Update Helm release cilium to v1.17.4

class/defaults.yml

@@ -132,7 +132,7 @@ parameters:
     charts:
       cilium:
         source: https://helm.cilium.io
-        version: "1.16.4"
+        version: "1.17.4"
       cilium-enterprise:
         source: "<CILIUM-ENTERPRISE-CHART-REPO-URL>" # Configure the Chart repository URL in your global defaults
         version: "1.16.4"

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/daemonset.yaml

@@ -54,7 +54,7 @@ spec:
                 resourceFieldRef:
                   divisor: '1'
                   resource: limits.memory
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.4@%!s(<nil>)
           imagePullPolicy: IfNotPresent
           lifecycle:
             postStart:
@@ -93,6 +93,8 @@ spec:
               httpHeaders:
                 - name: brief
                   value: 'true'
+                - name: require-k8s-connectivity
+                  value: 'false'
               path: /healthz
               port: 9879
               scheme: HTTP
@@ -178,6 +180,9 @@ spec:
               name: bpf-maps
             - mountPath: /var/run/cilium
               name: cilium-run
+            - mountPath: /var/run/cilium/netns
+              mountPropagation: HostToContainer
+              name: cilium-netns
             - mountPath: /host/etc/cni/net.d
               name: etc-cni-netd
             - mountPath: /var/lib/cilium/clustermesh
@@ -206,7 +211,7 @@ spec:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: metadata.namespace
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.4@%!s(<nil>)
           imagePullPolicy: IfNotPresent
           name: config
           terminationMessagePolicy: FallbackToLogsOnError
@@ -225,7 +230,7 @@ spec:
               value: /run/cilium/cgroupv2
             - name: BIN_PATH
               value: /var/lib/cni/bin
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.4@%!s(<nil>)
           imagePullPolicy: IfNotPresent
           name: mount-cgroup
           securityContext:
@@ -255,7 +260,7 @@ spec:
           env:
             - name: BIN_PATH
               value: /var/lib/cni/bin
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.4@%!s(<nil>)
           imagePullPolicy: IfNotPresent
           name: apply-sysctl-overwrites
           securityContext:
@@ -281,7 +286,7 @@ spec:
             - /bin/bash
             - -c
             - --
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.4@%!s(<nil>)
           imagePullPolicy: IfNotPresent
           name: mount-bpf-fs
           securityContext:
@@ -312,7 +317,7 @@ spec:
                   key: write-cni-conf-when-ready
                   name: cilium-config
                   optional: true
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.4@%!s(<nil>)
           imagePullPolicy: IfNotPresent
           name: clean-cilium-state
           securityContext:
@@ -338,7 +343,7 @@ spec:
               name: cilium-run
         - command:
             - /install-plugin.sh
-          image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
+          image: quay.io/cilium/cilium:v1.17.4@%!s(<nil>)
           imagePullPolicy: IfNotPresent
           name: install-cni-binaries
           resources:
@@ -371,6 +376,10 @@ spec:
             path: /var/run/cilium
             type: DirectoryOrCreate
           name: cilium-run
+        - hostPath:
+            path: /var/run/netns
+            type: DirectoryOrCreate
+          name: cilium-netns
         - hostPath:
             path: /sys/fs/bpf
             type: DirectoryOrCreate

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/role.yaml

@@ -31,3 +31,20 @@ rules:
       - get
       - list
       - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/rolebinding.yaml

@@ -29,3 +29,19 @@ subjects:
   - kind: ServiceAccount
     name: cilium
     namespace: cilium
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-tlsinterception-secrets
+  namespace: cilium-secrets
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-tlsinterception-secrets
+subjects:
+  - kind: ServiceAccount
+    name: cilium
+    namespace: cilium

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-agent/servicemonitor.yaml

@@ -21,6 +21,6 @@ spec:
       - cilium
   selector:
     matchLabels:
-      k8s-app: cilium
+      app.kubernetes.io/name: cilium-agent
   targetLabels:
     - k8s-app

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-configmap.yaml

@@ -4,14 +4,17 @@ data:
   arping-refresh-period: 30s
   auto-direct-node-routes: 'false'
   bgp-secrets-namespace: kube-system
+  bpf-distributed-lru: 'false'
   bpf-events-drop-enabled: 'true'
   bpf-events-policy-verdict-enabled: 'true'
   bpf-events-trace-enabled: 'true'
   bpf-lb-acceleration: disabled
+  bpf-lb-algorithm-annotation: 'false'
   bpf-lb-external-clusterip: 'false'
   bpf-lb-map-max: '65536'
+  bpf-lb-mode-annotation: 'false'
   bpf-lb-sock: 'false'
-  bpf-lb-sock-terminate-pod-connections: 'false'
+  bpf-lb-source-range-all-types: 'false'
   bpf-map-dynamic-size-ratio: '0.0025'
   bpf-policy-map-max: '16384'
   bpf-root: /sys/fs/bpf
@@ -30,21 +33,26 @@ data:
   datapath-mode: veth
   debug: 'false'
   debug-verbose: ''
+  default-lb-service-ipam: lbipam
   direct-routing-skip-unreachable: 'false'
   dnsproxy-enable-transparent-mode: 'true'
   dnsproxy-socket-linger-timeout: '10'
   egress-gateway-reconciliation-trigger-interval: 1s
   enable-auto-protect-node-port-range: 'true'
   enable-bgp-control-plane: 'true'
+  enable-bgp-control-plane-status-report: 'true'
   enable-bpf-clock-probe: 'false'
   enable-bpf-masquerade: 'true'
   enable-endpoint-health-checking: 'true'
+  enable-endpoint-lockdown-on-policy-overflow: 'false'
   enable-endpoint-routes: 'true'
+  enable-experimental-lb: 'false'
   enable-health-check-loadbalancer-ip: 'false'
   enable-health-check-nodeport: 'true'
   enable-health-checking: 'true'
   enable-hubble: 'true'
   enable-hubble-open-metrics: 'false'
+  enable-internal-traffic-policy: 'true'
   enable-ipv4: 'true'
   enable-ipv4-big-tcp: 'false'
   enable-ipv4-masquerade: 'true'
@@ -55,20 +63,27 @@ data:
   enable-k8s-terminating-endpoint: 'true'
   enable-l2-neigh-discovery: 'true'
   enable-l7-proxy: 'true'
+  enable-lb-ipam: 'true'
   enable-local-redirect-policy: 'false'
   enable-masquerade-to-route-source: 'false'
   enable-node-selector-labels: 'false'
+  enable-non-default-deny-policies: 'true'
   enable-policy: default
+  enable-policy-secrets-sync: 'true'
   enable-runtime-device-detection: 'true'
   enable-sctp: 'false'
+  enable-source-ip-verification: 'true'
   enable-svc-source-range-check: 'true'
   enable-tcx: 'true'
   enable-vtep: 'false'
   enable-well-known-identities: 'false'
   enable-xt-socket-fallback: 'true'
+  envoy-access-log-buffer-size: '4096'
   envoy-base-id: '0'
   envoy-keep-cap-netbindservice: 'false'
   external-envoy-proxy: 'false'
+  health-check-icmp-failure-threshold: '3'
+  http-retry-count: '3'
   hubble-disable-tls: 'true'
   hubble-export-file-max-backups: '5'
   hubble-export-file-max-size-mb: '10'
@@ -85,6 +100,7 @@ data:
   install-no-conntrack-iptables-rules: 'false'
   ipam: cluster-pool
   ipam-cilium-node-update-rate: 15s
+  iptables-random-fully: 'false'
   k8s-client-burst: '30'
   k8s-client-qps: '15'
   k8s-require-ipv4-pod-cidr: 'false'
@@ -106,12 +122,15 @@ data:
   nodes-gc-interval: 5m0s
   operator-api-serve-addr: 127.0.0.1:9234
   policy-cidr-match-mode: ''
+  policy-secrets-namespace: cilium-secrets
+  policy-secrets-only-from-secrets-namespace: 'true'
   preallocate-bpf-maps: 'false'
   procfs: /host/proc
   prometheus-serve-addr: :9962
   proxy-connect-timeout: '2'
   proxy-idle-timeout-seconds: '60'
   proxy-initial-fetch-timeout: '30'
+  proxy-max-concurrent-retries: '128'
   proxy-max-connection-duration-seconds: '0'
   proxy-max-requests-per-connection: '0'
   proxy-prometheus-port: '9964'
@@ -125,11 +144,12 @@ data:
   synchronize-k8s-nodes: 'true'
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
-  tofqdns-endpoint-max-ip-per-hostname: '50'
+  tofqdns-endpoint-max-ip-per-hostname: '1000'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
   tofqdns-proxy-response-max-delay: 100ms
   tunnel-protocol: vxlan
+  tunnel-source-port-range: 0-0
   unmanaged-pod-watcher-interval: '15'
   vtep-cidr: ''
   vtep-endpoint: ''

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/clusterrole.yaml

@@ -55,6 +55,7 @@ rules:
       - ''
     resources:
       - namespaces
+      - secrets
     verbs:
       - get
       - list
@@ -137,6 +138,13 @@ rules:
       - watch
       - delete
       - patch
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumbgpclusterconfigs/status
+      - ciliumbgppeerconfigs/status
+    verbs:
+      - update
   - apiGroups:
       - apiextensions.k8s.io
     resources:
@@ -183,6 +191,7 @@ rules:
       - ciliumbgppeeringpolicies
       - ciliumbgpclusterconfigs
       - ciliumbgpnodeconfigoverrides
+      - ciliumbgppeerconfigs
     verbs:
       - get
       - list

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/deployment.yaml

@@ -59,7 +59,7 @@ spec:
                   key: debug
                   name: cilium-config
                   optional: true
-          image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
+          image: quay.io/cilium/operator-generic:v1.17.4@%!s(<nil>)
           imagePullPolicy: IfNotPresent
           livenessProbe:
             httpGet:

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/role.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-operator-tlsinterception-secrets
+  namespace: cilium-secrets
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - create
+      - delete
+      - update
+      - patch

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-operator/rolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-operator-tlsinterception-secrets
+  namespace: cilium-secrets
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-operator-tlsinterception-secrets
+subjects:
+  - kind: ServiceAccount
+    name: cilium-operator
+    namespace: cilium

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/cilium-secrets-namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/part-of: cilium
+  name: cilium-secrets

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/configmap.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
 data:
-  config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local:80\"\
-    \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\
-    \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\
-    \ndisable-server-tls: true\n"
+  config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.cilium.svc.cluster.local.:80\"\
+    \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\
+    \ \nsort-buffer-drain-timeout: \ndisable-client-tls: true\n\ndisable-server-tls:\
+    \ true\n"
 kind: ConfigMap
 metadata:
   name: hubble-relay-config

tests/golden/bgp-control-plane/cilium/cilium/01_cilium_helmchart/cilium/templates/hubble-relay/deployment.yaml

@@ -37,7 +37,7 @@ spec:
             - serve
           command:
             - hubble-relay
-          image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
+          image: quay.io/cilium/hubble-relay:v1.17.4@%!s(<nil>)
           imagePullPolicy: IfNotPresent
           livenessProbe:
             failureThreshold: 12