fix(helm): update cilium ( 1.15.6 → 1.15.7 )

[drae-bot]

This PR contains the following updates:

Package	Update	Change
cilium (source)	patch	1.15.6 -> 1.15.7

---

Release Notes

cilium/cilium (cilium)

v1.15.7: 1.15.7

Compare Source

Summary of Changes

We are pleased to release Cilium v1.15.7, which makes the load balancer class of the Clustermesh API server configurable and includes stability and bug fixes. Thanks to all contributors, reviewers, testers, and users!

Minor Changes:

• helm: loadBalancerClass for Cluster Mesh APIserver (Backport PR #​33342, Upstream PR #​33033, @​PhilipSchmid)
• ui: v0.13.1 release (Backport PR #​33223, Upstream PR #​32852, @​geakstr)

Bugfixes:

• bgpv1: reorder neighbor creation and deletion steps (Backport PR #​33378, Upstream PR #​33262, @​harsimran-pabla)
• datapath: Fix redirect from from L3 netdev to tunnel (Backport PR #​33529, Upstream PR #​33421, @​brb)
• Datasource error fixed for Hubble DNS and Network dashboards (Backport PR #​33631, Upstream PR #​30580, @​Pionerd)
• egress-gateway: Validate ep identity before fetching labels (Backport PR #​33529, Upstream PR #​33311, @​pippolo84)
• envoy: Avoid short circuit backend filtering (Backport PR #​33533, Upstream PR #​33403, @​sayboras)
• Fix #​32587 concurrent hubble dynamic exporter stop and reload (Backport PR #​33098, Upstream PR #​33000, @​marqc)
• Fix hubble metrics leak by using CiliumEndpoint watcher to remove stale metrics. (Backport PR #​33529, Upstream PR #​33260, @​sgargan)
• Fix rare spurious double reconnection upon clustermesh configuration change for remote cluster (Backport PR #​33378, Upstream PR #​33248, @​giorio94)
• Fix too many open Unix sockets (Backport PR #​33631, Upstream PR #​33569, @​chaunceyjiang)
• gateway-api: Check for matching controller name (Backport PR #​33223, Upstream PR #​33050, @​sayboras)
• Generate SBOM from the correct release image (#​33052, @​ferozsalam)
• helm: Decouple sysctlfix from cgroup.autoMount (Backport PR #​33010, Upstream PR #​32866, @​YutaroHayakawa)
• ipsec: do not nil out EncryptInterface when using IPAM ENI on netlink… (Backport PR #​33631, Upstream PR #​33512, @​jasonaliyetti)
• IPv6 and IPv4 '0.0.0.0/0' CIDR parsing in policy processing has been fixed (Backport PR #​33529, Upstream PR #​33448, @​jrajahalme)
• Recreate CT entries for non-TCP to fix L7 proxy redirect failures. (Backport PR #​33378, Upstream PR #​33222, @​ysksuzuki)
• Report the correct drop reason when a packet is dropped by the bpf_lxc program. (Backport PR #​33631, Upstream PR #​33551, @​julianwiedmann)
• Revert PR #​32244 which caused unintended side-effects that negatively impacted network performance. (Backport PR #​33378, Upstream PR #​33304, @​learnitall)
• socketlb: tolerate cgroupv1 when detaching bpf programs (Backport PR #​33631, Upstream PR #​33599, @​rgo3)
• Update IPsec to handle larger PSK values when using per-tunnel PSK (Backport PR #​33631, Upstream PR #​33472, @​jasonaliyetti)
• When the Bandwidth Manager feature is enabled, don't apply Egress rate-limiting to "Port unreachable" ICMP replies by Cilium's North-South Loadbalancer. (Backport PR #​33631, Upstream PR #​33624, @​julianwiedmann)

CI Changes:

• [v1.15] Disable release SBOM asset uploads (#​33072, @​ferozsalam)
• Bump CLI to v0.16.11 (Backport PR #​33529, Upstream PR #​33444, @​brb)
• ci: Add IPsec leak detection for ci-ipsec-e2e (Backport PR #​33047, Upstream PR #​32930, @​jschwinger233)
• ci: l4lb: Don't hang on gathering logs forever (Backport PR #​33010, Upstream PR #​32947, @​joestringer)
• gh: ipsec: clarify check for leaked proxy traffic during key rotation (Backport PR #​33631, Upstream PR #​33509, @​julianwiedmann)
• gha: Only retrieve IPv4 CIDR from docker network (Backport PR #​33110, Upstream PR #​33093, @​sayboras)
• workflows: e2e-upgrade: fix EXTRA parameters (Backport PR #​33223, Upstream PR #​33150, @​jibi)

Misc Changes:

• .github: add workflow for renovate to build base images (Backport PR #​33346, Upstream PR #​33326, @​aanm)
• .github: fix cloud workflows for renovate (Backport PR #​33321, Upstream PR #​33320, @​aanm)
• .github: fix worfklows used by renovate (Backport PR #​33317, Upstream PR #​33309, @​aanm)
• [v1.15] remove tracking of backports with MLH (#​33124, @​aanm)
• Add auto-merge for renovate for trusted dependencies (Backport PR #​33317, Upstream PR #​33287, @​aanm)
• bpf: ct: return actual error from CT lookup (Backport PR #​33378, Upstream PR #​33225, @​julianwiedmann)
• bpf: encap: fix ifindex in TO_OVERLAY trace notification (Backport PR #​33575, Upstream PR #​33083, @​julianwiedmann)
• bpf: lxc: fix ifindex in TO_ENDPOINT trace notification (Backport PR #​33575, Upstream PR #​33085, @​julianwiedmann)
• bpf: lxc: prefer SECLABEL_IPV4 over SECLABEL in ipv4_policy() (Backport PR #​33378, Upstream PR #​33181, @​julianwiedmann)
• build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /Documentation (Backport PR #​33378, Upstream PR #​33218, @​dependabot[bot])
• build-images-base: cancel github runs based on branch name (Backport PR #​33378, Upstream PR #​33353, @​aanm)
• build-images-base: push to branch if pull request ref doesn't exist (Backport PR #​33378, Upstream PR #​33368, @​aanm)
• build-images: fetch artifacts with specific pattern (Backport PR #​33378, Upstream PR #​33216, @​aanm)
• chore(deps): update all github action dependencies (v1.15) (#​33177, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​33338, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​33492, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​33175, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​33337, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​33571, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.16.11 (v1.15) (#​33650, @​cilium-renovate[bot])
• chore(deps): update cilium/scale-tests-action digest to 511e3d9 (v1.15) (#​33208, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.10 (v1.15) (#​32990, @​cilium-renovate[bot])
• chore(deps): update dependency eksctl-io/eksctl to v0.182.0 (v1.15) (#​32991, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.11 docker digest to 2eb85b8 (v1.15) (#​33174, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.11 docker digest to b405b62 (v1.15) (#​33336, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.12 docker digest to 488f80a (v1.15) (#​33660, @​cilium-renovate[bot])
• chore(deps): update docker/build-push-action action to v5.4.0 (v1.15) (#​33018, @​cilium-renovate[bot])
• chore(deps): update docker/build-push-action action to v6 (v1.15) (#​33198, @​cilium-renovate[bot])
• chore(deps): update go to v1.21.12 (v1.15) (#​33539, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.15) (patch) (#​33003, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.15) (patch) (#​33176, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.15) (patch) (#​33301, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.15) (patch) (#​33657, @​cilium-renovate[bot])
• daemon: Allow DNS transparent mode to be turned off with encryption (Backport PR #​33631, Upstream PR #​33420, @​gandro)
• docs: Improve note on kube-apiserver entity limitations (Backport PR #​33529, Upstream PR #​33382, @​gandro)
• docs: ipsec: mention dependency on transparent mode for DNS proxy (Backport PR #​33098, Upstream PR #​33062, @​julianwiedmann)
• Documentation: accept ORG and REPO (Backport PR #​33631, Upstream PR #​33514, @​aanm)
• examples: Fix subject selector in ingress policy (Backport PR #​33378, Upstream PR #​33292, @​joestringer)
• Fix renovate's concurrency group (Backport PR #​33559, Upstream PR #​33528, @​aanm)
• images: update cilium-{runtime,builder} (#​33714, @​aanm)
• Increase usability of Makefile.override (Backport PR #​33098, Upstream PR #​32660, @​learnitall)
• install/kubernetes: update nodeinit image to latest version (Backport PR #​33529, Upstream PR #​33427, @​marseel)
• ipcache: Fix orphaned ipcache entries when mixing Upsert and Inject (Backport PR #​33152, Upstream PR #​33120, @​squeed)
• LRP: Misc fix-ups (Backport PR #​33529, Upstream PR #​33442, @​aditighag)
• Miscellaneous fixes in the usage of Makefile.override and build modifiers (Backport PR #​33098, Upstream PR #​33129, @​giorio94)
• Miscellaneous improvements to clustermesh-related troubleshooting tools (Backport PR #​33378, Upstream PR #​32951, @​giorio94)
• Remove release scripts (Backport PR #​33010, Upstream PR #​32938, @​aanm)
• Renovate changes (Backport PR #​33559, Upstream PR #​33519, @​aanm)
• renovate: add auto-approve bot for renovate PRs (Backport PR #​33642, Upstream PR #​33604, @​aanm)

Other Changes:

• (v1.15) Add permissions to read generated SBOMs (#​33059, @​ferozsalam)
• [v1.15] bpf: ct: return actual error from CT lookup (fixup) (#​33484, @​julianwiedmann)
• [v1.15] gh/workflows: fix skipping of no-frag test in ipsec-e2e workflow (#​33671, @​julianwiedmann)
• Bump GoBGP to v3.27.0 (#​32993, @​YutaroHayakawa)
• envoy: Bump golang version to v1.22.5 (#​33555, @​sayboras)
• envoy: Update envoy 1.28.x to v1.28.5 (#​33483, @​sayboras)
• install: Update image digests for v1.15.6 (#​33015, @​qmonnet)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.7@​sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
quay.io/cilium/cilium:stable@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.7@​sha256:f8fc26060e0f0c131200b762667f91788a4499362fc72209ce30b4032e926c68
quay.io/cilium/clustermesh-apiserver:stable@sha256:f8fc26060e0f0c131200b762667f91788a4499362fc72209ce30b4032e926c68

docker-plugin

quay.io/cilium/docker-plugin:v1.15.7@​sha256:1091cd5586fd5bac23816a05f8828758442a134255e0f73f0ac384310395d304
quay.io/cilium/docker-plugin:stable@sha256:1091cd5586fd5bac23816a05f8828758442a134255e0f73f0ac384310395d304

hubble-relay

quay.io/cilium/hubble-relay:v1.15.7@​sha256:12870e87ec6c105ca86885c4ee7c184ece6b706cc0f22f63d2a62a9a818fd68f
quay.io/cilium/hubble-relay:stable@sha256:12870e87ec6c105ca86885c4ee7c184ece6b706cc0f22f63d2a62a9a818fd68f

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.7@​sha256:2dcd7e3305cb47e4b5fbbb9bc2451d6aacb18788a87cab95cf86aec65ec19329
quay.io/cilium/operator-alibabacloud:stable@sha256:2dcd7e3305cb47e4b5fbbb9bc2451d6aacb18788a87cab95cf86aec65ec19329

operator-aws

quay.io/cilium/operator-aws:v1.15.7@​sha256:bb4085da666a5c7a7c6f8135f0de10f0b6895dbf561e9fccda0e272b51bb936e
quay.io/cilium/operator-aws:stable@sha256:bb4085da666a5c7a7c6f8135f0de10f0b6895dbf561e9fccda0e272b51bb936e

operator-azure

quay.io/cilium/operator-azure:v1.15.7@​sha256:8e189549bc3c31a44a1171cc970b8e502ae8bf55cd07035735c4b3a24a16f80b
quay.io/cilium/operator-azure:stable@sha256:8e189549bc3c31a44a1171cc970b8e502ae8bf55cd07035735c4b3a24a16f80b

operator-generic

quay.io/cilium/operator-generic:v1.15.7@​sha256:6840a6dde703b3e73dd31e03390327a9184fcb888efbad9d9d098d65b9035b54
quay.io/cilium/operator-generic:stable@sha256:6840a6dde703b3e73dd31e03390327a9184fcb888efbad9d9d098d65b9035b54

operator

quay.io/cilium/operator:v1.15.7@​sha256:9a599861adc64631c134f86c95823321b59948f35ebc5af31586987d74166341
quay.io/cilium/operator:stable@sha256:9a599861adc64631c134f86c95823321b59948f35ebc5af31586987d74166341

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[drae-bot]

--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -27,13 +27,13 @@

     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def
+        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -173,13 +173,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def
+        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -197,14 +197,44 @@

         - name: KUBERNETES_SERVICE_PORT
           value: '6443'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
+      - name: apply-sysctl-overwrites
+        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: BIN_PATH
+          value: /opt/cni/bin
+        command:
+        - sh
+        - -ec
+        - |
+          cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
+          nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
+          rm /hostbin/cilium-sysctlfix
+        volumeMounts:
+        - name: hostproc
+          mountPath: /hostproc
+        - name: cni-path
+          mountPath: /hostbin
+        terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          seLinuxOptions:
+            level: s0
+            type: spc_t
+          capabilities:
+            add:
+            - SYS_ADMIN
+            - SYS_CHROOT
+            - SYS_PTRACE
+            drop:
+            - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def
+        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -214,13 +244,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def
+        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -262,13 +292,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.15.6@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def
+        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
@@ -310,12 +340,16 @@

           path: /var/run/cilium
           type: DirectoryOrCreate
       - name: bpf-maps
         hostPath:
           path: /sys/fs/bpf
           type: DirectoryOrCreate
+      - name: hostproc
+        hostPath:
+          path: /proc
+          type: Directory
       - name: cilium-cgroup
         hostPath:
           path: /sys/fs/cgroup
           type: DirectoryOrCreate
       - name: cni-path
         hostPath:
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -31,13 +31,13 @@

         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.15.6@sha256:5789f0935eef96ad571e4f5565a8800d3a8fbb05265cf6909300cd82fd513c3d
+        image: quay.io/cilium/operator-generic:v1.15.7@sha256:6840a6dde703b3e73dd31e03390327a9184fcb888efbad9d9d098d65b9035b54
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.15.6@sha256:a0863dd70d081b273b87b9b7ce7e2d3f99171c2f5e202cd57bc6691e51283e0c
+        image: quay.io/cilium/hubble-relay:v1.15.7@sha256:12870e87ec6c105ca86885c4ee7c184ece6b706cc0f22f63d2a62a9a818fd68f
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

@@ -33,13 +33,13 @@

       priorityClassName: null
       serviceAccount: hubble-ui
       serviceAccountName: hubble-ui
       automountServiceAccountToken: true
       containers:
       - name: frontend
-        image: quay.io/cilium/hubble-ui:v0.13.0@sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666
+        image: quay.io/cilium/hubble-ui:v0.13.1@sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
           containerPort: 8081
         livenessProbe:
           httpGet:
@@ -54,13 +54,13 @@

           mountPath: /etc/nginx/conf.d/default.conf
           subPath: nginx.conf
         - name: tmp-dir
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: backend
-        image: quay.io/cilium/hubble-ui-backend:v0.13.0@sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803
+        image: quay.io/cilium/hubble-ui-backend:v0.13.1@sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b
         imagePullPolicy: IfNotPresent
         env:
         - name: EVENTS_SERVER_PORT
           value: '8090'
         - name: FLOWS_API_ADDR
           value: hubble-relay:80

[drae-bot]

--- kubernetes/darkstar/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/darkstar/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -14,13 +14,13 @@

       chart: cilium
       interval: 30m
       sourceRef:
         kind: HelmRepository
         name: cilium-charts
         namespace: flux-system
-      version: 1.15.6
+      version: 1.15.7
   install:
     createNamespace: true
     remediation:
       retries: 3
   interval: 30m
   upgrade:

[drae-bot]

🦙 MegaLinter status: ❌ ERROR

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
❌ ANSIBLE	ansible-lint	yes		88	13.65s
✅ COPYPASTE	jscpd	yes		no	1.22s
✅ REPOSITORY	git_diff	yes		no	0.02s
✅ REPOSITORY	secretlint	yes		no	1.59s
✅ YAML	prettier	2		0	0.39s
✅ YAML	yamllint	2		0	0.22s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by