diff --git a/.github/workflows/build-x86-image.yaml b/.github/workflows/build-x86-image.yaml
index d5d6eb0e81a..c1137618147 100644
--- a/.github/workflows/build-x86-image.yaml
+++ b/.github/workflows/build-x86-image.yaml
@@ -22,7 +22,7 @@ concurrency:
 env:
 GOSEC_VERSION: '2.15.0'
- HELM_VERSION: v3.10.3
+ HELM_VERSION: v3.11.1
 jobs:
 build-kube-ovn:
@@ -758,11 +758,13 @@ jobs:
 sudo cp -r /root/.kube/ ~/.kube/
 sudo chown -R $(id -un). ~/.kube/
- - name: Install Kube-OVN
- run: make kind-install
+ - name: Install Kube-OVN with Cilium chaining
+ run: make kind-install-cilium-chaining
 - name: Run E2E
 working-directory: ${{ env.E2E_DIR }}
+ env:
+ E2E_CILIUM_CHAINING: "true"
 run: make k8s-conformance-e2e
 - name: Cleanup
diff --git a/Makefile b/Makefile
index eebd8e405ec..96007dad34f 100644
--- a/Makefile
+++ b/Makefile
@@ -13,7 +13,7 @@ CONTROL_PLANE_TAINTS = node-role.kubernetes.io/master node-role.kubernetes.io/co
 MULTUS_IMAGE = ghcr.io/k8snetworkplumbingwg/multus-cni:stable
 MULTUS_YAML = https://raw.githubusercontent.com/k8snetworkplumbingwg/multus-cni/master/deployments/multus-daemonset.yml
-CILIUM_VERSION = 1.11.6
+CILIUM_VERSION = 1.12.7
 CILIUM_IMAGE_REPO = quay.io/cilium/cilium
 VPC_NAT_GW_IMG = $(REGISTRY)/vpc-nat-gateway:$(VERSION)
@@ -222,10 +222,6 @@ kind-init-ipv6:
 kind-init-dual:
 @ip_family=dual $(MAKE) kind-init
-.PHONY: kind-init-cilium
-kind-init-cilium:
- @kube_proxy_mode=iptables $(MAKE) kind-init
-
 .PHONY: kind-load-image
 kind-load-image:
 $(call kind_load_image,kube-ovn,$(REGISTRY)/kube-ovn:$(VERSION))
@@ -379,12 +375,12 @@ kind-install-multus:
 kubectl apply -f "$(MULTUS_YAML)"
 kubectl -n kube-system rollout status ds kube-multus-ds
-.PHONY: kind-install-cilium
-kind-install-cilium: kind-load-image kind-untaint-control-plane
+.PHONY: kind-install-cilium-chaining
+kind-install-cilium-chaining: kind-load-image kind-untaint-control-plane
 $(eval KUBERNETES_SERVICE_HOST = $(shell kubectl get nodes kube-ovn-control-plane -o jsonpath='{.status.addresses[0].address}'))
 $(call docker_ensure_image_exists,$(CILIUM_IMAGE_REPO):v$(CILIUM_VERSION))
 $(call kind_load_image,kube-ovn,$(CILIUM_IMAGE_REPO):v$(CILIUM_VERSION))
- kubectl apply -f yamls/chaining.yaml
+ kubectl apply -f yamls/cilium-chaining.yaml
 helm repo add cilium https://helm.cilium.io/
 helm install cilium cilium/cilium \
 --version $(CILIUM_VERSION) \
@@ -392,15 +388,15 @@ kind-install-cilium: kind-load-image kind-untaint-control-plane
 --set k8sServiceHost=$(KUBERNETES_SERVICE_HOST) \
 --set k8sServicePort=6443 \
 --set tunnel=disabled \
+ --set sessionAffinity=true \
 --set enableIPv4Masquerade=false \
- --set enableIdentityMark=false \
 --set cni.chainingMode=generic-veth \
 --set cni.customConf=true \
 --set cni.configMap=cni-configuration
 kubectl -n kube-system rollout status ds cilium --timeout 300s
- bash dist/images/cilium.sh
+ bash dist/images/install-cilium-cli.sh
 sed 's/VERSION=.*/VERSION=$(VERSION)/' dist/images/install.sh | \
- ENABLE_LB=false ENABLE_NP=false WITHOUT_KUBE_PROXY=true CNI_CONFIG_PRIORITY=10 bash
+ ENABLE_LB=false ENABLE_NP=false CNI_CONFIG_PRIORITY=10 bash
 kubectl describe no
 .PHONY: kind-reload
diff --git a/dist/images/.dockerignore b/dist/images/.dockerignore
index 8776c0ae406..fe9cfd20f2f 100644
--- a/dist/images/.dockerignore
+++ b/dist/images/.dockerignore
@@ -1,5 +1,6 @@
 install.sh
 install-pre-1.16.sh
+install-cilium-cli.sh
 ovn-ic-db-docker.sh
 generate-ssl-docker.sh
 cleanup.sh
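Review bot: In the Makefile hunk at `@@ -392,15 +388,15 @@`, the new `bash dist/images/install-cilium-cli.sh` line runs on every `kind-install-cilium-chaining` invocation, and that script downloads a release archive and unpacks it into /usr/local/bin with sudo. Nothing later in the visible recipe calls `cilium`, so it is not clear from this hunk that the step belongs here; if the CLI is only consumed by the e2e run, a guard such as `command -v cilium >/dev/null || bash dist/images/install-cilium-cli.sh` avoids a repeated privileged install. A one-line comment above that recipe line should name what consumes the CLI. The recipe begins in the preceding hunk, so only its tail is reviewed here.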
diff --git a/dist/images/install-cilium-cli.sh b/dist/images/install-cilium-cli.sh
new file mode 100644
index 00000000000..b09090fd36b
--- /dev/null
+++ b/dist/images/install-cilium-cli.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -e
+
+CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
+CILIUM_CLI_ARCH=amd64
+if [ "$(uname -m)" = "aarch64" ]; then
+ CILIUM_CLI_ARCH=arm64
+fi
+
+curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CILIUM_CLI_ARCH}.tar.gz{,.sha256sum}
+if command -v sha256sum >/dev/null; then
+ sha256sum --check cilium-linux-${CILIUM_CLI_ARCH}.tar.gz.sha256sum
+fi
+sudo tar xzvfC cilium-linux-${CILIUM_CLI_ARCH}.tar.gz /usr/local/bin
+rm cilium-linux-${CILIUM_CLI_ARCH}.tar.gz{,.sha256sum}
diff --git a/yamls/cilium-chaining.yaml b/yamls/cilium-chaining.yaml
new file mode 100644
index 00000000000..402ef19e4c9
--- /dev/null
+++ b/yamls/cilium-chaining.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cni-configuration
+ namespace: kube-system
+data:
+ cni-config: |-
+ {
+ "name": "generic-veth",
+ "cniVersion": "0.3.1",
+ "plugins": [
+ {
+ "type": "kube-ovn",
+ "log_level": "info",
+ "datastore_type": "kubernetes",
+ "mtu": 1400,
+ "server_socket": "/run/openvswitch/kube-ovn-daemon.sock",
+ "ipam": {
+ "type": "kube-ovn",
+ "server_socket": "/run/openvswitch/kube-ovn-daemon.sock"
+ }
+ },
+ {
+ "type": "portmap",
+ "snat": true,
+ "capabilities": {"portMappings": true}
+ },
+ {
+ "type": "cilium-cni"
+ }
+ ]
+ }
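Review bot: dist/images/install-cilium-cli.sh installs whatever release `stable.txt` on the `master` branch names at run time, and it silently skips the checksum step when `sha256sum` is absent, so the archive that `sudo tar` unpacks into /usr/local/bin can be both unpinned and unverified. The first `curl -s` also lacks `--fail`, so an HTTP error body would be taken as the version string. Pin `CILIUM_CLI_VERSION` in the repository, make a missing `sha256sum` a hard error, and extract only the expected binary rather than every archive member. The `.sha256sum` file comes from the same release as the archive, so it catches corruption rather than a tampered release; a digest committed next to the pinned version would be stronger. The member name `cilium` in the fence is assumed from upstream packaging and should be confirmed.

```shell
# Pinned release, bumped in review (placeholder, not a real version).
CILIUM_CLI_VERSION="${CILIUM_CLI_VERSION:-<PINNED_CILIUM_CLI_VERSION>}"
# … unchanged: CILIUM_CLI_ARCH detection and the curl download of archive + .sha256sum …
if ! command -v sha256sum >/dev/null; then
  echo "sha256sum not found; refusing to install an unverified archive" >&2
  exit 1
fi
sha256sum --check cilium-linux-${CILIUM_CLI_ARCH}.tar.gz.sha256sum
# Unpack only the expected binary instead of every archive member.
sudo tar xzvfC cilium-linux-${CILIUM_CLI_ARCH}.tar.gz /usr/local/bin cilium
# … unchanged: rm of the downloaded files …
```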
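Review bot: In yamls/cilium-chaining.yaml the kube-ovn plugin entry carries `"log_level": "info"` and `"datastore_type": "kubernetes"`, which nothing else in this diff reads and which look carried over from another CNI plugin's chaining example. Confirm that the kube-ovn plugin consumes them; otherwise drop both lines so the config states only what takes effect. The hard-coded `"mtu": 1400` has no visible link to the MTU that the kube-ovn install configures, so the two could drift apart. The embedded JSON cannot hold comments, so a `#` comment above `cni-config:` naming where that value comes from would help.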