Update cilium v1.16.1 (#300)

packages/system/cilium/charts/cilium/Chart.yaml

@@ -79,7 +79,7 @@ annotations:
     Pod IP Pool\n  description: |\n    CiliumPodIPPool defines an IP pool that can
     be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.16.0
+appVersion: 1.16.1
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.16.0
+version: 1.16.1

packages/system/cilium/charts/cilium/README.md.gotmpl

@@ -48,7 +48,7 @@ offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/ge
 ## Getting Help
 
 The best way to get help if you get stuck is to ask a question on the
-[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium
+[Cilium Slack channel](https://slack.cilium.io). With Cilium
 contributors across the globe, there is almost always someone available to help.
 
 {{ template "chart.valuesSection" . }}

packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml

@@ -984,7 +984,7 @@ spec:
           defaultMode: 0400
           sources:
           - secret:
-              name: hubble-server-certs
+              name: {{ .Values.hubble.tls.server.existingSecret | default "hubble-server-certs" }}
               optional: true
               items:
               - key: tls.crt
@@ -1010,7 +1010,7 @@ spec:
           defaultMode: 0400
           sources:
           - secret:
-              name: hubble-metrics-server-certs
+              name: {{ .Values.hubble.tls.server.existingSecret | default "hubble-metrics-server-certs" }}
               optional: true
               items:
               - key: tls.crt

packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml

@@ -1290,6 +1290,9 @@ data:
   clustermesh-enable-endpoint-sync: {{ .Values.clustermesh.enableEndpointSliceSynchronization | quote }}
   clustermesh-enable-mcs-api: {{ .Values.clustermesh.enableMCSAPISupport | quote }}
 
+  nat-map-stats-entries: {{ .Values.nat.mapStatsEntries | quote }}
+  nat-map-stats-interval: {{ .Values.nat.mapStatsInterval | quote }}
+
 # Extra config allows adding arbitrary properties to the cilium config.
 # By putting it at the end of the ConfigMap, it's also possible to override existing properties.
 {{- if .Values.extraConfig }}

packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml

@@ -170,7 +170,7 @@ spec:
           defaultMode: 0400
           sources:
           - secret:
-              name: hubble-relay-client-certs
+              name: {{ .Values.hubble.relay.tls.client.existingSecret | default "hubble-relay-client-certs" }}
               items:
                 - key: tls.crt
                   path: client.crt
@@ -188,7 +188,7 @@ spec:
           {{- end }}
           {{- if .Values.hubble.relay.tls.server.enabled }}
           - secret:
-              name: hubble-relay-server-certs
+              name: {{ .Values.hubble.relay.tls.server.existingSecret | default "hubble-relay-server-certs" }}
               items:
                 - key: tls.crt
                   path: server.crt

packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml

@@ -186,7 +186,7 @@ spec:
           defaultMode: 0400
           sources:
           - secret:
-              name: hubble-ui-client-certs
+              name: {{ .Values.hubble.ui.tls.client.existingSecret | default "hubble-ui-client-certs" }}
               items:
                 - key: tls.crt
                   path: client.crt

packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl

@@ -10,10 +10,6 @@ spec:
         {{- end }}
     spec:
       securityContext:
-        {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }}
-        appArmorProfile:
-          type: RuntimeDefault
-        {{- end }}
         seccompProfile:
           type: RuntimeDefault
       containers:

packages/system/cilium/charts/cilium/templates/hubble/tls-provided/metrics-server-secret.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.metrics.tls.enabled (not .Values.hubble.tls.auto.enabled) }}
+{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.metrics.tls.enabled (not .Values.hubble.tls.auto.enabled) (not .Values.hubble.metrics.tls.server.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:

packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled }}
+{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled (not .Values.hubble.relay.tls.client.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:

packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
+{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled (not .Values.hubble.relay.tls.server.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:

packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) }}
+{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) (not .Values.hubble.tls.server.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:

packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }}
+{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled (not .Values.hubble.ui.tls.client.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:

packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml

@@ -39,6 +39,10 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       initContainers:
         - name: init
           image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.initImage | quote }}

packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml

@@ -38,6 +38,10 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- if gt (len .Values.authentication.mutual.spire.install.server.initContainers) 0 }}
       initContainers:
         {{- toYaml .Values.authentication.mutual.spire.install.server.initContainers | nindent 8 }}

packages/system/cilium/charts/cilium/values.schema.json

@@ -2606,6 +2606,9 @@
                     "cert": {
                       "type": "string"
                     },
+                    "existingSecret": {
+                      "type": "string"
+                    },
                     "extraDnsNames": {
                       "items": {},
                       "type": "array"
@@ -2981,6 +2984,9 @@
                     "cert": {
                       "type": "string"
                     },
+                    "existingSecret": {
+                      "type": "string"
+                    },
                     "key": {
                       "type": "string"
                     }
@@ -2995,6 +3001,9 @@
                     "enabled": {
                       "type": "boolean"
                     },
+                    "existingSecret": {
+                      "type": "string"
+                    },
                     "extraDnsNames": {
                       "items": {},
                       "type": "array"
@@ -3087,6 +3096,9 @@
                 "cert": {
                   "type": "string"
                 },
+                "existingSecret": {
+                  "type": "string"
+                },
                 "extraDnsNames": {
                   "items": {},
                   "type": "array"
@@ -3372,6 +3384,9 @@
                     "cert": {
                       "type": "string"
                     },
+                    "existingSecret": {
+                      "type": "string"
+                    },
                     "key": {
                       "type": "string"
                     }
@@ -3830,6 +3845,17 @@
     "name": {
       "type": "string"
     },
+    "nat": {
+      "properties": {
+        "mapStatsEntries": {
+          "type": "integer"
+        },
+        "mapStatsInterval": {
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
     "nat46x64Gateway": {
       "properties": {
         "enabled": {

packages/system/cilium/charts/cilium/values.yaml

@@ -153,10 +153,10 @@ image:
   # @schema
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.16.0"
+  tag: "v1.16.1"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058"
+  digest: "sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
   useDigest: true
 # -- Affinity for cilium-agent.
 affinity:
@@ -1077,9 +1077,14 @@ hubble:
       enabled: false
       # Configure hubble metrics server TLS.
       server:
-        # -- base64 encoded PEM values for the Hubble metrics server certificate.
+        # -- Name of the Secret containing the certificate and key for the Hubble metrics server.
+        # If specified, cert and key are ignored.
+        existingSecret: ""
+        # -- base64 encoded PEM values for the Hubble metrics server certificate (deprecated).
+        # Use existingSecret instead.
         cert: ""
-        # -- base64 encoded PEM values for the Hubble metrics server key.
+        # -- base64 encoded PEM values for the Hubble metrics server key (deprecated).
+        # Use existingSecret instead.
         key: ""
         # -- Extra DNS names added to certificate when it's auto generated
         extraDnsNames: []
@@ -1277,9 +1282,16 @@ hubble:
       #   name: ca-issuer
       # -- certmanager issuer used when hubble.tls.auto.method=certmanager.
       certManagerIssuerRef: {}
-    # -- base64 encoded PEM values for the Hubble server certificate and private key
+    # -- The Hubble server certificate and private key
     server:
+      # -- Name of the Secret containing the certificate and key for the Hubble server.
+      # If specified, cert and key are ignored.
+      existingSecret: ""
+      # -- base64 encoded PEM values for the Hubble server certificate (deprecated).
+      # Use existingSecret instead.
       cert: ""
+      # -- base64 encoded PEM values for the Hubble server key (deprecated).
+      # Use existingSecret instead.
       key: ""
       # -- Extra DNS names added to certificate when it's auto generated
       extraDnsNames: []
@@ -1297,9 +1309,9 @@ hubble:
       # @schema
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.16.0"
+      tag: "v1.16.1"
       # hubble-relay-digest
-      digest: "sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d"
+      digest: "sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- Specifies the resources for the hubble-relay pods
@@ -1391,14 +1403,21 @@ hubble:
     listenPort: "4245"
     # -- TLS configuration for Hubble Relay
     tls:
-      # -- base64 encoded PEM values for the hubble-relay client certificate and private key
+      # -- The hubble-relay client certificate and private key.
       # This keypair is presented to Hubble server instances for mTLS
       # authentication and is required when hubble.tls.enabled is true.
       # These values need to be set manually if hubble.tls.auto.enabled is false.
       client:
+        # -- Name of the Secret containing the certificate and key for the Hubble metrics server.
+        # If specified, cert and key are ignored.
+        existingSecret: ""
+        # -- base64 encoded PEM values for the Hubble relay client certificate (deprecated).
+        # Use existingSecret instead.
         cert: ""
+        # -- base64 encoded PEM values for the Hubble relay client key (deprecated).
+        # Use existingSecret instead.
         key: ""
-      # -- base64 encoded PEM values for the hubble-relay server certificate and private key
+      # -- The hubble-relay server certificate and private key
       server:
         # When set to true, enable TLS on for Hubble Relay server
         # (ie: for clients connecting to the Hubble Relay API).
@@ -1407,8 +1426,14 @@ hubble:
         # False allow non-mutual TLS connections.
         # This option has no effect when TLS is disabled.
         mtls: false
-        # These values need to be set manually if hubble.tls.auto.enabled is false.
+        # -- Name of the Secret containing the certificate and key for the Hubble relay server.
+        # If specified, cert and key are ignored.
+        existingSecret: ""
+        # -- base64 encoded PEM values for the Hubble relay server certificate (deprecated).
+        # Use existingSecret instead.
         cert: ""
+        # -- base64 encoded PEM values for the Hubble relay server key (deprecated).
+        # Use existingSecret instead.
         key: ""
         # -- extra DNS names added to certificate when its auto gen
         extraDnsNames: []
@@ -1515,12 +1540,15 @@ hubble:
     # -- Roll out Hubble-ui pods automatically when configmap is updated.
     rollOutPods: false
     tls:
-      # -- base64 encoded PEM values used to connect to hubble-relay
-      # This keypair is presented to Hubble Relay instances for mTLS
-      # authentication and is required when hubble.relay.tls.server.enabled is true.
-      # These values need to be set manually if hubble.tls.auto.enabled is false.
       client:
+        # -- Name of the Secret containing the client certificate and key for Hubble UI
+        # If specified, cert and key are ignored.
+        existingSecret: ""
+        # -- base64 encoded PEM values for the Hubble UI client certificate (deprecated).
+        # Use existingSecret instead.
         cert: ""
+        # -- base64 encoded PEM values for the Hubble UI client key (deprecated).
+        # Use existingSecret instead.
         key: ""
     backend:
       # -- Hubble-ui backend image.
@@ -1886,6 +1914,11 @@ enableMasqueradeRouteSource: false
 enableIPv4BIGTCP: false
 # -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods
 enableIPv6BIGTCP: false
+nat:
+  # -- Number of the top-k SNAT map connections to track in Cilium statedb.
+  mapStatsEntries: 32
+  # -- Interval between how often SNAT map is counted for stats.
+  mapStatsInterval: 30s
 egressGateway:
   # -- Enables egress gateway to redirect and SNAT the traffic that leaves the
   # cluster.
@@ -2441,15 +2474,15 @@ operator:
     # @schema
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.16.0"
+    tag: "v1.16.1"
     # operator-generic-digest
-    genericDigest: "sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316"
+    genericDigest: "sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4"
     # operator-azure-digest
-    azureDigest: "sha256:dd7562e20bc72b55c65e2110eb98dca1dd2bbf6688b7d8cea2bc0453992c121d"
+    azureDigest: "sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22"
     # operator-aws-digest
-    awsDigest: "sha256:8dbe47a77ba8e1a5b111647a43db10c213d1c7dfc9f9aab5ef7279321ad21a2f"
+    awsDigest: "sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4"
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:d2d9f450f2fc650d74d4b3935f4c05736e61145b9c6927520ea52e1ebcf4f3ea"
+    alibabacloudDigest: "sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804"
     useDigest: true
     pullPolicy: "IfNotPresent"
     suffix: ""
@@ -2723,9 +2756,9 @@ preflight:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.16.0"
+    tag: "v1.16.1"
     # cilium-digest
-    digest: "sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058"
+    digest: "sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
     useDigest: true
     pullPolicy: "IfNotPresent"
   # -- The priority class to use for the preflight pod.
@@ -2872,9 +2905,9 @@ clustermesh:
       # @schema
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.16.0"
+      tag: "v1.16.1"
       # clustermesh-apiserver-digest
-      digest: "sha256:a1597b7de97cfa03f1330e6b784df1721eb69494cd9efb0b3a6930680dfe7a8e"
+      digest: "sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- TCP port for the clustermesh-apiserver health API.