fix(deps): update helm release cilium ( 1.16.5 → 1.16.6 )

[tyriis-automation]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
cilium (source)	HelmChart	patch	1.16.5 -> 1.16.6
cilium (source)		patch	1.16.5 -> 1.16.6

---

Release Notes

cilium/cilium (cilium)

v1.16.6: 1.16.6

Compare Source

Summary of Changes

Major Changes:

• Add feature tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​35852, @​aanm)
• Add feature tracking in Cilium Operator as prometheus metrics (Backport PR #​36263, Upstream PR #​36077, @​aanm)

Minor Changes:

• envoy: Use yaml format for bootstrap config (Backport PR #​36782, Upstream PR #​36820, @​sayboras)
• Reject CNP/CCNP with CIDR rules where CIDRGroupRef is used in combination with ExceptCIDRs (#​36561, @​pippolo84)
• service: Cap number of backends included in monitor message (Backport PR #​36635, Upstream PR #​36394, @​joamaki)

Bugfixes:

• cilium: LB source ranges fixes (Backport PR #​36635, Upstream PR #​36517, @​borkmann)
• eni.subnetTagsFilter and eni.instanceTagsFilter are now templated to comma separated string (Backport PR #​36872, Upstream PR #​36617, @​sderoe)
• envoy: Configure internal address config based on IP family (Backport PR #​36782, Upstream PR #​36733, @​sayboras)
• Fix connectivity issue caused by stale cilium eBPF program when using --bpf-filter-priority (Backport PR #​36635, Upstream PR #​36176, @​tamilmani1989)
• metrics/features: remove reporting metrics' defaults by default (Backport PR #​36263, Upstream PR #​36298, @​aanm)
• pkg/redirectpolicy: Fix backend slices in processConfig (Backport PR #​36872, Upstream PR #​35496, @​Sm0ckingBird)
• ui: drop CORS headers from api response (Backport PR #​36872, Upstream PR #​35762, @​geakstr)

CI Changes:

• [v1.16] .github: Remove CI Fuzz workflow (#​36641, @​joestringer)
• [v1.16] gh: e2e-upgrade: use 6.12 kernel for netkit test configs (#​36620, @​julianwiedmann)
• [v1.16] gha: use /test to trigger tests in stable branches (#​36673, @​giorio94)
• ci: fix job names for various ci workflows (Backport PR #​36263, Upstream PR #​36397, @​marseel)
• Extend the check-ipsec-leak bpftrace script to capture additional details of leaked packets (Backport PR #​36872, Upstream PR #​33398, @​giorio94)
• gh: e2e-upgrade: add coverage for 6.6 kernel (Backport PR #​36988, Upstream PR #​36626, @​julianwiedmann)
• gh: e2e-upgrade: de-renovate the config example (Backport PR #​36635, Upstream PR #​36463, @​julianwiedmann)
• gha: drop leftover token parameter in net-perf-gke workflow (#​36684, @​giorio94)
• gha: fix merging of features-related artifacts (#​36665, @​giorio94)
• gha: merge artifacts in net-perf-gke workflow (Backport PR #​36263, Upstream PR #​36236, @​giorio94)
• gha: Use ubuntu-24.04 for integration-test (Backport PR #​36659, Upstream PR #​36628, @​sayboras)

Misc Changes:

• .github/workflows: always install cilium-cli (Backport PR #​36263, Upstream PR #​36234, @​aanm)
• .github/workflows: do not fail ginkgo if unable to fetch features (Backport PR #​36263, Upstream PR #​36461, @​aanm)
• .github: fix conformance-k8s NP test (Backport PR #​36263, Upstream PR #​36355, @​aanm)
• [v1.16] Use bash syntax to consume env variable (#​36636, @​ferozsalam)
• Add more features tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​36078, @​aanm)
• Add policy-related features tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​36203, @​aanm)
• Add the tls:// prefix in the Hubble TLS doc (Backport PR #​36635, Upstream PR #​36410, @​liyihuang)
• chore(deps): update all github action dependencies (v1.16) (#​36612, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36762, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36950, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​37099, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (patch) (#​36760, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36707, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36787, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36949, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​37033, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.16) (#​36895, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.36.1 docker digest to 7c3c3ce (v1.16) (#​36609, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.10 docker digest to 1a6e657 (v1.16) (#​36850, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.10 docker digest to 9855006 (v1.16) (#​36610, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.11 (v1.16) (#​37045, @​cilium-renovate[bot])
• chore(deps): update helm/kind-action action to v1.12.0 (v1.16) (#​36839, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36611, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36699, @​cilium-renovate[bot])
• doc: fix typo on kubeproxy-free (CEV -> CVE) (Backport PR #​36872, Upstream PR #​36701, @​alagoutte)
• docs: Add missing default identity label in the description of identity-relevant labels' example (Backport PR #​36635, Upstream PR #​36558, @​liyihuang)
• docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (Backport PR #​36635, Upstream PR #​36549, @​verysonglaa)
• Ensure debug symbols are generated for the debug image even when stripping symbols for the release image. (Backport PR #​36635, Upstream PR #​36417, @​EricMountain)
• Fix make -C Documentation update-cmdref when make uses --jobserver-style=fifo. (Backport PR #​36872, Upstream PR #​36788, @​gentoo-root)
• fix(deps): update module golang.org/x/net to v0.33.0 [security] (v1.16) (#​36711, @​cilium-renovate[bot])
• ingress, gateway-api: Convert test fixtures to file based (Backport PR #​36782, Upstream PR #​36732, @​sayboras)
• metrics/features: enable ClusterMesh (Backport PR #​36263, Upstream PR #​36402, @​aanm)
• metrics/features: refactor metric names (Backport PR #​36263, Upstream PR #​36209, @​aanm)
• Prepare for release v1.16.6 (#​36989, @​cilium-release-bot[bot])
• Remove reference to DNS polling (Backport PR #​36872, Upstream PR #​36679, @​JacobHenner)

Other Changes:

• [v1.16] author backport: helm: avoid setting bpf-lb-sock-terminate-pod-connections (#​36650, @​ysksuzuki)
• install: Update image digests for v1.16.5 (#​36671, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.6@​sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
quay.io/cilium/cilium:stable@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.6@​sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a
quay.io/cilium/clustermesh-apiserver:stable@sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a

docker-plugin

quay.io/cilium/docker-plugin:v1.16.6@​sha256:f8f5833a60900b0264fd8982b11329e130c1a326afe2e4653e9f2d2e3fb2af66
quay.io/cilium/docker-plugin:stable@sha256:f8f5833a60900b0264fd8982b11329e130c1a326afe2e4653e9f2d2e3fb2af66

hubble-relay

quay.io/cilium/hubble-relay:v1.16.6@​sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b
quay.io/cilium/hubble-relay:stable@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.6@​sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9
quay.io/cilium/operator-alibabacloud:stable@sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9

operator-aws

quay.io/cilium/operator-aws:v1.16.6@​sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d
quay.io/cilium/operator-aws:stable@sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d

operator-azure

quay.io/cilium/operator-azure:v1.16.6@​sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd
quay.io/cilium/operator-azure:stable@sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd

operator-generic

quay.io/cilium/operator-generic:v1.16.6@​sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
quay.io/cilium/operator-generic:stable@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc

operator

quay.io/cilium/operator:v1.16.6@​sha256:09ab2878e103fa32a00fd1fe4469f7042cfb053627b44c82fa03a04a820c0b46
quay.io/cilium/operator:stable@sha256:09ab2878e103fa32a00fd1fe4469f7042cfb053627b44c82fa03a04a820c0b46

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[tyriis-automation]

--- kubernetes/kube-nas/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/kube-nas/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -12,13 +12,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium-charts
         namespace: flux-system
-      version: 1.16.5
+      version: 1.16.6
   install:
     remediation:
       retries: 3
   interval: 30m
   maxHistory: 2
   uninstall:

[tyriis-automation]

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -55,13 +55,12 @@

   enable-local-redirect-policy: 'true'
   ipv4-native-routing-cidr: 10.42.0.0/16
   enable-runtime-device-detection: 'true'
   kube-proxy-replacement: 'true'
   kube-proxy-replacement-healthz-bind-address: ''
   bpf-lb-sock: 'false'
-  bpf-lb-sock-terminate-pod-connections: 'false'
   nodeport-addresses: ''
   enable-health-check-nodeport: 'true'
   enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-mode: dsr
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config

@@ -3,373 +3,8 @@

 kind: ConfigMap
 metadata:
   name: cilium-envoy-config
   namespace: kube-system
 data:
   bootstrap-config.json: |
-    {
-      "node": {
-        "id": "host~127.0.0.1~no-id~localdomain",
-        "cluster": "ingress-cluster"
-      },
-      "staticResources": {
-        "listeners": [
-          {
-            "name": "envoy-prometheus-metrics-listener",
-            "address": {
-              "socket_address": {
-                "address": "0.0.0.0",
-                "port_value": 9964
-              }
-            },
-            "filter_chains": [
-              {
-                "filters": [
-                  {
-                    "name": "envoy.filters.network.http_connection_manager",
-                    "typed_config": {
-                      "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
-                      "stat_prefix": "envoy-prometheus-metrics-listener",
-                      "route_config": {
-                        "virtual_hosts": [
-                          {
-                            "name": "prometheus_metrics_route",
-                            "domains": [
-                              "*"
-                            ],
-                            "routes": [
-                              {
-                                "name": "prometheus_metrics_route",
-                                "match": {
-                                  "prefix": "/metrics"
-                                },
-                                "route": {
-                                  "cluster": "/envoy-admin",
-                                  "prefix_rewrite": "/stats/prometheus"
-                                }
-                              }
-                            ]
-                          }
-                        ]
-                      },
-                      "http_filters": [
-                        {
-                          "name": "envoy.filters.http.router",
-                          "typed_config": {
-                            "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
-                          }
-                        }
-                      ],
-                      "internal_address_config": {
-                        "cidr_ranges": [
-                          {
-                            "address_prefix": "10.0.0.0",
-                            "prefix_len": 8
-                          },
-                          {
-                            "address_prefix": "172.16.0.0",
-                            "prefix_len": 12
-                          },
-                          {
-                            "address_prefix": "192.168.0.0",
-                            "prefix_len": 16
-                          },
-                          {
-                            "address_prefix": "127.0.0.1",
-                            "prefix_len": 32
-                          },
-                          {
-                            "address_prefix": "::1",
-                            "prefix_len": 128
-                          }
-                        ]
-                      },
-                      "stream_idle_timeout": "0s"
-                    }
-                  }
-                ]
-              }
-            ]
-          },
-          {
-            "name": "envoy-health-listener",
-            "address": {
-              "socket_address": {
-                "address": "127.0.0.1",
-                "port_value": 9878
-              }
-            },
-            "filter_chains": [
-              {
-                "filters": [
-                  {
-                    "name": "envoy.filters.network.http_connection_manager",
-                    "typed_config": {
-                      "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
-                      "stat_prefix": "envoy-health-listener",
-                      "route_config": {
-                        "virtual_hosts": [
-                          {
-                            "name": "health",
-                            "domains": [
-                              "*"
-                            ],
-                            "routes": [
-                              {
-                                "name": "health",
-                                "match": {
-                                  "prefix": "/healthz"
-                                },
-                                "route": {
-                                  "cluster": "/envoy-admin",
-                                  "prefix_rewrite": "/ready"
-                                }
-                              }
-                            ]
-                          }
-                        ]
-                      },
-                      "http_filters": [
-                        {
-                          "name": "envoy.filters.http.router",
-                          "typed_config": {
-                            "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
-                          }
-                        }
-                      ],
-                      "internal_address_config": {
-                        "cidr_ranges": [
-                          {
-                            "address_prefix": "10.0.0.0",
-                            "prefix_len": 8
-                          },
-                          {
-                            "address_prefix": "172.16.0.0",
-                            "prefix_len": 12
-                          },
-                          {
-                            "address_prefix": "192.168.0.0",
-                            "prefix_len": 16
-                          },
-                          {
-                            "address_prefix": "127.0.0.1",
-                            "prefix_len": 32
-                          },
-                          {
-                            "address_prefix": "::1",
-                            "prefix_len": 128
-                          }
-                        ]
-                      },
-                      "stream_idle_timeout": "0s"
-                    }
-                  }
-                ]
-              }
-            ]
-          }
-        ],
-        "clusters": [
-          {
-            "name": "ingress-cluster",
-            "type": "ORIGINAL_DST",
-            "connectTimeout": "2s",
-            "lbPolicy": "CLUSTER_PROVIDED",
-            "typedExtensionProtocolOptions": {
-              "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-                "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-                "commonHttpProtocolOptions": {
-                  "idleTimeout": "60s",
-                  "maxConnectionDuration": "0s",
-                  "maxRequestsPerConnection": 0
-                },
-                "useDownstreamProtocolConfig": {}
-              }
-            },
-            "cleanupInterval": "2.500s"
-          },
-          {
-            "name": "egress-cluster-tls",
-            "type": "ORIGINAL_DST",
-            "connectTimeout": "2s",
-            "lbPolicy": "CLUSTER_PROVIDED",
-            "typedExtensionProtocolOptions": {
-              "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-                "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-                "commonHttpProtocolOptions": {
-                  "idleTimeout": "60s",
-                  "maxConnectionDuration": "0s",
-                  "maxRequestsPerConnection": 0
-                },
-                "upstreamHttpProtocolOptions": {},
-                "useDownstreamProtocolConfig": {}
-              }
-            },
-            "cleanupInterval": "2.500s",
-            "transportSocket": {
-              "name": "cilium.tls_wrapper",
-              "typedConfig": {
-                "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
-              }
-            }
-          },
-          {
-            "name": "egress-cluster",
-            "type": "ORIGINAL_DST",
-            "connectTimeout": "2s",
-            "lbPolicy": "CLUSTER_PROVIDED",
-            "typedExtensionProtocolOptions": {
-              "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-                "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-                "commonHttpProtocolOptions": {
-                  "idleTimeout": "60s",
-                  "maxConnectionDuration": "0s",
-                  "maxRequestsPerConnection": 0
-                },
-                "useDownstreamProtocolConfig": {}
-              }
-            },
-            "cleanupInterval": "2.500s"
-          },
-          {
-            "name": "ingress-cluster-tls",
-            "type": "ORIGINAL_DST",
-            "connectTimeout": "2s",
-            "lbPolicy": "CLUSTER_PROVIDED",
-            "typedExtensionProtocolOptions": {
-              "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-                "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-                "commonHttpProtocolOptions": {
-                  "idleTimeout": "60s",
-                  "maxConnectionDuration": "0s",
-                  "maxRequestsPerConnection": 0
-                },
-                "upstreamHttpProtocolOptions": {},
-                "useDownstreamProtocolConfig": {}
-              }
-            },
-            "cleanupInterval": "2.500s",
-            "transportSocket": {
-              "name": "cilium.tls_wrapper",
-              "typedConfig": {
-                "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
-              }
-            }
-          },
-          {
-            "name": "xds-grpc-cilium",
-            "type": "STATIC",
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

@@ -5,20 +5,14 @@

   name: hubble-ui-nginx
   namespace: kube-system
 data:
   nginx.conf: "server {\n    listen       8081;\n    listen       [::]:8081;\n   \
     \ server_name  localhost;\n    root /app;\n    index index.html;\n    client_max_body_size\
     \ 1G;\n\n    location / {\n        proxy_set_header Host $host;\n        proxy_set_header\
-    \ X-Real-IP $remote_addr;\n\n        # CORS\n        add_header Access-Control-Allow-Methods\
-    \ \"GET, POST, PUT, HEAD, DELETE, OPTIONS\";\n        add_header Access-Control-Allow-Origin\
-    \ *;\n        add_header Access-Control-Max-Age 1728000;\n        add_header Access-Control-Expose-Headers\
-    \ content-length,grpc-status,grpc-message;\n        add_header Access-Control-Allow-Headers\
-    \ range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout;\n\
-    \        if ($request_method = OPTIONS) {\n            return 204;\n        }\n\
-    \        # /CORS\n\n        location /api {\n            proxy_http_version 1.1;\n\
-    \            proxy_pass_request_headers on;\n            proxy_hide_header Access-Control-Allow-Origin;\n\
-    \            proxy_pass http://127.0.0.1:8090;\n        }\n        location /\
-    \ {\n            # double `/index.html` is required here \n            try_files\
-    \ $uri $uri/ /index.html /index.html;\n        }\n\n        # Liveness probe\n\
-    \        location /healthz {\n            access_log off;\n            add_header\
-    \ Content-Type text/plain;\n            return 200 'ok';\n        }\n    }\n}"
+    \ X-Real-IP $remote_addr;\n\n        location /api {\n            proxy_http_version\
+    \ 1.1;\n            proxy_pass_request_headers on;\n            proxy_pass http://127.0.0.1:8090;\n\
+    \        }\n        location / {\n            # double `/index.html` is required\
+    \ here \n            try_files $uri $uri/ /index.html /index.html;\n        }\n\
+    \n        # Liveness probe\n        location /healthz {\n            access_log\
+    \ off;\n            add_header Content-Type text/plain;\n            return 200\
+    \ 'ok';\n        }\n    }\n}"
 
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -18,24 +18,24 @@

     type: RollingUpdate
   template:
     metadata:
       annotations:
         prometheus.io/port: '9962'
         prometheus.io/scrape: 'true'
-        cilium.io/cilium-configmap-checksum: 564f0de0efe70f57be43e7633315d800441ab8d84e5d7e7d62f216c109b8d874
+        cilium.io/cilium-configmap-checksum: d84302ec29522ea2e094d9f5934d25ec8cc49f0b141ff0bae40817493b9967e0
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
+        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -147,12 +147,15 @@

           readOnly: false
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
         - name: cilium-run
           mountPath: /var/run/cilium
+        - name: cilium-netns
+          mountPath: /var/run/cilium/netns
+          mountPropagation: HostToContainer
         - name: etc-cni-netd
           mountPath: /host/etc/cni/net.d
         - name: clustermesh-secrets
           mountPath: /var/lib/cilium/clustermesh
           readOnly: true
         - name: lib-modules
@@ -164,13 +167,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
+        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -185,13 +188,13 @@

               fieldPath: metadata.namespace
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
+        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /run/cilium/cgroupv2
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -208,13 +211,13 @@

         - name: cni-path
           mountPath: /hostbin
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
+        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -229,13 +232,13 @@

         - name: cni-path
           mountPath: /hostbin
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
+        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -264,13 +267,13 @@

         - name: cilium-cgroup
           mountPath: /run/cilium/cgroupv2
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
+        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
@@ -305,12 +308,16 @@

       - name: tmp
         emptyDir: {}
       - name: cilium-run
         hostPath:
           path: /var/run/cilium
           type: DirectoryOrCreate
+      - name: cilium-netns
+        hostPath:
+          path: /var/run/netns
+          type: DirectoryOrCreate
       - name: bpf-maps
         hostPath:
           path: /sys/fs/bpf
           type: DirectoryOrCreate
       - name: hostproc
         hostPath:
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

@@ -28,13 +28,13 @@

     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-envoy
-        image: quay.io/cilium/cilium-envoy:v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8@sha256:709c08ade3d17d52da4ca2af33f431360ec26268d288d9a6cd1d98acc9a1dced
+        image: quay.io/cilium/cilium-envoy:v1.30.9-1737073743-40a016d11c0d863b772961ed0168eea6fe6b10a5@sha256:a69dfe0e54b24b0ff747385c8feeae0612cfbcae97bfcc8ee42a773bb3f69c88
         imagePullPolicy: IfNotPresent
         command:
         - /usr/bin/cilium-envoy-starter
         args:
         - --
         - -c /var/run/cilium/envoy/bootstrap-config.json
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,24 +20,24 @@

       maxSurge: 25%
       maxUnavailable: 100%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 564f0de0efe70f57be43e7633315d800441ab8d84e5d7e7d62f216c109b8d874
+        cilium.io/cilium-configmap-checksum: d84302ec29522ea2e094d9f5934d25ec8cc49f0b141ff0bae40817493b9967e0
         prometheus.io/port: '9963'
         prometheus.io/scrape: 'true'
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.16.5@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039
+        image: quay.io/cilium/operator-generic:v1.16.6@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.16.5@sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00
+        image: quay.io/cilium/hubble-relay:v1.16.6@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

@@ -17,13 +17,13 @@

     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/hubble-ui-nginx-configmap-checksum: e8acee96ed990156efd0291c8c33709d2c7902d2ec993eefa16c7cd3d1a9d84b
+        cilium.io/hubble-ui-nginx-configmap-checksum: de069d2597e16e4de004ce684b15d74b2ab6051c717ae073d86199a76d91fcf1
       labels:
         k8s-app: hubble-ui
         app.kubernetes.io/name: hubble-ui
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:

[tyriis-automation]

--- kubernetes/talos-flux/apps/kube-system/cilium/app Kustomization: flux-system/apps-cilium HelmRelease: kube-system/cilium

+++ kubernetes/talos-flux/apps/kube-system/cilium/app Kustomization: flux-system/apps-cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium-charts
         namespace: flux-system
-      version: 1.16.5
+      version: 1.16.6
   install:
     remediation:
       retries: 3
   interval: 30m
   uninstall:
     keepHistory: false

[tyriis-automation]

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -58,13 +58,12 @@

   ipv4-native-routing-cidr: 10.244.0.0/16
   devices: eth0
   enable-runtime-device-detection: 'true'
   kube-proxy-replacement: 'true'
   kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
   bpf-lb-sock: 'false'
-  bpf-lb-sock-terminate-pod-connections: 'false'
   nodeport-addresses: ''
   enable-health-check-nodeport: 'true'
   enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-mode: dsr
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

@@ -5,20 +5,14 @@

   name: hubble-ui-nginx
   namespace: kube-system
 data:
   nginx.conf: "server {\n    listen       8081;\n    listen       [::]:8081;\n   \
     \ server_name  localhost;\n    root /app;\n    index index.html;\n    client_max_body_size\
     \ 1G;\n\n    location / {\n        proxy_set_header Host $host;\n        proxy_set_header\
-    \ X-Real-IP $remote_addr;\n\n        # CORS\n        add_header Access-Control-Allow-Methods\
-    \ \"GET, POST, PUT, HEAD, DELETE, OPTIONS\";\n        add_header Access-Control-Allow-Origin\
-    \ *;\n        add_header Access-Control-Max-Age 1728000;\n        add_header Access-Control-Expose-Headers\
-    \ content-length,grpc-status,grpc-message;\n        add_header Access-Control-Allow-Headers\
-    \ range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout;\n\
-    \        if ($request_method = OPTIONS) {\n            return 204;\n        }\n\
-    \        # /CORS\n\n        location /api {\n            proxy_http_version 1.1;\n\
-    \            proxy_pass_request_headers on;\n            proxy_hide_header Access-Control-Allow-Origin;\n\
-    \            proxy_pass http://127.0.0.1:8090;\n        }\n        location /\
-    \ {\n            # double `/index.html` is required here \n            try_files\
-    \ $uri $uri/ /index.html /index.html;\n        }\n\n        # Liveness probe\n\
-    \        location /healthz {\n            access_log off;\n            add_header\
-    \ Content-Type text/plain;\n            return 200 'ok';\n        }\n    }\n}"
+    \ X-Real-IP $remote_addr;\n\n        location /api {\n            proxy_http_version\
+    \ 1.1;\n            proxy_pass_request_headers on;\n            proxy_pass http://127.0.0.1:8090;\n\
+    \        }\n        location / {\n            # double `/index.html` is required\
+    \ here \n            try_files $uri $uri/ /index.html /index.html;\n        }\n\
+    \n        # Liveness probe\n        location /healthz {\n            access_log\
+    \ off;\n            add_header Content-Type text/plain;\n            return 200\
+    \ 'ok';\n        }\n    }\n}"
 
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,24 +16,24 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: dcd2856884e3b1d2f8ff4f5fe374266de1adb304d01a6aa52713e27ea1781a5e
+        cilium.io/cilium-configmap-checksum: 82e0f65410c3c2e3c8b55f13567c9780dd9197e41669e5fc1037b9685143566f
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
+        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -156,12 +156,15 @@

           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
         - name: cilium-run
           mountPath: /var/run/cilium
+        - name: cilium-netns
+          mountPath: /var/run/cilium/netns
+          mountPropagation: HostToContainer
         - name: etc-cni-netd
           mountPath: /host/etc/cni/net.d
         - name: clustermesh-secrets
           mountPath: /var/lib/cilium/clustermesh
           readOnly: true
         - name: lib-modules
@@ -173,13 +176,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
+        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -198,13 +201,13 @@

           value: '6443'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
+        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -219,13 +222,13 @@

         - name: cni-path
           mountPath: /hostbin
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
+        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -258,13 +261,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
+        image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
@@ -299,12 +302,16 @@

       - name: tmp
         emptyDir: {}
       - name: cilium-run
         hostPath:
           path: /var/run/cilium
           type: DirectoryOrCreate
+      - name: cilium-netns
+        hostPath:
+          path: /var/run/netns
+          type: DirectoryOrCreate
       - name: bpf-maps
         hostPath:
           path: /sys/fs/bpf
           type: DirectoryOrCreate
       - name: hostproc
         hostPath:
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,22 +20,22 @@

       maxSurge: 25%
       maxUnavailable: 50%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: dcd2856884e3b1d2f8ff4f5fe374266de1adb304d01a6aa52713e27ea1781a5e
+        cilium.io/cilium-configmap-checksum: 82e0f65410c3c2e3c8b55f13567c9780dd9197e41669e5fc1037b9685143566f
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.16.5@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039
+        image: quay.io/cilium/operator-generic:v1.16.6@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.16.5@sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00
+        image: quay.io/cilium/hubble-relay:v1.16.6@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

@@ -17,13 +17,13 @@

     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/hubble-ui-nginx-configmap-checksum: e8acee96ed990156efd0291c8c33709d2c7902d2ec993eefa16c7cd3d1a9d84b
+        cilium.io/hubble-ui-nginx-configmap-checksum: de069d2597e16e4de004ce684b15d74b2ab6051c717ae073d86199a76d91fcf1
       labels:
         k8s-app: hubble-ui
         app.kubernetes.io/name: hubble-ui
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:

[tyriis-automation]

🦙 MegaLinter status: ✅ SUCCESS

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
✅ EDITORCONFIG	editorconfig-checker	4		0	0.02s
✅ REPOSITORY	gitleaks	yes		no	4.2s
✅ YAML	prettier	4		0	0.64s
✅ YAML	yamllint	4		0	0.5s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security