⬆️ Update cilium ( 1.16.3 → 1.16.4 )

[feisar-bot]

This PR contains the following updates:

Package	Type	Update	Change
cilium (source)	HelmChart	patch	1.16.3 -> 1.16.4
cilium (source)		patch	1.16.3 -> 1.16.4

---

Release Notes

cilium/cilium (cilium)

v1.16.4: 1.16.4

Compare Source

Summary of Changes

Minor Changes:

• Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR #​35908, Upstream PR #​35809, @​jrajahalme)
• clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR #​35543, Upstream PR #​35349, @​giorio94)
• helm: Lower default hubble.tls.auto.certValidityDuration to 365 days (Backport PR #​35781, Upstream PR #​35630, @​chancez)
• helm: New socketLB.tracing flag (Backport PR #​35781, Upstream PR #​35747, @​pchaigno)
• hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR #​35781, Upstream PR #​35632, @​chancez)
• netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport PR #​35543, Upstream PR #​35306, @​jrife)

Bugfixes:

• Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR #​35468, Upstream PR #​35179, @​wedaly)
• bgpv1: fix reconciliation of services with shared VIPs (Backport PR #​35468, Upstream PR #​35333, @​rastislavs)
• bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR #​35863, Upstream PR #​35690, @​YutaroHayakawa)
• bgpv2: set local peering address when specified (Backport PR #​35781, Upstream PR #​35552, @​harsimran-pabla)
• Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport PR #​35603, Upstream PR #​35150, @​jrajahalme)
• Cilium's DNS proxy no longer gets stuck for a specific five-tuple if an timeout waiting for response error is encountered. (Backport PR #​35781, Upstream PR #​35589, @​bimmlerd)
• config: Remove superfluous warning on native routing CIDR (Backport PR #​35781, Upstream PR #​35738, @​gandro)
• Fix missing flowlabel hash on SRv6 traffic. (Backport PR #​35781, Upstream PR #​35498, @​akaliwod)
• Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR #​35543, Upstream PR #​35173, @​smagnani96)
• Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport PR #​35781, Upstream PR #​35673, @​giorio94)
• Fix redirect from L3 device to remote endpoint via overlay network. (Backport PR #​35468, Upstream PR #​35165, @​julianwiedmann)
• Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR #​35908, Upstream PR #​35694, @​julianwiedmann)
• Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport PR #​35781, Upstream PR #​35599, @​squeed)
• Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport PR #​35543, Upstream PR #​35293, @​squeed)
• Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport PR #​35906, Upstream PR #​35890, @​squeed)
• Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (#​35611, @​pippolo84)
• helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport PR #​35319, Upstream PR #​35301, @​hox)
• helm: fix duplicate configmap key for bpf-lb-sock-terminate-pod-connections (Backport PR #​35781, Upstream PR #​35703, @​solidDoWant)
• helm: set automountServiceAccountToken to false for hubble-relay sa (Backport PR #​35781, Upstream PR #​35674, @​ayuspin)
• hubble: fix endpoint cluster name (Backport PR #​35781, Upstream PR #​35415, @​kaworu)
• hubble: Lock exporters while gathering metrics (Backport PR #​35908, Upstream PR #​35860, @​joestringer)
• Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for them. (Backport PR #​35781, Upstream PR #​35143, @​jrajahalme)
• ipam: Validate CiliumNode resource in ENI mode (Backport PR #​35792, Upstream PR #​35784, @​sayboras)
• l7lb: fix registration of flag loadbalancer-l7 (Backport PR #​35781, Upstream PR #​35623, @​mhofstetter)
• Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport PR #​35319, Upstream PR #​35069, @​chancez)
• option: Reduce log level for WG strict mode + IPv6 (Backport PR #​35908, Upstream PR #​35763, @​pchaigno)
• Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (Backport PR #​35468, Upstream PR #​35381, @​jrajahalme)
• treewide: Add wrapper for netlink functions that may fail with ErrDumpInterrupted (Backport PR #​35654, Upstream PR #​35614, @​gandro)
• wireguard: Fix connectivity issues following node reboots. (Backport PR #​35908, Upstream PR #​35750, @​jrife)

CI Changes:

• .github/conformance-ginkgo: replace deprecated jq flag (Backport PR #​35468, Upstream PR #​35399, @​aanm)
• .github: extend timeout for tests-ipsec-upgrade workflow (Backport PR #​35781, Upstream PR #​35657, @​rastislavs)
• .github: remove libncurses5 from integration tests (Backport PR #​35468, Upstream PR #​35408, @​aanm)
• [v1.16] gh: e2e-upgrade: restart LRP backend pod after upgrade (#​35329, @​ysksuzuki)
• [v1.16] github: update rhel8 LVH image to rhel8.6 (#​35733, @​julianwiedmann)
• Additionally test KVStore mode in E2E/IPSec workflows (Backport PR #​35905, Upstream PR #​35679, @​giorio94)
• ci: conformance-kind: re-enable flaky Aggregator test (Backport PR #​35582, Upstream PR #​35286, @​julianwiedmann)
• ci: datapath-verifier: bump lvh images (Backport PR #​35648, Upstream PR #​35456, @​julianwiedmann)
• gha: Update chmod command (Backport PR #​35468, Upstream PR #​35400, @​sayboras)
• github: Pass the workflow step timeout to go test (Backport PR #​35908, Upstream PR #​35814, @​jrajahalme)
• Refactor and set a default for GH_RUNNER_EXTRA_POWER (Backport PR #​35319, Upstream PR #​35267, @​aanm)
• workflows/gateway-api: Cover IPsec with GatewayAPI (Backport PR #​35908, Upstream PR #​35584, @​pchaigno)
• workflows/ingress: Run basic checks (Backport PR #​35908, Upstream PR #​35683, @​pchaigno)
• workflows/ipsec: Cover Ingress (Backport PR #​35908, Upstream PR #​35476, @​pchaigno)
• workflows: Extend IPsec tests to cover egress gateway (Backport PR #​35540, Upstream PR #​35323, @​pchaigno)

Misc Changes:

• .github/build-images-base: checkout base branch to get scripts (Backport PR #​35319, Upstream PR #​35236, @​aanm)
• .github: remove retention days for image digests (Backport PR #​35468, Upstream PR #​35457, @​aanm)
• bpf: vxlan helper improvements (Backport PR #​35543, Upstream PR #​34755, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.16) (#​35382, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35439, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35573, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35710, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35438, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.16) (#​35730, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.8 docker digest to b274ff1 (v1.16) (#​35379, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.9 (v1.16) (#​35854, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729635771-fa4efeff33a344a45e14a4068c61dc438b3d2270 (v1.16) (#​35491, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​35731, @​cilium-renovate[bot])
• cilium, docs: Extend requirements for L7 proxy (Backport PR #​35781, Upstream PR #​35669, @​borkmann)
• cilium: add probe for netkit for more user friendly error when not supported (Backport PR #​35781, Upstream PR #​35551, @​borkmann)
• ctrl-runtime: lower severity of retryable reconcile errors (Backport PR #​35592, Upstream PR #​35364, @​giorio94)
• daemon: Reduce level of socket LB tracing warning (Backport PR #​35908, Upstream PR #​35798, @​pchaigno)
• datapath: move policy map value prefix length to flags (Backport PR #​35603, Upstream PR #​35534, @​jrajahalme)
• dnsproxy: fix error when sessionUDPFactory fails (Backport PR #​35543, Upstream PR #​33998, @​marseel)
• docs/ipsec: Remove KPR limitation (Backport PR #​35908, Upstream PR #​35743, @​pchaigno)
• docs/xfrm: Fix incorrect statement regarding XFRM IN policies (Backport PR #​35781, Upstream PR #​35626, @​pchaigno)
• docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (Backport PR #​35319, Upstream PR #​35288, @​oneumyvakin)
• docs: clean up stale kernel requirements (Backport PR #​35582, Upstream PR #​35575, @​julianwiedmann)
• docs: Fix incorrect link to RFC 4271 for BGP control plane timers. (Backport PR #​35781, Upstream PR #​35725, @​nvibert)
• docs: kpr: update error message regarding SocketLB tracing (Backport PR #​35468, Upstream PR #​35337, @​julianwiedmann)
• docs: tuning: XDP LB also supports tunnel routing (Backport PR #​35582, Upstream PR #​35574, @​julianwiedmann)
• docs: update 1.16 upgrade note for LRP (#​35944, @​ysksuzuki)
• docs: update default identity label filters (Backport PR #​35468, Upstream PR #​35422, @​marseel)
• docs: XFRM reference guide for IPsec development (Backport PR #​35582, Upstream PR #​35322, @​pchaigno)
• Envoy simplify listener setup (Backport PR #​35764, Upstream PR #​35642, @​jrajahalme)
• envoy: Configure internal_address_config to avoid warning log (Backport PR #​35471, Upstream PR #​35090, @​sayboras)
• envoy: Limit started serving logging to the typeURL of the stream (Backport PR #​35781, Upstream PR #​35736, @​jrajahalme)
• Fix wrongly spelled config option in error message (Backport PR #​35543, Upstream PR #​35390, @​baurmatt)
• helm: clarify text for serviceNoBackendResponse (Backport PR #​35908, Upstream PR #​35734, @​julianwiedmann)
• hubble: Add 'release' Make target (Backport PR #​35781, Upstream PR #​35561, @​michi-covalent)
• image: Use cilium-builder instead of golang as operator builder image (Backport PR #​35781, Upstream PR #​35351, @​learnitall)
• iptables: always warn about missing xt_socket module (Backport PR #​35781, Upstream PR #​35591, @​julianwiedmann)
• makefile: add target to install Cilium in kvstore mode (Backport PR #​35905, Upstream PR #​35646, @​giorio94)
• proxy: Ensure proxy ports are written on shutdown (Backport PR #​35908, Upstream PR #​35839, @​jrajahalme)
• Silence spurious clustermesh-related warnings (Backport PR #​35850, Upstream PR #​35867, @​giorio94)

Other Changes:

• [v1.16] envoy: Add configuration for OverloadManager (#​35787, @​sayboras)
• [v1.16] envoy: Bump envoy version from 1.29.x to 1.30.x (#​35563, @​sayboras)
• [v1.16] policy/correlation: Fix PolicyMatch{L3Proto,L4Only} case (#​35681, @​gandro)
• chore(deps): update cilium-envoy dependency (#​35920, @​sayboras)
• install: Update image digests for v1.16.3 (#​35361, @​cilium-release-bot[bot])
• Policy add deny rule test and benchmark (#​35714, @​jrajahalme)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.4@​sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
quay.io/cilium/cilium:stable@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.4@​sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2
quay.io/cilium/clustermesh-apiserver:stable@sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2

docker-plugin

quay.io/cilium/docker-plugin:v1.16.4@​sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e
quay.io/cilium/docker-plugin:stable@sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e

hubble-relay

quay.io/cilium/hubble-relay:v1.16.4@​sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
quay.io/cilium/hubble-relay:stable@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.4@​sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686
quay.io/cilium/operator-alibabacloud:stable@sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686

operator-aws

quay.io/cilium/operator-aws:v1.16.4@​sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be
quay.io/cilium/operator-aws:stable@sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be

operator-azure

quay.io/cilium/operator-azure:v1.16.4@​sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de
quay.io/cilium/operator-azure:stable@sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de

operator-generic

quay.io/cilium/operator-generic:v1.16.4@​sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
quay.io/cilium/operator-generic:stable@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5

operator

quay.io/cilium/operator:v1.16.4@​sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff
quay.io/cilium/operator:stable@sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[feisar-bot]

--- HelmRelease: kube-system/cilium ServiceAccount: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium ServiceAccount: kube-system/hubble-relay

@@ -1,7 +1,8 @@

 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: hubble-relay
   namespace: kube-system
+automountServiceAccountToken: false
 
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -125,12 +125,13 @@

   mesh-auth-queue-size: '1024'
   mesh-auth-rotated-identities-queue-size: '1024'
   mesh-auth-gc-interval: 5m0s
   proxy-xff-num-trusted-hops-ingress: '0'
   proxy-xff-num-trusted-hops-egress: '0'
   proxy-connect-timeout: '2'
+  proxy-initial-fetch-timeout: '30'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
   proxy-idle-timeout-seconds: '60'
   external-envoy-proxy: 'true'
   envoy-base-id: '0'
   envoy-keep-cap-netbindservice: 'false'
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config

@@ -262,12 +262,13 @@

             }
           }
         ]
       },
       "dynamicResources": {
         "ldsConfig": {
+          "initialFetchTimeout": "30s",
           "apiConfigSource": {
             "apiType": "GRPC",
             "transportApiVersion": "V3",
             "grpcServices": [
               {
                 "envoyGrpc": {
@@ -277,12 +278,13 @@

             ],
             "setNodeOnFirstMessageOnly": true
           },
           "resourceApiVersion": "V3"
         },
         "cdsConfig": {
+          "initialFetchTimeout": "30s",
           "apiConfigSource": {
             "apiType": "GRPC",
             "transportApiVersion": "V3",
             "grpcServices": [
               {
                 "envoyGrpc": {
@@ -300,20 +302,19 @@

           "name": "envoy.bootstrap.internal_listener",
           "typed_config": {
             "@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"
           }
         }
       ],
-      "layeredRuntime": {
-        "layers": [
-          {
-            "name": "static_layer_0",
-            "staticLayer": {
-              "overload": {
-                "global_downstream_max_connections": 50000
-              }
+      "overload_manager": {
+        "resource_monitors": [
+          {
+            "name": "envoy.resource_monitors.global_downstream_max_connections",
+            "typed_config": {
+              "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig",
+              "max_active_downstream_connections": "50000"
             }
           }
         ]
       },
       "admin": {
         "address": {
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,24 +16,24 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 09c6d1307204f78b12086769995d24eb472488f3d526ed5a4e9d9f2ac4807db9
+        cilium.io/cilium-configmap-checksum: ece0692cd91a514e51bda8396bf0fab7e7c5fc58e587aaba799b23ed8ac1a4f4
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -188,13 +188,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -213,13 +213,13 @@

           value: '7445'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -243,13 +243,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -259,13 +259,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -307,13 +307,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+        image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

@@ -28,13 +28,13 @@

     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-envoy
-        image: quay.io/cilium/cilium-envoy:v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd@sha256:42614a44e508f70d03a04470df5f61e3cffd22462471a0be0544cf116f2c50ba
+        image: quay.io/cilium/cilium-envoy:v1.30.7-1731393961-97edc2815e2c6a174d3d12e71731d54f5d32ea16@sha256:0287b36f70cfbdf54f894160082f4f94d1ee1fb10389f3a95baa6c8e448586ed
         imagePullPolicy: IfNotPresent
         command:
         - /usr/bin/cilium-envoy-starter
         args:
         - --
         - -c /var/run/cilium/envoy/bootstrap-config.json
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,24 +20,24 @@

       maxSurge: 25%
       maxUnavailable: 50%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 09c6d1307204f78b12086769995d24eb472488f3d526ed5a4e9d9f2ac4807db9
+        cilium.io/cilium-configmap-checksum: ece0692cd91a514e51bda8396bf0fab7e7c5fc58e587aaba799b23ed8ac1a4f4
         prometheus.io/port: '9963'
         prometheus.io/scrape: 'true'
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.16.3@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
+        image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.16.3@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089
+        image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:

[feisar-bot]

--- kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
-      version: 1.16.3
+      version: 1.16.4
   install:
     createNamespace: true
     remediation:
       retries: 3
   interval: 30m
   maxHistory: 2