​46502, @​giorio94)
• Remove defunct l2podAnnouncements.interface Helm value that rendered a configmap key the agent no longer recognises, causing crash-loops when L2 pod announcements were enabled. Users must use l2podAnnouncements.interfacePattern instead. (Backport PR #​46170, Upstream PR #​46093, @​salamidrus)
• Revert ".github/workflows: do not use deployments for environments" (Backport PR #​46400, Upstream PR #​46348, @​aanm)

Other Changes:

• [v1.19] proxy: Bump upstream version to v1.37.x (#​46439, @​sayboras)
• install: Update image digests for v1.19.4 (#​45961, @​cilium-release-bot[bot])
• v1.19: kvstore: Don't set fake pod CIDRs for remote nodes (#​46361, @​pchaigno)
• vendor: bump statedb to v0.5.8 (#​46505, @​giorio94)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.5@​sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.5@​sha256:5ed9334b2254315740f9e2a8b6645bf69920f79ef14f436931579d2038784f9b

docker-plugin

quay.io/cilium/docker-plugin:v1.19.5@​sha256:4006d5558390120774a5a903a706dfd64089082bd653b7cb45e9e5a93ff4efea

hubble-relay

quay.io/cilium/hubble-relay:v1.19.5@​sha256:24409bfa1bca075c92acb26ba4b49cd573d99d68d5370f7cc825078185222a0c

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.5@​sha256:c9706343dde700804c2f50c09a2f8291797c707d1747fd50f70c939c23747c16

operator-aws

quay.io/cilium/operator-aws:v1.19.5@​sha256:b8473618e8d2bf8a610da445c8c37e1d1e8221aecd05989456d87a7588d66707

operator-azure

quay.io/cilium/operator-azure:v1.19.5@​sha256:8600299cb121f9df00fd32b93fa74de89ed49dd3a67e3d7301c07325c04c77f8

operator-generic

quay.io/cilium/operator-generic:v1.19.5@​sha256:be848a365776e07d0c5a895eda7aec928ddc52a5a1fa2f432fd7a286609e1db4

operator

quay.io/cilium/operator:v1.19.5@​sha256:07a25f6a248d77f0c8417d21b5ea5424a81fe551421e4baf04dc79b1360e832e

v1.19.4: 1.19.4

Compare Source

Summary of Changes

Minor Changes:

• cilium-agent: when --k8s-service-proxy-name is set, EndpointSlices are now filtered by the service.kubernetes.io/service-proxy-name label at the watch level, matching how Services are already filtered, operators with hand-managed EndpointSlices must stamp the matching label on those slices. (Backport PR #​45755, Upstream PR #​45504, @​HadrienPatte)
• iptables-based masquerading: Ensure iptables rules respect longest prefix match by sorting routes by mask length when enable-masquerade-to-route-source is enabled (Backport PR #​45630, Upstream PR #​45192, @​liyihuang)
• operator/spire: make SPIRE client configurable for ztunnel (Backport PR #​45356, Upstream PR #​44136, @​nddq)
• pkg/endpoint: skip logger rebuild on policy revision updates (Backport PR #​45630, Upstream PR #​45533, @​sjohnsonpal)

Bugfixes:

• bpf: egressgw: respect egress ifindex during FIB lookup (Backport PR #​45695, Upstream PR #​45661, @​julianwiedmann)
• bpf: host: fix source identity for IPsec trace in to-netdev (Backport PR #​45594, Upstream PR #​45588, @​julianwiedmann)
• cilium-dbg: cilium map list now displays "unknown" instead of 0 for maps that do not support cache-based entry counting. (Backport PR #​45888, Upstream PR #​44951, @​skymensch)
• cilium: Fix incorrect IPv6 BIG TCP display (Backport PR #​45630, Upstream PR #​45529, @​pchaigno)
• clustermesh: fails gracefully instead of crashing when EndpointSliceSync is not able to setup the EndpointSlice watch (Backport PR #​45496, Upstream PR #​45402, @​MrFreezeex)
• clustermesh: Fix Helm typo preventing to add annotations when setting clustermesh.apiserver.tls.auto.method: certmanager (Backport PR #​45630, Upstream PR #​45576, @​owayss)
• Fix cilium-agent crash when a transient network error occurs during CiliumNode update. The agent now retries instead of calling Fatal. (Backport PR #​45673, Upstream PR #​44526, @​nebojsaj1726)
• Fix CiliumLocalRedirectPolicy addressMatcher overriding an existing Service's frontend when its backend pods are not yet Ready. (Backport PR #​45584, Upstream PR #​45522, @​ysksuzuki)
• Fix dedicated Ingress reconciliation panic on invalid TLS passthrough rules (Backport PR #​45888, Upstream PR #​45737, @​weizhoublue)
• Fix host L7 policy operation (Backport PR #​45496, Upstream PR #​45030, @​atykhyy)
• Fix IPsec packet drops during rolling restart with key rotation by deferring SPI advertisement until XFRM states are ready (Backport PR #​45630, Upstream PR #​44701, @​hbangT)
• Fix issue where datapath reinitialization may get stuck when triggered from the local API (Backport PR #​45630, Upstream PR #​45557, @​jrife)
• Fix missing global service backends in Cluster Mesh when multiple service ports point to the same target port. (Backport PR #​45356, Upstream PR #​45179, @​RiccardoAtzori91)
• fix(egressGateway): skip unmatched gateways when using multiple gateway (Backport PR #​45630, Upstream PR #​44705, @​ieth0)
• fix(gateway-api): prevent silent disable on CRD discovery timeout (Backport PR #​45630, Upstream PR #​44662, @​aslafy-z)
• fix(ipsec): panic in parseSPI on malformed input (Backport PR #​45496, Upstream PR #​44815, @​isoyuki)
• Fixed intermittent ARP failures for LoadBalancer services caused by pointer reuse during BPF map iteration in the L2 responder reconciler. (Backport PR #​45673, Upstream PR #​45197, @​Krishnachaitanyakc)
• Fixed SocketLB returning EPERM instead of EHOSTUNREACH when a Service has no backends. (Backport PR #​45673, Upstream PR #​45185, @​chez-shanpu)
• Fixes an issue where L7 LoadBalancer and Ingress traffic would be dropped on certain kernel versions when Cilium is attached to a bridge network device. (Backport PR #​45755, Upstream PR #​45582, @​liyihuang)
• Fixes dropped packets on ingress when full header not in linear skb area (Backport PR #​45496, Upstream PR #​45195, @​javiercardona-work)
• hubble-relay: fix TLS config variable shadowing preventing cleanup on shutdown (Backport PR #​45630, Upstream PR #​45085, @​Aprazor)
• policy: Fix CCG matching for duplicate label keys (Backport PR #​45356, Upstream PR #​45225, @​christarazi)
• Respect backends for BGP only when they are in state: active (Backport PR #​45673, Upstream PR #​45286, @​CallMeFoxie)
• secretsync recreate synced secret when source secret type changes (Backport PR #​45888, Upstream PR #​45721, @​ssam18)
• wireguard: clamp cilium_wg0 MTU to IPV6_MIN_MTU (1280) when IPv6 is enabled, preventing silent packet loss in tunnel+encryption mode with constrained path MTU (Backport PR #​45496, Upstream PR #​45425, @​tibrezus)

CI Changes:

• .github/workflows: skip full test suite for workflow_dispatch on dev … (Backport PR #​45356, Upstream PR #​45285, @​aanm)
• complexity-diff: Small improvements (Backport PR #​45673, Upstream PR #​45556, @​pchaigno)
• contrib: fix typo in identity_is_node.cocci (Backport PR #​45630, Upstream PR #​45505, @​julianwiedmann)
• datapath/loader: Add map count to verifier complexity records (Backport PR #​45673, Upstream PR #​44652, @​dylandreimerink)
• gha/clustermesh: use OCI registry for cert-manager (Backport PR #​45356, Upstream PR #​45326, @​giorio94)
• logging: Update leader election log level override (Backport PR #​45496, Upstream PR #​45358, @​joamaki)
• Use extra power github runner if available for multi-pool CI workflow (Backport PR #​45673, Upstream PR #​45555, @​fristonio)

Misc Changes:

• [v1.19] deps: bump x/net to v0.53 (#​45935, @​ferozsalam)
• Add documentation and warnings on DNS interception (Backport PR #​45888, Upstream PR #​45525, @​ferozsalam)
• chore(deps): update all external docker images dependencies to v0.13.5 (v1.19) (patch) (#​45462, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45467, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45728, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45747, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45870, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45882, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​45466, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​45615, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​45729, @​cilium-renovate[bot])
• chore(deps): update base-images to v1.25.10 (v1.19) (#​45902, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to 354584b (v1.19) (#​45614, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to 6663075 (v1.19) (#​45481, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to 6e3229e (v1.19) (#​45620, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to b782452 (v1.19) (#​45488, @​cilium-renovate[bot])
• chore(deps): update dependency bufbuild/buf to v1.69.0 (v1.19) (#​45872, @​cilium-renovate[bot])
• chore(deps): update module github.com/moby/spdystream to v0.5.1 [security] (v1.19) (#​45431, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260416084302-2b3d1fe14578 (v1.19) (#​45463, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260423112246-3fa174937a6b (v1.19) (#​45730, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260505141229-de8f85687fd2 (v1.19) (#​45881, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.4.3 (v1.19) (#​45501, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1776352947-78da350f53f63526ff6487f2e1f3b14d2062ce17 (v1.19) (#​45464, @​cilium-renovate[bot])
• ci: make registry configurable (#​45437, @​Artyop)
• docs(policy): update namespace label support (Backport PR #​45630, Upstream PR #​44922, @​lconnery)
• docs: add small CiliumCIDRGroup scalability callout (Backport PR #​45888, Upstream PR #​45763, @​squeed)
• Fail hive health tree script command if no status is found for filter (Backport PR #​45888, Upstream PR #​45554, @​fristonio)
• Fix Endpoint regeneration health reporting (Backport PR #​45630, Upstream PR #​45011, @​fristonio)
• fix(deps): update k8s.io patch updates stable to v0.35.4 (v1.19) (patch) (#​45465, @​cilium-renovate[bot])
• helm: allow overriding of external images in charts (Backport PR #​45634, Upstream PR #​45597, @​sekhar-isovalent)
• helm: do not set operator health port as hostPort when hostNetwork is disabled (Backport PR #​45673, Upstream PR #​45386, @​robinelfrink)
• loadbalancer/reflectors: Filter EndpointSlice watch by service labels (Backport PR #​45755, Upstream PR #​45528, @​HadrienPatte)

Other Changes:

• [v1.19] ipam: fix data race in MultiPoolManager node update (#​45521, @​Kunalbehbud)
• chore(deps): update quay.io/cilium/cilium-envoy (#​45908, @​sayboras)
• install: Restore RBAC for ciliumbgppeeringpolicies to allow for gradual upgrade of Cilium pods from v1.18 to v1.19. (#​45829, @​rastislavs)
• install: Update image digests for v1.19.3 (#​45401, @​cilium-release-bot[bot])
• v1.19: bpf: Reduce stack usage and complexity of tail_handle_snat_fwd_ipv6 (#​45360, @​pchaigno)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.4@​sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.4@​sha256:9e40006b2e2b6e66d047f9af52577a93b39d9532958ec6d88d46820bb59ab643

docker-plugin

quay.io/cilium/docker-plugin:v1.19.4@​sha256:720dc5839de8c30acf655ad790866cf89b7691047a020e7b4a4bd66883fbf4d1

hubble-relay

quay.io/cilium/hubble-relay:v1.19.4@​sha256:59af8c0d561e560c2a042e7600a3496bc0367df8fbf868aa68d5834c8ec1a431

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.4@​sha256:693b1e61f22beaa9a0f68aa4056ba873465da96da6382f3276978d01544450dd

operator-aws

quay.io/cilium/operator-aws:v1.19.4@​sha256:9e41b3959d941a0b60ba187f5a2572305846248efb89ac59c18fd25a032f568d

operator-azure

quay.io/cilium/operator-azure:v1.19.4@​sha256:8203f4e5e65c658fe2367a570c7bba5779859982bd3cc263662e35e690be3417

operator-generic

quay.io/cilium/operator-generic:v1.19.4@​sha256:1aa2b62735e7d8ab49ee840ae59c346932024c88901579121395c1271b435f71

operator

quay.io/cilium/operator:v1.19.4@​sha256:7edc61725901e32a13e180c5290d43df5292f5f49c6d654c94a0be2faf52e71e

v1.19.3: 1.19.3

Compare Source

Summary of Changes

Minor Changes:

• Fix performance bug in L7 policy proxy redirect handling (Backport PR #​44828, Upstream PR #​44613, @​fristonio)
• Fixes issue where the Cilium agent fails to initialise when using KVStore identity mode with etcd behind a K8s Service (Backport PR #​44828, Upstream PR #​44653, @​41ks)
• helm,docs: add configDriftDetection Helm values and documentation (Backport PR #​44974, Upstream PR #​44703, @​PhilipSchmid)

Bugfixes:

• [v1.19] Fix incorrect policy service selector handling (#​44888, @​fristonio)
• bgp: Fix potential race in service advertisements upon error retry (Backport PR #​45211, Upstream PR #​45049, @​rastislavs)
• clustermesh: fix a bug in the MCS-API CRD installl that could attempt a CRD downgrade when the version label is higher (Backport PR #​44828, Upstream PR #​44738, @​MrFreezeex)
• ctmap: Change order of active maps (Backport PR #​44828, Upstream PR #​44729, @​brb)
• Ensure completion.WaitGroup always has a timeout (Backport PR #​45217, Upstream PR #​44731, @​jrajahalme)
• envoy: Fix xds server npds listeners accounting (Backport PR #​45217, Upstream PR #​44830, @​fristonio)
• Fix a slow memory leak triggered by incremental policy updates (Backport PR #​44994, Upstream PR #​44328, @​odinuge)
• Fix endpoints for static pods stuck in init identity (Backport PR #​45211, Upstream PR #​45016, @​aaroniscode)
• Fix in-cluster NodePort connectivity failure in DSR mode when SocketLB is disabled. When a pod accesses a NodePort service via a remote node's IP (instead of the ClusterIP) and the selected backend resides on the same node as the client, the connection fails due to missing reverse NAT on the reply path. (Backport PR #​44968, Upstream PR #​41963, @​gyutaeb)
• Fix memory leak triggered by policies being created and deleted (Backport PR #​44828, Upstream PR #​44724, @​odinuge)
• Fix panic in Hubble Relay when new peer address is unresolvable (Backport PR #​45211, Upstream PR #​45021, @​pesarkhobeee)
• fix(datapath): ignore link-local IPv6 addresses for NodePort binding (Backport PR #​44974, Upstream PR #​44778, @​Bigdelle)
• Fixed a bug in dual-stack cluster-pool IPAM where an operator restart with a pre-existing duplicate IPv6 PodCIDR could cause the affected node's IPv4 PodCIDR to be incorrectly freed and reassigned to another node. (Backport PR #​44866, Upstream PR #​44832, @​christarazi)
• Fixed an issue where policy update ack is never completed after endpoint deletion. (Backport PR #​44818, Upstream PR #​44754, @​jrajahalme)
• Fixed ipcache identity update hang when last proxy listener is removed. (Backport PR #​45217, Upstream PR #​44597, @​jrajahalme)
• Fixes GRPCRoute being silently excluded from Envoy config when a Gateway listener explicitly sets allowedRoutes.kinds. (Backport PR #​44974, Upstream PR #​44826, @​eufriction)
• Fixes increased CPU usage in hubble observe caused by log coloring feature, even when coloring was disabled (Backport PR #​44828, Upstream PR #​44119, @​tporeba)
• lb: fix panic in orphan backend cleanup when addr is zero-value (Backport PR #​44994, Upstream PR #​44853, @​vipul-21)
• lb: Skip nil slots during BPF map restore to prevent panic (Backport PR #​44974, Upstream PR #​44895, @​vipul-21)
• operator/identitygc: fix nil pointer dereference on shutdown (Backport PR [#​45211](https

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/Lisbon)

• Branch creation
  • "every weekend"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

--- kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
-      version: 1.16.6
+      version: 1.19.5
   install:
     remediation:
       retries: 3
   interval: 30m
   upgrade:
     cleanupOnFail: true

[github-actions]

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

@@ -9,8456 +9,11195 @@

     app.kubernetes.io/name: cilium-agent
     app.kubernetes.io/part-of: cilium
     grafana_dashboard: '1'
   annotations:
     grafana_folder: Cilium
 data:
-  cilium-dashboard.json: |
+  cilium-dashboard.json: |-
     {
       "annotations": {
         "list": [
           {
             "builtIn": 1,
-            "datasource": "-- Grafana --",
+            "datasource": {
+              "type": "datasource",
+              "uid": "grafana"
+            },
             "enable": true,
             "hide": true,
             "iconColor": "rgba(0, 211, 255, 1)",
             "name": "Annotations & Alerts",
             "type": "dashboard"
           }
         ]
       },
       "description": "Dashboard for Cilium (https://cilium.io/) metrics",
       "editable": true,
-      "gnetId": null,
+      "fiscalYearStartMonth": 0,
       "graphTooltip": 1,
-      "iteration": 1606309591568,
+      "id": 1,
       "links": [],
       "panels": [
         {
-          "aliasColors": {
-            "error": "#890f02",
-            "warning": "#c15c17"
-          },
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
           "datasource": {
             "type": "prometheus",
             "uid": "${DS_PROMETHEUS}"
           },
           "fieldConfig": {
             "defaults": {
-              "custom": {}
-            },
-            "overrides": []
-          },
-          "fill": 1,
-          "fillGradient": 0,
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "axisBorderShow": false,
+                "axisCenteredZero": false,
+                "axisColorMode": "text",
+                "axisLabel": "",
+                "axisPlacement": "auto",
+                "barAlignment": 0,
+                "barWidthFactor": 0.6,
+                "drawStyle": "line",
+                "fillOpacity": 10,
+                "gradientMode": "none",
+                "hideFrom": {
+                  "legend": false,
+                  "tooltip": false,
+                  "viz": false
+                },
+                "insertNulls": false,
+                "lineInterpolation": "linear",
+                "lineWidth": 1,
+                "pointSize": 5,
+                "scaleDistribution": {
+                  "type": "linear"
+                },
+                "showPoints": "never",
+                "spanNulls": false,
+                "stacking": {
+                  "group": "A",
+                  "mode": "none"
+                },
+                "thresholdsStyle": {
+                  "mode": "off"
+                }
+              },
+              "links": [],
+              "mappings": [],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  },
+                  {
+                    "color": "red",
+                    "value": 80
+                  }
+                ]
+              },
+              "unit": "opm"
+            },
+            "overrides": [
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "error"
+                },
+                "properties": [
+                  {
+                    "id": "color",
+                    "value": {
+                      "fixedColor": "#890f02",
+                      "mode": "fixed"
+                    }
+                  }
+                ]
+              },
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "warning"
+                },
+                "properties": [
+                  {
+                    "id": "color",
+                    "value": {
+                      "fixedColor": "#c15c17",
+                      "mode": "fixed"
+                    }
+                  }
+                ]
+              }
+            ]
+          },
           "gridPos": {
             "h": 5,
             "w": 12,
             "x": 0,
             "y": 0
           },
-          "hiddenSeries": false,
           "id": 76,
-          "legend": {
-            "avg": false,
-            "current": false,
-            "max": false,
-            "min": false,
-            "show": true,
-            "total": false,
-            "values": false
-          },
-          "lines": true,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
           "options": {
-            "dataLinks": []
-          },
-          "paceLength": 10,
-          "percentage": false,
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [
-            {
-              "alias": "error",
-              "yaxis": 2
-            }
-          ],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
+            "legend": {
+              "calcs": [],
+              "displayMode": "list",
+              "placement": "bottom",
+              "showLegend": true
+            },
+            "tooltip": {
+              "mode": "multi",
+              "sort": "none"
+            }
+          },
+          "pluginVersion": "11.3.1",
           "targets": [
             {
+              "datasource": {
+                "type": "prometheus",
+                "uid": "${DS_PROMETHEUS}"
+              },
+              "editorMode": "code",
               "expr": "sum(rate(cilium_errors_warnings_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m])) by (pod, level) * 60",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "{{level}}",
+              "range": true,
               "refId": "A"
             }
           ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeRegions": [],
-          "timeShift": null,
           "title": "Errors & Warnings",
-          "tooltip": {
-            "shared": true,
-            "sort": 0,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "opm",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "opm",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
+          "type": "timeseries"
         },
         {
-          "aliasColors": {
-            "avg": "#cffaff"
-          },
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
           "datasource": {
             "type": "prometheus",
             "uid": "${DS_PROMETHEUS}"
           },
           "fieldConfig": {
             "defaults": {
-              "custom": {}
-            },
-            "overrides": []
-          },
-          "fill": 0,
-          "fillGradient": 0,
+              "color": {
+                "mode": "palette-classic"
+              },
+              "custom": {
+                "axisBorderShow": false,
+                "axisCenteredZero": false,
+                "axisColorMode": "text",
+                "axisLabel": "",
+                "axisPlacement": "auto",
+                "barAlignment": 0,
+                "barWidthFactor": 0.6,
+                "drawStyle": "line",
+                "fillOpacity": 35,
+                "gradientMode": "none",
+                "hideFrom": {
+                  "legend": false,
+                  "tooltip": false,
+                  "viz": false
+                },
+                "insertNulls": false,
+                "lineInterpolation": "linear",
+                "lineWidth": 1,
+                "pointSize": 5,
+                "scaleDistribution": {
+                  "type": "linear"
+                },
+                "showPoints": "never",
+                "spanNulls": false,
+                "stacking": {
+                  "group": "A",
+                  "mode": "none"
+                },
+                "thresholdsStyle": {
+                  "mode": "off"
+                }
+              },
+              "links": [],
+              "mappings": [],
+              "thresholds": {
+                "mode": "absolute",
+                "steps": [
+                  {
+                    "color": "green",
+                    "value": null
+                  },
+                  {
+                    "color": "red",
+                    "value": 80
+                  }
+                ]
+              },
+              "unit": "percent"
+            },
+            "overrides": [
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "avg"
+                },
+                "properties": [
+                  {
+                    "id": "color",
+                    "value": {
+                      "fixedColor": "#cffaff",
+                      "mode": "fixed"
+                    }
+                  }
+                ]
+              },
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "max"
+                },
+                "properties": [
+                  {
+                    "id": "custom.fillBelowTo",
+                    "value": "min"
+                  },
+                  {
+                    "id": "custom.lineWidth",
+                    "value": 0
+                  }
+                ]
+              },
+              {
+                "matcher": {
+                  "id": "byName",
+                  "options": "min"
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -9,125 +9,157 @@

   identity-heartbeat-timeout: 30m0s
   identity-gc-interval: 15m0s
   cilium-endpoint-gc-interval: 5m0s
   nodes-gc-interval: 5m0s
   debug: 'false'
   debug-verbose: ''
+  metrics-sampling-interval: 5m
   enable-policy: default
   policy-cidr-match-mode: ''
   prometheus-serve-addr: :9962
   controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
   proxy-prometheus-port: '9964'
   operator-prometheus-serve-addr: :9963
   enable-metrics: 'true'
+  enable-policy-secrets-sync: 'true'
+  policy-secrets-only-from-secrets-namespace: 'true'
+  policy-secrets-namespace: cilium-secrets
   enable-ipv4: 'true'
   enable-ipv6: 'false'
   custom-cni-conf: 'false'
   enable-bpf-clock-probe: 'false'
   monitor-aggregation: medium
   monitor-aggregation-interval: 5s
   monitor-aggregation-flags: all
   bpf-map-dynamic-size-ratio: '0.0025'
   bpf-policy-map-max: '16384'
+  bpf-policy-stats-map-max: '65536'
   bpf-lb-map-max: '65536'
   bpf-lb-external-clusterip: 'false'
+  bpf-lb-source-range-all-types: 'false'
+  bpf-lb-algorithm-annotation: 'false'
+  bpf-lb-mode-annotation: 'false'
+  bpf-distributed-lru: 'false'
   bpf-events-drop-enabled: 'true'
   bpf-events-policy-verdict-enabled: 'true'
   bpf-events-trace-enabled: 'true'
   preallocate-bpf-maps: 'false'
   cluster-name: athena
   cluster-id: '1'
   routing-mode: native
+  tunnel-protocol: vxlan
+  tunnel-source-port-range: 0-0
   service-no-backend-response: reject
+  policy-deny-response: none
   enable-l7-proxy: 'true'
   enable-ipv4-masquerade: 'true'
   enable-ipv4-big-tcp: 'false'
   enable-ipv6-big-tcp: 'false'
   enable-ipv6-masquerade: 'true'
   enable-tcx: 'true'
   datapath-mode: veth
   enable-bpf-masquerade: 'false'
   enable-masquerade-to-route-source: 'false'
   enable-xt-socket-fallback: 'true'
   install-no-conntrack-iptables-rules: 'false'
+  iptables-random-fully: 'false'
   auto-direct-node-routes: 'true'
   direct-routing-skip-unreachable: 'false'
   enable-local-redirect-policy: 'true'
   ipv4-native-routing-cidr: 10.10.0.0/16
-  enable-runtime-device-detection: 'true'
   kube-proxy-replacement: 'true'
   kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
+  enable-no-service-endpoints-routable: 'true'
   bpf-lb-sock: 'false'
   bpf-lb-sock-hostns-only: 'true'
   nodeport-addresses: ''
   enable-health-check-nodeport: 'true'
   enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-mode: dsr
   bpf-lb-algorithm: maglev
   bpf-lb-acceleration: disabled
-  enable-svc-source-range-check: 'true'
-  enable-l2-neigh-discovery: 'true'
-  arping-refresh-period: 30s
+  enable-service-topology: 'false'
+  enable-l2-neigh-discovery: 'false'
   k8s-require-ipv4-pod-cidr: 'false'
   k8s-require-ipv6-pod-cidr: 'false'
   enable-endpoint-routes: 'true'
   enable-k8s-networkpolicy: 'true'
+  enable-endpoint-lockdown-on-policy-overflow: 'false'
   write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
   cni-exclusive: 'false'
   cni-log-file: /var/run/cilium/cilium-cni.log
   enable-endpoint-health-checking: 'true'
   enable-health-checking: 'true'
+  health-check-icmp-failure-threshold: '3'
   enable-well-known-identities: 'false'
   enable-node-selector-labels: 'false'
   synchronize-k8s-nodes: 'true'
   operator-api-serve-addr: 127.0.0.1:9234
+  enable-hubble: 'false'
   ipam: kubernetes
   ipam-cilium-node-update-rate: 15s
+  default-lb-service-ipam: lbipam
   egress-gateway-reconciliation-trigger-interval: 1s
   enable-vtep: 'false'
   vtep-endpoint: ''
   vtep-cidr: ''
   vtep-mask: ''
   vtep-mac: ''
   enable-l2-announcements: 'true'
+  packetization-layer-pmtud-mode: blackhole
   procfs: /host/proc
   bpf-root: /sys/fs/bpf
   cgroup-root: /sys/fs/cgroup
-  enable-k8s-terminating-endpoint: 'true'
+  identity-management-mode: agent
   enable-sctp: 'false'
-  k8s-client-qps: '10'
-  k8s-client-burst: '20'
   remove-cilium-node-taints: 'true'
   set-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
-  unmanaged-pod-watcher-interval: '15'
+  unmanaged-pod-watcher-interval: 15s
   dnsproxy-enable-transparent-mode: 'true'
   dnsproxy-socket-linger-timeout: '10'
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
-  tofqdns-endpoint-max-ip-per-hostname: '50'
+  tofqdns-endpoint-max-ip-per-hostname: '1000'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
   tofqdns-proxy-response-max-delay: 100ms
+  tofqdns-preallocate-identities: 'true'
   agent-not-ready-taint-key: node.cilium.io/agent-not-ready
-  mesh-auth-enabled: 'true'
+  mesh-auth-enabled: 'false'
   mesh-auth-queue-size: '1024'
   mesh-auth-rotated-identities-queue-size: '1024'
   mesh-auth-gc-interval: 5m0s
   proxy-xff-num-trusted-hops-ingress: '0'
   proxy-xff-num-trusted-hops-egress: '0'
   proxy-connect-timeout: '2'
   proxy-initial-fetch-timeout: '30'
+  proxy-max-active-downstream-connections: '50000'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
   proxy-idle-timeout-seconds: '60'
+  proxy-max-concurrent-retries: '128'
+  proxy-use-original-source-address: 'true'
+  proxy-cluster-max-connections: '1024'
+  proxy-cluster-max-requests: '1024'
+  http-retry-count: '3'
+  http-stream-idle-timeout: '300'
   external-envoy-proxy: 'false'
   envoy-base-id: '0'
+  envoy-access-log-buffer-size: '4096'
   envoy-keep-cap-netbindservice: 'false'
   max-connected-clusters: '255'
+  clustermesh-cache-ttl: 0s
   clustermesh-enable-endpoint-sync: 'false'
   clustermesh-enable-mcs-api: 'false'
+  clustermesh-mcs-api-install-crds: 'true'
+  policy-default-local-cluster: 'true'
   nat-map-stats-entries: '32'
   nat-map-stats-interval: 30s
+  enable-lb-ipam: 'true'
+  enable-non-default-deny-policies: 'true'
+  enable-source-ip-verification: 'true'
+  enable-dynamic-config: 'true'
+  enable-drift-checker: 'true'
 
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-operator-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-operator-dashboard

@@ -1013,13 +1013,19 @@

       ],
       "refresh": false,
       "schemaVersion": 25,
       "style": "dark",
       "tags": [],
       "templating": {
-        "list": []
+        "list": [
+          {
+            "type": "datasource",
+            "name": "DS_PROMETHEUS",
+            "query": "prometheus"
+          }
+        ]
       },
       "time": {
         "from": "now-30m",
         "to": "now"
       },
       "timepicker": {
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

@@ -53,12 +53,13 @@

   - update
   - patch
 - apiGroups:
   - ''
   resources:
   - namespaces
+  - secrets
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - ''
@@ -136,12 +137,19 @@

   - get
   - list
   - watch
   - delete
   - patch
 - apiGroups:
+  - cilium.io
+  resources:
+  - ciliumbgpclusterconfigs/status
+  - ciliumbgppeerconfigs/status
+  verbs:
+  - update
+- apiGroups:
   - apiextensions.k8s.io
   resources:
   - customresourcedefinitions
   verbs:
   - create
   - get
@@ -152,41 +160,41 @@

   resources:
   - customresourcedefinitions
   verbs:
   - update
   resourceNames:
   - ciliumloadbalancerippools.cilium.io
-  - ciliumbgppeeringpolicies.cilium.io
   - ciliumbgpclusterconfigs.cilium.io
   - ciliumbgppeerconfigs.cilium.io
   - ciliumbgpadvertisements.cilium.io
   - ciliumbgpnodeconfigs.cilium.io
   - ciliumbgpnodeconfigoverrides.cilium.io
   - ciliumclusterwideenvoyconfigs.cilium.io
   - ciliumclusterwidenetworkpolicies.cilium.io
   - ciliumegressgatewaypolicies.cilium.io
   - ciliumendpoints.cilium.io
   - ciliumendpointslices.cilium.io
   - ciliumenvoyconfigs.cilium.io
-  - ciliumexternalworkloads.cilium.io
   - ciliumidentities.cilium.io
   - ciliumlocalredirectpolicies.cilium.io
   - ciliumnetworkpolicies.cilium.io
   - ciliumnodes.cilium.io
   - ciliumnodeconfigs.cilium.io
   - ciliumcidrgroups.cilium.io
   - ciliuml2announcementpolicies.cilium.io
   - ciliumpodippools.cilium.io
+  - ciliumgatewayclassconfigs.cilium.io
 - apiGroups:
   - cilium.io
   resources:
   - ciliumloadbalancerippools
   - ciliumpodippools
   - ciliumbgppeeringpolicies
   - ciliumbgpclusterconfigs
   - ciliumbgpnodeconfigoverrides
+  - ciliumbgppeerconfigs
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - cilium.io
@@ -205,7 +213,13 @@

   resources:
   - leases
   verbs:
   - create
   - get
   - update
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumendpointslices
+  verbs:
+  - deletecollection
 
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,60 +16,65 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 1d9dd7de44a4535a928ffeef0787b5c79723050a2e399a92043be004c3791c74
+        cilium.io/cilium-configmap-checksum: bbc1392a73c65ad69baea3bf69a782207c59b5720129d7bf6bd7c5be45c15ef7
+        kubectl.kubernetes.io/default-container: cilium-agent
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
+        seccompProfile:
+          type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9879
+            port: health
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
-          failureThreshold: 105
+          failureThreshold: 300
           periodSeconds: 2
           successThreshold: 1
           initialDelaySeconds: 5
         livenessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9879
+            port: health
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
+            - name: require-k8s-connectivity
+              value: 'false'
           periodSeconds: 30
           successThreshold: 1
           failureThreshold: 10
           timeoutSeconds: 5
         readinessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9879
+            port: health
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
           periodSeconds: 30
           successThreshold: 1
@@ -94,12 +99,16 @@

               resource: limits.memory
               divisor: '1'
         - name: KUBERNETES_SERVICE_HOST
           value: 127.0.0.1
         - name: KUBERNETES_SERVICE_PORT
           value: '7445'
+        - name: KUBE_CLIENT_BACKOFF_BASE
+          value: '1'
+        - name: KUBE_CLIENT_BACKOFF_DURATION
+          value: '120'
         lifecycle:
           postStart:
             exec:
               command:
               - bash
               - -c
@@ -125,27 +134,23 @@

                 echo 'Done!'
           preStop:
             exec:
               command:
               - /cni-uninstall.sh
         ports:
-        - name: peer-service
-          containerPort: 4244
-          hostPort: 4244
+        - name: health
+          containerPort: 9879
+          hostPort: 9879
           protocol: TCP
         - name: prometheus
           containerPort: 9962
           hostPort: 9962
           protocol: TCP
         - name: envoy-metrics
           containerPort: 9964
           hostPort: 9964
-          protocol: TCP
-        - name: envoy-admin
-          containerPort: 9901
-          hostPort: 9901
           protocol: TCP
         securityContext:
           seLinuxOptions:
             level: s0
             type: spc_t
           capabilities:
@@ -190,13 +195,13 @@

         - name: xtables-lock
           mountPath: /run/xtables.lock
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -214,22 +219,28 @@

         - name: KUBERNETES_SERVICE_PORT
           value: '7445'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+            drop:
+            - ALL
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /sys/fs/cgroup
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
-        - sh
+        - bash
         - -ec
         - |
           cp /usr/bin/cilium-mount /hostbin/cilium-mount;
           nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
           rm /hostbin/cilium-mount
         volumeMounts:
@@ -247,19 +258,19 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
-        - sh
+        - bash
         - -ec
         - |
           cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
           nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
           rm /hostbin/cilium-sysctlfix
         volumeMounts:
@@ -277,13 +288,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -293,13 +304,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -341,17 +352,20 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+        image: quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
+          limits:
+            cpu: 1
+            memory: 1Gi
           requests:
             cpu: 100m
             memory: 10Mi
         securityContext:
           seLinuxOptions:
             level: s0
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,22 +20,25 @@

       maxSurge: 25%
       maxUnavailable: 100%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 1d9dd7de44a4535a928ffeef0787b5c79723050a2e399a92043be004c3791c74
+        cilium.io/cilium-configmap-checksum: bbc1392a73c65ad69baea3bf69a782207c59b5720129d7bf6bd7c5be45c15ef7
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.16.6@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
+        image: quay.io/cilium/operator-generic:v1.19.5@sha256:be848a365776e07d0c5a895eda7aec928ddc52a5a1fa2f432fd7a286609e1db4
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
@@ -58,39 +61,47 @@

               optional: true
         - name: KUBERNETES_SERVICE_HOST
           value: 127.0.0.1
         - name: KUBERNETES_SERVICE_PORT
           value: '7445'
         ports:
+        - name: health
+          containerPort: 9234
+          hostPort: 9234
         - name: prometheus
           containerPort: 9963
           hostPort: 9963
           protocol: TCP
         livenessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9234
+            port: health
             scheme: HTTP
           initialDelaySeconds: 60
           periodSeconds: 10
           timeoutSeconds: 3
         readinessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9234
+            port: health
             scheme: HTTP
           initialDelaySeconds: 0
           periodSeconds: 5
           timeoutSeconds: 3
           failureThreshold: 5
         volumeMounts:
         - name: cilium-config-path
           mountPath: /tmp/cilium/config-map
           readOnly: true
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
         terminationMessagePolicy: FallbackToLogsOnError
       hostNetwork: true
       restartPolicy: Always
       priorityClassName: system-cluster-critical
       serviceAccountName: cilium-operator
       automountServiceAccountToken: true
@@ -101,12 +112,21 @@

               matchLabels:
                 io.cilium/app: operator
             topologyKey: kubernetes.io/hostname
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
-      - operator: Exists
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+      - key: node.kubernetes.io/not-ready
+        operator: Exists
+      - key: node.cloudprovider.kubernetes.io/uninitialized
+        operator: Exists
+      - key: node.cilium.io/agent-not-ready
+        operator: Exists
       volumes:
       - name: cilium-config-path
         configMap:
           name: cilium-config
 
--- HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent

+++ HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent

@@ -3,26 +3,28 @@

 kind: ServiceMonitor
 metadata:
   name: cilium-agent
   namespace: kube-system
   labels:
     app.kubernetes.io/part-of: cilium
+    app.kubernetes.io/name: cilium-agent
 spec:
   selector:
     matchLabels:
-      k8s-app: cilium
+      app.kubernetes.io/name: cilium-agent
   namespaceSelector:
     matchNames:
     - kube-system
   endpoints:
   - port: metrics
     interval: 10s
     honorLabels: true
     path: /metrics
     relabelings:
-    - replacement: ${1}
+    - action: replace
+      replacement: ${1}
       sourceLabels:
       - __meta_kubernetes_pod_node_name
       targetLabel: node
   targetLabels:
   - k8s-app
 
--- HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets

+++ HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets

@@ -0,0 +1,8 @@

+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets

@@ -0,0 +1,19 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-operator-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - update
+  - patch
+
--- HelmRelease: kube-system/cilium Role: kube-system/cilium-operator-ztunnel

+++ HelmRelease: kube-system/cilium Role: kube-system/cilium-operator-ztunnel

@@ -0,0 +1,20 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-operator-ztunnel
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+  name: cilium
+  namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets

+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-operator-tlsinterception-secrets
+  namespace: cilium-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-operator-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+  name: cilium-operator
+  namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-operator-ztunnel

+++ HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-operator-ztunnel

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-operator-ztunnel
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-operator-ztunnel
+subjects:
+- kind: ServiceAccount
+  name: cilium-operator
+  namespace: kube-system
+