Skip to content

feat(hubble): Add support for VRRP and IGMP protocols#41949

Merged
pchaigno merged 2 commits intocilium:mainfrom
kyounghunJang:feature/hubble-flows-vrrp-igmp
Oct 13, 2025
Merged

feat(hubble): Add support for VRRP and IGMP protocols#41949
pchaigno merged 2 commits intocilium:mainfrom
kyounghunJang:feature/hubble-flows-vrrp-igmp

Conversation

@kyounghunJang
Copy link
Copy Markdown
Contributor

@kyounghunJang kyounghunJang commented Sep 30, 2025
edited by aditighag
Loading

Please ensure your pull request adheres to the following guidelines:

  • For first time contributors, read Submitting a pull request
  • All code is covered by unit and/or runtime tests where feasible.
  • All commits contain a well written commit description including a title,
    description and a Fixes: #XXX line if the commit addresses a particular
    GitHub issue.
  • If your commit description contains a Fixes: <commit-id> tag, then
    please add the commit author[s] as reviewer[s] to this issue.
  • All commits are signed off. See the section Developer’s Certificate of Origin
  • Provide a title or release-note blurb suitable for the release notes.
  • Are you a user of Cilium? Please add yourself to the Users doc
  • Thanks for contributing!

Description

This PR extends Hubble to support VRRP and IGMP protocols, allowing flows with these protocols to be correctly correlated and filtered, as requested in issue #41687.

The implementation is broken down into the following logical changes:

  • Extended the flow.proto API definition to include VRRP and IGMP.
  • Implemented the full backend logic in the Hubble parser, correlator, and filters to handle the new protocols.
  • Added unit tests to ensure the new protocol filters work as expected.

Hubble observe (IGMP):

root@opensource:/home/cilium# hubble observe --protocol IGMP -f
Oct 11 12:47:41.035: 10.178.0.3 (host) <> 224.0.0.22 (world) to-network FORWARDED (IGMP IGMPv3 Membership Report)
Oct 11 12:47:41.102: 10.178.0.3 (host) <> 224.0.0.22 (world) to-network FORWARDED (IGMP IGMPv3 Membership Report)

Hubble observe (VRRP):

root@opensource:/home/cilium# hubble observe --protocol VRRP -f
Oct 11 12:48:26.896: 10.178.0.3 (host) <> 192.168.1.10 (world) to-network FORWARDED (VRRP VRRPv2 Advertisement)
Oct 11 12:48:26.896: 10.178.0.3 (host) <> 192.168.1.11 (world) to-network FORWARDED (VRRP VRRPv2 Advertisement)

Fixes: #41687

Extend Hubble parsers to support VRRP and IGMP protocols.

@kyounghunJang kyounghunJang requested review from a team as code owners September 30, 2025 06:12
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Sep 30, 2025
@github-actions github-actions bot added sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. kind/community-contribution This was a contribution made by a community member. labels Sep 30, 2025
gandro
gandro reviewed Sep 30, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@gandro gandro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! From a first glance, this looks very reasonable. Have you actually tested this in a running system?

@kyounghunJang
Copy link
Copy Markdown
Contributor Author

kyounghunJang commented Oct 1, 2025

@gandro
Hi! I tested this by generating VRRP/IGMP packets using Scapy, and confirmed that hubble observe --protocol vrrp/igmp captured them correctly. Should I perform any additional tests?

@gandro
Copy link
Copy Markdown
Member

gandro commented Oct 1, 2025

@gandro Hi! I tested this by generating VRRP/IGMP packets using Scapy, and confirmed that hubble observe --protocol vrrp/igmp captured them correctly. Should I perform any additional tests?

No, that's all that is needed! Thanks a lot

gandro
gandro reviewed Oct 1, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@gandro gandro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did another review. This still looks good, though there is a bit of a question of what we want to extract from the protocols. I have left some inline feedback, but I think maybe for now just having type might be enough?

gandro
gandro requested changes Oct 2, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@gandro gandro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing the feedback! Some minor changes requested still

@kyounghunJang kyounghunJang force-pushed the feature/hubble-flows-vrrp-igmp branch 2 times, most recently from b543cf1 to 637daca Compare October 2, 2025 14:57
@kyounghunJang
feat(api): Extend Hubble flow proto with VRRP and IGMP
f033b9b 
The policy engine now supports VRRP and IGMP. This commit extends
the L4 protocol enumeration in the Hubble flow proto definition to
include VRRP and IGMP.

Fixes: cilium#41687
Signed-off-by: Kyounghoon Jang <[email protected]>
@kyounghunJang kyounghunJang force-pushed the feature/hubble-flows-vrrp-igmp branch from 637daca to 7a3e69b Compare October 2, 2025 15:07
@kyounghunJang
Copy link
Copy Markdown
Contributor Author

kyounghunJang commented Oct 2, 2025

@gandro
Thanks for the feedback! I’ve made the updates.

@kyounghunJang kyounghunJang requested a review from gandro October 3, 2025 11:01
gandro
gandro reviewed Oct 6, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@gandro gandro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! One last bit

@kyounghunJang kyounghunJang force-pushed the feature/hubble-flows-vrrp-igmp branch from 7a3e69b to e49ff4d Compare October 7, 2025 06:05
@kaworu kaworu requested a review from devodev October 7, 2025 07:42
gandro
gandro approved these changes Oct 7, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@gandro gandro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@gandro gandro added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/hubble Impacts hubble server or relay labels Oct 7, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Oct 7, 2025
@aditighag
Copy link
Copy Markdown
Member

aditighag commented Oct 8, 2025

Hi @kyounghunJang This is almost ready for merge. Could you address @devodev's comments - #41949 (review)?

auto-merge was automatically disabled October 9, 2025 06:36

Head branch was pushed to by a user without write access

@kyounghunJang kyounghunJang force-pushed the feature/hubble-flows-vrrp-igmp branch 2 times, most recently from 1f7a6a7 to 0c45913 Compare October 9, 2025 09:06
@gandro
Copy link
Copy Markdown
Member

gandro commented Oct 9, 2025

@kyounghunJang Thanks for updating the PR. The dropemitter change mentioned above ideally still should be addressed

@kyounghunJang
feat(hubble): Implement backend support for VRRP/IGMP protocols
a1c7c8c 
With the new API definitions, this commit introduces the end-to-end
backend implementation for handling VRRP and IGMP.

This includes:
- Updating the packet parser and correlation logic to identify the new protocols.
- Implementing protocol-aware filters for Hubble flows.
- Adding metrics handlers to account for VRRP and IGMP.

Fixes: cilium#41687
Signed-off-by: Kyounghoon Jang <[email protected]>
@kyounghunJang kyounghunJang force-pushed the feature/hubble-flows-vrrp-igmp branch from 0c45913 to a1c7c8c Compare October 9, 2025 10:24
@kyounghunJang
Copy link
Copy Markdown
Contributor Author

kyounghunJang commented Oct 9, 2025

@aditighag @gandro
Thank you for the feedback. I realized I had missed that, and I’ve now incorporated it. I also apologize for the delayed response.

I am currently running tests to attach the Hubble flow test print results. When executing hubble observe --protocol vrrp/igmp, the packets are being captured as shown below, but they appear as DROPPED. Is this DROPPED status occurring due to missing code implementation?

Oct  9 10:23:01.769: default/igmp-client-6fcdd45745-2qk6f (ID:19957) <> 224.0.0.22 (world) CT: Unknown L4 protocol DROPPED (IGMP IGMPv3 Membership Report)
Oct  9 10:23:02.270: default/igmp-client-6fcdd45745-2qk6f (ID:19957) <> 224.0.0.22 (world) CT: Unknown L4 protocol DROPPED (IGMP IGMPv3 Membership Report)

@gandro
Copy link
Copy Markdown
Member

gandro commented Oct 9, 2025

@aditighag @gandro Thank you for the feedback. I realized I had missed that, and I’ve now incorporated it. I also apologize for the delayed response.

I am currently running tests to attach the Hubble flow test print results. When executing hubble observe --protocol vrrp/igmp, the packets are being captured as shown below, but they appear as DROPPED. Is this DROPPED status occurring due to missing code implementation?

Oct  9 10:23:01.769: default/igmp-client-6fcdd45745-2qk6f (ID:19957) <> 224.0.0.22 (world) CT: Unknown L4 protocol DROPPED (IGMP IGMPv3 Membership Report)
Oct  9 10:23:02.270: default/igmp-client-6fcdd45745-2qk6f (ID:19957) <> 224.0.0.22 (world) CT: Unknown L4 protocol DROPPED (IGMP IGMPv3 Membership Report)

Aditi might know more - looking at the commits in #39872 it seems like you might have enable passthrough of IGMP via enable-extended-ip-protocols configmap option

@gandro
Copy link
Copy Markdown
Member

gandro commented Oct 9, 2025

/test

@kyounghunJang
Copy link
Copy Markdown
Contributor Author

kyounghunJang commented Oct 9, 2025

@gandro @aditighag

Thank you for explaining the method. However, even with the enable-extended-ip-protocols option set to True, the same issue continues to occur. The host firewall is currently disabled. Is there any additional configuration that needs to be applied?

@pchaigno pchaigno enabled auto-merge October 9, 2025 16:05
@aditighag
Copy link
Copy Markdown
Member

aditighag commented Oct 9, 2025

Thank you for explaining the method. However, even with the enable-extended-ip-protocols option set to True, the same issue continues to occur. The host firewall is currently disabled. Is there any additional configuration that needs to be applied?

If you run cilium monitor --related-to <ep-id-client-pod>, it should tell you the line number corresponding to drops. That said, the VRRP and IGMP support was added for host firewall -- can you enable host firewall, and deploy a test pod in the host netns?

@kyounghunJang
Copy link
Copy Markdown
Contributor Author

kyounghunJang commented Oct 10, 2025

@aditighag

If you run cilium monitor --related-to <ep-id-client-pod>, it should tell you the line number corresponding to drops. That said, the VRRP and IGMP support was added for host firewall -- can you enable host firewall, and deploy a test pod in the host netns?

I have configured the test pod to use the host network namespace and enabled both Cilium host-firewall and enable-extended-ip-protocols. The CiliumClusterwideNetworkPolicy has also been applied. However, as a result, no IGMP packets are captured in hubble observe or cilium monitor.

When checking with tcpdump inside the Cilium agent pod, the packets are captured correctly, as shown below:

root@opensource:/home/cilium# tcpdump -i eth0 igmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:37:47.343491 IP opensource.asia-northeast3-c.c.gifted-monitor-473301-v2.internal > igmp.mcast.net: igmp v3 report, 1 group record(s)
09:37:47.706379 IP opensource.asia-northeast3-c.c.gifted-monitor-473301-v2.internal > igmp.mcast.net: igmp v3 report, 1 group record(s)
09:37:48.174440 IP opensource.asia-northeast3-c.c.gifted-monitor-473301-v2.internal > igmp.mcast.net: igmp v3 report, 1 group record(s)

Pod information, with host network namespace applied, is as follows:

default         igmp-client-7d6cdff749-bthpx         1/1     Running   0                71m     10.178.0.3   opensource   <none>           <none>
default         vrrp-test-64995cdf88-mnjnr           1/1     Running   1 (17h ago)      18h     10.178.0.3   opensource   <none>           <none>
kube-system     cilium-envoy-2rt8s                   1/1     Running   0                3h11m   10.178.0.3   opensource   <none>           <none>
kube-system     cilium-operator-6c775f78c9-28hfc     1/1     Running   0                3h11m   10.178.0.3   opensource   <none>           <none>
kube-system     cilium-skqq9                         1/1     Running   0                55m     10.178.0.3   opensource   <none>           <none>

Am I missing any configuration? Should I enable the Multicast Support feature in Cilium?
Thanks!

@aditighag
Copy link
Copy Markdown
Member

aditighag commented Oct 10, 2025

@aditighag

If you run cilium monitor --related-to <ep-id-client-pod>, it should tell you the line number corresponding to drops. That said, the VRRP and IGMP support was added for host firewall -- can you enable host firewall, and deploy a test pod in the host netns?

I have configured the test pod to use the host network namespace and enabled both Cilium host-firewall and enable-extended-ip-protocols. The CiliumClusterwideNetworkPolicy has also been applied. However, as a result, no IGMP packets are captured in hubble observe or cilium monitor.

Could you share your CCNP? Also, what's the output of $cilium bpf policy get <host-ep-id> when run from the cilium pods. You can get the host ep id by running $cilium endpoint list (look for reserved:host).
You can also set the monitor aggregation flag in cilium config map to none.

@kyounghunJang
Copy link
Copy Markdown
Contributor Author

kyounghunJang commented Oct 11, 2025

@aditighag

Thank you so much!!!
After setting the monitor aggregation flag in the Cilium config map to none, the capture finally worked correctly.
I’m sharing the Cilium monitor and Hubble observe outputs for both IGMP and VRRP protocols below.

Cilium monitor (IGMP):

root@opensource:/home/cilium# cilium monitor --related-to 1255 | grep vrrp
-> network flow 0x0 , identity host->unknown state unknown ifindex eth0 orig-ip 0.0.0.0: 10.178.0.3 -> 224.0.0.22 igmp IGMPv3 Membership Report 0.0.0.1
-> network flow 0x0 , identity host->unknown state unknown ifindex eth0 orig-ip 0.0.0.0: 10.178.0.3 -> 224.0.0.22 igmp IGMPv3 Membership Report 0.0.0.1

Hubble observe (IGMP):

root@opensource:/home/cilium# hubble observe --protocol IGMP -f
Oct 11 12:47:41.035: 10.178.0.3 (host) <> 224.0.0.22 (world) to-network FORWARDED (IGMP IGMPv3 Membership Report)
Oct 11 12:47:41.102: 10.178.0.3 (host) <> 224.0.0.22 (world) to-network FORWARDED (IGMP IGMPv3 Membership Report)

Cilium monitor (VRRP):

root@opensource:/home/cilium# cilium monitor --related-to 1255 | grep vrrp
-> network flow 0x0 , identity host->unknown state unknown ifindex eth0 orig-ip 0.0.0.0: 10.178.0.3 -> 192.168.1.10 vrrp VRRPv2 Advertisement 51 100
-> network flow 0x0 , identity host->unknown state unknown ifindex eth0 orig-ip 0.0.0.0: 10.178.0.3 -> 192.168.1.11 vrrp VRRPv2 Advertisement 51 100

Hubble observe (VRRP):

root@opensource:/home/cilium# hubble observe --protocol VRRP -f
Oct 11 12:48:26.896: 10.178.0.3 (host) <> 192.168.1.10 (world) to-network FORWARDED (VRRP VRRPv2 Advertisement)
Oct 11 12:48:26.896: 10.178.0.3 (host) <> 192.168.1.11 (world) to-network FORWARDED (VRRP VRRPv2 Advertisement)

@gandro gandro requested a review from devodev October 13, 2025 08:28
@pchaigno pchaigno added this pull request to the merge queue Oct 13, 2025
Merged via the queue into cilium:main with commit 5bd952f Oct 13, 2025
73 checks passed
@aditighag
Copy link
Copy Markdown
Member

aditighag commented Oct 14, 2025
edited
Loading

@aditighag

Thank you so much!!! After setting the monitor aggregation flag in the Cilium config map to none, the capture finally worked correctly. I’m sharing the Cilium monitor and Hubble observe outputs for both IGMP and VRRP protocols below.

Perfect! Looks great -- I copied the Hubble flows snippet to the PR description.

@cilium-release-bot cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Feb 5, 2026
@alexlebens
chore(deps): update helm release cilium to v1.19.0 (#3699)
5490094 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | minor | `1.18.6` → `1.19.0` |

---

### Release Notes

<details>
<summary>cilium/cilium (cilium)</summary>

### [`v1.19.0`](https://github.com/cilium/cilium/releases/tag/v1.19.0): 1.19.0

[Compare Source](cilium/cilium@1.18.6...1.19.0)

🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium 1.19.0](https://github.com/cilium/cilium/releases/tag/v1.19.0) release!

A total of **2934 new commits** have been contributed to this release by a growing community of over **1010 developers** and over **23,600 GitHub stars**! 🤩

⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the [Upgrade Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes) for more details.

The full changelog can be found [here](https://github.com/cilium/cilium/blob/v1.19/CHANGELOG.md).

Here are some of the highlights:

- 🛡️ **Network Policy**
  - 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern prefix. ([cilium/cilium#43420](cilium/cilium#43420), [@&#8203;fristonio](https://github.com/fristonio))
  - 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols in host firewall rules. ([cilium/cilium#39872](cilium/cilium#39872), [@&#8203;aditighag](https://github.com/aditighag); [cilium/cilium#41949](cilium/cilium#41949), [@&#8203;kyounghunJang](https://github.com/kyounghunJang))
  - ⛔ **Actively Deny Connections**: When Network Policies deny a connection, Cilium can return ICMPv4 "Destination unreachable" messages for a friendlier deny. ([cilium/cilium#41406](cilium/cilium#41406), [@&#8203;antonipp](https://github.com/antonipp))
  - 🌐 **Select Clusters Explicitly**: When network policy selectors don't explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster. ([cilium/cilium#40609](cilium/cilium#40609), [@&#8203;MrFreezeex](https://github.com/MrFreezeex))
  - 🔧 **Unlock Future Work**: This release brings several internal improvements to the network policy engine in preparation for features planned in the next Cilium minor release ([cilium/cilium#39906](cilium/cilium#39906), [@&#8203;vipul-21](https://github.com/vipul-21); [cilium/cilium#42784](cilium/cilium#42784), [cilium/cilium#42896](cilium/cilium#42896), [@&#8203;jrajahalme](https://github.com/jrajahalme))
  - ⚠️ **Deprecate underutilized features**: To focus on solving common problems Cilium users face, this release deprecates the Kafka protocol match fields (beta), as well as the `ToRequires` and `FromRequires` policy fields. ([cilium/cilium#43167](cilium/cilium#43167), [@&#8203;sayboras](https://github.com/sayboras); [cilium/cilium#40967](cilium/cilium#40967), [@&#8203;TheBeeZee](https://github.com/TheBeeZee))

- 🔒 **Encryption & Authentication**
  - 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent encryption modes now support a "strict mode" to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode. ([cilium/cilium#39239](cilium/cilium#39239), [cilium/cilium#42115](cilium/cilium#42115), [@&#8203;rgo3](https://github.com/rgo3), [@&#8203;julianwiedmann](https://github.com/julianwiedmann))
  - 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which enables TCP connections between workloads to be transparently encrypted and authenticated. ([cilium/cilium#42766](cilium/cilium#42766), [cilium/cilium#42819](cilium/cilium#42819), [cilium/cilium#43227](cilium/cilium#43227) and others,  [@&#8203;ldelossa](https://github.com/ldelossa), [@&#8203;rgo3](https://github.com/rgo3), [@&#8203;nddq](https://github.com/nddq))
  - 👥 **Mutual Authentication**: The out-of-band [Mutual Authentication](https://docs.cilium.io/en/v1.19.0/network/servicemesh/mutual-authentication/mutual-authentication/) feature is now disabled by default, pending community feedback. If you have a requirement for mTLS, consider trying the new Ztunnel integration. ([cilium/cilium#42665](cilium/cilium#42665), [@&#8203;christarazi](https://github.com/christarazi))
  - ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF Host Routing for faster route lookups ([cilium/cilium#41997](cilium/cilium#41997), [@&#8203;pchaigno](https://github.com/pchaigno))

- 🚠 **Networking**
  - 🚀  **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP when communicating over UDP-based tunnels such as VXLAN and Geneve. ([cilium/cilium#43416](cilium/cilium#43416), [@&#8203;gentoo-root](https://github.com/gentoo-root))
  - 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum transmission unit (MTU) sizes for network paths using TCP. ([cilium/cilium#42012](cilium/cilium#42012), [cilium/cilium#43710](cilium/cilium#43710), [@&#8203;tommyp1ckles](https://github.com/tommyp1ckles))
  - 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay address family on dual-stack clusters. ([cilium/cilium#40324](cilium/cilium#40324), [@&#8203;pchaigno](https://github.com/pchaigno))
  - 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool IPAM feature to work with IPsec and direct routing modes, and promote it from Beta to Stable. ([cilium/cilium#40460](cilium/cilium#40460), [cilium/cilium#42191](cilium/cilium#42191), [@&#8203;pippolo84](https://github.com/pippolo84))
  - 🎭 **More Configurable Masquerade**: IP Masquerade configuration can now be customized for traffic sent to nodes in other IP subnets, and addresses in IPAM pools can be excluded from masquerade ([cilium/cilium#37568](cilium/cilium#37568), [@&#8203;behzad-mir](https://github.com/behzad-mir); [cilium/cilium#43380](cilium/cilium#43380), [@&#8203;alimehrabikoshki](https://github.com/alimehrabikoshki))

- 🕸️ **Services and Service Mesh**
  - 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery Advertisements for IPv6 Layer-2 Announcements. ([cilium/cilium#39648](cilium/cilium#39648), [@&#8203;msune](https://github.com/msune))
  - 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a Kubernetes "loopback service" using IPv6. ([cilium/cilium#39594](cilium/cilium#39594), [@&#8203;saiaunghlyanhtet](https://github.com/saiaunghlyanhtet))
  - ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes support for using GRPCRoute as well as HTTPRoute. ([cilium/cilium#41936](cilium/cilium#41936), [@&#8203;youngnick](https://github.com/youngnick))

- 🛣️ **Border Gateway Protocol (BGP)**
  - 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP advertisement type that allows advertisement of IPs assigned on local interfaces. This can be useful for example in multi-homing setups, where a common node's loopback address can be advertised via multiple BGP sessions over different network interfaces. ([cilium/cilium#42469](cilium/cilium#42469), [@&#8203;rastislavs](https://github.com/rastislavs))
  - ✉️ **Override Source IP addresses**: You can override the auto-generated BGP session source IP with the IP address applied on the configured `sourceInterface` to allow binding the BGP connection to the loopback address which is not tied to the specific physical interface's lifecycle ([cilium/cilium#42583](cilium/cilium#42583), [@&#8203;rastislavs](https://github.com/rastislavs))
  - 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a service has 0 endpoints, to allow balancing to a different DC/cluster with `externalTrafficPolicy=Cluster` ([cilium/cilium#40717](cilium/cilium#40717), [@&#8203;oblazek](https://github.com/oblazek))
  - ⚠️ **Move to `cilium.io/v2` API**: The support for the older `CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced with v2 APIs. ([cilium/cilium#42278](cilium/cilium#42278), [@&#8203;rastislavs](https://github.com/rastislavs))

- 🛰️ **Observability**
  - 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific packets through the cluster using IP Options. ([cilium/cilium#41306](cilium/cilium#41306), [@&#8203;Bigdelle](https://github.com/Bigdelle))
  - 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble` command line to understand the encryption status of the traffic, either `--encrypted` or `--unencrypted`. ([cilium/cilium#43096](cilium/cilium#43096), [@&#8203;SRodi](https://github.com/SRodi))
  - 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now include which Network Policy caused the drop. ([cilium/cilium#41693](cilium/cilium#41693), [@&#8203;41ks](https://github.com/41ks))

- 🌅 **Performance and Scale**
  - ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage for handling selectors in network policies. ([cilium/cilium#42008](cilium/cilium#42008), [@&#8203;jrajahalme](https://github.com/jrajahalme); [cilium/cilium#42580](cilium/cilium#42580), [@&#8203;odinuge](https://github.com/odinuge))
  - 🔌 **More Efficient Connection Tracking**: Several improvements have been made to reduce the number of connections being tracked by Cilium, particularly when using Geneve, VXLAN or WireGuard. ([cilium/cilium#38782](cilium/cilium#38782), [@&#8203;BenoitKnecht](https://github.com/BenoitKnecht); [cilium/cilium#41990](cilium/cilium#41990), [@&#8203;bersoare](https://github.com/bersoare))
  - 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in large AWS environments with many resources. ([cilium/cilium#42529](cilium/cilium#42529), [@&#8203;liyihuang](https://github.com/liyihuang))

- ⚙️ **Operations**
  - 📦 **Access Helm charts via Registry**: Helm charts are also available under `quay.io/cilium/charts/cilium` ([cilium/cilium#43624](cilium/cilium#43624), [@&#8203;aanm](https://github.com/aanm))
  - 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics exposed by the Cilium Operator. ([cilium/cilium#42077](cilium/cilium#42077), [@&#8203;phuhung273](https://github.com/phuhung273))
  - 🤖 **Easier Multi-Cluster install**: There's now support for auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster  Services (MCS). ([cilium/cilium#40729](cilium/cilium#40729), [@&#8203;MrFreezeex](https://github.com/MrFreezeex))
  - 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and Hubble certificate generation when using GitOps approaches. ([cilium/cilium#42298](cilium/cilium#42298), [@&#8203;MrFreezeex](https://github.com/MrFreezeex))
  - 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy v1.35, Gateway API v1.4, and GoBGP v3.37. ([cilium/cilium#43422](cilium/cilium#43422), [@&#8203;aanm](https://github.com/aanm); [cilium/cilium#40569](cilium/cilium#40569), [@&#8203;sayboras](https://github.com/sayboras); [cilium/cilium#41936](cilium/cilium#41936), [@&#8203;youngnick](https://github.com/youngnick); [cilium/cilium#42824](cilium/cilium#42824), [@&#8203;rastislavs](https://github.com/rastislavs)).

- 🏠 **Community**
  - ❤️ **Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!
  - 📰 See studies with [Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546), [Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[ Cybozu](https://www.cncf.io/case-studies/cybozu/), [ESnet](https://www.cncf.io/case-studies/esnet/),[ Nutanix](https://www.cncf.io/case-studies/nutanix/), [OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/), [TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/).
  - 🇺🇸 **Atlanta Events**: The community gathered at [CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/blob/main/2025-NA/README.md) in Atlanta.
  - 🇳🇱 **Amsterdam Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2026-EU) in Amsterdam, March 23-27. [Read more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/) about where to find Cilium during the show.
  - 🔟 **Cilium is 10**: Read the [2025 Cilium Annual Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf) to see the latest project milestones, a decade on from its first commit.

To keep up to date with all the latest Cilium releases, join #release 🎉

:birthday::heart::heart::heart::birthday:
This is a very special release for Cilium, as it celebrates **10 years** since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today.
:birthday::heart::heart::heart::birthday:

##### Docker Manifests

##### cilium

`quay.io/cilium/cilium:v1.19.0@&#8203;sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60`

##### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.19.0@&#8203;sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49`

##### docker-plugin

`quay.io/cilium/docker-plugin:v1.19.0@&#8203;sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50`

##### hubble-relay

`quay.io/cilium/hubble-relay:v1.19.0@&#8203;sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4`

##### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.19.0@&#8203;sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0`

##### operator-aws

`quay.io/cilium/operator-aws:v1.19.0@&#8203;sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6`

##### operator-azure

`quay.io/cilium/operator-azure:v1.19.0@&#8203;sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a`

##### operator-generic

`quay.io/cilium/operator-generic:v1.19.0@&#8203;sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648`

##### operator

`quay.io/cilium/operator:v1.19.0@&#8203;sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65`

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4wLjIiLCJ1cGRhdGVkSW5WZXIiOiI0My4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImNoYXJ0Il19-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3699
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Feb 5, 2026
@alexlebens
chore(deps): update dependency cilium/cilium to v1.19.0 (#3715)
98f4023 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cilium/cilium](https://github.com/cilium/cilium) | minor | `1.18.6` → `1.19.0` |

---

### Release Notes

<details>
<summary>cilium/cilium (cilium/cilium)</summary>

### [`v1.19.0`](https://github.com/cilium/cilium/releases/tag/v1.19.0): 1.19.0

[Compare Source](cilium/cilium@1.18.6...1.19.0)

🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium 1.19.0](https://github.com/cilium/cilium/releases/tag/v1.19.0) release!

A total of **2934 new commits** have been contributed to this release by a growing community of over **1010 developers** and over **23,600 GitHub stars**! 🤩

⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the [Upgrade Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes) for more details.

The full changelog can be found [here](https://github.com/cilium/cilium/blob/v1.19/CHANGELOG.md).

Here are some of the highlights:

- 🛡️ **Network Policy**
  - 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern prefix. ([cilium/cilium#43420](cilium/cilium#43420), [@&#8203;fristonio](https://github.com/fristonio))
  - 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols in host firewall rules. ([cilium/cilium#39872](cilium/cilium#39872), [@&#8203;aditighag](https://github.com/aditighag); [cilium/cilium#41949](cilium/cilium#41949), [@&#8203;kyounghunJang](https://github.com/kyounghunJang))
  - ⛔ **Actively Deny Connections**: When Network Policies deny a connection, Cilium can return ICMPv4 "Destination unreachable" messages for a friendlier deny. ([cilium/cilium#41406](cilium/cilium#41406), [@&#8203;antonipp](https://github.com/antonipp))
  - 🌐 **Select Clusters Explicitly**: When network policy selectors don't explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster. ([cilium/cilium#40609](cilium/cilium#40609), [@&#8203;MrFreezeex](https://github.com/MrFreezeex))
  - 🔧 **Unlock Future Work**: This release brings several internal improvements to the network policy engine in preparation for features planned in the next Cilium minor release ([cilium/cilium#39906](cilium/cilium#39906), [@&#8203;vipul-21](https://github.com/vipul-21); [cilium/cilium#42784](cilium/cilium#42784), [cilium/cilium#42896](cilium/cilium#42896), [@&#8203;jrajahalme](https://github.com/jrajahalme))
  - ⚠️ **Deprecate underutilized features**: To focus on solving common problems Cilium users face, this release deprecates the Kafka protocol match fields (beta), as well as the `ToRequires` and `FromRequires` policy fields. ([cilium/cilium#43167](cilium/cilium#43167), [@&#8203;sayboras](https://github.com/sayboras); [cilium/cilium#40967](cilium/cilium#40967), [@&#8203;TheBeeZee](https://github.com/TheBeeZee))

- 🔒 **Encryption & Authentication**
  - 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent encryption modes now support a "strict mode" to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode. ([cilium/cilium#39239](cilium/cilium#39239), [cilium/cilium#42115](cilium/cilium#42115), [@&#8203;rgo3](https://github.com/rgo3), [@&#8203;julianwiedmann](https://github.com/julianwiedmann))
  - 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which enables TCP connections between workloads to be transparently encrypted and authenticated. ([cilium/cilium#42766](cilium/cilium#42766), [cilium/cilium#42819](cilium/cilium#42819), [cilium/cilium#43227](cilium/cilium#43227) and others,  [@&#8203;ldelossa](https://github.com/ldelossa), [@&#8203;rgo3](https://github.com/rgo3), [@&#8203;nddq](https://github.com/nddq))
  - 👥 **Mutual Authentication**: The out-of-band [Mutual Authentication](https://docs.cilium.io/en/v1.19.0/network/servicemesh/mutual-authentication/mutual-authentication/) feature is now disabled by default, pending community feedback. If you have a requirement for mTLS, consider trying the new Ztunnel integration. ([cilium/cilium#42665](cilium/cilium#42665), [@&#8203;christarazi](https://github.com/christarazi))
  - ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF Host Routing for faster route lookups ([cilium/cilium#41997](cilium/cilium#41997), [@&#8203;pchaigno](https://github.com/pchaigno))

- 🚠 **Networking**
  - 🚀  **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP when communicating over UDP-based tunnels such as VXLAN and Geneve. ([cilium/cilium#43416](cilium/cilium#43416), [@&#8203;gentoo-root](https://github.com/gentoo-root))
  - 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum transmission unit (MTU) sizes for network paths using TCP. ([cilium/cilium#42012](cilium/cilium#42012), [cilium/cilium#43710](cilium/cilium#43710), [@&#8203;tommyp1ckles](https://github.com/tommyp1ckles))
  - 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay address family on dual-stack clusters. ([cilium/cilium#40324](cilium/cilium#40324), [@&#8203;pchaigno](https://github.com/pchaigno))
  - 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool IPAM feature to work with IPsec and direct routing modes, and promote it from Beta to Stable. ([cilium/cilium#40460](cilium/cilium#40460), [cilium/cilium#42191](cilium/cilium#42191), [@&#8203;pippolo84](https://github.com/pippolo84))
  - 🎭 **More Configurable Masquerade**: IP Masquerade configuration can now be customized for traffic sent to nodes in other IP subnets, and addresses in IPAM pools can be excluded from masquerade ([cilium/cilium#37568](cilium/cilium#37568), [@&#8203;behzad-mir](https://github.com/behzad-mir); [cilium/cilium#43380](cilium/cilium#43380), [@&#8203;alimehrabikoshki](https://github.com/alimehrabikoshki))

- 🕸️ **Services and Service Mesh**
  - 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery Advertisements for IPv6 Layer-2 Announcements. ([cilium/cilium#39648](cilium/cilium#39648), [@&#8203;msune](https://github.com/msune))
  - 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a Kubernetes "loopback service" using IPv6. ([cilium/cilium#39594](cilium/cilium#39594), [@&#8203;saiaunghlyanhtet](https://github.com/saiaunghlyanhtet))
  - ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes support for using GRPCRoute as well as HTTPRoute. ([cilium/cilium#41936](cilium/cilium#41936), [@&#8203;youngnick](https://github.com/youngnick))

- 🛣️ **Border Gateway Protocol (BGP)**
  - 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP advertisement type that allows advertisement of IPs assigned on local interfaces. This can be useful for example in multi-homing setups, where a common node's loopback address can be advertised via multiple BGP sessions over different network interfaces. ([cilium/cilium#42469](cilium/cilium#42469), [@&#8203;rastislavs](https://github.com/rastislavs))
  - ✉️ **Override Source IP addresses**: You can override the auto-generated BGP session source IP with the IP address applied on the configured `sourceInterface` to allow binding the BGP connection to the loopback address which is not tied to the specific physical interface's lifecycle ([cilium/cilium#42583](cilium/cilium#42583), [@&#8203;rastislavs](https://github.com/rastislavs))
  - 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a service has 0 endpoints, to allow balancing to a different DC/cluster with `externalTrafficPolicy=Cluster` ([cilium/cilium#40717](cilium/cilium#40717), [@&#8203;oblazek](https://github.com/oblazek))
  - ⚠️ **Move to `cilium.io/v2` API**: The support for the older `CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced with v2 APIs. ([cilium/cilium#42278](cilium/cilium#42278), [@&#8203;rastislavs](https://github.com/rastislavs))

- 🛰️ **Observability**
  - 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific packets through the cluster using IP Options. ([cilium/cilium#41306](cilium/cilium#41306), [@&#8203;Bigdelle](https://github.com/Bigdelle))
  - 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble` command line to understand the encryption status of the traffic, either `--encrypted` or `--unencrypted`. ([cilium/cilium#43096](cilium/cilium#43096), [@&#8203;SRodi](https://github.com/SRodi))
  - 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now include which Network Policy caused the drop. ([cilium/cilium#41693](cilium/cilium#41693), [@&#8203;41ks](https://github.com/41ks))

- 🌅 **Performance and Scale**
  - ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage for handling selectors in network policies. ([cilium/cilium#42008](cilium/cilium#42008), [@&#8203;jrajahalme](https://github.com/jrajahalme); [cilium/cilium#42580](cilium/cilium#42580), [@&#8203;odinuge](https://github.com/odinuge))
  - 🔌 **More Efficient Connection Tracking**: Several improvements have been made to reduce the number of connections being tracked by Cilium, particularly when using Geneve, VXLAN or WireGuard. ([cilium/cilium#38782](cilium/cilium#38782), [@&#8203;BenoitKnecht](https://github.com/BenoitKnecht); [cilium/cilium#41990](cilium/cilium#41990), [@&#8203;bersoare](https://github.com/bersoare))
  - 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in large AWS environments with many resources. ([cilium/cilium#42529](cilium/cilium#42529), [@&#8203;liyihuang](https://github.com/liyihuang))

- ⚙️ **Operations**
  - 📦 **Access Helm charts via Registry**: Helm charts are also available under `quay.io/cilium/charts/cilium` ([cilium/cilium#43624](cilium/cilium#43624), [@&#8203;aanm](https://github.com/aanm))
  - 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics exposed by the Cilium Operator. ([cilium/cilium#42077](cilium/cilium#42077), [@&#8203;phuhung273](https://github.com/phuhung273))
  - 🤖 **Easier Multi-Cluster install**: There's now support for auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster  Services (MCS). ([cilium/cilium#40729](cilium/cilium#40729), [@&#8203;MrFreezeex](https://github.com/MrFreezeex))
  - 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and Hubble certificate generation when using GitOps approaches. ([cilium/cilium#42298](cilium/cilium#42298), [@&#8203;MrFreezeex](https://github.com/MrFreezeex))
  - 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy v1.35, Gateway API v1.4, and GoBGP v3.37. ([cilium/cilium#43422](cilium/cilium#43422), [@&#8203;aanm](https://github.com/aanm); [cilium/cilium#40569](cilium/cilium#40569), [@&#8203;sayboras](https://github.com/sayboras); [cilium/cilium#41936](cilium/cilium#41936), [@&#8203;youngnick](https://github.com/youngnick); [cilium/cilium#42824](cilium/cilium#42824), [@&#8203;rastislavs](https://github.com/rastislavs)).

- 🏠 **Community**
  - ❤️ **Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!
  - 📰 See studies with [Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546), [Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[ Cybozu](https://www.cncf.io/case-studies/cybozu/), [ESnet](https://www.cncf.io/case-studies/esnet/),[ Nutanix](https://www.cncf.io/case-studies/nutanix/), [OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/), [TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/).
  - 🇺🇸 **Atlanta Events**: The community gathered at [CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/blob/main/2025-NA/README.md) in Atlanta.
  - 🇳🇱 **Amsterdam Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2026-EU) in Amsterdam, March 23-27. [Read more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/) about where to find Cilium during the show.
  - 🔟 **Cilium is 10**: Read the [2025 Cilium Annual Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf) to see the latest project milestones, a decade on from its first commit.

To keep up to date with all the latest Cilium releases, join #release 🎉

:birthday::heart::heart::heart::birthday:
This is a very special release for Cilium, as it celebrates **10 years** since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today.
:birthday::heart::heart::heart::birthday:

#### Docker Manifests

##### cilium

`quay.io/cilium/cilium:v1.19.0@&#8203;sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60`

##### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.19.0@&#8203;sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49`

##### docker-plugin

`quay.io/cilium/docker-plugin:v1.19.0@&#8203;sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50`

##### hubble-relay

`quay.io/cilium/hubble-relay:v1.19.0@&#8203;sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4`

##### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.19.0@&#8203;sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0`

##### operator-aws

`quay.io/cilium/operator-aws:v1.19.0@&#8203;sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6`

##### operator-azure

`quay.io/cilium/operator-azure:v1.19.0@&#8203;sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a`

##### operator-generic

`quay.io/cilium/operator-generic:v1.19.0@&#8203;sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648`

##### operator

`quay.io/cilium/operator:v1.19.0@&#8203;sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65`

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4wLjMiLCJ1cGRhdGVkSW5WZXIiOiI0My4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImltYWdlIl19-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3715
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
lumiere-bot bot added a commit to coolguy1771/home-ops that referenced this pull request Feb 6, 2026
@lumiere-bot
feat(helm): update chart cilium ( 1.18.6 ➔ 1.19.0 ) (#7528)
7f77b01 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [cilium](https://cilium.io/)
([source](https://redirect.github.com/cilium/cilium)) | HelmChart |
minor | `1.18.6` → `1.19.0` |

---

### Release Notes

<details>
<summary>cilium/cilium (cilium)</summary>

###
[`v1.19.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.19.0):
1.19.0

[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.18.6...1.19.0)

🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium
1.19.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.19.0)
release!

A total of **2934 new commits** have been contributed to this release by
a growing community of over **1010 developers** and over **23,600 GitHub
stars**! 🤩

⚠️ You may need to take action during upgrade to Cilium v1.19 if you use
Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the
[Upgrade
Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes)
for more details.

The full changelog can be found
[here](https://redirect.github.com/cilium/cilium/blob/v1.19/CHANGELOG.md).

Here are some of the highlights:

- 🛡️ **Network Policy**
- 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support
a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern
prefix.
([cilium/cilium#43420](https://redirect.github.com/cilium/cilium/pull/43420),
[@&#8203;fristonio](https://redirect.github.com/fristonio))
- 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols
in host firewall rules.
([cilium/cilium#39872](https://redirect.github.com/cilium/cilium/pull/39872),
[@&#8203;aditighag](https://redirect.github.com/aditighag);
[cilium/cilium#41949](https://redirect.github.com/cilium/cilium/pull/41949),
[@&#8203;kyounghunJang](https://redirect.github.com/kyounghunJang))
- ⛔ **Actively Deny Connections**: When Network Policies deny a
connection, Cilium can return ICMPv4 "Destination unreachable" messages
for a friendlier deny.
([cilium/cilium#41406](https://redirect.github.com/cilium/cilium/pull/41406),
[@&#8203;antonipp](https://redirect.github.com/antonipp))
- 🌐 **Select Clusters Explicitly**: When network policy selectors don't
explicitly define a cluster for communication to be allowed, they will
now default to only allowing the local cluster.
([cilium/cilium#40609](https://redirect.github.com/cilium/cilium/pull/40609),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- 🔧 **Unlock Future Work**: This release brings several internal
improvements to the network policy engine in preparation for features
planned in the next Cilium minor release
([cilium/cilium#39906](https://redirect.github.com/cilium/cilium/pull/39906),
[@&#8203;vipul-21](https://redirect.github.com/vipul-21);
[cilium/cilium#42784](https://redirect.github.com/cilium/cilium/pull/42784),
[cilium/cilium#42896](https://redirect.github.com/cilium/cilium/pull/42896),
[@&#8203;jrajahalme](https://redirect.github.com/jrajahalme))
- ⚠️ **Deprecate underutilized features**: To focus on solving common
problems Cilium users face, this release deprecates the Kafka protocol
match fields (beta), as well as the `ToRequires` and `FromRequires`
policy fields.
([cilium/cilium#43167](https://redirect.github.com/cilium/cilium/pull/43167),
[@&#8203;sayboras](https://redirect.github.com/sayboras);
[cilium/cilium#40967](https://redirect.github.com/cilium/cilium/pull/40967),
[@&#8203;TheBeeZee](https://redirect.github.com/TheBeeZee))

- 🔒 **Encryption & Authentication**
- 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent
encryption modes now support a "strict mode" to require traffic to be
encrypted between nodes. Unencrypted traffic will be dropped in this
mode.
([cilium/cilium#39239](https://redirect.github.com/cilium/cilium/pull/39239),
[cilium/cilium#42115](https://redirect.github.com/cilium/cilium/pull/42115),
[@&#8203;rgo3](https://redirect.github.com/rgo3),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which
enables TCP connections between workloads to be transparently encrypted
and authenticated.
([cilium/cilium#42766](https://redirect.github.com/cilium/cilium/pull/42766),
[cilium/cilium#42819](https://redirect.github.com/cilium/cilium/pull/42819),
[cilium/cilium#43227](https://redirect.github.com/cilium/cilium/pull/43227)
and others, [@&#8203;ldelossa](https://redirect.github.com/ldelossa),
[@&#8203;rgo3](https://redirect.github.com/rgo3),
[@&#8203;nddq](https://redirect.github.com/nddq))
- 👥 **Mutual Authentication**: The out-of-band [Mutual
Authentication](https://docs.cilium.io/en/v1.19/network/servicemesh/mutual-authentication/mutual-authentication/)
feature is now disabled by default, pending community feedback. If you
have a requirement for mTLS, consider trying the new Ztunnel
integration.
([cilium/cilium#42665](https://redirect.github.com/cilium/cilium/pull/42665),
[@&#8203;christarazi](https://redirect.github.com/christarazi))
- ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF
Host Routing for faster route lookups
([cilium/cilium#41997](https://redirect.github.com/cilium/cilium/pull/41997),
[@&#8203;pchaigno](https://redirect.github.com/pchaigno))

- 🚠 **Networking**
- 🚀 **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP
when communicating over UDP-based tunnels such as VXLAN and Geneve.
([cilium/cilium#43416](https://redirect.github.com/cilium/cilium/pull/43416),
[@&#8203;gentoo-root](https://redirect.github.com/gentoo-root))
- 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum
transmission unit (MTU) sizes for network paths using TCP.
([cilium/cilium#42012](https://redirect.github.com/cilium/cilium/pull/42012),
[cilium/cilium#43710](https://redirect.github.com/cilium/cilium/pull/43710),
[@&#8203;tommyp1ckles](https://redirect.github.com/tommyp1ckles))
- 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay
address family on dual-stack clusters.
([cilium/cilium#40324](https://redirect.github.com/cilium/cilium/pull/40324),
[@&#8203;pchaigno](https://redirect.github.com/pchaigno))
- 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool
IPAM feature to work with IPsec and direct routing modes, and promote it
from Beta to Stable.
([cilium/cilium#40460](https://redirect.github.com/cilium/cilium/pull/40460),
[cilium/cilium#42191](https://redirect.github.com/cilium/cilium/pull/42191),
[@&#8203;pippolo84](https://redirect.github.com/pippolo84))
- 🎭 **More Configurable Masquerade**: IP Masquerade configuration can
now be customized for traffic sent to nodes in other IP subnets, and
addresses in IPAM pools can be excluded from masquerade
([cilium/cilium#37568](https://redirect.github.com/cilium/cilium/pull/37568),
[@&#8203;behzad-mir](https://redirect.github.com/behzad-mir);
[cilium/cilium#43380](https://redirect.github.com/cilium/cilium/pull/43380),
[@&#8203;alimehrabikoshki](https://redirect.github.com/alimehrabikoshki))

- 🕸️ **Services and Service Mesh**
- 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery
Advertisements for IPv6 Layer-2 Announcements.
([cilium/cilium#39648](https://redirect.github.com/cilium/cilium/pull/39648),
[@&#8203;msune](https://redirect.github.com/msune))
- 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a
Kubernetes "loopback service" using IPv6.
([cilium/cilium#39594](https://redirect.github.com/cilium/cilium/pull/39594),
[@&#8203;saiaunghlyanhtet](https://redirect.github.com/saiaunghlyanhtet))
- ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes
support for using GRPCRoute as well as HTTPRoute.
([cilium/cilium#41936](https://redirect.github.com/cilium/cilium/pull/41936),
[@&#8203;youngnick](https://redirect.github.com/youngnick))

- 🛣️ **Border Gateway Protocol (BGP)**
- 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP
advertisement type that allows advertisement of IPs assigned on local
interfaces. This can be useful for example in multi-homing setups, where
a common node's loopback address can be advertised via multiple BGP
sessions over different network interfaces.
([cilium/cilium#42469](https://redirect.github.com/cilium/cilium/pull/42469),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))
- ✉️ **Override Source IP addresses**: You can override the
auto-generated BGP session source IP with the IP address applied on the
configured `sourceInterface` to allow binding the BGP connection to the
loopback address which is not tied to the specific physical interface's
lifecycle
([cilium/cilium#42583](https://redirect.github.com/cilium/cilium/pull/42583),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))
- 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a
service has 0 endpoints, to allow balancing to a different DC/cluster
with `externalTrafficPolicy=Cluster`
([cilium/cilium#40717](https://redirect.github.com/cilium/cilium/pull/40717),
[@&#8203;oblazek](https://redirect.github.com/oblazek))
- ⚠️ **Move to `cilium.io/v2` API**: The support for the older
`CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced
with v2 APIs.
([cilium/cilium#42278](https://redirect.github.com/cilium/cilium/pull/42278),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))

- 🛰️ **Observability**
- 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific
packets through the cluster using IP Options.
([cilium/cilium#41306](https://redirect.github.com/cilium/cilium/pull/41306),
[@&#8203;Bigdelle](https://redirect.github.com/Bigdelle))
- 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble`
command line to understand the encryption status of the traffic, either
`--encrypted` or `--unencrypted`.
([cilium/cilium#43096](https://redirect.github.com/cilium/cilium/pull/43096),
[@&#8203;SRodi](https://redirect.github.com/SRodi))
- 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now
include which Network Policy caused the drop.
([cilium/cilium#41693](https://redirect.github.com/cilium/cilium/pull/41693),
[@&#8203;41ks](https://redirect.github.com/41ks))

- 🌅 **Performance and Scale**
- ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage
for handling selectors in network policies.
([cilium/cilium#42008](https://redirect.github.com/cilium/cilium/pull/42008),
[@&#8203;jrajahalme](https://redirect.github.com/jrajahalme);
[cilium/cilium#42580](https://redirect.github.com/cilium/cilium/pull/42580),
[@&#8203;odinuge](https://redirect.github.com/odinuge))
- 🔌 **More Efficient Connection Tracking**: Several improvements have
been made to reduce the number of connections being tracked by Cilium,
particularly when using Geneve, VXLAN or WireGuard.
([cilium/cilium#38782](https://redirect.github.com/cilium/cilium/pull/38782),
[@&#8203;BenoitKnecht](https://redirect.github.com/BenoitKnecht);
[cilium/cilium#41990](https://redirect.github.com/cilium/cilium/pull/41990),
[@&#8203;bersoare](https://redirect.github.com/bersoare))
- 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in
large AWS environments with many resources.
([cilium/cilium#42529](https://redirect.github.com/cilium/cilium/pull/42529),
[@&#8203;liyihuang](https://redirect.github.com/liyihuang))

- ⚙️ **Operations**
- 📦 **Access Helm charts via Registry**: Helm charts are also available
under `quay.io/cilium/charts/cilium`
([cilium/cilium#43624](https://redirect.github.com/cilium/cilium/pull/43624),
[@&#8203;aanm](https://redirect.github.com/aanm))
- 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics
exposed by the Cilium Operator.
([cilium/cilium#42077](https://redirect.github.com/cilium/cilium/pull/42077),
[@&#8203;phuhung273](https://redirect.github.com/phuhung273))
- 🤖 **Easier Multi-Cluster install**: There's now support for
auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster
Services (MCS).
([cilium/cilium#40729](https://redirect.github.com/cilium/cilium/pull/40729),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and
Hubble certificate generation when using GitOps approaches.
([cilium/cilium#42298](https://redirect.github.com/cilium/cilium/pull/42298),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy
v1.35, Gateway API v1.4, and GoBGP v3.37.
([cilium/cilium#43422](https://redirect.github.com/cilium/cilium/pull/43422),
[@&#8203;aanm](https://redirect.github.com/aanm);
[cilium/cilium#40569](https://redirect.github.com/cilium/cilium/pull/40569),
[@&#8203;sayboras](https://redirect.github.com/sayboras);
[cilium/cilium#41936](https://redirect.github.com/cilium/cilium/pull/41936),
[@&#8203;youngnick](https://redirect.github.com/youngnick);
[cilium/cilium#42824](https://redirect.github.com/cilium/cilium/pull/42824),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs)).

- 🏠 **Community**
- ❤️ **Production Case Studies**: Many end-users have stepped forward to
tell their stories running Cilium in production. If your company wants
to submit their case studies let us know. We would love to hear your
feedback!
- 📰 See studies with
[Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546),
[Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[
Cybozu](https://www.cncf.io/case-studies/cybozu/),
[ESnet](https://www.cncf.io/case-studies/esnet/),[
Nutanix](https://www.cncf.io/case-studies/nutanix/),
[OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/),
[TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of
Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/).
- 🇺🇸 **Atlanta Events**: The community gathered at
[CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ)
and the [Cilium Developer
Summit](https://redirect.github.com/cilium/dev-summits/blob/main/2025-NA/README.md)
in Atlanta.
- 🇳🇱 **Amsterdam Events**: Meet us at the upcoming
[CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/)
and [Cilium Developer
Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2026-EU)
in Amsterdam, March 23-27. [Read
more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/)
about where to find Cilium during the show.
- 🔟 **Cilium is 10**: Read the [2025 Cilium Annual
Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf)
to see the latest project milestones, a decade on from its first commit.

To keep up to date with all the latest Cilium releases, join #release 🎉

:birthday::heart::heart::heart::birthday:
This is a very special release for Cilium, as it celebrates **10 years**
since the first commit. We couldn’t be more proud of what this project
has accomplished. All the GitHub issues, pull requests, reviews, stars,
forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug
reports, design docs, discussions, meetings, Slack messages, YouTube
streams, eCHO episodes, conference talks, blog posts, demos, and
presentations have made the project the success it is today.
:birthday::heart::heart::heart::birthday:

#### Docker Manifests

##### cilium


`quay.io/cilium/cilium:v1.19.0@&#8203;sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60`

##### clustermesh-apiserver


`quay.io/cilium/clustermesh-apiserver:v1.19.0@&#8203;sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49`

##### docker-plugin


`quay.io/cilium/docker-plugin:v1.19.0@&#8203;sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50`

##### hubble-relay


`quay.io/cilium/hubble-relay:v1.19.0@&#8203;sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4`

##### operator-alibabacloud


`quay.io/cilium/operator-alibabacloud:v1.19.0@&#8203;sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0`

##### operator-aws


`quay.io/cilium/operator-aws:v1.19.0@&#8203;sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6`

##### operator-azure


`quay.io/cilium/operator-azure:v1.19.0@&#8203;sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a`

##### operator-generic


`quay.io/cilium/operator-generic:v1.19.0@&#8203;sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648`

##### operator


`quay.io/cilium/operator:v1.19.0@&#8203;sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65`

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yLjYiLCJ1cGRhdGVkSW5WZXIiOiI0My4zLjQiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbInJlbm92YXRlL2hlbG0iLCJ0eXBlL21pbm9yIl19-->

Co-authored-by: lumiere-bot[bot] <98047013+lumiere-bot[bot]@users.noreply.github.com>
nicolerenee pushed a commit to nicolerenee/infra that referenced this pull request Feb 7, 2026
@bot-nicole
feat(helm): update chart cilium ( 1.18.6 → 1.19.0 ) (#1356)
b7d2c8a 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cilium](https://cilium.io/)
([source](https://redirect.github.com/cilium/cilium)) | minor | `1.18.6`
→ `1.19.0` |

---

### Release Notes

<details>
<summary>cilium/cilium (cilium)</summary>

###
[`v1.19.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.19.0):
1.19.0

[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.18.6...1.19.0)

🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium
1.19.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.19.0)
release!

A total of **2934 new commits** have been contributed to this release by
a growing community of over **1010 developers** and over **23,600 GitHub
stars**! 🤩

⚠️ You may need to take action during upgrade to Cilium v1.19 if you use
Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the
[Upgrade
Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes)
for more details.

The full changelog can be found
[here](https://redirect.github.com/cilium/cilium/blob/v1.19/CHANGELOG.md).

Here are some of the highlights:

- 🛡️ **Network Policy**
- 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support
a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern
prefix.
([cilium/cilium#43420](https://redirect.github.com/cilium/cilium/pull/43420),
[@&#8203;fristonio](https://redirect.github.com/fristonio))
- 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols
in host firewall rules.
([cilium/cilium#39872](https://redirect.github.com/cilium/cilium/pull/39872),
[@&#8203;aditighag](https://redirect.github.com/aditighag);
[cilium/cilium#41949](https://redirect.github.com/cilium/cilium/pull/41949),
[@&#8203;kyounghunJang](https://redirect.github.com/kyounghunJang))
- ⛔ **Actively Deny Connections**: When Network Policies deny a
connection, Cilium can return ICMPv4 "Destination unreachable" messages
for a friendlier deny.
([cilium/cilium#41406](https://redirect.github.com/cilium/cilium/pull/41406),
[@&#8203;antonipp](https://redirect.github.com/antonipp))
- 🌐 **Select Clusters Explicitly**: When network policy selectors don't
explicitly define a cluster for communication to be allowed, they will
now default to only allowing the local cluster.
([cilium/cilium#40609](https://redirect.github.com/cilium/cilium/pull/40609),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- 🔧 **Unlock Future Work**: This release brings several internal
improvements to the network policy engine in preparation for features
planned in the next Cilium minor release
([cilium/cilium#39906](https://redirect.github.com/cilium/cilium/pull/39906),
[@&#8203;vipul-21](https://redirect.github.com/vipul-21);
[cilium/cilium#42784](https://redirect.github.com/cilium/cilium/pull/42784),
[cilium/cilium#42896](https://redirect.github.com/cilium/cilium/pull/42896),
[@&#8203;jrajahalme](https://redirect.github.com/jrajahalme))
- ⚠️ **Deprecate underutilized features**: To focus on solving common
problems Cilium users face, this release deprecates the Kafka protocol
match fields (beta), as well as the `ToRequires` and `FromRequires`
policy fields.
([cilium/cilium#43167](https://redirect.github.com/cilium/cilium/pull/43167),
[@&#8203;sayboras](https://redirect.github.com/sayboras);
[cilium/cilium#40967](https://redirect.github.com/cilium/cilium/pull/40967),
[@&#8203;TheBeeZee](https://redirect.github.com/TheBeeZee))

- 🔒 **Encryption & Authentication**
- 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent
encryption modes now support a "strict mode" to require traffic to be
encrypted between nodes. Unencrypted traffic will be dropped in this
mode.
([cilium/cilium#39239](https://redirect.github.com/cilium/cilium/pull/39239),
[cilium/cilium#42115](https://redirect.github.com/cilium/cilium/pull/42115),
[@&#8203;rgo3](https://redirect.github.com/rgo3),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which
enables TCP connections between workloads to be transparently encrypted
and authenticated.
([cilium/cilium#42766](https://redirect.github.com/cilium/cilium/pull/42766),
[cilium/cilium#42819](https://redirect.github.com/cilium/cilium/pull/42819),
[cilium/cilium#43227](https://redirect.github.com/cilium/cilium/pull/43227)
and others, [@&#8203;ldelossa](https://redirect.github.com/ldelossa),
[@&#8203;rgo3](https://redirect.github.com/rgo3),
[@&#8203;nddq](https://redirect.github.com/nddq))
- 👥 **Mutual Authentication**: The out-of-band [Mutual
Authentication](https://docs.cilium.io/en/v1.19/network/servicemesh/mutual-authentication/mutual-authentication/)
feature is now disabled by default, pending community feedback. If you
have a requirement for mTLS, consider trying the new Ztunnel
integration.
([cilium/cilium#42665](https://redirect.github.com/cilium/cilium/pull/42665),
[@&#8203;christarazi](https://redirect.github.com/christarazi))
- ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF
Host Routing for faster route lookups
([cilium/cilium#41997](https://redirect.github.com/cilium/cilium/pull/41997),
[@&#8203;pchaigno](https://redirect.github.com/pchaigno))

- 🚠 **Networking**
- 🚀 **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP
when communicating over UDP-based tunnels such as VXLAN and Geneve.
([cilium/cilium#43416](https://redirect.github.com/cilium/cilium/pull/43416),
[@&#8203;gentoo-root](https://redirect.github.com/gentoo-root))
- 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum
transmission unit (MTU) sizes for network paths using TCP.
([cilium/cilium#42012](https://redirect.github.com/cilium/cilium/pull/42012),
[cilium/cilium#43710](https://redirect.github.com/cilium/cilium/pull/43710),
[@&#8203;tommyp1ckles](https://redirect.github.com/tommyp1ckles))
- 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay
address family on dual-stack clusters.
([cilium/cilium#40324](https://redirect.github.com/cilium/cilium/pull/40324),
[@&#8203;pchaigno](https://redirect.github.com/pchaigno))
- 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool
IPAM feature to work with IPsec and direct routing modes, and promote it
from Beta to Stable.
([cilium/cilium#40460](https://redirect.github.com/cilium/cilium/pull/40460),
[cilium/cilium#42191](https://redirect.github.com/cilium/cilium/pull/42191),
[@&#8203;pippolo84](https://redirect.github.com/pippolo84))
- 🎭 **More Configurable Masquerade**: IP Masquerade configuration can
now be customized for traffic sent to nodes in other IP subnets, and
addresses in IPAM pools can be excluded from masquerade
([cilium/cilium#37568](https://redirect.github.com/cilium/cilium/pull/37568),
[@&#8203;behzad-mir](https://redirect.github.com/behzad-mir);
[cilium/cilium#43380](https://redirect.github.com/cilium/cilium/pull/43380),
[@&#8203;alimehrabikoshki](https://redirect.github.com/alimehrabikoshki))

- 🕸️ **Services and Service Mesh**
- 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery
Advertisements for IPv6 Layer-2 Announcements.
([cilium/cilium#39648](https://redirect.github.com/cilium/cilium/pull/39648),
[@&#8203;msune](https://redirect.github.com/msune))
- 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a
Kubernetes "loopback service" using IPv6.
([cilium/cilium#39594](https://redirect.github.com/cilium/cilium/pull/39594),
[@&#8203;saiaunghlyanhtet](https://redirect.github.com/saiaunghlyanhtet))
- ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes
support for using GRPCRoute as well as HTTPRoute.
([cilium/cilium#41936](https://redirect.github.com/cilium/cilium/pull/41936),
[@&#8203;youngnick](https://redirect.github.com/youngnick))

- 🛣️ **Border Gateway Protocol (BGP)**
- 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP
advertisement type that allows advertisement of IPs assigned on local
interfaces. This can be useful for example in multi-homing setups, where
a common node's loopback address can be advertised via multiple BGP
sessions over different network interfaces.
([cilium/cilium#42469](https://redirect.github.com/cilium/cilium/pull/42469),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))
- ✉️ **Override Source IP addresses**: You can override the
auto-generated BGP session source IP with the IP address applied on the
configured `sourceInterface` to allow binding the BGP connection to the
loopback address which is not tied to the specific physical interface's
lifecycle
([cilium/cilium#42583](https://redirect.github.com/cilium/cilium/pull/42583),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))
- 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a
service has 0 endpoints, to allow balancing to a different DC/cluster
with `externalTrafficPolicy=Cluster`
([cilium/cilium#40717](https://redirect.github.com/cilium/cilium/pull/40717),
[@&#8203;oblazek](https://redirect.github.com/oblazek))
- ⚠️ **Move to `cilium.io/v2` API**: The support for the older
`CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced
with v2 APIs.
([cilium/cilium#42278](https://redirect.github.com/cilium/cilium/pull/42278),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))

- 🛰️ **Observability**
- 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific
packets through the cluster using IP Options.
([cilium/cilium#41306](https://redirect.github.com/cilium/cilium/pull/41306),
[@&#8203;Bigdelle](https://redirect.github.com/Bigdelle))
- 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble`
command line to understand the encryption status of the traffic, either
`--encrypted` or `--unencrypted`.
([cilium/cilium#43096](https://redirect.github.com/cilium/cilium/pull/43096),
[@&#8203;SRodi](https://redirect.github.com/SRodi))
- 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now
include which Network Policy caused the drop.
([cilium/cilium#41693](https://redirect.github.com/cilium/cilium/pull/41693),
[@&#8203;41ks](https://redirect.github.com/41ks))

- 🌅 **Performance and Scale**
- ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage
for handling selectors in network policies.
([cilium/cilium#42008](https://redirect.github.com/cilium/cilium/pull/42008),
[@&#8203;jrajahalme](https://redirect.github.com/jrajahalme);
[cilium/cilium#42580](https://redirect.github.com/cilium/cilium/pull/42580),
[@&#8203;odinuge](https://redirect.github.com/odinuge))
- 🔌 **More Efficient Connection Tracking**: Several improvements have
been made to reduce the number of connections being tracked by Cilium,
particularly when using Geneve, VXLAN or WireGuard.
([cilium/cilium#38782](https://redirect.github.com/cilium/cilium/pull/38782),
[@&#8203;BenoitKnecht](https://redirect.github.com/BenoitKnecht);
[cilium/cilium#41990](https://redirect.github.com/cilium/cilium/pull/41990),
[@&#8203;bersoare](https://redirect.github.com/bersoare))
- 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in
large AWS environments with many resources.
([cilium/cilium#42529](https://redirect.github.com/cilium/cilium/pull/42529),
[@&#8203;liyihuang](https://redirect.github.com/liyihuang))

- ⚙️ **Operations**
- 📦 **Access Helm charts via Registry**: Helm charts are also available
under `quay.io/cilium/charts/cilium`
([cilium/cilium#43624](https://redirect.github.com/cilium/cilium/pull/43624),
[@&#8203;aanm](https://redirect.github.com/aanm))
- 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics
exposed by the Cilium Operator.
([cilium/cilium#42077](https://redirect.github.com/cilium/cilium/pull/42077),
[@&#8203;phuhung273](https://redirect.github.com/phuhung273))
- 🤖 **Easier Multi-Cluster install**: There's now support for
auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster
Services (MCS).
([cilium/cilium#40729](https://redirect.github.com/cilium/cilium/pull/40729),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and
Hubble certificate generation when using GitOps approaches.
([cilium/cilium#42298](https://redirect.github.com/cilium/cilium/pull/42298),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy
v1.35, Gateway API v1.4, and GoBGP v3.37.
([cilium/cilium#43422](https://redirect.github.com/cilium/cilium/pull/43422),
[@&#8203;aanm](https://redirect.github.com/aanm);
[cilium/cilium#40569](https://redirect.github.com/cilium/cilium/pull/40569),
[@&#8203;sayboras](https://redirect.github.com/sayboras);
[cilium/cilium#41936](https://redirect.github.com/cilium/cilium/pull/41936),
[@&#8203;youngnick](https://redirect.github.com/youngnick);
[cilium/cilium#42824](https://redirect.github.com/cilium/cilium/pull/42824),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs)).

- 🏠 **Community**
- ❤️ **Production Case Studies**: Many end-users have stepped forward to
tell their stories running Cilium in production. If your company wants
to submit their case studies let us know. We would love to hear your
feedback!
- 📰 See studies with
[Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546),
[Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[
Cybozu](https://www.cncf.io/case-studies/cybozu/),
[ESnet](https://www.cncf.io/case-studies/esnet/),[
Nutanix](https://www.cncf.io/case-studies/nutanix/),
[OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/),
[TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of
Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/).
- 🇺🇸 **Atlanta Events**: The community gathered at
[CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ)
and the [Cilium Developer
Summit](https://redirect.github.com/cilium/dev-summits/blob/main/2025-NA/README.md)
in Atlanta.
- 🇳🇱 **Amsterdam Events**: Meet us at the upcoming
[CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/)
and [Cilium Developer
Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2026-EU)
in Amsterdam, March 23-27. [Read
more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/)
about where to find Cilium during the show.
- 🔟 **Cilium is 10**: Read the [2025 Cilium Annual
Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf)
to see the latest project milestones, a decade on from its first commit.

To keep up to date with all the latest Cilium releases, join #release 🎉

:birthday::heart::heart::heart::birthday:
This is a very special release for Cilium, as it celebrates **10 years**
since the first commit. We couldn’t be more proud of what this project
has accomplished. All the GitHub issues, pull requests, reviews, stars,
forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug
reports, design docs, discussions, meetings, Slack messages, YouTube
streams, eCHO episodes, conference talks, blog posts, demos, and
presentations have made the project the success it is today.
:birthday::heart::heart::heart::birthday:

#### Docker Manifests

##### cilium


`quay.io/cilium/cilium:v1.19.0@&#8203;sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60`

##### clustermesh-apiserver


`quay.io/cilium/clustermesh-apiserver:v1.19.0@&#8203;sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49`

##### docker-plugin


`quay.io/cilium/docker-plugin:v1.19.0@&#8203;sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50`

##### hubble-relay


`quay.io/cilium/hubble-relay:v1.19.0@&#8203;sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4`

##### operator-alibabacloud


`quay.io/cilium/operator-alibabacloud:v1.19.0@&#8203;sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0`

##### operator-aws


`quay.io/cilium/operator-aws:v1.19.0@&#8203;sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6`

##### operator-azure


`quay.io/cilium/operator-azure:v1.19.0@&#8203;sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a`

##### operator-generic


`quay.io/cilium/operator-generic:v1.19.0@&#8203;sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648`

##### operator


`quay.io/cilium/operator:v1.19.0@&#8203;sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65`

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yLjYiLCJ1cGRhdGVkSW5WZXIiOiI0My4zLjQiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbInJlbm92YXRlL2hlbG0iLCJ0eXBlL21pbm9yIl19-->

Co-authored-by: bot-nicole[bot] <205127124+bot-nicole[bot]@users.noreply.github.com>
enchantednatures pushed a commit to enchantednatures/HomeCluster that referenced this pull request Feb 9, 2026
@renovate
feat(helm): update chart cilium ( 1.18.6 → 1.19.0 ) (#986)
13548da 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cilium](https://cilium.io/)
([source](https://redirect.github.com/cilium/cilium)) | minor | `1.18.6`
→ `1.19.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>cilium/cilium (cilium)</summary>

###
[`v1.19.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.19.0):
1.19.0

[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.18.6...1.19.0)

🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium
1.19.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.19.0)
release!

A total of **2934 new commits** have been contributed to this release by
a growing community of over **1010 developers** and over **23,600 GitHub
stars**! 🤩

⚠️ You may need to take action during upgrade to Cilium v1.19 if you use
Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the
[Upgrade
Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes)
for more details.

The full changelog can be found
[here](https://redirect.github.com/cilium/cilium/blob/v1.19/CHANGELOG.md).

Here are some of the highlights:

- 🛡️ **Network Policy**
- 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support
a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern
prefix.
([cilium/cilium#43420](https://redirect.github.com/cilium/cilium/pull/43420),
[@&#8203;fristonio](https://redirect.github.com/fristonio))
- 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols
in host firewall rules.
([cilium/cilium#39872](https://redirect.github.com/cilium/cilium/pull/39872),
[@&#8203;aditighag](https://redirect.github.com/aditighag);
[cilium/cilium#41949](https://redirect.github.com/cilium/cilium/pull/41949),
[@&#8203;kyounghunJang](https://redirect.github.com/kyounghunJang))
- ⛔ **Actively Deny Connections**: When Network Policies deny a
connection, Cilium can return ICMPv4 "Destination unreachable" messages
for a friendlier deny.
([cilium/cilium#41406](https://redirect.github.com/cilium/cilium/pull/41406),
[@&#8203;antonipp](https://redirect.github.com/antonipp))
- 🌐 **Select Clusters Explicitly**: When network policy selectors don't
explicitly define a cluster for communication to be allowed, they will
now default to only allowing the local cluster.
([cilium/cilium#40609](https://redirect.github.com/cilium/cilium/pull/40609),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- 🔧 **Unlock Future Work**: This release brings several internal
improvements to the network policy engine in preparation for features
planned in the next Cilium minor release
([cilium/cilium#39906](https://redirect.github.com/cilium/cilium/pull/39906),
[@&#8203;vipul-21](https://redirect.github.com/vipul-21);
[cilium/cilium#42784](https://redirect.github.com/cilium/cilium/pull/42784),
[cilium/cilium#42896](https://redirect.github.com/cilium/cilium/pull/42896),
[@&#8203;jrajahalme](https://redirect.github.com/jrajahalme))
- ⚠️ **Deprecate underutilized features**: To focus on solving common
problems Cilium users face, this release deprecates the Kafka protocol
match fields (beta), as well as the `ToRequires` and `FromRequires`
policy fields.
([cilium/cilium#43167](https://redirect.github.com/cilium/cilium/pull/43167),
[@&#8203;sayboras](https://redirect.github.com/sayboras);
[cilium/cilium#40967](https://redirect.github.com/cilium/cilium/pull/40967),
[@&#8203;TheBeeZee](https://redirect.github.com/TheBeeZee))

- 🔒 **Encryption & Authentication**
- 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent
encryption modes now support a "strict mode" to require traffic to be
encrypted between nodes. Unencrypted traffic will be dropped in this
mode.
([cilium/cilium#39239](https://redirect.github.com/cilium/cilium/pull/39239),
[cilium/cilium#42115](https://redirect.github.com/cilium/cilium/pull/42115),
[@&#8203;rgo3](https://redirect.github.com/rgo3),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which
enables TCP connections between workloads to be transparently encrypted
and authenticated.
([cilium/cilium#42766](https://redirect.github.com/cilium/cilium/pull/42766),
[cilium/cilium#42819](https://redirect.github.com/cilium/cilium/pull/42819),
[cilium/cilium#43227](https://redirect.github.com/cilium/cilium/pull/43227)
and others, [@&#8203;ldelossa](https://redirect.github.com/ldelossa),
[@&#8203;rgo3](https://redirect.github.com/rgo3),
[@&#8203;nddq](https://redirect.github.com/nddq))
- 👥 **Mutual Authentication**: The out-of-band [Mutual
Authentication](https://docs.cilium.io/en/v1.19/network/servicemesh/mutual-authentication/mutual-authentication/)
feature is now disabled by default, pending community feedback. If you
have a requirement for mTLS, consider trying the new Ztunnel
integration.
([cilium/cilium#42665](https://redirect.github.com/cilium/cilium/pull/42665),
[@&#8203;christarazi](https://redirect.github.com/christarazi))
- ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF
Host Routing for faster route lookups
([cilium/cilium#41997](https://redirect.github.com/cilium/cilium/pull/41997),
[@&#8203;pchaigno](https://redirect.github.com/pchaigno))

- 🚠 **Networking**
- 🚀 **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP
when communicating over UDP-based tunnels such as VXLAN and Geneve.
([cilium/cilium#43416](https://redirect.github.com/cilium/cilium/pull/43416),
[@&#8203;gentoo-root](https://redirect.github.com/gentoo-root))
- 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum
transmission unit (MTU) sizes for network paths using TCP.
([cilium/cilium#42012](https://redirect.github.com/cilium/cilium/pull/42012),
[cilium/cilium#43710](https://redirect.github.com/cilium/cilium/pull/43710),
[@&#8203;tommyp1ckles](https://redirect.github.com/tommyp1ckles))
- 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay
address family on dual-stack clusters.
([cilium/cilium#40324](https://redirect.github.com/cilium/cilium/pull/40324),
[@&#8203;pchaigno](https://redirect.github.com/pchaigno))
- 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool
IPAM feature to work with IPsec and direct routing modes, and promote it
from Beta to Stable.
([cilium/cilium#40460](https://redirect.github.com/cilium/cilium/pull/40460),
[cilium/cilium#42191](https://redirect.github.com/cilium/cilium/pull/42191),
[@&#8203;pippolo84](https://redirect.github.com/pippolo84))
- 🎭 **More Configurable Masquerade**: IP Masquerade configuration can
now be customized for traffic sent to nodes in other IP subnets, and
addresses in IPAM pools can be excluded from masquerade
([cilium/cilium#37568](https://redirect.github.com/cilium/cilium/pull/37568),
[@&#8203;behzad-mir](https://redirect.github.com/behzad-mir);
[cilium/cilium#43380](https://redirect.github.com/cilium/cilium/pull/43380),
[@&#8203;alimehrabikoshki](https://redirect.github.com/alimehrabikoshki))

- 🕸️ **Services and Service Mesh**
- 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery
Advertisements for IPv6 Layer-2 Announcements.
([cilium/cilium#39648](https://redirect.github.com/cilium/cilium/pull/39648),
[@&#8203;msune](https://redirect.github.com/msune))
- 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a
Kubernetes "loopback service" using IPv6.
([cilium/cilium#39594](https://redirect.github.com/cilium/cilium/pull/39594),
[@&#8203;saiaunghlyanhtet](https://redirect.github.com/saiaunghlyanhtet))
- ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes
support for using GRPCRoute as well as HTTPRoute.
([cilium/cilium#41936](https://redirect.github.com/cilium/cilium/pull/41936),
[@&#8203;youngnick](https://redirect.github.com/youngnick))

- 🛣️ **Border Gateway Protocol (BGP)**
- 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP
advertisement type that allows advertisement of IPs assigned on local
interfaces. This can be useful for example in multi-homing setups, where
a common node's loopback address can be advertised via multiple BGP
sessions over different network interfaces.
([cilium/cilium#42469](https://redirect.github.com/cilium/cilium/pull/42469),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))
- ✉️ **Override Source IP addresses**: You can override the
auto-generated BGP session source IP with the IP address applied on the
configured `sourceInterface` to allow binding the BGP connection to the
loopback address which is not tied to the specific physical interface's
lifecycle
([cilium/cilium#42583](https://redirect.github.com/cilium/cilium/pull/42583),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))
- 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a
service has 0 endpoints, to allow balancing to a different DC/cluster
with `externalTrafficPolicy=Cluster`
([cilium/cilium#40717](https://redirect.github.com/cilium/cilium/pull/40717),
[@&#8203;oblazek](https://redirect.github.com/oblazek))
- ⚠️ **Move to `cilium.io/v2` API**: The support for the older
`CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced
with v2 APIs.
([cilium/cilium#42278](https://redirect.github.com/cilium/cilium/pull/42278),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))

- 🛰️ **Observability**
- 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific
packets through the cluster using IP Options.
([cilium/cilium#41306](https://redirect.github.com/cilium/cilium/pull/41306),
[@&#8203;Bigdelle](https://redirect.github.com/Bigdelle))
- 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble`
command line to understand the encryption status of the traffic, either
`--encrypted` or `--unencrypted`.
([cilium/cilium#43096](https://redirect.github.com/cilium/cilium/pull/43096),
[@&#8203;SRodi](https://redirect.github.com/SRodi))
- 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now
include which Network Policy caused the drop.
([cilium/cilium#41693](https://redirect.github.com/cilium/cilium/pull/41693),
[@&#8203;41ks](https://redirect.github.com/41ks))

- 🌅 **Performance and Scale**
- ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage
for handling selectors in network policies.
([cilium/cilium#42008](https://redirect.github.com/cilium/cilium/pull/42008),
[@&#8203;jrajahalme](https://redirect.github.com/jrajahalme);
[cilium/cilium#42580](https://redirect.github.com/cilium/cilium/pull/42580),
[@&#8203;odinuge](https://redirect.github.com/odinuge))
- 🔌 **More Efficient Connection Tracking**: Several improvements have
been made to reduce the number of connections being tracked by Cilium,
particularly when using Geneve, VXLAN or WireGuard.
([cilium/cilium#38782](https://redirect.github.com/cilium/cilium/pull/38782),
[@&#8203;BenoitKnecht](https://redirect.github.com/BenoitKnecht);
[cilium/cilium#41990](https://redirect.github.com/cilium/cilium/pull/41990),
[@&#8203;bersoare](https://redirect.github.com/bersoare))
- 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in
large AWS environments with many resources.
([cilium/cilium#42529](https://redirect.github.com/cilium/cilium/pull/42529),
[@&#8203;liyihuang](https://redirect.github.com/liyihuang))

- ⚙️ **Operations**
- 📦 **Access Helm charts via Registry**: Helm charts are also available
under `quay.io/cilium/charts/cilium`
([cilium/cilium#43624](https://redirect.github.com/cilium/cilium/pull/43624),
[@&#8203;aanm](https://redirect.github.com/aanm))
- 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics
exposed by the Cilium Operator.
([cilium/cilium#42077](https://redirect.github.com/cilium/cilium/pull/42077),
[@&#8203;phuhung273](https://redirect.github.com/phuhung273))
- 🤖 **Easier Multi-Cluster install**: There's now support for
auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster
Services (MCS).
([cilium/cilium#40729](https://redirect.github.com/cilium/cilium/pull/40729),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and
Hubble certificate generation when using GitOps approaches.
([cilium/cilium#42298](https://redirect.github.com/cilium/cilium/pull/42298),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy
v1.35, Gateway API v1.4, and GoBGP v3.37.
([cilium/cilium#43422](https://redirect.github.com/cilium/cilium/pull/43422),
[@&#8203;aanm](https://redirect.github.com/aanm);
[cilium/cilium#40569](https://redirect.github.com/cilium/cilium/pull/40569),
[@&#8203;sayboras](https://redirect.github.com/sayboras);
[cilium/cilium#41936](https://redirect.github.com/cilium/cilium/pull/41936),
[@&#8203;youngnick](https://redirect.github.com/youngnick);
[cilium/cilium#42824](https://redirect.github.com/cilium/cilium/pull/42824),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs)).

- 🏠 **Community**
- ❤️ **Production Case Studies**: Many end-users have stepped forward to
tell their stories running Cilium in production. If your company wants
to submit their case studies let us know. We would love to hear your
feedback!
- 📰 See studies with
[Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546),
[Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[
Cybozu](https://www.cncf.io/case-studies/cybozu/),
[ESnet](https://www.cncf.io/case-studies/esnet/),[
Nutanix](https://www.cncf.io/case-studies/nutanix/),
[OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/),
[TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of
Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/).
- 🇺🇸 **Atlanta Events**: The community gathered at
[CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ)
and the [Cilium Developer
Summit](https://redirect.github.com/cilium/dev-summits/blob/main/2025-NA/README.md)
in Atlanta.
- 🇳🇱 **Amsterdam Events**: Meet us at the upcoming
[CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/)
and [Cilium Developer
Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2026-EU)
in Amsterdam, March 23-27. [Read
more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/)
about where to find Cilium during the show.
- 🔟 **Cilium is 10**: Read the [2025 Cilium Annual
Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf)
to see the latest project milestones, a decade on from its first commit.

To keep up to date with all the latest Cilium releases, join #release 🎉

:birthday::heart::heart::heart::birthday:
This is a very special release for Cilium, as it celebrates **10 years**
since the first commit. We couldn’t be more proud of what this project
has accomplished. All the GitHub issues, pull requests, reviews, stars,
forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug
reports, design docs, discussions, meetings, Slack messages, YouTube
streams, eCHO episodes, conference talks, blog posts, demos, and
presentations have made the project the success it is today.
:birthday::heart::heart::heart::birthday:

#### Docker Manifests

##### cilium


`quay.io/cilium/cilium:v1.19.0@&#8203;sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60`

##### clustermesh-apiserver


`quay.io/cilium/clustermesh-apiserver:v1.19.0@&#8203;sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49`

##### docker-plugin


`quay.io/cilium/docker-plugin:v1.19.0@&#8203;sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50`

##### hubble-relay


`quay.io/cilium/hubble-relay:v1.19.0@&#8203;sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4`

##### operator-alibabacloud


`quay.io/cilium/operator-alibabacloud:v1.19.0@&#8203;sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0`

##### operator-aws


`quay.io/cilium/operator-aws:v1.19.0@&#8203;sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6`

##### operator-azure


`quay.io/cilium/operator-azure:v1.19.0@&#8203;sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a`

##### operator-generic


`quay.io/cilium/operator-generic:v1.19.0@&#8203;sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648`

##### operator


`quay.io/cilium/operator:v1.19.0@&#8203;sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65`

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" in timezone
America/New_York, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/enchantednatures/HomeCluster).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45NS4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUvaGVsbSIsInR5cGUvbWlub3IiXX0=-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
sp3nx0r pushed a commit to sp3nx0r/homelab that referenced this pull request Mar 1, 2026
@renovate
feat(helm): update chart cilium to 1.19.1 (#117)
65f9480 
> ℹ️ **Note**
> 
> This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cilium](https://cilium.io/)
([source](https://redirect.github.com/cilium/cilium)) | minor | `1.14.6`
→ `1.19.1` |
| [cilium](https://cilium.io/)
([source](https://redirect.github.com/cilium/cilium)) | minor | `1.17.5`
→ `1.19.1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>cilium/cilium (cilium)</summary>

###
[`v1.19.1`](https://redirect.github.com/cilium/cilium/compare/1.19.0...1.19.1)

[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.19.0...1.19.1)

###
[`v1.19.0`](https://redirect.github.com/cilium/cilium/releases/tag/v1.19.0):
1.19.0

[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.18.7...1.19.0)

🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium
1.19.0](https://redirect.github.com/cilium/cilium/releases/tag/v1.19.0)
release!

A total of **2934 new commits** have been contributed to this release by
a growing community of over **1010 developers** and over **23,600 GitHub
stars**! 🤩

⚠️ You may need to take action during upgrade to Cilium v1.19 if you use
Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the
[Upgrade
Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes)
for more details.

The full changelog can be found
[here](https://redirect.github.com/cilium/cilium/blob/v1.19/CHANGELOG.md).

Here are some of the highlights:

- 🛡️ **Network Policy**
- 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support
a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern
prefix.
([cilium/cilium#43420](https://redirect.github.com/cilium/cilium/pull/43420),
[@&#8203;fristonio](https://redirect.github.com/fristonio))
- 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols
in host firewall rules.
([cilium/cilium#39872](https://redirect.github.com/cilium/cilium/pull/39872),
[@&#8203;aditighag](https://redirect.github.com/aditighag);
[cilium/cilium#41949](https://redirect.github.com/cilium/cilium/pull/41949),
[@&#8203;kyounghunJang](https://redirect.github.com/kyounghunJang))
- ⛔ **Actively Deny Connections**: When Network Policies deny a
connection, Cilium can return ICMPv4 "Destination unreachable" messages
for a friendlier deny.
([cilium/cilium#41406](https://redirect.github.com/cilium/cilium/pull/41406),
[@&#8203;antonipp](https://redirect.github.com/antonipp))
- 🌐 **Select Clusters Explicitly**: When network policy selectors don't
explicitly define a cluster for communication to be allowed, they will
now default to only allowing the local cluster.
([cilium/cilium#40609](https://redirect.github.com/cilium/cilium/pull/40609),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- 🔧 **Unlock Future Work**: This release brings several internal
improvements to the network policy engine in preparation for features
planned in the next Cilium minor release
([cilium/cilium#39906](https://redirect.github.com/cilium/cilium/pull/39906),
[@&#8203;vipul-21](https://redirect.github.com/vipul-21);
[cilium/cilium#42784](https://redirect.github.com/cilium/cilium/pull/42784),
[cilium/cilium#42896](https://redirect.github.com/cilium/cilium/pull/42896),
[@&#8203;jrajahalme](https://redirect.github.com/jrajahalme))
- ⚠️ **Deprecate underutilized features**: To focus on solving common
problems Cilium users face, this release deprecates the Kafka protocol
match fields (beta), as well as the `ToRequires` and `FromRequires`
policy fields.
([cilium/cilium#43167](https://redirect.github.com/cilium/cilium/pull/43167),
[@&#8203;sayboras](https://redirect.github.com/sayboras);
[cilium/cilium#40967](https://redirect.github.com/cilium/cilium/pull/40967),
[@&#8203;TheBeeZee](https://redirect.github.com/TheBeeZee))

- 🔒 **Encryption & Authentication**
- 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent
encryption modes now support a "strict mode" to require traffic to be
encrypted between nodes. Unencrypted traffic will be dropped in this
mode.
([cilium/cilium#39239](https://redirect.github.com/cilium/cilium/pull/39239),
[cilium/cilium#42115](https://redirect.github.com/cilium/cilium/pull/42115),
[@&#8203;rgo3](https://redirect.github.com/rgo3),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which
enables TCP connections between workloads to be transparently encrypted
and authenticated.
([cilium/cilium#42766](https://redirect.github.com/cilium/cilium/pull/42766),
[cilium/cilium#42819](https://redirect.github.com/cilium/cilium/pull/42819),
[cilium/cilium#43227](https://redirect.github.com/cilium/cilium/pull/43227)
and others, [@&#8203;ldelossa](https://redirect.github.com/ldelossa),
[@&#8203;rgo3](https://redirect.github.com/rgo3),
[@&#8203;nddq](https://redirect.github.com/nddq))
- 👥 **Mutual Authentication**: The out-of-band [Mutual
Authentication](https://docs.cilium.io/en/v1.19/network/servicemesh/mutual-authentication/mutual-authentication/)
feature is now disabled by default, pending community feedback. If you
have a requirement for mTLS, consider trying the new Ztunnel
integration.
([cilium/cilium#42665](https://redirect.github.com/cilium/cilium/pull/42665),
[@&#8203;christarazi](https://redirect.github.com/christarazi))
- ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF
Host Routing for faster route lookups
([cilium/cilium#41997](https://redirect.github.com/cilium/cilium/pull/41997),
[@&#8203;pchaigno](https://redirect.github.com/pchaigno))

- 🚠 **Networking**
- 🚀 **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP
when communicating over UDP-based tunnels such as VXLAN and Geneve.
([cilium/cilium#43416](https://redirect.github.com/cilium/cilium/pull/43416),
[@&#8203;gentoo-root](https://redirect.github.com/gentoo-root))
- 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum
transmission unit (MTU) sizes for network paths using TCP.
([cilium/cilium#42012](https://redirect.github.com/cilium/cilium/pull/42012),
[cilium/cilium#43710](https://redirect.github.com/cilium/cilium/pull/43710),
[@&#8203;tommyp1ckles](https://redirect.github.com/tommyp1ckles))
- 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay
address family on dual-stack clusters.
([cilium/cilium#40324](https://redirect.github.com/cilium/cilium/pull/40324),
[@&#8203;pchaigno](https://redirect.github.com/pchaigno))
- 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool
IPAM feature to work with IPsec and direct routing modes, and promote it
from Beta to Stable.
([cilium/cilium#40460](https://redirect.github.com/cilium/cilium/pull/40460),
[cilium/cilium#42191](https://redirect.github.com/cilium/cilium/pull/42191),
[@&#8203;pippolo84](https://redirect.github.com/pippolo84))
- 🎭 **More Configurable Masquerade**: IP Masquerade configuration can
now be customized for traffic sent to nodes in other IP subnets, and
addresses in IPAM pools can be excluded from masquerade
([cilium/cilium#37568](https://redirect.github.com/cilium/cilium/pull/37568),
[@&#8203;behzad-mir](https://redirect.github.com/behzad-mir);
[cilium/cilium#43380](https://redirect.github.com/cilium/cilium/pull/43380),
[@&#8203;alimehrabikoshki](https://redirect.github.com/alimehrabikoshki))

- 🕸️ **Services and Service Mesh**
- 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery
Advertisements for IPv6 Layer-2 Announcements.
([cilium/cilium#39648](https://redirect.github.com/cilium/cilium/pull/39648),
[@&#8203;msune](https://redirect.github.com/msune))
- 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a
Kubernetes "loopback service" using IPv6.
([cilium/cilium#39594](https://redirect.github.com/cilium/cilium/pull/39594),
[@&#8203;saiaunghlyanhtet](https://redirect.github.com/saiaunghlyanhtet))
- ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes
support for using GRPCRoute as well as HTTPRoute.
([cilium/cilium#41936](https://redirect.github.com/cilium/cilium/pull/41936),
[@&#8203;youngnick](https://redirect.github.com/youngnick))

- 🛣️ **Border Gateway Protocol (BGP)**
- 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP
advertisement type that allows advertisement of IPs assigned on local
interfaces. This can be useful for example in multi-homing setups, where
a common node's loopback address can be advertised via multiple BGP
sessions over different network interfaces.
([cilium/cilium#42469](https://redirect.github.com/cilium/cilium/pull/42469),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))
- ✉️ **Override Source IP addresses**: You can override the
auto-generated BGP session source IP with the IP address applied on the
configured `sourceInterface` to allow binding the BGP connection to the
loopback address which is not tied to the specific physical interface's
lifecycle
([cilium/cilium#42583](https://redirect.github.com/cilium/cilium/pull/42583),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))
- 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a
service has 0 endpoints, to allow balancing to a different DC/cluster
with `externalTrafficPolicy=Cluster`
([cilium/cilium#40717](https://redirect.github.com/cilium/cilium/pull/40717),
[@&#8203;oblazek](https://redirect.github.com/oblazek))
- ⚠️ **Move to `cilium.io/v2` API**: The support for the older
`CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced
with v2 APIs.
([cilium/cilium#42278](https://redirect.github.com/cilium/cilium/pull/42278),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))

- 🛰️ **Observability**
- 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific
packets through the cluster using IP Options.
([cilium/cilium#41306](https://redirect.github.com/cilium/cilium/pull/41306),
[@&#8203;Bigdelle](https://redirect.github.com/Bigdelle))
- 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble`
command line to understand the encryption status of the traffic, either
`--encrypted` or `--unencrypted`.
([cilium/cilium#43096](https://redirect.github.com/cilium/cilium/pull/43096),
[@&#8203;SRodi](https://redirect.github.com/SRodi))
- 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now
include which Network Policy caused the drop.
([cilium/cilium#41693](https://redirect.github.com/cilium/cilium/pull/41693),
[@&#8203;41ks](https://redirect.github.com/41ks))

- 🌅 **Performance and Scale**
- ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage
for handling selectors in network policies.
([cilium/cilium#42008](https://redirect.github.com/cilium/cilium/pull/42008),
[@&#8203;jrajahalme](https://redirect.github.com/jrajahalme);
[cilium/cilium#42580](https://redirect.github.com/cilium/cilium/pull/42580),
[@&#8203;odinuge](https://redirect.github.com/odinuge))
- 🔌 **More Efficient Connection Tracking**: Several improvements have
been made to reduce the number of connections being tracked by Cilium,
particularly when using Geneve, VXLAN or WireGuard.
([cilium/cilium#38782](https://redirect.github.com/cilium/cilium/pull/38782),
[@&#8203;BenoitKnecht](https://redirect.github.com/BenoitKnecht);
[cilium/cilium#41990](https://redirect.github.com/cilium/cilium/pull/41990),
[@&#8203;bersoare](https://redirect.github.com/bersoare))
- 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in
large AWS environments with many resources.
([cilium/cilium#42529](https://redirect.github.com/cilium/cilium/pull/42529),
[@&#8203;liyihuang](https://redirect.github.com/liyihuang))

- ⚙️ **Operations**
- 📦 **Access Helm charts via Registry**: Helm charts are also available
under `quay.io/cilium/charts/cilium`
([cilium/cilium#43624](https://redirect.github.com/cilium/cilium/pull/43624),
[@&#8203;aanm](https://redirect.github.com/aanm))
- 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics
exposed by the Cilium Operator.
([cilium/cilium#42077](https://redirect.github.com/cilium/cilium/pull/42077),
[@&#8203;phuhung273](https://redirect.github.com/phuhung273))
- 🤖 **Easier Multi-Cluster install**: There's now support for
auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster
Services (MCS).
([cilium/cilium#40729](https://redirect.github.com/cilium/cilium/pull/40729),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and
Hubble certificate generation when using GitOps approaches.
([cilium/cilium#42298](https://redirect.github.com/cilium/cilium/pull/42298),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy
v1.35, Gateway API v1.4, and GoBGP v3.37.
([cilium/cilium#43422](https://redirect.github.com/cilium/cilium/pull/43422),
[@&#8203;aanm](https://redirect.github.com/aanm);
[cilium/cilium#40569](https://redirect.github.com/cilium/cilium/pull/40569),
[@&#8203;sayboras](https://redirect.github.com/sayboras);
[cilium/cilium#41936](https://redirect.github.com/cilium/cilium/pull/41936),
[@&#8203;youngnick](https://redirect.github.com/youngnick);
[cilium/cilium#42824](https://redirect.github.com/cilium/cilium/pull/42824),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs)).

- 🏠 **Community**
- ❤️ **Production Case Studies**: Many end-users have stepped forward to
tell their stories running Cilium in production. If your company wants
to submit their case studies let us know. We would love to hear your
feedback!
- 📰 See studies with
[Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546),
[Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[
Cybozu](https://www.cncf.io/case-studies/cybozu/),
[ESnet](https://www.cncf.io/case-studies/esnet/),[
Nutanix](https://www.cncf.io/case-studies/nutanix/),
[OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/),
[TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of
Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/).
- 🇺🇸 **Atlanta Events**: The community gathered at
[CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ)
and the [Cilium Developer
Summit](https://redirect.github.com/cilium/dev-summits/blob/main/2025-NA/README.md)
in Atlanta.
- 🇳🇱 **Amsterdam Events**: Meet us at the upcoming
[CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/)
and [Cilium Developer
Summit](https://redirect.github.com/cilium/dev-summits/tree/main/2026-EU)
in Amsterdam, March 23-27. [Read
more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/)
about where to find Cilium during the show.
- 🔟 **Cilium is 10**: Read the [2025 Cilium Annual
Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf)
to see the latest project milestones, a decade on from its first commit.

To keep up to date with all the latest Cilium releases, join #release 🎉

:birthday::heart::heart::heart::birthday:
This is a very special release for Cilium, as it celebrates **10 years**
since the first commit. We couldn’t be more proud of what this project
has accomplished. All the GitHub issues, pull requests, reviews, stars,
forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug
reports, design docs, discussions, meetings, Slack messages, YouTube
streams, eCHO episodes, conference talks, blog posts, demos, and
presentations have made the project the success it is today.
:birthday::heart::heart::heart::birthday:

##### Docker Manifests

##### cilium


`quay.io/cilium/cilium:v1.19.0@&#8203;sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60`

##### clustermesh-apiserver


`quay.io/cilium/clustermesh-apiserver:v1.19.0@&#8203;sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49`

##### docker-plugin


`quay.io/cilium/docker-plugin:v1.19.0@&#8203;sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50`

##### hubble-relay


`quay.io/cilium/hubble-relay:v1.19.0@&#8203;sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4`

##### operator-alibabacloud


`quay.io/cilium/operator-alibabacloud:v1.19.0@&#8203;sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0`

##### operator-aws


`quay.io/cilium/operator-aws:v1.19.0@&#8203;sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6`

##### operator-azure


`quay.io/cilium/operator-azure:v1.19.0@&#8203;sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a`

##### operator-generic


`quay.io/cilium/operator-generic:v1.19.0@&#8203;sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648`

##### operator


`quay.io/cilium/operator:v1.19.0@&#8203;sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65`

###
[`v1.18.7`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.7):
1.18.7

[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.18.6...1.18.7)

## Summary of Changes

**Minor Changes:**

- Exclude topology.kubernetes.io labels from security labels by default
(Backport PR
[#&#8203;43777](https://redirect.github.com/cilium/cilium/issues/43777),
Upstream PR
[#&#8203;43725](https://redirect.github.com/cilium/cilium/issues/43725),
[@&#8203;moscicky](https://redirect.github.com/moscicky))
- hubble-relay: Add `hubble.relay.logOptions.format` and
`hubble.relay.logOptions.level` Helm values to configure log format
(text, text-ts, json, json-ts) and level (debug, info, warn, error)
(Backport PR
[#&#8203;44004](https://redirect.github.com/cilium/cilium/issues/44004),
Upstream PR
[#&#8203;43644](https://redirect.github.com/cilium/cilium/issues/43644),
[@&#8203;puwun](https://redirect.github.com/puwun))

**Bugfixes:**

- Add permissions to the cilium-operator so that it can create
EndpointSlices when the admission plugin
OwnerReferencesPermissionEnforcement is activated (Backport PR
[#&#8203;44034](https://redirect.github.com/cilium/cilium/issues/44034),
Upstream PR
[#&#8203;43912](https://redirect.github.com/cilium/cilium/issues/43912),
[@&#8203;fgiloux](https://redirect.github.com/fgiloux))
- bpf: Correct refinement of inner packet L4 checksum detection
(Backport PR
[#&#8203;43923](https://redirect.github.com/cilium/cilium/issues/43923),
Upstream PR
[#&#8203;43868](https://redirect.github.com/cilium/cilium/issues/43868),
[@&#8203;br4243](https://redirect.github.com/br4243))
- bpf: Fix marker to skip nodeport when punting to proxy (Backport PR
[#&#8203;43886](https://redirect.github.com/cilium/cilium/issues/43886),
Upstream PR
[#&#8203;43069](https://redirect.github.com/cilium/cilium/issues/43069),
[@&#8203;borkmann](https://redirect.github.com/borkmann))
- clustermesh: correctly phase out not ready/not service endpoints from
global services (Backport PR
[#&#8203;44056](https://redirect.github.com/cilium/cilium/issues/44056),
Upstream PR
[#&#8203;43807](https://redirect.github.com/cilium/cilium/issues/43807),
[@&#8203;MrFreezeex](https://redirect.github.com/MrFreezeex))
- Fix a bug with local redirect service entries being created when
backend pods weren't ready. (Backport PR
[#&#8203;43756](https://redirect.github.com/cilium/cilium/issues/43756),
Upstream PR
[#&#8203;43095](https://redirect.github.com/cilium/cilium/issues/43095),
[@&#8203;aditighag](https://redirect.github.com/aditighag))
- Fix ICMP error packet handling by adding the missing checksum
recalculation performed during RevNAT for SNATed load-balanced traffic.
(Backport PR
[#&#8203;43861](https://redirect.github.com/cilium/cilium/issues/43861),
Upstream PR
[#&#8203;43196](https://redirect.github.com/cilium/cilium/issues/43196),
[@&#8203;yushoyamaguchi](https://redirect.github.com/yushoyamaguchi))
- Grant permissions to the cilium-operator so that it can reconcile
ingresses when the when the admission plugin
OwnerReferencesPermissionEnforcement is activated (Backport PR
[#&#8203;44034](https://redirect.github.com/cilium/cilium/issues/44034),
Upstream PR
[#&#8203;43949](https://redirect.github.com/cilium/cilium/issues/43949),
[@&#8203;giorio94](https://redirect.github.com/giorio94))
- helm: Fixed RBAC errors with `operator.enabled=false` by aligning
cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport
PR
[#&#8203;44281](https://redirect.github.com/cilium/cilium/issues/44281),
Upstream PR
[#&#8203;44159](https://redirect.github.com/cilium/cilium/issues/44159),
[@&#8203;puwun](https://redirect.github.com/puwun))
- loadbalancer: Fix GetInstancesOfService to avoid removing an endpoint
from Service A causes all requests to Service B to fail if the name of
Service A is the prefix of Service B (Backport PR
[#&#8203;43777](https://redirect.github.com/cilium/cilium/issues/43777),
Upstream PR
[#&#8203;43620](https://redirect.github.com/cilium/cilium/issues/43620),
[@&#8203;imroc](https://redirect.github.com/imroc))
- Reduces rtnl\_mutex contention on SR-IOV nodes by not requesting VF
information in netlink RTM\_GETLINK operations (Backport PR
[#&#8203;44281](https://redirect.github.com/cilium/cilium/issues/44281),
Upstream PR
[#&#8203;43517](https://redirect.github.com/cilium/cilium/issues/43517),
[@&#8203;pasteley](https://redirect.github.com/pasteley))

**CI Changes:**

- fix(ctmap/gc): fix race conditions and flakiness in
TestGCEnableRatchet (Backport PR
[#&#8203;44056](https://redirect.github.com/cilium/cilium/issues/44056),
Upstream PR
[#&#8203;42009](https://redirect.github.com/cilium/cilium/issues/42009),
[@&#8203;AritraDey-Dev](https://redirect.github.com/AritraDey-Dev))
- gh: ariane: don't run cloud workflows for LVH kernel updates (Backport
PR
[#&#8203;44148](https://redirect.github.com/cilium/cilium/issues/44148),
Upstream PR
[#&#8203;44109](https://redirect.github.com/cilium/cilium/issues/44109),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- gh: ariane: skip more workflows for LVH kernel updates (Backport PR
[#&#8203;44148](https://redirect.github.com/cilium/cilium/issues/44148),
Upstream PR
[#&#8203;44115](https://redirect.github.com/cilium/cilium/issues/44115),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- gha: let CiliumEndpointSlice migration be run nightly on stable
branches (Backport PR
[#&#8203;44004](https://redirect.github.com/cilium/cilium/issues/44004),
Upstream PR
[#&#8203;43921](https://redirect.github.com/cilium/cilium/issues/43921),
[@&#8203;giorio94](https://redirect.github.com/giorio94))
- gke: lower scope of ESP firewall rule (Backport PR
[#&#8203;43865](https://redirect.github.com/cilium/cilium/issues/43865),
Upstream PR
[#&#8203;43691](https://redirect.github.com/cilium/cilium/issues/43691),
[@&#8203;marseel](https://redirect.github.com/marseel))

**Misc Changes:**

- .github/workflows: use proper directory structure for GH actions
([#&#8203;43760](https://redirect.github.com/cilium/cilium/issues/43760),
[@&#8203;aanm](https://redirect.github.com/aanm))
- chore(deps): update all github action dependencies (v1.18)
([#&#8203;43845](https://redirect.github.com/cilium/cilium/issues/43845),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18)
([#&#8203;43984](https://redirect.github.com/cilium/cilium/issues/43984),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18)
([#&#8203;44099](https://redirect.github.com/cilium/cilium/issues/44099),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18)
([#&#8203;44253](https://redirect.github.com/cilium/cilium/issues/44253),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18)
([#&#8203;43839](https://redirect.github.com/cilium/cilium/issues/43839),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update base-images (v1.18)
([#&#8203;43840](https://redirect.github.com/cilium/cilium/issues/43840),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update base-images (v1.18)
([#&#8203;43983](https://redirect.github.com/cilium/cilium/issues/43983),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update base-images (v1.18)
([#&#8203;44098](https://redirect.github.com/cilium/cilium/issues/44098),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.19.0 (v1.18)
([#&#8203;43844](https://redirect.github.com/cilium/cilium/issues/43844),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.22.3
(v1.18)
([#&#8203;44096](https://redirect.github.com/cilium/cilium/issues/44096),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/busybox:1.37.0 docker digest to
[`b3255e7`](https://redirect.github.com/cilium/cilium/commit/b3255e7)
(v1.18)
([#&#8203;44249](https://redirect.github.com/cilium/cilium/issues/44249),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/busybox:1.37.0 docker digest to
[`e226d63`](https://redirect.github.com/cilium/cilium/commit/e226d63)
(v1.18)
([#&#8203;43979](https://redirect.github.com/cilium/cilium/issues/43979),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/ubuntu:24.04 docker digest to
[`cd1dba6`](https://redirect.github.com/cilium/cilium/commit/cd1dba6)
(v1.18)
([#&#8203;43980](https://redirect.github.com/cilium/cilium/issues/43980),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update gcr.io/distroless/static:nonroot docker digest to
[`f9f84bd`](https://redirect.github.com/cilium/cilium/commit/f9f84bd)
(v1.18)
([#&#8203;44250](https://redirect.github.com/cilium/cilium/issues/44250),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/certgen docker tag to v0.3.2
(v1.18)
([#&#8203;43841](https://redirect.github.com/cilium/cilium/issues/43841),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to
v1.35.9-1768610924-2528359430c6adba1ab20fc8396b4effe491ed96 (v1.18)
([#&#8203;43842](https://redirect.github.com/cilium/cilium/issues/43842),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to
v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29 (v1.18)
([#&#8203;43981](https://redirect.github.com/cilium/cilium/issues/43981),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to
v1.35.9-1770265024-9828c064a10df81f1939b692b01203d88bb439e4 (v1.18)
([#&#8203;44251](https://redirect.github.com/cilium/cilium/issues/44251),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to
v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de (v1.18)
([#&#8203;44260](https://redirect.github.com/cilium/cilium/issues/44260),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#&#8203;43843](https://redirect.github.com/cilium/cilium/issues/43843),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#&#8203;43982](https://redirect.github.com/cilium/cilium/issues/43982),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#&#8203;44097](https://redirect.github.com/cilium/cilium/issues/44097),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- docs: add helm underlayProtocol value to documentation (Backport PR
[#&#8203;44056](https://redirect.github.com/cilium/cilium/issues/44056),
Upstream PR
[#&#8203;43934](https://redirect.github.com/cilium/cilium/issues/43934),
[@&#8203;aanm](https://redirect.github.com/aanm))
- docs: adjust URL to latest stable Hubble CLI version (Backport PR
[#&#8203;43777](https://redirect.github.com/cilium/cilium/issues/43777),
Upstream PR
[#&#8203;43745](https://redirect.github.com/cilium/cilium/issues/43745),
[@&#8203;tklauser](https://redirect.github.com/tklauser))
- docs: Document hubble requirement on kernels with BPF\_EVENTS compiled
in (Backport PR
[#&#8203;44056](https://redirect.github.com/cilium/cilium/issues/44056),
Upstream PR
[#&#8203;44042](https://redirect.github.com/cilium/cilium/issues/44042),
[@&#8203;EmilyShepherd](https://redirect.github.com/EmilyShepherd))
- docs: Update docsearch to v4.5.4 (Backport PR
[#&#8203;44273](https://redirect.github.com/cilium/cilium/issues/44273),
Upstream PR
[#&#8203;44233](https://redirect.github.com/cilium/cilium/issues/44233),
[@&#8203;joestringer](https://redirect.github.com/joestringer))
- Documentation: Added Helm configuration instructions for enabling and
customizing metrics. (Backport PR
[#&#8203;44056](https://redirect.github.com/cilium/cilium/issues/44056),
Upstream PR
[#&#8203;43481](https://redirect.github.com/cilium/cilium/issues/43481),
[@&#8203;suunj](https://redirect.github.com/suunj))
- gitattributes: make install/kubernetes driver match more specific.
(Backport PR
[#&#8203;44056](https://redirect.github.com/cilium/cilium/issues/44056),
Upstream PR
[#&#8203;43943](https://redirect.github.com/cilium/cilium/issues/43943),
[@&#8203;tommyp1ckles](https://redirect.github.com/tommyp1ckles))
- multicast: fix nil assignment to node configuration cell.Out map
(Backport PR
[#&#8203;43865](https://redirect.github.com/cilium/cilium/issues/43865),
Upstream PR
[#&#8203;40859](https://redirect.github.com/cilium/cilium/issues/40859),
[@&#8203;ldelossa](https://redirect.github.com/ldelossa))
- workflows: Add id-token permission to call-publish-helm job (Backport
PR
[#&#8203;43777](https://redirect.github.com/cilium/cilium/issues/43777),
Upstream PR
[#&#8203;43717](https://redirect.github.com/cilium/cilium/issues/43717),
[@&#8203;aanm](https://redirect.github.com/aanm))

**Other Changes:**

- .github/workflows: remove stable from v1.18 branch
([#&#8203;44153](https://redirect.github.com/cilium/cilium/issues/44153),
[@&#8203;aanm](https://redirect.github.com/aanm))
- \[v1.18] Backport setup gke cluster
([#&#8203;43793](https://redirect.github.com/cilium/cilium/issues/43793),
[@&#8203;Artyop](https://redirect.github.com/Artyop))
- install: Update image digests for v1.18.6
([#&#8203;43714](https://redirect.github.com/cilium/cilium/issues/43714),
[@&#8203;cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot])

##### Docker Manifests

##### cilium


`quay.io/cilium/cilium:v1.18.7@&#8203;sha256:99b029a0a7c2224dac8c1cc3b6b3ba52af00e2ff981d927e84260ee781e9753c`

##### clustermesh-apiserver


`quay.io/cilium/clustermesh-apiserver:v1.18.7@&#8203;sha256:3d4512153afc5d8ceda3517f9b243619b55a67f9abaebcc92c4be2df94d43cfa`

##### docker-plugin


`quay.io/cilium/docker-plugin:v1.18.7@&#8203;sha256:e9f15016c7247dffeb2a9216cccc2ab6d36345a2504d34e319c6e9a7873bf3e9`

##### hubble-relay


`quay.io/cilium/hubble-relay:v1.18.7@&#8203;sha256:9bb9b2b1a4f4bef12a77738756cfbf970daa701e536e42f0a9c64a621bc7c9d5`

##### operator-alibabacloud


`quay.io/cilium/operator-alibabacloud:v1.18.7@&#8203;sha256:ca3f0dd26a4b447524dce51ee8ef82485a08187b840c21ce4a1398c02b5174a0`

##### operator-aws


`quay.io/cilium/operator-aws:v1.18.7@&#8203;sha256:fe56a6289afea7f6420f8de0218710ccaaa7af891df5fc180ddd33e6c7509b45`

##### operator-azure


`quay.io/cilium/operator-azure:v1.18.7@&#8203;sha256:5fb753344c84ab0989d525f789738c874f3fa8f07fbb5cfce06034d027c9728f`

##### operator-generic


`quay.io/cilium/operator-generic:v1.18.7@&#8203;sha256:244306c5e7c6b73dc7193424f46ed8a0530767b03f03baac80dd717a3a3f0ad7`

##### operator


`quay.io/cilium/operator:v1.18.7@&#8203;sha256:8aa2bb32df776b8e8f6cfb57ab3eaed5a451bc9f20f1d62a2393840fc072678f`

###
[`v1.18.6`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.6):
1.18.6

[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.18.5...1.18.6)

## Summary of Changes

**Major Changes:**

- Publish Helm charts to OCI registries (Backport PR
[#&#8203;43689](https://redirect.github.com/cilium/cilium/issues/43689),
Upstream PR
[#&#8203;43624](https://redirect.github.com/cilium/cilium/issues/43624),
[@&#8203;aanm](https://redirect.github.com/aanm))

**Minor Changes:**

- Cilium Preflight check no longer includes Envoy Configmaps, making it
easier to correctly run. (Backport PR
[#&#8203;43290](https://redirect.github.com/cilium/cilium/issues/43290),
Upstream PR
[#&#8203;43153](https://redirect.github.com/cilium/cilium/issues/43153),
[@&#8203;youngnick](https://redirect.github.com/youngnick))
- runtime: Add libatomic1 for cilium-envoy dependency (Backport PR
[#&#8203;43642](https://redirect.github.com/cilium/cilium/issues/43642),
Upstream PR
[#&#8203;43292](https://redirect.github.com/cilium/cilium/issues/43292),
[@&#8203;sayboras](https://redirect.github.com/sayboras))

**Bugfixes:**

- bpf:wireguard: delivery host packets to bpf\_host for ingress policies
(Backport PR
[#&#8203;43690](https://redirect.github.com/cilium/cilium/issues/43690),
Upstream PR
[#&#8203;42892](https://redirect.github.com/cilium/cilium/issues/42892),
[@&#8203;smagnani96](https://redirect.github.com/smagnani96))
- cgroup: don't start watch if KPRConfig.EnableSocketLB is disabled
(Backport PR
[#&#8203;43290](https://redirect.github.com/cilium/cilium/issues/43290),
Upstream PR
[#&#8203;43256](https://redirect.github.com/cilium/cilium/issues/43256),
[@&#8203;mhofstetter](https://redirect.github.com/mhofstetter))
- Fix a bug with local redirect service entries being created when
backend pods weren't ready. (Backport PR
[#&#8203;43425](https://redirect.github.com/cilium/cilium/issues/43425),
Upstream PR
[#&#8203;43095](https://redirect.github.com/cilium/cilium/issues/43095),
[@&#8203;aditighag](https://redirect.github.com/aditighag))
- Fix an issue in proxy NOTRACK iptables rule for aws-cni chaining mode
which causes proxy->upstream(outside cluster) traffic not being SNAT'd.
(Backport PR
[#&#8203;43676](https://redirect.github.com/cilium/cilium/issues/43676),
Upstream PR
[#&#8203;43566](https://redirect.github.com/cilium/cilium/issues/43566),
[@&#8203;fristonio](https://redirect.github.com/fristonio))
- Fix GC of possible duplicated identities in kvstore mode (Backport PR
[#&#8203;43425](https://redirect.github.com/cilium/cilium/issues/43425),
Upstream PR
[#&#8203;43287](https://redirect.github.com/cilium/cilium/issues/43287),
[@&#8203;giorio94](https://redirect.github.com/giorio94))
- Fixes a deadlock that was causing endpoint to be stuck without
progressing with any updates. (Backport PR
[#&#8203;43290](https://redirect.github.com/cilium/cilium/issues/43290),
Upstream PR
[#&#8203;43242](https://redirect.github.com/cilium/cilium/issues/43242),
[@&#8203;marseel](https://redirect.github.com/marseel))
- gateway-api: correctly handle CiliumGatewayClassConfig as a namespaced
resource. (Backport PR
[#&#8203;43290](https://redirect.github.com/cilium/cilium/issues/43290),
Upstream PR
[#&#8203;43254](https://redirect.github.com/cilium/cilium/issues/43254),
[@&#8203;youngnick](https://redirect.github.com/youngnick))
- xds: fix nil-pointer in `processRequestStream` (Backport PR
[#&#8203;43612](https://redirect.github.com/cilium/cilium/issues/43612),
Upstream PR
[#&#8203;43609](https://redirect.github.com/cilium/cilium/issues/43609),
[@&#8203;mhofstetter](https://redirect.github.com/mhofstetter))

**CI Changes:**

- bpf: tests: egressgw: enable HostFW (Backport PR
[#&#8203;43337](https://redirect.github.com/cilium/cilium/issues/43337),
Upstream PR
[#&#8203;42955](https://redirect.github.com/cilium/cilium/issues/42955),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- bpf: tests: egressgw: install ipcache\_v6\_add\_world\_entry()
(Backport PR
[#&#8203;43337](https://redirect.github.com/cilium/cilium/issues/43337),
Upstream PR
[#&#8203;42988](https://redirect.github.com/cilium/cilium/issues/42988),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- chore: comment job to use generated token instead of PAT (Backport PR
[#&#8203;43612](https://redirect.github.com/cilium/cilium/issues/43612),
Upstream PR
[#&#8203;43148](https://redirect.github.com/cilium/cilium/issues/43148),
[@&#8203;sekhar-isovalent](https://redirect.github.com/sekhar-isovalent))
- ci: Use newer lvh image for privileged tests (Backport PR
[#&#8203;43490](https://redirect.github.com/cilium/cilium/issues/43490),
Upstream PR
[#&#8203;41082](https://redirect.github.com/cilium/cilium/issues/41082),
[@&#8203;rastislavs](https://redirect.github.com/rastislavs))

**Misc Changes:**

- .github/workflows: remove auto-requested reviewers (Backport PR
[#&#8203;43425](https://redirect.github.com/cilium/cilium/issues/43425),
Upstream PR
[#&#8203;42952](https://redirect.github.com/cilium/cilium/issues/42952),
[@&#8203;aanm](https://redirect.github.com/aanm))
- Add documentation and examples for using the egressDeny field in
CiliumNetworkPolicy (Backport PR
[#&#8203;43425](https://redirect.github.com/cilium/cilium/issues/43425),
Upstream PR
[#&#8203;40272](https://redirect.github.com/cilium/cilium/issues/40272),
[@&#8203;syedazeez337](https://redirect.github.com/syedazeez337))
- bpf: clear mark content before storing the cluster ID (Backport PR
[#&#8203;43290](https://redirect.github.com/cilium/cilium/issues/43290),
Upstream PR
[#&#8203;43159](https://redirect.github.com/cilium/cilium/issues/43159),
[@&#8203;giorio94](https://redirect.github.com/giorio94))
- bpf: prevent cluster ID from being incorrectly retrieved from mark
when aliased (Backport PR
[#&#8203;43290](https://redirect.github.com/cilium/cilium/issues/43290),
Upstream PR
[#&#8203;43258](https://redirect.github.com/cilium/cilium/issues/43258),
[@&#8203;giorio94](https://redirect.github.com/giorio94))
- chore(deps): update all github action dependencies (v1.18)
([#&#8203;43467](https://redirect.github.com/cilium/cilium/issues/43467),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18)
([#&#8203;43665](https://redirect.github.com/cilium/cilium/issues/43665),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update anchore/sbom-action action to v0.21.0 (v1.18)
([#&#8203;43512](https://redirect.github.com/cilium/cilium/issues/43512),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update base-images (v1.18)
([#&#8203;43543](https://redirect.github.com/cilium/cilium/issues/43543),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update base-images (v1.18)
([#&#8203;43664](https://redirect.github.com/cilium/cilium/issues/43664),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/busybox:1.37.0 docker digest to
[`2383baa`](https://redirect.github.com/cilium/cilium/commit/2383baa)
(v1.18)
([#&#8203;43662](https://redirect.github.com/cilium/cilium/issues/43662),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.24.11 docker digest to
[`54528d1`](https://redirect.github.com/cilium/cilium/commit/54528d1)
(v1.18)
([#&#8203;43464](https://redirect.github.com/cilium/cilium/issues/43464),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.7
(v1.18)
([#&#8203;43465](https://redirect.github.com/cilium/cilium/issues/43465),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to
v1.34.12-1767177245-7935d4d711cb6f8020385a50c996b90896e16a71 (v1.18)
([#&#8203;43539](https://redirect.github.com/cilium/cilium/issues/43539),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to
v1.35.9-1767794330-db497dd19e346b39d81d7b5c0dedf6c812bcc5c9 (v1.18)
([#&#8203;43638](https://redirect.github.com/cilium/cilium/issues/43638),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update rhysd/actionlint docker tag to v1.7.10 (v1.18)
([#&#8203;43541](https://redirect.github.com/cilium/cilium/issues/43541),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#&#8203;43466](https://redirect.github.com/cilium/cilium/issues/43466),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#&#8203;43542](https://redirect.github.com/cilium/cilium/issues/43542),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#&#8203;43571](https://redirect.github.com/cilium/cilium/issues/43571),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch)
([#&#8203;43663](https://redirect.github.com/cilium/cilium/issues/43663),
[@&#8203;cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot])
- cmapisrv/test: miscellaneous fixes to the ciliumidentities script test
(Backport PR
[#&#8203;43425](https://redirect.github.com/cilium/cilium/issues/43425),
Upstream PR
[#&#8203;43372](https://redirect.github.com/cilium/cilium/issues/43372),
[@&#8203;giorio94](https://redirect.github.com/giorio94))
- docs: Add missing IPv6 fragmentation BPF map reference (Backport PR
[#&#8203;43290](https://redirect.github.com/cilium/cilium/issues/43290),
Upstream PR
[#&#8203;43161](https://redirect.github.com/cilium/cilium/issues/43161),
[@&#8203;doniacld](https://redirect.github.com/doniacld))
- Fix a regression in the new services control plane where
loadBalancerSourceRanges was applied by default to all service types.
(Backport PR
[#&#8203;43575](https://redirect.github.com/cilium/cilium/issues/43575),
Upstream PR
[#&#8203;42351](https://redirect.github.com/cilium/cilium/issues/42351),
[@&#8203;borkmann](https://redirect.github.com/borkmann))
- operator: the K8s Secret synchronization process now resynchronizes
after an hour for synced Secrets. (Backport PR
[#&#8203;43425](https://redirect.github.com/cilium/cilium/issues/43425),
Upstream PR
[#&#8203;42414](https://redirect.github.com/cilium/cilium/issues/42414),
[@&#8203;youngnick](https://redirect.github.com/youngnick))
- release: change OCI registry (Backport PR
[#&#8203;43689](https://redirect.github.com/cilium/cilium/issues/43689),
Upstream PR
[#&#8203;43646](https://redirect.github.com/cilium/cilium/issues/43646),
[@&#8203;aanm](https://redirect.github.com/aanm))
- route: install ingress proxy routes with WireGuard and L7Proxy
(Backport PR
[#&#8203;43434](https://redirect.github.com/cilium/cilium/issues/43434),
Upstream PR
[#&#8203;42835](https://redirect.github.com/cilium/cilium/issues/42835),
[@&#8203;smagnani96](https://redirect.github.com/smagnani96))

**Other Changes:**

- \[v1.18] bpf:hubble: support policy verdict from L3 devices
([#&#8203;43381](https://redirect.github.com/cilium/cilium/issues/43381),
[@&#8203;smagnani96](https://redirect.github.com/smagnani96))
- \[v1.18] deps: bump CNI plugins version to v1.9.0
([#&#8203;43593](https://redirect.github.com/cilium/cilium/issues/43593),
[@&#8203;diyi0926](https://redirect.github.com/diyi0926))
- install: Update image digests for v1.18.5
([#&#8203;43400](https://redirect.github.com/cilium/cilium/issues/43400),
[@&#8203;cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot])

#### Docker Manifests

##### cilium


`quay.io/cilium/cilium:v1.18.6@&#8203;sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4`

`quay.io/cilium/cilium:stable@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4`

##### clustermesh-apiserver


`quay.io/cilium/clustermesh-apiserver:v1.18.6@&#8203;sha256:8ee142912a0e261850c0802d9256ddbe3729e1cd35c6bea2d93077f334c3cf3b`

`quay.io/cilium/clustermesh-apiserver:stable@sha256:8ee142912a0e261850c0802d9256ddbe3729e1cd35c6bea2d93077f334c3cf3b`

##### docker-plugin


`quay.io/cilium/docker-plugin:v1.18.6@&#8203;sha256:7931555ad713a48a28e4bf097402e0e398461dbf51b81cb8192558c5cb0dc48f`

`quay.io/cilium/docker-plugin:stable@sha256:7931555ad713a48a28e4bf097402e0e398461dbf51b81cb8192558c5cb0dc48f`

##### hubble-relay


`quay.io/cilium/hubble-relay:v1.18.6@&#8203;sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e`

`quay.io/cilium/hubble-relay:stable@sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e`

##### operator-alibabacloud


`quay.io/cilium/operator-alibabacloud:v1.18.6@&#8203;sha256:212c4cbe27da3772bcb952b8f8cbaa0b0eef72488b52edf90ad2b32072a3ca4c`

`quay.io/cilium/operator-alibabacloud:stable@sha256:212c4cbe27da3772bcb952b8f8cbaa0b0eef72488b52edf90ad2b32072a3ca4c`

##### operator-aws


`quay.io/cilium/operator-aws:v1.18.6@&#8203;sha256:47dbc1a5bd483fec170dab7fb0bf2cca3585a4893675b0324d41d97bac8be5eb`

`quay.io/cilium/operator-aws:stable@sha256:47dbc1a5bd483fec170dab7fb0bf2cca3585a4893675b0324d41d97bac8be5eb`

##### operator-azure


`quay.io/cilium/operator-azure:v1.18.6@&#8203;sha256:a57aff47aeb32eccfedaa2a49d1af984d996d6d6de79609c232e0c4cf9ce97a1`

`quay.io/cilium/operator-azure:stable@sha256:a57aff47aeb32eccfedaa2a49d1af984d996d6d6de79609c232e0c4cf9ce97a1`

##### operator-generic


`quay.io/cilium/operator-generic:v1.18.6@&#8203;sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af`

`quay.io/cilium/operator-generic:stable@sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af`

##### operator


`quay.io/cilium/operator:v1.18.6@&#8203;sha256:0e8903aa092025918761d24ae9a91af35baa5b6910b5d0e3feac91ab8a2bc65b`

`quay.io/cilium/operator:stable@sha256:0e8903aa092025918761d24ae9a91af35baa5b6910b5d0e3feac91ab8a2bc65b`

###
[`v1.18.5`](https://redirect.github.com/cilium/cilium/releases/tag/v1.18.5):
1.18.5

[Compare
Source](https://redirect.github.com/cilium/cilium/compare/1.18.4...1.18.5)

## Summary of Changes

**Minor Changes:**

- \[v1.18] proxy: Bump envoy version to v1.34.11
([#&#8203;43143](https://redirect.github.com/cilium/cilium/issues/43143),
[@&#8203;sayboras](https://redirect.github.com/sayboras))
- Change the sidecar etcd instance of the Cluster Mesh API Server listen
on all IP addresses (Backport PR
[#&#8203;42948](https://redirect.github.com/cilium/cilium/issues/42948),
Upstream PR
[#&#8203;42818](https://redirect.github.com/cilium/cilium/issues/42818),
[@&#8203;giorio94](https://redirect.github.com/giorio94))

**Bugfixes:**

- allow missing verbs for cilium-agent cluster role when
readSecretsOnlyFromSecretsNamespace is false (Backport PR
[#&#8203;42948](https://redirect.github.com/cilium/cilium/issues/42948),
Upstream PR
[#&#8203;42790](https://redirect.github.com/cilium/cilium/issues/42790),
[@&#8203;kraashen](https://redirect.github.com/kraashen))
- AWS EC2: Fix ENI attachment on multi-network card instances with
high-performance networking (EFA) setups (Backport PR
[#&#8203;42745](https://redirect.github.com/cilium/cilium/issues/42745),
Upstream PR
[#&#8203;42512](https://redirect.github.com/cilium/cilium/issues/42512),
[@&#8203;41ks](https://redirect.github.com/41ks))
- CiliumEnvoyConfig proxy ports are now restored on agent restarts.
(Backport PR
[#&#8203;43117](https://redirect.github.com/cilium/cilium/issues/43117),
Upstream PR
[#&#8203;43108](https://redirect.github.com/cilium/cilium/issues/43108),
[@&#8203;jrajahalme](https://redirect.github.com/jrajahalme))
- Cleanup FQDNs that have leaked into the global FQDN cache (Backport PR
[#&#8203;42864](https://redirect.github.com/cilium/cilium/issues/42864),
Upstream PR
[#&#8203;42485](https://redirect.github.com/cilium/cilium/issues/42485),
[@&#8203;sjohnsonpal](https://redirect.github.com/sjohnsonpal))
- Do not opt-out Endpoint ID 1 from dnsproxy transparent mode. (Backport
PR
[#&#8203;42948](https://redirect.github.com/cilium/cilium/issues/42948),
Upstream PR
[#&#8203;42887](https://redirect.github.com/cilium/cilium/issues/42887),
[@&#8203;jrajahalme](https://redirect.github.com/jrajahalme))
- ENI: Fix panic on nil subnet (Backport PR
[#&#8203;43117](https://redirect.github.com/cilium/cilium/issues/43117),
Upstream PR
[#&#8203;43023](https://redirect.github.com/cilium/cilium/issues/43023),
[@&#8203;HadrienPatte](https://redirect.github.com/HadrienPatte))
- Ensure cilium-agent gracefully does fallbacks when etcd is in a bad
state. (Backport PR
[#&#8203;43059](https://redirect.github.com/cilium/cilium/issues/43059),
Upstream PR
[#&#8203;42977](https://redirect.github.com/cilium/cilium/issues/42977),
[@&#8203;odinuge](https://redirect.github.com/odinuge))
- Fix a bug that would cause Cilium to not report L4 checksum update
errors when the length attribute is missing in ICMP Error messages with
TCP inner packets. (Backport PR
[#&#8203;42828](https://redirect.github.com/cilium/cilium/issues/42828),
Upstream PR
[#&#8203;42426](https://redirect.github.com/cilium/cilium/issues/42426),
[@&#8203;yushoyamaguchi](https://redirect.github.com/yushoyamaguchi))
- Fix a bug that would cause IPsec logs to incorrectly report the XFRM
rules being processed as "Ingress" rules. (Backport PR
[#&#8203;42828](https://redirect.github.com/cilium/cilium/issues/42828),
Upstream PR
[#&#8203;42640](https://redirect.github.com/cilium/cilium/issues/42640),
[@&#8203;sjohnsonpal](https://redirect.github.com/sjohnsonpal))
- Fix agent local identity leak (Backport PR
[#&#8203;43117](https://redirect.github.com/cilium/cilium/issues/43117),
Upstream PR
[#&#8203;42662](https://redirect.github.com/cilium/cilium/issues/42662),
[@&#8203;odinuge](https://redirect.github.com/odinuge))
- Fix bug that could cause the agent to fail to add XFRM states when
IPsec is enabled, thus preventing a proper startup. (Backport PR
[#&#8203;42948](https://redirect.github.com/cilium/cilium/issues/42948),
Upstream PR
[#&#8203;42666](https://redirect.github.com/cilium/cilium/issues/42666),
[@&#8203;pchaigno](https://redirect.github.com/pchaigno))
- Fix GC of per-cluster ctmap entries (Backport PR
[#&#8203;43294](https://redirect.github.com/cilium/cilium/issues/43294),
Upstream PR
[#&#8203;43160](https://redirect.github.com/cilium/cilium/issues/43160),
[@&#8203;giorio94](https://redirect.github.com/giorio94))
- Fix ipcache issues causing severe issues with the fqdn subsystem
(Backport PR
[#&#8203;42864](https://redirect.github.com/cilium/cilium/issues/42864),
Upstream PR
[#&#8203;42815](https://redirect.github.com/cilium/cilium/issues/42815),
[@&#8203;odinuge](https://redirect.github.com/odinuge))
- Fix issue where endpoints got stuck in "waiting-to-regenerate"
(Backport PR
[#&#8203;42948](https://redirect.github.com/cilium/cilium/issues/42948),
Upstream PR
[#&#8203;42856](https://redirect.github.com/cilium/cilium/issues/42856),
[@&#8203;odinuge](https://redirect.github.com/odinuge))
- Fix leak in the policy subsystem (Backport PR
[#&#8203;43117](https://redirect.github.com/cilium/cilium/issues/43117),
Upstream PR
[#&#8203;42661](https://redirect.github.com/cilium/cilium/issues/42661),
[@&#8203;odinuge](https://redirect.github.com/odinuge))
- Fix rare kvstore issue where cilium continues to use an expired lease
causing kvstore operations to fail consistently (Backport PR
[#&#8203;42745](https://redirect.github.com/cilium/cilium/issues/42745),
Upstream PR
[#&#8203;42709](https://redirect.github.com/cilium/cilium/issues/42709),
[@&#8203;odinuge](https://redirect.github.com/odinuge))
- fqdn: Fix fqdn subsystem correctness issues causing packet drops and
inconsistent ipcache (Backport PR
[#&#8203;43117](https://redirect.github.com/cilium/cilium/issues/43117),
Upstream PR
[#&#8203;42500](https://redirect.github.com/cilium/cilium/issues/42500),
[@&#8203;odinuge](https://redirect.github.com/odinuge))
- In rare cases, the cilium-operator losing the lead of the HA
deployment could continue acting as if leading for at most a minute,
leading to split-brain problems such as double allocation of pod CIDRs.
(Backport PR
[#&#8203;43059](https://redirect.github.com/cilium/cilium/issues/43059),
Upstream PR
[#&#8203;42920](https://redirect.github.com/cilium/cilium/issues/42920),
[@&#8203;bimmlerd](https://redirect.github.com/bimmlerd))
- KVStoreMesh now correctly respects the CA bundle setting when
validating remote cluster certificates (Backport PR
[#&#8203;42828](https://redirect.github.com/cilium/cilium/issues/42828),
Upstream PR
[#&#8203;42726](https://redirect.github.com/cilium/cilium/issues/42726),
[@&#8203;giorio94](https://redirect.github.com/giorio94))
- policy: Fix rare Endpoint Selector Policy Deadlock causing policies to
not be updated with new identities (Backport PR
[#&#8203;42864](https://redirect.github.com/cilium/cilium/issues/42864),
Upstream PR
[#&#8203;42306](https://redirect.github.com/cilium/cilium/issues/42306),
[@&#8203;odinuge](https://redirect.github.com/odinuge))
- Recreate CiliumEndpoints (k8s resource) if they are accidentally
deleted. (Backport PR
[#&#8203;43117](https://redirect.github.com/cilium/cilium/issues/43117),
Upstream PR
[#&#8203;42877](https://redirect.github.com/cilium/cilium/issues/42877),
[@&#8203;aanm](https://redirect.github.com/aanm))
- redirectpolicy: Avoid recomputing on pod changes that do not change
resulting redirect backends (Backport PR
[#&#8203;42948](https://redirect.github.com/cilium/cilium/issues/42948),
Upstream PR
[#&#8203;42814](https://redirect.github.com/cilium/cilium/issues/42814),
[@&#8203;joamaki](https://redirect.github.com/joamaki))

**CI Changes:**

- bpf: test: add BPF Masq tests for unknown / handled protocols
(Backport PR
[#&#8203;42711](https://redirect.github.com/cilium/cilium/issues/42711),
Upstream PR
[#&#8203;42144](https://redirect.github.com/cilium/cilium/issues/42144),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- bpf: test: egressgw: fix up ENABLE\_MASQUERADE (Backport PR
[#&#8203;42966](https://redirect.github.com/cilium/cilium/issues/42966),
Upstream PR
[#&#8203;42912](https://redirect.github.com/cilium/cilium/issues/42912),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- bpf: tests: add BPF MASQ test for ICMP ECHOs (Backport PR
[#&#8203;42711](https://redirect.github.com/cilium/cilium/issues/42711),
Upstream PR
[#&#8203;42656](https://redirect.github.com/cilium/cilium/issues/42656),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- bpf: tests: set ENABLE\_MASQUERADE\_IPV6 for EGW XDP test (Backport PR
[#&#8203;43059](https://redirect.github.com/cilium/cilium/issues/43059),
Upstream PR
[#&#8203;42962](https://redirect.github.com/cilium/cilium/issues/42962),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- bpf:test: cover host endpoint case in tc\_nodeport\_l3\_dev.h
(Backport PR
[#&#8203;43059](https://redirect.github.com/cilium/cilium/issues/43059),
Upstream PR
[#&#8203;42983](https://redirect.github.com/cilium/cilium/issues/42983),
[@&#8203;smagnani96](https://redirect.github.com/smagnani96))
- Delete .github/workflows/build-images-hotfixes.yaml (Backport PR
[#&#8203;42966](https://redirect.github.com/cilium/cilium/issues/42966),
Upstream PR
[#&#8203;42958](https://redirect.github.com/cilium/cilium/issues/42958),
[@&#8203;sekhar-isovalent](https://redirect.github.com/sekhar-isovalent))
- gh: conn-disrupt: fix XFRM error checks (Backport PR
[#&#8203;42764](https://redirect.github.com/cilium/cilium/issues/42764),
Upstream PR
[#&#8203;42724](https://redirect.github.com/cilium/cilium/issues/42724),
[@&#8203;julianwiedmann](https://redirect.github.com/julianwiedmann))
- gh: ipsec-e2e: fix flaky connection disruptivity test (Backport PR
[#&#8203;42823](https://redirect.github.com/cilium/cilium/issues/42823),

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "on saturday" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/sp3nx0r/homelab).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNzMuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIyLjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aditighag aditighag aditighag approved these changes

@derailed derailed derailed approved these changes

@gandro gandro gandro approved these changes

@kaworu kaworu kaworu approved these changes

@devodev devodev Awaiting requested review from devodev

Assignees

No one assigned

Labels

area/hubble Impacts hubble server or relay kind/community-contribution This was a contribution made by a community member. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.

Projects

No open projects
cilium v1.19.0
Status: Released

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Extend Hubble flows with VRRP and IGMP

7 participants

@kyounghunJang @gandro @aditighag @derailed @kaworu @devodev @pchaigno