fix(helm): update chart cilium to 1.16.1

[k3s-home-gha-bot]

This PR contains the following updates:

Package	Update	Change
cilium (source)	patch	1.16.0 -> 1.16.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

cilium/cilium (cilium)

v1.16.1: 1.16.1

Compare Source

Security Advisories

This release addresses the following security vulnerabilities:

• GHSA-vwf8-q6fw-4wcm
• GHSA-qcm3-7879-xcww

Summary of Changes

Minor Changes:

• Deprecate providing Hubble TLS secrets in helm values (Backport PR #​34297, Upstream PR #​34114, @​chancez)
• gateway-api: Add required labels and annotations (Backport PR #​34215, Upstream PR #​33990, @​sayboras)
• helm: add config for nat-map-stats-{interval, entries} config. (Backport PR #​34158, Upstream PR #​33847, @​tommyp1ckles)
• Internal listener references are now properly qualified with namespace and CEC name. (Backport PR #​34158, Upstream PR #​34104, @​jrajahalme)
• Support configuring imagePullSecrets for spire agent/server pods (Backport PR #​34158, Upstream PR #​33952, @​chancez)

Bugfixes:

• auth: Fix data race in Upsert (Backport PR #​34158, Upstream PR #​33905, @​chaunceyjiang)
• BGPv1 + BGPv2: Fix incorrect service reconciliation in setups with multiple BGP instances (virtual routers) (Backport PR #​34297, Upstream PR #​34177, @​rastislavs)
• bgpv1: Fix data race in bgppSelection (Backport PR #​34158, Upstream PR #​33904, @​chaunceyjiang)
• bgpv2: Avoid duplicate route policy naming (Backport PR #​34158, Upstream PR #​34031, @​rastislavs)
• BGPv2: Fix Service advertisement selector: do not require matching CiliumLoadBalancerIPPool (Backport PR #​34201, Upstream PR #​34182, @​rastislavs)
• Fix a nil dereference crash during cilium-agent initialization affecting setups with FQDN policies. The crash is triggered when a restored endpoint performs a DNS request just a the right time during early cilium-agent restoration. Problem is not expected to be persistent and the agent should get pass the problematic part of the initialization on restart. (Backport PR #​34158, Upstream PR #​34059, @​joamaki)
• Fix appArmorProfile condition for CronJob helm template (Backport PR #​34297, Upstream PR #​34100, @​sathieu)
• Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR #​34181, Upstream PR #​34091, @​giorio94)
• Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium.
  Fix spurious updates node addresses to avoid unnecessary datapath reinitializations. (Backport PR #​34085, Upstream PR #​34012, @​joamaki)
• Fix possible connection disruption on agent restart with WireGuard + kvstore (Backport PR #​34158, Upstream PR #​34062, @​giorio94)
• Fixes DNS proxy "connect: cannot assign requested address" errors in transparent mode, which were due to opening multiple TCP connections to the upstream DNS server. (Backport PR #​34201, Upstream PR #​33989, @​bimmlerd)
• gateway-api: Add HTTP method condition in sortable routes (Backport PR #​34158, Upstream PR #​34109, @​sayboras)
• gateway-api: Enqueue gateway for Reference Grant changes (Backport PR #​34158, Upstream PR #​34032, @​sayboras)
• lbipam: fixed bug in sharing key logic (Backport PR #​34158, Upstream PR #​34106, @​dylandreimerink)
• policy: Fix policy cache covers context lookup. (#​34322, @​nathanjsweet)
• service: Relax protocol matching for L7 Service (Backport PR #​34195, Upstream PR #​34131, @​sayboras)

CI Changes:

• .github: ginkgo: remove duplicate datapath ipv4only test in f09/f21. (Backport PR #​34297, Upstream PR #​34071, @​tommyp1ckles)
• bpf: egressgw: don't install allow-all policy in to-netdev tests (Backport PR #​34201, Upstream PR #​34143, @​julianwiedmann)
• ci: multi pool run tests concurrently (Backport PR #​34297, Upstream PR #​33945, @​viktor-kurchenko)
• Fix workflow telemetry in ci-ipsec-upgrade (Backport PR #​34158, Upstream PR #​34097, @​chancez)
• gha: Add extended features in gateway profile run (Backport PR #​34215, Upstream PR #​34098, @​sayboras)
• gha: Free up Github runner disk space (Backport PR #​34297, Upstream PR #​34247, @​sayboras)
• gha: lint absence of trailing spaces in workflow files (Backport PR #​34158, Upstream PR #​33908, @​giorio94)
• gha: simplify the call-backport-label-updater workflow (Backport PR #​34158, Upstream PR #​33934, @​giorio94)
• ginkgo-ci: split f09 into two groups to reduce timeouts & flakes (Backport PR #​34297, Upstream PR #​34038, @​tommyp1ckles)
• test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport PR #​34158, Upstream PR #​34004, @​tommyp1ckles)
• tests-clustermesh-upgrade: Don't hardcode test namespace (Backport PR #​34158, Upstream PR #​34121, @​michi-covalent)

Misc Changes:

• [v1.16] docs: Add note for CNP empty slices semantic under v1.16 section (#​34008, @​pippolo84)
• Add source IP visibility info to Ingress and Gateway API docs (Backport PR #​34297, Upstream PR #​34137, @​youngnick)
• bgpv1: Reconcile with retry in BGP Controller (Backport PR #​34158, Upstream PR #​33971, @​rastislavs)
• bgpv2: deprecate local port setting in transport config (Backport PR #​34209, Upstream PR #​33438, @​harsimran-pabla)
• bgpv2: use correct path key in path reconciler (Backport PR #​34158, Upstream PR #​33947, @​harsimran-pabla)
• bitlpm: Avoid allocs in CIDR trie lookups (Backport PR #​34158, Upstream PR #​33518, @​jrajahalme)
• bitlpm: Simplify matchPrefix() (Backport PR #​34158, Upstream PR #​33517, @​jrajahalme)
• bugtool: dump cilium_skip_lb{4,6} (Backport PR #​34158, Upstream PR #​34017, @​ysksuzuki)
• bugtool: dumping more Envoy information (Backport PR #​34158, Upstream PR #​34110, @​mhofstetter)
• chore(deps): update all github action dependencies (v1.16) (#​34166, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v27.3 (v1.16) (#​34165, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.15 (v1.16) (#​34049, @​cilium-renovate[bot])
• Clean up documentation make targets for cases of nesting make builds inside container invocations (Backport PR #​34297, Upstream PR #​34151, @​joestringer)
• doc: update slack channel reference (Backport PR #​34158, Upstream PR #​34044, @​Huweicai)
• docs: Add warning on CRDs requirement for using the Gateway API (Backport PR #​34297, Upstream PR #​33974, @​xtineskim)
• Documentation: Introduce support for redirects (Backport PR #​34297, Upstream PR #​34233, @​chancez)
• Documentation: Update readthedocs configuration (Backport PR #​34297, Upstream PR #​34190, @​joestringer)
• Fix two bugs in dnsproxy tcp conn reuse (Backport PR #​34201, Upstream PR #​34175, @​bimmlerd)
• Improve documentation on configuring Hubble TLS (Backport PR #​34297, Upstream PR #​34115, @​chancez)
• iptables: Support Envoy listener chaining (Backport PR #​34297, Upstream PR #​34105, @​jrajahalme)
• Makefile: Fix docker flags for fast image targets (Backport PR #​34297, Upstream PR #​34132, @​joestringer)
• policy: Sanitize DNS Rules to Disallow Port Ranges (Backport PR #​34201, Upstream PR #​34023, @​nathanjsweet)
• Revert "fix: support validation of stringToString values in ConfigMap" (Backport PR #​34305, Upstream PR #​34277, @​aanm)
• vendor: Bump StateDB to version v0.2.1 (Backport PR #​34246, Upstream PR #​33587, @​joamaki)

Other Changes:

• install: Update image digests for v1.16.0 (#​33994, @​cilium-release-bot[bot])
• v1.16: Remove leftover backporter state file (#​34210, @​gandro)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.1@​sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
quay.io/cilium/cilium:stable@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.1@​sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f
quay.io/cilium/clustermesh-apiserver:stable@sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f

docker-plugin

quay.io/cilium/docker-plugin:v1.16.1@​sha256:243fd7759818d990a7f9b33df3eb685a9f250a12020e22f660547f9516b76320
quay.io/cilium/docker-plugin:stable@sha256:243fd7759818d990a7f9b33df3eb685a9f250a12020e22f660547f9516b76320

hubble-relay

quay.io/cilium/hubble-relay:v1.16.1@​sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35
quay.io/cilium/hubble-relay:stable@sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.1@​sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804
quay.io/cilium/operator-alibabacloud:stable@sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804

operator-aws

quay.io/cilium/operator-aws:v1.16.1@​sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4
quay.io/cilium/operator-aws:stable@sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4

operator-azure

quay.io/cilium/operator-azure:v1.16.1@​sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22
quay.io/cilium/operator-azure:stable@sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22

operator-generic

quay.io/cilium/operator-generic:v1.16.1@​sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4
quay.io/cilium/operator-generic:stable@sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4

operator

quay.io/cilium/operator:v1.16.1@​sha256:258b28fefc9f3fe1cbcb21a3b2c4c96dcc72f6ee258eed0afebe9b0ac47f462b
quay.io/cilium/operator:stable@sha256:258b28fefc9f3fe1cbcb21a3b2c4c96dcc72f6ee258eed0afebe9b0ac47f462b

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

--- kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: flux-system
-      version: 1.16.0
+      version: 1.16.1
   install:
     remediation:
       retries: 3
   interval: 30m
   uninstall:
     keepHistory: false

[github-actions]

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -138,7 +138,9 @@

   external-envoy-proxy: 'true'
   envoy-base-id: '0'
   envoy-keep-cap-netbindservice: 'false'
   max-connected-clusters: '255'
   clustermesh-enable-endpoint-sync: 'false'
   clustermesh-enable-mcs-api: 'false'
+  nat-map-stats-entries: '32'
+  nat-map-stats-interval: 30s
 
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,24 +16,24 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 3e08d994256df54ce27c324cd0959855ae1b4ccf4710c884c6a59a5aa95b897b
+        cilium.io/cilium-configmap-checksum: 33e991b58a134d0000a4ddeeb7179a9af7e7e21647844be81ccbf28694b76705
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.16.0@sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -166,13 +166,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.16.0@sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -191,13 +191,13 @@

           value: '6444'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.16.0@sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /run/cilium/cgroupv2
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -214,13 +214,13 @@

         - name: cni-path
           mountPath: /hostbin
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.16.0@sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -235,13 +235,13 @@

         - name: cni-path
           mountPath: /hostbin
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.16.0@sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -274,13 +274,13 @@

         - name: cilium-cgroup
           mountPath: /run/cilium/cgroupv2
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.16.0@sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058
+        image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,22 +20,22 @@

       maxSurge: 25%
       maxUnavailable: 100%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 3e08d994256df54ce27c324cd0959855ae1b4ccf4710c884c6a59a5aa95b897b
+        cilium.io/cilium-configmap-checksum: 33e991b58a134d0000a4ddeeb7179a9af7e7e21647844be81ccbf28694b76705
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.16.0@sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316
+        image: quay.io/cilium/operator-generic:v1.16.1@sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.16.0@sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d
+        image: quay.io/cilium/hubble-relay:v1.16.1@sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports: