projectsyn · simu · Nov 25, 2025 · Nov 20, 2025
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -144,10 +144,10 @@ parameters:
     charts:
       cilium:
         source: https://helm.cilium.io
-        version: "1.16.4"
+        version: "1.17.10"
       cilium-enterprise:
         source: "<CILIUM-ENTERPRISE-CHART-REPO-URL>" # Configure the Chart repository URL in your global defaults
-        version: "1.16.4"
+        version: "1.17.9"
 
     images:
       oc:

diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -1,4 +1,4 @@
-:helm-minor-version: v1.16
+:current-minor-version: v1.17
 
 = Parameters
 
@@ -191,7 +191,7 @@ type:: object
 default:: https://github.com/projectsyn/component-cilium/blob/master/class/defaults.yml[See `class/defaults.yml`]
 
 The configuration values of the underlying Cilium helm chart.
-See https://docs.cilium.io/en/{helm-minor-version}/helm-reference/[Opensource Cilium documentation] for supported values.
+See https://docs.cilium.io/en/{current-minor-version}/helm-reference/[Opensource Cilium documentation] for supported values.
 
 The component will pre-process certain Helm values to allow users to more gracefully upgrade to newer Cilium versions which remove deprecated Helm values.
 
@@ -268,7 +268,7 @@ l7Proxy: false
 ----
 
 Notably, the L7 proxy feature is disabled by default when egress gateway policies are enabled.
-This is recommended by the Cilium documentation, see also https://docs.cilium.io/en/{helm-minor-version}/network/egress-gateway/#incompatibility-with-other-features[the upstream documentation].
+This is recommended by the Cilium documentation, see also https://docs.cilium.io/en/{current-minor-version}/network/egress-gateway/#incompatibility-with-other-features[the upstream documentation].
 
 Additionally, BPF masquerading can't be disabled when the egress gateway feature is enabled.
 
@@ -441,7 +441,7 @@ The component's support for configuring BGP egress IPs through `egress_ip_ranges
 Announcing egress IPs via BGP is only supported in Isovalent Networking for Kubernetes.
 
 When the field is provided, and not an empty object, the component adds the contents as entries in `metadata.labels` of the resulting policies.
-In this case, the component configures the egress policies with https://docs.isovalent.com/v1.16/configuration-guide/networking/egress-gateway/introduction.html#requirements-for-egress-ip-and-ipam-feature[Cilium's Egress Gateawy IPAM] and `maxGatewayNodes: 1` in the `spec.egressGroups` entry.
+In this case, the component configures the egress policies with https://docs.isovalent.com/{current-minor-version}/configuration-guide/networking/egress-gateway/introduction.html#requirements-for-egress-ip-and-ipam-feature[Cilium's Egress Gateawy IPAM] and `maxGatewayNodes: 1` in the `spec.egressGroups` entry.
 
 Please note that policies which use EGW IPAM will ignore static routes on the active gateway node (as of Cilium 1.16.16 and Cilium 1.17.9).
 
@@ -767,7 +767,7 @@ default:: `false`
 
 Whether to enable the BGP control plane feature in Cilium.
 
-See the https://docs.cilium.io/en/{helm-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/[upstream BGP control plane documentation] for details on the architecture and the individual custom resources mentioned in this section.
+See the https://docs.cilium.io/en/{current-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/[upstream BGP control plane documentation] for details on the architecture and the individual custom resources mentioned in this section.
 
 === `bgp.enterprise`
 
@@ -816,7 +816,7 @@ Field `spec` is merged over the partial object generated from fields `nodeSelect
 
 The component validates that `CiliumBGPClusterConfig` resources only reference `CiliumBGPPeerConfig` resources which are defined in parameter `bgp.peer_configs`.
 
-See the https://docs.cilium.io/en/{helm-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#bgp-cluster-configuration[upstream documentation] for all available configuration options.
+See the https://docs.cilium.io/en/{current-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#bgp-cluster-configuration[upstream documentation] for all available configuration options.
 
 
 ==== Example
@@ -898,7 +898,7 @@ Field `spec` is merged over the partial object created from field `families`.
 
 The component validates that `CiliumBGPPeerConfig` resources only reference BGP auth secret `Secret` resources which are defined in parameter `bgp.auth_secrets`.
 
-See the https://docs.cilium.io/en/{helm-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#bgp-peer-configuration[upstream documentation] for details.
+See the https://docs.cilium.io/en/{current-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#bgp-peer-configuration[upstream documentation] for details.
 
 ==== Example
 
@@ -962,7 +962,7 @@ The namespace can be changed by setting Helm value `bgpControlPlane.secretsNames
 
 The component sets `metadata.namespace` to the configured `bgpControlPlane.secretsNamspace.name` for secrets defined through this parameter.
 
-See the https://docs.cilium.io/en/v1.16/network/bgp-control-plane/bgp-control-plane-v2/#md5-password[upstream documentation] for details.
+See the https://docs.cilium.io/en/{current-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#md5-password[upstream documentation] for details.
 
 === `bgp.node_config_overrides`
 
@@ -978,7 +978,7 @@ The component creates one `CiliumBGPNodeConfigOverride` for each entry in this p
 The key is used as `metadata.name` of the resulting object.
 The component expects that each value in this parameter is a valid partial `CiliumBGPNodeConfigOverride` resource and doesn't apply any processing.
 
-See the https://docs.cilium.io/en/v1.16/network/bgp-control-plane/bgp-control-plane-v2/#bgp-configuration-override[upstream documentation] for details.
+See the https://docs.cilium.io/en/{current-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#bgp-configuration-override[upstream documentation] for details.
 
 NOTE: The resource name must match the Kubernetes node name of the node for which the configuration is intended.
 
@@ -997,7 +997,7 @@ The component supports fields `metadata` and `advertisements` for each entry of
 Field `metadata` is added to the resulting resource as is.
 Field `advertisements` is expected to be an object, and the values of the object are used for field `spec.advertisements` in the resulting resource without further processing.
 
-See the https://docs.cilium.io/en/v1.16/network/bgp-control-plane/bgp-control-plane-v2/#bgp-advertisements[upstream documentation] for details.
+See the https://docs.cilium.io/en/{current-minor-version}/network/bgp-control-plane/bgp-control-plane-v2/#bgp-advertisements[upstream documentation] for details.
 
 NOTE: The resource name must match the Kubernetes node name of the node for which the configuration is intended.
 

diff --git a/...trol-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml b/...trol-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml
@@ -54,7 +54,7 @@ spec:
                 resourceFieldRef:
                   divisor: '1'
                   resource: limits.memory
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           lifecycle:
             postStart:
@@ -93,6 +93,8 @@ spec:
               httpHeaders:
                 - name: brief
                   value: 'true'
+                - name: require-k8s-connectivity
+                  value: 'false'
               path: /healthz
               port: 9879
               scheme: HTTP
@@ -109,14 +111,6 @@ spec:
               hostPort: 9962
               name: prometheus
               protocol: TCP
-            - containerPort: 9964
-              hostPort: 9964
-              name: envoy-metrics
-              protocol: TCP
-            - containerPort: 9901
-              hostPort: 9901
-              name: envoy-admin
-              protocol: TCP
             - containerPort: 9965
               hostPort: 9965
               name: hubble-metrics
@@ -169,6 +163,9 @@ spec:
             successThreshold: 1
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
+            - mountPath: /var/run/cilium/envoy/sockets
+              name: envoy-sockets
+              readOnly: false
             - mountPath: /host/proc/sys/net
               name: host-proc-sys-net
             - mountPath: /host/proc/sys/kernel
@@ -178,6 +175,9 @@ spec:
               name: bpf-maps
             - mountPath: /var/run/cilium
               name: cilium-run
+            - mountPath: /var/run/cilium/netns
+              mountPropagation: HostToContainer
+              name: cilium-netns
             - mountPath: /host/etc/cni/net.d
               name: etc-cni-netd
             - mountPath: /var/lib/cilium/clustermesh
@@ -206,7 +206,7 @@ spec:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: metadata.namespace
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           name: config
           terminationMessagePolicy: FallbackToLogsOnError
@@ -225,7 +225,7 @@ spec:
               value: /run/cilium/cgroupv2
             - name: BIN_PATH
               value: /var/lib/cni/bin
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           name: mount-cgroup
           securityContext:
@@ -255,7 +255,7 @@ spec:
           env:
             - name: BIN_PATH
               value: /var/lib/cni/bin
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           name: apply-sysctl-overwrites
           securityContext:
@@ -281,7 +281,7 @@ spec:
             - /bin/bash
             - -c
             - --
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           name: mount-bpf-fs
           securityContext:
@@ -312,7 +312,7 @@ spec:
                   key: write-cni-conf-when-ready
                   name: cilium-config
                   optional: true
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           name: clean-cilium-state
           securityContext:
@@ -338,7 +338,7 @@ spec:
               name: cilium-run
         - command:
             - /install-plugin.sh
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
           imagePullPolicy: IfNotPresent
           name: install-cni-binaries
           resources:
@@ -360,6 +360,9 @@ spec:
         kubernetes.io/os: linux
       priorityClassName: system-node-critical
       restartPolicy: Always
+      securityContext:
+        seccompProfile:
+          type: Unconfined
       serviceAccountName: cilium
       terminationGracePeriodSeconds: 1
       tolerations:
@@ -371,6 +374,10 @@ spec:
             path: /var/run/cilium
             type: DirectoryOrCreate
           name: cilium-run
+        - hostPath:
+            path: /var/run/netns
+            type: DirectoryOrCreate
+          name: cilium-netns
         - hostPath:
             path: /sys/fs/bpf
             type: DirectoryOrCreate
@@ -398,6 +405,10 @@ spec:
             path: /run/xtables.lock
             type: FileOrCreate
           name: xtables-lock
+        - hostPath:
+            path: /var/run/cilium/envoy/sockets
+            type: DirectoryOrCreate
+          name: envoy-sockets
         - name: clustermesh-secrets
           projected:
             defaultMode: 256

diff --git a/...p-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml b/...p-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml
@@ -31,3 +31,20 @@ rules:
       - get
       - list
       - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/...ol-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml b/...ol-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml
@@ -29,3 +29,19 @@ subjects:
   - kind: ServiceAccount
     name: cilium
     namespace: cilium
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-tlsinterception-secrets
+subjects:
+  - kind: ServiceAccount
+    name: cilium
+    namespace: cilium
diff --git a/...ontrol-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml b/...ontrol-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/service.yaml
@@ -14,10 +14,6 @@ spec:
       port: 9962
       protocol: TCP
       targetPort: prometheus
-    - name: envoy-metrics
-      port: 9964
-      protocol: TCP
-      targetPort: envoy-metrics
   selector:
     k8s-app: cilium
   type: ClusterIP
diff --git a/...plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml b/...plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml
@@ -21,6 +21,6 @@ spec:
       - cilium
   selector:
     matchLabels:
-      k8s-app: cilium
+      app.kubernetes.io/name: cilium-agent
   targetLabels:
     - k8s-app