wheatley/kubernetes

Fork 0

chore(deps): update helm release cilium to v1.18.6 #4

Merged

Peter merged 1 commit from renovate/cilium-1.x into main

2026-02-03 11:15:13 +01:00

renovate commented

2026-02-03 01:02:42 +01:00

Collaborator

This PR contains the following updates:

Package	Type	Update	Change
cilium (source)	HelmChart	patch	`1.18.3` → `1.18.6`

Release Notes

cilium/cilium (cilium)

`v1.18.6`: 1.18.6

Compare Source

Summary of Changes

Major Changes:

Publish Helm charts to OCI registries (Backport PR #43689, Upstream PR #43624, @aanm)

Minor Changes:

Cilium Preflight check no longer includes Envoy Configmaps, making it easier to correctly run. (Backport PR #43290, Upstream PR #43153, @youngnick)
runtime: Add libatomic1 for cilium-envoy dependency (Backport PR #43642, Upstream PR #43292, @sayboras)

Bugfixes:

bpf:wireguard: delivery host packets to bpf_host for ingress policies (Backport PR #43690, Upstream PR #42892, @smagnani96)
cgroup: don't start watch if KPRConfig.EnableSocketLB is disabled (Backport PR #43290, Upstream PR #43256, @mhofstetter)
Fix a bug with local redirect service entries being created when backend pods weren't ready. (Backport PR #43425, Upstream PR #43095, @aditighag)
Fix an issue in proxy NOTRACK iptables rule for aws-cni chaining mode which causes proxy->upstream(outside cluster) traffic not being SNAT'd. (Backport PR #43676, Upstream PR #43566, @fristonio)
Fix GC of possible duplicated identities in kvstore mode (Backport PR #43425, Upstream PR #43287, @giorio94)
Fixes a deadlock that was causing endpoint to be stuck without progressing with any updates. (Backport PR #43290, Upstream PR #43242, @marseel)
gateway-api: correctly handle CiliumGatewayClassConfig as a namespaced resource. (Backport PR #43290, Upstream PR #43254, @youngnick)
xds: fix nil-pointer in processRequestStream (Backport PR #43612, Upstream PR #43609, @mhofstetter)

CI Changes:

bpf: tests: egressgw: enable HostFW (Backport PR #43337, Upstream PR #42955, @julianwiedmann)
bpf: tests: egressgw: install ipcache_v6_add_world_entry() (Backport PR #43337, Upstream PR #42988, @julianwiedmann)
chore: comment job to use generated token instead of PAT (Backport PR #43612, Upstream PR #43148, @sekhar-isovalent)
ci: Use newer lvh image for privileged tests (Backport PR #43490, Upstream PR #41082, @rastislavs)

Misc Changes:

.github/workflows: remove auto-requested reviewers (Backport PR #43425, Upstream PR #42952, @aanm)
Add documentation and examples for using the egressDeny field in CiliumNetworkPolicy (Backport PR #43425, Upstream PR #40272, @syedazeez337)
bpf: clear mark content before storing the cluster ID (Backport PR #43290, Upstream PR #43159, @giorio94)
bpf: prevent cluster ID from being incorrectly retrieved from mark when aliased (Backport PR #43290, Upstream PR #43258, @giorio94)
chore(deps): update all github action dependencies (v1.18) (#43467, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#43665, @cilium-renovate[bot])
chore(deps): update anchore/sbom-action action to v0.21.0 (v1.18) (#43512, @cilium-renovate[bot])
chore(deps): update base-images (v1.18) (#43543, @cilium-renovate[bot])
chore(deps): update base-images (v1.18) (#43664, @cilium-renovate[bot])
chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 2383baa (v1.18) (#43662, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.11 docker digest to 54528d1 (v1.18) (#43464, @cilium-renovate[bot])
chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.7 (v1.18) (#43465, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.12-1767177245-7935d4d711cb6f8020385a50c996b90896e16a71 (v1.18) (#43539, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1767794330-db497dd19e346b39d81d7b5c0dedf6c812bcc5c9 (v1.18) (#43638, @cilium-renovate[bot])
chore(deps): update rhysd/actionlint docker tag to v1.7.10 (v1.18) (#43541, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#43466, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#43542, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#43571, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#43663, @cilium-renovate[bot])
cmapisrv/test: miscellaneous fixes to the ciliumidentities script test (Backport PR #43425, Upstream PR #43372, @giorio94)
docs: Add missing IPv6 fragmentation BPF map reference (Backport PR #43290, Upstream PR #43161, @doniacld)
Fix a regression in the new services control plane where loadBalancerSourceRanges was applied by default to all service types. (Backport PR #43575, Upstream PR #42351, @borkmann)
operator: the K8s Secret synchronization process now resynchronizes after an hour for synced Secrets. (Backport PR #43425, Upstream PR #42414, @youngnick)
release: change OCI registry (Backport PR #43689, Upstream PR #43646, @aanm)
route: install ingress proxy routes with WireGuard and L7Proxy (Backport PR #43434, Upstream PR #42835, @smagnani96)

Other Changes:

[v1.18] bpf:hubble: support policy verdict from L3 devices (#43381, @smagnani96)
[v1.18] deps: bump CNI plugins version to v1.9.0 (#43593, @diyi0926)
install: Update image digests for v1.18.5 (#43400, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4
quay.io/cilium/cilium:stable@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.6@sha256:8ee142912a0e261850c0802d9256ddbe3729e1cd35c6bea2d93077f334c3cf3b
quay.io/cilium/clustermesh-apiserver:stable@sha256:8ee142912a0e261850c0802d9256ddbe3729e1cd35c6bea2d93077f334c3cf3b

docker-plugin

quay.io/cilium/docker-plugin:v1.18.6@sha256:7931555ad713a48a28e4bf097402e0e398461dbf51b81cb8192558c5cb0dc48f
quay.io/cilium/docker-plugin:stable@sha256:7931555ad713a48a28e4bf097402e0e398461dbf51b81cb8192558c5cb0dc48f

hubble-relay

quay.io/cilium/hubble-relay:v1.18.6@sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e
quay.io/cilium/hubble-relay:stable@sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.6@sha256:212c4cbe27da3772bcb952b8f8cbaa0b0eef72488b52edf90ad2b32072a3ca4c
quay.io/cilium/operator-alibabacloud:stable@sha256:212c4cbe27da3772bcb952b8f8cbaa0b0eef72488b52edf90ad2b32072a3ca4c

operator-aws

quay.io/cilium/operator-aws:v1.18.6@sha256:47dbc1a5bd483fec170dab7fb0bf2cca3585a4893675b0324d41d97bac8be5eb
quay.io/cilium/operator-aws:stable@sha256:47dbc1a5bd483fec170dab7fb0bf2cca3585a4893675b0324d41d97bac8be5eb

operator-azure

quay.io/cilium/operator-azure:v1.18.6@sha256:a57aff47aeb32eccfedaa2a49d1af984d996d6d6de79609c232e0c4cf9ce97a1
quay.io/cilium/operator-azure:stable@sha256:a57aff47aeb32eccfedaa2a49d1af984d996d6d6de79609c232e0c4cf9ce97a1

operator-generic

quay.io/cilium/operator-generic:v1.18.6@sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af
quay.io/cilium/operator-generic:stable@sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af

operator

quay.io/cilium/operator:v1.18.6@sha256:0e8903aa092025918761d24ae9a91af35baa5b6910b5d0e3feac91ab8a2bc65b
quay.io/cilium/operator:stable@sha256:0e8903aa092025918761d24ae9a91af35baa5b6910b5d0e3feac91ab8a2bc65b

`v1.18.5`: 1.18.5

Compare Source

Summary of Changes

Minor Changes:

[v1.18] proxy: Bump envoy version to v1.34.11 (#43143, @sayboras)
Change the sidecar etcd instance of the Cluster Mesh API Server listen on all IP addresses (Backport PR #42948, Upstream PR #42818, @giorio94)

Bugfixes:

allow missing verbs for cilium-agent cluster role when readSecretsOnlyFromSecretsNamespace is false (Backport PR #42948, Upstream PR #42790, @kraashen)
AWS EC2: Fix ENI attachment on multi-network card instances with high-performance networking (EFA) setups (Backport PR #42745, Upstream PR #42512, @41ks)
CiliumEnvoyConfig proxy ports are now restored on agent restarts. (Backport PR #43117, Upstream PR #43108, @jrajahalme)
Cleanup FQDNs that have leaked into the global FQDN cache (Backport PR #42864, Upstream PR #42485, @sjohnsonpal)
Do not opt-out Endpoint ID 1 from dnsproxy transparent mode. (Backport PR #42948, Upstream PR #42887, @jrajahalme)
ENI: Fix panic on nil subnet (Backport PR #43117, Upstream PR #43023, @HadrienPatte)
Ensure cilium-agent gracefully does fallbacks when etcd is in a bad state. (Backport PR #43059, Upstream PR #42977, @odinuge)
Fix a bug that would cause Cilium to not report L4 checksum update errors when the length attribute is missing in ICMP Error messages with TCP inner packets. (Backport PR #42828, Upstream PR #42426, @yushoyamaguchi)
Fix a bug that would cause IPsec logs to incorrectly report the XFRM rules being processed as "Ingress" rules. (Backport PR #42828, Upstream PR #42640, @sjohnsonpal)
Fix agent local identity leak (Backport PR #43117, Upstream PR #42662, @odinuge)
Fix bug that could cause the agent to fail to add XFRM states when IPsec is enabled, thus preventing a proper startup. (Backport PR #42948, Upstream PR #42666, @pchaigno)
Fix GC of per-cluster ctmap entries (Backport PR #43294, Upstream PR #43160, @giorio94)
Fix ipcache issues causing severe issues with the fqdn subsystem (Backport PR #42864, Upstream PR #42815, @odinuge)
Fix issue where endpoints got stuck in "waiting-to-regenerate" (Backport PR #42948, Upstream PR #42856, @odinuge)
Fix leak in the policy subsystem (Backport PR #43117, Upstream PR #42661, @odinuge)
Fix rare kvstore issue where cilium continues to use an expired lease causing kvstore operations to fail consistently (Backport PR #42745, Upstream PR #42709, @odinuge)
fqdn: Fix fqdn subsystem correctness issues causing packet drops and inconsistent ipcache (Backport PR #43117, Upstream PR #42500, @odinuge)
In rare cases, the cilium-operator losing the lead of the HA deployment could continue acting as if leading for at most a minute, leading to split-brain problems such as double allocation of pod CIDRs. (Backport PR #43059, Upstream PR #42920, @bimmlerd)
KVStoreMesh now correctly respects the CA bundle setting when validating remote cluster certificates (Backport PR #42828, Upstream PR #42726, @giorio94)
policy: Fix rare Endpoint Selector Policy Deadlock causing policies to not be updated with new identities (Backport PR #42864, Upstream PR #42306, @odinuge)
Recreate CiliumEndpoints (k8s resource) if they are accidentally deleted. (Backport PR #43117, Upstream PR #42877, @aanm)
redirectpolicy: Avoid recomputing on pod changes that do not change resulting redirect backends (Backport PR #42948, Upstream PR #42814, @joamaki)

CI Changes:

bpf: test: add BPF Masq tests for unknown / handled protocols (Backport PR #42711, Upstream PR #42144, @julianwiedmann)
bpf: test: egressgw: fix up ENABLE_MASQUERADE (Backport PR #42966, Upstream PR #42912, @julianwiedmann)
bpf: tests: add BPF MASQ test for ICMP ECHOs (Backport PR #42711, Upstream PR #42656, @julianwiedmann)
bpf: tests: set ENABLE_MASQUERADE_IPV6 for EGW XDP test (Backport PR #43059, Upstream PR #42962, @julianwiedmann)
bpf:test: cover host endpoint case in tc_nodeport_l3_dev.h (Backport PR #43059, Upstream PR #42983, @smagnani96)
Delete .github/workflows/build-images-hotfixes.yaml (Backport PR #42966, Upstream PR #42958, @sekhar-isovalent)
gh: conn-disrupt: fix XFRM error checks (Backport PR #42764, Upstream PR #42724, @julianwiedmann)
gh: ipsec-e2e: fix flaky connection disruptivity test (Backport PR #42823, Upstream PR #42780, @julianwiedmann)
gha: additionally cleanup disk space in clustermesh upgrade workflow (Backport PR #42948, Upstream PR #42862, @giorio94)
gha: don't filter lint-build-commits steps when workflow is modified (Backport PR #42948, Upstream PR #42844, @giorio94)
gha: wait for cert-manager CRDs to be ready in conformance clustermesh (Backport PR #42966, Upstream PR #42947, @giorio94)
makefile: More reliable update-helm-values (Backport PR #42828, Upstream PR #42736, @devodev)

Misc Changes:

.github/workflows: make adjustments for new GitHub workflow behavior (#43219, @aanm)
[v1.18] deps: bump x/crypto to v0.45.0 (#43114, @ferozsalam)
[v1.18] vendor: Bump to StateDB v0.4.6 (#42953, @joamaki)
chore(deps): update all github action dependencies (v1.18) (#42783, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#42937, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#43036, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#43181, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#43268, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#43317, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (patch) (#43314, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#42804, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#43037, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.18.9 (v1.18) (#43182, @cilium-renovate[bot])
chore(deps): update dependency cilium/little-vm-helper to v0.0.28 (v1.18) (#42771, @cilium-renovate[bot])
chore(deps): update dependency protocolbuffers/protobuf to v33.1 (v1.18) (#42805, @cilium-renovate[bot])
chore(deps): update dependency protocolbuffers/protobuf to v33.2 (v1.18) (#43184, @cilium-renovate[bot])
chore(deps): update dependency protocolbuffers/protobuf-go to v1.36.11 (v1.18) (#43315, @cilium-renovate[bot])
chore(deps): update docker.io/library/busybox:1.37.0 docker digest to d80cd69 (v1.18) (#43312, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.10 docker digest to 7b13449 (v1.18) (#42935, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.10 docker digest to 83d7392 (v1.18) (#42802, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.11 docker digest to e3fb71a (v1.18) (#43313, @cilium-renovate[bot])
chore(deps): update gcr.io/distroless/static:nonroot docker digest to 2b7c93f (v1.18) (#43135, @cilium-renovate[bot])
chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.6 (v1.18) (#42936, @cilium-renovate[bot])
chore(deps): update github artifact actions (v1.18) (#43318, @cilium-renovate[bot])
chore(deps): update go to v1.24.11 (v1.18) (#43183, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/certgen docker tag to v0.3.1 (v1.18) (#43052, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#42803, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#43316, @cilium-renovate[bot])
docs: Add limitation about LB to same backend via multiple VIPs (Backport PR #42745, Upstream PR #42632, @brb)
Documentation: host firewall: document emergency recovery (Backport PR #42948, Upstream PR #42776, @squeed)
fqdn: rewrite name manager test to use real ipcache (Backport PR #42948, Upstream PR #42820, @odinuge)
Minor improvements around certificate validation in etcd/clustermesh troubleshoot commands (Backport PR #42948, Upstream PR #42782, @giorio94)
node/manager: TestNodesStartupPruning poll state (Backport PR #42948, Upstream PR #41648, @0xch4z)
policy: Marshal L4Filter marshalling errors into json (Backport PR #42948, Upstream PR #42834, @joestringer)
xds: Do not log an error on a done context (Backport PR #43117, Upstream PR #42990, @jrajahalme)

Other Changes:

[v1.18] Add periodic resync for secret-sync controller (#43356, @youngnick)
[v1.18] bpf: lxc: transfer source identity for lxc-to-host policy (#42821, @julianwiedmann)
[v1.18] ipcache: Fix leak in CIDR metadata consolidation logic (#43354, @christarazi)
[v1.18] lb: Implement Hybrid-DSR via annotation infrastructure (#43056, @julianwiedmann)
[v1.18] proxy: Bump envoy version to v1.34.12 (#43259, @sayboras)
install: Update image digests for v1.18.4 (#42735, @cilium-release-bot[bot])
Kubernetes endpoints that are terminating are retained in the backends BPF state regardless of the "serving" condition to avoid connection disruptions when a pod no longer signals readiness to process new connections. (#42708, @joamaki)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.5@sha256:2c92fb05962a346eaf0ce11b912ba434dc10bd54b9989e970416681f4a069628
quay.io/cilium/cilium:stable@sha256:2c92fb05962a346eaf0ce11b912ba434dc10bd54b9989e970416681f4a069628

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.5@sha256:952f07c30390847e4d9dfaa19a76c4eca946251ffbc4f6459946570f93ee72f1
quay.io/cilium/clustermesh-apiserver:stable@sha256:952f07c30390847e4d9dfaa19a76c4eca946251ffbc4f6459946570f93ee72f1

docker-plugin

quay.io/cilium/docker-plugin:v1.18.5@sha256:db81fda86653d96ea40687dc314985f5f23d5b57719dd1cb0d151be2c7c8789f
quay.io/cilium/docker-plugin:stable@sha256:db81fda86653d96ea40687dc314985f5f23d5b57719dd1cb0d151be2c7c8789f

hubble-relay

quay.io/cilium/hubble-relay:v1.18.5@sha256:17212962c92ff52384f94e407ffe3698714fcbd35c7575f67f24032d6224e446
quay.io/cilium/hubble-relay:stable@sha256:17212962c92ff52384f94e407ffe3698714fcbd35c7575f67f24032d6224e446

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.5@sha256:2e60f635495eb2837296ced5475875c281a05765d5ddd644a05e126bbb080b3c
quay.io/cilium/operator-alibabacloud:stable@sha256:2e60f635495eb2837296ced5475875c281a05765d5ddd644a05e126bbb080b3c

operator-aws

quay.io/cilium/operator-aws:v1.18.5@sha256:7608025d8b727a10f21d924d8e4f40beb176cefd690320433452816ad8776f52
quay.io/cilium/operator-aws:stable@sha256:7608025d8b727a10f21d924d8e4f40beb176cefd690320433452816ad8776f52

operator-azure

quay.io/cilium/operator-azure:v1.18.5@sha256:126667e000267f893cb81042bf8a710ad2f219619eb9ce06e8949333bd325ac6
quay.io/cilium/operator-azure:stable@sha256:126667e000267f893cb81042bf8a710ad2f219619eb9ce06e8949333bd325ac6

operator-generic

quay.io/cilium/operator-generic:v1.18.5@sha256:36c3f6f14c8ced7f45b40b0a927639894b44269dd653f9528e7a0dc363a4eb99
quay.io/cilium/operator-generic:stable@sha256:36c3f6f14c8ced7f45b40b0a927639894b44269dd653f9528e7a0dc363a4eb99

operator

quay.io/cilium/operator:v1.18.5@sha256:c6806ee97ef35a79aa72d411bc7f12745a1ea684208853e7d13c8e7f84cbb606
quay.io/cilium/operator:stable@sha256:c6806ee97ef35a79aa72d411bc7f12745a1ea684208853e7d13c8e7f84cbb606

`v1.18.4`: 1.18.4

Compare Source

Security Advisories

This release addresses GHSA-38pp-6gcp-rqvm.

Summary of Changes

Minor Changes:

fix indentation for certgen resources in helm templates (Backport PR #42450, Upstream PR #42412, @sdickhoven)

Bugfixes:

bpf: Do not accidentally update IPcache in cluster-aware routing (Backport PR #42577, Upstream PR #42472, @brb)
cilium-operator: ciliumendpoints are not garbage collected until a minimum age is reached (5m by default) (Backport PR #42577, Upstream PR #42413, @zhouhaibing089)
controller: avoid spurious errors when RemoveControllerAndWait is invoked when the controller does not exist (Backport PR #42617, Upstream PR #41384, @asdfmi)
encrypt status: also check tcx attachment on interfaces (Backport PR #42450, Upstream PR #42328, @bersoare)
envoy: pass stream idle timeout from Helm to configmap (Backport PR #42617, Upstream PR #42499, @mhofstetter)
Fix BGP operator crash when bgp-secrets-namespace not set. (Backport PR #42577, Upstream PR #42425, @rastislavs)
Fix cilium_operator_lbipam_conflicting_pools metric to report correct value. (Backport PR #42289, Upstream PR #41999, @hanapedia)
Fix issue where fqdn GC starts too early that results in potentially missed ips in the IPCache (Backport PR #42617, Upstream PR #42502, @odinuge)
Fix potential policy deadlock causing endpoint to use previous identity for policy calculation when endpoint changes identity (Backport PR #42617, Upstream PR #42420, @odinuge)
Fix the output of cilium lrp list command to show LRP selected backends. (Backport PR #42577, Upstream PR #42110, @Bigdelle)
Fix trace aggregation for IPv4 Host Firewall, reducing the amount of generated events. (Backport PR #42617, Upstream PR #42595, @smagnani96)
fix: Panic during endpoint restore due to nil logger (Backport PR #42450, Upstream PR #42385, @pinaki-08)
gatewayAPI: correctly handle reference to CGCC as cluster-scoped resource instead of namespaced one (Backport PR #42289, Upstream PR #42172, @oblazek)
operator/ciliumenvoyconfig: consistently propagate --http-stream-idle-timeout value (Backport PR #42577, Upstream PR #42495, @tklauser)
policy: prevent incorrect mutation of network policy when using policy-default-local-cluster (Backport PR #42698, Upstream PR #42668, @MrFreezeex)
Preventing removal of existing tproxy iptables rules for other services when they share a name prefix. (Backport PR #42450, Upstream PR #42236, @dackroyd)
When using the Egress Strict Mode for Transparent Encryption with Wireguard, packets destined to the local host are no longer excluded from encryption enforcement (when leaving the node), and will be dropped. (Backport PR #42450, Upstream PR #42419, @julianwiedmann)

CI Changes:

.github/actions/e2e: define static job names (Backport PR #42435, Upstream PR #42332, @aanm)
[v1.18] .github/workflows: Add base-SHA input to ariane triggered workflows (#42192, @dylandreimerink)
ci: Allow for alpine image overwrite within cache Dockerfile (Backport PR #42289, Upstream PR #42108, @jpayne3506)
conformance-aws-cni: disable l7 proxy with aws-cni (Backport PR #42617, Upstream PR #42578, @aanm)
Deflake TestNodeManagerAbortReleaseIPReassignment (Backport PR #42577, Upstream PR #42276, @lconnery)
gh: ginkgo: fix focus for service hairpin test (Backport PR #42641, Upstream PR #42633, @julianwiedmann)
gh: ginkgo: reduce number of tested k8s versions in PRs (Backport PR #42470, Upstream PR #42465, @julianwiedmann)
gh: ginkgo: replace rhel8 with 5.10 kernel (Backport PR #42449, Upstream PR #42084, @julianwiedmann)
gha/conformance-clustermesh: let service nodeport be selected randomly (Backport PR #42617, Upstream PR #41697, @giorio94)
gha: allow configuring runner for workflows building Cilium binaries (Backport PR #42617, Upstream PR #42582, @giorio94)
Testing for RHEL8 compatibility now uses a RHEL8.10-compatible kernel (previously this was a RHEL8.6-compatible kernel). (Backport PR #42604, Upstream PR #41639, @julianwiedmann)

Misc Changes:

[v1.18] deps: bump CNI plugins version (#42443, @ferozsalam)
bpf: host: remove stale code comment (Backport PR #42450, Upstream PR #42237, @julianwiedmann)
bpf: lxc: always set identity mark on forwarded egressing traffic (Backport PR #42617, Upstream PR #42551, @julianwiedmann)
bpf: nodeport: don't include EGW reply hook in bpf_wireguard (Backport PR #42450, Upstream PR #42187, @julianwiedmann)
chore(deps): update all github action dependencies (v1.18) (#42397, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#42541, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#42682, @cilium-renovate[bot])
chore(deps): update dependency cilium/cilium-cli to v0.18.8 (v1.18) (#42346, @cilium-renovate[bot])
chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e3652a0 (v1.18) (#42539, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.10 docker digest to c3ea417 (v1.18) (#42679, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.9 docker digest to 5034fa4 (v1.18) (#42396, @cilium-renovate[bot])
chore(deps): update github artifact actions (v1.18) (#42398, @cilium-renovate[bot])
chore(deps): update go to v1.24.10 (v1.18) (#42621, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.10-1762597008-ff7ae7d623be00078865cff1b0672cc5d9bfc6d5 (v1.18) (#42680, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-llvm docker tag to v1758805548 (v1.18) (#42399, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#42540, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#42681, @cilium-renovate[bot])
ci: Add workflow permissions for auto-approve and renovate (Backport PR #42450, Upstream PR #42281, @kyle-c-simmons)
ci: Fix call-backport-label-updater permissions (Backport PR #42450, Upstream PR #42510, @kyle-c-simmons)
ci: Update hubble test workflow permissions (Backport PR #42450, Upstream PR #41911, @kyle-c-simmons)
cilium, routes: Downgrade warning on direct-routing-skip-unreachable (Backport PR #42289, Upstream PR #42210, @borkmann)
docs: tuning: remove some references to old kernels (Backport PR #42617, Upstream PR #42601, @julianwiedmann)
Docs: update fragmentation docs to reflect ipv6 (Backport PR #42289, Upstream PR #41748, @tommyp1ckles)
fix: run post-release and publish-helm workflows on cilium org (Backport PR #42450, Upstream PR #42279, @sekhar-isovalent)
loadbalancer: fix up code comment (Backport PR #42450, Upstream PR #42273, @julianwiedmann)
Log proxy instance creation at debug level (Backport PR #42617, Upstream PR #42319, @sjohnsonpal)
operator: Prevent panic when GCing identities (Backport PR #42289, Upstream PR #42217, @HadrienPatte)
pkg/nodediscover: Don't log warnings for intermittent updates (Backport PR #42577, Upstream PR #42505, @aditighag)

Other Changes:

[v1.18] ipam: fix TestNodeManagerAbortReleaseIPReassignment test (#42636, @rastislavs)
[v1.18] test: ginkgo: skip BPF masq tests on configs without external node (#42462, @julianwiedmann)
install: Update image digests for v1.18.3 (#42344, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
quay.io/cilium/cilium:stable@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.4@sha256:c240a7cbead5479d9085b5e837977bf6750164167a1c9f956720815d160d447d
quay.io/cilium/clustermesh-apiserver:stable@sha256:c240a7cbead5479d9085b5e837977bf6750164167a1c9f956720815d160d447d

docker-plugin

quay.io/cilium/docker-plugin:v1.18.4@sha256:5ec897904e4bd9784df8353b1bdc3559f541f4ca5957103addd46b600430888a
quay.io/cilium/docker-plugin:stable@sha256:5ec897904e4bd9784df8353b1bdc3559f541f4ca5957103addd46b600430888a

hubble-relay

quay.io/cilium/hubble-relay:v1.18.4@sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723
quay.io/cilium/hubble-relay:stable@sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.4@sha256:c57d07e5dde3a1974c5cd5d46596db5ea7264f66e9e4ce98a59236aa88b857f7
quay.io/cilium/operator-alibabacloud:stable@sha256:c57d07e5dde3a1974c5cd5d46596db5ea7264f66e9e4ce98a59236aa88b857f7

operator-aws

quay.io/cilium/operator-aws:v1.18.4@sha256:f4c19007a804d37c781d6c8982006c5f1d8a890941036f9ab285e517fd181336
quay.io/cilium/operator-aws:stable@sha256:f4c19007a804d37c781d6c8982006c5f1d8a890941036f9ab285e517fd181336

operator-azure

quay.io/cilium/operator-azure:v1.18.4@sha256:19e7465ec8b151ec444757b6ce583b7a0d1e5e9fc5e3aef31d90e93019f599ca
quay.io/cilium/operator-azure:stable@sha256:19e7465ec8b151ec444757b6ce583b7a0d1e5e9fc5e3aef31d90e93019f599ca

operator-generic

quay.io/cilium/operator-generic:v1.18.4@sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012
quay.io/cilium/operator-generic:stable@sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012

operator

quay.io/cilium/operator:v1.18.4@sha256:78a4f6fb8da0556ed3648aeb789988bd2cb6847c805fb73e381f3e3b17dce0a5
quay.io/cilium/operator:stable@sha256:78a4f6fb8da0556ed3648aeb789988bd2cb6847c805fb73e381f3e3b17dce0a5

Configuration

📅 Schedule: Branch creation - "before 6am on Tuesday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | HelmChart | patch | `1.18.3` → `1.18.6` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.6`](https://github.com/cilium/cilium/releases/tag/v1.18.6): 1.18.6 [Compare Source](https://github.com/cilium/cilium/compare/1.18.5...1.18.6) ## Summary of Changes **Major Changes:** - Publish Helm charts to OCI registries (Backport PR [#43689](https://github.com/cilium/cilium/issues/43689), Upstream PR [#43624](https://github.com/cilium/cilium/issues/43624), [@aanm](https://github.com/aanm)) **Minor Changes:** - Cilium Preflight check no longer includes Envoy Configmaps, making it easier to correctly run. (Backport PR [#43290](https://github.com/cilium/cilium/issues/43290), Upstream PR [#43153](https://github.com/cilium/cilium/issues/43153), [@youngnick](https://github.com/youngnick)) - runtime: Add libatomic1 for cilium-envoy dependency (Backport PR [#43642](https://github.com/cilium/cilium/issues/43642), Upstream PR [#43292](https://github.com/cilium/cilium/issues/43292), [@sayboras](https://github.com/sayboras)) **Bugfixes:** - bpf:wireguard: delivery host packets to bpf\_host for ingress policies (Backport PR [#43690](https://github.com/cilium/cilium/issues/43690), Upstream PR [#42892](https://github.com/cilium/cilium/issues/42892), [@smagnani96](https://github.com/smagnani96)) - cgroup: don't start watch if KPRConfig.EnableSocketLB is disabled (Backport PR [#43290](https://github.com/cilium/cilium/issues/43290), Upstream PR [#43256](https://github.com/cilium/cilium/issues/43256), [@mhofstetter](https://github.com/mhofstetter)) - Fix a bug with local redirect service entries being created when backend pods weren't ready. (Backport PR [#43425](https://github.com/cilium/cilium/issues/43425), Upstream PR [#43095](https://github.com/cilium/cilium/issues/43095), [@aditighag](https://github.com/aditighag)) - Fix an issue in proxy NOTRACK iptables rule for aws-cni chaining mode which causes proxy->upstream(outside cluster) traffic not being SNAT'd. (Backport PR [#43676](https://github.com/cilium/cilium/issues/43676), Upstream PR [#43566](https://github.com/cilium/cilium/issues/43566), [@fristonio](https://github.com/fristonio)) - Fix GC of possible duplicated identities in kvstore mode (Backport PR [#43425](https://github.com/cilium/cilium/issues/43425), Upstream PR [#43287](https://github.com/cilium/cilium/issues/43287), [@giorio94](https://github.com/giorio94)) - Fixes a deadlock that was causing endpoint to be stuck without progressing with any updates. (Backport PR [#43290](https://github.com/cilium/cilium/issues/43290), Upstream PR [#43242](https://github.com/cilium/cilium/issues/43242), [@marseel](https://github.com/marseel)) - gateway-api: correctly handle CiliumGatewayClassConfig as a namespaced resource. (Backport PR [#43290](https://github.com/cilium/cilium/issues/43290), Upstream PR [#43254](https://github.com/cilium/cilium/issues/43254), [@youngnick](https://github.com/youngnick)) - xds: fix nil-pointer in `processRequestStream` (Backport PR [#43612](https://github.com/cilium/cilium/issues/43612), Upstream PR [#43609](https://github.com/cilium/cilium/issues/43609), [@mhofstetter](https://github.com/mhofstetter)) **CI Changes:** - bpf: tests: egressgw: enable HostFW (Backport PR [#43337](https://github.com/cilium/cilium/issues/43337), Upstream PR [#42955](https://github.com/cilium/cilium/issues/42955), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: tests: egressgw: install ipcache\_v6\_add\_world\_entry() (Backport PR [#43337](https://github.com/cilium/cilium/issues/43337), Upstream PR [#42988](https://github.com/cilium/cilium/issues/42988), [@julianwiedmann](https://github.com/julianwiedmann)) - chore: comment job to use generated token instead of PAT (Backport PR [#43612](https://github.com/cilium/cilium/issues/43612), Upstream PR [#43148](https://github.com/cilium/cilium/issues/43148), [@sekhar-isovalent](https://github.com/sekhar-isovalent)) - ci: Use newer lvh image for privileged tests (Backport PR [#43490](https://github.com/cilium/cilium/issues/43490), Upstream PR [#41082](https://github.com/cilium/cilium/issues/41082), [@rastislavs](https://github.com/rastislavs)) **Misc Changes:** - .github/workflows: remove auto-requested reviewers (Backport PR [#43425](https://github.com/cilium/cilium/issues/43425), Upstream PR [#42952](https://github.com/cilium/cilium/issues/42952), [@aanm](https://github.com/aanm)) - Add documentation and examples for using the egressDeny field in CiliumNetworkPolicy (Backport PR [#43425](https://github.com/cilium/cilium/issues/43425), Upstream PR [#40272](https://github.com/cilium/cilium/issues/40272), [@syedazeez337](https://github.com/syedazeez337)) - bpf: clear mark content before storing the cluster ID (Backport PR [#43290](https://github.com/cilium/cilium/issues/43290), Upstream PR [#43159](https://github.com/cilium/cilium/issues/43159), [@giorio94](https://github.com/giorio94)) - bpf: prevent cluster ID from being incorrectly retrieved from mark when aliased (Backport PR [#43290](https://github.com/cilium/cilium/issues/43290), Upstream PR [#43258](https://github.com/cilium/cilium/issues/43258), [@giorio94](https://github.com/giorio94)) - chore(deps): update all github action dependencies (v1.18) ([#43467](https://github.com/cilium/cilium/issues/43467), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#43665](https://github.com/cilium/cilium/issues/43665), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update anchore/sbom-action action to v0.21.0 (v1.18) ([#43512](https://github.com/cilium/cilium/issues/43512), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (v1.18) ([#43543](https://github.com/cilium/cilium/issues/43543), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update base-images (v1.18) ([#43664](https://github.com/cilium/cilium/issues/43664), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/busybox:1.37.0 docker digest to [`2383baa`](https://github.com/cilium/cilium/commit/2383baa) (v1.18) ([#43662](https://github.com/cilium/cilium/issues/43662), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.11 docker digest to [`54528d1`](https://github.com/cilium/cilium/commit/54528d1) (v1.18) ([#43464](https://github.com/cilium/cilium/issues/43464), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.7 (v1.18) ([#43465](https://github.com/cilium/cilium/issues/43465), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.12-1767177245-7935d4d711cb6f8020385a50c996b90896e16a71 (v1.18) ([#43539](https://github.com/cilium/cilium/issues/43539), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1767794330-db497dd19e346b39d81d7b5c0dedf6c812bcc5c9 (v1.18) ([#43638](https://github.com/cilium/cilium/issues/43638), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update rhysd/actionlint docker tag to v1.7.10 (v1.18) ([#43541](https://github.com/cilium/cilium/issues/43541), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#43466](https://github.com/cilium/cilium/issues/43466), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#43542](https://github.com/cilium/cilium/issues/43542), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#43571](https://github.com/cilium/cilium/issues/43571), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#43663](https://github.com/cilium/cilium/issues/43663), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - cmapisrv/test: miscellaneous fixes to the ciliumidentities script test (Backport PR [#43425](https://github.com/cilium/cilium/issues/43425), Upstream PR [#43372](https://github.com/cilium/cilium/issues/43372), [@giorio94](https://github.com/giorio94)) - docs: Add missing IPv6 fragmentation BPF map reference (Backport PR [#43290](https://github.com/cilium/cilium/issues/43290), Upstream PR [#43161](https://github.com/cilium/cilium/issues/43161), [@doniacld](https://github.com/doniacld)) - Fix a regression in the new services control plane where loadBalancerSourceRanges was applied by default to all service types. (Backport PR [#43575](https://github.com/cilium/cilium/issues/43575), Upstream PR [#42351](https://github.com/cilium/cilium/issues/42351), [@borkmann](https://github.com/borkmann)) - operator: the K8s Secret synchronization process now resynchronizes after an hour for synced Secrets. (Backport PR [#43425](https://github.com/cilium/cilium/issues/43425), Upstream PR [#42414](https://github.com/cilium/cilium/issues/42414), [@youngnick](https://github.com/youngnick)) - release: change OCI registry (Backport PR [#43689](https://github.com/cilium/cilium/issues/43689), Upstream PR [#43646](https://github.com/cilium/cilium/issues/43646), [@aanm](https://github.com/aanm)) - route: install ingress proxy routes with WireGuard and L7Proxy (Backport PR [#43434](https://github.com/cilium/cilium/issues/43434), Upstream PR [#42835](https://github.com/cilium/cilium/issues/42835), [@smagnani96](https://github.com/smagnani96)) **Other Changes:** - \[v1.18] bpf:hubble: support policy verdict from L3 devices ([#43381](https://github.com/cilium/cilium/issues/43381), [@smagnani96](https://github.com/smagnani96)) - \[v1.18] deps: bump CNI plugins version to v1.9.0 ([#43593](https://github.com/cilium/cilium/issues/43593), [@diyi0926](https://github.com/diyi0926)) - install: Update image digests for v1.18.5 ([#43400](https://github.com/cilium/cilium/issues/43400), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.18.6@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4` `quay.io/cilium/cilium:stable@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.18.6@sha256:8ee142912a0e261850c0802d9256ddbe3729e1cd35c6bea2d93077f334c3cf3b` `quay.io/cilium/clustermesh-apiserver:stable@sha256:8ee142912a0e261850c0802d9256ddbe3729e1cd35c6bea2d93077f334c3cf3b` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.18.6@sha256:7931555ad713a48a28e4bf097402e0e398461dbf51b81cb8192558c5cb0dc48f` `quay.io/cilium/docker-plugin:stable@sha256:7931555ad713a48a28e4bf097402e0e398461dbf51b81cb8192558c5cb0dc48f` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.18.6@sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e` `quay.io/cilium/hubble-relay:stable@sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.18.6@sha256:212c4cbe27da3772bcb952b8f8cbaa0b0eef72488b52edf90ad2b32072a3ca4c` `quay.io/cilium/operator-alibabacloud:stable@sha256:212c4cbe27da3772bcb952b8f8cbaa0b0eef72488b52edf90ad2b32072a3ca4c` ##### operator-aws `quay.io/cilium/operator-aws:v1.18.6@sha256:47dbc1a5bd483fec170dab7fb0bf2cca3585a4893675b0324d41d97bac8be5eb` `quay.io/cilium/operator-aws:stable@sha256:47dbc1a5bd483fec170dab7fb0bf2cca3585a4893675b0324d41d97bac8be5eb` ##### operator-azure `quay.io/cilium/operator-azure:v1.18.6@sha256:a57aff47aeb32eccfedaa2a49d1af984d996d6d6de79609c232e0c4cf9ce97a1` `quay.io/cilium/operator-azure:stable@sha256:a57aff47aeb32eccfedaa2a49d1af984d996d6d6de79609c232e0c4cf9ce97a1` ##### operator-generic `quay.io/cilium/operator-generic:v1.18.6@sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af` `quay.io/cilium/operator-generic:stable@sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af` ##### operator `quay.io/cilium/operator:v1.18.6@sha256:0e8903aa092025918761d24ae9a91af35baa5b6910b5d0e3feac91ab8a2bc65b` `quay.io/cilium/operator:stable@sha256:0e8903aa092025918761d24ae9a91af35baa5b6910b5d0e3feac91ab8a2bc65b` ### [`v1.18.5`](https://github.com/cilium/cilium/releases/tag/v1.18.5): 1.18.5 [Compare Source](https://github.com/cilium/cilium/compare/1.18.4...1.18.5) ## Summary of Changes **Minor Changes:** - \[v1.18] proxy: Bump envoy version to v1.34.11 ([#43143](https://github.com/cilium/cilium/issues/43143), [@sayboras](https://github.com/sayboras)) - Change the sidecar etcd instance of the Cluster Mesh API Server listen on all IP addresses (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#42818](https://github.com/cilium/cilium/issues/42818), [@giorio94](https://github.com/giorio94)) **Bugfixes:** - allow missing verbs for cilium-agent cluster role when readSecretsOnlyFromSecretsNamespace is false (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#42790](https://github.com/cilium/cilium/issues/42790), [@kraashen](https://github.com/kraashen)) - AWS EC2: Fix ENI attachment on multi-network card instances with high-performance networking (EFA) setups (Backport PR [#42745](https://github.com/cilium/cilium/issues/42745), Upstream PR [#42512](https://github.com/cilium/cilium/issues/42512), [@41ks](https://github.com/41ks)) - CiliumEnvoyConfig proxy ports are now restored on agent restarts. (Backport PR [#43117](https://github.com/cilium/cilium/issues/43117), Upstream PR [#43108](https://github.com/cilium/cilium/issues/43108), [@jrajahalme](https://github.com/jrajahalme)) - Cleanup FQDNs that have leaked into the global FQDN cache (Backport PR [#42864](https://github.com/cilium/cilium/issues/42864), Upstream PR [#42485](https://github.com/cilium/cilium/issues/42485), [@sjohnsonpal](https://github.com/sjohnsonpal)) - Do not opt-out Endpoint ID 1 from dnsproxy transparent mode. (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#42887](https://github.com/cilium/cilium/issues/42887), [@jrajahalme](https://github.com/jrajahalme)) - ENI: Fix panic on nil subnet (Backport PR [#43117](https://github.com/cilium/cilium/issues/43117), Upstream PR [#43023](https://github.com/cilium/cilium/issues/43023), [@HadrienPatte](https://github.com/HadrienPatte)) - Ensure cilium-agent gracefully does fallbacks when etcd is in a bad state. (Backport PR [#43059](https://github.com/cilium/cilium/issues/43059), Upstream PR [#42977](https://github.com/cilium/cilium/issues/42977), [@odinuge](https://github.com/odinuge)) - Fix a bug that would cause Cilium to not report L4 checksum update errors when the length attribute is missing in ICMP Error messages with TCP inner packets. (Backport PR [#42828](https://github.com/cilium/cilium/issues/42828), Upstream PR [#42426](https://github.com/cilium/cilium/issues/42426), [@yushoyamaguchi](https://github.com/yushoyamaguchi)) - Fix a bug that would cause IPsec logs to incorrectly report the XFRM rules being processed as "Ingress" rules. (Backport PR [#42828](https://github.com/cilium/cilium/issues/42828), Upstream PR [#42640](https://github.com/cilium/cilium/issues/42640), [@sjohnsonpal](https://github.com/sjohnsonpal)) - Fix agent local identity leak (Backport PR [#43117](https://github.com/cilium/cilium/issues/43117), Upstream PR [#42662](https://github.com/cilium/cilium/issues/42662), [@odinuge](https://github.com/odinuge)) - Fix bug that could cause the agent to fail to add XFRM states when IPsec is enabled, thus preventing a proper startup. (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#42666](https://github.com/cilium/cilium/issues/42666), [@pchaigno](https://github.com/pchaigno)) - Fix GC of per-cluster ctmap entries (Backport PR [#43294](https://github.com/cilium/cilium/issues/43294), Upstream PR [#43160](https://github.com/cilium/cilium/issues/43160), [@giorio94](https://github.com/giorio94)) - Fix ipcache issues causing severe issues with the fqdn subsystem (Backport PR [#42864](https://github.com/cilium/cilium/issues/42864), Upstream PR [#42815](https://github.com/cilium/cilium/issues/42815), [@odinuge](https://github.com/odinuge)) - Fix issue where endpoints got stuck in "waiting-to-regenerate" (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#42856](https://github.com/cilium/cilium/issues/42856), [@odinuge](https://github.com/odinuge)) - Fix leak in the policy subsystem (Backport PR [#43117](https://github.com/cilium/cilium/issues/43117), Upstream PR [#42661](https://github.com/cilium/cilium/issues/42661), [@odinuge](https://github.com/odinuge)) - Fix rare kvstore issue where cilium continues to use an expired lease causing kvstore operations to fail consistently (Backport PR [#42745](https://github.com/cilium/cilium/issues/42745), Upstream PR [#42709](https://github.com/cilium/cilium/issues/42709), [@odinuge](https://github.com/odinuge)) - fqdn: Fix fqdn subsystem correctness issues causing packet drops and inconsistent ipcache (Backport PR [#43117](https://github.com/cilium/cilium/issues/43117), Upstream PR [#42500](https://github.com/cilium/cilium/issues/42500), [@odinuge](https://github.com/odinuge)) - In rare cases, the cilium-operator losing the lead of the HA deployment could continue acting as if leading for at most a minute, leading to split-brain problems such as double allocation of pod CIDRs. (Backport PR [#43059](https://github.com/cilium/cilium/issues/43059), Upstream PR [#42920](https://github.com/cilium/cilium/issues/42920), [@bimmlerd](https://github.com/bimmlerd)) - KVStoreMesh now correctly respects the CA bundle setting when validating remote cluster certificates (Backport PR [#42828](https://github.com/cilium/cilium/issues/42828), Upstream PR [#42726](https://github.com/cilium/cilium/issues/42726), [@giorio94](https://github.com/giorio94)) - policy: Fix rare Endpoint Selector Policy Deadlock causing policies to not be updated with new identities (Backport PR [#42864](https://github.com/cilium/cilium/issues/42864), Upstream PR [#42306](https://github.com/cilium/cilium/issues/42306), [@odinuge](https://github.com/odinuge)) - Recreate CiliumEndpoints (k8s resource) if they are accidentally deleted. (Backport PR [#43117](https://github.com/cilium/cilium/issues/43117), Upstream PR [#42877](https://github.com/cilium/cilium/issues/42877), [@aanm](https://github.com/aanm)) - redirectpolicy: Avoid recomputing on pod changes that do not change resulting redirect backends (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#42814](https://github.com/cilium/cilium/issues/42814), [@joamaki](https://github.com/joamaki)) **CI Changes:** - bpf: test: add BPF Masq tests for unknown / handled protocols (Backport PR [#42711](https://github.com/cilium/cilium/issues/42711), Upstream PR [#42144](https://github.com/cilium/cilium/issues/42144), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: test: egressgw: fix up ENABLE\_MASQUERADE (Backport PR [#42966](https://github.com/cilium/cilium/issues/42966), Upstream PR [#42912](https://github.com/cilium/cilium/issues/42912), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: tests: add BPF MASQ test for ICMP ECHOs (Backport PR [#42711](https://github.com/cilium/cilium/issues/42711), Upstream PR [#42656](https://github.com/cilium/cilium/issues/42656), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: tests: set ENABLE\_MASQUERADE\_IPV6 for EGW XDP test (Backport PR [#43059](https://github.com/cilium/cilium/issues/43059), Upstream PR [#42962](https://github.com/cilium/cilium/issues/42962), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf:test: cover host endpoint case in tc\_nodeport\_l3\_dev.h (Backport PR [#43059](https://github.com/cilium/cilium/issues/43059), Upstream PR [#42983](https://github.com/cilium/cilium/issues/42983), [@smagnani96](https://github.com/smagnani96)) - Delete .github/workflows/build-images-hotfixes.yaml (Backport PR [#42966](https://github.com/cilium/cilium/issues/42966), Upstream PR [#42958](https://github.com/cilium/cilium/issues/42958), [@sekhar-isovalent](https://github.com/sekhar-isovalent)) - gh: conn-disrupt: fix XFRM error checks (Backport PR [#42764](https://github.com/cilium/cilium/issues/42764), Upstream PR [#42724](https://github.com/cilium/cilium/issues/42724), [@julianwiedmann](https://github.com/julianwiedmann)) - gh: ipsec-e2e: fix flaky connection disruptivity test (Backport PR [#42823](https://github.com/cilium/cilium/issues/42823), Upstream PR [#42780](https://github.com/cilium/cilium/issues/42780), [@julianwiedmann](https://github.com/julianwiedmann)) - gha: additionally cleanup disk space in clustermesh upgrade workflow (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#42862](https://github.com/cilium/cilium/issues/42862), [@giorio94](https://github.com/giorio94)) - gha: don't filter lint-build-commits steps when workflow is modified (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#42844](https://github.com/cilium/cilium/issues/42844), [@giorio94](https://github.com/giorio94)) - gha: wait for cert-manager CRDs to be ready in conformance clustermesh (Backport PR [#42966](https://github.com/cilium/cilium/issues/42966), Upstream PR [#42947](https://github.com/cilium/cilium/issues/42947), [@giorio94](https://github.com/giorio94)) - makefile: More reliable update-helm-values (Backport PR [#42828](https://github.com/cilium/cilium/issues/42828), Upstream PR [#42736](https://github.com/cilium/cilium/issues/42736), [@devodev](https://github.com/devodev)) **Misc Changes:** - .github/workflows: make adjustments for new GitHub workflow behavior ([#43219](https://github.com/cilium/cilium/issues/43219), [@aanm](https://github.com/aanm)) - \[v1.18] deps: bump x/crypto to v0.45.0 ([#43114](https://github.com/cilium/cilium/issues/43114), [@ferozsalam](https://github.com/ferozsalam)) - \[v1.18] vendor: Bump to StateDB v0.4.6 ([#42953](https://github.com/cilium/cilium/issues/42953), [@joamaki](https://github.com/joamaki)) - chore(deps): update all github action dependencies (v1.18) ([#42783](https://github.com/cilium/cilium/issues/42783), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#42937](https://github.com/cilium/cilium/issues/42937), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#43036](https://github.com/cilium/cilium/issues/43036), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#43181](https://github.com/cilium/cilium/issues/43181), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#43268](https://github.com/cilium/cilium/issues/43268), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#43317](https://github.com/cilium/cilium/issues/43317), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) (patch) ([#43314](https://github.com/cilium/cilium/issues/43314), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#42804](https://github.com/cilium/cilium/issues/42804), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#43037](https://github.com/cilium/cilium/issues/43037), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.18.9 (v1.18) ([#43182](https://github.com/cilium/cilium/issues/43182), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/little-vm-helper to v0.0.28 (v1.18) ([#42771](https://github.com/cilium/cilium/issues/42771), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v33.1 (v1.18) ([#42805](https://github.com/cilium/cilium/issues/42805), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v33.2 (v1.18) ([#43184](https://github.com/cilium/cilium/issues/43184), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf-go to v1.36.11 (v1.18) ([#43315](https://github.com/cilium/cilium/issues/43315), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/busybox:1.37.0 docker digest to [`d80cd69`](https://github.com/cilium/cilium/commit/d80cd69) (v1.18) ([#43312](https://github.com/cilium/cilium/issues/43312), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.10 docker digest to [`7b13449`](https://github.com/cilium/cilium/commit/7b13449) (v1.18) ([#42935](https://github.com/cilium/cilium/issues/42935), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.10 docker digest to [`83d7392`](https://github.com/cilium/cilium/commit/83d7392) (v1.18) ([#42802](https://github.com/cilium/cilium/issues/42802), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.11 docker digest to [`e3fb71a`](https://github.com/cilium/cilium/commit/e3fb71a) (v1.18) ([#43313](https://github.com/cilium/cilium/issues/43313), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update gcr.io/distroless/static:nonroot docker digest to [`2b7c93f`](https://github.com/cilium/cilium/commit/2b7c93f) (v1.18) ([#43135](https://github.com/cilium/cilium/issues/43135), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.6 (v1.18) ([#42936](https://github.com/cilium/cilium/issues/42936), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update github artifact actions (v1.18) ([#43318](https://github.com/cilium/cilium/issues/43318), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.24.11 (v1.18) ([#43183](https://github.com/cilium/cilium/issues/43183), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/certgen docker tag to v0.3.1 (v1.18) ([#43052](https://github.com/cilium/cilium/issues/43052), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#42803](https://github.com/cilium/cilium/issues/42803), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#43316](https://github.com/cilium/cilium/issues/43316), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - docs: Add limitation about LB to same backend via multiple VIPs (Backport PR [#42745](https://github.com/cilium/cilium/issues/42745), Upstream PR [#42632](https://github.com/cilium/cilium/issues/42632), [@brb](https://github.com/brb)) - Documentation: host firewall: document emergency recovery (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#42776](https://github.com/cilium/cilium/issues/42776), [@squeed](https://github.com/squeed)) - fqdn: rewrite name manager test to use real ipcache (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#42820](https://github.com/cilium/cilium/issues/42820), [@odinuge](https://github.com/odinuge)) - Minor improvements around certificate validation in etcd/clustermesh troubleshoot commands (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#42782](https://github.com/cilium/cilium/issues/42782), [@giorio94](https://github.com/giorio94)) - node/manager: TestNodesStartupPruning poll state (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#41648](https://github.com/cilium/cilium/issues/41648), [@0xch4z](https://github.com/0xch4z)) - policy: Marshal L4Filter marshalling errors into json (Backport PR [#42948](https://github.com/cilium/cilium/issues/42948), Upstream PR [#42834](https://github.com/cilium/cilium/issues/42834), [@joestringer](https://github.com/joestringer)) - xds: Do not log an error on a done context (Backport PR [#43117](https://github.com/cilium/cilium/issues/43117), Upstream PR [#42990](https://github.com/cilium/cilium/issues/42990), [@jrajahalme](https://github.com/jrajahalme)) **Other Changes:** - \[v1.18] Add periodic resync for secret-sync controller ([#43356](https://github.com/cilium/cilium/issues/43356), [@youngnick](https://github.com/youngnick)) - \[v1.18] bpf: lxc: transfer source identity for lxc-to-host policy ([#42821](https://github.com/cilium/cilium/issues/42821), [@julianwiedmann](https://github.com/julianwiedmann)) - \[v1.18] ipcache: Fix leak in CIDR metadata consolidation logic ([#43354](https://github.com/cilium/cilium/issues/43354), [@christarazi](https://github.com/christarazi)) - \[v1.18] lb: Implement Hybrid-DSR via annotation infrastructure ([#43056](https://github.com/cilium/cilium/issues/43056), [@julianwiedmann](https://github.com/julianwiedmann)) - \[v1.18] proxy: Bump envoy version to v1.34.12 ([#43259](https://github.com/cilium/cilium/issues/43259), [@sayboras](https://github.com/sayboras)) - install: Update image digests for v1.18.4 ([#42735](https://github.com/cilium/cilium/issues/42735), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) - Kubernetes endpoints that are terminating are retained in the backends BPF state regardless of the "serving" condition to avoid connection disruptions when a pod no longer signals readiness to process new connections. ([#42708](https://github.com/cilium/cilium/issues/42708), [@joamaki](https://github.com/joamaki)) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.18.5@sha256:2c92fb05962a346eaf0ce11b912ba434dc10bd54b9989e970416681f4a069628` `quay.io/cilium/cilium:stable@sha256:2c92fb05962a346eaf0ce11b912ba434dc10bd54b9989e970416681f4a069628` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.18.5@sha256:952f07c30390847e4d9dfaa19a76c4eca946251ffbc4f6459946570f93ee72f1` `quay.io/cilium/clustermesh-apiserver:stable@sha256:952f07c30390847e4d9dfaa19a76c4eca946251ffbc4f6459946570f93ee72f1` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.18.5@sha256:db81fda86653d96ea40687dc314985f5f23d5b57719dd1cb0d151be2c7c8789f` `quay.io/cilium/docker-plugin:stable@sha256:db81fda86653d96ea40687dc314985f5f23d5b57719dd1cb0d151be2c7c8789f` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.18.5@sha256:17212962c92ff52384f94e407ffe3698714fcbd35c7575f67f24032d6224e446` `quay.io/cilium/hubble-relay:stable@sha256:17212962c92ff52384f94e407ffe3698714fcbd35c7575f67f24032d6224e446` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.18.5@sha256:2e60f635495eb2837296ced5475875c281a05765d5ddd644a05e126bbb080b3c` `quay.io/cilium/operator-alibabacloud:stable@sha256:2e60f635495eb2837296ced5475875c281a05765d5ddd644a05e126bbb080b3c` ##### operator-aws `quay.io/cilium/operator-aws:v1.18.5@sha256:7608025d8b727a10f21d924d8e4f40beb176cefd690320433452816ad8776f52` `quay.io/cilium/operator-aws:stable@sha256:7608025d8b727a10f21d924d8e4f40beb176cefd690320433452816ad8776f52` ##### operator-azure `quay.io/cilium/operator-azure:v1.18.5@sha256:126667e000267f893cb81042bf8a710ad2f219619eb9ce06e8949333bd325ac6` `quay.io/cilium/operator-azure:stable@sha256:126667e000267f893cb81042bf8a710ad2f219619eb9ce06e8949333bd325ac6` ##### operator-generic `quay.io/cilium/operator-generic:v1.18.5@sha256:36c3f6f14c8ced7f45b40b0a927639894b44269dd653f9528e7a0dc363a4eb99` `quay.io/cilium/operator-generic:stable@sha256:36c3f6f14c8ced7f45b40b0a927639894b44269dd653f9528e7a0dc363a4eb99` ##### operator `quay.io/cilium/operator:v1.18.5@sha256:c6806ee97ef35a79aa72d411bc7f12745a1ea684208853e7d13c8e7f84cbb606` `quay.io/cilium/operator:stable@sha256:c6806ee97ef35a79aa72d411bc7f12745a1ea684208853e7d13c8e7f84cbb606` ### [`v1.18.4`](https://github.com/cilium/cilium/releases/tag/v1.18.4): 1.18.4 [Compare Source](https://github.com/cilium/cilium/compare/1.18.3...1.18.4) ## Security Advisories This release addresses [GHSA-38pp-6gcp-rqvm](https://github.com/cilium/cilium/security/advisories/GHSA-38pp-6gcp-rqvm). ## Summary of Changes **Minor Changes:** - fix indentation for certgen resources in helm templates (Backport PR [#42450](https://github.com/cilium/cilium/issues/42450), Upstream PR [#42412](https://github.com/cilium/cilium/issues/42412), [@sdickhoven](https://github.com/sdickhoven)) **Bugfixes:** - bpf: Do not accidentally update IPcache in cluster-aware routing (Backport PR [#42577](https://github.com/cilium/cilium/issues/42577), Upstream PR [#42472](https://github.com/cilium/cilium/issues/42472), [@brb](https://github.com/brb)) - cilium-operator: ciliumendpoints are not garbage collected until a minimum age is reached (5m by default) (Backport PR [#42577](https://github.com/cilium/cilium/issues/42577), Upstream PR [#42413](https://github.com/cilium/cilium/issues/42413), [@zhouhaibing089](https://github.com/zhouhaibing089)) - controller: avoid spurious errors when RemoveControllerAndWait is invoked when the controller does not exist (Backport PR [#42617](https://github.com/cilium/cilium/issues/42617), Upstream PR [#41384](https://github.com/cilium/cilium/issues/41384), [@asdfmi](https://github.com/asdfmi)) - encrypt status: also check tcx attachment on interfaces (Backport PR [#42450](https://github.com/cilium/cilium/issues/42450), Upstream PR [#42328](https://github.com/cilium/cilium/issues/42328), [@bersoare](https://github.com/bersoare)) - envoy: pass stream idle timeout from Helm to configmap (Backport PR [#42617](https://github.com/cilium/cilium/issues/42617), Upstream PR [#42499](https://github.com/cilium/cilium/issues/42499), [@mhofstetter](https://github.com/mhofstetter)) - Fix BGP operator crash when bgp-secrets-namespace not set. (Backport PR [#42577](https://github.com/cilium/cilium/issues/42577), Upstream PR [#42425](https://github.com/cilium/cilium/issues/42425), [@rastislavs](https://github.com/rastislavs)) - Fix cilium\_operator\_lbipam\_conflicting\_pools metric to report correct value. (Backport PR [#42289](https://github.com/cilium/cilium/issues/42289), Upstream PR [#41999](https://github.com/cilium/cilium/issues/41999), [@hanapedia](https://github.com/hanapedia)) - Fix issue where fqdn GC starts too early that results in potentially missed ips in the IPCache (Backport PR [#42617](https://github.com/cilium/cilium/issues/42617), Upstream PR [#42502](https://github.com/cilium/cilium/issues/42502), [@odinuge](https://github.com/odinuge)) - Fix potential policy deadlock causing endpoint to use previous identity for policy calculation when endpoint changes identity (Backport PR [#42617](https://github.com/cilium/cilium/issues/42617), Upstream PR [#42420](https://github.com/cilium/cilium/issues/42420), [@odinuge](https://github.com/odinuge)) - Fix the output of cilium lrp list command to show LRP selected backends. (Backport PR [#42577](https://github.com/cilium/cilium/issues/42577), Upstream PR [#42110](https://github.com/cilium/cilium/issues/42110), [@Bigdelle](https://github.com/Bigdelle)) - Fix trace aggregation for IPv4 Host Firewall, reducing the amount of generated events. (Backport PR [#42617](https://github.com/cilium/cilium/issues/42617), Upstream PR [#42595](https://github.com/cilium/cilium/issues/42595), [@smagnani96](https://github.com/smagnani96)) - fix: Panic during endpoint restore due to nil logger (Backport PR [#42450](https://github.com/cilium/cilium/issues/42450), Upstream PR [#42385](https://github.com/cilium/cilium/issues/42385), [@pinaki-08](https://github.com/pinaki-08)) - gatewayAPI: correctly handle reference to CGCC as cluster-scoped resource instead of namespaced one (Backport PR [#42289](https://github.com/cilium/cilium/issues/42289), Upstream PR [#42172](https://github.com/cilium/cilium/issues/42172), [@oblazek](https://github.com/oblazek)) - operator/ciliumenvoyconfig: consistently propagate --http-stream-idle-timeout value (Backport PR [#42577](https://github.com/cilium/cilium/issues/42577), Upstream PR [#42495](https://github.com/cilium/cilium/issues/42495), [@tklauser](https://github.com/tklauser)) - policy: prevent incorrect mutation of network policy when using policy-default-local-cluster (Backport PR [#42698](https://github.com/cilium/cilium/issues/42698), Upstream PR [#42668](https://github.com/cilium/cilium/issues/42668), [@MrFreezeex](https://github.com/MrFreezeex)) - Preventing removal of existing tproxy iptables rules for other services when they share a name prefix. (Backport PR [#42450](https://github.com/cilium/cilium/issues/42450), Upstream PR [#42236](https://github.com/cilium/cilium/issues/42236), [@dackroyd](https://github.com/dackroyd)) - When using the Egress Strict Mode for Transparent Encryption with Wireguard, packets destined to the local host are no longer excluded from encryption enforcement (when leaving the node), and will be dropped. (Backport PR [#42450](https://github.com/cilium/cilium/issues/42450), Upstream PR [#42419](https://github.com/cilium/cilium/issues/42419), [@julianwiedmann](https://github.com/julianwiedmann)) **CI Changes:** - .github/actions/e2e: define static job names (Backport PR [#42435](https://github.com/cilium/cilium/issues/42435), Upstream PR [#42332](https://github.com/cilium/cilium/issues/42332), [@aanm](https://github.com/aanm)) - \[v1.18] .github/workflows: Add base-SHA input to ariane triggered workflows ([#42192](https://github.com/cilium/cilium/issues/42192), [@dylandreimerink](https://github.com/dylandreimerink)) - ci: Allow for alpine image overwrite within cache Dockerfile (Backport PR [#42289](https://github.com/cilium/cilium/issues/42289), Upstream PR [#42108](https://github.com/cilium/cilium/issues/42108), [@jpayne3506](https://github.com/jpayne3506)) - conformance-aws-cni: disable l7 proxy with aws-cni (Backport PR [#42617](https://github.com/cilium/cilium/issues/42617), Upstream PR [#42578](https://github.com/cilium/cilium/issues/42578), [@aanm](https://github.com/aanm)) - Deflake TestNodeManagerAbortReleaseIPReassignment (Backport PR [#42577](https://github.com/cilium/cilium/issues/42577), Upstream PR [#42276](https://github.com/cilium/cilium/issues/42276), [@lconnery](https://github.com/lconnery)) - gh: ginkgo: fix focus for service hairpin test (Backport PR [#42641](https://github.com/cilium/cilium/issues/42641), Upstream PR [#42633](https://github.com/cilium/cilium/issues/42633), [@julianwiedmann](https://github.com/julianwiedmann)) - gh: ginkgo: reduce number of tested k8s versions in PRs (Backport PR [#42470](https://github.com/cilium/cilium/issues/42470), Upstream PR [#42465](https://github.com/cilium/cilium/issues/42465), [@julianwiedmann](https://github.com/julianwiedmann)) - gh: ginkgo: replace rhel8 with 5.10 kernel (Backport PR [#42449](https://github.com/cilium/cilium/issues/42449), Upstream PR [#42084](https://github.com/cilium/cilium/issues/42084), [@julianwiedmann](https://github.com/julianwiedmann)) - gha/conformance-clustermesh: let service nodeport be selected randomly (Backport PR [#42617](https://github.com/cilium/cilium/issues/42617), Upstream PR [#41697](https://github.com/cilium/cilium/issues/41697), [@giorio94](https://github.com/giorio94)) - gha: allow configuring runner for workflows building Cilium binaries (Backport PR [#42617](https://github.com/cilium/cilium/issues/42617), Upstream PR [#42582](https://github.com/cilium/cilium/issues/42582), [@giorio94](https://github.com/giorio94)) - Testing for RHEL8 compatibility now uses a RHEL8.10-compatible kernel (previously this was a RHEL8.6-compatible kernel). (Backport PR [#42604](https://github.com/cilium/cilium/issues/42604), Upstream PR [#41639](https://github.com/cilium/cilium/issues/41639), [@julianwiedmann](https://github.com/julianwiedmann)) **Misc Changes:** - \[v1.18] deps: bump CNI plugins version ([#42443](https://github.com/cilium/cilium/issues/42443), [@ferozsalam](https://github.com/ferozsalam)) - bpf: host: remove stale code comment (Backport PR [#42450](https://github.com/cilium/cilium/issues/42450), Upstream PR [#42237](https://github.com/cilium/cilium/issues/42237), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: lxc: always set identity mark on forwarded egressing traffic (Backport PR [#42617](https://github.com/cilium/cilium/issues/42617), Upstream PR [#42551](https://github.com/cilium/cilium/issues/42551), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: nodeport: don't include EGW reply hook in bpf\_wireguard (Backport PR [#42450](https://github.com/cilium/cilium/issues/42450), Upstream PR [#42187](https://github.com/cilium/cilium/issues/42187), [@julianwiedmann](https://github.com/julianwiedmann)) - chore(deps): update all github action dependencies (v1.18) ([#42397](https://github.com/cilium/cilium/issues/42397), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#42541](https://github.com/cilium/cilium/issues/42541), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#42682](https://github.com/cilium/cilium/issues/42682), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.18.8 (v1.18) ([#42346](https://github.com/cilium/cilium/issues/42346), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/busybox:1.37.0 docker digest to [`e3652a0`](https://github.com/cilium/cilium/commit/e3652a0) (v1.18) ([#42539](https://github.com/cilium/cilium/issues/42539), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.10 docker digest to [`c3ea417`](https://github.com/cilium/cilium/commit/c3ea417) (v1.18) ([#42679](https://github.com/cilium/cilium/issues/42679), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.9 docker digest to [`5034fa4`](https://github.com/cilium/cilium/commit/5034fa4) (v1.18) ([#42396](https://github.com/cilium/cilium/issues/42396), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update github artifact actions (v1.18) ([#42398](https://github.com/cilium/cilium/issues/42398), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.24.10 (v1.18) ([#42621](https://github.com/cilium/cilium/issues/42621), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.10-1762597008-ff7ae7d623be00078865cff1b0672cc5d9bfc6d5 (v1.18) ([#42680](https://github.com/cilium/cilium/issues/42680), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-llvm docker tag to v1758805548 (v1.18) ([#42399](https://github.com/cilium/cilium/issues/42399), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#42540](https://github.com/cilium/cilium/issues/42540), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#42681](https://github.com/cilium/cilium/issues/42681), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - ci: Add workflow permissions for auto-approve and renovate (Backport PR [#42450](https://github.com/cilium/cilium/issues/42450), Upstream PR [#42281](https://github.com/cilium/cilium/issues/42281), [@kyle-c-simmons](https://github.com/kyle-c-simmons)) - ci: Fix call-backport-label-updater permissions (Backport PR [#42450](https://github.com/cilium/cilium/issues/42450), Upstream PR [#42510](https://github.com/cilium/cilium/issues/42510), [@kyle-c-simmons](https://github.com/kyle-c-simmons)) - ci: Update hubble test workflow permissions (Backport PR [#42450](https://github.com/cilium/cilium/issues/42450), Upstream PR [#41911](https://github.com/cilium/cilium/issues/41911), [@kyle-c-simmons](https://github.com/kyle-c-simmons)) - cilium, routes: Downgrade warning on direct-routing-skip-unreachable (Backport PR [#42289](https://github.com/cilium/cilium/issues/42289), Upstream PR [#42210](https://github.com/cilium/cilium/issues/42210), [@borkmann](https://github.com/borkmann)) - docs: tuning: remove some references to old kernels (Backport PR [#42617](https://github.com/cilium/cilium/issues/42617), Upstream PR [#42601](https://github.com/cilium/cilium/issues/42601), [@julianwiedmann](https://github.com/julianwiedmann)) - Docs: update fragmentation docs to reflect ipv6 (Backport PR [#42289](https://github.com/cilium/cilium/issues/42289), Upstream PR [#41748](https://github.com/cilium/cilium/issues/41748), [@tommyp1ckles](https://github.com/tommyp1ckles)) - fix: run post-release and publish-helm workflows on cilium org (Backport PR [#42450](https://github.com/cilium/cilium/issues/42450), Upstream PR [#42279](https://github.com/cilium/cilium/issues/42279), [@sekhar-isovalent](https://github.com/sekhar-isovalent)) - loadbalancer: fix up code comment (Backport PR [#42450](https://github.com/cilium/cilium/issues/42450), Upstream PR [#42273](https://github.com/cilium/cilium/issues/42273), [@julianwiedmann](https://github.com/julianwiedmann)) - Log proxy instance creation at debug level (Backport PR [#42617](https://github.com/cilium/cilium/issues/42617), Upstream PR [#42319](https://github.com/cilium/cilium/issues/42319), [@sjohnsonpal](https://github.com/sjohnsonpal)) - operator: Prevent panic when GCing identities (Backport PR [#42289](https://github.com/cilium/cilium/issues/42289), Upstream PR [#42217](https://github.com/cilium/cilium/issues/42217), [@HadrienPatte](https://github.com/HadrienPatte)) - pkg/nodediscover: Don't log warnings for intermittent updates (Backport PR [#42577](https://github.com/cilium/cilium/issues/42577), Upstream PR [#42505](https://github.com/cilium/cilium/issues/42505), [@aditighag](https://github.com/aditighag)) **Other Changes:** - \[v1.18] ipam: fix TestNodeManagerAbortReleaseIPReassignment test ([#42636](https://github.com/cilium/cilium/issues/42636), [@rastislavs](https://github.com/rastislavs)) - \[v1.18] test: ginkgo: skip BPF masq tests on configs without external node ([#42462](https://github.com/cilium/cilium/issues/42462), [@julianwiedmann](https://github.com/julianwiedmann)) - install: Update image digests for v1.18.3 ([#42344](https://github.com/cilium/cilium/issues/42344), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f` `quay.io/cilium/cilium:stable@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.18.4@sha256:c240a7cbead5479d9085b5e837977bf6750164167a1c9f956720815d160d447d` `quay.io/cilium/clustermesh-apiserver:stable@sha256:c240a7cbead5479d9085b5e837977bf6750164167a1c9f956720815d160d447d` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.18.4@sha256:5ec897904e4bd9784df8353b1bdc3559f541f4ca5957103addd46b600430888a` `quay.io/cilium/docker-plugin:stable@sha256:5ec897904e4bd9784df8353b1bdc3559f541f4ca5957103addd46b600430888a` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.18.4@sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723` `quay.io/cilium/hubble-relay:stable@sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.18.4@sha256:c57d07e5dde3a1974c5cd5d46596db5ea7264f66e9e4ce98a59236aa88b857f7` `quay.io/cilium/operator-alibabacloud:stable@sha256:c57d07e5dde3a1974c5cd5d46596db5ea7264f66e9e4ce98a59236aa88b857f7` ##### operator-aws `quay.io/cilium/operator-aws:v1.18.4@sha256:f4c19007a804d37c781d6c8982006c5f1d8a890941036f9ab285e517fd181336` `quay.io/cilium/operator-aws:stable@sha256:f4c19007a804d37c781d6c8982006c5f1d8a890941036f9ab285e517fd181336` ##### operator-azure `quay.io/cilium/operator-azure:v1.18.4@sha256:19e7465ec8b151ec444757b6ce583b7a0d1e5e9fc5e3aef31d90e93019f599ca` `quay.io/cilium/operator-azure:stable@sha256:19e7465ec8b151ec444757b6ce583b7a0d1e5e9fc5e3aef31d90e93019f599ca` ##### operator-generic `quay.io/cilium/operator-generic:v1.18.4@sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012` `quay.io/cilium/operator-generic:stable@sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012` ##### operator `quay.io/cilium/operator:v1.18.4@sha256:78a4f6fb8da0556ed3648aeb789988bd2cb6847c805fb73e381f3e3b17dce0a5` `quay.io/cilium/operator:stable@sha256:78a4f6fb8da0556ed3648aeb789988bd2cb6847c805fb73e381f3e3b17dce0a5` </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on Tuesday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate added 1 commit 2026-02-03 01:02:43 +01:00

chore(deps): update helm release cilium to v1.18.6 c6bf95bfa5

Peter merged commit e0296b52f6 into main

2026-02-03 11:15:13 +01:00

Peter referenced this pull request from a commit

2026-02-03 11:15:14 +01:00

Merge pull request 'chore(deps): update helm release cilium to v1.18.6' (#4) from renovate/cilium-1.x into main

No reviewers

No labels

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: wheatley/kubernetes#4

No description provided.

Rows
Columns

chore(deps): update helm release cilium to v1.18.6 #4

Release Notes

v1.18.6: 1.18.6

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.18.5: 1.18.5

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.18.4: 1.18.4

Security Advisories

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

Configuration

`v1.18.6`: 1.18.6

`v1.18.5`: 1.18.5

`v1.18.4`: 1.18.4