fix(helm): update chart cilium to 1.15.8

[tinfoild]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
cilium (source)	HelmChart	patch	1.15.7 -> 1.15.8
cilium (source)		patch	1.15.7 -> 1.15.8

---

Release Notes

cilium/cilium (cilium)

v1.15.8: 1.15.8

Compare Source

Security Advisories

This release addresses the following security vulnerabilities:

• GHSA-vwf8-q6fw-4wcm
• GHSA-qcm3-7879-xcww
• GHSA-q7w8-72mr-vpgw

Summary of Changes

Minor Changes:

• helm: Add validation to prevent users from using deprecated values that have been removed (#​34213, @​chancez)
• helm: Cleanup old k8s version check and deprecated atributes (Backport PR #​34157, Upstream PR #​31940, @​sayboras)
• Make hubble-relay more resilient to transient errors (Backport PR #​34157, Upstream PR #​33894, @​chancez)

Bugfixes:

• add support for validation of stringToString values in ConfigMap (Backport PR #​33962, Upstream PR #​33779, @​alex-berger)
• auth: Fix data race in Upsert (Backport PR #​34157, Upstream PR #​33905, @​chaunceyjiang)
• auth: fix fatal error: concurrent map iteration and map write (Backport PR #​33809, Upstream PR #​33634, @​chaunceyjiang)
• cert: Adding H2 Protocol Support when Get gRPC Config For Client (Backport PR #​33809, Upstream PR #​33616, @​mrproliu)
• DNS Proxy: Allow SO_LINGER to be set to the socket to upstream (Backport PR #​33809, Upstream PR #​33592, @​gandro)
• Fix an issue in updates to node addresses which may have caused missing NodePort frontend IP addresses. May have affected NodePort/LoadBalancer services for users running with runtime device detection enabled when node's IP addresses were changed after Cilium had started.
  Node IP as defined in the Kubernetes Node is now preferred when selecting the NodePort frontend IPs. (Backport PR #​33818, Upstream PR #​33629, @​joamaki)
• Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR #​34183, Upstream PR #​34091, @​giorio94)
• Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium.
  Fix spurious updates node addresses to avoid unnecessary datapath reinitializations. (Backport PR #​34086, Upstream PR #​34012, @​joamaki)
• Fix rare race condition afflicting clustermesh while stopping the retrieval of the remote cluster configuration, possibly causing a deadlock (Backport PR #​33809, Upstream PR #​33735, @​giorio94)
• Fixes a race condition during agent startup that causes the k8s node label updates to not get propagated to the host endpoint. (Backport PR #​33663, Upstream PR #​33511, @​skmatti)
• gateway-api: Add HTTP method condition in sortable routes (Backport PR #​34157, Upstream PR #​34109, @​sayboras)
• gateway-api: Enqueue gateway for Reference Grant changes (Backport PR #​34157, Upstream PR #​34032, @​sayboras)
• helm: remove duplicate metrics for Envoy pod (Backport PR #​34157, Upstream PR #​33803, @​mhofstetter)
• lbipam: fixed bug in sharing key logic (Backport PR #​34157, Upstream PR #​34106, @​dylandreimerink)
• pkg/metrics: fix data race warning on metrics init hook. (Backport PR #​33962, Upstream PR #​33823, @​tommyp1ckles)
• Reduce conntrack lifetime for closing service connections. (Backport PR #​33962, Upstream PR #​33907, @​julianwiedmann)
• Skip regenerating host endpoint on k8s node labels update if identity labels are unchanged (Backport PR #​33809, Upstream PR #​33306, @​skmatti)
• The cilium agent will now recover from stale nodeID mappings which could occur in clusters with high node churn, possibly manifesting itself in dropped IPsec traffic. (Backport PR #​34157, Upstream PR #​33666, @​bimmlerd)

CI Changes:

• [v1.15] ci/ipsec: add missing config for patch-upgrade test with 6.6 kernel (#​33736, @​julianwiedmann)
• [v1.15] gh/e2e: fix up config 15 to not use bpf-next (#​33738, @​julianwiedmann)
• gha: Add http client timeout in Ingress (Backport PR #​33809, Upstream PR #​33683, @​sayboras)
• gha: don't fail if all cloud provider matrix entries are filtered out (Backport PR #​33962, Upstream PR #​33819, @​giorio94)
• gha: ensure that helm values.schema.json is not accidentally backported (#​33845, @​giorio94)
• gha: lint absence of trailing spaces in workflow files (Backport PR #​34157, Upstream PR #​33908, @​giorio94)
• gha: simplify the call-backport-label-updater workflow (Backport PR #​33962, Upstream PR #​33934, @​giorio94)
• test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport PR #​34157, Upstream PR #​34004, @​tommyp1ckles)
• tests-clustermesh-upgrade: Don't hardcode test namespace (Backport PR #​34157, Upstream PR #​34121, @​michi-covalent)
• workflow: Use per-tunnel keys for the IPsec upgrade test (Backport PR #​33809, Upstream PR #​33769, @​pchaigno)

Misc Changes:

• [v1.15] Update Docker dependency (#​34196, @​ferozsalam)
• bugtool: dumping more Envoy information (Backport PR #​34157, Upstream PR #​34110, @​mhofstetter)
• chore(deps): update all github action dependencies (v1.15) (#​34170, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​33649, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​34168, @​cilium-renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.15) (#​33793, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.13 (v1.15) (#​33794, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/hubble to v1 (v1.15) (#​34051, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.12 docker digest to 7e0e13a (v1.15) (#​33792, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.5 (v1.15) (#​33857, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.6 (v1.15) (#​34167, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.15) (patch) (#​33798, @​cilium-renovate[bot])
• daemon/ipam: don't swallow parse error of CIDR (Backport PR #​33809, Upstream PR #​33283, @​bimmlerd)
• doc: update slack channel reference (Backport PR #​34157, Upstream PR #​34044, @​Huweicai)
• docs,LRP: Add steps to restart agent and operator pods and update feature roadmap status (Backport PR #​33809, Upstream PR #​33655, @​aditighag)
• docs: Add node about socketLB.hostNamespaceOnly to Kata page (Backport PR #​33809, Upstream PR #​33725, @​brb)
• docs: Extend LRP guide with troubleshooting section (Backport PR #​33809, Upstream PR #​33373, @​aditighag)
• docs: generalize version specific notes section (Backport PR #​33962, Upstream PR #​33888, @​giorio94)
• docs: Remove CNCF graduation from the roadmap (Backport PR #​33809, Upstream PR #​33680, @​joestringer)
• docs: remove mention of outdated clustermesh + L7 policies + tunnel limitation (Backport PR #​33809, Upstream PR #​33626, @​giorio94)
• docs: Update LVH VM image pull instructions (Backport PR #​33809, Upstream PR #​33621, @​brb)
• Documentation: Add --set cni.exclusive=false for Azure Chain Mode (Backport PR #​33809, Upstream PR #​33708, @​Mais316)
• helm: Allow socket linger timeout to be set to zero (Backport PR #​33962, Upstream PR #​33887, @​gandro)
• policy: Fix mapstate.Diff() used in tests (Backport PR #​33809, Upstream PR #​33449, @​jrajahalme)
• Remove stable tags from v1.15 releases (#​33985, @​joestringer)
• renovate: onboard etcd image used in integration tests (Backport PR #​33809, Upstream PR #​33679, @​giorio94)
• Revert "fix: support validation of stringToString values in ConfigMap" (Backport PR #​34306, Upstream PR #​34277, @​aanm)

Other Changes:

• [v1.15] ci: use base and head SHAs from context in lint-build-commits workflow (#​34267, @​tklauser)
• [v1.15] Revert "docs: Update LRP feature status" (#​34238, @​ysksuzuki)
• Fix bug in Bandwidth Manager that caused it to not find native devices. (#​33910, @​joamaki)
• install: Update image digests for v1.15.7 (#​33744, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.8@​sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.8@​sha256:4c1f33aae2b76392b57e867820471b5472f0886f7358513d47ee80c09af15a0e

docker-plugin

quay.io/cilium/docker-plugin:v1.15.8@​sha256:15b1b6e83e1c0eea97df179660c1898661c1d0da5d431c68f98c702581e29310

hubble-relay

quay.io/cilium/hubble-relay:v1.15.8@​sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.8@​sha256:388ef72febd719bc9d16d5ee47fe6f846f73f0d8a6f9586ada04cb39eb2962d1

operator-aws

quay.io/cilium/operator-aws:v1.15.8@​sha256:3807dd23c2b5f90489824ddd13dca6e84e714dc9eae44e5718acfe86c855b7a1

operator-azure

quay.io/cilium/operator-azure:v1.15.8@​sha256:c517db3d12fcf038a9a4a81b88027a19672078bf8c2fcd6b2563f3eff9514d21

operator-generic

quay.io/cilium/operator-generic:v1.15.8@​sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18

operator

quay.io/cilium/operator:v1.15.8@​sha256:e9cf35fe3dc86933ccf3fdfdb7620d218c50aaca5f14e4ba5f422460ea4cb23c

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[cloudflare-workers-and-pages]

Deploying jjgadgets-biohazard with    Cloudflare Pages

Latest commit:	b9b24bd
Status:	✅  Deploy successful!
Preview URL:	https://addc86ce.jjgadgets-biohazard.pages.dev
Branch Preview URL:	https://renovate-patch-cilium.jjgadgets-biohazard.pages.dev

View logs

[tinfoild]

--- kube/deploy/core/_networking/cilium/app Kustomization: flux-system/1-core-1-networking-cilium-app HelmRelease: kube-system/cilium

+++ kube/deploy/core/_networking/cilium/app Kustomization: flux-system/1-core-1-networking-cilium-app HelmRelease: kube-system/cilium

@@ -16,13 +16,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium-charts
         namespace: flux-system
-      version: 1.15.7
+      version: 1.15.8
   interval: 5m
   postRenderers:
   - kustomize:
       patches:
       - patch: |
           - op: replace

[tinfoild]

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -101,12 +101,13 @@

   k8s-client-burst: '20'
   remove-cilium-node-taints: 'true'
   set-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
   unmanaged-pod-watcher-interval: '15'
   dnsproxy-enable-transparent-mode: 'false'
+  dnsproxy-socket-linger-timeout: '10'
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
   tofqdns-endpoint-max-ip-per-hostname: '50'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
   tofqdns-proxy-response-max-delay: 100ms
--- HelmRelease: kube-system/cilium Service: kube-system/cilium-envoy

+++ HelmRelease: kube-system/cilium Service: kube-system/cilium-envoy

@@ -1,25 +0,0 @@

----
-apiVersion: v1
-kind: Service
-metadata:
-  name: cilium-envoy
-  namespace: kube-system
-  annotations:
-    prometheus.io/scrape: 'true'
-    prometheus.io/port: '9964'
-  labels:
-    k8s-app: cilium-envoy
-    app.kubernetes.io/name: cilium-envoy
-    app.kubernetes.io/part-of: cilium
-    io.cilium/app: proxy
-spec:
-  clusterIP: None
-  type: ClusterIP
-  selector:
-    k8s-app: cilium-envoy
-  ports:
-  - name: envoy-metrics
-    port: 9964
-    protocol: TCP
-    targetPort: envoy-metrics
-
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,24 +16,24 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: bd411fac2c2c8dd54ee2530147a11279d60af892700424c0308e9df834410fce
+        cilium.io/cilium-configmap-checksum: 32630daee2048a8fb08935a7eeb2b3346731a31b77dcc3b04e82347e264d1b32
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
+        image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -185,13 +185,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
+        image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -210,13 +210,13 @@

           value: '6443'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
+        image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -240,13 +240,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
+        image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -256,13 +256,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
+        image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -304,13 +304,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.15.7@sha256:2e432bf6879feb8b891c497d6fd784b13e53456017d2b8e4ea734145f0282ef0
+        image: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
@@ -325,13 +325,12 @@

         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - name: cni-path
           mountPath: /host/opt/cni/bin
       restartPolicy: Always
       priorityClassName: system-node-critical
-      serviceAccount: cilium
       serviceAccountName: cilium
       automountServiceAccountToken: true
       terminationGracePeriodSeconds: 1
       hostNetwork: true
       affinity:
         podAntiAffinity:
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

@@ -115,13 +115,12 @@

           readOnly: true
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: HostToContainer
       restartPolicy: Always
       priorityClassName: system-node-critical
-      serviceAccount: cilium-envoy
       serviceAccountName: cilium-envoy
       automountServiceAccountToken: true
       terminationGracePeriodSeconds: 1
       hostNetwork: true
       affinity:
         nodeAffinity:
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,24 +20,24 @@

       maxSurge: 25%
       maxUnavailable: 50%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: bd411fac2c2c8dd54ee2530147a11279d60af892700424c0308e9df834410fce
+        cilium.io/cilium-configmap-checksum: 32630daee2048a8fb08935a7eeb2b3346731a31b77dcc3b04e82347e264d1b32
         prometheus.io/port: '9963'
         prometheus.io/scrape: 'true'
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.15.7@sha256:6840a6dde703b3e73dd31e03390327a9184fcb888efbad9d9d098d65b9035b54
+        image: quay.io/cilium/operator-generic:v1.15.8@sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
@@ -91,13 +91,12 @@

           mountPath: /tmp/cilium/config-map
           readOnly: true
         terminationMessagePolicy: FallbackToLogsOnError
       hostNetwork: true
       restartPolicy: Always
       priorityClassName: system-cluster-critical
-      serviceAccount: cilium-operator
       serviceAccountName: cilium-operator
       automountServiceAccountToken: true
       affinity:
         podAntiAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
           - labelSelector:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -34,13 +34,13 @@

           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.15.7@sha256:12870e87ec6c105ca86885c4ee7c184ece6b706cc0f22f63d2a62a9a818fd68f
+        image: quay.io/cilium/hubble-relay:v1.15.8@sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         - --debug
@@ -51,30 +51,32 @@

           grpc:
             port: 4222
           timeoutSeconds: 3
         livenessProbe:
           grpc:
             port: 4222
-          timeoutSeconds: 3
+          timeoutSeconds: 10
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          failureThreshold: 12
         startupProbe:
           grpc:
             port: 4222
-          timeoutSeconds: 3
+          initialDelaySeconds: 10
           failureThreshold: 20
           periodSeconds: 3
         volumeMounts:
         - name: config
           mountPath: /etc/hubble-relay
           readOnly: true
         - name: tls
           mountPath: /var/lib/hubble-relay/tls
           readOnly: true
         terminationMessagePolicy: FallbackToLogsOnError
       restartPolicy: Always
       priorityClassName: null
-      serviceAccount: hubble-relay
       serviceAccountName: hubble-relay
       automountServiceAccountToken: false
       terminationGracePeriodSeconds: 1
       affinity:
         podAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

@@ -28,13 +28,12 @@

     spec:
       securityContext:
         fsGroup: 1001
         runAsGroup: 1001
         runAsUser: 1001
       priorityClassName: null
-      serviceAccount: hubble-ui
       serviceAccountName: hubble-ui
       automountServiceAccountToken: true
       containers:
       - name: frontend
         image: quay.io/cilium/hubble-ui:v0.13.1@sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6
         imagePullPolicy: IfNotPresent