Skip to content

feat(helm): update chart cilium ( 1.17.6 → 1.19.1 )#350

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/cilium-1.x
Open

feat(helm): update chart cilium ( 1.17.6 → 1.19.1 )#350
renovate[bot] wants to merge 1 commit intomainfrom
renovate/cilium-1.x

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Aug 3, 2025
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Update Change
cilium (source) minor 1.17.61.19.1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

cilium/cilium (cilium)

v1.19.1

Compare Source

v1.19.0: 1.19.0

Compare Source

🎉 Release Announcement 🎉: We are excited to announce the Cilium 1.19.0 release!

A total of 2934 new commits have been contributed to this release by a growing community of over 1010 developers and over 23,600 GitHub stars! 🤩

⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the Upgrade Guide for more details.

The full changelog can be found here.

Here are some of the highlights:

To keep up to date with all the latest Cilium releases, join #release 🎉

🎂❤️❤️❤️🎂
This is a very special release for Cilium, as it celebrates 10 years since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today.
🎂❤️❤️❤️🎂

Docker Manifests
cilium

quay.io/cilium/cilium:v1.19.0@​sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.0@​sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49

docker-plugin

quay.io/cilium/docker-plugin:v1.19.0@​sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50

hubble-relay

quay.io/cilium/hubble-relay:v1.19.0@​sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.0@​sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0

operator-aws

quay.io/cilium/operator-aws:v1.19.0@​sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6

operator-azure

quay.io/cilium/operator-azure:v1.19.0@​sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a

operator-generic

quay.io/cilium/operator-generic:v1.19.0@​sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648

operator

quay.io/cilium/operator:v1.19.0@​sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65

v1.18.7: 1.18.7

Compare Source

Summary of Changes

Minor Changes:

  • Exclude topology.kubernetes.io labels from security labels by default (Backport PR #​43777, Upstream PR #​43725, @​moscicky)
  • hubble-relay: Add hubble.relay.logOptions.format and hubble.relay.logOptions.level Helm values to configure log format (text, text-ts, json, json-ts) and level (debug, info, warn, error) (Backport PR #​44004, Upstream PR #​43644, @​puwun)

Bugfixes:

  • Add permissions to the cilium-operator so that it can create EndpointSlices when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44034, Upstream PR #​43912, @​fgiloux)
  • bpf: Correct refinement of inner packet L4 checksum detection (Backport PR #​43923, Upstream PR #​43868, @​br4243)
  • bpf: Fix marker to skip nodeport when punting to proxy (Backport PR #​43886, Upstream PR #​43069, @​borkmann)
  • clustermesh: correctly phase out not ready/not service endpoints from global services (Backport PR #​44056, Upstream PR #​43807, @​MrFreezeex)
  • Fix a bug with local redirect service entries being created when backend pods weren't ready. (Backport PR #​43756, Upstream PR #​43095, @​aditighag)
  • Fix ICMP error packet handling by adding the missing checksum recalculation performed during RevNAT for SNATed load-balanced traffic. (Backport PR #​43861, Upstream PR #​43196, @​yushoyamaguchi)
  • Grant permissions to the cilium-operator so that it can reconcile ingresses when the when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44034, Upstream PR #​43949, @​giorio94)
  • helm: Fixed RBAC errors with operator.enabled=false by aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR #​44281, Upstream PR #​44159, @​puwun)
  • loadbalancer: Fix GetInstancesOfService to avoid removing an endpoint from Service A causes all requests to Service B to fail if the name of Service A is the prefix of Service B (Backport PR #​43777, Upstream PR #​43620, @​imroc)
  • Reduces rtnl_mutex contention on SR-IOV nodes by not requesting VF information in netlink RTM_GETLINK operations (Backport PR #​44281, Upstream PR #​43517, @​pasteley)

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests
cilium

quay.io/cilium/cilium:v1.18.7@​sha256:99b029a0a7c2224dac8c1cc3b6b3ba52af00e2ff981d927e84260ee781e9753c

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.7@​sha256:3d4512153afc5d8ceda3517f9b243619b55a67f9abaebcc92c4be2df94d43cfa

docker-plugin

quay.io/cilium/docker-plugin:v1.18.7@​sha256:e9f15016c7247dffeb2a9216cccc2ab6d36345a2504d34e319c6e9a7873bf3e9

hubble-relay

quay.io/cilium/hubble-relay:v1.18.7@​sha256:9bb9b2b1a4f4bef12a77738756cfbf970daa701e536e42f0a9c64a621bc7c9d5

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.7@​sha256:ca3f0dd26a4b447524dce51ee8ef82485a08187b840c21ce4a1398c02b5174a0

operator-aws

quay.io/cilium/operator-aws:v1.18.7@​sha256:fe56a6289afea7f6420f8de0218710ccaaa7af891df5fc180ddd33e6c7509b45

operator-azure

quay.io/cilium/operator-azure:v1.18.7@​sha256:5fb753344c84ab0989d525f789738c874f3fa8f07fbb5cfce06034d027c9728f

operator-generic

quay.io/cilium/operator-generic:v1.18.7@​sha256:244306c5e7c6b73dc7193424f46ed8a0530767b03f03baac80dd717a3a3f0ad7

operator

quay.io/cilium/operator:v1.18.7@​sha256:8aa2bb32df776b8e8f6cfb57ab3eaed5a451bc9f20f1d62a2393840fc072678f

v1.18.6: 1.18.6

Compare Source

Summary of Changes

Major Changes:

Minor Changes:

Bugfixes:

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.6@​sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4
quay.io/cilium/cilium:stable@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.6@​sha256:8ee142912a0e261850c0802d9256ddbe3729e1cd35c6bea2d93077f334c3cf3b
quay.io/cilium/clustermesh-apiserver:stable@sha256:8ee142912a0e261850c0802d9256ddbe3729e1cd35c6bea2d93077f334c3cf3b

docker-plugin

quay.io/cilium/docker-plugin:v1.18.6@​sha256:7931555ad713a48a28e4bf097402e0e398461dbf51b81cb8192558c5cb0dc48f
quay.io/cilium/docker-plugin:stable@sha256:7931555ad713a48a28e4bf097402e0e398461dbf51b81cb8192558c5cb0dc48f

hubble-relay

quay.io/cilium/hubble-relay:v1.18.6@​sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e
quay.io/cilium/hubble-relay:stable@sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.6@​sha256:212c4cbe27da3772bcb952b8f8cbaa0b0eef72488b52edf90ad2b32072a3ca4c
quay.io/cilium/operator-alibabacloud:stable@sha256:212c4cbe27da3772bcb952b8f8cbaa0b0eef72488b52edf90ad2b32072a3ca4c

operator-aws

quay.io/cilium/operator-aws:v1.18.6@​sha256:47dbc1a5bd483fec170dab7fb0bf2cca3585a4893675b0324d41d97bac8be5eb
quay.io/cilium/operator-aws:stable@sha256:47dbc1a5bd483fec170dab7fb0bf2cca3585a4893675b0324d41d97bac8be5eb

operator-azure

quay.io/cilium/operator-azure:v1.18.6@​sha256:a57aff47aeb32eccfedaa2a49d1af984d996d6d6de79609c232e0c4cf9ce97a1
quay.io/cilium/operator-azure:stable@sha256:a57aff47aeb32eccfedaa2a49d1af984d996d6d6de79609c232e0c4cf9ce97a1

operator-generic

quay.io/cilium/operator-generic:v1.18.6@​sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af
quay.io/cilium/operator-generic:stable@sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af

operator

quay.io/cilium/operator:v1.18.6@​sha256:0e8903aa092025918761d24ae9a91af35baa5b6910b5d0e3feac91ab8a2bc65b
quay.io/cilium/operator:stable@sha256:0e8903aa092025918761d24ae9a91af35baa5b6910b5d0e3feac91ab8a2bc65b

v1.18.5: 1.18.5

Compare Source

Summary of Changes

Minor Changes:

Bugfixes:

CI Changes:

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link

github-actions bot commented Aug 3, 2025
edited
Loading 

--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: kube-system
-      version: 1.17.6
+      version: 1.19.1
   install:
     remediation:
       retries: -1
   interval: 1h
   upgrade:
     cleanupOnFail: true

@renovate renovate bot force-pushed the renovate/cilium-1.x branch 3 times, most recently from cb37693 to 115bc83 Compare August 9, 2025 02:00
@renovate renovate bot force-pushed the renovate/cilium-1.x branch from 115bc83 to 816dc09 Compare August 10, 2025 11:22
@renovate renovate bot changed the title feat(helm): update chart cilium ( 1.17.6 → 1.18.0 ) feat(helm): update chart cilium ( 1.17.6 → 1.18.1 ) Aug 15, 2025
@renovate renovate bot force-pushed the renovate/cilium-1.x branch 2 times, most recently from 1378623 to 5fc6a6c Compare August 19, 2025 13:55
@renovate renovate bot force-pushed the renovate/cilium-1.x branch 2 times, most recently from 26c4b6b to e4abeff Compare August 30, 2025 22:06
@renovate renovate bot force-pushed the renovate/cilium-1.x branch from e4abeff to ce55753 Compare September 17, 2025 18:58
@renovate renovate bot changed the title feat(helm): update chart cilium ( 1.17.6 → 1.18.1 ) feat(helm): update chart cilium ( 1.17.6 → 1.18.2 ) Sep 17, 2025
@renovate renovate bot force-pushed the renovate/cilium-1.x branch 13 times, most recently from 48c826e to f437169 Compare September 28, 2025 18:34
@renovate renovate bot force-pushed the renovate/cilium-1.x branch 8 times, most recently from 9f1fa4a to 8aab62a Compare October 4, 2025 21:39
@renovate renovate bot force-pushed the renovate/cilium-1.x branch from 8aab62a to e5172bb Compare October 8, 2025 04:38
@renovate renovate bot force-pushed the renovate/cilium-1.x branch 2 times, most recently from d523f2d to d0ff3aa Compare October 24, 2025 02:36
@renovate renovate bot changed the title feat(helm): update chart cilium ( 1.17.6 → 1.18.2 ) feat(helm): update chart cilium ( 1.17.6 → 1.18.3 ) Oct 24, 2025
@renovate renovate bot force-pushed the renovate/cilium-1.x branch from d0ff3aa to a6a989e Compare November 10, 2025 20:10
@renovate renovate bot changed the title feat(helm): update chart cilium ( 1.17.6 → 1.18.3 ) feat(helm): update chart cilium ( 1.17.6 → 1.18.4 ) Nov 12, 2025
@renovate renovate bot force-pushed the renovate/cilium-1.x branch from a6a989e to 7dbb20c Compare November 12, 2025 14:59
@renovate renovate bot force-pushed the renovate/cilium-1.x branch from 7dbb20c to ca9028c Compare December 3, 2025 18:48
@renovate renovate bot force-pushed the renovate/cilium-1.x branch from ca9028c to 82ef707 Compare December 17, 2025 13:35
@renovate renovate bot changed the title feat(helm): update chart cilium ( 1.17.6 → 1.18.4 ) feat(helm): update chart cilium ( 1.17.6 → 1.18.5 ) Dec 17, 2025
@renovate renovate bot force-pushed the renovate/cilium-1.x branch 2 times, most recently from 46bc806 to 300c2f4 Compare January 13, 2026 16:47
@renovate renovate bot changed the title feat(helm): update chart cilium ( 1.17.6 → 1.18.5 ) feat(helm): update chart cilium ( 1.17.6 → 1.18.6 ) Jan 13, 2026
@renovate renovate bot force-pushed the renovate/cilium-1.x branch from 300c2f4 to 530fb9b Compare January 23, 2026 18:12
@renovate renovate bot force-pushed the renovate/cilium-1.x branch 2 times, most recently from 2c3e6c9 to 6cdae50 Compare February 4, 2026 01:12
@renovate renovate bot changed the title feat(helm): update chart cilium ( 1.17.6 → 1.18.6 ) feat(helm): update chart cilium ( 1.17.6 → 1.19.0 ) Feb 4, 2026
@github-actions
Copy link

github-actions bot commented Feb 4, 2026
edited
Loading 

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

@@ -7,13 +7,13 @@

   labels:
     k8s-app: cilium
     app.kubernetes.io/name: cilium-agent
     app.kubernetes.io/part-of: cilium
     grafana_dashboard: '1'
 data:
-  cilium-dashboard.json: |
+  cilium-dashboard.json: |-
     {
       "annotations": {
         "list": [
           {
             "builtIn": 1,
             "datasource": {
@@ -49,12 +49,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -143,13 +144,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -179,12 +180,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 35,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -286,13 +288,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -327,13 +329,12 @@

           ],
           "title": "CPU Usage per node",
           "type": "timeseries"
         },
         {
           "collapsed": false,
-          "datasource": null,
           "gridPos": {
             "h": 1,
             "w": 24,
             "x": 0,
             "y": 5
           },
@@ -356,12 +357,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 35,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -508,13 +510,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -564,12 +566,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -643,13 +646,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -701,12 +704,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -780,13 +784,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -848,12 +852,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -927,13 +932,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -991,12 +996,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -1055,13 +1061,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -1073,13 +1079,12 @@

           ],
           "title": "BPF map pressure",
           "type": "timeseries"
         },
         {
           "collapsed": false,
-          "datasource": null,
           "gridPos": {
             "h": 1,
             "w": 24,
             "x": 0,
             "y": 17
           },
@@ -1102,12 +1107,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -1208,13 +1214,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -1242,12 +1248,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -1348,13 +1355,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -1382,12 +1389,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -1488,13 +1496,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -9,12 +9,13 @@

   identity-heartbeat-timeout: 30m0s
   identity-gc-interval: 15m0s
   cilium-endpoint-gc-interval: 5m0s
   nodes-gc-interval: 5m0s
   debug: 'false'
   debug-verbose: ''
+  metrics-sampling-interval: 5m
   enable-policy: default
   policy-cidr-match-mode: ''
   prometheus-serve-addr: :9962
   controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
   proxy-prometheus-port: '9964'
   operator-prometheus-serve-addr: :9963
@@ -29,12 +30,13 @@

   monitor-aggregation: medium
   monitor-aggregation-interval: 5s
   monitor-aggregation-flags: all
   bpf-map-dynamic-size-ratio: '0.0025'
   enable-host-legacy-routing: 'true'
   bpf-policy-map-max: '16384'
+  bpf-policy-stats-map-max: '65536'
   bpf-lb-map-max: '65536'
   bpf-lb-external-clusterip: 'false'
   bpf-lb-source-range-all-types: 'false'
   bpf-lb-algorithm-annotation: 'false'
   bpf-lb-mode-annotation: 'false'
   bpf-distributed-lru: 'false'
@@ -45,45 +47,44 @@

   cluster-name: default
   cluster-id: '0'
   routing-mode: native
   tunnel-protocol: vxlan
   tunnel-source-port-range: 0-0
   service-no-backend-response: reject
+  policy-deny-response: none
   enable-l7-proxy: 'true'
   enable-ipv4-masquerade: 'true'
   enable-ipv4-big-tcp: 'false'
   enable-ipv6-big-tcp: 'false'
   enable-ipv6-masquerade: 'true'
+  enable-tunnel-big-tcp: 'false'
   enable-tcx: 'true'
   datapath-mode: veth
   enable-bpf-masquerade: 'true'
   enable-masquerade-to-route-source: 'false'
   enable-xt-socket-fallback: 'true'
   install-no-conntrack-iptables-rules: 'false'
   iptables-random-fully: 'false'
   auto-direct-node-routes: 'true'
   direct-routing-skip-unreachable: 'false'
   enable-local-redirect-policy: 'true'
   ipv4-native-routing-cidr: 10.42.0.0/16
-  enable-runtime-device-detection: 'true'
   kube-proxy-replacement: 'true'
   kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
+  enable-no-service-endpoints-routable: 'true'
   bpf-lb-sock: 'false'
   bpf-lb-sock-hostns-only: 'true'
   nodeport-addresses: ''
   enable-health-check-nodeport: 'true'
   enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-mode: dsr
   bpf-lb-algorithm: maglev
   bpf-lb-acceleration: disabled
-  enable-experimental-lb: 'false'
-  enable-svc-source-range-check: 'true'
-  enable-l2-neigh-discovery: 'true'
-  arping-refresh-period: 30s
+  enable-l2-neigh-discovery: 'false'
   k8s-require-ipv4-pod-cidr: 'false'
   k8s-require-ipv6-pod-cidr: 'false'
   enable-endpoint-routes: 'true'
   enable-k8s-networkpolicy: 'true'
   enable-endpoint-lockdown-on-policy-overflow: 'false'
   write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
@@ -99,14 +100,13 @@

   enable-hubble: 'true'
   hubble-socket-path: /var/run/cilium/hubble.sock
   hubble-metrics-server: :9965
   hubble-metrics-server-enable-tls: 'false'
   enable-hubble-open-metrics: 'false'
   hubble-metrics: dns drop tcp flow port-distribution icmp http
-  hubble-export-file-max-size-mb: '10'
-  hubble-export-file-max-backups: '5'
+  hubble-network-policy-correlation-enabled: 'true'
   hubble-listen-address: :4244
   hubble-disable-tls: 'false'
   hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
   hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
   hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
   ipam: kubernetes
@@ -116,51 +116,60 @@

   enable-vtep: 'false'
   vtep-endpoint: ''
   vtep-cidr: ''
   vtep-mask: ''
   vtep-mac: ''
   enable-l2-announcements: 'true'
+  packetization-layer-pmtud-mode: blackhole
   procfs: /host/proc
   bpf-root: /sys/fs/bpf
   cgroup-root: /sys/fs/cgroup
-  enable-k8s-terminating-endpoint: 'true'
+  identity-management-mode: agent
   enable-sctp: 'false'
   remove-cilium-node-taints: 'true'
   set-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
-  unmanaged-pod-watcher-interval: '15'
+  unmanaged-pod-watcher-interval: 15s
   dnsproxy-enable-transparent-mode: 'true'
   dnsproxy-socket-linger-timeout: '10'
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
   tofqdns-endpoint-max-ip-per-hostname: '1000'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
   tofqdns-proxy-response-max-delay: 100ms
+  tofqdns-preallocate-identities: 'true'
   agent-not-ready-taint-key: node.cilium.io/agent-not-ready
-  mesh-auth-enabled: 'true'
+  mesh-auth-enabled: 'false'
   mesh-auth-queue-size: '1024'
   mesh-auth-rotated-identities-queue-size: '1024'
   mesh-auth-gc-interval: 5m0s
   proxy-xff-num-trusted-hops-ingress: '0'
   proxy-xff-num-trusted-hops-egress: '0'
   proxy-connect-timeout: '2'
   proxy-initial-fetch-timeout: '30'
+  proxy-max-active-downstream-connections: '50000'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
   proxy-idle-timeout-seconds: '60'
   proxy-max-concurrent-retries: '128'
+  proxy-use-original-source-address: 'true'
+  proxy-cluster-max-connections: '1024'
+  proxy-cluster-max-requests: '1024'
   http-retry-count: '3'
+  http-stream-idle-timeout: '300'
   external-envoy-proxy: 'false'
   envoy-base-id: '0'
   envoy-access-log-buffer-size: '4096'
   envoy-keep-cap-netbindservice: 'false'
   max-connected-clusters: '255'
+  clustermesh-cache-ttl: 0s
   clustermesh-enable-endpoint-sync: 'false'
   clustermesh-enable-mcs-api: 'false'
+  clustermesh-mcs-api-install-crds: 'true'
+  policy-default-local-cluster: 'true'
   nat-map-stats-entries: '32'
   nat-map-stats-interval: 30s
-  enable-internal-traffic-policy: 'true'
   enable-lb-ipam: 'true'
   enable-non-default-deny-policies: 'true'
   enable-source-ip-verification: 'true'
 
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

@@ -2,17 +2,39 @@

 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: hubble-ui-nginx
   namespace: kube-system
 data:
-  nginx.conf: "server {\n    listen       8081;\n    listen       [::]:8081;\n   \
-    \ server_name  localhost;\n    root /app;\n    index index.html;\n    client_max_body_size\
-    \ 1G;\n\n    location / {\n        proxy_set_header Host $host;\n        proxy_set_header\
-    \ X-Real-IP $remote_addr;\n\n        location /api {\n            proxy_http_version\
-    \ 1.1;\n            proxy_pass_request_headers on;\n            proxy_pass http://127.0.0.1:8090;\n\
-    \        }\n        location / {\n            # double `/index.html` is required\
-    \ here \n            try_files $uri $uri/ /index.html /index.html;\n        }\n\
-    \n        # Liveness probe\n        location /healthz {\n            access_log\
-    \ off;\n            add_header Content-Type text/plain;\n            return 200\
-    \ 'ok';\n        }\n    }\n}"
+  nginx.conf: |-
+    server {
+        listen       8081;
+        listen       [::]:8081;
+        server_name  localhost;
+        root /app;
+        index index.html;
+        client_max_body_size 1G;
 
+        location / {
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+
+            location /api {
+                proxy_http_version 1.1;
+                proxy_pass_request_headers on;
+                proxy_pass http://127.0.0.1:8090;
+            }
+            location / {
+                if ($http_user_agent ~* "kube-probe") { access_log off; }
+                # double `/index.html` is required here
+                try_files $uri $uri/ /index.html /index.html;
+            }
+
+            # Liveness probe
+            location /healthz {
+                access_log off;
+                add_header Content-Type text/plain;
+                return 200 'ok';
+            }
+        }
+    }
+
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium

@@ -53,13 +53,12 @@

   - watch
   - get
 - apiGroups:
   - cilium.io
   resources:
   - ciliumloadbalancerippools
-  - ciliumbgppeeringpolicies
   - ciliumbgpnodeconfigs
   - ciliumbgpadvertisements
   - ciliumbgppeerconfigs
   - ciliumclusterwideenvoyconfigs
   - ciliumclusterwidenetworkpolicies
   - ciliumegressgatewaypolicies
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

@@ -160,39 +160,37 @@

   resources:
   - customresourcedefinitions
   verbs:
   - update
   resourceNames:
   - ciliumloadbalancerippools.cilium.io
-  - ciliumbgppeeringpolicies.cilium.io
   - ciliumbgpclusterconfigs.cilium.io
   - ciliumbgppeerconfigs.cilium.io
   - ciliumbgpadvertisements.cilium.io
   - ciliumbgpnodeconfigs.cilium.io
   - ciliumbgpnodeconfigoverrides.cilium.io
   - ciliumclusterwideenvoyconfigs.cilium.io
   - ciliumclusterwidenetworkpolicies.cilium.io
   - ciliumegressgatewaypolicies.cilium.io
   - ciliumendpoints.cilium.io
   - ciliumendpointslices.cilium.io
   - ciliumenvoyconfigs.cilium.io
-  - ciliumexternalworkloads.cilium.io
   - ciliumidentities.cilium.io
   - ciliumlocalredirectpolicies.cilium.io
   - ciliumnetworkpolicies.cilium.io
   - ciliumnodes.cilium.io
   - ciliumnodeconfigs.cilium.io
   - ciliumcidrgroups.cilium.io
   - ciliuml2announcementpolicies.cilium.io
   - ciliumpodippools.cilium.io
+  - ciliumgatewayclassconfigs.cilium.io
 - apiGroups:
   - cilium.io
   resources:
   - ciliumloadbalancerippools
   - ciliumpodippools
-  - ciliumbgppeeringpolicies
   - ciliumbgpclusterconfigs
   - ciliumbgpnodeconfigoverrides
   - ciliumbgppeerconfigs
   verbs:
   - get
   - list
@@ -214,7 +212,13 @@

   resources:
   - leases
   verbs:
   - create
   - get
   - update
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumendpointslices
+  verbs:
+  - deletecollection
 
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/hubble-ui

@@ -3,20 +3,12 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: hubble-ui
   labels:
     app.kubernetes.io/part-of: cilium
 rules:
-- apiGroups:
-  - networking.k8s.io
-  resources:
-  - networkpolicies
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - ''
   resources:
   - componentstatuses
   - endpoints
   - namespaces
@@ -32,15 +24,7 @@

   resources:
   - customresourcedefinitions
   verbs:
   - get
   - list
   - watch
-- apiGroups:
-  - cilium.io
-  resources:
-  - '*'
-  verbs:
-  - get
-  - list
-  - watch
 
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,47 +16,50 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 8c188739d4efe4dc034ef54061cda1fe43ca4feaa3a1cbeb8258bc9109d3ea26
+        cilium.io/cilium-configmap-checksum: 354a4e371baa356dd05d494806e1c57a1f2c49177fe7b46d28d731bafe1cbf6b
+        kubectl.kubernetes.io/default-container: cilium-agent
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
+        seccompProfile:
+          type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.19.1@sha256:41f1f74a0000de8656f1de4088ea00c8f2d49d6edea579034c73c5fd5fe01792
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9879
+            port: health
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
-          failureThreshold: 105
+          failureThreshold: 300
           periodSeconds: 2
           successThreshold: 1
           initialDelaySeconds: 5
         livenessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9879
+            port: health
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
             - name: require-k8s-connectivity
               value: 'false'
@@ -65,13 +68,13 @@

           failureThreshold: 10
           timeoutSeconds: 5
         readinessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9879
+            port: health
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
           periodSeconds: 30
           successThreshold: 1
@@ -96,12 +99,16 @@

               resource: limits.memory
               divisor: '1'
         - name: KUBERNETES_SERVICE_HOST
           value: 127.0.0.1
         - name: KUBERNETES_SERVICE_PORT
           value: '7445'
+        - name: KUBE_CLIENT_BACKOFF_BASE
+          value: '1'
+        - name: KUBE_CLIENT_BACKOFF_DURATION
+          value: '120'
         lifecycle:
           postStart:
             exec:
               command:
               - bash
               - -c
@@ -127,27 +134,27 @@

                 echo 'Done!'
           preStop:
             exec:
               command:
               - /cni-uninstall.sh
         ports:
+        - name: health
+          containerPort: 9879
+          hostPort: 9879
+          protocol: TCP
         - name: peer-service
           containerPort: 4244
           hostPort: 4244
           protocol: TCP
         - name: prometheus
           containerPort: 9962
           hostPort: 9962
           protocol: TCP
         - name: envoy-metrics
           containerPort: 9964
           hostPort: 9964
-          protocol: TCP
-        - name: envoy-admin
-          containerPort: 9901
-          hostPort: 9901
           protocol: TCP
         - name: hubble-metrics
           containerPort: 9965
           hostPort: 9965
           protocol: TCP
         securityContext:
@@ -201,13 +208,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.19.1@sha256:41f1f74a0000de8656f1de4088ea00c8f2d49d6edea579034c73c5fd5fe01792
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -225,14 +232,20 @@

         - name: KUBERNETES_SERVICE_PORT
           value: '7445'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+            drop:
+            - ALL
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.19.1@sha256:41f1f74a0000de8656f1de4088ea00c8f2d49d6edea579034c73c5fd5fe01792
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /sys/fs/cgroup
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -258,13 +271,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.19.1@sha256:41f1f74a0000de8656f1de4088ea00c8f2d49d6edea579034c73c5fd5fe01792
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -288,13 +301,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.19.1@sha256:41f1f74a0000de8656f1de4088ea00c8f2d49d6edea579034c73c5fd5fe01792
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -304,13 +317,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.19.1@sha256:41f1f74a0000de8656f1de4088ea00c8f2d49d6edea579034c73c5fd5fe01792
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -352,17 +365,20 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.19.1@sha256:41f1f74a0000de8656f1de4088ea00c8f2d49d6edea579034c73c5fd5fe01792
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
+          limits:
+            cpu: 1
+            memory: 1Gi
           requests:
             cpu: 100m
             memory: 10Mi
         securityContext:
           seLinuxOptions:
             level: s0
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,22 +20,25 @@

       maxSurge: 25%
       maxUnavailable: 100%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 8c188739d4efe4dc034ef54061cda1fe43ca4feaa3a1cbeb8258bc9109d3ea26
+        cilium.io/cilium-configmap-checksum: 354a4e371baa356dd05d494806e1c57a1f2c49177fe7b46d28d731bafe1cbf6b
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.17.6@sha256:91ac3bf7be7bed30e90218f219d4f3062a63377689ee7246062fa0cc3839d096
+        image: quay.io/cilium/operator-generic:v1.19.1@sha256:e7278d763e448bf6c184b0682cf98cdca078d58a27e1b2f3c906792670aa211a
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
@@ -58,39 +61,47 @@

               optional: true
         - name: KUBERNETES_SERVICE_HOST
           value: 127.0.0.1
         - name: KUBERNETES_SERVICE_PORT
           value: '7445'
         ports:
+        - name: health
+          containerPort: 9234
+          hostPort: 9234
         - name: prometheus
           containerPort: 9963
           hostPort: 9963
           protocol: TCP
         livenessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9234
+            port: health
             scheme: HTTP
           initialDelaySeconds: 60
           periodSeconds: 10
           timeoutSeconds: 3
         readinessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
-            port: 9234
+            port: health
             scheme: HTTP
           initialDelaySeconds: 0
           periodSeconds: 5
           timeoutSeconds: 3
           failureThreshold: 5
         volumeMounts:
         - name: cilium-config-path
           mountPath: /tmp/cilium/config-map
           readOnly: true
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
         terminationMessagePolicy: FallbackToLogsOnError
       hostNetwork: true
       restartPolicy: Always
       priorityClassName: system-cluster-critical
       serviceAccountName: cilium-operator
       automountServiceAccountToken: true
@@ -100,11 +111,14 @@

           - labelSelector:
               matchLabels:
                 io.cilium/app: operator
             topologyKey: kubernetes.io/hostname
       nodeSelector:
         kubernetes.io/os: linux
+      tolerations:
+      - key: node.cilium.io/agent-not-ready
+        operator: Exists
       volumes:
       - name: cilium-config-path
         configMap:
           name: cilium-config
 
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -24,22 +24,27 @@

         k8s-app: hubble-relay
         app.kubernetes.io/name: hubble-relay
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         fsGroup: 65532
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: hubble-relay
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.17.6@sha256:7d17ec10b3d37341c18ca56165b2f29a715cb8ee81311fd07088d8bf68c01e60
+          seccompProfile:
+            type: RuntimeDefault
+        image: quay.io/cilium/hubble-relay:v1.19.1@sha256:d8c4e13bc36a56179292bb52bc6255379cb94cb873700d316ea3139b1bdb8165
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

@@ -31,49 +31,53 @@

         runAsUser: 1001
       priorityClassName: null
       serviceAccountName: hubble-ui
       automountServiceAccountToken: true
       containers:
       - name: frontend
-        image: quay.io/cilium/hubble-ui:v0.13.2@sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392
+        image: quay.io/cilium/hubble-ui:v0.13.3@sha256:661d5de7050182d495c6497ff0b007a7a1e379648e60830dd68c4d78ae21761d
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
           containerPort: 8081
         livenessProbe:
           httpGet:
             path: /healthz
-            port: 8081
+            port: http
         readinessProbe:
           httpGet:
             path: /
-            port: 8081
+            port: http
         volumeMounts:
         - name: hubble-ui-nginx-conf
           mountPath: /etc/nginx/conf.d/default.conf
           subPath: nginx.conf
         - name: tmp-dir
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: backend
-        image: quay.io/cilium/hubble-ui-backend:v0.13.2@sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15
+        image: quay.io/cilium/hubble-ui-backend:v0.13.3@sha256:db1454e45dc39ca41fbf7cad31eec95d99e5b9949c39daaad0fa81ef29d56953
         imagePullPolicy: IfNotPresent
         env:
         - name: EVENTS_SERVER_PORT
           value: '8090'
         - name: FLOWS_API_ADDR
           value: hubble-relay:80
         ports:
         - name: grpc
           containerPort: 8090
         volumeMounts: null
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
       volumes:
       - configMap:
           defaultMode: 420
           name: hubble-ui-nginx
         name: hubble-ui-nginx-conf
-      - emptyDir: {}
-        name: tmp-dir
+      - name: tmp-dir
+        emptyDir: {}
 
--- HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent

+++ HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent

@@ -3,12 +3,13 @@

 kind: ServiceMonitor
 metadata:
   name: cilium-agent
   namespace: kube-system
   labels:
     app.kubernetes.io/part-of: cilium
+    app.kubernetes.io/name: cilium-agent
 spec:
   selector:
     matchLabels:
       app.kubernetes.io/name: cilium-agent
   namespaceSelector:
     matchNames:
@@ -16,13 +17,14 @@

   endpoints:
   - port: metrics
     interval: 10s
     honorLabels: true
     path: /metrics
     relabelings:
-    - replacement: ${1}
+    - action: replace
+      replacement: ${1}
       sourceLabels:
       - __meta_kubernetes_pod_node_name
       targetLabel: node
   targetLabels:
   - k8s-app
 
--- HelmRelease: kube-system/cilium Role: kube-system/cilium-operator-ztunnel

+++ HelmRelease: kube-system/cilium Role: kube-system/cilium-operator-ztunnel

@@ -0,0 +1,20 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-operator-ztunnel
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+
--- HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-operator-ztunnel

+++ HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-operator-ztunnel

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-operator-ztunnel
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-operator-ztunnel
+subjects:
+- kind: ServiceAccount
+  name: cilium-operator
+  namespace: kube-system
+

@renovate renovate bot force-pushed the renovate/cilium-1.x branch from 6cdae50 to 7aeab88 Compare February 12, 2026 16:08
@renovate renovate bot force-pushed the renovate/cilium-1.x branch from 7aeab88 to de78dd2 Compare February 17, 2026 23:41
@renovate renovate bot changed the title feat(helm): update chart cilium ( 1.17.6 → 1.19.0 ) feat(helm): update chart cilium ( 1.17.6 → 1.19.1 ) Feb 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area/bootstrap area/kubernetes renovate/helm type/minor

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants