chore(deps): update helm release cilium to v1.19.5#360

Open
renovate[bot] wants to merge 1 commit into main from renovate/cilium-1.x

Conversation

@renovate renovate Bot commented Jun 24, 2026

Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Update | Change |
| --- | --- | --- |
| cilium (source) | minor | 1.18.2 -> 1.19.5 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

cilium/cilium (cilium)

v1.19.5: 1.19.5

Compare Source

Summary of Changes

Minor Changes:

Bugfixes:

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.5@sha256:5ed9334b2254315740f9e2a8b6645bf69920f79ef14f436931579d2038784f9b

docker-plugin

quay.io/cilium/docker-plugin:v1.19.5@sha256:4006d5558390120774a5a903a706dfd64089082bd653b7cb45e9e5a93ff4efea

hubble-relay

quay.io/cilium/hubble-relay:v1.19.5@sha256:24409bfa1bca075c92acb26ba4b49cd573d99d68d5370f7cc825078185222a0c

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.5@sha256:c9706343dde700804c2f50c09a2f8291797c707d1747fd50f70c939c23747c16

operator-aws

quay.io/cilium/operator-aws:v1.19.5@sha256:b8473618e8d2bf8a610da445c8c37e1d1e8221aecd05989456d87a7588d66707

operator-azure

quay.io/cilium/operator-azure:v1.19.5@sha256:8600299cb121f9df00fd32b93fa74de89ed49dd3a67e3d7301c07325c04c77f8

operator-generic

quay.io/cilium/operator-generic:v1.19.5@sha256:be848a365776e07d0c5a895eda7aec928ddc52a5a1fa2f432fd7a286609e1db4

operator

quay.io/cilium/operator:v1.19.5@sha256:07a25f6a248d77f0c8417d21b5ea5424a81fe551421e4baf04dc79b1360e832e

v1.19.4: 1.19.4

Compare Source

Summary of Changes

Minor Changes:

  • cilium-agent: when --k8s-service-proxy-name is set, EndpointSlices are now filtered by the service.kubernetes.io/service-proxy-name label at the watch level, matching how Services are already filtered; operators with hand-managed EndpointSlices must stamp the matching label on those slices. (Backport PR #45755, Upstream PR #45504, @HadrienPatte)
  • iptables-based masquerading: ensure iptables rules respect longest prefix match by sorting routes by mask length when enable-masquerade-to-route-source is enabled (Backport PR #45630, Upstream PR #45192, @liyihuang)
  • operator/spire: make SPIRE client configurable for ztunnel (Backport PR #45356, Upstream PR #44136, @nddq)
  • pkg/endpoint: skip logger rebuild on policy revision updates (Backport PR #45630, Upstream PR #45533, @sjohnsonpal)

Bugfixes:

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.4@sha256:2eb67991eaa9368ba199c2fac2c573cb0ffdeb79184533344f42fc9a7ff6af3c

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.4@sha256:9e40006b2e2b6e66d047f9af52577a93b39d9532958ec6d88d46820bb59ab643

docker-plugin

quay.io/cilium/docker-plugin:v1.19.4@sha256:720dc5839de8c30acf655ad790866cf89b7691047a020e7b4a4bd66883fbf4d1

hubble-relay

quay.io/cilium/hubble-relay:v1.19.4@sha256:59af8c0d561e560c2a042e7600a3496bc0367df8fbf868aa68d5834c8ec1a431

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.4@sha256:693b1e61f22beaa9a0f68aa4056ba873465da96da6382f3276978d01544450dd

operator-aws

quay.io/cilium/operator-aws:v1.19.4@sha256:9e41b3959d941a0b60ba187f5a2572305846248efb89ac59c18fd25a032f568d

operator-azure

quay.io/cilium/operator-azure:v1.19.4@sha256:8203f4e5e65c658fe2367a570c7bba5779859982bd3cc263662e35e690be3417

operator-generic

quay.io/cilium/operator-generic:v1.19.4@sha256:1aa2b62735e7d8ab49ee840ae59c346932024c88901579121395c1271b435f71

operator

quay.io/cilium/operator:v1.19.4@sha256:7edc61725901e32a13e180c5290d43df5292f5f49c6d654c94a0be2faf52e71e

v1.19.3: 1.19.3

Compare Source

Summary of Changes

Minor Changes:

Bugfixes:

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Contributor

✅ Dry-run — turing

omnictl template sync

(no output)

helmfile diff

Adding repo cilium https://helm.cilium.io/
"cilium" has been added to your repositories

Comparing release=cilium, chart=cilium/cilium, namespace=kube-system
cilium-secrets, cilium-tlsinterception-secrets, Role (rbac.authorization.k8s.io) has changed:
  # Source: cilium/templates/cilium-agent/role.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: cilium-tlsinterception-secrets
-   namespace: "cilium-secrets"  
+   namespace: "cilium-secrets"
    labels:
      app.kubernetes.io/part-of: cilium
  rules:
  - apiGroups:
    - ""
    resources:
    - secrets
    verbs:
    - get
    - list
    - watch
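Review bot: the only difference in this Role is the trailing whitespace on the `namespace: "cilium-secrets"` line; the rules (get/list/watch on secrets in cilium-secrets) are identical before and after, so there is no RBAC change to act on here.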
kube-system, cilium, ClusterRole (rbac.authorization.k8s.io) has changed:
  # Source: cilium/templates/cilium-agent/clusterrole.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: cilium
    labels:
      app.kubernetes.io/part-of: cilium
  rules:
  - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - discovery.k8s.io
    resources:
    - endpointslices
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - namespaces
    - services
    - pods
    - endpoints
    - nodes
    verbs:
    - get
    - list
    - watch
  - apiGroups:
+   - coordination.k8s.io
+   resources:
+   - leases
+   verbs:
+   - create
+   - get
+   - update
+   - list
+   - delete
+ - apiGroups:
    - apiextensions.k8s.io
    resources:
    - customresourcedefinitions
    verbs:
    - list
    - watch
    # This is used when validating policies in preflight. This will need to stay
    # until we figure out how to avoid "get" inside the preflight, and then
    # should be removed ideally.
    - get
  - apiGroups:
    - cilium.io
    resources:
    - ciliumloadbalancerippools
    - ciliumbgppeeringpolicies
    - ciliumbgpnodeconfigs
    - ciliumbgpadvertisements
    - ciliumbgppeerconfigs
    - ciliumclusterwideenvoyconfigs
    - ciliumclusterwidenetworkpolicies
    - ciliumegressgatewaypolicies
    - ciliumendpoints
    - ciliumendpointslices
    - ciliumenvoyconfigs
    - ciliumidentities
    - ciliumlocalredirectpolicies
    - ciliumnetworkpolicies
    - ciliumnodes
    - ciliumnodeconfigs
    - ciliumcidrgroups
    - ciliuml2announcementpolicies
    - ciliumpodippools
    verbs:
    - list
    - watch
  - apiGroups:
    - cilium.io
    resources:
    - ciliumidentities
    - ciliumendpoints
    - ciliumnodes
    verbs:
    - create
  - apiGroups:
    - cilium.io
    # To synchronize garbage collection of such resources
    resources:
    - ciliumidentities
    verbs:
    - update
  - apiGroups:
    - cilium.io
    resources:
    - ciliumendpoints
    verbs:
    - delete
    - get
  - apiGroups:
    - cilium.io
    resources:
    - ciliumnodes
    - ciliumnodes/status
    verbs:
    - get
    - update
  - apiGroups:
    - cilium.io
    resources:
    - ciliumendpoints/status
    - ciliumendpoints
    - ciliuml2announcementpolicies/status
    - ciliumbgpnodeconfigs/status
    verbs:
    - patch
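Review bot: the added rule grants the `cilium` ClusterRole, and with it every node's agent service account, cluster-wide `create`, `get`, `update`, `list` and `delete` on `coordination.k8s.io` `leases`; that is a new write permission on a cluster-scoped object rather than one limited to the namespace the agent runs in. Confirm that the lease usage introduced in the 1.19 agent is wanted on this cluster and whether the permission can be narrowed to a namespaced Role/RoleBinding; the remaining rules in this hunk are unchanged context.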
kube-system, cilium, DaemonSet (apps) has changed:
  # Source: cilium/templates/cilium-agent/daemonset.yaml
  apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    name: cilium
    namespace: kube-system
    labels:
      k8s-app: cilium
      app.kubernetes.io/part-of: cilium
      app.kubernetes.io/name: cilium-agent
  spec:
    selector:
      matchLabels:
        k8s-app: cilium
    updateStrategy:
      rollingUpdate:
        maxUnavailable: 2
      type: RollingUpdate
    template:
      metadata:
        annotations:
+         kubectl.kubernetes.io/default-container: cilium-agent
        labels:
          k8s-app: cilium
          app.kubernetes.io/name: cilium-agent
          app.kubernetes.io/part-of: cilium
      spec:
        securityContext:
          appArmorProfile:
+           type: Unconfined
+         seccompProfile:
            type: Unconfined
        containers:
        - name: cilium-agent
-         image: "quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a"
+         image: "quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732"
          imagePullPolicy: IfNotPresent
          command:
          - cilium-agent
          args:
          - --config-dir=/tmp/cilium/config-map
          startupProbe:
            httpGet:
              host: "127.0.0.1"
              path: /healthz
-             port: 9879
+             port: health
              scheme: HTTP
              httpHeaders:
              - name: "brief"
                value: "true"
-           failureThreshold: 105
+           failureThreshold: 300
            periodSeconds: 2
            successThreshold: 1
            initialDelaySeconds: 5
          livenessProbe:
            httpGet:
              host: "127.0.0.1"
              path: /healthz
-             port: 9879
+             port: health
              scheme: HTTP
              httpHeaders:
              - name: "brief"
                value: "true"
              - name: "require-k8s-connectivity"
                value: "false"
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 10
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              host: "127.0.0.1"
              path: /healthz
-             port: 9879
+             port: health
              scheme: HTTP
              httpHeaders:
              - name: "brief"
                value: "true"
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 3
            timeoutSeconds: 5
          env:
          - name: K8S_NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: CILIUM_K8S_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: CILIUM_CLUSTERMESH_CONFIG
            value: /var/lib/cilium/clustermesh/
          - name: GOMEMLIMIT
            valueFrom:
              resourceFieldRef:
                resource: limits.memory
                divisor: '1'
-         - name: KUBERNETES_SERVICE_HOST
-           value: "localhost"
-         - name: KUBERNETES_SERVICE_PORT
-           value: "7445"
+         - name: KUBE_CLIENT_BACKOFF_BASE
+           value: "1"
+         - name: KUBE_CLIENT_BACKOFF_DURATION
+           value: "120"
          lifecycle:
            postStart:
              exec:
                command:
                - "bash"
                - "-c"
                - |
                      set -o errexit
                      set -o pipefail
                      set -o nounset
                      
                      # When running in AWS ENI mode, it's likely that 'aws-node' has
                      # had a chance to install SNAT iptables rules. These can result
                      # in dropped traffic, so we should attempt to remove them.
                      # We do it using a 'postStart' hook since this may need to run
                      # for nodes which might have already been init'ed but may still
                      # have dangling rules. This is safe because there are no
                      # dependencies on anything that is part of the startup script
                      # itself, and can be safely run multiple times per node (e.g. in
                      # case of a restart).
                      if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
                      then
                          echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
                          iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
                      fi
                      echo 'Done!'
                      
            preStop:
              exec:
                command:
                - /cni-uninstall.sh
+         ports:
+         - name: health
+           containerPort: 9879
+           hostPort: 9879
+           protocol: TCP
+         - name: peer-service
+           containerPort: 4244
+           hostPort: 4244
+           protocol: TCP
          securityContext:
            seLinuxOptions:
              level: s0
              type: spc_t
            capabilities:
              add:
                - CHOWN
                - KILL
                - NET_ADMIN
                - NET_RAW
                - IPC_LOCK
+               - SYS_MODULE
                - SYS_ADMIN
                - SYS_RESOURCE
                - DAC_OVERRIDE
                - FOWNER
                - SETGID
                - SETUID
+               - SYSLOG
              drop:
                - ALL
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
          - name: envoy-sockets
            mountPath: /var/run/cilium/envoy/sockets
            readOnly: false
          # Unprivileged containers need to mount /proc/sys/net from the host
          # to have write access
          - mountPath: /host/proc/sys/net
            name: host-proc-sys-net
          # Unprivileged containers need to mount /proc/sys/kernel from the host
          # to have write access
          - mountPath: /host/proc/sys/kernel
            name: host-proc-sys-kernel
          - name: bpf-maps
            mountPath: /sys/fs/bpf
            # Unprivileged containers can't set mount propagation to bidirectional
            # in this case we will mount the bpf fs from an init container that
            # is privileged and set the mount propagation from host to container
            # in Cilium.
            mountPropagation: HostToContainer
-         # Check for duplicate mounts before mounting
-         - name: cilium-cgroup
-           mountPath: /sys/fs/cgroup
          - name: cilium-run
            mountPath: /var/run/cilium
          - name: cilium-netns
            mountPath: /var/run/cilium/netns
            mountPropagation: HostToContainer
          - name: etc-cni-netd
            mountPath: /host/etc/cni/net.d
          - name: clustermesh-secrets
            mountPath: /var/lib/cilium/clustermesh
            readOnly: true
            # Needed to be able to load kernel modules
          - name: lib-modules
            mountPath: /lib/modules
            readOnly: true
          - name: xtables-lock
            mountPath: /run/xtables.lock
          - name: hubble-tls
            mountPath: /var/lib/cilium/tls/hubble
            readOnly: true
          - name: tmp
            mountPath: /tmp
+         
        initContainers:
        - name: config
-         image: "quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a"
+         image: "quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732"
          imagePullPolicy: IfNotPresent
          command:
          - cilium-dbg
          - build-config
          env:
          - name: K8S_NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: CILIUM_K8S_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
-         - name: KUBERNETES_SERVICE_HOST
-           value: "localhost"
-         - name: KUBERNETES_SERVICE_PORT
-           value: "7445"
          volumeMounts:
          - name: tmp
            mountPath: /tmp
+         terminationMessagePolicy: FallbackToLogsOnError
+         securityContext:
+           capabilities:
+             add:
+               - NET_ADMIN
+             drop:
+               - ALL
+       # Required to mount cgroup2 filesystem on the underlying Kubernetes node.
+       # We use nsenter command with host's cgroup and mount namespaces enabled.
+       - name: mount-cgroup
+         image: "quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732"
+         imagePullPolicy: IfNotPresent
+         env:
+         - name: CGROUP_ROOT
+           value: /run/cilium/cgroupv2
+         - name: BIN_PATH
+           value: /opt/cni/bin
+         command:
+         - bash
+         - -ec
+         # The statically linked Go program binary is invoked to avoid any
+         # dependency on utilities like sh and mount that can be missing on certain
+         # distros installed on the underlying host. Copy the binary to the
+         # same directory where we install cilium cni plugin so that exec permissions
+         # are available.
+         - |
+           cp /usr/bin/cilium-mount /hostbin/cilium-mount;
+           nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
+           rm /hostbin/cilium-mount
+         volumeMounts:
+         - name: hostproc
+           mountPath: /hostproc
+         - name: cni-path
+           mountPath: /hostbin
          terminationMessagePolicy: FallbackToLogsOnError
+         securityContext:
+           seLinuxOptions:
+             level: s0
+             type: spc_t
+           capabilities:
+             add:
+               - SYS_ADMIN
+               - SYS_CHROOT
+               - SYS_PTRACE
+             drop:
+               - ALL
        - name: apply-sysctl-overwrites
-         image: "quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a"
+         image: "quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732"
          imagePullPolicy: IfNotPresent
          env:
          - name: BIN_PATH
            value: /opt/cni/bin
          command:
-         - sh
+         - bash
          - -ec
          # The statically linked Go program binary is invoked to avoid any
          # dependency on utilities like sh that can be missing on certain
          # distros installed on the underlying host. Copy the binary to the
          # same directory where we install cilium cni plugin so that exec permissions
          # are available.
          - |
            cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
            nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
            rm /hostbin/cilium-sysctlfix
          volumeMounts:
          - name: hostproc
            mountPath: /hostproc
          - name: cni-path
            mountPath: /hostbin
          terminationMessagePolicy: FallbackToLogsOnError
          securityContext:
            seLinuxOptions:
              level: s0
              type: spc_t
            capabilities:
              add:
                - SYS_ADMIN
                - SYS_CHROOT
                - SYS_PTRACE
              drop:
                - ALL
        # Mount the bpf fs if it is not mounted. We will perform this task
        # from a privileged container because the mount propagation bidirectional
        # only works from privileged containers.
        - name: mount-bpf-fs
-         image: "quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a"
+         image: "quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732"
          imagePullPolicy: IfNotPresent
          args:
          - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
          command:
          - /bin/bash
          - -c
          - --
          terminationMessagePolicy: FallbackToLogsOnError
          securityContext:
            privileged: true
          volumeMounts:
          - name: bpf-maps
            mountPath: /sys/fs/bpf
            mountPropagation: Bidirectional
        - name: clean-cilium-state
-         image: "quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a"
+         image: "quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732"
          imagePullPolicy: IfNotPresent
          command:
          - /init-container.sh
          env:
          - name: CILIUM_ALL_STATE
            valueFrom:
              configMapKeyRef:
                name: cilium-config
                key: clean-cilium-state
                optional: true
          - name: CILIUM_BPF_STATE
            valueFrom:
              configMapKeyRef:
                name: cilium-config
                key: clean-cilium-bpf-state
                optional: true
          - name: WRITE_CNI_CONF_WHEN_READY
            valueFrom:
              configMapKeyRef:
                name: cilium-config
                key: write-cni-conf-when-ready
                optional: true
-         - name: KUBERNETES_SERVICE_HOST
-           value: "localhost"
-         - name: KUBERNETES_SERVICE_PORT
-           value: "7445"
          terminationMessagePolicy: FallbackToLogsOnError
          securityContext:
            seLinuxOptions:
              level: s0
              type: spc_t
            capabilities:
              add:
                - NET_ADMIN
+               - SYS_MODULE
                - SYS_ADMIN
                - SYS_RESOURCE
              drop:
                - ALL
          volumeMounts:
          - name: bpf-maps
            mountPath: /sys/fs/bpf
            # Required to mount cgroup filesystem from the host to cilium agent pod
          - name: cilium-cgroup
-           mountPath: /sys/fs/cgroup
+           mountPath: /run/cilium/cgroupv2
            mountPropagation: HostToContainer
          - name: cilium-run
            mountPath: /var/run/cilium # wait-for-kube-proxy
        # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
        - name: install-cni-binaries
-         image: "quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a"
+         image: "quay.io/cilium/cilium:v1.19.5@sha256:20fbbc14ac20b55a292c0dcda5571bf31cde30a7dbc68c29db3e709390ab0732"
          imagePullPolicy: IfNotPresent
          command:
            - "/install-plugin.sh"
          resources:
+           limits:
+             cpu: 1
+             memory: 1Gi
            requests:
              cpu: 100m
              memory: 10Mi
          securityContext:
            seLinuxOptions:
              level: s0
              type: spc_t
            capabilities:
              drop:
                - ALL
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - name: cni-path
              mountPath: /host/opt/cni/bin # .Values.cni.install
        restartPolicy: Always
        priorityClassName: system-node-critical
        serviceAccountName: "cilium"
        automountServiceAccountToken: true
        terminationGracePeriodSeconds: 1
        hostNetwork: true
+       
        affinity:
          podAntiAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  k8s-app: cilium
              topologyKey: kubernetes.io/hostname
        nodeSelector:
          kubernetes.io/os: linux
        tolerations:
          - operator: Exists
        volumes:
-         # For sharing configuration between the "config" initContainer and the agent
+       # For sharing configuration between the "config" initContainer and the agent
        - name: tmp
          emptyDir: {}
          # To keep state between restarts / upgrades
        - name: cilium-run
          hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
          # To exec into pod network namespaces
        - name: cilium-netns
          hostPath:
            path: /var/run/netns
            type: DirectoryOrCreate
          # To keep state between restarts / upgrades for bpf maps
        - name: bpf-maps
          hostPath:
            path: /sys/fs/bpf
            type: DirectoryOrCreate
        # To mount cgroup2 filesystem on the host or apply sysctlfix
        - name: hostproc
          hostPath:
            path: /proc
            type: Directory
        # To keep state between restarts / upgrades for cgroup2 filesystem
        - name: cilium-cgroup
          hostPath:
-           path: /sys/fs/cgroup
+           path: /run/cilium/cgroupv2
            type: DirectoryOrCreate
        # To install cilium cni plugin in the host
        - name: cni-path
          hostPath:
            path:  /opt/cni/bin
            type: DirectoryOrCreate
          # To install cilium cni configuration in the host
        - name: etc-cni-netd
          hostPath:
            path: /etc/cni/net.d
            type: DirectoryOrCreate
          # To be able to load kernel modules
        - name: lib-modules
          hostPath:
            path: /lib/modules
          # To access iptables concurrently with other processes (e.g. kube-proxy)
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        # Sharing socket with Cilium Envoy on the same node by using a host path
        - name: envoy-sockets
          hostPath:
            path: "/var/run/cilium/envoy/sockets"
            type: DirectoryOrCreate
          # To read the clustermesh configuration
        - name: clustermesh-secrets
          projected:
            # note: the leading zero means this number is in octal representation: do not remove it
            defaultMode: 0400
            sources:
            - secret:
                name: cilium-clustermesh
                optional: true
                # note: items are not explicitly listed here, since the entries of this secret
                # depend on the peers configured, and that would cause a restart of all agents
                # at every addition/removal. Leaving the field empty makes each secret entry
                # to be automatically projected into the volume as a file whose name is the key.
            - secret:
                name: clustermesh-apiserver-remote-cert
                optional: true
                items:
                - key: tls.key
                  path: common-etcd-client.key
                - key: tls.crt
                  path: common-etcd-client.crt
                - key: ca.crt
                  path: common-etcd-client-ca.crt
            # note: we configure the volume for the kvstoremesh-specific certificate
            # regardless of whether KVStoreMesh is enabled or not, so that it can be
            # automatically mounted in case KVStoreMesh gets subsequently enabled,
            # without requiring an agent restart.
            - secret:
                name: clustermesh-apiserver-local-cert
                optional: true
                items:
                - key: tls.key
                  path: local-etcd-client.key
                - key: tls.crt
                  path: local-etcd-client.crt
                - key: ca.crt
                  path: local-etcd-client-ca.crt
        - name: host-proc-sys-net
          hostPath:
            path: /proc/sys/net
            type: Directory
        - name: host-proc-sys-kernel
          hostPath:
            path: /proc/sys/kernel
            type: Directory
        - name: hubble-tls
          projected:
            # note: the leading zero means this number is in octal representation: do not remove it
            defaultMode: 0400
            sources:
            - secret:
                name: hubble-server-certs
                optional: true
                items:
                - key: tls.crt
                  path: server.crt
                - key: tls.key
                  path: server.key
                - key: ca.crt
                  path: client-ca.crt
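Review bot: the part of this hunk most likely to break the rollout is the removal of `KUBERNETES_SERVICE_HOST: "localhost"` / `KUBERNETES_SERVICE_PORT: "7445"` from the `cilium-agent`, `config` and `clean-cilium-state` containers: without those env vars the agent reaches the API server through the default in-cluster service address, and on a cluster where that address is only reachable through Cilium's own datapath that is a bootstrap dependency. Check that the values which produced these env vars still map to a key in the 1.19 chart before merging. On the privilege side, the agent container gains `SYS_MODULE` and `SYSLOG`, `clean-cilium-state` gains `SYS_MODULE`, the pod now sets `appArmorProfile: type: Unconfined` explicitly, and a new `mount-cgroup` init container runs `nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt` with `SYS_ADMIN`, `SYS_CHROOT` and `SYS_PTRACE`; all of this comes from the chart, but it deserves a conscious accept, and any admission policy that gates capabilities or host-namespace entry will now see it. Also worth noting: the new `hostPort` entries for 9879 (`health`) and 4244 (`peer-service`) on an already `hostNetwork: true` pod, the cgroup volume moving from `/sys/fs/cgroup` to `/run/cilium/cgroupv2` and being dropped from the agent container's mounts, and the startup probe `failureThreshold` going from 105 to 300, which at `periodSeconds: 2` extends the window a stuck agent is tolerated from 3.5 to 10 minutes.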
kube-system, cilium-ca, Secret (v1) has changed:
  # Source: cilium/templates/cilium-ca-secret.yaml
  apiVersion: v1
  kind: Secret
  metadata:
+   labels:
+     cilium.io/helm-template-non-idempotent: "true"
    name: cilium-ca
    namespace: kube-system
  data:
-   ca.crt: '-------- # (1127 bytes)'
-   ca.key: '-------- # (1675 bytes)'
+   ca.crt: '++++++++ # (1127 bytes)'
+   ca.key: '++++++++ # (1679 bytes)'
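Review bot: both `ca.crt` and `ca.key` of the `cilium-ca` Secret change in this dry-run (the key goes from 1675 to 1679 bytes), meaning the chart rendered a fresh CA rather than reusing the existing one, which is exactly what the new `cilium.io/helm-template-non-idempotent: "true"` label advertises. A rotated CA invalidates every certificate issued under the old one, including the hubble-server-certs and clustermesh certificates projected into the agent above, so before merging confirm whether a real apply preserves the existing CA or regenerates it; if it regenerates, either supply a fixed CA through the chart's TLS values or manage this secret outside the chart.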

kube-system, cilium-config, ConfigMap (v1) has changed:
  # Source: cilium/templates/cilium-configmap.yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: cilium-config
    namespace: kube-system
  data:

    # Identity allocation mode selects how identities are shared between cilium
    # nodes by setting how they are stored. The options are "crd", "kvstore" or
    # "doublewrite-readkvstore" / "doublewrite-readcrd".
    # - "crd" stores identities in kubernetes as CRDs (custom resource definition).
    #   These can be queried with:
    #     kubectl get ciliumid
    # - "kvstore" stores identities in an etcd kvstore, that is
    #   configured below. Cilium versions before 1.6 supported only the kvstore
    #   backend. Upgrades from these older cilium versions should continue using
    #   the kvstore by commenting out the identity-allocation-mode below, or
    #   setting it to "kvstore".
    # - "doublewrite" modes store identities in both the kvstore and CRDs. This is useful
    #   for seamless migrations from the kvstore mode to the crd mode. Consult the
    #   documentation for more information on how to perform the migration.
    identity-allocation-mode: crd

    identity-heartbeat-timeout: "30m0s"
    identity-gc-interval: "15m0s"
    cilium-endpoint-gc-interval: "5m0s"
    nodes-gc-interval: "5m0s"

    # If you want to run cilium in debug mode change this value to true
    debug: "false"
    debug-verbose: ""
+   metrics-sampling-interval: "5m"
    # The agent can be put into the following three policy enforcement modes
    # default, always and never.
    # https://docs.cilium.io/en/latest/security/policy/intro/#policy-enforcement-modes
    enable-policy: "default"
    policy-cidr-match-mode: ""
    # If you want metrics enabled in cilium-operator, set the port for
    # which the Cilium Operator will have their metrics exposed.
    # NOTE that this will open the port on the nodes where Cilium operator pod
    # is scheduled.
    operator-prometheus-serve-addr: ":9963"
    enable-metrics: "true"
    enable-policy-secrets-sync: "true"
    policy-secrets-only-from-secrets-namespace: "true"
    policy-secrets-namespace: "cilium-secrets"

    # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
    # address.
    enable-ipv4: "true"

    # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
    # address.
    enable-ipv6: "false"
    # Users who wish to specify their own custom CNI configuration file must set
    # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration.
    custom-cni-conf: "false"
    enable-bpf-clock-probe: "false"
    # If you want cilium monitor to aggregate tracing for packets, set this level
    # to "low", "medium", or "maximum". The higher the level, the less packets
    # that will be seen in monitor output.
    monitor-aggregation: medium

    # The monitor aggregation interval governs the typical time between monitor
    # notification events for each allowed connection.
    #
    # Only effective when monitor aggregation is set to "medium" or higher.
    monitor-aggregation-interval: "5s"

    # The monitor aggregation flags determine which TCP flags which, upon the
    # first observation, cause monitor notifications to be generated.
    #
    # Only effective when monitor aggregation is set to "medium" or higher.
    monitor-aggregation-flags: all
    # Specifies the ratio (0.0-1.0] of total system memory to use for dynamic
    # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
    bpf-map-dynamic-size-ratio: "0.0025"
    # bpf-policy-map-max specifies the maximum number of entries in endpoint
    # policy map (per endpoint)
    bpf-policy-map-max: "16384"
+   # bpf-policy-stats-map-max specifies the maximum number of entries in global
+   # policy stats map
+   bpf-policy-stats-map-max: "65536"
    # bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
    # backend and affinity maps.
    bpf-lb-map-max: "65536"
    bpf-lb-external-clusterip: "false"
    bpf-lb-source-range-all-types: "false"
    bpf-lb-algorithm-annotation: "false"
    bpf-lb-mode-annotation: "false"

    bpf-distributed-lru: "false"
    bpf-events-drop-enabled: "true"
    bpf-events-policy-verdict-enabled: "true"
    bpf-events-trace-enabled: "true"

    # Pre-allocation of map entries allows per-packet latency to be reduced, at
    # the expense of up-front memory allocation for the entries in the maps. The
    # default value below will minimize memory usage in the default installation;
    # users who are sensitive to latency may consider setting this to "true".
    #
    # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
    # this option and behave as though it is set to "true".
    #
    # If this value is modified, then during the next Cilium startup the restore
    # of existing endpoints and tracking of ongoing connections may be disrupted.
    # As a result, reply packets may be dropped and the load-balancing decisions
    # for established connections may change.
    #
    # If this option is set to "false" during an upgrade from 1.3 or earlier to
    # 1.4 or later, then it may cause one-time disruptions during the upgrade.
    preallocate-bpf-maps: "false"

    # Name of the cluster. Only relevant when building a mesh of clusters.
-   cluster-name: omni-turing
-   # Unique ID of the cluster. Must be unique across all conneted clusters and
+   cluster-name: "default"
+   # Unique ID of the cluster. Must be unique across all connected clusters and
    # in the range of 1 and 255. Only relevant when building a mesh of clusters.
    cluster-id: "0"

    # Encapsulation mode for communication between nodes
    # Possible values:
    #   - disabled
    #   - vxlan (default)
    #   - geneve

    routing-mode: "tunnel"
    tunnel-protocol: "vxlan"
    tunnel-source-port-range: "0-0"
    service-no-backend-response: "reject"
+   policy-deny-response: "none"


    # Enables L7 proxy for L7 policy enforcement and visibility
    enable-l7-proxy: "true"
- 
    enable-ipv4-masquerade: "true"
    enable-ipv4-big-tcp: "false"
    enable-ipv6-big-tcp: "false"
    enable-ipv6-masquerade: "true"
    enable-tcx: "true"
    datapath-mode: "veth"
+   enable-bpf-masquerade: "true"
    enable-masquerade-to-route-source: "false"

    enable-xt-socket-fallback: "true"
    install-no-conntrack-iptables-rules: "false"
    iptables-random-fully: "false"

    auto-direct-node-routes: "false"
    direct-routing-skip-unreachable: "false"
-   enable-local-redirect-policy: "false"
-   enable-runtime-device-detection: "true"
+ 
+ 

    kube-proxy-replacement: "true"
    kube-proxy-replacement-healthz-bind-address: ""
+   enable-no-service-endpoints-routable: "true"
    bpf-lb-sock: "false"
    nodeport-addresses: ""
    enable-health-check-nodeport: "true"
    enable-health-check-loadbalancer-ip: "false"
    node-port-bind-protection: "true"
    enable-auto-protect-node-port-range: "true"
    bpf-lb-acceleration: "disabled"
-   enable-experimental-lb: "false"
-   enable-svc-source-range-check: "true"
-   enable-l2-neigh-discovery: "true"
-   arping-refresh-period: "30s"
+   enable-service-topology: "false"
+   enable-l2-neigh-discovery: "false"
    k8s-require-ipv4-pod-cidr: "false"
    k8s-require-ipv6-pod-cidr: "false"
    enable-k8s-networkpolicy: "true"
    enable-endpoint-lockdown-on-policy-overflow: "false"
    # Tell the agent to generate and write a CNI configuration file
    write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
    cni-exclusive: "true"
    cni-log-file: "/var/run/cilium/cilium-cni.log"
    enable-endpoint-health-checking: "true"
    enable-health-checking: "true"
    health-check-icmp-failure-threshold: "3"
    enable-well-known-identities: "false"
    enable-node-selector-labels: "false"
    synchronize-k8s-nodes: "true"
    operator-api-serve-addr: "127.0.0.1:9234"

    enable-hubble: "true"
    # UNIX domain socket for Hubble server to listen to.
    hubble-socket-path: "/var/run/cilium/hubble.sock"
-   hubble-export-file-max-size-mb: "10"
-   hubble-export-file-max-backups: "5"
+   hubble-network-policy-correlation-enabled: "true"
    # An additional address for Hubble server to listen to (e.g. ":4244").
    hubble-listen-address: ":4244"
    hubble-disable-tls: "false"
    hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
    hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
    hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
    ipam: "kubernetes"
    ipam-cilium-node-update-rate: "15s"

    default-lb-service-ipam: "lbipam"
    egress-gateway-reconciliation-trigger-interval: "1s"
    enable-vtep: "false"
    vtep-endpoint: ""
    vtep-cidr: ""
    vtep-mask: ""
    vtep-mac: ""
+   # Enable L2 announcements
+   enable-l2-announcements: "true"
+   l2-announcements-lease-duration: "3s"
+   l2-announcements-renew-deadline: "1s"
+   l2-announcements-retry-period: "200ms"
+ 
+   packetization-layer-pmtud-mode: "blackhole"
    procfs: "/host/proc"
    bpf-root: "/sys/fs/bpf"
-   cgroup-root: "/sys/fs/cgroup"
-   enable-k8s-terminating-endpoint: "true"
+   cgroup-root: "/run/cilium/cgroupv2"
+ 
+   identity-management-mode: "agent"
    enable-sctp: "false"
    remove-cilium-node-taints: "true"
    set-cilium-node-taints: "true"
    set-cilium-is-up-condition: "true"
-   unmanaged-pod-watcher-interval: "15"
+   unmanaged-pod-watcher-interval: "15s"
    # default DNS proxy to transparent mode in non-chaining modes
    dnsproxy-enable-transparent-mode: "true"
    dnsproxy-socket-linger-timeout: "10"
    tofqdns-dns-reject-response-code: "refused"
    tofqdns-enable-dns-compression: "true"
    tofqdns-endpoint-max-ip-per-hostname: "1000"
    tofqdns-idle-connection-grace-period: "0s"
    tofqdns-max-deferred-connection-deletes: "10000"
    tofqdns-proxy-response-max-delay: "100ms"
+   tofqdns-preallocate-identities:  "true"
    agent-not-ready-taint-key: "node.cilium.io/agent-not-ready"

-   mesh-auth-enabled: "true"
+   mesh-auth-enabled: "false"
    mesh-auth-queue-size: "1024"
    mesh-auth-rotated-identities-queue-size: "1024"
    mesh-auth-gc-interval: "5m0s"

    proxy-xff-num-trusted-hops-ingress: "0"
    proxy-xff-num-trusted-hops-egress: "0"
    proxy-connect-timeout: "2"
    proxy-initial-fetch-timeout: "30"
+   proxy-max-active-downstream-connections: "50000"
    proxy-max-requests-per-connection: "0"
    proxy-max-connection-duration-seconds: "0"
    proxy-idle-timeout-seconds: "60"
    proxy-max-concurrent-retries: "128"
+   proxy-use-original-source-address: "true"
+   proxy-cluster-max-connections: "1024"
+   proxy-cluster-max-requests: "1024"
    http-retry-count: "3"
+   http-stream-idle-timeout: "300"

    external-envoy-proxy: "true"
    envoy-base-id: "0"
    envoy-access-log-buffer-size: "4096"
    envoy-keep-cap-netbindservice: "false"
    max-connected-clusters: "255"
+   clustermesh-cache-ttl: "0s"
    clustermesh-enable-endpoint-sync: "false"
    clustermesh-enable-mcs-api: "false"
+   clustermesh-mcs-api-install-crds: "true"
+   policy-default-local-cluster: "true"

    nat-map-stats-entries: "32"
    nat-map-stats-interval: "30s"
-   enable-internal-traffic-policy: "true"
    enable-lb-ipam: "true"
    enable-non-default-deny-policies: "true"
    enable-source-ip-verification: "true"
+   enable-dynamic-config: "true"
+   enable-drift-checker: "true"

  # Extra config allows adding arbitrary properties to the cilium config.
  # By putting it at the end of the ConfigMap, it's also possible to override existing properties.
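Review bot: `mesh-auth-enabled` flips from `"true"` to `"false"` in the cilium-config ConfigMap, which turns off the mutual-authentication machinery for any policy that requests it; confirm this is a deliberate values change and not a rendering default. The same region renders `cluster-name` as `"default"` where the current manifest has `omni-turing`, which suggests the chart was rendered without the cluster's own values, so the diff may not show exactly what will be applied. Keys that are removed rather than replaced (`enable-local-redirect-policy`, `enable-runtime-device-detection`, `enable-internal-traffic-policy`, `hubble-export-file-max-size-mb`, `hubble-export-file-max-backups`, `arping-refresh-period`) and datapath changes such as `enable-l2-neigh-discovery` going to `"false"`, `enable-bpf-masquerade: "true"` being added and `cgroup-root` moving from `/sys/fs/cgroup` to `/run/cilium/cgroupv2` should each be checked against the 1.19 upgrade notes, since they alter how traffic is masqueraded and where socket-level programs attach. `unmanaged-pod-watcher-interval` now carries a unit (`"15"` to `"15s"`), which is the intended form for the new chart.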
kube-system, cilium-envoy, DaemonSet (apps) has changed:
  # Source: cilium/templates/cilium-envoy/daemonset.yaml
  apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    name: cilium-envoy
    namespace: kube-system
    labels:
      k8s-app: cilium-envoy
      app.kubernetes.io/part-of: cilium
      app.kubernetes.io/name: cilium-envoy
      name: cilium-envoy
  spec:
    selector:
      matchLabels:
        k8s-app: cilium-envoy
+   
    updateStrategy:
      rollingUpdate:
        maxUnavailable: 2
      type: RollingUpdate
    template:
      metadata:
        annotations:
        labels:
          k8s-app: cilium-envoy
          name: cilium-envoy
          app.kubernetes.io/name: cilium-envoy
          app.kubernetes.io/part-of: cilium
      spec:
        securityContext:
          appArmorProfile:
            type: Unconfined
+       
        containers:
        - name: cilium-envoy
-         image: "quay.io/cilium/cilium-envoy:v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c@sha256:a04218c6879007d60d96339a441c448565b6f86650358652da27582e0efbf182"
+         image: "quay.io/cilium/cilium-envoy:v1.36.8-1781157951-a7f42a3390781539911b5b9107881b35ecc4e752@sha256:326f872e19ce8aa45170efbf583b3f301586ba3feead14b864676d4baf3b45ed"
          imagePullPolicy: IfNotPresent
          command:
          - /usr/bin/cilium-envoy-starter
          args:
          - '--'
          - '-c /var/run/cilium/envoy/bootstrap-config.json'
          - '--base-id 0'
          - '--log-level info'
+         
          startupProbe:
            httpGet:
              host: "127.0.0.1"
              path: /healthz
              port: 9878
              scheme: HTTP
            failureThreshold: 105
            periodSeconds: 2
            successThreshold: 1
            initialDelaySeconds: 5
          livenessProbe:
            httpGet:
              host: "127.0.0.1"
              path: /healthz
              port: 9878
              scheme: HTTP
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 10
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              host: "127.0.0.1"
              path: /healthz
              port: 9878
              scheme: HTTP
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 3
            timeoutSeconds: 5
          env:
          - name: K8S_NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: CILIUM_K8S_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
-         - name: KUBERNETES_SERVICE_HOST
-           value: "localhost"
-         - name: KUBERNETES_SERVICE_PORT
-           value: "7445"
+         
          ports:
          - name: envoy-metrics
            containerPort: 9964
            hostPort: 9964
            protocol: TCP
          securityContext:
            seLinuxOptions:
              level: s0
              type: spc_t
            capabilities:
              add:
                - NET_ADMIN
                - SYS_ADMIN
              drop:
                - ALL
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
          - name: envoy-sockets
            mountPath: /var/run/cilium/envoy/sockets
            readOnly: false
          - name: envoy-artifacts
            mountPath: /var/run/cilium/envoy/artifacts
            readOnly: true
          - name: envoy-config
            mountPath: /var/run/cilium/envoy/
            readOnly: true
          - name: bpf-maps
            mountPath: /sys/fs/bpf
            mountPropagation: HostToContainer
+         
        restartPolicy: Always
        priorityClassName: system-node-critical
        serviceAccountName: "cilium-envoy"
        automountServiceAccountToken: true
        terminationGracePeriodSeconds: 1
        hostNetwork: true
+       
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: cilium.io/no-schedule
                  operator: NotIn
                  values:
                  - "true"
          podAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  k8s-app: cilium
              topologyKey: kubernetes.io/hostname
          podAntiAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  k8s-app: cilium-envoy
              topologyKey: kubernetes.io/hostname
        nodeSelector:
          kubernetes.io/os: linux
        tolerations:
          - operator: Exists
        volumes:
        - name: envoy-sockets
          hostPath:
            path: "/var/run/cilium/envoy/sockets"
            type: DirectoryOrCreate
        - name: envoy-artifacts
          hostPath:
            path: "/var/run/cilium/envoy/artifacts"
            type: DirectoryOrCreate
        - name: envoy-config
          configMap:
            name: "cilium-envoy-config"
            # note: the leading zero means this number is in octal representation: do not remove it
            defaultMode: 0400
            items:
              - key: bootstrap-config.json
                path: bootstrap-config.json
          # To keep state between restarts / upgrades
          # To keep state between restarts / upgrades for bpf maps
        - name: bpf-maps
          hostPath:
            path: /sys/fs/bpf
            type: DirectoryOrCreate
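Review bot: the `KUBERNETES_SERVICE_HOST: "localhost"` and `KUBERNETES_SERVICE_PORT: "7445"` environment variables are removed from the cilium-envoy container while `hostNetwork: true` and `automountServiceAccountToken: true` stay in place; if this DaemonSet relied on that local endpoint to reach the API server before the Cilium datapath is ready, the rendered values need re-checking, otherwise the removal is fine since nothing else in the container references those variables. The image bump from `cilium-envoy:v1.32.6-…` to `v1.36.8-…` replaces the pinned digest, so the new digest should be verified against the published cilium-envoy release before merge. The container keeps `NET_ADMIN`, `SYS_ADMIN` and an `Unconfined` AppArmor profile, unchanged by this PR. The whitespace-only `+` lines are harmless template output.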
kube-system, cilium-envoy, Service (v1) has changed:
  # Source: cilium/templates/cilium-envoy/service.yaml
  apiVersion: v1
  kind: Service
  metadata:
    name: cilium-envoy
    namespace: kube-system
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "9964"
    labels:
      k8s-app: cilium-envoy
      app.kubernetes.io/name: cilium-envoy
      app.kubernetes.io/part-of: cilium
      io.cilium/app: proxy
  spec:
    clusterIP: None
    type: ClusterIP
    selector:
      k8s-app: cilium-envoy
    ports:
    - name: envoy-metrics
      port: 9964
      protocol: TCP
-     targetPort: envoy-metrics
+     targetPort: 9964
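Review bot: `targetPort` changes from the named port `envoy-metrics` to the literal `9964`; this still matches `containerPort: 9964` in the DaemonSet, so there is no behaviour change, but the Service no longer follows the port by name if it is ever renumbered. The metrics endpoint remains a host-network port reachable on the node, so exposure is the same as before.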
kube-system, cilium-envoy-config, ConfigMap (v1) has changed:
  # Source: cilium/templates/cilium-envoy/configmap.yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: cilium-envoy-config
    namespace: kube-system
  data:
    # Keep the key name as bootstrap-config.json to avoid breaking changes
    bootstrap-config.json: |
-     {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium
.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"
http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"
match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}}
+     {"admin":{"address":{"pipe":{"mode":432,"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxConnections":1024,"maxRequests":1024,"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxConnections":1024,"maxRequests":1024,"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","tra
nsportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxConnections":1024,"maxRequests":1024,"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxConnections":1024,"maxRequests":1024,"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolO
ptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen
":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-health-listener"}]}}
kube-system, cilium-operator, ClusterRole (rbac.authorization.k8s.io) has changed:
  # Source: cilium/templates/cilium-operator/clusterrole.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: cilium-operator
    labels:
      app.kubernetes.io/part-of: cilium
  rules:
  - apiGroups:
    - ""
    resources:
    - pods
    verbs:
    - get
    - list
    - watch
    # to automatically delete [core|kube]dns pods so that are starting to being
    # managed by Cilium
    - delete
  - apiGroups:
    - ""
    resources:
    - configmaps
    resourceNames:
    - cilium-config
    verbs:
     # allow patching of the configmap to set annotations
    - patch
  - apiGroups:
    - ""
    resources:
    - nodes
    verbs:
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    # To remove node taints
    - nodes
    # To set NetworkUnavailable false on startup
    - nodes/status
    verbs:
    - patch
  - apiGroups:
    - discovery.k8s.io
    resources:
    - endpointslices
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    # to perform LB IP allocation for BGP
    - services/status
    verbs:
    - update
    - patch
  - apiGroups:
    - ""
    resources:
    # to check apiserver connectivity
    - namespaces
    - secrets
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    # to perform the translation of a CNP that contains `ToGroup` to its endpoints
    - services
    - endpoints
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - cilium.io
    resources:
    - ciliumnetworkpolicies
    - ciliumclusterwidenetworkpolicies
    verbs:
    # Create auto-generated CNPs and CCNPs from Policies that have 'toGroups'
    - create
    - update
    - deletecollection
    # To update the status of the CNPs and CCNPs
    - patch
    - get
    - list
    - watch
  - apiGroups:
    - cilium.io
    resources:
    - ciliumnetworkpolicies/status
    - ciliumclusterwidenetworkpolicies/status
    verbs:
    # Update the auto-generated CNPs and CCNPs status.
    - patch
    - update
  - apiGroups:
    - cilium.io
    resources:
    - ciliumendpoints
    - ciliumidentities
    verbs:
    # To perform garbage collection of such resources
    - delete
    - list
    - watch
  - apiGroups:
    - cilium.io
    resources:
    - ciliumidentities
    verbs:
    # To synchronize garbage collection of such resources
    - update
  - apiGroups:
    - cilium.io
    resources:
    - ciliumnodes
    verbs:
    - create
    - update
    - get
    - list
    - watch
      # To perform CiliumNode garbage collector
    - delete
  - apiGroups:
    - cilium.io
    resources:
    - ciliumnodes/status
    verbs:
    - update
  - apiGroups:
    - cilium.io
    resources:
    - ciliumendpointslices
    - ciliumenvoyconfigs
    - ciliumbgppeerconfigs
    - ciliumbgpadvertisements
    - ciliumbgpnodeconfigs
    verbs:
    - create
    - update
    - get
    - list
    - watch
    - delete
    - patch
  - apiGroups:
    - cilium.io
    resources:
    - ciliumbgpclusterconfigs/status
    - ciliumbgppeerconfigs/status
    verbs:
    - update
  - apiGroups:
    - apiextensions.k8s.io
    resources:
    - customresourcedefinitions
    verbs:
    - create
    - get
    - list
    - watch
  - apiGroups:
    - apiextensions.k8s.io
    resources:
    - customresourcedefinitions
    verbs:
    - update
    resourceNames:
    - ciliumloadbalancerippools.cilium.io
-   - ciliumbgppeeringpolicies.cilium.io
    - ciliumbgpclusterconfigs.cilium.io
    - ciliumbgppeerconfigs.cilium.io
    - ciliumbgpadvertisements.cilium.io
    - ciliumbgpnodeconfigs.cilium.io
    - ciliumbgpnodeconfigoverrides.cilium.io
    - ciliumclusterwideenvoyconfigs.cilium.io
    - ciliumclusterwidenetworkpolicies.cilium.io
    - ciliumegressgatewaypolicies.cilium.io
    - ciliumendpoints.cilium.io
    - ciliumendpointslices.cilium.io
    - ciliumenvoyconfigs.cilium.io
-   - ciliumexternalworkloads.cilium.io
    - ciliumidentities.cilium.io
    - ciliumlocalredirectpolicies.cilium.io
    - ciliumnetworkpolicies.cilium.io
    - ciliumnodes.cilium.io
    - ciliumnodeconfigs.cilium.io
    - ciliumcidrgroups.cilium.io
    - ciliuml2announcementpolicies.cilium.io
    - ciliumpodippools.cilium.io
+   - ciliumgatewayclassconfigs.cilium.io
  - apiGroups:
    - cilium.io
    resources:
    - ciliumloadbalancerippools
    - ciliumpodippools
    - ciliumbgppeeringpolicies
    - ciliumbgpclusterconfigs
    - ciliumbgpnodeconfigoverrides
    - ciliumbgppeerconfigs
    verbs:
    - get
    - list
    - watch
  - apiGroups:
      - cilium.io
    resources:
      - ciliumpodippools
    verbs:
      - create
  - apiGroups:
    - cilium.io
    resources:
    - ciliumloadbalancerippools/status
    verbs:
    - patch
  # For cilium-operator running in HA mode.
  #
  # Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
  # between multiple running instances.
  # The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
  # common and fewer objects in the cluster watch "all Leases".
  - apiGroups:
    - coordination.k8s.io
    resources:
    - leases
    verbs:
    - create
    - get
    - update
+ - apiGroups:
+   - cilium.io
+   resources:
+   - ciliumendpointslices
+   verbs:
+   - deletecollection
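Review bot: the CRD `update` rule near the top of this hunk drops `ciliumbgppeeringpolicies.cilium.io` and `ciliumexternalworkloads.cilium.io` from `resourceNames`, while the rule further down still grants `get`/`list`/`watch` on `ciliumbgppeeringpolicies`; if either CRD is still installed from the current release, check whether the operator needs to keep managing it or whether the upgrade removes the CRD, otherwise the operator may be denied updates it still attempts. The new `ciliumgatewayclassconfigs.cilium.io` entry and the added `deletecollection` verb are each scoped to a single resource (`deletecollection` only on `ciliumendpointslices`), which stays consistent with the existing endpoint-slice garbage-collection rules, so no concern there.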
kube-system, cilium-operator, Deployment (apps) has changed:
  # Source: cilium/templates/cilium-operator/deployment.yaml
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: cilium-operator
    namespace: kube-system
    labels:
      io.cilium/app: operator
      name: cilium-operator
      app.kubernetes.io/part-of: cilium
      app.kubernetes.io/name: cilium-operator
  spec:
    # See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go
    # for more details.
    replicas: 1
    selector:
      matchLabels:
        io.cilium/app: operator
        name: cilium-operator
    # ensure operator update on single node k8s clusters, by using rolling update with maxUnavailable=100% in case
    # of one replica and no user configured Recreate strategy.
    # otherwise an update might get stuck due to the default maxUnavailable=50% in combination with the
    # podAntiAffinity which prevents deployments of multiple operator replicas on the same node.
    strategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 100%
      type: RollingUpdate
    template:
      metadata:
        annotations:
          prometheus.io/port: "9963"
          prometheus.io/scrape: "true"
        labels:
          io.cilium/app: operator
          name: cilium-operator
          app.kubernetes.io/part-of: cilium
          app.kubernetes.io/name: cilium-operator
      spec:
+       securityContext:
+         seccompProfile:
+           type: RuntimeDefault
        containers:
        - name: cilium-operator
-         image: "quay.io/cilium/operator-generic:v1.17.4@sha256:a3906412f477b09904f46aac1bed28eb522bef7899ed7dd81c15f78b7aa1b9b5"
+         image: "quay.io/cilium/operator-generic:v1.19.5@sha256:be848a365776e07d0c5a895eda7aec928ddc52a5a1fa2f432fd7a286609e1db4"
          imagePullPolicy: IfNotPresent
          command:
          - cilium-operator-generic
          args:
          - --config-dir=/tmp/cilium/config-map
          - --debug=$(CILIUM_DEBUG)
          env:
          - name: K8S_NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: CILIUM_K8S_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: CILIUM_DEBUG
            valueFrom:
              configMapKeyRef:
                key: debug
                name: cilium-config
                optional: true
-         - name: KUBERNETES_SERVICE_HOST
-           value: "localhost"
-         - name: KUBERNETES_SERVICE_PORT
-           value: "7445"
          ports:
+         - name: health
+           containerPort: 9234
+           hostPort: 9234
          - name: prometheus
            containerPort: 9963
            hostPort: 9963
            protocol: TCP
          livenessProbe:
            httpGet:
              host: "127.0.0.1"
              path: /healthz
-             port: 9234
+             port: health
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 3
          readinessProbe:
            httpGet:
              host: "127.0.0.1"
              path: /healthz
-             port: 9234
+             port: health
              scheme: HTTP
            initialDelaySeconds: 0
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 5
          volumeMounts:
          - name: cilium-config-path
            mountPath: /tmp/cilium/config-map
            readOnly: true
+         
+         securityContext:
+           allowPrivilegeEscalation: false
+           capabilities:
+             drop:
+             - ALL
          terminationMessagePolicy: FallbackToLogsOnError
        hostNetwork: true
        restartPolicy: Always
        priorityClassName: system-cluster-critical
        serviceAccountName: "cilium-operator"
        automountServiceAccountToken: true
        # In HA mode, cilium-operator pods must not be scheduled on the same
        # node as they will clash with each other.
        affinity:
          podAntiAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  io.cilium/app: operator
              topologyKey: kubernetes.io/hostname
        nodeSelector:
          kubernetes.io/os: linux
        tolerations:
-         - operator: Exists
+         - key: node-role.kubernetes.io/control-plane
+           operator: Exists
+         - key: node-role.kubernetes.io/master
+           operator: Exists
+         - key: node.kubernetes.io/not-ready
+           operator: Exists
+         - key: node.cloudprovider.kubernetes.io/uninitialized
+           operator: Exists
+         - key: node.cilium.io/agent-not-ready
+           operator: Exists
+       
        volumes:
          # To read the configuration from the config map
        - name: cilium-config-path
          configMap:
            name: cilium-config
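Review bot: the `KUBERNETES_SERVICE_HOST=localhost` / `KUBERNETES_SERVICE_PORT=7445` environment entries are removed from the operator container with no replacement in this hunk, so the operator would fall back to in-cluster API discovery; confirm that the values override producing those entries is still honoured by the new chart version, or that the drop is intentional, because an operator that cannot reach the API server before the datapath is up cannot reconcile anything. The rendered image also moves from `v1.17.4` to `v1.19.5`, two minor versions in one step, which should be checked against Cilium's upgrade guide before merging. The toleration change from a bare `operator: Exists` to five named taint keys means the operator will no longer schedule onto nodes carrying custom taints, which is worth verifying against the node pool. The added pod-level `seccompProfile: RuntimeDefault`, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` are straightforward hardening gains, and pointing the probes at the named `health` port with `hostPort: 9234` is consistent with `hostNetwork: true`.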
kube-system, cilium-secrets, Namespace (v1) has changed:
  # Source: cilium/templates/cilium-secrets-namespace.yaml
  apiVersion: v1
  kind: Namespace
  metadata:
    name: "cilium-secrets"
    labels:
      app.kubernetes.io/part-of: cilium
+   annotations:
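Review bot: the added `annotations:` key carries no value, so it renders as null and changes nothing on the Namespace; it is template noise from an unset values entry and needs no action.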
kube-system, hubble-server-certs, Secret (v1) has changed:
  # Source: cilium/templates/hubble/tls-helm/server-secret.yaml
  apiVersion: v1
  kind: Secret
  metadata:
+   labels:
+     cilium.io/helm-template-non-idempotent: "true"
    name: hubble-server-certs
    namespace: kube-system
  data:
-   ca.crt: '-------- # (1127 bytes)'
-   tls.crt: '-------- # (1229 bytes)'
-   tls.key: '-------- # (1675 bytes)'
+   ca.crt: '++++++++ # (1127 bytes)'
+   tls.crt: '++++++++ # (1220 bytes)'
+   tls.key: '++++++++ # (1675 bytes)'
  type: kubernetes.io/tls
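Review bot: the new `cilium.io/helm-template-non-idempotent: "true"` label together with the changed `tls.crt` size (1229 to 1220 bytes) shows that the Hubble server certificate is re-issued by the chart on every render, so each `helm upgrade` rotates it; that is fine for consumers rendered in the same release, but any client holding an exported copy of this certificate material (for example a Hubble CLI configured out of band) will need to re-fetch it after this upgrade.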

kube-system, cilium-operator-ztunnel, Role (rbac.authorization.k8s.io) has been added:
- 
+ # Source: cilium/templates/cilium-operator/role.yaml
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ metadata:
+   name: cilium-operator-ztunnel
+   namespace: kube-system
+   labels:
+     app.kubernetes.io/part-of: cilium
+ rules:
+ # ZTunnel DaemonSet management permissions
+ # Note: These permissions must always be granted (not conditional on encryption.type)
+ # because the controller needs to clean up stale DaemonSets when ztunnel is disabled.
+ - apiGroups:
+   - apps
+   resources:
+   - daemonsets
+   verbs:
+   - create
+   - delete
+   - get
+   - list
+   - watch
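Review bot: this Role gives the `cilium-operator` ServiceAccount standing `create`/`delete` on DaemonSets in `kube-system`, and the inline comment states it is granted regardless of `encryption.type`; a DaemonSet in `kube-system` runs a pod on every node, so this is a meaningful permission to hold unconditionally. It is an acceptable trade-off given the cluster-wide rights the operator already has, and the namespaced Role rather than a ClusterRole is the right scope, but it belongs in the change log for whoever audits RBAC.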
kube-system, cilium-operator-ztunnel, RoleBinding (rbac.authorization.k8s.io) has been added:
- 
+ # Source: cilium/templates/cilium-operator/rolebinding.yaml
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+   name: cilium-operator-ztunnel
+   namespace: kube-system
+   labels:
+     app.kubernetes.io/part-of: cilium
+ roleRef:
+   apiGroup: rbac.authorization.k8s.io
+   kind: Role
+   name: cilium-operator-ztunnel
+ subjects:
+ - kind: ServiceAccount
+   name: "cilium-operator"
+   namespace: kube-system
kube-system, hubble-relay, Deployment (apps) has been added:
+ # Source: cilium/templates/hubble-relay/deployment.yaml
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+   name: hubble-relay
+   namespace: kube-system
+   labels:
+     k8s-app: hubble-relay
+     app.kubernetes.io/name: hubble-relay
+     app.kubernetes.io/part-of: cilium

+ spec:
+   replicas: 1
+   selector:
+     matchLabels:
+       k8s-app: hubble-relay
+   strategy:
+     rollingUpdate:
+       maxUnavailable: 1
+     type: RollingUpdate
+   template:
+     metadata:
+       annotations:
+       labels:
+         k8s-app: hubble-relay
+         app.kubernetes.io/name: hubble-relay
+         app.kubernetes.io/part-of: cilium
+     spec:
+       securityContext:
+         fsGroup: 65532
+         seccompProfile:
+           type: RuntimeDefault
+       containers:
+         - name: hubble-relay
+           securityContext:
+             allowPrivilegeEscalation: false
+             capabilities:
+               drop:
+               - ALL
+             runAsGroup: 65532
+             runAsNonRoot: true
+             runAsUser: 65532
+             seccompProfile:
+               type: RuntimeDefault
+           image: "quay.io/cilium/hubble-relay:v1.19.5@sha256:24409bfa1bca075c92acb26ba4b49cd573d99d68d5370f7cc825078185222a0c"
+           imagePullPolicy: IfNotPresent
+           command:
+             - hubble-relay
+           args:
+             - serve
+           ports:
+             - name: grpc
+               containerPort: 4245
+           readinessProbe:
+             grpc:
+               port: 4222
+             timeoutSeconds: 3
+           # livenessProbe will kill the pod, we should be very conservative
+           # here on failures since killing the pod should be a last resort, and
+           # we should provide enough time for relay to retry before killing it.
+           livenessProbe:
+             grpc:
+               port: 4222
+             timeoutSeconds: 10
+             # Give relay time to establish connections and make a few retries
+             # before starting livenessProbes.
+             initialDelaySeconds: 10
+             # 10 second * 12 failures = 2 minutes of failure.
+             # If relay cannot become healthy after 2 minutes, then killing it
+             # might resolve whatever issue is occurring.
+             #
+             # 10 seconds is a reasonable retry period so we can see if it's
+             # failing regularly or only sporadically.
+             periodSeconds: 10
+             failureThreshold: 12
+           startupProbe:
+             grpc:
+               port: 4222
+             # Give relay time to get it's certs and establish connections and
+             # make a few retries before starting startupProbes.
+             initialDelaySeconds: 10
+             # 20 * 3 seconds = 1 minute of failure before we consider startup as failed.
+             failureThreshold: 20
+             # Retry more frequently at startup so that it can be considered started more quickly.
+             periodSeconds: 3
+           volumeMounts:
+           - name: config
+             mountPath: /etc/hubble-relay
+             readOnly: true
+           - name: tls
+             mountPath: /var/lib/hubble-relay/tls
+             readOnly: true
+           terminationMessagePolicy: FallbackToLogsOnError
+         
+       restartPolicy: Always
+       priorityClassName: 
+       serviceAccountName: "hubble-relay"
+       automountServiceAccountToken: false
+       terminationGracePeriodSeconds: 1
+       affinity:
+         podAffinity:
+           requiredDuringSchedulingIgnoredDuringExecution:
+           - labelSelector:
+               matchLabels:
+                 k8s-app: cilium
+             topologyKey: kubernetes.io/hostname
+       nodeSelector:
+         kubernetes.io/os: linux
+       volumes:
+       - name: config
+         configMap:
+           name: hubble-relay-config
+           items:
+           - key: config.yaml
+             path: config.yaml
+       - name: tls
+         projected:
+           # note: the leading zero means this number is in octal representation: do not remove it
+           defaultMode: 0400
+           sources:
+           - secret:
+               name: hubble-relay-client-certs
+               items:
+                 - key: tls.crt
+                   path: client.crt
+                 - key: tls.key
+                   path: client.key
+                 - key: ca.crt
+                   path: hubble-server-ca.crt
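Review bot: the readiness, liveness and startup probes all target gRPC port `4222`, while the only declared container port is `grpc` on `4245` and the relay config added in this release listens on `:4245`; confirm that 4222 is the relay's dedicated health listener in this image, otherwise the pod will never become ready. The security posture of the added Deployment is strong: `runAsNonRoot` as uid/gid 65532, `allowPrivilegeEscalation: false`, all capabilities dropped, `RuntimeDefault` seccomp at both pod and container level, `automountServiceAccountToken: false`, and the client TLS material projected read-only with `defaultMode: 0400`. Two rendering artefacts to be aware of but not act on: `annotations:` and `priorityClassName:` are both empty, which Kubernetes accepts as unset.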
kube-system, hubble-relay, Service (v1) has been added:
+ # Source: cilium/templates/hubble-relay/service.yaml
+ kind: Service
+ apiVersion: v1
+ metadata:
+   name: hubble-relay
+   namespace: kube-system
+   annotations:
+   labels:
+     k8s-app: hubble-relay
+     app.kubernetes.io/name: hubble-relay
+     app.kubernetes.io/part-of: cilium

+ spec:
+   type: "ClusterIP"
+   selector:
+     k8s-app: hubble-relay
+   ports:
+   - protocol: TCP
+     port: 80
+     targetPort: grpc
kube-system, hubble-relay, ServiceAccount (v1) has been added:
- 
+ # Source: cilium/templates/hubble-relay/serviceaccount.yaml
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+   name: "hubble-relay"
+   namespace: kube-system
+ automountServiceAccountToken: false
kube-system, hubble-relay-client-certs, Secret (v1) has been added:
+ # Source: cilium/templates/hubble/tls-helm/relay-client-secret.yaml
+ apiVersion: v1
+ kind: Secret
+ metadata:
+   labels:
+     cilium.io/helm-template-non-idempotent: "true"
+   name: hubble-relay-client-certs
+   namespace: kube-system
+ data:
+   ca.crt: '++++++++ # (1127 bytes)'
+   tls.crt: '++++++++ # (1200 bytes)'
+   tls.key: '++++++++ # (1679 bytes)'
+ type: kubernetes.io/tls

kube-system, hubble-relay-config, ConfigMap (v1) has been added:
- 
+ # Source: cilium/templates/hubble-relay/configmap.yaml
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+   name: hubble-relay-config
+   namespace: kube-system
+ data:
+   config.yaml: |
+     cluster-name: default
+     peer-service: "hubble-peer.kube-system.svc.cluster.local.:443"
+     listen-address: :4245
+     gops: true
+     gops-port: "9893"
+     retry-timeout: 
+     sort-buffer-len-max: 
+     sort-buffer-drain-timeout: 
+     tls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt
+     tls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key
+     tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt
+     
+     disable-server-tls: true
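Review bot: `disable-server-tls: true` means hubble-relay serves its own gRPC API in plaintext, and the `hubble-relay` Service added above exposes that listener cluster-wide on port 80 via a ClusterIP; any workload that can reach the Service can read flow data, so pair this with a network policy restricting ingress to `hubble-relay` to the intended observability clients, or enable server TLS where flow data is sensitive. The relay-to-agent leg is still client-certificate TLS (`peer-service` on `:443` with the projected client cert and server CA). The empty `retry-timeout`, `sort-buffer-len-max` and `sort-buffer-drain-timeout` keys render as null rather than being omitted; check that relay treats a null as "use default" instead of failing to parse. `gops: true` on port 9893 enables a runtime diagnostics agent in the container, which is useful for debugging but should be known to whoever inventories listening ports.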

commit 90b0a8ee7654620638de28e68c67693fd90a3f50

@renovate renovate Bot changed the title Update Helm release cilium to v1.19.5 chore(deps): update helm release cilium to v1.19.5 Jul 5, 2026