diff --git a/src/istio/common/zarf.yaml b/src/istio/common/zarf.yaml
index 9de933358..9980e23db 100644
--- a/src/istio/common/zarf.yaml
+++ b/src/istio/common/zarf.yaml
@@ -13,11 +13,11 @@ components:
     charts:
       - name: base
         url: https://istio-release.storage.googleapis.com/charts
-        version: 1.23.2
+        version: 1.24.1
         namespace: istio-system
       - name: istiod
         url: https://istio-release.storage.googleapis.com/charts
-        version: 1.23.2
+        version: 1.24.1
         namespace: istio-system
         valuesFiles:
           - "../values/values.yaml"
@@ -28,14 +28,13 @@ components:
     actions:
       onDeploy:
         before:
-          - description: "Fix helm ownership if necessary for clean helm upgrade"
+          - description: "Add helm ownership if necessary for clean helm upgrade"
             mute: true
             cmd: |
-              ./zarf tools kubectl annotate EnvoyFilter misdirected-request -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true
-              ./zarf tools kubectl annotate EnvoyFilter remove-server-header -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true
-              ./zarf tools kubectl annotate PeerAuthentication default-istio-system -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true
-              ./zarf tools kubectl annotate PeerAuthentication permissive-pepr-webhook -n pepr-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true
-              ./zarf tools kubectl annotate PeerAuthentication permissive-pepr-webhook-watcher -n pepr-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true
+              # Commands pulled from https://istio.io/latest/news/releases/1.24.x/announcing-1.24/upgrade-notes/#istio-crds-are-templated-by-default-and-can-be-installed-and-upgraded-via-helm-install-istio-base
+              ./zarf tools kubectl label $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "app.kubernetes.io/managed-by=Helm" --overwrite || true
+              ./zarf tools kubectl annotate $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "meta.helm.sh/release-name=base" --overwrite || true
+              ./zarf tools kubectl annotate $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "meta.helm.sh/release-namespace=istio-system" --overwrite || true
         after:
           - description: "Ensure istio-injection is enabled for Pepr"
             mute: true
diff --git a/src/istio/values/registry1-values.yaml b/src/istio/values/registry1-values.yaml
index 17f229fea..62661f45c 100644
--- a/src/istio/values/registry1-values.yaml
+++ b/src/istio/values/registry1-values.yaml
@@ -2,11 +2,11 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 pilot:
-  image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.2-tetratefips-v0
+  image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.24.1-tetratefips-v0
 global:
   proxy_init:
     # renovate: image=registry1.dso.mil/ironbank/tetrate/istio/proxyv2
-    image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0"
+    image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.24.1-tetratefips-v0"
   proxy:
     # renovate: image=registry1.dso.mil/ironbank/tetrate/istio/proxyv2
-    image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0"
+    image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.24.1-tetratefips-v0"
diff --git a/src/istio/values/unicorn-values.yaml b/src/istio/values/unicorn-values.yaml
index 4d112b8c3..e382763ad 100644
--- a/src/istio/values/unicorn-values.yaml
+++ b/src/istio/values/unicorn-values.yaml
@@ -2,11 +2,11 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 pilot:
-  image: "cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.2"
+  image: "cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.24.1"
 global:
   proxy_init:
     # renovate: image=cgr.dev/du-uds-defenseunicorns/istio-proxy-fips
-    image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.23.2"
+    image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.24.1"
   proxy:
     # renovate: image=cgr.dev/du-uds-defenseunicorns/istio-proxy-fips
-    image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.23.2"
+    image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.24.1"
diff --git a/src/istio/values/upstream-values.yaml b/src/istio/values/upstream-values.yaml
index 800d39f62..ff0f5871b 100644
--- a/src/istio/values/upstream-values.yaml
+++ b/src/istio/values/upstream-values.yaml
@@ -2,11 +2,11 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 pilot:
-  image: "docker.io/istio/pilot:1.23.2-distroless"
+  image: "docker.io/istio/pilot:1.24.1-distroless"
 global:
   proxy_init:
     # renovate: image=docker.io/istio/proxyv2
-    image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.2-distroless"
+    image: "###ZARF_REGISTRY###/istio/proxyv2:1.24.1-distroless"
   proxy:
     # renovate: image=docker.io/istio/proxyv2
-    image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.2-distroless"
+    image: "###ZARF_REGISTRY###/istio/proxyv2:1.24.1-distroless"
diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml
index 21bae304e..03b88b419 100644
--- a/src/istio/zarf.yaml
+++ b/src/istio/zarf.yaml
@@ -24,8 +24,8 @@ components:
         valuesFiles:
           - "values/upstream-values.yaml"
     images:
-      - "docker.io/istio/pilot:1.23.2-distroless"
-      - "docker.io/istio/proxyv2:1.23.2-distroless"
+      - "docker.io/istio/pilot:1.24.1-distroless"
+      - "docker.io/istio/proxyv2:1.24.1-distroless"
 
   - name: istio-controlplane
     required: true
@@ -38,8 +38,8 @@ components:
         valuesFiles:
           - "values/registry1-values.yaml"
     images:
-      - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0
-      - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.2-tetratefips-v0
+      - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.24.1-tetratefips-v0
+      - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.24.1-tetratefips-v0
 
   - name: istio-controlplane
     required: true
@@ -52,15 +52,15 @@ components:
         valuesFiles:
           - "values/unicorn-values.yaml"
     images:
-      - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.2
-      - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.23.2
+      - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.24.1
+      - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.24.1
 
   - name: istio-admin-gateway
     required: true
     charts:
       - name: gateway
         url: https://istio-release.storage.googleapis.com/charts
-        version: 1.23.2
+        version: 1.24.1
         releaseName: admin-ingressgateway
         namespace: istio-admin-gateway
       - name: uds-istio-config
@@ -75,7 +75,7 @@ components:
     charts:
       - name: gateway
         url: https://istio-release.storage.googleapis.com/charts
-        version: 1.23.2
+        version: 1.24.1
         releaseName: tenant-ingressgateway
         namespace: istio-tenant-gateway
       - name: uds-istio-config
@@ -90,7 +90,7 @@ components:
     charts:
       - name: gateway
         url: https://istio-release.storage.googleapis.com/charts
-        version: 1.23.2
+        version: 1.24.1
         releaseName: passthrough-ingressgateway
         namespace: istio-passthrough-gateway
       - name: uds-istio-config